1 /*
2 * TLS client-side functions
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 */
19
20 #include "common.h"
21
22 #if defined(MBEDTLS_SSL_CLI_C) && defined(MBEDTLS_SSL_PROTO_TLS1_2)
23
24 #include "mbedtls/platform.h"
25
26 #include "mbedtls/ssl.h"
27 #include "ssl_client.h"
28 #include "ssl_misc.h"
29 #include "mbedtls/debug.h"
30 #include "mbedtls/error.h"
31 #include "mbedtls/constant_time.h"
32
33 #if defined(MBEDTLS_USE_PSA_CRYPTO)
34 #include "mbedtls/psa_util.h"
35 #include "psa/crypto.h"
36 #define PSA_TO_MBEDTLS_ERR(status) PSA_TO_MBEDTLS_ERR_LIST(status, \
37 psa_to_ssl_errors, \
38 psa_generic_status_to_mbedtls)
39 #endif /* MBEDTLS_USE_PSA_CRYPTO */
40
41 #include <string.h>
42
43 #include <stdint.h>
44
45 #if defined(MBEDTLS_HAVE_TIME)
46 #include "mbedtls/platform_time.h"
47 #endif
48
49 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
50 #include "mbedtls/platform_util.h"
51 #endif
52
53 #include "hash_info.h"
54
55 #if defined(MBEDTLS_SSL_RENEGOTIATION)
56 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_write_renegotiation_ext(mbedtls_ssl_context * ssl,unsigned char * buf,const unsigned char * end,size_t * olen)57 static int ssl_write_renegotiation_ext(mbedtls_ssl_context *ssl,
58 unsigned char *buf,
59 const unsigned char *end,
60 size_t *olen)
61 {
62 unsigned char *p = buf;
63
64 *olen = 0;
65
66 /* We're always including a TLS_EMPTY_RENEGOTIATION_INFO_SCSV in the
67 * initial ClientHello, in which case also adding the renegotiation
68 * info extension is NOT RECOMMENDED as per RFC 5746 Section 3.4. */
69 if (ssl->renego_status != MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) {
70 return 0;
71 }
72
73 MBEDTLS_SSL_DEBUG_MSG(3,
74 ("client hello, adding renegotiation extension"));
75
76 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 5 + ssl->verify_data_len);
77
78 /*
79 * Secure renegotiation
80 */
81 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_RENEGOTIATION_INFO, p, 0);
82 p += 2;
83
84 *p++ = 0x00;
85 *p++ = MBEDTLS_BYTE_0(ssl->verify_data_len + 1);
86 *p++ = MBEDTLS_BYTE_0(ssl->verify_data_len);
87
88 memcpy(p, ssl->own_verify_data, ssl->verify_data_len);
89
90 *olen = 5 + ssl->verify_data_len;
91
92 return 0;
93 }
94 #endif /* MBEDTLS_SSL_RENEGOTIATION */
95
96 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
97 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
98
99 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_write_supported_point_formats_ext(mbedtls_ssl_context * ssl,unsigned char * buf,const unsigned char * end,size_t * olen)100 static int ssl_write_supported_point_formats_ext(mbedtls_ssl_context *ssl,
101 unsigned char *buf,
102 const unsigned char *end,
103 size_t *olen)
104 {
105 unsigned char *p = buf;
106 (void) ssl; /* ssl used for debugging only */
107
108 *olen = 0;
109
110 MBEDTLS_SSL_DEBUG_MSG(3,
111 ("client hello, adding supported_point_formats extension"));
112 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 6);
113
114 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS, p, 0);
115 p += 2;
116
117 *p++ = 0x00;
118 *p++ = 2;
119
120 *p++ = 1;
121 *p++ = MBEDTLS_ECP_PF_UNCOMPRESSED;
122
123 *olen = 6;
124
125 return 0;
126 }
127 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
128 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
129
130 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
131 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_write_ecjpake_kkpp_ext(mbedtls_ssl_context * ssl,unsigned char * buf,const unsigned char * end,size_t * olen)132 static int ssl_write_ecjpake_kkpp_ext(mbedtls_ssl_context *ssl,
133 unsigned char *buf,
134 const unsigned char *end,
135 size_t *olen)
136 {
137 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
138 unsigned char *p = buf;
139 size_t kkpp_len = 0;
140
141 *olen = 0;
142
143 /* Skip costly extension if we can't use EC J-PAKE anyway */
144 #if defined(MBEDTLS_USE_PSA_CRYPTO)
145 if (ssl->handshake->psa_pake_ctx_is_ok != 1) {
146 return 0;
147 }
148 #else
149 if (mbedtls_ecjpake_check(&ssl->handshake->ecjpake_ctx) != 0) {
150 return 0;
151 }
152 #endif /* MBEDTLS_USE_PSA_CRYPTO */
153
154 MBEDTLS_SSL_DEBUG_MSG(3,
155 ("client hello, adding ecjpake_kkpp extension"));
156
157 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 4);
158
159 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_ECJPAKE_KKPP, p, 0);
160 p += 2;
161
162 /*
163 * We may need to send ClientHello multiple times for Hello verification.
164 * We don't want to compute fresh values every time (both for performance
165 * and consistency reasons), so cache the extension content.
166 */
167 if (ssl->handshake->ecjpake_cache == NULL ||
168 ssl->handshake->ecjpake_cache_len == 0) {
169 MBEDTLS_SSL_DEBUG_MSG(3, ("generating new ecjpake parameters"));
170
171 #if defined(MBEDTLS_USE_PSA_CRYPTO)
172 ret = mbedtls_psa_ecjpake_write_round(&ssl->handshake->psa_pake_ctx,
173 p + 2, end - p - 2, &kkpp_len,
174 MBEDTLS_ECJPAKE_ROUND_ONE);
175 if (ret != 0) {
176 psa_destroy_key(ssl->handshake->psa_pake_password);
177 psa_pake_abort(&ssl->handshake->psa_pake_ctx);
178 MBEDTLS_SSL_DEBUG_RET(1, "psa_pake_output", ret);
179 return ret;
180 }
181 #else
182 ret = mbedtls_ecjpake_write_round_one(&ssl->handshake->ecjpake_ctx,
183 p + 2, end - p - 2, &kkpp_len,
184 ssl->conf->f_rng, ssl->conf->p_rng);
185 if (ret != 0) {
186 MBEDTLS_SSL_DEBUG_RET(1,
187 "mbedtls_ecjpake_write_round_one", ret);
188 return ret;
189 }
190 #endif /* MBEDTLS_USE_PSA_CRYPTO */
191
192 ssl->handshake->ecjpake_cache = mbedtls_calloc(1, kkpp_len);
193 if (ssl->handshake->ecjpake_cache == NULL) {
194 MBEDTLS_SSL_DEBUG_MSG(1, ("allocation failed"));
195 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
196 }
197
198 memcpy(ssl->handshake->ecjpake_cache, p + 2, kkpp_len);
199 ssl->handshake->ecjpake_cache_len = kkpp_len;
200 } else {
201 MBEDTLS_SSL_DEBUG_MSG(3, ("re-using cached ecjpake parameters"));
202
203 kkpp_len = ssl->handshake->ecjpake_cache_len;
204 MBEDTLS_SSL_CHK_BUF_PTR(p + 2, end, kkpp_len);
205
206 memcpy(p + 2, ssl->handshake->ecjpake_cache, kkpp_len);
207 }
208
209 MBEDTLS_PUT_UINT16_BE(kkpp_len, p, 0);
210 p += 2;
211
212 *olen = kkpp_len + 4;
213
214 return 0;
215 }
216 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
217
218 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
219 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_write_cid_ext(mbedtls_ssl_context * ssl,unsigned char * buf,const unsigned char * end,size_t * olen)220 static int ssl_write_cid_ext(mbedtls_ssl_context *ssl,
221 unsigned char *buf,
222 const unsigned char *end,
223 size_t *olen)
224 {
225 unsigned char *p = buf;
226 size_t ext_len;
227
228 /*
229 * struct {
230 * opaque cid<0..2^8-1>;
231 * } ConnectionId;
232 */
233
234 *olen = 0;
235 if (ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM ||
236 ssl->negotiate_cid == MBEDTLS_SSL_CID_DISABLED) {
237 return 0;
238 }
239 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, adding CID extension"));
240
241 /* ssl->own_cid_len is at most MBEDTLS_SSL_CID_IN_LEN_MAX
242 * which is at most 255, so the increment cannot overflow. */
243 MBEDTLS_SSL_CHK_BUF_PTR(p, end, (unsigned) (ssl->own_cid_len + 5));
244
245 /* Add extension ID + size */
246 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_CID, p, 0);
247 p += 2;
248 ext_len = (size_t) ssl->own_cid_len + 1;
249 MBEDTLS_PUT_UINT16_BE(ext_len, p, 0);
250 p += 2;
251
252 *p++ = (uint8_t) ssl->own_cid_len;
253 memcpy(p, ssl->own_cid, ssl->own_cid_len);
254
255 *olen = ssl->own_cid_len + 5;
256
257 return 0;
258 }
259 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
260
261 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
262 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_write_max_fragment_length_ext(mbedtls_ssl_context * ssl,unsigned char * buf,const unsigned char * end,size_t * olen)263 static int ssl_write_max_fragment_length_ext(mbedtls_ssl_context *ssl,
264 unsigned char *buf,
265 const unsigned char *end,
266 size_t *olen)
267 {
268 unsigned char *p = buf;
269
270 *olen = 0;
271
272 if (ssl->conf->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE) {
273 return 0;
274 }
275
276 MBEDTLS_SSL_DEBUG_MSG(3,
277 ("client hello, adding max_fragment_length extension"));
278
279 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 5);
280
281 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH, p, 0);
282 p += 2;
283
284 *p++ = 0x00;
285 *p++ = 1;
286
287 *p++ = ssl->conf->mfl_code;
288
289 *olen = 5;
290
291 return 0;
292 }
293 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
294
295 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
296 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_write_encrypt_then_mac_ext(mbedtls_ssl_context * ssl,unsigned char * buf,const unsigned char * end,size_t * olen)297 static int ssl_write_encrypt_then_mac_ext(mbedtls_ssl_context *ssl,
298 unsigned char *buf,
299 const unsigned char *end,
300 size_t *olen)
301 {
302 unsigned char *p = buf;
303
304 *olen = 0;
305
306 if (ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED) {
307 return 0;
308 }
309
310 MBEDTLS_SSL_DEBUG_MSG(3,
311 ("client hello, adding encrypt_then_mac extension"));
312
313 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 4);
314
315 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC, p, 0);
316 p += 2;
317
318 *p++ = 0x00;
319 *p++ = 0x00;
320
321 *olen = 4;
322
323 return 0;
324 }
325 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
326
327 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
328 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_write_extended_ms_ext(mbedtls_ssl_context * ssl,unsigned char * buf,const unsigned char * end,size_t * olen)329 static int ssl_write_extended_ms_ext(mbedtls_ssl_context *ssl,
330 unsigned char *buf,
331 const unsigned char *end,
332 size_t *olen)
333 {
334 unsigned char *p = buf;
335
336 *olen = 0;
337
338 if (ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED) {
339 return 0;
340 }
341
342 MBEDTLS_SSL_DEBUG_MSG(3,
343 ("client hello, adding extended_master_secret extension"));
344
345 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 4);
346
347 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET, p, 0);
348 p += 2;
349
350 *p++ = 0x00;
351 *p++ = 0x00;
352
353 *olen = 4;
354
355 return 0;
356 }
357 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
358
359 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
360 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_write_session_ticket_ext(mbedtls_ssl_context * ssl,unsigned char * buf,const unsigned char * end,size_t * olen)361 static int ssl_write_session_ticket_ext(mbedtls_ssl_context *ssl,
362 unsigned char *buf,
363 const unsigned char *end,
364 size_t *olen)
365 {
366 unsigned char *p = buf;
367 size_t tlen = ssl->session_negotiate->ticket_len;
368
369 *olen = 0;
370
371 if (ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED) {
372 return 0;
373 }
374
375 MBEDTLS_SSL_DEBUG_MSG(3,
376 ("client hello, adding session ticket extension"));
377
378 /* The addition is safe here since the ticket length is 16 bit. */
379 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 4 + tlen);
380
381 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_SESSION_TICKET, p, 0);
382 p += 2;
383
384 MBEDTLS_PUT_UINT16_BE(tlen, p, 0);
385 p += 2;
386
387 *olen = 4;
388
389 if (ssl->session_negotiate->ticket == NULL || tlen == 0) {
390 return 0;
391 }
392
393 MBEDTLS_SSL_DEBUG_MSG(3,
394 ("sending session ticket of length %" MBEDTLS_PRINTF_SIZET, tlen));
395
396 memcpy(p, ssl->session_negotiate->ticket, tlen);
397
398 *olen += tlen;
399
400 return 0;
401 }
402 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
403
404 #if defined(MBEDTLS_SSL_DTLS_SRTP)
405 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_write_use_srtp_ext(mbedtls_ssl_context * ssl,unsigned char * buf,const unsigned char * end,size_t * olen)406 static int ssl_write_use_srtp_ext(mbedtls_ssl_context *ssl,
407 unsigned char *buf,
408 const unsigned char *end,
409 size_t *olen)
410 {
411 unsigned char *p = buf;
412 size_t protection_profiles_index = 0, ext_len = 0;
413 uint16_t mki_len = 0, profile_value = 0;
414
415 *olen = 0;
416
417 if ((ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) ||
418 (ssl->conf->dtls_srtp_profile_list == NULL) ||
419 (ssl->conf->dtls_srtp_profile_list_len == 0)) {
420 return 0;
421 }
422
423 /* RFC 5764 section 4.1.1
424 * uint8 SRTPProtectionProfile[2];
425 *
426 * struct {
427 * SRTPProtectionProfiles SRTPProtectionProfiles;
428 * opaque srtp_mki<0..255>;
429 * } UseSRTPData;
430 * SRTPProtectionProfile SRTPProtectionProfiles<2..2^16-1>;
431 */
432 if (ssl->conf->dtls_srtp_mki_support == MBEDTLS_SSL_DTLS_SRTP_MKI_SUPPORTED) {
433 mki_len = ssl->dtls_srtp_info.mki_len;
434 }
435 /* Extension length = 2 bytes for profiles length,
436 * ssl->conf->dtls_srtp_profile_list_len * 2 (each profile is 2 bytes length ),
437 * 1 byte for srtp_mki vector length and the mki_len value
438 */
439 ext_len = 2 + 2 * (ssl->conf->dtls_srtp_profile_list_len) + 1 + mki_len;
440
441 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, adding use_srtp extension"));
442
443 /* Check there is room in the buffer for the extension + 4 bytes
444 * - the extension tag (2 bytes)
445 * - the extension length (2 bytes)
446 */
447 MBEDTLS_SSL_CHK_BUF_PTR(p, end, ext_len + 4);
448
449 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_USE_SRTP, p, 0);
450 p += 2;
451
452 MBEDTLS_PUT_UINT16_BE(ext_len, p, 0);
453 p += 2;
454
455 /* protection profile length: 2*(ssl->conf->dtls_srtp_profile_list_len) */
456 /* micro-optimization:
457 * the list size is limited to MBEDTLS_TLS_SRTP_MAX_PROFILE_LIST_LENGTH
458 * which is lower than 127, so the upper byte of the length is always 0
459 * For the documentation, the more generic code is left in comments
460 * *p++ = (unsigned char)( ( ( 2 * ssl->conf->dtls_srtp_profile_list_len )
461 * >> 8 ) & 0xFF );
462 */
463 *p++ = 0;
464 *p++ = MBEDTLS_BYTE_0(2 * ssl->conf->dtls_srtp_profile_list_len);
465
466 for (protection_profiles_index = 0;
467 protection_profiles_index < ssl->conf->dtls_srtp_profile_list_len;
468 protection_profiles_index++) {
469 profile_value = mbedtls_ssl_check_srtp_profile_value
470 (ssl->conf->dtls_srtp_profile_list[protection_profiles_index]);
471 if (profile_value != MBEDTLS_TLS_SRTP_UNSET) {
472 MBEDTLS_SSL_DEBUG_MSG(3, ("ssl_write_use_srtp_ext, add profile: %04x",
473 profile_value));
474 MBEDTLS_PUT_UINT16_BE(profile_value, p, 0);
475 p += 2;
476 } else {
477 /*
478 * Note: we shall never arrive here as protection profiles
479 * is checked by mbedtls_ssl_conf_dtls_srtp_protection_profiles function
480 */
481 MBEDTLS_SSL_DEBUG_MSG(3,
482 ("client hello, "
483 "illegal DTLS-SRTP protection profile %d",
484 ssl->conf->dtls_srtp_profile_list[protection_profiles_index]
485 ));
486 return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
487 }
488 }
489
490 *p++ = mki_len & 0xFF;
491
492 if (mki_len != 0) {
493 memcpy(p, ssl->dtls_srtp_info.mki_value, mki_len);
494 /*
495 * Increment p to point to the current position.
496 */
497 p += mki_len;
498 MBEDTLS_SSL_DEBUG_BUF(3, "sending mki", ssl->dtls_srtp_info.mki_value,
499 ssl->dtls_srtp_info.mki_len);
500 }
501
502 /*
503 * total extension length: extension type (2 bytes)
504 * + extension length (2 bytes)
505 * + protection profile length (2 bytes)
506 * + 2 * number of protection profiles
507 * + srtp_mki vector length(1 byte)
508 * + mki value
509 */
510 *olen = p - buf;
511
512 return 0;
513 }
514 #endif /* MBEDTLS_SSL_DTLS_SRTP */
515
mbedtls_ssl_tls12_write_client_hello_exts(mbedtls_ssl_context * ssl,unsigned char * buf,const unsigned char * end,int uses_ec,size_t * out_len)516 int mbedtls_ssl_tls12_write_client_hello_exts(mbedtls_ssl_context *ssl,
517 unsigned char *buf,
518 const unsigned char *end,
519 int uses_ec,
520 size_t *out_len)
521 {
522 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
523 unsigned char *p = buf;
524 size_t ext_len = 0;
525
526 (void) ssl;
527 (void) end;
528 (void) uses_ec;
529 (void) ret;
530 (void) ext_len;
531
532 *out_len = 0;
533
534 /* Note that TLS_EMPTY_RENEGOTIATION_INFO_SCSV is always added
535 * even if MBEDTLS_SSL_RENEGOTIATION is not defined. */
536 #if defined(MBEDTLS_SSL_RENEGOTIATION)
537 if ((ret = ssl_write_renegotiation_ext(ssl, p, end, &ext_len)) != 0) {
538 MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_renegotiation_ext", ret);
539 return ret;
540 }
541 p += ext_len;
542 #endif
543
544 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
545 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
546 if (uses_ec) {
547 if ((ret = ssl_write_supported_point_formats_ext(ssl, p, end,
548 &ext_len)) != 0) {
549 MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_supported_point_formats_ext", ret);
550 return ret;
551 }
552 p += ext_len;
553 }
554 #endif
555
556 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
557 if ((ret = ssl_write_ecjpake_kkpp_ext(ssl, p, end, &ext_len)) != 0) {
558 MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_ecjpake_kkpp_ext", ret);
559 return ret;
560 }
561 p += ext_len;
562 #endif
563
564 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
565 if ((ret = ssl_write_cid_ext(ssl, p, end, &ext_len)) != 0) {
566 MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_cid_ext", ret);
567 return ret;
568 }
569 p += ext_len;
570 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
571
572 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
573 if ((ret = ssl_write_max_fragment_length_ext(ssl, p, end,
574 &ext_len)) != 0) {
575 MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_max_fragment_length_ext", ret);
576 return ret;
577 }
578 p += ext_len;
579 #endif
580
581 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
582 if ((ret = ssl_write_encrypt_then_mac_ext(ssl, p, end, &ext_len)) != 0) {
583 MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_encrypt_then_mac_ext", ret);
584 return ret;
585 }
586 p += ext_len;
587 #endif
588
589 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
590 if ((ret = ssl_write_extended_ms_ext(ssl, p, end, &ext_len)) != 0) {
591 MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_extended_ms_ext", ret);
592 return ret;
593 }
594 p += ext_len;
595 #endif
596
597 #if defined(MBEDTLS_SSL_DTLS_SRTP)
598 if ((ret = ssl_write_use_srtp_ext(ssl, p, end, &ext_len)) != 0) {
599 MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_use_srtp_ext", ret);
600 return ret;
601 }
602 p += ext_len;
603 #endif
604
605 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
606 if ((ret = ssl_write_session_ticket_ext(ssl, p, end, &ext_len)) != 0) {
607 MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_session_ticket_ext", ret);
608 return ret;
609 }
610 p += ext_len;
611 #endif
612
613 *out_len = p - buf;
614
615 return 0;
616 }
617
618 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_parse_renegotiation_info(mbedtls_ssl_context * ssl,const unsigned char * buf,size_t len)619 static int ssl_parse_renegotiation_info(mbedtls_ssl_context *ssl,
620 const unsigned char *buf,
621 size_t len)
622 {
623 #if defined(MBEDTLS_SSL_RENEGOTIATION)
624 if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) {
625 /* Check verify-data in constant-time. The length OTOH is no secret */
626 if (len != 1 + ssl->verify_data_len * 2 ||
627 buf[0] != ssl->verify_data_len * 2 ||
628 mbedtls_ct_memcmp(buf + 1,
629 ssl->own_verify_data, ssl->verify_data_len) != 0 ||
630 mbedtls_ct_memcmp(buf + 1 + ssl->verify_data_len,
631 ssl->peer_verify_data, ssl->verify_data_len) != 0) {
632 MBEDTLS_SSL_DEBUG_MSG(1, ("non-matching renegotiation info"));
633 mbedtls_ssl_send_alert_message(
634 ssl,
635 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
636 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
637 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
638 }
639 } else
640 #endif /* MBEDTLS_SSL_RENEGOTIATION */
641 {
642 if (len != 1 || buf[0] != 0x00) {
643 MBEDTLS_SSL_DEBUG_MSG(1,
644 ("non-zero length renegotiation info"));
645 mbedtls_ssl_send_alert_message(
646 ssl,
647 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
648 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
649 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
650 }
651
652 ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
653 }
654
655 return 0;
656 }
657
658 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
659 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_parse_max_fragment_length_ext(mbedtls_ssl_context * ssl,const unsigned char * buf,size_t len)660 static int ssl_parse_max_fragment_length_ext(mbedtls_ssl_context *ssl,
661 const unsigned char *buf,
662 size_t len)
663 {
664 /*
665 * server should use the extension only if we did,
666 * and if so the server's value should match ours (and len is always 1)
667 */
668 if (ssl->conf->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE ||
669 len != 1 ||
670 buf[0] != ssl->conf->mfl_code) {
671 MBEDTLS_SSL_DEBUG_MSG(1,
672 ("non-matching max fragment length extension"));
673 mbedtls_ssl_send_alert_message(
674 ssl,
675 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
676 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
677 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
678 }
679
680 return 0;
681 }
682 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
683
684 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
685 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_parse_cid_ext(mbedtls_ssl_context * ssl,const unsigned char * buf,size_t len)686 static int ssl_parse_cid_ext(mbedtls_ssl_context *ssl,
687 const unsigned char *buf,
688 size_t len)
689 {
690 size_t peer_cid_len;
691
692 if ( /* CID extension only makes sense in DTLS */
693 ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM ||
694 /* The server must only send the CID extension if we have offered it. */
695 ssl->negotiate_cid == MBEDTLS_SSL_CID_DISABLED) {
696 MBEDTLS_SSL_DEBUG_MSG(1, ("CID extension unexpected"));
697 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
698 MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT);
699 return MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION;
700 }
701
702 if (len == 0) {
703 MBEDTLS_SSL_DEBUG_MSG(1, ("CID extension invalid"));
704 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
705 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
706 return MBEDTLS_ERR_SSL_DECODE_ERROR;
707 }
708
709 peer_cid_len = *buf++;
710 len--;
711
712 if (peer_cid_len > MBEDTLS_SSL_CID_OUT_LEN_MAX) {
713 MBEDTLS_SSL_DEBUG_MSG(1, ("CID extension invalid"));
714 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
715 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
716 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
717 }
718
719 if (len != peer_cid_len) {
720 MBEDTLS_SSL_DEBUG_MSG(1, ("CID extension invalid"));
721 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
722 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
723 return MBEDTLS_ERR_SSL_DECODE_ERROR;
724 }
725
726 ssl->handshake->cid_in_use = MBEDTLS_SSL_CID_ENABLED;
727 ssl->handshake->peer_cid_len = (uint8_t) peer_cid_len;
728 memcpy(ssl->handshake->peer_cid, buf, peer_cid_len);
729
730 MBEDTLS_SSL_DEBUG_MSG(3, ("Use of CID extension negotiated"));
731 MBEDTLS_SSL_DEBUG_BUF(3, "Server CID", buf, peer_cid_len);
732
733 return 0;
734 }
735 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
736
737 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
738 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_parse_encrypt_then_mac_ext(mbedtls_ssl_context * ssl,const unsigned char * buf,size_t len)739 static int ssl_parse_encrypt_then_mac_ext(mbedtls_ssl_context *ssl,
740 const unsigned char *buf,
741 size_t len)
742 {
743 if (ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED ||
744 len != 0) {
745 MBEDTLS_SSL_DEBUG_MSG(1,
746 ("non-matching encrypt-then-MAC extension"));
747 mbedtls_ssl_send_alert_message(
748 ssl,
749 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
750 MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT);
751 return MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION;
752 }
753
754 ((void) buf);
755
756 ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED;
757
758 return 0;
759 }
760 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
761
762 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
763 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_parse_extended_ms_ext(mbedtls_ssl_context * ssl,const unsigned char * buf,size_t len)764 static int ssl_parse_extended_ms_ext(mbedtls_ssl_context *ssl,
765 const unsigned char *buf,
766 size_t len)
767 {
768 if (ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED ||
769 len != 0) {
770 MBEDTLS_SSL_DEBUG_MSG(1,
771 ("non-matching extended master secret extension"));
772 mbedtls_ssl_send_alert_message(
773 ssl,
774 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
775 MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT);
776 return MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION;
777 }
778
779 ((void) buf);
780
781 ssl->handshake->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED;
782
783 return 0;
784 }
785 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
786
787 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
788 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_parse_session_ticket_ext(mbedtls_ssl_context * ssl,const unsigned char * buf,size_t len)789 static int ssl_parse_session_ticket_ext(mbedtls_ssl_context *ssl,
790 const unsigned char *buf,
791 size_t len)
792 {
793 if (ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED ||
794 len != 0) {
795 MBEDTLS_SSL_DEBUG_MSG(1,
796 ("non-matching session ticket extension"));
797 mbedtls_ssl_send_alert_message(
798 ssl,
799 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
800 MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT);
801 return MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION;
802 }
803
804 ((void) buf);
805
806 ssl->handshake->new_session_ticket = 1;
807
808 return 0;
809 }
810 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
811
812 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
813 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
814 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_parse_supported_point_formats_ext(mbedtls_ssl_context * ssl,const unsigned char * buf,size_t len)815 static int ssl_parse_supported_point_formats_ext(mbedtls_ssl_context *ssl,
816 const unsigned char *buf,
817 size_t len)
818 {
819 size_t list_size;
820 const unsigned char *p;
821
822 if (len == 0 || (size_t) (buf[0] + 1) != len) {
823 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message"));
824 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
825 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
826 return MBEDTLS_ERR_SSL_DECODE_ERROR;
827 }
828 list_size = buf[0];
829
830 p = buf + 1;
831 while (list_size > 0) {
832 if (p[0] == MBEDTLS_ECP_PF_UNCOMPRESSED ||
833 p[0] == MBEDTLS_ECP_PF_COMPRESSED) {
834 #if !defined(MBEDTLS_USE_PSA_CRYPTO) && \
835 (defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C))
836 ssl->handshake->ecdh_ctx.point_format = p[0];
837 #endif /* !MBEDTLS_USE_PSA_CRYPTO &&
838 ( MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ) */
839 #if !defined(MBEDTLS_USE_PSA_CRYPTO) && \
840 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
841 mbedtls_ecjpake_set_point_format(&ssl->handshake->ecjpake_ctx,
842 p[0]);
843 #endif /* !MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
844 MBEDTLS_SSL_DEBUG_MSG(4, ("point format selected: %d", p[0]));
845 return 0;
846 }
847
848 list_size--;
849 p++;
850 }
851
852 MBEDTLS_SSL_DEBUG_MSG(1, ("no point format in common"));
853 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
854 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
855 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
856 }
857 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
858 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
859
860 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
861 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_parse_ecjpake_kkpp(mbedtls_ssl_context * ssl,const unsigned char * buf,size_t len)862 static int ssl_parse_ecjpake_kkpp(mbedtls_ssl_context *ssl,
863 const unsigned char *buf,
864 size_t len)
865 {
866 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
867
868 if (ssl->handshake->ciphersuite_info->key_exchange !=
869 MBEDTLS_KEY_EXCHANGE_ECJPAKE) {
870 MBEDTLS_SSL_DEBUG_MSG(3, ("skip ecjpake kkpp extension"));
871 return 0;
872 }
873
874 /* If we got here, we no longer need our cached extension */
875 mbedtls_free(ssl->handshake->ecjpake_cache);
876 ssl->handshake->ecjpake_cache = NULL;
877 ssl->handshake->ecjpake_cache_len = 0;
878
879 #if defined(MBEDTLS_USE_PSA_CRYPTO)
880 if ((ret = mbedtls_psa_ecjpake_read_round(
881 &ssl->handshake->psa_pake_ctx, buf, len,
882 MBEDTLS_ECJPAKE_ROUND_ONE)) != 0) {
883 psa_destroy_key(ssl->handshake->psa_pake_password);
884 psa_pake_abort(&ssl->handshake->psa_pake_ctx);
885
886 MBEDTLS_SSL_DEBUG_RET(1, "psa_pake_input round one", ret);
887 mbedtls_ssl_send_alert_message(
888 ssl,
889 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
890 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
891 return ret;
892 }
893
894 return 0;
895 #else
896 if ((ret = mbedtls_ecjpake_read_round_one(&ssl->handshake->ecjpake_ctx,
897 buf, len)) != 0) {
898 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_read_round_one", ret);
899 mbedtls_ssl_send_alert_message(
900 ssl,
901 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
902 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
903 return ret;
904 }
905
906 return 0;
907 #endif /* MBEDTLS_USE_PSA_CRYPTO */
908 }
909 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
910
911 #if defined(MBEDTLS_SSL_ALPN)
912 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_parse_alpn_ext(mbedtls_ssl_context * ssl,const unsigned char * buf,size_t len)913 static int ssl_parse_alpn_ext(mbedtls_ssl_context *ssl,
914 const unsigned char *buf, size_t len)
915 {
916 size_t list_len, name_len;
917 const char **p;
918
919 /* If we didn't send it, the server shouldn't send it */
920 if (ssl->conf->alpn_list == NULL) {
921 MBEDTLS_SSL_DEBUG_MSG(1, ("non-matching ALPN extension"));
922 mbedtls_ssl_send_alert_message(
923 ssl,
924 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
925 MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT);
926 return MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION;
927 }
928
929 /*
930 * opaque ProtocolName<1..2^8-1>;
931 *
932 * struct {
933 * ProtocolName protocol_name_list<2..2^16-1>
934 * } ProtocolNameList;
935 *
936 * the "ProtocolNameList" MUST contain exactly one "ProtocolName"
937 */
938
939 /* Min length is 2 (list_len) + 1 (name_len) + 1 (name) */
940 if (len < 4) {
941 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
942 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
943 return MBEDTLS_ERR_SSL_DECODE_ERROR;
944 }
945
946 list_len = (buf[0] << 8) | buf[1];
947 if (list_len != len - 2) {
948 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
949 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
950 return MBEDTLS_ERR_SSL_DECODE_ERROR;
951 }
952
953 name_len = buf[2];
954 if (name_len != list_len - 1) {
955 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
956 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
957 return MBEDTLS_ERR_SSL_DECODE_ERROR;
958 }
959
960 /* Check that the server chosen protocol was in our list and save it */
961 for (p = ssl->conf->alpn_list; *p != NULL; p++) {
962 if (name_len == strlen(*p) &&
963 memcmp(buf + 3, *p, name_len) == 0) {
964 ssl->alpn_chosen = *p;
965 return 0;
966 }
967 }
968
969 MBEDTLS_SSL_DEBUG_MSG(1, ("ALPN extension: no matching protocol"));
970 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
971 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
972 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
973 }
974 #endif /* MBEDTLS_SSL_ALPN */
975
976 #if defined(MBEDTLS_SSL_DTLS_SRTP)
977 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_parse_use_srtp_ext(mbedtls_ssl_context * ssl,const unsigned char * buf,size_t len)978 static int ssl_parse_use_srtp_ext(mbedtls_ssl_context *ssl,
979 const unsigned char *buf,
980 size_t len)
981 {
982 mbedtls_ssl_srtp_profile server_protection = MBEDTLS_TLS_SRTP_UNSET;
983 size_t i, mki_len = 0;
984 uint16_t server_protection_profile_value = 0;
985
986 /* If use_srtp is not configured, just ignore the extension */
987 if ((ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) ||
988 (ssl->conf->dtls_srtp_profile_list == NULL) ||
989 (ssl->conf->dtls_srtp_profile_list_len == 0)) {
990 return 0;
991 }
992
993 /* RFC 5764 section 4.1.1
994 * uint8 SRTPProtectionProfile[2];
995 *
996 * struct {
997 * SRTPProtectionProfiles SRTPProtectionProfiles;
998 * opaque srtp_mki<0..255>;
999 * } UseSRTPData;
1000
1001 * SRTPProtectionProfile SRTPProtectionProfiles<2..2^16-1>;
1002 *
1003 */
1004 if (ssl->conf->dtls_srtp_mki_support == MBEDTLS_SSL_DTLS_SRTP_MKI_SUPPORTED) {
1005 mki_len = ssl->dtls_srtp_info.mki_len;
1006 }
1007
1008 /*
1009 * Length is 5 + optional mki_value : one protection profile length (2 bytes)
1010 * + protection profile (2 bytes)
1011 * + mki_len(1 byte)
1012 * and optional srtp_mki
1013 */
1014 if ((len < 5) || (len != (buf[4] + 5u))) {
1015 return MBEDTLS_ERR_SSL_DECODE_ERROR;
1016 }
1017
1018 /*
1019 * get the server protection profile
1020 */
1021
1022 /*
1023 * protection profile length must be 0x0002 as we must have only
1024 * one protection profile in server Hello
1025 */
1026 if ((buf[0] != 0) || (buf[1] != 2)) {
1027 return MBEDTLS_ERR_SSL_DECODE_ERROR;
1028 }
1029
1030 server_protection_profile_value = (buf[2] << 8) | buf[3];
1031 server_protection = mbedtls_ssl_check_srtp_profile_value(
1032 server_protection_profile_value);
1033 if (server_protection != MBEDTLS_TLS_SRTP_UNSET) {
1034 MBEDTLS_SSL_DEBUG_MSG(3, ("found srtp profile: %s",
1035 mbedtls_ssl_get_srtp_profile_as_string(
1036 server_protection)));
1037 }
1038
1039 ssl->dtls_srtp_info.chosen_dtls_srtp_profile = MBEDTLS_TLS_SRTP_UNSET;
1040
1041 /*
1042 * Check we have the server profile in our list
1043 */
1044 for (i = 0; i < ssl->conf->dtls_srtp_profile_list_len; i++) {
1045 if (server_protection == ssl->conf->dtls_srtp_profile_list[i]) {
1046 ssl->dtls_srtp_info.chosen_dtls_srtp_profile = ssl->conf->dtls_srtp_profile_list[i];
1047 MBEDTLS_SSL_DEBUG_MSG(3, ("selected srtp profile: %s",
1048 mbedtls_ssl_get_srtp_profile_as_string(
1049 server_protection)));
1050 break;
1051 }
1052 }
1053
1054 /* If no match was found : server problem, it shall never answer with incompatible profile */
1055 if (ssl->dtls_srtp_info.chosen_dtls_srtp_profile == MBEDTLS_TLS_SRTP_UNSET) {
1056 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1057 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
1058 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
1059 }
1060
1061 /* If server does not use mki in its reply, make sure the client won't keep
1062 * one as negotiated */
1063 if (len == 5) {
1064 ssl->dtls_srtp_info.mki_len = 0;
1065 }
1066
1067 /*
1068 * RFC5764:
1069 * If the client detects a nonzero-length MKI in the server's response
1070 * that is different than the one the client offered, then the client
1071 * MUST abort the handshake and SHOULD send an invalid_parameter alert.
1072 */
1073 if (len > 5 && (buf[4] != mki_len ||
1074 (memcmp(ssl->dtls_srtp_info.mki_value, &buf[5], mki_len)))) {
1075 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1076 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
1077 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
1078 }
1079 #if defined(MBEDTLS_DEBUG_C)
1080 if (len > 5) {
1081 MBEDTLS_SSL_DEBUG_BUF(3, "received mki", ssl->dtls_srtp_info.mki_value,
1082 ssl->dtls_srtp_info.mki_len);
1083 }
1084 #endif
1085 return 0;
1086 }
1087 #endif /* MBEDTLS_SSL_DTLS_SRTP */
1088
1089 /*
1090 * Parse HelloVerifyRequest. Only called after verifying the HS type.
1091 */
1092 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1093 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_parse_hello_verify_request(mbedtls_ssl_context * ssl)1094 static int ssl_parse_hello_verify_request(mbedtls_ssl_context *ssl)
1095 {
1096 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
1097 const unsigned char *p = ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl);
1098 uint16_t dtls_legacy_version;
1099
1100 #if !defined(MBEDTLS_SSL_PROTO_TLS1_3)
1101 uint8_t cookie_len;
1102 #else
1103 uint16_t cookie_len;
1104 #endif
1105
1106 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse hello verify request"));
1107
1108 /* Check that there is enough room for:
1109 * - 2 bytes of version
1110 * - 1 byte of cookie_len
1111 */
1112 if (mbedtls_ssl_hs_hdr_len(ssl) + 3 > ssl->in_msglen) {
1113 MBEDTLS_SSL_DEBUG_MSG(1,
1114 ("incoming HelloVerifyRequest message is too short"));
1115 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1116 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1117 return MBEDTLS_ERR_SSL_DECODE_ERROR;
1118 }
1119
1120 /*
1121 * struct {
1122 * ProtocolVersion server_version;
1123 * opaque cookie<0..2^8-1>;
1124 * } HelloVerifyRequest;
1125 */
1126 MBEDTLS_SSL_DEBUG_BUF(3, "server version", p, 2);
1127 dtls_legacy_version = MBEDTLS_GET_UINT16_BE(p, 0);
1128 p += 2;
1129
1130 /*
1131 * Since the RFC is not clear on this point, accept DTLS 1.0 (0xfeff)
1132 * The DTLS 1.3 (current draft) renames ProtocolVersion server_version to
1133 * legacy_version and locks the value of legacy_version to 0xfefd (DTLS 1.2)
1134 */
1135 if (dtls_legacy_version != 0xfefd && dtls_legacy_version != 0xfeff) {
1136 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server version"));
1137
1138 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1139 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION);
1140
1141 return MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION;
1142 }
1143
1144 cookie_len = *p++;
1145 if ((ssl->in_msg + ssl->in_msglen) - p < cookie_len) {
1146 MBEDTLS_SSL_DEBUG_MSG(1,
1147 ("cookie length does not match incoming message size"));
1148 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1149 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1150 return MBEDTLS_ERR_SSL_DECODE_ERROR;
1151 }
1152 MBEDTLS_SSL_DEBUG_BUF(3, "cookie", p, cookie_len);
1153
1154 mbedtls_free(ssl->handshake->cookie);
1155
1156 ssl->handshake->cookie = mbedtls_calloc(1, cookie_len);
1157 if (ssl->handshake->cookie == NULL) {
1158 MBEDTLS_SSL_DEBUG_MSG(1, ("alloc failed (%d bytes)", cookie_len));
1159 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
1160 }
1161
1162 memcpy(ssl->handshake->cookie, p, cookie_len);
1163 ssl->handshake->cookie_len = cookie_len;
1164
1165 /* Start over at ClientHello */
1166 ssl->state = MBEDTLS_SSL_CLIENT_HELLO;
1167 ret = mbedtls_ssl_reset_checksum(ssl);
1168 if (0 != ret) {
1169 MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ssl_reset_checksum"), ret);
1170 return ret;
1171 }
1172
1173 mbedtls_ssl_recv_flight_completed(ssl);
1174
1175 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse hello verify request"));
1176
1177 return 0;
1178 }
1179 #endif /* MBEDTLS_SSL_PROTO_DTLS */
1180
1181 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_parse_server_hello(mbedtls_ssl_context * ssl)1182 static int ssl_parse_server_hello(mbedtls_ssl_context *ssl)
1183 {
1184 int ret, i;
1185 size_t n;
1186 size_t ext_len;
1187 unsigned char *buf, *ext;
1188 unsigned char comp;
1189 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1190 int renegotiation_info_seen = 0;
1191 #endif
1192 int handshake_failure = 0;
1193 const mbedtls_ssl_ciphersuite_t *suite_info;
1194
1195 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse server hello"));
1196
1197 if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) {
1198 /* No alert on a read error. */
1199 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);
1200 return ret;
1201 }
1202
1203 buf = ssl->in_msg;
1204
1205 if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) {
1206 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1207 if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) {
1208 ssl->renego_records_seen++;
1209
1210 if (ssl->conf->renego_max_records >= 0 &&
1211 ssl->renego_records_seen > ssl->conf->renego_max_records) {
1212 MBEDTLS_SSL_DEBUG_MSG(1,
1213 ("renegotiation requested, but not honored by server"));
1214 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
1215 }
1216
1217 MBEDTLS_SSL_DEBUG_MSG(1,
1218 ("non-handshake message during renegotiation"));
1219
1220 ssl->keep_current_message = 1;
1221 return MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO;
1222 }
1223 #endif /* MBEDTLS_SSL_RENEGOTIATION */
1224
1225 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message"));
1226 mbedtls_ssl_send_alert_message(
1227 ssl,
1228 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1229 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE);
1230 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
1231 }
1232
1233 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1234 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
1235 if (buf[0] == MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST) {
1236 MBEDTLS_SSL_DEBUG_MSG(2, ("received hello verify request"));
1237 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse server hello"));
1238 return ssl_parse_hello_verify_request(ssl);
1239 } else {
1240 /* We made it through the verification process */
1241 mbedtls_free(ssl->handshake->cookie);
1242 ssl->handshake->cookie = NULL;
1243 ssl->handshake->cookie_len = 0;
1244 }
1245 }
1246 #endif /* MBEDTLS_SSL_PROTO_DTLS */
1247
1248 if (ssl->in_hslen < 38 + mbedtls_ssl_hs_hdr_len(ssl) ||
1249 buf[0] != MBEDTLS_SSL_HS_SERVER_HELLO) {
1250 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message"));
1251 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1252 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1253 return MBEDTLS_ERR_SSL_DECODE_ERROR;
1254 }
1255
1256 /*
1257 * 0 . 1 server_version
1258 * 2 . 33 random (maybe including 4 bytes of Unix time)
1259 * 34 . 34 session_id length = n
1260 * 35 . 34+n session_id
1261 * 35+n . 36+n cipher_suite
1262 * 37+n . 37+n compression_method
1263 *
1264 * 38+n . 39+n extensions length (optional)
1265 * 40+n . .. extensions
1266 */
1267 buf += mbedtls_ssl_hs_hdr_len(ssl);
1268
1269 MBEDTLS_SSL_DEBUG_BUF(3, "server hello, version", buf, 2);
1270 ssl->tls_version = mbedtls_ssl_read_version(buf, ssl->conf->transport);
1271 ssl->session_negotiate->tls_version = ssl->tls_version;
1272
1273 if (ssl->tls_version < ssl->conf->min_tls_version ||
1274 ssl->tls_version > ssl->conf->max_tls_version) {
1275 MBEDTLS_SSL_DEBUG_MSG(1,
1276 (
1277 "server version out of bounds - min: [0x%x], server: [0x%x], max: [0x%x]",
1278 (unsigned) ssl->conf->min_tls_version,
1279 (unsigned) ssl->tls_version,
1280 (unsigned) ssl->conf->max_tls_version));
1281
1282 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1283 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION);
1284
1285 return MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION;
1286 }
1287
1288 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, current time: %lu",
1289 ((unsigned long) buf[2] << 24) |
1290 ((unsigned long) buf[3] << 16) |
1291 ((unsigned long) buf[4] << 8) |
1292 ((unsigned long) buf[5])));
1293
1294 memcpy(ssl->handshake->randbytes + 32, buf + 2, 32);
1295
1296 n = buf[34];
1297
1298 MBEDTLS_SSL_DEBUG_BUF(3, "server hello, random bytes", buf + 2, 32);
1299
1300 if (n > 32) {
1301 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message"));
1302 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1303 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1304 return MBEDTLS_ERR_SSL_DECODE_ERROR;
1305 }
1306
1307 if (ssl->in_hslen > mbedtls_ssl_hs_hdr_len(ssl) + 39 + n) {
1308 ext_len = ((buf[38 + n] << 8)
1309 | (buf[39 + n]));
1310
1311 if ((ext_len > 0 && ext_len < 4) ||
1312 ssl->in_hslen != mbedtls_ssl_hs_hdr_len(ssl) + 40 + n + ext_len) {
1313 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message"));
1314 mbedtls_ssl_send_alert_message(
1315 ssl,
1316 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1317 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1318 return MBEDTLS_ERR_SSL_DECODE_ERROR;
1319 }
1320 } else if (ssl->in_hslen == mbedtls_ssl_hs_hdr_len(ssl) + 38 + n) {
1321 ext_len = 0;
1322 } else {
1323 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message"));
1324 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1325 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1326 return MBEDTLS_ERR_SSL_DECODE_ERROR;
1327 }
1328
1329 /* ciphersuite (used later) */
1330 i = (buf[35 + n] << 8) | buf[36 + n];
1331
1332 /*
1333 * Read and check compression
1334 */
1335 comp = buf[37 + n];
1336
1337 if (comp != MBEDTLS_SSL_COMPRESS_NULL) {
1338 MBEDTLS_SSL_DEBUG_MSG(1,
1339 ("server hello, bad compression: %d", comp));
1340 mbedtls_ssl_send_alert_message(
1341 ssl,
1342 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1343 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
1344 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
1345 }
1346
1347 /*
1348 * Initialize update checksum functions
1349 */
1350 ssl->handshake->ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(i);
1351 if (ssl->handshake->ciphersuite_info == NULL) {
1352 MBEDTLS_SSL_DEBUG_MSG(1,
1353 ("ciphersuite info for %04x not found", (unsigned int) i));
1354 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1355 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR);
1356 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
1357 }
1358
1359 mbedtls_ssl_optimize_checksum(ssl, ssl->handshake->ciphersuite_info);
1360
1361 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, session id len.: %" MBEDTLS_PRINTF_SIZET, n));
1362 MBEDTLS_SSL_DEBUG_BUF(3, "server hello, session id", buf + 35, n);
1363
1364 /*
1365 * Check if the session can be resumed
1366 */
1367 if (ssl->handshake->resume == 0 || n == 0 ||
1368 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1369 ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE ||
1370 #endif
1371 ssl->session_negotiate->ciphersuite != i ||
1372 ssl->session_negotiate->id_len != n ||
1373 memcmp(ssl->session_negotiate->id, buf + 35, n) != 0) {
1374 ssl->state++;
1375 ssl->handshake->resume = 0;
1376 #if defined(MBEDTLS_HAVE_TIME)
1377 ssl->session_negotiate->start = mbedtls_time(NULL);
1378 #endif
1379 ssl->session_negotiate->ciphersuite = i;
1380 ssl->session_negotiate->id_len = n;
1381 memcpy(ssl->session_negotiate->id, buf + 35, n);
1382 } else {
1383 ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC;
1384 }
1385
1386 MBEDTLS_SSL_DEBUG_MSG(3, ("%s session has been resumed",
1387 ssl->handshake->resume ? "a" : "no"));
1388
1389 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, chosen ciphersuite: %04x", (unsigned) i));
1390 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, compress alg.: %d",
1391 buf[37 + n]));
1392
1393 /*
1394 * Perform cipher suite validation in same way as in ssl_write_client_hello.
1395 */
1396 i = 0;
1397 while (1) {
1398 if (ssl->conf->ciphersuite_list[i] == 0) {
1399 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message"));
1400 mbedtls_ssl_send_alert_message(
1401 ssl,
1402 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1403 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
1404 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
1405 }
1406
1407 if (ssl->conf->ciphersuite_list[i++] ==
1408 ssl->session_negotiate->ciphersuite) {
1409 break;
1410 }
1411 }
1412
1413 suite_info = mbedtls_ssl_ciphersuite_from_id(
1414 ssl->session_negotiate->ciphersuite);
1415 if (mbedtls_ssl_validate_ciphersuite(ssl, suite_info, ssl->tls_version,
1416 ssl->tls_version) != 0) {
1417 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message"));
1418 mbedtls_ssl_send_alert_message(
1419 ssl,
1420 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1421 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
1422 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
1423 }
1424
1425 MBEDTLS_SSL_DEBUG_MSG(3,
1426 ("server hello, chosen ciphersuite: %s", suite_info->name));
1427
1428 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
1429 if (suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA &&
1430 ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_2) {
1431 ssl->handshake->ecrs_enabled = 1;
1432 }
1433 #endif
1434
1435 if (comp != MBEDTLS_SSL_COMPRESS_NULL) {
1436 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message"));
1437 mbedtls_ssl_send_alert_message(
1438 ssl,
1439 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1440 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
1441 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
1442 }
1443
1444 ext = buf + 40 + n;
1445
1446 MBEDTLS_SSL_DEBUG_MSG(2,
1447 ("server hello, total extension length: %" MBEDTLS_PRINTF_SIZET,
1448 ext_len));
1449
1450 while (ext_len) {
1451 unsigned int ext_id = ((ext[0] << 8)
1452 | (ext[1]));
1453 unsigned int ext_size = ((ext[2] << 8)
1454 | (ext[3]));
1455
1456 if (ext_size + 4 > ext_len) {
1457 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message"));
1458 mbedtls_ssl_send_alert_message(
1459 ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1460 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1461 return MBEDTLS_ERR_SSL_DECODE_ERROR;
1462 }
1463
1464 switch (ext_id) {
1465 case MBEDTLS_TLS_EXT_RENEGOTIATION_INFO:
1466 MBEDTLS_SSL_DEBUG_MSG(3, ("found renegotiation extension"));
1467 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1468 renegotiation_info_seen = 1;
1469 #endif
1470
1471 if ((ret = ssl_parse_renegotiation_info(ssl, ext + 4,
1472 ext_size)) != 0) {
1473 return ret;
1474 }
1475
1476 break;
1477
1478 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
1479 case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH:
1480 MBEDTLS_SSL_DEBUG_MSG(3,
1481 ("found max_fragment_length extension"));
1482
1483 if ((ret = ssl_parse_max_fragment_length_ext(ssl,
1484 ext + 4, ext_size)) != 0) {
1485 return ret;
1486 }
1487
1488 break;
1489 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
1490
1491 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
1492 case MBEDTLS_TLS_EXT_CID:
1493 MBEDTLS_SSL_DEBUG_MSG(3, ("found CID extension"));
1494
1495 if ((ret = ssl_parse_cid_ext(ssl,
1496 ext + 4,
1497 ext_size)) != 0) {
1498 return ret;
1499 }
1500
1501 break;
1502 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
1503
1504 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
1505 case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC:
1506 MBEDTLS_SSL_DEBUG_MSG(3, ("found encrypt_then_mac extension"));
1507
1508 if ((ret = ssl_parse_encrypt_then_mac_ext(ssl,
1509 ext + 4, ext_size)) != 0) {
1510 return ret;
1511 }
1512
1513 break;
1514 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
1515
1516 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
1517 case MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET:
1518 MBEDTLS_SSL_DEBUG_MSG(3,
1519 ("found extended_master_secret extension"));
1520
1521 if ((ret = ssl_parse_extended_ms_ext(ssl,
1522 ext + 4, ext_size)) != 0) {
1523 return ret;
1524 }
1525
1526 break;
1527 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
1528
1529 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
1530 case MBEDTLS_TLS_EXT_SESSION_TICKET:
1531 MBEDTLS_SSL_DEBUG_MSG(3, ("found session_ticket extension"));
1532
1533 if ((ret = ssl_parse_session_ticket_ext(ssl,
1534 ext + 4, ext_size)) != 0) {
1535 return ret;
1536 }
1537
1538 break;
1539 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
1540
1541 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
1542 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
1543 case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS:
1544 MBEDTLS_SSL_DEBUG_MSG(3,
1545 ("found supported_point_formats extension"));
1546
1547 if ((ret = ssl_parse_supported_point_formats_ext(ssl,
1548 ext + 4, ext_size)) != 0) {
1549 return ret;
1550 }
1551
1552 break;
1553 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
1554 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
1555
1556 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
1557 case MBEDTLS_TLS_EXT_ECJPAKE_KKPP:
1558 MBEDTLS_SSL_DEBUG_MSG(3, ("found ecjpake_kkpp extension"));
1559
1560 if ((ret = ssl_parse_ecjpake_kkpp(ssl,
1561 ext + 4, ext_size)) != 0) {
1562 return ret;
1563 }
1564
1565 break;
1566 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
1567
1568 #if defined(MBEDTLS_SSL_ALPN)
1569 case MBEDTLS_TLS_EXT_ALPN:
1570 MBEDTLS_SSL_DEBUG_MSG(3, ("found alpn extension"));
1571
1572 if ((ret = ssl_parse_alpn_ext(ssl, ext + 4, ext_size)) != 0) {
1573 return ret;
1574 }
1575
1576 break;
1577 #endif /* MBEDTLS_SSL_ALPN */
1578
1579 #if defined(MBEDTLS_SSL_DTLS_SRTP)
1580 case MBEDTLS_TLS_EXT_USE_SRTP:
1581 MBEDTLS_SSL_DEBUG_MSG(3, ("found use_srtp extension"));
1582
1583 if ((ret = ssl_parse_use_srtp_ext(ssl, ext + 4, ext_size)) != 0) {
1584 return ret;
1585 }
1586
1587 break;
1588 #endif /* MBEDTLS_SSL_DTLS_SRTP */
1589
1590 default:
1591 MBEDTLS_SSL_DEBUG_MSG(3,
1592 ("unknown extension found: %u (ignoring)", ext_id));
1593 }
1594
1595 ext_len -= 4 + ext_size;
1596 ext += 4 + ext_size;
1597
1598 if (ext_len > 0 && ext_len < 4) {
1599 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message"));
1600 return MBEDTLS_ERR_SSL_DECODE_ERROR;
1601 }
1602 }
1603
1604 /*
1605 * mbedtls_ssl_derive_keys() has to be called after the parsing of the
1606 * extensions. It sets the transform data for the resumed session which in
1607 * case of DTLS includes the server CID extracted from the CID extension.
1608 */
1609 if (ssl->handshake->resume) {
1610 if ((ret = mbedtls_ssl_derive_keys(ssl)) != 0) {
1611 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_derive_keys", ret);
1612 mbedtls_ssl_send_alert_message(
1613 ssl,
1614 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1615 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR);
1616 return ret;
1617 }
1618 }
1619
1620 /*
1621 * Renegotiation security checks
1622 */
1623 if (ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
1624 ssl->conf->allow_legacy_renegotiation ==
1625 MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE) {
1626 MBEDTLS_SSL_DEBUG_MSG(1,
1627 ("legacy renegotiation, breaking off handshake"));
1628 handshake_failure = 1;
1629 }
1630 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1631 else if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
1632 ssl->secure_renegotiation == MBEDTLS_SSL_SECURE_RENEGOTIATION &&
1633 renegotiation_info_seen == 0) {
1634 MBEDTLS_SSL_DEBUG_MSG(1,
1635 ("renegotiation_info extension missing (secure)"));
1636 handshake_failure = 1;
1637 } else if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
1638 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
1639 ssl->conf->allow_legacy_renegotiation ==
1640 MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION) {
1641 MBEDTLS_SSL_DEBUG_MSG(1, ("legacy renegotiation not allowed"));
1642 handshake_failure = 1;
1643 } else if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
1644 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
1645 renegotiation_info_seen == 1) {
1646 MBEDTLS_SSL_DEBUG_MSG(1,
1647 ("renegotiation_info extension present (legacy)"));
1648 handshake_failure = 1;
1649 }
1650 #endif /* MBEDTLS_SSL_RENEGOTIATION */
1651
1652 if (handshake_failure == 1) {
1653 mbedtls_ssl_send_alert_message(
1654 ssl,
1655 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1656 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
1657 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
1658 }
1659
1660 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse server hello"));
1661
1662 return 0;
1663 }
1664
1665 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
1666 defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
1667 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_parse_server_dh_params(mbedtls_ssl_context * ssl,unsigned char ** p,unsigned char * end)1668 static int ssl_parse_server_dh_params(mbedtls_ssl_context *ssl,
1669 unsigned char **p,
1670 unsigned char *end)
1671 {
1672 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
1673 size_t dhm_actual_bitlen;
1674
1675 /*
1676 * Ephemeral DH parameters:
1677 *
1678 * struct {
1679 * opaque dh_p<1..2^16-1>;
1680 * opaque dh_g<1..2^16-1>;
1681 * opaque dh_Ys<1..2^16-1>;
1682 * } ServerDHParams;
1683 */
1684 if ((ret = mbedtls_dhm_read_params(&ssl->handshake->dhm_ctx,
1685 p, end)) != 0) {
1686 MBEDTLS_SSL_DEBUG_RET(2, ("mbedtls_dhm_read_params"), ret);
1687 return ret;
1688 }
1689
1690 dhm_actual_bitlen = mbedtls_dhm_get_bitlen(&ssl->handshake->dhm_ctx);
1691 if (dhm_actual_bitlen < ssl->conf->dhm_min_bitlen) {
1692 MBEDTLS_SSL_DEBUG_MSG(1, ("DHM prime too short: %" MBEDTLS_PRINTF_SIZET " < %u",
1693 dhm_actual_bitlen,
1694 ssl->conf->dhm_min_bitlen));
1695 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
1696 }
1697
1698 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: P ", &ssl->handshake->dhm_ctx.P);
1699 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: G ", &ssl->handshake->dhm_ctx.G);
1700 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: GY", &ssl->handshake->dhm_ctx.GY);
1701
1702 return ret;
1703 }
1704 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
1705 MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
1706
1707 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1708 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
1709 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
1710 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
1711 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_parse_server_ecdh_params(mbedtls_ssl_context * ssl,unsigned char ** p,unsigned char * end)1712 static int ssl_parse_server_ecdh_params(mbedtls_ssl_context *ssl,
1713 unsigned char **p,
1714 unsigned char *end)
1715 {
1716 uint16_t tls_id;
1717 uint8_t ecpoint_len;
1718 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
1719 psa_ecc_family_t ec_psa_family = 0;
1720 size_t ec_bits = 0;
1721
1722 /*
1723 * struct {
1724 * ECParameters curve_params;
1725 * ECPoint public;
1726 * } ServerECDHParams;
1727 *
1728 * 1 curve_type (must be "named_curve")
1729 * 2..3 NamedCurve
1730 * 4 ECPoint.len
1731 * 5+ ECPoint contents
1732 */
1733 if (end - *p < 4) {
1734 return MBEDTLS_ERR_SSL_DECODE_ERROR;
1735 }
1736
1737 /* First byte is curve_type; only named_curve is handled */
1738 if (*(*p)++ != MBEDTLS_ECP_TLS_NAMED_CURVE) {
1739 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
1740 }
1741
1742 /* Next two bytes are the namedcurve value */
1743 tls_id = *(*p)++;
1744 tls_id <<= 8;
1745 tls_id |= *(*p)++;
1746
1747 /* Check it's a curve we offered */
1748 if (mbedtls_ssl_check_curve_tls_id(ssl, tls_id) != 0) {
1749 MBEDTLS_SSL_DEBUG_MSG(2,
1750 ("bad server key exchange message (ECDHE curve): %u",
1751 (unsigned) tls_id));
1752 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
1753 }
1754
1755 /* Convert EC's TLS ID to PSA key type. */
1756 if (mbedtls_ssl_get_psa_curve_info_from_tls_id(tls_id, &ec_psa_family,
1757 &ec_bits) == PSA_ERROR_NOT_SUPPORTED) {
1758 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
1759 }
1760 handshake->ecdh_psa_type = PSA_KEY_TYPE_ECC_KEY_PAIR(ec_psa_family);
1761 handshake->ecdh_bits = ec_bits;
1762
1763 /* Keep a copy of the peer's public key */
1764 ecpoint_len = *(*p)++;
1765 if ((size_t) (end - *p) < ecpoint_len) {
1766 return MBEDTLS_ERR_SSL_DECODE_ERROR;
1767 }
1768
1769 if (ecpoint_len > sizeof(handshake->ecdh_psa_peerkey)) {
1770 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
1771 }
1772
1773 memcpy(handshake->ecdh_psa_peerkey, *p, ecpoint_len);
1774 handshake->ecdh_psa_peerkey_len = ecpoint_len;
1775 *p += ecpoint_len;
1776
1777 return 0;
1778 }
1779 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
1780 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED ||
1781 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
1782 #else
1783 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
1784 defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
1785 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
1786 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
1787 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
1788 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_check_server_ecdh_params(const mbedtls_ssl_context * ssl)1789 static int ssl_check_server_ecdh_params(const mbedtls_ssl_context *ssl)
1790 {
1791 uint16_t tls_id;
1792 mbedtls_ecp_group_id grp_id;
1793 #if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
1794 grp_id = ssl->handshake->ecdh_ctx.grp.id;
1795 #else
1796 grp_id = ssl->handshake->ecdh_ctx.grp_id;
1797 #endif
1798
1799 tls_id = mbedtls_ssl_get_tls_id_from_ecp_group_id(grp_id);
1800 if (tls_id == 0) {
1801 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
1802 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
1803 }
1804
1805 MBEDTLS_SSL_DEBUG_MSG(2, ("ECDH curve: %s",
1806 mbedtls_ssl_get_curve_name_from_tls_id(tls_id)));
1807
1808 if (mbedtls_ssl_check_curve(ssl, grp_id) != 0) {
1809 return -1;
1810 }
1811
1812 MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx,
1813 MBEDTLS_DEBUG_ECDH_QP);
1814
1815 return 0;
1816 }
1817
1818 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
1819 MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
1820 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED ||
1821 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
1822 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
1823
1824 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
1825 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
1826 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
1827 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_parse_server_ecdh_params(mbedtls_ssl_context * ssl,unsigned char ** p,unsigned char * end)1828 static int ssl_parse_server_ecdh_params(mbedtls_ssl_context *ssl,
1829 unsigned char **p,
1830 unsigned char *end)
1831 {
1832 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
1833
1834 /*
1835 * Ephemeral ECDH parameters:
1836 *
1837 * struct {
1838 * ECParameters curve_params;
1839 * ECPoint public;
1840 * } ServerECDHParams;
1841 */
1842 if ((ret = mbedtls_ecdh_read_params(&ssl->handshake->ecdh_ctx,
1843 (const unsigned char **) p, end)) != 0) {
1844 MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ecdh_read_params"), ret);
1845 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
1846 if (ret == MBEDTLS_ERR_ECP_IN_PROGRESS) {
1847 ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
1848 }
1849 #endif
1850 return ret;
1851 }
1852
1853 if (ssl_check_server_ecdh_params(ssl) != 0) {
1854 MBEDTLS_SSL_DEBUG_MSG(1,
1855 ("bad server key exchange message (ECDHE curve)"));
1856 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
1857 }
1858
1859 return ret;
1860 }
1861 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || \
1862 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED || \
1863 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
1864 #endif /* !MBEDTLS_USE_PSA_CRYPTO */
1865 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
1866 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_parse_server_psk_hint(mbedtls_ssl_context * ssl,unsigned char ** p,unsigned char * end)1867 static int ssl_parse_server_psk_hint(mbedtls_ssl_context *ssl,
1868 unsigned char **p,
1869 unsigned char *end)
1870 {
1871 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
1872 uint16_t len;
1873 ((void) ssl);
1874
1875 /*
1876 * PSK parameters:
1877 *
1878 * opaque psk_identity_hint<0..2^16-1>;
1879 */
1880 if (end - (*p) < 2) {
1881 MBEDTLS_SSL_DEBUG_MSG(1,
1882 ("bad server key exchange message (psk_identity_hint length)"));
1883 return MBEDTLS_ERR_SSL_DECODE_ERROR;
1884 }
1885 len = (*p)[0] << 8 | (*p)[1];
1886 *p += 2;
1887
1888 if (end - (*p) < len) {
1889 MBEDTLS_SSL_DEBUG_MSG(1,
1890 ("bad server key exchange message (psk_identity_hint length)"));
1891 return MBEDTLS_ERR_SSL_DECODE_ERROR;
1892 }
1893
1894 /*
1895 * Note: we currently ignore the PSK identity hint, as we only allow one
1896 * PSK to be provisioned on the client. This could be changed later if
1897 * someone needs that feature.
1898 */
1899 *p += len;
1900 ret = 0;
1901
1902 return ret;
1903 }
1904 #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
1905
1906 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \
1907 defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
1908 /*
1909 * Generate a pre-master secret and encrypt it with the server's RSA key
1910 */
1911 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_write_encrypted_pms(mbedtls_ssl_context * ssl,size_t offset,size_t * olen,size_t pms_offset)1912 static int ssl_write_encrypted_pms(mbedtls_ssl_context *ssl,
1913 size_t offset, size_t *olen,
1914 size_t pms_offset)
1915 {
1916 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1917 size_t len_bytes = 2;
1918 unsigned char *p = ssl->handshake->premaster + pms_offset;
1919 mbedtls_pk_context *peer_pk;
1920
1921 if (offset + len_bytes > MBEDTLS_SSL_OUT_CONTENT_LEN) {
1922 MBEDTLS_SSL_DEBUG_MSG(1, ("buffer too small for encrypted pms"));
1923 return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
1924 }
1925
1926 /*
1927 * Generate (part of) the pre-master as
1928 * struct {
1929 * ProtocolVersion client_version;
1930 * opaque random[46];
1931 * } PreMasterSecret;
1932 */
1933 mbedtls_ssl_write_version(p, ssl->conf->transport,
1934 MBEDTLS_SSL_VERSION_TLS1_2);
1935
1936 if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, p + 2, 46)) != 0) {
1937 MBEDTLS_SSL_DEBUG_RET(1, "f_rng", ret);
1938 return ret;
1939 }
1940
1941 ssl->handshake->pmslen = 48;
1942
1943 #if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
1944 peer_pk = &ssl->handshake->peer_pubkey;
1945 #else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
1946 if (ssl->session_negotiate->peer_cert == NULL) {
1947 /* Should never happen */
1948 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
1949 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
1950 }
1951 peer_pk = &ssl->session_negotiate->peer_cert->pk;
1952 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
1953
1954 /*
1955 * Now write it out, encrypted
1956 */
1957 if (!mbedtls_pk_can_do(peer_pk, MBEDTLS_PK_RSA)) {
1958 MBEDTLS_SSL_DEBUG_MSG(1, ("certificate key type mismatch"));
1959 return MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH;
1960 }
1961
1962 if ((ret = mbedtls_pk_encrypt(peer_pk,
1963 p, ssl->handshake->pmslen,
1964 ssl->out_msg + offset + len_bytes, olen,
1965 MBEDTLS_SSL_OUT_CONTENT_LEN - offset - len_bytes,
1966 ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
1967 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_rsa_pkcs1_encrypt", ret);
1968 return ret;
1969 }
1970
1971 if (len_bytes == 2) {
1972 MBEDTLS_PUT_UINT16_BE(*olen, ssl->out_msg, offset);
1973 *olen += 2;
1974 }
1975
1976 #if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
1977 /* We don't need the peer's public key anymore. Free it. */
1978 mbedtls_pk_free(peer_pk);
1979 #endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
1980 return 0;
1981 }
1982 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED ||
1983 MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
1984
1985 #if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
1986 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
1987 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_get_ecdh_params_from_cert(mbedtls_ssl_context * ssl)1988 static int ssl_get_ecdh_params_from_cert(mbedtls_ssl_context *ssl)
1989 {
1990 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1991 const mbedtls_ecp_keypair *peer_key;
1992 mbedtls_pk_context *peer_pk;
1993
1994 #if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
1995 peer_pk = &ssl->handshake->peer_pubkey;
1996 #else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
1997 if (ssl->session_negotiate->peer_cert == NULL) {
1998 /* Should never happen */
1999 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
2000 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
2001 }
2002 peer_pk = &ssl->session_negotiate->peer_cert->pk;
2003 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
2004
2005 /* This is a public key, so it can't be opaque, so can_do() is a good
2006 * enough check to ensure pk_ec() is safe to use below. */
2007 if (!mbedtls_pk_can_do(peer_pk, MBEDTLS_PK_ECKEY)) {
2008 MBEDTLS_SSL_DEBUG_MSG(1, ("server key not ECDH capable"));
2009 return MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH;
2010 }
2011
2012 peer_key = mbedtls_pk_ec(*peer_pk);
2013
2014 #if defined(MBEDTLS_USE_PSA_CRYPTO)
2015 size_t olen = 0;
2016 uint16_t tls_id = 0;
2017 psa_ecc_family_t ecc_family;
2018
2019 if (mbedtls_ssl_check_curve(ssl, peer_key->grp.id) != 0) {
2020 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server certificate (ECDH curve)"));
2021 return MBEDTLS_ERR_SSL_BAD_CERTIFICATE;
2022 }
2023
2024 tls_id = mbedtls_ssl_get_tls_id_from_ecp_group_id(peer_key->grp.id);
2025 if (tls_id == 0) {
2026 MBEDTLS_SSL_DEBUG_MSG(1, ("ECC group %u not suported",
2027 peer_key->grp.id));
2028 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
2029 }
2030
2031 /* If the above conversion to TLS ID was fine, then also this one will be,
2032 so there is no need to check the return value here */
2033 mbedtls_ssl_get_psa_curve_info_from_tls_id(tls_id, &ecc_family,
2034 &ssl->handshake->ecdh_bits);
2035
2036 ssl->handshake->ecdh_psa_type = PSA_KEY_TYPE_ECC_KEY_PAIR(ecc_family);
2037
2038 /* Store peer's public key in psa format. */
2039 ret = mbedtls_ecp_point_write_binary(&peer_key->grp, &peer_key->Q,
2040 MBEDTLS_ECP_PF_UNCOMPRESSED, &olen,
2041 ssl->handshake->ecdh_psa_peerkey,
2042 MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH);
2043
2044 if (ret != 0) {
2045 MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ecp_point_write_binary"), ret);
2046 return ret;
2047 }
2048
2049 ssl->handshake->ecdh_psa_peerkey_len = olen;
2050 #else
2051 if ((ret = mbedtls_ecdh_get_params(&ssl->handshake->ecdh_ctx, peer_key,
2052 MBEDTLS_ECDH_THEIRS)) != 0) {
2053 MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ecdh_get_params"), ret);
2054 return ret;
2055 }
2056
2057 if (ssl_check_server_ecdh_params(ssl) != 0) {
2058 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server certificate (ECDH curve)"));
2059 return MBEDTLS_ERR_SSL_BAD_CERTIFICATE;
2060 }
2061 #endif
2062 #if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
2063 /* We don't need the peer's public key anymore. Free it,
2064 * so that more RAM is available for upcoming expensive
2065 * operations like ECDHE. */
2066 mbedtls_pk_free(peer_pk);
2067 #endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
2068
2069 return ret;
2070 }
2071 #endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) ||
2072 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
2073
2074 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_parse_server_key_exchange(mbedtls_ssl_context * ssl)2075 static int ssl_parse_server_key_exchange(mbedtls_ssl_context *ssl)
2076 {
2077 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2078 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
2079 ssl->handshake->ciphersuite_info;
2080 unsigned char *p = NULL, *end = NULL;
2081
2082 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse server key exchange"));
2083
2084 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
2085 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA) {
2086 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse server key exchange"));
2087 ssl->state++;
2088 return 0;
2089 }
2090 ((void) p);
2091 ((void) end);
2092 #endif
2093
2094 #if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
2095 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
2096 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA ||
2097 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA) {
2098 if ((ret = ssl_get_ecdh_params_from_cert(ssl)) != 0) {
2099 MBEDTLS_SSL_DEBUG_RET(1, "ssl_get_ecdh_params_from_cert", ret);
2100 mbedtls_ssl_send_alert_message(
2101 ssl,
2102 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2103 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
2104 return ret;
2105 }
2106
2107 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse server key exchange"));
2108 ssl->state++;
2109 return 0;
2110 }
2111 ((void) p);
2112 ((void) end);
2113 #endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
2114 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
2115
2116 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
2117 if (ssl->handshake->ecrs_enabled &&
2118 ssl->handshake->ecrs_state == ssl_ecrs_ske_start_processing) {
2119 goto start_processing;
2120 }
2121 #endif
2122
2123 if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) {
2124 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);
2125 return ret;
2126 }
2127
2128 if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) {
2129 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server key exchange message"));
2130 mbedtls_ssl_send_alert_message(
2131 ssl,
2132 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2133 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE);
2134 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
2135 }
2136
2137 /*
2138 * ServerKeyExchange may be skipped with PSK and RSA-PSK when the server
2139 * doesn't use a psk_identity_hint
2140 */
2141 if (ssl->in_msg[0] != MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE) {
2142 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
2143 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK) {
2144 /* Current message is probably either
2145 * CertificateRequest or ServerHelloDone */
2146 ssl->keep_current_message = 1;
2147 goto exit;
2148 }
2149
2150 MBEDTLS_SSL_DEBUG_MSG(1,
2151 ("server key exchange message must not be skipped"));
2152 mbedtls_ssl_send_alert_message(
2153 ssl,
2154 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2155 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE);
2156
2157 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
2158 }
2159
2160 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
2161 if (ssl->handshake->ecrs_enabled) {
2162 ssl->handshake->ecrs_state = ssl_ecrs_ske_start_processing;
2163 }
2164
2165 start_processing:
2166 #endif
2167 p = ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl);
2168 end = ssl->in_msg + ssl->in_hslen;
2169 MBEDTLS_SSL_DEBUG_BUF(3, "server key exchange", p, end - p);
2170
2171 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
2172 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
2173 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
2174 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
2175 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK) {
2176 if (ssl_parse_server_psk_hint(ssl, &p, end) != 0) {
2177 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server key exchange message"));
2178 mbedtls_ssl_send_alert_message(
2179 ssl,
2180 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2181 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
2182 return MBEDTLS_ERR_SSL_DECODE_ERROR;
2183 }
2184 } /* FALLTHROUGH */
2185 #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
2186
2187 #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) || \
2188 defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
2189 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
2190 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK) {
2191 ; /* nothing more to do */
2192 } else
2193 #endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED ||
2194 MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
2195 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
2196 defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
2197 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA ||
2198 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK) {
2199 if (ssl_parse_server_dh_params(ssl, &p, end) != 0) {
2200 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server key exchange message"));
2201 mbedtls_ssl_send_alert_message(
2202 ssl,
2203 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2204 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
2205 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
2206 }
2207 } else
2208 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
2209 MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
2210 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2211 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
2212 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
2213 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
2214 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
2215 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA) {
2216 if (ssl_parse_server_ecdh_params(ssl, &p, end) != 0) {
2217 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server key exchange message"));
2218 mbedtls_ssl_send_alert_message(
2219 ssl,
2220 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2221 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
2222 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
2223 }
2224 } else
2225 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
2226 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED ||
2227 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
2228 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
2229 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE) {
2230 #if defined(MBEDTLS_USE_PSA_CRYPTO)
2231 /*
2232 * The first 3 bytes are:
2233 * [0] MBEDTLS_ECP_TLS_NAMED_CURVE
2234 * [1, 2] elliptic curve's TLS ID
2235 *
2236 * However since we only support secp256r1 for now, we check only
2237 * that TLS ID here
2238 */
2239 uint16_t read_tls_id = MBEDTLS_GET_UINT16_BE(p, 1);
2240 uint16_t exp_tls_id = mbedtls_ssl_get_tls_id_from_ecp_group_id(
2241 MBEDTLS_ECP_DP_SECP256R1);
2242
2243 if (exp_tls_id == 0) {
2244 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
2245 }
2246
2247 if ((*p != MBEDTLS_ECP_TLS_NAMED_CURVE) ||
2248 (read_tls_id != exp_tls_id)) {
2249 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
2250 }
2251
2252 p += 3;
2253
2254 if ((ret = mbedtls_psa_ecjpake_read_round(
2255 &ssl->handshake->psa_pake_ctx, p, end - p,
2256 MBEDTLS_ECJPAKE_ROUND_TWO)) != 0) {
2257 psa_destroy_key(ssl->handshake->psa_pake_password);
2258 psa_pake_abort(&ssl->handshake->psa_pake_ctx);
2259
2260 MBEDTLS_SSL_DEBUG_RET(1, "psa_pake_input round two", ret);
2261 mbedtls_ssl_send_alert_message(
2262 ssl,
2263 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2264 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
2265 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
2266 }
2267 #else
2268 ret = mbedtls_ecjpake_read_round_two(&ssl->handshake->ecjpake_ctx,
2269 p, end - p);
2270 if (ret != 0) {
2271 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_read_round_two", ret);
2272 mbedtls_ssl_send_alert_message(
2273 ssl,
2274 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2275 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
2276 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
2277 }
2278 #endif /* MBEDTLS_USE_PSA_CRYPTO */
2279 } else
2280 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
2281 {
2282 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
2283 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
2284 }
2285
2286 #if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
2287 if (mbedtls_ssl_ciphersuite_uses_server_signature(ciphersuite_info)) {
2288 size_t sig_len, hashlen;
2289 unsigned char hash[MBEDTLS_HASH_MAX_SIZE];
2290
2291 mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE;
2292 mbedtls_pk_type_t pk_alg = MBEDTLS_PK_NONE;
2293 unsigned char *params = ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl);
2294 size_t params_len = p - params;
2295 void *rs_ctx = NULL;
2296 uint16_t sig_alg;
2297
2298 mbedtls_pk_context *peer_pk;
2299
2300 #if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
2301 peer_pk = &ssl->handshake->peer_pubkey;
2302 #else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
2303 if (ssl->session_negotiate->peer_cert == NULL) {
2304 /* Should never happen */
2305 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
2306 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
2307 }
2308 peer_pk = &ssl->session_negotiate->peer_cert->pk;
2309 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
2310
2311 /*
2312 * Handle the digitally-signed structure
2313 */
2314 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
2315 sig_alg = MBEDTLS_GET_UINT16_BE(p, 0);
2316 if (mbedtls_ssl_get_pk_type_and_md_alg_from_sig_alg(
2317 sig_alg, &pk_alg, &md_alg) != 0 &&
2318 !mbedtls_ssl_sig_alg_is_offered(ssl, sig_alg) &&
2319 !mbedtls_ssl_sig_alg_is_supported(ssl, sig_alg)) {
2320 MBEDTLS_SSL_DEBUG_MSG(1,
2321 ("bad server key exchange message"));
2322 mbedtls_ssl_send_alert_message(
2323 ssl,
2324 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2325 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
2326 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
2327 }
2328 p += 2;
2329
2330 if (!mbedtls_pk_can_do(peer_pk, pk_alg)) {
2331 MBEDTLS_SSL_DEBUG_MSG(1,
2332 ("bad server key exchange message"));
2333 mbedtls_ssl_send_alert_message(
2334 ssl,
2335 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2336 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
2337 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
2338 }
2339
2340 /*
2341 * Read signature
2342 */
2343
2344 if (p > end - 2) {
2345 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server key exchange message"));
2346 mbedtls_ssl_send_alert_message(
2347 ssl,
2348 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2349 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
2350 return MBEDTLS_ERR_SSL_DECODE_ERROR;
2351 }
2352 sig_len = (p[0] << 8) | p[1];
2353 p += 2;
2354
2355 if (p != end - sig_len) {
2356 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server key exchange message"));
2357 mbedtls_ssl_send_alert_message(
2358 ssl,
2359 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2360 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
2361 return MBEDTLS_ERR_SSL_DECODE_ERROR;
2362 }
2363
2364 MBEDTLS_SSL_DEBUG_BUF(3, "signature", p, sig_len);
2365
2366 /*
2367 * Compute the hash that has been signed
2368 */
2369 if (md_alg != MBEDTLS_MD_NONE) {
2370 ret = mbedtls_ssl_get_key_exchange_md_tls1_2(ssl, hash, &hashlen,
2371 params, params_len,
2372 md_alg);
2373 if (ret != 0) {
2374 return ret;
2375 }
2376 } else {
2377 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
2378 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
2379 }
2380
2381 MBEDTLS_SSL_DEBUG_BUF(3, "parameters hash", hash, hashlen);
2382
2383 /*
2384 * Verify signature
2385 */
2386 if (!mbedtls_pk_can_do(peer_pk, pk_alg)) {
2387 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server key exchange message"));
2388 mbedtls_ssl_send_alert_message(
2389 ssl,
2390 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2391 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
2392 return MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH;
2393 }
2394
2395 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
2396 if (ssl->handshake->ecrs_enabled) {
2397 rs_ctx = &ssl->handshake->ecrs_ctx.pk;
2398 }
2399 #endif
2400
2401 #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
2402 if (pk_alg == MBEDTLS_PK_RSASSA_PSS) {
2403 mbedtls_pk_rsassa_pss_options rsassa_pss_options;
2404 rsassa_pss_options.mgf1_hash_id = md_alg;
2405 rsassa_pss_options.expected_salt_len =
2406 mbedtls_hash_info_get_size(md_alg);
2407 if (rsassa_pss_options.expected_salt_len == 0) {
2408 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
2409 }
2410
2411 ret = mbedtls_pk_verify_ext(pk_alg, &rsassa_pss_options,
2412 peer_pk,
2413 md_alg, hash, hashlen,
2414 p, sig_len);
2415 } else
2416 #endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */
2417 ret = mbedtls_pk_verify_restartable(peer_pk,
2418 md_alg, hash, hashlen, p, sig_len, rs_ctx);
2419
2420 if (ret != 0) {
2421 int send_alert_msg = 1;
2422 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
2423 send_alert_msg = (ret != MBEDTLS_ERR_ECP_IN_PROGRESS);
2424 #endif
2425 if (send_alert_msg) {
2426 mbedtls_ssl_send_alert_message(
2427 ssl,
2428 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2429 MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR);
2430 }
2431 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_verify", ret);
2432 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
2433 if (ret == MBEDTLS_ERR_ECP_IN_PROGRESS) {
2434 ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
2435 }
2436 #endif
2437 return ret;
2438 }
2439
2440 #if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
2441 /* We don't need the peer's public key anymore. Free it,
2442 * so that more RAM is available for upcoming expensive
2443 * operations like ECDHE. */
2444 mbedtls_pk_free(peer_pk);
2445 #endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
2446 }
2447 #endif /* MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED */
2448
2449 exit:
2450 ssl->state++;
2451
2452 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse server key exchange"));
2453
2454 return 0;
2455 }
2456
2457 #if !defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
2458 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_parse_certificate_request(mbedtls_ssl_context * ssl)2459 static int ssl_parse_certificate_request(mbedtls_ssl_context *ssl)
2460 {
2461 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
2462 ssl->handshake->ciphersuite_info;
2463
2464 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate request"));
2465
2466 if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) {
2467 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate request"));
2468 ssl->state++;
2469 return 0;
2470 }
2471
2472 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
2473 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
2474 }
2475 #else /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
2476 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_parse_certificate_request(mbedtls_ssl_context * ssl)2477 static int ssl_parse_certificate_request(mbedtls_ssl_context *ssl)
2478 {
2479 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2480 unsigned char *buf;
2481 size_t n = 0;
2482 size_t cert_type_len = 0, dn_len = 0;
2483 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
2484 ssl->handshake->ciphersuite_info;
2485 size_t sig_alg_len;
2486 #if defined(MBEDTLS_DEBUG_C)
2487 unsigned char *sig_alg;
2488 unsigned char *dn;
2489 #endif
2490
2491 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate request"));
2492
2493 if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) {
2494 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate request"));
2495 ssl->state++;
2496 return 0;
2497 }
2498
2499 if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) {
2500 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);
2501 return ret;
2502 }
2503
2504 if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) {
2505 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate request message"));
2506 mbedtls_ssl_send_alert_message(
2507 ssl,
2508 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2509 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE);
2510 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
2511 }
2512
2513 ssl->state++;
2514 ssl->handshake->client_auth =
2515 (ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE_REQUEST);
2516
2517 MBEDTLS_SSL_DEBUG_MSG(3, ("got %s certificate request",
2518 ssl->handshake->client_auth ? "a" : "no"));
2519
2520 if (ssl->handshake->client_auth == 0) {
2521 /* Current message is probably the ServerHelloDone */
2522 ssl->keep_current_message = 1;
2523 goto exit;
2524 }
2525
2526 /*
2527 * struct {
2528 * ClientCertificateType certificate_types<1..2^8-1>;
2529 * SignatureAndHashAlgorithm
2530 * supported_signature_algorithms<2^16-1>; -- TLS 1.2 only
2531 * DistinguishedName certificate_authorities<0..2^16-1>;
2532 * } CertificateRequest;
2533 *
2534 * Since we only support a single certificate on clients, let's just
2535 * ignore all the information that's supposed to help us pick a
2536 * certificate.
2537 *
2538 * We could check that our certificate matches the request, and bail out
2539 * if it doesn't, but it's simpler to just send the certificate anyway,
2540 * and give the server the opportunity to decide if it should terminate
2541 * the connection when it doesn't like our certificate.
2542 *
2543 * Same goes for the hash in TLS 1.2's signature_algorithms: at this
2544 * point we only have one hash available (see comments in
2545 * write_certificate_verify), so let's just use what we have.
2546 *
2547 * However, we still minimally parse the message to check it is at least
2548 * superficially sane.
2549 */
2550 buf = ssl->in_msg;
2551
2552 /* certificate_types */
2553 if (ssl->in_hslen <= mbedtls_ssl_hs_hdr_len(ssl)) {
2554 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate request message"));
2555 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2556 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
2557 return MBEDTLS_ERR_SSL_DECODE_ERROR;
2558 }
2559 cert_type_len = buf[mbedtls_ssl_hs_hdr_len(ssl)];
2560 n = cert_type_len;
2561
2562 /*
2563 * In the subsequent code there are two paths that read from buf:
2564 * * the length of the signature algorithms field (if minor version of
2565 * SSL is 3),
2566 * * distinguished name length otherwise.
2567 * Both reach at most the index:
2568 * ...hdr_len + 2 + n,
2569 * therefore the buffer length at this point must be greater than that
2570 * regardless of the actual code path.
2571 */
2572 if (ssl->in_hslen <= mbedtls_ssl_hs_hdr_len(ssl) + 2 + n) {
2573 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate request message"));
2574 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2575 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
2576 return MBEDTLS_ERR_SSL_DECODE_ERROR;
2577 }
2578
2579 /* supported_signature_algorithms */
2580 sig_alg_len = ((buf[mbedtls_ssl_hs_hdr_len(ssl) + 1 + n] << 8)
2581 | (buf[mbedtls_ssl_hs_hdr_len(ssl) + 2 + n]));
2582
2583 /*
2584 * The furthest access in buf is in the loop few lines below:
2585 * sig_alg[i + 1],
2586 * where:
2587 * sig_alg = buf + ...hdr_len + 3 + n,
2588 * max(i) = sig_alg_len - 1.
2589 * Therefore the furthest access is:
2590 * buf[...hdr_len + 3 + n + sig_alg_len - 1 + 1],
2591 * which reduces to:
2592 * buf[...hdr_len + 3 + n + sig_alg_len],
2593 * which is one less than we need the buf to be.
2594 */
2595 if (ssl->in_hslen <= mbedtls_ssl_hs_hdr_len(ssl) + 3 + n + sig_alg_len) {
2596 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate request message"));
2597 mbedtls_ssl_send_alert_message(
2598 ssl,
2599 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2600 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
2601 return MBEDTLS_ERR_SSL_DECODE_ERROR;
2602 }
2603
2604 #if defined(MBEDTLS_DEBUG_C)
2605 sig_alg = buf + mbedtls_ssl_hs_hdr_len(ssl) + 3 + n;
2606 for (size_t i = 0; i < sig_alg_len; i += 2) {
2607 MBEDTLS_SSL_DEBUG_MSG(3,
2608 ("Supported Signature Algorithm found: %02x %02x",
2609 sig_alg[i], sig_alg[i + 1]));
2610 }
2611 #endif
2612
2613 n += 2 + sig_alg_len;
2614
2615 /* certificate_authorities */
2616 dn_len = ((buf[mbedtls_ssl_hs_hdr_len(ssl) + 1 + n] << 8)
2617 | (buf[mbedtls_ssl_hs_hdr_len(ssl) + 2 + n]));
2618
2619 n += dn_len;
2620 if (ssl->in_hslen != mbedtls_ssl_hs_hdr_len(ssl) + 3 + n) {
2621 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate request message"));
2622 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2623 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
2624 return MBEDTLS_ERR_SSL_DECODE_ERROR;
2625 }
2626
2627 #if defined(MBEDTLS_DEBUG_C)
2628 dn = buf + mbedtls_ssl_hs_hdr_len(ssl) + 3 + n - dn_len;
2629 for (size_t i = 0, dni_len = 0; i < dn_len; i += 2 + dni_len) {
2630 unsigned char *p = dn + i + 2;
2631 mbedtls_x509_name name;
2632 size_t asn1_len;
2633 char s[MBEDTLS_X509_MAX_DN_NAME_SIZE];
2634 memset(&name, 0, sizeof(name));
2635 dni_len = MBEDTLS_GET_UINT16_BE(dn + i, 0);
2636 if (dni_len > dn_len - i - 2 ||
2637 mbedtls_asn1_get_tag(&p, p + dni_len, &asn1_len,
2638 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE) != 0 ||
2639 mbedtls_x509_get_name(&p, p + asn1_len, &name) != 0) {
2640 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate request message"));
2641 mbedtls_ssl_send_alert_message(
2642 ssl,
2643 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2644 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
2645 return MBEDTLS_ERR_SSL_DECODE_ERROR;
2646 }
2647 MBEDTLS_SSL_DEBUG_MSG(3,
2648 ("DN hint: %.*s",
2649 mbedtls_x509_dn_gets(s, sizeof(s), &name), s));
2650 mbedtls_asn1_free_named_data_list_shallow(name.next);
2651 }
2652 #endif
2653
2654 exit:
2655 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse certificate request"));
2656
2657 return 0;
2658 }
2659 #endif /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
2660
2661 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_parse_server_hello_done(mbedtls_ssl_context * ssl)2662 static int ssl_parse_server_hello_done(mbedtls_ssl_context *ssl)
2663 {
2664 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2665
2666 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse server hello done"));
2667
2668 if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) {
2669 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);
2670 return ret;
2671 }
2672
2673 if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) {
2674 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello done message"));
2675 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
2676 }
2677
2678 if (ssl->in_hslen != mbedtls_ssl_hs_hdr_len(ssl) ||
2679 ssl->in_msg[0] != MBEDTLS_SSL_HS_SERVER_HELLO_DONE) {
2680 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello done message"));
2681 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2682 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
2683 return MBEDTLS_ERR_SSL_DECODE_ERROR;
2684 }
2685
2686 ssl->state++;
2687
2688 #if defined(MBEDTLS_SSL_PROTO_DTLS)
2689 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
2690 mbedtls_ssl_recv_flight_completed(ssl);
2691 }
2692 #endif
2693
2694 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse server hello done"));
2695
2696 return 0;
2697 }
2698
2699 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_write_client_key_exchange(mbedtls_ssl_context * ssl)2700 static int ssl_write_client_key_exchange(mbedtls_ssl_context *ssl)
2701 {
2702 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2703
2704 size_t header_len;
2705 size_t content_len;
2706 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
2707 ssl->handshake->ciphersuite_info;
2708
2709 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write client key exchange"));
2710
2711 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
2712 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA) {
2713 /*
2714 * DHM key exchange -- send G^X mod P
2715 */
2716 content_len = mbedtls_dhm_get_len(&ssl->handshake->dhm_ctx);
2717
2718 MBEDTLS_PUT_UINT16_BE(content_len, ssl->out_msg, 4);
2719 header_len = 6;
2720
2721 ret = mbedtls_dhm_make_public(&ssl->handshake->dhm_ctx,
2722 (int) mbedtls_dhm_get_len(&ssl->handshake->dhm_ctx),
2723 &ssl->out_msg[header_len], content_len,
2724 ssl->conf->f_rng, ssl->conf->p_rng);
2725 if (ret != 0) {
2726 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_make_public", ret);
2727 return ret;
2728 }
2729
2730 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: X ", &ssl->handshake->dhm_ctx.X);
2731 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: GX", &ssl->handshake->dhm_ctx.GX);
2732
2733 if ((ret = mbedtls_dhm_calc_secret(&ssl->handshake->dhm_ctx,
2734 ssl->handshake->premaster,
2735 MBEDTLS_PREMASTER_SIZE,
2736 &ssl->handshake->pmslen,
2737 ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
2738 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_calc_secret", ret);
2739 return ret;
2740 }
2741
2742 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: K ", &ssl->handshake->dhm_ctx.K);
2743 } else
2744 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */
2745 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2746 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
2747 defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
2748 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
2749 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
2750 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ||
2751 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA ||
2752 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA) {
2753 #if defined(MBEDTLS_USE_PSA_CRYPTO)
2754 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
2755 psa_status_t destruction_status = PSA_ERROR_CORRUPTION_DETECTED;
2756 psa_key_attributes_t key_attributes;
2757
2758 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
2759
2760 header_len = 4;
2761
2762 MBEDTLS_SSL_DEBUG_MSG(1, ("Perform PSA-based ECDH computation."));
2763
2764 /*
2765 * Generate EC private key for ECDHE exchange.
2766 */
2767
2768 /* The master secret is obtained from the shared ECDH secret by
2769 * applying the TLS 1.2 PRF with a specific salt and label. While
2770 * the PSA Crypto API encourages combining key agreement schemes
2771 * such as ECDH with fixed KDFs such as TLS 1.2 PRF, it does not
2772 * yet support the provisioning of salt + label to the KDF.
2773 * For the time being, we therefore need to split the computation
2774 * of the ECDH secret and the application of the TLS 1.2 PRF. */
2775 key_attributes = psa_key_attributes_init();
2776 psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE);
2777 psa_set_key_algorithm(&key_attributes, PSA_ALG_ECDH);
2778 psa_set_key_type(&key_attributes, handshake->ecdh_psa_type);
2779 psa_set_key_bits(&key_attributes, handshake->ecdh_bits);
2780
2781 /* Generate ECDH private key. */
2782 status = psa_generate_key(&key_attributes,
2783 &handshake->ecdh_psa_privkey);
2784 if (status != PSA_SUCCESS) {
2785 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
2786 }
2787
2788 /* Export the public part of the ECDH private key from PSA.
2789 * The export format is an ECPoint structure as expected by TLS,
2790 * but we just need to add a length byte before that. */
2791 unsigned char *own_pubkey = ssl->out_msg + header_len + 1;
2792 unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
2793 size_t own_pubkey_max_len = (size_t) (end - own_pubkey);
2794 size_t own_pubkey_len;
2795
2796 status = psa_export_public_key(handshake->ecdh_psa_privkey,
2797 own_pubkey, own_pubkey_max_len,
2798 &own_pubkey_len);
2799 if (status != PSA_SUCCESS) {
2800 psa_destroy_key(handshake->ecdh_psa_privkey);
2801 handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
2802 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
2803 }
2804
2805 ssl->out_msg[header_len] = (unsigned char) own_pubkey_len;
2806 content_len = own_pubkey_len + 1;
2807
2808 /* The ECDH secret is the premaster secret used for key derivation. */
2809
2810 /* Compute ECDH shared secret. */
2811 status = psa_raw_key_agreement(PSA_ALG_ECDH,
2812 handshake->ecdh_psa_privkey,
2813 handshake->ecdh_psa_peerkey,
2814 handshake->ecdh_psa_peerkey_len,
2815 ssl->handshake->premaster,
2816 sizeof(ssl->handshake->premaster),
2817 &ssl->handshake->pmslen);
2818
2819 destruction_status = psa_destroy_key(handshake->ecdh_psa_privkey);
2820 handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
2821
2822 if (status != PSA_SUCCESS || destruction_status != PSA_SUCCESS) {
2823 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
2824 }
2825 #else
2826 /*
2827 * ECDH key exchange -- send client public value
2828 */
2829 header_len = 4;
2830
2831 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
2832 if (ssl->handshake->ecrs_enabled) {
2833 if (ssl->handshake->ecrs_state == ssl_ecrs_cke_ecdh_calc_secret) {
2834 goto ecdh_calc_secret;
2835 }
2836
2837 mbedtls_ecdh_enable_restart(&ssl->handshake->ecdh_ctx);
2838 }
2839 #endif
2840
2841 ret = mbedtls_ecdh_make_public(&ssl->handshake->ecdh_ctx,
2842 &content_len,
2843 &ssl->out_msg[header_len], 1000,
2844 ssl->conf->f_rng, ssl->conf->p_rng);
2845 if (ret != 0) {
2846 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_make_public", ret);
2847 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
2848 if (ret == MBEDTLS_ERR_ECP_IN_PROGRESS) {
2849 ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
2850 }
2851 #endif
2852 return ret;
2853 }
2854
2855 MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx,
2856 MBEDTLS_DEBUG_ECDH_Q);
2857
2858 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
2859 if (ssl->handshake->ecrs_enabled) {
2860 ssl->handshake->ecrs_n = content_len;
2861 ssl->handshake->ecrs_state = ssl_ecrs_cke_ecdh_calc_secret;
2862 }
2863
2864 ecdh_calc_secret:
2865 if (ssl->handshake->ecrs_enabled) {
2866 content_len = ssl->handshake->ecrs_n;
2867 }
2868 #endif
2869 if ((ret = mbedtls_ecdh_calc_secret(&ssl->handshake->ecdh_ctx,
2870 &ssl->handshake->pmslen,
2871 ssl->handshake->premaster,
2872 MBEDTLS_MPI_MAX_SIZE,
2873 ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
2874 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_calc_secret", ret);
2875 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
2876 if (ret == MBEDTLS_ERR_ECP_IN_PROGRESS) {
2877 ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
2878 }
2879 #endif
2880 return ret;
2881 }
2882
2883 MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx,
2884 MBEDTLS_DEBUG_ECDH_Z);
2885 #endif /* MBEDTLS_USE_PSA_CRYPTO */
2886 } else
2887 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
2888 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
2889 MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
2890 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
2891 #if defined(MBEDTLS_USE_PSA_CRYPTO) && \
2892 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
2893 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK) {
2894 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
2895 psa_status_t destruction_status = PSA_ERROR_CORRUPTION_DETECTED;
2896 psa_key_attributes_t key_attributes;
2897
2898 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
2899
2900 /*
2901 * opaque psk_identity<0..2^16-1>;
2902 */
2903 if (mbedtls_ssl_conf_has_static_psk(ssl->conf) == 0) {
2904 /* We don't offer PSK suites if we don't have a PSK,
2905 * and we check that the server's choice is among the
2906 * ciphersuites we offered, so this should never happen. */
2907 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
2908 }
2909
2910 /* uint16 to store content length */
2911 const size_t content_len_size = 2;
2912
2913 header_len = 4;
2914
2915 if (header_len + content_len_size + ssl->conf->psk_identity_len
2916 > MBEDTLS_SSL_OUT_CONTENT_LEN) {
2917 MBEDTLS_SSL_DEBUG_MSG(1,
2918 ("psk identity too long or SSL buffer too short"));
2919 return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
2920 }
2921
2922 unsigned char *p = ssl->out_msg + header_len;
2923
2924 *p++ = MBEDTLS_BYTE_1(ssl->conf->psk_identity_len);
2925 *p++ = MBEDTLS_BYTE_0(ssl->conf->psk_identity_len);
2926 header_len += content_len_size;
2927
2928 memcpy(p, ssl->conf->psk_identity,
2929 ssl->conf->psk_identity_len);
2930 p += ssl->conf->psk_identity_len;
2931
2932 header_len += ssl->conf->psk_identity_len;
2933
2934 MBEDTLS_SSL_DEBUG_MSG(1, ("Perform PSA-based ECDH computation."));
2935
2936 /*
2937 * Generate EC private key for ECDHE exchange.
2938 */
2939
2940 /* The master secret is obtained from the shared ECDH secret by
2941 * applying the TLS 1.2 PRF with a specific salt and label. While
2942 * the PSA Crypto API encourages combining key agreement schemes
2943 * such as ECDH with fixed KDFs such as TLS 1.2 PRF, it does not
2944 * yet support the provisioning of salt + label to the KDF.
2945 * For the time being, we therefore need to split the computation
2946 * of the ECDH secret and the application of the TLS 1.2 PRF. */
2947 key_attributes = psa_key_attributes_init();
2948 psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE);
2949 psa_set_key_algorithm(&key_attributes, PSA_ALG_ECDH);
2950 psa_set_key_type(&key_attributes, handshake->ecdh_psa_type);
2951 psa_set_key_bits(&key_attributes, handshake->ecdh_bits);
2952
2953 /* Generate ECDH private key. */
2954 status = psa_generate_key(&key_attributes,
2955 &handshake->ecdh_psa_privkey);
2956 if (status != PSA_SUCCESS) {
2957 return PSA_TO_MBEDTLS_ERR(status);
2958 }
2959
2960 /* Export the public part of the ECDH private key from PSA.
2961 * The export format is an ECPoint structure as expected by TLS,
2962 * but we just need to add a length byte before that. */
2963 unsigned char *own_pubkey = p + 1;
2964 unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
2965 size_t own_pubkey_max_len = (size_t) (end - own_pubkey);
2966 size_t own_pubkey_len = 0;
2967
2968 status = psa_export_public_key(handshake->ecdh_psa_privkey,
2969 own_pubkey, own_pubkey_max_len,
2970 &own_pubkey_len);
2971 if (status != PSA_SUCCESS) {
2972 psa_destroy_key(handshake->ecdh_psa_privkey);
2973 handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
2974 return PSA_TO_MBEDTLS_ERR(status);
2975 }
2976
2977 *p = (unsigned char) own_pubkey_len;
2978 content_len = own_pubkey_len + 1;
2979
2980 /* As RFC 5489 section 2, the premaster secret is formed as follows:
2981 * - a uint16 containing the length (in octets) of the ECDH computation
2982 * - the octet string produced by the ECDH computation
2983 * - a uint16 containing the length (in octets) of the PSK
2984 * - the PSK itself
2985 */
2986 unsigned char *pms = ssl->handshake->premaster;
2987 const unsigned char * const pms_end = pms +
2988 sizeof(ssl->handshake->premaster);
2989 /* uint16 to store length (in octets) of the ECDH computation */
2990 const size_t zlen_size = 2;
2991 size_t zlen = 0;
2992
2993 /* Perform ECDH computation after the uint16 reserved for the length */
2994 status = psa_raw_key_agreement(PSA_ALG_ECDH,
2995 handshake->ecdh_psa_privkey,
2996 handshake->ecdh_psa_peerkey,
2997 handshake->ecdh_psa_peerkey_len,
2998 pms + zlen_size,
2999 pms_end - (pms + zlen_size),
3000 &zlen);
3001
3002 destruction_status = psa_destroy_key(handshake->ecdh_psa_privkey);
3003 handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
3004
3005 if (status != PSA_SUCCESS) {
3006 return PSA_TO_MBEDTLS_ERR(status);
3007 } else if (destruction_status != PSA_SUCCESS) {
3008 return PSA_TO_MBEDTLS_ERR(destruction_status);
3009 }
3010
3011 /* Write the ECDH computation length before the ECDH computation */
3012 MBEDTLS_PUT_UINT16_BE(zlen, pms, 0);
3013 pms += zlen_size + zlen;
3014 } else
3015 #endif /* MBEDTLS_USE_PSA_CRYPTO &&
3016 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
3017 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
3018 if (mbedtls_ssl_ciphersuite_uses_psk(ciphersuite_info)) {
3019 /*
3020 * opaque psk_identity<0..2^16-1>;
3021 */
3022 if (mbedtls_ssl_conf_has_static_psk(ssl->conf) == 0) {
3023 /* We don't offer PSK suites if we don't have a PSK,
3024 * and we check that the server's choice is among the
3025 * ciphersuites we offered, so this should never happen. */
3026 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
3027 }
3028
3029 header_len = 4;
3030 content_len = ssl->conf->psk_identity_len;
3031
3032 if (header_len + 2 + content_len > MBEDTLS_SSL_OUT_CONTENT_LEN) {
3033 MBEDTLS_SSL_DEBUG_MSG(1,
3034 ("psk identity too long or SSL buffer too short"));
3035 return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
3036 }
3037
3038 ssl->out_msg[header_len++] = MBEDTLS_BYTE_1(content_len);
3039 ssl->out_msg[header_len++] = MBEDTLS_BYTE_0(content_len);
3040
3041 memcpy(ssl->out_msg + header_len,
3042 ssl->conf->psk_identity,
3043 ssl->conf->psk_identity_len);
3044 header_len += ssl->conf->psk_identity_len;
3045
3046 #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
3047 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK) {
3048 content_len = 0;
3049 } else
3050 #endif
3051 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
3052 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK) {
3053 if ((ret = ssl_write_encrypted_pms(ssl, header_len,
3054 &content_len, 2)) != 0) {
3055 return ret;
3056 }
3057 } else
3058 #endif
3059 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
3060 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK) {
3061 /*
3062 * ClientDiffieHellmanPublic public (DHM send G^X mod P)
3063 */
3064 content_len = mbedtls_dhm_get_len(&ssl->handshake->dhm_ctx);
3065
3066 if (header_len + 2 + content_len >
3067 MBEDTLS_SSL_OUT_CONTENT_LEN) {
3068 MBEDTLS_SSL_DEBUG_MSG(1,
3069 ("psk identity or DHM size too long or SSL buffer too short"));
3070 return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
3071 }
3072
3073 ssl->out_msg[header_len++] = MBEDTLS_BYTE_1(content_len);
3074 ssl->out_msg[header_len++] = MBEDTLS_BYTE_0(content_len);
3075
3076 ret = mbedtls_dhm_make_public(&ssl->handshake->dhm_ctx,
3077 (int) mbedtls_dhm_get_len(&ssl->handshake->dhm_ctx),
3078 &ssl->out_msg[header_len], content_len,
3079 ssl->conf->f_rng, ssl->conf->p_rng);
3080 if (ret != 0) {
3081 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_make_public", ret);
3082 return ret;
3083 }
3084
3085 #if defined(MBEDTLS_USE_PSA_CRYPTO)
3086 unsigned char *pms = ssl->handshake->premaster;
3087 unsigned char *pms_end = pms + sizeof(ssl->handshake->premaster);
3088 size_t pms_len;
3089
3090 /* Write length only when we know the actual value */
3091 if ((ret = mbedtls_dhm_calc_secret(&ssl->handshake->dhm_ctx,
3092 pms + 2, pms_end - (pms + 2), &pms_len,
3093 ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
3094 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_calc_secret", ret);
3095 return ret;
3096 }
3097 MBEDTLS_PUT_UINT16_BE(pms_len, pms, 0);
3098 pms += 2 + pms_len;
3099
3100 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: K ", &ssl->handshake->dhm_ctx.K);
3101 #endif
3102 } else
3103 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
3104 #if !defined(MBEDTLS_USE_PSA_CRYPTO) && \
3105 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
3106 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK) {
3107 /*
3108 * ClientECDiffieHellmanPublic public;
3109 */
3110 ret = mbedtls_ecdh_make_public(&ssl->handshake->ecdh_ctx,
3111 &content_len,
3112 &ssl->out_msg[header_len],
3113 MBEDTLS_SSL_OUT_CONTENT_LEN - header_len,
3114 ssl->conf->f_rng, ssl->conf->p_rng);
3115 if (ret != 0) {
3116 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_make_public", ret);
3117 return ret;
3118 }
3119
3120 MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx,
3121 MBEDTLS_DEBUG_ECDH_Q);
3122 } else
3123 #endif /* !MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
3124 {
3125 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
3126 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
3127 }
3128
3129 #if !defined(MBEDTLS_USE_PSA_CRYPTO)
3130 if ((ret = mbedtls_ssl_psk_derive_premaster(ssl,
3131 ciphersuite_info->key_exchange)) != 0) {
3132 MBEDTLS_SSL_DEBUG_RET(1,
3133 "mbedtls_ssl_psk_derive_premaster", ret);
3134 return ret;
3135 }
3136 #endif /* !MBEDTLS_USE_PSA_CRYPTO */
3137 } else
3138 #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
3139 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
3140 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA) {
3141 header_len = 4;
3142 if ((ret = ssl_write_encrypted_pms(ssl, header_len,
3143 &content_len, 0)) != 0) {
3144 return ret;
3145 }
3146 } else
3147 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
3148 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
3149 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE) {
3150 header_len = 4;
3151
3152 #if defined(MBEDTLS_USE_PSA_CRYPTO)
3153 unsigned char *out_p = ssl->out_msg + header_len;
3154 unsigned char *end_p = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN -
3155 header_len;
3156 ret = mbedtls_psa_ecjpake_write_round(&ssl->handshake->psa_pake_ctx,
3157 out_p, end_p - out_p, &content_len,
3158 MBEDTLS_ECJPAKE_ROUND_TWO);
3159 if (ret != 0) {
3160 psa_destroy_key(ssl->handshake->psa_pake_password);
3161 psa_pake_abort(&ssl->handshake->psa_pake_ctx);
3162 MBEDTLS_SSL_DEBUG_RET(1, "psa_pake_output", ret);
3163 return ret;
3164 }
3165 #else
3166 ret = mbedtls_ecjpake_write_round_two(&ssl->handshake->ecjpake_ctx,
3167 ssl->out_msg + header_len,
3168 MBEDTLS_SSL_OUT_CONTENT_LEN - header_len,
3169 &content_len,
3170 ssl->conf->f_rng, ssl->conf->p_rng);
3171 if (ret != 0) {
3172 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_write_round_two", ret);
3173 return ret;
3174 }
3175
3176 ret = mbedtls_ecjpake_derive_secret(&ssl->handshake->ecjpake_ctx,
3177 ssl->handshake->premaster, 32, &ssl->handshake->pmslen,
3178 ssl->conf->f_rng, ssl->conf->p_rng);
3179 if (ret != 0) {
3180 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_derive_secret", ret);
3181 return ret;
3182 }
3183 #endif /* MBEDTLS_USE_PSA_CRYPTO */
3184 } else
3185 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
3186 {
3187 ((void) ciphersuite_info);
3188 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
3189 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
3190 }
3191
3192 ssl->out_msglen = header_len + content_len;
3193 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
3194 ssl->out_msg[0] = MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE;
3195
3196 ssl->state++;
3197
3198 if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
3199 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
3200 return ret;
3201 }
3202
3203 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write client key exchange"));
3204
3205 return 0;
3206 }
3207
3208 #if !defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
3209 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_write_certificate_verify(mbedtls_ssl_context * ssl)3210 static int ssl_write_certificate_verify(mbedtls_ssl_context *ssl)
3211 {
3212 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
3213 ssl->handshake->ciphersuite_info;
3214 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
3215
3216 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate verify"));
3217
3218 if ((ret = mbedtls_ssl_derive_keys(ssl)) != 0) {
3219 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_derive_keys", ret);
3220 return ret;
3221 }
3222
3223 if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) {
3224 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate verify"));
3225 ssl->state++;
3226 return 0;
3227 }
3228
3229 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
3230 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
3231 }
3232 #else /* !MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
3233 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_write_certificate_verify(mbedtls_ssl_context * ssl)3234 static int ssl_write_certificate_verify(mbedtls_ssl_context *ssl)
3235 {
3236 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
3237 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
3238 ssl->handshake->ciphersuite_info;
3239 size_t n = 0, offset = 0;
3240 unsigned char hash[48];
3241 unsigned char *hash_start = hash;
3242 mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE;
3243 size_t hashlen;
3244 void *rs_ctx = NULL;
3245 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
3246 size_t out_buf_len = ssl->out_buf_len - (ssl->out_msg - ssl->out_buf);
3247 #else
3248 size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN - (ssl->out_msg - ssl->out_buf);
3249 #endif
3250
3251 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate verify"));
3252
3253 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
3254 if (ssl->handshake->ecrs_enabled &&
3255 ssl->handshake->ecrs_state == ssl_ecrs_crt_vrfy_sign) {
3256 goto sign;
3257 }
3258 #endif
3259
3260 if ((ret = mbedtls_ssl_derive_keys(ssl)) != 0) {
3261 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_derive_keys", ret);
3262 return ret;
3263 }
3264
3265 if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) {
3266 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate verify"));
3267 ssl->state++;
3268 return 0;
3269 }
3270
3271 if (ssl->handshake->client_auth == 0 ||
3272 mbedtls_ssl_own_cert(ssl) == NULL) {
3273 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate verify"));
3274 ssl->state++;
3275 return 0;
3276 }
3277
3278 if (mbedtls_ssl_own_key(ssl) == NULL) {
3279 MBEDTLS_SSL_DEBUG_MSG(1, ("got no private key for certificate"));
3280 return MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED;
3281 }
3282
3283 /*
3284 * Make a signature of the handshake digests
3285 */
3286 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
3287 if (ssl->handshake->ecrs_enabled) {
3288 ssl->handshake->ecrs_state = ssl_ecrs_crt_vrfy_sign;
3289 }
3290
3291 sign:
3292 #endif
3293
3294 ret = ssl->handshake->calc_verify(ssl, hash, &hashlen);
3295 if (0 != ret) {
3296 MBEDTLS_SSL_DEBUG_RET(1, ("calc_verify"), ret);
3297 return ret;
3298 }
3299
3300 /*
3301 * digitally-signed struct {
3302 * opaque handshake_messages[handshake_messages_length];
3303 * };
3304 *
3305 * Taking shortcut here. We assume that the server always allows the
3306 * PRF Hash function and has sent it in the allowed signature
3307 * algorithms list received in the Certificate Request message.
3308 *
3309 * Until we encounter a server that does not, we will take this
3310 * shortcut.
3311 *
3312 * Reason: Otherwise we should have running hashes for SHA512 and
3313 * SHA224 in order to satisfy 'weird' needs from the server
3314 * side.
3315 */
3316 if (ssl->handshake->ciphersuite_info->mac == MBEDTLS_MD_SHA384) {
3317 md_alg = MBEDTLS_MD_SHA384;
3318 ssl->out_msg[4] = MBEDTLS_SSL_HASH_SHA384;
3319 } else {
3320 md_alg = MBEDTLS_MD_SHA256;
3321 ssl->out_msg[4] = MBEDTLS_SSL_HASH_SHA256;
3322 }
3323 ssl->out_msg[5] = mbedtls_ssl_sig_from_pk(mbedtls_ssl_own_key(ssl));
3324
3325 /* Info from md_alg will be used instead */
3326 hashlen = 0;
3327 offset = 2;
3328
3329 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
3330 if (ssl->handshake->ecrs_enabled) {
3331 rs_ctx = &ssl->handshake->ecrs_ctx.pk;
3332 }
3333 #endif
3334
3335 if ((ret = mbedtls_pk_sign_restartable(mbedtls_ssl_own_key(ssl),
3336 md_alg, hash_start, hashlen,
3337 ssl->out_msg + 6 + offset,
3338 out_buf_len - 6 - offset,
3339 &n,
3340 ssl->conf->f_rng, ssl->conf->p_rng, rs_ctx)) != 0) {
3341 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_sign", ret);
3342 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
3343 if (ret == MBEDTLS_ERR_ECP_IN_PROGRESS) {
3344 ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
3345 }
3346 #endif
3347 return ret;
3348 }
3349
3350 MBEDTLS_PUT_UINT16_BE(n, ssl->out_msg, offset + 4);
3351
3352 ssl->out_msglen = 6 + n + offset;
3353 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
3354 ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE_VERIFY;
3355
3356 ssl->state++;
3357
3358 if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
3359 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
3360 return ret;
3361 }
3362
3363 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write certificate verify"));
3364
3365 return ret;
3366 }
3367 #endif /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
3368
3369 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
3370 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_parse_new_session_ticket(mbedtls_ssl_context * ssl)3371 static int ssl_parse_new_session_ticket(mbedtls_ssl_context *ssl)
3372 {
3373 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
3374 uint32_t lifetime;
3375 size_t ticket_len;
3376 unsigned char *ticket;
3377 const unsigned char *msg;
3378
3379 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse new session ticket"));
3380
3381 if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) {
3382 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);
3383 return ret;
3384 }
3385
3386 if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) {
3387 MBEDTLS_SSL_DEBUG_MSG(1, ("bad new session ticket message"));
3388 mbedtls_ssl_send_alert_message(
3389 ssl,
3390 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3391 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE);
3392 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
3393 }
3394
3395 /*
3396 * struct {
3397 * uint32 ticket_lifetime_hint;
3398 * opaque ticket<0..2^16-1>;
3399 * } NewSessionTicket;
3400 *
3401 * 0 . 3 ticket_lifetime_hint
3402 * 4 . 5 ticket_len (n)
3403 * 6 . 5+n ticket content
3404 */
3405 if (ssl->in_msg[0] != MBEDTLS_SSL_HS_NEW_SESSION_TICKET ||
3406 ssl->in_hslen < 6 + mbedtls_ssl_hs_hdr_len(ssl)) {
3407 MBEDTLS_SSL_DEBUG_MSG(1, ("bad new session ticket message"));
3408 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3409 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
3410 return MBEDTLS_ERR_SSL_DECODE_ERROR;
3411 }
3412
3413 msg = ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl);
3414
3415 lifetime = (((uint32_t) msg[0]) << 24) | (msg[1] << 16) |
3416 (msg[2] << 8) | (msg[3]);
3417
3418 ticket_len = (msg[4] << 8) | (msg[5]);
3419
3420 if (ticket_len + 6 + mbedtls_ssl_hs_hdr_len(ssl) != ssl->in_hslen) {
3421 MBEDTLS_SSL_DEBUG_MSG(1, ("bad new session ticket message"));
3422 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3423 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
3424 return MBEDTLS_ERR_SSL_DECODE_ERROR;
3425 }
3426
3427 MBEDTLS_SSL_DEBUG_MSG(3, ("ticket length: %" MBEDTLS_PRINTF_SIZET, ticket_len));
3428
3429 /* We're not waiting for a NewSessionTicket message any more */
3430 ssl->handshake->new_session_ticket = 0;
3431 ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC;
3432
3433 /*
3434 * Zero-length ticket means the server changed his mind and doesn't want
3435 * to send a ticket after all, so just forget it
3436 */
3437 if (ticket_len == 0) {
3438 return 0;
3439 }
3440
3441 if (ssl->session != NULL && ssl->session->ticket != NULL) {
3442 mbedtls_platform_zeroize(ssl->session->ticket,
3443 ssl->session->ticket_len);
3444 mbedtls_free(ssl->session->ticket);
3445 ssl->session->ticket = NULL;
3446 ssl->session->ticket_len = 0;
3447 }
3448
3449 mbedtls_platform_zeroize(ssl->session_negotiate->ticket,
3450 ssl->session_negotiate->ticket_len);
3451 mbedtls_free(ssl->session_negotiate->ticket);
3452 ssl->session_negotiate->ticket = NULL;
3453 ssl->session_negotiate->ticket_len = 0;
3454
3455 if ((ticket = mbedtls_calloc(1, ticket_len)) == NULL) {
3456 MBEDTLS_SSL_DEBUG_MSG(1, ("ticket alloc failed"));
3457 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3458 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR);
3459 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
3460 }
3461
3462 memcpy(ticket, msg + 6, ticket_len);
3463
3464 ssl->session_negotiate->ticket = ticket;
3465 ssl->session_negotiate->ticket_len = ticket_len;
3466 ssl->session_negotiate->ticket_lifetime = lifetime;
3467
3468 /*
3469 * RFC 5077 section 3.4:
3470 * "If the client receives a session ticket from the server, then it
3471 * discards any Session ID that was sent in the ServerHello."
3472 */
3473 MBEDTLS_SSL_DEBUG_MSG(3, ("ticket in use, discarding session id"));
3474 ssl->session_negotiate->id_len = 0;
3475
3476 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse new session ticket"));
3477
3478 return 0;
3479 }
3480 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
3481
3482 /*
3483 * SSL handshake -- client side -- single step
3484 */
mbedtls_ssl_handshake_client_step(mbedtls_ssl_context * ssl)3485 int mbedtls_ssl_handshake_client_step(mbedtls_ssl_context *ssl)
3486 {
3487 int ret = 0;
3488
3489 /* Change state now, so that it is right in mbedtls_ssl_read_record(), used
3490 * by DTLS for dropping out-of-sequence ChangeCipherSpec records */
3491 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
3492 if (ssl->state == MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC &&
3493 ssl->handshake->new_session_ticket != 0) {
3494 ssl->state = MBEDTLS_SSL_NEW_SESSION_TICKET;
3495 }
3496 #endif
3497
3498 switch (ssl->state) {
3499 case MBEDTLS_SSL_HELLO_REQUEST:
3500 ssl->state = MBEDTLS_SSL_CLIENT_HELLO;
3501 break;
3502
3503 /*
3504 * ==> ClientHello
3505 */
3506 case MBEDTLS_SSL_CLIENT_HELLO:
3507 ret = mbedtls_ssl_write_client_hello(ssl);
3508 break;
3509
3510 /*
3511 * <== ServerHello
3512 * Certificate
3513 * ( ServerKeyExchange )
3514 * ( CertificateRequest )
3515 * ServerHelloDone
3516 */
3517 case MBEDTLS_SSL_SERVER_HELLO:
3518 ret = ssl_parse_server_hello(ssl);
3519 break;
3520
3521 case MBEDTLS_SSL_SERVER_CERTIFICATE:
3522 ret = mbedtls_ssl_parse_certificate(ssl);
3523 break;
3524
3525 case MBEDTLS_SSL_SERVER_KEY_EXCHANGE:
3526 ret = ssl_parse_server_key_exchange(ssl);
3527 break;
3528
3529 case MBEDTLS_SSL_CERTIFICATE_REQUEST:
3530 ret = ssl_parse_certificate_request(ssl);
3531 break;
3532
3533 case MBEDTLS_SSL_SERVER_HELLO_DONE:
3534 ret = ssl_parse_server_hello_done(ssl);
3535 break;
3536
3537 /*
3538 * ==> ( Certificate/Alert )
3539 * ClientKeyExchange
3540 * ( CertificateVerify )
3541 * ChangeCipherSpec
3542 * Finished
3543 */
3544 case MBEDTLS_SSL_CLIENT_CERTIFICATE:
3545 ret = mbedtls_ssl_write_certificate(ssl);
3546 break;
3547
3548 case MBEDTLS_SSL_CLIENT_KEY_EXCHANGE:
3549 ret = ssl_write_client_key_exchange(ssl);
3550 break;
3551
3552 case MBEDTLS_SSL_CERTIFICATE_VERIFY:
3553 ret = ssl_write_certificate_verify(ssl);
3554 break;
3555
3556 case MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC:
3557 ret = mbedtls_ssl_write_change_cipher_spec(ssl);
3558 break;
3559
3560 case MBEDTLS_SSL_CLIENT_FINISHED:
3561 ret = mbedtls_ssl_write_finished(ssl);
3562 break;
3563
3564 /*
3565 * <== ( NewSessionTicket )
3566 * ChangeCipherSpec
3567 * Finished
3568 */
3569 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
3570 case MBEDTLS_SSL_NEW_SESSION_TICKET:
3571 ret = ssl_parse_new_session_ticket(ssl);
3572 break;
3573 #endif
3574
3575 case MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC:
3576 ret = mbedtls_ssl_parse_change_cipher_spec(ssl);
3577 break;
3578
3579 case MBEDTLS_SSL_SERVER_FINISHED:
3580 ret = mbedtls_ssl_parse_finished(ssl);
3581 break;
3582
3583 case MBEDTLS_SSL_FLUSH_BUFFERS:
3584 MBEDTLS_SSL_DEBUG_MSG(2, ("handshake: done"));
3585 ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
3586 break;
3587
3588 case MBEDTLS_SSL_HANDSHAKE_WRAPUP:
3589 mbedtls_ssl_handshake_wrapup(ssl);
3590 break;
3591
3592 default:
3593 MBEDTLS_SSL_DEBUG_MSG(1, ("invalid state %d", ssl->state));
3594 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3595 }
3596
3597 return ret;
3598 }
3599
3600 #endif /* MBEDTLS_SSL_CLI_C && MBEDTLS_SSL_PROTO_TLS1_2 */
3601
