1 /* 2 * TLS client-side functions 3 * 4 * Copyright The Mbed TLS Contributors 5 * SPDX-License-Identifier: Apache-2.0 6 * 7 * Licensed under the Apache License, Version 2.0 (the "License"); you may 8 * not use this file except in compliance with the License. 9 * You may obtain a copy of the License at 10 * 11 * http://www.apache.org/licenses/LICENSE-2.0 12 * 13 * Unless required by applicable law or agreed to in writing, software 14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 16 * See the License for the specific language governing permissions and 17 * limitations under the License. 18 */ 19 20 #include "common.h" 21 22 #if defined(MBEDTLS_SSL_CLI_C) && defined(MBEDTLS_SSL_PROTO_TLS1_2) 23 24 #include "mbedtls/platform.h" 25 26 #include "mbedtls/ssl.h" 27 #include "ssl_client.h" 28 #include "ssl_misc.h" 29 #include "mbedtls/debug.h" 30 #include "mbedtls/error.h" 31 #include "mbedtls/constant_time.h" 32 33 #if defined(MBEDTLS_USE_PSA_CRYPTO) 34 #include "mbedtls/psa_util.h" 35 #include "psa/crypto.h" 36 #define PSA_TO_MBEDTLS_ERR(status) PSA_TO_MBEDTLS_ERR_LIST(status, \ 37 psa_to_ssl_errors, \ 38 psa_generic_status_to_mbedtls) 39 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 40 41 #include <string.h> 42 43 #include <stdint.h> 44 45 #if defined(MBEDTLS_HAVE_TIME) 46 #include "mbedtls/platform_time.h" 47 #endif 48 49 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 50 #include "mbedtls/platform_util.h" 51 #endif 52 53 #include "hash_info.h" 54 55 #if defined(MBEDTLS_SSL_RENEGOTIATION) 56 MBEDTLS_CHECK_RETURN_CRITICAL 57 static int ssl_write_renegotiation_ext(mbedtls_ssl_context *ssl, 58 unsigned char *buf, 59 const unsigned char *end, 60 size_t *olen) 61 { 62 unsigned char *p = buf; 63 64 *olen = 0; 65 66 /* We're always including a TLS_EMPTY_RENEGOTIATION_INFO_SCSV in the 67 * initial ClientHello, in which case also adding the renegotiation 68 * info extension is NOT RECOMMENDED as per RFC 5746 Section 3.4. */ 69 if (ssl->renego_status != MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) { 70 return 0; 71 } 72 73 MBEDTLS_SSL_DEBUG_MSG(3, 74 ("client hello, adding renegotiation extension")); 75 76 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 5 + ssl->verify_data_len); 77 78 /* 79 * Secure renegotiation 80 */ 81 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_RENEGOTIATION_INFO, p, 0); 82 p += 2; 83 84 *p++ = 0x00; 85 *p++ = MBEDTLS_BYTE_0(ssl->verify_data_len + 1); 86 *p++ = MBEDTLS_BYTE_0(ssl->verify_data_len); 87 88 memcpy(p, ssl->own_verify_data, ssl->verify_data_len); 89 90 *olen = 5 + ssl->verify_data_len; 91 92 return 0; 93 } 94 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 95 96 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ 97 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 98 99 MBEDTLS_CHECK_RETURN_CRITICAL 100 static int ssl_write_supported_point_formats_ext(mbedtls_ssl_context *ssl, 101 unsigned char *buf, 102 const unsigned char *end, 103 size_t *olen) 104 { 105 unsigned char *p = buf; 106 (void) ssl; /* ssl used for debugging only */ 107 108 *olen = 0; 109 110 MBEDTLS_SSL_DEBUG_MSG(3, 111 ("client hello, adding supported_point_formats extension")); 112 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 6); 113 114 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS, p, 0); 115 p += 2; 116 117 *p++ = 0x00; 118 *p++ = 2; 119 120 *p++ = 1; 121 *p++ = MBEDTLS_ECP_PF_UNCOMPRESSED; 122 123 *olen = 6; 124 125 return 0; 126 } 127 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || 128 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 129 130 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 131 MBEDTLS_CHECK_RETURN_CRITICAL 132 static int ssl_write_ecjpake_kkpp_ext(mbedtls_ssl_context *ssl, 133 unsigned char *buf, 134 const unsigned char *end, 135 size_t *olen) 136 { 137 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 138 unsigned char *p = buf; 139 size_t kkpp_len = 0; 140 141 *olen = 0; 142 143 /* Skip costly extension if we can't use EC J-PAKE anyway */ 144 #if defined(MBEDTLS_USE_PSA_CRYPTO) 145 if (ssl->handshake->psa_pake_ctx_is_ok != 1) { 146 return 0; 147 } 148 #else 149 if (mbedtls_ecjpake_check(&ssl->handshake->ecjpake_ctx) != 0) { 150 return 0; 151 } 152 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 153 154 MBEDTLS_SSL_DEBUG_MSG(3, 155 ("client hello, adding ecjpake_kkpp extension")); 156 157 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 4); 158 159 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_ECJPAKE_KKPP, p, 0); 160 p += 2; 161 162 /* 163 * We may need to send ClientHello multiple times for Hello verification. 164 * We don't want to compute fresh values every time (both for performance 165 * and consistency reasons), so cache the extension content. 166 */ 167 if (ssl->handshake->ecjpake_cache == NULL || 168 ssl->handshake->ecjpake_cache_len == 0) { 169 MBEDTLS_SSL_DEBUG_MSG(3, ("generating new ecjpake parameters")); 170 171 #if defined(MBEDTLS_USE_PSA_CRYPTO) 172 ret = mbedtls_psa_ecjpake_write_round(&ssl->handshake->psa_pake_ctx, 173 p + 2, end - p - 2, &kkpp_len, 174 MBEDTLS_ECJPAKE_ROUND_ONE); 175 if (ret != 0) { 176 psa_destroy_key(ssl->handshake->psa_pake_password); 177 psa_pake_abort(&ssl->handshake->psa_pake_ctx); 178 MBEDTLS_SSL_DEBUG_RET(1, "psa_pake_output", ret); 179 return ret; 180 } 181 #else 182 ret = mbedtls_ecjpake_write_round_one(&ssl->handshake->ecjpake_ctx, 183 p + 2, end - p - 2, &kkpp_len, 184 ssl->conf->f_rng, ssl->conf->p_rng); 185 if (ret != 0) { 186 MBEDTLS_SSL_DEBUG_RET(1, 187 "mbedtls_ecjpake_write_round_one", ret); 188 return ret; 189 } 190 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 191 192 ssl->handshake->ecjpake_cache = mbedtls_calloc(1, kkpp_len); 193 if (ssl->handshake->ecjpake_cache == NULL) { 194 MBEDTLS_SSL_DEBUG_MSG(1, ("allocation failed")); 195 return MBEDTLS_ERR_SSL_ALLOC_FAILED; 196 } 197 198 memcpy(ssl->handshake->ecjpake_cache, p + 2, kkpp_len); 199 ssl->handshake->ecjpake_cache_len = kkpp_len; 200 } else { 201 MBEDTLS_SSL_DEBUG_MSG(3, ("re-using cached ecjpake parameters")); 202 203 kkpp_len = ssl->handshake->ecjpake_cache_len; 204 MBEDTLS_SSL_CHK_BUF_PTR(p + 2, end, kkpp_len); 205 206 memcpy(p + 2, ssl->handshake->ecjpake_cache, kkpp_len); 207 } 208 209 MBEDTLS_PUT_UINT16_BE(kkpp_len, p, 0); 210 p += 2; 211 212 *olen = kkpp_len + 4; 213 214 return 0; 215 } 216 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 217 218 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) 219 MBEDTLS_CHECK_RETURN_CRITICAL 220 static int ssl_write_cid_ext(mbedtls_ssl_context *ssl, 221 unsigned char *buf, 222 const unsigned char *end, 223 size_t *olen) 224 { 225 unsigned char *p = buf; 226 size_t ext_len; 227 228 /* 229 * struct { 230 * opaque cid<0..2^8-1>; 231 * } ConnectionId; 232 */ 233 234 *olen = 0; 235 if (ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM || 236 ssl->negotiate_cid == MBEDTLS_SSL_CID_DISABLED) { 237 return 0; 238 } 239 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, adding CID extension")); 240 241 /* ssl->own_cid_len is at most MBEDTLS_SSL_CID_IN_LEN_MAX 242 * which is at most 255, so the increment cannot overflow. */ 243 MBEDTLS_SSL_CHK_BUF_PTR(p, end, (unsigned) (ssl->own_cid_len + 5)); 244 245 /* Add extension ID + size */ 246 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_CID, p, 0); 247 p += 2; 248 ext_len = (size_t) ssl->own_cid_len + 1; 249 MBEDTLS_PUT_UINT16_BE(ext_len, p, 0); 250 p += 2; 251 252 *p++ = (uint8_t) ssl->own_cid_len; 253 memcpy(p, ssl->own_cid, ssl->own_cid_len); 254 255 *olen = ssl->own_cid_len + 5; 256 257 return 0; 258 } 259 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ 260 261 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 262 MBEDTLS_CHECK_RETURN_CRITICAL 263 static int ssl_write_max_fragment_length_ext(mbedtls_ssl_context *ssl, 264 unsigned char *buf, 265 const unsigned char *end, 266 size_t *olen) 267 { 268 unsigned char *p = buf; 269 270 *olen = 0; 271 272 if (ssl->conf->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE) { 273 return 0; 274 } 275 276 MBEDTLS_SSL_DEBUG_MSG(3, 277 ("client hello, adding max_fragment_length extension")); 278 279 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 5); 280 281 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH, p, 0); 282 p += 2; 283 284 *p++ = 0x00; 285 *p++ = 1; 286 287 *p++ = ssl->conf->mfl_code; 288 289 *olen = 5; 290 291 return 0; 292 } 293 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ 294 295 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 296 MBEDTLS_CHECK_RETURN_CRITICAL 297 static int ssl_write_encrypt_then_mac_ext(mbedtls_ssl_context *ssl, 298 unsigned char *buf, 299 const unsigned char *end, 300 size_t *olen) 301 { 302 unsigned char *p = buf; 303 304 *olen = 0; 305 306 if (ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED) { 307 return 0; 308 } 309 310 MBEDTLS_SSL_DEBUG_MSG(3, 311 ("client hello, adding encrypt_then_mac extension")); 312 313 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 4); 314 315 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC, p, 0); 316 p += 2; 317 318 *p++ = 0x00; 319 *p++ = 0x00; 320 321 *olen = 4; 322 323 return 0; 324 } 325 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */ 326 327 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 328 MBEDTLS_CHECK_RETURN_CRITICAL 329 static int ssl_write_extended_ms_ext(mbedtls_ssl_context *ssl, 330 unsigned char *buf, 331 const unsigned char *end, 332 size_t *olen) 333 { 334 unsigned char *p = buf; 335 336 *olen = 0; 337 338 if (ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED) { 339 return 0; 340 } 341 342 MBEDTLS_SSL_DEBUG_MSG(3, 343 ("client hello, adding extended_master_secret extension")); 344 345 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 4); 346 347 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET, p, 0); 348 p += 2; 349 350 *p++ = 0x00; 351 *p++ = 0x00; 352 353 *olen = 4; 354 355 return 0; 356 } 357 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */ 358 359 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 360 MBEDTLS_CHECK_RETURN_CRITICAL 361 static int ssl_write_session_ticket_ext(mbedtls_ssl_context *ssl, 362 unsigned char *buf, 363 const unsigned char *end, 364 size_t *olen) 365 { 366 unsigned char *p = buf; 367 size_t tlen = ssl->session_negotiate->ticket_len; 368 369 *olen = 0; 370 371 if (ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED) { 372 return 0; 373 } 374 375 MBEDTLS_SSL_DEBUG_MSG(3, 376 ("client hello, adding session ticket extension")); 377 378 /* The addition is safe here since the ticket length is 16 bit. */ 379 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 4 + tlen); 380 381 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_SESSION_TICKET, p, 0); 382 p += 2; 383 384 MBEDTLS_PUT_UINT16_BE(tlen, p, 0); 385 p += 2; 386 387 *olen = 4; 388 389 if (ssl->session_negotiate->ticket == NULL || tlen == 0) { 390 return 0; 391 } 392 393 MBEDTLS_SSL_DEBUG_MSG(3, 394 ("sending session ticket of length %" MBEDTLS_PRINTF_SIZET, tlen)); 395 396 memcpy(p, ssl->session_negotiate->ticket, tlen); 397 398 *olen += tlen; 399 400 return 0; 401 } 402 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 403 404 #if defined(MBEDTLS_SSL_DTLS_SRTP) 405 MBEDTLS_CHECK_RETURN_CRITICAL 406 static int ssl_write_use_srtp_ext(mbedtls_ssl_context *ssl, 407 unsigned char *buf, 408 const unsigned char *end, 409 size_t *olen) 410 { 411 unsigned char *p = buf; 412 size_t protection_profiles_index = 0, ext_len = 0; 413 uint16_t mki_len = 0, profile_value = 0; 414 415 *olen = 0; 416 417 if ((ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) || 418 (ssl->conf->dtls_srtp_profile_list == NULL) || 419 (ssl->conf->dtls_srtp_profile_list_len == 0)) { 420 return 0; 421 } 422 423 /* RFC 5764 section 4.1.1 424 * uint8 SRTPProtectionProfile[2]; 425 * 426 * struct { 427 * SRTPProtectionProfiles SRTPProtectionProfiles; 428 * opaque srtp_mki<0..255>; 429 * } UseSRTPData; 430 * SRTPProtectionProfile SRTPProtectionProfiles<2..2^16-1>; 431 */ 432 if (ssl->conf->dtls_srtp_mki_support == MBEDTLS_SSL_DTLS_SRTP_MKI_SUPPORTED) { 433 mki_len = ssl->dtls_srtp_info.mki_len; 434 } 435 /* Extension length = 2 bytes for profiles length, 436 * ssl->conf->dtls_srtp_profile_list_len * 2 (each profile is 2 bytes length ), 437 * 1 byte for srtp_mki vector length and the mki_len value 438 */ 439 ext_len = 2 + 2 * (ssl->conf->dtls_srtp_profile_list_len) + 1 + mki_len; 440 441 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, adding use_srtp extension")); 442 443 /* Check there is room in the buffer for the extension + 4 bytes 444 * - the extension tag (2 bytes) 445 * - the extension length (2 bytes) 446 */ 447 MBEDTLS_SSL_CHK_BUF_PTR(p, end, ext_len + 4); 448 449 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_USE_SRTP, p, 0); 450 p += 2; 451 452 MBEDTLS_PUT_UINT16_BE(ext_len, p, 0); 453 p += 2; 454 455 /* protection profile length: 2*(ssl->conf->dtls_srtp_profile_list_len) */ 456 /* micro-optimization: 457 * the list size is limited to MBEDTLS_TLS_SRTP_MAX_PROFILE_LIST_LENGTH 458 * which is lower than 127, so the upper byte of the length is always 0 459 * For the documentation, the more generic code is left in comments 460 * *p++ = (unsigned char)( ( ( 2 * ssl->conf->dtls_srtp_profile_list_len ) 461 * >> 8 ) & 0xFF ); 462 */ 463 *p++ = 0; 464 *p++ = MBEDTLS_BYTE_0(2 * ssl->conf->dtls_srtp_profile_list_len); 465 466 for (protection_profiles_index = 0; 467 protection_profiles_index < ssl->conf->dtls_srtp_profile_list_len; 468 protection_profiles_index++) { 469 profile_value = mbedtls_ssl_check_srtp_profile_value 470 (ssl->conf->dtls_srtp_profile_list[protection_profiles_index]); 471 if (profile_value != MBEDTLS_TLS_SRTP_UNSET) { 472 MBEDTLS_SSL_DEBUG_MSG(3, ("ssl_write_use_srtp_ext, add profile: %04x", 473 profile_value)); 474 MBEDTLS_PUT_UINT16_BE(profile_value, p, 0); 475 p += 2; 476 } else { 477 /* 478 * Note: we shall never arrive here as protection profiles 479 * is checked by mbedtls_ssl_conf_dtls_srtp_protection_profiles function 480 */ 481 MBEDTLS_SSL_DEBUG_MSG(3, 482 ("client hello, " 483 "illegal DTLS-SRTP protection profile %d", 484 ssl->conf->dtls_srtp_profile_list[protection_profiles_index] 485 )); 486 return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 487 } 488 } 489 490 *p++ = mki_len & 0xFF; 491 492 if (mki_len != 0) { 493 memcpy(p, ssl->dtls_srtp_info.mki_value, mki_len); 494 /* 495 * Increment p to point to the current position. 496 */ 497 p += mki_len; 498 MBEDTLS_SSL_DEBUG_BUF(3, "sending mki", ssl->dtls_srtp_info.mki_value, 499 ssl->dtls_srtp_info.mki_len); 500 } 501 502 /* 503 * total extension length: extension type (2 bytes) 504 * + extension length (2 bytes) 505 * + protection profile length (2 bytes) 506 * + 2 * number of protection profiles 507 * + srtp_mki vector length(1 byte) 508 * + mki value 509 */ 510 *olen = p - buf; 511 512 return 0; 513 } 514 #endif /* MBEDTLS_SSL_DTLS_SRTP */ 515 516 int mbedtls_ssl_tls12_write_client_hello_exts(mbedtls_ssl_context *ssl, 517 unsigned char *buf, 518 const unsigned char *end, 519 int uses_ec, 520 size_t *out_len) 521 { 522 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 523 unsigned char *p = buf; 524 size_t ext_len = 0; 525 526 (void) ssl; 527 (void) end; 528 (void) uses_ec; 529 (void) ret; 530 (void) ext_len; 531 532 *out_len = 0; 533 534 /* Note that TLS_EMPTY_RENEGOTIATION_INFO_SCSV is always added 535 * even if MBEDTLS_SSL_RENEGOTIATION is not defined. */ 536 #if defined(MBEDTLS_SSL_RENEGOTIATION) 537 if ((ret = ssl_write_renegotiation_ext(ssl, p, end, &ext_len)) != 0) { 538 MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_renegotiation_ext", ret); 539 return ret; 540 } 541 p += ext_len; 542 #endif 543 544 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ 545 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 546 if (uses_ec) { 547 if ((ret = ssl_write_supported_point_formats_ext(ssl, p, end, 548 &ext_len)) != 0) { 549 MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_supported_point_formats_ext", ret); 550 return ret; 551 } 552 p += ext_len; 553 } 554 #endif 555 556 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 557 if ((ret = ssl_write_ecjpake_kkpp_ext(ssl, p, end, &ext_len)) != 0) { 558 MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_ecjpake_kkpp_ext", ret); 559 return ret; 560 } 561 p += ext_len; 562 #endif 563 564 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) 565 if ((ret = ssl_write_cid_ext(ssl, p, end, &ext_len)) != 0) { 566 MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_cid_ext", ret); 567 return ret; 568 } 569 p += ext_len; 570 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ 571 572 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 573 if ((ret = ssl_write_max_fragment_length_ext(ssl, p, end, 574 &ext_len)) != 0) { 575 MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_max_fragment_length_ext", ret); 576 return ret; 577 } 578 p += ext_len; 579 #endif 580 581 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 582 if ((ret = ssl_write_encrypt_then_mac_ext(ssl, p, end, &ext_len)) != 0) { 583 MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_encrypt_then_mac_ext", ret); 584 return ret; 585 } 586 p += ext_len; 587 #endif 588 589 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 590 if ((ret = ssl_write_extended_ms_ext(ssl, p, end, &ext_len)) != 0) { 591 MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_extended_ms_ext", ret); 592 return ret; 593 } 594 p += ext_len; 595 #endif 596 597 #if defined(MBEDTLS_SSL_DTLS_SRTP) 598 if ((ret = ssl_write_use_srtp_ext(ssl, p, end, &ext_len)) != 0) { 599 MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_use_srtp_ext", ret); 600 return ret; 601 } 602 p += ext_len; 603 #endif 604 605 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 606 if ((ret = ssl_write_session_ticket_ext(ssl, p, end, &ext_len)) != 0) { 607 MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_session_ticket_ext", ret); 608 return ret; 609 } 610 p += ext_len; 611 #endif 612 613 *out_len = p - buf; 614 615 return 0; 616 } 617 618 MBEDTLS_CHECK_RETURN_CRITICAL 619 static int ssl_parse_renegotiation_info(mbedtls_ssl_context *ssl, 620 const unsigned char *buf, 621 size_t len) 622 { 623 #if defined(MBEDTLS_SSL_RENEGOTIATION) 624 if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) { 625 /* Check verify-data in constant-time. The length OTOH is no secret */ 626 if (len != 1 + ssl->verify_data_len * 2 || 627 buf[0] != ssl->verify_data_len * 2 || 628 mbedtls_ct_memcmp(buf + 1, 629 ssl->own_verify_data, ssl->verify_data_len) != 0 || 630 mbedtls_ct_memcmp(buf + 1 + ssl->verify_data_len, 631 ssl->peer_verify_data, ssl->verify_data_len) != 0) { 632 MBEDTLS_SSL_DEBUG_MSG(1, ("non-matching renegotiation info")); 633 mbedtls_ssl_send_alert_message( 634 ssl, 635 MBEDTLS_SSL_ALERT_LEVEL_FATAL, 636 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE); 637 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; 638 } 639 } else 640 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 641 { 642 if (len != 1 || buf[0] != 0x00) { 643 MBEDTLS_SSL_DEBUG_MSG(1, 644 ("non-zero length renegotiation info")); 645 mbedtls_ssl_send_alert_message( 646 ssl, 647 MBEDTLS_SSL_ALERT_LEVEL_FATAL, 648 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE); 649 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; 650 } 651 652 ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION; 653 } 654 655 return 0; 656 } 657 658 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 659 MBEDTLS_CHECK_RETURN_CRITICAL 660 static int ssl_parse_max_fragment_length_ext(mbedtls_ssl_context *ssl, 661 const unsigned char *buf, 662 size_t len) 663 { 664 /* 665 * server should use the extension only if we did, 666 * and if so the server's value should match ours (and len is always 1) 667 */ 668 if (ssl->conf->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE || 669 len != 1 || 670 buf[0] != ssl->conf->mfl_code) { 671 MBEDTLS_SSL_DEBUG_MSG(1, 672 ("non-matching max fragment length extension")); 673 mbedtls_ssl_send_alert_message( 674 ssl, 675 MBEDTLS_SSL_ALERT_LEVEL_FATAL, 676 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER); 677 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; 678 } 679 680 return 0; 681 } 682 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ 683 684 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) 685 MBEDTLS_CHECK_RETURN_CRITICAL 686 static int ssl_parse_cid_ext(mbedtls_ssl_context *ssl, 687 const unsigned char *buf, 688 size_t len) 689 { 690 size_t peer_cid_len; 691 692 if ( /* CID extension only makes sense in DTLS */ 693 ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM || 694 /* The server must only send the CID extension if we have offered it. */ 695 ssl->negotiate_cid == MBEDTLS_SSL_CID_DISABLED) { 696 MBEDTLS_SSL_DEBUG_MSG(1, ("CID extension unexpected")); 697 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 698 MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT); 699 return MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION; 700 } 701 702 if (len == 0) { 703 MBEDTLS_SSL_DEBUG_MSG(1, ("CID extension invalid")); 704 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 705 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); 706 return MBEDTLS_ERR_SSL_DECODE_ERROR; 707 } 708 709 peer_cid_len = *buf++; 710 len--; 711 712 if (peer_cid_len > MBEDTLS_SSL_CID_OUT_LEN_MAX) { 713 MBEDTLS_SSL_DEBUG_MSG(1, ("CID extension invalid")); 714 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 715 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER); 716 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; 717 } 718 719 if (len != peer_cid_len) { 720 MBEDTLS_SSL_DEBUG_MSG(1, ("CID extension invalid")); 721 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 722 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); 723 return MBEDTLS_ERR_SSL_DECODE_ERROR; 724 } 725 726 ssl->handshake->cid_in_use = MBEDTLS_SSL_CID_ENABLED; 727 ssl->handshake->peer_cid_len = (uint8_t) peer_cid_len; 728 memcpy(ssl->handshake->peer_cid, buf, peer_cid_len); 729 730 MBEDTLS_SSL_DEBUG_MSG(3, ("Use of CID extension negotiated")); 731 MBEDTLS_SSL_DEBUG_BUF(3, "Server CID", buf, peer_cid_len); 732 733 return 0; 734 } 735 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ 736 737 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 738 MBEDTLS_CHECK_RETURN_CRITICAL 739 static int ssl_parse_encrypt_then_mac_ext(mbedtls_ssl_context *ssl, 740 const unsigned char *buf, 741 size_t len) 742 { 743 if (ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED || 744 len != 0) { 745 MBEDTLS_SSL_DEBUG_MSG(1, 746 ("non-matching encrypt-then-MAC extension")); 747 mbedtls_ssl_send_alert_message( 748 ssl, 749 MBEDTLS_SSL_ALERT_LEVEL_FATAL, 750 MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT); 751 return MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION; 752 } 753 754 ((void) buf); 755 756 ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED; 757 758 return 0; 759 } 760 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */ 761 762 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 763 MBEDTLS_CHECK_RETURN_CRITICAL 764 static int ssl_parse_extended_ms_ext(mbedtls_ssl_context *ssl, 765 const unsigned char *buf, 766 size_t len) 767 { 768 if (ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED || 769 len != 0) { 770 MBEDTLS_SSL_DEBUG_MSG(1, 771 ("non-matching extended master secret extension")); 772 mbedtls_ssl_send_alert_message( 773 ssl, 774 MBEDTLS_SSL_ALERT_LEVEL_FATAL, 775 MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT); 776 return MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION; 777 } 778 779 ((void) buf); 780 781 ssl->handshake->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED; 782 783 return 0; 784 } 785 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */ 786 787 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 788 MBEDTLS_CHECK_RETURN_CRITICAL 789 static int ssl_parse_session_ticket_ext(mbedtls_ssl_context *ssl, 790 const unsigned char *buf, 791 size_t len) 792 { 793 if (ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED || 794 len != 0) { 795 MBEDTLS_SSL_DEBUG_MSG(1, 796 ("non-matching session ticket extension")); 797 mbedtls_ssl_send_alert_message( 798 ssl, 799 MBEDTLS_SSL_ALERT_LEVEL_FATAL, 800 MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT); 801 return MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION; 802 } 803 804 ((void) buf); 805 806 ssl->handshake->new_session_ticket = 1; 807 808 return 0; 809 } 810 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 811 812 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ 813 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 814 MBEDTLS_CHECK_RETURN_CRITICAL 815 static int ssl_parse_supported_point_formats_ext(mbedtls_ssl_context *ssl, 816 const unsigned char *buf, 817 size_t len) 818 { 819 size_t list_size; 820 const unsigned char *p; 821 822 if (len == 0 || (size_t) (buf[0] + 1) != len) { 823 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message")); 824 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 825 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); 826 return MBEDTLS_ERR_SSL_DECODE_ERROR; 827 } 828 list_size = buf[0]; 829 830 p = buf + 1; 831 while (list_size > 0) { 832 if (p[0] == MBEDTLS_ECP_PF_UNCOMPRESSED || 833 p[0] == MBEDTLS_ECP_PF_COMPRESSED) { 834 #if !defined(MBEDTLS_USE_PSA_CRYPTO) && \ 835 (defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C)) 836 ssl->handshake->ecdh_ctx.point_format = p[0]; 837 #endif /* !MBEDTLS_USE_PSA_CRYPTO && 838 ( MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ) */ 839 #if !defined(MBEDTLS_USE_PSA_CRYPTO) && \ 840 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 841 mbedtls_ecjpake_set_point_format(&ssl->handshake->ecjpake_ctx, 842 p[0]); 843 #endif /* !MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 844 MBEDTLS_SSL_DEBUG_MSG(4, ("point format selected: %d", p[0])); 845 return 0; 846 } 847 848 list_size--; 849 p++; 850 } 851 852 MBEDTLS_SSL_DEBUG_MSG(1, ("no point format in common")); 853 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 854 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE); 855 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; 856 } 857 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || 858 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 859 860 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 861 MBEDTLS_CHECK_RETURN_CRITICAL 862 static int ssl_parse_ecjpake_kkpp(mbedtls_ssl_context *ssl, 863 const unsigned char *buf, 864 size_t len) 865 { 866 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 867 868 if (ssl->handshake->ciphersuite_info->key_exchange != 869 MBEDTLS_KEY_EXCHANGE_ECJPAKE) { 870 MBEDTLS_SSL_DEBUG_MSG(3, ("skip ecjpake kkpp extension")); 871 return 0; 872 } 873 874 /* If we got here, we no longer need our cached extension */ 875 mbedtls_free(ssl->handshake->ecjpake_cache); 876 ssl->handshake->ecjpake_cache = NULL; 877 ssl->handshake->ecjpake_cache_len = 0; 878 879 #if defined(MBEDTLS_USE_PSA_CRYPTO) 880 if ((ret = mbedtls_psa_ecjpake_read_round( 881 &ssl->handshake->psa_pake_ctx, buf, len, 882 MBEDTLS_ECJPAKE_ROUND_ONE)) != 0) { 883 psa_destroy_key(ssl->handshake->psa_pake_password); 884 psa_pake_abort(&ssl->handshake->psa_pake_ctx); 885 886 MBEDTLS_SSL_DEBUG_RET(1, "psa_pake_input round one", ret); 887 mbedtls_ssl_send_alert_message( 888 ssl, 889 MBEDTLS_SSL_ALERT_LEVEL_FATAL, 890 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE); 891 return ret; 892 } 893 894 return 0; 895 #else 896 if ((ret = mbedtls_ecjpake_read_round_one(&ssl->handshake->ecjpake_ctx, 897 buf, len)) != 0) { 898 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_read_round_one", ret); 899 mbedtls_ssl_send_alert_message( 900 ssl, 901 MBEDTLS_SSL_ALERT_LEVEL_FATAL, 902 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE); 903 return ret; 904 } 905 906 return 0; 907 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 908 } 909 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 910 911 #if defined(MBEDTLS_SSL_ALPN) 912 MBEDTLS_CHECK_RETURN_CRITICAL 913 static int ssl_parse_alpn_ext(mbedtls_ssl_context *ssl, 914 const unsigned char *buf, size_t len) 915 { 916 size_t list_len, name_len; 917 const char **p; 918 919 /* If we didn't send it, the server shouldn't send it */ 920 if (ssl->conf->alpn_list == NULL) { 921 MBEDTLS_SSL_DEBUG_MSG(1, ("non-matching ALPN extension")); 922 mbedtls_ssl_send_alert_message( 923 ssl, 924 MBEDTLS_SSL_ALERT_LEVEL_FATAL, 925 MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT); 926 return MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION; 927 } 928 929 /* 930 * opaque ProtocolName<1..2^8-1>; 931 * 932 * struct { 933 * ProtocolName protocol_name_list<2..2^16-1> 934 * } ProtocolNameList; 935 * 936 * the "ProtocolNameList" MUST contain exactly one "ProtocolName" 937 */ 938 939 /* Min length is 2 (list_len) + 1 (name_len) + 1 (name) */ 940 if (len < 4) { 941 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 942 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); 943 return MBEDTLS_ERR_SSL_DECODE_ERROR; 944 } 945 946 list_len = (buf[0] << 8) | buf[1]; 947 if (list_len != len - 2) { 948 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 949 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); 950 return MBEDTLS_ERR_SSL_DECODE_ERROR; 951 } 952 953 name_len = buf[2]; 954 if (name_len != list_len - 1) { 955 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 956 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); 957 return MBEDTLS_ERR_SSL_DECODE_ERROR; 958 } 959 960 /* Check that the server chosen protocol was in our list and save it */ 961 for (p = ssl->conf->alpn_list; *p != NULL; p++) { 962 if (name_len == strlen(*p) && 963 memcmp(buf + 3, *p, name_len) == 0) { 964 ssl->alpn_chosen = *p; 965 return 0; 966 } 967 } 968 969 MBEDTLS_SSL_DEBUG_MSG(1, ("ALPN extension: no matching protocol")); 970 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 971 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE); 972 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; 973 } 974 #endif /* MBEDTLS_SSL_ALPN */ 975 976 #if defined(MBEDTLS_SSL_DTLS_SRTP) 977 MBEDTLS_CHECK_RETURN_CRITICAL 978 static int ssl_parse_use_srtp_ext(mbedtls_ssl_context *ssl, 979 const unsigned char *buf, 980 size_t len) 981 { 982 mbedtls_ssl_srtp_profile server_protection = MBEDTLS_TLS_SRTP_UNSET; 983 size_t i, mki_len = 0; 984 uint16_t server_protection_profile_value = 0; 985 986 /* If use_srtp is not configured, just ignore the extension */ 987 if ((ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) || 988 (ssl->conf->dtls_srtp_profile_list == NULL) || 989 (ssl->conf->dtls_srtp_profile_list_len == 0)) { 990 return 0; 991 } 992 993 /* RFC 5764 section 4.1.1 994 * uint8 SRTPProtectionProfile[2]; 995 * 996 * struct { 997 * SRTPProtectionProfiles SRTPProtectionProfiles; 998 * opaque srtp_mki<0..255>; 999 * } UseSRTPData; 1000 1001 * SRTPProtectionProfile SRTPProtectionProfiles<2..2^16-1>; 1002 * 1003 */ 1004 if (ssl->conf->dtls_srtp_mki_support == MBEDTLS_SSL_DTLS_SRTP_MKI_SUPPORTED) { 1005 mki_len = ssl->dtls_srtp_info.mki_len; 1006 } 1007 1008 /* 1009 * Length is 5 + optional mki_value : one protection profile length (2 bytes) 1010 * + protection profile (2 bytes) 1011 * + mki_len(1 byte) 1012 * and optional srtp_mki 1013 */ 1014 if ((len < 5) || (len != (buf[4] + 5u))) { 1015 return MBEDTLS_ERR_SSL_DECODE_ERROR; 1016 } 1017 1018 /* 1019 * get the server protection profile 1020 */ 1021 1022 /* 1023 * protection profile length must be 0x0002 as we must have only 1024 * one protection profile in server Hello 1025 */ 1026 if ((buf[0] != 0) || (buf[1] != 2)) { 1027 return MBEDTLS_ERR_SSL_DECODE_ERROR; 1028 } 1029 1030 server_protection_profile_value = (buf[2] << 8) | buf[3]; 1031 server_protection = mbedtls_ssl_check_srtp_profile_value( 1032 server_protection_profile_value); 1033 if (server_protection != MBEDTLS_TLS_SRTP_UNSET) { 1034 MBEDTLS_SSL_DEBUG_MSG(3, ("found srtp profile: %s", 1035 mbedtls_ssl_get_srtp_profile_as_string( 1036 server_protection))); 1037 } 1038 1039 ssl->dtls_srtp_info.chosen_dtls_srtp_profile = MBEDTLS_TLS_SRTP_UNSET; 1040 1041 /* 1042 * Check we have the server profile in our list 1043 */ 1044 for (i = 0; i < ssl->conf->dtls_srtp_profile_list_len; i++) { 1045 if (server_protection == ssl->conf->dtls_srtp_profile_list[i]) { 1046 ssl->dtls_srtp_info.chosen_dtls_srtp_profile = ssl->conf->dtls_srtp_profile_list[i]; 1047 MBEDTLS_SSL_DEBUG_MSG(3, ("selected srtp profile: %s", 1048 mbedtls_ssl_get_srtp_profile_as_string( 1049 server_protection))); 1050 break; 1051 } 1052 } 1053 1054 /* If no match was found : server problem, it shall never answer with incompatible profile */ 1055 if (ssl->dtls_srtp_info.chosen_dtls_srtp_profile == MBEDTLS_TLS_SRTP_UNSET) { 1056 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1057 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE); 1058 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; 1059 } 1060 1061 /* If server does not use mki in its reply, make sure the client won't keep 1062 * one as negotiated */ 1063 if (len == 5) { 1064 ssl->dtls_srtp_info.mki_len = 0; 1065 } 1066 1067 /* 1068 * RFC5764: 1069 * If the client detects a nonzero-length MKI in the server's response 1070 * that is different than the one the client offered, then the client 1071 * MUST abort the handshake and SHOULD send an invalid_parameter alert. 1072 */ 1073 if (len > 5 && (buf[4] != mki_len || 1074 (memcmp(ssl->dtls_srtp_info.mki_value, &buf[5], mki_len)))) { 1075 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1076 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER); 1077 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; 1078 } 1079 #if defined(MBEDTLS_DEBUG_C) 1080 if (len > 5) { 1081 MBEDTLS_SSL_DEBUG_BUF(3, "received mki", ssl->dtls_srtp_info.mki_value, 1082 ssl->dtls_srtp_info.mki_len); 1083 } 1084 #endif 1085 return 0; 1086 } 1087 #endif /* MBEDTLS_SSL_DTLS_SRTP */ 1088 1089 /* 1090 * Parse HelloVerifyRequest. Only called after verifying the HS type. 1091 */ 1092 #if defined(MBEDTLS_SSL_PROTO_DTLS) 1093 MBEDTLS_CHECK_RETURN_CRITICAL 1094 static int ssl_parse_hello_verify_request(mbedtls_ssl_context *ssl) 1095 { 1096 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 1097 const unsigned char *p = ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl); 1098 uint16_t dtls_legacy_version; 1099 1100 #if !defined(MBEDTLS_SSL_PROTO_TLS1_3) 1101 uint8_t cookie_len; 1102 #else 1103 uint16_t cookie_len; 1104 #endif 1105 1106 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse hello verify request")); 1107 1108 /* Check that there is enough room for: 1109 * - 2 bytes of version 1110 * - 1 byte of cookie_len 1111 */ 1112 if (mbedtls_ssl_hs_hdr_len(ssl) + 3 > ssl->in_msglen) { 1113 MBEDTLS_SSL_DEBUG_MSG(1, 1114 ("incoming HelloVerifyRequest message is too short")); 1115 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1116 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); 1117 return MBEDTLS_ERR_SSL_DECODE_ERROR; 1118 } 1119 1120 /* 1121 * struct { 1122 * ProtocolVersion server_version; 1123 * opaque cookie<0..2^8-1>; 1124 * } HelloVerifyRequest; 1125 */ 1126 MBEDTLS_SSL_DEBUG_BUF(3, "server version", p, 2); 1127 dtls_legacy_version = MBEDTLS_GET_UINT16_BE(p, 0); 1128 p += 2; 1129 1130 /* 1131 * Since the RFC is not clear on this point, accept DTLS 1.0 (0xfeff) 1132 * The DTLS 1.3 (current draft) renames ProtocolVersion server_version to 1133 * legacy_version and locks the value of legacy_version to 0xfefd (DTLS 1.2) 1134 */ 1135 if (dtls_legacy_version != 0xfefd && dtls_legacy_version != 0xfeff) { 1136 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server version")); 1137 1138 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1139 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION); 1140 1141 return MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION; 1142 } 1143 1144 cookie_len = *p++; 1145 if ((ssl->in_msg + ssl->in_msglen) - p < cookie_len) { 1146 MBEDTLS_SSL_DEBUG_MSG(1, 1147 ("cookie length does not match incoming message size")); 1148 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1149 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); 1150 return MBEDTLS_ERR_SSL_DECODE_ERROR; 1151 } 1152 MBEDTLS_SSL_DEBUG_BUF(3, "cookie", p, cookie_len); 1153 1154 mbedtls_free(ssl->handshake->cookie); 1155 1156 ssl->handshake->cookie = mbedtls_calloc(1, cookie_len); 1157 if (ssl->handshake->cookie == NULL) { 1158 MBEDTLS_SSL_DEBUG_MSG(1, ("alloc failed (%d bytes)", cookie_len)); 1159 return MBEDTLS_ERR_SSL_ALLOC_FAILED; 1160 } 1161 1162 memcpy(ssl->handshake->cookie, p, cookie_len); 1163 ssl->handshake->cookie_len = cookie_len; 1164 1165 /* Start over at ClientHello */ 1166 ssl->state = MBEDTLS_SSL_CLIENT_HELLO; 1167 ret = mbedtls_ssl_reset_checksum(ssl); 1168 if (0 != ret) { 1169 MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ssl_reset_checksum"), ret); 1170 return ret; 1171 } 1172 1173 mbedtls_ssl_recv_flight_completed(ssl); 1174 1175 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse hello verify request")); 1176 1177 return 0; 1178 } 1179 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 1180 1181 MBEDTLS_CHECK_RETURN_CRITICAL 1182 static int ssl_parse_server_hello(mbedtls_ssl_context *ssl) 1183 { 1184 int ret, i; 1185 size_t n; 1186 size_t ext_len; 1187 unsigned char *buf, *ext; 1188 unsigned char comp; 1189 #if defined(MBEDTLS_SSL_RENEGOTIATION) 1190 int renegotiation_info_seen = 0; 1191 #endif 1192 int handshake_failure = 0; 1193 const mbedtls_ssl_ciphersuite_t *suite_info; 1194 1195 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse server hello")); 1196 1197 if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) { 1198 /* No alert on a read error. */ 1199 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret); 1200 return ret; 1201 } 1202 1203 buf = ssl->in_msg; 1204 1205 if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) { 1206 #if defined(MBEDTLS_SSL_RENEGOTIATION) 1207 if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) { 1208 ssl->renego_records_seen++; 1209 1210 if (ssl->conf->renego_max_records >= 0 && 1211 ssl->renego_records_seen > ssl->conf->renego_max_records) { 1212 MBEDTLS_SSL_DEBUG_MSG(1, 1213 ("renegotiation requested, but not honored by server")); 1214 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE; 1215 } 1216 1217 MBEDTLS_SSL_DEBUG_MSG(1, 1218 ("non-handshake message during renegotiation")); 1219 1220 ssl->keep_current_message = 1; 1221 return MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO; 1222 } 1223 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 1224 1225 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message")); 1226 mbedtls_ssl_send_alert_message( 1227 ssl, 1228 MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1229 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE); 1230 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE; 1231 } 1232 1233 #if defined(MBEDTLS_SSL_PROTO_DTLS) 1234 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) { 1235 if (buf[0] == MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST) { 1236 MBEDTLS_SSL_DEBUG_MSG(2, ("received hello verify request")); 1237 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse server hello")); 1238 return ssl_parse_hello_verify_request(ssl); 1239 } else { 1240 /* We made it through the verification process */ 1241 mbedtls_free(ssl->handshake->cookie); 1242 ssl->handshake->cookie = NULL; 1243 ssl->handshake->cookie_len = 0; 1244 } 1245 } 1246 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 1247 1248 if (ssl->in_hslen < 38 + mbedtls_ssl_hs_hdr_len(ssl) || 1249 buf[0] != MBEDTLS_SSL_HS_SERVER_HELLO) { 1250 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message")); 1251 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1252 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); 1253 return MBEDTLS_ERR_SSL_DECODE_ERROR; 1254 } 1255 1256 /* 1257 * 0 . 1 server_version 1258 * 2 . 33 random (maybe including 4 bytes of Unix time) 1259 * 34 . 34 session_id length = n 1260 * 35 . 34+n session_id 1261 * 35+n . 36+n cipher_suite 1262 * 37+n . 37+n compression_method 1263 * 1264 * 38+n . 39+n extensions length (optional) 1265 * 40+n . .. extensions 1266 */ 1267 buf += mbedtls_ssl_hs_hdr_len(ssl); 1268 1269 MBEDTLS_SSL_DEBUG_BUF(3, "server hello, version", buf, 2); 1270 ssl->tls_version = mbedtls_ssl_read_version(buf, ssl->conf->transport); 1271 ssl->session_negotiate->tls_version = ssl->tls_version; 1272 1273 if (ssl->tls_version < ssl->conf->min_tls_version || 1274 ssl->tls_version > ssl->conf->max_tls_version) { 1275 MBEDTLS_SSL_DEBUG_MSG(1, 1276 ( 1277 "server version out of bounds - min: [0x%x], server: [0x%x], max: [0x%x]", 1278 (unsigned) ssl->conf->min_tls_version, 1279 (unsigned) ssl->tls_version, 1280 (unsigned) ssl->conf->max_tls_version)); 1281 1282 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1283 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION); 1284 1285 return MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION; 1286 } 1287 1288 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, current time: %lu", 1289 ((unsigned long) buf[2] << 24) | 1290 ((unsigned long) buf[3] << 16) | 1291 ((unsigned long) buf[4] << 8) | 1292 ((unsigned long) buf[5]))); 1293 1294 memcpy(ssl->handshake->randbytes + 32, buf + 2, 32); 1295 1296 n = buf[34]; 1297 1298 MBEDTLS_SSL_DEBUG_BUF(3, "server hello, random bytes", buf + 2, 32); 1299 1300 if (n > 32) { 1301 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message")); 1302 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1303 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); 1304 return MBEDTLS_ERR_SSL_DECODE_ERROR; 1305 } 1306 1307 if (ssl->in_hslen > mbedtls_ssl_hs_hdr_len(ssl) + 39 + n) { 1308 ext_len = ((buf[38 + n] << 8) 1309 | (buf[39 + n])); 1310 1311 if ((ext_len > 0 && ext_len < 4) || 1312 ssl->in_hslen != mbedtls_ssl_hs_hdr_len(ssl) + 40 + n + ext_len) { 1313 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message")); 1314 mbedtls_ssl_send_alert_message( 1315 ssl, 1316 MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1317 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); 1318 return MBEDTLS_ERR_SSL_DECODE_ERROR; 1319 } 1320 } else if (ssl->in_hslen == mbedtls_ssl_hs_hdr_len(ssl) + 38 + n) { 1321 ext_len = 0; 1322 } else { 1323 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message")); 1324 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1325 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); 1326 return MBEDTLS_ERR_SSL_DECODE_ERROR; 1327 } 1328 1329 /* ciphersuite (used later) */ 1330 i = (buf[35 + n] << 8) | buf[36 + n]; 1331 1332 /* 1333 * Read and check compression 1334 */ 1335 comp = buf[37 + n]; 1336 1337 if (comp != MBEDTLS_SSL_COMPRESS_NULL) { 1338 MBEDTLS_SSL_DEBUG_MSG(1, 1339 ("server hello, bad compression: %d", comp)); 1340 mbedtls_ssl_send_alert_message( 1341 ssl, 1342 MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1343 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER); 1344 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 1345 } 1346 1347 /* 1348 * Initialize update checksum functions 1349 */ 1350 ssl->handshake->ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(i); 1351 if (ssl->handshake->ciphersuite_info == NULL) { 1352 MBEDTLS_SSL_DEBUG_MSG(1, 1353 ("ciphersuite info for %04x not found", (unsigned int) i)); 1354 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1355 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR); 1356 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 1357 } 1358 1359 mbedtls_ssl_optimize_checksum(ssl, ssl->handshake->ciphersuite_info); 1360 1361 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, session id len.: %" MBEDTLS_PRINTF_SIZET, n)); 1362 MBEDTLS_SSL_DEBUG_BUF(3, "server hello, session id", buf + 35, n); 1363 1364 /* 1365 * Check if the session can be resumed 1366 */ 1367 if (ssl->handshake->resume == 0 || n == 0 || 1368 #if defined(MBEDTLS_SSL_RENEGOTIATION) 1369 ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE || 1370 #endif 1371 ssl->session_negotiate->ciphersuite != i || 1372 ssl->session_negotiate->id_len != n || 1373 memcmp(ssl->session_negotiate->id, buf + 35, n) != 0) { 1374 ssl->state++; 1375 ssl->handshake->resume = 0; 1376 #if defined(MBEDTLS_HAVE_TIME) 1377 ssl->session_negotiate->start = mbedtls_time(NULL); 1378 #endif 1379 ssl->session_negotiate->ciphersuite = i; 1380 ssl->session_negotiate->id_len = n; 1381 memcpy(ssl->session_negotiate->id, buf + 35, n); 1382 } else { 1383 ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC; 1384 } 1385 1386 MBEDTLS_SSL_DEBUG_MSG(3, ("%s session has been resumed", 1387 ssl->handshake->resume ? "a" : "no")); 1388 1389 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, chosen ciphersuite: %04x", (unsigned) i)); 1390 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, compress alg.: %d", 1391 buf[37 + n])); 1392 1393 /* 1394 * Perform cipher suite validation in same way as in ssl_write_client_hello. 1395 */ 1396 i = 0; 1397 while (1) { 1398 if (ssl->conf->ciphersuite_list[i] == 0) { 1399 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message")); 1400 mbedtls_ssl_send_alert_message( 1401 ssl, 1402 MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1403 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER); 1404 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; 1405 } 1406 1407 if (ssl->conf->ciphersuite_list[i++] == 1408 ssl->session_negotiate->ciphersuite) { 1409 break; 1410 } 1411 } 1412 1413 suite_info = mbedtls_ssl_ciphersuite_from_id( 1414 ssl->session_negotiate->ciphersuite); 1415 if (mbedtls_ssl_validate_ciphersuite(ssl, suite_info, ssl->tls_version, 1416 ssl->tls_version) != 0) { 1417 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message")); 1418 mbedtls_ssl_send_alert_message( 1419 ssl, 1420 MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1421 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE); 1422 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; 1423 } 1424 1425 MBEDTLS_SSL_DEBUG_MSG(3, 1426 ("server hello, chosen ciphersuite: %s", suite_info->name)); 1427 1428 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) 1429 if (suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA && 1430 ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_2) { 1431 ssl->handshake->ecrs_enabled = 1; 1432 } 1433 #endif 1434 1435 if (comp != MBEDTLS_SSL_COMPRESS_NULL) { 1436 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message")); 1437 mbedtls_ssl_send_alert_message( 1438 ssl, 1439 MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1440 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER); 1441 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; 1442 } 1443 1444 ext = buf + 40 + n; 1445 1446 MBEDTLS_SSL_DEBUG_MSG(2, 1447 ("server hello, total extension length: %" MBEDTLS_PRINTF_SIZET, 1448 ext_len)); 1449 1450 while (ext_len) { 1451 unsigned int ext_id = ((ext[0] << 8) 1452 | (ext[1])); 1453 unsigned int ext_size = ((ext[2] << 8) 1454 | (ext[3])); 1455 1456 if (ext_size + 4 > ext_len) { 1457 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message")); 1458 mbedtls_ssl_send_alert_message( 1459 ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1460 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); 1461 return MBEDTLS_ERR_SSL_DECODE_ERROR; 1462 } 1463 1464 switch (ext_id) { 1465 case MBEDTLS_TLS_EXT_RENEGOTIATION_INFO: 1466 MBEDTLS_SSL_DEBUG_MSG(3, ("found renegotiation extension")); 1467 #if defined(MBEDTLS_SSL_RENEGOTIATION) 1468 renegotiation_info_seen = 1; 1469 #endif 1470 1471 if ((ret = ssl_parse_renegotiation_info(ssl, ext + 4, 1472 ext_size)) != 0) { 1473 return ret; 1474 } 1475 1476 break; 1477 1478 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 1479 case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH: 1480 MBEDTLS_SSL_DEBUG_MSG(3, 1481 ("found max_fragment_length extension")); 1482 1483 if ((ret = ssl_parse_max_fragment_length_ext(ssl, 1484 ext + 4, ext_size)) != 0) { 1485 return ret; 1486 } 1487 1488 break; 1489 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ 1490 1491 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) 1492 case MBEDTLS_TLS_EXT_CID: 1493 MBEDTLS_SSL_DEBUG_MSG(3, ("found CID extension")); 1494 1495 if ((ret = ssl_parse_cid_ext(ssl, 1496 ext + 4, 1497 ext_size)) != 0) { 1498 return ret; 1499 } 1500 1501 break; 1502 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ 1503 1504 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 1505 case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC: 1506 MBEDTLS_SSL_DEBUG_MSG(3, ("found encrypt_then_mac extension")); 1507 1508 if ((ret = ssl_parse_encrypt_then_mac_ext(ssl, 1509 ext + 4, ext_size)) != 0) { 1510 return ret; 1511 } 1512 1513 break; 1514 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */ 1515 1516 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 1517 case MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET: 1518 MBEDTLS_SSL_DEBUG_MSG(3, 1519 ("found extended_master_secret extension")); 1520 1521 if ((ret = ssl_parse_extended_ms_ext(ssl, 1522 ext + 4, ext_size)) != 0) { 1523 return ret; 1524 } 1525 1526 break; 1527 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */ 1528 1529 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 1530 case MBEDTLS_TLS_EXT_SESSION_TICKET: 1531 MBEDTLS_SSL_DEBUG_MSG(3, ("found session_ticket extension")); 1532 1533 if ((ret = ssl_parse_session_ticket_ext(ssl, 1534 ext + 4, ext_size)) != 0) { 1535 return ret; 1536 } 1537 1538 break; 1539 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 1540 1541 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ 1542 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 1543 case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS: 1544 MBEDTLS_SSL_DEBUG_MSG(3, 1545 ("found supported_point_formats extension")); 1546 1547 if ((ret = ssl_parse_supported_point_formats_ext(ssl, 1548 ext + 4, ext_size)) != 0) { 1549 return ret; 1550 } 1551 1552 break; 1553 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || 1554 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 1555 1556 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 1557 case MBEDTLS_TLS_EXT_ECJPAKE_KKPP: 1558 MBEDTLS_SSL_DEBUG_MSG(3, ("found ecjpake_kkpp extension")); 1559 1560 if ((ret = ssl_parse_ecjpake_kkpp(ssl, 1561 ext + 4, ext_size)) != 0) { 1562 return ret; 1563 } 1564 1565 break; 1566 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 1567 1568 #if defined(MBEDTLS_SSL_ALPN) 1569 case MBEDTLS_TLS_EXT_ALPN: 1570 MBEDTLS_SSL_DEBUG_MSG(3, ("found alpn extension")); 1571 1572 if ((ret = ssl_parse_alpn_ext(ssl, ext + 4, ext_size)) != 0) { 1573 return ret; 1574 } 1575 1576 break; 1577 #endif /* MBEDTLS_SSL_ALPN */ 1578 1579 #if defined(MBEDTLS_SSL_DTLS_SRTP) 1580 case MBEDTLS_TLS_EXT_USE_SRTP: 1581 MBEDTLS_SSL_DEBUG_MSG(3, ("found use_srtp extension")); 1582 1583 if ((ret = ssl_parse_use_srtp_ext(ssl, ext + 4, ext_size)) != 0) { 1584 return ret; 1585 } 1586 1587 break; 1588 #endif /* MBEDTLS_SSL_DTLS_SRTP */ 1589 1590 default: 1591 MBEDTLS_SSL_DEBUG_MSG(3, 1592 ("unknown extension found: %u (ignoring)", ext_id)); 1593 } 1594 1595 ext_len -= 4 + ext_size; 1596 ext += 4 + ext_size; 1597 1598 if (ext_len > 0 && ext_len < 4) { 1599 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message")); 1600 return MBEDTLS_ERR_SSL_DECODE_ERROR; 1601 } 1602 } 1603 1604 /* 1605 * mbedtls_ssl_derive_keys() has to be called after the parsing of the 1606 * extensions. It sets the transform data for the resumed session which in 1607 * case of DTLS includes the server CID extracted from the CID extension. 1608 */ 1609 if (ssl->handshake->resume) { 1610 if ((ret = mbedtls_ssl_derive_keys(ssl)) != 0) { 1611 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_derive_keys", ret); 1612 mbedtls_ssl_send_alert_message( 1613 ssl, 1614 MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1615 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR); 1616 return ret; 1617 } 1618 } 1619 1620 /* 1621 * Renegotiation security checks 1622 */ 1623 if (ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION && 1624 ssl->conf->allow_legacy_renegotiation == 1625 MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE) { 1626 MBEDTLS_SSL_DEBUG_MSG(1, 1627 ("legacy renegotiation, breaking off handshake")); 1628 handshake_failure = 1; 1629 } 1630 #if defined(MBEDTLS_SSL_RENEGOTIATION) 1631 else if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS && 1632 ssl->secure_renegotiation == MBEDTLS_SSL_SECURE_RENEGOTIATION && 1633 renegotiation_info_seen == 0) { 1634 MBEDTLS_SSL_DEBUG_MSG(1, 1635 ("renegotiation_info extension missing (secure)")); 1636 handshake_failure = 1; 1637 } else if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS && 1638 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION && 1639 ssl->conf->allow_legacy_renegotiation == 1640 MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION) { 1641 MBEDTLS_SSL_DEBUG_MSG(1, ("legacy renegotiation not allowed")); 1642 handshake_failure = 1; 1643 } else if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS && 1644 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION && 1645 renegotiation_info_seen == 1) { 1646 MBEDTLS_SSL_DEBUG_MSG(1, 1647 ("renegotiation_info extension present (legacy)")); 1648 handshake_failure = 1; 1649 } 1650 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 1651 1652 if (handshake_failure == 1) { 1653 mbedtls_ssl_send_alert_message( 1654 ssl, 1655 MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1656 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE); 1657 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; 1658 } 1659 1660 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse server hello")); 1661 1662 return 0; 1663 } 1664 1665 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \ 1666 defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) 1667 MBEDTLS_CHECK_RETURN_CRITICAL 1668 static int ssl_parse_server_dh_params(mbedtls_ssl_context *ssl, 1669 unsigned char **p, 1670 unsigned char *end) 1671 { 1672 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 1673 size_t dhm_actual_bitlen; 1674 1675 /* 1676 * Ephemeral DH parameters: 1677 * 1678 * struct { 1679 * opaque dh_p<1..2^16-1>; 1680 * opaque dh_g<1..2^16-1>; 1681 * opaque dh_Ys<1..2^16-1>; 1682 * } ServerDHParams; 1683 */ 1684 if ((ret = mbedtls_dhm_read_params(&ssl->handshake->dhm_ctx, 1685 p, end)) != 0) { 1686 MBEDTLS_SSL_DEBUG_RET(2, ("mbedtls_dhm_read_params"), ret); 1687 return ret; 1688 } 1689 1690 dhm_actual_bitlen = mbedtls_dhm_get_bitlen(&ssl->handshake->dhm_ctx); 1691 if (dhm_actual_bitlen < ssl->conf->dhm_min_bitlen) { 1692 MBEDTLS_SSL_DEBUG_MSG(1, ("DHM prime too short: %" MBEDTLS_PRINTF_SIZET " < %u", 1693 dhm_actual_bitlen, 1694 ssl->conf->dhm_min_bitlen)); 1695 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; 1696 } 1697 1698 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: P ", &ssl->handshake->dhm_ctx.P); 1699 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: G ", &ssl->handshake->dhm_ctx.G); 1700 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: GY", &ssl->handshake->dhm_ctx.GY); 1701 1702 return ret; 1703 } 1704 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED || 1705 MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */ 1706 1707 #if defined(MBEDTLS_USE_PSA_CRYPTO) 1708 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ 1709 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \ 1710 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) 1711 MBEDTLS_CHECK_RETURN_CRITICAL 1712 static int ssl_parse_server_ecdh_params(mbedtls_ssl_context *ssl, 1713 unsigned char **p, 1714 unsigned char *end) 1715 { 1716 uint16_t tls_id; 1717 uint8_t ecpoint_len; 1718 mbedtls_ssl_handshake_params *handshake = ssl->handshake; 1719 psa_ecc_family_t ec_psa_family = 0; 1720 size_t ec_bits = 0; 1721 1722 /* 1723 * struct { 1724 * ECParameters curve_params; 1725 * ECPoint public; 1726 * } ServerECDHParams; 1727 * 1728 * 1 curve_type (must be "named_curve") 1729 * 2..3 NamedCurve 1730 * 4 ECPoint.len 1731 * 5+ ECPoint contents 1732 */ 1733 if (end - *p < 4) { 1734 return MBEDTLS_ERR_SSL_DECODE_ERROR; 1735 } 1736 1737 /* First byte is curve_type; only named_curve is handled */ 1738 if (*(*p)++ != MBEDTLS_ECP_TLS_NAMED_CURVE) { 1739 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; 1740 } 1741 1742 /* Next two bytes are the namedcurve value */ 1743 tls_id = *(*p)++; 1744 tls_id <<= 8; 1745 tls_id |= *(*p)++; 1746 1747 /* Check it's a curve we offered */ 1748 if (mbedtls_ssl_check_curve_tls_id(ssl, tls_id) != 0) { 1749 MBEDTLS_SSL_DEBUG_MSG(2, 1750 ("bad server key exchange message (ECDHE curve): %u", 1751 (unsigned) tls_id)); 1752 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; 1753 } 1754 1755 /* Convert EC's TLS ID to PSA key type. */ 1756 if (mbedtls_ssl_get_psa_curve_info_from_tls_id(tls_id, &ec_psa_family, 1757 &ec_bits) == PSA_ERROR_NOT_SUPPORTED) { 1758 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; 1759 } 1760 handshake->ecdh_psa_type = PSA_KEY_TYPE_ECC_KEY_PAIR(ec_psa_family); 1761 handshake->ecdh_bits = ec_bits; 1762 1763 /* Keep a copy of the peer's public key */ 1764 ecpoint_len = *(*p)++; 1765 if ((size_t) (end - *p) < ecpoint_len) { 1766 return MBEDTLS_ERR_SSL_DECODE_ERROR; 1767 } 1768 1769 if (ecpoint_len > sizeof(handshake->ecdh_psa_peerkey)) { 1770 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; 1771 } 1772 1773 memcpy(handshake->ecdh_psa_peerkey, *p, ecpoint_len); 1774 handshake->ecdh_psa_peerkey_len = ecpoint_len; 1775 *p += ecpoint_len; 1776 1777 return 0; 1778 } 1779 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || 1780 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED || 1781 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ 1782 #else 1783 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ 1784 defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ 1785 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \ 1786 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \ 1787 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) 1788 MBEDTLS_CHECK_RETURN_CRITICAL 1789 static int ssl_check_server_ecdh_params(const mbedtls_ssl_context *ssl) 1790 { 1791 uint16_t tls_id; 1792 mbedtls_ecp_group_id grp_id; 1793 #if defined(MBEDTLS_ECDH_LEGACY_CONTEXT) 1794 grp_id = ssl->handshake->ecdh_ctx.grp.id; 1795 #else 1796 grp_id = ssl->handshake->ecdh_ctx.grp_id; 1797 #endif 1798 1799 tls_id = mbedtls_ssl_get_tls_id_from_ecp_group_id(grp_id); 1800 if (tls_id == 0) { 1801 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); 1802 return MBEDTLS_ERR_SSL_INTERNAL_ERROR; 1803 } 1804 1805 MBEDTLS_SSL_DEBUG_MSG(2, ("ECDH curve: %s", 1806 mbedtls_ssl_get_curve_name_from_tls_id(tls_id))); 1807 1808 if (mbedtls_ssl_check_curve(ssl, grp_id) != 0) { 1809 return -1; 1810 } 1811 1812 MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx, 1813 MBEDTLS_DEBUG_ECDH_QP); 1814 1815 return 0; 1816 } 1817 1818 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || 1819 MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED || 1820 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED || 1821 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED || 1822 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ 1823 1824 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ 1825 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \ 1826 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) 1827 MBEDTLS_CHECK_RETURN_CRITICAL 1828 static int ssl_parse_server_ecdh_params(mbedtls_ssl_context *ssl, 1829 unsigned char **p, 1830 unsigned char *end) 1831 { 1832 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 1833 1834 /* 1835 * Ephemeral ECDH parameters: 1836 * 1837 * struct { 1838 * ECParameters curve_params; 1839 * ECPoint public; 1840 * } ServerECDHParams; 1841 */ 1842 if ((ret = mbedtls_ecdh_read_params(&ssl->handshake->ecdh_ctx, 1843 (const unsigned char **) p, end)) != 0) { 1844 MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ecdh_read_params"), ret); 1845 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) 1846 if (ret == MBEDTLS_ERR_ECP_IN_PROGRESS) { 1847 ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS; 1848 } 1849 #endif 1850 return ret; 1851 } 1852 1853 if (ssl_check_server_ecdh_params(ssl) != 0) { 1854 MBEDTLS_SSL_DEBUG_MSG(1, 1855 ("bad server key exchange message (ECDHE curve)")); 1856 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; 1857 } 1858 1859 return ret; 1860 } 1861 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || \ 1862 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED || \ 1863 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ 1864 #endif /* !MBEDTLS_USE_PSA_CRYPTO */ 1865 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) 1866 MBEDTLS_CHECK_RETURN_CRITICAL 1867 static int ssl_parse_server_psk_hint(mbedtls_ssl_context *ssl, 1868 unsigned char **p, 1869 unsigned char *end) 1870 { 1871 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 1872 uint16_t len; 1873 ((void) ssl); 1874 1875 /* 1876 * PSK parameters: 1877 * 1878 * opaque psk_identity_hint<0..2^16-1>; 1879 */ 1880 if (end - (*p) < 2) { 1881 MBEDTLS_SSL_DEBUG_MSG(1, 1882 ("bad server key exchange message (psk_identity_hint length)")); 1883 return MBEDTLS_ERR_SSL_DECODE_ERROR; 1884 } 1885 len = (*p)[0] << 8 | (*p)[1]; 1886 *p += 2; 1887 1888 if (end - (*p) < len) { 1889 MBEDTLS_SSL_DEBUG_MSG(1, 1890 ("bad server key exchange message (psk_identity_hint length)")); 1891 return MBEDTLS_ERR_SSL_DECODE_ERROR; 1892 } 1893 1894 /* 1895 * Note: we currently ignore the PSK identity hint, as we only allow one 1896 * PSK to be provisioned on the client. This could be changed later if 1897 * someone needs that feature. 1898 */ 1899 *p += len; 1900 ret = 0; 1901 1902 return ret; 1903 } 1904 #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */ 1905 1906 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \ 1907 defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) 1908 /* 1909 * Generate a pre-master secret and encrypt it with the server's RSA key 1910 */ 1911 MBEDTLS_CHECK_RETURN_CRITICAL 1912 static int ssl_write_encrypted_pms(mbedtls_ssl_context *ssl, 1913 size_t offset, size_t *olen, 1914 size_t pms_offset) 1915 { 1916 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1917 size_t len_bytes = 2; 1918 unsigned char *p = ssl->handshake->premaster + pms_offset; 1919 mbedtls_pk_context *peer_pk; 1920 1921 if (offset + len_bytes > MBEDTLS_SSL_OUT_CONTENT_LEN) { 1922 MBEDTLS_SSL_DEBUG_MSG(1, ("buffer too small for encrypted pms")); 1923 return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL; 1924 } 1925 1926 /* 1927 * Generate (part of) the pre-master as 1928 * struct { 1929 * ProtocolVersion client_version; 1930 * opaque random[46]; 1931 * } PreMasterSecret; 1932 */ 1933 mbedtls_ssl_write_version(p, ssl->conf->transport, 1934 MBEDTLS_SSL_VERSION_TLS1_2); 1935 1936 if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, p + 2, 46)) != 0) { 1937 MBEDTLS_SSL_DEBUG_RET(1, "f_rng", ret); 1938 return ret; 1939 } 1940 1941 ssl->handshake->pmslen = 48; 1942 1943 #if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) 1944 peer_pk = &ssl->handshake->peer_pubkey; 1945 #else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ 1946 if (ssl->session_negotiate->peer_cert == NULL) { 1947 /* Should never happen */ 1948 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); 1949 return MBEDTLS_ERR_SSL_INTERNAL_ERROR; 1950 } 1951 peer_pk = &ssl->session_negotiate->peer_cert->pk; 1952 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ 1953 1954 /* 1955 * Now write it out, encrypted 1956 */ 1957 if (!mbedtls_pk_can_do(peer_pk, MBEDTLS_PK_RSA)) { 1958 MBEDTLS_SSL_DEBUG_MSG(1, ("certificate key type mismatch")); 1959 return MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH; 1960 } 1961 1962 if ((ret = mbedtls_pk_encrypt(peer_pk, 1963 p, ssl->handshake->pmslen, 1964 ssl->out_msg + offset + len_bytes, olen, 1965 MBEDTLS_SSL_OUT_CONTENT_LEN - offset - len_bytes, 1966 ssl->conf->f_rng, ssl->conf->p_rng)) != 0) { 1967 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_rsa_pkcs1_encrypt", ret); 1968 return ret; 1969 } 1970 1971 if (len_bytes == 2) { 1972 MBEDTLS_PUT_UINT16_BE(*olen, ssl->out_msg, offset); 1973 *olen += 2; 1974 } 1975 1976 #if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) 1977 /* We don't need the peer's public key anymore. Free it. */ 1978 mbedtls_pk_free(peer_pk); 1979 #endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ 1980 return 0; 1981 } 1982 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED || 1983 MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */ 1984 1985 #if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ 1986 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) 1987 MBEDTLS_CHECK_RETURN_CRITICAL 1988 static int ssl_get_ecdh_params_from_cert(mbedtls_ssl_context *ssl) 1989 { 1990 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1991 const mbedtls_ecp_keypair *peer_key; 1992 mbedtls_pk_context *peer_pk; 1993 1994 #if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) 1995 peer_pk = &ssl->handshake->peer_pubkey; 1996 #else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ 1997 if (ssl->session_negotiate->peer_cert == NULL) { 1998 /* Should never happen */ 1999 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); 2000 return MBEDTLS_ERR_SSL_INTERNAL_ERROR; 2001 } 2002 peer_pk = &ssl->session_negotiate->peer_cert->pk; 2003 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ 2004 2005 /* This is a public key, so it can't be opaque, so can_do() is a good 2006 * enough check to ensure pk_ec() is safe to use below. */ 2007 if (!mbedtls_pk_can_do(peer_pk, MBEDTLS_PK_ECKEY)) { 2008 MBEDTLS_SSL_DEBUG_MSG(1, ("server key not ECDH capable")); 2009 return MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH; 2010 } 2011 2012 peer_key = mbedtls_pk_ec(*peer_pk); 2013 2014 #if defined(MBEDTLS_USE_PSA_CRYPTO) 2015 size_t olen = 0; 2016 uint16_t tls_id = 0; 2017 psa_ecc_family_t ecc_family; 2018 2019 if (mbedtls_ssl_check_curve(ssl, peer_key->grp.id) != 0) { 2020 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server certificate (ECDH curve)")); 2021 return MBEDTLS_ERR_SSL_BAD_CERTIFICATE; 2022 } 2023 2024 tls_id = mbedtls_ssl_get_tls_id_from_ecp_group_id(peer_key->grp.id); 2025 if (tls_id == 0) { 2026 MBEDTLS_SSL_DEBUG_MSG(1, ("ECC group %u not suported", 2027 peer_key->grp.id)); 2028 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; 2029 } 2030 2031 /* If the above conversion to TLS ID was fine, then also this one will be, 2032 so there is no need to check the return value here */ 2033 mbedtls_ssl_get_psa_curve_info_from_tls_id(tls_id, &ecc_family, 2034 &ssl->handshake->ecdh_bits); 2035 2036 ssl->handshake->ecdh_psa_type = PSA_KEY_TYPE_ECC_KEY_PAIR(ecc_family); 2037 2038 /* Store peer's public key in psa format. */ 2039 ret = mbedtls_ecp_point_write_binary(&peer_key->grp, &peer_key->Q, 2040 MBEDTLS_ECP_PF_UNCOMPRESSED, &olen, 2041 ssl->handshake->ecdh_psa_peerkey, 2042 MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH); 2043 2044 if (ret != 0) { 2045 MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ecp_point_write_binary"), ret); 2046 return ret; 2047 } 2048 2049 ssl->handshake->ecdh_psa_peerkey_len = olen; 2050 #else 2051 if ((ret = mbedtls_ecdh_get_params(&ssl->handshake->ecdh_ctx, peer_key, 2052 MBEDTLS_ECDH_THEIRS)) != 0) { 2053 MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ecdh_get_params"), ret); 2054 return ret; 2055 } 2056 2057 if (ssl_check_server_ecdh_params(ssl) != 0) { 2058 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server certificate (ECDH curve)")); 2059 return MBEDTLS_ERR_SSL_BAD_CERTIFICATE; 2060 } 2061 #endif 2062 #if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) 2063 /* We don't need the peer's public key anymore. Free it, 2064 * so that more RAM is available for upcoming expensive 2065 * operations like ECDHE. */ 2066 mbedtls_pk_free(peer_pk); 2067 #endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ 2068 2069 return ret; 2070 } 2071 #endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || 2072 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ 2073 2074 MBEDTLS_CHECK_RETURN_CRITICAL 2075 static int ssl_parse_server_key_exchange(mbedtls_ssl_context *ssl) 2076 { 2077 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 2078 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = 2079 ssl->handshake->ciphersuite_info; 2080 unsigned char *p = NULL, *end = NULL; 2081 2082 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse server key exchange")); 2083 2084 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) 2085 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA) { 2086 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse server key exchange")); 2087 ssl->state++; 2088 return 0; 2089 } 2090 ((void) p); 2091 ((void) end); 2092 #endif 2093 2094 #if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ 2095 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) 2096 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA || 2097 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA) { 2098 if ((ret = ssl_get_ecdh_params_from_cert(ssl)) != 0) { 2099 MBEDTLS_SSL_DEBUG_RET(1, "ssl_get_ecdh_params_from_cert", ret); 2100 mbedtls_ssl_send_alert_message( 2101 ssl, 2102 MBEDTLS_SSL_ALERT_LEVEL_FATAL, 2103 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE); 2104 return ret; 2105 } 2106 2107 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse server key exchange")); 2108 ssl->state++; 2109 return 0; 2110 } 2111 ((void) p); 2112 ((void) end); 2113 #endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED || 2114 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ 2115 2116 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) 2117 if (ssl->handshake->ecrs_enabled && 2118 ssl->handshake->ecrs_state == ssl_ecrs_ske_start_processing) { 2119 goto start_processing; 2120 } 2121 #endif 2122 2123 if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) { 2124 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret); 2125 return ret; 2126 } 2127 2128 if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) { 2129 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server key exchange message")); 2130 mbedtls_ssl_send_alert_message( 2131 ssl, 2132 MBEDTLS_SSL_ALERT_LEVEL_FATAL, 2133 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE); 2134 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE; 2135 } 2136 2137 /* 2138 * ServerKeyExchange may be skipped with PSK and RSA-PSK when the server 2139 * doesn't use a psk_identity_hint 2140 */ 2141 if (ssl->in_msg[0] != MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE) { 2142 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || 2143 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK) { 2144 /* Current message is probably either 2145 * CertificateRequest or ServerHelloDone */ 2146 ssl->keep_current_message = 1; 2147 goto exit; 2148 } 2149 2150 MBEDTLS_SSL_DEBUG_MSG(1, 2151 ("server key exchange message must not be skipped")); 2152 mbedtls_ssl_send_alert_message( 2153 ssl, 2154 MBEDTLS_SSL_ALERT_LEVEL_FATAL, 2155 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE); 2156 2157 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE; 2158 } 2159 2160 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) 2161 if (ssl->handshake->ecrs_enabled) { 2162 ssl->handshake->ecrs_state = ssl_ecrs_ske_start_processing; 2163 } 2164 2165 start_processing: 2166 #endif 2167 p = ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl); 2168 end = ssl->in_msg + ssl->in_hslen; 2169 MBEDTLS_SSL_DEBUG_BUF(3, "server key exchange", p, end - p); 2170 2171 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) 2172 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || 2173 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK || 2174 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || 2175 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK) { 2176 if (ssl_parse_server_psk_hint(ssl, &p, end) != 0) { 2177 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server key exchange message")); 2178 mbedtls_ssl_send_alert_message( 2179 ssl, 2180 MBEDTLS_SSL_ALERT_LEVEL_FATAL, 2181 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); 2182 return MBEDTLS_ERR_SSL_DECODE_ERROR; 2183 } 2184 } /* FALLTHROUGH */ 2185 #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */ 2186 2187 #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) || \ 2188 defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) 2189 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || 2190 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK) { 2191 ; /* nothing more to do */ 2192 } else 2193 #endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED || 2194 MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */ 2195 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \ 2196 defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) 2197 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA || 2198 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK) { 2199 if (ssl_parse_server_dh_params(ssl, &p, end) != 0) { 2200 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server key exchange message")); 2201 mbedtls_ssl_send_alert_message( 2202 ssl, 2203 MBEDTLS_SSL_ALERT_LEVEL_FATAL, 2204 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER); 2205 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; 2206 } 2207 } else 2208 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED || 2209 MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */ 2210 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ 2211 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \ 2212 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) 2213 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA || 2214 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || 2215 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA) { 2216 if (ssl_parse_server_ecdh_params(ssl, &p, end) != 0) { 2217 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server key exchange message")); 2218 mbedtls_ssl_send_alert_message( 2219 ssl, 2220 MBEDTLS_SSL_ALERT_LEVEL_FATAL, 2221 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER); 2222 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; 2223 } 2224 } else 2225 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || 2226 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED || 2227 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ 2228 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 2229 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE) { 2230 #if defined(MBEDTLS_USE_PSA_CRYPTO) 2231 /* 2232 * The first 3 bytes are: 2233 * [0] MBEDTLS_ECP_TLS_NAMED_CURVE 2234 * [1, 2] elliptic curve's TLS ID 2235 * 2236 * However since we only support secp256r1 for now, we check only 2237 * that TLS ID here 2238 */ 2239 uint16_t read_tls_id = MBEDTLS_GET_UINT16_BE(p, 1); 2240 uint16_t exp_tls_id = mbedtls_ssl_get_tls_id_from_ecp_group_id( 2241 MBEDTLS_ECP_DP_SECP256R1); 2242 2243 if (exp_tls_id == 0) { 2244 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 2245 } 2246 2247 if ((*p != MBEDTLS_ECP_TLS_NAMED_CURVE) || 2248 (read_tls_id != exp_tls_id)) { 2249 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; 2250 } 2251 2252 p += 3; 2253 2254 if ((ret = mbedtls_psa_ecjpake_read_round( 2255 &ssl->handshake->psa_pake_ctx, p, end - p, 2256 MBEDTLS_ECJPAKE_ROUND_TWO)) != 0) { 2257 psa_destroy_key(ssl->handshake->psa_pake_password); 2258 psa_pake_abort(&ssl->handshake->psa_pake_ctx); 2259 2260 MBEDTLS_SSL_DEBUG_RET(1, "psa_pake_input round two", ret); 2261 mbedtls_ssl_send_alert_message( 2262 ssl, 2263 MBEDTLS_SSL_ALERT_LEVEL_FATAL, 2264 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE); 2265 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; 2266 } 2267 #else 2268 ret = mbedtls_ecjpake_read_round_two(&ssl->handshake->ecjpake_ctx, 2269 p, end - p); 2270 if (ret != 0) { 2271 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_read_round_two", ret); 2272 mbedtls_ssl_send_alert_message( 2273 ssl, 2274 MBEDTLS_SSL_ALERT_LEVEL_FATAL, 2275 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE); 2276 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; 2277 } 2278 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 2279 } else 2280 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 2281 { 2282 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); 2283 return MBEDTLS_ERR_SSL_INTERNAL_ERROR; 2284 } 2285 2286 #if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) 2287 if (mbedtls_ssl_ciphersuite_uses_server_signature(ciphersuite_info)) { 2288 size_t sig_len, hashlen; 2289 unsigned char hash[MBEDTLS_HASH_MAX_SIZE]; 2290 2291 mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE; 2292 mbedtls_pk_type_t pk_alg = MBEDTLS_PK_NONE; 2293 unsigned char *params = ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl); 2294 size_t params_len = p - params; 2295 void *rs_ctx = NULL; 2296 uint16_t sig_alg; 2297 2298 mbedtls_pk_context *peer_pk; 2299 2300 #if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) 2301 peer_pk = &ssl->handshake->peer_pubkey; 2302 #else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ 2303 if (ssl->session_negotiate->peer_cert == NULL) { 2304 /* Should never happen */ 2305 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); 2306 return MBEDTLS_ERR_SSL_INTERNAL_ERROR; 2307 } 2308 peer_pk = &ssl->session_negotiate->peer_cert->pk; 2309 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ 2310 2311 /* 2312 * Handle the digitally-signed structure 2313 */ 2314 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2); 2315 sig_alg = MBEDTLS_GET_UINT16_BE(p, 0); 2316 if (mbedtls_ssl_get_pk_type_and_md_alg_from_sig_alg( 2317 sig_alg, &pk_alg, &md_alg) != 0 && 2318 !mbedtls_ssl_sig_alg_is_offered(ssl, sig_alg) && 2319 !mbedtls_ssl_sig_alg_is_supported(ssl, sig_alg)) { 2320 MBEDTLS_SSL_DEBUG_MSG(1, 2321 ("bad server key exchange message")); 2322 mbedtls_ssl_send_alert_message( 2323 ssl, 2324 MBEDTLS_SSL_ALERT_LEVEL_FATAL, 2325 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER); 2326 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; 2327 } 2328 p += 2; 2329 2330 if (!mbedtls_pk_can_do(peer_pk, pk_alg)) { 2331 MBEDTLS_SSL_DEBUG_MSG(1, 2332 ("bad server key exchange message")); 2333 mbedtls_ssl_send_alert_message( 2334 ssl, 2335 MBEDTLS_SSL_ALERT_LEVEL_FATAL, 2336 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER); 2337 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; 2338 } 2339 2340 /* 2341 * Read signature 2342 */ 2343 2344 if (p > end - 2) { 2345 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server key exchange message")); 2346 mbedtls_ssl_send_alert_message( 2347 ssl, 2348 MBEDTLS_SSL_ALERT_LEVEL_FATAL, 2349 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); 2350 return MBEDTLS_ERR_SSL_DECODE_ERROR; 2351 } 2352 sig_len = (p[0] << 8) | p[1]; 2353 p += 2; 2354 2355 if (p != end - sig_len) { 2356 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server key exchange message")); 2357 mbedtls_ssl_send_alert_message( 2358 ssl, 2359 MBEDTLS_SSL_ALERT_LEVEL_FATAL, 2360 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); 2361 return MBEDTLS_ERR_SSL_DECODE_ERROR; 2362 } 2363 2364 MBEDTLS_SSL_DEBUG_BUF(3, "signature", p, sig_len); 2365 2366 /* 2367 * Compute the hash that has been signed 2368 */ 2369 if (md_alg != MBEDTLS_MD_NONE) { 2370 ret = mbedtls_ssl_get_key_exchange_md_tls1_2(ssl, hash, &hashlen, 2371 params, params_len, 2372 md_alg); 2373 if (ret != 0) { 2374 return ret; 2375 } 2376 } else { 2377 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); 2378 return MBEDTLS_ERR_SSL_INTERNAL_ERROR; 2379 } 2380 2381 MBEDTLS_SSL_DEBUG_BUF(3, "parameters hash", hash, hashlen); 2382 2383 /* 2384 * Verify signature 2385 */ 2386 if (!mbedtls_pk_can_do(peer_pk, pk_alg)) { 2387 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server key exchange message")); 2388 mbedtls_ssl_send_alert_message( 2389 ssl, 2390 MBEDTLS_SSL_ALERT_LEVEL_FATAL, 2391 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE); 2392 return MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH; 2393 } 2394 2395 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) 2396 if (ssl->handshake->ecrs_enabled) { 2397 rs_ctx = &ssl->handshake->ecrs_ctx.pk; 2398 } 2399 #endif 2400 2401 #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) 2402 if (pk_alg == MBEDTLS_PK_RSASSA_PSS) { 2403 mbedtls_pk_rsassa_pss_options rsassa_pss_options; 2404 rsassa_pss_options.mgf1_hash_id = md_alg; 2405 rsassa_pss_options.expected_salt_len = 2406 mbedtls_hash_info_get_size(md_alg); 2407 if (rsassa_pss_options.expected_salt_len == 0) { 2408 return MBEDTLS_ERR_SSL_INTERNAL_ERROR; 2409 } 2410 2411 ret = mbedtls_pk_verify_ext(pk_alg, &rsassa_pss_options, 2412 peer_pk, 2413 md_alg, hash, hashlen, 2414 p, sig_len); 2415 } else 2416 #endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */ 2417 ret = mbedtls_pk_verify_restartable(peer_pk, 2418 md_alg, hash, hashlen, p, sig_len, rs_ctx); 2419 2420 if (ret != 0) { 2421 int send_alert_msg = 1; 2422 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) 2423 send_alert_msg = (ret != MBEDTLS_ERR_ECP_IN_PROGRESS); 2424 #endif 2425 if (send_alert_msg) { 2426 mbedtls_ssl_send_alert_message( 2427 ssl, 2428 MBEDTLS_SSL_ALERT_LEVEL_FATAL, 2429 MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR); 2430 } 2431 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_verify", ret); 2432 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) 2433 if (ret == MBEDTLS_ERR_ECP_IN_PROGRESS) { 2434 ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS; 2435 } 2436 #endif 2437 return ret; 2438 } 2439 2440 #if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) 2441 /* We don't need the peer's public key anymore. Free it, 2442 * so that more RAM is available for upcoming expensive 2443 * operations like ECDHE. */ 2444 mbedtls_pk_free(peer_pk); 2445 #endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ 2446 } 2447 #endif /* MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED */ 2448 2449 exit: 2450 ssl->state++; 2451 2452 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse server key exchange")); 2453 2454 return 0; 2455 } 2456 2457 #if !defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED) 2458 MBEDTLS_CHECK_RETURN_CRITICAL 2459 static int ssl_parse_certificate_request(mbedtls_ssl_context *ssl) 2460 { 2461 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = 2462 ssl->handshake->ciphersuite_info; 2463 2464 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate request")); 2465 2466 if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) { 2467 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate request")); 2468 ssl->state++; 2469 return 0; 2470 } 2471 2472 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); 2473 return MBEDTLS_ERR_SSL_INTERNAL_ERROR; 2474 } 2475 #else /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */ 2476 MBEDTLS_CHECK_RETURN_CRITICAL 2477 static int ssl_parse_certificate_request(mbedtls_ssl_context *ssl) 2478 { 2479 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 2480 unsigned char *buf; 2481 size_t n = 0; 2482 size_t cert_type_len = 0, dn_len = 0; 2483 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = 2484 ssl->handshake->ciphersuite_info; 2485 size_t sig_alg_len; 2486 #if defined(MBEDTLS_DEBUG_C) 2487 unsigned char *sig_alg; 2488 unsigned char *dn; 2489 #endif 2490 2491 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate request")); 2492 2493 if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) { 2494 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate request")); 2495 ssl->state++; 2496 return 0; 2497 } 2498 2499 if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) { 2500 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret); 2501 return ret; 2502 } 2503 2504 if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) { 2505 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate request message")); 2506 mbedtls_ssl_send_alert_message( 2507 ssl, 2508 MBEDTLS_SSL_ALERT_LEVEL_FATAL, 2509 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE); 2510 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE; 2511 } 2512 2513 ssl->state++; 2514 ssl->handshake->client_auth = 2515 (ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE_REQUEST); 2516 2517 MBEDTLS_SSL_DEBUG_MSG(3, ("got %s certificate request", 2518 ssl->handshake->client_auth ? "a" : "no")); 2519 2520 if (ssl->handshake->client_auth == 0) { 2521 /* Current message is probably the ServerHelloDone */ 2522 ssl->keep_current_message = 1; 2523 goto exit; 2524 } 2525 2526 /* 2527 * struct { 2528 * ClientCertificateType certificate_types<1..2^8-1>; 2529 * SignatureAndHashAlgorithm 2530 * supported_signature_algorithms<2^16-1>; -- TLS 1.2 only 2531 * DistinguishedName certificate_authorities<0..2^16-1>; 2532 * } CertificateRequest; 2533 * 2534 * Since we only support a single certificate on clients, let's just 2535 * ignore all the information that's supposed to help us pick a 2536 * certificate. 2537 * 2538 * We could check that our certificate matches the request, and bail out 2539 * if it doesn't, but it's simpler to just send the certificate anyway, 2540 * and give the server the opportunity to decide if it should terminate 2541 * the connection when it doesn't like our certificate. 2542 * 2543 * Same goes for the hash in TLS 1.2's signature_algorithms: at this 2544 * point we only have one hash available (see comments in 2545 * write_certificate_verify), so let's just use what we have. 2546 * 2547 * However, we still minimally parse the message to check it is at least 2548 * superficially sane. 2549 */ 2550 buf = ssl->in_msg; 2551 2552 /* certificate_types */ 2553 if (ssl->in_hslen <= mbedtls_ssl_hs_hdr_len(ssl)) { 2554 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate request message")); 2555 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 2556 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); 2557 return MBEDTLS_ERR_SSL_DECODE_ERROR; 2558 } 2559 cert_type_len = buf[mbedtls_ssl_hs_hdr_len(ssl)]; 2560 n = cert_type_len; 2561 2562 /* 2563 * In the subsequent code there are two paths that read from buf: 2564 * * the length of the signature algorithms field (if minor version of 2565 * SSL is 3), 2566 * * distinguished name length otherwise. 2567 * Both reach at most the index: 2568 * ...hdr_len + 2 + n, 2569 * therefore the buffer length at this point must be greater than that 2570 * regardless of the actual code path. 2571 */ 2572 if (ssl->in_hslen <= mbedtls_ssl_hs_hdr_len(ssl) + 2 + n) { 2573 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate request message")); 2574 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 2575 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); 2576 return MBEDTLS_ERR_SSL_DECODE_ERROR; 2577 } 2578 2579 /* supported_signature_algorithms */ 2580 sig_alg_len = ((buf[mbedtls_ssl_hs_hdr_len(ssl) + 1 + n] << 8) 2581 | (buf[mbedtls_ssl_hs_hdr_len(ssl) + 2 + n])); 2582 2583 /* 2584 * The furthest access in buf is in the loop few lines below: 2585 * sig_alg[i + 1], 2586 * where: 2587 * sig_alg = buf + ...hdr_len + 3 + n, 2588 * max(i) = sig_alg_len - 1. 2589 * Therefore the furthest access is: 2590 * buf[...hdr_len + 3 + n + sig_alg_len - 1 + 1], 2591 * which reduces to: 2592 * buf[...hdr_len + 3 + n + sig_alg_len], 2593 * which is one less than we need the buf to be. 2594 */ 2595 if (ssl->in_hslen <= mbedtls_ssl_hs_hdr_len(ssl) + 3 + n + sig_alg_len) { 2596 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate request message")); 2597 mbedtls_ssl_send_alert_message( 2598 ssl, 2599 MBEDTLS_SSL_ALERT_LEVEL_FATAL, 2600 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); 2601 return MBEDTLS_ERR_SSL_DECODE_ERROR; 2602 } 2603 2604 #if defined(MBEDTLS_DEBUG_C) 2605 sig_alg = buf + mbedtls_ssl_hs_hdr_len(ssl) + 3 + n; 2606 for (size_t i = 0; i < sig_alg_len; i += 2) { 2607 MBEDTLS_SSL_DEBUG_MSG(3, 2608 ("Supported Signature Algorithm found: %02x %02x", 2609 sig_alg[i], sig_alg[i + 1])); 2610 } 2611 #endif 2612 2613 n += 2 + sig_alg_len; 2614 2615 /* certificate_authorities */ 2616 dn_len = ((buf[mbedtls_ssl_hs_hdr_len(ssl) + 1 + n] << 8) 2617 | (buf[mbedtls_ssl_hs_hdr_len(ssl) + 2 + n])); 2618 2619 n += dn_len; 2620 if (ssl->in_hslen != mbedtls_ssl_hs_hdr_len(ssl) + 3 + n) { 2621 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate request message")); 2622 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 2623 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); 2624 return MBEDTLS_ERR_SSL_DECODE_ERROR; 2625 } 2626 2627 #if defined(MBEDTLS_DEBUG_C) 2628 dn = buf + mbedtls_ssl_hs_hdr_len(ssl) + 3 + n - dn_len; 2629 for (size_t i = 0, dni_len = 0; i < dn_len; i += 2 + dni_len) { 2630 unsigned char *p = dn + i + 2; 2631 mbedtls_x509_name name; 2632 size_t asn1_len; 2633 char s[MBEDTLS_X509_MAX_DN_NAME_SIZE]; 2634 memset(&name, 0, sizeof(name)); 2635 dni_len = MBEDTLS_GET_UINT16_BE(dn + i, 0); 2636 if (dni_len > dn_len - i - 2 || 2637 mbedtls_asn1_get_tag(&p, p + dni_len, &asn1_len, 2638 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE) != 0 || 2639 mbedtls_x509_get_name(&p, p + asn1_len, &name) != 0) { 2640 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate request message")); 2641 mbedtls_ssl_send_alert_message( 2642 ssl, 2643 MBEDTLS_SSL_ALERT_LEVEL_FATAL, 2644 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); 2645 return MBEDTLS_ERR_SSL_DECODE_ERROR; 2646 } 2647 MBEDTLS_SSL_DEBUG_MSG(3, 2648 ("DN hint: %.*s", 2649 mbedtls_x509_dn_gets(s, sizeof(s), &name), s)); 2650 mbedtls_asn1_free_named_data_list_shallow(name.next); 2651 } 2652 #endif 2653 2654 exit: 2655 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse certificate request")); 2656 2657 return 0; 2658 } 2659 #endif /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */ 2660 2661 MBEDTLS_CHECK_RETURN_CRITICAL 2662 static int ssl_parse_server_hello_done(mbedtls_ssl_context *ssl) 2663 { 2664 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 2665 2666 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse server hello done")); 2667 2668 if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) { 2669 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret); 2670 return ret; 2671 } 2672 2673 if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) { 2674 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello done message")); 2675 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE; 2676 } 2677 2678 if (ssl->in_hslen != mbedtls_ssl_hs_hdr_len(ssl) || 2679 ssl->in_msg[0] != MBEDTLS_SSL_HS_SERVER_HELLO_DONE) { 2680 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello done message")); 2681 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 2682 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); 2683 return MBEDTLS_ERR_SSL_DECODE_ERROR; 2684 } 2685 2686 ssl->state++; 2687 2688 #if defined(MBEDTLS_SSL_PROTO_DTLS) 2689 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) { 2690 mbedtls_ssl_recv_flight_completed(ssl); 2691 } 2692 #endif 2693 2694 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse server hello done")); 2695 2696 return 0; 2697 } 2698 2699 MBEDTLS_CHECK_RETURN_CRITICAL 2700 static int ssl_write_client_key_exchange(mbedtls_ssl_context *ssl) 2701 { 2702 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 2703 2704 size_t header_len; 2705 size_t content_len; 2706 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = 2707 ssl->handshake->ciphersuite_info; 2708 2709 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write client key exchange")); 2710 2711 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) 2712 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA) { 2713 /* 2714 * DHM key exchange -- send G^X mod P 2715 */ 2716 content_len = mbedtls_dhm_get_len(&ssl->handshake->dhm_ctx); 2717 2718 MBEDTLS_PUT_UINT16_BE(content_len, ssl->out_msg, 4); 2719 header_len = 6; 2720 2721 ret = mbedtls_dhm_make_public(&ssl->handshake->dhm_ctx, 2722 (int) mbedtls_dhm_get_len(&ssl->handshake->dhm_ctx), 2723 &ssl->out_msg[header_len], content_len, 2724 ssl->conf->f_rng, ssl->conf->p_rng); 2725 if (ret != 0) { 2726 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_make_public", ret); 2727 return ret; 2728 } 2729 2730 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: X ", &ssl->handshake->dhm_ctx.X); 2731 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: GX", &ssl->handshake->dhm_ctx.GX); 2732 2733 if ((ret = mbedtls_dhm_calc_secret(&ssl->handshake->dhm_ctx, 2734 ssl->handshake->premaster, 2735 MBEDTLS_PREMASTER_SIZE, 2736 &ssl->handshake->pmslen, 2737 ssl->conf->f_rng, ssl->conf->p_rng)) != 0) { 2738 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_calc_secret", ret); 2739 return ret; 2740 } 2741 2742 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: K ", &ssl->handshake->dhm_ctx.K); 2743 } else 2744 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */ 2745 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ 2746 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \ 2747 defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ 2748 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) 2749 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA || 2750 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA || 2751 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA || 2752 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA) { 2753 #if defined(MBEDTLS_USE_PSA_CRYPTO) 2754 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; 2755 psa_status_t destruction_status = PSA_ERROR_CORRUPTION_DETECTED; 2756 psa_key_attributes_t key_attributes; 2757 2758 mbedtls_ssl_handshake_params *handshake = ssl->handshake; 2759 2760 header_len = 4; 2761 2762 MBEDTLS_SSL_DEBUG_MSG(1, ("Perform PSA-based ECDH computation.")); 2763 2764 /* 2765 * Generate EC private key for ECDHE exchange. 2766 */ 2767 2768 /* The master secret is obtained from the shared ECDH secret by 2769 * applying the TLS 1.2 PRF with a specific salt and label. While 2770 * the PSA Crypto API encourages combining key agreement schemes 2771 * such as ECDH with fixed KDFs such as TLS 1.2 PRF, it does not 2772 * yet support the provisioning of salt + label to the KDF. 2773 * For the time being, we therefore need to split the computation 2774 * of the ECDH secret and the application of the TLS 1.2 PRF. */ 2775 key_attributes = psa_key_attributes_init(); 2776 psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE); 2777 psa_set_key_algorithm(&key_attributes, PSA_ALG_ECDH); 2778 psa_set_key_type(&key_attributes, handshake->ecdh_psa_type); 2779 psa_set_key_bits(&key_attributes, handshake->ecdh_bits); 2780 2781 /* Generate ECDH private key. */ 2782 status = psa_generate_key(&key_attributes, 2783 &handshake->ecdh_psa_privkey); 2784 if (status != PSA_SUCCESS) { 2785 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; 2786 } 2787 2788 /* Export the public part of the ECDH private key from PSA. 2789 * The export format is an ECPoint structure as expected by TLS, 2790 * but we just need to add a length byte before that. */ 2791 unsigned char *own_pubkey = ssl->out_msg + header_len + 1; 2792 unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN; 2793 size_t own_pubkey_max_len = (size_t) (end - own_pubkey); 2794 size_t own_pubkey_len; 2795 2796 status = psa_export_public_key(handshake->ecdh_psa_privkey, 2797 own_pubkey, own_pubkey_max_len, 2798 &own_pubkey_len); 2799 if (status != PSA_SUCCESS) { 2800 psa_destroy_key(handshake->ecdh_psa_privkey); 2801 handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT; 2802 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; 2803 } 2804 2805 ssl->out_msg[header_len] = (unsigned char) own_pubkey_len; 2806 content_len = own_pubkey_len + 1; 2807 2808 /* The ECDH secret is the premaster secret used for key derivation. */ 2809 2810 /* Compute ECDH shared secret. */ 2811 status = psa_raw_key_agreement(PSA_ALG_ECDH, 2812 handshake->ecdh_psa_privkey, 2813 handshake->ecdh_psa_peerkey, 2814 handshake->ecdh_psa_peerkey_len, 2815 ssl->handshake->premaster, 2816 sizeof(ssl->handshake->premaster), 2817 &ssl->handshake->pmslen); 2818 2819 destruction_status = psa_destroy_key(handshake->ecdh_psa_privkey); 2820 handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT; 2821 2822 if (status != PSA_SUCCESS || destruction_status != PSA_SUCCESS) { 2823 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; 2824 } 2825 #else 2826 /* 2827 * ECDH key exchange -- send client public value 2828 */ 2829 header_len = 4; 2830 2831 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) 2832 if (ssl->handshake->ecrs_enabled) { 2833 if (ssl->handshake->ecrs_state == ssl_ecrs_cke_ecdh_calc_secret) { 2834 goto ecdh_calc_secret; 2835 } 2836 2837 mbedtls_ecdh_enable_restart(&ssl->handshake->ecdh_ctx); 2838 } 2839 #endif 2840 2841 ret = mbedtls_ecdh_make_public(&ssl->handshake->ecdh_ctx, 2842 &content_len, 2843 &ssl->out_msg[header_len], 1000, 2844 ssl->conf->f_rng, ssl->conf->p_rng); 2845 if (ret != 0) { 2846 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_make_public", ret); 2847 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) 2848 if (ret == MBEDTLS_ERR_ECP_IN_PROGRESS) { 2849 ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS; 2850 } 2851 #endif 2852 return ret; 2853 } 2854 2855 MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx, 2856 MBEDTLS_DEBUG_ECDH_Q); 2857 2858 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) 2859 if (ssl->handshake->ecrs_enabled) { 2860 ssl->handshake->ecrs_n = content_len; 2861 ssl->handshake->ecrs_state = ssl_ecrs_cke_ecdh_calc_secret; 2862 } 2863 2864 ecdh_calc_secret: 2865 if (ssl->handshake->ecrs_enabled) { 2866 content_len = ssl->handshake->ecrs_n; 2867 } 2868 #endif 2869 if ((ret = mbedtls_ecdh_calc_secret(&ssl->handshake->ecdh_ctx, 2870 &ssl->handshake->pmslen, 2871 ssl->handshake->premaster, 2872 MBEDTLS_MPI_MAX_SIZE, 2873 ssl->conf->f_rng, ssl->conf->p_rng)) != 0) { 2874 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_calc_secret", ret); 2875 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) 2876 if (ret == MBEDTLS_ERR_ECP_IN_PROGRESS) { 2877 ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS; 2878 } 2879 #endif 2880 return ret; 2881 } 2882 2883 MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx, 2884 MBEDTLS_DEBUG_ECDH_Z); 2885 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 2886 } else 2887 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || 2888 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED || 2889 MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED || 2890 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ 2891 #if defined(MBEDTLS_USE_PSA_CRYPTO) && \ 2892 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) 2893 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK) { 2894 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; 2895 psa_status_t destruction_status = PSA_ERROR_CORRUPTION_DETECTED; 2896 psa_key_attributes_t key_attributes; 2897 2898 mbedtls_ssl_handshake_params *handshake = ssl->handshake; 2899 2900 /* 2901 * opaque psk_identity<0..2^16-1>; 2902 */ 2903 if (mbedtls_ssl_conf_has_static_psk(ssl->conf) == 0) { 2904 /* We don't offer PSK suites if we don't have a PSK, 2905 * and we check that the server's choice is among the 2906 * ciphersuites we offered, so this should never happen. */ 2907 return MBEDTLS_ERR_SSL_INTERNAL_ERROR; 2908 } 2909 2910 /* uint16 to store content length */ 2911 const size_t content_len_size = 2; 2912 2913 header_len = 4; 2914 2915 if (header_len + content_len_size + ssl->conf->psk_identity_len 2916 > MBEDTLS_SSL_OUT_CONTENT_LEN) { 2917 MBEDTLS_SSL_DEBUG_MSG(1, 2918 ("psk identity too long or SSL buffer too short")); 2919 return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL; 2920 } 2921 2922 unsigned char *p = ssl->out_msg + header_len; 2923 2924 *p++ = MBEDTLS_BYTE_1(ssl->conf->psk_identity_len); 2925 *p++ = MBEDTLS_BYTE_0(ssl->conf->psk_identity_len); 2926 header_len += content_len_size; 2927 2928 memcpy(p, ssl->conf->psk_identity, 2929 ssl->conf->psk_identity_len); 2930 p += ssl->conf->psk_identity_len; 2931 2932 header_len += ssl->conf->psk_identity_len; 2933 2934 MBEDTLS_SSL_DEBUG_MSG(1, ("Perform PSA-based ECDH computation.")); 2935 2936 /* 2937 * Generate EC private key for ECDHE exchange. 2938 */ 2939 2940 /* The master secret is obtained from the shared ECDH secret by 2941 * applying the TLS 1.2 PRF with a specific salt and label. While 2942 * the PSA Crypto API encourages combining key agreement schemes 2943 * such as ECDH with fixed KDFs such as TLS 1.2 PRF, it does not 2944 * yet support the provisioning of salt + label to the KDF. 2945 * For the time being, we therefore need to split the computation 2946 * of the ECDH secret and the application of the TLS 1.2 PRF. */ 2947 key_attributes = psa_key_attributes_init(); 2948 psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE); 2949 psa_set_key_algorithm(&key_attributes, PSA_ALG_ECDH); 2950 psa_set_key_type(&key_attributes, handshake->ecdh_psa_type); 2951 psa_set_key_bits(&key_attributes, handshake->ecdh_bits); 2952 2953 /* Generate ECDH private key. */ 2954 status = psa_generate_key(&key_attributes, 2955 &handshake->ecdh_psa_privkey); 2956 if (status != PSA_SUCCESS) { 2957 return PSA_TO_MBEDTLS_ERR(status); 2958 } 2959 2960 /* Export the public part of the ECDH private key from PSA. 2961 * The export format is an ECPoint structure as expected by TLS, 2962 * but we just need to add a length byte before that. */ 2963 unsigned char *own_pubkey = p + 1; 2964 unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN; 2965 size_t own_pubkey_max_len = (size_t) (end - own_pubkey); 2966 size_t own_pubkey_len = 0; 2967 2968 status = psa_export_public_key(handshake->ecdh_psa_privkey, 2969 own_pubkey, own_pubkey_max_len, 2970 &own_pubkey_len); 2971 if (status != PSA_SUCCESS) { 2972 psa_destroy_key(handshake->ecdh_psa_privkey); 2973 handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT; 2974 return PSA_TO_MBEDTLS_ERR(status); 2975 } 2976 2977 *p = (unsigned char) own_pubkey_len; 2978 content_len = own_pubkey_len + 1; 2979 2980 /* As RFC 5489 section 2, the premaster secret is formed as follows: 2981 * - a uint16 containing the length (in octets) of the ECDH computation 2982 * - the octet string produced by the ECDH computation 2983 * - a uint16 containing the length (in octets) of the PSK 2984 * - the PSK itself 2985 */ 2986 unsigned char *pms = ssl->handshake->premaster; 2987 const unsigned char * const pms_end = pms + 2988 sizeof(ssl->handshake->premaster); 2989 /* uint16 to store length (in octets) of the ECDH computation */ 2990 const size_t zlen_size = 2; 2991 size_t zlen = 0; 2992 2993 /* Perform ECDH computation after the uint16 reserved for the length */ 2994 status = psa_raw_key_agreement(PSA_ALG_ECDH, 2995 handshake->ecdh_psa_privkey, 2996 handshake->ecdh_psa_peerkey, 2997 handshake->ecdh_psa_peerkey_len, 2998 pms + zlen_size, 2999 pms_end - (pms + zlen_size), 3000 &zlen); 3001 3002 destruction_status = psa_destroy_key(handshake->ecdh_psa_privkey); 3003 handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT; 3004 3005 if (status != PSA_SUCCESS) { 3006 return PSA_TO_MBEDTLS_ERR(status); 3007 } else if (destruction_status != PSA_SUCCESS) { 3008 return PSA_TO_MBEDTLS_ERR(destruction_status); 3009 } 3010 3011 /* Write the ECDH computation length before the ECDH computation */ 3012 MBEDTLS_PUT_UINT16_BE(zlen, pms, 0); 3013 pms += zlen_size + zlen; 3014 } else 3015 #endif /* MBEDTLS_USE_PSA_CRYPTO && 3016 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */ 3017 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) 3018 if (mbedtls_ssl_ciphersuite_uses_psk(ciphersuite_info)) { 3019 /* 3020 * opaque psk_identity<0..2^16-1>; 3021 */ 3022 if (mbedtls_ssl_conf_has_static_psk(ssl->conf) == 0) { 3023 /* We don't offer PSK suites if we don't have a PSK, 3024 * and we check that the server's choice is among the 3025 * ciphersuites we offered, so this should never happen. */ 3026 return MBEDTLS_ERR_SSL_INTERNAL_ERROR; 3027 } 3028 3029 header_len = 4; 3030 content_len = ssl->conf->psk_identity_len; 3031 3032 if (header_len + 2 + content_len > MBEDTLS_SSL_OUT_CONTENT_LEN) { 3033 MBEDTLS_SSL_DEBUG_MSG(1, 3034 ("psk identity too long or SSL buffer too short")); 3035 return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL; 3036 } 3037 3038 ssl->out_msg[header_len++] = MBEDTLS_BYTE_1(content_len); 3039 ssl->out_msg[header_len++] = MBEDTLS_BYTE_0(content_len); 3040 3041 memcpy(ssl->out_msg + header_len, 3042 ssl->conf->psk_identity, 3043 ssl->conf->psk_identity_len); 3044 header_len += ssl->conf->psk_identity_len; 3045 3046 #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) 3047 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK) { 3048 content_len = 0; 3049 } else 3050 #endif 3051 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) 3052 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK) { 3053 if ((ret = ssl_write_encrypted_pms(ssl, header_len, 3054 &content_len, 2)) != 0) { 3055 return ret; 3056 } 3057 } else 3058 #endif 3059 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) 3060 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK) { 3061 /* 3062 * ClientDiffieHellmanPublic public (DHM send G^X mod P) 3063 */ 3064 content_len = mbedtls_dhm_get_len(&ssl->handshake->dhm_ctx); 3065 3066 if (header_len + 2 + content_len > 3067 MBEDTLS_SSL_OUT_CONTENT_LEN) { 3068 MBEDTLS_SSL_DEBUG_MSG(1, 3069 ("psk identity or DHM size too long or SSL buffer too short")); 3070 return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL; 3071 } 3072 3073 ssl->out_msg[header_len++] = MBEDTLS_BYTE_1(content_len); 3074 ssl->out_msg[header_len++] = MBEDTLS_BYTE_0(content_len); 3075 3076 ret = mbedtls_dhm_make_public(&ssl->handshake->dhm_ctx, 3077 (int) mbedtls_dhm_get_len(&ssl->handshake->dhm_ctx), 3078 &ssl->out_msg[header_len], content_len, 3079 ssl->conf->f_rng, ssl->conf->p_rng); 3080 if (ret != 0) { 3081 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_make_public", ret); 3082 return ret; 3083 } 3084 3085 #if defined(MBEDTLS_USE_PSA_CRYPTO) 3086 unsigned char *pms = ssl->handshake->premaster; 3087 unsigned char *pms_end = pms + sizeof(ssl->handshake->premaster); 3088 size_t pms_len; 3089 3090 /* Write length only when we know the actual value */ 3091 if ((ret = mbedtls_dhm_calc_secret(&ssl->handshake->dhm_ctx, 3092 pms + 2, pms_end - (pms + 2), &pms_len, 3093 ssl->conf->f_rng, ssl->conf->p_rng)) != 0) { 3094 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_calc_secret", ret); 3095 return ret; 3096 } 3097 MBEDTLS_PUT_UINT16_BE(pms_len, pms, 0); 3098 pms += 2 + pms_len; 3099 3100 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: K ", &ssl->handshake->dhm_ctx.K); 3101 #endif 3102 } else 3103 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */ 3104 #if !defined(MBEDTLS_USE_PSA_CRYPTO) && \ 3105 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) 3106 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK) { 3107 /* 3108 * ClientECDiffieHellmanPublic public; 3109 */ 3110 ret = mbedtls_ecdh_make_public(&ssl->handshake->ecdh_ctx, 3111 &content_len, 3112 &ssl->out_msg[header_len], 3113 MBEDTLS_SSL_OUT_CONTENT_LEN - header_len, 3114 ssl->conf->f_rng, ssl->conf->p_rng); 3115 if (ret != 0) { 3116 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_make_public", ret); 3117 return ret; 3118 } 3119 3120 MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx, 3121 MBEDTLS_DEBUG_ECDH_Q); 3122 } else 3123 #endif /* !MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */ 3124 { 3125 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); 3126 return MBEDTLS_ERR_SSL_INTERNAL_ERROR; 3127 } 3128 3129 #if !defined(MBEDTLS_USE_PSA_CRYPTO) 3130 if ((ret = mbedtls_ssl_psk_derive_premaster(ssl, 3131 ciphersuite_info->key_exchange)) != 0) { 3132 MBEDTLS_SSL_DEBUG_RET(1, 3133 "mbedtls_ssl_psk_derive_premaster", ret); 3134 return ret; 3135 } 3136 #endif /* !MBEDTLS_USE_PSA_CRYPTO */ 3137 } else 3138 #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */ 3139 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) 3140 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA) { 3141 header_len = 4; 3142 if ((ret = ssl_write_encrypted_pms(ssl, header_len, 3143 &content_len, 0)) != 0) { 3144 return ret; 3145 } 3146 } else 3147 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */ 3148 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 3149 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE) { 3150 header_len = 4; 3151 3152 #if defined(MBEDTLS_USE_PSA_CRYPTO) 3153 unsigned char *out_p = ssl->out_msg + header_len; 3154 unsigned char *end_p = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN - 3155 header_len; 3156 ret = mbedtls_psa_ecjpake_write_round(&ssl->handshake->psa_pake_ctx, 3157 out_p, end_p - out_p, &content_len, 3158 MBEDTLS_ECJPAKE_ROUND_TWO); 3159 if (ret != 0) { 3160 psa_destroy_key(ssl->handshake->psa_pake_password); 3161 psa_pake_abort(&ssl->handshake->psa_pake_ctx); 3162 MBEDTLS_SSL_DEBUG_RET(1, "psa_pake_output", ret); 3163 return ret; 3164 } 3165 #else 3166 ret = mbedtls_ecjpake_write_round_two(&ssl->handshake->ecjpake_ctx, 3167 ssl->out_msg + header_len, 3168 MBEDTLS_SSL_OUT_CONTENT_LEN - header_len, 3169 &content_len, 3170 ssl->conf->f_rng, ssl->conf->p_rng); 3171 if (ret != 0) { 3172 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_write_round_two", ret); 3173 return ret; 3174 } 3175 3176 ret = mbedtls_ecjpake_derive_secret(&ssl->handshake->ecjpake_ctx, 3177 ssl->handshake->premaster, 32, &ssl->handshake->pmslen, 3178 ssl->conf->f_rng, ssl->conf->p_rng); 3179 if (ret != 0) { 3180 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_derive_secret", ret); 3181 return ret; 3182 } 3183 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 3184 } else 3185 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */ 3186 { 3187 ((void) ciphersuite_info); 3188 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); 3189 return MBEDTLS_ERR_SSL_INTERNAL_ERROR; 3190 } 3191 3192 ssl->out_msglen = header_len + content_len; 3193 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; 3194 ssl->out_msg[0] = MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE; 3195 3196 ssl->state++; 3197 3198 if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) { 3199 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret); 3200 return ret; 3201 } 3202 3203 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write client key exchange")); 3204 3205 return 0; 3206 } 3207 3208 #if !defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED) 3209 MBEDTLS_CHECK_RETURN_CRITICAL 3210 static int ssl_write_certificate_verify(mbedtls_ssl_context *ssl) 3211 { 3212 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = 3213 ssl->handshake->ciphersuite_info; 3214 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 3215 3216 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate verify")); 3217 3218 if ((ret = mbedtls_ssl_derive_keys(ssl)) != 0) { 3219 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_derive_keys", ret); 3220 return ret; 3221 } 3222 3223 if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) { 3224 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate verify")); 3225 ssl->state++; 3226 return 0; 3227 } 3228 3229 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); 3230 return MBEDTLS_ERR_SSL_INTERNAL_ERROR; 3231 } 3232 #else /* !MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */ 3233 MBEDTLS_CHECK_RETURN_CRITICAL 3234 static int ssl_write_certificate_verify(mbedtls_ssl_context *ssl) 3235 { 3236 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 3237 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = 3238 ssl->handshake->ciphersuite_info; 3239 size_t n = 0, offset = 0; 3240 unsigned char hash[48]; 3241 unsigned char *hash_start = hash; 3242 mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE; 3243 size_t hashlen; 3244 void *rs_ctx = NULL; 3245 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH) 3246 size_t out_buf_len = ssl->out_buf_len - (ssl->out_msg - ssl->out_buf); 3247 #else 3248 size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN - (ssl->out_msg - ssl->out_buf); 3249 #endif 3250 3251 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate verify")); 3252 3253 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) 3254 if (ssl->handshake->ecrs_enabled && 3255 ssl->handshake->ecrs_state == ssl_ecrs_crt_vrfy_sign) { 3256 goto sign; 3257 } 3258 #endif 3259 3260 if ((ret = mbedtls_ssl_derive_keys(ssl)) != 0) { 3261 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_derive_keys", ret); 3262 return ret; 3263 } 3264 3265 if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) { 3266 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate verify")); 3267 ssl->state++; 3268 return 0; 3269 } 3270 3271 if (ssl->handshake->client_auth == 0 || 3272 mbedtls_ssl_own_cert(ssl) == NULL) { 3273 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate verify")); 3274 ssl->state++; 3275 return 0; 3276 } 3277 3278 if (mbedtls_ssl_own_key(ssl) == NULL) { 3279 MBEDTLS_SSL_DEBUG_MSG(1, ("got no private key for certificate")); 3280 return MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED; 3281 } 3282 3283 /* 3284 * Make a signature of the handshake digests 3285 */ 3286 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) 3287 if (ssl->handshake->ecrs_enabled) { 3288 ssl->handshake->ecrs_state = ssl_ecrs_crt_vrfy_sign; 3289 } 3290 3291 sign: 3292 #endif 3293 3294 ret = ssl->handshake->calc_verify(ssl, hash, &hashlen); 3295 if (0 != ret) { 3296 MBEDTLS_SSL_DEBUG_RET(1, ("calc_verify"), ret); 3297 return ret; 3298 } 3299 3300 /* 3301 * digitally-signed struct { 3302 * opaque handshake_messages[handshake_messages_length]; 3303 * }; 3304 * 3305 * Taking shortcut here. We assume that the server always allows the 3306 * PRF Hash function and has sent it in the allowed signature 3307 * algorithms list received in the Certificate Request message. 3308 * 3309 * Until we encounter a server that does not, we will take this 3310 * shortcut. 3311 * 3312 * Reason: Otherwise we should have running hashes for SHA512 and 3313 * SHA224 in order to satisfy 'weird' needs from the server 3314 * side. 3315 */ 3316 if (ssl->handshake->ciphersuite_info->mac == MBEDTLS_MD_SHA384) { 3317 md_alg = MBEDTLS_MD_SHA384; 3318 ssl->out_msg[4] = MBEDTLS_SSL_HASH_SHA384; 3319 } else { 3320 md_alg = MBEDTLS_MD_SHA256; 3321 ssl->out_msg[4] = MBEDTLS_SSL_HASH_SHA256; 3322 } 3323 ssl->out_msg[5] = mbedtls_ssl_sig_from_pk(mbedtls_ssl_own_key(ssl)); 3324 3325 /* Info from md_alg will be used instead */ 3326 hashlen = 0; 3327 offset = 2; 3328 3329 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) 3330 if (ssl->handshake->ecrs_enabled) { 3331 rs_ctx = &ssl->handshake->ecrs_ctx.pk; 3332 } 3333 #endif 3334 3335 if ((ret = mbedtls_pk_sign_restartable(mbedtls_ssl_own_key(ssl), 3336 md_alg, hash_start, hashlen, 3337 ssl->out_msg + 6 + offset, 3338 out_buf_len - 6 - offset, 3339 &n, 3340 ssl->conf->f_rng, ssl->conf->p_rng, rs_ctx)) != 0) { 3341 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_sign", ret); 3342 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) 3343 if (ret == MBEDTLS_ERR_ECP_IN_PROGRESS) { 3344 ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS; 3345 } 3346 #endif 3347 return ret; 3348 } 3349 3350 MBEDTLS_PUT_UINT16_BE(n, ssl->out_msg, offset + 4); 3351 3352 ssl->out_msglen = 6 + n + offset; 3353 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; 3354 ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE_VERIFY; 3355 3356 ssl->state++; 3357 3358 if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) { 3359 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret); 3360 return ret; 3361 } 3362 3363 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write certificate verify")); 3364 3365 return ret; 3366 } 3367 #endif /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */ 3368 3369 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 3370 MBEDTLS_CHECK_RETURN_CRITICAL 3371 static int ssl_parse_new_session_ticket(mbedtls_ssl_context *ssl) 3372 { 3373 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 3374 uint32_t lifetime; 3375 size_t ticket_len; 3376 unsigned char *ticket; 3377 const unsigned char *msg; 3378 3379 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse new session ticket")); 3380 3381 if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) { 3382 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret); 3383 return ret; 3384 } 3385 3386 if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) { 3387 MBEDTLS_SSL_DEBUG_MSG(1, ("bad new session ticket message")); 3388 mbedtls_ssl_send_alert_message( 3389 ssl, 3390 MBEDTLS_SSL_ALERT_LEVEL_FATAL, 3391 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE); 3392 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE; 3393 } 3394 3395 /* 3396 * struct { 3397 * uint32 ticket_lifetime_hint; 3398 * opaque ticket<0..2^16-1>; 3399 * } NewSessionTicket; 3400 * 3401 * 0 . 3 ticket_lifetime_hint 3402 * 4 . 5 ticket_len (n) 3403 * 6 . 5+n ticket content 3404 */ 3405 if (ssl->in_msg[0] != MBEDTLS_SSL_HS_NEW_SESSION_TICKET || 3406 ssl->in_hslen < 6 + mbedtls_ssl_hs_hdr_len(ssl)) { 3407 MBEDTLS_SSL_DEBUG_MSG(1, ("bad new session ticket message")); 3408 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 3409 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); 3410 return MBEDTLS_ERR_SSL_DECODE_ERROR; 3411 } 3412 3413 msg = ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl); 3414 3415 lifetime = (((uint32_t) msg[0]) << 24) | (msg[1] << 16) | 3416 (msg[2] << 8) | (msg[3]); 3417 3418 ticket_len = (msg[4] << 8) | (msg[5]); 3419 3420 if (ticket_len + 6 + mbedtls_ssl_hs_hdr_len(ssl) != ssl->in_hslen) { 3421 MBEDTLS_SSL_DEBUG_MSG(1, ("bad new session ticket message")); 3422 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 3423 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); 3424 return MBEDTLS_ERR_SSL_DECODE_ERROR; 3425 } 3426 3427 MBEDTLS_SSL_DEBUG_MSG(3, ("ticket length: %" MBEDTLS_PRINTF_SIZET, ticket_len)); 3428 3429 /* We're not waiting for a NewSessionTicket message any more */ 3430 ssl->handshake->new_session_ticket = 0; 3431 ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC; 3432 3433 /* 3434 * Zero-length ticket means the server changed his mind and doesn't want 3435 * to send a ticket after all, so just forget it 3436 */ 3437 if (ticket_len == 0) { 3438 return 0; 3439 } 3440 3441 if (ssl->session != NULL && ssl->session->ticket != NULL) { 3442 mbedtls_platform_zeroize(ssl->session->ticket, 3443 ssl->session->ticket_len); 3444 mbedtls_free(ssl->session->ticket); 3445 ssl->session->ticket = NULL; 3446 ssl->session->ticket_len = 0; 3447 } 3448 3449 mbedtls_platform_zeroize(ssl->session_negotiate->ticket, 3450 ssl->session_negotiate->ticket_len); 3451 mbedtls_free(ssl->session_negotiate->ticket); 3452 ssl->session_negotiate->ticket = NULL; 3453 ssl->session_negotiate->ticket_len = 0; 3454 3455 if ((ticket = mbedtls_calloc(1, ticket_len)) == NULL) { 3456 MBEDTLS_SSL_DEBUG_MSG(1, ("ticket alloc failed")); 3457 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 3458 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR); 3459 return MBEDTLS_ERR_SSL_ALLOC_FAILED; 3460 } 3461 3462 memcpy(ticket, msg + 6, ticket_len); 3463 3464 ssl->session_negotiate->ticket = ticket; 3465 ssl->session_negotiate->ticket_len = ticket_len; 3466 ssl->session_negotiate->ticket_lifetime = lifetime; 3467 3468 /* 3469 * RFC 5077 section 3.4: 3470 * "If the client receives a session ticket from the server, then it 3471 * discards any Session ID that was sent in the ServerHello." 3472 */ 3473 MBEDTLS_SSL_DEBUG_MSG(3, ("ticket in use, discarding session id")); 3474 ssl->session_negotiate->id_len = 0; 3475 3476 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse new session ticket")); 3477 3478 return 0; 3479 } 3480 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 3481 3482 /* 3483 * SSL handshake -- client side -- single step 3484 */ 3485 int mbedtls_ssl_handshake_client_step(mbedtls_ssl_context *ssl) 3486 { 3487 int ret = 0; 3488 3489 /* Change state now, so that it is right in mbedtls_ssl_read_record(), used 3490 * by DTLS for dropping out-of-sequence ChangeCipherSpec records */ 3491 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 3492 if (ssl->state == MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC && 3493 ssl->handshake->new_session_ticket != 0) { 3494 ssl->state = MBEDTLS_SSL_NEW_SESSION_TICKET; 3495 } 3496 #endif 3497 3498 switch (ssl->state) { 3499 case MBEDTLS_SSL_HELLO_REQUEST: 3500 ssl->state = MBEDTLS_SSL_CLIENT_HELLO; 3501 break; 3502 3503 /* 3504 * ==> ClientHello 3505 */ 3506 case MBEDTLS_SSL_CLIENT_HELLO: 3507 ret = mbedtls_ssl_write_client_hello(ssl); 3508 break; 3509 3510 /* 3511 * <== ServerHello 3512 * Certificate 3513 * ( ServerKeyExchange ) 3514 * ( CertificateRequest ) 3515 * ServerHelloDone 3516 */ 3517 case MBEDTLS_SSL_SERVER_HELLO: 3518 ret = ssl_parse_server_hello(ssl); 3519 break; 3520 3521 case MBEDTLS_SSL_SERVER_CERTIFICATE: 3522 ret = mbedtls_ssl_parse_certificate(ssl); 3523 break; 3524 3525 case MBEDTLS_SSL_SERVER_KEY_EXCHANGE: 3526 ret = ssl_parse_server_key_exchange(ssl); 3527 break; 3528 3529 case MBEDTLS_SSL_CERTIFICATE_REQUEST: 3530 ret = ssl_parse_certificate_request(ssl); 3531 break; 3532 3533 case MBEDTLS_SSL_SERVER_HELLO_DONE: 3534 ret = ssl_parse_server_hello_done(ssl); 3535 break; 3536 3537 /* 3538 * ==> ( Certificate/Alert ) 3539 * ClientKeyExchange 3540 * ( CertificateVerify ) 3541 * ChangeCipherSpec 3542 * Finished 3543 */ 3544 case MBEDTLS_SSL_CLIENT_CERTIFICATE: 3545 ret = mbedtls_ssl_write_certificate(ssl); 3546 break; 3547 3548 case MBEDTLS_SSL_CLIENT_KEY_EXCHANGE: 3549 ret = ssl_write_client_key_exchange(ssl); 3550 break; 3551 3552 case MBEDTLS_SSL_CERTIFICATE_VERIFY: 3553 ret = ssl_write_certificate_verify(ssl); 3554 break; 3555 3556 case MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC: 3557 ret = mbedtls_ssl_write_change_cipher_spec(ssl); 3558 break; 3559 3560 case MBEDTLS_SSL_CLIENT_FINISHED: 3561 ret = mbedtls_ssl_write_finished(ssl); 3562 break; 3563 3564 /* 3565 * <== ( NewSessionTicket ) 3566 * ChangeCipherSpec 3567 * Finished 3568 */ 3569 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 3570 case MBEDTLS_SSL_NEW_SESSION_TICKET: 3571 ret = ssl_parse_new_session_ticket(ssl); 3572 break; 3573 #endif 3574 3575 case MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC: 3576 ret = mbedtls_ssl_parse_change_cipher_spec(ssl); 3577 break; 3578 3579 case MBEDTLS_SSL_SERVER_FINISHED: 3580 ret = mbedtls_ssl_parse_finished(ssl); 3581 break; 3582 3583 case MBEDTLS_SSL_FLUSH_BUFFERS: 3584 MBEDTLS_SSL_DEBUG_MSG(2, ("handshake: done")); 3585 ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP; 3586 break; 3587 3588 case MBEDTLS_SSL_HANDSHAKE_WRAPUP: 3589 mbedtls_ssl_handshake_wrapup(ssl); 3590 break; 3591 3592 default: 3593 MBEDTLS_SSL_DEBUG_MSG(1, ("invalid state %d", ssl->state)); 3594 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 3595 } 3596 3597 return ret; 3598 } 3599 3600 #endif /* MBEDTLS_SSL_CLI_C && MBEDTLS_SSL_PROTO_TLS1_2 */ 3601