1*32b31808SJens Wiklander /* 2*32b31808SJens Wiklander * TLS server-side functions 3*32b31808SJens Wiklander * 4*32b31808SJens Wiklander * Copyright The Mbed TLS Contributors 5*32b31808SJens Wiklander * SPDX-License-Identifier: Apache-2.0 6*32b31808SJens Wiklander * 7*32b31808SJens Wiklander * Licensed under the Apache License, Version 2.0 (the "License"); you may 8*32b31808SJens Wiklander * not use this file except in compliance with the License. 9*32b31808SJens Wiklander * You may obtain a copy of the License at 10*32b31808SJens Wiklander * 11*32b31808SJens Wiklander * http://www.apache.org/licenses/LICENSE-2.0 12*32b31808SJens Wiklander * 13*32b31808SJens Wiklander * Unless required by applicable law or agreed to in writing, software 14*32b31808SJens Wiklander * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 15*32b31808SJens Wiklander * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 16*32b31808SJens Wiklander * See the License for the specific language governing permissions and 17*32b31808SJens Wiklander * limitations under the License. 18*32b31808SJens Wiklander */ 19*32b31808SJens Wiklander 20*32b31808SJens Wiklander #include "common.h" 21*32b31808SJens Wiklander 22*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_PROTO_TLS1_2) 23*32b31808SJens Wiklander 24*32b31808SJens Wiklander #include "mbedtls/platform.h" 25*32b31808SJens Wiklander 26*32b31808SJens Wiklander #include "mbedtls/ssl.h" 27*32b31808SJens Wiklander #include "ssl_misc.h" 28*32b31808SJens Wiklander #include "mbedtls/debug.h" 29*32b31808SJens Wiklander #include "mbedtls/error.h" 30*32b31808SJens Wiklander #include "mbedtls/platform_util.h" 31*32b31808SJens Wiklander #include "constant_time_internal.h" 32*32b31808SJens Wiklander #include "mbedtls/constant_time.h" 33*32b31808SJens Wiklander #include "hash_info.h" 34*32b31808SJens Wiklander 35*32b31808SJens Wiklander #include <string.h> 36*32b31808SJens Wiklander 37*32b31808SJens Wiklander #if defined(MBEDTLS_USE_PSA_CRYPTO) 38*32b31808SJens Wiklander #define PSA_TO_MBEDTLS_ERR(status) PSA_TO_MBEDTLS_ERR_LIST(status, \ 39*32b31808SJens Wiklander psa_to_ssl_errors, \ 40*32b31808SJens Wiklander psa_generic_status_to_mbedtls) 41*32b31808SJens Wiklander #endif 42*32b31808SJens Wiklander 43*32b31808SJens Wiklander #if defined(MBEDTLS_ECP_C) 44*32b31808SJens Wiklander #include "mbedtls/ecp.h" 45*32b31808SJens Wiklander #endif 46*32b31808SJens Wiklander 47*32b31808SJens Wiklander #if defined(MBEDTLS_HAVE_TIME) 48*32b31808SJens Wiklander #include "mbedtls/platform_time.h" 49*32b31808SJens Wiklander #endif 50*32b31808SJens Wiklander 51*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) 52*32b31808SJens Wiklander int mbedtls_ssl_set_client_transport_id(mbedtls_ssl_context *ssl, 53*32b31808SJens Wiklander const unsigned char *info, 54*32b31808SJens Wiklander size_t ilen) 55*32b31808SJens Wiklander { 56*32b31808SJens Wiklander if (ssl->conf->endpoint != MBEDTLS_SSL_IS_SERVER) { 57*32b31808SJens Wiklander return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 58*32b31808SJens Wiklander } 59*32b31808SJens Wiklander 60*32b31808SJens Wiklander mbedtls_free(ssl->cli_id); 61*32b31808SJens Wiklander 62*32b31808SJens Wiklander if ((ssl->cli_id = mbedtls_calloc(1, ilen)) == NULL) { 63*32b31808SJens Wiklander return MBEDTLS_ERR_SSL_ALLOC_FAILED; 64*32b31808SJens Wiklander } 65*32b31808SJens Wiklander 66*32b31808SJens Wiklander memcpy(ssl->cli_id, info, ilen); 67*32b31808SJens Wiklander ssl->cli_id_len = ilen; 68*32b31808SJens Wiklander 69*32b31808SJens Wiklander return 0; 70*32b31808SJens Wiklander } 71*32b31808SJens Wiklander 72*32b31808SJens Wiklander void mbedtls_ssl_conf_dtls_cookies(mbedtls_ssl_config *conf, 73*32b31808SJens Wiklander mbedtls_ssl_cookie_write_t *f_cookie_write, 74*32b31808SJens Wiklander mbedtls_ssl_cookie_check_t *f_cookie_check, 75*32b31808SJens Wiklander void *p_cookie) 76*32b31808SJens Wiklander { 77*32b31808SJens Wiklander conf->f_cookie_write = f_cookie_write; 78*32b31808SJens Wiklander conf->f_cookie_check = f_cookie_check; 79*32b31808SJens Wiklander conf->p_cookie = p_cookie; 80*32b31808SJens Wiklander } 81*32b31808SJens Wiklander #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */ 82*32b31808SJens Wiklander 83*32b31808SJens Wiklander #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) 84*32b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 85*32b31808SJens Wiklander static int ssl_conf_has_psk_or_cb(mbedtls_ssl_config const *conf) 86*32b31808SJens Wiklander { 87*32b31808SJens Wiklander if (conf->f_psk != NULL) { 88*32b31808SJens Wiklander return 1; 89*32b31808SJens Wiklander } 90*32b31808SJens Wiklander 91*32b31808SJens Wiklander if (conf->psk_identity_len == 0 || conf->psk_identity == NULL) { 92*32b31808SJens Wiklander return 0; 93*32b31808SJens Wiklander } 94*32b31808SJens Wiklander 95*32b31808SJens Wiklander 96*32b31808SJens Wiklander #if defined(MBEDTLS_USE_PSA_CRYPTO) 97*32b31808SJens Wiklander if (!mbedtls_svc_key_id_is_null(conf->psk_opaque)) { 98*32b31808SJens Wiklander return 1; 99*32b31808SJens Wiklander } 100*32b31808SJens Wiklander #endif /* MBEDTLS_USE_PSA_CRYPTO */ 101*32b31808SJens Wiklander 102*32b31808SJens Wiklander if (conf->psk != NULL && conf->psk_len != 0) { 103*32b31808SJens Wiklander return 1; 104*32b31808SJens Wiklander } 105*32b31808SJens Wiklander 106*32b31808SJens Wiklander return 0; 107*32b31808SJens Wiklander } 108*32b31808SJens Wiklander #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */ 109*32b31808SJens Wiklander 110*32b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 111*32b31808SJens Wiklander static int ssl_parse_renegotiation_info(mbedtls_ssl_context *ssl, 112*32b31808SJens Wiklander const unsigned char *buf, 113*32b31808SJens Wiklander size_t len) 114*32b31808SJens Wiklander { 115*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_RENEGOTIATION) 116*32b31808SJens Wiklander if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) { 117*32b31808SJens Wiklander /* Check verify-data in constant-time. The length OTOH is no secret */ 118*32b31808SJens Wiklander if (len != 1 + ssl->verify_data_len || 119*32b31808SJens Wiklander buf[0] != ssl->verify_data_len || 120*32b31808SJens Wiklander mbedtls_ct_memcmp(buf + 1, ssl->peer_verify_data, 121*32b31808SJens Wiklander ssl->verify_data_len) != 0) { 122*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(1, ("non-matching renegotiation info")); 123*32b31808SJens Wiklander mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 124*32b31808SJens Wiklander MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE); 125*32b31808SJens Wiklander return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; 126*32b31808SJens Wiklander } 127*32b31808SJens Wiklander } else 128*32b31808SJens Wiklander #endif /* MBEDTLS_SSL_RENEGOTIATION */ 129*32b31808SJens Wiklander { 130*32b31808SJens Wiklander if (len != 1 || buf[0] != 0x0) { 131*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(1, ("non-zero length renegotiation info")); 132*32b31808SJens Wiklander mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 133*32b31808SJens Wiklander MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE); 134*32b31808SJens Wiklander return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; 135*32b31808SJens Wiklander } 136*32b31808SJens Wiklander 137*32b31808SJens Wiklander ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION; 138*32b31808SJens Wiklander } 139*32b31808SJens Wiklander 140*32b31808SJens Wiklander return 0; 141*32b31808SJens Wiklander } 142*32b31808SJens Wiklander 143*32b31808SJens Wiklander #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ 144*32b31808SJens Wiklander defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 145*32b31808SJens Wiklander /* 146*32b31808SJens Wiklander * Function for parsing a supported groups (TLS 1.3) or supported elliptic 147*32b31808SJens Wiklander * curves (TLS 1.2) extension. 148*32b31808SJens Wiklander * 149*32b31808SJens Wiklander * The "extension_data" field of a supported groups extension contains a 150*32b31808SJens Wiklander * "NamedGroupList" value (TLS 1.3 RFC8446): 151*32b31808SJens Wiklander * enum { 152*32b31808SJens Wiklander * secp256r1(0x0017), secp384r1(0x0018), secp521r1(0x0019), 153*32b31808SJens Wiklander * x25519(0x001D), x448(0x001E), 154*32b31808SJens Wiklander * ffdhe2048(0x0100), ffdhe3072(0x0101), ffdhe4096(0x0102), 155*32b31808SJens Wiklander * ffdhe6144(0x0103), ffdhe8192(0x0104), 156*32b31808SJens Wiklander * ffdhe_private_use(0x01FC..0x01FF), 157*32b31808SJens Wiklander * ecdhe_private_use(0xFE00..0xFEFF), 158*32b31808SJens Wiklander * (0xFFFF) 159*32b31808SJens Wiklander * } NamedGroup; 160*32b31808SJens Wiklander * struct { 161*32b31808SJens Wiklander * NamedGroup named_group_list<2..2^16-1>; 162*32b31808SJens Wiklander * } NamedGroupList; 163*32b31808SJens Wiklander * 164*32b31808SJens Wiklander * The "extension_data" field of a supported elliptic curves extension contains 165*32b31808SJens Wiklander * a "NamedCurveList" value (TLS 1.2 RFC 8422): 166*32b31808SJens Wiklander * enum { 167*32b31808SJens Wiklander * deprecated(1..22), 168*32b31808SJens Wiklander * secp256r1 (23), secp384r1 (24), secp521r1 (25), 169*32b31808SJens Wiklander * x25519(29), x448(30), 170*32b31808SJens Wiklander * reserved (0xFE00..0xFEFF), 171*32b31808SJens Wiklander * deprecated(0xFF01..0xFF02), 172*32b31808SJens Wiklander * (0xFFFF) 173*32b31808SJens Wiklander * } NamedCurve; 174*32b31808SJens Wiklander * struct { 175*32b31808SJens Wiklander * NamedCurve named_curve_list<2..2^16-1> 176*32b31808SJens Wiklander * } NamedCurveList; 177*32b31808SJens Wiklander * 178*32b31808SJens Wiklander * The TLS 1.3 supported groups extension was defined to be a compatible 179*32b31808SJens Wiklander * generalization of the TLS 1.2 supported elliptic curves extension. They both 180*32b31808SJens Wiklander * share the same extension identifier. 181*32b31808SJens Wiklander * 182*32b31808SJens Wiklander * DHE groups are not supported yet. 183*32b31808SJens Wiklander */ 184*32b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 185*32b31808SJens Wiklander static int ssl_parse_supported_groups_ext(mbedtls_ssl_context *ssl, 186*32b31808SJens Wiklander const unsigned char *buf, 187*32b31808SJens Wiklander size_t len) 188*32b31808SJens Wiklander { 189*32b31808SJens Wiklander size_t list_size, our_size; 190*32b31808SJens Wiklander const unsigned char *p; 191*32b31808SJens Wiklander uint16_t *curves_tls_id; 192*32b31808SJens Wiklander 193*32b31808SJens Wiklander if (len < 2) { 194*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); 195*32b31808SJens Wiklander mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 196*32b31808SJens Wiklander MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); 197*32b31808SJens Wiklander return MBEDTLS_ERR_SSL_DECODE_ERROR; 198*32b31808SJens Wiklander } 199*32b31808SJens Wiklander list_size = ((buf[0] << 8) | (buf[1])); 200*32b31808SJens Wiklander if (list_size + 2 != len || 201*32b31808SJens Wiklander list_size % 2 != 0) { 202*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); 203*32b31808SJens Wiklander mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 204*32b31808SJens Wiklander MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); 205*32b31808SJens Wiklander return MBEDTLS_ERR_SSL_DECODE_ERROR; 206*32b31808SJens Wiklander } 207*32b31808SJens Wiklander 208*32b31808SJens Wiklander /* Should never happen unless client duplicates the extension */ 209*32b31808SJens Wiklander if (ssl->handshake->curves_tls_id != NULL) { 210*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); 211*32b31808SJens Wiklander mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 212*32b31808SJens Wiklander MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER); 213*32b31808SJens Wiklander return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; 214*32b31808SJens Wiklander } 215*32b31808SJens Wiklander 216*32b31808SJens Wiklander /* Don't allow our peer to make us allocate too much memory, 217*32b31808SJens Wiklander * and leave room for a final 0 */ 218*32b31808SJens Wiklander our_size = list_size / 2 + 1; 219*32b31808SJens Wiklander if (our_size > MBEDTLS_ECP_DP_MAX) { 220*32b31808SJens Wiklander our_size = MBEDTLS_ECP_DP_MAX; 221*32b31808SJens Wiklander } 222*32b31808SJens Wiklander 223*32b31808SJens Wiklander if ((curves_tls_id = mbedtls_calloc(our_size, 224*32b31808SJens Wiklander sizeof(*curves_tls_id))) == NULL) { 225*32b31808SJens Wiklander mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 226*32b31808SJens Wiklander MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR); 227*32b31808SJens Wiklander return MBEDTLS_ERR_SSL_ALLOC_FAILED; 228*32b31808SJens Wiklander } 229*32b31808SJens Wiklander 230*32b31808SJens Wiklander ssl->handshake->curves_tls_id = curves_tls_id; 231*32b31808SJens Wiklander 232*32b31808SJens Wiklander p = buf + 2; 233*32b31808SJens Wiklander while (list_size > 0 && our_size > 1) { 234*32b31808SJens Wiklander uint16_t curr_tls_id = MBEDTLS_GET_UINT16_BE(p, 0); 235*32b31808SJens Wiklander 236*32b31808SJens Wiklander if (mbedtls_ssl_get_ecp_group_id_from_tls_id(curr_tls_id) != 237*32b31808SJens Wiklander MBEDTLS_ECP_DP_NONE) { 238*32b31808SJens Wiklander *curves_tls_id++ = curr_tls_id; 239*32b31808SJens Wiklander our_size--; 240*32b31808SJens Wiklander } 241*32b31808SJens Wiklander 242*32b31808SJens Wiklander list_size -= 2; 243*32b31808SJens Wiklander p += 2; 244*32b31808SJens Wiklander } 245*32b31808SJens Wiklander 246*32b31808SJens Wiklander return 0; 247*32b31808SJens Wiklander } 248*32b31808SJens Wiklander 249*32b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 250*32b31808SJens Wiklander static int ssl_parse_supported_point_formats(mbedtls_ssl_context *ssl, 251*32b31808SJens Wiklander const unsigned char *buf, 252*32b31808SJens Wiklander size_t len) 253*32b31808SJens Wiklander { 254*32b31808SJens Wiklander size_t list_size; 255*32b31808SJens Wiklander const unsigned char *p; 256*32b31808SJens Wiklander 257*32b31808SJens Wiklander if (len == 0 || (size_t) (buf[0] + 1) != len) { 258*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); 259*32b31808SJens Wiklander mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 260*32b31808SJens Wiklander MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); 261*32b31808SJens Wiklander return MBEDTLS_ERR_SSL_DECODE_ERROR; 262*32b31808SJens Wiklander } 263*32b31808SJens Wiklander list_size = buf[0]; 264*32b31808SJens Wiklander 265*32b31808SJens Wiklander p = buf + 1; 266*32b31808SJens Wiklander while (list_size > 0) { 267*32b31808SJens Wiklander if (p[0] == MBEDTLS_ECP_PF_UNCOMPRESSED || 268*32b31808SJens Wiklander p[0] == MBEDTLS_ECP_PF_COMPRESSED) { 269*32b31808SJens Wiklander #if !defined(MBEDTLS_USE_PSA_CRYPTO) && \ 270*32b31808SJens Wiklander (defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C)) 271*32b31808SJens Wiklander ssl->handshake->ecdh_ctx.point_format = p[0]; 272*32b31808SJens Wiklander #endif /* !MBEDTLS_USE_PSA_CRYPTO && 273*32b31808SJens Wiklander ( MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ) */ 274*32b31808SJens Wiklander #if !defined(MBEDTLS_USE_PSA_CRYPTO) && \ 275*32b31808SJens Wiklander defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 276*32b31808SJens Wiklander mbedtls_ecjpake_set_point_format(&ssl->handshake->ecjpake_ctx, 277*32b31808SJens Wiklander p[0]); 278*32b31808SJens Wiklander #endif /* !MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 279*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(4, ("point format selected: %d", p[0])); 280*32b31808SJens Wiklander return 0; 281*32b31808SJens Wiklander } 282*32b31808SJens Wiklander 283*32b31808SJens Wiklander list_size--; 284*32b31808SJens Wiklander p++; 285*32b31808SJens Wiklander } 286*32b31808SJens Wiklander 287*32b31808SJens Wiklander return 0; 288*32b31808SJens Wiklander } 289*32b31808SJens Wiklander #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || 290*32b31808SJens Wiklander MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 291*32b31808SJens Wiklander 292*32b31808SJens Wiklander #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 293*32b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 294*32b31808SJens Wiklander static int ssl_parse_ecjpake_kkpp(mbedtls_ssl_context *ssl, 295*32b31808SJens Wiklander const unsigned char *buf, 296*32b31808SJens Wiklander size_t len) 297*32b31808SJens Wiklander { 298*32b31808SJens Wiklander int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 299*32b31808SJens Wiklander 300*32b31808SJens Wiklander #if defined(MBEDTLS_USE_PSA_CRYPTO) 301*32b31808SJens Wiklander if (ssl->handshake->psa_pake_ctx_is_ok != 1) 302*32b31808SJens Wiklander #else 303*32b31808SJens Wiklander if (mbedtls_ecjpake_check(&ssl->handshake->ecjpake_ctx) != 0) 304*32b31808SJens Wiklander #endif /* MBEDTLS_USE_PSA_CRYPTO */ 305*32b31808SJens Wiklander { 306*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(3, ("skip ecjpake kkpp extension")); 307*32b31808SJens Wiklander return 0; 308*32b31808SJens Wiklander } 309*32b31808SJens Wiklander 310*32b31808SJens Wiklander #if defined(MBEDTLS_USE_PSA_CRYPTO) 311*32b31808SJens Wiklander if ((ret = mbedtls_psa_ecjpake_read_round( 312*32b31808SJens Wiklander &ssl->handshake->psa_pake_ctx, buf, len, 313*32b31808SJens Wiklander MBEDTLS_ECJPAKE_ROUND_ONE)) != 0) { 314*32b31808SJens Wiklander psa_destroy_key(ssl->handshake->psa_pake_password); 315*32b31808SJens Wiklander psa_pake_abort(&ssl->handshake->psa_pake_ctx); 316*32b31808SJens Wiklander 317*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_RET(1, "psa_pake_input round one", ret); 318*32b31808SJens Wiklander mbedtls_ssl_send_alert_message( 319*32b31808SJens Wiklander ssl, 320*32b31808SJens Wiklander MBEDTLS_SSL_ALERT_LEVEL_FATAL, 321*32b31808SJens Wiklander MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE); 322*32b31808SJens Wiklander 323*32b31808SJens Wiklander return ret; 324*32b31808SJens Wiklander } 325*32b31808SJens Wiklander #else 326*32b31808SJens Wiklander if ((ret = mbedtls_ecjpake_read_round_one(&ssl->handshake->ecjpake_ctx, 327*32b31808SJens Wiklander buf, len)) != 0) { 328*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_read_round_one", ret); 329*32b31808SJens Wiklander mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 330*32b31808SJens Wiklander MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER); 331*32b31808SJens Wiklander return ret; 332*32b31808SJens Wiklander } 333*32b31808SJens Wiklander #endif /* MBEDTLS_USE_PSA_CRYPTO */ 334*32b31808SJens Wiklander 335*32b31808SJens Wiklander /* Only mark the extension as OK when we're sure it is */ 336*32b31808SJens Wiklander ssl->handshake->cli_exts |= MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK; 337*32b31808SJens Wiklander 338*32b31808SJens Wiklander return 0; 339*32b31808SJens Wiklander } 340*32b31808SJens Wiklander #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 341*32b31808SJens Wiklander 342*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 343*32b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 344*32b31808SJens Wiklander static int ssl_parse_max_fragment_length_ext(mbedtls_ssl_context *ssl, 345*32b31808SJens Wiklander const unsigned char *buf, 346*32b31808SJens Wiklander size_t len) 347*32b31808SJens Wiklander { 348*32b31808SJens Wiklander if (len != 1 || buf[0] >= MBEDTLS_SSL_MAX_FRAG_LEN_INVALID) { 349*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); 350*32b31808SJens Wiklander mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 351*32b31808SJens Wiklander MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER); 352*32b31808SJens Wiklander return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; 353*32b31808SJens Wiklander } 354*32b31808SJens Wiklander 355*32b31808SJens Wiklander ssl->session_negotiate->mfl_code = buf[0]; 356*32b31808SJens Wiklander 357*32b31808SJens Wiklander return 0; 358*32b31808SJens Wiklander } 359*32b31808SJens Wiklander #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ 360*32b31808SJens Wiklander 361*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) 362*32b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 363*32b31808SJens Wiklander static int ssl_parse_cid_ext(mbedtls_ssl_context *ssl, 364*32b31808SJens Wiklander const unsigned char *buf, 365*32b31808SJens Wiklander size_t len) 366*32b31808SJens Wiklander { 367*32b31808SJens Wiklander size_t peer_cid_len; 368*32b31808SJens Wiklander 369*32b31808SJens Wiklander /* CID extension only makes sense in DTLS */ 370*32b31808SJens Wiklander if (ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) { 371*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); 372*32b31808SJens Wiklander mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 373*32b31808SJens Wiklander MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER); 374*32b31808SJens Wiklander return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; 375*32b31808SJens Wiklander } 376*32b31808SJens Wiklander 377*32b31808SJens Wiklander /* 378*32b31808SJens Wiklander * struct { 379*32b31808SJens Wiklander * opaque cid<0..2^8-1>; 380*32b31808SJens Wiklander * } ConnectionId; 381*32b31808SJens Wiklander */ 382*32b31808SJens Wiklander 383*32b31808SJens Wiklander if (len < 1) { 384*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); 385*32b31808SJens Wiklander mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 386*32b31808SJens Wiklander MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); 387*32b31808SJens Wiklander return MBEDTLS_ERR_SSL_DECODE_ERROR; 388*32b31808SJens Wiklander } 389*32b31808SJens Wiklander 390*32b31808SJens Wiklander peer_cid_len = *buf++; 391*32b31808SJens Wiklander len--; 392*32b31808SJens Wiklander 393*32b31808SJens Wiklander if (len != peer_cid_len) { 394*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); 395*32b31808SJens Wiklander mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 396*32b31808SJens Wiklander MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); 397*32b31808SJens Wiklander return MBEDTLS_ERR_SSL_DECODE_ERROR; 398*32b31808SJens Wiklander } 399*32b31808SJens Wiklander 400*32b31808SJens Wiklander /* Ignore CID if the user has disabled its use. */ 401*32b31808SJens Wiklander if (ssl->negotiate_cid == MBEDTLS_SSL_CID_DISABLED) { 402*32b31808SJens Wiklander /* Leave ssl->handshake->cid_in_use in its default 403*32b31808SJens Wiklander * value of MBEDTLS_SSL_CID_DISABLED. */ 404*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(3, ("Client sent CID extension, but CID disabled")); 405*32b31808SJens Wiklander return 0; 406*32b31808SJens Wiklander } 407*32b31808SJens Wiklander 408*32b31808SJens Wiklander if (peer_cid_len > MBEDTLS_SSL_CID_OUT_LEN_MAX) { 409*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); 410*32b31808SJens Wiklander mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 411*32b31808SJens Wiklander MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER); 412*32b31808SJens Wiklander return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; 413*32b31808SJens Wiklander } 414*32b31808SJens Wiklander 415*32b31808SJens Wiklander ssl->handshake->cid_in_use = MBEDTLS_SSL_CID_ENABLED; 416*32b31808SJens Wiklander ssl->handshake->peer_cid_len = (uint8_t) peer_cid_len; 417*32b31808SJens Wiklander memcpy(ssl->handshake->peer_cid, buf, peer_cid_len); 418*32b31808SJens Wiklander 419*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(3, ("Use of CID extension negotiated")); 420*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_BUF(3, "Client CID", buf, peer_cid_len); 421*32b31808SJens Wiklander 422*32b31808SJens Wiklander return 0; 423*32b31808SJens Wiklander } 424*32b31808SJens Wiklander #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ 425*32b31808SJens Wiklander 426*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 427*32b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 428*32b31808SJens Wiklander static int ssl_parse_encrypt_then_mac_ext(mbedtls_ssl_context *ssl, 429*32b31808SJens Wiklander const unsigned char *buf, 430*32b31808SJens Wiklander size_t len) 431*32b31808SJens Wiklander { 432*32b31808SJens Wiklander if (len != 0) { 433*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); 434*32b31808SJens Wiklander mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 435*32b31808SJens Wiklander MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); 436*32b31808SJens Wiklander return MBEDTLS_ERR_SSL_DECODE_ERROR; 437*32b31808SJens Wiklander } 438*32b31808SJens Wiklander 439*32b31808SJens Wiklander ((void) buf); 440*32b31808SJens Wiklander 441*32b31808SJens Wiklander if (ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED) { 442*32b31808SJens Wiklander ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED; 443*32b31808SJens Wiklander } 444*32b31808SJens Wiklander 445*32b31808SJens Wiklander return 0; 446*32b31808SJens Wiklander } 447*32b31808SJens Wiklander #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */ 448*32b31808SJens Wiklander 449*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 450*32b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 451*32b31808SJens Wiklander static int ssl_parse_extended_ms_ext(mbedtls_ssl_context *ssl, 452*32b31808SJens Wiklander const unsigned char *buf, 453*32b31808SJens Wiklander size_t len) 454*32b31808SJens Wiklander { 455*32b31808SJens Wiklander if (len != 0) { 456*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); 457*32b31808SJens Wiklander mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 458*32b31808SJens Wiklander MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); 459*32b31808SJens Wiklander return MBEDTLS_ERR_SSL_DECODE_ERROR; 460*32b31808SJens Wiklander } 461*32b31808SJens Wiklander 462*32b31808SJens Wiklander ((void) buf); 463*32b31808SJens Wiklander 464*32b31808SJens Wiklander if (ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED) { 465*32b31808SJens Wiklander ssl->handshake->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED; 466*32b31808SJens Wiklander } 467*32b31808SJens Wiklander 468*32b31808SJens Wiklander return 0; 469*32b31808SJens Wiklander } 470*32b31808SJens Wiklander #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */ 471*32b31808SJens Wiklander 472*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_SESSION_TICKETS) 473*32b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 474*32b31808SJens Wiklander static int ssl_parse_session_ticket_ext(mbedtls_ssl_context *ssl, 475*32b31808SJens Wiklander unsigned char *buf, 476*32b31808SJens Wiklander size_t len) 477*32b31808SJens Wiklander { 478*32b31808SJens Wiklander int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 479*32b31808SJens Wiklander mbedtls_ssl_session session; 480*32b31808SJens Wiklander 481*32b31808SJens Wiklander mbedtls_ssl_session_init(&session); 482*32b31808SJens Wiklander 483*32b31808SJens Wiklander if (ssl->conf->f_ticket_parse == NULL || 484*32b31808SJens Wiklander ssl->conf->f_ticket_write == NULL) { 485*32b31808SJens Wiklander return 0; 486*32b31808SJens Wiklander } 487*32b31808SJens Wiklander 488*32b31808SJens Wiklander /* Remember the client asked us to send a new ticket */ 489*32b31808SJens Wiklander ssl->handshake->new_session_ticket = 1; 490*32b31808SJens Wiklander 491*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(3, ("ticket length: %" MBEDTLS_PRINTF_SIZET, len)); 492*32b31808SJens Wiklander 493*32b31808SJens Wiklander if (len == 0) { 494*32b31808SJens Wiklander return 0; 495*32b31808SJens Wiklander } 496*32b31808SJens Wiklander 497*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_RENEGOTIATION) 498*32b31808SJens Wiklander if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) { 499*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(3, ("ticket rejected: renegotiating")); 500*32b31808SJens Wiklander return 0; 501*32b31808SJens Wiklander } 502*32b31808SJens Wiklander #endif /* MBEDTLS_SSL_RENEGOTIATION */ 503*32b31808SJens Wiklander 504*32b31808SJens Wiklander /* 505*32b31808SJens Wiklander * Failures are ok: just ignore the ticket and proceed. 506*32b31808SJens Wiklander */ 507*32b31808SJens Wiklander if ((ret = ssl->conf->f_ticket_parse(ssl->conf->p_ticket, &session, 508*32b31808SJens Wiklander buf, len)) != 0) { 509*32b31808SJens Wiklander mbedtls_ssl_session_free(&session); 510*32b31808SJens Wiklander 511*32b31808SJens Wiklander if (ret == MBEDTLS_ERR_SSL_INVALID_MAC) { 512*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(3, ("ticket is not authentic")); 513*32b31808SJens Wiklander } else if (ret == MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED) { 514*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(3, ("ticket is expired")); 515*32b31808SJens Wiklander } else { 516*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_ticket_parse", ret); 517*32b31808SJens Wiklander } 518*32b31808SJens Wiklander 519*32b31808SJens Wiklander return 0; 520*32b31808SJens Wiklander } 521*32b31808SJens Wiklander 522*32b31808SJens Wiklander /* 523*32b31808SJens Wiklander * Keep the session ID sent by the client, since we MUST send it back to 524*32b31808SJens Wiklander * inform them we're accepting the ticket (RFC 5077 section 3.4) 525*32b31808SJens Wiklander */ 526*32b31808SJens Wiklander session.id_len = ssl->session_negotiate->id_len; 527*32b31808SJens Wiklander memcpy(&session.id, ssl->session_negotiate->id, session.id_len); 528*32b31808SJens Wiklander 529*32b31808SJens Wiklander mbedtls_ssl_session_free(ssl->session_negotiate); 530*32b31808SJens Wiklander memcpy(ssl->session_negotiate, &session, sizeof(mbedtls_ssl_session)); 531*32b31808SJens Wiklander 532*32b31808SJens Wiklander /* Zeroize instead of free as we copied the content */ 533*32b31808SJens Wiklander mbedtls_platform_zeroize(&session, sizeof(mbedtls_ssl_session)); 534*32b31808SJens Wiklander 535*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(3, ("session successfully restored from ticket")); 536*32b31808SJens Wiklander 537*32b31808SJens Wiklander ssl->handshake->resume = 1; 538*32b31808SJens Wiklander 539*32b31808SJens Wiklander /* Don't send a new ticket after all, this one is OK */ 540*32b31808SJens Wiklander ssl->handshake->new_session_ticket = 0; 541*32b31808SJens Wiklander 542*32b31808SJens Wiklander return 0; 543*32b31808SJens Wiklander } 544*32b31808SJens Wiklander #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 545*32b31808SJens Wiklander 546*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_DTLS_SRTP) 547*32b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 548*32b31808SJens Wiklander static int ssl_parse_use_srtp_ext(mbedtls_ssl_context *ssl, 549*32b31808SJens Wiklander const unsigned char *buf, 550*32b31808SJens Wiklander size_t len) 551*32b31808SJens Wiklander { 552*32b31808SJens Wiklander mbedtls_ssl_srtp_profile client_protection = MBEDTLS_TLS_SRTP_UNSET; 553*32b31808SJens Wiklander size_t i, j; 554*32b31808SJens Wiklander size_t profile_length; 555*32b31808SJens Wiklander uint16_t mki_length; 556*32b31808SJens Wiklander /*! 2 bytes for profile length and 1 byte for mki len */ 557*32b31808SJens Wiklander const size_t size_of_lengths = 3; 558*32b31808SJens Wiklander 559*32b31808SJens Wiklander /* If use_srtp is not configured, just ignore the extension */ 560*32b31808SJens Wiklander if ((ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) || 561*32b31808SJens Wiklander (ssl->conf->dtls_srtp_profile_list == NULL) || 562*32b31808SJens Wiklander (ssl->conf->dtls_srtp_profile_list_len == 0)) { 563*32b31808SJens Wiklander return 0; 564*32b31808SJens Wiklander } 565*32b31808SJens Wiklander 566*32b31808SJens Wiklander /* RFC5764 section 4.1.1 567*32b31808SJens Wiklander * uint8 SRTPProtectionProfile[2]; 568*32b31808SJens Wiklander * 569*32b31808SJens Wiklander * struct { 570*32b31808SJens Wiklander * SRTPProtectionProfiles SRTPProtectionProfiles; 571*32b31808SJens Wiklander * opaque srtp_mki<0..255>; 572*32b31808SJens Wiklander * } UseSRTPData; 573*32b31808SJens Wiklander 574*32b31808SJens Wiklander * SRTPProtectionProfile SRTPProtectionProfiles<2..2^16-1>; 575*32b31808SJens Wiklander */ 576*32b31808SJens Wiklander 577*32b31808SJens Wiklander /* 578*32b31808SJens Wiklander * Min length is 5: at least one protection profile(2 bytes) 579*32b31808SJens Wiklander * and length(2 bytes) + srtp_mki length(1 byte) 580*32b31808SJens Wiklander * Check here that we have at least 2 bytes of protection profiles length 581*32b31808SJens Wiklander * and one of srtp_mki length 582*32b31808SJens Wiklander */ 583*32b31808SJens Wiklander if (len < size_of_lengths) { 584*32b31808SJens Wiklander mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 585*32b31808SJens Wiklander MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); 586*32b31808SJens Wiklander return MBEDTLS_ERR_SSL_DECODE_ERROR; 587*32b31808SJens Wiklander } 588*32b31808SJens Wiklander 589*32b31808SJens Wiklander ssl->dtls_srtp_info.chosen_dtls_srtp_profile = MBEDTLS_TLS_SRTP_UNSET; 590*32b31808SJens Wiklander 591*32b31808SJens Wiklander /* first 2 bytes are protection profile length(in bytes) */ 592*32b31808SJens Wiklander profile_length = (buf[0] << 8) | buf[1]; 593*32b31808SJens Wiklander buf += 2; 594*32b31808SJens Wiklander 595*32b31808SJens Wiklander /* The profile length cannot be bigger than input buffer size - lengths fields */ 596*32b31808SJens Wiklander if (profile_length > len - size_of_lengths || 597*32b31808SJens Wiklander profile_length % 2 != 0) { /* profiles are 2 bytes long, so the length must be even */ 598*32b31808SJens Wiklander mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 599*32b31808SJens Wiklander MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); 600*32b31808SJens Wiklander return MBEDTLS_ERR_SSL_DECODE_ERROR; 601*32b31808SJens Wiklander } 602*32b31808SJens Wiklander /* 603*32b31808SJens Wiklander * parse the extension list values are defined in 604*32b31808SJens Wiklander * http://www.iana.org/assignments/srtp-protection/srtp-protection.xhtml 605*32b31808SJens Wiklander */ 606*32b31808SJens Wiklander for (j = 0; j < profile_length; j += 2) { 607*32b31808SJens Wiklander uint16_t protection_profile_value = buf[j] << 8 | buf[j + 1]; 608*32b31808SJens Wiklander client_protection = mbedtls_ssl_check_srtp_profile_value(protection_profile_value); 609*32b31808SJens Wiklander 610*32b31808SJens Wiklander if (client_protection != MBEDTLS_TLS_SRTP_UNSET) { 611*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(3, ("found srtp profile: %s", 612*32b31808SJens Wiklander mbedtls_ssl_get_srtp_profile_as_string( 613*32b31808SJens Wiklander client_protection))); 614*32b31808SJens Wiklander } else { 615*32b31808SJens Wiklander continue; 616*32b31808SJens Wiklander } 617*32b31808SJens Wiklander /* check if suggested profile is in our list */ 618*32b31808SJens Wiklander for (i = 0; i < ssl->conf->dtls_srtp_profile_list_len; i++) { 619*32b31808SJens Wiklander if (client_protection == ssl->conf->dtls_srtp_profile_list[i]) { 620*32b31808SJens Wiklander ssl->dtls_srtp_info.chosen_dtls_srtp_profile = ssl->conf->dtls_srtp_profile_list[i]; 621*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(3, ("selected srtp profile: %s", 622*32b31808SJens Wiklander mbedtls_ssl_get_srtp_profile_as_string( 623*32b31808SJens Wiklander client_protection))); 624*32b31808SJens Wiklander break; 625*32b31808SJens Wiklander } 626*32b31808SJens Wiklander } 627*32b31808SJens Wiklander if (ssl->dtls_srtp_info.chosen_dtls_srtp_profile != MBEDTLS_TLS_SRTP_UNSET) { 628*32b31808SJens Wiklander break; 629*32b31808SJens Wiklander } 630*32b31808SJens Wiklander } 631*32b31808SJens Wiklander buf += profile_length; /* buf points to the mki length */ 632*32b31808SJens Wiklander mki_length = *buf; 633*32b31808SJens Wiklander buf++; 634*32b31808SJens Wiklander 635*32b31808SJens Wiklander if (mki_length > MBEDTLS_TLS_SRTP_MAX_MKI_LENGTH || 636*32b31808SJens Wiklander mki_length + profile_length + size_of_lengths != len) { 637*32b31808SJens Wiklander mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 638*32b31808SJens Wiklander MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); 639*32b31808SJens Wiklander return MBEDTLS_ERR_SSL_DECODE_ERROR; 640*32b31808SJens Wiklander } 641*32b31808SJens Wiklander 642*32b31808SJens Wiklander /* Parse the mki only if present and mki is supported locally */ 643*32b31808SJens Wiklander if (ssl->conf->dtls_srtp_mki_support == MBEDTLS_SSL_DTLS_SRTP_MKI_SUPPORTED && 644*32b31808SJens Wiklander mki_length > 0) { 645*32b31808SJens Wiklander ssl->dtls_srtp_info.mki_len = mki_length; 646*32b31808SJens Wiklander 647*32b31808SJens Wiklander memcpy(ssl->dtls_srtp_info.mki_value, buf, mki_length); 648*32b31808SJens Wiklander 649*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_BUF(3, "using mki", ssl->dtls_srtp_info.mki_value, 650*32b31808SJens Wiklander ssl->dtls_srtp_info.mki_len); 651*32b31808SJens Wiklander } 652*32b31808SJens Wiklander 653*32b31808SJens Wiklander return 0; 654*32b31808SJens Wiklander } 655*32b31808SJens Wiklander #endif /* MBEDTLS_SSL_DTLS_SRTP */ 656*32b31808SJens Wiklander 657*32b31808SJens Wiklander /* 658*32b31808SJens Wiklander * Auxiliary functions for ServerHello parsing and related actions 659*32b31808SJens Wiklander */ 660*32b31808SJens Wiklander 661*32b31808SJens Wiklander #if defined(MBEDTLS_X509_CRT_PARSE_C) 662*32b31808SJens Wiklander /* 663*32b31808SJens Wiklander * Return 0 if the given key uses one of the acceptable curves, -1 otherwise 664*32b31808SJens Wiklander */ 665*32b31808SJens Wiklander #if defined(MBEDTLS_ECDSA_C) 666*32b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 667*32b31808SJens Wiklander static int ssl_check_key_curve(mbedtls_pk_context *pk, 668*32b31808SJens Wiklander uint16_t *curves_tls_id) 669*32b31808SJens Wiklander { 670*32b31808SJens Wiklander uint16_t *curr_tls_id = curves_tls_id; 671*32b31808SJens Wiklander mbedtls_ecp_group_id grp_id = mbedtls_pk_ec(*pk)->grp.id; 672*32b31808SJens Wiklander mbedtls_ecp_group_id curr_grp_id; 673*32b31808SJens Wiklander 674*32b31808SJens Wiklander while (*curr_tls_id != 0) { 675*32b31808SJens Wiklander curr_grp_id = mbedtls_ssl_get_ecp_group_id_from_tls_id(*curr_tls_id); 676*32b31808SJens Wiklander if (curr_grp_id == grp_id) { 677*32b31808SJens Wiklander return 0; 678*32b31808SJens Wiklander } 679*32b31808SJens Wiklander curr_tls_id++; 680*32b31808SJens Wiklander } 681*32b31808SJens Wiklander 682*32b31808SJens Wiklander return -1; 683*32b31808SJens Wiklander } 684*32b31808SJens Wiklander #endif /* MBEDTLS_ECDSA_C */ 685*32b31808SJens Wiklander 686*32b31808SJens Wiklander /* 687*32b31808SJens Wiklander * Try picking a certificate for this ciphersuite, 688*32b31808SJens Wiklander * return 0 on success and -1 on failure. 689*32b31808SJens Wiklander */ 690*32b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 691*32b31808SJens Wiklander static int ssl_pick_cert(mbedtls_ssl_context *ssl, 692*32b31808SJens Wiklander const mbedtls_ssl_ciphersuite_t *ciphersuite_info) 693*32b31808SJens Wiklander { 694*32b31808SJens Wiklander mbedtls_ssl_key_cert *cur, *list; 695*32b31808SJens Wiklander #if defined(MBEDTLS_USE_PSA_CRYPTO) 696*32b31808SJens Wiklander psa_algorithm_t pk_alg = 697*32b31808SJens Wiklander mbedtls_ssl_get_ciphersuite_sig_pk_psa_alg(ciphersuite_info); 698*32b31808SJens Wiklander psa_key_usage_t pk_usage = 699*32b31808SJens Wiklander mbedtls_ssl_get_ciphersuite_sig_pk_psa_usage(ciphersuite_info); 700*32b31808SJens Wiklander #else 701*32b31808SJens Wiklander mbedtls_pk_type_t pk_alg = 702*32b31808SJens Wiklander mbedtls_ssl_get_ciphersuite_sig_pk_alg(ciphersuite_info); 703*32b31808SJens Wiklander #endif /* MBEDTLS_USE_PSA_CRYPTO */ 704*32b31808SJens Wiklander uint32_t flags; 705*32b31808SJens Wiklander 706*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 707*32b31808SJens Wiklander if (ssl->handshake->sni_key_cert != NULL) { 708*32b31808SJens Wiklander list = ssl->handshake->sni_key_cert; 709*32b31808SJens Wiklander } else 710*32b31808SJens Wiklander #endif 711*32b31808SJens Wiklander list = ssl->conf->key_cert; 712*32b31808SJens Wiklander 713*32b31808SJens Wiklander int pk_alg_is_none = 0; 714*32b31808SJens Wiklander #if defined(MBEDTLS_USE_PSA_CRYPTO) 715*32b31808SJens Wiklander pk_alg_is_none = (pk_alg == PSA_ALG_NONE); 716*32b31808SJens Wiklander #else 717*32b31808SJens Wiklander pk_alg_is_none = (pk_alg == MBEDTLS_PK_NONE); 718*32b31808SJens Wiklander #endif /* MBEDTLS_USE_PSA_CRYPTO */ 719*32b31808SJens Wiklander if (pk_alg_is_none) { 720*32b31808SJens Wiklander return 0; 721*32b31808SJens Wiklander } 722*32b31808SJens Wiklander 723*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite requires certificate")); 724*32b31808SJens Wiklander 725*32b31808SJens Wiklander if (list == NULL) { 726*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(3, ("server has no certificate")); 727*32b31808SJens Wiklander return -1; 728*32b31808SJens Wiklander } 729*32b31808SJens Wiklander 730*32b31808SJens Wiklander for (cur = list; cur != NULL; cur = cur->next) { 731*32b31808SJens Wiklander flags = 0; 732*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_CRT(3, "candidate certificate chain, certificate", 733*32b31808SJens Wiklander cur->cert); 734*32b31808SJens Wiklander 735*32b31808SJens Wiklander int key_type_matches = 0; 736*32b31808SJens Wiklander #if defined(MBEDTLS_USE_PSA_CRYPTO) 737*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) 738*32b31808SJens Wiklander key_type_matches = ((ssl->conf->f_async_sign_start != NULL || 739*32b31808SJens Wiklander ssl->conf->f_async_decrypt_start != NULL || 740*32b31808SJens Wiklander mbedtls_pk_can_do_ext(cur->key, pk_alg, pk_usage)) && 741*32b31808SJens Wiklander mbedtls_pk_can_do_ext(&cur->cert->pk, pk_alg, pk_usage)); 742*32b31808SJens Wiklander #else 743*32b31808SJens Wiklander key_type_matches = ( 744*32b31808SJens Wiklander mbedtls_pk_can_do_ext(cur->key, pk_alg, pk_usage)); 745*32b31808SJens Wiklander #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */ 746*32b31808SJens Wiklander #else 747*32b31808SJens Wiklander key_type_matches = mbedtls_pk_can_do(&cur->cert->pk, pk_alg); 748*32b31808SJens Wiklander #endif /* MBEDTLS_USE_PSA_CRYPTO */ 749*32b31808SJens Wiklander if (!key_type_matches) { 750*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(3, ("certificate mismatch: key type")); 751*32b31808SJens Wiklander continue; 752*32b31808SJens Wiklander } 753*32b31808SJens Wiklander 754*32b31808SJens Wiklander /* 755*32b31808SJens Wiklander * This avoids sending the client a cert it'll reject based on 756*32b31808SJens Wiklander * keyUsage or other extensions. 757*32b31808SJens Wiklander * 758*32b31808SJens Wiklander * It also allows the user to provision different certificates for 759*32b31808SJens Wiklander * different uses based on keyUsage, eg if they want to avoid signing 760*32b31808SJens Wiklander * and decrypting with the same RSA key. 761*32b31808SJens Wiklander */ 762*32b31808SJens Wiklander if (mbedtls_ssl_check_cert_usage(cur->cert, ciphersuite_info, 763*32b31808SJens Wiklander MBEDTLS_SSL_IS_SERVER, &flags) != 0) { 764*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(3, ("certificate mismatch: " 765*32b31808SJens Wiklander "(extended) key usage extension")); 766*32b31808SJens Wiklander continue; 767*32b31808SJens Wiklander } 768*32b31808SJens Wiklander 769*32b31808SJens Wiklander #if defined(MBEDTLS_ECDSA_C) 770*32b31808SJens Wiklander if (pk_alg == MBEDTLS_PK_ECDSA && 771*32b31808SJens Wiklander ssl_check_key_curve(&cur->cert->pk, 772*32b31808SJens Wiklander ssl->handshake->curves_tls_id) != 0) { 773*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(3, ("certificate mismatch: elliptic curve")); 774*32b31808SJens Wiklander continue; 775*32b31808SJens Wiklander } 776*32b31808SJens Wiklander #endif 777*32b31808SJens Wiklander 778*32b31808SJens Wiklander /* If we get there, we got a winner */ 779*32b31808SJens Wiklander break; 780*32b31808SJens Wiklander } 781*32b31808SJens Wiklander 782*32b31808SJens Wiklander /* Do not update ssl->handshake->key_cert unless there is a match */ 783*32b31808SJens Wiklander if (cur != NULL) { 784*32b31808SJens Wiklander ssl->handshake->key_cert = cur; 785*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_CRT(3, "selected certificate chain, certificate", 786*32b31808SJens Wiklander ssl->handshake->key_cert->cert); 787*32b31808SJens Wiklander return 0; 788*32b31808SJens Wiklander } 789*32b31808SJens Wiklander 790*32b31808SJens Wiklander return -1; 791*32b31808SJens Wiklander } 792*32b31808SJens Wiklander #endif /* MBEDTLS_X509_CRT_PARSE_C */ 793*32b31808SJens Wiklander 794*32b31808SJens Wiklander /* 795*32b31808SJens Wiklander * Check if a given ciphersuite is suitable for use with our config/keys/etc 796*32b31808SJens Wiklander * Sets ciphersuite_info only if the suite matches. 797*32b31808SJens Wiklander */ 798*32b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 799*32b31808SJens Wiklander static int ssl_ciphersuite_match(mbedtls_ssl_context *ssl, int suite_id, 800*32b31808SJens Wiklander const mbedtls_ssl_ciphersuite_t **ciphersuite_info) 801*32b31808SJens Wiklander { 802*32b31808SJens Wiklander const mbedtls_ssl_ciphersuite_t *suite_info; 803*32b31808SJens Wiklander 804*32b31808SJens Wiklander #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) 805*32b31808SJens Wiklander mbedtls_pk_type_t sig_type; 806*32b31808SJens Wiklander #endif 807*32b31808SJens Wiklander 808*32b31808SJens Wiklander suite_info = mbedtls_ssl_ciphersuite_from_id(suite_id); 809*32b31808SJens Wiklander if (suite_info == NULL) { 810*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); 811*32b31808SJens Wiklander return MBEDTLS_ERR_SSL_INTERNAL_ERROR; 812*32b31808SJens Wiklander } 813*32b31808SJens Wiklander 814*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(3, ("trying ciphersuite: %#04x (%s)", 815*32b31808SJens Wiklander (unsigned int) suite_id, suite_info->name)); 816*32b31808SJens Wiklander 817*32b31808SJens Wiklander if (suite_info->min_tls_version > ssl->tls_version || 818*32b31808SJens Wiklander suite_info->max_tls_version < ssl->tls_version) { 819*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: version")); 820*32b31808SJens Wiklander return 0; 821*32b31808SJens Wiklander } 822*32b31808SJens Wiklander 823*32b31808SJens Wiklander #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 824*32b31808SJens Wiklander if (suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE && 825*32b31808SJens Wiklander (ssl->handshake->cli_exts & MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK) == 0) { 826*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: ecjpake " 827*32b31808SJens Wiklander "not configured or ext missing")); 828*32b31808SJens Wiklander return 0; 829*32b31808SJens Wiklander } 830*32b31808SJens Wiklander #endif 831*32b31808SJens Wiklander 832*32b31808SJens Wiklander 833*32b31808SJens Wiklander #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) 834*32b31808SJens Wiklander if (mbedtls_ssl_ciphersuite_uses_ec(suite_info) && 835*32b31808SJens Wiklander (ssl->handshake->curves_tls_id == NULL || 836*32b31808SJens Wiklander ssl->handshake->curves_tls_id[0] == 0)) { 837*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: " 838*32b31808SJens Wiklander "no common elliptic curve")); 839*32b31808SJens Wiklander return 0; 840*32b31808SJens Wiklander } 841*32b31808SJens Wiklander #endif 842*32b31808SJens Wiklander 843*32b31808SJens Wiklander #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) 844*32b31808SJens Wiklander /* If the ciphersuite requires a pre-shared key and we don't 845*32b31808SJens Wiklander * have one, skip it now rather than failing later */ 846*32b31808SJens Wiklander if (mbedtls_ssl_ciphersuite_uses_psk(suite_info) && 847*32b31808SJens Wiklander ssl_conf_has_psk_or_cb(ssl->conf) == 0) { 848*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: no pre-shared key")); 849*32b31808SJens Wiklander return 0; 850*32b31808SJens Wiklander } 851*32b31808SJens Wiklander #endif 852*32b31808SJens Wiklander 853*32b31808SJens Wiklander #if defined(MBEDTLS_X509_CRT_PARSE_C) 854*32b31808SJens Wiklander /* 855*32b31808SJens Wiklander * Final check: if ciphersuite requires us to have a 856*32b31808SJens Wiklander * certificate/key of a particular type: 857*32b31808SJens Wiklander * - select the appropriate certificate if we have one, or 858*32b31808SJens Wiklander * - try the next ciphersuite if we don't 859*32b31808SJens Wiklander * This must be done last since we modify the key_cert list. 860*32b31808SJens Wiklander */ 861*32b31808SJens Wiklander if (ssl_pick_cert(ssl, suite_info) != 0) { 862*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: " 863*32b31808SJens Wiklander "no suitable certificate")); 864*32b31808SJens Wiklander return 0; 865*32b31808SJens Wiklander } 866*32b31808SJens Wiklander #endif 867*32b31808SJens Wiklander 868*32b31808SJens Wiklander #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) 869*32b31808SJens Wiklander /* If the ciphersuite requires signing, check whether 870*32b31808SJens Wiklander * a suitable hash algorithm is present. */ 871*32b31808SJens Wiklander sig_type = mbedtls_ssl_get_ciphersuite_sig_alg(suite_info); 872*32b31808SJens Wiklander if (sig_type != MBEDTLS_PK_NONE && 873*32b31808SJens Wiklander mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg( 874*32b31808SJens Wiklander ssl, mbedtls_ssl_sig_from_pk_alg(sig_type)) == MBEDTLS_SSL_HASH_NONE) { 875*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: no suitable hash algorithm " 876*32b31808SJens Wiklander "for signature algorithm %u", (unsigned) sig_type)); 877*32b31808SJens Wiklander return 0; 878*32b31808SJens Wiklander } 879*32b31808SJens Wiklander 880*32b31808SJens Wiklander #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ 881*32b31808SJens Wiklander 882*32b31808SJens Wiklander *ciphersuite_info = suite_info; 883*32b31808SJens Wiklander return 0; 884*32b31808SJens Wiklander } 885*32b31808SJens Wiklander 886*32b31808SJens Wiklander /* This function doesn't alert on errors that happen early during 887*32b31808SJens Wiklander ClientHello parsing because they might indicate that the client is 888*32b31808SJens Wiklander not talking SSL/TLS at all and would not understand our alert. */ 889*32b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 890*32b31808SJens Wiklander static int ssl_parse_client_hello(mbedtls_ssl_context *ssl) 891*32b31808SJens Wiklander { 892*32b31808SJens Wiklander int ret, got_common_suite; 893*32b31808SJens Wiklander size_t i, j; 894*32b31808SJens Wiklander size_t ciph_offset, comp_offset, ext_offset; 895*32b31808SJens Wiklander size_t msg_len, ciph_len, sess_len, comp_len, ext_len; 896*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_PROTO_DTLS) 897*32b31808SJens Wiklander size_t cookie_offset, cookie_len; 898*32b31808SJens Wiklander #endif 899*32b31808SJens Wiklander unsigned char *buf, *p, *ext; 900*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_RENEGOTIATION) 901*32b31808SJens Wiklander int renegotiation_info_seen = 0; 902*32b31808SJens Wiklander #endif 903*32b31808SJens Wiklander int handshake_failure = 0; 904*32b31808SJens Wiklander const int *ciphersuites; 905*32b31808SJens Wiklander const mbedtls_ssl_ciphersuite_t *ciphersuite_info; 906*32b31808SJens Wiklander 907*32b31808SJens Wiklander /* If there is no signature-algorithm extension present, 908*32b31808SJens Wiklander * we need to fall back to the default values for allowed 909*32b31808SJens Wiklander * signature-hash pairs. */ 910*32b31808SJens Wiklander #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) 911*32b31808SJens Wiklander int sig_hash_alg_ext_present = 0; 912*32b31808SJens Wiklander #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ 913*32b31808SJens Wiklander 914*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse client hello")); 915*32b31808SJens Wiklander 916*32b31808SJens Wiklander int renegotiating; 917*32b31808SJens Wiklander 918*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) 919*32b31808SJens Wiklander read_record_header: 920*32b31808SJens Wiklander #endif 921*32b31808SJens Wiklander /* 922*32b31808SJens Wiklander * If renegotiating, then the input was read with mbedtls_ssl_read_record(), 923*32b31808SJens Wiklander * otherwise read it ourselves manually in order to support SSLv2 924*32b31808SJens Wiklander * ClientHello, which doesn't use the same record layer format. 925*32b31808SJens Wiklander */ 926*32b31808SJens Wiklander renegotiating = 0; 927*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_RENEGOTIATION) 928*32b31808SJens Wiklander renegotiating = (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE); 929*32b31808SJens Wiklander #endif 930*32b31808SJens Wiklander if (!renegotiating) { 931*32b31808SJens Wiklander if ((ret = mbedtls_ssl_fetch_input(ssl, 5)) != 0) { 932*32b31808SJens Wiklander /* No alert on a read error. */ 933*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_fetch_input", ret); 934*32b31808SJens Wiklander return ret; 935*32b31808SJens Wiklander } 936*32b31808SJens Wiklander } 937*32b31808SJens Wiklander 938*32b31808SJens Wiklander buf = ssl->in_hdr; 939*32b31808SJens Wiklander 940*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_BUF(4, "record header", buf, mbedtls_ssl_in_hdr_len(ssl)); 941*32b31808SJens Wiklander 942*32b31808SJens Wiklander /* 943*32b31808SJens Wiklander * TLS Client Hello 944*32b31808SJens Wiklander * 945*32b31808SJens Wiklander * Record layer: 946*32b31808SJens Wiklander * 0 . 0 message type 947*32b31808SJens Wiklander * 1 . 2 protocol version 948*32b31808SJens Wiklander * 3 . 11 DTLS: epoch + record sequence number 949*32b31808SJens Wiklander * 3 . 4 message length 950*32b31808SJens Wiklander */ 951*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, message type: %d", 952*32b31808SJens Wiklander buf[0])); 953*32b31808SJens Wiklander 954*32b31808SJens Wiklander if (buf[0] != MBEDTLS_SSL_MSG_HANDSHAKE) { 955*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); 956*32b31808SJens Wiklander return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE; 957*32b31808SJens Wiklander } 958*32b31808SJens Wiklander 959*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, message len.: %d", 960*32b31808SJens Wiklander (ssl->in_len[0] << 8) | ssl->in_len[1])); 961*32b31808SJens Wiklander 962*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, protocol version: [%d:%d]", 963*32b31808SJens Wiklander buf[1], buf[2])); 964*32b31808SJens Wiklander 965*32b31808SJens Wiklander /* For DTLS if this is the initial handshake, remember the client sequence 966*32b31808SJens Wiklander * number to use it in our next message (RFC 6347 4.2.1) */ 967*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_PROTO_DTLS) 968*32b31808SJens Wiklander if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM 969*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_RENEGOTIATION) 970*32b31808SJens Wiklander && ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE 971*32b31808SJens Wiklander #endif 972*32b31808SJens Wiklander ) { 973*32b31808SJens Wiklander /* Epoch should be 0 for initial handshakes */ 974*32b31808SJens Wiklander if (ssl->in_ctr[0] != 0 || ssl->in_ctr[1] != 0) { 975*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); 976*32b31808SJens Wiklander return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; 977*32b31808SJens Wiklander } 978*32b31808SJens Wiklander 979*32b31808SJens Wiklander memcpy(&ssl->cur_out_ctr[2], ssl->in_ctr + 2, 980*32b31808SJens Wiklander sizeof(ssl->cur_out_ctr) - 2); 981*32b31808SJens Wiklander 982*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) 983*32b31808SJens Wiklander if (mbedtls_ssl_dtls_replay_check(ssl) != 0) { 984*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(1, ("replayed record, discarding")); 985*32b31808SJens Wiklander ssl->next_record_offset = 0; 986*32b31808SJens Wiklander ssl->in_left = 0; 987*32b31808SJens Wiklander goto read_record_header; 988*32b31808SJens Wiklander } 989*32b31808SJens Wiklander 990*32b31808SJens Wiklander /* No MAC to check yet, so we can update right now */ 991*32b31808SJens Wiklander mbedtls_ssl_dtls_replay_update(ssl); 992*32b31808SJens Wiklander #endif 993*32b31808SJens Wiklander } 994*32b31808SJens Wiklander #endif /* MBEDTLS_SSL_PROTO_DTLS */ 995*32b31808SJens Wiklander 996*32b31808SJens Wiklander msg_len = (ssl->in_len[0] << 8) | ssl->in_len[1]; 997*32b31808SJens Wiklander 998*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_RENEGOTIATION) 999*32b31808SJens Wiklander if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) { 1000*32b31808SJens Wiklander /* Set by mbedtls_ssl_read_record() */ 1001*32b31808SJens Wiklander msg_len = ssl->in_hslen; 1002*32b31808SJens Wiklander } else 1003*32b31808SJens Wiklander #endif 1004*32b31808SJens Wiklander { 1005*32b31808SJens Wiklander if (msg_len > MBEDTLS_SSL_IN_CONTENT_LEN) { 1006*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); 1007*32b31808SJens Wiklander return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; 1008*32b31808SJens Wiklander } 1009*32b31808SJens Wiklander 1010*32b31808SJens Wiklander if ((ret = mbedtls_ssl_fetch_input(ssl, 1011*32b31808SJens Wiklander mbedtls_ssl_in_hdr_len(ssl) + msg_len)) != 0) { 1012*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_fetch_input", ret); 1013*32b31808SJens Wiklander return ret; 1014*32b31808SJens Wiklander } 1015*32b31808SJens Wiklander 1016*32b31808SJens Wiklander /* Done reading this record, get ready for the next one */ 1017*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_PROTO_DTLS) 1018*32b31808SJens Wiklander if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) { 1019*32b31808SJens Wiklander ssl->next_record_offset = msg_len + mbedtls_ssl_in_hdr_len(ssl); 1020*32b31808SJens Wiklander } else 1021*32b31808SJens Wiklander #endif 1022*32b31808SJens Wiklander ssl->in_left = 0; 1023*32b31808SJens Wiklander } 1024*32b31808SJens Wiklander 1025*32b31808SJens Wiklander buf = ssl->in_msg; 1026*32b31808SJens Wiklander 1027*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_BUF(4, "record contents", buf, msg_len); 1028*32b31808SJens Wiklander 1029*32b31808SJens Wiklander ret = ssl->handshake->update_checksum(ssl, buf, msg_len); 1030*32b31808SJens Wiklander if (0 != ret) { 1031*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_RET(1, ("update_checksum"), ret); 1032*32b31808SJens Wiklander return ret; 1033*32b31808SJens Wiklander } 1034*32b31808SJens Wiklander 1035*32b31808SJens Wiklander /* 1036*32b31808SJens Wiklander * Handshake layer: 1037*32b31808SJens Wiklander * 0 . 0 handshake type 1038*32b31808SJens Wiklander * 1 . 3 handshake length 1039*32b31808SJens Wiklander * 4 . 5 DTLS only: message sequence number 1040*32b31808SJens Wiklander * 6 . 8 DTLS only: fragment offset 1041*32b31808SJens Wiklander * 9 . 11 DTLS only: fragment length 1042*32b31808SJens Wiklander */ 1043*32b31808SJens Wiklander if (msg_len < mbedtls_ssl_hs_hdr_len(ssl)) { 1044*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); 1045*32b31808SJens Wiklander return MBEDTLS_ERR_SSL_DECODE_ERROR; 1046*32b31808SJens Wiklander } 1047*32b31808SJens Wiklander 1048*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(3, ("client hello v3, handshake type: %d", buf[0])); 1049*32b31808SJens Wiklander 1050*32b31808SJens Wiklander if (buf[0] != MBEDTLS_SSL_HS_CLIENT_HELLO) { 1051*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); 1052*32b31808SJens Wiklander return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE; 1053*32b31808SJens Wiklander } 1054*32b31808SJens Wiklander { 1055*32b31808SJens Wiklander size_t handshake_len = MBEDTLS_GET_UINT24_BE(buf, 1); 1056*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(3, ("client hello v3, handshake len.: %u", 1057*32b31808SJens Wiklander (unsigned) handshake_len)); 1058*32b31808SJens Wiklander 1059*32b31808SJens Wiklander /* The record layer has a record size limit of 2^14 - 1 and 1060*32b31808SJens Wiklander * fragmentation is not supported, so buf[1] should be zero. */ 1061*32b31808SJens Wiklander if (buf[1] != 0) { 1062*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message: %u != 0", 1063*32b31808SJens Wiklander (unsigned) buf[1])); 1064*32b31808SJens Wiklander return MBEDTLS_ERR_SSL_DECODE_ERROR; 1065*32b31808SJens Wiklander } 1066*32b31808SJens Wiklander 1067*32b31808SJens Wiklander /* We don't support fragmentation of ClientHello (yet?) */ 1068*32b31808SJens Wiklander if (msg_len != mbedtls_ssl_hs_hdr_len(ssl) + handshake_len) { 1069*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message: %u != %u + %u", 1070*32b31808SJens Wiklander (unsigned) msg_len, 1071*32b31808SJens Wiklander (unsigned) mbedtls_ssl_hs_hdr_len(ssl), 1072*32b31808SJens Wiklander (unsigned) handshake_len)); 1073*32b31808SJens Wiklander return MBEDTLS_ERR_SSL_DECODE_ERROR; 1074*32b31808SJens Wiklander } 1075*32b31808SJens Wiklander } 1076*32b31808SJens Wiklander 1077*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_PROTO_DTLS) 1078*32b31808SJens Wiklander if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) { 1079*32b31808SJens Wiklander /* 1080*32b31808SJens Wiklander * Copy the client's handshake message_seq on initial handshakes, 1081*32b31808SJens Wiklander * check sequence number on renego. 1082*32b31808SJens Wiklander */ 1083*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_RENEGOTIATION) 1084*32b31808SJens Wiklander if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) { 1085*32b31808SJens Wiklander /* This couldn't be done in ssl_prepare_handshake_record() */ 1086*32b31808SJens Wiklander unsigned int cli_msg_seq = (ssl->in_msg[4] << 8) | 1087*32b31808SJens Wiklander ssl->in_msg[5]; 1088*32b31808SJens Wiklander 1089*32b31808SJens Wiklander if (cli_msg_seq != ssl->handshake->in_msg_seq) { 1090*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message_seq: " 1091*32b31808SJens Wiklander "%u (expected %u)", cli_msg_seq, 1092*32b31808SJens Wiklander ssl->handshake->in_msg_seq)); 1093*32b31808SJens Wiklander return MBEDTLS_ERR_SSL_DECODE_ERROR; 1094*32b31808SJens Wiklander } 1095*32b31808SJens Wiklander 1096*32b31808SJens Wiklander ssl->handshake->in_msg_seq++; 1097*32b31808SJens Wiklander } else 1098*32b31808SJens Wiklander #endif 1099*32b31808SJens Wiklander { 1100*32b31808SJens Wiklander unsigned int cli_msg_seq = (ssl->in_msg[4] << 8) | 1101*32b31808SJens Wiklander ssl->in_msg[5]; 1102*32b31808SJens Wiklander ssl->handshake->out_msg_seq = cli_msg_seq; 1103*32b31808SJens Wiklander ssl->handshake->in_msg_seq = cli_msg_seq + 1; 1104*32b31808SJens Wiklander } 1105*32b31808SJens Wiklander { 1106*32b31808SJens Wiklander /* 1107*32b31808SJens Wiklander * For now we don't support fragmentation, so make sure 1108*32b31808SJens Wiklander * fragment_offset == 0 and fragment_length == length 1109*32b31808SJens Wiklander */ 1110*32b31808SJens Wiklander size_t fragment_offset, fragment_length, length; 1111*32b31808SJens Wiklander fragment_offset = MBEDTLS_GET_UINT24_BE(ssl->in_msg, 6); 1112*32b31808SJens Wiklander fragment_length = MBEDTLS_GET_UINT24_BE(ssl->in_msg, 9); 1113*32b31808SJens Wiklander length = MBEDTLS_GET_UINT24_BE(ssl->in_msg, 1); 1114*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG( 1115*32b31808SJens Wiklander 4, ("fragment_offset=%u fragment_length=%u length=%u", 1116*32b31808SJens Wiklander (unsigned) fragment_offset, (unsigned) fragment_length, 1117*32b31808SJens Wiklander (unsigned) length)); 1118*32b31808SJens Wiklander if (fragment_offset != 0 || length != fragment_length) { 1119*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(1, ("ClientHello fragmentation not supported")); 1120*32b31808SJens Wiklander return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 1121*32b31808SJens Wiklander } 1122*32b31808SJens Wiklander } 1123*32b31808SJens Wiklander } 1124*32b31808SJens Wiklander #endif /* MBEDTLS_SSL_PROTO_DTLS */ 1125*32b31808SJens Wiklander 1126*32b31808SJens Wiklander buf += mbedtls_ssl_hs_hdr_len(ssl); 1127*32b31808SJens Wiklander msg_len -= mbedtls_ssl_hs_hdr_len(ssl); 1128*32b31808SJens Wiklander 1129*32b31808SJens Wiklander /* 1130*32b31808SJens Wiklander * ClientHello layer: 1131*32b31808SJens Wiklander * 0 . 1 protocol version 1132*32b31808SJens Wiklander * 2 . 33 random bytes (starting with 4 bytes of Unix time) 1133*32b31808SJens Wiklander * 34 . 35 session id length (1 byte) 1134*32b31808SJens Wiklander * 35 . 34+x session id 1135*32b31808SJens Wiklander * 35+x . 35+x DTLS only: cookie length (1 byte) 1136*32b31808SJens Wiklander * 36+x . .. DTLS only: cookie 1137*32b31808SJens Wiklander * .. . .. ciphersuite list length (2 bytes) 1138*32b31808SJens Wiklander * .. . .. ciphersuite list 1139*32b31808SJens Wiklander * .. . .. compression alg. list length (1 byte) 1140*32b31808SJens Wiklander * .. . .. compression alg. list 1141*32b31808SJens Wiklander * .. . .. extensions length (2 bytes, optional) 1142*32b31808SJens Wiklander * .. . .. extensions (optional) 1143*32b31808SJens Wiklander */ 1144*32b31808SJens Wiklander 1145*32b31808SJens Wiklander /* 1146*32b31808SJens Wiklander * Minimal length (with everything empty and extensions omitted) is 1147*32b31808SJens Wiklander * 2 + 32 + 1 + 2 + 1 = 38 bytes. Check that first, so that we can 1148*32b31808SJens Wiklander * read at least up to session id length without worrying. 1149*32b31808SJens Wiklander */ 1150*32b31808SJens Wiklander if (msg_len < 38) { 1151*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); 1152*32b31808SJens Wiklander return MBEDTLS_ERR_SSL_DECODE_ERROR; 1153*32b31808SJens Wiklander } 1154*32b31808SJens Wiklander 1155*32b31808SJens Wiklander /* 1156*32b31808SJens Wiklander * Check and save the protocol version 1157*32b31808SJens Wiklander */ 1158*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_BUF(3, "client hello, version", buf, 2); 1159*32b31808SJens Wiklander 1160*32b31808SJens Wiklander ssl->tls_version = mbedtls_ssl_read_version(buf, ssl->conf->transport); 1161*32b31808SJens Wiklander ssl->session_negotiate->tls_version = ssl->tls_version; 1162*32b31808SJens Wiklander 1163*32b31808SJens Wiklander if (ssl->tls_version != MBEDTLS_SSL_VERSION_TLS1_2) { 1164*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(1, ("server only supports TLS 1.2")); 1165*32b31808SJens Wiklander mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1166*32b31808SJens Wiklander MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION); 1167*32b31808SJens Wiklander return MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION; 1168*32b31808SJens Wiklander } 1169*32b31808SJens Wiklander 1170*32b31808SJens Wiklander /* 1171*32b31808SJens Wiklander * Save client random (inc. Unix time) 1172*32b31808SJens Wiklander */ 1173*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_BUF(3, "client hello, random bytes", buf + 2, 32); 1174*32b31808SJens Wiklander 1175*32b31808SJens Wiklander memcpy(ssl->handshake->randbytes, buf + 2, 32); 1176*32b31808SJens Wiklander 1177*32b31808SJens Wiklander /* 1178*32b31808SJens Wiklander * Check the session ID length and save session ID 1179*32b31808SJens Wiklander */ 1180*32b31808SJens Wiklander sess_len = buf[34]; 1181*32b31808SJens Wiklander 1182*32b31808SJens Wiklander if (sess_len > sizeof(ssl->session_negotiate->id) || 1183*32b31808SJens Wiklander sess_len + 34 + 2 > msg_len) { /* 2 for cipherlist length field */ 1184*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); 1185*32b31808SJens Wiklander mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1186*32b31808SJens Wiklander MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); 1187*32b31808SJens Wiklander return MBEDTLS_ERR_SSL_DECODE_ERROR; 1188*32b31808SJens Wiklander } 1189*32b31808SJens Wiklander 1190*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_BUF(3, "client hello, session id", buf + 35, sess_len); 1191*32b31808SJens Wiklander 1192*32b31808SJens Wiklander ssl->session_negotiate->id_len = sess_len; 1193*32b31808SJens Wiklander memset(ssl->session_negotiate->id, 0, 1194*32b31808SJens Wiklander sizeof(ssl->session_negotiate->id)); 1195*32b31808SJens Wiklander memcpy(ssl->session_negotiate->id, buf + 35, 1196*32b31808SJens Wiklander ssl->session_negotiate->id_len); 1197*32b31808SJens Wiklander 1198*32b31808SJens Wiklander /* 1199*32b31808SJens Wiklander * Check the cookie length and content 1200*32b31808SJens Wiklander */ 1201*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_PROTO_DTLS) 1202*32b31808SJens Wiklander if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) { 1203*32b31808SJens Wiklander cookie_offset = 35 + sess_len; 1204*32b31808SJens Wiklander cookie_len = buf[cookie_offset]; 1205*32b31808SJens Wiklander 1206*32b31808SJens Wiklander if (cookie_offset + 1 + cookie_len + 2 > msg_len) { 1207*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); 1208*32b31808SJens Wiklander mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1209*32b31808SJens Wiklander MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); 1210*32b31808SJens Wiklander return MBEDTLS_ERR_SSL_DECODE_ERROR; 1211*32b31808SJens Wiklander } 1212*32b31808SJens Wiklander 1213*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_BUF(3, "client hello, cookie", 1214*32b31808SJens Wiklander buf + cookie_offset + 1, cookie_len); 1215*32b31808SJens Wiklander 1216*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) 1217*32b31808SJens Wiklander if (ssl->conf->f_cookie_check != NULL 1218*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_RENEGOTIATION) 1219*32b31808SJens Wiklander && ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE 1220*32b31808SJens Wiklander #endif 1221*32b31808SJens Wiklander ) { 1222*32b31808SJens Wiklander if (ssl->conf->f_cookie_check(ssl->conf->p_cookie, 1223*32b31808SJens Wiklander buf + cookie_offset + 1, cookie_len, 1224*32b31808SJens Wiklander ssl->cli_id, ssl->cli_id_len) != 0) { 1225*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(2, ("cookie verification failed")); 1226*32b31808SJens Wiklander ssl->handshake->cookie_verify_result = 1; 1227*32b31808SJens Wiklander } else { 1228*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(2, ("cookie verification passed")); 1229*32b31808SJens Wiklander ssl->handshake->cookie_verify_result = 0; 1230*32b31808SJens Wiklander } 1231*32b31808SJens Wiklander } else 1232*32b31808SJens Wiklander #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */ 1233*32b31808SJens Wiklander { 1234*32b31808SJens Wiklander /* We know we didn't send a cookie, so it should be empty */ 1235*32b31808SJens Wiklander if (cookie_len != 0) { 1236*32b31808SJens Wiklander /* This may be an attacker's probe, so don't send an alert */ 1237*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); 1238*32b31808SJens Wiklander return MBEDTLS_ERR_SSL_DECODE_ERROR; 1239*32b31808SJens Wiklander } 1240*32b31808SJens Wiklander 1241*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(2, ("cookie verification skipped")); 1242*32b31808SJens Wiklander } 1243*32b31808SJens Wiklander 1244*32b31808SJens Wiklander /* 1245*32b31808SJens Wiklander * Check the ciphersuitelist length (will be parsed later) 1246*32b31808SJens Wiklander */ 1247*32b31808SJens Wiklander ciph_offset = cookie_offset + 1 + cookie_len; 1248*32b31808SJens Wiklander } else 1249*32b31808SJens Wiklander #endif /* MBEDTLS_SSL_PROTO_DTLS */ 1250*32b31808SJens Wiklander ciph_offset = 35 + sess_len; 1251*32b31808SJens Wiklander 1252*32b31808SJens Wiklander ciph_len = (buf[ciph_offset + 0] << 8) 1253*32b31808SJens Wiklander | (buf[ciph_offset + 1]); 1254*32b31808SJens Wiklander 1255*32b31808SJens Wiklander if (ciph_len < 2 || 1256*32b31808SJens Wiklander ciph_len + 2 + ciph_offset + 1 > msg_len || /* 1 for comp. alg. len */ 1257*32b31808SJens Wiklander (ciph_len % 2) != 0) { 1258*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); 1259*32b31808SJens Wiklander mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1260*32b31808SJens Wiklander MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); 1261*32b31808SJens Wiklander return MBEDTLS_ERR_SSL_DECODE_ERROR; 1262*32b31808SJens Wiklander } 1263*32b31808SJens Wiklander 1264*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_BUF(3, "client hello, ciphersuitelist", 1265*32b31808SJens Wiklander buf + ciph_offset + 2, ciph_len); 1266*32b31808SJens Wiklander 1267*32b31808SJens Wiklander /* 1268*32b31808SJens Wiklander * Check the compression algorithm's length. 1269*32b31808SJens Wiklander * The list contents are ignored because implementing 1270*32b31808SJens Wiklander * MBEDTLS_SSL_COMPRESS_NULL is mandatory and is the only 1271*32b31808SJens Wiklander * option supported by Mbed TLS. 1272*32b31808SJens Wiklander */ 1273*32b31808SJens Wiklander comp_offset = ciph_offset + 2 + ciph_len; 1274*32b31808SJens Wiklander 1275*32b31808SJens Wiklander comp_len = buf[comp_offset]; 1276*32b31808SJens Wiklander 1277*32b31808SJens Wiklander if (comp_len < 1 || 1278*32b31808SJens Wiklander comp_len > 16 || 1279*32b31808SJens Wiklander comp_len + comp_offset + 1 > msg_len) { 1280*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); 1281*32b31808SJens Wiklander mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1282*32b31808SJens Wiklander MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); 1283*32b31808SJens Wiklander return MBEDTLS_ERR_SSL_DECODE_ERROR; 1284*32b31808SJens Wiklander } 1285*32b31808SJens Wiklander 1286*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_BUF(3, "client hello, compression", 1287*32b31808SJens Wiklander buf + comp_offset + 1, comp_len); 1288*32b31808SJens Wiklander 1289*32b31808SJens Wiklander /* 1290*32b31808SJens Wiklander * Check the extension length 1291*32b31808SJens Wiklander */ 1292*32b31808SJens Wiklander ext_offset = comp_offset + 1 + comp_len; 1293*32b31808SJens Wiklander if (msg_len > ext_offset) { 1294*32b31808SJens Wiklander if (msg_len < ext_offset + 2) { 1295*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); 1296*32b31808SJens Wiklander mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1297*32b31808SJens Wiklander MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); 1298*32b31808SJens Wiklander return MBEDTLS_ERR_SSL_DECODE_ERROR; 1299*32b31808SJens Wiklander } 1300*32b31808SJens Wiklander 1301*32b31808SJens Wiklander ext_len = (buf[ext_offset + 0] << 8) 1302*32b31808SJens Wiklander | (buf[ext_offset + 1]); 1303*32b31808SJens Wiklander 1304*32b31808SJens Wiklander if (msg_len != ext_offset + 2 + ext_len) { 1305*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); 1306*32b31808SJens Wiklander mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1307*32b31808SJens Wiklander MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); 1308*32b31808SJens Wiklander return MBEDTLS_ERR_SSL_DECODE_ERROR; 1309*32b31808SJens Wiklander } 1310*32b31808SJens Wiklander } else { 1311*32b31808SJens Wiklander ext_len = 0; 1312*32b31808SJens Wiklander } 1313*32b31808SJens Wiklander 1314*32b31808SJens Wiklander ext = buf + ext_offset + 2; 1315*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_BUF(3, "client hello extensions", ext, ext_len); 1316*32b31808SJens Wiklander 1317*32b31808SJens Wiklander while (ext_len != 0) { 1318*32b31808SJens Wiklander unsigned int ext_id; 1319*32b31808SJens Wiklander unsigned int ext_size; 1320*32b31808SJens Wiklander if (ext_len < 4) { 1321*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); 1322*32b31808SJens Wiklander mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1323*32b31808SJens Wiklander MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); 1324*32b31808SJens Wiklander return MBEDTLS_ERR_SSL_DECODE_ERROR; 1325*32b31808SJens Wiklander } 1326*32b31808SJens Wiklander ext_id = ((ext[0] << 8) | (ext[1])); 1327*32b31808SJens Wiklander ext_size = ((ext[2] << 8) | (ext[3])); 1328*32b31808SJens Wiklander 1329*32b31808SJens Wiklander if (ext_size + 4 > ext_len) { 1330*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); 1331*32b31808SJens Wiklander mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1332*32b31808SJens Wiklander MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); 1333*32b31808SJens Wiklander return MBEDTLS_ERR_SSL_DECODE_ERROR; 1334*32b31808SJens Wiklander } 1335*32b31808SJens Wiklander switch (ext_id) { 1336*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 1337*32b31808SJens Wiklander case MBEDTLS_TLS_EXT_SERVERNAME: 1338*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(3, ("found ServerName extension")); 1339*32b31808SJens Wiklander ret = mbedtls_ssl_parse_server_name_ext(ssl, ext + 4, 1340*32b31808SJens Wiklander ext + 4 + ext_size); 1341*32b31808SJens Wiklander if (ret != 0) { 1342*32b31808SJens Wiklander return ret; 1343*32b31808SJens Wiklander } 1344*32b31808SJens Wiklander break; 1345*32b31808SJens Wiklander #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ 1346*32b31808SJens Wiklander 1347*32b31808SJens Wiklander case MBEDTLS_TLS_EXT_RENEGOTIATION_INFO: 1348*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(3, ("found renegotiation extension")); 1349*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_RENEGOTIATION) 1350*32b31808SJens Wiklander renegotiation_info_seen = 1; 1351*32b31808SJens Wiklander #endif 1352*32b31808SJens Wiklander 1353*32b31808SJens Wiklander ret = ssl_parse_renegotiation_info(ssl, ext + 4, ext_size); 1354*32b31808SJens Wiklander if (ret != 0) { 1355*32b31808SJens Wiklander return ret; 1356*32b31808SJens Wiklander } 1357*32b31808SJens Wiklander break; 1358*32b31808SJens Wiklander 1359*32b31808SJens Wiklander #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) 1360*32b31808SJens Wiklander case MBEDTLS_TLS_EXT_SIG_ALG: 1361*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(3, ("found signature_algorithms extension")); 1362*32b31808SJens Wiklander 1363*32b31808SJens Wiklander ret = mbedtls_ssl_parse_sig_alg_ext(ssl, ext + 4, ext + 4 + ext_size); 1364*32b31808SJens Wiklander if (ret != 0) { 1365*32b31808SJens Wiklander return ret; 1366*32b31808SJens Wiklander } 1367*32b31808SJens Wiklander 1368*32b31808SJens Wiklander sig_hash_alg_ext_present = 1; 1369*32b31808SJens Wiklander break; 1370*32b31808SJens Wiklander #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ 1371*32b31808SJens Wiklander 1372*32b31808SJens Wiklander #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ 1373*32b31808SJens Wiklander defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 1374*32b31808SJens Wiklander case MBEDTLS_TLS_EXT_SUPPORTED_GROUPS: 1375*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(3, ("found supported elliptic curves extension")); 1376*32b31808SJens Wiklander 1377*32b31808SJens Wiklander ret = ssl_parse_supported_groups_ext(ssl, ext + 4, ext_size); 1378*32b31808SJens Wiklander if (ret != 0) { 1379*32b31808SJens Wiklander return ret; 1380*32b31808SJens Wiklander } 1381*32b31808SJens Wiklander break; 1382*32b31808SJens Wiklander 1383*32b31808SJens Wiklander case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS: 1384*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(3, ("found supported point formats extension")); 1385*32b31808SJens Wiklander ssl->handshake->cli_exts |= MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT; 1386*32b31808SJens Wiklander 1387*32b31808SJens Wiklander ret = ssl_parse_supported_point_formats(ssl, ext + 4, ext_size); 1388*32b31808SJens Wiklander if (ret != 0) { 1389*32b31808SJens Wiklander return ret; 1390*32b31808SJens Wiklander } 1391*32b31808SJens Wiklander break; 1392*32b31808SJens Wiklander #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || 1393*32b31808SJens Wiklander MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 1394*32b31808SJens Wiklander 1395*32b31808SJens Wiklander #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 1396*32b31808SJens Wiklander case MBEDTLS_TLS_EXT_ECJPAKE_KKPP: 1397*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(3, ("found ecjpake kkpp extension")); 1398*32b31808SJens Wiklander 1399*32b31808SJens Wiklander ret = ssl_parse_ecjpake_kkpp(ssl, ext + 4, ext_size); 1400*32b31808SJens Wiklander if (ret != 0) { 1401*32b31808SJens Wiklander return ret; 1402*32b31808SJens Wiklander } 1403*32b31808SJens Wiklander break; 1404*32b31808SJens Wiklander #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 1405*32b31808SJens Wiklander 1406*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 1407*32b31808SJens Wiklander case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH: 1408*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(3, ("found max fragment length extension")); 1409*32b31808SJens Wiklander 1410*32b31808SJens Wiklander ret = ssl_parse_max_fragment_length_ext(ssl, ext + 4, ext_size); 1411*32b31808SJens Wiklander if (ret != 0) { 1412*32b31808SJens Wiklander return ret; 1413*32b31808SJens Wiklander } 1414*32b31808SJens Wiklander break; 1415*32b31808SJens Wiklander #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ 1416*32b31808SJens Wiklander 1417*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) 1418*32b31808SJens Wiklander case MBEDTLS_TLS_EXT_CID: 1419*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(3, ("found CID extension")); 1420*32b31808SJens Wiklander 1421*32b31808SJens Wiklander ret = ssl_parse_cid_ext(ssl, ext + 4, ext_size); 1422*32b31808SJens Wiklander if (ret != 0) { 1423*32b31808SJens Wiklander return ret; 1424*32b31808SJens Wiklander } 1425*32b31808SJens Wiklander break; 1426*32b31808SJens Wiklander #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ 1427*32b31808SJens Wiklander 1428*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 1429*32b31808SJens Wiklander case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC: 1430*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(3, ("found encrypt then mac extension")); 1431*32b31808SJens Wiklander 1432*32b31808SJens Wiklander ret = ssl_parse_encrypt_then_mac_ext(ssl, ext + 4, ext_size); 1433*32b31808SJens Wiklander if (ret != 0) { 1434*32b31808SJens Wiklander return ret; 1435*32b31808SJens Wiklander } 1436*32b31808SJens Wiklander break; 1437*32b31808SJens Wiklander #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */ 1438*32b31808SJens Wiklander 1439*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 1440*32b31808SJens Wiklander case MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET: 1441*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(3, ("found extended master secret extension")); 1442*32b31808SJens Wiklander 1443*32b31808SJens Wiklander ret = ssl_parse_extended_ms_ext(ssl, ext + 4, ext_size); 1444*32b31808SJens Wiklander if (ret != 0) { 1445*32b31808SJens Wiklander return ret; 1446*32b31808SJens Wiklander } 1447*32b31808SJens Wiklander break; 1448*32b31808SJens Wiklander #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */ 1449*32b31808SJens Wiklander 1450*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_SESSION_TICKETS) 1451*32b31808SJens Wiklander case MBEDTLS_TLS_EXT_SESSION_TICKET: 1452*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(3, ("found session ticket extension")); 1453*32b31808SJens Wiklander 1454*32b31808SJens Wiklander ret = ssl_parse_session_ticket_ext(ssl, ext + 4, ext_size); 1455*32b31808SJens Wiklander if (ret != 0) { 1456*32b31808SJens Wiklander return ret; 1457*32b31808SJens Wiklander } 1458*32b31808SJens Wiklander break; 1459*32b31808SJens Wiklander #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 1460*32b31808SJens Wiklander 1461*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_ALPN) 1462*32b31808SJens Wiklander case MBEDTLS_TLS_EXT_ALPN: 1463*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(3, ("found alpn extension")); 1464*32b31808SJens Wiklander 1465*32b31808SJens Wiklander ret = mbedtls_ssl_parse_alpn_ext(ssl, ext + 4, 1466*32b31808SJens Wiklander ext + 4 + ext_size); 1467*32b31808SJens Wiklander if (ret != 0) { 1468*32b31808SJens Wiklander return ret; 1469*32b31808SJens Wiklander } 1470*32b31808SJens Wiklander break; 1471*32b31808SJens Wiklander #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 1472*32b31808SJens Wiklander 1473*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_DTLS_SRTP) 1474*32b31808SJens Wiklander case MBEDTLS_TLS_EXT_USE_SRTP: 1475*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(3, ("found use_srtp extension")); 1476*32b31808SJens Wiklander 1477*32b31808SJens Wiklander ret = ssl_parse_use_srtp_ext(ssl, ext + 4, ext_size); 1478*32b31808SJens Wiklander if (ret != 0) { 1479*32b31808SJens Wiklander return ret; 1480*32b31808SJens Wiklander } 1481*32b31808SJens Wiklander break; 1482*32b31808SJens Wiklander #endif /* MBEDTLS_SSL_DTLS_SRTP */ 1483*32b31808SJens Wiklander 1484*32b31808SJens Wiklander default: 1485*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(3, ("unknown extension found: %u (ignoring)", 1486*32b31808SJens Wiklander ext_id)); 1487*32b31808SJens Wiklander } 1488*32b31808SJens Wiklander 1489*32b31808SJens Wiklander ext_len -= 4 + ext_size; 1490*32b31808SJens Wiklander ext += 4 + ext_size; 1491*32b31808SJens Wiklander } 1492*32b31808SJens Wiklander 1493*32b31808SJens Wiklander #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) 1494*32b31808SJens Wiklander 1495*32b31808SJens Wiklander /* 1496*32b31808SJens Wiklander * Try to fall back to default hash SHA1 if the client 1497*32b31808SJens Wiklander * hasn't provided any preferred signature-hash combinations. 1498*32b31808SJens Wiklander */ 1499*32b31808SJens Wiklander if (!sig_hash_alg_ext_present) { 1500*32b31808SJens Wiklander uint16_t *received_sig_algs = ssl->handshake->received_sig_algs; 1501*32b31808SJens Wiklander const uint16_t default_sig_algs[] = { 1502*32b31808SJens Wiklander #if defined(MBEDTLS_ECDSA_C) 1503*32b31808SJens Wiklander MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, 1504*32b31808SJens Wiklander MBEDTLS_SSL_HASH_SHA1), 1505*32b31808SJens Wiklander #endif 1506*32b31808SJens Wiklander #if defined(MBEDTLS_RSA_C) 1507*32b31808SJens Wiklander MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_RSA, 1508*32b31808SJens Wiklander MBEDTLS_SSL_HASH_SHA1), 1509*32b31808SJens Wiklander #endif 1510*32b31808SJens Wiklander MBEDTLS_TLS_SIG_NONE 1511*32b31808SJens Wiklander }; 1512*32b31808SJens Wiklander 1513*32b31808SJens Wiklander MBEDTLS_STATIC_ASSERT(sizeof(default_sig_algs) / sizeof(default_sig_algs[0]) 1514*32b31808SJens Wiklander <= MBEDTLS_RECEIVED_SIG_ALGS_SIZE, 1515*32b31808SJens Wiklander "default_sig_algs is too big"); 1516*32b31808SJens Wiklander 1517*32b31808SJens Wiklander memcpy(received_sig_algs, default_sig_algs, sizeof(default_sig_algs)); 1518*32b31808SJens Wiklander } 1519*32b31808SJens Wiklander 1520*32b31808SJens Wiklander #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ 1521*32b31808SJens Wiklander 1522*32b31808SJens Wiklander /* 1523*32b31808SJens Wiklander * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV 1524*32b31808SJens Wiklander */ 1525*32b31808SJens Wiklander for (i = 0, p = buf + ciph_offset + 2; i < ciph_len; i += 2, p += 2) { 1526*32b31808SJens Wiklander if (p[0] == 0 && p[1] == MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO) { 1527*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(3, ("received TLS_EMPTY_RENEGOTIATION_INFO ")); 1528*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_RENEGOTIATION) 1529*32b31808SJens Wiklander if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) { 1530*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(1, ("received RENEGOTIATION SCSV " 1531*32b31808SJens Wiklander "during renegotiation")); 1532*32b31808SJens Wiklander mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1533*32b31808SJens Wiklander MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE); 1534*32b31808SJens Wiklander return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; 1535*32b31808SJens Wiklander } 1536*32b31808SJens Wiklander #endif 1537*32b31808SJens Wiklander ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION; 1538*32b31808SJens Wiklander break; 1539*32b31808SJens Wiklander } 1540*32b31808SJens Wiklander } 1541*32b31808SJens Wiklander 1542*32b31808SJens Wiklander /* 1543*32b31808SJens Wiklander * Renegotiation security checks 1544*32b31808SJens Wiklander */ 1545*32b31808SJens Wiklander if (ssl->secure_renegotiation != MBEDTLS_SSL_SECURE_RENEGOTIATION && 1546*32b31808SJens Wiklander ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE) { 1547*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(1, ("legacy renegotiation, breaking off handshake")); 1548*32b31808SJens Wiklander handshake_failure = 1; 1549*32b31808SJens Wiklander } 1550*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_RENEGOTIATION) 1551*32b31808SJens Wiklander else if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS && 1552*32b31808SJens Wiklander ssl->secure_renegotiation == MBEDTLS_SSL_SECURE_RENEGOTIATION && 1553*32b31808SJens Wiklander renegotiation_info_seen == 0) { 1554*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(1, ("renegotiation_info extension missing (secure)")); 1555*32b31808SJens Wiklander handshake_failure = 1; 1556*32b31808SJens Wiklander } else if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS && 1557*32b31808SJens Wiklander ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION && 1558*32b31808SJens Wiklander ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION) { 1559*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(1, ("legacy renegotiation not allowed")); 1560*32b31808SJens Wiklander handshake_failure = 1; 1561*32b31808SJens Wiklander } else if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS && 1562*32b31808SJens Wiklander ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION && 1563*32b31808SJens Wiklander renegotiation_info_seen == 1) { 1564*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(1, ("renegotiation_info extension present (legacy)")); 1565*32b31808SJens Wiklander handshake_failure = 1; 1566*32b31808SJens Wiklander } 1567*32b31808SJens Wiklander #endif /* MBEDTLS_SSL_RENEGOTIATION */ 1568*32b31808SJens Wiklander 1569*32b31808SJens Wiklander if (handshake_failure == 1) { 1570*32b31808SJens Wiklander mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1571*32b31808SJens Wiklander MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE); 1572*32b31808SJens Wiklander return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; 1573*32b31808SJens Wiklander } 1574*32b31808SJens Wiklander 1575*32b31808SJens Wiklander /* 1576*32b31808SJens Wiklander * Server certification selection (after processing TLS extensions) 1577*32b31808SJens Wiklander */ 1578*32b31808SJens Wiklander if (ssl->conf->f_cert_cb && (ret = ssl->conf->f_cert_cb(ssl)) != 0) { 1579*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_RET(1, "f_cert_cb", ret); 1580*32b31808SJens Wiklander return ret; 1581*32b31808SJens Wiklander } 1582*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 1583*32b31808SJens Wiklander ssl->handshake->sni_name = NULL; 1584*32b31808SJens Wiklander ssl->handshake->sni_name_len = 0; 1585*32b31808SJens Wiklander #endif 1586*32b31808SJens Wiklander 1587*32b31808SJens Wiklander /* 1588*32b31808SJens Wiklander * Search for a matching ciphersuite 1589*32b31808SJens Wiklander * (At the end because we need information from the EC-based extensions 1590*32b31808SJens Wiklander * and certificate from the SNI callback triggered by the SNI extension 1591*32b31808SJens Wiklander * or certificate from server certificate selection callback.) 1592*32b31808SJens Wiklander */ 1593*32b31808SJens Wiklander got_common_suite = 0; 1594*32b31808SJens Wiklander ciphersuites = ssl->conf->ciphersuite_list; 1595*32b31808SJens Wiklander ciphersuite_info = NULL; 1596*32b31808SJens Wiklander 1597*32b31808SJens Wiklander if (ssl->conf->respect_cli_pref == MBEDTLS_SSL_SRV_CIPHERSUITE_ORDER_CLIENT) { 1598*32b31808SJens Wiklander for (j = 0, p = buf + ciph_offset + 2; j < ciph_len; j += 2, p += 2) { 1599*32b31808SJens Wiklander for (i = 0; ciphersuites[i] != 0; i++) { 1600*32b31808SJens Wiklander if (MBEDTLS_GET_UINT16_BE(p, 0) != ciphersuites[i]) { 1601*32b31808SJens Wiklander continue; 1602*32b31808SJens Wiklander } 1603*32b31808SJens Wiklander 1604*32b31808SJens Wiklander got_common_suite = 1; 1605*32b31808SJens Wiklander 1606*32b31808SJens Wiklander if ((ret = ssl_ciphersuite_match(ssl, ciphersuites[i], 1607*32b31808SJens Wiklander &ciphersuite_info)) != 0) { 1608*32b31808SJens Wiklander return ret; 1609*32b31808SJens Wiklander } 1610*32b31808SJens Wiklander 1611*32b31808SJens Wiklander if (ciphersuite_info != NULL) { 1612*32b31808SJens Wiklander goto have_ciphersuite; 1613*32b31808SJens Wiklander } 1614*32b31808SJens Wiklander } 1615*32b31808SJens Wiklander } 1616*32b31808SJens Wiklander } else { 1617*32b31808SJens Wiklander for (i = 0; ciphersuites[i] != 0; i++) { 1618*32b31808SJens Wiklander for (j = 0, p = buf + ciph_offset + 2; j < ciph_len; j += 2, p += 2) { 1619*32b31808SJens Wiklander if (MBEDTLS_GET_UINT16_BE(p, 0) != ciphersuites[i]) { 1620*32b31808SJens Wiklander continue; 1621*32b31808SJens Wiklander } 1622*32b31808SJens Wiklander 1623*32b31808SJens Wiklander got_common_suite = 1; 1624*32b31808SJens Wiklander 1625*32b31808SJens Wiklander if ((ret = ssl_ciphersuite_match(ssl, ciphersuites[i], 1626*32b31808SJens Wiklander &ciphersuite_info)) != 0) { 1627*32b31808SJens Wiklander return ret; 1628*32b31808SJens Wiklander } 1629*32b31808SJens Wiklander 1630*32b31808SJens Wiklander if (ciphersuite_info != NULL) { 1631*32b31808SJens Wiklander goto have_ciphersuite; 1632*32b31808SJens Wiklander } 1633*32b31808SJens Wiklander } 1634*32b31808SJens Wiklander } 1635*32b31808SJens Wiklander } 1636*32b31808SJens Wiklander 1637*32b31808SJens Wiklander if (got_common_suite) { 1638*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(1, ("got ciphersuites in common, " 1639*32b31808SJens Wiklander "but none of them usable")); 1640*32b31808SJens Wiklander mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1641*32b31808SJens Wiklander MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE); 1642*32b31808SJens Wiklander return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; 1643*32b31808SJens Wiklander } else { 1644*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(1, ("got no ciphersuites in common")); 1645*32b31808SJens Wiklander mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1646*32b31808SJens Wiklander MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE); 1647*32b31808SJens Wiklander return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; 1648*32b31808SJens Wiklander } 1649*32b31808SJens Wiklander 1650*32b31808SJens Wiklander have_ciphersuite: 1651*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(2, ("selected ciphersuite: %s", ciphersuite_info->name)); 1652*32b31808SJens Wiklander 1653*32b31808SJens Wiklander ssl->session_negotiate->ciphersuite = ciphersuites[i]; 1654*32b31808SJens Wiklander ssl->handshake->ciphersuite_info = ciphersuite_info; 1655*32b31808SJens Wiklander 1656*32b31808SJens Wiklander ssl->state++; 1657*32b31808SJens Wiklander 1658*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_PROTO_DTLS) 1659*32b31808SJens Wiklander if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) { 1660*32b31808SJens Wiklander mbedtls_ssl_recv_flight_completed(ssl); 1661*32b31808SJens Wiklander } 1662*32b31808SJens Wiklander #endif 1663*32b31808SJens Wiklander 1664*32b31808SJens Wiklander /* Debugging-only output for testsuite */ 1665*32b31808SJens Wiklander #if defined(MBEDTLS_DEBUG_C) && \ 1666*32b31808SJens Wiklander defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) 1667*32b31808SJens Wiklander mbedtls_pk_type_t sig_alg = mbedtls_ssl_get_ciphersuite_sig_alg(ciphersuite_info); 1668*32b31808SJens Wiklander if (sig_alg != MBEDTLS_PK_NONE) { 1669*32b31808SJens Wiklander unsigned int sig_hash = mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg( 1670*32b31808SJens Wiklander ssl, mbedtls_ssl_sig_from_pk_alg(sig_alg)); 1671*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(3, ("client hello v3, signature_algorithm ext: %u", 1672*32b31808SJens Wiklander sig_hash)); 1673*32b31808SJens Wiklander } else { 1674*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(3, ("no hash algorithm for signature algorithm " 1675*32b31808SJens Wiklander "%u - should not happen", (unsigned) sig_alg)); 1676*32b31808SJens Wiklander } 1677*32b31808SJens Wiklander #endif 1678*32b31808SJens Wiklander 1679*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse client hello")); 1680*32b31808SJens Wiklander 1681*32b31808SJens Wiklander return 0; 1682*32b31808SJens Wiklander } 1683*32b31808SJens Wiklander 1684*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) 1685*32b31808SJens Wiklander static void ssl_write_cid_ext(mbedtls_ssl_context *ssl, 1686*32b31808SJens Wiklander unsigned char *buf, 1687*32b31808SJens Wiklander size_t *olen) 1688*32b31808SJens Wiklander { 1689*32b31808SJens Wiklander unsigned char *p = buf; 1690*32b31808SJens Wiklander size_t ext_len; 1691*32b31808SJens Wiklander const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN; 1692*32b31808SJens Wiklander 1693*32b31808SJens Wiklander *olen = 0; 1694*32b31808SJens Wiklander 1695*32b31808SJens Wiklander /* Skip writing the extension if we don't want to use it or if 1696*32b31808SJens Wiklander * the client hasn't offered it. */ 1697*32b31808SJens Wiklander if (ssl->handshake->cid_in_use == MBEDTLS_SSL_CID_DISABLED) { 1698*32b31808SJens Wiklander return; 1699*32b31808SJens Wiklander } 1700*32b31808SJens Wiklander 1701*32b31808SJens Wiklander /* ssl->own_cid_len is at most MBEDTLS_SSL_CID_IN_LEN_MAX 1702*32b31808SJens Wiklander * which is at most 255, so the increment cannot overflow. */ 1703*32b31808SJens Wiklander if (end < p || (size_t) (end - p) < (unsigned) (ssl->own_cid_len + 5)) { 1704*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(1, ("buffer too small")); 1705*32b31808SJens Wiklander return; 1706*32b31808SJens Wiklander } 1707*32b31808SJens Wiklander 1708*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding CID extension")); 1709*32b31808SJens Wiklander 1710*32b31808SJens Wiklander /* 1711*32b31808SJens Wiklander * struct { 1712*32b31808SJens Wiklander * opaque cid<0..2^8-1>; 1713*32b31808SJens Wiklander * } ConnectionId; 1714*32b31808SJens Wiklander */ 1715*32b31808SJens Wiklander MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_CID, p, 0); 1716*32b31808SJens Wiklander p += 2; 1717*32b31808SJens Wiklander ext_len = (size_t) ssl->own_cid_len + 1; 1718*32b31808SJens Wiklander MBEDTLS_PUT_UINT16_BE(ext_len, p, 0); 1719*32b31808SJens Wiklander p += 2; 1720*32b31808SJens Wiklander 1721*32b31808SJens Wiklander *p++ = (uint8_t) ssl->own_cid_len; 1722*32b31808SJens Wiklander memcpy(p, ssl->own_cid, ssl->own_cid_len); 1723*32b31808SJens Wiklander 1724*32b31808SJens Wiklander *olen = ssl->own_cid_len + 5; 1725*32b31808SJens Wiklander } 1726*32b31808SJens Wiklander #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ 1727*32b31808SJens Wiklander 1728*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM) 1729*32b31808SJens Wiklander static void ssl_write_encrypt_then_mac_ext(mbedtls_ssl_context *ssl, 1730*32b31808SJens Wiklander unsigned char *buf, 1731*32b31808SJens Wiklander size_t *olen) 1732*32b31808SJens Wiklander { 1733*32b31808SJens Wiklander unsigned char *p = buf; 1734*32b31808SJens Wiklander const mbedtls_ssl_ciphersuite_t *suite = NULL; 1735*32b31808SJens Wiklander 1736*32b31808SJens Wiklander /* 1737*32b31808SJens Wiklander * RFC 7366: "If a server receives an encrypt-then-MAC request extension 1738*32b31808SJens Wiklander * from a client and then selects a stream or Authenticated Encryption 1739*32b31808SJens Wiklander * with Associated Data (AEAD) ciphersuite, it MUST NOT send an 1740*32b31808SJens Wiklander * encrypt-then-MAC response extension back to the client." 1741*32b31808SJens Wiklander */ 1742*32b31808SJens Wiklander suite = mbedtls_ssl_ciphersuite_from_id( 1743*32b31808SJens Wiklander ssl->session_negotiate->ciphersuite); 1744*32b31808SJens Wiklander if (suite == NULL) { 1745*32b31808SJens Wiklander ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_DISABLED; 1746*32b31808SJens Wiklander } else { 1747*32b31808SJens Wiklander mbedtls_ssl_mode_t ssl_mode = 1748*32b31808SJens Wiklander mbedtls_ssl_get_mode_from_ciphersuite( 1749*32b31808SJens Wiklander ssl->session_negotiate->encrypt_then_mac, 1750*32b31808SJens Wiklander suite); 1751*32b31808SJens Wiklander 1752*32b31808SJens Wiklander if (ssl_mode != MBEDTLS_SSL_MODE_CBC_ETM) { 1753*32b31808SJens Wiklander ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_DISABLED; 1754*32b31808SJens Wiklander } 1755*32b31808SJens Wiklander } 1756*32b31808SJens Wiklander 1757*32b31808SJens Wiklander if (ssl->session_negotiate->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED) { 1758*32b31808SJens Wiklander *olen = 0; 1759*32b31808SJens Wiklander return; 1760*32b31808SJens Wiklander } 1761*32b31808SJens Wiklander 1762*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding encrypt then mac extension")); 1763*32b31808SJens Wiklander 1764*32b31808SJens Wiklander MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC, p, 0); 1765*32b31808SJens Wiklander p += 2; 1766*32b31808SJens Wiklander 1767*32b31808SJens Wiklander *p++ = 0x00; 1768*32b31808SJens Wiklander *p++ = 0x00; 1769*32b31808SJens Wiklander 1770*32b31808SJens Wiklander *olen = 4; 1771*32b31808SJens Wiklander } 1772*32b31808SJens Wiklander #endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */ 1773*32b31808SJens Wiklander 1774*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 1775*32b31808SJens Wiklander static void ssl_write_extended_ms_ext(mbedtls_ssl_context *ssl, 1776*32b31808SJens Wiklander unsigned char *buf, 1777*32b31808SJens Wiklander size_t *olen) 1778*32b31808SJens Wiklander { 1779*32b31808SJens Wiklander unsigned char *p = buf; 1780*32b31808SJens Wiklander 1781*32b31808SJens Wiklander if (ssl->handshake->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED) { 1782*32b31808SJens Wiklander *olen = 0; 1783*32b31808SJens Wiklander return; 1784*32b31808SJens Wiklander } 1785*32b31808SJens Wiklander 1786*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding extended master secret " 1787*32b31808SJens Wiklander "extension")); 1788*32b31808SJens Wiklander 1789*32b31808SJens Wiklander MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET, p, 0); 1790*32b31808SJens Wiklander p += 2; 1791*32b31808SJens Wiklander 1792*32b31808SJens Wiklander *p++ = 0x00; 1793*32b31808SJens Wiklander *p++ = 0x00; 1794*32b31808SJens Wiklander 1795*32b31808SJens Wiklander *olen = 4; 1796*32b31808SJens Wiklander } 1797*32b31808SJens Wiklander #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */ 1798*32b31808SJens Wiklander 1799*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_SESSION_TICKETS) 1800*32b31808SJens Wiklander static void ssl_write_session_ticket_ext(mbedtls_ssl_context *ssl, 1801*32b31808SJens Wiklander unsigned char *buf, 1802*32b31808SJens Wiklander size_t *olen) 1803*32b31808SJens Wiklander { 1804*32b31808SJens Wiklander unsigned char *p = buf; 1805*32b31808SJens Wiklander 1806*32b31808SJens Wiklander if (ssl->handshake->new_session_ticket == 0) { 1807*32b31808SJens Wiklander *olen = 0; 1808*32b31808SJens Wiklander return; 1809*32b31808SJens Wiklander } 1810*32b31808SJens Wiklander 1811*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding session ticket extension")); 1812*32b31808SJens Wiklander 1813*32b31808SJens Wiklander MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_SESSION_TICKET, p, 0); 1814*32b31808SJens Wiklander p += 2; 1815*32b31808SJens Wiklander 1816*32b31808SJens Wiklander *p++ = 0x00; 1817*32b31808SJens Wiklander *p++ = 0x00; 1818*32b31808SJens Wiklander 1819*32b31808SJens Wiklander *olen = 4; 1820*32b31808SJens Wiklander } 1821*32b31808SJens Wiklander #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 1822*32b31808SJens Wiklander 1823*32b31808SJens Wiklander static void ssl_write_renegotiation_ext(mbedtls_ssl_context *ssl, 1824*32b31808SJens Wiklander unsigned char *buf, 1825*32b31808SJens Wiklander size_t *olen) 1826*32b31808SJens Wiklander { 1827*32b31808SJens Wiklander unsigned char *p = buf; 1828*32b31808SJens Wiklander 1829*32b31808SJens Wiklander if (ssl->secure_renegotiation != MBEDTLS_SSL_SECURE_RENEGOTIATION) { 1830*32b31808SJens Wiklander *olen = 0; 1831*32b31808SJens Wiklander return; 1832*32b31808SJens Wiklander } 1833*32b31808SJens Wiklander 1834*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, secure renegotiation extension")); 1835*32b31808SJens Wiklander 1836*32b31808SJens Wiklander MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_RENEGOTIATION_INFO, p, 0); 1837*32b31808SJens Wiklander p += 2; 1838*32b31808SJens Wiklander 1839*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_RENEGOTIATION) 1840*32b31808SJens Wiklander if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) { 1841*32b31808SJens Wiklander *p++ = 0x00; 1842*32b31808SJens Wiklander *p++ = (ssl->verify_data_len * 2 + 1) & 0xFF; 1843*32b31808SJens Wiklander *p++ = ssl->verify_data_len * 2 & 0xFF; 1844*32b31808SJens Wiklander 1845*32b31808SJens Wiklander memcpy(p, ssl->peer_verify_data, ssl->verify_data_len); 1846*32b31808SJens Wiklander p += ssl->verify_data_len; 1847*32b31808SJens Wiklander memcpy(p, ssl->own_verify_data, ssl->verify_data_len); 1848*32b31808SJens Wiklander p += ssl->verify_data_len; 1849*32b31808SJens Wiklander } else 1850*32b31808SJens Wiklander #endif /* MBEDTLS_SSL_RENEGOTIATION */ 1851*32b31808SJens Wiklander { 1852*32b31808SJens Wiklander *p++ = 0x00; 1853*32b31808SJens Wiklander *p++ = 0x01; 1854*32b31808SJens Wiklander *p++ = 0x00; 1855*32b31808SJens Wiklander } 1856*32b31808SJens Wiklander 1857*32b31808SJens Wiklander *olen = p - buf; 1858*32b31808SJens Wiklander } 1859*32b31808SJens Wiklander 1860*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 1861*32b31808SJens Wiklander static void ssl_write_max_fragment_length_ext(mbedtls_ssl_context *ssl, 1862*32b31808SJens Wiklander unsigned char *buf, 1863*32b31808SJens Wiklander size_t *olen) 1864*32b31808SJens Wiklander { 1865*32b31808SJens Wiklander unsigned char *p = buf; 1866*32b31808SJens Wiklander 1867*32b31808SJens Wiklander if (ssl->session_negotiate->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE) { 1868*32b31808SJens Wiklander *olen = 0; 1869*32b31808SJens Wiklander return; 1870*32b31808SJens Wiklander } 1871*32b31808SJens Wiklander 1872*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, max_fragment_length extension")); 1873*32b31808SJens Wiklander 1874*32b31808SJens Wiklander MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH, p, 0); 1875*32b31808SJens Wiklander p += 2; 1876*32b31808SJens Wiklander 1877*32b31808SJens Wiklander *p++ = 0x00; 1878*32b31808SJens Wiklander *p++ = 1; 1879*32b31808SJens Wiklander 1880*32b31808SJens Wiklander *p++ = ssl->session_negotiate->mfl_code; 1881*32b31808SJens Wiklander 1882*32b31808SJens Wiklander *olen = 5; 1883*32b31808SJens Wiklander } 1884*32b31808SJens Wiklander #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ 1885*32b31808SJens Wiklander 1886*32b31808SJens Wiklander #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ 1887*32b31808SJens Wiklander defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 1888*32b31808SJens Wiklander static void ssl_write_supported_point_formats_ext(mbedtls_ssl_context *ssl, 1889*32b31808SJens Wiklander unsigned char *buf, 1890*32b31808SJens Wiklander size_t *olen) 1891*32b31808SJens Wiklander { 1892*32b31808SJens Wiklander unsigned char *p = buf; 1893*32b31808SJens Wiklander ((void) ssl); 1894*32b31808SJens Wiklander 1895*32b31808SJens Wiklander if ((ssl->handshake->cli_exts & 1896*32b31808SJens Wiklander MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT) == 0) { 1897*32b31808SJens Wiklander *olen = 0; 1898*32b31808SJens Wiklander return; 1899*32b31808SJens Wiklander } 1900*32b31808SJens Wiklander 1901*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, supported_point_formats extension")); 1902*32b31808SJens Wiklander 1903*32b31808SJens Wiklander MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS, p, 0); 1904*32b31808SJens Wiklander p += 2; 1905*32b31808SJens Wiklander 1906*32b31808SJens Wiklander *p++ = 0x00; 1907*32b31808SJens Wiklander *p++ = 2; 1908*32b31808SJens Wiklander 1909*32b31808SJens Wiklander *p++ = 1; 1910*32b31808SJens Wiklander *p++ = MBEDTLS_ECP_PF_UNCOMPRESSED; 1911*32b31808SJens Wiklander 1912*32b31808SJens Wiklander *olen = 6; 1913*32b31808SJens Wiklander } 1914*32b31808SJens Wiklander #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 1915*32b31808SJens Wiklander 1916*32b31808SJens Wiklander #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 1917*32b31808SJens Wiklander static void ssl_write_ecjpake_kkpp_ext(mbedtls_ssl_context *ssl, 1918*32b31808SJens Wiklander unsigned char *buf, 1919*32b31808SJens Wiklander size_t *olen) 1920*32b31808SJens Wiklander { 1921*32b31808SJens Wiklander int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1922*32b31808SJens Wiklander unsigned char *p = buf; 1923*32b31808SJens Wiklander const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN; 1924*32b31808SJens Wiklander size_t kkpp_len; 1925*32b31808SJens Wiklander 1926*32b31808SJens Wiklander *olen = 0; 1927*32b31808SJens Wiklander 1928*32b31808SJens Wiklander /* Skip costly computation if not needed */ 1929*32b31808SJens Wiklander if (ssl->handshake->ciphersuite_info->key_exchange != 1930*32b31808SJens Wiklander MBEDTLS_KEY_EXCHANGE_ECJPAKE) { 1931*32b31808SJens Wiklander return; 1932*32b31808SJens Wiklander } 1933*32b31808SJens Wiklander 1934*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, ecjpake kkpp extension")); 1935*32b31808SJens Wiklander 1936*32b31808SJens Wiklander if (end - p < 4) { 1937*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(1, ("buffer too small")); 1938*32b31808SJens Wiklander return; 1939*32b31808SJens Wiklander } 1940*32b31808SJens Wiklander 1941*32b31808SJens Wiklander MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_ECJPAKE_KKPP, p, 0); 1942*32b31808SJens Wiklander p += 2; 1943*32b31808SJens Wiklander 1944*32b31808SJens Wiklander #if defined(MBEDTLS_USE_PSA_CRYPTO) 1945*32b31808SJens Wiklander ret = mbedtls_psa_ecjpake_write_round(&ssl->handshake->psa_pake_ctx, 1946*32b31808SJens Wiklander p + 2, end - p - 2, &kkpp_len, 1947*32b31808SJens Wiklander MBEDTLS_ECJPAKE_ROUND_ONE); 1948*32b31808SJens Wiklander if (ret != 0) { 1949*32b31808SJens Wiklander psa_destroy_key(ssl->handshake->psa_pake_password); 1950*32b31808SJens Wiklander psa_pake_abort(&ssl->handshake->psa_pake_ctx); 1951*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_RET(1, "psa_pake_output", ret); 1952*32b31808SJens Wiklander return; 1953*32b31808SJens Wiklander } 1954*32b31808SJens Wiklander #else 1955*32b31808SJens Wiklander ret = mbedtls_ecjpake_write_round_one(&ssl->handshake->ecjpake_ctx, 1956*32b31808SJens Wiklander p + 2, end - p - 2, &kkpp_len, 1957*32b31808SJens Wiklander ssl->conf->f_rng, ssl->conf->p_rng); 1958*32b31808SJens Wiklander if (ret != 0) { 1959*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_write_round_one", ret); 1960*32b31808SJens Wiklander return; 1961*32b31808SJens Wiklander } 1962*32b31808SJens Wiklander #endif /* MBEDTLS_USE_PSA_CRYPTO */ 1963*32b31808SJens Wiklander 1964*32b31808SJens Wiklander MBEDTLS_PUT_UINT16_BE(kkpp_len, p, 0); 1965*32b31808SJens Wiklander p += 2; 1966*32b31808SJens Wiklander 1967*32b31808SJens Wiklander *olen = kkpp_len + 4; 1968*32b31808SJens Wiklander } 1969*32b31808SJens Wiklander #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 1970*32b31808SJens Wiklander 1971*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_DTLS_SRTP) && defined(MBEDTLS_SSL_PROTO_DTLS) 1972*32b31808SJens Wiklander static void ssl_write_use_srtp_ext(mbedtls_ssl_context *ssl, 1973*32b31808SJens Wiklander unsigned char *buf, 1974*32b31808SJens Wiklander size_t *olen) 1975*32b31808SJens Wiklander { 1976*32b31808SJens Wiklander size_t mki_len = 0, ext_len = 0; 1977*32b31808SJens Wiklander uint16_t profile_value = 0; 1978*32b31808SJens Wiklander const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN; 1979*32b31808SJens Wiklander 1980*32b31808SJens Wiklander *olen = 0; 1981*32b31808SJens Wiklander 1982*32b31808SJens Wiklander if ((ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) || 1983*32b31808SJens Wiklander (ssl->dtls_srtp_info.chosen_dtls_srtp_profile == MBEDTLS_TLS_SRTP_UNSET)) { 1984*32b31808SJens Wiklander return; 1985*32b31808SJens Wiklander } 1986*32b31808SJens Wiklander 1987*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding use_srtp extension")); 1988*32b31808SJens Wiklander 1989*32b31808SJens Wiklander if (ssl->conf->dtls_srtp_mki_support == MBEDTLS_SSL_DTLS_SRTP_MKI_SUPPORTED) { 1990*32b31808SJens Wiklander mki_len = ssl->dtls_srtp_info.mki_len; 1991*32b31808SJens Wiklander } 1992*32b31808SJens Wiklander 1993*32b31808SJens Wiklander /* The extension total size is 9 bytes : 1994*32b31808SJens Wiklander * - 2 bytes for the extension tag 1995*32b31808SJens Wiklander * - 2 bytes for the total size 1996*32b31808SJens Wiklander * - 2 bytes for the protection profile length 1997*32b31808SJens Wiklander * - 2 bytes for the protection profile 1998*32b31808SJens Wiklander * - 1 byte for the mki length 1999*32b31808SJens Wiklander * + the actual mki length 2000*32b31808SJens Wiklander * Check we have enough room in the output buffer */ 2001*32b31808SJens Wiklander if ((size_t) (end - buf) < mki_len + 9) { 2002*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(1, ("buffer too small")); 2003*32b31808SJens Wiklander return; 2004*32b31808SJens Wiklander } 2005*32b31808SJens Wiklander 2006*32b31808SJens Wiklander /* extension */ 2007*32b31808SJens Wiklander MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_USE_SRTP, buf, 0); 2008*32b31808SJens Wiklander /* 2009*32b31808SJens Wiklander * total length 5 and mki value: only one profile(2 bytes) 2010*32b31808SJens Wiklander * and length(2 bytes) and srtp_mki ) 2011*32b31808SJens Wiklander */ 2012*32b31808SJens Wiklander ext_len = 5 + mki_len; 2013*32b31808SJens Wiklander MBEDTLS_PUT_UINT16_BE(ext_len, buf, 2); 2014*32b31808SJens Wiklander 2015*32b31808SJens Wiklander /* protection profile length: 2 */ 2016*32b31808SJens Wiklander buf[4] = 0x00; 2017*32b31808SJens Wiklander buf[5] = 0x02; 2018*32b31808SJens Wiklander profile_value = mbedtls_ssl_check_srtp_profile_value( 2019*32b31808SJens Wiklander ssl->dtls_srtp_info.chosen_dtls_srtp_profile); 2020*32b31808SJens Wiklander if (profile_value != MBEDTLS_TLS_SRTP_UNSET) { 2021*32b31808SJens Wiklander MBEDTLS_PUT_UINT16_BE(profile_value, buf, 6); 2022*32b31808SJens Wiklander } else { 2023*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(1, ("use_srtp extension invalid profile")); 2024*32b31808SJens Wiklander return; 2025*32b31808SJens Wiklander } 2026*32b31808SJens Wiklander 2027*32b31808SJens Wiklander buf[8] = mki_len & 0xFF; 2028*32b31808SJens Wiklander memcpy(&buf[9], ssl->dtls_srtp_info.mki_value, mki_len); 2029*32b31808SJens Wiklander 2030*32b31808SJens Wiklander *olen = 9 + mki_len; 2031*32b31808SJens Wiklander } 2032*32b31808SJens Wiklander #endif /* MBEDTLS_SSL_DTLS_SRTP */ 2033*32b31808SJens Wiklander 2034*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) 2035*32b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 2036*32b31808SJens Wiklander static int ssl_write_hello_verify_request(mbedtls_ssl_context *ssl) 2037*32b31808SJens Wiklander { 2038*32b31808SJens Wiklander int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 2039*32b31808SJens Wiklander unsigned char *p = ssl->out_msg + 4; 2040*32b31808SJens Wiklander unsigned char *cookie_len_byte; 2041*32b31808SJens Wiklander 2042*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(2, ("=> write hello verify request")); 2043*32b31808SJens Wiklander 2044*32b31808SJens Wiklander /* 2045*32b31808SJens Wiklander * struct { 2046*32b31808SJens Wiklander * ProtocolVersion server_version; 2047*32b31808SJens Wiklander * opaque cookie<0..2^8-1>; 2048*32b31808SJens Wiklander * } HelloVerifyRequest; 2049*32b31808SJens Wiklander */ 2050*32b31808SJens Wiklander 2051*32b31808SJens Wiklander /* The RFC is not clear on this point, but sending the actual negotiated 2052*32b31808SJens Wiklander * version looks like the most interoperable thing to do. */ 2053*32b31808SJens Wiklander mbedtls_ssl_write_version(p, ssl->conf->transport, ssl->tls_version); 2054*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_BUF(3, "server version", p, 2); 2055*32b31808SJens Wiklander p += 2; 2056*32b31808SJens Wiklander 2057*32b31808SJens Wiklander /* If we get here, f_cookie_check is not null */ 2058*32b31808SJens Wiklander if (ssl->conf->f_cookie_write == NULL) { 2059*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(1, ("inconsistent cookie callbacks")); 2060*32b31808SJens Wiklander return MBEDTLS_ERR_SSL_INTERNAL_ERROR; 2061*32b31808SJens Wiklander } 2062*32b31808SJens Wiklander 2063*32b31808SJens Wiklander /* Skip length byte until we know the length */ 2064*32b31808SJens Wiklander cookie_len_byte = p++; 2065*32b31808SJens Wiklander 2066*32b31808SJens Wiklander if ((ret = ssl->conf->f_cookie_write(ssl->conf->p_cookie, 2067*32b31808SJens Wiklander &p, ssl->out_buf + MBEDTLS_SSL_OUT_BUFFER_LEN, 2068*32b31808SJens Wiklander ssl->cli_id, ssl->cli_id_len)) != 0) { 2069*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_RET(1, "f_cookie_write", ret); 2070*32b31808SJens Wiklander return ret; 2071*32b31808SJens Wiklander } 2072*32b31808SJens Wiklander 2073*32b31808SJens Wiklander *cookie_len_byte = (unsigned char) (p - (cookie_len_byte + 1)); 2074*32b31808SJens Wiklander 2075*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_BUF(3, "cookie sent", cookie_len_byte + 1, *cookie_len_byte); 2076*32b31808SJens Wiklander 2077*32b31808SJens Wiklander ssl->out_msglen = p - ssl->out_msg; 2078*32b31808SJens Wiklander ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; 2079*32b31808SJens Wiklander ssl->out_msg[0] = MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST; 2080*32b31808SJens Wiklander 2081*32b31808SJens Wiklander ssl->state = MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT; 2082*32b31808SJens Wiklander 2083*32b31808SJens Wiklander if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) { 2084*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret); 2085*32b31808SJens Wiklander return ret; 2086*32b31808SJens Wiklander } 2087*32b31808SJens Wiklander 2088*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_PROTO_DTLS) 2089*32b31808SJens Wiklander if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 2090*32b31808SJens Wiklander (ret = mbedtls_ssl_flight_transmit(ssl)) != 0) { 2091*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_flight_transmit", ret); 2092*32b31808SJens Wiklander return ret; 2093*32b31808SJens Wiklander } 2094*32b31808SJens Wiklander #endif /* MBEDTLS_SSL_PROTO_DTLS */ 2095*32b31808SJens Wiklander 2096*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(2, ("<= write hello verify request")); 2097*32b31808SJens Wiklander 2098*32b31808SJens Wiklander return 0; 2099*32b31808SJens Wiklander } 2100*32b31808SJens Wiklander #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */ 2101*32b31808SJens Wiklander 2102*32b31808SJens Wiklander static void ssl_handle_id_based_session_resumption(mbedtls_ssl_context *ssl) 2103*32b31808SJens Wiklander { 2104*32b31808SJens Wiklander int ret; 2105*32b31808SJens Wiklander mbedtls_ssl_session session_tmp; 2106*32b31808SJens Wiklander mbedtls_ssl_session * const session = ssl->session_negotiate; 2107*32b31808SJens Wiklander 2108*32b31808SJens Wiklander /* Resume is 0 by default, see ssl_handshake_init(). 2109*32b31808SJens Wiklander * It may be already set to 1 by ssl_parse_session_ticket_ext(). */ 2110*32b31808SJens Wiklander if (ssl->handshake->resume == 1) { 2111*32b31808SJens Wiklander return; 2112*32b31808SJens Wiklander } 2113*32b31808SJens Wiklander if (session->id_len == 0) { 2114*32b31808SJens Wiklander return; 2115*32b31808SJens Wiklander } 2116*32b31808SJens Wiklander if (ssl->conf->f_get_cache == NULL) { 2117*32b31808SJens Wiklander return; 2118*32b31808SJens Wiklander } 2119*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_RENEGOTIATION) 2120*32b31808SJens Wiklander if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) { 2121*32b31808SJens Wiklander return; 2122*32b31808SJens Wiklander } 2123*32b31808SJens Wiklander #endif 2124*32b31808SJens Wiklander 2125*32b31808SJens Wiklander mbedtls_ssl_session_init(&session_tmp); 2126*32b31808SJens Wiklander 2127*32b31808SJens Wiklander ret = ssl->conf->f_get_cache(ssl->conf->p_cache, 2128*32b31808SJens Wiklander session->id, 2129*32b31808SJens Wiklander session->id_len, 2130*32b31808SJens Wiklander &session_tmp); 2131*32b31808SJens Wiklander if (ret != 0) { 2132*32b31808SJens Wiklander goto exit; 2133*32b31808SJens Wiklander } 2134*32b31808SJens Wiklander 2135*32b31808SJens Wiklander if (session->ciphersuite != session_tmp.ciphersuite) { 2136*32b31808SJens Wiklander /* Mismatch between cached and negotiated session */ 2137*32b31808SJens Wiklander goto exit; 2138*32b31808SJens Wiklander } 2139*32b31808SJens Wiklander 2140*32b31808SJens Wiklander /* Move semantics */ 2141*32b31808SJens Wiklander mbedtls_ssl_session_free(session); 2142*32b31808SJens Wiklander *session = session_tmp; 2143*32b31808SJens Wiklander memset(&session_tmp, 0, sizeof(session_tmp)); 2144*32b31808SJens Wiklander 2145*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(3, ("session successfully restored from cache")); 2146*32b31808SJens Wiklander ssl->handshake->resume = 1; 2147*32b31808SJens Wiklander 2148*32b31808SJens Wiklander exit: 2149*32b31808SJens Wiklander 2150*32b31808SJens Wiklander mbedtls_ssl_session_free(&session_tmp); 2151*32b31808SJens Wiklander } 2152*32b31808SJens Wiklander 2153*32b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 2154*32b31808SJens Wiklander static int ssl_write_server_hello(mbedtls_ssl_context *ssl) 2155*32b31808SJens Wiklander { 2156*32b31808SJens Wiklander #if defined(MBEDTLS_HAVE_TIME) 2157*32b31808SJens Wiklander mbedtls_time_t t; 2158*32b31808SJens Wiklander #endif 2159*32b31808SJens Wiklander int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 2160*32b31808SJens Wiklander size_t olen, ext_len = 0, n; 2161*32b31808SJens Wiklander unsigned char *buf, *p; 2162*32b31808SJens Wiklander 2163*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(2, ("=> write server hello")); 2164*32b31808SJens Wiklander 2165*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) 2166*32b31808SJens Wiklander if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 2167*32b31808SJens Wiklander ssl->handshake->cookie_verify_result != 0) { 2168*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(2, ("client hello was not authenticated")); 2169*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(2, ("<= write server hello")); 2170*32b31808SJens Wiklander 2171*32b31808SJens Wiklander return ssl_write_hello_verify_request(ssl); 2172*32b31808SJens Wiklander } 2173*32b31808SJens Wiklander #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */ 2174*32b31808SJens Wiklander 2175*32b31808SJens Wiklander if (ssl->conf->f_rng == NULL) { 2176*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(1, ("no RNG provided")); 2177*32b31808SJens Wiklander return MBEDTLS_ERR_SSL_NO_RNG; 2178*32b31808SJens Wiklander } 2179*32b31808SJens Wiklander 2180*32b31808SJens Wiklander /* 2181*32b31808SJens Wiklander * 0 . 0 handshake type 2182*32b31808SJens Wiklander * 1 . 3 handshake length 2183*32b31808SJens Wiklander * 4 . 5 protocol version 2184*32b31808SJens Wiklander * 6 . 9 UNIX time() 2185*32b31808SJens Wiklander * 10 . 37 random bytes 2186*32b31808SJens Wiklander */ 2187*32b31808SJens Wiklander buf = ssl->out_msg; 2188*32b31808SJens Wiklander p = buf + 4; 2189*32b31808SJens Wiklander 2190*32b31808SJens Wiklander mbedtls_ssl_write_version(p, ssl->conf->transport, ssl->tls_version); 2191*32b31808SJens Wiklander p += 2; 2192*32b31808SJens Wiklander 2193*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, chosen version: [%d:%d]", 2194*32b31808SJens Wiklander buf[4], buf[5])); 2195*32b31808SJens Wiklander 2196*32b31808SJens Wiklander #if defined(MBEDTLS_HAVE_TIME) 2197*32b31808SJens Wiklander t = mbedtls_time(NULL); 2198*32b31808SJens Wiklander MBEDTLS_PUT_UINT32_BE(t, p, 0); 2199*32b31808SJens Wiklander p += 4; 2200*32b31808SJens Wiklander 2201*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, current time: %" MBEDTLS_PRINTF_LONGLONG, 2202*32b31808SJens Wiklander (long long) t)); 2203*32b31808SJens Wiklander #else 2204*32b31808SJens Wiklander if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, p, 4)) != 0) { 2205*32b31808SJens Wiklander return ret; 2206*32b31808SJens Wiklander } 2207*32b31808SJens Wiklander 2208*32b31808SJens Wiklander p += 4; 2209*32b31808SJens Wiklander #endif /* MBEDTLS_HAVE_TIME */ 2210*32b31808SJens Wiklander 2211*32b31808SJens Wiklander if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, p, 28)) != 0) { 2212*32b31808SJens Wiklander return ret; 2213*32b31808SJens Wiklander } 2214*32b31808SJens Wiklander 2215*32b31808SJens Wiklander p += 28; 2216*32b31808SJens Wiklander 2217*32b31808SJens Wiklander memcpy(ssl->handshake->randbytes + 32, buf + 6, 32); 2218*32b31808SJens Wiklander 2219*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_BUF(3, "server hello, random bytes", buf + 6, 32); 2220*32b31808SJens Wiklander 2221*32b31808SJens Wiklander ssl_handle_id_based_session_resumption(ssl); 2222*32b31808SJens Wiklander 2223*32b31808SJens Wiklander if (ssl->handshake->resume == 0) { 2224*32b31808SJens Wiklander /* 2225*32b31808SJens Wiklander * New session, create a new session id, 2226*32b31808SJens Wiklander * unless we're about to issue a session ticket 2227*32b31808SJens Wiklander */ 2228*32b31808SJens Wiklander ssl->state++; 2229*32b31808SJens Wiklander 2230*32b31808SJens Wiklander #if defined(MBEDTLS_HAVE_TIME) 2231*32b31808SJens Wiklander ssl->session_negotiate->start = mbedtls_time(NULL); 2232*32b31808SJens Wiklander #endif 2233*32b31808SJens Wiklander 2234*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_SESSION_TICKETS) 2235*32b31808SJens Wiklander if (ssl->handshake->new_session_ticket != 0) { 2236*32b31808SJens Wiklander ssl->session_negotiate->id_len = n = 0; 2237*32b31808SJens Wiklander memset(ssl->session_negotiate->id, 0, 32); 2238*32b31808SJens Wiklander } else 2239*32b31808SJens Wiklander #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 2240*32b31808SJens Wiklander { 2241*32b31808SJens Wiklander ssl->session_negotiate->id_len = n = 32; 2242*32b31808SJens Wiklander if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, ssl->session_negotiate->id, 2243*32b31808SJens Wiklander n)) != 0) { 2244*32b31808SJens Wiklander return ret; 2245*32b31808SJens Wiklander } 2246*32b31808SJens Wiklander } 2247*32b31808SJens Wiklander } else { 2248*32b31808SJens Wiklander /* 2249*32b31808SJens Wiklander * Resuming a session 2250*32b31808SJens Wiklander */ 2251*32b31808SJens Wiklander n = ssl->session_negotiate->id_len; 2252*32b31808SJens Wiklander ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC; 2253*32b31808SJens Wiklander 2254*32b31808SJens Wiklander if ((ret = mbedtls_ssl_derive_keys(ssl)) != 0) { 2255*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_derive_keys", ret); 2256*32b31808SJens Wiklander return ret; 2257*32b31808SJens Wiklander } 2258*32b31808SJens Wiklander } 2259*32b31808SJens Wiklander 2260*32b31808SJens Wiklander /* 2261*32b31808SJens Wiklander * 38 . 38 session id length 2262*32b31808SJens Wiklander * 39 . 38+n session id 2263*32b31808SJens Wiklander * 39+n . 40+n chosen ciphersuite 2264*32b31808SJens Wiklander * 41+n . 41+n chosen compression alg. 2265*32b31808SJens Wiklander * 42+n . 43+n extensions length 2266*32b31808SJens Wiklander * 44+n . 43+n+m extensions 2267*32b31808SJens Wiklander */ 2268*32b31808SJens Wiklander *p++ = (unsigned char) ssl->session_negotiate->id_len; 2269*32b31808SJens Wiklander memcpy(p, ssl->session_negotiate->id, ssl->session_negotiate->id_len); 2270*32b31808SJens Wiklander p += ssl->session_negotiate->id_len; 2271*32b31808SJens Wiklander 2272*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, session id len.: %" MBEDTLS_PRINTF_SIZET, n)); 2273*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_BUF(3, "server hello, session id", buf + 39, n); 2274*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(3, ("%s session has been resumed", 2275*32b31808SJens Wiklander ssl->handshake->resume ? "a" : "no")); 2276*32b31808SJens Wiklander 2277*32b31808SJens Wiklander MBEDTLS_PUT_UINT16_BE(ssl->session_negotiate->ciphersuite, p, 0); 2278*32b31808SJens Wiklander p += 2; 2279*32b31808SJens Wiklander *p++ = MBEDTLS_BYTE_0(MBEDTLS_SSL_COMPRESS_NULL); 2280*32b31808SJens Wiklander 2281*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, chosen ciphersuite: %s", 2282*32b31808SJens Wiklander mbedtls_ssl_get_ciphersuite_name(ssl->session_negotiate->ciphersuite))); 2283*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, compress alg.: 0x%02X", 2284*32b31808SJens Wiklander (unsigned int) MBEDTLS_SSL_COMPRESS_NULL)); 2285*32b31808SJens Wiklander 2286*32b31808SJens Wiklander /* 2287*32b31808SJens Wiklander * First write extensions, then the total length 2288*32b31808SJens Wiklander */ 2289*32b31808SJens Wiklander ssl_write_renegotiation_ext(ssl, p + 2 + ext_len, &olen); 2290*32b31808SJens Wiklander ext_len += olen; 2291*32b31808SJens Wiklander 2292*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 2293*32b31808SJens Wiklander ssl_write_max_fragment_length_ext(ssl, p + 2 + ext_len, &olen); 2294*32b31808SJens Wiklander ext_len += olen; 2295*32b31808SJens Wiklander #endif 2296*32b31808SJens Wiklander 2297*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) 2298*32b31808SJens Wiklander ssl_write_cid_ext(ssl, p + 2 + ext_len, &olen); 2299*32b31808SJens Wiklander ext_len += olen; 2300*32b31808SJens Wiklander #endif 2301*32b31808SJens Wiklander 2302*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM) 2303*32b31808SJens Wiklander ssl_write_encrypt_then_mac_ext(ssl, p + 2 + ext_len, &olen); 2304*32b31808SJens Wiklander ext_len += olen; 2305*32b31808SJens Wiklander #endif 2306*32b31808SJens Wiklander 2307*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 2308*32b31808SJens Wiklander ssl_write_extended_ms_ext(ssl, p + 2 + ext_len, &olen); 2309*32b31808SJens Wiklander ext_len += olen; 2310*32b31808SJens Wiklander #endif 2311*32b31808SJens Wiklander 2312*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_SESSION_TICKETS) 2313*32b31808SJens Wiklander ssl_write_session_ticket_ext(ssl, p + 2 + ext_len, &olen); 2314*32b31808SJens Wiklander ext_len += olen; 2315*32b31808SJens Wiklander #endif 2316*32b31808SJens Wiklander 2317*32b31808SJens Wiklander #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ 2318*32b31808SJens Wiklander defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 2319*32b31808SJens Wiklander const mbedtls_ssl_ciphersuite_t *suite = 2320*32b31808SJens Wiklander mbedtls_ssl_ciphersuite_from_id(ssl->session_negotiate->ciphersuite); 2321*32b31808SJens Wiklander if (suite != NULL && mbedtls_ssl_ciphersuite_uses_ec(suite)) { 2322*32b31808SJens Wiklander ssl_write_supported_point_formats_ext(ssl, p + 2 + ext_len, &olen); 2323*32b31808SJens Wiklander ext_len += olen; 2324*32b31808SJens Wiklander } 2325*32b31808SJens Wiklander #endif 2326*32b31808SJens Wiklander 2327*32b31808SJens Wiklander #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 2328*32b31808SJens Wiklander ssl_write_ecjpake_kkpp_ext(ssl, p + 2 + ext_len, &olen); 2329*32b31808SJens Wiklander ext_len += olen; 2330*32b31808SJens Wiklander #endif 2331*32b31808SJens Wiklander 2332*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_ALPN) 2333*32b31808SJens Wiklander unsigned char *end = buf + MBEDTLS_SSL_OUT_CONTENT_LEN - 4; 2334*32b31808SJens Wiklander if ((ret = mbedtls_ssl_write_alpn_ext(ssl, p + 2 + ext_len, end, &olen)) 2335*32b31808SJens Wiklander != 0) { 2336*32b31808SJens Wiklander return ret; 2337*32b31808SJens Wiklander } 2338*32b31808SJens Wiklander 2339*32b31808SJens Wiklander ext_len += olen; 2340*32b31808SJens Wiklander #endif 2341*32b31808SJens Wiklander 2342*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_DTLS_SRTP) 2343*32b31808SJens Wiklander ssl_write_use_srtp_ext(ssl, p + 2 + ext_len, &olen); 2344*32b31808SJens Wiklander ext_len += olen; 2345*32b31808SJens Wiklander #endif 2346*32b31808SJens Wiklander 2347*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, total extension length: %" MBEDTLS_PRINTF_SIZET, 2348*32b31808SJens Wiklander ext_len)); 2349*32b31808SJens Wiklander 2350*32b31808SJens Wiklander if (ext_len > 0) { 2351*32b31808SJens Wiklander MBEDTLS_PUT_UINT16_BE(ext_len, p, 0); 2352*32b31808SJens Wiklander p += 2 + ext_len; 2353*32b31808SJens Wiklander } 2354*32b31808SJens Wiklander 2355*32b31808SJens Wiklander ssl->out_msglen = p - buf; 2356*32b31808SJens Wiklander ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; 2357*32b31808SJens Wiklander ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_HELLO; 2358*32b31808SJens Wiklander 2359*32b31808SJens Wiklander ret = mbedtls_ssl_write_handshake_msg(ssl); 2360*32b31808SJens Wiklander 2361*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(2, ("<= write server hello")); 2362*32b31808SJens Wiklander 2363*32b31808SJens Wiklander return ret; 2364*32b31808SJens Wiklander } 2365*32b31808SJens Wiklander 2366*32b31808SJens Wiklander #if !defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED) 2367*32b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 2368*32b31808SJens Wiklander static int ssl_write_certificate_request(mbedtls_ssl_context *ssl) 2369*32b31808SJens Wiklander { 2370*32b31808SJens Wiklander const mbedtls_ssl_ciphersuite_t *ciphersuite_info = 2371*32b31808SJens Wiklander ssl->handshake->ciphersuite_info; 2372*32b31808SJens Wiklander 2373*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate request")); 2374*32b31808SJens Wiklander 2375*32b31808SJens Wiklander if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) { 2376*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate request")); 2377*32b31808SJens Wiklander ssl->state++; 2378*32b31808SJens Wiklander return 0; 2379*32b31808SJens Wiklander } 2380*32b31808SJens Wiklander 2381*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); 2382*32b31808SJens Wiklander return MBEDTLS_ERR_SSL_INTERNAL_ERROR; 2383*32b31808SJens Wiklander } 2384*32b31808SJens Wiklander #else /* !MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */ 2385*32b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 2386*32b31808SJens Wiklander static int ssl_write_certificate_request(mbedtls_ssl_context *ssl) 2387*32b31808SJens Wiklander { 2388*32b31808SJens Wiklander int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 2389*32b31808SJens Wiklander const mbedtls_ssl_ciphersuite_t *ciphersuite_info = 2390*32b31808SJens Wiklander ssl->handshake->ciphersuite_info; 2391*32b31808SJens Wiklander uint16_t dn_size, total_dn_size; /* excluding length bytes */ 2392*32b31808SJens Wiklander size_t ct_len, sa_len; /* including length bytes */ 2393*32b31808SJens Wiklander unsigned char *buf, *p; 2394*32b31808SJens Wiklander const unsigned char * const end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN; 2395*32b31808SJens Wiklander const mbedtls_x509_crt *crt; 2396*32b31808SJens Wiklander int authmode; 2397*32b31808SJens Wiklander 2398*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate request")); 2399*32b31808SJens Wiklander 2400*32b31808SJens Wiklander ssl->state++; 2401*32b31808SJens Wiklander 2402*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 2403*32b31808SJens Wiklander if (ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET) { 2404*32b31808SJens Wiklander authmode = ssl->handshake->sni_authmode; 2405*32b31808SJens Wiklander } else 2406*32b31808SJens Wiklander #endif 2407*32b31808SJens Wiklander authmode = ssl->conf->authmode; 2408*32b31808SJens Wiklander 2409*32b31808SJens Wiklander if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info) || 2410*32b31808SJens Wiklander authmode == MBEDTLS_SSL_VERIFY_NONE) { 2411*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate request")); 2412*32b31808SJens Wiklander return 0; 2413*32b31808SJens Wiklander } 2414*32b31808SJens Wiklander 2415*32b31808SJens Wiklander /* 2416*32b31808SJens Wiklander * 0 . 0 handshake type 2417*32b31808SJens Wiklander * 1 . 3 handshake length 2418*32b31808SJens Wiklander * 4 . 4 cert type count 2419*32b31808SJens Wiklander * 5 .. m-1 cert types 2420*32b31808SJens Wiklander * m .. m+1 sig alg length (TLS 1.2 only) 2421*32b31808SJens Wiklander * m+1 .. n-1 SignatureAndHashAlgorithms (TLS 1.2 only) 2422*32b31808SJens Wiklander * n .. n+1 length of all DNs 2423*32b31808SJens Wiklander * n+2 .. n+3 length of DN 1 2424*32b31808SJens Wiklander * n+4 .. ... Distinguished Name #1 2425*32b31808SJens Wiklander * ... .. ... length of DN 2, etc. 2426*32b31808SJens Wiklander */ 2427*32b31808SJens Wiklander buf = ssl->out_msg; 2428*32b31808SJens Wiklander p = buf + 4; 2429*32b31808SJens Wiklander 2430*32b31808SJens Wiklander /* 2431*32b31808SJens Wiklander * Supported certificate types 2432*32b31808SJens Wiklander * 2433*32b31808SJens Wiklander * ClientCertificateType certificate_types<1..2^8-1>; 2434*32b31808SJens Wiklander * enum { (255) } ClientCertificateType; 2435*32b31808SJens Wiklander */ 2436*32b31808SJens Wiklander ct_len = 0; 2437*32b31808SJens Wiklander 2438*32b31808SJens Wiklander #if defined(MBEDTLS_RSA_C) 2439*32b31808SJens Wiklander p[1 + ct_len++] = MBEDTLS_SSL_CERT_TYPE_RSA_SIGN; 2440*32b31808SJens Wiklander #endif 2441*32b31808SJens Wiklander #if defined(MBEDTLS_ECDSA_C) 2442*32b31808SJens Wiklander p[1 + ct_len++] = MBEDTLS_SSL_CERT_TYPE_ECDSA_SIGN; 2443*32b31808SJens Wiklander #endif 2444*32b31808SJens Wiklander 2445*32b31808SJens Wiklander p[0] = (unsigned char) ct_len++; 2446*32b31808SJens Wiklander p += ct_len; 2447*32b31808SJens Wiklander 2448*32b31808SJens Wiklander sa_len = 0; 2449*32b31808SJens Wiklander 2450*32b31808SJens Wiklander /* 2451*32b31808SJens Wiklander * Add signature_algorithms for verify (TLS 1.2) 2452*32b31808SJens Wiklander * 2453*32b31808SJens Wiklander * SignatureAndHashAlgorithm supported_signature_algorithms<2..2^16-2>; 2454*32b31808SJens Wiklander * 2455*32b31808SJens Wiklander * struct { 2456*32b31808SJens Wiklander * HashAlgorithm hash; 2457*32b31808SJens Wiklander * SignatureAlgorithm signature; 2458*32b31808SJens Wiklander * } SignatureAndHashAlgorithm; 2459*32b31808SJens Wiklander * 2460*32b31808SJens Wiklander * enum { (255) } HashAlgorithm; 2461*32b31808SJens Wiklander * enum { (255) } SignatureAlgorithm; 2462*32b31808SJens Wiklander */ 2463*32b31808SJens Wiklander const uint16_t *sig_alg = mbedtls_ssl_get_sig_algs(ssl); 2464*32b31808SJens Wiklander if (sig_alg == NULL) { 2465*32b31808SJens Wiklander return MBEDTLS_ERR_SSL_BAD_CONFIG; 2466*32b31808SJens Wiklander } 2467*32b31808SJens Wiklander 2468*32b31808SJens Wiklander for (; *sig_alg != MBEDTLS_TLS_SIG_NONE; sig_alg++) { 2469*32b31808SJens Wiklander unsigned char hash = MBEDTLS_BYTE_1(*sig_alg); 2470*32b31808SJens Wiklander 2471*32b31808SJens Wiklander if (mbedtls_ssl_set_calc_verify_md(ssl, hash)) { 2472*32b31808SJens Wiklander continue; 2473*32b31808SJens Wiklander } 2474*32b31808SJens Wiklander if (!mbedtls_ssl_sig_alg_is_supported(ssl, *sig_alg)) { 2475*32b31808SJens Wiklander continue; 2476*32b31808SJens Wiklander } 2477*32b31808SJens Wiklander 2478*32b31808SJens Wiklander /* Write elements at offsets starting from 1 (offset 0 is for the 2479*32b31808SJens Wiklander * length). Thus the offset of each element is the length of the 2480*32b31808SJens Wiklander * partial list including that element. */ 2481*32b31808SJens Wiklander sa_len += 2; 2482*32b31808SJens Wiklander MBEDTLS_PUT_UINT16_BE(*sig_alg, p, sa_len); 2483*32b31808SJens Wiklander 2484*32b31808SJens Wiklander } 2485*32b31808SJens Wiklander 2486*32b31808SJens Wiklander /* Fill in list length. */ 2487*32b31808SJens Wiklander MBEDTLS_PUT_UINT16_BE(sa_len, p, 0); 2488*32b31808SJens Wiklander sa_len += 2; 2489*32b31808SJens Wiklander p += sa_len; 2490*32b31808SJens Wiklander 2491*32b31808SJens Wiklander /* 2492*32b31808SJens Wiklander * DistinguishedName certificate_authorities<0..2^16-1>; 2493*32b31808SJens Wiklander * opaque DistinguishedName<1..2^16-1>; 2494*32b31808SJens Wiklander */ 2495*32b31808SJens Wiklander p += 2; 2496*32b31808SJens Wiklander 2497*32b31808SJens Wiklander total_dn_size = 0; 2498*32b31808SJens Wiklander 2499*32b31808SJens Wiklander if (ssl->conf->cert_req_ca_list == MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED) { 2500*32b31808SJens Wiklander /* NOTE: If trusted certificates are provisioned 2501*32b31808SJens Wiklander * via a CA callback (configured through 2502*32b31808SJens Wiklander * `mbedtls_ssl_conf_ca_cb()`, then the 2503*32b31808SJens Wiklander * CertificateRequest is currently left empty. */ 2504*32b31808SJens Wiklander 2505*32b31808SJens Wiklander #if defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED) 2506*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 2507*32b31808SJens Wiklander if (ssl->handshake->dn_hints != NULL) { 2508*32b31808SJens Wiklander crt = ssl->handshake->dn_hints; 2509*32b31808SJens Wiklander } else 2510*32b31808SJens Wiklander #endif 2511*32b31808SJens Wiklander if (ssl->conf->dn_hints != NULL) { 2512*32b31808SJens Wiklander crt = ssl->conf->dn_hints; 2513*32b31808SJens Wiklander } else 2514*32b31808SJens Wiklander #endif 2515*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 2516*32b31808SJens Wiklander if (ssl->handshake->sni_ca_chain != NULL) { 2517*32b31808SJens Wiklander crt = ssl->handshake->sni_ca_chain; 2518*32b31808SJens Wiklander } else 2519*32b31808SJens Wiklander #endif 2520*32b31808SJens Wiklander crt = ssl->conf->ca_chain; 2521*32b31808SJens Wiklander 2522*32b31808SJens Wiklander while (crt != NULL && crt->version != 0) { 2523*32b31808SJens Wiklander /* It follows from RFC 5280 A.1 that this length 2524*32b31808SJens Wiklander * can be represented in at most 11 bits. */ 2525*32b31808SJens Wiklander dn_size = (uint16_t) crt->subject_raw.len; 2526*32b31808SJens Wiklander 2527*32b31808SJens Wiklander if (end < p || (size_t) (end - p) < 2 + (size_t) dn_size) { 2528*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(1, ("skipping CAs: buffer too short")); 2529*32b31808SJens Wiklander break; 2530*32b31808SJens Wiklander } 2531*32b31808SJens Wiklander 2532*32b31808SJens Wiklander MBEDTLS_PUT_UINT16_BE(dn_size, p, 0); 2533*32b31808SJens Wiklander p += 2; 2534*32b31808SJens Wiklander memcpy(p, crt->subject_raw.p, dn_size); 2535*32b31808SJens Wiklander p += dn_size; 2536*32b31808SJens Wiklander 2537*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_BUF(3, "requested DN", p - dn_size, dn_size); 2538*32b31808SJens Wiklander 2539*32b31808SJens Wiklander total_dn_size += 2 + dn_size; 2540*32b31808SJens Wiklander crt = crt->next; 2541*32b31808SJens Wiklander } 2542*32b31808SJens Wiklander } 2543*32b31808SJens Wiklander 2544*32b31808SJens Wiklander ssl->out_msglen = p - buf; 2545*32b31808SJens Wiklander ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; 2546*32b31808SJens Wiklander ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE_REQUEST; 2547*32b31808SJens Wiklander MBEDTLS_PUT_UINT16_BE(total_dn_size, ssl->out_msg, 4 + ct_len + sa_len); 2548*32b31808SJens Wiklander 2549*32b31808SJens Wiklander ret = mbedtls_ssl_write_handshake_msg(ssl); 2550*32b31808SJens Wiklander 2551*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(2, ("<= write certificate request")); 2552*32b31808SJens Wiklander 2553*32b31808SJens Wiklander return ret; 2554*32b31808SJens Wiklander } 2555*32b31808SJens Wiklander #endif /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */ 2556*32b31808SJens Wiklander 2557*32b31808SJens Wiklander #if defined(MBEDTLS_USE_PSA_CRYPTO) && \ 2558*32b31808SJens Wiklander (defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ 2559*32b31808SJens Wiklander defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)) 2560*32b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 2561*32b31808SJens Wiklander static int ssl_get_ecdh_params_from_cert(mbedtls_ssl_context *ssl) 2562*32b31808SJens Wiklander { 2563*32b31808SJens Wiklander int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 2564*32b31808SJens Wiklander psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; 2565*32b31808SJens Wiklander unsigned char buf[ 2566*32b31808SJens Wiklander PSA_KEY_EXPORT_ECC_KEY_PAIR_MAX_SIZE(PSA_VENDOR_ECC_MAX_CURVE_BITS)]; 2567*32b31808SJens Wiklander psa_key_attributes_t key_attributes = PSA_KEY_ATTRIBUTES_INIT; 2568*32b31808SJens Wiklander uint16_t tls_id = 0; 2569*32b31808SJens Wiklander psa_ecc_family_t ecc_family; 2570*32b31808SJens Wiklander size_t key_len; 2571*32b31808SJens Wiklander mbedtls_pk_context *pk; 2572*32b31808SJens Wiklander mbedtls_ecp_keypair *key; 2573*32b31808SJens Wiklander 2574*32b31808SJens Wiklander pk = mbedtls_ssl_own_key(ssl); 2575*32b31808SJens Wiklander 2576*32b31808SJens Wiklander if (pk == NULL) { 2577*32b31808SJens Wiklander return MBEDTLS_ERR_ECP_BAD_INPUT_DATA; 2578*32b31808SJens Wiklander } 2579*32b31808SJens Wiklander 2580*32b31808SJens Wiklander switch (mbedtls_pk_get_type(pk)) { 2581*32b31808SJens Wiklander case MBEDTLS_PK_OPAQUE: 2582*32b31808SJens Wiklander if (!mbedtls_pk_can_do(pk, MBEDTLS_PK_ECKEY)) { 2583*32b31808SJens Wiklander return MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH; 2584*32b31808SJens Wiklander } 2585*32b31808SJens Wiklander 2586*32b31808SJens Wiklander ssl->handshake->ecdh_psa_privkey = 2587*32b31808SJens Wiklander *((mbedtls_svc_key_id_t *) pk->pk_ctx); 2588*32b31808SJens Wiklander 2589*32b31808SJens Wiklander /* Key should not be destroyed in the TLS library */ 2590*32b31808SJens Wiklander ssl->handshake->ecdh_psa_privkey_is_external = 1; 2591*32b31808SJens Wiklander 2592*32b31808SJens Wiklander status = psa_get_key_attributes(ssl->handshake->ecdh_psa_privkey, 2593*32b31808SJens Wiklander &key_attributes); 2594*32b31808SJens Wiklander if (status != PSA_SUCCESS) { 2595*32b31808SJens Wiklander ssl->handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT; 2596*32b31808SJens Wiklander return PSA_TO_MBEDTLS_ERR(status); 2597*32b31808SJens Wiklander } 2598*32b31808SJens Wiklander 2599*32b31808SJens Wiklander ssl->handshake->ecdh_psa_type = psa_get_key_type(&key_attributes); 2600*32b31808SJens Wiklander ssl->handshake->ecdh_bits = psa_get_key_bits(&key_attributes); 2601*32b31808SJens Wiklander 2602*32b31808SJens Wiklander psa_reset_key_attributes(&key_attributes); 2603*32b31808SJens Wiklander 2604*32b31808SJens Wiklander ret = 0; 2605*32b31808SJens Wiklander break; 2606*32b31808SJens Wiklander case MBEDTLS_PK_ECKEY: 2607*32b31808SJens Wiklander case MBEDTLS_PK_ECKEY_DH: 2608*32b31808SJens Wiklander case MBEDTLS_PK_ECDSA: 2609*32b31808SJens Wiklander key = mbedtls_pk_ec(*pk); 2610*32b31808SJens Wiklander if (key == NULL) { 2611*32b31808SJens Wiklander return MBEDTLS_ERR_ECP_BAD_INPUT_DATA; 2612*32b31808SJens Wiklander } 2613*32b31808SJens Wiklander 2614*32b31808SJens Wiklander tls_id = mbedtls_ssl_get_tls_id_from_ecp_group_id(key->grp.id); 2615*32b31808SJens Wiklander if (tls_id == 0) { 2616*32b31808SJens Wiklander /* This elliptic curve is not supported */ 2617*32b31808SJens Wiklander return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; 2618*32b31808SJens Wiklander } 2619*32b31808SJens Wiklander 2620*32b31808SJens Wiklander /* If the above conversion to TLS ID was fine, then also this one will 2621*32b31808SJens Wiklander be, so there is no need to check the return value here */ 2622*32b31808SJens Wiklander mbedtls_ssl_get_psa_curve_info_from_tls_id(tls_id, &ecc_family, 2623*32b31808SJens Wiklander &ssl->handshake->ecdh_bits); 2624*32b31808SJens Wiklander 2625*32b31808SJens Wiklander ssl->handshake->ecdh_psa_type = PSA_KEY_TYPE_ECC_KEY_PAIR(ecc_family); 2626*32b31808SJens Wiklander 2627*32b31808SJens Wiklander key_attributes = psa_key_attributes_init(); 2628*32b31808SJens Wiklander psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE); 2629*32b31808SJens Wiklander psa_set_key_algorithm(&key_attributes, PSA_ALG_ECDH); 2630*32b31808SJens Wiklander psa_set_key_type(&key_attributes, 2631*32b31808SJens Wiklander PSA_KEY_TYPE_ECC_KEY_PAIR(ssl->handshake->ecdh_psa_type)); 2632*32b31808SJens Wiklander psa_set_key_bits(&key_attributes, ssl->handshake->ecdh_bits); 2633*32b31808SJens Wiklander 2634*32b31808SJens Wiklander key_len = PSA_BITS_TO_BYTES(key->grp.pbits); 2635*32b31808SJens Wiklander ret = mbedtls_ecp_write_key(key, buf, key_len); 2636*32b31808SJens Wiklander if (ret != 0) { 2637*32b31808SJens Wiklander goto cleanup; 2638*32b31808SJens Wiklander } 2639*32b31808SJens Wiklander 2640*32b31808SJens Wiklander status = psa_import_key(&key_attributes, buf, key_len, 2641*32b31808SJens Wiklander &ssl->handshake->ecdh_psa_privkey); 2642*32b31808SJens Wiklander if (status != PSA_SUCCESS) { 2643*32b31808SJens Wiklander ret = PSA_TO_MBEDTLS_ERR(status); 2644*32b31808SJens Wiklander goto cleanup; 2645*32b31808SJens Wiklander } 2646*32b31808SJens Wiklander 2647*32b31808SJens Wiklander ret = 0; 2648*32b31808SJens Wiklander break; 2649*32b31808SJens Wiklander default: 2650*32b31808SJens Wiklander ret = MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH; 2651*32b31808SJens Wiklander } 2652*32b31808SJens Wiklander 2653*32b31808SJens Wiklander cleanup: 2654*32b31808SJens Wiklander mbedtls_platform_zeroize(buf, sizeof(buf)); 2655*32b31808SJens Wiklander 2656*32b31808SJens Wiklander return ret; 2657*32b31808SJens Wiklander } 2658*32b31808SJens Wiklander #elif defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ 2659*32b31808SJens Wiklander defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) 2660*32b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 2661*32b31808SJens Wiklander static int ssl_get_ecdh_params_from_cert(mbedtls_ssl_context *ssl) 2662*32b31808SJens Wiklander { 2663*32b31808SJens Wiklander int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 2664*32b31808SJens Wiklander 2665*32b31808SJens Wiklander const mbedtls_pk_context *private_key = mbedtls_ssl_own_key(ssl); 2666*32b31808SJens Wiklander if (private_key == NULL) { 2667*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(1, ("got no server private key")); 2668*32b31808SJens Wiklander return MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED; 2669*32b31808SJens Wiklander } 2670*32b31808SJens Wiklander 2671*32b31808SJens Wiklander if (!mbedtls_pk_can_do(private_key, MBEDTLS_PK_ECKEY)) { 2672*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(1, ("server key not ECDH capable")); 2673*32b31808SJens Wiklander return MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH; 2674*32b31808SJens Wiklander } 2675*32b31808SJens Wiklander 2676*32b31808SJens Wiklander if ((ret = mbedtls_ecdh_get_params(&ssl->handshake->ecdh_ctx, 2677*32b31808SJens Wiklander mbedtls_pk_ec(*mbedtls_ssl_own_key(ssl)), 2678*32b31808SJens Wiklander MBEDTLS_ECDH_OURS)) != 0) { 2679*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ecdh_get_params"), ret); 2680*32b31808SJens Wiklander return ret; 2681*32b31808SJens Wiklander } 2682*32b31808SJens Wiklander 2683*32b31808SJens Wiklander return 0; 2684*32b31808SJens Wiklander } 2685*32b31808SJens Wiklander #endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || 2686*32b31808SJens Wiklander MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ 2687*32b31808SJens Wiklander 2688*32b31808SJens Wiklander #if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) && \ 2689*32b31808SJens Wiklander defined(MBEDTLS_SSL_ASYNC_PRIVATE) 2690*32b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 2691*32b31808SJens Wiklander static int ssl_resume_server_key_exchange(mbedtls_ssl_context *ssl, 2692*32b31808SJens Wiklander size_t *signature_len) 2693*32b31808SJens Wiklander { 2694*32b31808SJens Wiklander /* Append the signature to ssl->out_msg, leaving 2 bytes for the 2695*32b31808SJens Wiklander * signature length which will be added in ssl_write_server_key_exchange 2696*32b31808SJens Wiklander * after the call to ssl_prepare_server_key_exchange. 2697*32b31808SJens Wiklander * ssl_write_server_key_exchange also takes care of incrementing 2698*32b31808SJens Wiklander * ssl->out_msglen. */ 2699*32b31808SJens Wiklander unsigned char *sig_start = ssl->out_msg + ssl->out_msglen + 2; 2700*32b31808SJens Wiklander size_t sig_max_len = (ssl->out_buf + MBEDTLS_SSL_OUT_CONTENT_LEN 2701*32b31808SJens Wiklander - sig_start); 2702*32b31808SJens Wiklander int ret = ssl->conf->f_async_resume(ssl, 2703*32b31808SJens Wiklander sig_start, signature_len, sig_max_len); 2704*32b31808SJens Wiklander if (ret != MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS) { 2705*32b31808SJens Wiklander ssl->handshake->async_in_progress = 0; 2706*32b31808SJens Wiklander mbedtls_ssl_set_async_operation_data(ssl, NULL); 2707*32b31808SJens Wiklander } 2708*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_RET(2, "ssl_resume_server_key_exchange", ret); 2709*32b31808SJens Wiklander return ret; 2710*32b31808SJens Wiklander } 2711*32b31808SJens Wiklander #endif /* defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) && 2712*32b31808SJens Wiklander defined(MBEDTLS_SSL_ASYNC_PRIVATE) */ 2713*32b31808SJens Wiklander 2714*32b31808SJens Wiklander /* Prepare the ServerKeyExchange message, up to and including 2715*32b31808SJens Wiklander * calculating the signature if any, but excluding formatting the 2716*32b31808SJens Wiklander * signature and sending the message. */ 2717*32b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 2718*32b31808SJens Wiklander static int ssl_prepare_server_key_exchange(mbedtls_ssl_context *ssl, 2719*32b31808SJens Wiklander size_t *signature_len) 2720*32b31808SJens Wiklander { 2721*32b31808SJens Wiklander const mbedtls_ssl_ciphersuite_t *ciphersuite_info = 2722*32b31808SJens Wiklander ssl->handshake->ciphersuite_info; 2723*32b31808SJens Wiklander 2724*32b31808SJens Wiklander #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PFS_ENABLED) 2725*32b31808SJens Wiklander #if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) 2726*32b31808SJens Wiklander unsigned char *dig_signed = NULL; 2727*32b31808SJens Wiklander #endif /* MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED */ 2728*32b31808SJens Wiklander #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PFS_ENABLED */ 2729*32b31808SJens Wiklander 2730*32b31808SJens Wiklander (void) ciphersuite_info; /* unused in some configurations */ 2731*32b31808SJens Wiklander #if !defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) 2732*32b31808SJens Wiklander (void) signature_len; 2733*32b31808SJens Wiklander #endif /* MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED */ 2734*32b31808SJens Wiklander 2735*32b31808SJens Wiklander #if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) 2736*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH) 2737*32b31808SJens Wiklander size_t out_buf_len = ssl->out_buf_len - (ssl->out_msg - ssl->out_buf); 2738*32b31808SJens Wiklander #else 2739*32b31808SJens Wiklander size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN - (ssl->out_msg - ssl->out_buf); 2740*32b31808SJens Wiklander #endif 2741*32b31808SJens Wiklander #endif 2742*32b31808SJens Wiklander 2743*32b31808SJens Wiklander ssl->out_msglen = 4; /* header (type:1, length:3) to be written later */ 2744*32b31808SJens Wiklander 2745*32b31808SJens Wiklander /* 2746*32b31808SJens Wiklander * 2747*32b31808SJens Wiklander * Part 1: Provide key exchange parameters for chosen ciphersuite. 2748*32b31808SJens Wiklander * 2749*32b31808SJens Wiklander */ 2750*32b31808SJens Wiklander 2751*32b31808SJens Wiklander /* 2752*32b31808SJens Wiklander * - ECJPAKE key exchanges 2753*32b31808SJens Wiklander */ 2754*32b31808SJens Wiklander #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 2755*32b31808SJens Wiklander if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE) { 2756*32b31808SJens Wiklander int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 2757*32b31808SJens Wiklander #if defined(MBEDTLS_USE_PSA_CRYPTO) 2758*32b31808SJens Wiklander unsigned char *out_p = ssl->out_msg + ssl->out_msglen; 2759*32b31808SJens Wiklander unsigned char *end_p = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN - 2760*32b31808SJens Wiklander ssl->out_msglen; 2761*32b31808SJens Wiklander size_t output_offset = 0; 2762*32b31808SJens Wiklander size_t output_len = 0; 2763*32b31808SJens Wiklander 2764*32b31808SJens Wiklander /* 2765*32b31808SJens Wiklander * The first 3 bytes are: 2766*32b31808SJens Wiklander * [0] MBEDTLS_ECP_TLS_NAMED_CURVE 2767*32b31808SJens Wiklander * [1, 2] elliptic curve's TLS ID 2768*32b31808SJens Wiklander * 2769*32b31808SJens Wiklander * However since we only support secp256r1 for now, we hardcode its 2770*32b31808SJens Wiklander * TLS ID here 2771*32b31808SJens Wiklander */ 2772*32b31808SJens Wiklander uint16_t tls_id = mbedtls_ssl_get_tls_id_from_ecp_group_id( 2773*32b31808SJens Wiklander MBEDTLS_ECP_DP_SECP256R1); 2774*32b31808SJens Wiklander if (tls_id == 0) { 2775*32b31808SJens Wiklander return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 2776*32b31808SJens Wiklander } 2777*32b31808SJens Wiklander *out_p = MBEDTLS_ECP_TLS_NAMED_CURVE; 2778*32b31808SJens Wiklander MBEDTLS_PUT_UINT16_BE(tls_id, out_p, 1); 2779*32b31808SJens Wiklander output_offset += 3; 2780*32b31808SJens Wiklander 2781*32b31808SJens Wiklander ret = mbedtls_psa_ecjpake_write_round(&ssl->handshake->psa_pake_ctx, 2782*32b31808SJens Wiklander out_p + output_offset, 2783*32b31808SJens Wiklander end_p - out_p - output_offset, &output_len, 2784*32b31808SJens Wiklander MBEDTLS_ECJPAKE_ROUND_TWO); 2785*32b31808SJens Wiklander if (ret != 0) { 2786*32b31808SJens Wiklander psa_destroy_key(ssl->handshake->psa_pake_password); 2787*32b31808SJens Wiklander psa_pake_abort(&ssl->handshake->psa_pake_ctx); 2788*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_RET(1, "psa_pake_output", ret); 2789*32b31808SJens Wiklander return ret; 2790*32b31808SJens Wiklander } 2791*32b31808SJens Wiklander 2792*32b31808SJens Wiklander output_offset += output_len; 2793*32b31808SJens Wiklander ssl->out_msglen += output_offset; 2794*32b31808SJens Wiklander #else 2795*32b31808SJens Wiklander size_t len = 0; 2796*32b31808SJens Wiklander 2797*32b31808SJens Wiklander ret = mbedtls_ecjpake_write_round_two( 2798*32b31808SJens Wiklander &ssl->handshake->ecjpake_ctx, 2799*32b31808SJens Wiklander ssl->out_msg + ssl->out_msglen, 2800*32b31808SJens Wiklander MBEDTLS_SSL_OUT_CONTENT_LEN - ssl->out_msglen, &len, 2801*32b31808SJens Wiklander ssl->conf->f_rng, ssl->conf->p_rng); 2802*32b31808SJens Wiklander if (ret != 0) { 2803*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_write_round_two", ret); 2804*32b31808SJens Wiklander return ret; 2805*32b31808SJens Wiklander } 2806*32b31808SJens Wiklander 2807*32b31808SJens Wiklander ssl->out_msglen += len; 2808*32b31808SJens Wiklander #endif /* MBEDTLS_USE_PSA_CRYPTO */ 2809*32b31808SJens Wiklander } 2810*32b31808SJens Wiklander #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 2811*32b31808SJens Wiklander 2812*32b31808SJens Wiklander /* 2813*32b31808SJens Wiklander * For (EC)DHE key exchanges with PSK, parameters are prefixed by support 2814*32b31808SJens Wiklander * identity hint (RFC 4279, Sec. 3). Until someone needs this feature, 2815*32b31808SJens Wiklander * we use empty support identity hints here. 2816*32b31808SJens Wiklander **/ 2817*32b31808SJens Wiklander #if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) || \ 2818*32b31808SJens Wiklander defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) 2819*32b31808SJens Wiklander if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || 2820*32b31808SJens Wiklander ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK) { 2821*32b31808SJens Wiklander ssl->out_msg[ssl->out_msglen++] = 0x00; 2822*32b31808SJens Wiklander ssl->out_msg[ssl->out_msglen++] = 0x00; 2823*32b31808SJens Wiklander } 2824*32b31808SJens Wiklander #endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED || 2825*32b31808SJens Wiklander MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */ 2826*32b31808SJens Wiklander 2827*32b31808SJens Wiklander /* 2828*32b31808SJens Wiklander * - DHE key exchanges 2829*32b31808SJens Wiklander */ 2830*32b31808SJens Wiklander #if defined(MBEDTLS_KEY_EXCHANGE_SOME_DHE_ENABLED) 2831*32b31808SJens Wiklander if (mbedtls_ssl_ciphersuite_uses_dhe(ciphersuite_info)) { 2832*32b31808SJens Wiklander int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 2833*32b31808SJens Wiklander size_t len = 0; 2834*32b31808SJens Wiklander 2835*32b31808SJens Wiklander if (ssl->conf->dhm_P.p == NULL || ssl->conf->dhm_G.p == NULL) { 2836*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(1, ("no DH parameters set")); 2837*32b31808SJens Wiklander return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 2838*32b31808SJens Wiklander } 2839*32b31808SJens Wiklander 2840*32b31808SJens Wiklander /* 2841*32b31808SJens Wiklander * Ephemeral DH parameters: 2842*32b31808SJens Wiklander * 2843*32b31808SJens Wiklander * struct { 2844*32b31808SJens Wiklander * opaque dh_p<1..2^16-1>; 2845*32b31808SJens Wiklander * opaque dh_g<1..2^16-1>; 2846*32b31808SJens Wiklander * opaque dh_Ys<1..2^16-1>; 2847*32b31808SJens Wiklander * } ServerDHParams; 2848*32b31808SJens Wiklander */ 2849*32b31808SJens Wiklander if ((ret = mbedtls_dhm_set_group(&ssl->handshake->dhm_ctx, 2850*32b31808SJens Wiklander &ssl->conf->dhm_P, 2851*32b31808SJens Wiklander &ssl->conf->dhm_G)) != 0) { 2852*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_set_group", ret); 2853*32b31808SJens Wiklander return ret; 2854*32b31808SJens Wiklander } 2855*32b31808SJens Wiklander 2856*32b31808SJens Wiklander if ((ret = mbedtls_dhm_make_params( 2857*32b31808SJens Wiklander &ssl->handshake->dhm_ctx, 2858*32b31808SJens Wiklander (int) mbedtls_dhm_get_len(&ssl->handshake->dhm_ctx), 2859*32b31808SJens Wiklander ssl->out_msg + ssl->out_msglen, &len, 2860*32b31808SJens Wiklander ssl->conf->f_rng, ssl->conf->p_rng)) != 0) { 2861*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_make_params", ret); 2862*32b31808SJens Wiklander return ret; 2863*32b31808SJens Wiklander } 2864*32b31808SJens Wiklander 2865*32b31808SJens Wiklander #if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) 2866*32b31808SJens Wiklander dig_signed = ssl->out_msg + ssl->out_msglen; 2867*32b31808SJens Wiklander #endif 2868*32b31808SJens Wiklander 2869*32b31808SJens Wiklander ssl->out_msglen += len; 2870*32b31808SJens Wiklander 2871*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MPI(3, "DHM: X ", &ssl->handshake->dhm_ctx.X); 2872*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MPI(3, "DHM: P ", &ssl->handshake->dhm_ctx.P); 2873*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MPI(3, "DHM: G ", &ssl->handshake->dhm_ctx.G); 2874*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MPI(3, "DHM: GX", &ssl->handshake->dhm_ctx.GX); 2875*32b31808SJens Wiklander } 2876*32b31808SJens Wiklander #endif /* MBEDTLS_KEY_EXCHANGE_SOME_DHE_ENABLED */ 2877*32b31808SJens Wiklander 2878*32b31808SJens Wiklander /* 2879*32b31808SJens Wiklander * - ECDHE key exchanges 2880*32b31808SJens Wiklander */ 2881*32b31808SJens Wiklander #if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDHE_ENABLED) 2882*32b31808SJens Wiklander if (mbedtls_ssl_ciphersuite_uses_ecdhe(ciphersuite_info)) { 2883*32b31808SJens Wiklander /* 2884*32b31808SJens Wiklander * Ephemeral ECDH parameters: 2885*32b31808SJens Wiklander * 2886*32b31808SJens Wiklander * struct { 2887*32b31808SJens Wiklander * ECParameters curve_params; 2888*32b31808SJens Wiklander * ECPoint public; 2889*32b31808SJens Wiklander * } ServerECDHParams; 2890*32b31808SJens Wiklander */ 2891*32b31808SJens Wiklander uint16_t *curr_tls_id = ssl->handshake->curves_tls_id; 2892*32b31808SJens Wiklander const uint16_t *group_list = mbedtls_ssl_get_groups(ssl); 2893*32b31808SJens Wiklander int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 2894*32b31808SJens Wiklander size_t len = 0; 2895*32b31808SJens Wiklander 2896*32b31808SJens Wiklander /* Match our preference list against the offered curves */ 2897*32b31808SJens Wiklander if ((group_list == NULL) || (curr_tls_id == NULL)) { 2898*32b31808SJens Wiklander return MBEDTLS_ERR_SSL_BAD_CONFIG; 2899*32b31808SJens Wiklander } 2900*32b31808SJens Wiklander for (; *group_list != 0; group_list++) { 2901*32b31808SJens Wiklander for (curr_tls_id = ssl->handshake->curves_tls_id; 2902*32b31808SJens Wiklander *curr_tls_id != 0; curr_tls_id++) { 2903*32b31808SJens Wiklander if (*curr_tls_id == *group_list) { 2904*32b31808SJens Wiklander goto curve_matching_done; 2905*32b31808SJens Wiklander } 2906*32b31808SJens Wiklander } 2907*32b31808SJens Wiklander } 2908*32b31808SJens Wiklander 2909*32b31808SJens Wiklander curve_matching_done: 2910*32b31808SJens Wiklander if (*curr_tls_id == 0) { 2911*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(1, ("no matching curve for ECDHE")); 2912*32b31808SJens Wiklander return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; 2913*32b31808SJens Wiklander } 2914*32b31808SJens Wiklander 2915*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(2, ("ECDHE curve: %s", 2916*32b31808SJens Wiklander mbedtls_ssl_get_curve_name_from_tls_id(*curr_tls_id))); 2917*32b31808SJens Wiklander 2918*32b31808SJens Wiklander #if defined(MBEDTLS_USE_PSA_CRYPTO) 2919*32b31808SJens Wiklander psa_status_t status = PSA_ERROR_GENERIC_ERROR; 2920*32b31808SJens Wiklander psa_key_attributes_t key_attributes; 2921*32b31808SJens Wiklander mbedtls_ssl_handshake_params *handshake = ssl->handshake; 2922*32b31808SJens Wiklander uint8_t *p = ssl->out_msg + ssl->out_msglen; 2923*32b31808SJens Wiklander const size_t header_size = 4; // curve_type(1), namedcurve(2), 2924*32b31808SJens Wiklander // data length(1) 2925*32b31808SJens Wiklander const size_t data_length_size = 1; 2926*32b31808SJens Wiklander psa_ecc_family_t ec_psa_family = 0; 2927*32b31808SJens Wiklander size_t ec_bits = 0; 2928*32b31808SJens Wiklander 2929*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(1, ("Perform PSA-based ECDH computation.")); 2930*32b31808SJens Wiklander 2931*32b31808SJens Wiklander /* Convert EC's TLS ID to PSA key type. */ 2932*32b31808SJens Wiklander if (mbedtls_ssl_get_psa_curve_info_from_tls_id(*curr_tls_id, 2933*32b31808SJens Wiklander &ec_psa_family, 2934*32b31808SJens Wiklander &ec_bits) == PSA_ERROR_NOT_SUPPORTED) { 2935*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(1, ("Invalid ecc group parse.")); 2936*32b31808SJens Wiklander return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; 2937*32b31808SJens Wiklander } 2938*32b31808SJens Wiklander handshake->ecdh_psa_type = PSA_KEY_TYPE_ECC_KEY_PAIR(ec_psa_family); 2939*32b31808SJens Wiklander handshake->ecdh_bits = ec_bits; 2940*32b31808SJens Wiklander 2941*32b31808SJens Wiklander key_attributes = psa_key_attributes_init(); 2942*32b31808SJens Wiklander psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE); 2943*32b31808SJens Wiklander psa_set_key_algorithm(&key_attributes, PSA_ALG_ECDH); 2944*32b31808SJens Wiklander psa_set_key_type(&key_attributes, handshake->ecdh_psa_type); 2945*32b31808SJens Wiklander psa_set_key_bits(&key_attributes, handshake->ecdh_bits); 2946*32b31808SJens Wiklander 2947*32b31808SJens Wiklander /* 2948*32b31808SJens Wiklander * ECParameters curve_params 2949*32b31808SJens Wiklander * 2950*32b31808SJens Wiklander * First byte is curve_type, always named_curve 2951*32b31808SJens Wiklander */ 2952*32b31808SJens Wiklander *p++ = MBEDTLS_ECP_TLS_NAMED_CURVE; 2953*32b31808SJens Wiklander 2954*32b31808SJens Wiklander /* 2955*32b31808SJens Wiklander * Next two bytes are the namedcurve value 2956*32b31808SJens Wiklander */ 2957*32b31808SJens Wiklander MBEDTLS_PUT_UINT16_BE(*curr_tls_id, p, 0); 2958*32b31808SJens Wiklander p += 2; 2959*32b31808SJens Wiklander 2960*32b31808SJens Wiklander /* Generate ECDH private key. */ 2961*32b31808SJens Wiklander status = psa_generate_key(&key_attributes, 2962*32b31808SJens Wiklander &handshake->ecdh_psa_privkey); 2963*32b31808SJens Wiklander if (status != PSA_SUCCESS) { 2964*32b31808SJens Wiklander ret = PSA_TO_MBEDTLS_ERR(status); 2965*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_RET(1, "psa_generate_key", ret); 2966*32b31808SJens Wiklander return ret; 2967*32b31808SJens Wiklander } 2968*32b31808SJens Wiklander 2969*32b31808SJens Wiklander /* 2970*32b31808SJens Wiklander * ECPoint public 2971*32b31808SJens Wiklander * 2972*32b31808SJens Wiklander * First byte is data length. 2973*32b31808SJens Wiklander * It will be filled later. p holds now the data length location. 2974*32b31808SJens Wiklander */ 2975*32b31808SJens Wiklander 2976*32b31808SJens Wiklander /* Export the public part of the ECDH private key from PSA. 2977*32b31808SJens Wiklander * Make one byte space for the length. 2978*32b31808SJens Wiklander */ 2979*32b31808SJens Wiklander unsigned char *own_pubkey = p + data_length_size; 2980*32b31808SJens Wiklander 2981*32b31808SJens Wiklander size_t own_pubkey_max_len = (size_t) (MBEDTLS_SSL_OUT_CONTENT_LEN 2982*32b31808SJens Wiklander - (own_pubkey - ssl->out_msg)); 2983*32b31808SJens Wiklander 2984*32b31808SJens Wiklander status = psa_export_public_key(handshake->ecdh_psa_privkey, 2985*32b31808SJens Wiklander own_pubkey, own_pubkey_max_len, 2986*32b31808SJens Wiklander &len); 2987*32b31808SJens Wiklander if (status != PSA_SUCCESS) { 2988*32b31808SJens Wiklander ret = PSA_TO_MBEDTLS_ERR(status); 2989*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_RET(1, "psa_export_public_key", ret); 2990*32b31808SJens Wiklander (void) psa_destroy_key(handshake->ecdh_psa_privkey); 2991*32b31808SJens Wiklander handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT; 2992*32b31808SJens Wiklander return ret; 2993*32b31808SJens Wiklander } 2994*32b31808SJens Wiklander 2995*32b31808SJens Wiklander /* Store the length of the exported public key. */ 2996*32b31808SJens Wiklander *p = (uint8_t) len; 2997*32b31808SJens Wiklander 2998*32b31808SJens Wiklander /* Determine full message length. */ 2999*32b31808SJens Wiklander len += header_size; 3000*32b31808SJens Wiklander #else 3001*32b31808SJens Wiklander mbedtls_ecp_group_id curr_grp_id = 3002*32b31808SJens Wiklander mbedtls_ssl_get_ecp_group_id_from_tls_id(*curr_tls_id); 3003*32b31808SJens Wiklander 3004*32b31808SJens Wiklander if ((ret = mbedtls_ecdh_setup(&ssl->handshake->ecdh_ctx, 3005*32b31808SJens Wiklander curr_grp_id)) != 0) { 3006*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecp_group_load", ret); 3007*32b31808SJens Wiklander return ret; 3008*32b31808SJens Wiklander } 3009*32b31808SJens Wiklander 3010*32b31808SJens Wiklander if ((ret = mbedtls_ecdh_make_params( 3011*32b31808SJens Wiklander &ssl->handshake->ecdh_ctx, &len, 3012*32b31808SJens Wiklander ssl->out_msg + ssl->out_msglen, 3013*32b31808SJens Wiklander MBEDTLS_SSL_OUT_CONTENT_LEN - ssl->out_msglen, 3014*32b31808SJens Wiklander ssl->conf->f_rng, ssl->conf->p_rng)) != 0) { 3015*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_make_params", ret); 3016*32b31808SJens Wiklander return ret; 3017*32b31808SJens Wiklander } 3018*32b31808SJens Wiklander 3019*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx, 3020*32b31808SJens Wiklander MBEDTLS_DEBUG_ECDH_Q); 3021*32b31808SJens Wiklander #endif /* MBEDTLS_USE_PSA_CRYPTO */ 3022*32b31808SJens Wiklander 3023*32b31808SJens Wiklander #if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) 3024*32b31808SJens Wiklander dig_signed = ssl->out_msg + ssl->out_msglen; 3025*32b31808SJens Wiklander #endif 3026*32b31808SJens Wiklander 3027*32b31808SJens Wiklander ssl->out_msglen += len; 3028*32b31808SJens Wiklander } 3029*32b31808SJens Wiklander #endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDHE_ENABLED */ 3030*32b31808SJens Wiklander 3031*32b31808SJens Wiklander /* 3032*32b31808SJens Wiklander * 3033*32b31808SJens Wiklander * Part 2: For key exchanges involving the server signing the 3034*32b31808SJens Wiklander * exchange parameters, compute and add the signature here. 3035*32b31808SJens Wiklander * 3036*32b31808SJens Wiklander */ 3037*32b31808SJens Wiklander #if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) 3038*32b31808SJens Wiklander if (mbedtls_ssl_ciphersuite_uses_server_signature(ciphersuite_info)) { 3039*32b31808SJens Wiklander if (dig_signed == NULL) { 3040*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); 3041*32b31808SJens Wiklander return MBEDTLS_ERR_SSL_INTERNAL_ERROR; 3042*32b31808SJens Wiklander } 3043*32b31808SJens Wiklander 3044*32b31808SJens Wiklander size_t dig_signed_len = ssl->out_msg + ssl->out_msglen - dig_signed; 3045*32b31808SJens Wiklander size_t hashlen = 0; 3046*32b31808SJens Wiklander unsigned char hash[MBEDTLS_HASH_MAX_SIZE]; 3047*32b31808SJens Wiklander 3048*32b31808SJens Wiklander int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 3049*32b31808SJens Wiklander 3050*32b31808SJens Wiklander /* 3051*32b31808SJens Wiklander * 2.1: Choose hash algorithm: 3052*32b31808SJens Wiklander * For TLS 1.2, obey signature-hash-algorithm extension 3053*32b31808SJens Wiklander * to choose appropriate hash. 3054*32b31808SJens Wiklander */ 3055*32b31808SJens Wiklander 3056*32b31808SJens Wiklander mbedtls_pk_type_t sig_alg = 3057*32b31808SJens Wiklander mbedtls_ssl_get_ciphersuite_sig_pk_alg(ciphersuite_info); 3058*32b31808SJens Wiklander 3059*32b31808SJens Wiklander unsigned int sig_hash = 3060*32b31808SJens Wiklander mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg( 3061*32b31808SJens Wiklander ssl, mbedtls_ssl_sig_from_pk_alg(sig_alg)); 3062*32b31808SJens Wiklander 3063*32b31808SJens Wiklander mbedtls_md_type_t md_alg = mbedtls_ssl_md_alg_from_hash(sig_hash); 3064*32b31808SJens Wiklander 3065*32b31808SJens Wiklander /* For TLS 1.2, obey signature-hash-algorithm extension 3066*32b31808SJens Wiklander * (RFC 5246, Sec. 7.4.1.4.1). */ 3067*32b31808SJens Wiklander if (sig_alg == MBEDTLS_PK_NONE || md_alg == MBEDTLS_MD_NONE) { 3068*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); 3069*32b31808SJens Wiklander /* (... because we choose a cipher suite 3070*32b31808SJens Wiklander * only if there is a matching hash.) */ 3071*32b31808SJens Wiklander return MBEDTLS_ERR_SSL_INTERNAL_ERROR; 3072*32b31808SJens Wiklander } 3073*32b31808SJens Wiklander 3074*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(3, ("pick hash algorithm %u for signing", (unsigned) md_alg)); 3075*32b31808SJens Wiklander 3076*32b31808SJens Wiklander /* 3077*32b31808SJens Wiklander * 2.2: Compute the hash to be signed 3078*32b31808SJens Wiklander */ 3079*32b31808SJens Wiklander if (md_alg != MBEDTLS_MD_NONE) { 3080*32b31808SJens Wiklander ret = mbedtls_ssl_get_key_exchange_md_tls1_2(ssl, hash, &hashlen, 3081*32b31808SJens Wiklander dig_signed, 3082*32b31808SJens Wiklander dig_signed_len, 3083*32b31808SJens Wiklander md_alg); 3084*32b31808SJens Wiklander if (ret != 0) { 3085*32b31808SJens Wiklander return ret; 3086*32b31808SJens Wiklander } 3087*32b31808SJens Wiklander } else { 3088*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); 3089*32b31808SJens Wiklander return MBEDTLS_ERR_SSL_INTERNAL_ERROR; 3090*32b31808SJens Wiklander } 3091*32b31808SJens Wiklander 3092*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_BUF(3, "parameters hash", hash, hashlen); 3093*32b31808SJens Wiklander 3094*32b31808SJens Wiklander /* 3095*32b31808SJens Wiklander * 2.3: Compute and add the signature 3096*32b31808SJens Wiklander */ 3097*32b31808SJens Wiklander /* 3098*32b31808SJens Wiklander * We need to specify signature and hash algorithm explicitly through 3099*32b31808SJens Wiklander * a prefix to the signature. 3100*32b31808SJens Wiklander * 3101*32b31808SJens Wiklander * struct { 3102*32b31808SJens Wiklander * HashAlgorithm hash; 3103*32b31808SJens Wiklander * SignatureAlgorithm signature; 3104*32b31808SJens Wiklander * } SignatureAndHashAlgorithm; 3105*32b31808SJens Wiklander * 3106*32b31808SJens Wiklander * struct { 3107*32b31808SJens Wiklander * SignatureAndHashAlgorithm algorithm; 3108*32b31808SJens Wiklander * opaque signature<0..2^16-1>; 3109*32b31808SJens Wiklander * } DigitallySigned; 3110*32b31808SJens Wiklander * 3111*32b31808SJens Wiklander */ 3112*32b31808SJens Wiklander 3113*32b31808SJens Wiklander ssl->out_msg[ssl->out_msglen++] = mbedtls_ssl_hash_from_md_alg(md_alg); 3114*32b31808SJens Wiklander ssl->out_msg[ssl->out_msglen++] = mbedtls_ssl_sig_from_pk_alg(sig_alg); 3115*32b31808SJens Wiklander 3116*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) 3117*32b31808SJens Wiklander if (ssl->conf->f_async_sign_start != NULL) { 3118*32b31808SJens Wiklander ret = ssl->conf->f_async_sign_start(ssl, 3119*32b31808SJens Wiklander mbedtls_ssl_own_cert(ssl), 3120*32b31808SJens Wiklander md_alg, hash, hashlen); 3121*32b31808SJens Wiklander switch (ret) { 3122*32b31808SJens Wiklander case MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH: 3123*32b31808SJens Wiklander /* act as if f_async_sign was null */ 3124*32b31808SJens Wiklander break; 3125*32b31808SJens Wiklander case 0: 3126*32b31808SJens Wiklander ssl->handshake->async_in_progress = 1; 3127*32b31808SJens Wiklander return ssl_resume_server_key_exchange(ssl, signature_len); 3128*32b31808SJens Wiklander case MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS: 3129*32b31808SJens Wiklander ssl->handshake->async_in_progress = 1; 3130*32b31808SJens Wiklander return MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS; 3131*32b31808SJens Wiklander default: 3132*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_RET(1, "f_async_sign_start", ret); 3133*32b31808SJens Wiklander return ret; 3134*32b31808SJens Wiklander } 3135*32b31808SJens Wiklander } 3136*32b31808SJens Wiklander #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */ 3137*32b31808SJens Wiklander 3138*32b31808SJens Wiklander if (mbedtls_ssl_own_key(ssl) == NULL) { 3139*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(1, ("got no private key")); 3140*32b31808SJens Wiklander return MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED; 3141*32b31808SJens Wiklander } 3142*32b31808SJens Wiklander 3143*32b31808SJens Wiklander /* Append the signature to ssl->out_msg, leaving 2 bytes for the 3144*32b31808SJens Wiklander * signature length which will be added in ssl_write_server_key_exchange 3145*32b31808SJens Wiklander * after the call to ssl_prepare_server_key_exchange. 3146*32b31808SJens Wiklander * ssl_write_server_key_exchange also takes care of incrementing 3147*32b31808SJens Wiklander * ssl->out_msglen. */ 3148*32b31808SJens Wiklander if ((ret = mbedtls_pk_sign(mbedtls_ssl_own_key(ssl), 3149*32b31808SJens Wiklander md_alg, hash, hashlen, 3150*32b31808SJens Wiklander ssl->out_msg + ssl->out_msglen + 2, 3151*32b31808SJens Wiklander out_buf_len - ssl->out_msglen - 2, 3152*32b31808SJens Wiklander signature_len, 3153*32b31808SJens Wiklander ssl->conf->f_rng, 3154*32b31808SJens Wiklander ssl->conf->p_rng)) != 0) { 3155*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_sign", ret); 3156*32b31808SJens Wiklander return ret; 3157*32b31808SJens Wiklander } 3158*32b31808SJens Wiklander } 3159*32b31808SJens Wiklander #endif /* MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED */ 3160*32b31808SJens Wiklander 3161*32b31808SJens Wiklander return 0; 3162*32b31808SJens Wiklander } 3163*32b31808SJens Wiklander 3164*32b31808SJens Wiklander /* Prepare the ServerKeyExchange message and send it. For ciphersuites 3165*32b31808SJens Wiklander * that do not include a ServerKeyExchange message, do nothing. Either 3166*32b31808SJens Wiklander * way, if successful, move on to the next step in the SSL state 3167*32b31808SJens Wiklander * machine. */ 3168*32b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 3169*32b31808SJens Wiklander static int ssl_write_server_key_exchange(mbedtls_ssl_context *ssl) 3170*32b31808SJens Wiklander { 3171*32b31808SJens Wiklander int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 3172*32b31808SJens Wiklander size_t signature_len = 0; 3173*32b31808SJens Wiklander #if defined(MBEDTLS_KEY_EXCHANGE_SOME_NON_PFS_ENABLED) 3174*32b31808SJens Wiklander const mbedtls_ssl_ciphersuite_t *ciphersuite_info = 3175*32b31808SJens Wiklander ssl->handshake->ciphersuite_info; 3176*32b31808SJens Wiklander #endif /* MBEDTLS_KEY_EXCHANGE_SOME_NON_PFS_ENABLED */ 3177*32b31808SJens Wiklander 3178*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(2, ("=> write server key exchange")); 3179*32b31808SJens Wiklander 3180*32b31808SJens Wiklander #if defined(MBEDTLS_KEY_EXCHANGE_SOME_NON_PFS_ENABLED) 3181*32b31808SJens Wiklander /* Extract static ECDH parameters and abort if ServerKeyExchange 3182*32b31808SJens Wiklander * is not needed. */ 3183*32b31808SJens Wiklander if (mbedtls_ssl_ciphersuite_no_pfs(ciphersuite_info)) { 3184*32b31808SJens Wiklander /* For suites involving ECDH, extract DH parameters 3185*32b31808SJens Wiklander * from certificate at this point. */ 3186*32b31808SJens Wiklander #if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_ENABLED) 3187*32b31808SJens Wiklander if (mbedtls_ssl_ciphersuite_uses_ecdh(ciphersuite_info)) { 3188*32b31808SJens Wiklander ret = ssl_get_ecdh_params_from_cert(ssl); 3189*32b31808SJens Wiklander if (ret != 0) { 3190*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_RET(1, "ssl_get_ecdh_params_from_cert", ret); 3191*32b31808SJens Wiklander return ret; 3192*32b31808SJens Wiklander } 3193*32b31808SJens Wiklander } 3194*32b31808SJens Wiklander #endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDH_ENABLED */ 3195*32b31808SJens Wiklander 3196*32b31808SJens Wiklander /* Key exchanges not involving ephemeral keys don't use 3197*32b31808SJens Wiklander * ServerKeyExchange, so end here. */ 3198*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write server key exchange")); 3199*32b31808SJens Wiklander ssl->state++; 3200*32b31808SJens Wiklander return 0; 3201*32b31808SJens Wiklander } 3202*32b31808SJens Wiklander #endif /* MBEDTLS_KEY_EXCHANGE_SOME_NON_PFS_ENABLED */ 3203*32b31808SJens Wiklander 3204*32b31808SJens Wiklander #if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) && \ 3205*32b31808SJens Wiklander defined(MBEDTLS_SSL_ASYNC_PRIVATE) 3206*32b31808SJens Wiklander /* If we have already prepared the message and there is an ongoing 3207*32b31808SJens Wiklander * signature operation, resume signing. */ 3208*32b31808SJens Wiklander if (ssl->handshake->async_in_progress != 0) { 3209*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(2, ("resuming signature operation")); 3210*32b31808SJens Wiklander ret = ssl_resume_server_key_exchange(ssl, &signature_len); 3211*32b31808SJens Wiklander } else 3212*32b31808SJens Wiklander #endif /* defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) && 3213*32b31808SJens Wiklander defined(MBEDTLS_SSL_ASYNC_PRIVATE) */ 3214*32b31808SJens Wiklander { 3215*32b31808SJens Wiklander /* ServerKeyExchange is needed. Prepare the message. */ 3216*32b31808SJens Wiklander ret = ssl_prepare_server_key_exchange(ssl, &signature_len); 3217*32b31808SJens Wiklander } 3218*32b31808SJens Wiklander 3219*32b31808SJens Wiklander if (ret != 0) { 3220*32b31808SJens Wiklander /* If we're starting to write a new message, set ssl->out_msglen 3221*32b31808SJens Wiklander * to 0. But if we're resuming after an asynchronous message, 3222*32b31808SJens Wiklander * out_msglen is the amount of data written so far and mst be 3223*32b31808SJens Wiklander * preserved. */ 3224*32b31808SJens Wiklander if (ret == MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS) { 3225*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(2, ("<= write server key exchange (pending)")); 3226*32b31808SJens Wiklander } else { 3227*32b31808SJens Wiklander ssl->out_msglen = 0; 3228*32b31808SJens Wiklander } 3229*32b31808SJens Wiklander return ret; 3230*32b31808SJens Wiklander } 3231*32b31808SJens Wiklander 3232*32b31808SJens Wiklander /* If there is a signature, write its length. 3233*32b31808SJens Wiklander * ssl_prepare_server_key_exchange already wrote the signature 3234*32b31808SJens Wiklander * itself at its proper place in the output buffer. */ 3235*32b31808SJens Wiklander #if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) 3236*32b31808SJens Wiklander if (signature_len != 0) { 3237*32b31808SJens Wiklander ssl->out_msg[ssl->out_msglen++] = MBEDTLS_BYTE_1(signature_len); 3238*32b31808SJens Wiklander ssl->out_msg[ssl->out_msglen++] = MBEDTLS_BYTE_0(signature_len); 3239*32b31808SJens Wiklander 3240*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_BUF(3, "my signature", 3241*32b31808SJens Wiklander ssl->out_msg + ssl->out_msglen, 3242*32b31808SJens Wiklander signature_len); 3243*32b31808SJens Wiklander 3244*32b31808SJens Wiklander /* Skip over the already-written signature */ 3245*32b31808SJens Wiklander ssl->out_msglen += signature_len; 3246*32b31808SJens Wiklander } 3247*32b31808SJens Wiklander #endif /* MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED */ 3248*32b31808SJens Wiklander 3249*32b31808SJens Wiklander /* Add header and send. */ 3250*32b31808SJens Wiklander ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; 3251*32b31808SJens Wiklander ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE; 3252*32b31808SJens Wiklander 3253*32b31808SJens Wiklander ssl->state++; 3254*32b31808SJens Wiklander 3255*32b31808SJens Wiklander if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) { 3256*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret); 3257*32b31808SJens Wiklander return ret; 3258*32b31808SJens Wiklander } 3259*32b31808SJens Wiklander 3260*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(2, ("<= write server key exchange")); 3261*32b31808SJens Wiklander return 0; 3262*32b31808SJens Wiklander } 3263*32b31808SJens Wiklander 3264*32b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 3265*32b31808SJens Wiklander static int ssl_write_server_hello_done(mbedtls_ssl_context *ssl) 3266*32b31808SJens Wiklander { 3267*32b31808SJens Wiklander int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 3268*32b31808SJens Wiklander 3269*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(2, ("=> write server hello done")); 3270*32b31808SJens Wiklander 3271*32b31808SJens Wiklander ssl->out_msglen = 4; 3272*32b31808SJens Wiklander ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; 3273*32b31808SJens Wiklander ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_HELLO_DONE; 3274*32b31808SJens Wiklander 3275*32b31808SJens Wiklander ssl->state++; 3276*32b31808SJens Wiklander 3277*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_PROTO_DTLS) 3278*32b31808SJens Wiklander if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) { 3279*32b31808SJens Wiklander mbedtls_ssl_send_flight_completed(ssl); 3280*32b31808SJens Wiklander } 3281*32b31808SJens Wiklander #endif 3282*32b31808SJens Wiklander 3283*32b31808SJens Wiklander if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) { 3284*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret); 3285*32b31808SJens Wiklander return ret; 3286*32b31808SJens Wiklander } 3287*32b31808SJens Wiklander 3288*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_PROTO_DTLS) 3289*32b31808SJens Wiklander if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 3290*32b31808SJens Wiklander (ret = mbedtls_ssl_flight_transmit(ssl)) != 0) { 3291*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_flight_transmit", ret); 3292*32b31808SJens Wiklander return ret; 3293*32b31808SJens Wiklander } 3294*32b31808SJens Wiklander #endif /* MBEDTLS_SSL_PROTO_DTLS */ 3295*32b31808SJens Wiklander 3296*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(2, ("<= write server hello done")); 3297*32b31808SJens Wiklander 3298*32b31808SJens Wiklander return 0; 3299*32b31808SJens Wiklander } 3300*32b31808SJens Wiklander 3301*32b31808SJens Wiklander #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \ 3302*32b31808SJens Wiklander defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) 3303*32b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 3304*32b31808SJens Wiklander static int ssl_parse_client_dh_public(mbedtls_ssl_context *ssl, unsigned char **p, 3305*32b31808SJens Wiklander const unsigned char *end) 3306*32b31808SJens Wiklander { 3307*32b31808SJens Wiklander int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 3308*32b31808SJens Wiklander size_t n; 3309*32b31808SJens Wiklander 3310*32b31808SJens Wiklander /* 3311*32b31808SJens Wiklander * Receive G^Y mod P, premaster = (G^Y)^X mod P 3312*32b31808SJens Wiklander */ 3313*32b31808SJens Wiklander if (*p + 2 > end) { 3314*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message")); 3315*32b31808SJens Wiklander return MBEDTLS_ERR_SSL_DECODE_ERROR; 3316*32b31808SJens Wiklander } 3317*32b31808SJens Wiklander 3318*32b31808SJens Wiklander n = ((*p)[0] << 8) | (*p)[1]; 3319*32b31808SJens Wiklander *p += 2; 3320*32b31808SJens Wiklander 3321*32b31808SJens Wiklander if (*p + n > end) { 3322*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message")); 3323*32b31808SJens Wiklander return MBEDTLS_ERR_SSL_DECODE_ERROR; 3324*32b31808SJens Wiklander } 3325*32b31808SJens Wiklander 3326*32b31808SJens Wiklander if ((ret = mbedtls_dhm_read_public(&ssl->handshake->dhm_ctx, *p, n)) != 0) { 3327*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_read_public", ret); 3328*32b31808SJens Wiklander return MBEDTLS_ERR_SSL_DECODE_ERROR; 3329*32b31808SJens Wiklander } 3330*32b31808SJens Wiklander 3331*32b31808SJens Wiklander *p += n; 3332*32b31808SJens Wiklander 3333*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MPI(3, "DHM: GY", &ssl->handshake->dhm_ctx.GY); 3334*32b31808SJens Wiklander 3335*32b31808SJens Wiklander return ret; 3336*32b31808SJens Wiklander } 3337*32b31808SJens Wiklander #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED || 3338*32b31808SJens Wiklander MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */ 3339*32b31808SJens Wiklander 3340*32b31808SJens Wiklander #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \ 3341*32b31808SJens Wiklander defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) 3342*32b31808SJens Wiklander 3343*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) 3344*32b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 3345*32b31808SJens Wiklander static int ssl_resume_decrypt_pms(mbedtls_ssl_context *ssl, 3346*32b31808SJens Wiklander unsigned char *peer_pms, 3347*32b31808SJens Wiklander size_t *peer_pmslen, 3348*32b31808SJens Wiklander size_t peer_pmssize) 3349*32b31808SJens Wiklander { 3350*32b31808SJens Wiklander int ret = ssl->conf->f_async_resume(ssl, 3351*32b31808SJens Wiklander peer_pms, peer_pmslen, peer_pmssize); 3352*32b31808SJens Wiklander if (ret != MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS) { 3353*32b31808SJens Wiklander ssl->handshake->async_in_progress = 0; 3354*32b31808SJens Wiklander mbedtls_ssl_set_async_operation_data(ssl, NULL); 3355*32b31808SJens Wiklander } 3356*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_RET(2, "ssl_decrypt_encrypted_pms", ret); 3357*32b31808SJens Wiklander return ret; 3358*32b31808SJens Wiklander } 3359*32b31808SJens Wiklander #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */ 3360*32b31808SJens Wiklander 3361*32b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 3362*32b31808SJens Wiklander static int ssl_decrypt_encrypted_pms(mbedtls_ssl_context *ssl, 3363*32b31808SJens Wiklander const unsigned char *p, 3364*32b31808SJens Wiklander const unsigned char *end, 3365*32b31808SJens Wiklander unsigned char *peer_pms, 3366*32b31808SJens Wiklander size_t *peer_pmslen, 3367*32b31808SJens Wiklander size_t peer_pmssize) 3368*32b31808SJens Wiklander { 3369*32b31808SJens Wiklander int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 3370*32b31808SJens Wiklander 3371*32b31808SJens Wiklander mbedtls_x509_crt *own_cert = mbedtls_ssl_own_cert(ssl); 3372*32b31808SJens Wiklander if (own_cert == NULL) { 3373*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(1, ("got no local certificate")); 3374*32b31808SJens Wiklander return MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE; 3375*32b31808SJens Wiklander } 3376*32b31808SJens Wiklander mbedtls_pk_context *public_key = &own_cert->pk; 3377*32b31808SJens Wiklander mbedtls_pk_context *private_key = mbedtls_ssl_own_key(ssl); 3378*32b31808SJens Wiklander size_t len = mbedtls_pk_get_len(public_key); 3379*32b31808SJens Wiklander 3380*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) 3381*32b31808SJens Wiklander /* If we have already started decoding the message and there is an ongoing 3382*32b31808SJens Wiklander * decryption operation, resume signing. */ 3383*32b31808SJens Wiklander if (ssl->handshake->async_in_progress != 0) { 3384*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(2, ("resuming decryption operation")); 3385*32b31808SJens Wiklander return ssl_resume_decrypt_pms(ssl, 3386*32b31808SJens Wiklander peer_pms, peer_pmslen, peer_pmssize); 3387*32b31808SJens Wiklander } 3388*32b31808SJens Wiklander #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */ 3389*32b31808SJens Wiklander 3390*32b31808SJens Wiklander /* 3391*32b31808SJens Wiklander * Prepare to decrypt the premaster using own private RSA key 3392*32b31808SJens Wiklander */ 3393*32b31808SJens Wiklander if (p + 2 > end) { 3394*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message")); 3395*32b31808SJens Wiklander return MBEDTLS_ERR_SSL_DECODE_ERROR; 3396*32b31808SJens Wiklander } 3397*32b31808SJens Wiklander if (*p++ != MBEDTLS_BYTE_1(len) || 3398*32b31808SJens Wiklander *p++ != MBEDTLS_BYTE_0(len)) { 3399*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message")); 3400*32b31808SJens Wiklander return MBEDTLS_ERR_SSL_DECODE_ERROR; 3401*32b31808SJens Wiklander } 3402*32b31808SJens Wiklander 3403*32b31808SJens Wiklander if (p + len != end) { 3404*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message")); 3405*32b31808SJens Wiklander return MBEDTLS_ERR_SSL_DECODE_ERROR; 3406*32b31808SJens Wiklander } 3407*32b31808SJens Wiklander 3408*32b31808SJens Wiklander /* 3409*32b31808SJens Wiklander * Decrypt the premaster secret 3410*32b31808SJens Wiklander */ 3411*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) 3412*32b31808SJens Wiklander if (ssl->conf->f_async_decrypt_start != NULL) { 3413*32b31808SJens Wiklander ret = ssl->conf->f_async_decrypt_start(ssl, 3414*32b31808SJens Wiklander mbedtls_ssl_own_cert(ssl), 3415*32b31808SJens Wiklander p, len); 3416*32b31808SJens Wiklander switch (ret) { 3417*32b31808SJens Wiklander case MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH: 3418*32b31808SJens Wiklander /* act as if f_async_decrypt_start was null */ 3419*32b31808SJens Wiklander break; 3420*32b31808SJens Wiklander case 0: 3421*32b31808SJens Wiklander ssl->handshake->async_in_progress = 1; 3422*32b31808SJens Wiklander return ssl_resume_decrypt_pms(ssl, 3423*32b31808SJens Wiklander peer_pms, 3424*32b31808SJens Wiklander peer_pmslen, 3425*32b31808SJens Wiklander peer_pmssize); 3426*32b31808SJens Wiklander case MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS: 3427*32b31808SJens Wiklander ssl->handshake->async_in_progress = 1; 3428*32b31808SJens Wiklander return MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS; 3429*32b31808SJens Wiklander default: 3430*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_RET(1, "f_async_decrypt_start", ret); 3431*32b31808SJens Wiklander return ret; 3432*32b31808SJens Wiklander } 3433*32b31808SJens Wiklander } 3434*32b31808SJens Wiklander #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */ 3435*32b31808SJens Wiklander 3436*32b31808SJens Wiklander if (!mbedtls_pk_can_do(private_key, MBEDTLS_PK_RSA)) { 3437*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(1, ("got no RSA private key")); 3438*32b31808SJens Wiklander return MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED; 3439*32b31808SJens Wiklander } 3440*32b31808SJens Wiklander 3441*32b31808SJens Wiklander ret = mbedtls_pk_decrypt(private_key, p, len, 3442*32b31808SJens Wiklander peer_pms, peer_pmslen, peer_pmssize, 3443*32b31808SJens Wiklander ssl->conf->f_rng, ssl->conf->p_rng); 3444*32b31808SJens Wiklander return ret; 3445*32b31808SJens Wiklander } 3446*32b31808SJens Wiklander 3447*32b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 3448*32b31808SJens Wiklander static int ssl_parse_encrypted_pms(mbedtls_ssl_context *ssl, 3449*32b31808SJens Wiklander const unsigned char *p, 3450*32b31808SJens Wiklander const unsigned char *end, 3451*32b31808SJens Wiklander size_t pms_offset) 3452*32b31808SJens Wiklander { 3453*32b31808SJens Wiklander int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 3454*32b31808SJens Wiklander unsigned char *pms = ssl->handshake->premaster + pms_offset; 3455*32b31808SJens Wiklander unsigned char ver[2]; 3456*32b31808SJens Wiklander unsigned char fake_pms[48], peer_pms[48]; 3457*32b31808SJens Wiklander unsigned char mask; 3458*32b31808SJens Wiklander size_t i, peer_pmslen; 3459*32b31808SJens Wiklander unsigned int diff; 3460*32b31808SJens Wiklander 3461*32b31808SJens Wiklander /* In case of a failure in decryption, the decryption may write less than 3462*32b31808SJens Wiklander * 2 bytes of output, but we always read the first two bytes. It doesn't 3463*32b31808SJens Wiklander * matter in the end because diff will be nonzero in that case due to 3464*32b31808SJens Wiklander * ret being nonzero, and we only care whether diff is 0. 3465*32b31808SJens Wiklander * But do initialize peer_pms and peer_pmslen for robustness anyway. This 3466*32b31808SJens Wiklander * also makes memory analyzers happy (don't access uninitialized memory, 3467*32b31808SJens Wiklander * even if it's an unsigned char). */ 3468*32b31808SJens Wiklander peer_pms[0] = peer_pms[1] = ~0; 3469*32b31808SJens Wiklander peer_pmslen = 0; 3470*32b31808SJens Wiklander 3471*32b31808SJens Wiklander ret = ssl_decrypt_encrypted_pms(ssl, p, end, 3472*32b31808SJens Wiklander peer_pms, 3473*32b31808SJens Wiklander &peer_pmslen, 3474*32b31808SJens Wiklander sizeof(peer_pms)); 3475*32b31808SJens Wiklander 3476*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) 3477*32b31808SJens Wiklander if (ret == MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS) { 3478*32b31808SJens Wiklander return ret; 3479*32b31808SJens Wiklander } 3480*32b31808SJens Wiklander #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */ 3481*32b31808SJens Wiklander 3482*32b31808SJens Wiklander mbedtls_ssl_write_version(ver, ssl->conf->transport, 3483*32b31808SJens Wiklander ssl->session_negotiate->tls_version); 3484*32b31808SJens Wiklander 3485*32b31808SJens Wiklander /* Avoid data-dependent branches while checking for invalid 3486*32b31808SJens Wiklander * padding, to protect against timing-based Bleichenbacher-type 3487*32b31808SJens Wiklander * attacks. */ 3488*32b31808SJens Wiklander diff = (unsigned int) ret; 3489*32b31808SJens Wiklander diff |= peer_pmslen ^ 48; 3490*32b31808SJens Wiklander diff |= peer_pms[0] ^ ver[0]; 3491*32b31808SJens Wiklander diff |= peer_pms[1] ^ ver[1]; 3492*32b31808SJens Wiklander 3493*32b31808SJens Wiklander /* mask = diff ? 0xff : 0x00 using bit operations to avoid branches */ 3494*32b31808SJens Wiklander mask = mbedtls_ct_uint_mask(diff); 3495*32b31808SJens Wiklander 3496*32b31808SJens Wiklander /* 3497*32b31808SJens Wiklander * Protection against Bleichenbacher's attack: invalid PKCS#1 v1.5 padding 3498*32b31808SJens Wiklander * must not cause the connection to end immediately; instead, send a 3499*32b31808SJens Wiklander * bad_record_mac later in the handshake. 3500*32b31808SJens Wiklander * To protect against timing-based variants of the attack, we must 3501*32b31808SJens Wiklander * not have any branch that depends on whether the decryption was 3502*32b31808SJens Wiklander * successful. In particular, always generate the fake premaster secret, 3503*32b31808SJens Wiklander * regardless of whether it will ultimately influence the output or not. 3504*32b31808SJens Wiklander */ 3505*32b31808SJens Wiklander ret = ssl->conf->f_rng(ssl->conf->p_rng, fake_pms, sizeof(fake_pms)); 3506*32b31808SJens Wiklander if (ret != 0) { 3507*32b31808SJens Wiklander /* It's ok to abort on an RNG failure, since this does not reveal 3508*32b31808SJens Wiklander * anything about the RSA decryption. */ 3509*32b31808SJens Wiklander return ret; 3510*32b31808SJens Wiklander } 3511*32b31808SJens Wiklander 3512*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_DEBUG_ALL) 3513*32b31808SJens Wiklander if (diff != 0) { 3514*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message")); 3515*32b31808SJens Wiklander } 3516*32b31808SJens Wiklander #endif 3517*32b31808SJens Wiklander 3518*32b31808SJens Wiklander if (sizeof(ssl->handshake->premaster) < pms_offset || 3519*32b31808SJens Wiklander sizeof(ssl->handshake->premaster) - pms_offset < 48) { 3520*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); 3521*32b31808SJens Wiklander return MBEDTLS_ERR_SSL_INTERNAL_ERROR; 3522*32b31808SJens Wiklander } 3523*32b31808SJens Wiklander ssl->handshake->pmslen = 48; 3524*32b31808SJens Wiklander 3525*32b31808SJens Wiklander /* Set pms to either the true or the fake PMS, without 3526*32b31808SJens Wiklander * data-dependent branches. */ 3527*32b31808SJens Wiklander for (i = 0; i < ssl->handshake->pmslen; i++) { 3528*32b31808SJens Wiklander pms[i] = (mask & fake_pms[i]) | ((~mask) & peer_pms[i]); 3529*32b31808SJens Wiklander } 3530*32b31808SJens Wiklander 3531*32b31808SJens Wiklander return 0; 3532*32b31808SJens Wiklander } 3533*32b31808SJens Wiklander #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED || 3534*32b31808SJens Wiklander MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */ 3535*32b31808SJens Wiklander 3536*32b31808SJens Wiklander #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) 3537*32b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 3538*32b31808SJens Wiklander static int ssl_parse_client_psk_identity(mbedtls_ssl_context *ssl, unsigned char **p, 3539*32b31808SJens Wiklander const unsigned char *end) 3540*32b31808SJens Wiklander { 3541*32b31808SJens Wiklander int ret = 0; 3542*32b31808SJens Wiklander uint16_t n; 3543*32b31808SJens Wiklander 3544*32b31808SJens Wiklander if (ssl_conf_has_psk_or_cb(ssl->conf) == 0) { 3545*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(1, ("got no pre-shared key")); 3546*32b31808SJens Wiklander return MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED; 3547*32b31808SJens Wiklander } 3548*32b31808SJens Wiklander 3549*32b31808SJens Wiklander /* 3550*32b31808SJens Wiklander * Receive client pre-shared key identity name 3551*32b31808SJens Wiklander */ 3552*32b31808SJens Wiklander if (end - *p < 2) { 3553*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message")); 3554*32b31808SJens Wiklander return MBEDTLS_ERR_SSL_DECODE_ERROR; 3555*32b31808SJens Wiklander } 3556*32b31808SJens Wiklander 3557*32b31808SJens Wiklander n = ((*p)[0] << 8) | (*p)[1]; 3558*32b31808SJens Wiklander *p += 2; 3559*32b31808SJens Wiklander 3560*32b31808SJens Wiklander if (n == 0 || n > end - *p) { 3561*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message")); 3562*32b31808SJens Wiklander return MBEDTLS_ERR_SSL_DECODE_ERROR; 3563*32b31808SJens Wiklander } 3564*32b31808SJens Wiklander 3565*32b31808SJens Wiklander if (ssl->conf->f_psk != NULL) { 3566*32b31808SJens Wiklander if (ssl->conf->f_psk(ssl->conf->p_psk, ssl, *p, n) != 0) { 3567*32b31808SJens Wiklander ret = MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY; 3568*32b31808SJens Wiklander } 3569*32b31808SJens Wiklander } else { 3570*32b31808SJens Wiklander /* Identity is not a big secret since clients send it in the clear, 3571*32b31808SJens Wiklander * but treat it carefully anyway, just in case */ 3572*32b31808SJens Wiklander if (n != ssl->conf->psk_identity_len || 3573*32b31808SJens Wiklander mbedtls_ct_memcmp(ssl->conf->psk_identity, *p, n) != 0) { 3574*32b31808SJens Wiklander ret = MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY; 3575*32b31808SJens Wiklander } 3576*32b31808SJens Wiklander } 3577*32b31808SJens Wiklander 3578*32b31808SJens Wiklander if (ret == MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY) { 3579*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_BUF(3, "Unknown PSK identity", *p, n); 3580*32b31808SJens Wiklander mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 3581*32b31808SJens Wiklander MBEDTLS_SSL_ALERT_MSG_UNKNOWN_PSK_IDENTITY); 3582*32b31808SJens Wiklander return MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY; 3583*32b31808SJens Wiklander } 3584*32b31808SJens Wiklander 3585*32b31808SJens Wiklander *p += n; 3586*32b31808SJens Wiklander 3587*32b31808SJens Wiklander return 0; 3588*32b31808SJens Wiklander } 3589*32b31808SJens Wiklander #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */ 3590*32b31808SJens Wiklander 3591*32b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 3592*32b31808SJens Wiklander static int ssl_parse_client_key_exchange(mbedtls_ssl_context *ssl) 3593*32b31808SJens Wiklander { 3594*32b31808SJens Wiklander int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 3595*32b31808SJens Wiklander const mbedtls_ssl_ciphersuite_t *ciphersuite_info; 3596*32b31808SJens Wiklander unsigned char *p, *end; 3597*32b31808SJens Wiklander 3598*32b31808SJens Wiklander ciphersuite_info = ssl->handshake->ciphersuite_info; 3599*32b31808SJens Wiklander 3600*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse client key exchange")); 3601*32b31808SJens Wiklander 3602*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) && \ 3603*32b31808SJens Wiklander (defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \ 3604*32b31808SJens Wiklander defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)) 3605*32b31808SJens Wiklander if ((ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK || 3606*32b31808SJens Wiklander ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA) && 3607*32b31808SJens Wiklander (ssl->handshake->async_in_progress != 0)) { 3608*32b31808SJens Wiklander /* We've already read a record and there is an asynchronous 3609*32b31808SJens Wiklander * operation in progress to decrypt it. So skip reading the 3610*32b31808SJens Wiklander * record. */ 3611*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(3, ("will resume decryption of previously-read record")); 3612*32b31808SJens Wiklander } else 3613*32b31808SJens Wiklander #endif 3614*32b31808SJens Wiklander if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) { 3615*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret); 3616*32b31808SJens Wiklander return ret; 3617*32b31808SJens Wiklander } 3618*32b31808SJens Wiklander 3619*32b31808SJens Wiklander p = ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl); 3620*32b31808SJens Wiklander end = ssl->in_msg + ssl->in_hslen; 3621*32b31808SJens Wiklander 3622*32b31808SJens Wiklander if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) { 3623*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message")); 3624*32b31808SJens Wiklander return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE; 3625*32b31808SJens Wiklander } 3626*32b31808SJens Wiklander 3627*32b31808SJens Wiklander if (ssl->in_msg[0] != MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE) { 3628*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message")); 3629*32b31808SJens Wiklander return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE; 3630*32b31808SJens Wiklander } 3631*32b31808SJens Wiklander 3632*32b31808SJens Wiklander #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) 3633*32b31808SJens Wiklander if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA) { 3634*32b31808SJens Wiklander if ((ret = ssl_parse_client_dh_public(ssl, &p, end)) != 0) { 3635*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_dh_public"), ret); 3636*32b31808SJens Wiklander return ret; 3637*32b31808SJens Wiklander } 3638*32b31808SJens Wiklander 3639*32b31808SJens Wiklander if (p != end) { 3640*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange")); 3641*32b31808SJens Wiklander return MBEDTLS_ERR_SSL_DECODE_ERROR; 3642*32b31808SJens Wiklander } 3643*32b31808SJens Wiklander 3644*32b31808SJens Wiklander if ((ret = mbedtls_dhm_calc_secret(&ssl->handshake->dhm_ctx, 3645*32b31808SJens Wiklander ssl->handshake->premaster, 3646*32b31808SJens Wiklander MBEDTLS_PREMASTER_SIZE, 3647*32b31808SJens Wiklander &ssl->handshake->pmslen, 3648*32b31808SJens Wiklander ssl->conf->f_rng, ssl->conf->p_rng)) != 0) { 3649*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_calc_secret", ret); 3650*32b31808SJens Wiklander return MBEDTLS_ERR_SSL_DECODE_ERROR; 3651*32b31808SJens Wiklander } 3652*32b31808SJens Wiklander 3653*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MPI(3, "DHM: K ", &ssl->handshake->dhm_ctx.K); 3654*32b31808SJens Wiklander } else 3655*32b31808SJens Wiklander #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */ 3656*32b31808SJens Wiklander #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ 3657*32b31808SJens Wiklander defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \ 3658*32b31808SJens Wiklander defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ 3659*32b31808SJens Wiklander defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) 3660*32b31808SJens Wiklander if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA || 3661*32b31808SJens Wiklander ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA || 3662*32b31808SJens Wiklander ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA || 3663*32b31808SJens Wiklander ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA) { 3664*32b31808SJens Wiklander #if defined(MBEDTLS_USE_PSA_CRYPTO) 3665*32b31808SJens Wiklander size_t data_len = (size_t) (*p++); 3666*32b31808SJens Wiklander size_t buf_len = (size_t) (end - p); 3667*32b31808SJens Wiklander psa_status_t status = PSA_ERROR_GENERIC_ERROR; 3668*32b31808SJens Wiklander mbedtls_ssl_handshake_params *handshake = ssl->handshake; 3669*32b31808SJens Wiklander 3670*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(1, ("Read the peer's public key.")); 3671*32b31808SJens Wiklander 3672*32b31808SJens Wiklander /* 3673*32b31808SJens Wiklander * We must have at least two bytes (1 for length, at least 1 for data) 3674*32b31808SJens Wiklander */ 3675*32b31808SJens Wiklander if (buf_len < 2) { 3676*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(1, ("Invalid buffer length")); 3677*32b31808SJens Wiklander return MBEDTLS_ERR_ECP_BAD_INPUT_DATA; 3678*32b31808SJens Wiklander } 3679*32b31808SJens Wiklander 3680*32b31808SJens Wiklander if (data_len < 1 || data_len > buf_len) { 3681*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(1, ("Invalid data length")); 3682*32b31808SJens Wiklander return MBEDTLS_ERR_ECP_BAD_INPUT_DATA; 3683*32b31808SJens Wiklander } 3684*32b31808SJens Wiklander 3685*32b31808SJens Wiklander /* Store peer's ECDH public key. */ 3686*32b31808SJens Wiklander memcpy(handshake->ecdh_psa_peerkey, p, data_len); 3687*32b31808SJens Wiklander handshake->ecdh_psa_peerkey_len = data_len; 3688*32b31808SJens Wiklander 3689*32b31808SJens Wiklander /* Compute ECDH shared secret. */ 3690*32b31808SJens Wiklander status = psa_raw_key_agreement( 3691*32b31808SJens Wiklander PSA_ALG_ECDH, handshake->ecdh_psa_privkey, 3692*32b31808SJens Wiklander handshake->ecdh_psa_peerkey, handshake->ecdh_psa_peerkey_len, 3693*32b31808SJens Wiklander handshake->premaster, sizeof(handshake->premaster), 3694*32b31808SJens Wiklander &handshake->pmslen); 3695*32b31808SJens Wiklander if (status != PSA_SUCCESS) { 3696*32b31808SJens Wiklander ret = PSA_TO_MBEDTLS_ERR(status); 3697*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_RET(1, "psa_raw_key_agreement", ret); 3698*32b31808SJens Wiklander if (handshake->ecdh_psa_privkey_is_external == 0) { 3699*32b31808SJens Wiklander (void) psa_destroy_key(handshake->ecdh_psa_privkey); 3700*32b31808SJens Wiklander } 3701*32b31808SJens Wiklander handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT; 3702*32b31808SJens Wiklander return ret; 3703*32b31808SJens Wiklander } 3704*32b31808SJens Wiklander 3705*32b31808SJens Wiklander if (handshake->ecdh_psa_privkey_is_external == 0) { 3706*32b31808SJens Wiklander status = psa_destroy_key(handshake->ecdh_psa_privkey); 3707*32b31808SJens Wiklander 3708*32b31808SJens Wiklander if (status != PSA_SUCCESS) { 3709*32b31808SJens Wiklander ret = PSA_TO_MBEDTLS_ERR(status); 3710*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_RET(1, "psa_destroy_key", ret); 3711*32b31808SJens Wiklander return ret; 3712*32b31808SJens Wiklander } 3713*32b31808SJens Wiklander } 3714*32b31808SJens Wiklander handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT; 3715*32b31808SJens Wiklander #else 3716*32b31808SJens Wiklander if ((ret = mbedtls_ecdh_read_public(&ssl->handshake->ecdh_ctx, 3717*32b31808SJens Wiklander p, end - p)) != 0) { 3718*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_read_public", ret); 3719*32b31808SJens Wiklander return MBEDTLS_ERR_SSL_DECODE_ERROR; 3720*32b31808SJens Wiklander } 3721*32b31808SJens Wiklander 3722*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx, 3723*32b31808SJens Wiklander MBEDTLS_DEBUG_ECDH_QP); 3724*32b31808SJens Wiklander 3725*32b31808SJens Wiklander if ((ret = mbedtls_ecdh_calc_secret(&ssl->handshake->ecdh_ctx, 3726*32b31808SJens Wiklander &ssl->handshake->pmslen, 3727*32b31808SJens Wiklander ssl->handshake->premaster, 3728*32b31808SJens Wiklander MBEDTLS_MPI_MAX_SIZE, 3729*32b31808SJens Wiklander ssl->conf->f_rng, ssl->conf->p_rng)) != 0) { 3730*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_calc_secret", ret); 3731*32b31808SJens Wiklander return MBEDTLS_ERR_SSL_DECODE_ERROR; 3732*32b31808SJens Wiklander } 3733*32b31808SJens Wiklander 3734*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx, 3735*32b31808SJens Wiklander MBEDTLS_DEBUG_ECDH_Z); 3736*32b31808SJens Wiklander #endif /* MBEDTLS_USE_PSA_CRYPTO */ 3737*32b31808SJens Wiklander } else 3738*32b31808SJens Wiklander #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || 3739*32b31808SJens Wiklander MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED || 3740*32b31808SJens Wiklander MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED || 3741*32b31808SJens Wiklander MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ 3742*32b31808SJens Wiklander #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) 3743*32b31808SJens Wiklander if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK) { 3744*32b31808SJens Wiklander if ((ret = ssl_parse_client_psk_identity(ssl, &p, end)) != 0) { 3745*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_psk_identity"), ret); 3746*32b31808SJens Wiklander return ret; 3747*32b31808SJens Wiklander } 3748*32b31808SJens Wiklander 3749*32b31808SJens Wiklander if (p != end) { 3750*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange")); 3751*32b31808SJens Wiklander return MBEDTLS_ERR_SSL_DECODE_ERROR; 3752*32b31808SJens Wiklander } 3753*32b31808SJens Wiklander 3754*32b31808SJens Wiklander #if !defined(MBEDTLS_USE_PSA_CRYPTO) 3755*32b31808SJens Wiklander if ((ret = mbedtls_ssl_psk_derive_premaster(ssl, 3756*32b31808SJens Wiklander ciphersuite_info->key_exchange)) != 0) { 3757*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_psk_derive_premaster", ret); 3758*32b31808SJens Wiklander return ret; 3759*32b31808SJens Wiklander } 3760*32b31808SJens Wiklander #endif /* !MBEDTLS_USE_PSA_CRYPTO */ 3761*32b31808SJens Wiklander } else 3762*32b31808SJens Wiklander #endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */ 3763*32b31808SJens Wiklander #if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) 3764*32b31808SJens Wiklander if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK) { 3765*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) 3766*32b31808SJens Wiklander if (ssl->handshake->async_in_progress != 0) { 3767*32b31808SJens Wiklander /* There is an asynchronous operation in progress to 3768*32b31808SJens Wiklander * decrypt the encrypted premaster secret, so skip 3769*32b31808SJens Wiklander * directly to resuming this operation. */ 3770*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(3, ("PSK identity already parsed")); 3771*32b31808SJens Wiklander /* Update p to skip the PSK identity. ssl_parse_encrypted_pms 3772*32b31808SJens Wiklander * won't actually use it, but maintain p anyway for robustness. */ 3773*32b31808SJens Wiklander p += ssl->conf->psk_identity_len + 2; 3774*32b31808SJens Wiklander } else 3775*32b31808SJens Wiklander #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */ 3776*32b31808SJens Wiklander if ((ret = ssl_parse_client_psk_identity(ssl, &p, end)) != 0) { 3777*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_psk_identity"), ret); 3778*32b31808SJens Wiklander return ret; 3779*32b31808SJens Wiklander } 3780*32b31808SJens Wiklander 3781*32b31808SJens Wiklander if ((ret = ssl_parse_encrypted_pms(ssl, p, end, 2)) != 0) { 3782*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_encrypted_pms"), ret); 3783*32b31808SJens Wiklander return ret; 3784*32b31808SJens Wiklander } 3785*32b31808SJens Wiklander 3786*32b31808SJens Wiklander #if !defined(MBEDTLS_USE_PSA_CRYPTO) 3787*32b31808SJens Wiklander if ((ret = mbedtls_ssl_psk_derive_premaster(ssl, 3788*32b31808SJens Wiklander ciphersuite_info->key_exchange)) != 0) { 3789*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_psk_derive_premaster", ret); 3790*32b31808SJens Wiklander return ret; 3791*32b31808SJens Wiklander } 3792*32b31808SJens Wiklander #endif /* !MBEDTLS_USE_PSA_CRYPTO */ 3793*32b31808SJens Wiklander } else 3794*32b31808SJens Wiklander #endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */ 3795*32b31808SJens Wiklander #if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) 3796*32b31808SJens Wiklander if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK) { 3797*32b31808SJens Wiklander if ((ret = ssl_parse_client_psk_identity(ssl, &p, end)) != 0) { 3798*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_psk_identity"), ret); 3799*32b31808SJens Wiklander return ret; 3800*32b31808SJens Wiklander } 3801*32b31808SJens Wiklander if ((ret = ssl_parse_client_dh_public(ssl, &p, end)) != 0) { 3802*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_dh_public"), ret); 3803*32b31808SJens Wiklander return ret; 3804*32b31808SJens Wiklander } 3805*32b31808SJens Wiklander 3806*32b31808SJens Wiklander if (p != end) { 3807*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange")); 3808*32b31808SJens Wiklander return MBEDTLS_ERR_SSL_DECODE_ERROR; 3809*32b31808SJens Wiklander } 3810*32b31808SJens Wiklander 3811*32b31808SJens Wiklander #if defined(MBEDTLS_USE_PSA_CRYPTO) 3812*32b31808SJens Wiklander unsigned char *pms = ssl->handshake->premaster; 3813*32b31808SJens Wiklander unsigned char *pms_end = pms + sizeof(ssl->handshake->premaster); 3814*32b31808SJens Wiklander size_t pms_len; 3815*32b31808SJens Wiklander 3816*32b31808SJens Wiklander /* Write length only when we know the actual value */ 3817*32b31808SJens Wiklander if ((ret = mbedtls_dhm_calc_secret(&ssl->handshake->dhm_ctx, 3818*32b31808SJens Wiklander pms + 2, pms_end - (pms + 2), &pms_len, 3819*32b31808SJens Wiklander ssl->conf->f_rng, ssl->conf->p_rng)) != 0) { 3820*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_calc_secret", ret); 3821*32b31808SJens Wiklander return ret; 3822*32b31808SJens Wiklander } 3823*32b31808SJens Wiklander MBEDTLS_PUT_UINT16_BE(pms_len, pms, 0); 3824*32b31808SJens Wiklander pms += 2 + pms_len; 3825*32b31808SJens Wiklander 3826*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MPI(3, "DHM: K ", &ssl->handshake->dhm_ctx.K); 3827*32b31808SJens Wiklander #else 3828*32b31808SJens Wiklander if ((ret = mbedtls_ssl_psk_derive_premaster(ssl, 3829*32b31808SJens Wiklander ciphersuite_info->key_exchange)) != 0) { 3830*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_psk_derive_premaster", ret); 3831*32b31808SJens Wiklander return ret; 3832*32b31808SJens Wiklander } 3833*32b31808SJens Wiklander #endif /* MBEDTLS_USE_PSA_CRYPTO */ 3834*32b31808SJens Wiklander } else 3835*32b31808SJens Wiklander #endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */ 3836*32b31808SJens Wiklander #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) 3837*32b31808SJens Wiklander if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK) { 3838*32b31808SJens Wiklander #if defined(MBEDTLS_USE_PSA_CRYPTO) 3839*32b31808SJens Wiklander psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; 3840*32b31808SJens Wiklander psa_status_t destruction_status = PSA_ERROR_CORRUPTION_DETECTED; 3841*32b31808SJens Wiklander uint8_t ecpoint_len; 3842*32b31808SJens Wiklander 3843*32b31808SJens Wiklander mbedtls_ssl_handshake_params *handshake = ssl->handshake; 3844*32b31808SJens Wiklander 3845*32b31808SJens Wiklander if ((ret = ssl_parse_client_psk_identity(ssl, &p, end)) != 0) { 3846*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_psk_identity"), ret); 3847*32b31808SJens Wiklander psa_destroy_key(handshake->ecdh_psa_privkey); 3848*32b31808SJens Wiklander handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT; 3849*32b31808SJens Wiklander return ret; 3850*32b31808SJens Wiklander } 3851*32b31808SJens Wiklander 3852*32b31808SJens Wiklander /* Keep a copy of the peer's public key */ 3853*32b31808SJens Wiklander if (p >= end) { 3854*32b31808SJens Wiklander psa_destroy_key(handshake->ecdh_psa_privkey); 3855*32b31808SJens Wiklander handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT; 3856*32b31808SJens Wiklander return MBEDTLS_ERR_SSL_DECODE_ERROR; 3857*32b31808SJens Wiklander } 3858*32b31808SJens Wiklander 3859*32b31808SJens Wiklander ecpoint_len = *(p++); 3860*32b31808SJens Wiklander if ((size_t) (end - p) < ecpoint_len) { 3861*32b31808SJens Wiklander psa_destroy_key(handshake->ecdh_psa_privkey); 3862*32b31808SJens Wiklander handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT; 3863*32b31808SJens Wiklander return MBEDTLS_ERR_SSL_DECODE_ERROR; 3864*32b31808SJens Wiklander } 3865*32b31808SJens Wiklander 3866*32b31808SJens Wiklander if (ecpoint_len > sizeof(handshake->ecdh_psa_peerkey)) { 3867*32b31808SJens Wiklander psa_destroy_key(handshake->ecdh_psa_privkey); 3868*32b31808SJens Wiklander handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT; 3869*32b31808SJens Wiklander return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; 3870*32b31808SJens Wiklander } 3871*32b31808SJens Wiklander 3872*32b31808SJens Wiklander memcpy(handshake->ecdh_psa_peerkey, p, ecpoint_len); 3873*32b31808SJens Wiklander handshake->ecdh_psa_peerkey_len = ecpoint_len; 3874*32b31808SJens Wiklander p += ecpoint_len; 3875*32b31808SJens Wiklander 3876*32b31808SJens Wiklander /* As RFC 5489 section 2, the premaster secret is formed as follows: 3877*32b31808SJens Wiklander * - a uint16 containing the length (in octets) of the ECDH computation 3878*32b31808SJens Wiklander * - the octet string produced by the ECDH computation 3879*32b31808SJens Wiklander * - a uint16 containing the length (in octets) of the PSK 3880*32b31808SJens Wiklander * - the PSK itself 3881*32b31808SJens Wiklander */ 3882*32b31808SJens Wiklander unsigned char *psm = ssl->handshake->premaster; 3883*32b31808SJens Wiklander const unsigned char * const psm_end = 3884*32b31808SJens Wiklander psm + sizeof(ssl->handshake->premaster); 3885*32b31808SJens Wiklander /* uint16 to store length (in octets) of the ECDH computation */ 3886*32b31808SJens Wiklander const size_t zlen_size = 2; 3887*32b31808SJens Wiklander size_t zlen = 0; 3888*32b31808SJens Wiklander 3889*32b31808SJens Wiklander /* Compute ECDH shared secret. */ 3890*32b31808SJens Wiklander status = psa_raw_key_agreement(PSA_ALG_ECDH, 3891*32b31808SJens Wiklander handshake->ecdh_psa_privkey, 3892*32b31808SJens Wiklander handshake->ecdh_psa_peerkey, 3893*32b31808SJens Wiklander handshake->ecdh_psa_peerkey_len, 3894*32b31808SJens Wiklander psm + zlen_size, 3895*32b31808SJens Wiklander psm_end - (psm + zlen_size), 3896*32b31808SJens Wiklander &zlen); 3897*32b31808SJens Wiklander 3898*32b31808SJens Wiklander destruction_status = psa_destroy_key(handshake->ecdh_psa_privkey); 3899*32b31808SJens Wiklander handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT; 3900*32b31808SJens Wiklander 3901*32b31808SJens Wiklander if (status != PSA_SUCCESS) { 3902*32b31808SJens Wiklander return PSA_TO_MBEDTLS_ERR(status); 3903*32b31808SJens Wiklander } else if (destruction_status != PSA_SUCCESS) { 3904*32b31808SJens Wiklander return PSA_TO_MBEDTLS_ERR(destruction_status); 3905*32b31808SJens Wiklander } 3906*32b31808SJens Wiklander 3907*32b31808SJens Wiklander /* Write the ECDH computation length before the ECDH computation */ 3908*32b31808SJens Wiklander MBEDTLS_PUT_UINT16_BE(zlen, psm, 0); 3909*32b31808SJens Wiklander psm += zlen_size + zlen; 3910*32b31808SJens Wiklander 3911*32b31808SJens Wiklander #else /* MBEDTLS_USE_PSA_CRYPTO */ 3912*32b31808SJens Wiklander if ((ret = ssl_parse_client_psk_identity(ssl, &p, end)) != 0) { 3913*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_psk_identity"), ret); 3914*32b31808SJens Wiklander return ret; 3915*32b31808SJens Wiklander } 3916*32b31808SJens Wiklander 3917*32b31808SJens Wiklander if ((ret = mbedtls_ecdh_read_public(&ssl->handshake->ecdh_ctx, 3918*32b31808SJens Wiklander p, end - p)) != 0) { 3919*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_read_public", ret); 3920*32b31808SJens Wiklander return MBEDTLS_ERR_SSL_DECODE_ERROR; 3921*32b31808SJens Wiklander } 3922*32b31808SJens Wiklander 3923*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx, 3924*32b31808SJens Wiklander MBEDTLS_DEBUG_ECDH_QP); 3925*32b31808SJens Wiklander 3926*32b31808SJens Wiklander if ((ret = mbedtls_ssl_psk_derive_premaster(ssl, 3927*32b31808SJens Wiklander ciphersuite_info->key_exchange)) != 0) { 3928*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_psk_derive_premaster", ret); 3929*32b31808SJens Wiklander return ret; 3930*32b31808SJens Wiklander } 3931*32b31808SJens Wiklander #endif /* MBEDTLS_USE_PSA_CRYPTO */ 3932*32b31808SJens Wiklander } else 3933*32b31808SJens Wiklander #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */ 3934*32b31808SJens Wiklander #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) 3935*32b31808SJens Wiklander if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA) { 3936*32b31808SJens Wiklander if ((ret = ssl_parse_encrypted_pms(ssl, p, end, 0)) != 0) { 3937*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_parse_encrypted_pms_secret"), ret); 3938*32b31808SJens Wiklander return ret; 3939*32b31808SJens Wiklander } 3940*32b31808SJens Wiklander } else 3941*32b31808SJens Wiklander #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */ 3942*32b31808SJens Wiklander #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 3943*32b31808SJens Wiklander if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE) { 3944*32b31808SJens Wiklander #if defined(MBEDTLS_USE_PSA_CRYPTO) 3945*32b31808SJens Wiklander if ((ret = mbedtls_psa_ecjpake_read_round( 3946*32b31808SJens Wiklander &ssl->handshake->psa_pake_ctx, p, end - p, 3947*32b31808SJens Wiklander MBEDTLS_ECJPAKE_ROUND_TWO)) != 0) { 3948*32b31808SJens Wiklander psa_destroy_key(ssl->handshake->psa_pake_password); 3949*32b31808SJens Wiklander psa_pake_abort(&ssl->handshake->psa_pake_ctx); 3950*32b31808SJens Wiklander 3951*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_RET(1, "psa_pake_input round two", ret); 3952*32b31808SJens Wiklander return ret; 3953*32b31808SJens Wiklander } 3954*32b31808SJens Wiklander #else 3955*32b31808SJens Wiklander ret = mbedtls_ecjpake_read_round_two(&ssl->handshake->ecjpake_ctx, 3956*32b31808SJens Wiklander p, end - p); 3957*32b31808SJens Wiklander if (ret != 0) { 3958*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_read_round_two", ret); 3959*32b31808SJens Wiklander return MBEDTLS_ERR_SSL_INTERNAL_ERROR; 3960*32b31808SJens Wiklander } 3961*32b31808SJens Wiklander 3962*32b31808SJens Wiklander ret = mbedtls_ecjpake_derive_secret(&ssl->handshake->ecjpake_ctx, 3963*32b31808SJens Wiklander ssl->handshake->premaster, 32, &ssl->handshake->pmslen, 3964*32b31808SJens Wiklander ssl->conf->f_rng, ssl->conf->p_rng); 3965*32b31808SJens Wiklander if (ret != 0) { 3966*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_derive_secret", ret); 3967*32b31808SJens Wiklander return ret; 3968*32b31808SJens Wiklander } 3969*32b31808SJens Wiklander #endif /* MBEDTLS_USE_PSA_CRYPTO */ 3970*32b31808SJens Wiklander } else 3971*32b31808SJens Wiklander #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 3972*32b31808SJens Wiklander { 3973*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); 3974*32b31808SJens Wiklander return MBEDTLS_ERR_SSL_INTERNAL_ERROR; 3975*32b31808SJens Wiklander } 3976*32b31808SJens Wiklander 3977*32b31808SJens Wiklander if ((ret = mbedtls_ssl_derive_keys(ssl)) != 0) { 3978*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_derive_keys", ret); 3979*32b31808SJens Wiklander return ret; 3980*32b31808SJens Wiklander } 3981*32b31808SJens Wiklander 3982*32b31808SJens Wiklander ssl->state++; 3983*32b31808SJens Wiklander 3984*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse client key exchange")); 3985*32b31808SJens Wiklander 3986*32b31808SJens Wiklander return 0; 3987*32b31808SJens Wiklander } 3988*32b31808SJens Wiklander 3989*32b31808SJens Wiklander #if !defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED) 3990*32b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 3991*32b31808SJens Wiklander static int ssl_parse_certificate_verify(mbedtls_ssl_context *ssl) 3992*32b31808SJens Wiklander { 3993*32b31808SJens Wiklander const mbedtls_ssl_ciphersuite_t *ciphersuite_info = 3994*32b31808SJens Wiklander ssl->handshake->ciphersuite_info; 3995*32b31808SJens Wiklander 3996*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate verify")); 3997*32b31808SJens Wiklander 3998*32b31808SJens Wiklander if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) { 3999*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate verify")); 4000*32b31808SJens Wiklander ssl->state++; 4001*32b31808SJens Wiklander return 0; 4002*32b31808SJens Wiklander } 4003*32b31808SJens Wiklander 4004*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); 4005*32b31808SJens Wiklander return MBEDTLS_ERR_SSL_INTERNAL_ERROR; 4006*32b31808SJens Wiklander } 4007*32b31808SJens Wiklander #else /* !MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */ 4008*32b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 4009*32b31808SJens Wiklander static int ssl_parse_certificate_verify(mbedtls_ssl_context *ssl) 4010*32b31808SJens Wiklander { 4011*32b31808SJens Wiklander int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 4012*32b31808SJens Wiklander size_t i, sig_len; 4013*32b31808SJens Wiklander unsigned char hash[48]; 4014*32b31808SJens Wiklander unsigned char *hash_start = hash; 4015*32b31808SJens Wiklander size_t hashlen; 4016*32b31808SJens Wiklander mbedtls_pk_type_t pk_alg; 4017*32b31808SJens Wiklander mbedtls_md_type_t md_alg; 4018*32b31808SJens Wiklander const mbedtls_ssl_ciphersuite_t *ciphersuite_info = 4019*32b31808SJens Wiklander ssl->handshake->ciphersuite_info; 4020*32b31808SJens Wiklander mbedtls_pk_context *peer_pk; 4021*32b31808SJens Wiklander 4022*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate verify")); 4023*32b31808SJens Wiklander 4024*32b31808SJens Wiklander if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) { 4025*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate verify")); 4026*32b31808SJens Wiklander ssl->state++; 4027*32b31808SJens Wiklander return 0; 4028*32b31808SJens Wiklander } 4029*32b31808SJens Wiklander 4030*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) 4031*32b31808SJens Wiklander if (ssl->session_negotiate->peer_cert == NULL) { 4032*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate verify")); 4033*32b31808SJens Wiklander ssl->state++; 4034*32b31808SJens Wiklander return 0; 4035*32b31808SJens Wiklander } 4036*32b31808SJens Wiklander #else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ 4037*32b31808SJens Wiklander if (ssl->session_negotiate->peer_cert_digest == NULL) { 4038*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate verify")); 4039*32b31808SJens Wiklander ssl->state++; 4040*32b31808SJens Wiklander return 0; 4041*32b31808SJens Wiklander } 4042*32b31808SJens Wiklander #endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ 4043*32b31808SJens Wiklander 4044*32b31808SJens Wiklander /* Read the message without adding it to the checksum */ 4045*32b31808SJens Wiklander ret = mbedtls_ssl_read_record(ssl, 0 /* no checksum update */); 4046*32b31808SJens Wiklander if (0 != ret) { 4047*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ssl_read_record"), ret); 4048*32b31808SJens Wiklander return ret; 4049*32b31808SJens Wiklander } 4050*32b31808SJens Wiklander 4051*32b31808SJens Wiklander ssl->state++; 4052*32b31808SJens Wiklander 4053*32b31808SJens Wiklander /* Process the message contents */ 4054*32b31808SJens Wiklander if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE || 4055*32b31808SJens Wiklander ssl->in_msg[0] != MBEDTLS_SSL_HS_CERTIFICATE_VERIFY) { 4056*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate verify message")); 4057*32b31808SJens Wiklander return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE; 4058*32b31808SJens Wiklander } 4059*32b31808SJens Wiklander 4060*32b31808SJens Wiklander i = mbedtls_ssl_hs_hdr_len(ssl); 4061*32b31808SJens Wiklander 4062*32b31808SJens Wiklander #if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) 4063*32b31808SJens Wiklander peer_pk = &ssl->handshake->peer_pubkey; 4064*32b31808SJens Wiklander #else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ 4065*32b31808SJens Wiklander if (ssl->session_negotiate->peer_cert == NULL) { 4066*32b31808SJens Wiklander /* Should never happen */ 4067*32b31808SJens Wiklander return MBEDTLS_ERR_SSL_INTERNAL_ERROR; 4068*32b31808SJens Wiklander } 4069*32b31808SJens Wiklander peer_pk = &ssl->session_negotiate->peer_cert->pk; 4070*32b31808SJens Wiklander #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ 4071*32b31808SJens Wiklander 4072*32b31808SJens Wiklander /* 4073*32b31808SJens Wiklander * struct { 4074*32b31808SJens Wiklander * SignatureAndHashAlgorithm algorithm; -- TLS 1.2 only 4075*32b31808SJens Wiklander * opaque signature<0..2^16-1>; 4076*32b31808SJens Wiklander * } DigitallySigned; 4077*32b31808SJens Wiklander */ 4078*32b31808SJens Wiklander if (i + 2 > ssl->in_hslen) { 4079*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate verify message")); 4080*32b31808SJens Wiklander return MBEDTLS_ERR_SSL_DECODE_ERROR; 4081*32b31808SJens Wiklander } 4082*32b31808SJens Wiklander 4083*32b31808SJens Wiklander /* 4084*32b31808SJens Wiklander * Hash 4085*32b31808SJens Wiklander */ 4086*32b31808SJens Wiklander md_alg = mbedtls_ssl_md_alg_from_hash(ssl->in_msg[i]); 4087*32b31808SJens Wiklander 4088*32b31808SJens Wiklander if (md_alg == MBEDTLS_MD_NONE || mbedtls_ssl_set_calc_verify_md(ssl, ssl->in_msg[i])) { 4089*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(1, ("peer not adhering to requested sig_alg" 4090*32b31808SJens Wiklander " for verify message")); 4091*32b31808SJens Wiklander return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; 4092*32b31808SJens Wiklander } 4093*32b31808SJens Wiklander 4094*32b31808SJens Wiklander #if !defined(MBEDTLS_MD_SHA1) 4095*32b31808SJens Wiklander if (MBEDTLS_MD_SHA1 == md_alg) { 4096*32b31808SJens Wiklander hash_start += 16; 4097*32b31808SJens Wiklander } 4098*32b31808SJens Wiklander #endif 4099*32b31808SJens Wiklander 4100*32b31808SJens Wiklander /* Info from md_alg will be used instead */ 4101*32b31808SJens Wiklander hashlen = 0; 4102*32b31808SJens Wiklander 4103*32b31808SJens Wiklander i++; 4104*32b31808SJens Wiklander 4105*32b31808SJens Wiklander /* 4106*32b31808SJens Wiklander * Signature 4107*32b31808SJens Wiklander */ 4108*32b31808SJens Wiklander if ((pk_alg = mbedtls_ssl_pk_alg_from_sig(ssl->in_msg[i])) 4109*32b31808SJens Wiklander == MBEDTLS_PK_NONE) { 4110*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(1, ("peer not adhering to requested sig_alg" 4111*32b31808SJens Wiklander " for verify message")); 4112*32b31808SJens Wiklander return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; 4113*32b31808SJens Wiklander } 4114*32b31808SJens Wiklander 4115*32b31808SJens Wiklander /* 4116*32b31808SJens Wiklander * Check the certificate's key type matches the signature alg 4117*32b31808SJens Wiklander */ 4118*32b31808SJens Wiklander if (!mbedtls_pk_can_do(peer_pk, pk_alg)) { 4119*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(1, ("sig_alg doesn't match cert key")); 4120*32b31808SJens Wiklander return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; 4121*32b31808SJens Wiklander } 4122*32b31808SJens Wiklander 4123*32b31808SJens Wiklander i++; 4124*32b31808SJens Wiklander 4125*32b31808SJens Wiklander if (i + 2 > ssl->in_hslen) { 4126*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate verify message")); 4127*32b31808SJens Wiklander return MBEDTLS_ERR_SSL_DECODE_ERROR; 4128*32b31808SJens Wiklander } 4129*32b31808SJens Wiklander 4130*32b31808SJens Wiklander sig_len = (ssl->in_msg[i] << 8) | ssl->in_msg[i+1]; 4131*32b31808SJens Wiklander i += 2; 4132*32b31808SJens Wiklander 4133*32b31808SJens Wiklander if (i + sig_len != ssl->in_hslen) { 4134*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate verify message")); 4135*32b31808SJens Wiklander return MBEDTLS_ERR_SSL_DECODE_ERROR; 4136*32b31808SJens Wiklander } 4137*32b31808SJens Wiklander 4138*32b31808SJens Wiklander /* Calculate hash and verify signature */ 4139*32b31808SJens Wiklander { 4140*32b31808SJens Wiklander size_t dummy_hlen; 4141*32b31808SJens Wiklander ret = ssl->handshake->calc_verify(ssl, hash, &dummy_hlen); 4142*32b31808SJens Wiklander if (0 != ret) { 4143*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_RET(1, ("calc_verify"), ret); 4144*32b31808SJens Wiklander return ret; 4145*32b31808SJens Wiklander } 4146*32b31808SJens Wiklander } 4147*32b31808SJens Wiklander 4148*32b31808SJens Wiklander if ((ret = mbedtls_pk_verify(peer_pk, 4149*32b31808SJens Wiklander md_alg, hash_start, hashlen, 4150*32b31808SJens Wiklander ssl->in_msg + i, sig_len)) != 0) { 4151*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_verify", ret); 4152*32b31808SJens Wiklander return ret; 4153*32b31808SJens Wiklander } 4154*32b31808SJens Wiklander 4155*32b31808SJens Wiklander ret = mbedtls_ssl_update_handshake_status(ssl); 4156*32b31808SJens Wiklander if (0 != ret) { 4157*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ssl_update_handshake_status"), ret); 4158*32b31808SJens Wiklander return ret; 4159*32b31808SJens Wiklander } 4160*32b31808SJens Wiklander 4161*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse certificate verify")); 4162*32b31808SJens Wiklander 4163*32b31808SJens Wiklander return ret; 4164*32b31808SJens Wiklander } 4165*32b31808SJens Wiklander #endif /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */ 4166*32b31808SJens Wiklander 4167*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_SESSION_TICKETS) 4168*32b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 4169*32b31808SJens Wiklander static int ssl_write_new_session_ticket(mbedtls_ssl_context *ssl) 4170*32b31808SJens Wiklander { 4171*32b31808SJens Wiklander int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 4172*32b31808SJens Wiklander size_t tlen; 4173*32b31808SJens Wiklander uint32_t lifetime; 4174*32b31808SJens Wiklander 4175*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(2, ("=> write new session ticket")); 4176*32b31808SJens Wiklander 4177*32b31808SJens Wiklander ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; 4178*32b31808SJens Wiklander ssl->out_msg[0] = MBEDTLS_SSL_HS_NEW_SESSION_TICKET; 4179*32b31808SJens Wiklander 4180*32b31808SJens Wiklander /* 4181*32b31808SJens Wiklander * struct { 4182*32b31808SJens Wiklander * uint32 ticket_lifetime_hint; 4183*32b31808SJens Wiklander * opaque ticket<0..2^16-1>; 4184*32b31808SJens Wiklander * } NewSessionTicket; 4185*32b31808SJens Wiklander * 4186*32b31808SJens Wiklander * 4 . 7 ticket_lifetime_hint (0 = unspecified) 4187*32b31808SJens Wiklander * 8 . 9 ticket_len (n) 4188*32b31808SJens Wiklander * 10 . 9+n ticket content 4189*32b31808SJens Wiklander */ 4190*32b31808SJens Wiklander 4191*32b31808SJens Wiklander if ((ret = ssl->conf->f_ticket_write(ssl->conf->p_ticket, 4192*32b31808SJens Wiklander ssl->session_negotiate, 4193*32b31808SJens Wiklander ssl->out_msg + 10, 4194*32b31808SJens Wiklander ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN, 4195*32b31808SJens Wiklander &tlen, &lifetime)) != 0) { 4196*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_ticket_write", ret); 4197*32b31808SJens Wiklander tlen = 0; 4198*32b31808SJens Wiklander } 4199*32b31808SJens Wiklander 4200*32b31808SJens Wiklander MBEDTLS_PUT_UINT32_BE(lifetime, ssl->out_msg, 4); 4201*32b31808SJens Wiklander MBEDTLS_PUT_UINT16_BE(tlen, ssl->out_msg, 8); 4202*32b31808SJens Wiklander ssl->out_msglen = 10 + tlen; 4203*32b31808SJens Wiklander 4204*32b31808SJens Wiklander /* 4205*32b31808SJens Wiklander * Morally equivalent to updating ssl->state, but NewSessionTicket and 4206*32b31808SJens Wiklander * ChangeCipherSpec share the same state. 4207*32b31808SJens Wiklander */ 4208*32b31808SJens Wiklander ssl->handshake->new_session_ticket = 0; 4209*32b31808SJens Wiklander 4210*32b31808SJens Wiklander if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) { 4211*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret); 4212*32b31808SJens Wiklander return ret; 4213*32b31808SJens Wiklander } 4214*32b31808SJens Wiklander 4215*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(2, ("<= write new session ticket")); 4216*32b31808SJens Wiklander 4217*32b31808SJens Wiklander return 0; 4218*32b31808SJens Wiklander } 4219*32b31808SJens Wiklander #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 4220*32b31808SJens Wiklander 4221*32b31808SJens Wiklander /* 4222*32b31808SJens Wiklander * SSL handshake -- server side -- single step 4223*32b31808SJens Wiklander */ 4224*32b31808SJens Wiklander int mbedtls_ssl_handshake_server_step(mbedtls_ssl_context *ssl) 4225*32b31808SJens Wiklander { 4226*32b31808SJens Wiklander int ret = 0; 4227*32b31808SJens Wiklander 4228*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(2, ("server state: %d", ssl->state)); 4229*32b31808SJens Wiklander 4230*32b31808SJens Wiklander switch (ssl->state) { 4231*32b31808SJens Wiklander case MBEDTLS_SSL_HELLO_REQUEST: 4232*32b31808SJens Wiklander ssl->state = MBEDTLS_SSL_CLIENT_HELLO; 4233*32b31808SJens Wiklander break; 4234*32b31808SJens Wiklander 4235*32b31808SJens Wiklander /* 4236*32b31808SJens Wiklander * <== ClientHello 4237*32b31808SJens Wiklander */ 4238*32b31808SJens Wiklander case MBEDTLS_SSL_CLIENT_HELLO: 4239*32b31808SJens Wiklander ret = ssl_parse_client_hello(ssl); 4240*32b31808SJens Wiklander break; 4241*32b31808SJens Wiklander 4242*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_PROTO_DTLS) 4243*32b31808SJens Wiklander case MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT: 4244*32b31808SJens Wiklander return MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED; 4245*32b31808SJens Wiklander #endif 4246*32b31808SJens Wiklander 4247*32b31808SJens Wiklander /* 4248*32b31808SJens Wiklander * ==> ServerHello 4249*32b31808SJens Wiklander * Certificate 4250*32b31808SJens Wiklander * ( ServerKeyExchange ) 4251*32b31808SJens Wiklander * ( CertificateRequest ) 4252*32b31808SJens Wiklander * ServerHelloDone 4253*32b31808SJens Wiklander */ 4254*32b31808SJens Wiklander case MBEDTLS_SSL_SERVER_HELLO: 4255*32b31808SJens Wiklander ret = ssl_write_server_hello(ssl); 4256*32b31808SJens Wiklander break; 4257*32b31808SJens Wiklander 4258*32b31808SJens Wiklander case MBEDTLS_SSL_SERVER_CERTIFICATE: 4259*32b31808SJens Wiklander ret = mbedtls_ssl_write_certificate(ssl); 4260*32b31808SJens Wiklander break; 4261*32b31808SJens Wiklander 4262*32b31808SJens Wiklander case MBEDTLS_SSL_SERVER_KEY_EXCHANGE: 4263*32b31808SJens Wiklander ret = ssl_write_server_key_exchange(ssl); 4264*32b31808SJens Wiklander break; 4265*32b31808SJens Wiklander 4266*32b31808SJens Wiklander case MBEDTLS_SSL_CERTIFICATE_REQUEST: 4267*32b31808SJens Wiklander ret = ssl_write_certificate_request(ssl); 4268*32b31808SJens Wiklander break; 4269*32b31808SJens Wiklander 4270*32b31808SJens Wiklander case MBEDTLS_SSL_SERVER_HELLO_DONE: 4271*32b31808SJens Wiklander ret = ssl_write_server_hello_done(ssl); 4272*32b31808SJens Wiklander break; 4273*32b31808SJens Wiklander 4274*32b31808SJens Wiklander /* 4275*32b31808SJens Wiklander * <== ( Certificate/Alert ) 4276*32b31808SJens Wiklander * ClientKeyExchange 4277*32b31808SJens Wiklander * ( CertificateVerify ) 4278*32b31808SJens Wiklander * ChangeCipherSpec 4279*32b31808SJens Wiklander * Finished 4280*32b31808SJens Wiklander */ 4281*32b31808SJens Wiklander case MBEDTLS_SSL_CLIENT_CERTIFICATE: 4282*32b31808SJens Wiklander ret = mbedtls_ssl_parse_certificate(ssl); 4283*32b31808SJens Wiklander break; 4284*32b31808SJens Wiklander 4285*32b31808SJens Wiklander case MBEDTLS_SSL_CLIENT_KEY_EXCHANGE: 4286*32b31808SJens Wiklander ret = ssl_parse_client_key_exchange(ssl); 4287*32b31808SJens Wiklander break; 4288*32b31808SJens Wiklander 4289*32b31808SJens Wiklander case MBEDTLS_SSL_CERTIFICATE_VERIFY: 4290*32b31808SJens Wiklander ret = ssl_parse_certificate_verify(ssl); 4291*32b31808SJens Wiklander break; 4292*32b31808SJens Wiklander 4293*32b31808SJens Wiklander case MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC: 4294*32b31808SJens Wiklander ret = mbedtls_ssl_parse_change_cipher_spec(ssl); 4295*32b31808SJens Wiklander break; 4296*32b31808SJens Wiklander 4297*32b31808SJens Wiklander case MBEDTLS_SSL_CLIENT_FINISHED: 4298*32b31808SJens Wiklander ret = mbedtls_ssl_parse_finished(ssl); 4299*32b31808SJens Wiklander break; 4300*32b31808SJens Wiklander 4301*32b31808SJens Wiklander /* 4302*32b31808SJens Wiklander * ==> ( NewSessionTicket ) 4303*32b31808SJens Wiklander * ChangeCipherSpec 4304*32b31808SJens Wiklander * Finished 4305*32b31808SJens Wiklander */ 4306*32b31808SJens Wiklander case MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC: 4307*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_SESSION_TICKETS) 4308*32b31808SJens Wiklander if (ssl->handshake->new_session_ticket != 0) { 4309*32b31808SJens Wiklander ret = ssl_write_new_session_ticket(ssl); 4310*32b31808SJens Wiklander } else 4311*32b31808SJens Wiklander #endif 4312*32b31808SJens Wiklander ret = mbedtls_ssl_write_change_cipher_spec(ssl); 4313*32b31808SJens Wiklander break; 4314*32b31808SJens Wiklander 4315*32b31808SJens Wiklander case MBEDTLS_SSL_SERVER_FINISHED: 4316*32b31808SJens Wiklander ret = mbedtls_ssl_write_finished(ssl); 4317*32b31808SJens Wiklander break; 4318*32b31808SJens Wiklander 4319*32b31808SJens Wiklander case MBEDTLS_SSL_FLUSH_BUFFERS: 4320*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(2, ("handshake: done")); 4321*32b31808SJens Wiklander ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP; 4322*32b31808SJens Wiklander break; 4323*32b31808SJens Wiklander 4324*32b31808SJens Wiklander case MBEDTLS_SSL_HANDSHAKE_WRAPUP: 4325*32b31808SJens Wiklander mbedtls_ssl_handshake_wrapup(ssl); 4326*32b31808SJens Wiklander break; 4327*32b31808SJens Wiklander 4328*32b31808SJens Wiklander default: 4329*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(1, ("invalid state %d", ssl->state)); 4330*32b31808SJens Wiklander return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 4331*32b31808SJens Wiklander } 4332*32b31808SJens Wiklander 4333*32b31808SJens Wiklander return ret; 4334*32b31808SJens Wiklander } 4335*32b31808SJens Wiklander 4336*32b31808SJens Wiklander void mbedtls_ssl_conf_preference_order(mbedtls_ssl_config *conf, int order) 4337*32b31808SJens Wiklander { 4338*32b31808SJens Wiklander conf->respect_cli_pref = order; 4339*32b31808SJens Wiklander } 4340*32b31808SJens Wiklander 4341*32b31808SJens Wiklander #endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_PROTO_TLS1_2 */ 4342