1 /* 2 * TLS server-side functions 3 * 4 * Copyright The Mbed TLS Contributors 5 * SPDX-License-Identifier: Apache-2.0 6 * 7 * Licensed under the Apache License, Version 2.0 (the "License"); you may 8 * not use this file except in compliance with the License. 9 * You may obtain a copy of the License at 10 * 11 * http://www.apache.org/licenses/LICENSE-2.0 12 * 13 * Unless required by applicable law or agreed to in writing, software 14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 16 * See the License for the specific language governing permissions and 17 * limitations under the License. 18 */ 19 20 #include "common.h" 21 22 #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_PROTO_TLS1_2) 23 24 #include "mbedtls/platform.h" 25 26 #include "mbedtls/ssl.h" 27 #include "ssl_misc.h" 28 #include "mbedtls/debug.h" 29 #include "mbedtls/error.h" 30 #include "mbedtls/platform_util.h" 31 #include "constant_time_internal.h" 32 #include "mbedtls/constant_time.h" 33 #include "hash_info.h" 34 35 #include <string.h> 36 37 #if defined(MBEDTLS_USE_PSA_CRYPTO) 38 #define PSA_TO_MBEDTLS_ERR(status) PSA_TO_MBEDTLS_ERR_LIST(status, \ 39 psa_to_ssl_errors, \ 40 psa_generic_status_to_mbedtls) 41 #endif 42 43 #if defined(MBEDTLS_ECP_C) 44 #include "mbedtls/ecp.h" 45 #endif 46 47 #if defined(MBEDTLS_HAVE_TIME) 48 #include "mbedtls/platform_time.h" 49 #endif 50 51 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) 52 int mbedtls_ssl_set_client_transport_id(mbedtls_ssl_context *ssl, 53 const unsigned char *info, 54 size_t ilen) 55 { 56 if (ssl->conf->endpoint != MBEDTLS_SSL_IS_SERVER) { 57 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 58 } 59 60 mbedtls_free(ssl->cli_id); 61 62 if ((ssl->cli_id = mbedtls_calloc(1, ilen)) == NULL) { 63 return MBEDTLS_ERR_SSL_ALLOC_FAILED; 64 } 65 66 memcpy(ssl->cli_id, info, ilen); 67 ssl->cli_id_len = ilen; 68 69 return 0; 70 } 71 72 void mbedtls_ssl_conf_dtls_cookies(mbedtls_ssl_config *conf, 73 mbedtls_ssl_cookie_write_t *f_cookie_write, 74 mbedtls_ssl_cookie_check_t *f_cookie_check, 75 void *p_cookie) 76 { 77 conf->f_cookie_write = f_cookie_write; 78 conf->f_cookie_check = f_cookie_check; 79 conf->p_cookie = p_cookie; 80 } 81 #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */ 82 83 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) 84 MBEDTLS_CHECK_RETURN_CRITICAL 85 static int ssl_conf_has_psk_or_cb(mbedtls_ssl_config const *conf) 86 { 87 if (conf->f_psk != NULL) { 88 return 1; 89 } 90 91 if (conf->psk_identity_len == 0 || conf->psk_identity == NULL) { 92 return 0; 93 } 94 95 96 #if defined(MBEDTLS_USE_PSA_CRYPTO) 97 if (!mbedtls_svc_key_id_is_null(conf->psk_opaque)) { 98 return 1; 99 } 100 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 101 102 if (conf->psk != NULL && conf->psk_len != 0) { 103 return 1; 104 } 105 106 return 0; 107 } 108 #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */ 109 110 MBEDTLS_CHECK_RETURN_CRITICAL 111 static int ssl_parse_renegotiation_info(mbedtls_ssl_context *ssl, 112 const unsigned char *buf, 113 size_t len) 114 { 115 #if defined(MBEDTLS_SSL_RENEGOTIATION) 116 if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) { 117 /* Check verify-data in constant-time. The length OTOH is no secret */ 118 if (len != 1 + ssl->verify_data_len || 119 buf[0] != ssl->verify_data_len || 120 mbedtls_ct_memcmp(buf + 1, ssl->peer_verify_data, 121 ssl->verify_data_len) != 0) { 122 MBEDTLS_SSL_DEBUG_MSG(1, ("non-matching renegotiation info")); 123 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 124 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE); 125 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; 126 } 127 } else 128 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 129 { 130 if (len != 1 || buf[0] != 0x0) { 131 MBEDTLS_SSL_DEBUG_MSG(1, ("non-zero length renegotiation info")); 132 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 133 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE); 134 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; 135 } 136 137 ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION; 138 } 139 140 return 0; 141 } 142 143 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ 144 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 145 /* 146 * Function for parsing a supported groups (TLS 1.3) or supported elliptic 147 * curves (TLS 1.2) extension. 148 * 149 * The "extension_data" field of a supported groups extension contains a 150 * "NamedGroupList" value (TLS 1.3 RFC8446): 151 * enum { 152 * secp256r1(0x0017), secp384r1(0x0018), secp521r1(0x0019), 153 * x25519(0x001D), x448(0x001E), 154 * ffdhe2048(0x0100), ffdhe3072(0x0101), ffdhe4096(0x0102), 155 * ffdhe6144(0x0103), ffdhe8192(0x0104), 156 * ffdhe_private_use(0x01FC..0x01FF), 157 * ecdhe_private_use(0xFE00..0xFEFF), 158 * (0xFFFF) 159 * } NamedGroup; 160 * struct { 161 * NamedGroup named_group_list<2..2^16-1>; 162 * } NamedGroupList; 163 * 164 * The "extension_data" field of a supported elliptic curves extension contains 165 * a "NamedCurveList" value (TLS 1.2 RFC 8422): 166 * enum { 167 * deprecated(1..22), 168 * secp256r1 (23), secp384r1 (24), secp521r1 (25), 169 * x25519(29), x448(30), 170 * reserved (0xFE00..0xFEFF), 171 * deprecated(0xFF01..0xFF02), 172 * (0xFFFF) 173 * } NamedCurve; 174 * struct { 175 * NamedCurve named_curve_list<2..2^16-1> 176 * } NamedCurveList; 177 * 178 * The TLS 1.3 supported groups extension was defined to be a compatible 179 * generalization of the TLS 1.2 supported elliptic curves extension. They both 180 * share the same extension identifier. 181 * 182 * DHE groups are not supported yet. 183 */ 184 MBEDTLS_CHECK_RETURN_CRITICAL 185 static int ssl_parse_supported_groups_ext(mbedtls_ssl_context *ssl, 186 const unsigned char *buf, 187 size_t len) 188 { 189 size_t list_size, our_size; 190 const unsigned char *p; 191 uint16_t *curves_tls_id; 192 193 if (len < 2) { 194 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); 195 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 196 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); 197 return MBEDTLS_ERR_SSL_DECODE_ERROR; 198 } 199 list_size = ((buf[0] << 8) | (buf[1])); 200 if (list_size + 2 != len || 201 list_size % 2 != 0) { 202 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); 203 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 204 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); 205 return MBEDTLS_ERR_SSL_DECODE_ERROR; 206 } 207 208 /* Should never happen unless client duplicates the extension */ 209 if (ssl->handshake->curves_tls_id != NULL) { 210 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); 211 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 212 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER); 213 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; 214 } 215 216 /* Don't allow our peer to make us allocate too much memory, 217 * and leave room for a final 0 */ 218 our_size = list_size / 2 + 1; 219 if (our_size > MBEDTLS_ECP_DP_MAX) { 220 our_size = MBEDTLS_ECP_DP_MAX; 221 } 222 223 if ((curves_tls_id = mbedtls_calloc(our_size, 224 sizeof(*curves_tls_id))) == NULL) { 225 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 226 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR); 227 return MBEDTLS_ERR_SSL_ALLOC_FAILED; 228 } 229 230 ssl->handshake->curves_tls_id = curves_tls_id; 231 232 p = buf + 2; 233 while (list_size > 0 && our_size > 1) { 234 uint16_t curr_tls_id = MBEDTLS_GET_UINT16_BE(p, 0); 235 236 if (mbedtls_ssl_get_ecp_group_id_from_tls_id(curr_tls_id) != 237 MBEDTLS_ECP_DP_NONE) { 238 *curves_tls_id++ = curr_tls_id; 239 our_size--; 240 } 241 242 list_size -= 2; 243 p += 2; 244 } 245 246 return 0; 247 } 248 249 MBEDTLS_CHECK_RETURN_CRITICAL 250 static int ssl_parse_supported_point_formats(mbedtls_ssl_context *ssl, 251 const unsigned char *buf, 252 size_t len) 253 { 254 size_t list_size; 255 const unsigned char *p; 256 257 if (len == 0 || (size_t) (buf[0] + 1) != len) { 258 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); 259 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 260 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); 261 return MBEDTLS_ERR_SSL_DECODE_ERROR; 262 } 263 list_size = buf[0]; 264 265 p = buf + 1; 266 while (list_size > 0) { 267 if (p[0] == MBEDTLS_ECP_PF_UNCOMPRESSED || 268 p[0] == MBEDTLS_ECP_PF_COMPRESSED) { 269 #if !defined(MBEDTLS_USE_PSA_CRYPTO) && \ 270 (defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C)) 271 ssl->handshake->ecdh_ctx.point_format = p[0]; 272 #endif /* !MBEDTLS_USE_PSA_CRYPTO && 273 ( MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ) */ 274 #if !defined(MBEDTLS_USE_PSA_CRYPTO) && \ 275 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 276 mbedtls_ecjpake_set_point_format(&ssl->handshake->ecjpake_ctx, 277 p[0]); 278 #endif /* !MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 279 MBEDTLS_SSL_DEBUG_MSG(4, ("point format selected: %d", p[0])); 280 return 0; 281 } 282 283 list_size--; 284 p++; 285 } 286 287 return 0; 288 } 289 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || 290 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 291 292 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 293 MBEDTLS_CHECK_RETURN_CRITICAL 294 static int ssl_parse_ecjpake_kkpp(mbedtls_ssl_context *ssl, 295 const unsigned char *buf, 296 size_t len) 297 { 298 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 299 300 #if defined(MBEDTLS_USE_PSA_CRYPTO) 301 if (ssl->handshake->psa_pake_ctx_is_ok != 1) 302 #else 303 if (mbedtls_ecjpake_check(&ssl->handshake->ecjpake_ctx) != 0) 304 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 305 { 306 MBEDTLS_SSL_DEBUG_MSG(3, ("skip ecjpake kkpp extension")); 307 return 0; 308 } 309 310 #if defined(MBEDTLS_USE_PSA_CRYPTO) 311 if ((ret = mbedtls_psa_ecjpake_read_round( 312 &ssl->handshake->psa_pake_ctx, buf, len, 313 MBEDTLS_ECJPAKE_ROUND_ONE)) != 0) { 314 psa_destroy_key(ssl->handshake->psa_pake_password); 315 psa_pake_abort(&ssl->handshake->psa_pake_ctx); 316 317 MBEDTLS_SSL_DEBUG_RET(1, "psa_pake_input round one", ret); 318 mbedtls_ssl_send_alert_message( 319 ssl, 320 MBEDTLS_SSL_ALERT_LEVEL_FATAL, 321 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE); 322 323 return ret; 324 } 325 #else 326 if ((ret = mbedtls_ecjpake_read_round_one(&ssl->handshake->ecjpake_ctx, 327 buf, len)) != 0) { 328 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_read_round_one", ret); 329 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 330 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER); 331 return ret; 332 } 333 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 334 335 /* Only mark the extension as OK when we're sure it is */ 336 ssl->handshake->cli_exts |= MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK; 337 338 return 0; 339 } 340 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 341 342 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 343 MBEDTLS_CHECK_RETURN_CRITICAL 344 static int ssl_parse_max_fragment_length_ext(mbedtls_ssl_context *ssl, 345 const unsigned char *buf, 346 size_t len) 347 { 348 if (len != 1 || buf[0] >= MBEDTLS_SSL_MAX_FRAG_LEN_INVALID) { 349 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); 350 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 351 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER); 352 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; 353 } 354 355 ssl->session_negotiate->mfl_code = buf[0]; 356 357 return 0; 358 } 359 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ 360 361 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) 362 MBEDTLS_CHECK_RETURN_CRITICAL 363 static int ssl_parse_cid_ext(mbedtls_ssl_context *ssl, 364 const unsigned char *buf, 365 size_t len) 366 { 367 size_t peer_cid_len; 368 369 /* CID extension only makes sense in DTLS */ 370 if (ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) { 371 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); 372 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 373 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER); 374 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; 375 } 376 377 /* 378 * struct { 379 * opaque cid<0..2^8-1>; 380 * } ConnectionId; 381 */ 382 383 if (len < 1) { 384 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); 385 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 386 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); 387 return MBEDTLS_ERR_SSL_DECODE_ERROR; 388 } 389 390 peer_cid_len = *buf++; 391 len--; 392 393 if (len != peer_cid_len) { 394 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); 395 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 396 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); 397 return MBEDTLS_ERR_SSL_DECODE_ERROR; 398 } 399 400 /* Ignore CID if the user has disabled its use. */ 401 if (ssl->negotiate_cid == MBEDTLS_SSL_CID_DISABLED) { 402 /* Leave ssl->handshake->cid_in_use in its default 403 * value of MBEDTLS_SSL_CID_DISABLED. */ 404 MBEDTLS_SSL_DEBUG_MSG(3, ("Client sent CID extension, but CID disabled")); 405 return 0; 406 } 407 408 if (peer_cid_len > MBEDTLS_SSL_CID_OUT_LEN_MAX) { 409 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); 410 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 411 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER); 412 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; 413 } 414 415 ssl->handshake->cid_in_use = MBEDTLS_SSL_CID_ENABLED; 416 ssl->handshake->peer_cid_len = (uint8_t) peer_cid_len; 417 memcpy(ssl->handshake->peer_cid, buf, peer_cid_len); 418 419 MBEDTLS_SSL_DEBUG_MSG(3, ("Use of CID extension negotiated")); 420 MBEDTLS_SSL_DEBUG_BUF(3, "Client CID", buf, peer_cid_len); 421 422 return 0; 423 } 424 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ 425 426 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 427 MBEDTLS_CHECK_RETURN_CRITICAL 428 static int ssl_parse_encrypt_then_mac_ext(mbedtls_ssl_context *ssl, 429 const unsigned char *buf, 430 size_t len) 431 { 432 if (len != 0) { 433 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); 434 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 435 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); 436 return MBEDTLS_ERR_SSL_DECODE_ERROR; 437 } 438 439 ((void) buf); 440 441 if (ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED) { 442 ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED; 443 } 444 445 return 0; 446 } 447 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */ 448 449 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 450 MBEDTLS_CHECK_RETURN_CRITICAL 451 static int ssl_parse_extended_ms_ext(mbedtls_ssl_context *ssl, 452 const unsigned char *buf, 453 size_t len) 454 { 455 if (len != 0) { 456 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); 457 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 458 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); 459 return MBEDTLS_ERR_SSL_DECODE_ERROR; 460 } 461 462 ((void) buf); 463 464 if (ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED) { 465 ssl->handshake->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED; 466 } 467 468 return 0; 469 } 470 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */ 471 472 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 473 MBEDTLS_CHECK_RETURN_CRITICAL 474 static int ssl_parse_session_ticket_ext(mbedtls_ssl_context *ssl, 475 unsigned char *buf, 476 size_t len) 477 { 478 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 479 mbedtls_ssl_session session; 480 481 mbedtls_ssl_session_init(&session); 482 483 if (ssl->conf->f_ticket_parse == NULL || 484 ssl->conf->f_ticket_write == NULL) { 485 return 0; 486 } 487 488 /* Remember the client asked us to send a new ticket */ 489 ssl->handshake->new_session_ticket = 1; 490 491 MBEDTLS_SSL_DEBUG_MSG(3, ("ticket length: %" MBEDTLS_PRINTF_SIZET, len)); 492 493 if (len == 0) { 494 return 0; 495 } 496 497 #if defined(MBEDTLS_SSL_RENEGOTIATION) 498 if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) { 499 MBEDTLS_SSL_DEBUG_MSG(3, ("ticket rejected: renegotiating")); 500 return 0; 501 } 502 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 503 504 /* 505 * Failures are ok: just ignore the ticket and proceed. 506 */ 507 if ((ret = ssl->conf->f_ticket_parse(ssl->conf->p_ticket, &session, 508 buf, len)) != 0) { 509 mbedtls_ssl_session_free(&session); 510 511 if (ret == MBEDTLS_ERR_SSL_INVALID_MAC) { 512 MBEDTLS_SSL_DEBUG_MSG(3, ("ticket is not authentic")); 513 } else if (ret == MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED) { 514 MBEDTLS_SSL_DEBUG_MSG(3, ("ticket is expired")); 515 } else { 516 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_ticket_parse", ret); 517 } 518 519 return 0; 520 } 521 522 /* 523 * Keep the session ID sent by the client, since we MUST send it back to 524 * inform them we're accepting the ticket (RFC 5077 section 3.4) 525 */ 526 session.id_len = ssl->session_negotiate->id_len; 527 memcpy(&session.id, ssl->session_negotiate->id, session.id_len); 528 529 mbedtls_ssl_session_free(ssl->session_negotiate); 530 memcpy(ssl->session_negotiate, &session, sizeof(mbedtls_ssl_session)); 531 532 /* Zeroize instead of free as we copied the content */ 533 mbedtls_platform_zeroize(&session, sizeof(mbedtls_ssl_session)); 534 535 MBEDTLS_SSL_DEBUG_MSG(3, ("session successfully restored from ticket")); 536 537 ssl->handshake->resume = 1; 538 539 /* Don't send a new ticket after all, this one is OK */ 540 ssl->handshake->new_session_ticket = 0; 541 542 return 0; 543 } 544 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 545 546 #if defined(MBEDTLS_SSL_DTLS_SRTP) 547 MBEDTLS_CHECK_RETURN_CRITICAL 548 static int ssl_parse_use_srtp_ext(mbedtls_ssl_context *ssl, 549 const unsigned char *buf, 550 size_t len) 551 { 552 mbedtls_ssl_srtp_profile client_protection = MBEDTLS_TLS_SRTP_UNSET; 553 size_t i, j; 554 size_t profile_length; 555 uint16_t mki_length; 556 /*! 2 bytes for profile length and 1 byte for mki len */ 557 const size_t size_of_lengths = 3; 558 559 /* If use_srtp is not configured, just ignore the extension */ 560 if ((ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) || 561 (ssl->conf->dtls_srtp_profile_list == NULL) || 562 (ssl->conf->dtls_srtp_profile_list_len == 0)) { 563 return 0; 564 } 565 566 /* RFC5764 section 4.1.1 567 * uint8 SRTPProtectionProfile[2]; 568 * 569 * struct { 570 * SRTPProtectionProfiles SRTPProtectionProfiles; 571 * opaque srtp_mki<0..255>; 572 * } UseSRTPData; 573 574 * SRTPProtectionProfile SRTPProtectionProfiles<2..2^16-1>; 575 */ 576 577 /* 578 * Min length is 5: at least one protection profile(2 bytes) 579 * and length(2 bytes) + srtp_mki length(1 byte) 580 * Check here that we have at least 2 bytes of protection profiles length 581 * and one of srtp_mki length 582 */ 583 if (len < size_of_lengths) { 584 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 585 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); 586 return MBEDTLS_ERR_SSL_DECODE_ERROR; 587 } 588 589 ssl->dtls_srtp_info.chosen_dtls_srtp_profile = MBEDTLS_TLS_SRTP_UNSET; 590 591 /* first 2 bytes are protection profile length(in bytes) */ 592 profile_length = (buf[0] << 8) | buf[1]; 593 buf += 2; 594 595 /* The profile length cannot be bigger than input buffer size - lengths fields */ 596 if (profile_length > len - size_of_lengths || 597 profile_length % 2 != 0) { /* profiles are 2 bytes long, so the length must be even */ 598 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 599 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); 600 return MBEDTLS_ERR_SSL_DECODE_ERROR; 601 } 602 /* 603 * parse the extension list values are defined in 604 * http://www.iana.org/assignments/srtp-protection/srtp-protection.xhtml 605 */ 606 for (j = 0; j < profile_length; j += 2) { 607 uint16_t protection_profile_value = buf[j] << 8 | buf[j + 1]; 608 client_protection = mbedtls_ssl_check_srtp_profile_value(protection_profile_value); 609 610 if (client_protection != MBEDTLS_TLS_SRTP_UNSET) { 611 MBEDTLS_SSL_DEBUG_MSG(3, ("found srtp profile: %s", 612 mbedtls_ssl_get_srtp_profile_as_string( 613 client_protection))); 614 } else { 615 continue; 616 } 617 /* check if suggested profile is in our list */ 618 for (i = 0; i < ssl->conf->dtls_srtp_profile_list_len; i++) { 619 if (client_protection == ssl->conf->dtls_srtp_profile_list[i]) { 620 ssl->dtls_srtp_info.chosen_dtls_srtp_profile = ssl->conf->dtls_srtp_profile_list[i]; 621 MBEDTLS_SSL_DEBUG_MSG(3, ("selected srtp profile: %s", 622 mbedtls_ssl_get_srtp_profile_as_string( 623 client_protection))); 624 break; 625 } 626 } 627 if (ssl->dtls_srtp_info.chosen_dtls_srtp_profile != MBEDTLS_TLS_SRTP_UNSET) { 628 break; 629 } 630 } 631 buf += profile_length; /* buf points to the mki length */ 632 mki_length = *buf; 633 buf++; 634 635 if (mki_length > MBEDTLS_TLS_SRTP_MAX_MKI_LENGTH || 636 mki_length + profile_length + size_of_lengths != len) { 637 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 638 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); 639 return MBEDTLS_ERR_SSL_DECODE_ERROR; 640 } 641 642 /* Parse the mki only if present and mki is supported locally */ 643 if (ssl->conf->dtls_srtp_mki_support == MBEDTLS_SSL_DTLS_SRTP_MKI_SUPPORTED && 644 mki_length > 0) { 645 ssl->dtls_srtp_info.mki_len = mki_length; 646 647 memcpy(ssl->dtls_srtp_info.mki_value, buf, mki_length); 648 649 MBEDTLS_SSL_DEBUG_BUF(3, "using mki", ssl->dtls_srtp_info.mki_value, 650 ssl->dtls_srtp_info.mki_len); 651 } 652 653 return 0; 654 } 655 #endif /* MBEDTLS_SSL_DTLS_SRTP */ 656 657 /* 658 * Auxiliary functions for ServerHello parsing and related actions 659 */ 660 661 #if defined(MBEDTLS_X509_CRT_PARSE_C) 662 /* 663 * Return 0 if the given key uses one of the acceptable curves, -1 otherwise 664 */ 665 #if defined(MBEDTLS_ECDSA_C) 666 MBEDTLS_CHECK_RETURN_CRITICAL 667 static int ssl_check_key_curve(mbedtls_pk_context *pk, 668 uint16_t *curves_tls_id) 669 { 670 uint16_t *curr_tls_id = curves_tls_id; 671 mbedtls_ecp_group_id grp_id = mbedtls_pk_ec(*pk)->grp.id; 672 mbedtls_ecp_group_id curr_grp_id; 673 674 while (*curr_tls_id != 0) { 675 curr_grp_id = mbedtls_ssl_get_ecp_group_id_from_tls_id(*curr_tls_id); 676 if (curr_grp_id == grp_id) { 677 return 0; 678 } 679 curr_tls_id++; 680 } 681 682 return -1; 683 } 684 #endif /* MBEDTLS_ECDSA_C */ 685 686 /* 687 * Try picking a certificate for this ciphersuite, 688 * return 0 on success and -1 on failure. 689 */ 690 MBEDTLS_CHECK_RETURN_CRITICAL 691 static int ssl_pick_cert(mbedtls_ssl_context *ssl, 692 const mbedtls_ssl_ciphersuite_t *ciphersuite_info) 693 { 694 mbedtls_ssl_key_cert *cur, *list; 695 #if defined(MBEDTLS_USE_PSA_CRYPTO) 696 psa_algorithm_t pk_alg = 697 mbedtls_ssl_get_ciphersuite_sig_pk_psa_alg(ciphersuite_info); 698 psa_key_usage_t pk_usage = 699 mbedtls_ssl_get_ciphersuite_sig_pk_psa_usage(ciphersuite_info); 700 #else 701 mbedtls_pk_type_t pk_alg = 702 mbedtls_ssl_get_ciphersuite_sig_pk_alg(ciphersuite_info); 703 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 704 uint32_t flags; 705 706 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 707 if (ssl->handshake->sni_key_cert != NULL) { 708 list = ssl->handshake->sni_key_cert; 709 } else 710 #endif 711 list = ssl->conf->key_cert; 712 713 int pk_alg_is_none = 0; 714 #if defined(MBEDTLS_USE_PSA_CRYPTO) 715 pk_alg_is_none = (pk_alg == PSA_ALG_NONE); 716 #else 717 pk_alg_is_none = (pk_alg == MBEDTLS_PK_NONE); 718 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 719 if (pk_alg_is_none) { 720 return 0; 721 } 722 723 MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite requires certificate")); 724 725 if (list == NULL) { 726 MBEDTLS_SSL_DEBUG_MSG(3, ("server has no certificate")); 727 return -1; 728 } 729 730 for (cur = list; cur != NULL; cur = cur->next) { 731 flags = 0; 732 MBEDTLS_SSL_DEBUG_CRT(3, "candidate certificate chain, certificate", 733 cur->cert); 734 735 int key_type_matches = 0; 736 #if defined(MBEDTLS_USE_PSA_CRYPTO) 737 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) 738 key_type_matches = ((ssl->conf->f_async_sign_start != NULL || 739 ssl->conf->f_async_decrypt_start != NULL || 740 mbedtls_pk_can_do_ext(cur->key, pk_alg, pk_usage)) && 741 mbedtls_pk_can_do_ext(&cur->cert->pk, pk_alg, pk_usage)); 742 #else 743 key_type_matches = ( 744 mbedtls_pk_can_do_ext(cur->key, pk_alg, pk_usage)); 745 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */ 746 #else 747 key_type_matches = mbedtls_pk_can_do(&cur->cert->pk, pk_alg); 748 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 749 if (!key_type_matches) { 750 MBEDTLS_SSL_DEBUG_MSG(3, ("certificate mismatch: key type")); 751 continue; 752 } 753 754 /* 755 * This avoids sending the client a cert it'll reject based on 756 * keyUsage or other extensions. 757 * 758 * It also allows the user to provision different certificates for 759 * different uses based on keyUsage, eg if they want to avoid signing 760 * and decrypting with the same RSA key. 761 */ 762 if (mbedtls_ssl_check_cert_usage(cur->cert, ciphersuite_info, 763 MBEDTLS_SSL_IS_SERVER, &flags) != 0) { 764 MBEDTLS_SSL_DEBUG_MSG(3, ("certificate mismatch: " 765 "(extended) key usage extension")); 766 continue; 767 } 768 769 #if defined(MBEDTLS_ECDSA_C) 770 if (pk_alg == MBEDTLS_PK_ECDSA && 771 ssl_check_key_curve(&cur->cert->pk, 772 ssl->handshake->curves_tls_id) != 0) { 773 MBEDTLS_SSL_DEBUG_MSG(3, ("certificate mismatch: elliptic curve")); 774 continue; 775 } 776 #endif 777 778 /* If we get there, we got a winner */ 779 break; 780 } 781 782 /* Do not update ssl->handshake->key_cert unless there is a match */ 783 if (cur != NULL) { 784 ssl->handshake->key_cert = cur; 785 MBEDTLS_SSL_DEBUG_CRT(3, "selected certificate chain, certificate", 786 ssl->handshake->key_cert->cert); 787 return 0; 788 } 789 790 return -1; 791 } 792 #endif /* MBEDTLS_X509_CRT_PARSE_C */ 793 794 /* 795 * Check if a given ciphersuite is suitable for use with our config/keys/etc 796 * Sets ciphersuite_info only if the suite matches. 797 */ 798 MBEDTLS_CHECK_RETURN_CRITICAL 799 static int ssl_ciphersuite_match(mbedtls_ssl_context *ssl, int suite_id, 800 const mbedtls_ssl_ciphersuite_t **ciphersuite_info) 801 { 802 const mbedtls_ssl_ciphersuite_t *suite_info; 803 804 #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) 805 mbedtls_pk_type_t sig_type; 806 #endif 807 808 suite_info = mbedtls_ssl_ciphersuite_from_id(suite_id); 809 if (suite_info == NULL) { 810 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); 811 return MBEDTLS_ERR_SSL_INTERNAL_ERROR; 812 } 813 814 MBEDTLS_SSL_DEBUG_MSG(3, ("trying ciphersuite: %#04x (%s)", 815 (unsigned int) suite_id, suite_info->name)); 816 817 if (suite_info->min_tls_version > ssl->tls_version || 818 suite_info->max_tls_version < ssl->tls_version) { 819 MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: version")); 820 return 0; 821 } 822 823 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 824 if (suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE && 825 (ssl->handshake->cli_exts & MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK) == 0) { 826 MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: ecjpake " 827 "not configured or ext missing")); 828 return 0; 829 } 830 #endif 831 832 833 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) 834 if (mbedtls_ssl_ciphersuite_uses_ec(suite_info) && 835 (ssl->handshake->curves_tls_id == NULL || 836 ssl->handshake->curves_tls_id[0] == 0)) { 837 MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: " 838 "no common elliptic curve")); 839 return 0; 840 } 841 #endif 842 843 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) 844 /* If the ciphersuite requires a pre-shared key and we don't 845 * have one, skip it now rather than failing later */ 846 if (mbedtls_ssl_ciphersuite_uses_psk(suite_info) && 847 ssl_conf_has_psk_or_cb(ssl->conf) == 0) { 848 MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: no pre-shared key")); 849 return 0; 850 } 851 #endif 852 853 #if defined(MBEDTLS_X509_CRT_PARSE_C) 854 /* 855 * Final check: if ciphersuite requires us to have a 856 * certificate/key of a particular type: 857 * - select the appropriate certificate if we have one, or 858 * - try the next ciphersuite if we don't 859 * This must be done last since we modify the key_cert list. 860 */ 861 if (ssl_pick_cert(ssl, suite_info) != 0) { 862 MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: " 863 "no suitable certificate")); 864 return 0; 865 } 866 #endif 867 868 #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) 869 /* If the ciphersuite requires signing, check whether 870 * a suitable hash algorithm is present. */ 871 sig_type = mbedtls_ssl_get_ciphersuite_sig_alg(suite_info); 872 if (sig_type != MBEDTLS_PK_NONE && 873 mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg( 874 ssl, mbedtls_ssl_sig_from_pk_alg(sig_type)) == MBEDTLS_SSL_HASH_NONE) { 875 MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: no suitable hash algorithm " 876 "for signature algorithm %u", (unsigned) sig_type)); 877 return 0; 878 } 879 880 #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ 881 882 *ciphersuite_info = suite_info; 883 return 0; 884 } 885 886 /* This function doesn't alert on errors that happen early during 887 ClientHello parsing because they might indicate that the client is 888 not talking SSL/TLS at all and would not understand our alert. */ 889 MBEDTLS_CHECK_RETURN_CRITICAL 890 static int ssl_parse_client_hello(mbedtls_ssl_context *ssl) 891 { 892 int ret, got_common_suite; 893 size_t i, j; 894 size_t ciph_offset, comp_offset, ext_offset; 895 size_t msg_len, ciph_len, sess_len, comp_len, ext_len; 896 #if defined(MBEDTLS_SSL_PROTO_DTLS) 897 size_t cookie_offset, cookie_len; 898 #endif 899 unsigned char *buf, *p, *ext; 900 #if defined(MBEDTLS_SSL_RENEGOTIATION) 901 int renegotiation_info_seen = 0; 902 #endif 903 int handshake_failure = 0; 904 const int *ciphersuites; 905 const mbedtls_ssl_ciphersuite_t *ciphersuite_info; 906 907 /* If there is no signature-algorithm extension present, 908 * we need to fall back to the default values for allowed 909 * signature-hash pairs. */ 910 #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) 911 int sig_hash_alg_ext_present = 0; 912 #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ 913 914 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse client hello")); 915 916 int renegotiating; 917 918 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) 919 read_record_header: 920 #endif 921 /* 922 * If renegotiating, then the input was read with mbedtls_ssl_read_record(), 923 * otherwise read it ourselves manually in order to support SSLv2 924 * ClientHello, which doesn't use the same record layer format. 925 */ 926 renegotiating = 0; 927 #if defined(MBEDTLS_SSL_RENEGOTIATION) 928 renegotiating = (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE); 929 #endif 930 if (!renegotiating) { 931 if ((ret = mbedtls_ssl_fetch_input(ssl, 5)) != 0) { 932 /* No alert on a read error. */ 933 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_fetch_input", ret); 934 return ret; 935 } 936 } 937 938 buf = ssl->in_hdr; 939 940 MBEDTLS_SSL_DEBUG_BUF(4, "record header", buf, mbedtls_ssl_in_hdr_len(ssl)); 941 942 /* 943 * TLS Client Hello 944 * 945 * Record layer: 946 * 0 . 0 message type 947 * 1 . 2 protocol version 948 * 3 . 11 DTLS: epoch + record sequence number 949 * 3 . 4 message length 950 */ 951 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, message type: %d", 952 buf[0])); 953 954 if (buf[0] != MBEDTLS_SSL_MSG_HANDSHAKE) { 955 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); 956 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE; 957 } 958 959 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, message len.: %d", 960 (ssl->in_len[0] << 8) | ssl->in_len[1])); 961 962 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, protocol version: [%d:%d]", 963 buf[1], buf[2])); 964 965 /* For DTLS if this is the initial handshake, remember the client sequence 966 * number to use it in our next message (RFC 6347 4.2.1) */ 967 #if defined(MBEDTLS_SSL_PROTO_DTLS) 968 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM 969 #if defined(MBEDTLS_SSL_RENEGOTIATION) 970 && ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE 971 #endif 972 ) { 973 /* Epoch should be 0 for initial handshakes */ 974 if (ssl->in_ctr[0] != 0 || ssl->in_ctr[1] != 0) { 975 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); 976 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; 977 } 978 979 memcpy(&ssl->cur_out_ctr[2], ssl->in_ctr + 2, 980 sizeof(ssl->cur_out_ctr) - 2); 981 982 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) 983 if (mbedtls_ssl_dtls_replay_check(ssl) != 0) { 984 MBEDTLS_SSL_DEBUG_MSG(1, ("replayed record, discarding")); 985 ssl->next_record_offset = 0; 986 ssl->in_left = 0; 987 goto read_record_header; 988 } 989 990 /* No MAC to check yet, so we can update right now */ 991 mbedtls_ssl_dtls_replay_update(ssl); 992 #endif 993 } 994 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 995 996 msg_len = (ssl->in_len[0] << 8) | ssl->in_len[1]; 997 998 #if defined(MBEDTLS_SSL_RENEGOTIATION) 999 if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) { 1000 /* Set by mbedtls_ssl_read_record() */ 1001 msg_len = ssl->in_hslen; 1002 } else 1003 #endif 1004 { 1005 if (msg_len > MBEDTLS_SSL_IN_CONTENT_LEN) { 1006 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); 1007 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; 1008 } 1009 1010 if ((ret = mbedtls_ssl_fetch_input(ssl, 1011 mbedtls_ssl_in_hdr_len(ssl) + msg_len)) != 0) { 1012 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_fetch_input", ret); 1013 return ret; 1014 } 1015 1016 /* Done reading this record, get ready for the next one */ 1017 #if defined(MBEDTLS_SSL_PROTO_DTLS) 1018 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) { 1019 ssl->next_record_offset = msg_len + mbedtls_ssl_in_hdr_len(ssl); 1020 } else 1021 #endif 1022 ssl->in_left = 0; 1023 } 1024 1025 buf = ssl->in_msg; 1026 1027 MBEDTLS_SSL_DEBUG_BUF(4, "record contents", buf, msg_len); 1028 1029 ret = ssl->handshake->update_checksum(ssl, buf, msg_len); 1030 if (0 != ret) { 1031 MBEDTLS_SSL_DEBUG_RET(1, ("update_checksum"), ret); 1032 return ret; 1033 } 1034 1035 /* 1036 * Handshake layer: 1037 * 0 . 0 handshake type 1038 * 1 . 3 handshake length 1039 * 4 . 5 DTLS only: message sequence number 1040 * 6 . 8 DTLS only: fragment offset 1041 * 9 . 11 DTLS only: fragment length 1042 */ 1043 if (msg_len < mbedtls_ssl_hs_hdr_len(ssl)) { 1044 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); 1045 return MBEDTLS_ERR_SSL_DECODE_ERROR; 1046 } 1047 1048 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello v3, handshake type: %d", buf[0])); 1049 1050 if (buf[0] != MBEDTLS_SSL_HS_CLIENT_HELLO) { 1051 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); 1052 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE; 1053 } 1054 { 1055 size_t handshake_len = MBEDTLS_GET_UINT24_BE(buf, 1); 1056 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello v3, handshake len.: %u", 1057 (unsigned) handshake_len)); 1058 1059 /* The record layer has a record size limit of 2^14 - 1 and 1060 * fragmentation is not supported, so buf[1] should be zero. */ 1061 if (buf[1] != 0) { 1062 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message: %u != 0", 1063 (unsigned) buf[1])); 1064 return MBEDTLS_ERR_SSL_DECODE_ERROR; 1065 } 1066 1067 /* We don't support fragmentation of ClientHello (yet?) */ 1068 if (msg_len != mbedtls_ssl_hs_hdr_len(ssl) + handshake_len) { 1069 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message: %u != %u + %u", 1070 (unsigned) msg_len, 1071 (unsigned) mbedtls_ssl_hs_hdr_len(ssl), 1072 (unsigned) handshake_len)); 1073 return MBEDTLS_ERR_SSL_DECODE_ERROR; 1074 } 1075 } 1076 1077 #if defined(MBEDTLS_SSL_PROTO_DTLS) 1078 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) { 1079 /* 1080 * Copy the client's handshake message_seq on initial handshakes, 1081 * check sequence number on renego. 1082 */ 1083 #if defined(MBEDTLS_SSL_RENEGOTIATION) 1084 if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) { 1085 /* This couldn't be done in ssl_prepare_handshake_record() */ 1086 unsigned int cli_msg_seq = (ssl->in_msg[4] << 8) | 1087 ssl->in_msg[5]; 1088 1089 if (cli_msg_seq != ssl->handshake->in_msg_seq) { 1090 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message_seq: " 1091 "%u (expected %u)", cli_msg_seq, 1092 ssl->handshake->in_msg_seq)); 1093 return MBEDTLS_ERR_SSL_DECODE_ERROR; 1094 } 1095 1096 ssl->handshake->in_msg_seq++; 1097 } else 1098 #endif 1099 { 1100 unsigned int cli_msg_seq = (ssl->in_msg[4] << 8) | 1101 ssl->in_msg[5]; 1102 ssl->handshake->out_msg_seq = cli_msg_seq; 1103 ssl->handshake->in_msg_seq = cli_msg_seq + 1; 1104 } 1105 { 1106 /* 1107 * For now we don't support fragmentation, so make sure 1108 * fragment_offset == 0 and fragment_length == length 1109 */ 1110 size_t fragment_offset, fragment_length, length; 1111 fragment_offset = MBEDTLS_GET_UINT24_BE(ssl->in_msg, 6); 1112 fragment_length = MBEDTLS_GET_UINT24_BE(ssl->in_msg, 9); 1113 length = MBEDTLS_GET_UINT24_BE(ssl->in_msg, 1); 1114 MBEDTLS_SSL_DEBUG_MSG( 1115 4, ("fragment_offset=%u fragment_length=%u length=%u", 1116 (unsigned) fragment_offset, (unsigned) fragment_length, 1117 (unsigned) length)); 1118 if (fragment_offset != 0 || length != fragment_length) { 1119 MBEDTLS_SSL_DEBUG_MSG(1, ("ClientHello fragmentation not supported")); 1120 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 1121 } 1122 } 1123 } 1124 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 1125 1126 buf += mbedtls_ssl_hs_hdr_len(ssl); 1127 msg_len -= mbedtls_ssl_hs_hdr_len(ssl); 1128 1129 /* 1130 * ClientHello layer: 1131 * 0 . 1 protocol version 1132 * 2 . 33 random bytes (starting with 4 bytes of Unix time) 1133 * 34 . 35 session id length (1 byte) 1134 * 35 . 34+x session id 1135 * 35+x . 35+x DTLS only: cookie length (1 byte) 1136 * 36+x . .. DTLS only: cookie 1137 * .. . .. ciphersuite list length (2 bytes) 1138 * .. . .. ciphersuite list 1139 * .. . .. compression alg. list length (1 byte) 1140 * .. . .. compression alg. list 1141 * .. . .. extensions length (2 bytes, optional) 1142 * .. . .. extensions (optional) 1143 */ 1144 1145 /* 1146 * Minimal length (with everything empty and extensions omitted) is 1147 * 2 + 32 + 1 + 2 + 1 = 38 bytes. Check that first, so that we can 1148 * read at least up to session id length without worrying. 1149 */ 1150 if (msg_len < 38) { 1151 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); 1152 return MBEDTLS_ERR_SSL_DECODE_ERROR; 1153 } 1154 1155 /* 1156 * Check and save the protocol version 1157 */ 1158 MBEDTLS_SSL_DEBUG_BUF(3, "client hello, version", buf, 2); 1159 1160 ssl->tls_version = mbedtls_ssl_read_version(buf, ssl->conf->transport); 1161 ssl->session_negotiate->tls_version = ssl->tls_version; 1162 1163 if (ssl->tls_version != MBEDTLS_SSL_VERSION_TLS1_2) { 1164 MBEDTLS_SSL_DEBUG_MSG(1, ("server only supports TLS 1.2")); 1165 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1166 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION); 1167 return MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION; 1168 } 1169 1170 /* 1171 * Save client random (inc. Unix time) 1172 */ 1173 MBEDTLS_SSL_DEBUG_BUF(3, "client hello, random bytes", buf + 2, 32); 1174 1175 memcpy(ssl->handshake->randbytes, buf + 2, 32); 1176 1177 /* 1178 * Check the session ID length and save session ID 1179 */ 1180 sess_len = buf[34]; 1181 1182 if (sess_len > sizeof(ssl->session_negotiate->id) || 1183 sess_len + 34 + 2 > msg_len) { /* 2 for cipherlist length field */ 1184 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); 1185 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1186 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); 1187 return MBEDTLS_ERR_SSL_DECODE_ERROR; 1188 } 1189 1190 MBEDTLS_SSL_DEBUG_BUF(3, "client hello, session id", buf + 35, sess_len); 1191 1192 ssl->session_negotiate->id_len = sess_len; 1193 memset(ssl->session_negotiate->id, 0, 1194 sizeof(ssl->session_negotiate->id)); 1195 memcpy(ssl->session_negotiate->id, buf + 35, 1196 ssl->session_negotiate->id_len); 1197 1198 /* 1199 * Check the cookie length and content 1200 */ 1201 #if defined(MBEDTLS_SSL_PROTO_DTLS) 1202 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) { 1203 cookie_offset = 35 + sess_len; 1204 cookie_len = buf[cookie_offset]; 1205 1206 if (cookie_offset + 1 + cookie_len + 2 > msg_len) { 1207 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); 1208 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1209 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); 1210 return MBEDTLS_ERR_SSL_DECODE_ERROR; 1211 } 1212 1213 MBEDTLS_SSL_DEBUG_BUF(3, "client hello, cookie", 1214 buf + cookie_offset + 1, cookie_len); 1215 1216 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) 1217 if (ssl->conf->f_cookie_check != NULL 1218 #if defined(MBEDTLS_SSL_RENEGOTIATION) 1219 && ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE 1220 #endif 1221 ) { 1222 if (ssl->conf->f_cookie_check(ssl->conf->p_cookie, 1223 buf + cookie_offset + 1, cookie_len, 1224 ssl->cli_id, ssl->cli_id_len) != 0) { 1225 MBEDTLS_SSL_DEBUG_MSG(2, ("cookie verification failed")); 1226 ssl->handshake->cookie_verify_result = 1; 1227 } else { 1228 MBEDTLS_SSL_DEBUG_MSG(2, ("cookie verification passed")); 1229 ssl->handshake->cookie_verify_result = 0; 1230 } 1231 } else 1232 #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */ 1233 { 1234 /* We know we didn't send a cookie, so it should be empty */ 1235 if (cookie_len != 0) { 1236 /* This may be an attacker's probe, so don't send an alert */ 1237 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); 1238 return MBEDTLS_ERR_SSL_DECODE_ERROR; 1239 } 1240 1241 MBEDTLS_SSL_DEBUG_MSG(2, ("cookie verification skipped")); 1242 } 1243 1244 /* 1245 * Check the ciphersuitelist length (will be parsed later) 1246 */ 1247 ciph_offset = cookie_offset + 1 + cookie_len; 1248 } else 1249 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 1250 ciph_offset = 35 + sess_len; 1251 1252 ciph_len = (buf[ciph_offset + 0] << 8) 1253 | (buf[ciph_offset + 1]); 1254 1255 if (ciph_len < 2 || 1256 ciph_len + 2 + ciph_offset + 1 > msg_len || /* 1 for comp. alg. len */ 1257 (ciph_len % 2) != 0) { 1258 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); 1259 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1260 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); 1261 return MBEDTLS_ERR_SSL_DECODE_ERROR; 1262 } 1263 1264 MBEDTLS_SSL_DEBUG_BUF(3, "client hello, ciphersuitelist", 1265 buf + ciph_offset + 2, ciph_len); 1266 1267 /* 1268 * Check the compression algorithm's length. 1269 * The list contents are ignored because implementing 1270 * MBEDTLS_SSL_COMPRESS_NULL is mandatory and is the only 1271 * option supported by Mbed TLS. 1272 */ 1273 comp_offset = ciph_offset + 2 + ciph_len; 1274 1275 comp_len = buf[comp_offset]; 1276 1277 if (comp_len < 1 || 1278 comp_len > 16 || 1279 comp_len + comp_offset + 1 > msg_len) { 1280 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); 1281 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1282 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); 1283 return MBEDTLS_ERR_SSL_DECODE_ERROR; 1284 } 1285 1286 MBEDTLS_SSL_DEBUG_BUF(3, "client hello, compression", 1287 buf + comp_offset + 1, comp_len); 1288 1289 /* 1290 * Check the extension length 1291 */ 1292 ext_offset = comp_offset + 1 + comp_len; 1293 if (msg_len > ext_offset) { 1294 if (msg_len < ext_offset + 2) { 1295 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); 1296 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1297 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); 1298 return MBEDTLS_ERR_SSL_DECODE_ERROR; 1299 } 1300 1301 ext_len = (buf[ext_offset + 0] << 8) 1302 | (buf[ext_offset + 1]); 1303 1304 if (msg_len != ext_offset + 2 + ext_len) { 1305 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); 1306 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1307 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); 1308 return MBEDTLS_ERR_SSL_DECODE_ERROR; 1309 } 1310 } else { 1311 ext_len = 0; 1312 } 1313 1314 ext = buf + ext_offset + 2; 1315 MBEDTLS_SSL_DEBUG_BUF(3, "client hello extensions", ext, ext_len); 1316 1317 while (ext_len != 0) { 1318 unsigned int ext_id; 1319 unsigned int ext_size; 1320 if (ext_len < 4) { 1321 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); 1322 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1323 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); 1324 return MBEDTLS_ERR_SSL_DECODE_ERROR; 1325 } 1326 ext_id = ((ext[0] << 8) | (ext[1])); 1327 ext_size = ((ext[2] << 8) | (ext[3])); 1328 1329 if (ext_size + 4 > ext_len) { 1330 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); 1331 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1332 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); 1333 return MBEDTLS_ERR_SSL_DECODE_ERROR; 1334 } 1335 switch (ext_id) { 1336 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 1337 case MBEDTLS_TLS_EXT_SERVERNAME: 1338 MBEDTLS_SSL_DEBUG_MSG(3, ("found ServerName extension")); 1339 ret = mbedtls_ssl_parse_server_name_ext(ssl, ext + 4, 1340 ext + 4 + ext_size); 1341 if (ret != 0) { 1342 return ret; 1343 } 1344 break; 1345 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ 1346 1347 case MBEDTLS_TLS_EXT_RENEGOTIATION_INFO: 1348 MBEDTLS_SSL_DEBUG_MSG(3, ("found renegotiation extension")); 1349 #if defined(MBEDTLS_SSL_RENEGOTIATION) 1350 renegotiation_info_seen = 1; 1351 #endif 1352 1353 ret = ssl_parse_renegotiation_info(ssl, ext + 4, ext_size); 1354 if (ret != 0) { 1355 return ret; 1356 } 1357 break; 1358 1359 #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) 1360 case MBEDTLS_TLS_EXT_SIG_ALG: 1361 MBEDTLS_SSL_DEBUG_MSG(3, ("found signature_algorithms extension")); 1362 1363 ret = mbedtls_ssl_parse_sig_alg_ext(ssl, ext + 4, ext + 4 + ext_size); 1364 if (ret != 0) { 1365 return ret; 1366 } 1367 1368 sig_hash_alg_ext_present = 1; 1369 break; 1370 #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ 1371 1372 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ 1373 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 1374 case MBEDTLS_TLS_EXT_SUPPORTED_GROUPS: 1375 MBEDTLS_SSL_DEBUG_MSG(3, ("found supported elliptic curves extension")); 1376 1377 ret = ssl_parse_supported_groups_ext(ssl, ext + 4, ext_size); 1378 if (ret != 0) { 1379 return ret; 1380 } 1381 break; 1382 1383 case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS: 1384 MBEDTLS_SSL_DEBUG_MSG(3, ("found supported point formats extension")); 1385 ssl->handshake->cli_exts |= MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT; 1386 1387 ret = ssl_parse_supported_point_formats(ssl, ext + 4, ext_size); 1388 if (ret != 0) { 1389 return ret; 1390 } 1391 break; 1392 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || 1393 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 1394 1395 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 1396 case MBEDTLS_TLS_EXT_ECJPAKE_KKPP: 1397 MBEDTLS_SSL_DEBUG_MSG(3, ("found ecjpake kkpp extension")); 1398 1399 ret = ssl_parse_ecjpake_kkpp(ssl, ext + 4, ext_size); 1400 if (ret != 0) { 1401 return ret; 1402 } 1403 break; 1404 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 1405 1406 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 1407 case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH: 1408 MBEDTLS_SSL_DEBUG_MSG(3, ("found max fragment length extension")); 1409 1410 ret = ssl_parse_max_fragment_length_ext(ssl, ext + 4, ext_size); 1411 if (ret != 0) { 1412 return ret; 1413 } 1414 break; 1415 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ 1416 1417 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) 1418 case MBEDTLS_TLS_EXT_CID: 1419 MBEDTLS_SSL_DEBUG_MSG(3, ("found CID extension")); 1420 1421 ret = ssl_parse_cid_ext(ssl, ext + 4, ext_size); 1422 if (ret != 0) { 1423 return ret; 1424 } 1425 break; 1426 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ 1427 1428 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 1429 case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC: 1430 MBEDTLS_SSL_DEBUG_MSG(3, ("found encrypt then mac extension")); 1431 1432 ret = ssl_parse_encrypt_then_mac_ext(ssl, ext + 4, ext_size); 1433 if (ret != 0) { 1434 return ret; 1435 } 1436 break; 1437 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */ 1438 1439 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 1440 case MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET: 1441 MBEDTLS_SSL_DEBUG_MSG(3, ("found extended master secret extension")); 1442 1443 ret = ssl_parse_extended_ms_ext(ssl, ext + 4, ext_size); 1444 if (ret != 0) { 1445 return ret; 1446 } 1447 break; 1448 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */ 1449 1450 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 1451 case MBEDTLS_TLS_EXT_SESSION_TICKET: 1452 MBEDTLS_SSL_DEBUG_MSG(3, ("found session ticket extension")); 1453 1454 ret = ssl_parse_session_ticket_ext(ssl, ext + 4, ext_size); 1455 if (ret != 0) { 1456 return ret; 1457 } 1458 break; 1459 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 1460 1461 #if defined(MBEDTLS_SSL_ALPN) 1462 case MBEDTLS_TLS_EXT_ALPN: 1463 MBEDTLS_SSL_DEBUG_MSG(3, ("found alpn extension")); 1464 1465 ret = mbedtls_ssl_parse_alpn_ext(ssl, ext + 4, 1466 ext + 4 + ext_size); 1467 if (ret != 0) { 1468 return ret; 1469 } 1470 break; 1471 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 1472 1473 #if defined(MBEDTLS_SSL_DTLS_SRTP) 1474 case MBEDTLS_TLS_EXT_USE_SRTP: 1475 MBEDTLS_SSL_DEBUG_MSG(3, ("found use_srtp extension")); 1476 1477 ret = ssl_parse_use_srtp_ext(ssl, ext + 4, ext_size); 1478 if (ret != 0) { 1479 return ret; 1480 } 1481 break; 1482 #endif /* MBEDTLS_SSL_DTLS_SRTP */ 1483 1484 default: 1485 MBEDTLS_SSL_DEBUG_MSG(3, ("unknown extension found: %u (ignoring)", 1486 ext_id)); 1487 } 1488 1489 ext_len -= 4 + ext_size; 1490 ext += 4 + ext_size; 1491 } 1492 1493 #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) 1494 1495 /* 1496 * Try to fall back to default hash SHA1 if the client 1497 * hasn't provided any preferred signature-hash combinations. 1498 */ 1499 if (!sig_hash_alg_ext_present) { 1500 uint16_t *received_sig_algs = ssl->handshake->received_sig_algs; 1501 const uint16_t default_sig_algs[] = { 1502 #if defined(MBEDTLS_ECDSA_C) 1503 MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, 1504 MBEDTLS_SSL_HASH_SHA1), 1505 #endif 1506 #if defined(MBEDTLS_RSA_C) 1507 MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_RSA, 1508 MBEDTLS_SSL_HASH_SHA1), 1509 #endif 1510 MBEDTLS_TLS_SIG_NONE 1511 }; 1512 1513 MBEDTLS_STATIC_ASSERT(sizeof(default_sig_algs) / sizeof(default_sig_algs[0]) 1514 <= MBEDTLS_RECEIVED_SIG_ALGS_SIZE, 1515 "default_sig_algs is too big"); 1516 1517 memcpy(received_sig_algs, default_sig_algs, sizeof(default_sig_algs)); 1518 } 1519 1520 #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ 1521 1522 /* 1523 * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV 1524 */ 1525 for (i = 0, p = buf + ciph_offset + 2; i < ciph_len; i += 2, p += 2) { 1526 if (p[0] == 0 && p[1] == MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO) { 1527 MBEDTLS_SSL_DEBUG_MSG(3, ("received TLS_EMPTY_RENEGOTIATION_INFO ")); 1528 #if defined(MBEDTLS_SSL_RENEGOTIATION) 1529 if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) { 1530 MBEDTLS_SSL_DEBUG_MSG(1, ("received RENEGOTIATION SCSV " 1531 "during renegotiation")); 1532 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1533 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE); 1534 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; 1535 } 1536 #endif 1537 ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION; 1538 break; 1539 } 1540 } 1541 1542 /* 1543 * Renegotiation security checks 1544 */ 1545 if (ssl->secure_renegotiation != MBEDTLS_SSL_SECURE_RENEGOTIATION && 1546 ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE) { 1547 MBEDTLS_SSL_DEBUG_MSG(1, ("legacy renegotiation, breaking off handshake")); 1548 handshake_failure = 1; 1549 } 1550 #if defined(MBEDTLS_SSL_RENEGOTIATION) 1551 else if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS && 1552 ssl->secure_renegotiation == MBEDTLS_SSL_SECURE_RENEGOTIATION && 1553 renegotiation_info_seen == 0) { 1554 MBEDTLS_SSL_DEBUG_MSG(1, ("renegotiation_info extension missing (secure)")); 1555 handshake_failure = 1; 1556 } else if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS && 1557 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION && 1558 ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION) { 1559 MBEDTLS_SSL_DEBUG_MSG(1, ("legacy renegotiation not allowed")); 1560 handshake_failure = 1; 1561 } else if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS && 1562 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION && 1563 renegotiation_info_seen == 1) { 1564 MBEDTLS_SSL_DEBUG_MSG(1, ("renegotiation_info extension present (legacy)")); 1565 handshake_failure = 1; 1566 } 1567 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 1568 1569 if (handshake_failure == 1) { 1570 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1571 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE); 1572 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; 1573 } 1574 1575 /* 1576 * Server certification selection (after processing TLS extensions) 1577 */ 1578 if (ssl->conf->f_cert_cb && (ret = ssl->conf->f_cert_cb(ssl)) != 0) { 1579 MBEDTLS_SSL_DEBUG_RET(1, "f_cert_cb", ret); 1580 return ret; 1581 } 1582 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 1583 ssl->handshake->sni_name = NULL; 1584 ssl->handshake->sni_name_len = 0; 1585 #endif 1586 1587 /* 1588 * Search for a matching ciphersuite 1589 * (At the end because we need information from the EC-based extensions 1590 * and certificate from the SNI callback triggered by the SNI extension 1591 * or certificate from server certificate selection callback.) 1592 */ 1593 got_common_suite = 0; 1594 ciphersuites = ssl->conf->ciphersuite_list; 1595 ciphersuite_info = NULL; 1596 1597 if (ssl->conf->respect_cli_pref == MBEDTLS_SSL_SRV_CIPHERSUITE_ORDER_CLIENT) { 1598 for (j = 0, p = buf + ciph_offset + 2; j < ciph_len; j += 2, p += 2) { 1599 for (i = 0; ciphersuites[i] != 0; i++) { 1600 if (MBEDTLS_GET_UINT16_BE(p, 0) != ciphersuites[i]) { 1601 continue; 1602 } 1603 1604 got_common_suite = 1; 1605 1606 if ((ret = ssl_ciphersuite_match(ssl, ciphersuites[i], 1607 &ciphersuite_info)) != 0) { 1608 return ret; 1609 } 1610 1611 if (ciphersuite_info != NULL) { 1612 goto have_ciphersuite; 1613 } 1614 } 1615 } 1616 } else { 1617 for (i = 0; ciphersuites[i] != 0; i++) { 1618 for (j = 0, p = buf + ciph_offset + 2; j < ciph_len; j += 2, p += 2) { 1619 if (MBEDTLS_GET_UINT16_BE(p, 0) != ciphersuites[i]) { 1620 continue; 1621 } 1622 1623 got_common_suite = 1; 1624 1625 if ((ret = ssl_ciphersuite_match(ssl, ciphersuites[i], 1626 &ciphersuite_info)) != 0) { 1627 return ret; 1628 } 1629 1630 if (ciphersuite_info != NULL) { 1631 goto have_ciphersuite; 1632 } 1633 } 1634 } 1635 } 1636 1637 if (got_common_suite) { 1638 MBEDTLS_SSL_DEBUG_MSG(1, ("got ciphersuites in common, " 1639 "but none of them usable")); 1640 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1641 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE); 1642 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; 1643 } else { 1644 MBEDTLS_SSL_DEBUG_MSG(1, ("got no ciphersuites in common")); 1645 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1646 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE); 1647 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; 1648 } 1649 1650 have_ciphersuite: 1651 MBEDTLS_SSL_DEBUG_MSG(2, ("selected ciphersuite: %s", ciphersuite_info->name)); 1652 1653 ssl->session_negotiate->ciphersuite = ciphersuites[i]; 1654 ssl->handshake->ciphersuite_info = ciphersuite_info; 1655 1656 ssl->state++; 1657 1658 #if defined(MBEDTLS_SSL_PROTO_DTLS) 1659 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) { 1660 mbedtls_ssl_recv_flight_completed(ssl); 1661 } 1662 #endif 1663 1664 /* Debugging-only output for testsuite */ 1665 #if defined(MBEDTLS_DEBUG_C) && \ 1666 defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) 1667 mbedtls_pk_type_t sig_alg = mbedtls_ssl_get_ciphersuite_sig_alg(ciphersuite_info); 1668 if (sig_alg != MBEDTLS_PK_NONE) { 1669 unsigned int sig_hash = mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg( 1670 ssl, mbedtls_ssl_sig_from_pk_alg(sig_alg)); 1671 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello v3, signature_algorithm ext: %u", 1672 sig_hash)); 1673 } else { 1674 MBEDTLS_SSL_DEBUG_MSG(3, ("no hash algorithm for signature algorithm " 1675 "%u - should not happen", (unsigned) sig_alg)); 1676 } 1677 #endif 1678 1679 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse client hello")); 1680 1681 return 0; 1682 } 1683 1684 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) 1685 static void ssl_write_cid_ext(mbedtls_ssl_context *ssl, 1686 unsigned char *buf, 1687 size_t *olen) 1688 { 1689 unsigned char *p = buf; 1690 size_t ext_len; 1691 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN; 1692 1693 *olen = 0; 1694 1695 /* Skip writing the extension if we don't want to use it or if 1696 * the client hasn't offered it. */ 1697 if (ssl->handshake->cid_in_use == MBEDTLS_SSL_CID_DISABLED) { 1698 return; 1699 } 1700 1701 /* ssl->own_cid_len is at most MBEDTLS_SSL_CID_IN_LEN_MAX 1702 * which is at most 255, so the increment cannot overflow. */ 1703 if (end < p || (size_t) (end - p) < (unsigned) (ssl->own_cid_len + 5)) { 1704 MBEDTLS_SSL_DEBUG_MSG(1, ("buffer too small")); 1705 return; 1706 } 1707 1708 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding CID extension")); 1709 1710 /* 1711 * struct { 1712 * opaque cid<0..2^8-1>; 1713 * } ConnectionId; 1714 */ 1715 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_CID, p, 0); 1716 p += 2; 1717 ext_len = (size_t) ssl->own_cid_len + 1; 1718 MBEDTLS_PUT_UINT16_BE(ext_len, p, 0); 1719 p += 2; 1720 1721 *p++ = (uint8_t) ssl->own_cid_len; 1722 memcpy(p, ssl->own_cid, ssl->own_cid_len); 1723 1724 *olen = ssl->own_cid_len + 5; 1725 } 1726 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ 1727 1728 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM) 1729 static void ssl_write_encrypt_then_mac_ext(mbedtls_ssl_context *ssl, 1730 unsigned char *buf, 1731 size_t *olen) 1732 { 1733 unsigned char *p = buf; 1734 const mbedtls_ssl_ciphersuite_t *suite = NULL; 1735 1736 /* 1737 * RFC 7366: "If a server receives an encrypt-then-MAC request extension 1738 * from a client and then selects a stream or Authenticated Encryption 1739 * with Associated Data (AEAD) ciphersuite, it MUST NOT send an 1740 * encrypt-then-MAC response extension back to the client." 1741 */ 1742 suite = mbedtls_ssl_ciphersuite_from_id( 1743 ssl->session_negotiate->ciphersuite); 1744 if (suite == NULL) { 1745 ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_DISABLED; 1746 } else { 1747 mbedtls_ssl_mode_t ssl_mode = 1748 mbedtls_ssl_get_mode_from_ciphersuite( 1749 ssl->session_negotiate->encrypt_then_mac, 1750 suite); 1751 1752 if (ssl_mode != MBEDTLS_SSL_MODE_CBC_ETM) { 1753 ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_DISABLED; 1754 } 1755 } 1756 1757 if (ssl->session_negotiate->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED) { 1758 *olen = 0; 1759 return; 1760 } 1761 1762 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding encrypt then mac extension")); 1763 1764 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC, p, 0); 1765 p += 2; 1766 1767 *p++ = 0x00; 1768 *p++ = 0x00; 1769 1770 *olen = 4; 1771 } 1772 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */ 1773 1774 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 1775 static void ssl_write_extended_ms_ext(mbedtls_ssl_context *ssl, 1776 unsigned char *buf, 1777 size_t *olen) 1778 { 1779 unsigned char *p = buf; 1780 1781 if (ssl->handshake->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED) { 1782 *olen = 0; 1783 return; 1784 } 1785 1786 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding extended master secret " 1787 "extension")); 1788 1789 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET, p, 0); 1790 p += 2; 1791 1792 *p++ = 0x00; 1793 *p++ = 0x00; 1794 1795 *olen = 4; 1796 } 1797 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */ 1798 1799 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 1800 static void ssl_write_session_ticket_ext(mbedtls_ssl_context *ssl, 1801 unsigned char *buf, 1802 size_t *olen) 1803 { 1804 unsigned char *p = buf; 1805 1806 if (ssl->handshake->new_session_ticket == 0) { 1807 *olen = 0; 1808 return; 1809 } 1810 1811 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding session ticket extension")); 1812 1813 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_SESSION_TICKET, p, 0); 1814 p += 2; 1815 1816 *p++ = 0x00; 1817 *p++ = 0x00; 1818 1819 *olen = 4; 1820 } 1821 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 1822 1823 static void ssl_write_renegotiation_ext(mbedtls_ssl_context *ssl, 1824 unsigned char *buf, 1825 size_t *olen) 1826 { 1827 unsigned char *p = buf; 1828 1829 if (ssl->secure_renegotiation != MBEDTLS_SSL_SECURE_RENEGOTIATION) { 1830 *olen = 0; 1831 return; 1832 } 1833 1834 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, secure renegotiation extension")); 1835 1836 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_RENEGOTIATION_INFO, p, 0); 1837 p += 2; 1838 1839 #if defined(MBEDTLS_SSL_RENEGOTIATION) 1840 if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) { 1841 *p++ = 0x00; 1842 *p++ = (ssl->verify_data_len * 2 + 1) & 0xFF; 1843 *p++ = ssl->verify_data_len * 2 & 0xFF; 1844 1845 memcpy(p, ssl->peer_verify_data, ssl->verify_data_len); 1846 p += ssl->verify_data_len; 1847 memcpy(p, ssl->own_verify_data, ssl->verify_data_len); 1848 p += ssl->verify_data_len; 1849 } else 1850 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 1851 { 1852 *p++ = 0x00; 1853 *p++ = 0x01; 1854 *p++ = 0x00; 1855 } 1856 1857 *olen = p - buf; 1858 } 1859 1860 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 1861 static void ssl_write_max_fragment_length_ext(mbedtls_ssl_context *ssl, 1862 unsigned char *buf, 1863 size_t *olen) 1864 { 1865 unsigned char *p = buf; 1866 1867 if (ssl->session_negotiate->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE) { 1868 *olen = 0; 1869 return; 1870 } 1871 1872 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, max_fragment_length extension")); 1873 1874 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH, p, 0); 1875 p += 2; 1876 1877 *p++ = 0x00; 1878 *p++ = 1; 1879 1880 *p++ = ssl->session_negotiate->mfl_code; 1881 1882 *olen = 5; 1883 } 1884 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ 1885 1886 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ 1887 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 1888 static void ssl_write_supported_point_formats_ext(mbedtls_ssl_context *ssl, 1889 unsigned char *buf, 1890 size_t *olen) 1891 { 1892 unsigned char *p = buf; 1893 ((void) ssl); 1894 1895 if ((ssl->handshake->cli_exts & 1896 MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT) == 0) { 1897 *olen = 0; 1898 return; 1899 } 1900 1901 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, supported_point_formats extension")); 1902 1903 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS, p, 0); 1904 p += 2; 1905 1906 *p++ = 0x00; 1907 *p++ = 2; 1908 1909 *p++ = 1; 1910 *p++ = MBEDTLS_ECP_PF_UNCOMPRESSED; 1911 1912 *olen = 6; 1913 } 1914 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 1915 1916 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 1917 static void ssl_write_ecjpake_kkpp_ext(mbedtls_ssl_context *ssl, 1918 unsigned char *buf, 1919 size_t *olen) 1920 { 1921 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1922 unsigned char *p = buf; 1923 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN; 1924 size_t kkpp_len; 1925 1926 *olen = 0; 1927 1928 /* Skip costly computation if not needed */ 1929 if (ssl->handshake->ciphersuite_info->key_exchange != 1930 MBEDTLS_KEY_EXCHANGE_ECJPAKE) { 1931 return; 1932 } 1933 1934 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, ecjpake kkpp extension")); 1935 1936 if (end - p < 4) { 1937 MBEDTLS_SSL_DEBUG_MSG(1, ("buffer too small")); 1938 return; 1939 } 1940 1941 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_ECJPAKE_KKPP, p, 0); 1942 p += 2; 1943 1944 #if defined(MBEDTLS_USE_PSA_CRYPTO) 1945 ret = mbedtls_psa_ecjpake_write_round(&ssl->handshake->psa_pake_ctx, 1946 p + 2, end - p - 2, &kkpp_len, 1947 MBEDTLS_ECJPAKE_ROUND_ONE); 1948 if (ret != 0) { 1949 psa_destroy_key(ssl->handshake->psa_pake_password); 1950 psa_pake_abort(&ssl->handshake->psa_pake_ctx); 1951 MBEDTLS_SSL_DEBUG_RET(1, "psa_pake_output", ret); 1952 return; 1953 } 1954 #else 1955 ret = mbedtls_ecjpake_write_round_one(&ssl->handshake->ecjpake_ctx, 1956 p + 2, end - p - 2, &kkpp_len, 1957 ssl->conf->f_rng, ssl->conf->p_rng); 1958 if (ret != 0) { 1959 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_write_round_one", ret); 1960 return; 1961 } 1962 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 1963 1964 MBEDTLS_PUT_UINT16_BE(kkpp_len, p, 0); 1965 p += 2; 1966 1967 *olen = kkpp_len + 4; 1968 } 1969 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 1970 1971 #if defined(MBEDTLS_SSL_DTLS_SRTP) && defined(MBEDTLS_SSL_PROTO_DTLS) 1972 static void ssl_write_use_srtp_ext(mbedtls_ssl_context *ssl, 1973 unsigned char *buf, 1974 size_t *olen) 1975 { 1976 size_t mki_len = 0, ext_len = 0; 1977 uint16_t profile_value = 0; 1978 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN; 1979 1980 *olen = 0; 1981 1982 if ((ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) || 1983 (ssl->dtls_srtp_info.chosen_dtls_srtp_profile == MBEDTLS_TLS_SRTP_UNSET)) { 1984 return; 1985 } 1986 1987 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding use_srtp extension")); 1988 1989 if (ssl->conf->dtls_srtp_mki_support == MBEDTLS_SSL_DTLS_SRTP_MKI_SUPPORTED) { 1990 mki_len = ssl->dtls_srtp_info.mki_len; 1991 } 1992 1993 /* The extension total size is 9 bytes : 1994 * - 2 bytes for the extension tag 1995 * - 2 bytes for the total size 1996 * - 2 bytes for the protection profile length 1997 * - 2 bytes for the protection profile 1998 * - 1 byte for the mki length 1999 * + the actual mki length 2000 * Check we have enough room in the output buffer */ 2001 if ((size_t) (end - buf) < mki_len + 9) { 2002 MBEDTLS_SSL_DEBUG_MSG(1, ("buffer too small")); 2003 return; 2004 } 2005 2006 /* extension */ 2007 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_USE_SRTP, buf, 0); 2008 /* 2009 * total length 5 and mki value: only one profile(2 bytes) 2010 * and length(2 bytes) and srtp_mki ) 2011 */ 2012 ext_len = 5 + mki_len; 2013 MBEDTLS_PUT_UINT16_BE(ext_len, buf, 2); 2014 2015 /* protection profile length: 2 */ 2016 buf[4] = 0x00; 2017 buf[5] = 0x02; 2018 profile_value = mbedtls_ssl_check_srtp_profile_value( 2019 ssl->dtls_srtp_info.chosen_dtls_srtp_profile); 2020 if (profile_value != MBEDTLS_TLS_SRTP_UNSET) { 2021 MBEDTLS_PUT_UINT16_BE(profile_value, buf, 6); 2022 } else { 2023 MBEDTLS_SSL_DEBUG_MSG(1, ("use_srtp extension invalid profile")); 2024 return; 2025 } 2026 2027 buf[8] = mki_len & 0xFF; 2028 memcpy(&buf[9], ssl->dtls_srtp_info.mki_value, mki_len); 2029 2030 *olen = 9 + mki_len; 2031 } 2032 #endif /* MBEDTLS_SSL_DTLS_SRTP */ 2033 2034 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) 2035 MBEDTLS_CHECK_RETURN_CRITICAL 2036 static int ssl_write_hello_verify_request(mbedtls_ssl_context *ssl) 2037 { 2038 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 2039 unsigned char *p = ssl->out_msg + 4; 2040 unsigned char *cookie_len_byte; 2041 2042 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write hello verify request")); 2043 2044 /* 2045 * struct { 2046 * ProtocolVersion server_version; 2047 * opaque cookie<0..2^8-1>; 2048 * } HelloVerifyRequest; 2049 */ 2050 2051 /* The RFC is not clear on this point, but sending the actual negotiated 2052 * version looks like the most interoperable thing to do. */ 2053 mbedtls_ssl_write_version(p, ssl->conf->transport, ssl->tls_version); 2054 MBEDTLS_SSL_DEBUG_BUF(3, "server version", p, 2); 2055 p += 2; 2056 2057 /* If we get here, f_cookie_check is not null */ 2058 if (ssl->conf->f_cookie_write == NULL) { 2059 MBEDTLS_SSL_DEBUG_MSG(1, ("inconsistent cookie callbacks")); 2060 return MBEDTLS_ERR_SSL_INTERNAL_ERROR; 2061 } 2062 2063 /* Skip length byte until we know the length */ 2064 cookie_len_byte = p++; 2065 2066 if ((ret = ssl->conf->f_cookie_write(ssl->conf->p_cookie, 2067 &p, ssl->out_buf + MBEDTLS_SSL_OUT_BUFFER_LEN, 2068 ssl->cli_id, ssl->cli_id_len)) != 0) { 2069 MBEDTLS_SSL_DEBUG_RET(1, "f_cookie_write", ret); 2070 return ret; 2071 } 2072 2073 *cookie_len_byte = (unsigned char) (p - (cookie_len_byte + 1)); 2074 2075 MBEDTLS_SSL_DEBUG_BUF(3, "cookie sent", cookie_len_byte + 1, *cookie_len_byte); 2076 2077 ssl->out_msglen = p - ssl->out_msg; 2078 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; 2079 ssl->out_msg[0] = MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST; 2080 2081 ssl->state = MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT; 2082 2083 if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) { 2084 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret); 2085 return ret; 2086 } 2087 2088 #if defined(MBEDTLS_SSL_PROTO_DTLS) 2089 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 2090 (ret = mbedtls_ssl_flight_transmit(ssl)) != 0) { 2091 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_flight_transmit", ret); 2092 return ret; 2093 } 2094 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 2095 2096 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write hello verify request")); 2097 2098 return 0; 2099 } 2100 #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */ 2101 2102 static void ssl_handle_id_based_session_resumption(mbedtls_ssl_context *ssl) 2103 { 2104 int ret; 2105 mbedtls_ssl_session session_tmp; 2106 mbedtls_ssl_session * const session = ssl->session_negotiate; 2107 2108 /* Resume is 0 by default, see ssl_handshake_init(). 2109 * It may be already set to 1 by ssl_parse_session_ticket_ext(). */ 2110 if (ssl->handshake->resume == 1) { 2111 return; 2112 } 2113 if (session->id_len == 0) { 2114 return; 2115 } 2116 if (ssl->conf->f_get_cache == NULL) { 2117 return; 2118 } 2119 #if defined(MBEDTLS_SSL_RENEGOTIATION) 2120 if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) { 2121 return; 2122 } 2123 #endif 2124 2125 mbedtls_ssl_session_init(&session_tmp); 2126 2127 ret = ssl->conf->f_get_cache(ssl->conf->p_cache, 2128 session->id, 2129 session->id_len, 2130 &session_tmp); 2131 if (ret != 0) { 2132 goto exit; 2133 } 2134 2135 if (session->ciphersuite != session_tmp.ciphersuite) { 2136 /* Mismatch between cached and negotiated session */ 2137 goto exit; 2138 } 2139 2140 /* Move semantics */ 2141 mbedtls_ssl_session_free(session); 2142 *session = session_tmp; 2143 memset(&session_tmp, 0, sizeof(session_tmp)); 2144 2145 MBEDTLS_SSL_DEBUG_MSG(3, ("session successfully restored from cache")); 2146 ssl->handshake->resume = 1; 2147 2148 exit: 2149 2150 mbedtls_ssl_session_free(&session_tmp); 2151 } 2152 2153 MBEDTLS_CHECK_RETURN_CRITICAL 2154 static int ssl_write_server_hello(mbedtls_ssl_context *ssl) 2155 { 2156 #if defined(MBEDTLS_HAVE_TIME) 2157 mbedtls_time_t t; 2158 #endif 2159 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 2160 size_t olen, ext_len = 0, n; 2161 unsigned char *buf, *p; 2162 2163 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write server hello")); 2164 2165 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) 2166 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 2167 ssl->handshake->cookie_verify_result != 0) { 2168 MBEDTLS_SSL_DEBUG_MSG(2, ("client hello was not authenticated")); 2169 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write server hello")); 2170 2171 return ssl_write_hello_verify_request(ssl); 2172 } 2173 #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */ 2174 2175 if (ssl->conf->f_rng == NULL) { 2176 MBEDTLS_SSL_DEBUG_MSG(1, ("no RNG provided")); 2177 return MBEDTLS_ERR_SSL_NO_RNG; 2178 } 2179 2180 /* 2181 * 0 . 0 handshake type 2182 * 1 . 3 handshake length 2183 * 4 . 5 protocol version 2184 * 6 . 9 UNIX time() 2185 * 10 . 37 random bytes 2186 */ 2187 buf = ssl->out_msg; 2188 p = buf + 4; 2189 2190 mbedtls_ssl_write_version(p, ssl->conf->transport, ssl->tls_version); 2191 p += 2; 2192 2193 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, chosen version: [%d:%d]", 2194 buf[4], buf[5])); 2195 2196 #if defined(MBEDTLS_HAVE_TIME) 2197 t = mbedtls_time(NULL); 2198 MBEDTLS_PUT_UINT32_BE(t, p, 0); 2199 p += 4; 2200 2201 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, current time: %" MBEDTLS_PRINTF_LONGLONG, 2202 (long long) t)); 2203 #else 2204 if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, p, 4)) != 0) { 2205 return ret; 2206 } 2207 2208 p += 4; 2209 #endif /* MBEDTLS_HAVE_TIME */ 2210 2211 if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, p, 28)) != 0) { 2212 return ret; 2213 } 2214 2215 p += 28; 2216 2217 memcpy(ssl->handshake->randbytes + 32, buf + 6, 32); 2218 2219 MBEDTLS_SSL_DEBUG_BUF(3, "server hello, random bytes", buf + 6, 32); 2220 2221 ssl_handle_id_based_session_resumption(ssl); 2222 2223 if (ssl->handshake->resume == 0) { 2224 /* 2225 * New session, create a new session id, 2226 * unless we're about to issue a session ticket 2227 */ 2228 ssl->state++; 2229 2230 #if defined(MBEDTLS_HAVE_TIME) 2231 ssl->session_negotiate->start = mbedtls_time(NULL); 2232 #endif 2233 2234 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 2235 if (ssl->handshake->new_session_ticket != 0) { 2236 ssl->session_negotiate->id_len = n = 0; 2237 memset(ssl->session_negotiate->id, 0, 32); 2238 } else 2239 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 2240 { 2241 ssl->session_negotiate->id_len = n = 32; 2242 if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, ssl->session_negotiate->id, 2243 n)) != 0) { 2244 return ret; 2245 } 2246 } 2247 } else { 2248 /* 2249 * Resuming a session 2250 */ 2251 n = ssl->session_negotiate->id_len; 2252 ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC; 2253 2254 if ((ret = mbedtls_ssl_derive_keys(ssl)) != 0) { 2255 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_derive_keys", ret); 2256 return ret; 2257 } 2258 } 2259 2260 /* 2261 * 38 . 38 session id length 2262 * 39 . 38+n session id 2263 * 39+n . 40+n chosen ciphersuite 2264 * 41+n . 41+n chosen compression alg. 2265 * 42+n . 43+n extensions length 2266 * 44+n . 43+n+m extensions 2267 */ 2268 *p++ = (unsigned char) ssl->session_negotiate->id_len; 2269 memcpy(p, ssl->session_negotiate->id, ssl->session_negotiate->id_len); 2270 p += ssl->session_negotiate->id_len; 2271 2272 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, session id len.: %" MBEDTLS_PRINTF_SIZET, n)); 2273 MBEDTLS_SSL_DEBUG_BUF(3, "server hello, session id", buf + 39, n); 2274 MBEDTLS_SSL_DEBUG_MSG(3, ("%s session has been resumed", 2275 ssl->handshake->resume ? "a" : "no")); 2276 2277 MBEDTLS_PUT_UINT16_BE(ssl->session_negotiate->ciphersuite, p, 0); 2278 p += 2; 2279 *p++ = MBEDTLS_BYTE_0(MBEDTLS_SSL_COMPRESS_NULL); 2280 2281 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, chosen ciphersuite: %s", 2282 mbedtls_ssl_get_ciphersuite_name(ssl->session_negotiate->ciphersuite))); 2283 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, compress alg.: 0x%02X", 2284 (unsigned int) MBEDTLS_SSL_COMPRESS_NULL)); 2285 2286 /* 2287 * First write extensions, then the total length 2288 */ 2289 ssl_write_renegotiation_ext(ssl, p + 2 + ext_len, &olen); 2290 ext_len += olen; 2291 2292 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 2293 ssl_write_max_fragment_length_ext(ssl, p + 2 + ext_len, &olen); 2294 ext_len += olen; 2295 #endif 2296 2297 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) 2298 ssl_write_cid_ext(ssl, p + 2 + ext_len, &olen); 2299 ext_len += olen; 2300 #endif 2301 2302 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM) 2303 ssl_write_encrypt_then_mac_ext(ssl, p + 2 + ext_len, &olen); 2304 ext_len += olen; 2305 #endif 2306 2307 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 2308 ssl_write_extended_ms_ext(ssl, p + 2 + ext_len, &olen); 2309 ext_len += olen; 2310 #endif 2311 2312 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 2313 ssl_write_session_ticket_ext(ssl, p + 2 + ext_len, &olen); 2314 ext_len += olen; 2315 #endif 2316 2317 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ 2318 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 2319 const mbedtls_ssl_ciphersuite_t *suite = 2320 mbedtls_ssl_ciphersuite_from_id(ssl->session_negotiate->ciphersuite); 2321 if (suite != NULL && mbedtls_ssl_ciphersuite_uses_ec(suite)) { 2322 ssl_write_supported_point_formats_ext(ssl, p + 2 + ext_len, &olen); 2323 ext_len += olen; 2324 } 2325 #endif 2326 2327 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 2328 ssl_write_ecjpake_kkpp_ext(ssl, p + 2 + ext_len, &olen); 2329 ext_len += olen; 2330 #endif 2331 2332 #if defined(MBEDTLS_SSL_ALPN) 2333 unsigned char *end = buf + MBEDTLS_SSL_OUT_CONTENT_LEN - 4; 2334 if ((ret = mbedtls_ssl_write_alpn_ext(ssl, p + 2 + ext_len, end, &olen)) 2335 != 0) { 2336 return ret; 2337 } 2338 2339 ext_len += olen; 2340 #endif 2341 2342 #if defined(MBEDTLS_SSL_DTLS_SRTP) 2343 ssl_write_use_srtp_ext(ssl, p + 2 + ext_len, &olen); 2344 ext_len += olen; 2345 #endif 2346 2347 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, total extension length: %" MBEDTLS_PRINTF_SIZET, 2348 ext_len)); 2349 2350 if (ext_len > 0) { 2351 MBEDTLS_PUT_UINT16_BE(ext_len, p, 0); 2352 p += 2 + ext_len; 2353 } 2354 2355 ssl->out_msglen = p - buf; 2356 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; 2357 ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_HELLO; 2358 2359 ret = mbedtls_ssl_write_handshake_msg(ssl); 2360 2361 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write server hello")); 2362 2363 return ret; 2364 } 2365 2366 #if !defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED) 2367 MBEDTLS_CHECK_RETURN_CRITICAL 2368 static int ssl_write_certificate_request(mbedtls_ssl_context *ssl) 2369 { 2370 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = 2371 ssl->handshake->ciphersuite_info; 2372 2373 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate request")); 2374 2375 if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) { 2376 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate request")); 2377 ssl->state++; 2378 return 0; 2379 } 2380 2381 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); 2382 return MBEDTLS_ERR_SSL_INTERNAL_ERROR; 2383 } 2384 #else /* !MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */ 2385 MBEDTLS_CHECK_RETURN_CRITICAL 2386 static int ssl_write_certificate_request(mbedtls_ssl_context *ssl) 2387 { 2388 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 2389 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = 2390 ssl->handshake->ciphersuite_info; 2391 uint16_t dn_size, total_dn_size; /* excluding length bytes */ 2392 size_t ct_len, sa_len; /* including length bytes */ 2393 unsigned char *buf, *p; 2394 const unsigned char * const end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN; 2395 const mbedtls_x509_crt *crt; 2396 int authmode; 2397 2398 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate request")); 2399 2400 ssl->state++; 2401 2402 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 2403 if (ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET) { 2404 authmode = ssl->handshake->sni_authmode; 2405 } else 2406 #endif 2407 authmode = ssl->conf->authmode; 2408 2409 if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info) || 2410 authmode == MBEDTLS_SSL_VERIFY_NONE) { 2411 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate request")); 2412 return 0; 2413 } 2414 2415 /* 2416 * 0 . 0 handshake type 2417 * 1 . 3 handshake length 2418 * 4 . 4 cert type count 2419 * 5 .. m-1 cert types 2420 * m .. m+1 sig alg length (TLS 1.2 only) 2421 * m+1 .. n-1 SignatureAndHashAlgorithms (TLS 1.2 only) 2422 * n .. n+1 length of all DNs 2423 * n+2 .. n+3 length of DN 1 2424 * n+4 .. ... Distinguished Name #1 2425 * ... .. ... length of DN 2, etc. 2426 */ 2427 buf = ssl->out_msg; 2428 p = buf + 4; 2429 2430 /* 2431 * Supported certificate types 2432 * 2433 * ClientCertificateType certificate_types<1..2^8-1>; 2434 * enum { (255) } ClientCertificateType; 2435 */ 2436 ct_len = 0; 2437 2438 #if defined(MBEDTLS_RSA_C) 2439 p[1 + ct_len++] = MBEDTLS_SSL_CERT_TYPE_RSA_SIGN; 2440 #endif 2441 #if defined(MBEDTLS_ECDSA_C) 2442 p[1 + ct_len++] = MBEDTLS_SSL_CERT_TYPE_ECDSA_SIGN; 2443 #endif 2444 2445 p[0] = (unsigned char) ct_len++; 2446 p += ct_len; 2447 2448 sa_len = 0; 2449 2450 /* 2451 * Add signature_algorithms for verify (TLS 1.2) 2452 * 2453 * SignatureAndHashAlgorithm supported_signature_algorithms<2..2^16-2>; 2454 * 2455 * struct { 2456 * HashAlgorithm hash; 2457 * SignatureAlgorithm signature; 2458 * } SignatureAndHashAlgorithm; 2459 * 2460 * enum { (255) } HashAlgorithm; 2461 * enum { (255) } SignatureAlgorithm; 2462 */ 2463 const uint16_t *sig_alg = mbedtls_ssl_get_sig_algs(ssl); 2464 if (sig_alg == NULL) { 2465 return MBEDTLS_ERR_SSL_BAD_CONFIG; 2466 } 2467 2468 for (; *sig_alg != MBEDTLS_TLS_SIG_NONE; sig_alg++) { 2469 unsigned char hash = MBEDTLS_BYTE_1(*sig_alg); 2470 2471 if (mbedtls_ssl_set_calc_verify_md(ssl, hash)) { 2472 continue; 2473 } 2474 if (!mbedtls_ssl_sig_alg_is_supported(ssl, *sig_alg)) { 2475 continue; 2476 } 2477 2478 /* Write elements at offsets starting from 1 (offset 0 is for the 2479 * length). Thus the offset of each element is the length of the 2480 * partial list including that element. */ 2481 sa_len += 2; 2482 MBEDTLS_PUT_UINT16_BE(*sig_alg, p, sa_len); 2483 2484 } 2485 2486 /* Fill in list length. */ 2487 MBEDTLS_PUT_UINT16_BE(sa_len, p, 0); 2488 sa_len += 2; 2489 p += sa_len; 2490 2491 /* 2492 * DistinguishedName certificate_authorities<0..2^16-1>; 2493 * opaque DistinguishedName<1..2^16-1>; 2494 */ 2495 p += 2; 2496 2497 total_dn_size = 0; 2498 2499 if (ssl->conf->cert_req_ca_list == MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED) { 2500 /* NOTE: If trusted certificates are provisioned 2501 * via a CA callback (configured through 2502 * `mbedtls_ssl_conf_ca_cb()`, then the 2503 * CertificateRequest is currently left empty. */ 2504 2505 #if defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED) 2506 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 2507 if (ssl->handshake->dn_hints != NULL) { 2508 crt = ssl->handshake->dn_hints; 2509 } else 2510 #endif 2511 if (ssl->conf->dn_hints != NULL) { 2512 crt = ssl->conf->dn_hints; 2513 } else 2514 #endif 2515 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 2516 if (ssl->handshake->sni_ca_chain != NULL) { 2517 crt = ssl->handshake->sni_ca_chain; 2518 } else 2519 #endif 2520 crt = ssl->conf->ca_chain; 2521 2522 while (crt != NULL && crt->version != 0) { 2523 /* It follows from RFC 5280 A.1 that this length 2524 * can be represented in at most 11 bits. */ 2525 dn_size = (uint16_t) crt->subject_raw.len; 2526 2527 if (end < p || (size_t) (end - p) < 2 + (size_t) dn_size) { 2528 MBEDTLS_SSL_DEBUG_MSG(1, ("skipping CAs: buffer too short")); 2529 break; 2530 } 2531 2532 MBEDTLS_PUT_UINT16_BE(dn_size, p, 0); 2533 p += 2; 2534 memcpy(p, crt->subject_raw.p, dn_size); 2535 p += dn_size; 2536 2537 MBEDTLS_SSL_DEBUG_BUF(3, "requested DN", p - dn_size, dn_size); 2538 2539 total_dn_size += 2 + dn_size; 2540 crt = crt->next; 2541 } 2542 } 2543 2544 ssl->out_msglen = p - buf; 2545 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; 2546 ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE_REQUEST; 2547 MBEDTLS_PUT_UINT16_BE(total_dn_size, ssl->out_msg, 4 + ct_len + sa_len); 2548 2549 ret = mbedtls_ssl_write_handshake_msg(ssl); 2550 2551 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write certificate request")); 2552 2553 return ret; 2554 } 2555 #endif /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */ 2556 2557 #if defined(MBEDTLS_USE_PSA_CRYPTO) && \ 2558 (defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ 2559 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)) 2560 MBEDTLS_CHECK_RETURN_CRITICAL 2561 static int ssl_get_ecdh_params_from_cert(mbedtls_ssl_context *ssl) 2562 { 2563 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 2564 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; 2565 unsigned char buf[ 2566 PSA_KEY_EXPORT_ECC_KEY_PAIR_MAX_SIZE(PSA_VENDOR_ECC_MAX_CURVE_BITS)]; 2567 psa_key_attributes_t key_attributes = PSA_KEY_ATTRIBUTES_INIT; 2568 uint16_t tls_id = 0; 2569 psa_ecc_family_t ecc_family; 2570 size_t key_len; 2571 mbedtls_pk_context *pk; 2572 mbedtls_ecp_keypair *key; 2573 2574 pk = mbedtls_ssl_own_key(ssl); 2575 2576 if (pk == NULL) { 2577 return MBEDTLS_ERR_ECP_BAD_INPUT_DATA; 2578 } 2579 2580 switch (mbedtls_pk_get_type(pk)) { 2581 case MBEDTLS_PK_OPAQUE: 2582 if (!mbedtls_pk_can_do(pk, MBEDTLS_PK_ECKEY)) { 2583 return MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH; 2584 } 2585 2586 ssl->handshake->ecdh_psa_privkey = 2587 *((mbedtls_svc_key_id_t *) pk->pk_ctx); 2588 2589 /* Key should not be destroyed in the TLS library */ 2590 ssl->handshake->ecdh_psa_privkey_is_external = 1; 2591 2592 status = psa_get_key_attributes(ssl->handshake->ecdh_psa_privkey, 2593 &key_attributes); 2594 if (status != PSA_SUCCESS) { 2595 ssl->handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT; 2596 return PSA_TO_MBEDTLS_ERR(status); 2597 } 2598 2599 ssl->handshake->ecdh_psa_type = psa_get_key_type(&key_attributes); 2600 ssl->handshake->ecdh_bits = psa_get_key_bits(&key_attributes); 2601 2602 psa_reset_key_attributes(&key_attributes); 2603 2604 ret = 0; 2605 break; 2606 case MBEDTLS_PK_ECKEY: 2607 case MBEDTLS_PK_ECKEY_DH: 2608 case MBEDTLS_PK_ECDSA: 2609 key = mbedtls_pk_ec(*pk); 2610 if (key == NULL) { 2611 return MBEDTLS_ERR_ECP_BAD_INPUT_DATA; 2612 } 2613 2614 tls_id = mbedtls_ssl_get_tls_id_from_ecp_group_id(key->grp.id); 2615 if (tls_id == 0) { 2616 /* This elliptic curve is not supported */ 2617 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; 2618 } 2619 2620 /* If the above conversion to TLS ID was fine, then also this one will 2621 be, so there is no need to check the return value here */ 2622 mbedtls_ssl_get_psa_curve_info_from_tls_id(tls_id, &ecc_family, 2623 &ssl->handshake->ecdh_bits); 2624 2625 ssl->handshake->ecdh_psa_type = PSA_KEY_TYPE_ECC_KEY_PAIR(ecc_family); 2626 2627 key_attributes = psa_key_attributes_init(); 2628 psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE); 2629 psa_set_key_algorithm(&key_attributes, PSA_ALG_ECDH); 2630 psa_set_key_type(&key_attributes, 2631 PSA_KEY_TYPE_ECC_KEY_PAIR(ssl->handshake->ecdh_psa_type)); 2632 psa_set_key_bits(&key_attributes, ssl->handshake->ecdh_bits); 2633 2634 key_len = PSA_BITS_TO_BYTES(key->grp.pbits); 2635 ret = mbedtls_ecp_write_key(key, buf, key_len); 2636 if (ret != 0) { 2637 goto cleanup; 2638 } 2639 2640 status = psa_import_key(&key_attributes, buf, key_len, 2641 &ssl->handshake->ecdh_psa_privkey); 2642 if (status != PSA_SUCCESS) { 2643 ret = PSA_TO_MBEDTLS_ERR(status); 2644 goto cleanup; 2645 } 2646 2647 ret = 0; 2648 break; 2649 default: 2650 ret = MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH; 2651 } 2652 2653 cleanup: 2654 mbedtls_platform_zeroize(buf, sizeof(buf)); 2655 2656 return ret; 2657 } 2658 #elif defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ 2659 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) 2660 MBEDTLS_CHECK_RETURN_CRITICAL 2661 static int ssl_get_ecdh_params_from_cert(mbedtls_ssl_context *ssl) 2662 { 2663 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 2664 2665 const mbedtls_pk_context *private_key = mbedtls_ssl_own_key(ssl); 2666 if (private_key == NULL) { 2667 MBEDTLS_SSL_DEBUG_MSG(1, ("got no server private key")); 2668 return MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED; 2669 } 2670 2671 if (!mbedtls_pk_can_do(private_key, MBEDTLS_PK_ECKEY)) { 2672 MBEDTLS_SSL_DEBUG_MSG(1, ("server key not ECDH capable")); 2673 return MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH; 2674 } 2675 2676 if ((ret = mbedtls_ecdh_get_params(&ssl->handshake->ecdh_ctx, 2677 mbedtls_pk_ec(*mbedtls_ssl_own_key(ssl)), 2678 MBEDTLS_ECDH_OURS)) != 0) { 2679 MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ecdh_get_params"), ret); 2680 return ret; 2681 } 2682 2683 return 0; 2684 } 2685 #endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || 2686 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ 2687 2688 #if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) && \ 2689 defined(MBEDTLS_SSL_ASYNC_PRIVATE) 2690 MBEDTLS_CHECK_RETURN_CRITICAL 2691 static int ssl_resume_server_key_exchange(mbedtls_ssl_context *ssl, 2692 size_t *signature_len) 2693 { 2694 /* Append the signature to ssl->out_msg, leaving 2 bytes for the 2695 * signature length which will be added in ssl_write_server_key_exchange 2696 * after the call to ssl_prepare_server_key_exchange. 2697 * ssl_write_server_key_exchange also takes care of incrementing 2698 * ssl->out_msglen. */ 2699 unsigned char *sig_start = ssl->out_msg + ssl->out_msglen + 2; 2700 size_t sig_max_len = (ssl->out_buf + MBEDTLS_SSL_OUT_CONTENT_LEN 2701 - sig_start); 2702 int ret = ssl->conf->f_async_resume(ssl, 2703 sig_start, signature_len, sig_max_len); 2704 if (ret != MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS) { 2705 ssl->handshake->async_in_progress = 0; 2706 mbedtls_ssl_set_async_operation_data(ssl, NULL); 2707 } 2708 MBEDTLS_SSL_DEBUG_RET(2, "ssl_resume_server_key_exchange", ret); 2709 return ret; 2710 } 2711 #endif /* defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) && 2712 defined(MBEDTLS_SSL_ASYNC_PRIVATE) */ 2713 2714 /* Prepare the ServerKeyExchange message, up to and including 2715 * calculating the signature if any, but excluding formatting the 2716 * signature and sending the message. */ 2717 MBEDTLS_CHECK_RETURN_CRITICAL 2718 static int ssl_prepare_server_key_exchange(mbedtls_ssl_context *ssl, 2719 size_t *signature_len) 2720 { 2721 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = 2722 ssl->handshake->ciphersuite_info; 2723 2724 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PFS_ENABLED) 2725 #if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) 2726 unsigned char *dig_signed = NULL; 2727 #endif /* MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED */ 2728 #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PFS_ENABLED */ 2729 2730 (void) ciphersuite_info; /* unused in some configurations */ 2731 #if !defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) 2732 (void) signature_len; 2733 #endif /* MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED */ 2734 2735 #if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) 2736 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH) 2737 size_t out_buf_len = ssl->out_buf_len - (ssl->out_msg - ssl->out_buf); 2738 #else 2739 size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN - (ssl->out_msg - ssl->out_buf); 2740 #endif 2741 #endif 2742 2743 ssl->out_msglen = 4; /* header (type:1, length:3) to be written later */ 2744 2745 /* 2746 * 2747 * Part 1: Provide key exchange parameters for chosen ciphersuite. 2748 * 2749 */ 2750 2751 /* 2752 * - ECJPAKE key exchanges 2753 */ 2754 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 2755 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE) { 2756 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 2757 #if defined(MBEDTLS_USE_PSA_CRYPTO) 2758 unsigned char *out_p = ssl->out_msg + ssl->out_msglen; 2759 unsigned char *end_p = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN - 2760 ssl->out_msglen; 2761 size_t output_offset = 0; 2762 size_t output_len = 0; 2763 2764 /* 2765 * The first 3 bytes are: 2766 * [0] MBEDTLS_ECP_TLS_NAMED_CURVE 2767 * [1, 2] elliptic curve's TLS ID 2768 * 2769 * However since we only support secp256r1 for now, we hardcode its 2770 * TLS ID here 2771 */ 2772 uint16_t tls_id = mbedtls_ssl_get_tls_id_from_ecp_group_id( 2773 MBEDTLS_ECP_DP_SECP256R1); 2774 if (tls_id == 0) { 2775 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 2776 } 2777 *out_p = MBEDTLS_ECP_TLS_NAMED_CURVE; 2778 MBEDTLS_PUT_UINT16_BE(tls_id, out_p, 1); 2779 output_offset += 3; 2780 2781 ret = mbedtls_psa_ecjpake_write_round(&ssl->handshake->psa_pake_ctx, 2782 out_p + output_offset, 2783 end_p - out_p - output_offset, &output_len, 2784 MBEDTLS_ECJPAKE_ROUND_TWO); 2785 if (ret != 0) { 2786 psa_destroy_key(ssl->handshake->psa_pake_password); 2787 psa_pake_abort(&ssl->handshake->psa_pake_ctx); 2788 MBEDTLS_SSL_DEBUG_RET(1, "psa_pake_output", ret); 2789 return ret; 2790 } 2791 2792 output_offset += output_len; 2793 ssl->out_msglen += output_offset; 2794 #else 2795 size_t len = 0; 2796 2797 ret = mbedtls_ecjpake_write_round_two( 2798 &ssl->handshake->ecjpake_ctx, 2799 ssl->out_msg + ssl->out_msglen, 2800 MBEDTLS_SSL_OUT_CONTENT_LEN - ssl->out_msglen, &len, 2801 ssl->conf->f_rng, ssl->conf->p_rng); 2802 if (ret != 0) { 2803 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_write_round_two", ret); 2804 return ret; 2805 } 2806 2807 ssl->out_msglen += len; 2808 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 2809 } 2810 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 2811 2812 /* 2813 * For (EC)DHE key exchanges with PSK, parameters are prefixed by support 2814 * identity hint (RFC 4279, Sec. 3). Until someone needs this feature, 2815 * we use empty support identity hints here. 2816 **/ 2817 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) || \ 2818 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) 2819 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || 2820 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK) { 2821 ssl->out_msg[ssl->out_msglen++] = 0x00; 2822 ssl->out_msg[ssl->out_msglen++] = 0x00; 2823 } 2824 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED || 2825 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */ 2826 2827 /* 2828 * - DHE key exchanges 2829 */ 2830 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_DHE_ENABLED) 2831 if (mbedtls_ssl_ciphersuite_uses_dhe(ciphersuite_info)) { 2832 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 2833 size_t len = 0; 2834 2835 if (ssl->conf->dhm_P.p == NULL || ssl->conf->dhm_G.p == NULL) { 2836 MBEDTLS_SSL_DEBUG_MSG(1, ("no DH parameters set")); 2837 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 2838 } 2839 2840 /* 2841 * Ephemeral DH parameters: 2842 * 2843 * struct { 2844 * opaque dh_p<1..2^16-1>; 2845 * opaque dh_g<1..2^16-1>; 2846 * opaque dh_Ys<1..2^16-1>; 2847 * } ServerDHParams; 2848 */ 2849 if ((ret = mbedtls_dhm_set_group(&ssl->handshake->dhm_ctx, 2850 &ssl->conf->dhm_P, 2851 &ssl->conf->dhm_G)) != 0) { 2852 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_set_group", ret); 2853 return ret; 2854 } 2855 2856 if ((ret = mbedtls_dhm_make_params( 2857 &ssl->handshake->dhm_ctx, 2858 (int) mbedtls_dhm_get_len(&ssl->handshake->dhm_ctx), 2859 ssl->out_msg + ssl->out_msglen, &len, 2860 ssl->conf->f_rng, ssl->conf->p_rng)) != 0) { 2861 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_make_params", ret); 2862 return ret; 2863 } 2864 2865 #if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) 2866 dig_signed = ssl->out_msg + ssl->out_msglen; 2867 #endif 2868 2869 ssl->out_msglen += len; 2870 2871 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: X ", &ssl->handshake->dhm_ctx.X); 2872 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: P ", &ssl->handshake->dhm_ctx.P); 2873 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: G ", &ssl->handshake->dhm_ctx.G); 2874 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: GX", &ssl->handshake->dhm_ctx.GX); 2875 } 2876 #endif /* MBEDTLS_KEY_EXCHANGE_SOME_DHE_ENABLED */ 2877 2878 /* 2879 * - ECDHE key exchanges 2880 */ 2881 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDHE_ENABLED) 2882 if (mbedtls_ssl_ciphersuite_uses_ecdhe(ciphersuite_info)) { 2883 /* 2884 * Ephemeral ECDH parameters: 2885 * 2886 * struct { 2887 * ECParameters curve_params; 2888 * ECPoint public; 2889 * } ServerECDHParams; 2890 */ 2891 uint16_t *curr_tls_id = ssl->handshake->curves_tls_id; 2892 const uint16_t *group_list = mbedtls_ssl_get_groups(ssl); 2893 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 2894 size_t len = 0; 2895 2896 /* Match our preference list against the offered curves */ 2897 if ((group_list == NULL) || (curr_tls_id == NULL)) { 2898 return MBEDTLS_ERR_SSL_BAD_CONFIG; 2899 } 2900 for (; *group_list != 0; group_list++) { 2901 for (curr_tls_id = ssl->handshake->curves_tls_id; 2902 *curr_tls_id != 0; curr_tls_id++) { 2903 if (*curr_tls_id == *group_list) { 2904 goto curve_matching_done; 2905 } 2906 } 2907 } 2908 2909 curve_matching_done: 2910 if (*curr_tls_id == 0) { 2911 MBEDTLS_SSL_DEBUG_MSG(1, ("no matching curve for ECDHE")); 2912 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; 2913 } 2914 2915 MBEDTLS_SSL_DEBUG_MSG(2, ("ECDHE curve: %s", 2916 mbedtls_ssl_get_curve_name_from_tls_id(*curr_tls_id))); 2917 2918 #if defined(MBEDTLS_USE_PSA_CRYPTO) 2919 psa_status_t status = PSA_ERROR_GENERIC_ERROR; 2920 psa_key_attributes_t key_attributes; 2921 mbedtls_ssl_handshake_params *handshake = ssl->handshake; 2922 uint8_t *p = ssl->out_msg + ssl->out_msglen; 2923 const size_t header_size = 4; // curve_type(1), namedcurve(2), 2924 // data length(1) 2925 const size_t data_length_size = 1; 2926 psa_ecc_family_t ec_psa_family = 0; 2927 size_t ec_bits = 0; 2928 2929 MBEDTLS_SSL_DEBUG_MSG(1, ("Perform PSA-based ECDH computation.")); 2930 2931 /* Convert EC's TLS ID to PSA key type. */ 2932 if (mbedtls_ssl_get_psa_curve_info_from_tls_id(*curr_tls_id, 2933 &ec_psa_family, 2934 &ec_bits) == PSA_ERROR_NOT_SUPPORTED) { 2935 MBEDTLS_SSL_DEBUG_MSG(1, ("Invalid ecc group parse.")); 2936 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; 2937 } 2938 handshake->ecdh_psa_type = PSA_KEY_TYPE_ECC_KEY_PAIR(ec_psa_family); 2939 handshake->ecdh_bits = ec_bits; 2940 2941 key_attributes = psa_key_attributes_init(); 2942 psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE); 2943 psa_set_key_algorithm(&key_attributes, PSA_ALG_ECDH); 2944 psa_set_key_type(&key_attributes, handshake->ecdh_psa_type); 2945 psa_set_key_bits(&key_attributes, handshake->ecdh_bits); 2946 2947 /* 2948 * ECParameters curve_params 2949 * 2950 * First byte is curve_type, always named_curve 2951 */ 2952 *p++ = MBEDTLS_ECP_TLS_NAMED_CURVE; 2953 2954 /* 2955 * Next two bytes are the namedcurve value 2956 */ 2957 MBEDTLS_PUT_UINT16_BE(*curr_tls_id, p, 0); 2958 p += 2; 2959 2960 /* Generate ECDH private key. */ 2961 status = psa_generate_key(&key_attributes, 2962 &handshake->ecdh_psa_privkey); 2963 if (status != PSA_SUCCESS) { 2964 ret = PSA_TO_MBEDTLS_ERR(status); 2965 MBEDTLS_SSL_DEBUG_RET(1, "psa_generate_key", ret); 2966 return ret; 2967 } 2968 2969 /* 2970 * ECPoint public 2971 * 2972 * First byte is data length. 2973 * It will be filled later. p holds now the data length location. 2974 */ 2975 2976 /* Export the public part of the ECDH private key from PSA. 2977 * Make one byte space for the length. 2978 */ 2979 unsigned char *own_pubkey = p + data_length_size; 2980 2981 size_t own_pubkey_max_len = (size_t) (MBEDTLS_SSL_OUT_CONTENT_LEN 2982 - (own_pubkey - ssl->out_msg)); 2983 2984 status = psa_export_public_key(handshake->ecdh_psa_privkey, 2985 own_pubkey, own_pubkey_max_len, 2986 &len); 2987 if (status != PSA_SUCCESS) { 2988 ret = PSA_TO_MBEDTLS_ERR(status); 2989 MBEDTLS_SSL_DEBUG_RET(1, "psa_export_public_key", ret); 2990 (void) psa_destroy_key(handshake->ecdh_psa_privkey); 2991 handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT; 2992 return ret; 2993 } 2994 2995 /* Store the length of the exported public key. */ 2996 *p = (uint8_t) len; 2997 2998 /* Determine full message length. */ 2999 len += header_size; 3000 #else 3001 mbedtls_ecp_group_id curr_grp_id = 3002 mbedtls_ssl_get_ecp_group_id_from_tls_id(*curr_tls_id); 3003 3004 if ((ret = mbedtls_ecdh_setup(&ssl->handshake->ecdh_ctx, 3005 curr_grp_id)) != 0) { 3006 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecp_group_load", ret); 3007 return ret; 3008 } 3009 3010 if ((ret = mbedtls_ecdh_make_params( 3011 &ssl->handshake->ecdh_ctx, &len, 3012 ssl->out_msg + ssl->out_msglen, 3013 MBEDTLS_SSL_OUT_CONTENT_LEN - ssl->out_msglen, 3014 ssl->conf->f_rng, ssl->conf->p_rng)) != 0) { 3015 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_make_params", ret); 3016 return ret; 3017 } 3018 3019 MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx, 3020 MBEDTLS_DEBUG_ECDH_Q); 3021 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 3022 3023 #if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) 3024 dig_signed = ssl->out_msg + ssl->out_msglen; 3025 #endif 3026 3027 ssl->out_msglen += len; 3028 } 3029 #endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDHE_ENABLED */ 3030 3031 /* 3032 * 3033 * Part 2: For key exchanges involving the server signing the 3034 * exchange parameters, compute and add the signature here. 3035 * 3036 */ 3037 #if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) 3038 if (mbedtls_ssl_ciphersuite_uses_server_signature(ciphersuite_info)) { 3039 if (dig_signed == NULL) { 3040 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); 3041 return MBEDTLS_ERR_SSL_INTERNAL_ERROR; 3042 } 3043 3044 size_t dig_signed_len = ssl->out_msg + ssl->out_msglen - dig_signed; 3045 size_t hashlen = 0; 3046 unsigned char hash[MBEDTLS_HASH_MAX_SIZE]; 3047 3048 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 3049 3050 /* 3051 * 2.1: Choose hash algorithm: 3052 * For TLS 1.2, obey signature-hash-algorithm extension 3053 * to choose appropriate hash. 3054 */ 3055 3056 mbedtls_pk_type_t sig_alg = 3057 mbedtls_ssl_get_ciphersuite_sig_pk_alg(ciphersuite_info); 3058 3059 unsigned int sig_hash = 3060 mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg( 3061 ssl, mbedtls_ssl_sig_from_pk_alg(sig_alg)); 3062 3063 mbedtls_md_type_t md_alg = mbedtls_ssl_md_alg_from_hash(sig_hash); 3064 3065 /* For TLS 1.2, obey signature-hash-algorithm extension 3066 * (RFC 5246, Sec. 7.4.1.4.1). */ 3067 if (sig_alg == MBEDTLS_PK_NONE || md_alg == MBEDTLS_MD_NONE) { 3068 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); 3069 /* (... because we choose a cipher suite 3070 * only if there is a matching hash.) */ 3071 return MBEDTLS_ERR_SSL_INTERNAL_ERROR; 3072 } 3073 3074 MBEDTLS_SSL_DEBUG_MSG(3, ("pick hash algorithm %u for signing", (unsigned) md_alg)); 3075 3076 /* 3077 * 2.2: Compute the hash to be signed 3078 */ 3079 if (md_alg != MBEDTLS_MD_NONE) { 3080 ret = mbedtls_ssl_get_key_exchange_md_tls1_2(ssl, hash, &hashlen, 3081 dig_signed, 3082 dig_signed_len, 3083 md_alg); 3084 if (ret != 0) { 3085 return ret; 3086 } 3087 } else { 3088 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); 3089 return MBEDTLS_ERR_SSL_INTERNAL_ERROR; 3090 } 3091 3092 MBEDTLS_SSL_DEBUG_BUF(3, "parameters hash", hash, hashlen); 3093 3094 /* 3095 * 2.3: Compute and add the signature 3096 */ 3097 /* 3098 * We need to specify signature and hash algorithm explicitly through 3099 * a prefix to the signature. 3100 * 3101 * struct { 3102 * HashAlgorithm hash; 3103 * SignatureAlgorithm signature; 3104 * } SignatureAndHashAlgorithm; 3105 * 3106 * struct { 3107 * SignatureAndHashAlgorithm algorithm; 3108 * opaque signature<0..2^16-1>; 3109 * } DigitallySigned; 3110 * 3111 */ 3112 3113 ssl->out_msg[ssl->out_msglen++] = mbedtls_ssl_hash_from_md_alg(md_alg); 3114 ssl->out_msg[ssl->out_msglen++] = mbedtls_ssl_sig_from_pk_alg(sig_alg); 3115 3116 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) 3117 if (ssl->conf->f_async_sign_start != NULL) { 3118 ret = ssl->conf->f_async_sign_start(ssl, 3119 mbedtls_ssl_own_cert(ssl), 3120 md_alg, hash, hashlen); 3121 switch (ret) { 3122 case MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH: 3123 /* act as if f_async_sign was null */ 3124 break; 3125 case 0: 3126 ssl->handshake->async_in_progress = 1; 3127 return ssl_resume_server_key_exchange(ssl, signature_len); 3128 case MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS: 3129 ssl->handshake->async_in_progress = 1; 3130 return MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS; 3131 default: 3132 MBEDTLS_SSL_DEBUG_RET(1, "f_async_sign_start", ret); 3133 return ret; 3134 } 3135 } 3136 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */ 3137 3138 if (mbedtls_ssl_own_key(ssl) == NULL) { 3139 MBEDTLS_SSL_DEBUG_MSG(1, ("got no private key")); 3140 return MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED; 3141 } 3142 3143 /* Append the signature to ssl->out_msg, leaving 2 bytes for the 3144 * signature length which will be added in ssl_write_server_key_exchange 3145 * after the call to ssl_prepare_server_key_exchange. 3146 * ssl_write_server_key_exchange also takes care of incrementing 3147 * ssl->out_msglen. */ 3148 if ((ret = mbedtls_pk_sign(mbedtls_ssl_own_key(ssl), 3149 md_alg, hash, hashlen, 3150 ssl->out_msg + ssl->out_msglen + 2, 3151 out_buf_len - ssl->out_msglen - 2, 3152 signature_len, 3153 ssl->conf->f_rng, 3154 ssl->conf->p_rng)) != 0) { 3155 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_sign", ret); 3156 return ret; 3157 } 3158 } 3159 #endif /* MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED */ 3160 3161 return 0; 3162 } 3163 3164 /* Prepare the ServerKeyExchange message and send it. For ciphersuites 3165 * that do not include a ServerKeyExchange message, do nothing. Either 3166 * way, if successful, move on to the next step in the SSL state 3167 * machine. */ 3168 MBEDTLS_CHECK_RETURN_CRITICAL 3169 static int ssl_write_server_key_exchange(mbedtls_ssl_context *ssl) 3170 { 3171 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 3172 size_t signature_len = 0; 3173 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_NON_PFS_ENABLED) 3174 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = 3175 ssl->handshake->ciphersuite_info; 3176 #endif /* MBEDTLS_KEY_EXCHANGE_SOME_NON_PFS_ENABLED */ 3177 3178 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write server key exchange")); 3179 3180 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_NON_PFS_ENABLED) 3181 /* Extract static ECDH parameters and abort if ServerKeyExchange 3182 * is not needed. */ 3183 if (mbedtls_ssl_ciphersuite_no_pfs(ciphersuite_info)) { 3184 /* For suites involving ECDH, extract DH parameters 3185 * from certificate at this point. */ 3186 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_ENABLED) 3187 if (mbedtls_ssl_ciphersuite_uses_ecdh(ciphersuite_info)) { 3188 ret = ssl_get_ecdh_params_from_cert(ssl); 3189 if (ret != 0) { 3190 MBEDTLS_SSL_DEBUG_RET(1, "ssl_get_ecdh_params_from_cert", ret); 3191 return ret; 3192 } 3193 } 3194 #endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDH_ENABLED */ 3195 3196 /* Key exchanges not involving ephemeral keys don't use 3197 * ServerKeyExchange, so end here. */ 3198 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write server key exchange")); 3199 ssl->state++; 3200 return 0; 3201 } 3202 #endif /* MBEDTLS_KEY_EXCHANGE_SOME_NON_PFS_ENABLED */ 3203 3204 #if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) && \ 3205 defined(MBEDTLS_SSL_ASYNC_PRIVATE) 3206 /* If we have already prepared the message and there is an ongoing 3207 * signature operation, resume signing. */ 3208 if (ssl->handshake->async_in_progress != 0) { 3209 MBEDTLS_SSL_DEBUG_MSG(2, ("resuming signature operation")); 3210 ret = ssl_resume_server_key_exchange(ssl, &signature_len); 3211 } else 3212 #endif /* defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) && 3213 defined(MBEDTLS_SSL_ASYNC_PRIVATE) */ 3214 { 3215 /* ServerKeyExchange is needed. Prepare the message. */ 3216 ret = ssl_prepare_server_key_exchange(ssl, &signature_len); 3217 } 3218 3219 if (ret != 0) { 3220 /* If we're starting to write a new message, set ssl->out_msglen 3221 * to 0. But if we're resuming after an asynchronous message, 3222 * out_msglen is the amount of data written so far and mst be 3223 * preserved. */ 3224 if (ret == MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS) { 3225 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write server key exchange (pending)")); 3226 } else { 3227 ssl->out_msglen = 0; 3228 } 3229 return ret; 3230 } 3231 3232 /* If there is a signature, write its length. 3233 * ssl_prepare_server_key_exchange already wrote the signature 3234 * itself at its proper place in the output buffer. */ 3235 #if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) 3236 if (signature_len != 0) { 3237 ssl->out_msg[ssl->out_msglen++] = MBEDTLS_BYTE_1(signature_len); 3238 ssl->out_msg[ssl->out_msglen++] = MBEDTLS_BYTE_0(signature_len); 3239 3240 MBEDTLS_SSL_DEBUG_BUF(3, "my signature", 3241 ssl->out_msg + ssl->out_msglen, 3242 signature_len); 3243 3244 /* Skip over the already-written signature */ 3245 ssl->out_msglen += signature_len; 3246 } 3247 #endif /* MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED */ 3248 3249 /* Add header and send. */ 3250 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; 3251 ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE; 3252 3253 ssl->state++; 3254 3255 if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) { 3256 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret); 3257 return ret; 3258 } 3259 3260 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write server key exchange")); 3261 return 0; 3262 } 3263 3264 MBEDTLS_CHECK_RETURN_CRITICAL 3265 static int ssl_write_server_hello_done(mbedtls_ssl_context *ssl) 3266 { 3267 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 3268 3269 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write server hello done")); 3270 3271 ssl->out_msglen = 4; 3272 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; 3273 ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_HELLO_DONE; 3274 3275 ssl->state++; 3276 3277 #if defined(MBEDTLS_SSL_PROTO_DTLS) 3278 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) { 3279 mbedtls_ssl_send_flight_completed(ssl); 3280 } 3281 #endif 3282 3283 if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) { 3284 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret); 3285 return ret; 3286 } 3287 3288 #if defined(MBEDTLS_SSL_PROTO_DTLS) 3289 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 3290 (ret = mbedtls_ssl_flight_transmit(ssl)) != 0) { 3291 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_flight_transmit", ret); 3292 return ret; 3293 } 3294 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 3295 3296 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write server hello done")); 3297 3298 return 0; 3299 } 3300 3301 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \ 3302 defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) 3303 MBEDTLS_CHECK_RETURN_CRITICAL 3304 static int ssl_parse_client_dh_public(mbedtls_ssl_context *ssl, unsigned char **p, 3305 const unsigned char *end) 3306 { 3307 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 3308 size_t n; 3309 3310 /* 3311 * Receive G^Y mod P, premaster = (G^Y)^X mod P 3312 */ 3313 if (*p + 2 > end) { 3314 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message")); 3315 return MBEDTLS_ERR_SSL_DECODE_ERROR; 3316 } 3317 3318 n = ((*p)[0] << 8) | (*p)[1]; 3319 *p += 2; 3320 3321 if (*p + n > end) { 3322 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message")); 3323 return MBEDTLS_ERR_SSL_DECODE_ERROR; 3324 } 3325 3326 if ((ret = mbedtls_dhm_read_public(&ssl->handshake->dhm_ctx, *p, n)) != 0) { 3327 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_read_public", ret); 3328 return MBEDTLS_ERR_SSL_DECODE_ERROR; 3329 } 3330 3331 *p += n; 3332 3333 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: GY", &ssl->handshake->dhm_ctx.GY); 3334 3335 return ret; 3336 } 3337 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED || 3338 MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */ 3339 3340 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \ 3341 defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) 3342 3343 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) 3344 MBEDTLS_CHECK_RETURN_CRITICAL 3345 static int ssl_resume_decrypt_pms(mbedtls_ssl_context *ssl, 3346 unsigned char *peer_pms, 3347 size_t *peer_pmslen, 3348 size_t peer_pmssize) 3349 { 3350 int ret = ssl->conf->f_async_resume(ssl, 3351 peer_pms, peer_pmslen, peer_pmssize); 3352 if (ret != MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS) { 3353 ssl->handshake->async_in_progress = 0; 3354 mbedtls_ssl_set_async_operation_data(ssl, NULL); 3355 } 3356 MBEDTLS_SSL_DEBUG_RET(2, "ssl_decrypt_encrypted_pms", ret); 3357 return ret; 3358 } 3359 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */ 3360 3361 MBEDTLS_CHECK_RETURN_CRITICAL 3362 static int ssl_decrypt_encrypted_pms(mbedtls_ssl_context *ssl, 3363 const unsigned char *p, 3364 const unsigned char *end, 3365 unsigned char *peer_pms, 3366 size_t *peer_pmslen, 3367 size_t peer_pmssize) 3368 { 3369 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 3370 3371 mbedtls_x509_crt *own_cert = mbedtls_ssl_own_cert(ssl); 3372 if (own_cert == NULL) { 3373 MBEDTLS_SSL_DEBUG_MSG(1, ("got no local certificate")); 3374 return MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE; 3375 } 3376 mbedtls_pk_context *public_key = &own_cert->pk; 3377 mbedtls_pk_context *private_key = mbedtls_ssl_own_key(ssl); 3378 size_t len = mbedtls_pk_get_len(public_key); 3379 3380 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) 3381 /* If we have already started decoding the message and there is an ongoing 3382 * decryption operation, resume signing. */ 3383 if (ssl->handshake->async_in_progress != 0) { 3384 MBEDTLS_SSL_DEBUG_MSG(2, ("resuming decryption operation")); 3385 return ssl_resume_decrypt_pms(ssl, 3386 peer_pms, peer_pmslen, peer_pmssize); 3387 } 3388 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */ 3389 3390 /* 3391 * Prepare to decrypt the premaster using own private RSA key 3392 */ 3393 if (p + 2 > end) { 3394 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message")); 3395 return MBEDTLS_ERR_SSL_DECODE_ERROR; 3396 } 3397 if (*p++ != MBEDTLS_BYTE_1(len) || 3398 *p++ != MBEDTLS_BYTE_0(len)) { 3399 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message")); 3400 return MBEDTLS_ERR_SSL_DECODE_ERROR; 3401 } 3402 3403 if (p + len != end) { 3404 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message")); 3405 return MBEDTLS_ERR_SSL_DECODE_ERROR; 3406 } 3407 3408 /* 3409 * Decrypt the premaster secret 3410 */ 3411 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) 3412 if (ssl->conf->f_async_decrypt_start != NULL) { 3413 ret = ssl->conf->f_async_decrypt_start(ssl, 3414 mbedtls_ssl_own_cert(ssl), 3415 p, len); 3416 switch (ret) { 3417 case MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH: 3418 /* act as if f_async_decrypt_start was null */ 3419 break; 3420 case 0: 3421 ssl->handshake->async_in_progress = 1; 3422 return ssl_resume_decrypt_pms(ssl, 3423 peer_pms, 3424 peer_pmslen, 3425 peer_pmssize); 3426 case MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS: 3427 ssl->handshake->async_in_progress = 1; 3428 return MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS; 3429 default: 3430 MBEDTLS_SSL_DEBUG_RET(1, "f_async_decrypt_start", ret); 3431 return ret; 3432 } 3433 } 3434 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */ 3435 3436 if (!mbedtls_pk_can_do(private_key, MBEDTLS_PK_RSA)) { 3437 MBEDTLS_SSL_DEBUG_MSG(1, ("got no RSA private key")); 3438 return MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED; 3439 } 3440 3441 ret = mbedtls_pk_decrypt(private_key, p, len, 3442 peer_pms, peer_pmslen, peer_pmssize, 3443 ssl->conf->f_rng, ssl->conf->p_rng); 3444 return ret; 3445 } 3446 3447 MBEDTLS_CHECK_RETURN_CRITICAL 3448 static int ssl_parse_encrypted_pms(mbedtls_ssl_context *ssl, 3449 const unsigned char *p, 3450 const unsigned char *end, 3451 size_t pms_offset) 3452 { 3453 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 3454 unsigned char *pms = ssl->handshake->premaster + pms_offset; 3455 unsigned char ver[2]; 3456 unsigned char fake_pms[48], peer_pms[48]; 3457 unsigned char mask; 3458 size_t i, peer_pmslen; 3459 unsigned int diff; 3460 3461 /* In case of a failure in decryption, the decryption may write less than 3462 * 2 bytes of output, but we always read the first two bytes. It doesn't 3463 * matter in the end because diff will be nonzero in that case due to 3464 * ret being nonzero, and we only care whether diff is 0. 3465 * But do initialize peer_pms and peer_pmslen for robustness anyway. This 3466 * also makes memory analyzers happy (don't access uninitialized memory, 3467 * even if it's an unsigned char). */ 3468 peer_pms[0] = peer_pms[1] = ~0; 3469 peer_pmslen = 0; 3470 3471 ret = ssl_decrypt_encrypted_pms(ssl, p, end, 3472 peer_pms, 3473 &peer_pmslen, 3474 sizeof(peer_pms)); 3475 3476 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) 3477 if (ret == MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS) { 3478 return ret; 3479 } 3480 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */ 3481 3482 mbedtls_ssl_write_version(ver, ssl->conf->transport, 3483 ssl->session_negotiate->tls_version); 3484 3485 /* Avoid data-dependent branches while checking for invalid 3486 * padding, to protect against timing-based Bleichenbacher-type 3487 * attacks. */ 3488 diff = (unsigned int) ret; 3489 diff |= peer_pmslen ^ 48; 3490 diff |= peer_pms[0] ^ ver[0]; 3491 diff |= peer_pms[1] ^ ver[1]; 3492 3493 /* mask = diff ? 0xff : 0x00 using bit operations to avoid branches */ 3494 mask = mbedtls_ct_uint_mask(diff); 3495 3496 /* 3497 * Protection against Bleichenbacher's attack: invalid PKCS#1 v1.5 padding 3498 * must not cause the connection to end immediately; instead, send a 3499 * bad_record_mac later in the handshake. 3500 * To protect against timing-based variants of the attack, we must 3501 * not have any branch that depends on whether the decryption was 3502 * successful. In particular, always generate the fake premaster secret, 3503 * regardless of whether it will ultimately influence the output or not. 3504 */ 3505 ret = ssl->conf->f_rng(ssl->conf->p_rng, fake_pms, sizeof(fake_pms)); 3506 if (ret != 0) { 3507 /* It's ok to abort on an RNG failure, since this does not reveal 3508 * anything about the RSA decryption. */ 3509 return ret; 3510 } 3511 3512 #if defined(MBEDTLS_SSL_DEBUG_ALL) 3513 if (diff != 0) { 3514 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message")); 3515 } 3516 #endif 3517 3518 if (sizeof(ssl->handshake->premaster) < pms_offset || 3519 sizeof(ssl->handshake->premaster) - pms_offset < 48) { 3520 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); 3521 return MBEDTLS_ERR_SSL_INTERNAL_ERROR; 3522 } 3523 ssl->handshake->pmslen = 48; 3524 3525 /* Set pms to either the true or the fake PMS, without 3526 * data-dependent branches. */ 3527 for (i = 0; i < ssl->handshake->pmslen; i++) { 3528 pms[i] = (mask & fake_pms[i]) | ((~mask) & peer_pms[i]); 3529 } 3530 3531 return 0; 3532 } 3533 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED || 3534 MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */ 3535 3536 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) 3537 MBEDTLS_CHECK_RETURN_CRITICAL 3538 static int ssl_parse_client_psk_identity(mbedtls_ssl_context *ssl, unsigned char **p, 3539 const unsigned char *end) 3540 { 3541 int ret = 0; 3542 uint16_t n; 3543 3544 if (ssl_conf_has_psk_or_cb(ssl->conf) == 0) { 3545 MBEDTLS_SSL_DEBUG_MSG(1, ("got no pre-shared key")); 3546 return MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED; 3547 } 3548 3549 /* 3550 * Receive client pre-shared key identity name 3551 */ 3552 if (end - *p < 2) { 3553 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message")); 3554 return MBEDTLS_ERR_SSL_DECODE_ERROR; 3555 } 3556 3557 n = ((*p)[0] << 8) | (*p)[1]; 3558 *p += 2; 3559 3560 if (n == 0 || n > end - *p) { 3561 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message")); 3562 return MBEDTLS_ERR_SSL_DECODE_ERROR; 3563 } 3564 3565 if (ssl->conf->f_psk != NULL) { 3566 if (ssl->conf->f_psk(ssl->conf->p_psk, ssl, *p, n) != 0) { 3567 ret = MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY; 3568 } 3569 } else { 3570 /* Identity is not a big secret since clients send it in the clear, 3571 * but treat it carefully anyway, just in case */ 3572 if (n != ssl->conf->psk_identity_len || 3573 mbedtls_ct_memcmp(ssl->conf->psk_identity, *p, n) != 0) { 3574 ret = MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY; 3575 } 3576 } 3577 3578 if (ret == MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY) { 3579 MBEDTLS_SSL_DEBUG_BUF(3, "Unknown PSK identity", *p, n); 3580 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 3581 MBEDTLS_SSL_ALERT_MSG_UNKNOWN_PSK_IDENTITY); 3582 return MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY; 3583 } 3584 3585 *p += n; 3586 3587 return 0; 3588 } 3589 #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */ 3590 3591 MBEDTLS_CHECK_RETURN_CRITICAL 3592 static int ssl_parse_client_key_exchange(mbedtls_ssl_context *ssl) 3593 { 3594 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 3595 const mbedtls_ssl_ciphersuite_t *ciphersuite_info; 3596 unsigned char *p, *end; 3597 3598 ciphersuite_info = ssl->handshake->ciphersuite_info; 3599 3600 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse client key exchange")); 3601 3602 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) && \ 3603 (defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \ 3604 defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)) 3605 if ((ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK || 3606 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA) && 3607 (ssl->handshake->async_in_progress != 0)) { 3608 /* We've already read a record and there is an asynchronous 3609 * operation in progress to decrypt it. So skip reading the 3610 * record. */ 3611 MBEDTLS_SSL_DEBUG_MSG(3, ("will resume decryption of previously-read record")); 3612 } else 3613 #endif 3614 if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) { 3615 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret); 3616 return ret; 3617 } 3618 3619 p = ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl); 3620 end = ssl->in_msg + ssl->in_hslen; 3621 3622 if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) { 3623 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message")); 3624 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE; 3625 } 3626 3627 if (ssl->in_msg[0] != MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE) { 3628 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message")); 3629 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE; 3630 } 3631 3632 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) 3633 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA) { 3634 if ((ret = ssl_parse_client_dh_public(ssl, &p, end)) != 0) { 3635 MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_dh_public"), ret); 3636 return ret; 3637 } 3638 3639 if (p != end) { 3640 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange")); 3641 return MBEDTLS_ERR_SSL_DECODE_ERROR; 3642 } 3643 3644 if ((ret = mbedtls_dhm_calc_secret(&ssl->handshake->dhm_ctx, 3645 ssl->handshake->premaster, 3646 MBEDTLS_PREMASTER_SIZE, 3647 &ssl->handshake->pmslen, 3648 ssl->conf->f_rng, ssl->conf->p_rng)) != 0) { 3649 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_calc_secret", ret); 3650 return MBEDTLS_ERR_SSL_DECODE_ERROR; 3651 } 3652 3653 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: K ", &ssl->handshake->dhm_ctx.K); 3654 } else 3655 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */ 3656 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ 3657 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \ 3658 defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ 3659 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) 3660 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA || 3661 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA || 3662 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA || 3663 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA) { 3664 #if defined(MBEDTLS_USE_PSA_CRYPTO) 3665 size_t data_len = (size_t) (*p++); 3666 size_t buf_len = (size_t) (end - p); 3667 psa_status_t status = PSA_ERROR_GENERIC_ERROR; 3668 mbedtls_ssl_handshake_params *handshake = ssl->handshake; 3669 3670 MBEDTLS_SSL_DEBUG_MSG(1, ("Read the peer's public key.")); 3671 3672 /* 3673 * We must have at least two bytes (1 for length, at least 1 for data) 3674 */ 3675 if (buf_len < 2) { 3676 MBEDTLS_SSL_DEBUG_MSG(1, ("Invalid buffer length")); 3677 return MBEDTLS_ERR_ECP_BAD_INPUT_DATA; 3678 } 3679 3680 if (data_len < 1 || data_len > buf_len) { 3681 MBEDTLS_SSL_DEBUG_MSG(1, ("Invalid data length")); 3682 return MBEDTLS_ERR_ECP_BAD_INPUT_DATA; 3683 } 3684 3685 /* Store peer's ECDH public key. */ 3686 memcpy(handshake->ecdh_psa_peerkey, p, data_len); 3687 handshake->ecdh_psa_peerkey_len = data_len; 3688 3689 /* Compute ECDH shared secret. */ 3690 status = psa_raw_key_agreement( 3691 PSA_ALG_ECDH, handshake->ecdh_psa_privkey, 3692 handshake->ecdh_psa_peerkey, handshake->ecdh_psa_peerkey_len, 3693 handshake->premaster, sizeof(handshake->premaster), 3694 &handshake->pmslen); 3695 if (status != PSA_SUCCESS) { 3696 ret = PSA_TO_MBEDTLS_ERR(status); 3697 MBEDTLS_SSL_DEBUG_RET(1, "psa_raw_key_agreement", ret); 3698 if (handshake->ecdh_psa_privkey_is_external == 0) { 3699 (void) psa_destroy_key(handshake->ecdh_psa_privkey); 3700 } 3701 handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT; 3702 return ret; 3703 } 3704 3705 if (handshake->ecdh_psa_privkey_is_external == 0) { 3706 status = psa_destroy_key(handshake->ecdh_psa_privkey); 3707 3708 if (status != PSA_SUCCESS) { 3709 ret = PSA_TO_MBEDTLS_ERR(status); 3710 MBEDTLS_SSL_DEBUG_RET(1, "psa_destroy_key", ret); 3711 return ret; 3712 } 3713 } 3714 handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT; 3715 #else 3716 if ((ret = mbedtls_ecdh_read_public(&ssl->handshake->ecdh_ctx, 3717 p, end - p)) != 0) { 3718 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_read_public", ret); 3719 return MBEDTLS_ERR_SSL_DECODE_ERROR; 3720 } 3721 3722 MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx, 3723 MBEDTLS_DEBUG_ECDH_QP); 3724 3725 if ((ret = mbedtls_ecdh_calc_secret(&ssl->handshake->ecdh_ctx, 3726 &ssl->handshake->pmslen, 3727 ssl->handshake->premaster, 3728 MBEDTLS_MPI_MAX_SIZE, 3729 ssl->conf->f_rng, ssl->conf->p_rng)) != 0) { 3730 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_calc_secret", ret); 3731 return MBEDTLS_ERR_SSL_DECODE_ERROR; 3732 } 3733 3734 MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx, 3735 MBEDTLS_DEBUG_ECDH_Z); 3736 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 3737 } else 3738 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || 3739 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED || 3740 MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED || 3741 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ 3742 #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) 3743 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK) { 3744 if ((ret = ssl_parse_client_psk_identity(ssl, &p, end)) != 0) { 3745 MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_psk_identity"), ret); 3746 return ret; 3747 } 3748 3749 if (p != end) { 3750 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange")); 3751 return MBEDTLS_ERR_SSL_DECODE_ERROR; 3752 } 3753 3754 #if !defined(MBEDTLS_USE_PSA_CRYPTO) 3755 if ((ret = mbedtls_ssl_psk_derive_premaster(ssl, 3756 ciphersuite_info->key_exchange)) != 0) { 3757 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_psk_derive_premaster", ret); 3758 return ret; 3759 } 3760 #endif /* !MBEDTLS_USE_PSA_CRYPTO */ 3761 } else 3762 #endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */ 3763 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) 3764 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK) { 3765 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) 3766 if (ssl->handshake->async_in_progress != 0) { 3767 /* There is an asynchronous operation in progress to 3768 * decrypt the encrypted premaster secret, so skip 3769 * directly to resuming this operation. */ 3770 MBEDTLS_SSL_DEBUG_MSG(3, ("PSK identity already parsed")); 3771 /* Update p to skip the PSK identity. ssl_parse_encrypted_pms 3772 * won't actually use it, but maintain p anyway for robustness. */ 3773 p += ssl->conf->psk_identity_len + 2; 3774 } else 3775 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */ 3776 if ((ret = ssl_parse_client_psk_identity(ssl, &p, end)) != 0) { 3777 MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_psk_identity"), ret); 3778 return ret; 3779 } 3780 3781 if ((ret = ssl_parse_encrypted_pms(ssl, p, end, 2)) != 0) { 3782 MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_encrypted_pms"), ret); 3783 return ret; 3784 } 3785 3786 #if !defined(MBEDTLS_USE_PSA_CRYPTO) 3787 if ((ret = mbedtls_ssl_psk_derive_premaster(ssl, 3788 ciphersuite_info->key_exchange)) != 0) { 3789 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_psk_derive_premaster", ret); 3790 return ret; 3791 } 3792 #endif /* !MBEDTLS_USE_PSA_CRYPTO */ 3793 } else 3794 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */ 3795 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) 3796 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK) { 3797 if ((ret = ssl_parse_client_psk_identity(ssl, &p, end)) != 0) { 3798 MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_psk_identity"), ret); 3799 return ret; 3800 } 3801 if ((ret = ssl_parse_client_dh_public(ssl, &p, end)) != 0) { 3802 MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_dh_public"), ret); 3803 return ret; 3804 } 3805 3806 if (p != end) { 3807 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange")); 3808 return MBEDTLS_ERR_SSL_DECODE_ERROR; 3809 } 3810 3811 #if defined(MBEDTLS_USE_PSA_CRYPTO) 3812 unsigned char *pms = ssl->handshake->premaster; 3813 unsigned char *pms_end = pms + sizeof(ssl->handshake->premaster); 3814 size_t pms_len; 3815 3816 /* Write length only when we know the actual value */ 3817 if ((ret = mbedtls_dhm_calc_secret(&ssl->handshake->dhm_ctx, 3818 pms + 2, pms_end - (pms + 2), &pms_len, 3819 ssl->conf->f_rng, ssl->conf->p_rng)) != 0) { 3820 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_calc_secret", ret); 3821 return ret; 3822 } 3823 MBEDTLS_PUT_UINT16_BE(pms_len, pms, 0); 3824 pms += 2 + pms_len; 3825 3826 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: K ", &ssl->handshake->dhm_ctx.K); 3827 #else 3828 if ((ret = mbedtls_ssl_psk_derive_premaster(ssl, 3829 ciphersuite_info->key_exchange)) != 0) { 3830 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_psk_derive_premaster", ret); 3831 return ret; 3832 } 3833 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 3834 } else 3835 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */ 3836 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) 3837 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK) { 3838 #if defined(MBEDTLS_USE_PSA_CRYPTO) 3839 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; 3840 psa_status_t destruction_status = PSA_ERROR_CORRUPTION_DETECTED; 3841 uint8_t ecpoint_len; 3842 3843 mbedtls_ssl_handshake_params *handshake = ssl->handshake; 3844 3845 if ((ret = ssl_parse_client_psk_identity(ssl, &p, end)) != 0) { 3846 MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_psk_identity"), ret); 3847 psa_destroy_key(handshake->ecdh_psa_privkey); 3848 handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT; 3849 return ret; 3850 } 3851 3852 /* Keep a copy of the peer's public key */ 3853 if (p >= end) { 3854 psa_destroy_key(handshake->ecdh_psa_privkey); 3855 handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT; 3856 return MBEDTLS_ERR_SSL_DECODE_ERROR; 3857 } 3858 3859 ecpoint_len = *(p++); 3860 if ((size_t) (end - p) < ecpoint_len) { 3861 psa_destroy_key(handshake->ecdh_psa_privkey); 3862 handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT; 3863 return MBEDTLS_ERR_SSL_DECODE_ERROR; 3864 } 3865 3866 if (ecpoint_len > sizeof(handshake->ecdh_psa_peerkey)) { 3867 psa_destroy_key(handshake->ecdh_psa_privkey); 3868 handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT; 3869 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; 3870 } 3871 3872 memcpy(handshake->ecdh_psa_peerkey, p, ecpoint_len); 3873 handshake->ecdh_psa_peerkey_len = ecpoint_len; 3874 p += ecpoint_len; 3875 3876 /* As RFC 5489 section 2, the premaster secret is formed as follows: 3877 * - a uint16 containing the length (in octets) of the ECDH computation 3878 * - the octet string produced by the ECDH computation 3879 * - a uint16 containing the length (in octets) of the PSK 3880 * - the PSK itself 3881 */ 3882 unsigned char *psm = ssl->handshake->premaster; 3883 const unsigned char * const psm_end = 3884 psm + sizeof(ssl->handshake->premaster); 3885 /* uint16 to store length (in octets) of the ECDH computation */ 3886 const size_t zlen_size = 2; 3887 size_t zlen = 0; 3888 3889 /* Compute ECDH shared secret. */ 3890 status = psa_raw_key_agreement(PSA_ALG_ECDH, 3891 handshake->ecdh_psa_privkey, 3892 handshake->ecdh_psa_peerkey, 3893 handshake->ecdh_psa_peerkey_len, 3894 psm + zlen_size, 3895 psm_end - (psm + zlen_size), 3896 &zlen); 3897 3898 destruction_status = psa_destroy_key(handshake->ecdh_psa_privkey); 3899 handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT; 3900 3901 if (status != PSA_SUCCESS) { 3902 return PSA_TO_MBEDTLS_ERR(status); 3903 } else if (destruction_status != PSA_SUCCESS) { 3904 return PSA_TO_MBEDTLS_ERR(destruction_status); 3905 } 3906 3907 /* Write the ECDH computation length before the ECDH computation */ 3908 MBEDTLS_PUT_UINT16_BE(zlen, psm, 0); 3909 psm += zlen_size + zlen; 3910 3911 #else /* MBEDTLS_USE_PSA_CRYPTO */ 3912 if ((ret = ssl_parse_client_psk_identity(ssl, &p, end)) != 0) { 3913 MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_psk_identity"), ret); 3914 return ret; 3915 } 3916 3917 if ((ret = mbedtls_ecdh_read_public(&ssl->handshake->ecdh_ctx, 3918 p, end - p)) != 0) { 3919 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_read_public", ret); 3920 return MBEDTLS_ERR_SSL_DECODE_ERROR; 3921 } 3922 3923 MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx, 3924 MBEDTLS_DEBUG_ECDH_QP); 3925 3926 if ((ret = mbedtls_ssl_psk_derive_premaster(ssl, 3927 ciphersuite_info->key_exchange)) != 0) { 3928 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_psk_derive_premaster", ret); 3929 return ret; 3930 } 3931 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 3932 } else 3933 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */ 3934 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) 3935 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA) { 3936 if ((ret = ssl_parse_encrypted_pms(ssl, p, end, 0)) != 0) { 3937 MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_parse_encrypted_pms_secret"), ret); 3938 return ret; 3939 } 3940 } else 3941 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */ 3942 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 3943 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE) { 3944 #if defined(MBEDTLS_USE_PSA_CRYPTO) 3945 if ((ret = mbedtls_psa_ecjpake_read_round( 3946 &ssl->handshake->psa_pake_ctx, p, end - p, 3947 MBEDTLS_ECJPAKE_ROUND_TWO)) != 0) { 3948 psa_destroy_key(ssl->handshake->psa_pake_password); 3949 psa_pake_abort(&ssl->handshake->psa_pake_ctx); 3950 3951 MBEDTLS_SSL_DEBUG_RET(1, "psa_pake_input round two", ret); 3952 return ret; 3953 } 3954 #else 3955 ret = mbedtls_ecjpake_read_round_two(&ssl->handshake->ecjpake_ctx, 3956 p, end - p); 3957 if (ret != 0) { 3958 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_read_round_two", ret); 3959 return MBEDTLS_ERR_SSL_INTERNAL_ERROR; 3960 } 3961 3962 ret = mbedtls_ecjpake_derive_secret(&ssl->handshake->ecjpake_ctx, 3963 ssl->handshake->premaster, 32, &ssl->handshake->pmslen, 3964 ssl->conf->f_rng, ssl->conf->p_rng); 3965 if (ret != 0) { 3966 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_derive_secret", ret); 3967 return ret; 3968 } 3969 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 3970 } else 3971 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 3972 { 3973 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); 3974 return MBEDTLS_ERR_SSL_INTERNAL_ERROR; 3975 } 3976 3977 if ((ret = mbedtls_ssl_derive_keys(ssl)) != 0) { 3978 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_derive_keys", ret); 3979 return ret; 3980 } 3981 3982 ssl->state++; 3983 3984 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse client key exchange")); 3985 3986 return 0; 3987 } 3988 3989 #if !defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED) 3990 MBEDTLS_CHECK_RETURN_CRITICAL 3991 static int ssl_parse_certificate_verify(mbedtls_ssl_context *ssl) 3992 { 3993 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = 3994 ssl->handshake->ciphersuite_info; 3995 3996 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate verify")); 3997 3998 if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) { 3999 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate verify")); 4000 ssl->state++; 4001 return 0; 4002 } 4003 4004 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); 4005 return MBEDTLS_ERR_SSL_INTERNAL_ERROR; 4006 } 4007 #else /* !MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */ 4008 MBEDTLS_CHECK_RETURN_CRITICAL 4009 static int ssl_parse_certificate_verify(mbedtls_ssl_context *ssl) 4010 { 4011 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 4012 size_t i, sig_len; 4013 unsigned char hash[48]; 4014 unsigned char *hash_start = hash; 4015 size_t hashlen; 4016 mbedtls_pk_type_t pk_alg; 4017 mbedtls_md_type_t md_alg; 4018 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = 4019 ssl->handshake->ciphersuite_info; 4020 mbedtls_pk_context *peer_pk; 4021 4022 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate verify")); 4023 4024 if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) { 4025 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate verify")); 4026 ssl->state++; 4027 return 0; 4028 } 4029 4030 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) 4031 if (ssl->session_negotiate->peer_cert == NULL) { 4032 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate verify")); 4033 ssl->state++; 4034 return 0; 4035 } 4036 #else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ 4037 if (ssl->session_negotiate->peer_cert_digest == NULL) { 4038 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate verify")); 4039 ssl->state++; 4040 return 0; 4041 } 4042 #endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ 4043 4044 /* Read the message without adding it to the checksum */ 4045 ret = mbedtls_ssl_read_record(ssl, 0 /* no checksum update */); 4046 if (0 != ret) { 4047 MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ssl_read_record"), ret); 4048 return ret; 4049 } 4050 4051 ssl->state++; 4052 4053 /* Process the message contents */ 4054 if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE || 4055 ssl->in_msg[0] != MBEDTLS_SSL_HS_CERTIFICATE_VERIFY) { 4056 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate verify message")); 4057 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE; 4058 } 4059 4060 i = mbedtls_ssl_hs_hdr_len(ssl); 4061 4062 #if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) 4063 peer_pk = &ssl->handshake->peer_pubkey; 4064 #else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ 4065 if (ssl->session_negotiate->peer_cert == NULL) { 4066 /* Should never happen */ 4067 return MBEDTLS_ERR_SSL_INTERNAL_ERROR; 4068 } 4069 peer_pk = &ssl->session_negotiate->peer_cert->pk; 4070 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ 4071 4072 /* 4073 * struct { 4074 * SignatureAndHashAlgorithm algorithm; -- TLS 1.2 only 4075 * opaque signature<0..2^16-1>; 4076 * } DigitallySigned; 4077 */ 4078 if (i + 2 > ssl->in_hslen) { 4079 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate verify message")); 4080 return MBEDTLS_ERR_SSL_DECODE_ERROR; 4081 } 4082 4083 /* 4084 * Hash 4085 */ 4086 md_alg = mbedtls_ssl_md_alg_from_hash(ssl->in_msg[i]); 4087 4088 if (md_alg == MBEDTLS_MD_NONE || mbedtls_ssl_set_calc_verify_md(ssl, ssl->in_msg[i])) { 4089 MBEDTLS_SSL_DEBUG_MSG(1, ("peer not adhering to requested sig_alg" 4090 " for verify message")); 4091 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; 4092 } 4093 4094 #if !defined(MBEDTLS_MD_SHA1) 4095 if (MBEDTLS_MD_SHA1 == md_alg) { 4096 hash_start += 16; 4097 } 4098 #endif 4099 4100 /* Info from md_alg will be used instead */ 4101 hashlen = 0; 4102 4103 i++; 4104 4105 /* 4106 * Signature 4107 */ 4108 if ((pk_alg = mbedtls_ssl_pk_alg_from_sig(ssl->in_msg[i])) 4109 == MBEDTLS_PK_NONE) { 4110 MBEDTLS_SSL_DEBUG_MSG(1, ("peer not adhering to requested sig_alg" 4111 " for verify message")); 4112 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; 4113 } 4114 4115 /* 4116 * Check the certificate's key type matches the signature alg 4117 */ 4118 if (!mbedtls_pk_can_do(peer_pk, pk_alg)) { 4119 MBEDTLS_SSL_DEBUG_MSG(1, ("sig_alg doesn't match cert key")); 4120 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; 4121 } 4122 4123 i++; 4124 4125 if (i + 2 > ssl->in_hslen) { 4126 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate verify message")); 4127 return MBEDTLS_ERR_SSL_DECODE_ERROR; 4128 } 4129 4130 sig_len = (ssl->in_msg[i] << 8) | ssl->in_msg[i+1]; 4131 i += 2; 4132 4133 if (i + sig_len != ssl->in_hslen) { 4134 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate verify message")); 4135 return MBEDTLS_ERR_SSL_DECODE_ERROR; 4136 } 4137 4138 /* Calculate hash and verify signature */ 4139 { 4140 size_t dummy_hlen; 4141 ret = ssl->handshake->calc_verify(ssl, hash, &dummy_hlen); 4142 if (0 != ret) { 4143 MBEDTLS_SSL_DEBUG_RET(1, ("calc_verify"), ret); 4144 return ret; 4145 } 4146 } 4147 4148 if ((ret = mbedtls_pk_verify(peer_pk, 4149 md_alg, hash_start, hashlen, 4150 ssl->in_msg + i, sig_len)) != 0) { 4151 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_verify", ret); 4152 return ret; 4153 } 4154 4155 ret = mbedtls_ssl_update_handshake_status(ssl); 4156 if (0 != ret) { 4157 MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ssl_update_handshake_status"), ret); 4158 return ret; 4159 } 4160 4161 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse certificate verify")); 4162 4163 return ret; 4164 } 4165 #endif /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */ 4166 4167 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 4168 MBEDTLS_CHECK_RETURN_CRITICAL 4169 static int ssl_write_new_session_ticket(mbedtls_ssl_context *ssl) 4170 { 4171 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 4172 size_t tlen; 4173 uint32_t lifetime; 4174 4175 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write new session ticket")); 4176 4177 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; 4178 ssl->out_msg[0] = MBEDTLS_SSL_HS_NEW_SESSION_TICKET; 4179 4180 /* 4181 * struct { 4182 * uint32 ticket_lifetime_hint; 4183 * opaque ticket<0..2^16-1>; 4184 * } NewSessionTicket; 4185 * 4186 * 4 . 7 ticket_lifetime_hint (0 = unspecified) 4187 * 8 . 9 ticket_len (n) 4188 * 10 . 9+n ticket content 4189 */ 4190 4191 if ((ret = ssl->conf->f_ticket_write(ssl->conf->p_ticket, 4192 ssl->session_negotiate, 4193 ssl->out_msg + 10, 4194 ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN, 4195 &tlen, &lifetime)) != 0) { 4196 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_ticket_write", ret); 4197 tlen = 0; 4198 } 4199 4200 MBEDTLS_PUT_UINT32_BE(lifetime, ssl->out_msg, 4); 4201 MBEDTLS_PUT_UINT16_BE(tlen, ssl->out_msg, 8); 4202 ssl->out_msglen = 10 + tlen; 4203 4204 /* 4205 * Morally equivalent to updating ssl->state, but NewSessionTicket and 4206 * ChangeCipherSpec share the same state. 4207 */ 4208 ssl->handshake->new_session_ticket = 0; 4209 4210 if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) { 4211 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret); 4212 return ret; 4213 } 4214 4215 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write new session ticket")); 4216 4217 return 0; 4218 } 4219 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 4220 4221 /* 4222 * SSL handshake -- server side -- single step 4223 */ 4224 int mbedtls_ssl_handshake_server_step(mbedtls_ssl_context *ssl) 4225 { 4226 int ret = 0; 4227 4228 MBEDTLS_SSL_DEBUG_MSG(2, ("server state: %d", ssl->state)); 4229 4230 switch (ssl->state) { 4231 case MBEDTLS_SSL_HELLO_REQUEST: 4232 ssl->state = MBEDTLS_SSL_CLIENT_HELLO; 4233 break; 4234 4235 /* 4236 * <== ClientHello 4237 */ 4238 case MBEDTLS_SSL_CLIENT_HELLO: 4239 ret = ssl_parse_client_hello(ssl); 4240 break; 4241 4242 #if defined(MBEDTLS_SSL_PROTO_DTLS) 4243 case MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT: 4244 return MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED; 4245 #endif 4246 4247 /* 4248 * ==> ServerHello 4249 * Certificate 4250 * ( ServerKeyExchange ) 4251 * ( CertificateRequest ) 4252 * ServerHelloDone 4253 */ 4254 case MBEDTLS_SSL_SERVER_HELLO: 4255 ret = ssl_write_server_hello(ssl); 4256 break; 4257 4258 case MBEDTLS_SSL_SERVER_CERTIFICATE: 4259 ret = mbedtls_ssl_write_certificate(ssl); 4260 break; 4261 4262 case MBEDTLS_SSL_SERVER_KEY_EXCHANGE: 4263 ret = ssl_write_server_key_exchange(ssl); 4264 break; 4265 4266 case MBEDTLS_SSL_CERTIFICATE_REQUEST: 4267 ret = ssl_write_certificate_request(ssl); 4268 break; 4269 4270 case MBEDTLS_SSL_SERVER_HELLO_DONE: 4271 ret = ssl_write_server_hello_done(ssl); 4272 break; 4273 4274 /* 4275 * <== ( Certificate/Alert ) 4276 * ClientKeyExchange 4277 * ( CertificateVerify ) 4278 * ChangeCipherSpec 4279 * Finished 4280 */ 4281 case MBEDTLS_SSL_CLIENT_CERTIFICATE: 4282 ret = mbedtls_ssl_parse_certificate(ssl); 4283 break; 4284 4285 case MBEDTLS_SSL_CLIENT_KEY_EXCHANGE: 4286 ret = ssl_parse_client_key_exchange(ssl); 4287 break; 4288 4289 case MBEDTLS_SSL_CERTIFICATE_VERIFY: 4290 ret = ssl_parse_certificate_verify(ssl); 4291 break; 4292 4293 case MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC: 4294 ret = mbedtls_ssl_parse_change_cipher_spec(ssl); 4295 break; 4296 4297 case MBEDTLS_SSL_CLIENT_FINISHED: 4298 ret = mbedtls_ssl_parse_finished(ssl); 4299 break; 4300 4301 /* 4302 * ==> ( NewSessionTicket ) 4303 * ChangeCipherSpec 4304 * Finished 4305 */ 4306 case MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC: 4307 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 4308 if (ssl->handshake->new_session_ticket != 0) { 4309 ret = ssl_write_new_session_ticket(ssl); 4310 } else 4311 #endif 4312 ret = mbedtls_ssl_write_change_cipher_spec(ssl); 4313 break; 4314 4315 case MBEDTLS_SSL_SERVER_FINISHED: 4316 ret = mbedtls_ssl_write_finished(ssl); 4317 break; 4318 4319 case MBEDTLS_SSL_FLUSH_BUFFERS: 4320 MBEDTLS_SSL_DEBUG_MSG(2, ("handshake: done")); 4321 ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP; 4322 break; 4323 4324 case MBEDTLS_SSL_HANDSHAKE_WRAPUP: 4325 mbedtls_ssl_handshake_wrapup(ssl); 4326 break; 4327 4328 default: 4329 MBEDTLS_SSL_DEBUG_MSG(1, ("invalid state %d", ssl->state)); 4330 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 4331 } 4332 4333 return ret; 4334 } 4335 4336 void mbedtls_ssl_conf_preference_order(mbedtls_ssl_config *conf, int order) 4337 { 4338 conf->respect_cli_pref = order; 4339 } 4340 4341 #endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_PROTO_TLS1_2 */ 4342