| 1 | /* |
| 2 | * TLS server-side functions |
| 3 | * |
| 4 | * Copyright The Mbed TLS Contributors |
| 5 | * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later |
| 6 | */ |
| 7 | |
| 8 | #include "common.h" |
| 9 | |
| 10 | #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_PROTO_TLS1_2) |
| 11 | |
| 12 | #include "mbedtls/platform.h" |
| 13 | |
| 14 | #include "mbedtls/ssl.h" |
| 15 | #include "ssl_misc.h" |
| 16 | #include "debug_internal.h" |
| 17 | #include "mbedtls/error.h" |
| 18 | #include "mbedtls/platform_util.h" |
| 19 | #include "constant_time_internal.h" |
| 20 | #include "mbedtls/constant_time.h" |
| 21 | |
| 22 | #include <string.h> |
| 23 | |
| 24 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
| 25 | /* Define a local translating function to save code size by not using too many |
| 26 | * arguments in each translating place. */ |
| 27 | #if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_ENABLED) || \ |
| 28 | defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDHE_ENABLED) |
| 29 | static int local_err_translation(psa_status_t status) |
| 30 | { |
| 31 | return psa_status_to_mbedtls(status, psa_to_ssl_errors, |
| 32 | ARRAY_LENGTH(psa_to_ssl_errors), |
| 33 | psa_generic_status_to_mbedtls); |
| 34 | } |
| 35 | #define PSA_TO_MBEDTLS_ERR(status) local_err_translation(status) |
| 36 | #endif |
| 37 | #endif |
| 38 | |
| 39 | #if defined(MBEDTLS_ECP_C) |
| 40 | #include "mbedtls/ecp.h" |
| 41 | #endif |
| 42 | |
| 43 | #if defined(MBEDTLS_HAVE_TIME) |
| 44 | #include "mbedtls/platform_time.h" |
| 45 | #endif |
| 46 | |
| 47 | #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) |
| 48 | int mbedtls_ssl_set_client_transport_id(mbedtls_ssl_context *ssl, |
| 49 | const unsigned char *info, |
| 50 | size_t ilen) |
| 51 | { |
| 52 | if (ssl->conf->endpoint != MBEDTLS_SSL_IS_SERVER) { |
| 53 | return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; |
| 54 | } |
| 55 | |
| 56 | mbedtls_free(ssl->cli_id); |
| 57 | |
| 58 | if ((ssl->cli_id = mbedtls_calloc(1, ilen)) == NULL) { |
| 59 | return MBEDTLS_ERR_SSL_ALLOC_FAILED; |
| 60 | } |
| 61 | |
| 62 | memcpy(ssl->cli_id, info, ilen); |
| 63 | ssl->cli_id_len = ilen; |
| 64 | |
| 65 | return 0; |
| 66 | } |
| 67 | |
| 68 | void mbedtls_ssl_conf_dtls_cookies(mbedtls_ssl_config *conf, |
| 69 | mbedtls_ssl_cookie_write_t *f_cookie_write, |
| 70 | mbedtls_ssl_cookie_check_t *f_cookie_check, |
| 71 | void *p_cookie) |
| 72 | { |
| 73 | conf->f_cookie_write = f_cookie_write; |
| 74 | conf->f_cookie_check = f_cookie_check; |
| 75 | conf->p_cookie = p_cookie; |
| 76 | } |
| 77 | #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */ |
| 78 | |
| 79 | #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) |
| 80 | MBEDTLS_CHECK_RETURN_CRITICAL |
| 81 | static int ssl_conf_has_psk_or_cb(mbedtls_ssl_config const *conf) |
| 82 | { |
| 83 | if (conf->f_psk != NULL) { |
| 84 | return 1; |
| 85 | } |
| 86 | |
| 87 | if (conf->psk_identity_len == 0 || conf->psk_identity == NULL) { |
| 88 | return 0; |
| 89 | } |
| 90 | |
| 91 | |
| 92 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
| 93 | if (!mbedtls_svc_key_id_is_null(conf->psk_opaque)) { |
| 94 | return 1; |
| 95 | } |
| 96 | #endif /* MBEDTLS_USE_PSA_CRYPTO */ |
| 97 | |
| 98 | if (conf->psk != NULL && conf->psk_len != 0) { |
| 99 | return 1; |
| 100 | } |
| 101 | |
| 102 | return 0; |
| 103 | } |
| 104 | #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */ |
| 105 | |
| 106 | MBEDTLS_CHECK_RETURN_CRITICAL |
| 107 | static int ssl_parse_renegotiation_info(mbedtls_ssl_context *ssl, |
| 108 | const unsigned char *buf, |
| 109 | size_t len) |
| 110 | { |
| 111 | #if defined(MBEDTLS_SSL_RENEGOTIATION) |
| 112 | if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) { |
| 113 | /* Check verify-data in constant-time. The length OTOH is no secret */ |
| 114 | if (len != 1 + ssl->verify_data_len || |
| 115 | buf[0] != ssl->verify_data_len || |
| 116 | mbedtls_ct_memcmp(buf + 1, ssl->peer_verify_data, |
| 117 | ssl->verify_data_len) != 0) { |
| 118 | MBEDTLS_SSL_DEBUG_MSG(1, ("non-matching renegotiation info")); |
| 119 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 120 | MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE); |
| 121 | return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; |
| 122 | } |
| 123 | } else |
| 124 | #endif /* MBEDTLS_SSL_RENEGOTIATION */ |
| 125 | { |
| 126 | if (len != 1 || buf[0] != 0x0) { |
| 127 | MBEDTLS_SSL_DEBUG_MSG(1, ("non-zero length renegotiation info")); |
| 128 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 129 | MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE); |
| 130 | return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; |
| 131 | } |
| 132 | |
| 133 | ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION; |
| 134 | } |
| 135 | |
| 136 | return 0; |
| 137 | } |
| 138 | |
| 139 | #if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED) || \ |
| 140 | defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED) || \ |
| 141 | defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) |
| 142 | /* |
| 143 | * Function for parsing a supported groups (TLS 1.3) or supported elliptic |
| 144 | * curves (TLS 1.2) extension. |
| 145 | * |
| 146 | * The "extension_data" field of a supported groups extension contains a |
| 147 | * "NamedGroupList" value (TLS 1.3 RFC8446): |
| 148 | * enum { |
| 149 | * secp256r1(0x0017), secp384r1(0x0018), secp521r1(0x0019), |
| 150 | * x25519(0x001D), x448(0x001E), |
| 151 | * ffdhe2048(0x0100), ffdhe3072(0x0101), ffdhe4096(0x0102), |
| 152 | * ffdhe6144(0x0103), ffdhe8192(0x0104), |
| 153 | * ffdhe_private_use(0x01FC..0x01FF), |
| 154 | * ecdhe_private_use(0xFE00..0xFEFF), |
| 155 | * (0xFFFF) |
| 156 | * } NamedGroup; |
| 157 | * struct { |
| 158 | * NamedGroup named_group_list<2..2^16-1>; |
| 159 | * } NamedGroupList; |
| 160 | * |
| 161 | * The "extension_data" field of a supported elliptic curves extension contains |
| 162 | * a "NamedCurveList" value (TLS 1.2 RFC 8422): |
| 163 | * enum { |
| 164 | * deprecated(1..22), |
| 165 | * secp256r1 (23), secp384r1 (24), secp521r1 (25), |
| 166 | * x25519(29), x448(30), |
| 167 | * reserved (0xFE00..0xFEFF), |
| 168 | * deprecated(0xFF01..0xFF02), |
| 169 | * (0xFFFF) |
| 170 | * } NamedCurve; |
| 171 | * struct { |
| 172 | * NamedCurve named_curve_list<2..2^16-1> |
| 173 | * } NamedCurveList; |
| 174 | * |
| 175 | * The TLS 1.3 supported groups extension was defined to be a compatible |
| 176 | * generalization of the TLS 1.2 supported elliptic curves extension. They both |
| 177 | * share the same extension identifier. |
| 178 | * |
| 179 | */ |
| 180 | MBEDTLS_CHECK_RETURN_CRITICAL |
| 181 | static int ssl_parse_supported_groups_ext(mbedtls_ssl_context *ssl, |
| 182 | const unsigned char *buf, |
| 183 | size_t len) |
| 184 | { |
| 185 | size_t list_size, our_size; |
| 186 | const unsigned char *p; |
| 187 | uint16_t *curves_tls_id; |
| 188 | |
| 189 | if (len < 2) { |
| 190 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); |
| 191 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 192 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); |
| 193 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| 194 | } |
| 195 | list_size = MBEDTLS_GET_UINT16_BE(buf, 0); |
| 196 | if (list_size + 2 != len || |
| 197 | list_size % 2 != 0) { |
| 198 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); |
| 199 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 200 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); |
| 201 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| 202 | } |
| 203 | |
| 204 | /* Should never happen unless client duplicates the extension */ |
| 205 | if (ssl->handshake->curves_tls_id != NULL) { |
| 206 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); |
| 207 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 208 | MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER); |
| 209 | return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; |
| 210 | } |
| 211 | |
| 212 | /* Don't allow our peer to make us allocate too much memory, |
| 213 | * and leave room for a final 0 */ |
| 214 | our_size = list_size / 2 + 1; |
| 215 | if (our_size > MBEDTLS_ECP_DP_MAX) { |
| 216 | our_size = MBEDTLS_ECP_DP_MAX; |
| 217 | } |
| 218 | |
| 219 | if ((curves_tls_id = mbedtls_calloc(our_size, |
| 220 | sizeof(*curves_tls_id))) == NULL) { |
| 221 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 222 | MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR); |
| 223 | return MBEDTLS_ERR_SSL_ALLOC_FAILED; |
| 224 | } |
| 225 | |
| 226 | ssl->handshake->curves_tls_id = curves_tls_id; |
| 227 | |
| 228 | p = buf + 2; |
| 229 | while (list_size > 0 && our_size > 1) { |
| 230 | uint16_t curr_tls_id = MBEDTLS_GET_UINT16_BE(p, 0); |
| 231 | |
| 232 | if (mbedtls_ssl_get_ecp_group_id_from_tls_id(curr_tls_id) != |
| 233 | MBEDTLS_ECP_DP_NONE) { |
| 234 | *curves_tls_id++ = curr_tls_id; |
| 235 | our_size--; |
| 236 | } |
| 237 | |
| 238 | list_size -= 2; |
| 239 | p += 2; |
| 240 | } |
| 241 | |
| 242 | return 0; |
| 243 | } |
| 244 | |
| 245 | MBEDTLS_CHECK_RETURN_CRITICAL |
| 246 | static int ssl_parse_supported_point_formats(mbedtls_ssl_context *ssl, |
| 247 | const unsigned char *buf, |
| 248 | size_t len) |
| 249 | { |
| 250 | size_t list_size; |
| 251 | const unsigned char *p; |
| 252 | |
| 253 | if (len == 0 || (size_t) (buf[0] + 1) != len) { |
| 254 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); |
| 255 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 256 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); |
| 257 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| 258 | } |
| 259 | list_size = buf[0]; |
| 260 | |
| 261 | p = buf + 1; |
| 262 | while (list_size > 0) { |
| 263 | if (p[0] == MBEDTLS_ECP_PF_UNCOMPRESSED || |
| 264 | p[0] == MBEDTLS_ECP_PF_COMPRESSED) { |
| 265 | #if !defined(MBEDTLS_USE_PSA_CRYPTO) && \ |
| 266 | defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED) |
| 267 | ssl->handshake->ecdh_ctx.point_format = p[0]; |
| 268 | #endif /* !MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED */ |
| 269 | #if !defined(MBEDTLS_USE_PSA_CRYPTO) && \ |
| 270 | defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) |
| 271 | mbedtls_ecjpake_set_point_format(&ssl->handshake->ecjpake_ctx, |
| 272 | p[0]); |
| 273 | #endif /* !MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ |
| 274 | MBEDTLS_SSL_DEBUG_MSG(4, ("point format selected: %d", p[0])); |
| 275 | return 0; |
| 276 | } |
| 277 | |
| 278 | list_size--; |
| 279 | p++; |
| 280 | } |
| 281 | |
| 282 | return 0; |
| 283 | } |
| 284 | #endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED || |
| 285 | MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED || |
| 286 | MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ |
| 287 | |
| 288 | #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) |
| 289 | MBEDTLS_CHECK_RETURN_CRITICAL |
| 290 | static int ssl_parse_ecjpake_kkpp(mbedtls_ssl_context *ssl, |
| 291 | const unsigned char *buf, |
| 292 | size_t len) |
| 293 | { |
| 294 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| 295 | |
| 296 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
| 297 | if (ssl->handshake->psa_pake_ctx_is_ok != 1) |
| 298 | #else |
| 299 | if (mbedtls_ecjpake_check(&ssl->handshake->ecjpake_ctx) != 0) |
| 300 | #endif /* MBEDTLS_USE_PSA_CRYPTO */ |
| 301 | { |
| 302 | MBEDTLS_SSL_DEBUG_MSG(3, ("skip ecjpake kkpp extension")); |
| 303 | return 0; |
| 304 | } |
| 305 | |
| 306 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
| 307 | if ((ret = mbedtls_psa_ecjpake_read_round( |
| 308 | &ssl->handshake->psa_pake_ctx, buf, len, |
| 309 | MBEDTLS_ECJPAKE_ROUND_ONE)) != 0) { |
| 310 | psa_destroy_key(ssl->handshake->psa_pake_password); |
| 311 | psa_pake_abort(&ssl->handshake->psa_pake_ctx); |
| 312 | |
| 313 | MBEDTLS_SSL_DEBUG_RET(1, "psa_pake_input round one", ret); |
| 314 | mbedtls_ssl_send_alert_message( |
| 315 | ssl, |
| 316 | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 317 | MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE); |
| 318 | |
| 319 | return ret; |
| 320 | } |
| 321 | #else |
| 322 | if ((ret = mbedtls_ecjpake_read_round_one(&ssl->handshake->ecjpake_ctx, |
| 323 | buf, len)) != 0) { |
| 324 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_read_round_one", ret); |
| 325 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 326 | MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER); |
| 327 | return ret; |
| 328 | } |
| 329 | #endif /* MBEDTLS_USE_PSA_CRYPTO */ |
| 330 | |
| 331 | /* Only mark the extension as OK when we're sure it is */ |
| 332 | ssl->handshake->cli_exts |= MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK; |
| 333 | |
| 334 | return 0; |
| 335 | } |
| 336 | #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ |
| 337 | |
| 338 | #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) |
| 339 | MBEDTLS_CHECK_RETURN_CRITICAL |
| 340 | static int ssl_parse_max_fragment_length_ext(mbedtls_ssl_context *ssl, |
| 341 | const unsigned char *buf, |
| 342 | size_t len) |
| 343 | { |
| 344 | if (len != 1 || buf[0] >= MBEDTLS_SSL_MAX_FRAG_LEN_INVALID) { |
| 345 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); |
| 346 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 347 | MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER); |
| 348 | return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; |
| 349 | } |
| 350 | |
| 351 | ssl->session_negotiate->mfl_code = buf[0]; |
| 352 | |
| 353 | return 0; |
| 354 | } |
| 355 | #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ |
| 356 | |
| 357 | #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) |
| 358 | MBEDTLS_CHECK_RETURN_CRITICAL |
| 359 | static int ssl_parse_cid_ext(mbedtls_ssl_context *ssl, |
| 360 | const unsigned char *buf, |
| 361 | size_t len) |
| 362 | { |
| 363 | size_t peer_cid_len; |
| 364 | |
| 365 | /* CID extension only makes sense in DTLS */ |
| 366 | if (ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) { |
| 367 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); |
| 368 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 369 | MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER); |
| 370 | return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; |
| 371 | } |
| 372 | |
| 373 | /* |
| 374 | * struct { |
| 375 | * opaque cid<0..2^8-1>; |
| 376 | * } ConnectionId; |
| 377 | */ |
| 378 | |
| 379 | if (len < 1) { |
| 380 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); |
| 381 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 382 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); |
| 383 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| 384 | } |
| 385 | |
| 386 | peer_cid_len = *buf++; |
| 387 | len--; |
| 388 | |
| 389 | if (len != peer_cid_len) { |
| 390 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); |
| 391 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 392 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); |
| 393 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| 394 | } |
| 395 | |
| 396 | /* Ignore CID if the user has disabled its use. */ |
| 397 | if (ssl->negotiate_cid == MBEDTLS_SSL_CID_DISABLED) { |
| 398 | /* Leave ssl->handshake->cid_in_use in its default |
| 399 | * value of MBEDTLS_SSL_CID_DISABLED. */ |
| 400 | MBEDTLS_SSL_DEBUG_MSG(3, ("Client sent CID extension, but CID disabled")); |
| 401 | return 0; |
| 402 | } |
| 403 | |
| 404 | if (peer_cid_len > MBEDTLS_SSL_CID_OUT_LEN_MAX) { |
| 405 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); |
| 406 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 407 | MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER); |
| 408 | return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; |
| 409 | } |
| 410 | |
| 411 | ssl->handshake->cid_in_use = MBEDTLS_SSL_CID_ENABLED; |
| 412 | ssl->handshake->peer_cid_len = (uint8_t) peer_cid_len; |
| 413 | memcpy(ssl->handshake->peer_cid, buf, peer_cid_len); |
| 414 | |
| 415 | MBEDTLS_SSL_DEBUG_MSG(3, ("Use of CID extension negotiated")); |
| 416 | MBEDTLS_SSL_DEBUG_BUF(3, "Client CID", buf, peer_cid_len); |
| 417 | |
| 418 | return 0; |
| 419 | } |
| 420 | #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ |
| 421 | |
| 422 | #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) |
| 423 | MBEDTLS_CHECK_RETURN_CRITICAL |
| 424 | static int ssl_parse_encrypt_then_mac_ext(mbedtls_ssl_context *ssl, |
| 425 | const unsigned char *buf, |
| 426 | size_t len) |
| 427 | { |
| 428 | if (len != 0) { |
| 429 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); |
| 430 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 431 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); |
| 432 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| 433 | } |
| 434 | |
| 435 | ((void) buf); |
| 436 | |
| 437 | if (ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED) { |
| 438 | ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED; |
| 439 | } |
| 440 | |
| 441 | return 0; |
| 442 | } |
| 443 | #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */ |
| 444 | |
| 445 | #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) |
| 446 | MBEDTLS_CHECK_RETURN_CRITICAL |
| 447 | static int ssl_parse_extended_ms_ext(mbedtls_ssl_context *ssl, |
| 448 | const unsigned char *buf, |
| 449 | size_t len) |
| 450 | { |
| 451 | if (len != 0) { |
| 452 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); |
| 453 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 454 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); |
| 455 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| 456 | } |
| 457 | |
| 458 | ((void) buf); |
| 459 | |
| 460 | if (ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED) { |
| 461 | ssl->handshake->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED; |
| 462 | } |
| 463 | |
| 464 | return 0; |
| 465 | } |
| 466 | #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */ |
| 467 | |
| 468 | #if defined(MBEDTLS_SSL_SESSION_TICKETS) |
| 469 | MBEDTLS_CHECK_RETURN_CRITICAL |
| 470 | static int ssl_parse_session_ticket_ext(mbedtls_ssl_context *ssl, |
| 471 | unsigned char *buf, |
| 472 | size_t len) |
| 473 | { |
| 474 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| 475 | mbedtls_ssl_session session; |
| 476 | |
| 477 | mbedtls_ssl_session_init(&session); |
| 478 | |
| 479 | if (ssl->conf->f_ticket_parse == NULL || |
| 480 | ssl->conf->f_ticket_write == NULL) { |
| 481 | return 0; |
| 482 | } |
| 483 | |
| 484 | /* Remember the client asked us to send a new ticket */ |
| 485 | ssl->handshake->new_session_ticket = 1; |
| 486 | |
| 487 | MBEDTLS_SSL_DEBUG_MSG(3, ("ticket length: %" MBEDTLS_PRINTF_SIZET, len)); |
| 488 | |
| 489 | if (len == 0) { |
| 490 | return 0; |
| 491 | } |
| 492 | |
| 493 | #if defined(MBEDTLS_SSL_RENEGOTIATION) |
| 494 | if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) { |
| 495 | MBEDTLS_SSL_DEBUG_MSG(3, ("ticket rejected: renegotiating")); |
| 496 | return 0; |
| 497 | } |
| 498 | #endif /* MBEDTLS_SSL_RENEGOTIATION */ |
| 499 | |
| 500 | /* |
| 501 | * Failures are ok: just ignore the ticket and proceed. |
| 502 | */ |
| 503 | if ((ret = ssl->conf->f_ticket_parse(ssl->conf->p_ticket, &session, |
| 504 | buf, len)) != 0) { |
| 505 | mbedtls_ssl_session_free(&session); |
| 506 | |
| 507 | if (ret == MBEDTLS_ERR_SSL_INVALID_MAC) { |
| 508 | MBEDTLS_SSL_DEBUG_MSG(3, ("ticket is not authentic")); |
| 509 | } else if (ret == MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED) { |
| 510 | MBEDTLS_SSL_DEBUG_MSG(3, ("ticket is expired")); |
| 511 | } else { |
| 512 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_ticket_parse", ret); |
| 513 | } |
| 514 | |
| 515 | return 0; |
| 516 | } |
| 517 | |
| 518 | /* |
| 519 | * Keep the session ID sent by the client, since we MUST send it back to |
| 520 | * inform them we're accepting the ticket (RFC 5077 section 3.4) |
| 521 | */ |
| 522 | session.id_len = ssl->session_negotiate->id_len; |
| 523 | memcpy(&session.id, ssl->session_negotiate->id, session.id_len); |
| 524 | |
| 525 | mbedtls_ssl_session_free(ssl->session_negotiate); |
| 526 | memcpy(ssl->session_negotiate, &session, sizeof(mbedtls_ssl_session)); |
| 527 | |
| 528 | /* Zeroize instead of free as we copied the content */ |
| 529 | mbedtls_platform_zeroize(&session, sizeof(mbedtls_ssl_session)); |
| 530 | |
| 531 | MBEDTLS_SSL_DEBUG_MSG(3, ("session successfully restored from ticket")); |
| 532 | |
| 533 | ssl->handshake->resume = 1; |
| 534 | |
| 535 | /* Don't send a new ticket after all, this one is OK */ |
| 536 | ssl->handshake->new_session_ticket = 0; |
| 537 | |
| 538 | return 0; |
| 539 | } |
| 540 | #endif /* MBEDTLS_SSL_SESSION_TICKETS */ |
| 541 | |
| 542 | #if defined(MBEDTLS_SSL_DTLS_SRTP) |
| 543 | MBEDTLS_CHECK_RETURN_CRITICAL |
| 544 | static int ssl_parse_use_srtp_ext(mbedtls_ssl_context *ssl, |
| 545 | const unsigned char *buf, |
| 546 | size_t len) |
| 547 | { |
| 548 | mbedtls_ssl_srtp_profile client_protection = MBEDTLS_TLS_SRTP_UNSET; |
| 549 | size_t i, j; |
| 550 | size_t profile_length; |
| 551 | uint16_t mki_length; |
| 552 | /*! 2 bytes for profile length and 1 byte for mki len */ |
| 553 | const size_t size_of_lengths = 3; |
| 554 | |
| 555 | /* If use_srtp is not configured, just ignore the extension */ |
| 556 | if ((ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) || |
| 557 | (ssl->conf->dtls_srtp_profile_list == NULL) || |
| 558 | (ssl->conf->dtls_srtp_profile_list_len == 0)) { |
| 559 | return 0; |
| 560 | } |
| 561 | |
| 562 | /* RFC5764 section 4.1.1 |
| 563 | * uint8 SRTPProtectionProfile[2]; |
| 564 | * |
| 565 | * struct { |
| 566 | * SRTPProtectionProfiles SRTPProtectionProfiles; |
| 567 | * opaque srtp_mki<0..255>; |
| 568 | * } UseSRTPData; |
| 569 | |
| 570 | * SRTPProtectionProfile SRTPProtectionProfiles<2..2^16-1>; |
| 571 | */ |
| 572 | |
| 573 | /* |
| 574 | * Min length is 5: at least one protection profile(2 bytes) |
| 575 | * and length(2 bytes) + srtp_mki length(1 byte) |
| 576 | * Check here that we have at least 2 bytes of protection profiles length |
| 577 | * and one of srtp_mki length |
| 578 | */ |
| 579 | if (len < size_of_lengths) { |
| 580 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 581 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); |
| 582 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| 583 | } |
| 584 | |
| 585 | ssl->dtls_srtp_info.chosen_dtls_srtp_profile = MBEDTLS_TLS_SRTP_UNSET; |
| 586 | |
| 587 | /* first 2 bytes are protection profile length(in bytes) */ |
| 588 | profile_length = (buf[0] << 8) | buf[1]; |
| 589 | buf += 2; |
| 590 | |
| 591 | /* The profile length cannot be bigger than input buffer size - lengths fields */ |
| 592 | if (profile_length > len - size_of_lengths || |
| 593 | profile_length % 2 != 0) { /* profiles are 2 bytes long, so the length must be even */ |
| 594 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 595 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); |
| 596 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| 597 | } |
| 598 | /* |
| 599 | * parse the extension list values are defined in |
| 600 | * http://www.iana.org/assignments/srtp-protection/srtp-protection.xhtml |
| 601 | */ |
| 602 | for (j = 0; j < profile_length; j += 2) { |
| 603 | uint16_t protection_profile_value = buf[j] << 8 | buf[j + 1]; |
| 604 | client_protection = mbedtls_ssl_check_srtp_profile_value(protection_profile_value); |
| 605 | |
| 606 | if (client_protection != MBEDTLS_TLS_SRTP_UNSET) { |
| 607 | MBEDTLS_SSL_DEBUG_MSG(3, ("found srtp profile: %s", |
| 608 | mbedtls_ssl_get_srtp_profile_as_string( |
| 609 | client_protection))); |
| 610 | } else { |
| 611 | continue; |
| 612 | } |
| 613 | /* check if suggested profile is in our list */ |
| 614 | for (i = 0; i < ssl->conf->dtls_srtp_profile_list_len; i++) { |
| 615 | if (client_protection == ssl->conf->dtls_srtp_profile_list[i]) { |
| 616 | ssl->dtls_srtp_info.chosen_dtls_srtp_profile = ssl->conf->dtls_srtp_profile_list[i]; |
| 617 | MBEDTLS_SSL_DEBUG_MSG(3, ("selected srtp profile: %s", |
| 618 | mbedtls_ssl_get_srtp_profile_as_string( |
| 619 | client_protection))); |
| 620 | break; |
| 621 | } |
| 622 | } |
| 623 | if (ssl->dtls_srtp_info.chosen_dtls_srtp_profile != MBEDTLS_TLS_SRTP_UNSET) { |
| 624 | break; |
| 625 | } |
| 626 | } |
| 627 | buf += profile_length; /* buf points to the mki length */ |
| 628 | mki_length = *buf; |
| 629 | buf++; |
| 630 | |
| 631 | if (mki_length > MBEDTLS_TLS_SRTP_MAX_MKI_LENGTH || |
| 632 | mki_length + profile_length + size_of_lengths != len) { |
| 633 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 634 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); |
| 635 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| 636 | } |
| 637 | |
| 638 | /* Parse the mki only if present and mki is supported locally */ |
| 639 | if (ssl->conf->dtls_srtp_mki_support == MBEDTLS_SSL_DTLS_SRTP_MKI_SUPPORTED && |
| 640 | mki_length > 0) { |
| 641 | ssl->dtls_srtp_info.mki_len = mki_length; |
| 642 | |
| 643 | memcpy(ssl->dtls_srtp_info.mki_value, buf, mki_length); |
| 644 | |
| 645 | MBEDTLS_SSL_DEBUG_BUF(3, "using mki", ssl->dtls_srtp_info.mki_value, |
| 646 | ssl->dtls_srtp_info.mki_len); |
| 647 | } |
| 648 | |
| 649 | return 0; |
| 650 | } |
| 651 | #endif /* MBEDTLS_SSL_DTLS_SRTP */ |
| 652 | |
| 653 | /* |
| 654 | * Auxiliary functions for ServerHello parsing and related actions |
| 655 | */ |
| 656 | |
| 657 | #if defined(MBEDTLS_X509_CRT_PARSE_C) |
| 658 | /* |
| 659 | * Return 0 if the given key uses one of the acceptable curves, -1 otherwise |
| 660 | */ |
| 661 | #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED) |
| 662 | MBEDTLS_CHECK_RETURN_CRITICAL |
| 663 | static int ssl_check_key_curve(mbedtls_pk_context *pk, |
| 664 | uint16_t *curves_tls_id) |
| 665 | { |
| 666 | uint16_t *curr_tls_id = curves_tls_id; |
| 667 | mbedtls_ecp_group_id grp_id = mbedtls_pk_get_ec_group_id(pk); |
| 668 | mbedtls_ecp_group_id curr_grp_id; |
| 669 | |
| 670 | while (*curr_tls_id != 0) { |
| 671 | curr_grp_id = mbedtls_ssl_get_ecp_group_id_from_tls_id(*curr_tls_id); |
| 672 | if (curr_grp_id == grp_id) { |
| 673 | return 0; |
| 674 | } |
| 675 | curr_tls_id++; |
| 676 | } |
| 677 | |
| 678 | return -1; |
| 679 | } |
| 680 | #endif /* MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED */ |
| 681 | |
| 682 | /* |
| 683 | * Try picking a certificate for this ciphersuite, |
| 684 | * return 0 on success and -1 on failure. |
| 685 | */ |
| 686 | MBEDTLS_CHECK_RETURN_CRITICAL |
| 687 | static int ssl_pick_cert(mbedtls_ssl_context *ssl, |
| 688 | const mbedtls_ssl_ciphersuite_t *ciphersuite_info) |
| 689 | { |
| 690 | mbedtls_ssl_key_cert *cur, *list; |
| 691 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
| 692 | psa_algorithm_t pk_alg = |
| 693 | mbedtls_ssl_get_ciphersuite_sig_pk_psa_alg(ciphersuite_info); |
| 694 | psa_key_usage_t pk_usage = |
| 695 | mbedtls_ssl_get_ciphersuite_sig_pk_psa_usage(ciphersuite_info); |
| 696 | #else |
| 697 | mbedtls_pk_type_t pk_alg = |
| 698 | mbedtls_ssl_get_ciphersuite_sig_pk_alg(ciphersuite_info); |
| 699 | #endif /* MBEDTLS_USE_PSA_CRYPTO */ |
| 700 | uint32_t flags; |
| 701 | |
| 702 | #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) |
| 703 | if (ssl->handshake->sni_key_cert != NULL) { |
| 704 | list = ssl->handshake->sni_key_cert; |
| 705 | } else |
| 706 | #endif |
| 707 | list = ssl->conf->key_cert; |
| 708 | |
| 709 | int pk_alg_is_none = 0; |
| 710 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
| 711 | pk_alg_is_none = (pk_alg == PSA_ALG_NONE); |
| 712 | #else |
| 713 | pk_alg_is_none = (pk_alg == MBEDTLS_PK_NONE); |
| 714 | #endif /* MBEDTLS_USE_PSA_CRYPTO */ |
| 715 | if (pk_alg_is_none) { |
| 716 | return 0; |
| 717 | } |
| 718 | |
| 719 | MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite requires certificate")); |
| 720 | |
| 721 | if (list == NULL) { |
| 722 | MBEDTLS_SSL_DEBUG_MSG(3, ("server has no certificate")); |
| 723 | return -1; |
| 724 | } |
| 725 | |
| 726 | for (cur = list; cur != NULL; cur = cur->next) { |
| 727 | flags = 0; |
| 728 | MBEDTLS_SSL_DEBUG_CRT(3, "candidate certificate chain, certificate", |
| 729 | cur->cert); |
| 730 | |
| 731 | int key_type_matches = 0; |
| 732 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
| 733 | #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) |
| 734 | key_type_matches = ((ssl->conf->f_async_sign_start != NULL || |
| 735 | ssl->conf->f_async_decrypt_start != NULL || |
| 736 | mbedtls_pk_can_do_ext(cur->key, pk_alg, pk_usage)) && |
| 737 | mbedtls_pk_can_do_ext(&cur->cert->pk, pk_alg, pk_usage)); |
| 738 | #else |
| 739 | key_type_matches = ( |
| 740 | mbedtls_pk_can_do_ext(cur->key, pk_alg, pk_usage)); |
| 741 | #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */ |
| 742 | #else |
| 743 | key_type_matches = mbedtls_pk_can_do(&cur->cert->pk, pk_alg); |
| 744 | #endif /* MBEDTLS_USE_PSA_CRYPTO */ |
| 745 | if (!key_type_matches) { |
| 746 | MBEDTLS_SSL_DEBUG_MSG(3, ("certificate mismatch: key type")); |
| 747 | continue; |
| 748 | } |
| 749 | |
| 750 | /* |
| 751 | * This avoids sending the client a cert it'll reject based on |
| 752 | * keyUsage or other extensions. |
| 753 | * |
| 754 | * It also allows the user to provision different certificates for |
| 755 | * different uses based on keyUsage, eg if they want to avoid signing |
| 756 | * and decrypting with the same RSA key. |
| 757 | */ |
| 758 | if (mbedtls_ssl_check_cert_usage(cur->cert, ciphersuite_info, |
| 759 | MBEDTLS_SSL_IS_CLIENT, |
| 760 | MBEDTLS_SSL_VERSION_TLS1_2, |
| 761 | &flags) != 0) { |
| 762 | MBEDTLS_SSL_DEBUG_MSG(3, ("certificate mismatch: " |
| 763 | "(extended) key usage extension")); |
| 764 | continue; |
| 765 | } |
| 766 | |
| 767 | #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED) |
| 768 | if (pk_alg == MBEDTLS_PK_ECDSA && |
| 769 | ssl_check_key_curve(&cur->cert->pk, |
| 770 | ssl->handshake->curves_tls_id) != 0) { |
| 771 | MBEDTLS_SSL_DEBUG_MSG(3, ("certificate mismatch: elliptic curve")); |
| 772 | continue; |
| 773 | } |
| 774 | #endif |
| 775 | |
| 776 | /* If we get there, we got a winner */ |
| 777 | break; |
| 778 | } |
| 779 | |
| 780 | /* Do not update ssl->handshake->key_cert unless there is a match */ |
| 781 | if (cur != NULL) { |
| 782 | ssl->handshake->key_cert = cur; |
| 783 | MBEDTLS_SSL_DEBUG_CRT(3, "selected certificate chain, certificate", |
| 784 | ssl->handshake->key_cert->cert); |
| 785 | return 0; |
| 786 | } |
| 787 | |
| 788 | return -1; |
| 789 | } |
| 790 | #endif /* MBEDTLS_X509_CRT_PARSE_C */ |
| 791 | |
| 792 | /* |
| 793 | * Check if a given ciphersuite is suitable for use with our config/keys/etc |
| 794 | * Sets ciphersuite_info only if the suite matches. |
| 795 | */ |
| 796 | MBEDTLS_CHECK_RETURN_CRITICAL |
| 797 | static int ssl_ciphersuite_match(mbedtls_ssl_context *ssl, int suite_id, |
| 798 | const mbedtls_ssl_ciphersuite_t **ciphersuite_info) |
| 799 | { |
| 800 | const mbedtls_ssl_ciphersuite_t *suite_info; |
| 801 | |
| 802 | #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) |
| 803 | mbedtls_pk_type_t sig_type; |
| 804 | #endif |
| 805 | |
| 806 | suite_info = mbedtls_ssl_ciphersuite_from_id(suite_id); |
| 807 | if (suite_info == NULL) { |
| 808 | MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); |
| 809 | return MBEDTLS_ERR_SSL_INTERNAL_ERROR; |
| 810 | } |
| 811 | |
| 812 | MBEDTLS_SSL_DEBUG_MSG(3, ("trying ciphersuite: %#04x (%s)", |
| 813 | (unsigned int) suite_id, suite_info->name)); |
| 814 | |
| 815 | if (suite_info->min_tls_version > ssl->tls_version || |
| 816 | suite_info->max_tls_version < ssl->tls_version) { |
| 817 | MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: version")); |
| 818 | return 0; |
| 819 | } |
| 820 | |
| 821 | #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) |
| 822 | if (suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE && |
| 823 | (ssl->handshake->cli_exts & MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK) == 0) { |
| 824 | MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: ecjpake " |
| 825 | "not configured or ext missing")); |
| 826 | return 0; |
| 827 | } |
| 828 | #endif |
| 829 | |
| 830 | |
| 831 | #if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED) || \ |
| 832 | defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED) |
| 833 | if (mbedtls_ssl_ciphersuite_uses_ec(suite_info) && |
| 834 | (ssl->handshake->curves_tls_id == NULL || |
| 835 | ssl->handshake->curves_tls_id[0] == 0)) { |
| 836 | MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: " |
| 837 | "no common elliptic curve")); |
| 838 | return 0; |
| 839 | } |
| 840 | #endif |
| 841 | |
| 842 | #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) |
| 843 | /* If the ciphersuite requires a pre-shared key and we don't |
| 844 | * have one, skip it now rather than failing later */ |
| 845 | if (mbedtls_ssl_ciphersuite_uses_psk(suite_info) && |
| 846 | ssl_conf_has_psk_or_cb(ssl->conf) == 0) { |
| 847 | MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: no pre-shared key")); |
| 848 | return 0; |
| 849 | } |
| 850 | #endif |
| 851 | |
| 852 | #if defined(MBEDTLS_X509_CRT_PARSE_C) |
| 853 | /* |
| 854 | * Final check: if ciphersuite requires us to have a |
| 855 | * certificate/key of a particular type: |
| 856 | * - select the appropriate certificate if we have one, or |
| 857 | * - try the next ciphersuite if we don't |
| 858 | * This must be done last since we modify the key_cert list. |
| 859 | */ |
| 860 | if (ssl_pick_cert(ssl, suite_info) != 0) { |
| 861 | MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: " |
| 862 | "no suitable certificate")); |
| 863 | return 0; |
| 864 | } |
| 865 | #endif |
| 866 | |
| 867 | #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) |
| 868 | /* If the ciphersuite requires signing, check whether |
| 869 | * a suitable hash algorithm is present. */ |
| 870 | sig_type = mbedtls_ssl_get_ciphersuite_sig_alg(suite_info); |
| 871 | if (sig_type != MBEDTLS_PK_NONE && |
| 872 | mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg( |
| 873 | ssl, mbedtls_ssl_sig_from_pk_alg(sig_type)) == MBEDTLS_SSL_HASH_NONE) { |
| 874 | MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: no suitable hash algorithm " |
| 875 | "for signature algorithm %u", (unsigned) sig_type)); |
| 876 | return 0; |
| 877 | } |
| 878 | |
| 879 | #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ |
| 880 | |
| 881 | *ciphersuite_info = suite_info; |
| 882 | return 0; |
| 883 | } |
| 884 | |
| 885 | /* This function doesn't alert on errors that happen early during |
| 886 | ClientHello parsing because they might indicate that the client is |
| 887 | not talking SSL/TLS at all and would not understand our alert. */ |
| 888 | MBEDTLS_CHECK_RETURN_CRITICAL |
| 889 | static int ssl_parse_client_hello(mbedtls_ssl_context *ssl) |
| 890 | { |
| 891 | int ret, got_common_suite; |
| 892 | size_t i, j; |
| 893 | size_t ciph_offset, comp_offset, ext_offset; |
| 894 | size_t msg_len, ciph_len, sess_len, comp_len, ext_len; |
| 895 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
| 896 | size_t cookie_offset, cookie_len; |
| 897 | #endif |
| 898 | unsigned char *buf, *p, *ext; |
| 899 | #if defined(MBEDTLS_SSL_RENEGOTIATION) |
| 900 | int renegotiation_info_seen = 0; |
| 901 | #endif |
| 902 | int handshake_failure = 0; |
| 903 | const int *ciphersuites; |
| 904 | const mbedtls_ssl_ciphersuite_t *ciphersuite_info; |
| 905 | |
| 906 | /* If there is no signature-algorithm extension present, |
| 907 | * we need to fall back to the default values for allowed |
| 908 | * signature-hash pairs. */ |
| 909 | #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) |
| 910 | int sig_hash_alg_ext_present = 0; |
| 911 | #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ |
| 912 | |
| 913 | MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse client hello")); |
| 914 | |
| 915 | /* |
| 916 | * Fetch the expected ClientHello handshake message. Do not ask |
| 917 | * mbedtls_ssl_read_record() to update the handshake digest, because the |
| 918 | * ClientHello may already have been read in ssl_tls13_process_client_hello() |
| 919 | * or as a post-handshake message (renegotiation). In those cases we need |
| 920 | * to update the digest ourselves, and it is simpler to do so |
| 921 | * unconditionally than to track whether it is needed. |
| 922 | */ |
| 923 | if ((ret = mbedtls_ssl_read_record(ssl, 0)) != 0) { |
| 924 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record ", ret); |
| 925 | |
| 926 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
| 927 | /* |
| 928 | * In the case of an alert message corresponding to the termination of |
| 929 | * a previous connection, `ssl_parse_record_header()` and then |
| 930 | * `mbedtls_ssl_read_record()` may return |
| 931 | * MBEDTLS_ERR_SSL_UNEXPECTED_RECORD because of a non zero epoch. |
| 932 | * |
| 933 | * Historically, the library has returned |
| 934 | * MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE in this situation. |
| 935 | * The sample program dtls_server.c relies on this behavior |
| 936 | * (see |
| 937 | * https://github.com/Mbed-TLS/mbedtls/blob/d5e35a376bee23fad0b17f2e3e94a32ce4017c64/programs/ssl/dtls_server.c#L295), |
| 938 | * and user applications may rely on it as well. |
| 939 | * |
| 940 | * For compatibility, map MBEDTLS_ERR_SSL_UNEXPECTED_RECORD |
| 941 | * to MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE here. |
| 942 | * |
| 943 | * MBEDTLS_ERR_SSL_UNEXPECTED_RECORD does not appear to be |
| 944 | * used to detect a specific error condition, so this mapping |
| 945 | * should not remove any meaningful distinction. |
| 946 | */ |
| 947 | if ((ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) |
| 948 | #if defined(MBEDTLS_SSL_RENEGOTIATION) |
| 949 | && (ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE) |
| 950 | #endif |
| 951 | ) { |
| 952 | if (ret == MBEDTLS_ERR_SSL_UNEXPECTED_RECORD) { |
| 953 | MBEDTLS_SSL_DEBUG_MSG(1, ("mapping UNEXPECTED_RECORD to UNEXPECTED_MESSAGE")); |
| 954 | ret = MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE; |
| 955 | } |
| 956 | } |
| 957 | #endif /* MBEDTLS_SSL_PROTO_DTLS */ |
| 958 | |
| 959 | return ret; |
| 960 | } |
| 961 | |
| 962 | /* |
| 963 | * Update the handshake checksum. |
| 964 | * |
| 965 | * Note that the checksum must be updated before parsing the extensions |
| 966 | * because ssl_parse_session_ticket_ext() may decrypt the ticket in place |
| 967 | * and therefore modify the ClientHello message. This occurs when using |
| 968 | * the Mbed TLS ssl_ticket.c implementation. |
| 969 | */ |
| 970 | ret = mbedtls_ssl_update_handshake_status(ssl); |
| 971 | if (0 != ret) { |
| 972 | MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ssl_update_handshake_status"), ret); |
| 973 | return ret; |
| 974 | } |
| 975 | |
| 976 | buf = ssl->in_msg; |
| 977 | msg_len = ssl->in_hslen; |
| 978 | |
| 979 | /* |
| 980 | * Handshake layer: |
| 981 | * 0 . 0 handshake type |
| 982 | * 1 . 3 handshake length |
| 983 | * 4 . 5 DTLS only: message sequence number |
| 984 | * 6 . 8 DTLS only: fragment offset |
| 985 | * 9 . 11 DTLS only: fragment length |
| 986 | */ |
| 987 | if ((ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) || |
| 988 | (buf[0] != MBEDTLS_SSL_HS_CLIENT_HELLO)) { |
| 989 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); |
| 990 | return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE; |
| 991 | } |
| 992 | |
| 993 | buf += mbedtls_ssl_hs_hdr_len(ssl); |
| 994 | msg_len -= mbedtls_ssl_hs_hdr_len(ssl); |
| 995 | |
| 996 | /* |
| 997 | * ClientHello layout: |
| 998 | * 0 . 1 protocol version |
| 999 | * 2 . 33 random bytes (starting with 4 bytes of Unix time) |
| 1000 | * 34 . 34 session id length (1 byte) |
| 1001 | * 35 . 34+x session id, where x = session id length from byte 34 |
| 1002 | * 35+x . 35+x DTLS only: cookie length (1 byte) |
| 1003 | * 36+x . .. DTLS only: cookie |
| 1004 | * .. . .. ciphersuite list length (2 bytes) |
| 1005 | * .. . .. ciphersuite list |
| 1006 | * .. . .. compression alg. list length (1 byte) |
| 1007 | * .. . .. compression alg. list |
| 1008 | * .. . .. extensions length (2 bytes, optional) |
| 1009 | * .. . .. extensions (optional) |
| 1010 | */ |
| 1011 | |
| 1012 | /* |
| 1013 | * Minimal length (with everything empty and extensions omitted) is |
| 1014 | * 2 + 32 + 1 + 2 + 1 = 38 bytes. Check that first, so that we can |
| 1015 | * read at least up to session id length without worrying. |
| 1016 | */ |
| 1017 | if (msg_len < 38) { |
| 1018 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); |
| 1019 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| 1020 | } |
| 1021 | |
| 1022 | /* |
| 1023 | * Check and save the protocol version |
| 1024 | */ |
| 1025 | MBEDTLS_SSL_DEBUG_BUF(3, "client hello, version", buf, 2); |
| 1026 | |
| 1027 | ssl->tls_version = (mbedtls_ssl_protocol_version) mbedtls_ssl_read_version(buf, |
| 1028 | ssl->conf->transport); |
| 1029 | ssl->session_negotiate->tls_version = ssl->tls_version; |
| 1030 | ssl->session_negotiate->endpoint = ssl->conf->endpoint; |
| 1031 | |
| 1032 | if (ssl->tls_version != MBEDTLS_SSL_VERSION_TLS1_2) { |
| 1033 | MBEDTLS_SSL_DEBUG_MSG(1, ("server only supports TLS 1.2")); |
| 1034 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 1035 | MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION); |
| 1036 | return MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION; |
| 1037 | } |
| 1038 | |
| 1039 | /* |
| 1040 | * Save client random (inc. Unix time) |
| 1041 | */ |
| 1042 | MBEDTLS_SSL_DEBUG_BUF(3, "client hello, random bytes", buf + 2, 32); |
| 1043 | |
| 1044 | memcpy(ssl->handshake->randbytes, buf + 2, 32); |
| 1045 | |
| 1046 | /* |
| 1047 | * Check the session ID length and save session ID |
| 1048 | */ |
| 1049 | sess_len = buf[34]; |
| 1050 | |
| 1051 | if (sess_len > sizeof(ssl->session_negotiate->id) || |
| 1052 | sess_len + 34 + 2 > msg_len) { /* 2 for cipherlist length field */ |
| 1053 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); |
| 1054 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 1055 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); |
| 1056 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| 1057 | } |
| 1058 | |
| 1059 | MBEDTLS_SSL_DEBUG_BUF(3, "client hello, session id", buf + 35, sess_len); |
| 1060 | |
| 1061 | ssl->session_negotiate->id_len = sess_len; |
| 1062 | memset(ssl->session_negotiate->id, 0, |
| 1063 | sizeof(ssl->session_negotiate->id)); |
| 1064 | memcpy(ssl->session_negotiate->id, buf + 35, |
| 1065 | ssl->session_negotiate->id_len); |
| 1066 | |
| 1067 | /* |
| 1068 | * Check the cookie length and content |
| 1069 | */ |
| 1070 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
| 1071 | if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) { |
| 1072 | cookie_offset = 35 + sess_len; |
| 1073 | cookie_len = buf[cookie_offset]; |
| 1074 | |
| 1075 | if (cookie_offset + 1 + cookie_len + 2 > msg_len) { |
| 1076 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); |
| 1077 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 1078 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); |
| 1079 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| 1080 | } |
| 1081 | |
| 1082 | MBEDTLS_SSL_DEBUG_BUF(3, "client hello, cookie", |
| 1083 | buf + cookie_offset + 1, cookie_len); |
| 1084 | |
| 1085 | #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) |
| 1086 | if (ssl->conf->f_cookie_check != NULL |
| 1087 | #if defined(MBEDTLS_SSL_RENEGOTIATION) |
| 1088 | && ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE |
| 1089 | #endif |
| 1090 | ) { |
| 1091 | if (ssl->conf->f_cookie_check(ssl->conf->p_cookie, |
| 1092 | buf + cookie_offset + 1, cookie_len, |
| 1093 | ssl->cli_id, ssl->cli_id_len) != 0) { |
| 1094 | MBEDTLS_SSL_DEBUG_MSG(2, ("cookie verification failed")); |
| 1095 | ssl->handshake->cookie_verify_result = 1; |
| 1096 | } else { |
| 1097 | MBEDTLS_SSL_DEBUG_MSG(2, ("cookie verification passed")); |
| 1098 | ssl->handshake->cookie_verify_result = 0; |
| 1099 | } |
| 1100 | } else |
| 1101 | #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */ |
| 1102 | { |
| 1103 | /* We know we didn't send a cookie, so it should be empty */ |
| 1104 | if (cookie_len != 0) { |
| 1105 | /* This may be an attacker's probe, so don't send an alert */ |
| 1106 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); |
| 1107 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| 1108 | } |
| 1109 | |
| 1110 | MBEDTLS_SSL_DEBUG_MSG(2, ("cookie verification skipped")); |
| 1111 | } |
| 1112 | |
| 1113 | /* |
| 1114 | * Check the ciphersuitelist length (will be parsed later) |
| 1115 | */ |
| 1116 | ciph_offset = cookie_offset + 1 + cookie_len; |
| 1117 | } else |
| 1118 | #endif /* MBEDTLS_SSL_PROTO_DTLS */ |
| 1119 | ciph_offset = 35 + sess_len; |
| 1120 | |
| 1121 | ciph_len = MBEDTLS_GET_UINT16_BE(buf, ciph_offset); |
| 1122 | |
| 1123 | if (ciph_len < 2 || |
| 1124 | ciph_len + 2 + ciph_offset + 1 > msg_len || /* 1 for comp. alg. len */ |
| 1125 | (ciph_len % 2) != 0) { |
| 1126 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); |
| 1127 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 1128 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); |
| 1129 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| 1130 | } |
| 1131 | |
| 1132 | MBEDTLS_SSL_DEBUG_BUF(3, "client hello, ciphersuitelist", |
| 1133 | buf + ciph_offset + 2, ciph_len); |
| 1134 | |
| 1135 | /* |
| 1136 | * Check the compression algorithm's length. |
| 1137 | * The list contents are ignored because implementing |
| 1138 | * MBEDTLS_SSL_COMPRESS_NULL is mandatory and is the only |
| 1139 | * option supported by Mbed TLS. |
| 1140 | */ |
| 1141 | comp_offset = ciph_offset + 2 + ciph_len; |
| 1142 | |
| 1143 | comp_len = buf[comp_offset]; |
| 1144 | |
| 1145 | if (comp_len < 1 || |
| 1146 | comp_len > 16 || |
| 1147 | comp_len + comp_offset + 1 > msg_len) { |
| 1148 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); |
| 1149 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 1150 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); |
| 1151 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| 1152 | } |
| 1153 | |
| 1154 | MBEDTLS_SSL_DEBUG_BUF(3, "client hello, compression", |
| 1155 | buf + comp_offset + 1, comp_len); |
| 1156 | |
| 1157 | /* |
| 1158 | * Check the extension length |
| 1159 | */ |
| 1160 | ext_offset = comp_offset + 1 + comp_len; |
| 1161 | if (msg_len > ext_offset) { |
| 1162 | if (msg_len < ext_offset + 2) { |
| 1163 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); |
| 1164 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 1165 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); |
| 1166 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| 1167 | } |
| 1168 | |
| 1169 | ext_len = MBEDTLS_GET_UINT16_BE(buf, ext_offset); |
| 1170 | |
| 1171 | if (msg_len != ext_offset + 2 + ext_len) { |
| 1172 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); |
| 1173 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 1174 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); |
| 1175 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| 1176 | } |
| 1177 | } else { |
| 1178 | ext_len = 0; |
| 1179 | } |
| 1180 | |
| 1181 | ext = buf + ext_offset + 2; |
| 1182 | MBEDTLS_SSL_DEBUG_BUF(3, "client hello extensions", ext, ext_len); |
| 1183 | |
| 1184 | while (ext_len != 0) { |
| 1185 | unsigned int ext_id; |
| 1186 | unsigned int ext_size; |
| 1187 | if (ext_len < 4) { |
| 1188 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); |
| 1189 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 1190 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); |
| 1191 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| 1192 | } |
| 1193 | ext_id = MBEDTLS_GET_UINT16_BE(ext, 0); |
| 1194 | ext_size = MBEDTLS_GET_UINT16_BE(ext, 2); |
| 1195 | |
| 1196 | if (ext_size + 4 > ext_len) { |
| 1197 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); |
| 1198 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 1199 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); |
| 1200 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| 1201 | } |
| 1202 | switch (ext_id) { |
| 1203 | #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) |
| 1204 | case MBEDTLS_TLS_EXT_SERVERNAME: |
| 1205 | MBEDTLS_SSL_DEBUG_MSG(3, ("found ServerName extension")); |
| 1206 | ret = mbedtls_ssl_parse_server_name_ext(ssl, ext + 4, |
| 1207 | ext + 4 + ext_size); |
| 1208 | if (ret != 0) { |
| 1209 | return ret; |
| 1210 | } |
| 1211 | break; |
| 1212 | #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ |
| 1213 | |
| 1214 | case MBEDTLS_TLS_EXT_RENEGOTIATION_INFO: |
| 1215 | MBEDTLS_SSL_DEBUG_MSG(3, ("found renegotiation extension")); |
| 1216 | #if defined(MBEDTLS_SSL_RENEGOTIATION) |
| 1217 | renegotiation_info_seen = 1; |
| 1218 | #endif |
| 1219 | |
| 1220 | ret = ssl_parse_renegotiation_info(ssl, ext + 4, ext_size); |
| 1221 | if (ret != 0) { |
| 1222 | return ret; |
| 1223 | } |
| 1224 | break; |
| 1225 | |
| 1226 | #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) |
| 1227 | case MBEDTLS_TLS_EXT_SIG_ALG: |
| 1228 | MBEDTLS_SSL_DEBUG_MSG(3, ("found signature_algorithms extension")); |
| 1229 | |
| 1230 | ret = mbedtls_ssl_parse_sig_alg_ext(ssl, ext + 4, ext + 4 + ext_size); |
| 1231 | if (ret != 0) { |
| 1232 | return ret; |
| 1233 | } |
| 1234 | |
| 1235 | sig_hash_alg_ext_present = 1; |
| 1236 | break; |
| 1237 | #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ |
| 1238 | |
| 1239 | #if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED) || \ |
| 1240 | defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED) || \ |
| 1241 | defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) |
| 1242 | case MBEDTLS_TLS_EXT_SUPPORTED_GROUPS: |
| 1243 | MBEDTLS_SSL_DEBUG_MSG(3, ("found supported elliptic curves extension")); |
| 1244 | |
| 1245 | ret = ssl_parse_supported_groups_ext(ssl, ext + 4, ext_size); |
| 1246 | if (ret != 0) { |
| 1247 | return ret; |
| 1248 | } |
| 1249 | break; |
| 1250 | |
| 1251 | case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS: |
| 1252 | MBEDTLS_SSL_DEBUG_MSG(3, ("found supported point formats extension")); |
| 1253 | ssl->handshake->cli_exts |= MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT; |
| 1254 | |
| 1255 | ret = ssl_parse_supported_point_formats(ssl, ext + 4, ext_size); |
| 1256 | if (ret != 0) { |
| 1257 | return ret; |
| 1258 | } |
| 1259 | break; |
| 1260 | #endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED || \ |
| 1261 | MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED || |
| 1262 | MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ |
| 1263 | |
| 1264 | #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) |
| 1265 | case MBEDTLS_TLS_EXT_ECJPAKE_KKPP: |
| 1266 | MBEDTLS_SSL_DEBUG_MSG(3, ("found ecjpake kkpp extension")); |
| 1267 | |
| 1268 | ret = ssl_parse_ecjpake_kkpp(ssl, ext + 4, ext_size); |
| 1269 | if (ret != 0) { |
| 1270 | return ret; |
| 1271 | } |
| 1272 | break; |
| 1273 | #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ |
| 1274 | |
| 1275 | #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) |
| 1276 | case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH: |
| 1277 | MBEDTLS_SSL_DEBUG_MSG(3, ("found max fragment length extension")); |
| 1278 | |
| 1279 | ret = ssl_parse_max_fragment_length_ext(ssl, ext + 4, ext_size); |
| 1280 | if (ret != 0) { |
| 1281 | return ret; |
| 1282 | } |
| 1283 | break; |
| 1284 | #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ |
| 1285 | |
| 1286 | #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) |
| 1287 | case MBEDTLS_TLS_EXT_CID: |
| 1288 | MBEDTLS_SSL_DEBUG_MSG(3, ("found CID extension")); |
| 1289 | |
| 1290 | ret = ssl_parse_cid_ext(ssl, ext + 4, ext_size); |
| 1291 | if (ret != 0) { |
| 1292 | return ret; |
| 1293 | } |
| 1294 | break; |
| 1295 | #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ |
| 1296 | |
| 1297 | #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) |
| 1298 | case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC: |
| 1299 | MBEDTLS_SSL_DEBUG_MSG(3, ("found encrypt then mac extension")); |
| 1300 | |
| 1301 | ret = ssl_parse_encrypt_then_mac_ext(ssl, ext + 4, ext_size); |
| 1302 | if (ret != 0) { |
| 1303 | return ret; |
| 1304 | } |
| 1305 | break; |
| 1306 | #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */ |
| 1307 | |
| 1308 | #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) |
| 1309 | case MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET: |
| 1310 | MBEDTLS_SSL_DEBUG_MSG(3, ("found extended master secret extension")); |
| 1311 | |
| 1312 | ret = ssl_parse_extended_ms_ext(ssl, ext + 4, ext_size); |
| 1313 | if (ret != 0) { |
| 1314 | return ret; |
| 1315 | } |
| 1316 | break; |
| 1317 | #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */ |
| 1318 | |
| 1319 | #if defined(MBEDTLS_SSL_SESSION_TICKETS) |
| 1320 | case MBEDTLS_TLS_EXT_SESSION_TICKET: |
| 1321 | MBEDTLS_SSL_DEBUG_MSG(3, ("found session ticket extension")); |
| 1322 | /* |
| 1323 | * If the Mbed TLS ssl_ticket.c implementation is used, the |
| 1324 | * ticket is decrypted in place. This modifies the ClientHello |
| 1325 | * message in the input buffer. |
| 1326 | */ |
| 1327 | ret = ssl_parse_session_ticket_ext(ssl, ext + 4, ext_size); |
| 1328 | if (ret != 0) { |
| 1329 | return ret; |
| 1330 | } |
| 1331 | break; |
| 1332 | #endif /* MBEDTLS_SSL_SESSION_TICKETS */ |
| 1333 | |
| 1334 | #if defined(MBEDTLS_SSL_ALPN) |
| 1335 | case MBEDTLS_TLS_EXT_ALPN: |
| 1336 | MBEDTLS_SSL_DEBUG_MSG(3, ("found alpn extension")); |
| 1337 | |
| 1338 | ret = mbedtls_ssl_parse_alpn_ext(ssl, ext + 4, |
| 1339 | ext + 4 + ext_size); |
| 1340 | if (ret != 0) { |
| 1341 | return ret; |
| 1342 | } |
| 1343 | break; |
| 1344 | #endif /* MBEDTLS_SSL_SESSION_TICKETS */ |
| 1345 | |
| 1346 | #if defined(MBEDTLS_SSL_DTLS_SRTP) |
| 1347 | case MBEDTLS_TLS_EXT_USE_SRTP: |
| 1348 | MBEDTLS_SSL_DEBUG_MSG(3, ("found use_srtp extension")); |
| 1349 | |
| 1350 | ret = ssl_parse_use_srtp_ext(ssl, ext + 4, ext_size); |
| 1351 | if (ret != 0) { |
| 1352 | return ret; |
| 1353 | } |
| 1354 | break; |
| 1355 | #endif /* MBEDTLS_SSL_DTLS_SRTP */ |
| 1356 | |
| 1357 | default: |
| 1358 | MBEDTLS_SSL_DEBUG_MSG(3, ("unknown extension found: %u (ignoring)", |
| 1359 | ext_id)); |
| 1360 | } |
| 1361 | |
| 1362 | ext_len -= 4 + ext_size; |
| 1363 | ext += 4 + ext_size; |
| 1364 | } |
| 1365 | |
| 1366 | #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) |
| 1367 | |
| 1368 | /* |
| 1369 | * Try to fall back to default hash SHA1 if the client |
| 1370 | * hasn't provided any preferred signature-hash combinations. |
| 1371 | */ |
| 1372 | if (!sig_hash_alg_ext_present) { |
| 1373 | uint16_t *received_sig_algs = ssl->handshake->received_sig_algs; |
| 1374 | const uint16_t default_sig_algs[] = { |
| 1375 | #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED) |
| 1376 | MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, |
| 1377 | MBEDTLS_SSL_HASH_SHA1), |
| 1378 | #endif |
| 1379 | #if defined(MBEDTLS_RSA_C) |
| 1380 | MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_RSA, |
| 1381 | MBEDTLS_SSL_HASH_SHA1), |
| 1382 | #endif |
| 1383 | MBEDTLS_TLS_SIG_NONE |
| 1384 | }; |
| 1385 | |
| 1386 | MBEDTLS_STATIC_ASSERT(sizeof(default_sig_algs) / sizeof(default_sig_algs[0]) |
| 1387 | <= MBEDTLS_RECEIVED_SIG_ALGS_SIZE, |
| 1388 | "default_sig_algs is too big"); |
| 1389 | |
| 1390 | memcpy(received_sig_algs, default_sig_algs, sizeof(default_sig_algs)); |
| 1391 | } |
| 1392 | |
| 1393 | #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ |
| 1394 | |
| 1395 | /* |
| 1396 | * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV |
| 1397 | */ |
| 1398 | for (i = 0, p = buf + ciph_offset + 2; i < ciph_len; i += 2, p += 2) { |
| 1399 | if (p[0] == 0 && p[1] == MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO) { |
| 1400 | MBEDTLS_SSL_DEBUG_MSG(3, ("received TLS_EMPTY_RENEGOTIATION_INFO ")); |
| 1401 | #if defined(MBEDTLS_SSL_RENEGOTIATION) |
| 1402 | if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) { |
| 1403 | MBEDTLS_SSL_DEBUG_MSG(1, ("received RENEGOTIATION SCSV " |
| 1404 | "during renegotiation")); |
| 1405 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 1406 | MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE); |
| 1407 | return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; |
| 1408 | } |
| 1409 | #endif |
| 1410 | ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION; |
| 1411 | break; |
| 1412 | } |
| 1413 | } |
| 1414 | |
| 1415 | /* |
| 1416 | * Renegotiation security checks |
| 1417 | */ |
| 1418 | if (ssl->secure_renegotiation != MBEDTLS_SSL_SECURE_RENEGOTIATION && |
| 1419 | ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE) { |
| 1420 | MBEDTLS_SSL_DEBUG_MSG(1, ("legacy renegotiation, breaking off handshake")); |
| 1421 | handshake_failure = 1; |
| 1422 | } |
| 1423 | #if defined(MBEDTLS_SSL_RENEGOTIATION) |
| 1424 | else if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS && |
| 1425 | ssl->secure_renegotiation == MBEDTLS_SSL_SECURE_RENEGOTIATION && |
| 1426 | renegotiation_info_seen == 0) { |
| 1427 | MBEDTLS_SSL_DEBUG_MSG(1, ("renegotiation_info extension missing (secure)")); |
| 1428 | handshake_failure = 1; |
| 1429 | } else if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS && |
| 1430 | ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION && |
| 1431 | ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION) { |
| 1432 | MBEDTLS_SSL_DEBUG_MSG(1, ("legacy renegotiation not allowed")); |
| 1433 | handshake_failure = 1; |
| 1434 | } else if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS && |
| 1435 | ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION && |
| 1436 | renegotiation_info_seen == 1) { |
| 1437 | MBEDTLS_SSL_DEBUG_MSG(1, ("renegotiation_info extension present (legacy)")); |
| 1438 | handshake_failure = 1; |
| 1439 | } |
| 1440 | #endif /* MBEDTLS_SSL_RENEGOTIATION */ |
| 1441 | |
| 1442 | if (handshake_failure == 1) { |
| 1443 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 1444 | MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE); |
| 1445 | return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; |
| 1446 | } |
| 1447 | |
| 1448 | /* |
| 1449 | * Server certification selection (after processing TLS extensions) |
| 1450 | */ |
| 1451 | if (ssl->conf->f_cert_cb && (ret = ssl->conf->f_cert_cb(ssl)) != 0) { |
| 1452 | MBEDTLS_SSL_DEBUG_RET(1, "f_cert_cb", ret); |
| 1453 | return ret; |
| 1454 | } |
| 1455 | #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) |
| 1456 | ssl->handshake->sni_name = NULL; |
| 1457 | ssl->handshake->sni_name_len = 0; |
| 1458 | #endif |
| 1459 | |
| 1460 | /* |
| 1461 | * Search for a matching ciphersuite |
| 1462 | * (At the end because we need information from the EC-based extensions |
| 1463 | * and certificate from the SNI callback triggered by the SNI extension |
| 1464 | * or certificate from server certificate selection callback.) |
| 1465 | */ |
| 1466 | got_common_suite = 0; |
| 1467 | ciphersuites = ssl->conf->ciphersuite_list; |
| 1468 | ciphersuite_info = NULL; |
| 1469 | |
| 1470 | if (ssl->conf->respect_cli_pref == MBEDTLS_SSL_SRV_CIPHERSUITE_ORDER_CLIENT) { |
| 1471 | for (j = 0, p = buf + ciph_offset + 2; j < ciph_len; j += 2, p += 2) { |
| 1472 | for (i = 0; ciphersuites[i] != 0; i++) { |
| 1473 | if (MBEDTLS_GET_UINT16_BE(p, 0) != ciphersuites[i]) { |
| 1474 | continue; |
| 1475 | } |
| 1476 | |
| 1477 | got_common_suite = 1; |
| 1478 | |
| 1479 | if ((ret = ssl_ciphersuite_match(ssl, ciphersuites[i], |
| 1480 | &ciphersuite_info)) != 0) { |
| 1481 | return ret; |
| 1482 | } |
| 1483 | |
| 1484 | if (ciphersuite_info != NULL) { |
| 1485 | goto have_ciphersuite; |
| 1486 | } |
| 1487 | } |
| 1488 | } |
| 1489 | } else { |
| 1490 | for (i = 0; ciphersuites[i] != 0; i++) { |
| 1491 | for (j = 0, p = buf + ciph_offset + 2; j < ciph_len; j += 2, p += 2) { |
| 1492 | if (MBEDTLS_GET_UINT16_BE(p, 0) != ciphersuites[i]) { |
| 1493 | continue; |
| 1494 | } |
| 1495 | |
| 1496 | got_common_suite = 1; |
| 1497 | |
| 1498 | if ((ret = ssl_ciphersuite_match(ssl, ciphersuites[i], |
| 1499 | &ciphersuite_info)) != 0) { |
| 1500 | return ret; |
| 1501 | } |
| 1502 | |
| 1503 | if (ciphersuite_info != NULL) { |
| 1504 | goto have_ciphersuite; |
| 1505 | } |
| 1506 | } |
| 1507 | } |
| 1508 | } |
| 1509 | |
| 1510 | if (got_common_suite) { |
| 1511 | MBEDTLS_SSL_DEBUG_MSG(1, ("got ciphersuites in common, " |
| 1512 | "but none of them usable")); |
| 1513 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 1514 | MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE); |
| 1515 | return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; |
| 1516 | } else { |
| 1517 | MBEDTLS_SSL_DEBUG_MSG(1, ("got no ciphersuites in common")); |
| 1518 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 1519 | MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE); |
| 1520 | return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; |
| 1521 | } |
| 1522 | |
| 1523 | have_ciphersuite: |
| 1524 | MBEDTLS_SSL_DEBUG_MSG(2, ("selected ciphersuite: %s", ciphersuite_info->name)); |
| 1525 | |
| 1526 | ssl->session_negotiate->ciphersuite = ciphersuites[i]; |
| 1527 | ssl->handshake->ciphersuite_info = ciphersuite_info; |
| 1528 | |
| 1529 | mbedtls_ssl_handshake_increment_state(ssl); |
| 1530 | |
| 1531 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
| 1532 | if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) { |
| 1533 | mbedtls_ssl_recv_flight_completed(ssl); |
| 1534 | } |
| 1535 | #endif |
| 1536 | |
| 1537 | /* Debugging-only output for testsuite */ |
| 1538 | #if defined(MBEDTLS_DEBUG_C) && \ |
| 1539 | defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) |
| 1540 | mbedtls_pk_type_t sig_alg = mbedtls_ssl_get_ciphersuite_sig_alg(ciphersuite_info); |
| 1541 | if (sig_alg != MBEDTLS_PK_NONE) { |
| 1542 | unsigned int sig_hash = mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg( |
| 1543 | ssl, mbedtls_ssl_sig_from_pk_alg(sig_alg)); |
| 1544 | MBEDTLS_SSL_DEBUG_MSG(3, ("client hello v3, signature_algorithm ext: %u", |
| 1545 | sig_hash)); |
| 1546 | } else { |
| 1547 | MBEDTLS_SSL_DEBUG_MSG(3, ("no hash algorithm for signature algorithm " |
| 1548 | "%u - should not happen", (unsigned) sig_alg)); |
| 1549 | } |
| 1550 | #endif |
| 1551 | |
| 1552 | MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse client hello")); |
| 1553 | |
| 1554 | return 0; |
| 1555 | } |
| 1556 | |
| 1557 | #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) |
| 1558 | static void ssl_write_cid_ext(mbedtls_ssl_context *ssl, |
| 1559 | unsigned char *buf, |
| 1560 | size_t *olen) |
| 1561 | { |
| 1562 | unsigned char *p = buf; |
| 1563 | size_t ext_len; |
| 1564 | const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN; |
| 1565 | |
| 1566 | *olen = 0; |
| 1567 | |
| 1568 | /* Skip writing the extension if we don't want to use it or if |
| 1569 | * the client hasn't offered it. */ |
| 1570 | if (ssl->handshake->cid_in_use == MBEDTLS_SSL_CID_DISABLED) { |
| 1571 | return; |
| 1572 | } |
| 1573 | |
| 1574 | /* ssl->own_cid_len is at most MBEDTLS_SSL_CID_IN_LEN_MAX |
| 1575 | * which is at most 255, so the increment cannot overflow. */ |
| 1576 | if (end < p || (size_t) (end - p) < (unsigned) (ssl->own_cid_len + 5)) { |
| 1577 | MBEDTLS_SSL_DEBUG_MSG(1, ("buffer too small")); |
| 1578 | return; |
| 1579 | } |
| 1580 | |
| 1581 | MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding CID extension")); |
| 1582 | |
| 1583 | /* |
| 1584 | * struct { |
| 1585 | * opaque cid<0..2^8-1>; |
| 1586 | * } ConnectionId; |
| 1587 | */ |
| 1588 | MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_CID, p, 0); |
| 1589 | p += 2; |
| 1590 | ext_len = (size_t) ssl->own_cid_len + 1; |
| 1591 | MBEDTLS_PUT_UINT16_BE(ext_len, p, 0); |
| 1592 | p += 2; |
| 1593 | |
| 1594 | *p++ = (uint8_t) ssl->own_cid_len; |
| 1595 | memcpy(p, ssl->own_cid, ssl->own_cid_len); |
| 1596 | |
| 1597 | *olen = ssl->own_cid_len + 5; |
| 1598 | } |
| 1599 | #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ |
| 1600 | |
| 1601 | #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM) |
| 1602 | static void ssl_write_encrypt_then_mac_ext(mbedtls_ssl_context *ssl, |
| 1603 | unsigned char *buf, |
| 1604 | size_t *olen) |
| 1605 | { |
| 1606 | unsigned char *p = buf; |
| 1607 | const mbedtls_ssl_ciphersuite_t *suite = NULL; |
| 1608 | |
| 1609 | /* |
| 1610 | * RFC 7366: "If a server receives an encrypt-then-MAC request extension |
| 1611 | * from a client and then selects a stream or Authenticated Encryption |
| 1612 | * with Associated Data (AEAD) ciphersuite, it MUST NOT send an |
| 1613 | * encrypt-then-MAC response extension back to the client." |
| 1614 | */ |
| 1615 | suite = mbedtls_ssl_ciphersuite_from_id( |
| 1616 | ssl->session_negotiate->ciphersuite); |
| 1617 | if (suite == NULL) { |
| 1618 | ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_DISABLED; |
| 1619 | } else { |
| 1620 | mbedtls_ssl_mode_t ssl_mode = |
| 1621 | mbedtls_ssl_get_mode_from_ciphersuite( |
| 1622 | ssl->session_negotiate->encrypt_then_mac, |
| 1623 | suite); |
| 1624 | |
| 1625 | if (ssl_mode != MBEDTLS_SSL_MODE_CBC_ETM) { |
| 1626 | ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_DISABLED; |
| 1627 | } |
| 1628 | } |
| 1629 | |
| 1630 | if (ssl->session_negotiate->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED) { |
| 1631 | *olen = 0; |
| 1632 | return; |
| 1633 | } |
| 1634 | |
| 1635 | MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding encrypt then mac extension")); |
| 1636 | |
| 1637 | MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC, p, 0); |
| 1638 | p += 2; |
| 1639 | |
| 1640 | *p++ = 0x00; |
| 1641 | *p++ = 0x00; |
| 1642 | |
| 1643 | *olen = 4; |
| 1644 | } |
| 1645 | #endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */ |
| 1646 | |
| 1647 | #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) |
| 1648 | static void ssl_write_extended_ms_ext(mbedtls_ssl_context *ssl, |
| 1649 | unsigned char *buf, |
| 1650 | size_t *olen) |
| 1651 | { |
| 1652 | unsigned char *p = buf; |
| 1653 | |
| 1654 | if (ssl->handshake->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED) { |
| 1655 | *olen = 0; |
| 1656 | return; |
| 1657 | } |
| 1658 | |
| 1659 | MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding extended master secret " |
| 1660 | "extension")); |
| 1661 | |
| 1662 | MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET, p, 0); |
| 1663 | p += 2; |
| 1664 | |
| 1665 | *p++ = 0x00; |
| 1666 | *p++ = 0x00; |
| 1667 | |
| 1668 | *olen = 4; |
| 1669 | } |
| 1670 | #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */ |
| 1671 | |
| 1672 | #if defined(MBEDTLS_SSL_SESSION_TICKETS) |
| 1673 | static void ssl_write_session_ticket_ext(mbedtls_ssl_context *ssl, |
| 1674 | unsigned char *buf, |
| 1675 | size_t *olen) |
| 1676 | { |
| 1677 | unsigned char *p = buf; |
| 1678 | |
| 1679 | if (ssl->handshake->new_session_ticket == 0) { |
| 1680 | *olen = 0; |
| 1681 | return; |
| 1682 | } |
| 1683 | |
| 1684 | MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding session ticket extension")); |
| 1685 | |
| 1686 | MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_SESSION_TICKET, p, 0); |
| 1687 | p += 2; |
| 1688 | |
| 1689 | *p++ = 0x00; |
| 1690 | *p++ = 0x00; |
| 1691 | |
| 1692 | *olen = 4; |
| 1693 | } |
| 1694 | #endif /* MBEDTLS_SSL_SESSION_TICKETS */ |
| 1695 | |
| 1696 | static void ssl_write_renegotiation_ext(mbedtls_ssl_context *ssl, |
| 1697 | unsigned char *buf, |
| 1698 | size_t *olen) |
| 1699 | { |
| 1700 | unsigned char *p = buf; |
| 1701 | |
| 1702 | if (ssl->secure_renegotiation != MBEDTLS_SSL_SECURE_RENEGOTIATION) { |
| 1703 | *olen = 0; |
| 1704 | return; |
| 1705 | } |
| 1706 | |
| 1707 | MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, secure renegotiation extension")); |
| 1708 | |
| 1709 | MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_RENEGOTIATION_INFO, p, 0); |
| 1710 | p += 2; |
| 1711 | |
| 1712 | #if defined(MBEDTLS_SSL_RENEGOTIATION) |
| 1713 | if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) { |
| 1714 | *p++ = 0x00; |
| 1715 | *p++ = (ssl->verify_data_len * 2 + 1) & 0xFF; |
| 1716 | *p++ = ssl->verify_data_len * 2 & 0xFF; |
| 1717 | |
| 1718 | memcpy(p, ssl->peer_verify_data, ssl->verify_data_len); |
| 1719 | p += ssl->verify_data_len; |
| 1720 | memcpy(p, ssl->own_verify_data, ssl->verify_data_len); |
| 1721 | p += ssl->verify_data_len; |
| 1722 | } else |
| 1723 | #endif /* MBEDTLS_SSL_RENEGOTIATION */ |
| 1724 | { |
| 1725 | *p++ = 0x00; |
| 1726 | *p++ = 0x01; |
| 1727 | *p++ = 0x00; |
| 1728 | } |
| 1729 | |
| 1730 | *olen = (size_t) (p - buf); |
| 1731 | } |
| 1732 | |
| 1733 | #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) |
| 1734 | static void ssl_write_max_fragment_length_ext(mbedtls_ssl_context *ssl, |
| 1735 | unsigned char *buf, |
| 1736 | size_t *olen) |
| 1737 | { |
| 1738 | unsigned char *p = buf; |
| 1739 | |
| 1740 | if (ssl->session_negotiate->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE) { |
| 1741 | *olen = 0; |
| 1742 | return; |
| 1743 | } |
| 1744 | |
| 1745 | MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, max_fragment_length extension")); |
| 1746 | |
| 1747 | MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH, p, 0); |
| 1748 | p += 2; |
| 1749 | |
| 1750 | *p++ = 0x00; |
| 1751 | *p++ = 1; |
| 1752 | |
| 1753 | *p++ = ssl->session_negotiate->mfl_code; |
| 1754 | |
| 1755 | *olen = 5; |
| 1756 | } |
| 1757 | #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ |
| 1758 | |
| 1759 | #if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED) || \ |
| 1760 | defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED) || \ |
| 1761 | defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) |
| 1762 | static void ssl_write_supported_point_formats_ext(mbedtls_ssl_context *ssl, |
| 1763 | unsigned char *buf, |
| 1764 | size_t *olen) |
| 1765 | { |
| 1766 | unsigned char *p = buf; |
| 1767 | ((void) ssl); |
| 1768 | |
| 1769 | if ((ssl->handshake->cli_exts & |
| 1770 | MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT) == 0) { |
| 1771 | *olen = 0; |
| 1772 | return; |
| 1773 | } |
| 1774 | |
| 1775 | MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, supported_point_formats extension")); |
| 1776 | |
| 1777 | MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS, p, 0); |
| 1778 | p += 2; |
| 1779 | |
| 1780 | *p++ = 0x00; |
| 1781 | *p++ = 2; |
| 1782 | |
| 1783 | *p++ = 1; |
| 1784 | *p++ = MBEDTLS_ECP_PF_UNCOMPRESSED; |
| 1785 | |
| 1786 | *olen = 6; |
| 1787 | } |
| 1788 | #endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED || |
| 1789 | MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED || |
| 1790 | MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ |
| 1791 | |
| 1792 | #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) |
| 1793 | static void ssl_write_ecjpake_kkpp_ext(mbedtls_ssl_context *ssl, |
| 1794 | unsigned char *buf, |
| 1795 | size_t *olen) |
| 1796 | { |
| 1797 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| 1798 | unsigned char *p = buf; |
| 1799 | const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN; |
| 1800 | size_t kkpp_len; |
| 1801 | |
| 1802 | *olen = 0; |
| 1803 | |
| 1804 | /* Skip costly computation if not needed */ |
| 1805 | if (ssl->handshake->ciphersuite_info->key_exchange != |
| 1806 | MBEDTLS_KEY_EXCHANGE_ECJPAKE) { |
| 1807 | return; |
| 1808 | } |
| 1809 | |
| 1810 | MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, ecjpake kkpp extension")); |
| 1811 | |
| 1812 | if (end - p < 4) { |
| 1813 | MBEDTLS_SSL_DEBUG_MSG(1, ("buffer too small")); |
| 1814 | return; |
| 1815 | } |
| 1816 | |
| 1817 | MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_ECJPAKE_KKPP, p, 0); |
| 1818 | p += 2; |
| 1819 | |
| 1820 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
| 1821 | ret = mbedtls_psa_ecjpake_write_round(&ssl->handshake->psa_pake_ctx, |
| 1822 | p + 2, (size_t) (end - p - 2), &kkpp_len, |
| 1823 | MBEDTLS_ECJPAKE_ROUND_ONE); |
| 1824 | if (ret != 0) { |
| 1825 | psa_destroy_key(ssl->handshake->psa_pake_password); |
| 1826 | psa_pake_abort(&ssl->handshake->psa_pake_ctx); |
| 1827 | MBEDTLS_SSL_DEBUG_RET(1, "psa_pake_output", ret); |
| 1828 | return; |
| 1829 | } |
| 1830 | #else |
| 1831 | ret = mbedtls_ecjpake_write_round_one(&ssl->handshake->ecjpake_ctx, |
| 1832 | p + 2, (size_t) (end - p - 2), &kkpp_len, |
| 1833 | ssl->conf->f_rng, ssl->conf->p_rng); |
| 1834 | if (ret != 0) { |
| 1835 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_write_round_one", ret); |
| 1836 | return; |
| 1837 | } |
| 1838 | #endif /* MBEDTLS_USE_PSA_CRYPTO */ |
| 1839 | |
| 1840 | MBEDTLS_PUT_UINT16_BE(kkpp_len, p, 0); |
| 1841 | p += 2; |
| 1842 | |
| 1843 | *olen = kkpp_len + 4; |
| 1844 | } |
| 1845 | #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ |
| 1846 | |
| 1847 | #if defined(MBEDTLS_SSL_DTLS_SRTP) && defined(MBEDTLS_SSL_PROTO_DTLS) |
| 1848 | static void ssl_write_use_srtp_ext(mbedtls_ssl_context *ssl, |
| 1849 | unsigned char *buf, |
| 1850 | size_t *olen) |
| 1851 | { |
| 1852 | size_t mki_len = 0, ext_len = 0; |
| 1853 | uint16_t profile_value = 0; |
| 1854 | const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN; |
| 1855 | |
| 1856 | *olen = 0; |
| 1857 | |
| 1858 | if ((ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) || |
| 1859 | (ssl->dtls_srtp_info.chosen_dtls_srtp_profile == MBEDTLS_TLS_SRTP_UNSET)) { |
| 1860 | return; |
| 1861 | } |
| 1862 | |
| 1863 | MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding use_srtp extension")); |
| 1864 | |
| 1865 | if (ssl->conf->dtls_srtp_mki_support == MBEDTLS_SSL_DTLS_SRTP_MKI_SUPPORTED) { |
| 1866 | mki_len = ssl->dtls_srtp_info.mki_len; |
| 1867 | } |
| 1868 | |
| 1869 | /* The extension total size is 9 bytes : |
| 1870 | * - 2 bytes for the extension tag |
| 1871 | * - 2 bytes for the total size |
| 1872 | * - 2 bytes for the protection profile length |
| 1873 | * - 2 bytes for the protection profile |
| 1874 | * - 1 byte for the mki length |
| 1875 | * + the actual mki length |
| 1876 | * Check we have enough room in the output buffer */ |
| 1877 | if ((size_t) (end - buf) < mki_len + 9) { |
| 1878 | MBEDTLS_SSL_DEBUG_MSG(1, ("buffer too small")); |
| 1879 | return; |
| 1880 | } |
| 1881 | |
| 1882 | /* extension */ |
| 1883 | MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_USE_SRTP, buf, 0); |
| 1884 | /* |
| 1885 | * total length 5 and mki value: only one profile(2 bytes) |
| 1886 | * and length(2 bytes) and srtp_mki ) |
| 1887 | */ |
| 1888 | ext_len = 5 + mki_len; |
| 1889 | MBEDTLS_PUT_UINT16_BE(ext_len, buf, 2); |
| 1890 | |
| 1891 | /* protection profile length: 2 */ |
| 1892 | buf[4] = 0x00; |
| 1893 | buf[5] = 0x02; |
| 1894 | profile_value = mbedtls_ssl_check_srtp_profile_value( |
| 1895 | ssl->dtls_srtp_info.chosen_dtls_srtp_profile); |
| 1896 | if (profile_value != MBEDTLS_TLS_SRTP_UNSET) { |
| 1897 | MBEDTLS_PUT_UINT16_BE(profile_value, buf, 6); |
| 1898 | } else { |
| 1899 | MBEDTLS_SSL_DEBUG_MSG(1, ("use_srtp extension invalid profile")); |
| 1900 | return; |
| 1901 | } |
| 1902 | |
| 1903 | buf[8] = mki_len & 0xFF; |
| 1904 | memcpy(&buf[9], ssl->dtls_srtp_info.mki_value, mki_len); |
| 1905 | |
| 1906 | *olen = 9 + mki_len; |
| 1907 | } |
| 1908 | #endif /* MBEDTLS_SSL_DTLS_SRTP */ |
| 1909 | |
| 1910 | #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) |
| 1911 | MBEDTLS_CHECK_RETURN_CRITICAL |
| 1912 | static int ssl_write_hello_verify_request(mbedtls_ssl_context *ssl) |
| 1913 | { |
| 1914 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| 1915 | unsigned char *p = ssl->out_msg + 4; |
| 1916 | unsigned char *cookie_len_byte; |
| 1917 | |
| 1918 | MBEDTLS_SSL_DEBUG_MSG(2, ("=> write hello verify request")); |
| 1919 | |
| 1920 | /* |
| 1921 | * struct { |
| 1922 | * ProtocolVersion server_version; |
| 1923 | * opaque cookie<0..2^8-1>; |
| 1924 | * } HelloVerifyRequest; |
| 1925 | */ |
| 1926 | |
| 1927 | /* The RFC is not clear on this point, but sending the actual negotiated |
| 1928 | * version looks like the most interoperable thing to do. */ |
| 1929 | mbedtls_ssl_write_version(p, ssl->conf->transport, ssl->tls_version); |
| 1930 | MBEDTLS_SSL_DEBUG_BUF(3, "server version", p, 2); |
| 1931 | p += 2; |
| 1932 | |
| 1933 | /* If we get here, f_cookie_check is not null */ |
| 1934 | if (ssl->conf->f_cookie_write == NULL) { |
| 1935 | MBEDTLS_SSL_DEBUG_MSG(1, ("inconsistent cookie callbacks")); |
| 1936 | return MBEDTLS_ERR_SSL_INTERNAL_ERROR; |
| 1937 | } |
| 1938 | |
| 1939 | /* Skip length byte until we know the length */ |
| 1940 | cookie_len_byte = p++; |
| 1941 | |
| 1942 | if ((ret = ssl->conf->f_cookie_write(ssl->conf->p_cookie, |
| 1943 | &p, ssl->out_buf + MBEDTLS_SSL_OUT_BUFFER_LEN, |
| 1944 | ssl->cli_id, ssl->cli_id_len)) != 0) { |
| 1945 | MBEDTLS_SSL_DEBUG_RET(1, "f_cookie_write", ret); |
| 1946 | return ret; |
| 1947 | } |
| 1948 | |
| 1949 | *cookie_len_byte = (unsigned char) (p - (cookie_len_byte + 1)); |
| 1950 | |
| 1951 | MBEDTLS_SSL_DEBUG_BUF(3, "cookie sent", cookie_len_byte + 1, *cookie_len_byte); |
| 1952 | |
| 1953 | ssl->out_msglen = (size_t) (p - ssl->out_msg); |
| 1954 | ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; |
| 1955 | ssl->out_msg[0] = MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST; |
| 1956 | |
| 1957 | mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT); |
| 1958 | |
| 1959 | if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) { |
| 1960 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret); |
| 1961 | return ret; |
| 1962 | } |
| 1963 | |
| 1964 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
| 1965 | if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && |
| 1966 | (ret = mbedtls_ssl_flight_transmit(ssl)) != 0) { |
| 1967 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_flight_transmit", ret); |
| 1968 | return ret; |
| 1969 | } |
| 1970 | #endif /* MBEDTLS_SSL_PROTO_DTLS */ |
| 1971 | |
| 1972 | MBEDTLS_SSL_DEBUG_MSG(2, ("<= write hello verify request")); |
| 1973 | |
| 1974 | return 0; |
| 1975 | } |
| 1976 | #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */ |
| 1977 | |
| 1978 | static void ssl_handle_id_based_session_resumption(mbedtls_ssl_context *ssl) |
| 1979 | { |
| 1980 | int ret; |
| 1981 | mbedtls_ssl_session session_tmp; |
| 1982 | mbedtls_ssl_session * const session = ssl->session_negotiate; |
| 1983 | |
| 1984 | /* Resume is 0 by default, see ssl_handshake_init(). |
| 1985 | * It may be already set to 1 by ssl_parse_session_ticket_ext(). */ |
| 1986 | if (ssl->handshake->resume == 1) { |
| 1987 | return; |
| 1988 | } |
| 1989 | if (session->id_len == 0) { |
| 1990 | return; |
| 1991 | } |
| 1992 | if (ssl->conf->f_get_cache == NULL) { |
| 1993 | return; |
| 1994 | } |
| 1995 | #if defined(MBEDTLS_SSL_RENEGOTIATION) |
| 1996 | if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) { |
| 1997 | return; |
| 1998 | } |
| 1999 | #endif |
| 2000 | |
| 2001 | mbedtls_ssl_session_init(&session_tmp); |
| 2002 | |
| 2003 | ret = ssl->conf->f_get_cache(ssl->conf->p_cache, |
| 2004 | session->id, |
| 2005 | session->id_len, |
| 2006 | &session_tmp); |
| 2007 | if (ret != 0) { |
| 2008 | goto exit; |
| 2009 | } |
| 2010 | |
| 2011 | if (session->ciphersuite != session_tmp.ciphersuite) { |
| 2012 | /* Mismatch between cached and negotiated session */ |
| 2013 | goto exit; |
| 2014 | } |
| 2015 | |
| 2016 | /* Move semantics */ |
| 2017 | mbedtls_ssl_session_free(session); |
| 2018 | *session = session_tmp; |
| 2019 | memset(&session_tmp, 0, sizeof(session_tmp)); |
| 2020 | |
| 2021 | MBEDTLS_SSL_DEBUG_MSG(3, ("session successfully restored from cache")); |
| 2022 | ssl->handshake->resume = 1; |
| 2023 | |
| 2024 | exit: |
| 2025 | |
| 2026 | mbedtls_ssl_session_free(&session_tmp); |
| 2027 | } |
| 2028 | |
| 2029 | MBEDTLS_CHECK_RETURN_CRITICAL |
| 2030 | static int ssl_write_server_hello(mbedtls_ssl_context *ssl) |
| 2031 | { |
| 2032 | #if defined(MBEDTLS_HAVE_TIME) |
| 2033 | mbedtls_time_t t; |
| 2034 | #endif |
| 2035 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| 2036 | size_t olen, ext_len = 0, n; |
| 2037 | unsigned char *buf, *p; |
| 2038 | |
| 2039 | MBEDTLS_SSL_DEBUG_MSG(2, ("=> write server hello")); |
| 2040 | |
| 2041 | #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) |
| 2042 | if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && |
| 2043 | ssl->handshake->cookie_verify_result != 0) { |
| 2044 | MBEDTLS_SSL_DEBUG_MSG(2, ("client hello was not authenticated")); |
| 2045 | MBEDTLS_SSL_DEBUG_MSG(2, ("<= write server hello")); |
| 2046 | |
| 2047 | return ssl_write_hello_verify_request(ssl); |
| 2048 | } |
| 2049 | #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */ |
| 2050 | |
| 2051 | /* |
| 2052 | * 0 . 0 handshake type |
| 2053 | * 1 . 3 handshake length |
| 2054 | * 4 . 5 protocol version |
| 2055 | * 6 . 9 UNIX time() |
| 2056 | * 10 . 37 random bytes |
| 2057 | */ |
| 2058 | buf = ssl->out_msg; |
| 2059 | p = buf + 4; |
| 2060 | |
| 2061 | mbedtls_ssl_write_version(p, ssl->conf->transport, ssl->tls_version); |
| 2062 | p += 2; |
| 2063 | |
| 2064 | MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, chosen version: [%d:%d]", |
| 2065 | buf[4], buf[5])); |
| 2066 | |
| 2067 | #if defined(MBEDTLS_HAVE_TIME) |
| 2068 | t = mbedtls_time(NULL); |
| 2069 | MBEDTLS_PUT_UINT32_BE(t, p, 0); |
| 2070 | p += 4; |
| 2071 | |
| 2072 | MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, current time: %" MBEDTLS_PRINTF_LONGLONG, |
| 2073 | (long long) t)); |
| 2074 | #else |
| 2075 | if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, p, 4)) != 0) { |
| 2076 | return ret; |
| 2077 | } |
| 2078 | |
| 2079 | p += 4; |
| 2080 | #endif /* MBEDTLS_HAVE_TIME */ |
| 2081 | |
| 2082 | if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, p, 20)) != 0) { |
| 2083 | return ret; |
| 2084 | } |
| 2085 | p += 20; |
| 2086 | |
| 2087 | #if defined(MBEDTLS_SSL_PROTO_TLS1_3) |
| 2088 | /* |
| 2089 | * RFC 8446 |
| 2090 | * TLS 1.3 has a downgrade protection mechanism embedded in the server's |
| 2091 | * random value. TLS 1.3 servers which negotiate TLS 1.2 or below in |
| 2092 | * response to a ClientHello MUST set the last 8 bytes of their Random |
| 2093 | * value specially in their ServerHello. |
| 2094 | */ |
| 2095 | if (mbedtls_ssl_conf_is_tls13_enabled(ssl->conf)) { |
| 2096 | static const unsigned char magic_tls12_downgrade_string[] = |
| 2097 | { 'D', 'O', 'W', 'N', 'G', 'R', 'D', 1 }; |
| 2098 | |
| 2099 | MBEDTLS_STATIC_ASSERT( |
| 2100 | sizeof(magic_tls12_downgrade_string) == 8, |
| 2101 | "magic_tls12_downgrade_string does not have the expected size"); |
| 2102 | |
| 2103 | memcpy(p, magic_tls12_downgrade_string, |
| 2104 | sizeof(magic_tls12_downgrade_string)); |
| 2105 | } else |
| 2106 | #endif |
| 2107 | { |
| 2108 | if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, p, 8)) != 0) { |
| 2109 | return ret; |
| 2110 | } |
| 2111 | } |
| 2112 | p += 8; |
| 2113 | |
| 2114 | memcpy(ssl->handshake->randbytes + 32, buf + 6, 32); |
| 2115 | |
| 2116 | MBEDTLS_SSL_DEBUG_BUF(3, "server hello, random bytes", buf + 6, 32); |
| 2117 | |
| 2118 | ssl_handle_id_based_session_resumption(ssl); |
| 2119 | |
| 2120 | if (ssl->handshake->resume == 0) { |
| 2121 | /* |
| 2122 | * New session, create a new session id, |
| 2123 | * unless we're about to issue a session ticket |
| 2124 | */ |
| 2125 | mbedtls_ssl_handshake_increment_state(ssl); |
| 2126 | |
| 2127 | #if defined(MBEDTLS_HAVE_TIME) |
| 2128 | ssl->session_negotiate->start = mbedtls_time(NULL); |
| 2129 | #endif |
| 2130 | |
| 2131 | #if defined(MBEDTLS_SSL_SESSION_TICKETS) |
| 2132 | if (ssl->handshake->new_session_ticket != 0) { |
| 2133 | ssl->session_negotiate->id_len = n = 0; |
| 2134 | memset(ssl->session_negotiate->id, 0, 32); |
| 2135 | } else |
| 2136 | #endif /* MBEDTLS_SSL_SESSION_TICKETS */ |
| 2137 | { |
| 2138 | ssl->session_negotiate->id_len = n = 32; |
| 2139 | if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, ssl->session_negotiate->id, |
| 2140 | n)) != 0) { |
| 2141 | return ret; |
| 2142 | } |
| 2143 | } |
| 2144 | } else { |
| 2145 | /* |
| 2146 | * Resuming a session |
| 2147 | */ |
| 2148 | n = ssl->session_negotiate->id_len; |
| 2149 | mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC); |
| 2150 | |
| 2151 | if ((ret = mbedtls_ssl_derive_keys(ssl)) != 0) { |
| 2152 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_derive_keys", ret); |
| 2153 | return ret; |
| 2154 | } |
| 2155 | } |
| 2156 | |
| 2157 | /* |
| 2158 | * 38 . 38 session id length |
| 2159 | * 39 . 38+n session id |
| 2160 | * 39+n . 40+n chosen ciphersuite |
| 2161 | * 41+n . 41+n chosen compression alg. |
| 2162 | * 42+n . 43+n extensions length |
| 2163 | * 44+n . 43+n+m extensions |
| 2164 | */ |
| 2165 | *p++ = (unsigned char) ssl->session_negotiate->id_len; |
| 2166 | memcpy(p, ssl->session_negotiate->id, ssl->session_negotiate->id_len); |
| 2167 | p += ssl->session_negotiate->id_len; |
| 2168 | |
| 2169 | MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, session id len.: %" MBEDTLS_PRINTF_SIZET, n)); |
| 2170 | MBEDTLS_SSL_DEBUG_BUF(3, "server hello, session id", buf + 39, n); |
| 2171 | MBEDTLS_SSL_DEBUG_MSG(3, ("%s session has been resumed", |
| 2172 | ssl->handshake->resume ? "a" : "no")); |
| 2173 | |
| 2174 | MBEDTLS_PUT_UINT16_BE(ssl->session_negotiate->ciphersuite, p, 0); |
| 2175 | p += 2; |
| 2176 | *p++ = MBEDTLS_BYTE_0(MBEDTLS_SSL_COMPRESS_NULL); |
| 2177 | |
| 2178 | MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, chosen ciphersuite: %s", |
| 2179 | mbedtls_ssl_get_ciphersuite_name(ssl->session_negotiate->ciphersuite))); |
| 2180 | MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, compress alg.: 0x%02X", |
| 2181 | (unsigned int) MBEDTLS_SSL_COMPRESS_NULL)); |
| 2182 | |
| 2183 | /* |
| 2184 | * First write extensions, then the total length |
| 2185 | */ |
| 2186 | ssl_write_renegotiation_ext(ssl, p + 2 + ext_len, &olen); |
| 2187 | ext_len += olen; |
| 2188 | |
| 2189 | #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) |
| 2190 | ssl_write_max_fragment_length_ext(ssl, p + 2 + ext_len, &olen); |
| 2191 | ext_len += olen; |
| 2192 | #endif |
| 2193 | |
| 2194 | #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) |
| 2195 | ssl_write_cid_ext(ssl, p + 2 + ext_len, &olen); |
| 2196 | ext_len += olen; |
| 2197 | #endif |
| 2198 | |
| 2199 | #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM) |
| 2200 | ssl_write_encrypt_then_mac_ext(ssl, p + 2 + ext_len, &olen); |
| 2201 | ext_len += olen; |
| 2202 | #endif |
| 2203 | |
| 2204 | #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) |
| 2205 | ssl_write_extended_ms_ext(ssl, p + 2 + ext_len, &olen); |
| 2206 | ext_len += olen; |
| 2207 | #endif |
| 2208 | |
| 2209 | #if defined(MBEDTLS_SSL_SESSION_TICKETS) |
| 2210 | ssl_write_session_ticket_ext(ssl, p + 2 + ext_len, &olen); |
| 2211 | ext_len += olen; |
| 2212 | #endif |
| 2213 | |
| 2214 | #if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED) || \ |
| 2215 | defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED) || \ |
| 2216 | defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) |
| 2217 | const mbedtls_ssl_ciphersuite_t *suite = |
| 2218 | mbedtls_ssl_ciphersuite_from_id(ssl->session_negotiate->ciphersuite); |
| 2219 | if (suite != NULL && mbedtls_ssl_ciphersuite_uses_ec(suite)) { |
| 2220 | ssl_write_supported_point_formats_ext(ssl, p + 2 + ext_len, &olen); |
| 2221 | ext_len += olen; |
| 2222 | } |
| 2223 | #endif |
| 2224 | |
| 2225 | #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) |
| 2226 | ssl_write_ecjpake_kkpp_ext(ssl, p + 2 + ext_len, &olen); |
| 2227 | ext_len += olen; |
| 2228 | #endif |
| 2229 | |
| 2230 | #if defined(MBEDTLS_SSL_ALPN) |
| 2231 | unsigned char *end = buf + MBEDTLS_SSL_OUT_CONTENT_LEN - 4; |
| 2232 | if ((ret = mbedtls_ssl_write_alpn_ext(ssl, p + 2 + ext_len, end, &olen)) |
| 2233 | != 0) { |
| 2234 | return ret; |
| 2235 | } |
| 2236 | |
| 2237 | ext_len += olen; |
| 2238 | #endif |
| 2239 | |
| 2240 | #if defined(MBEDTLS_SSL_DTLS_SRTP) |
| 2241 | ssl_write_use_srtp_ext(ssl, p + 2 + ext_len, &olen); |
| 2242 | ext_len += olen; |
| 2243 | #endif |
| 2244 | |
| 2245 | MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, total extension length: %" MBEDTLS_PRINTF_SIZET, |
| 2246 | ext_len)); |
| 2247 | |
| 2248 | if (ext_len > 0) { |
| 2249 | MBEDTLS_PUT_UINT16_BE(ext_len, p, 0); |
| 2250 | p += 2 + ext_len; |
| 2251 | } |
| 2252 | |
| 2253 | ssl->out_msglen = (size_t) (p - buf); |
| 2254 | ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; |
| 2255 | ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_HELLO; |
| 2256 | |
| 2257 | ret = mbedtls_ssl_write_handshake_msg(ssl); |
| 2258 | |
| 2259 | MBEDTLS_SSL_DEBUG_MSG(2, ("<= write server hello")); |
| 2260 | |
| 2261 | return ret; |
| 2262 | } |
| 2263 | |
| 2264 | #if !defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED) |
| 2265 | MBEDTLS_CHECK_RETURN_CRITICAL |
| 2266 | static int ssl_write_certificate_request(mbedtls_ssl_context *ssl) |
| 2267 | { |
| 2268 | const mbedtls_ssl_ciphersuite_t *ciphersuite_info = |
| 2269 | ssl->handshake->ciphersuite_info; |
| 2270 | |
| 2271 | MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate request")); |
| 2272 | |
| 2273 | if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) { |
| 2274 | MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate request")); |
| 2275 | mbedtls_ssl_handshake_increment_state(ssl); |
| 2276 | return 0; |
| 2277 | } |
| 2278 | |
| 2279 | MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); |
| 2280 | return MBEDTLS_ERR_SSL_INTERNAL_ERROR; |
| 2281 | } |
| 2282 | #else /* !MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */ |
| 2283 | MBEDTLS_CHECK_RETURN_CRITICAL |
| 2284 | static int ssl_write_certificate_request(mbedtls_ssl_context *ssl) |
| 2285 | { |
| 2286 | int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; |
| 2287 | const mbedtls_ssl_ciphersuite_t *ciphersuite_info = |
| 2288 | ssl->handshake->ciphersuite_info; |
| 2289 | uint16_t dn_size, total_dn_size; /* excluding length bytes */ |
| 2290 | size_t ct_len, sa_len; /* including length bytes */ |
| 2291 | unsigned char *buf, *p; |
| 2292 | const unsigned char * const end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN; |
| 2293 | const mbedtls_x509_crt *crt; |
| 2294 | int authmode; |
| 2295 | |
| 2296 | MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate request")); |
| 2297 | |
| 2298 | mbedtls_ssl_handshake_increment_state(ssl); |
| 2299 | |
| 2300 | #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) |
| 2301 | if (ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET) { |
| 2302 | authmode = ssl->handshake->sni_authmode; |
| 2303 | } else |
| 2304 | #endif |
| 2305 | authmode = ssl->conf->authmode; |
| 2306 | |
| 2307 | if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info) || |
| 2308 | authmode == MBEDTLS_SSL_VERIFY_NONE) { |
| 2309 | MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate request")); |
| 2310 | return 0; |
| 2311 | } |
| 2312 | |
| 2313 | /* |
| 2314 | * 0 . 0 handshake type |
| 2315 | * 1 . 3 handshake length |
| 2316 | * 4 . 4 cert type count |
| 2317 | * 5 .. m-1 cert types |
| 2318 | * m .. m+1 sig alg length (TLS 1.2 only) |
| 2319 | * m+1 .. n-1 SignatureAndHashAlgorithms (TLS 1.2 only) |
| 2320 | * n .. n+1 length of all DNs |
| 2321 | * n+2 .. n+3 length of DN 1 |
| 2322 | * n+4 .. ... Distinguished Name #1 |
| 2323 | * ... .. ... length of DN 2, etc. |
| 2324 | */ |
| 2325 | buf = ssl->out_msg; |
| 2326 | p = buf + 4; |
| 2327 | |
| 2328 | /* |
| 2329 | * Supported certificate types |
| 2330 | * |
| 2331 | * ClientCertificateType certificate_types<1..2^8-1>; |
| 2332 | * enum { (255) } ClientCertificateType; |
| 2333 | */ |
| 2334 | ct_len = 0; |
| 2335 | |
| 2336 | #if defined(MBEDTLS_RSA_C) |
| 2337 | p[1 + ct_len++] = MBEDTLS_SSL_CERT_TYPE_RSA_SIGN; |
| 2338 | #endif |
| 2339 | #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED) |
| 2340 | p[1 + ct_len++] = MBEDTLS_SSL_CERT_TYPE_ECDSA_SIGN; |
| 2341 | #endif |
| 2342 | |
| 2343 | p[0] = (unsigned char) ct_len++; |
| 2344 | p += ct_len; |
| 2345 | |
| 2346 | sa_len = 0; |
| 2347 | |
| 2348 | /* |
| 2349 | * Add signature_algorithms for verify (TLS 1.2) |
| 2350 | * |
| 2351 | * SignatureAndHashAlgorithm supported_signature_algorithms<2..2^16-2>; |
| 2352 | * |
| 2353 | * struct { |
| 2354 | * HashAlgorithm hash; |
| 2355 | * SignatureAlgorithm signature; |
| 2356 | * } SignatureAndHashAlgorithm; |
| 2357 | * |
| 2358 | * enum { (255) } HashAlgorithm; |
| 2359 | * enum { (255) } SignatureAlgorithm; |
| 2360 | */ |
| 2361 | const uint16_t *sig_alg = mbedtls_ssl_get_sig_algs(ssl); |
| 2362 | if (sig_alg == NULL) { |
| 2363 | return MBEDTLS_ERR_SSL_BAD_CONFIG; |
| 2364 | } |
| 2365 | |
| 2366 | for (; *sig_alg != MBEDTLS_TLS_SIG_NONE; sig_alg++) { |
| 2367 | unsigned char hash = MBEDTLS_BYTE_1(*sig_alg); |
| 2368 | |
| 2369 | if (mbedtls_ssl_set_calc_verify_md(ssl, hash)) { |
| 2370 | continue; |
| 2371 | } |
| 2372 | if (!mbedtls_ssl_sig_alg_is_supported(ssl, *sig_alg)) { |
| 2373 | continue; |
| 2374 | } |
| 2375 | |
| 2376 | /* Write elements at offsets starting from 1 (offset 0 is for the |
| 2377 | * length). Thus the offset of each element is the length of the |
| 2378 | * partial list including that element. */ |
| 2379 | sa_len += 2; |
| 2380 | MBEDTLS_PUT_UINT16_BE(*sig_alg, p, sa_len); |
| 2381 | |
| 2382 | } |
| 2383 | |
| 2384 | /* Fill in list length. */ |
| 2385 | MBEDTLS_PUT_UINT16_BE(sa_len, p, 0); |
| 2386 | sa_len += 2; |
| 2387 | p += sa_len; |
| 2388 | |
| 2389 | /* |
| 2390 | * DistinguishedName certificate_authorities<0..2^16-1>; |
| 2391 | * opaque DistinguishedName<1..2^16-1>; |
| 2392 | */ |
| 2393 | p += 2; |
| 2394 | |
| 2395 | total_dn_size = 0; |
| 2396 | |
| 2397 | if (ssl->conf->cert_req_ca_list == MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED) { |
| 2398 | /* NOTE: If trusted certificates are provisioned |
| 2399 | * via a CA callback (configured through |
| 2400 | * `mbedtls_ssl_conf_ca_cb()`, then the |
| 2401 | * CertificateRequest is currently left empty. */ |
| 2402 | |
| 2403 | #if defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED) |
| 2404 | #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) |
| 2405 | if (ssl->handshake->dn_hints != NULL) { |
| 2406 | crt = ssl->handshake->dn_hints; |
| 2407 | } else |
| 2408 | #endif |
| 2409 | if (ssl->conf->dn_hints != NULL) { |
| 2410 | crt = ssl->conf->dn_hints; |
| 2411 | } else |
| 2412 | #endif |
| 2413 | #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) |
| 2414 | if (ssl->handshake->sni_ca_chain != NULL) { |
| 2415 | crt = ssl->handshake->sni_ca_chain; |
| 2416 | } else |
| 2417 | #endif |
| 2418 | crt = ssl->conf->ca_chain; |
| 2419 | |
| 2420 | while (crt != NULL && crt->version != 0) { |
| 2421 | /* It follows from RFC 5280 A.1 that this length |
| 2422 | * can be represented in at most 11 bits. */ |
| 2423 | dn_size = (uint16_t) crt->subject_raw.len; |
| 2424 | |
| 2425 | if (end < p || (size_t) (end - p) < 2 + (size_t) dn_size) { |
| 2426 | MBEDTLS_SSL_DEBUG_MSG(1, ("skipping CAs: buffer too short")); |
| 2427 | break; |
| 2428 | } |
| 2429 | |
| 2430 | MBEDTLS_PUT_UINT16_BE(dn_size, p, 0); |
| 2431 | p += 2; |
| 2432 | memcpy(p, crt->subject_raw.p, dn_size); |
| 2433 | p += dn_size; |
| 2434 | |
| 2435 | MBEDTLS_SSL_DEBUG_BUF(3, "requested DN", p - dn_size, dn_size); |
| 2436 | |
| 2437 | total_dn_size += (unsigned short) (2 + dn_size); |
| 2438 | crt = crt->next; |
| 2439 | } |
| 2440 | } |
| 2441 | |
| 2442 | ssl->out_msglen = (size_t) (p - buf); |
| 2443 | ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; |
| 2444 | ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE_REQUEST; |
| 2445 | MBEDTLS_PUT_UINT16_BE(total_dn_size, ssl->out_msg, 4 + ct_len + sa_len); |
| 2446 | |
| 2447 | ret = mbedtls_ssl_write_handshake_msg(ssl); |
| 2448 | |
| 2449 | MBEDTLS_SSL_DEBUG_MSG(2, ("<= write certificate request")); |
| 2450 | |
| 2451 | return ret; |
| 2452 | } |
| 2453 | #endif /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */ |
| 2454 | |
| 2455 | #if (defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ |
| 2456 | defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)) |
| 2457 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
| 2458 | MBEDTLS_CHECK_RETURN_CRITICAL |
| 2459 | static int ssl_get_ecdh_params_from_cert(mbedtls_ssl_context *ssl) |
| 2460 | { |
| 2461 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| 2462 | psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; |
| 2463 | mbedtls_pk_context *pk; |
| 2464 | mbedtls_pk_type_t pk_type; |
| 2465 | psa_key_attributes_t key_attributes = PSA_KEY_ATTRIBUTES_INIT; |
| 2466 | unsigned char buf[PSA_KEY_EXPORT_ECC_KEY_PAIR_MAX_SIZE(PSA_VENDOR_ECC_MAX_CURVE_BITS)]; |
| 2467 | size_t key_len; |
| 2468 | #if !defined(MBEDTLS_PK_USE_PSA_EC_DATA) |
| 2469 | uint16_t tls_id = 0; |
| 2470 | psa_key_type_t key_type = PSA_KEY_TYPE_NONE; |
| 2471 | mbedtls_ecp_group_id grp_id; |
| 2472 | mbedtls_ecp_keypair *key; |
| 2473 | #endif /* !MBEDTLS_PK_USE_PSA_EC_DATA */ |
| 2474 | |
| 2475 | pk = mbedtls_ssl_own_key(ssl); |
| 2476 | |
| 2477 | if (pk == NULL) { |
| 2478 | return MBEDTLS_ERR_ECP_BAD_INPUT_DATA; |
| 2479 | } |
| 2480 | |
| 2481 | pk_type = mbedtls_pk_get_type(pk); |
| 2482 | |
| 2483 | switch (pk_type) { |
| 2484 | case MBEDTLS_PK_OPAQUE: |
| 2485 | #if defined(MBEDTLS_PK_USE_PSA_EC_DATA) |
| 2486 | case MBEDTLS_PK_ECKEY: |
| 2487 | case MBEDTLS_PK_ECKEY_DH: |
| 2488 | case MBEDTLS_PK_ECDSA: |
| 2489 | #endif /* MBEDTLS_PK_USE_PSA_EC_DATA */ |
| 2490 | if (!mbedtls_pk_can_do(pk, MBEDTLS_PK_ECKEY)) { |
| 2491 | return MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH; |
| 2492 | } |
| 2493 | |
| 2494 | /* Get the attributes of the key previously parsed by PK module in |
| 2495 | * order to extract its type and length (in bits). */ |
| 2496 | status = psa_get_key_attributes(pk->priv_id, &key_attributes); |
| 2497 | if (status != PSA_SUCCESS) { |
| 2498 | ret = PSA_TO_MBEDTLS_ERR(status); |
| 2499 | goto exit; |
| 2500 | } |
| 2501 | ssl->handshake->xxdh_psa_type = psa_get_key_type(&key_attributes); |
| 2502 | ssl->handshake->xxdh_psa_bits = psa_get_key_bits(&key_attributes); |
| 2503 | |
| 2504 | #if defined(MBEDTLS_PK_USE_PSA_EC_DATA) |
| 2505 | if (pk_type != MBEDTLS_PK_OPAQUE) { |
| 2506 | /* PK_ECKEY[_DH] and PK_ECDSA instead as parsed from the PK |
| 2507 | * module and only have ECDSA capabilities. Since we need |
| 2508 | * them for ECDH later, we export and then re-import them with |
| 2509 | * proper flags and algorithm. Of course We also set key's type |
| 2510 | * and bits that we just got above. */ |
| 2511 | key_attributes = psa_key_attributes_init(); |
| 2512 | psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE); |
| 2513 | psa_set_key_algorithm(&key_attributes, PSA_ALG_ECDH); |
| 2514 | psa_set_key_type(&key_attributes, |
| 2515 | PSA_KEY_TYPE_ECC_KEY_PAIR(ssl->handshake->xxdh_psa_type)); |
| 2516 | psa_set_key_bits(&key_attributes, ssl->handshake->xxdh_psa_bits); |
| 2517 | |
| 2518 | status = psa_export_key(pk->priv_id, buf, sizeof(buf), &key_len); |
| 2519 | if (status != PSA_SUCCESS) { |
| 2520 | ret = PSA_TO_MBEDTLS_ERR(status); |
| 2521 | goto exit; |
| 2522 | } |
| 2523 | status = psa_import_key(&key_attributes, buf, key_len, |
| 2524 | &ssl->handshake->xxdh_psa_privkey); |
| 2525 | if (status != PSA_SUCCESS) { |
| 2526 | ret = PSA_TO_MBEDTLS_ERR(status); |
| 2527 | goto exit; |
| 2528 | } |
| 2529 | |
| 2530 | /* Set this key as owned by the TLS library: it will be its duty |
| 2531 | * to clear it exit. */ |
| 2532 | ssl->handshake->xxdh_psa_privkey_is_external = 0; |
| 2533 | |
| 2534 | ret = 0; |
| 2535 | break; |
| 2536 | } |
| 2537 | #endif /* MBEDTLS_PK_USE_PSA_EC_DATA */ |
| 2538 | |
| 2539 | /* Opaque key is created by the user (externally from Mbed TLS) |
| 2540 | * so we assume it already has the right algorithm and flags |
| 2541 | * set. Just copy its ID as reference. */ |
| 2542 | ssl->handshake->xxdh_psa_privkey = pk->priv_id; |
| 2543 | ssl->handshake->xxdh_psa_privkey_is_external = 1; |
| 2544 | ret = 0; |
| 2545 | break; |
| 2546 | |
| 2547 | #if !defined(MBEDTLS_PK_USE_PSA_EC_DATA) |
| 2548 | case MBEDTLS_PK_ECKEY: |
| 2549 | case MBEDTLS_PK_ECKEY_DH: |
| 2550 | case MBEDTLS_PK_ECDSA: |
| 2551 | key = mbedtls_pk_ec_rw(*pk); |
| 2552 | grp_id = mbedtls_pk_get_ec_group_id(pk); |
| 2553 | if (grp_id == MBEDTLS_ECP_DP_NONE) { |
| 2554 | return MBEDTLS_ERR_ECP_BAD_INPUT_DATA; |
| 2555 | } |
| 2556 | tls_id = mbedtls_ssl_get_tls_id_from_ecp_group_id(grp_id); |
| 2557 | if (tls_id == 0) { |
| 2558 | /* This elliptic curve is not supported */ |
| 2559 | return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; |
| 2560 | } |
| 2561 | |
| 2562 | /* If the above conversion to TLS ID was fine, then also this one will |
| 2563 | be, so there is no need to check the return value here */ |
| 2564 | mbedtls_ssl_get_psa_curve_info_from_tls_id(tls_id, &key_type, |
| 2565 | &ssl->handshake->xxdh_psa_bits); |
| 2566 | |
| 2567 | ssl->handshake->xxdh_psa_type = key_type; |
| 2568 | |
| 2569 | key_attributes = psa_key_attributes_init(); |
| 2570 | psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE); |
| 2571 | psa_set_key_algorithm(&key_attributes, PSA_ALG_ECDH); |
| 2572 | psa_set_key_type(&key_attributes, |
| 2573 | PSA_KEY_TYPE_ECC_KEY_PAIR(ssl->handshake->xxdh_psa_type)); |
| 2574 | psa_set_key_bits(&key_attributes, ssl->handshake->xxdh_psa_bits); |
| 2575 | |
| 2576 | ret = mbedtls_ecp_write_key_ext(key, &key_len, buf, sizeof(buf)); |
| 2577 | if (ret != 0) { |
| 2578 | mbedtls_platform_zeroize(buf, sizeof(buf)); |
| 2579 | break; |
| 2580 | } |
| 2581 | |
| 2582 | status = psa_import_key(&key_attributes, buf, key_len, |
| 2583 | &ssl->handshake->xxdh_psa_privkey); |
| 2584 | if (status != PSA_SUCCESS) { |
| 2585 | ret = PSA_TO_MBEDTLS_ERR(status); |
| 2586 | mbedtls_platform_zeroize(buf, sizeof(buf)); |
| 2587 | break; |
| 2588 | } |
| 2589 | |
| 2590 | mbedtls_platform_zeroize(buf, sizeof(buf)); |
| 2591 | ret = 0; |
| 2592 | break; |
| 2593 | #endif /* !MBEDTLS_PK_USE_PSA_EC_DATA */ |
| 2594 | default: |
| 2595 | ret = MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH; |
| 2596 | } |
| 2597 | |
| 2598 | exit: |
| 2599 | psa_reset_key_attributes(&key_attributes); |
| 2600 | mbedtls_platform_zeroize(buf, sizeof(buf)); |
| 2601 | |
| 2602 | return ret; |
| 2603 | } |
| 2604 | #else /* MBEDTLS_USE_PSA_CRYPTO */ |
| 2605 | MBEDTLS_CHECK_RETURN_CRITICAL |
| 2606 | static int ssl_get_ecdh_params_from_cert(mbedtls_ssl_context *ssl) |
| 2607 | { |
| 2608 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| 2609 | |
| 2610 | const mbedtls_pk_context *private_key = mbedtls_ssl_own_key(ssl); |
| 2611 | if (private_key == NULL) { |
| 2612 | MBEDTLS_SSL_DEBUG_MSG(1, ("got no server private key")); |
| 2613 | return MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED; |
| 2614 | } |
| 2615 | |
| 2616 | if (!mbedtls_pk_can_do(private_key, MBEDTLS_PK_ECKEY)) { |
| 2617 | MBEDTLS_SSL_DEBUG_MSG(1, ("server key not ECDH capable")); |
| 2618 | return MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH; |
| 2619 | } |
| 2620 | |
| 2621 | if ((ret = mbedtls_ecdh_get_params(&ssl->handshake->ecdh_ctx, |
| 2622 | mbedtls_pk_ec_ro(*mbedtls_ssl_own_key(ssl)), |
| 2623 | MBEDTLS_ECDH_OURS)) != 0) { |
| 2624 | MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ecdh_get_params"), ret); |
| 2625 | return ret; |
| 2626 | } |
| 2627 | |
| 2628 | return 0; |
| 2629 | } |
| 2630 | #endif /* MBEDTLS_USE_PSA_CRYPTO */ |
| 2631 | #endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || |
| 2632 | MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ |
| 2633 | |
| 2634 | #if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) && \ |
| 2635 | defined(MBEDTLS_SSL_ASYNC_PRIVATE) |
| 2636 | MBEDTLS_CHECK_RETURN_CRITICAL |
| 2637 | static int ssl_resume_server_key_exchange(mbedtls_ssl_context *ssl, |
| 2638 | size_t *signature_len) |
| 2639 | { |
| 2640 | /* Append the signature to ssl->out_msg, leaving 2 bytes for the |
| 2641 | * signature length which will be added in ssl_write_server_key_exchange |
| 2642 | * after the call to ssl_prepare_server_key_exchange. |
| 2643 | * ssl_write_server_key_exchange also takes care of incrementing |
| 2644 | * ssl->out_msglen. */ |
| 2645 | unsigned char *sig_start = ssl->out_msg + ssl->out_msglen + 2; |
| 2646 | size_t sig_max_len = (ssl->out_buf + MBEDTLS_SSL_OUT_CONTENT_LEN |
| 2647 | - sig_start); |
| 2648 | int ret = ssl->conf->f_async_resume(ssl, |
| 2649 | sig_start, signature_len, sig_max_len); |
| 2650 | if (ret != MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS) { |
| 2651 | ssl->handshake->async_in_progress = 0; |
| 2652 | mbedtls_ssl_set_async_operation_data(ssl, NULL); |
| 2653 | } |
| 2654 | MBEDTLS_SSL_DEBUG_RET(2, "ssl_resume_server_key_exchange", ret); |
| 2655 | return ret; |
| 2656 | } |
| 2657 | #endif /* defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) && |
| 2658 | defined(MBEDTLS_SSL_ASYNC_PRIVATE) */ |
| 2659 | |
| 2660 | /* Prepare the ServerKeyExchange message, up to and including |
| 2661 | * calculating the signature if any, but excluding formatting the |
| 2662 | * signature and sending the message. */ |
| 2663 | MBEDTLS_CHECK_RETURN_CRITICAL |
| 2664 | static int ssl_prepare_server_key_exchange(mbedtls_ssl_context *ssl, |
| 2665 | size_t *signature_len) |
| 2666 | { |
| 2667 | const mbedtls_ssl_ciphersuite_t *ciphersuite_info = |
| 2668 | ssl->handshake->ciphersuite_info; |
| 2669 | |
| 2670 | #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PFS_ENABLED) |
| 2671 | #if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) |
| 2672 | unsigned char *dig_signed = NULL; |
| 2673 | #endif /* MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED */ |
| 2674 | #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PFS_ENABLED */ |
| 2675 | |
| 2676 | (void) ciphersuite_info; /* unused in some configurations */ |
| 2677 | #if !defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) |
| 2678 | (void) signature_len; |
| 2679 | #endif /* MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED */ |
| 2680 | |
| 2681 | #if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) |
| 2682 | #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH) |
| 2683 | size_t out_buf_len = ssl->out_buf_len - (size_t) (ssl->out_msg - ssl->out_buf); |
| 2684 | #else |
| 2685 | size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN - (size_t) (ssl->out_msg - ssl->out_buf); |
| 2686 | #endif |
| 2687 | #endif |
| 2688 | |
| 2689 | ssl->out_msglen = 4; /* header (type:1, length:3) to be written later */ |
| 2690 | |
| 2691 | /* |
| 2692 | * |
| 2693 | * Part 1: Provide key exchange parameters for chosen ciphersuite. |
| 2694 | * |
| 2695 | */ |
| 2696 | |
| 2697 | /* |
| 2698 | * - ECJPAKE key exchanges |
| 2699 | */ |
| 2700 | #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) |
| 2701 | if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE) { |
| 2702 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| 2703 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
| 2704 | unsigned char *out_p = ssl->out_msg + ssl->out_msglen; |
| 2705 | unsigned char *end_p = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN - |
| 2706 | ssl->out_msglen; |
| 2707 | size_t output_offset = 0; |
| 2708 | size_t output_len = 0; |
| 2709 | |
| 2710 | /* |
| 2711 | * The first 3 bytes are: |
| 2712 | * [0] MBEDTLS_ECP_TLS_NAMED_CURVE |
| 2713 | * [1, 2] elliptic curve's TLS ID |
| 2714 | * |
| 2715 | * However since we only support secp256r1 for now, we hardcode its |
| 2716 | * TLS ID here |
| 2717 | */ |
| 2718 | uint16_t tls_id = mbedtls_ssl_get_tls_id_from_ecp_group_id( |
| 2719 | MBEDTLS_ECP_DP_SECP256R1); |
| 2720 | if (tls_id == 0) { |
| 2721 | return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; |
| 2722 | } |
| 2723 | *out_p = MBEDTLS_ECP_TLS_NAMED_CURVE; |
| 2724 | MBEDTLS_PUT_UINT16_BE(tls_id, out_p, 1); |
| 2725 | output_offset += 3; |
| 2726 | |
| 2727 | ret = mbedtls_psa_ecjpake_write_round(&ssl->handshake->psa_pake_ctx, |
| 2728 | out_p + output_offset, |
| 2729 | end_p - out_p - output_offset, &output_len, |
| 2730 | MBEDTLS_ECJPAKE_ROUND_TWO); |
| 2731 | if (ret != 0) { |
| 2732 | psa_destroy_key(ssl->handshake->psa_pake_password); |
| 2733 | psa_pake_abort(&ssl->handshake->psa_pake_ctx); |
| 2734 | MBEDTLS_SSL_DEBUG_RET(1, "psa_pake_output", ret); |
| 2735 | return ret; |
| 2736 | } |
| 2737 | |
| 2738 | output_offset += output_len; |
| 2739 | ssl->out_msglen += output_offset; |
| 2740 | #else |
| 2741 | size_t len = 0; |
| 2742 | |
| 2743 | ret = mbedtls_ecjpake_write_round_two( |
| 2744 | &ssl->handshake->ecjpake_ctx, |
| 2745 | ssl->out_msg + ssl->out_msglen, |
| 2746 | MBEDTLS_SSL_OUT_CONTENT_LEN - ssl->out_msglen, &len, |
| 2747 | ssl->conf->f_rng, ssl->conf->p_rng); |
| 2748 | if (ret != 0) { |
| 2749 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_write_round_two", ret); |
| 2750 | return ret; |
| 2751 | } |
| 2752 | |
| 2753 | ssl->out_msglen += len; |
| 2754 | #endif /* MBEDTLS_USE_PSA_CRYPTO */ |
| 2755 | } |
| 2756 | #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ |
| 2757 | |
| 2758 | /* |
| 2759 | * For (EC)DHE key exchanges with PSK, parameters are prefixed by support |
| 2760 | * identity hint (RFC 4279, Sec. 3). Until someone needs this feature, |
| 2761 | * we use empty support identity hints here. |
| 2762 | **/ |
| 2763 | #if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) || \ |
| 2764 | defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) |
| 2765 | if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || |
| 2766 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK) { |
| 2767 | ssl->out_msg[ssl->out_msglen++] = 0x00; |
| 2768 | ssl->out_msg[ssl->out_msglen++] = 0x00; |
| 2769 | } |
| 2770 | #endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED || |
| 2771 | MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */ |
| 2772 | |
| 2773 | /* |
| 2774 | * - DHE key exchanges |
| 2775 | */ |
| 2776 | #if defined(MBEDTLS_KEY_EXCHANGE_SOME_DHE_ENABLED) |
| 2777 | if (mbedtls_ssl_ciphersuite_uses_dhe(ciphersuite_info)) { |
| 2778 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| 2779 | size_t len = 0; |
| 2780 | |
| 2781 | if (ssl->conf->dhm_P.p == NULL || ssl->conf->dhm_G.p == NULL) { |
| 2782 | MBEDTLS_SSL_DEBUG_MSG(1, ("no DH parameters set")); |
| 2783 | return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; |
| 2784 | } |
| 2785 | |
| 2786 | /* |
| 2787 | * Ephemeral DH parameters: |
| 2788 | * |
| 2789 | * struct { |
| 2790 | * opaque dh_p<1..2^16-1>; |
| 2791 | * opaque dh_g<1..2^16-1>; |
| 2792 | * opaque dh_Ys<1..2^16-1>; |
| 2793 | * } ServerDHParams; |
| 2794 | */ |
| 2795 | if ((ret = mbedtls_dhm_set_group(&ssl->handshake->dhm_ctx, |
| 2796 | &ssl->conf->dhm_P, |
| 2797 | &ssl->conf->dhm_G)) != 0) { |
| 2798 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_set_group", ret); |
| 2799 | return ret; |
| 2800 | } |
| 2801 | |
| 2802 | if ((ret = mbedtls_dhm_make_params( |
| 2803 | &ssl->handshake->dhm_ctx, |
| 2804 | (int) mbedtls_dhm_get_len(&ssl->handshake->dhm_ctx), |
| 2805 | ssl->out_msg + ssl->out_msglen, &len, |
| 2806 | ssl->conf->f_rng, ssl->conf->p_rng)) != 0) { |
| 2807 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_make_params", ret); |
| 2808 | return ret; |
| 2809 | } |
| 2810 | |
| 2811 | #if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) |
| 2812 | dig_signed = ssl->out_msg + ssl->out_msglen; |
| 2813 | #endif |
| 2814 | |
| 2815 | ssl->out_msglen += len; |
| 2816 | |
| 2817 | MBEDTLS_SSL_DEBUG_MPI(3, "DHM: X ", &ssl->handshake->dhm_ctx.X); |
| 2818 | MBEDTLS_SSL_DEBUG_MPI(3, "DHM: P ", &ssl->handshake->dhm_ctx.P); |
| 2819 | MBEDTLS_SSL_DEBUG_MPI(3, "DHM: G ", &ssl->handshake->dhm_ctx.G); |
| 2820 | MBEDTLS_SSL_DEBUG_MPI(3, "DHM: GX", &ssl->handshake->dhm_ctx.GX); |
| 2821 | } |
| 2822 | #endif /* MBEDTLS_KEY_EXCHANGE_SOME_DHE_ENABLED */ |
| 2823 | |
| 2824 | /* |
| 2825 | * - ECDHE key exchanges |
| 2826 | */ |
| 2827 | #if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDHE_ENABLED) |
| 2828 | if (mbedtls_ssl_ciphersuite_uses_ecdhe(ciphersuite_info)) { |
| 2829 | /* |
| 2830 | * Ephemeral ECDH parameters: |
| 2831 | * |
| 2832 | * struct { |
| 2833 | * ECParameters curve_params; |
| 2834 | * ECPoint public; |
| 2835 | * } ServerECDHParams; |
| 2836 | */ |
| 2837 | uint16_t *curr_tls_id = ssl->handshake->curves_tls_id; |
| 2838 | const uint16_t *group_list = mbedtls_ssl_get_groups(ssl); |
| 2839 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| 2840 | size_t len = 0; |
| 2841 | |
| 2842 | /* Match our preference list against the offered curves */ |
| 2843 | if ((group_list == NULL) || (curr_tls_id == NULL)) { |
| 2844 | return MBEDTLS_ERR_SSL_BAD_CONFIG; |
| 2845 | } |
| 2846 | for (; *group_list != 0; group_list++) { |
| 2847 | for (curr_tls_id = ssl->handshake->curves_tls_id; |
| 2848 | *curr_tls_id != 0; curr_tls_id++) { |
| 2849 | if (*curr_tls_id == *group_list) { |
| 2850 | goto curve_matching_done; |
| 2851 | } |
| 2852 | } |
| 2853 | } |
| 2854 | |
| 2855 | curve_matching_done: |
| 2856 | if (*curr_tls_id == 0) { |
| 2857 | MBEDTLS_SSL_DEBUG_MSG(1, ("no matching curve for ECDHE")); |
| 2858 | return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; |
| 2859 | } |
| 2860 | |
| 2861 | MBEDTLS_SSL_DEBUG_MSG(2, ("ECDHE curve: %s", |
| 2862 | mbedtls_ssl_get_curve_name_from_tls_id(*curr_tls_id))); |
| 2863 | |
| 2864 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
| 2865 | psa_status_t status = PSA_ERROR_GENERIC_ERROR; |
| 2866 | psa_key_attributes_t key_attributes; |
| 2867 | mbedtls_ssl_handshake_params *handshake = ssl->handshake; |
| 2868 | uint8_t *p = ssl->out_msg + ssl->out_msglen; |
| 2869 | const size_t header_size = 4; // curve_type(1), namedcurve(2), |
| 2870 | // data length(1) |
| 2871 | const size_t data_length_size = 1; |
| 2872 | psa_key_type_t key_type = PSA_KEY_TYPE_NONE; |
| 2873 | size_t ec_bits = 0; |
| 2874 | |
| 2875 | MBEDTLS_SSL_DEBUG_MSG(3, ("Perform PSA-based ECDH computation.")); |
| 2876 | |
| 2877 | /* Convert EC's TLS ID to PSA key type. */ |
| 2878 | if (mbedtls_ssl_get_psa_curve_info_from_tls_id(*curr_tls_id, |
| 2879 | &key_type, |
| 2880 | &ec_bits) == PSA_ERROR_NOT_SUPPORTED) { |
| 2881 | MBEDTLS_SSL_DEBUG_MSG(1, ("Invalid ecc group parse.")); |
| 2882 | return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; |
| 2883 | } |
| 2884 | handshake->xxdh_psa_type = key_type; |
| 2885 | handshake->xxdh_psa_bits = ec_bits; |
| 2886 | |
| 2887 | key_attributes = psa_key_attributes_init(); |
| 2888 | psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE); |
| 2889 | psa_set_key_algorithm(&key_attributes, PSA_ALG_ECDH); |
| 2890 | psa_set_key_type(&key_attributes, handshake->xxdh_psa_type); |
| 2891 | psa_set_key_bits(&key_attributes, handshake->xxdh_psa_bits); |
| 2892 | |
| 2893 | /* |
| 2894 | * ECParameters curve_params |
| 2895 | * |
| 2896 | * First byte is curve_type, always named_curve |
| 2897 | */ |
| 2898 | *p++ = MBEDTLS_ECP_TLS_NAMED_CURVE; |
| 2899 | |
| 2900 | /* |
| 2901 | * Next two bytes are the namedcurve value |
| 2902 | */ |
| 2903 | MBEDTLS_PUT_UINT16_BE(*curr_tls_id, p, 0); |
| 2904 | p += 2; |
| 2905 | |
| 2906 | /* Generate ECDH private key. */ |
| 2907 | status = psa_generate_key(&key_attributes, |
| 2908 | &handshake->xxdh_psa_privkey); |
| 2909 | if (status != PSA_SUCCESS) { |
| 2910 | ret = PSA_TO_MBEDTLS_ERR(status); |
| 2911 | MBEDTLS_SSL_DEBUG_RET(1, "psa_generate_key", ret); |
| 2912 | return ret; |
| 2913 | } |
| 2914 | |
| 2915 | /* |
| 2916 | * ECPoint public |
| 2917 | * |
| 2918 | * First byte is data length. |
| 2919 | * It will be filled later. p holds now the data length location. |
| 2920 | */ |
| 2921 | |
| 2922 | /* Export the public part of the ECDH private key from PSA. |
| 2923 | * Make one byte space for the length. |
| 2924 | */ |
| 2925 | unsigned char *own_pubkey = p + data_length_size; |
| 2926 | |
| 2927 | size_t own_pubkey_max_len = (size_t) (MBEDTLS_SSL_OUT_CONTENT_LEN |
| 2928 | - (own_pubkey - ssl->out_msg)); |
| 2929 | |
| 2930 | status = psa_export_public_key(handshake->xxdh_psa_privkey, |
| 2931 | own_pubkey, own_pubkey_max_len, |
| 2932 | &len); |
| 2933 | if (status != PSA_SUCCESS) { |
| 2934 | ret = PSA_TO_MBEDTLS_ERR(status); |
| 2935 | MBEDTLS_SSL_DEBUG_RET(1, "psa_export_public_key", ret); |
| 2936 | (void) psa_destroy_key(handshake->xxdh_psa_privkey); |
| 2937 | handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT; |
| 2938 | return ret; |
| 2939 | } |
| 2940 | |
| 2941 | /* Store the length of the exported public key. */ |
| 2942 | *p = (uint8_t) len; |
| 2943 | |
| 2944 | /* Determine full message length. */ |
| 2945 | len += header_size; |
| 2946 | #else |
| 2947 | mbedtls_ecp_group_id curr_grp_id = |
| 2948 | mbedtls_ssl_get_ecp_group_id_from_tls_id(*curr_tls_id); |
| 2949 | |
| 2950 | if ((ret = mbedtls_ecdh_setup(&ssl->handshake->ecdh_ctx, |
| 2951 | curr_grp_id)) != 0) { |
| 2952 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecp_group_load", ret); |
| 2953 | return ret; |
| 2954 | } |
| 2955 | |
| 2956 | if ((ret = mbedtls_ecdh_make_params( |
| 2957 | &ssl->handshake->ecdh_ctx, &len, |
| 2958 | ssl->out_msg + ssl->out_msglen, |
| 2959 | MBEDTLS_SSL_OUT_CONTENT_LEN - ssl->out_msglen, |
| 2960 | ssl->conf->f_rng, ssl->conf->p_rng)) != 0) { |
| 2961 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_make_params", ret); |
| 2962 | return ret; |
| 2963 | } |
| 2964 | |
| 2965 | MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx, |
| 2966 | MBEDTLS_DEBUG_ECDH_Q); |
| 2967 | #endif /* MBEDTLS_USE_PSA_CRYPTO */ |
| 2968 | |
| 2969 | #if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) |
| 2970 | dig_signed = ssl->out_msg + ssl->out_msglen; |
| 2971 | #endif |
| 2972 | |
| 2973 | ssl->out_msglen += len; |
| 2974 | } |
| 2975 | #endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDHE_ENABLED */ |
| 2976 | |
| 2977 | /* |
| 2978 | * |
| 2979 | * Part 2: For key exchanges involving the server signing the |
| 2980 | * exchange parameters, compute and add the signature here. |
| 2981 | * |
| 2982 | */ |
| 2983 | #if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) |
| 2984 | if (mbedtls_ssl_ciphersuite_uses_server_signature(ciphersuite_info)) { |
| 2985 | if (dig_signed == NULL) { |
| 2986 | MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); |
| 2987 | return MBEDTLS_ERR_SSL_INTERNAL_ERROR; |
| 2988 | } |
| 2989 | |
| 2990 | size_t dig_signed_len = (size_t) (ssl->out_msg + ssl->out_msglen - dig_signed); |
| 2991 | size_t hashlen = 0; |
| 2992 | unsigned char hash[MBEDTLS_MD_MAX_SIZE]; |
| 2993 | |
| 2994 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| 2995 | |
| 2996 | /* |
| 2997 | * 2.1: Choose hash algorithm: |
| 2998 | * For TLS 1.2, obey signature-hash-algorithm extension |
| 2999 | * to choose appropriate hash. |
| 3000 | */ |
| 3001 | |
| 3002 | mbedtls_pk_type_t sig_alg = |
| 3003 | mbedtls_ssl_get_ciphersuite_sig_pk_alg(ciphersuite_info); |
| 3004 | |
| 3005 | unsigned char sig_hash = |
| 3006 | (unsigned char) mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg( |
| 3007 | ssl, mbedtls_ssl_sig_from_pk_alg(sig_alg)); |
| 3008 | |
| 3009 | mbedtls_md_type_t md_alg = mbedtls_ssl_md_alg_from_hash(sig_hash); |
| 3010 | |
| 3011 | /* For TLS 1.2, obey signature-hash-algorithm extension |
| 3012 | * (RFC 5246, Sec. 7.4.1.4.1). */ |
| 3013 | if (sig_alg == MBEDTLS_PK_NONE || md_alg == MBEDTLS_MD_NONE) { |
| 3014 | MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); |
| 3015 | /* (... because we choose a cipher suite |
| 3016 | * only if there is a matching hash.) */ |
| 3017 | return MBEDTLS_ERR_SSL_INTERNAL_ERROR; |
| 3018 | } |
| 3019 | |
| 3020 | MBEDTLS_SSL_DEBUG_MSG(3, ("pick hash algorithm %u for signing", (unsigned) md_alg)); |
| 3021 | |
| 3022 | /* |
| 3023 | * 2.2: Compute the hash to be signed |
| 3024 | */ |
| 3025 | if (md_alg != MBEDTLS_MD_NONE) { |
| 3026 | ret = mbedtls_ssl_get_key_exchange_md_tls1_2(ssl, hash, &hashlen, |
| 3027 | dig_signed, |
| 3028 | dig_signed_len, |
| 3029 | md_alg); |
| 3030 | if (ret != 0) { |
| 3031 | return ret; |
| 3032 | } |
| 3033 | } else { |
| 3034 | MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); |
| 3035 | return MBEDTLS_ERR_SSL_INTERNAL_ERROR; |
| 3036 | } |
| 3037 | |
| 3038 | MBEDTLS_SSL_DEBUG_BUF(3, "parameters hash", hash, hashlen); |
| 3039 | |
| 3040 | /* |
| 3041 | * 2.3: Compute and add the signature |
| 3042 | */ |
| 3043 | /* |
| 3044 | * We need to specify signature and hash algorithm explicitly through |
| 3045 | * a prefix to the signature. |
| 3046 | * |
| 3047 | * struct { |
| 3048 | * HashAlgorithm hash; |
| 3049 | * SignatureAlgorithm signature; |
| 3050 | * } SignatureAndHashAlgorithm; |
| 3051 | * |
| 3052 | * struct { |
| 3053 | * SignatureAndHashAlgorithm algorithm; |
| 3054 | * opaque signature<0..2^16-1>; |
| 3055 | * } DigitallySigned; |
| 3056 | * |
| 3057 | */ |
| 3058 | |
| 3059 | ssl->out_msg[ssl->out_msglen++] = mbedtls_ssl_hash_from_md_alg(md_alg); |
| 3060 | ssl->out_msg[ssl->out_msglen++] = mbedtls_ssl_sig_from_pk_alg(sig_alg); |
| 3061 | |
| 3062 | #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) |
| 3063 | if (ssl->conf->f_async_sign_start != NULL) { |
| 3064 | ret = ssl->conf->f_async_sign_start(ssl, |
| 3065 | mbedtls_ssl_own_cert(ssl), |
| 3066 | md_alg, hash, hashlen); |
| 3067 | switch (ret) { |
| 3068 | case MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH: |
| 3069 | /* act as if f_async_sign was null */ |
| 3070 | break; |
| 3071 | case 0: |
| 3072 | ssl->handshake->async_in_progress = 1; |
| 3073 | return ssl_resume_server_key_exchange(ssl, signature_len); |
| 3074 | case MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS: |
| 3075 | ssl->handshake->async_in_progress = 1; |
| 3076 | return MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS; |
| 3077 | default: |
| 3078 | MBEDTLS_SSL_DEBUG_RET(1, "f_async_sign_start", ret); |
| 3079 | return ret; |
| 3080 | } |
| 3081 | } |
| 3082 | #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */ |
| 3083 | |
| 3084 | if (mbedtls_ssl_own_key(ssl) == NULL) { |
| 3085 | MBEDTLS_SSL_DEBUG_MSG(1, ("got no private key")); |
| 3086 | return MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED; |
| 3087 | } |
| 3088 | |
| 3089 | /* Append the signature to ssl->out_msg, leaving 2 bytes for the |
| 3090 | * signature length which will be added in ssl_write_server_key_exchange |
| 3091 | * after the call to ssl_prepare_server_key_exchange. |
| 3092 | * ssl_write_server_key_exchange also takes care of incrementing |
| 3093 | * ssl->out_msglen. */ |
| 3094 | if ((ret = mbedtls_pk_sign(mbedtls_ssl_own_key(ssl), |
| 3095 | md_alg, hash, hashlen, |
| 3096 | ssl->out_msg + ssl->out_msglen + 2, |
| 3097 | out_buf_len - ssl->out_msglen - 2, |
| 3098 | signature_len, |
| 3099 | ssl->conf->f_rng, |
| 3100 | ssl->conf->p_rng)) != 0) { |
| 3101 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_sign", ret); |
| 3102 | return ret; |
| 3103 | } |
| 3104 | } |
| 3105 | #endif /* MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED */ |
| 3106 | |
| 3107 | return 0; |
| 3108 | } |
| 3109 | |
| 3110 | /* Prepare the ServerKeyExchange message and send it. For ciphersuites |
| 3111 | * that do not include a ServerKeyExchange message, do nothing. Either |
| 3112 | * way, if successful, move on to the next step in the SSL state |
| 3113 | * machine. */ |
| 3114 | MBEDTLS_CHECK_RETURN_CRITICAL |
| 3115 | static int ssl_write_server_key_exchange(mbedtls_ssl_context *ssl) |
| 3116 | { |
| 3117 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| 3118 | size_t signature_len = 0; |
| 3119 | #if defined(MBEDTLS_KEY_EXCHANGE_SOME_NON_PFS_ENABLED) |
| 3120 | const mbedtls_ssl_ciphersuite_t *ciphersuite_info = |
| 3121 | ssl->handshake->ciphersuite_info; |
| 3122 | #endif /* MBEDTLS_KEY_EXCHANGE_SOME_NON_PFS_ENABLED */ |
| 3123 | |
| 3124 | MBEDTLS_SSL_DEBUG_MSG(2, ("=> write server key exchange")); |
| 3125 | |
| 3126 | #if defined(MBEDTLS_KEY_EXCHANGE_SOME_NON_PFS_ENABLED) |
| 3127 | /* Extract static ECDH parameters and abort if ServerKeyExchange |
| 3128 | * is not needed. */ |
| 3129 | if (mbedtls_ssl_ciphersuite_no_pfs(ciphersuite_info)) { |
| 3130 | /* For suites involving ECDH, extract DH parameters |
| 3131 | * from certificate at this point. */ |
| 3132 | #if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_ENABLED) |
| 3133 | if (mbedtls_ssl_ciphersuite_uses_ecdh(ciphersuite_info)) { |
| 3134 | ret = ssl_get_ecdh_params_from_cert(ssl); |
| 3135 | if (ret != 0) { |
| 3136 | MBEDTLS_SSL_DEBUG_RET(1, "ssl_get_ecdh_params_from_cert", ret); |
| 3137 | return ret; |
| 3138 | } |
| 3139 | } |
| 3140 | #endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDH_ENABLED */ |
| 3141 | |
| 3142 | /* Key exchanges not involving ephemeral keys don't use |
| 3143 | * ServerKeyExchange, so end here. */ |
| 3144 | MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write server key exchange")); |
| 3145 | mbedtls_ssl_handshake_increment_state(ssl); |
| 3146 | return 0; |
| 3147 | } |
| 3148 | #endif /* MBEDTLS_KEY_EXCHANGE_SOME_NON_PFS_ENABLED */ |
| 3149 | |
| 3150 | #if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) && \ |
| 3151 | defined(MBEDTLS_SSL_ASYNC_PRIVATE) |
| 3152 | /* If we have already prepared the message and there is an ongoing |
| 3153 | * signature operation, resume signing. */ |
| 3154 | if (ssl->handshake->async_in_progress != 0) { |
| 3155 | MBEDTLS_SSL_DEBUG_MSG(2, ("resuming signature operation")); |
| 3156 | ret = ssl_resume_server_key_exchange(ssl, &signature_len); |
| 3157 | } else |
| 3158 | #endif /* defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) && |
| 3159 | defined(MBEDTLS_SSL_ASYNC_PRIVATE) */ |
| 3160 | { |
| 3161 | /* ServerKeyExchange is needed. Prepare the message. */ |
| 3162 | ret = ssl_prepare_server_key_exchange(ssl, &signature_len); |
| 3163 | } |
| 3164 | |
| 3165 | if (ret != 0) { |
| 3166 | /* If we're starting to write a new message, set ssl->out_msglen |
| 3167 | * to 0. But if we're resuming after an asynchronous message, |
| 3168 | * out_msglen is the amount of data written so far and mst be |
| 3169 | * preserved. */ |
| 3170 | if (ret == MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS) { |
| 3171 | MBEDTLS_SSL_DEBUG_MSG(2, ("<= write server key exchange (pending)")); |
| 3172 | } else { |
| 3173 | ssl->out_msglen = 0; |
| 3174 | } |
| 3175 | return ret; |
| 3176 | } |
| 3177 | |
| 3178 | /* If there is a signature, write its length. |
| 3179 | * ssl_prepare_server_key_exchange already wrote the signature |
| 3180 | * itself at its proper place in the output buffer. */ |
| 3181 | #if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) |
| 3182 | if (signature_len != 0) { |
| 3183 | ssl->out_msg[ssl->out_msglen++] = MBEDTLS_BYTE_1(signature_len); |
| 3184 | ssl->out_msg[ssl->out_msglen++] = MBEDTLS_BYTE_0(signature_len); |
| 3185 | |
| 3186 | MBEDTLS_SSL_DEBUG_BUF(3, "my signature", |
| 3187 | ssl->out_msg + ssl->out_msglen, |
| 3188 | signature_len); |
| 3189 | |
| 3190 | /* Skip over the already-written signature */ |
| 3191 | ssl->out_msglen += signature_len; |
| 3192 | } |
| 3193 | #endif /* MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED */ |
| 3194 | |
| 3195 | /* Add header and send. */ |
| 3196 | ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; |
| 3197 | ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE; |
| 3198 | |
| 3199 | mbedtls_ssl_handshake_increment_state(ssl); |
| 3200 | |
| 3201 | if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) { |
| 3202 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret); |
| 3203 | return ret; |
| 3204 | } |
| 3205 | |
| 3206 | MBEDTLS_SSL_DEBUG_MSG(2, ("<= write server key exchange")); |
| 3207 | return 0; |
| 3208 | } |
| 3209 | |
| 3210 | MBEDTLS_CHECK_RETURN_CRITICAL |
| 3211 | static int ssl_write_server_hello_done(mbedtls_ssl_context *ssl) |
| 3212 | { |
| 3213 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| 3214 | |
| 3215 | MBEDTLS_SSL_DEBUG_MSG(2, ("=> write server hello done")); |
| 3216 | |
| 3217 | ssl->out_msglen = 4; |
| 3218 | ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; |
| 3219 | ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_HELLO_DONE; |
| 3220 | |
| 3221 | mbedtls_ssl_handshake_increment_state(ssl); |
| 3222 | |
| 3223 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
| 3224 | if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) { |
| 3225 | mbedtls_ssl_send_flight_completed(ssl); |
| 3226 | } |
| 3227 | #endif |
| 3228 | |
| 3229 | if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) { |
| 3230 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret); |
| 3231 | return ret; |
| 3232 | } |
| 3233 | |
| 3234 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
| 3235 | if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && |
| 3236 | (ret = mbedtls_ssl_flight_transmit(ssl)) != 0) { |
| 3237 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_flight_transmit", ret); |
| 3238 | return ret; |
| 3239 | } |
| 3240 | #endif /* MBEDTLS_SSL_PROTO_DTLS */ |
| 3241 | |
| 3242 | MBEDTLS_SSL_DEBUG_MSG(2, ("<= write server hello done")); |
| 3243 | |
| 3244 | return 0; |
| 3245 | } |
| 3246 | |
| 3247 | #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \ |
| 3248 | defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) |
| 3249 | MBEDTLS_CHECK_RETURN_CRITICAL |
| 3250 | static int ssl_parse_client_dh_public(mbedtls_ssl_context *ssl, unsigned char **p, |
| 3251 | const unsigned char *end) |
| 3252 | { |
| 3253 | int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; |
| 3254 | size_t n; |
| 3255 | |
| 3256 | /* |
| 3257 | * Receive G^Y mod P, premaster = (G^Y)^X mod P |
| 3258 | */ |
| 3259 | if (*p + 2 > end) { |
| 3260 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message")); |
| 3261 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| 3262 | } |
| 3263 | |
| 3264 | n = MBEDTLS_GET_UINT16_BE(*p, 0); |
| 3265 | *p += 2; |
| 3266 | |
| 3267 | if (*p + n > end) { |
| 3268 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message")); |
| 3269 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| 3270 | } |
| 3271 | |
| 3272 | if ((ret = mbedtls_dhm_read_public(&ssl->handshake->dhm_ctx, *p, n)) != 0) { |
| 3273 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_read_public", ret); |
| 3274 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| 3275 | } |
| 3276 | |
| 3277 | *p += n; |
| 3278 | |
| 3279 | MBEDTLS_SSL_DEBUG_MPI(3, "DHM: GY", &ssl->handshake->dhm_ctx.GY); |
| 3280 | |
| 3281 | return ret; |
| 3282 | } |
| 3283 | #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED || |
| 3284 | MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */ |
| 3285 | |
| 3286 | #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \ |
| 3287 | defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) |
| 3288 | |
| 3289 | #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) |
| 3290 | MBEDTLS_CHECK_RETURN_CRITICAL |
| 3291 | static int ssl_resume_decrypt_pms(mbedtls_ssl_context *ssl, |
| 3292 | unsigned char *peer_pms, |
| 3293 | size_t *peer_pmslen, |
| 3294 | size_t peer_pmssize) |
| 3295 | { |
| 3296 | int ret = ssl->conf->f_async_resume(ssl, |
| 3297 | peer_pms, peer_pmslen, peer_pmssize); |
| 3298 | if (ret != MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS) { |
| 3299 | ssl->handshake->async_in_progress = 0; |
| 3300 | mbedtls_ssl_set_async_operation_data(ssl, NULL); |
| 3301 | } |
| 3302 | MBEDTLS_SSL_DEBUG_RET(2, "ssl_decrypt_encrypted_pms", ret); |
| 3303 | return ret; |
| 3304 | } |
| 3305 | #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */ |
| 3306 | |
| 3307 | MBEDTLS_CHECK_RETURN_CRITICAL |
| 3308 | static int ssl_decrypt_encrypted_pms(mbedtls_ssl_context *ssl, |
| 3309 | const unsigned char *p, |
| 3310 | const unsigned char *end, |
| 3311 | unsigned char *peer_pms, |
| 3312 | size_t *peer_pmslen, |
| 3313 | size_t peer_pmssize) |
| 3314 | { |
| 3315 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| 3316 | |
| 3317 | mbedtls_x509_crt *own_cert = mbedtls_ssl_own_cert(ssl); |
| 3318 | if (own_cert == NULL) { |
| 3319 | MBEDTLS_SSL_DEBUG_MSG(1, ("got no local certificate")); |
| 3320 | return MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE; |
| 3321 | } |
| 3322 | mbedtls_pk_context *public_key = &own_cert->pk; |
| 3323 | mbedtls_pk_context *private_key = mbedtls_ssl_own_key(ssl); |
| 3324 | size_t len = mbedtls_pk_get_len(public_key); |
| 3325 | |
| 3326 | #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) |
| 3327 | /* If we have already started decoding the message and there is an ongoing |
| 3328 | * decryption operation, resume signing. */ |
| 3329 | if (ssl->handshake->async_in_progress != 0) { |
| 3330 | MBEDTLS_SSL_DEBUG_MSG(2, ("resuming decryption operation")); |
| 3331 | return ssl_resume_decrypt_pms(ssl, |
| 3332 | peer_pms, peer_pmslen, peer_pmssize); |
| 3333 | } |
| 3334 | #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */ |
| 3335 | |
| 3336 | /* |
| 3337 | * Prepare to decrypt the premaster using own private RSA key |
| 3338 | */ |
| 3339 | if (p + 2 > end) { |
| 3340 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message")); |
| 3341 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| 3342 | } |
| 3343 | if (*p++ != MBEDTLS_BYTE_1(len) || |
| 3344 | *p++ != MBEDTLS_BYTE_0(len)) { |
| 3345 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message")); |
| 3346 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| 3347 | } |
| 3348 | |
| 3349 | if (p + len != end) { |
| 3350 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message")); |
| 3351 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| 3352 | } |
| 3353 | |
| 3354 | /* |
| 3355 | * Decrypt the premaster secret |
| 3356 | */ |
| 3357 | #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) |
| 3358 | if (ssl->conf->f_async_decrypt_start != NULL) { |
| 3359 | ret = ssl->conf->f_async_decrypt_start(ssl, |
| 3360 | mbedtls_ssl_own_cert(ssl), |
| 3361 | p, len); |
| 3362 | switch (ret) { |
| 3363 | case MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH: |
| 3364 | /* act as if f_async_decrypt_start was null */ |
| 3365 | break; |
| 3366 | case 0: |
| 3367 | ssl->handshake->async_in_progress = 1; |
| 3368 | return ssl_resume_decrypt_pms(ssl, |
| 3369 | peer_pms, |
| 3370 | peer_pmslen, |
| 3371 | peer_pmssize); |
| 3372 | case MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS: |
| 3373 | ssl->handshake->async_in_progress = 1; |
| 3374 | return MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS; |
| 3375 | default: |
| 3376 | MBEDTLS_SSL_DEBUG_RET(1, "f_async_decrypt_start", ret); |
| 3377 | return ret; |
| 3378 | } |
| 3379 | } |
| 3380 | #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */ |
| 3381 | |
| 3382 | if (!mbedtls_pk_can_do(private_key, MBEDTLS_PK_RSA)) { |
| 3383 | MBEDTLS_SSL_DEBUG_MSG(1, ("got no RSA private key")); |
| 3384 | return MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED; |
| 3385 | } |
| 3386 | |
| 3387 | ret = mbedtls_pk_decrypt(private_key, p, len, |
| 3388 | peer_pms, peer_pmslen, peer_pmssize, |
| 3389 | ssl->conf->f_rng, ssl->conf->p_rng); |
| 3390 | return ret; |
| 3391 | } |
| 3392 | |
| 3393 | MBEDTLS_CHECK_RETURN_CRITICAL |
| 3394 | static int ssl_parse_encrypted_pms(mbedtls_ssl_context *ssl, |
| 3395 | const unsigned char *p, |
| 3396 | const unsigned char *end, |
| 3397 | size_t pms_offset) |
| 3398 | { |
| 3399 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| 3400 | unsigned char *pms = ssl->handshake->premaster + pms_offset; |
| 3401 | unsigned char ver[2]; |
| 3402 | unsigned char fake_pms[48], peer_pms[48]; |
| 3403 | size_t peer_pmslen; |
| 3404 | mbedtls_ct_condition_t diff; |
| 3405 | |
| 3406 | /* In case of a failure in decryption, the decryption may write less than |
| 3407 | * 2 bytes of output, but we always read the first two bytes. It doesn't |
| 3408 | * matter in the end because diff will be nonzero in that case due to |
| 3409 | * ret being nonzero, and we only care whether diff is 0. |
| 3410 | * But do initialize peer_pms and peer_pmslen for robustness anyway. This |
| 3411 | * also makes memory analyzers happy (don't access uninitialized memory, |
| 3412 | * even if it's an unsigned char). */ |
| 3413 | peer_pms[0] = peer_pms[1] = ~0; |
| 3414 | peer_pmslen = 0; |
| 3415 | |
| 3416 | ret = ssl_decrypt_encrypted_pms(ssl, p, end, |
| 3417 | peer_pms, |
| 3418 | &peer_pmslen, |
| 3419 | sizeof(peer_pms)); |
| 3420 | |
| 3421 | #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) |
| 3422 | if (ret == MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS) { |
| 3423 | return ret; |
| 3424 | } |
| 3425 | #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */ |
| 3426 | |
| 3427 | mbedtls_ssl_write_version(ver, ssl->conf->transport, |
| 3428 | ssl->session_negotiate->tls_version); |
| 3429 | |
| 3430 | /* Avoid data-dependent branches while checking for invalid |
| 3431 | * padding, to protect against timing-based Bleichenbacher-type |
| 3432 | * attacks. */ |
| 3433 | diff = mbedtls_ct_bool(ret); |
| 3434 | diff = mbedtls_ct_bool_or(diff, mbedtls_ct_uint_ne(peer_pmslen, 48)); |
| 3435 | diff = mbedtls_ct_bool_or(diff, mbedtls_ct_uint_ne(peer_pms[0], ver[0])); |
| 3436 | diff = mbedtls_ct_bool_or(diff, mbedtls_ct_uint_ne(peer_pms[1], ver[1])); |
| 3437 | |
| 3438 | /* |
| 3439 | * Protection against Bleichenbacher's attack: invalid PKCS#1 v1.5 padding |
| 3440 | * must not cause the connection to end immediately; instead, send a |
| 3441 | * bad_record_mac later in the handshake. |
| 3442 | * To protect against timing-based variants of the attack, we must |
| 3443 | * not have any branch that depends on whether the decryption was |
| 3444 | * successful. In particular, always generate the fake premaster secret, |
| 3445 | * regardless of whether it will ultimately influence the output or not. |
| 3446 | */ |
| 3447 | ret = ssl->conf->f_rng(ssl->conf->p_rng, fake_pms, sizeof(fake_pms)); |
| 3448 | if (ret != 0) { |
| 3449 | /* It's ok to abort on an RNG failure, since this does not reveal |
| 3450 | * anything about the RSA decryption. */ |
| 3451 | return ret; |
| 3452 | } |
| 3453 | |
| 3454 | #if defined(MBEDTLS_SSL_DEBUG_ALL) |
| 3455 | if (diff != MBEDTLS_CT_FALSE) { |
| 3456 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message")); |
| 3457 | } |
| 3458 | #endif |
| 3459 | |
| 3460 | if (sizeof(ssl->handshake->premaster) < pms_offset || |
| 3461 | sizeof(ssl->handshake->premaster) - pms_offset < 48) { |
| 3462 | MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); |
| 3463 | return MBEDTLS_ERR_SSL_INTERNAL_ERROR; |
| 3464 | } |
| 3465 | ssl->handshake->pmslen = 48; |
| 3466 | |
| 3467 | /* Set pms to either the true or the fake PMS, without |
| 3468 | * data-dependent branches. */ |
| 3469 | mbedtls_ct_memcpy_if(diff, pms, fake_pms, peer_pms, ssl->handshake->pmslen); |
| 3470 | |
| 3471 | return 0; |
| 3472 | } |
| 3473 | #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED || |
| 3474 | MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */ |
| 3475 | |
| 3476 | #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) |
| 3477 | MBEDTLS_CHECK_RETURN_CRITICAL |
| 3478 | static int ssl_parse_client_psk_identity(mbedtls_ssl_context *ssl, unsigned char **p, |
| 3479 | const unsigned char *end) |
| 3480 | { |
| 3481 | int ret = 0; |
| 3482 | uint16_t n; |
| 3483 | |
| 3484 | if (ssl_conf_has_psk_or_cb(ssl->conf) == 0) { |
| 3485 | MBEDTLS_SSL_DEBUG_MSG(1, ("got no pre-shared key")); |
| 3486 | return MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED; |
| 3487 | } |
| 3488 | |
| 3489 | /* |
| 3490 | * Receive client pre-shared key identity name |
| 3491 | */ |
| 3492 | if (end - *p < 2) { |
| 3493 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message")); |
| 3494 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| 3495 | } |
| 3496 | |
| 3497 | n = MBEDTLS_GET_UINT16_BE(*p, 0); |
| 3498 | *p += 2; |
| 3499 | |
| 3500 | if (n == 0 || n > end - *p) { |
| 3501 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message")); |
| 3502 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| 3503 | } |
| 3504 | |
| 3505 | if (ssl->conf->f_psk != NULL) { |
| 3506 | if (ssl->conf->f_psk(ssl->conf->p_psk, ssl, *p, n) != 0) { |
| 3507 | ret = MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY; |
| 3508 | } |
| 3509 | } else { |
| 3510 | /* Identity is not a big secret since clients send it in the clear, |
| 3511 | * but treat it carefully anyway, just in case */ |
| 3512 | if (n != ssl->conf->psk_identity_len || |
| 3513 | mbedtls_ct_memcmp(ssl->conf->psk_identity, *p, n) != 0) { |
| 3514 | ret = MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY; |
| 3515 | } |
| 3516 | } |
| 3517 | |
| 3518 | if (ret == MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY) { |
| 3519 | MBEDTLS_SSL_DEBUG_BUF(3, "Unknown PSK identity", *p, n); |
| 3520 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
| 3521 | MBEDTLS_SSL_ALERT_MSG_UNKNOWN_PSK_IDENTITY); |
| 3522 | return MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY; |
| 3523 | } |
| 3524 | |
| 3525 | *p += n; |
| 3526 | |
| 3527 | return 0; |
| 3528 | } |
| 3529 | #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */ |
| 3530 | |
| 3531 | MBEDTLS_CHECK_RETURN_CRITICAL |
| 3532 | static int ssl_parse_client_key_exchange(mbedtls_ssl_context *ssl) |
| 3533 | { |
| 3534 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| 3535 | const mbedtls_ssl_ciphersuite_t *ciphersuite_info; |
| 3536 | unsigned char *p, *end; |
| 3537 | |
| 3538 | ciphersuite_info = ssl->handshake->ciphersuite_info; |
| 3539 | |
| 3540 | MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse client key exchange")); |
| 3541 | |
| 3542 | #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) && \ |
| 3543 | (defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \ |
| 3544 | defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)) |
| 3545 | if ((ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK || |
| 3546 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA) && |
| 3547 | (ssl->handshake->async_in_progress != 0)) { |
| 3548 | /* We've already read a record and there is an asynchronous |
| 3549 | * operation in progress to decrypt it. So skip reading the |
| 3550 | * record. */ |
| 3551 | MBEDTLS_SSL_DEBUG_MSG(3, ("will resume decryption of previously-read record")); |
| 3552 | } else |
| 3553 | #endif |
| 3554 | if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) { |
| 3555 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret); |
| 3556 | return ret; |
| 3557 | } |
| 3558 | |
| 3559 | p = ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl); |
| 3560 | end = ssl->in_msg + ssl->in_hslen; |
| 3561 | |
| 3562 | if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) { |
| 3563 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message")); |
| 3564 | return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE; |
| 3565 | } |
| 3566 | |
| 3567 | if (ssl->in_msg[0] != MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE) { |
| 3568 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message")); |
| 3569 | return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE; |
| 3570 | } |
| 3571 | |
| 3572 | #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) |
| 3573 | if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA) { |
| 3574 | if ((ret = ssl_parse_client_dh_public(ssl, &p, end)) != 0) { |
| 3575 | MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_dh_public"), ret); |
| 3576 | return ret; |
| 3577 | } |
| 3578 | |
| 3579 | if (p != end) { |
| 3580 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange")); |
| 3581 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| 3582 | } |
| 3583 | |
| 3584 | if ((ret = mbedtls_dhm_calc_secret(&ssl->handshake->dhm_ctx, |
| 3585 | ssl->handshake->premaster, |
| 3586 | MBEDTLS_PREMASTER_SIZE, |
| 3587 | &ssl->handshake->pmslen, |
| 3588 | ssl->conf->f_rng, ssl->conf->p_rng)) != 0) { |
| 3589 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_calc_secret", ret); |
| 3590 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| 3591 | } |
| 3592 | |
| 3593 | MBEDTLS_SSL_DEBUG_MPI(3, "DHM: K ", &ssl->handshake->dhm_ctx.K); |
| 3594 | } else |
| 3595 | #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */ |
| 3596 | #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ |
| 3597 | defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \ |
| 3598 | defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ |
| 3599 | defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) |
| 3600 | if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA || |
| 3601 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA || |
| 3602 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA || |
| 3603 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA) { |
| 3604 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
| 3605 | size_t data_len = (size_t) (*p++); |
| 3606 | size_t buf_len = (size_t) (end - p); |
| 3607 | psa_status_t status = PSA_ERROR_GENERIC_ERROR; |
| 3608 | mbedtls_ssl_handshake_params *handshake = ssl->handshake; |
| 3609 | |
| 3610 | MBEDTLS_SSL_DEBUG_MSG(3, ("Read the peer's public key.")); |
| 3611 | |
| 3612 | /* |
| 3613 | * We must have at least two bytes (1 for length, at least 1 for data) |
| 3614 | */ |
| 3615 | if (buf_len < 2) { |
| 3616 | MBEDTLS_SSL_DEBUG_MSG(1, ("Invalid buffer length: %" MBEDTLS_PRINTF_SIZET, |
| 3617 | buf_len)); |
| 3618 | return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; |
| 3619 | } |
| 3620 | |
| 3621 | if (data_len < 1 || data_len > buf_len) { |
| 3622 | MBEDTLS_SSL_DEBUG_MSG(1, ("Invalid data length: %" MBEDTLS_PRINTF_SIZET |
| 3623 | " > %" MBEDTLS_PRINTF_SIZET, |
| 3624 | data_len, buf_len)); |
| 3625 | return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; |
| 3626 | } |
| 3627 | |
| 3628 | /* Store peer's ECDH public key. */ |
| 3629 | if (data_len > sizeof(handshake->xxdh_psa_peerkey)) { |
| 3630 | MBEDTLS_SSL_DEBUG_MSG(1, ("Invalid public key length: %" MBEDTLS_PRINTF_SIZET |
| 3631 | " > %" MBEDTLS_PRINTF_SIZET, |
| 3632 | data_len, |
| 3633 | sizeof(handshake->xxdh_psa_peerkey))); |
| 3634 | return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; |
| 3635 | } |
| 3636 | memcpy(handshake->xxdh_psa_peerkey, p, data_len); |
| 3637 | handshake->xxdh_psa_peerkey_len = data_len; |
| 3638 | |
| 3639 | /* Compute ECDH shared secret. */ |
| 3640 | status = psa_raw_key_agreement( |
| 3641 | PSA_ALG_ECDH, handshake->xxdh_psa_privkey, |
| 3642 | handshake->xxdh_psa_peerkey, handshake->xxdh_psa_peerkey_len, |
| 3643 | handshake->premaster, sizeof(handshake->premaster), |
| 3644 | &handshake->pmslen); |
| 3645 | if (status != PSA_SUCCESS) { |
| 3646 | ret = PSA_TO_MBEDTLS_ERR(status); |
| 3647 | MBEDTLS_SSL_DEBUG_RET(1, "psa_raw_key_agreement", ret); |
| 3648 | if (handshake->xxdh_psa_privkey_is_external == 0) { |
| 3649 | (void) psa_destroy_key(handshake->xxdh_psa_privkey); |
| 3650 | } |
| 3651 | handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT; |
| 3652 | return ret; |
| 3653 | } |
| 3654 | |
| 3655 | if (handshake->xxdh_psa_privkey_is_external == 0) { |
| 3656 | status = psa_destroy_key(handshake->xxdh_psa_privkey); |
| 3657 | |
| 3658 | if (status != PSA_SUCCESS) { |
| 3659 | ret = PSA_TO_MBEDTLS_ERR(status); |
| 3660 | MBEDTLS_SSL_DEBUG_RET(1, "psa_destroy_key", ret); |
| 3661 | return ret; |
| 3662 | } |
| 3663 | } |
| 3664 | handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT; |
| 3665 | #else |
| 3666 | if ((ret = mbedtls_ecdh_read_public(&ssl->handshake->ecdh_ctx, |
| 3667 | p, (size_t) (end - p))) != 0) { |
| 3668 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_read_public", ret); |
| 3669 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| 3670 | } |
| 3671 | |
| 3672 | MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx, |
| 3673 | MBEDTLS_DEBUG_ECDH_QP); |
| 3674 | |
| 3675 | if ((ret = mbedtls_ecdh_calc_secret(&ssl->handshake->ecdh_ctx, |
| 3676 | &ssl->handshake->pmslen, |
| 3677 | ssl->handshake->premaster, |
| 3678 | MBEDTLS_MPI_MAX_SIZE, |
| 3679 | ssl->conf->f_rng, ssl->conf->p_rng)) != 0) { |
| 3680 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_calc_secret", ret); |
| 3681 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| 3682 | } |
| 3683 | |
| 3684 | MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx, |
| 3685 | MBEDTLS_DEBUG_ECDH_Z); |
| 3686 | #endif /* MBEDTLS_USE_PSA_CRYPTO */ |
| 3687 | } else |
| 3688 | #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || |
| 3689 | MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED || |
| 3690 | MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED || |
| 3691 | MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ |
| 3692 | #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) |
| 3693 | if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK) { |
| 3694 | if ((ret = ssl_parse_client_psk_identity(ssl, &p, end)) != 0) { |
| 3695 | MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_psk_identity"), ret); |
| 3696 | return ret; |
| 3697 | } |
| 3698 | |
| 3699 | if (p != end) { |
| 3700 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange")); |
| 3701 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| 3702 | } |
| 3703 | |
| 3704 | #if !defined(MBEDTLS_USE_PSA_CRYPTO) |
| 3705 | if ((ret = mbedtls_ssl_psk_derive_premaster(ssl, |
| 3706 | (mbedtls_key_exchange_type_t) ciphersuite_info-> |
| 3707 | key_exchange)) != 0) { |
| 3708 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_psk_derive_premaster", ret); |
| 3709 | return ret; |
| 3710 | } |
| 3711 | #endif /* !MBEDTLS_USE_PSA_CRYPTO */ |
| 3712 | } else |
| 3713 | #endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */ |
| 3714 | #if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) |
| 3715 | if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK) { |
| 3716 | #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) |
| 3717 | if (ssl->handshake->async_in_progress != 0) { |
| 3718 | /* There is an asynchronous operation in progress to |
| 3719 | * decrypt the encrypted premaster secret, so skip |
| 3720 | * directly to resuming this operation. */ |
| 3721 | MBEDTLS_SSL_DEBUG_MSG(3, ("PSK identity already parsed")); |
| 3722 | /* Update p to skip the PSK identity. ssl_parse_encrypted_pms |
| 3723 | * won't actually use it, but maintain p anyway for robustness. */ |
| 3724 | p += ssl->conf->psk_identity_len + 2; |
| 3725 | } else |
| 3726 | #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */ |
| 3727 | if ((ret = ssl_parse_client_psk_identity(ssl, &p, end)) != 0) { |
| 3728 | MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_psk_identity"), ret); |
| 3729 | return ret; |
| 3730 | } |
| 3731 | |
| 3732 | if ((ret = ssl_parse_encrypted_pms(ssl, p, end, 2)) != 0) { |
| 3733 | MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_encrypted_pms"), ret); |
| 3734 | return ret; |
| 3735 | } |
| 3736 | |
| 3737 | #if !defined(MBEDTLS_USE_PSA_CRYPTO) |
| 3738 | if ((ret = mbedtls_ssl_psk_derive_premaster(ssl, |
| 3739 | (mbedtls_key_exchange_type_t) ciphersuite_info-> |
| 3740 | key_exchange)) != 0) { |
| 3741 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_psk_derive_premaster", ret); |
| 3742 | return ret; |
| 3743 | } |
| 3744 | #endif /* !MBEDTLS_USE_PSA_CRYPTO */ |
| 3745 | } else |
| 3746 | #endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */ |
| 3747 | #if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) |
| 3748 | if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK) { |
| 3749 | if ((ret = ssl_parse_client_psk_identity(ssl, &p, end)) != 0) { |
| 3750 | MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_psk_identity"), ret); |
| 3751 | return ret; |
| 3752 | } |
| 3753 | if ((ret = ssl_parse_client_dh_public(ssl, &p, end)) != 0) { |
| 3754 | MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_dh_public"), ret); |
| 3755 | return ret; |
| 3756 | } |
| 3757 | |
| 3758 | if (p != end) { |
| 3759 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange")); |
| 3760 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| 3761 | } |
| 3762 | |
| 3763 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
| 3764 | unsigned char *pms = ssl->handshake->premaster; |
| 3765 | unsigned char *pms_end = pms + sizeof(ssl->handshake->premaster); |
| 3766 | size_t pms_len; |
| 3767 | |
| 3768 | /* Write length only when we know the actual value */ |
| 3769 | if ((ret = mbedtls_dhm_calc_secret(&ssl->handshake->dhm_ctx, |
| 3770 | pms + 2, pms_end - (pms + 2), &pms_len, |
| 3771 | ssl->conf->f_rng, ssl->conf->p_rng)) != 0) { |
| 3772 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_calc_secret", ret); |
| 3773 | return ret; |
| 3774 | } |
| 3775 | MBEDTLS_PUT_UINT16_BE(pms_len, pms, 0); |
| 3776 | pms += 2 + pms_len; |
| 3777 | |
| 3778 | MBEDTLS_SSL_DEBUG_MPI(3, "DHM: K ", &ssl->handshake->dhm_ctx.K); |
| 3779 | #else |
| 3780 | if ((ret = mbedtls_ssl_psk_derive_premaster(ssl, |
| 3781 | (mbedtls_key_exchange_type_t) ciphersuite_info-> |
| 3782 | key_exchange)) != 0) { |
| 3783 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_psk_derive_premaster", ret); |
| 3784 | return ret; |
| 3785 | } |
| 3786 | #endif /* MBEDTLS_USE_PSA_CRYPTO */ |
| 3787 | } else |
| 3788 | #endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */ |
| 3789 | #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) |
| 3790 | if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK) { |
| 3791 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
| 3792 | psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; |
| 3793 | psa_status_t destruction_status = PSA_ERROR_CORRUPTION_DETECTED; |
| 3794 | size_t ecpoint_len; |
| 3795 | |
| 3796 | mbedtls_ssl_handshake_params *handshake = ssl->handshake; |
| 3797 | |
| 3798 | if ((ret = ssl_parse_client_psk_identity(ssl, &p, end)) != 0) { |
| 3799 | MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_psk_identity"), ret); |
| 3800 | psa_destroy_key(handshake->xxdh_psa_privkey); |
| 3801 | handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT; |
| 3802 | return ret; |
| 3803 | } |
| 3804 | |
| 3805 | /* Keep a copy of the peer's public key */ |
| 3806 | if (p >= end) { |
| 3807 | psa_destroy_key(handshake->xxdh_psa_privkey); |
| 3808 | handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT; |
| 3809 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| 3810 | } |
| 3811 | |
| 3812 | ecpoint_len = *(p++); |
| 3813 | if ((size_t) (end - p) < ecpoint_len) { |
| 3814 | psa_destroy_key(handshake->xxdh_psa_privkey); |
| 3815 | handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT; |
| 3816 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| 3817 | } |
| 3818 | |
| 3819 | /* When FFDH is enabled, the array handshake->xxdh_psa_peer_key size takes into account |
| 3820 | the sizes of the FFDH keys which are at least 2048 bits. |
| 3821 | The size of the array is thus greater than 256 bytes which is greater than any |
| 3822 | possible value of ecpoint_len (type uint8_t) and the check below can be skipped.*/ |
| 3823 | #if !defined(PSA_WANT_ALG_FFDH) |
| 3824 | if (ecpoint_len > sizeof(handshake->xxdh_psa_peerkey)) { |
| 3825 | psa_destroy_key(handshake->xxdh_psa_privkey); |
| 3826 | handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT; |
| 3827 | return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; |
| 3828 | } |
| 3829 | #else |
| 3830 | MBEDTLS_STATIC_ASSERT(sizeof(handshake->xxdh_psa_peerkey) >= UINT8_MAX, |
| 3831 | "peer key buffer too small"); |
| 3832 | #endif |
| 3833 | |
| 3834 | memcpy(handshake->xxdh_psa_peerkey, p, ecpoint_len); |
| 3835 | handshake->xxdh_psa_peerkey_len = ecpoint_len; |
| 3836 | p += ecpoint_len; |
| 3837 | |
| 3838 | /* As RFC 5489 section 2, the premaster secret is formed as follows: |
| 3839 | * - a uint16 containing the length (in octets) of the ECDH computation |
| 3840 | * - the octet string produced by the ECDH computation |
| 3841 | * - a uint16 containing the length (in octets) of the PSK |
| 3842 | * - the PSK itself |
| 3843 | */ |
| 3844 | unsigned char *psm = ssl->handshake->premaster; |
| 3845 | const unsigned char * const psm_end = |
| 3846 | psm + sizeof(ssl->handshake->premaster); |
| 3847 | /* uint16 to store length (in octets) of the ECDH computation */ |
| 3848 | const size_t zlen_size = 2; |
| 3849 | size_t zlen = 0; |
| 3850 | |
| 3851 | /* Compute ECDH shared secret. */ |
| 3852 | status = psa_raw_key_agreement(PSA_ALG_ECDH, |
| 3853 | handshake->xxdh_psa_privkey, |
| 3854 | handshake->xxdh_psa_peerkey, |
| 3855 | handshake->xxdh_psa_peerkey_len, |
| 3856 | psm + zlen_size, |
| 3857 | psm_end - (psm + zlen_size), |
| 3858 | &zlen); |
| 3859 | |
| 3860 | destruction_status = psa_destroy_key(handshake->xxdh_psa_privkey); |
| 3861 | handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT; |
| 3862 | |
| 3863 | if (status != PSA_SUCCESS) { |
| 3864 | return PSA_TO_MBEDTLS_ERR(status); |
| 3865 | } else if (destruction_status != PSA_SUCCESS) { |
| 3866 | return PSA_TO_MBEDTLS_ERR(destruction_status); |
| 3867 | } |
| 3868 | |
| 3869 | /* Write the ECDH computation length before the ECDH computation */ |
| 3870 | MBEDTLS_PUT_UINT16_BE(zlen, psm, 0); |
| 3871 | psm += zlen_size + zlen; |
| 3872 | |
| 3873 | #else /* MBEDTLS_USE_PSA_CRYPTO */ |
| 3874 | if ((ret = ssl_parse_client_psk_identity(ssl, &p, end)) != 0) { |
| 3875 | MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_psk_identity"), ret); |
| 3876 | return ret; |
| 3877 | } |
| 3878 | |
| 3879 | if ((ret = mbedtls_ecdh_read_public(&ssl->handshake->ecdh_ctx, |
| 3880 | p, (size_t) (end - p))) != 0) { |
| 3881 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_read_public", ret); |
| 3882 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| 3883 | } |
| 3884 | |
| 3885 | MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx, |
| 3886 | MBEDTLS_DEBUG_ECDH_QP); |
| 3887 | |
| 3888 | if ((ret = mbedtls_ssl_psk_derive_premaster(ssl, |
| 3889 | (mbedtls_key_exchange_type_t) ciphersuite_info-> |
| 3890 | key_exchange)) != 0) { |
| 3891 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_psk_derive_premaster", ret); |
| 3892 | return ret; |
| 3893 | } |
| 3894 | #endif /* MBEDTLS_USE_PSA_CRYPTO */ |
| 3895 | } else |
| 3896 | #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */ |
| 3897 | #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) |
| 3898 | if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA) { |
| 3899 | if ((ret = ssl_parse_encrypted_pms(ssl, p, end, 0)) != 0) { |
| 3900 | MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_parse_encrypted_pms_secret"), ret); |
| 3901 | return ret; |
| 3902 | } |
| 3903 | } else |
| 3904 | #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */ |
| 3905 | #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) |
| 3906 | if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE) { |
| 3907 | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
| 3908 | if ((ret = mbedtls_psa_ecjpake_read_round( |
| 3909 | &ssl->handshake->psa_pake_ctx, p, (size_t) (end - p), |
| 3910 | MBEDTLS_ECJPAKE_ROUND_TWO)) != 0) { |
| 3911 | psa_destroy_key(ssl->handshake->psa_pake_password); |
| 3912 | psa_pake_abort(&ssl->handshake->psa_pake_ctx); |
| 3913 | |
| 3914 | MBEDTLS_SSL_DEBUG_RET(1, "psa_pake_input round two", ret); |
| 3915 | return ret; |
| 3916 | } |
| 3917 | #else |
| 3918 | ret = mbedtls_ecjpake_read_round_two(&ssl->handshake->ecjpake_ctx, |
| 3919 | p, (size_t) (end - p)); |
| 3920 | if (ret != 0) { |
| 3921 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_read_round_two", ret); |
| 3922 | return MBEDTLS_ERR_SSL_INTERNAL_ERROR; |
| 3923 | } |
| 3924 | |
| 3925 | ret = mbedtls_ecjpake_derive_secret(&ssl->handshake->ecjpake_ctx, |
| 3926 | ssl->handshake->premaster, 32, &ssl->handshake->pmslen, |
| 3927 | ssl->conf->f_rng, ssl->conf->p_rng); |
| 3928 | if (ret != 0) { |
| 3929 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_derive_secret", ret); |
| 3930 | return ret; |
| 3931 | } |
| 3932 | #endif /* MBEDTLS_USE_PSA_CRYPTO */ |
| 3933 | } else |
| 3934 | #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ |
| 3935 | { |
| 3936 | MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); |
| 3937 | return MBEDTLS_ERR_SSL_INTERNAL_ERROR; |
| 3938 | } |
| 3939 | |
| 3940 | if ((ret = mbedtls_ssl_derive_keys(ssl)) != 0) { |
| 3941 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_derive_keys", ret); |
| 3942 | return ret; |
| 3943 | } |
| 3944 | |
| 3945 | mbedtls_ssl_handshake_increment_state(ssl); |
| 3946 | |
| 3947 | MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse client key exchange")); |
| 3948 | |
| 3949 | return 0; |
| 3950 | } |
| 3951 | |
| 3952 | #if !defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED) |
| 3953 | MBEDTLS_CHECK_RETURN_CRITICAL |
| 3954 | static int ssl_parse_certificate_verify(mbedtls_ssl_context *ssl) |
| 3955 | { |
| 3956 | const mbedtls_ssl_ciphersuite_t *ciphersuite_info = |
| 3957 | ssl->handshake->ciphersuite_info; |
| 3958 | |
| 3959 | MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate verify")); |
| 3960 | |
| 3961 | if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) { |
| 3962 | MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate verify")); |
| 3963 | mbedtls_ssl_handshake_increment_state(ssl); |
| 3964 | return 0; |
| 3965 | } |
| 3966 | |
| 3967 | MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); |
| 3968 | return MBEDTLS_ERR_SSL_INTERNAL_ERROR; |
| 3969 | } |
| 3970 | #else /* !MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */ |
| 3971 | MBEDTLS_CHECK_RETURN_CRITICAL |
| 3972 | static int ssl_parse_certificate_verify(mbedtls_ssl_context *ssl) |
| 3973 | { |
| 3974 | int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; |
| 3975 | size_t i, sig_len; |
| 3976 | unsigned char hash[48]; |
| 3977 | unsigned char *hash_start = hash; |
| 3978 | size_t hashlen; |
| 3979 | mbedtls_pk_type_t pk_alg; |
| 3980 | mbedtls_md_type_t md_alg; |
| 3981 | const mbedtls_ssl_ciphersuite_t *ciphersuite_info = |
| 3982 | ssl->handshake->ciphersuite_info; |
| 3983 | mbedtls_pk_context *peer_pk; |
| 3984 | |
| 3985 | MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate verify")); |
| 3986 | |
| 3987 | if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) { |
| 3988 | MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate verify")); |
| 3989 | mbedtls_ssl_handshake_increment_state(ssl); |
| 3990 | return 0; |
| 3991 | } |
| 3992 | |
| 3993 | #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) |
| 3994 | if (ssl->session_negotiate->peer_cert == NULL) { |
| 3995 | MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate verify")); |
| 3996 | mbedtls_ssl_handshake_increment_state(ssl); |
| 3997 | return 0; |
| 3998 | } |
| 3999 | #else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ |
| 4000 | if (ssl->session_negotiate->peer_cert_digest == NULL) { |
| 4001 | MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate verify")); |
| 4002 | mbedtls_ssl_handshake_increment_state(ssl); |
| 4003 | return 0; |
| 4004 | } |
| 4005 | #endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ |
| 4006 | |
| 4007 | /* Read the message without adding it to the checksum */ |
| 4008 | ret = mbedtls_ssl_read_record(ssl, 0 /* no checksum update */); |
| 4009 | if (0 != ret) { |
| 4010 | MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ssl_read_record"), ret); |
| 4011 | return ret; |
| 4012 | } |
| 4013 | |
| 4014 | mbedtls_ssl_handshake_increment_state(ssl); |
| 4015 | |
| 4016 | /* Process the message contents */ |
| 4017 | if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE || |
| 4018 | ssl->in_msg[0] != MBEDTLS_SSL_HS_CERTIFICATE_VERIFY) { |
| 4019 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate verify message")); |
| 4020 | return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE; |
| 4021 | } |
| 4022 | |
| 4023 | i = mbedtls_ssl_hs_hdr_len(ssl); |
| 4024 | |
| 4025 | #if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) |
| 4026 | peer_pk = &ssl->handshake->peer_pubkey; |
| 4027 | #else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ |
| 4028 | if (ssl->session_negotiate->peer_cert == NULL) { |
| 4029 | /* Should never happen */ |
| 4030 | return MBEDTLS_ERR_SSL_INTERNAL_ERROR; |
| 4031 | } |
| 4032 | peer_pk = &ssl->session_negotiate->peer_cert->pk; |
| 4033 | #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ |
| 4034 | |
| 4035 | /* |
| 4036 | * struct { |
| 4037 | * SignatureAndHashAlgorithm algorithm; -- TLS 1.2 only |
| 4038 | * opaque signature<0..2^16-1>; |
| 4039 | * } DigitallySigned; |
| 4040 | */ |
| 4041 | if (i + 2 > ssl->in_hslen) { |
| 4042 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate verify message")); |
| 4043 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| 4044 | } |
| 4045 | |
| 4046 | /* |
| 4047 | * Hash |
| 4048 | */ |
| 4049 | md_alg = mbedtls_ssl_md_alg_from_hash(ssl->in_msg[i]); |
| 4050 | |
| 4051 | if (md_alg == MBEDTLS_MD_NONE || mbedtls_ssl_set_calc_verify_md(ssl, ssl->in_msg[i])) { |
| 4052 | MBEDTLS_SSL_DEBUG_MSG(1, ("peer not adhering to requested sig_alg" |
| 4053 | " for verify message")); |
| 4054 | return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; |
| 4055 | } |
| 4056 | |
| 4057 | #if !defined(MBEDTLS_MD_SHA1) |
| 4058 | if (MBEDTLS_MD_SHA1 == md_alg) { |
| 4059 | hash_start += 16; |
| 4060 | } |
| 4061 | #endif |
| 4062 | |
| 4063 | /* Info from md_alg will be used instead */ |
| 4064 | hashlen = 0; |
| 4065 | |
| 4066 | i++; |
| 4067 | |
| 4068 | /* |
| 4069 | * Signature |
| 4070 | */ |
| 4071 | if ((pk_alg = mbedtls_ssl_pk_alg_from_sig(ssl->in_msg[i])) |
| 4072 | == MBEDTLS_PK_NONE) { |
| 4073 | MBEDTLS_SSL_DEBUG_MSG(1, ("peer not adhering to requested sig_alg" |
| 4074 | " for verify message")); |
| 4075 | return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; |
| 4076 | } |
| 4077 | |
| 4078 | /* |
| 4079 | * Check the certificate's key type matches the signature alg |
| 4080 | */ |
| 4081 | if (!mbedtls_pk_can_do(peer_pk, pk_alg)) { |
| 4082 | MBEDTLS_SSL_DEBUG_MSG(1, ("sig_alg doesn't match cert key")); |
| 4083 | return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; |
| 4084 | } |
| 4085 | |
| 4086 | i++; |
| 4087 | |
| 4088 | if (i + 2 > ssl->in_hslen) { |
| 4089 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate verify message")); |
| 4090 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| 4091 | } |
| 4092 | |
| 4093 | sig_len = MBEDTLS_GET_UINT16_BE(ssl->in_msg, i); |
| 4094 | i += 2; |
| 4095 | |
| 4096 | if (i + sig_len != ssl->in_hslen) { |
| 4097 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate verify message")); |
| 4098 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| 4099 | } |
| 4100 | |
| 4101 | /* Calculate hash and verify signature */ |
| 4102 | { |
| 4103 | size_t dummy_hlen; |
| 4104 | ret = ssl->handshake->calc_verify(ssl, hash, &dummy_hlen); |
| 4105 | if (0 != ret) { |
| 4106 | MBEDTLS_SSL_DEBUG_RET(1, ("calc_verify"), ret); |
| 4107 | return ret; |
| 4108 | } |
| 4109 | } |
| 4110 | |
| 4111 | if ((ret = mbedtls_pk_verify(peer_pk, |
| 4112 | md_alg, hash_start, hashlen, |
| 4113 | ssl->in_msg + i, sig_len)) != 0) { |
| 4114 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_verify", ret); |
| 4115 | return ret; |
| 4116 | } |
| 4117 | |
| 4118 | ret = mbedtls_ssl_update_handshake_status(ssl); |
| 4119 | if (0 != ret) { |
| 4120 | MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ssl_update_handshake_status"), ret); |
| 4121 | return ret; |
| 4122 | } |
| 4123 | |
| 4124 | MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse certificate verify")); |
| 4125 | |
| 4126 | return ret; |
| 4127 | } |
| 4128 | #endif /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */ |
| 4129 | |
| 4130 | #if defined(MBEDTLS_SSL_SESSION_TICKETS) |
| 4131 | MBEDTLS_CHECK_RETURN_CRITICAL |
| 4132 | static int ssl_write_new_session_ticket(mbedtls_ssl_context *ssl) |
| 4133 | { |
| 4134 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| 4135 | size_t tlen; |
| 4136 | uint32_t lifetime; |
| 4137 | |
| 4138 | MBEDTLS_SSL_DEBUG_MSG(2, ("=> write new session ticket")); |
| 4139 | |
| 4140 | ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; |
| 4141 | ssl->out_msg[0] = MBEDTLS_SSL_HS_NEW_SESSION_TICKET; |
| 4142 | |
| 4143 | /* |
| 4144 | * struct { |
| 4145 | * uint32 ticket_lifetime_hint; |
| 4146 | * opaque ticket<0..2^16-1>; |
| 4147 | * } NewSessionTicket; |
| 4148 | * |
| 4149 | * 4 . 7 ticket_lifetime_hint (0 = unspecified) |
| 4150 | * 8 . 9 ticket_len (n) |
| 4151 | * 10 . 9+n ticket content |
| 4152 | */ |
| 4153 | |
| 4154 | #if defined(MBEDTLS_HAVE_TIME) |
| 4155 | ssl->session_negotiate->ticket_creation_time = mbedtls_ms_time(); |
| 4156 | #endif |
| 4157 | if ((ret = ssl->conf->f_ticket_write(ssl->conf->p_ticket, |
| 4158 | ssl->session_negotiate, |
| 4159 | ssl->out_msg + 10, |
| 4160 | ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN, |
| 4161 | &tlen, &lifetime)) != 0) { |
| 4162 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_ticket_write", ret); |
| 4163 | tlen = 0; |
| 4164 | } |
| 4165 | |
| 4166 | MBEDTLS_PUT_UINT32_BE(lifetime, ssl->out_msg, 4); |
| 4167 | MBEDTLS_PUT_UINT16_BE(tlen, ssl->out_msg, 8); |
| 4168 | ssl->out_msglen = 10 + tlen; |
| 4169 | |
| 4170 | /* |
| 4171 | * Morally equivalent to updating ssl->state, but NewSessionTicket and |
| 4172 | * ChangeCipherSpec share the same state. |
| 4173 | */ |
| 4174 | ssl->handshake->new_session_ticket = 0; |
| 4175 | |
| 4176 | if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) { |
| 4177 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret); |
| 4178 | return ret; |
| 4179 | } |
| 4180 | |
| 4181 | MBEDTLS_SSL_DEBUG_MSG(2, ("<= write new session ticket")); |
| 4182 | |
| 4183 | return 0; |
| 4184 | } |
| 4185 | #endif /* MBEDTLS_SSL_SESSION_TICKETS */ |
| 4186 | |
| 4187 | /* |
| 4188 | * SSL handshake -- server side -- single step |
| 4189 | */ |
| 4190 | int mbedtls_ssl_handshake_server_step(mbedtls_ssl_context *ssl) |
| 4191 | { |
| 4192 | int ret = 0; |
| 4193 | |
| 4194 | MBEDTLS_SSL_DEBUG_MSG(2, ("server state: %d", ssl->state)); |
| 4195 | |
| 4196 | switch (ssl->state) { |
| 4197 | case MBEDTLS_SSL_HELLO_REQUEST: |
| 4198 | mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_HELLO); |
| 4199 | break; |
| 4200 | |
| 4201 | /* |
| 4202 | * <== ClientHello |
| 4203 | */ |
| 4204 | case MBEDTLS_SSL_CLIENT_HELLO: |
| 4205 | ret = ssl_parse_client_hello(ssl); |
| 4206 | break; |
| 4207 | |
| 4208 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
| 4209 | case MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT: |
| 4210 | return MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED; |
| 4211 | #endif |
| 4212 | |
| 4213 | /* |
| 4214 | * ==> ServerHello |
| 4215 | * Certificate |
| 4216 | * ( ServerKeyExchange ) |
| 4217 | * ( CertificateRequest ) |
| 4218 | * ServerHelloDone |
| 4219 | */ |
| 4220 | case MBEDTLS_SSL_SERVER_HELLO: |
| 4221 | ret = ssl_write_server_hello(ssl); |
| 4222 | break; |
| 4223 | |
| 4224 | case MBEDTLS_SSL_SERVER_CERTIFICATE: |
| 4225 | ret = mbedtls_ssl_write_certificate(ssl); |
| 4226 | break; |
| 4227 | |
| 4228 | case MBEDTLS_SSL_SERVER_KEY_EXCHANGE: |
| 4229 | ret = ssl_write_server_key_exchange(ssl); |
| 4230 | break; |
| 4231 | |
| 4232 | case MBEDTLS_SSL_CERTIFICATE_REQUEST: |
| 4233 | ret = ssl_write_certificate_request(ssl); |
| 4234 | break; |
| 4235 | |
| 4236 | case MBEDTLS_SSL_SERVER_HELLO_DONE: |
| 4237 | ret = ssl_write_server_hello_done(ssl); |
| 4238 | break; |
| 4239 | |
| 4240 | /* |
| 4241 | * <== ( Certificate/Alert ) |
| 4242 | * ClientKeyExchange |
| 4243 | * ( CertificateVerify ) |
| 4244 | * ChangeCipherSpec |
| 4245 | * Finished |
| 4246 | */ |
| 4247 | case MBEDTLS_SSL_CLIENT_CERTIFICATE: |
| 4248 | ret = mbedtls_ssl_parse_certificate(ssl); |
| 4249 | break; |
| 4250 | |
| 4251 | case MBEDTLS_SSL_CLIENT_KEY_EXCHANGE: |
| 4252 | ret = ssl_parse_client_key_exchange(ssl); |
| 4253 | break; |
| 4254 | |
| 4255 | case MBEDTLS_SSL_CERTIFICATE_VERIFY: |
| 4256 | ret = ssl_parse_certificate_verify(ssl); |
| 4257 | break; |
| 4258 | |
| 4259 | case MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC: |
| 4260 | ret = mbedtls_ssl_parse_change_cipher_spec(ssl); |
| 4261 | break; |
| 4262 | |
| 4263 | case MBEDTLS_SSL_CLIENT_FINISHED: |
| 4264 | ret = mbedtls_ssl_parse_finished(ssl); |
| 4265 | break; |
| 4266 | |
| 4267 | /* |
| 4268 | * ==> ( NewSessionTicket ) |
| 4269 | * ChangeCipherSpec |
| 4270 | * Finished |
| 4271 | */ |
| 4272 | case MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC: |
| 4273 | #if defined(MBEDTLS_SSL_SESSION_TICKETS) |
| 4274 | if (ssl->handshake->new_session_ticket != 0) { |
| 4275 | ret = ssl_write_new_session_ticket(ssl); |
| 4276 | } else |
| 4277 | #endif |
| 4278 | ret = mbedtls_ssl_write_change_cipher_spec(ssl); |
| 4279 | break; |
| 4280 | |
| 4281 | case MBEDTLS_SSL_SERVER_FINISHED: |
| 4282 | ret = mbedtls_ssl_write_finished(ssl); |
| 4283 | break; |
| 4284 | |
| 4285 | case MBEDTLS_SSL_FLUSH_BUFFERS: |
| 4286 | MBEDTLS_SSL_DEBUG_MSG(2, ("handshake: done")); |
| 4287 | mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_WRAPUP); |
| 4288 | break; |
| 4289 | |
| 4290 | case MBEDTLS_SSL_HANDSHAKE_WRAPUP: |
| 4291 | mbedtls_ssl_handshake_wrapup(ssl); |
| 4292 | break; |
| 4293 | |
| 4294 | default: |
| 4295 | MBEDTLS_SSL_DEBUG_MSG(1, ("invalid state %d", ssl->state)); |
| 4296 | return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; |
| 4297 | } |
| 4298 | |
| 4299 | return ret; |
| 4300 | } |
| 4301 | |
| 4302 | void mbedtls_ssl_conf_preference_order(mbedtls_ssl_config *conf, int order) |
| 4303 | { |
| 4304 | conf->respect_cli_pref = order; |
| 4305 | } |
| 4306 | |
| 4307 | #endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_PROTO_TLS1_2 */ |
| 4308 | |