Coverage Report

Created: 2025-03-01 06:26

/src/mbedtls/library/ssl_tls12_server.c
Line
Count
Source (jump to first uncovered line)
1
/*
2
 *  TLS server-side functions
3
 *
4
 *  Copyright The Mbed TLS Contributors
5
 *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
6
 */
7
8
#include "common.h"
9
10
#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_PROTO_TLS1_2)
11
12
#include "mbedtls/platform.h"
13
14
#include "mbedtls/ssl.h"
15
#include "ssl_misc.h"
16
#include "debug_internal.h"
17
#include "mbedtls/error.h"
18
#include "mbedtls/platform_util.h"
19
#include "constant_time_internal.h"
20
#include "mbedtls/constant_time.h"
21
22
#include <string.h>
23
24
#if defined(MBEDTLS_USE_PSA_CRYPTO)
25
/* Define a local translating function to save code size by not using too many
26
 * arguments in each translating place. */
27
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_ENABLED) || \
28
    defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDHE_ENABLED)
29
static int local_err_translation(psa_status_t status)
30
0
{
31
0
    return psa_status_to_mbedtls(status, psa_to_ssl_errors,
32
0
                                 ARRAY_LENGTH(psa_to_ssl_errors),
33
0
                                 psa_generic_status_to_mbedtls);
34
0
}
35
0
#define PSA_TO_MBEDTLS_ERR(status) local_err_translation(status)
36
#endif
37
#endif
38
39
#if defined(MBEDTLS_ECP_C)
40
#include "mbedtls/ecp.h"
41
#endif
42
43
#if defined(MBEDTLS_HAVE_TIME)
44
#include "mbedtls/platform_time.h"
45
#endif
46
47
#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
48
int mbedtls_ssl_set_client_transport_id(mbedtls_ssl_context *ssl,
49
                                        const unsigned char *info,
50
                                        size_t ilen)
51
0
{
52
0
    if (ssl->conf->endpoint != MBEDTLS_SSL_IS_SERVER) {
53
0
        return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
54
0
    }
55
56
0
    mbedtls_free(ssl->cli_id);
57
58
0
    if ((ssl->cli_id = mbedtls_calloc(1, ilen)) == NULL) {
59
0
        return MBEDTLS_ERR_SSL_ALLOC_FAILED;
60
0
    }
61
62
0
    memcpy(ssl->cli_id, info, ilen);
63
0
    ssl->cli_id_len = ilen;
64
65
0
    return 0;
66
0
}
67
68
void mbedtls_ssl_conf_dtls_cookies(mbedtls_ssl_config *conf,
69
                                   mbedtls_ssl_cookie_write_t *f_cookie_write,
70
                                   mbedtls_ssl_cookie_check_t *f_cookie_check,
71
                                   void *p_cookie)
72
0
{
73
0
    conf->f_cookie_write = f_cookie_write;
74
0
    conf->f_cookie_check = f_cookie_check;
75
0
    conf->p_cookie       = p_cookie;
76
0
}
77
#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
78
79
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
80
MBEDTLS_CHECK_RETURN_CRITICAL
81
static int ssl_conf_has_psk_or_cb(mbedtls_ssl_config const *conf)
82
0
{
83
0
    if (conf->f_psk != NULL) {
84
0
        return 1;
85
0
    }
86
87
0
    if (conf->psk_identity_len == 0 || conf->psk_identity == NULL) {
88
0
        return 0;
89
0
    }
90
91
92
0
#if defined(MBEDTLS_USE_PSA_CRYPTO)
93
0
    if (!mbedtls_svc_key_id_is_null(conf->psk_opaque)) {
94
0
        return 1;
95
0
    }
96
0
#endif /* MBEDTLS_USE_PSA_CRYPTO */
97
98
0
    if (conf->psk != NULL && conf->psk_len != 0) {
99
0
        return 1;
100
0
    }
101
102
0
    return 0;
103
0
}
104
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
105
106
MBEDTLS_CHECK_RETURN_CRITICAL
107
static int ssl_parse_renegotiation_info(mbedtls_ssl_context *ssl,
108
                                        const unsigned char *buf,
109
                                        size_t len)
110
0
{
111
0
#if defined(MBEDTLS_SSL_RENEGOTIATION)
112
0
    if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) {
113
        /* Check verify-data in constant-time. The length OTOH is no secret */
114
0
        if (len    != 1 + ssl->verify_data_len ||
115
0
            buf[0] !=     ssl->verify_data_len ||
116
0
            mbedtls_ct_memcmp(buf + 1, ssl->peer_verify_data,
117
0
                              ssl->verify_data_len) != 0) {
118
0
            MBEDTLS_SSL_DEBUG_MSG(1, ("non-matching renegotiation info"));
119
0
            mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
120
0
                                           MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
121
0
            return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
122
0
        }
123
0
    } else
124
0
#endif /* MBEDTLS_SSL_RENEGOTIATION */
125
0
    {
126
0
        if (len != 1 || buf[0] != 0x0) {
127
0
            MBEDTLS_SSL_DEBUG_MSG(1, ("non-zero length renegotiation info"));
128
0
            mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
129
0
                                           MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
130
0
            return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
131
0
        }
132
133
0
        ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
134
0
    }
135
136
0
    return 0;
137
0
}
138
139
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED) || \
140
    defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED) || \
141
    defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
142
/*
143
 * Function for parsing a supported groups (TLS 1.3) or supported elliptic
144
 * curves (TLS 1.2) extension.
145
 *
146
 * The "extension_data" field of a supported groups extension contains a
147
 * "NamedGroupList" value (TLS 1.3 RFC8446):
148
 *      enum {
149
 *          secp256r1(0x0017), secp384r1(0x0018), secp521r1(0x0019),
150
 *          x25519(0x001D), x448(0x001E),
151
 *          ffdhe2048(0x0100), ffdhe3072(0x0101), ffdhe4096(0x0102),
152
 *          ffdhe6144(0x0103), ffdhe8192(0x0104),
153
 *          ffdhe_private_use(0x01FC..0x01FF),
154
 *          ecdhe_private_use(0xFE00..0xFEFF),
155
 *          (0xFFFF)
156
 *      } NamedGroup;
157
 *      struct {
158
 *          NamedGroup named_group_list<2..2^16-1>;
159
 *      } NamedGroupList;
160
 *
161
 * The "extension_data" field of a supported elliptic curves extension contains
162
 * a "NamedCurveList" value (TLS 1.2 RFC 8422):
163
 * enum {
164
 *      deprecated(1..22),
165
 *      secp256r1 (23), secp384r1 (24), secp521r1 (25),
166
 *      x25519(29), x448(30),
167
 *      reserved (0xFE00..0xFEFF),
168
 *      deprecated(0xFF01..0xFF02),
169
 *      (0xFFFF)
170
 *  } NamedCurve;
171
 * struct {
172
 *      NamedCurve named_curve_list<2..2^16-1>
173
 *  } NamedCurveList;
174
 *
175
 * The TLS 1.3 supported groups extension was defined to be a compatible
176
 * generalization of the TLS 1.2 supported elliptic curves extension. They both
177
 * share the same extension identifier.
178
 *
179
 */
180
MBEDTLS_CHECK_RETURN_CRITICAL
181
static int ssl_parse_supported_groups_ext(mbedtls_ssl_context *ssl,
182
                                          const unsigned char *buf,
183
                                          size_t len)
184
0
{
185
0
    size_t list_size, our_size;
186
0
    const unsigned char *p;
187
0
    uint16_t *curves_tls_id;
188
189
0
    if (len < 2) {
190
0
        MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
191
0
        mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
192
0
                                       MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
193
0
        return MBEDTLS_ERR_SSL_DECODE_ERROR;
194
0
    }
195
0
    list_size = MBEDTLS_GET_UINT16_BE(buf, 0);
196
0
    if (list_size + 2 != len ||
197
0
        list_size % 2 != 0) {
198
0
        MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
199
0
        mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
200
0
                                       MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
201
0
        return MBEDTLS_ERR_SSL_DECODE_ERROR;
202
0
    }
203
204
    /* Should never happen unless client duplicates the extension */
205
0
    if (ssl->handshake->curves_tls_id != NULL) {
206
0
        MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
207
0
        mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
208
0
                                       MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
209
0
        return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
210
0
    }
211
212
    /* Don't allow our peer to make us allocate too much memory,
213
     * and leave room for a final 0 */
214
0
    our_size = list_size / 2 + 1;
215
0
    if (our_size > MBEDTLS_ECP_DP_MAX) {
216
0
        our_size = MBEDTLS_ECP_DP_MAX;
217
0
    }
218
219
0
    if ((curves_tls_id = mbedtls_calloc(our_size,
220
0
                                        sizeof(*curves_tls_id))) == NULL) {
221
0
        mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
222
0
                                       MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR);
223
0
        return MBEDTLS_ERR_SSL_ALLOC_FAILED;
224
0
    }
225
226
0
    ssl->handshake->curves_tls_id = curves_tls_id;
227
228
0
    p = buf + 2;
229
0
    while (list_size > 0 && our_size > 1) {
230
0
        uint16_t curr_tls_id = MBEDTLS_GET_UINT16_BE(p, 0);
231
232
0
        if (mbedtls_ssl_get_ecp_group_id_from_tls_id(curr_tls_id) !=
233
0
            MBEDTLS_ECP_DP_NONE) {
234
0
            *curves_tls_id++ = curr_tls_id;
235
0
            our_size--;
236
0
        }
237
238
0
        list_size -= 2;
239
0
        p += 2;
240
0
    }
241
242
0
    return 0;
243
0
}
244
245
MBEDTLS_CHECK_RETURN_CRITICAL
246
static int ssl_parse_supported_point_formats(mbedtls_ssl_context *ssl,
247
                                             const unsigned char *buf,
248
                                             size_t len)
249
0
{
250
0
    size_t list_size;
251
0
    const unsigned char *p;
252
253
0
    if (len == 0 || (size_t) (buf[0] + 1) != len) {
254
0
        MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
255
0
        mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
256
0
                                       MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
257
0
        return MBEDTLS_ERR_SSL_DECODE_ERROR;
258
0
    }
259
0
    list_size = buf[0];
260
261
0
    p = buf + 1;
262
0
    while (list_size > 0) {
263
0
        if (p[0] == MBEDTLS_ECP_PF_UNCOMPRESSED ||
264
0
            p[0] == MBEDTLS_ECP_PF_COMPRESSED) {
265
#if !defined(MBEDTLS_USE_PSA_CRYPTO) && \
266
            defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED)
267
            ssl->handshake->ecdh_ctx.point_format = p[0];
268
#endif /* !MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED */
269
#if !defined(MBEDTLS_USE_PSA_CRYPTO) &&                             \
270
            defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
271
            mbedtls_ecjpake_set_point_format(&ssl->handshake->ecjpake_ctx,
272
                                             p[0]);
273
#endif /* !MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
274
0
            MBEDTLS_SSL_DEBUG_MSG(4, ("point format selected: %d", p[0]));
275
0
            return 0;
276
0
        }
277
278
0
        list_size--;
279
0
        p++;
280
0
    }
281
282
0
    return 0;
283
0
}
284
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED ||
285
          MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED ||
286
          MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
287
288
#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
289
MBEDTLS_CHECK_RETURN_CRITICAL
290
static int ssl_parse_ecjpake_kkpp(mbedtls_ssl_context *ssl,
291
                                  const unsigned char *buf,
292
                                  size_t len)
293
0
{
294
0
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
295
296
0
#if defined(MBEDTLS_USE_PSA_CRYPTO)
297
0
    if (ssl->handshake->psa_pake_ctx_is_ok != 1)
298
#else
299
    if (mbedtls_ecjpake_check(&ssl->handshake->ecjpake_ctx) != 0)
300
#endif /* MBEDTLS_USE_PSA_CRYPTO */
301
0
    {
302
0
        MBEDTLS_SSL_DEBUG_MSG(3, ("skip ecjpake kkpp extension"));
303
0
        return 0;
304
0
    }
305
306
0
#if defined(MBEDTLS_USE_PSA_CRYPTO)
307
0
    if ((ret = mbedtls_psa_ecjpake_read_round(
308
0
             &ssl->handshake->psa_pake_ctx, buf, len,
309
0
             MBEDTLS_ECJPAKE_ROUND_ONE)) != 0) {
310
0
        psa_destroy_key(ssl->handshake->psa_pake_password);
311
0
        psa_pake_abort(&ssl->handshake->psa_pake_ctx);
312
313
0
        MBEDTLS_SSL_DEBUG_RET(1, "psa_pake_input round one", ret);
314
0
        mbedtls_ssl_send_alert_message(
315
0
            ssl,
316
0
            MBEDTLS_SSL_ALERT_LEVEL_FATAL,
317
0
            MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
318
319
0
        return ret;
320
0
    }
321
#else
322
    if ((ret = mbedtls_ecjpake_read_round_one(&ssl->handshake->ecjpake_ctx,
323
                                              buf, len)) != 0) {
324
        MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_read_round_one", ret);
325
        mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
326
                                       MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
327
        return ret;
328
    }
329
#endif /* MBEDTLS_USE_PSA_CRYPTO */
330
331
    /* Only mark the extension as OK when we're sure it is */
332
0
    ssl->handshake->cli_exts |= MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK;
333
334
0
    return 0;
335
0
}
336
#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
337
338
#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
339
MBEDTLS_CHECK_RETURN_CRITICAL
340
static int ssl_parse_max_fragment_length_ext(mbedtls_ssl_context *ssl,
341
                                             const unsigned char *buf,
342
                                             size_t len)
343
0
{
344
0
    if (len != 1 || buf[0] >= MBEDTLS_SSL_MAX_FRAG_LEN_INVALID) {
345
0
        MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
346
0
        mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
347
0
                                       MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
348
0
        return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
349
0
    }
350
351
0
    ssl->session_negotiate->mfl_code = buf[0];
352
353
0
    return 0;
354
0
}
355
#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
356
357
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
358
MBEDTLS_CHECK_RETURN_CRITICAL
359
static int ssl_parse_cid_ext(mbedtls_ssl_context *ssl,
360
                             const unsigned char *buf,
361
                             size_t len)
362
0
{
363
0
    size_t peer_cid_len;
364
365
    /* CID extension only makes sense in DTLS */
366
0
    if (ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
367
0
        MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
368
0
        mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
369
0
                                       MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
370
0
        return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
371
0
    }
372
373
    /*
374
     *   struct {
375
     *      opaque cid<0..2^8-1>;
376
     *   } ConnectionId;
377
     */
378
379
0
    if (len < 1) {
380
0
        MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
381
0
        mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
382
0
                                       MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
383
0
        return MBEDTLS_ERR_SSL_DECODE_ERROR;
384
0
    }
385
386
0
    peer_cid_len = *buf++;
387
0
    len--;
388
389
0
    if (len != peer_cid_len) {
390
0
        MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
391
0
        mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
392
0
                                       MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
393
0
        return MBEDTLS_ERR_SSL_DECODE_ERROR;
394
0
    }
395
396
    /* Ignore CID if the user has disabled its use. */
397
0
    if (ssl->negotiate_cid == MBEDTLS_SSL_CID_DISABLED) {
398
        /* Leave ssl->handshake->cid_in_use in its default
399
         * value of MBEDTLS_SSL_CID_DISABLED. */
400
0
        MBEDTLS_SSL_DEBUG_MSG(3, ("Client sent CID extension, but CID disabled"));
401
0
        return 0;
402
0
    }
403
404
0
    if (peer_cid_len > MBEDTLS_SSL_CID_OUT_LEN_MAX) {
405
0
        MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
406
0
        mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
407
0
                                       MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
408
0
        return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
409
0
    }
410
411
0
    ssl->handshake->cid_in_use = MBEDTLS_SSL_CID_ENABLED;
412
0
    ssl->handshake->peer_cid_len = (uint8_t) peer_cid_len;
413
0
    memcpy(ssl->handshake->peer_cid, buf, peer_cid_len);
414
415
0
    MBEDTLS_SSL_DEBUG_MSG(3, ("Use of CID extension negotiated"));
416
0
    MBEDTLS_SSL_DEBUG_BUF(3, "Client CID", buf, peer_cid_len);
417
418
0
    return 0;
419
0
}
420
#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
421
422
#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
423
MBEDTLS_CHECK_RETURN_CRITICAL
424
static int ssl_parse_encrypt_then_mac_ext(mbedtls_ssl_context *ssl,
425
                                          const unsigned char *buf,
426
                                          size_t len)
427
0
{
428
0
    if (len != 0) {
429
0
        MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
430
0
        mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
431
0
                                       MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
432
0
        return MBEDTLS_ERR_SSL_DECODE_ERROR;
433
0
    }
434
435
0
    ((void) buf);
436
437
0
    if (ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED) {
438
0
        ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED;
439
0
    }
440
441
0
    return 0;
442
0
}
443
#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
444
445
#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
446
MBEDTLS_CHECK_RETURN_CRITICAL
447
static int ssl_parse_extended_ms_ext(mbedtls_ssl_context *ssl,
448
                                     const unsigned char *buf,
449
                                     size_t len)
450
0
{
451
0
    if (len != 0) {
452
0
        MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
453
0
        mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
454
0
                                       MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
455
0
        return MBEDTLS_ERR_SSL_DECODE_ERROR;
456
0
    }
457
458
0
    ((void) buf);
459
460
0
    if (ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED) {
461
0
        ssl->handshake->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED;
462
0
    }
463
464
0
    return 0;
465
0
}
466
#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
467
468
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
469
MBEDTLS_CHECK_RETURN_CRITICAL
470
static int ssl_parse_session_ticket_ext(mbedtls_ssl_context *ssl,
471
                                        unsigned char *buf,
472
                                        size_t len)
473
0
{
474
0
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
475
0
    mbedtls_ssl_session session;
476
477
0
    mbedtls_ssl_session_init(&session);
478
479
0
    if (ssl->conf->f_ticket_parse == NULL ||
480
0
        ssl->conf->f_ticket_write == NULL) {
481
0
        return 0;
482
0
    }
483
484
    /* Remember the client asked us to send a new ticket */
485
0
    ssl->handshake->new_session_ticket = 1;
486
487
0
    MBEDTLS_SSL_DEBUG_MSG(3, ("ticket length: %" MBEDTLS_PRINTF_SIZET, len));
488
489
0
    if (len == 0) {
490
0
        return 0;
491
0
    }
492
493
0
#if defined(MBEDTLS_SSL_RENEGOTIATION)
494
0
    if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) {
495
0
        MBEDTLS_SSL_DEBUG_MSG(3, ("ticket rejected: renegotiating"));
496
0
        return 0;
497
0
    }
498
0
#endif /* MBEDTLS_SSL_RENEGOTIATION */
499
500
    /*
501
     * Failures are ok: just ignore the ticket and proceed.
502
     */
503
0
    if ((ret = ssl->conf->f_ticket_parse(ssl->conf->p_ticket, &session,
504
0
                                         buf, len)) != 0) {
505
0
        mbedtls_ssl_session_free(&session);
506
507
0
        if (ret == MBEDTLS_ERR_SSL_INVALID_MAC) {
508
0
            MBEDTLS_SSL_DEBUG_MSG(3, ("ticket is not authentic"));
509
0
        } else if (ret == MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED) {
510
0
            MBEDTLS_SSL_DEBUG_MSG(3, ("ticket is expired"));
511
0
        } else {
512
0
            MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_ticket_parse", ret);
513
0
        }
514
515
0
        return 0;
516
0
    }
517
518
    /*
519
     * Keep the session ID sent by the client, since we MUST send it back to
520
     * inform them we're accepting the ticket  (RFC 5077 section 3.4)
521
     */
522
0
    session.id_len = ssl->session_negotiate->id_len;
523
0
    memcpy(&session.id, ssl->session_negotiate->id, session.id_len);
524
525
0
    mbedtls_ssl_session_free(ssl->session_negotiate);
526
0
    memcpy(ssl->session_negotiate, &session, sizeof(mbedtls_ssl_session));
527
528
    /* Zeroize instead of free as we copied the content */
529
0
    mbedtls_platform_zeroize(&session, sizeof(mbedtls_ssl_session));
530
531
0
    MBEDTLS_SSL_DEBUG_MSG(3, ("session successfully restored from ticket"));
532
533
0
    ssl->handshake->resume = 1;
534
535
    /* Don't send a new ticket after all, this one is OK */
536
0
    ssl->handshake->new_session_ticket = 0;
537
538
0
    return 0;
539
0
}
540
#endif /* MBEDTLS_SSL_SESSION_TICKETS */
541
542
#if defined(MBEDTLS_SSL_DTLS_SRTP)
543
MBEDTLS_CHECK_RETURN_CRITICAL
544
static int ssl_parse_use_srtp_ext(mbedtls_ssl_context *ssl,
545
                                  const unsigned char *buf,
546
                                  size_t len)
547
0
{
548
0
    mbedtls_ssl_srtp_profile client_protection = MBEDTLS_TLS_SRTP_UNSET;
549
0
    size_t i, j;
550
0
    size_t profile_length;
551
0
    uint16_t mki_length;
552
    /*! 2 bytes for profile length and 1 byte for mki len */
553
0
    const size_t size_of_lengths = 3;
554
555
    /* If use_srtp is not configured, just ignore the extension */
556
0
    if ((ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) ||
557
0
        (ssl->conf->dtls_srtp_profile_list == NULL) ||
558
0
        (ssl->conf->dtls_srtp_profile_list_len == 0)) {
559
0
        return 0;
560
0
    }
561
562
    /* RFC5764 section 4.1.1
563
     * uint8 SRTPProtectionProfile[2];
564
     *
565
     * struct {
566
     *   SRTPProtectionProfiles SRTPProtectionProfiles;
567
     *   opaque srtp_mki<0..255>;
568
     * } UseSRTPData;
569
570
     * SRTPProtectionProfile SRTPProtectionProfiles<2..2^16-1>;
571
     */
572
573
    /*
574
     * Min length is 5: at least one protection profile(2 bytes)
575
     *                  and length(2 bytes) + srtp_mki length(1 byte)
576
     * Check here that we have at least 2 bytes of protection profiles length
577
     * and one of srtp_mki length
578
     */
579
0
    if (len < size_of_lengths) {
580
0
        mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
581
0
                                       MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
582
0
        return MBEDTLS_ERR_SSL_DECODE_ERROR;
583
0
    }
584
585
0
    ssl->dtls_srtp_info.chosen_dtls_srtp_profile = MBEDTLS_TLS_SRTP_UNSET;
586
587
    /* first 2 bytes are protection profile length(in bytes) */
588
0
    profile_length = (buf[0] << 8) | buf[1];
589
0
    buf += 2;
590
591
    /* The profile length cannot be bigger than input buffer size - lengths fields */
592
0
    if (profile_length > len - size_of_lengths ||
593
0
        profile_length % 2 != 0) { /* profiles are 2 bytes long, so the length must be even */
594
0
        mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
595
0
                                       MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
596
0
        return MBEDTLS_ERR_SSL_DECODE_ERROR;
597
0
    }
598
    /*
599
     * parse the extension list values are defined in
600
     * http://www.iana.org/assignments/srtp-protection/srtp-protection.xhtml
601
     */
602
0
    for (j = 0; j < profile_length; j += 2) {
603
0
        uint16_t protection_profile_value = buf[j] << 8 | buf[j + 1];
604
0
        client_protection = mbedtls_ssl_check_srtp_profile_value(protection_profile_value);
605
606
0
        if (client_protection != MBEDTLS_TLS_SRTP_UNSET) {
607
0
            MBEDTLS_SSL_DEBUG_MSG(3, ("found srtp profile: %s",
608
0
                                      mbedtls_ssl_get_srtp_profile_as_string(
609
0
                                          client_protection)));
610
0
        } else {
611
0
            continue;
612
0
        }
613
        /* check if suggested profile is in our list */
614
0
        for (i = 0; i < ssl->conf->dtls_srtp_profile_list_len; i++) {
615
0
            if (client_protection == ssl->conf->dtls_srtp_profile_list[i]) {
616
0
                ssl->dtls_srtp_info.chosen_dtls_srtp_profile = ssl->conf->dtls_srtp_profile_list[i];
617
0
                MBEDTLS_SSL_DEBUG_MSG(3, ("selected srtp profile: %s",
618
0
                                          mbedtls_ssl_get_srtp_profile_as_string(
619
0
                                              client_protection)));
620
0
                break;
621
0
            }
622
0
        }
623
0
        if (ssl->dtls_srtp_info.chosen_dtls_srtp_profile != MBEDTLS_TLS_SRTP_UNSET) {
624
0
            break;
625
0
        }
626
0
    }
627
0
    buf += profile_length; /* buf points to the mki length */
628
0
    mki_length = *buf;
629
0
    buf++;
630
631
0
    if (mki_length > MBEDTLS_TLS_SRTP_MAX_MKI_LENGTH ||
632
0
        mki_length + profile_length + size_of_lengths != len) {
633
0
        mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
634
0
                                       MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
635
0
        return MBEDTLS_ERR_SSL_DECODE_ERROR;
636
0
    }
637
638
    /* Parse the mki only if present and mki is supported locally */
639
0
    if (ssl->conf->dtls_srtp_mki_support == MBEDTLS_SSL_DTLS_SRTP_MKI_SUPPORTED &&
640
0
        mki_length > 0) {
641
0
        ssl->dtls_srtp_info.mki_len = mki_length;
642
643
0
        memcpy(ssl->dtls_srtp_info.mki_value, buf, mki_length);
644
645
0
        MBEDTLS_SSL_DEBUG_BUF(3, "using mki",  ssl->dtls_srtp_info.mki_value,
646
0
                              ssl->dtls_srtp_info.mki_len);
647
0
    }
648
649
0
    return 0;
650
0
}
651
#endif /* MBEDTLS_SSL_DTLS_SRTP */
652
653
/*
654
 * Auxiliary functions for ServerHello parsing and related actions
655
 */
656
657
#if defined(MBEDTLS_X509_CRT_PARSE_C)
658
/*
659
 * Return 0 if the given key uses one of the acceptable curves, -1 otherwise
660
 */
661
#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
662
MBEDTLS_CHECK_RETURN_CRITICAL
663
static int ssl_check_key_curve(mbedtls_pk_context *pk,
664
                               uint16_t *curves_tls_id)
665
0
{
666
0
    uint16_t *curr_tls_id = curves_tls_id;
667
0
    mbedtls_ecp_group_id grp_id = mbedtls_pk_get_ec_group_id(pk);
668
0
    mbedtls_ecp_group_id curr_grp_id;
669
670
0
    while (*curr_tls_id != 0) {
671
0
        curr_grp_id = mbedtls_ssl_get_ecp_group_id_from_tls_id(*curr_tls_id);
672
0
        if (curr_grp_id == grp_id) {
673
0
            return 0;
674
0
        }
675
0
        curr_tls_id++;
676
0
    }
677
678
0
    return -1;
679
0
}
680
#endif /* MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED */
681
682
/*
683
 * Try picking a certificate for this ciphersuite,
684
 * return 0 on success and -1 on failure.
685
 */
686
MBEDTLS_CHECK_RETURN_CRITICAL
687
static int ssl_pick_cert(mbedtls_ssl_context *ssl,
688
                         const mbedtls_ssl_ciphersuite_t *ciphersuite_info)
689
0
{
690
0
    mbedtls_ssl_key_cert *cur, *list;
691
0
#if defined(MBEDTLS_USE_PSA_CRYPTO)
692
0
    psa_algorithm_t pk_alg =
693
0
        mbedtls_ssl_get_ciphersuite_sig_pk_psa_alg(ciphersuite_info);
694
0
    psa_key_usage_t pk_usage =
695
0
        mbedtls_ssl_get_ciphersuite_sig_pk_psa_usage(ciphersuite_info);
696
#else
697
    mbedtls_pk_type_t pk_alg =
698
        mbedtls_ssl_get_ciphersuite_sig_pk_alg(ciphersuite_info);
699
#endif /* MBEDTLS_USE_PSA_CRYPTO */
700
0
    uint32_t flags;
701
702
0
#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
703
0
    if (ssl->handshake->sni_key_cert != NULL) {
704
0
        list = ssl->handshake->sni_key_cert;
705
0
    } else
706
0
#endif
707
0
    list = ssl->conf->key_cert;
708
709
0
    int pk_alg_is_none = 0;
710
0
#if defined(MBEDTLS_USE_PSA_CRYPTO)
711
0
    pk_alg_is_none = (pk_alg == PSA_ALG_NONE);
712
#else
713
    pk_alg_is_none = (pk_alg == MBEDTLS_PK_NONE);
714
#endif /* MBEDTLS_USE_PSA_CRYPTO */
715
0
    if (pk_alg_is_none) {
716
0
        return 0;
717
0
    }
718
719
0
    MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite requires certificate"));
720
721
0
    if (list == NULL) {
722
0
        MBEDTLS_SSL_DEBUG_MSG(3, ("server has no certificate"));
723
0
        return -1;
724
0
    }
725
726
0
    for (cur = list; cur != NULL; cur = cur->next) {
727
0
        flags = 0;
728
0
        MBEDTLS_SSL_DEBUG_CRT(3, "candidate certificate chain, certificate",
729
0
                              cur->cert);
730
731
0
        int key_type_matches = 0;
732
0
#if defined(MBEDTLS_USE_PSA_CRYPTO)
733
0
#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
734
0
        key_type_matches = ((ssl->conf->f_async_sign_start != NULL ||
735
0
                             ssl->conf->f_async_decrypt_start != NULL ||
736
0
                             mbedtls_pk_can_do_ext(cur->key, pk_alg, pk_usage)) &&
737
0
                            mbedtls_pk_can_do_ext(&cur->cert->pk, pk_alg, pk_usage));
738
#else
739
        key_type_matches = (
740
            mbedtls_pk_can_do_ext(cur->key, pk_alg, pk_usage));
741
#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
742
#else
743
        key_type_matches = mbedtls_pk_can_do(&cur->cert->pk, pk_alg);
744
#endif /* MBEDTLS_USE_PSA_CRYPTO */
745
0
        if (!key_type_matches) {
746
0
            MBEDTLS_SSL_DEBUG_MSG(3, ("certificate mismatch: key type"));
747
0
            continue;
748
0
        }
749
750
        /*
751
         * This avoids sending the client a cert it'll reject based on
752
         * keyUsage or other extensions.
753
         *
754
         * It also allows the user to provision different certificates for
755
         * different uses based on keyUsage, eg if they want to avoid signing
756
         * and decrypting with the same RSA key.
757
         */
758
0
        if (mbedtls_ssl_check_cert_usage(cur->cert, ciphersuite_info,
759
0
                                         MBEDTLS_SSL_IS_CLIENT,
760
0
                                         MBEDTLS_SSL_VERSION_TLS1_2,
761
0
                                         &flags) != 0) {
762
0
            MBEDTLS_SSL_DEBUG_MSG(3, ("certificate mismatch: "
763
0
                                      "(extended) key usage extension"));
764
0
            continue;
765
0
        }
766
767
0
#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
768
0
        if (pk_alg == MBEDTLS_PK_ECDSA &&
769
0
            ssl_check_key_curve(&cur->cert->pk,
770
0
                                ssl->handshake->curves_tls_id) != 0) {
771
0
            MBEDTLS_SSL_DEBUG_MSG(3, ("certificate mismatch: elliptic curve"));
772
0
            continue;
773
0
        }
774
0
#endif
775
776
        /* If we get there, we got a winner */
777
0
        break;
778
0
    }
779
780
    /* Do not update ssl->handshake->key_cert unless there is a match */
781
0
    if (cur != NULL) {
782
0
        ssl->handshake->key_cert = cur;
783
0
        MBEDTLS_SSL_DEBUG_CRT(3, "selected certificate chain, certificate",
784
0
                              ssl->handshake->key_cert->cert);
785
0
        return 0;
786
0
    }
787
788
0
    return -1;
789
0
}
790
#endif /* MBEDTLS_X509_CRT_PARSE_C */
791
792
/*
793
 * Check if a given ciphersuite is suitable for use with our config/keys/etc
794
 * Sets ciphersuite_info only if the suite matches.
795
 */
796
MBEDTLS_CHECK_RETURN_CRITICAL
797
static int ssl_ciphersuite_match(mbedtls_ssl_context *ssl, int suite_id,
798
                                 const mbedtls_ssl_ciphersuite_t **ciphersuite_info)
799
0
{
800
0
    const mbedtls_ssl_ciphersuite_t *suite_info;
801
802
0
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
803
0
    mbedtls_pk_type_t sig_type;
804
0
#endif
805
806
0
    suite_info = mbedtls_ssl_ciphersuite_from_id(suite_id);
807
0
    if (suite_info == NULL) {
808
0
        MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
809
0
        return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
810
0
    }
811
812
0
    MBEDTLS_SSL_DEBUG_MSG(3, ("trying ciphersuite: %#04x (%s)",
813
0
                              (unsigned int) suite_id, suite_info->name));
814
815
0
    if (suite_info->min_tls_version > ssl->tls_version ||
816
0
        suite_info->max_tls_version < ssl->tls_version) {
817
0
        MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: version"));
818
0
        return 0;
819
0
    }
820
821
0
#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
822
0
    if (suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE &&
823
0
        (ssl->handshake->cli_exts & MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK) == 0) {
824
0
        MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: ecjpake "
825
0
                                  "not configured or ext missing"));
826
0
        return 0;
827
0
    }
828
0
#endif
829
830
831
0
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED) || \
832
0
    defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
833
0
    if (mbedtls_ssl_ciphersuite_uses_ec(suite_info) &&
834
0
        (ssl->handshake->curves_tls_id == NULL ||
835
0
         ssl->handshake->curves_tls_id[0] == 0)) {
836
0
        MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: "
837
0
                                  "no common elliptic curve"));
838
0
        return 0;
839
0
    }
840
0
#endif
841
842
0
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
843
    /* If the ciphersuite requires a pre-shared key and we don't
844
     * have one, skip it now rather than failing later */
845
0
    if (mbedtls_ssl_ciphersuite_uses_psk(suite_info) &&
846
0
        ssl_conf_has_psk_or_cb(ssl->conf) == 0) {
847
0
        MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: no pre-shared key"));
848
0
        return 0;
849
0
    }
850
0
#endif
851
852
0
#if defined(MBEDTLS_X509_CRT_PARSE_C)
853
    /*
854
     * Final check: if ciphersuite requires us to have a
855
     * certificate/key of a particular type:
856
     * - select the appropriate certificate if we have one, or
857
     * - try the next ciphersuite if we don't
858
     * This must be done last since we modify the key_cert list.
859
     */
860
0
    if (ssl_pick_cert(ssl, suite_info) != 0) {
861
0
        MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: "
862
0
                                  "no suitable certificate"));
863
0
        return 0;
864
0
    }
865
0
#endif
866
867
0
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
868
    /* If the ciphersuite requires signing, check whether
869
     * a suitable hash algorithm is present. */
870
0
    sig_type = mbedtls_ssl_get_ciphersuite_sig_alg(suite_info);
871
0
    if (sig_type != MBEDTLS_PK_NONE &&
872
0
        mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg(
873
0
            ssl, mbedtls_ssl_sig_from_pk_alg(sig_type)) == MBEDTLS_SSL_HASH_NONE) {
874
0
        MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: no suitable hash algorithm "
875
0
                                  "for signature algorithm %u", (unsigned) sig_type));
876
0
        return 0;
877
0
    }
878
879
0
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
880
881
0
    *ciphersuite_info = suite_info;
882
0
    return 0;
883
0
}
884
885
/* This function doesn't alert on errors that happen early during
886
   ClientHello parsing because they might indicate that the client is
887
   not talking SSL/TLS at all and would not understand our alert. */
888
MBEDTLS_CHECK_RETURN_CRITICAL
889
static int ssl_parse_client_hello(mbedtls_ssl_context *ssl)
890
0
{
891
0
    int ret, got_common_suite;
892
0
    size_t i, j;
893
0
    size_t ciph_offset, comp_offset, ext_offset;
894
0
    size_t msg_len, ciph_len, sess_len, comp_len, ext_len;
895
0
#if defined(MBEDTLS_SSL_PROTO_DTLS)
896
0
    size_t cookie_offset, cookie_len;
897
0
#endif
898
0
    unsigned char *buf, *p, *ext;
899
0
#if defined(MBEDTLS_SSL_RENEGOTIATION)
900
0
    int renegotiation_info_seen = 0;
901
0
#endif
902
0
    int handshake_failure = 0;
903
0
    const int *ciphersuites;
904
0
    const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
905
906
    /* If there is no signature-algorithm extension present,
907
     * we need to fall back to the default values for allowed
908
     * signature-hash pairs. */
909
0
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
910
0
    int sig_hash_alg_ext_present = 0;
911
0
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
912
913
0
    MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse client hello"));
914
915
0
    int renegotiating;
916
917
0
#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
918
0
read_record_header:
919
0
#endif
920
    /*
921
     * If renegotiating, then the input was read with mbedtls_ssl_read_record(),
922
     * otherwise read it ourselves manually in order to support SSLv2
923
     * ClientHello, which doesn't use the same record layer format.
924
     * Otherwise in a scenario of TLS 1.3/TLS 1.2 version negotiation, the
925
     * ClientHello has been already fully fetched by the TLS 1.3 code and the
926
     * flag ssl->keep_current_message is raised.
927
     */
928
0
    renegotiating = 0;
929
0
#if defined(MBEDTLS_SSL_RENEGOTIATION)
930
0
    renegotiating = (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE);
931
0
#endif
932
0
    if (!renegotiating && !ssl->keep_current_message) {
933
0
        if ((ret = mbedtls_ssl_fetch_input(ssl, 5)) != 0) {
934
            /* No alert on a read error. */
935
0
            MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_fetch_input", ret);
936
0
            return ret;
937
0
        }
938
0
    }
939
940
0
    buf = ssl->in_hdr;
941
942
0
    MBEDTLS_SSL_DEBUG_BUF(4, "record header", buf, mbedtls_ssl_in_hdr_len(ssl));
943
944
    /*
945
     * TLS Client Hello
946
     *
947
     * Record layer:
948
     *     0  .   0   message type
949
     *     1  .   2   protocol version
950
     *     3  .   11  DTLS: epoch + record sequence number
951
     *     3  .   4   message length
952
     */
953
0
    MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, message type: %d",
954
0
                              buf[0]));
955
956
0
    if (buf[0] != MBEDTLS_SSL_MSG_HANDSHAKE) {
957
0
        MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
958
0
        return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
959
0
    }
960
961
0
    MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, message len.: %d",
962
0
                              MBEDTLS_GET_UINT16_BE(ssl->in_len, 0)));
963
964
0
    MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, protocol version: [%d:%d]",
965
0
                              buf[1], buf[2]));
966
967
    /* For DTLS if this is the initial handshake, remember the client sequence
968
     * number to use it in our next message (RFC 6347 4.2.1) */
969
0
#if defined(MBEDTLS_SSL_PROTO_DTLS)
970
0
    if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM
971
0
#if defined(MBEDTLS_SSL_RENEGOTIATION)
972
0
        && ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE
973
0
#endif
974
0
        ) {
975
        /* Epoch should be 0 for initial handshakes */
976
0
        if (ssl->in_ctr[0] != 0 || ssl->in_ctr[1] != 0) {
977
0
            MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
978
0
            return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
979
0
        }
980
981
0
        memcpy(&ssl->cur_out_ctr[2], ssl->in_ctr + 2,
982
0
               sizeof(ssl->cur_out_ctr) - 2);
983
984
0
#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
985
0
        if (mbedtls_ssl_dtls_replay_check(ssl) != 0) {
986
0
            MBEDTLS_SSL_DEBUG_MSG(1, ("replayed record, discarding"));
987
0
            ssl->next_record_offset = 0;
988
0
            ssl->in_left = 0;
989
0
            goto read_record_header;
990
0
        }
991
992
        /* No MAC to check yet, so we can update right now */
993
0
        mbedtls_ssl_dtls_replay_update(ssl);
994
0
#endif
995
0
    }
996
0
#endif /* MBEDTLS_SSL_PROTO_DTLS */
997
998
0
    msg_len = MBEDTLS_GET_UINT16_BE(ssl->in_len, 0);
999
1000
0
#if defined(MBEDTLS_SSL_RENEGOTIATION)
1001
0
    if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) {
1002
        /* Set by mbedtls_ssl_read_record() */
1003
0
        msg_len = ssl->in_hslen;
1004
0
    } else
1005
0
#endif
1006
0
    {
1007
0
        if (ssl->keep_current_message) {
1008
0
            ssl->keep_current_message = 0;
1009
0
        } else {
1010
0
            if (msg_len > MBEDTLS_SSL_IN_CONTENT_LEN) {
1011
0
                MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1012
0
                return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
1013
0
            }
1014
1015
0
            if ((ret = mbedtls_ssl_fetch_input(ssl,
1016
0
                                               mbedtls_ssl_in_hdr_len(ssl) + msg_len)) != 0) {
1017
0
                MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_fetch_input", ret);
1018
0
                return ret;
1019
0
            }
1020
1021
            /* Done reading this record, get ready for the next one */
1022
0
#if defined(MBEDTLS_SSL_PROTO_DTLS)
1023
0
            if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
1024
0
                ssl->next_record_offset = msg_len + mbedtls_ssl_in_hdr_len(ssl);
1025
0
            } else
1026
0
#endif
1027
0
            ssl->in_left = 0;
1028
0
        }
1029
0
    }
1030
1031
0
    buf = ssl->in_msg;
1032
1033
0
    MBEDTLS_SSL_DEBUG_BUF(4, "record contents", buf, msg_len);
1034
1035
0
    ret = ssl->handshake->update_checksum(ssl, buf, msg_len);
1036
0
    if (0 != ret) {
1037
0
        MBEDTLS_SSL_DEBUG_RET(1, ("update_checksum"), ret);
1038
0
        return ret;
1039
0
    }
1040
1041
    /*
1042
     * Handshake layer:
1043
     *     0  .   0   handshake type
1044
     *     1  .   3   handshake length
1045
     *     4  .   5   DTLS only: message sequence number
1046
     *     6  .   8   DTLS only: fragment offset
1047
     *     9  .  11   DTLS only: fragment length
1048
     */
1049
0
    if (msg_len < mbedtls_ssl_hs_hdr_len(ssl)) {
1050
0
        MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1051
0
        return MBEDTLS_ERR_SSL_DECODE_ERROR;
1052
0
    }
1053
1054
0
    MBEDTLS_SSL_DEBUG_MSG(3, ("client hello v3, handshake type: %d", buf[0]));
1055
1056
0
    if (buf[0] != MBEDTLS_SSL_HS_CLIENT_HELLO) {
1057
0
        MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1058
0
        return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
1059
0
    }
1060
0
    {
1061
0
        size_t handshake_len = MBEDTLS_GET_UINT24_BE(buf, 1);
1062
0
        MBEDTLS_SSL_DEBUG_MSG(3, ("client hello v3, handshake len.: %u",
1063
0
                                  (unsigned) handshake_len));
1064
1065
        /* The record layer has a record size limit of 2^14 - 1 and
1066
         * fragmentation is not supported, so buf[1] should be zero. */
1067
0
        if (buf[1] != 0) {
1068
0
            MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message: %u != 0",
1069
0
                                      (unsigned) buf[1]));
1070
0
            return MBEDTLS_ERR_SSL_DECODE_ERROR;
1071
0
        }
1072
1073
        /* We don't support fragmentation of ClientHello (yet?) */
1074
0
        if (msg_len != mbedtls_ssl_hs_hdr_len(ssl) + handshake_len) {
1075
0
            MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message: %u != %u + %u",
1076
0
                                      (unsigned) msg_len,
1077
0
                                      (unsigned) mbedtls_ssl_hs_hdr_len(ssl),
1078
0
                                      (unsigned) handshake_len));
1079
0
            return MBEDTLS_ERR_SSL_DECODE_ERROR;
1080
0
        }
1081
0
    }
1082
1083
0
#if defined(MBEDTLS_SSL_PROTO_DTLS)
1084
0
    if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
1085
        /*
1086
         * Copy the client's handshake message_seq on initial handshakes,
1087
         * check sequence number on renego.
1088
         */
1089
0
#if defined(MBEDTLS_SSL_RENEGOTIATION)
1090
0
        if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) {
1091
            /* This couldn't be done in ssl_prepare_handshake_record() */
1092
0
            unsigned int cli_msg_seq = (unsigned int) MBEDTLS_GET_UINT16_BE(ssl->in_msg, 4);
1093
0
            if (cli_msg_seq != ssl->handshake->in_msg_seq) {
1094
0
                MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message_seq: "
1095
0
                                          "%u (expected %u)", cli_msg_seq,
1096
0
                                          ssl->handshake->in_msg_seq));
1097
0
                return MBEDTLS_ERR_SSL_DECODE_ERROR;
1098
0
            }
1099
1100
0
            ssl->handshake->in_msg_seq++;
1101
0
        } else
1102
0
#endif
1103
0
        {
1104
0
            unsigned int cli_msg_seq = (unsigned int) MBEDTLS_GET_UINT16_BE(ssl->in_msg, 4);
1105
0
            ssl->handshake->out_msg_seq = cli_msg_seq;
1106
0
            ssl->handshake->in_msg_seq  = cli_msg_seq + 1;
1107
0
        }
1108
0
        {
1109
            /*
1110
             * For now we don't support fragmentation, so make sure
1111
             * fragment_offset == 0 and fragment_length == length
1112
             */
1113
0
            size_t fragment_offset, fragment_length, length;
1114
0
            fragment_offset = MBEDTLS_GET_UINT24_BE(ssl->in_msg, 6);
1115
0
            fragment_length = MBEDTLS_GET_UINT24_BE(ssl->in_msg, 9);
1116
0
            length = MBEDTLS_GET_UINT24_BE(ssl->in_msg, 1);
1117
0
            MBEDTLS_SSL_DEBUG_MSG(
1118
0
                4, ("fragment_offset=%u fragment_length=%u length=%u",
1119
0
                    (unsigned) fragment_offset, (unsigned) fragment_length,
1120
0
                    (unsigned) length));
1121
0
            if (fragment_offset != 0 || length != fragment_length) {
1122
0
                MBEDTLS_SSL_DEBUG_MSG(1, ("ClientHello fragmentation not supported"));
1123
0
                return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
1124
0
            }
1125
0
        }
1126
0
    }
1127
0
#endif /* MBEDTLS_SSL_PROTO_DTLS */
1128
1129
0
    buf += mbedtls_ssl_hs_hdr_len(ssl);
1130
0
    msg_len -= mbedtls_ssl_hs_hdr_len(ssl);
1131
1132
    /*
1133
     * ClientHello layout:
1134
     *     0  .   1   protocol version
1135
     *     2  .  33   random bytes (starting with 4 bytes of Unix time)
1136
     *    34  .  34   session id length (1 byte)
1137
     *    35  . 34+x  session id, where x = session id length from byte 34
1138
     *   35+x . 35+x  DTLS only: cookie length (1 byte)
1139
     *   36+x .  ..   DTLS only: cookie
1140
     *    ..  .  ..   ciphersuite list length (2 bytes)
1141
     *    ..  .  ..   ciphersuite list
1142
     *    ..  .  ..   compression alg. list length (1 byte)
1143
     *    ..  .  ..   compression alg. list
1144
     *    ..  .  ..   extensions length (2 bytes, optional)
1145
     *    ..  .  ..   extensions (optional)
1146
     */
1147
1148
    /*
1149
     * Minimal length (with everything empty and extensions omitted) is
1150
     * 2 + 32 + 1 + 2 + 1 = 38 bytes. Check that first, so that we can
1151
     * read at least up to session id length without worrying.
1152
     */
1153
0
    if (msg_len < 38) {
1154
0
        MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1155
0
        return MBEDTLS_ERR_SSL_DECODE_ERROR;
1156
0
    }
1157
1158
    /*
1159
     * Check and save the protocol version
1160
     */
1161
0
    MBEDTLS_SSL_DEBUG_BUF(3, "client hello, version", buf, 2);
1162
1163
0
    ssl->tls_version = (mbedtls_ssl_protocol_version) mbedtls_ssl_read_version(buf,
1164
0
                                                                               ssl->conf->transport);
1165
0
    ssl->session_negotiate->tls_version = ssl->tls_version;
1166
0
    ssl->session_negotiate->endpoint = ssl->conf->endpoint;
1167
1168
0
    if (ssl->tls_version != MBEDTLS_SSL_VERSION_TLS1_2) {
1169
0
        MBEDTLS_SSL_DEBUG_MSG(1, ("server only supports TLS 1.2"));
1170
0
        mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1171
0
                                       MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION);
1172
0
        return MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION;
1173
0
    }
1174
1175
    /*
1176
     * Save client random (inc. Unix time)
1177
     */
1178
0
    MBEDTLS_SSL_DEBUG_BUF(3, "client hello, random bytes", buf + 2, 32);
1179
1180
0
    memcpy(ssl->handshake->randbytes, buf + 2, 32);
1181
1182
    /*
1183
     * Check the session ID length and save session ID
1184
     */
1185
0
    sess_len = buf[34];
1186
1187
0
    if (sess_len > sizeof(ssl->session_negotiate->id) ||
1188
0
        sess_len + 34 + 2 > msg_len) { /* 2 for cipherlist length field */
1189
0
        MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1190
0
        mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1191
0
                                       MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1192
0
        return MBEDTLS_ERR_SSL_DECODE_ERROR;
1193
0
    }
1194
1195
0
    MBEDTLS_SSL_DEBUG_BUF(3, "client hello, session id", buf + 35, sess_len);
1196
1197
0
    ssl->session_negotiate->id_len = sess_len;
1198
0
    memset(ssl->session_negotiate->id, 0,
1199
0
           sizeof(ssl->session_negotiate->id));
1200
0
    memcpy(ssl->session_negotiate->id, buf + 35,
1201
0
           ssl->session_negotiate->id_len);
1202
1203
    /*
1204
     * Check the cookie length and content
1205
     */
1206
0
#if defined(MBEDTLS_SSL_PROTO_DTLS)
1207
0
    if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
1208
0
        cookie_offset = 35 + sess_len;
1209
0
        cookie_len = buf[cookie_offset];
1210
1211
0
        if (cookie_offset + 1 + cookie_len + 2 > msg_len) {
1212
0
            MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1213
0
            mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1214
0
                                           MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1215
0
            return MBEDTLS_ERR_SSL_DECODE_ERROR;
1216
0
        }
1217
1218
0
        MBEDTLS_SSL_DEBUG_BUF(3, "client hello, cookie",
1219
0
                              buf + cookie_offset + 1, cookie_len);
1220
1221
0
#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
1222
0
        if (ssl->conf->f_cookie_check != NULL
1223
0
#if defined(MBEDTLS_SSL_RENEGOTIATION)
1224
0
            && ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE
1225
0
#endif
1226
0
            ) {
1227
0
            if (ssl->conf->f_cookie_check(ssl->conf->p_cookie,
1228
0
                                          buf + cookie_offset + 1, cookie_len,
1229
0
                                          ssl->cli_id, ssl->cli_id_len) != 0) {
1230
0
                MBEDTLS_SSL_DEBUG_MSG(2, ("cookie verification failed"));
1231
0
                ssl->handshake->cookie_verify_result = 1;
1232
0
            } else {
1233
0
                MBEDTLS_SSL_DEBUG_MSG(2, ("cookie verification passed"));
1234
0
                ssl->handshake->cookie_verify_result = 0;
1235
0
            }
1236
0
        } else
1237
0
#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
1238
0
        {
1239
            /* We know we didn't send a cookie, so it should be empty */
1240
0
            if (cookie_len != 0) {
1241
                /* This may be an attacker's probe, so don't send an alert */
1242
0
                MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1243
0
                return MBEDTLS_ERR_SSL_DECODE_ERROR;
1244
0
            }
1245
1246
0
            MBEDTLS_SSL_DEBUG_MSG(2, ("cookie verification skipped"));
1247
0
        }
1248
1249
        /*
1250
         * Check the ciphersuitelist length (will be parsed later)
1251
         */
1252
0
        ciph_offset = cookie_offset + 1 + cookie_len;
1253
0
    } else
1254
0
#endif /* MBEDTLS_SSL_PROTO_DTLS */
1255
0
    ciph_offset = 35 + sess_len;
1256
1257
0
    ciph_len = MBEDTLS_GET_UINT16_BE(buf, ciph_offset);
1258
1259
0
    if (ciph_len < 2 ||
1260
0
        ciph_len + 2 + ciph_offset + 1 > msg_len || /* 1 for comp. alg. len */
1261
0
        (ciph_len % 2) != 0) {
1262
0
        MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1263
0
        mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1264
0
                                       MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1265
0
        return MBEDTLS_ERR_SSL_DECODE_ERROR;
1266
0
    }
1267
1268
0
    MBEDTLS_SSL_DEBUG_BUF(3, "client hello, ciphersuitelist",
1269
0
                          buf + ciph_offset + 2,  ciph_len);
1270
1271
    /*
1272
     * Check the compression algorithm's length.
1273
     * The list contents are ignored because implementing
1274
     * MBEDTLS_SSL_COMPRESS_NULL is mandatory and is the only
1275
     * option supported by Mbed TLS.
1276
     */
1277
0
    comp_offset = ciph_offset + 2 + ciph_len;
1278
1279
0
    comp_len = buf[comp_offset];
1280
1281
0
    if (comp_len < 1 ||
1282
0
        comp_len > 16 ||
1283
0
        comp_len + comp_offset + 1 > msg_len) {
1284
0
        MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1285
0
        mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1286
0
                                       MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1287
0
        return MBEDTLS_ERR_SSL_DECODE_ERROR;
1288
0
    }
1289
1290
0
    MBEDTLS_SSL_DEBUG_BUF(3, "client hello, compression",
1291
0
                          buf + comp_offset + 1, comp_len);
1292
1293
    /*
1294
     * Check the extension length
1295
     */
1296
0
    ext_offset = comp_offset + 1 + comp_len;
1297
0
    if (msg_len > ext_offset) {
1298
0
        if (msg_len < ext_offset + 2) {
1299
0
            MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1300
0
            mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1301
0
                                           MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1302
0
            return MBEDTLS_ERR_SSL_DECODE_ERROR;
1303
0
        }
1304
1305
0
        ext_len = MBEDTLS_GET_UINT16_BE(buf, ext_offset);
1306
1307
0
        if (msg_len != ext_offset + 2 + ext_len) {
1308
0
            MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1309
0
            mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1310
0
                                           MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1311
0
            return MBEDTLS_ERR_SSL_DECODE_ERROR;
1312
0
        }
1313
0
    } else {
1314
0
        ext_len = 0;
1315
0
    }
1316
1317
0
    ext = buf + ext_offset + 2;
1318
0
    MBEDTLS_SSL_DEBUG_BUF(3, "client hello extensions", ext, ext_len);
1319
1320
0
    while (ext_len != 0) {
1321
0
        unsigned int ext_id;
1322
0
        unsigned int ext_size;
1323
0
        if (ext_len < 4) {
1324
0
            MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1325
0
            mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1326
0
                                           MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1327
0
            return MBEDTLS_ERR_SSL_DECODE_ERROR;
1328
0
        }
1329
0
        ext_id   = MBEDTLS_GET_UINT16_BE(ext, 0);
1330
0
        ext_size = MBEDTLS_GET_UINT16_BE(ext, 2);
1331
1332
0
        if (ext_size + 4 > ext_len) {
1333
0
            MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1334
0
            mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1335
0
                                           MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1336
0
            return MBEDTLS_ERR_SSL_DECODE_ERROR;
1337
0
        }
1338
0
        switch (ext_id) {
1339
0
#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
1340
0
            case MBEDTLS_TLS_EXT_SERVERNAME:
1341
0
                MBEDTLS_SSL_DEBUG_MSG(3, ("found ServerName extension"));
1342
0
                ret = mbedtls_ssl_parse_server_name_ext(ssl, ext + 4,
1343
0
                                                        ext + 4 + ext_size);
1344
0
                if (ret != 0) {
1345
0
                    return ret;
1346
0
                }
1347
0
                break;
1348
0
#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
1349
1350
0
            case MBEDTLS_TLS_EXT_RENEGOTIATION_INFO:
1351
0
                MBEDTLS_SSL_DEBUG_MSG(3, ("found renegotiation extension"));
1352
0
#if defined(MBEDTLS_SSL_RENEGOTIATION)
1353
0
                renegotiation_info_seen = 1;
1354
0
#endif
1355
1356
0
                ret = ssl_parse_renegotiation_info(ssl, ext + 4, ext_size);
1357
0
                if (ret != 0) {
1358
0
                    return ret;
1359
0
                }
1360
0
                break;
1361
1362
0
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
1363
0
            case MBEDTLS_TLS_EXT_SIG_ALG:
1364
0
                MBEDTLS_SSL_DEBUG_MSG(3, ("found signature_algorithms extension"));
1365
1366
0
                ret = mbedtls_ssl_parse_sig_alg_ext(ssl, ext + 4, ext + 4 + ext_size);
1367
0
                if (ret != 0) {
1368
0
                    return ret;
1369
0
                }
1370
1371
0
                sig_hash_alg_ext_present = 1;
1372
0
                break;
1373
0
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
1374
1375
0
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED) || \
1376
0
                defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED) || \
1377
0
                defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
1378
0
            case MBEDTLS_TLS_EXT_SUPPORTED_GROUPS:
1379
0
                MBEDTLS_SSL_DEBUG_MSG(3, ("found supported elliptic curves extension"));
1380
1381
0
                ret = ssl_parse_supported_groups_ext(ssl, ext + 4, ext_size);
1382
0
                if (ret != 0) {
1383
0
                    return ret;
1384
0
                }
1385
0
                break;
1386
1387
0
            case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS:
1388
0
                MBEDTLS_SSL_DEBUG_MSG(3, ("found supported point formats extension"));
1389
0
                ssl->handshake->cli_exts |= MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT;
1390
1391
0
                ret = ssl_parse_supported_point_formats(ssl, ext + 4, ext_size);
1392
0
                if (ret != 0) {
1393
0
                    return ret;
1394
0
                }
1395
0
                break;
1396
0
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED || \
1397
          MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED ||
1398
          MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
1399
1400
0
#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
1401
0
            case MBEDTLS_TLS_EXT_ECJPAKE_KKPP:
1402
0
                MBEDTLS_SSL_DEBUG_MSG(3, ("found ecjpake kkpp extension"));
1403
1404
0
                ret = ssl_parse_ecjpake_kkpp(ssl, ext + 4, ext_size);
1405
0
                if (ret != 0) {
1406
0
                    return ret;
1407
0
                }
1408
0
                break;
1409
0
#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
1410
1411
0
#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
1412
0
            case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH:
1413
0
                MBEDTLS_SSL_DEBUG_MSG(3, ("found max fragment length extension"));
1414
1415
0
                ret = ssl_parse_max_fragment_length_ext(ssl, ext + 4, ext_size);
1416
0
                if (ret != 0) {
1417
0
                    return ret;
1418
0
                }
1419
0
                break;
1420
0
#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
1421
1422
0
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
1423
0
            case MBEDTLS_TLS_EXT_CID:
1424
0
                MBEDTLS_SSL_DEBUG_MSG(3, ("found CID extension"));
1425
1426
0
                ret = ssl_parse_cid_ext(ssl, ext + 4, ext_size);
1427
0
                if (ret != 0) {
1428
0
                    return ret;
1429
0
                }
1430
0
                break;
1431
0
#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
1432
1433
0
#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
1434
0
            case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC:
1435
0
                MBEDTLS_SSL_DEBUG_MSG(3, ("found encrypt then mac extension"));
1436
1437
0
                ret = ssl_parse_encrypt_then_mac_ext(ssl, ext + 4, ext_size);
1438
0
                if (ret != 0) {
1439
0
                    return ret;
1440
0
                }
1441
0
                break;
1442
0
#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
1443
1444
0
#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
1445
0
            case MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET:
1446
0
                MBEDTLS_SSL_DEBUG_MSG(3, ("found extended master secret extension"));
1447
1448
0
                ret = ssl_parse_extended_ms_ext(ssl, ext + 4, ext_size);
1449
0
                if (ret != 0) {
1450
0
                    return ret;
1451
0
                }
1452
0
                break;
1453
0
#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
1454
1455
0
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
1456
0
            case MBEDTLS_TLS_EXT_SESSION_TICKET:
1457
0
                MBEDTLS_SSL_DEBUG_MSG(3, ("found session ticket extension"));
1458
1459
0
                ret = ssl_parse_session_ticket_ext(ssl, ext + 4, ext_size);
1460
0
                if (ret != 0) {
1461
0
                    return ret;
1462
0
                }
1463
0
                break;
1464
0
#endif /* MBEDTLS_SSL_SESSION_TICKETS */
1465
1466
0
#if defined(MBEDTLS_SSL_ALPN)
1467
0
            case MBEDTLS_TLS_EXT_ALPN:
1468
0
                MBEDTLS_SSL_DEBUG_MSG(3, ("found alpn extension"));
1469
1470
0
                ret = mbedtls_ssl_parse_alpn_ext(ssl, ext + 4,
1471
0
                                                 ext + 4 + ext_size);
1472
0
                if (ret != 0) {
1473
0
                    return ret;
1474
0
                }
1475
0
                break;
1476
0
#endif /* MBEDTLS_SSL_SESSION_TICKETS */
1477
1478
0
#if defined(MBEDTLS_SSL_DTLS_SRTP)
1479
0
            case MBEDTLS_TLS_EXT_USE_SRTP:
1480
0
                MBEDTLS_SSL_DEBUG_MSG(3, ("found use_srtp extension"));
1481
1482
0
                ret = ssl_parse_use_srtp_ext(ssl, ext + 4, ext_size);
1483
0
                if (ret != 0) {
1484
0
                    return ret;
1485
0
                }
1486
0
                break;
1487
0
#endif /* MBEDTLS_SSL_DTLS_SRTP */
1488
1489
0
            default:
1490
0
                MBEDTLS_SSL_DEBUG_MSG(3, ("unknown extension found: %u (ignoring)",
1491
0
                                          ext_id));
1492
0
        }
1493
1494
0
        ext_len -= 4 + ext_size;
1495
0
        ext += 4 + ext_size;
1496
0
    }
1497
1498
0
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
1499
1500
    /*
1501
     * Try to fall back to default hash SHA1 if the client
1502
     * hasn't provided any preferred signature-hash combinations.
1503
     */
1504
0
    if (!sig_hash_alg_ext_present) {
1505
0
        uint16_t *received_sig_algs = ssl->handshake->received_sig_algs;
1506
0
        const uint16_t default_sig_algs[] = {
1507
0
#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
1508
0
            MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA,
1509
0
                                               MBEDTLS_SSL_HASH_SHA1),
1510
0
#endif
1511
0
#if defined(MBEDTLS_RSA_C)
1512
0
            MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_RSA,
1513
0
                                               MBEDTLS_SSL_HASH_SHA1),
1514
0
#endif
1515
0
            MBEDTLS_TLS_SIG_NONE
1516
0
        };
1517
1518
0
        MBEDTLS_STATIC_ASSERT(sizeof(default_sig_algs) / sizeof(default_sig_algs[0])
1519
0
                              <= MBEDTLS_RECEIVED_SIG_ALGS_SIZE,
1520
0
                              "default_sig_algs is too big");
1521
1522
0
        memcpy(received_sig_algs, default_sig_algs, sizeof(default_sig_algs));
1523
0
    }
1524
1525
0
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
1526
1527
    /*
1528
     * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV
1529
     */
1530
0
    for (i = 0, p = buf + ciph_offset + 2; i < ciph_len; i += 2, p += 2) {
1531
0
        if (p[0] == 0 && p[1] == MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO) {
1532
0
            MBEDTLS_SSL_DEBUG_MSG(3, ("received TLS_EMPTY_RENEGOTIATION_INFO "));
1533
0
#if defined(MBEDTLS_SSL_RENEGOTIATION)
1534
0
            if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) {
1535
0
                MBEDTLS_SSL_DEBUG_MSG(1, ("received RENEGOTIATION SCSV "
1536
0
                                          "during renegotiation"));
1537
0
                mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1538
0
                                               MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
1539
0
                return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
1540
0
            }
1541
0
#endif
1542
0
            ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
1543
0
            break;
1544
0
        }
1545
0
    }
1546
1547
    /*
1548
     * Renegotiation security checks
1549
     */
1550
0
    if (ssl->secure_renegotiation != MBEDTLS_SSL_SECURE_RENEGOTIATION &&
1551
0
        ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE) {
1552
0
        MBEDTLS_SSL_DEBUG_MSG(1, ("legacy renegotiation, breaking off handshake"));
1553
0
        handshake_failure = 1;
1554
0
    }
1555
0
#if defined(MBEDTLS_SSL_RENEGOTIATION)
1556
0
    else if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
1557
0
             ssl->secure_renegotiation == MBEDTLS_SSL_SECURE_RENEGOTIATION &&
1558
0
             renegotiation_info_seen == 0) {
1559
0
        MBEDTLS_SSL_DEBUG_MSG(1, ("renegotiation_info extension missing (secure)"));
1560
0
        handshake_failure = 1;
1561
0
    } else if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
1562
0
               ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
1563
0
               ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION) {
1564
0
        MBEDTLS_SSL_DEBUG_MSG(1, ("legacy renegotiation not allowed"));
1565
0
        handshake_failure = 1;
1566
0
    } else if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
1567
0
               ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
1568
0
               renegotiation_info_seen == 1) {
1569
0
        MBEDTLS_SSL_DEBUG_MSG(1, ("renegotiation_info extension present (legacy)"));
1570
0
        handshake_failure = 1;
1571
0
    }
1572
0
#endif /* MBEDTLS_SSL_RENEGOTIATION */
1573
1574
0
    if (handshake_failure == 1) {
1575
0
        mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1576
0
                                       MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
1577
0
        return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
1578
0
    }
1579
1580
    /*
1581
     * Server certification selection (after processing TLS extensions)
1582
     */
1583
0
    if (ssl->conf->f_cert_cb && (ret = ssl->conf->f_cert_cb(ssl)) != 0) {
1584
0
        MBEDTLS_SSL_DEBUG_RET(1, "f_cert_cb", ret);
1585
0
        return ret;
1586
0
    }
1587
0
#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
1588
0
    ssl->handshake->sni_name = NULL;
1589
0
    ssl->handshake->sni_name_len = 0;
1590
0
#endif
1591
1592
    /*
1593
     * Search for a matching ciphersuite
1594
     * (At the end because we need information from the EC-based extensions
1595
     * and certificate from the SNI callback triggered by the SNI extension
1596
     * or certificate from server certificate selection callback.)
1597
     */
1598
0
    got_common_suite = 0;
1599
0
    ciphersuites = ssl->conf->ciphersuite_list;
1600
0
    ciphersuite_info = NULL;
1601
1602
0
    if (ssl->conf->respect_cli_pref == MBEDTLS_SSL_SRV_CIPHERSUITE_ORDER_CLIENT) {
1603
0
        for (j = 0, p = buf + ciph_offset + 2; j < ciph_len; j += 2, p += 2) {
1604
0
            for (i = 0; ciphersuites[i] != 0; i++) {
1605
0
                if (MBEDTLS_GET_UINT16_BE(p, 0) != ciphersuites[i]) {
1606
0
                    continue;
1607
0
                }
1608
1609
0
                got_common_suite = 1;
1610
1611
0
                if ((ret = ssl_ciphersuite_match(ssl, ciphersuites[i],
1612
0
                                                 &ciphersuite_info)) != 0) {
1613
0
                    return ret;
1614
0
                }
1615
1616
0
                if (ciphersuite_info != NULL) {
1617
0
                    goto have_ciphersuite;
1618
0
                }
1619
0
            }
1620
0
        }
1621
0
    } else {
1622
0
        for (i = 0; ciphersuites[i] != 0; i++) {
1623
0
            for (j = 0, p = buf + ciph_offset + 2; j < ciph_len; j += 2, p += 2) {
1624
0
                if (MBEDTLS_GET_UINT16_BE(p, 0) != ciphersuites[i]) {
1625
0
                    continue;
1626
0
                }
1627
1628
0
                got_common_suite = 1;
1629
1630
0
                if ((ret = ssl_ciphersuite_match(ssl, ciphersuites[i],
1631
0
                                                 &ciphersuite_info)) != 0) {
1632
0
                    return ret;
1633
0
                }
1634
1635
0
                if (ciphersuite_info != NULL) {
1636
0
                    goto have_ciphersuite;
1637
0
                }
1638
0
            }
1639
0
        }
1640
0
    }
1641
1642
0
    if (got_common_suite) {
1643
0
        MBEDTLS_SSL_DEBUG_MSG(1, ("got ciphersuites in common, "
1644
0
                                  "but none of them usable"));
1645
0
        mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1646
0
                                       MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
1647
0
        return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
1648
0
    } else {
1649
0
        MBEDTLS_SSL_DEBUG_MSG(1, ("got no ciphersuites in common"));
1650
0
        mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1651
0
                                       MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
1652
0
        return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
1653
0
    }
1654
1655
0
have_ciphersuite:
1656
0
    MBEDTLS_SSL_DEBUG_MSG(2, ("selected ciphersuite: %s", ciphersuite_info->name));
1657
1658
0
    ssl->session_negotiate->ciphersuite = ciphersuites[i];
1659
0
    ssl->handshake->ciphersuite_info = ciphersuite_info;
1660
1661
0
    ssl->state++;
1662
1663
0
#if defined(MBEDTLS_SSL_PROTO_DTLS)
1664
0
    if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
1665
0
        mbedtls_ssl_recv_flight_completed(ssl);
1666
0
    }
1667
0
#endif
1668
1669
    /* Debugging-only output for testsuite */
1670
0
#if defined(MBEDTLS_DEBUG_C)                         && \
1671
0
    defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
1672
0
    mbedtls_pk_type_t sig_alg = mbedtls_ssl_get_ciphersuite_sig_alg(ciphersuite_info);
1673
0
    if (sig_alg != MBEDTLS_PK_NONE) {
1674
0
        unsigned int sig_hash = mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg(
1675
0
            ssl, mbedtls_ssl_sig_from_pk_alg(sig_alg));
1676
0
        MBEDTLS_SSL_DEBUG_MSG(3, ("client hello v3, signature_algorithm ext: %u",
1677
0
                                  sig_hash));
1678
0
    } else {
1679
0
        MBEDTLS_SSL_DEBUG_MSG(3, ("no hash algorithm for signature algorithm "
1680
0
                                  "%u - should not happen", (unsigned) sig_alg));
1681
0
    }
1682
0
#endif
1683
1684
0
    MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse client hello"));
1685
1686
0
    return 0;
1687
0
}
1688
1689
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
1690
static void ssl_write_cid_ext(mbedtls_ssl_context *ssl,
1691
                              unsigned char *buf,
1692
                              size_t *olen)
1693
0
{
1694
0
    unsigned char *p = buf;
1695
0
    size_t ext_len;
1696
0
    const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
1697
1698
0
    *olen = 0;
1699
1700
    /* Skip writing the extension if we don't want to use it or if
1701
     * the client hasn't offered it. */
1702
0
    if (ssl->handshake->cid_in_use == MBEDTLS_SSL_CID_DISABLED) {
1703
0
        return;
1704
0
    }
1705
1706
    /* ssl->own_cid_len is at most MBEDTLS_SSL_CID_IN_LEN_MAX
1707
     * which is at most 255, so the increment cannot overflow. */
1708
0
    if (end < p || (size_t) (end - p) < (unsigned) (ssl->own_cid_len + 5)) {
1709
0
        MBEDTLS_SSL_DEBUG_MSG(1, ("buffer too small"));
1710
0
        return;
1711
0
    }
1712
1713
0
    MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding CID extension"));
1714
1715
    /*
1716
     *   struct {
1717
     *      opaque cid<0..2^8-1>;
1718
     *   } ConnectionId;
1719
     */
1720
0
    MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_CID, p, 0);
1721
0
    p += 2;
1722
0
    ext_len = (size_t) ssl->own_cid_len + 1;
1723
0
    MBEDTLS_PUT_UINT16_BE(ext_len, p, 0);
1724
0
    p += 2;
1725
1726
0
    *p++ = (uint8_t) ssl->own_cid_len;
1727
0
    memcpy(p, ssl->own_cid, ssl->own_cid_len);
1728
1729
0
    *olen = ssl->own_cid_len + 5;
1730
0
}
1731
#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
1732
1733
#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
1734
static void ssl_write_encrypt_then_mac_ext(mbedtls_ssl_context *ssl,
1735
                                           unsigned char *buf,
1736
                                           size_t *olen)
1737
0
{
1738
0
    unsigned char *p = buf;
1739
0
    const mbedtls_ssl_ciphersuite_t *suite = NULL;
1740
1741
    /*
1742
     * RFC 7366: "If a server receives an encrypt-then-MAC request extension
1743
     * from a client and then selects a stream or Authenticated Encryption
1744
     * with Associated Data (AEAD) ciphersuite, it MUST NOT send an
1745
     * encrypt-then-MAC response extension back to the client."
1746
     */
1747
0
    suite = mbedtls_ssl_ciphersuite_from_id(
1748
0
        ssl->session_negotiate->ciphersuite);
1749
0
    if (suite == NULL) {
1750
0
        ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_DISABLED;
1751
0
    } else {
1752
0
        mbedtls_ssl_mode_t ssl_mode =
1753
0
            mbedtls_ssl_get_mode_from_ciphersuite(
1754
0
                ssl->session_negotiate->encrypt_then_mac,
1755
0
                suite);
1756
1757
0
        if (ssl_mode != MBEDTLS_SSL_MODE_CBC_ETM) {
1758
0
            ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_DISABLED;
1759
0
        }
1760
0
    }
1761
1762
0
    if (ssl->session_negotiate->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED) {
1763
0
        *olen = 0;
1764
0
        return;
1765
0
    }
1766
1767
0
    MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding encrypt then mac extension"));
1768
1769
0
    MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC, p, 0);
1770
0
    p += 2;
1771
1772
0
    *p++ = 0x00;
1773
0
    *p++ = 0x00;
1774
1775
0
    *olen = 4;
1776
0
}
1777
#endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */
1778
1779
#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
1780
static void ssl_write_extended_ms_ext(mbedtls_ssl_context *ssl,
1781
                                      unsigned char *buf,
1782
                                      size_t *olen)
1783
0
{
1784
0
    unsigned char *p = buf;
1785
1786
0
    if (ssl->handshake->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED) {
1787
0
        *olen = 0;
1788
0
        return;
1789
0
    }
1790
1791
0
    MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding extended master secret "
1792
0
                              "extension"));
1793
1794
0
    MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET, p, 0);
1795
0
    p += 2;
1796
1797
0
    *p++ = 0x00;
1798
0
    *p++ = 0x00;
1799
1800
0
    *olen = 4;
1801
0
}
1802
#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
1803
1804
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
1805
static void ssl_write_session_ticket_ext(mbedtls_ssl_context *ssl,
1806
                                         unsigned char *buf,
1807
                                         size_t *olen)
1808
0
{
1809
0
    unsigned char *p = buf;
1810
1811
0
    if (ssl->handshake->new_session_ticket == 0) {
1812
0
        *olen = 0;
1813
0
        return;
1814
0
    }
1815
1816
0
    MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding session ticket extension"));
1817
1818
0
    MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_SESSION_TICKET, p, 0);
1819
0
    p += 2;
1820
1821
0
    *p++ = 0x00;
1822
0
    *p++ = 0x00;
1823
1824
0
    *olen = 4;
1825
0
}
1826
#endif /* MBEDTLS_SSL_SESSION_TICKETS */
1827
1828
static void ssl_write_renegotiation_ext(mbedtls_ssl_context *ssl,
1829
                                        unsigned char *buf,
1830
                                        size_t *olen)
1831
0
{
1832
0
    unsigned char *p = buf;
1833
1834
0
    if (ssl->secure_renegotiation != MBEDTLS_SSL_SECURE_RENEGOTIATION) {
1835
0
        *olen = 0;
1836
0
        return;
1837
0
    }
1838
1839
0
    MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, secure renegotiation extension"));
1840
1841
0
    MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_RENEGOTIATION_INFO, p, 0);
1842
0
    p += 2;
1843
1844
0
#if defined(MBEDTLS_SSL_RENEGOTIATION)
1845
0
    if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) {
1846
0
        *p++ = 0x00;
1847
0
        *p++ = (ssl->verify_data_len * 2 + 1) & 0xFF;
1848
0
        *p++ = ssl->verify_data_len * 2 & 0xFF;
1849
1850
0
        memcpy(p, ssl->peer_verify_data, ssl->verify_data_len);
1851
0
        p += ssl->verify_data_len;
1852
0
        memcpy(p, ssl->own_verify_data, ssl->verify_data_len);
1853
0
        p += ssl->verify_data_len;
1854
0
    } else
1855
0
#endif /* MBEDTLS_SSL_RENEGOTIATION */
1856
0
    {
1857
0
        *p++ = 0x00;
1858
0
        *p++ = 0x01;
1859
0
        *p++ = 0x00;
1860
0
    }
1861
1862
0
    *olen = (size_t) (p - buf);
1863
0
}
1864
1865
#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
1866
static void ssl_write_max_fragment_length_ext(mbedtls_ssl_context *ssl,
1867
                                              unsigned char *buf,
1868
                                              size_t *olen)
1869
0
{
1870
0
    unsigned char *p = buf;
1871
1872
0
    if (ssl->session_negotiate->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE) {
1873
0
        *olen = 0;
1874
0
        return;
1875
0
    }
1876
1877
0
    MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, max_fragment_length extension"));
1878
1879
0
    MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH, p, 0);
1880
0
    p += 2;
1881
1882
0
    *p++ = 0x00;
1883
0
    *p++ = 1;
1884
1885
0
    *p++ = ssl->session_negotiate->mfl_code;
1886
1887
0
    *olen = 5;
1888
0
}
1889
#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
1890
1891
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED) || \
1892
    defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED) || \
1893
    defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
1894
static void ssl_write_supported_point_formats_ext(mbedtls_ssl_context *ssl,
1895
                                                  unsigned char *buf,
1896
                                                  size_t *olen)
1897
0
{
1898
0
    unsigned char *p = buf;
1899
0
    ((void) ssl);
1900
1901
0
    if ((ssl->handshake->cli_exts &
1902
0
         MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT) == 0) {
1903
0
        *olen = 0;
1904
0
        return;
1905
0
    }
1906
1907
0
    MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, supported_point_formats extension"));
1908
1909
0
    MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS, p, 0);
1910
0
    p += 2;
1911
1912
0
    *p++ = 0x00;
1913
0
    *p++ = 2;
1914
1915
0
    *p++ = 1;
1916
0
    *p++ = MBEDTLS_ECP_PF_UNCOMPRESSED;
1917
1918
0
    *olen = 6;
1919
0
}
1920
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED ||
1921
          MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED ||
1922
          MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
1923
1924
#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
1925
static void ssl_write_ecjpake_kkpp_ext(mbedtls_ssl_context *ssl,
1926
                                       unsigned char *buf,
1927
                                       size_t *olen)
1928
0
{
1929
0
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1930
0
    unsigned char *p = buf;
1931
0
    const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
1932
0
    size_t kkpp_len;
1933
1934
0
    *olen = 0;
1935
1936
    /* Skip costly computation if not needed */
1937
0
    if (ssl->handshake->ciphersuite_info->key_exchange !=
1938
0
        MBEDTLS_KEY_EXCHANGE_ECJPAKE) {
1939
0
        return;
1940
0
    }
1941
1942
0
    MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, ecjpake kkpp extension"));
1943
1944
0
    if (end - p < 4) {
1945
0
        MBEDTLS_SSL_DEBUG_MSG(1, ("buffer too small"));
1946
0
        return;
1947
0
    }
1948
1949
0
    MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_ECJPAKE_KKPP, p, 0);
1950
0
    p += 2;
1951
1952
0
#if defined(MBEDTLS_USE_PSA_CRYPTO)
1953
0
    ret = mbedtls_psa_ecjpake_write_round(&ssl->handshake->psa_pake_ctx,
1954
0
                                          p + 2, (size_t) (end - p - 2), &kkpp_len,
1955
0
                                          MBEDTLS_ECJPAKE_ROUND_ONE);
1956
0
    if (ret != 0) {
1957
0
        psa_destroy_key(ssl->handshake->psa_pake_password);
1958
0
        psa_pake_abort(&ssl->handshake->psa_pake_ctx);
1959
0
        MBEDTLS_SSL_DEBUG_RET(1, "psa_pake_output", ret);
1960
0
        return;
1961
0
    }
1962
#else
1963
    ret = mbedtls_ecjpake_write_round_one(&ssl->handshake->ecjpake_ctx,
1964
                                          p + 2, (size_t) (end - p - 2), &kkpp_len,
1965
                                          ssl->conf->f_rng, ssl->conf->p_rng);
1966
    if (ret != 0) {
1967
        MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_write_round_one", ret);
1968
        return;
1969
    }
1970
#endif /* MBEDTLS_USE_PSA_CRYPTO */
1971
1972
0
    MBEDTLS_PUT_UINT16_BE(kkpp_len, p, 0);
1973
0
    p += 2;
1974
1975
0
    *olen = kkpp_len + 4;
1976
0
}
1977
#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
1978
1979
#if defined(MBEDTLS_SSL_DTLS_SRTP) && defined(MBEDTLS_SSL_PROTO_DTLS)
1980
static void ssl_write_use_srtp_ext(mbedtls_ssl_context *ssl,
1981
                                   unsigned char *buf,
1982
                                   size_t *olen)
1983
0
{
1984
0
    size_t mki_len = 0, ext_len = 0;
1985
0
    uint16_t profile_value = 0;
1986
0
    const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
1987
1988
0
    *olen = 0;
1989
1990
0
    if ((ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) ||
1991
0
        (ssl->dtls_srtp_info.chosen_dtls_srtp_profile == MBEDTLS_TLS_SRTP_UNSET)) {
1992
0
        return;
1993
0
    }
1994
1995
0
    MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding use_srtp extension"));
1996
1997
0
    if (ssl->conf->dtls_srtp_mki_support == MBEDTLS_SSL_DTLS_SRTP_MKI_SUPPORTED) {
1998
0
        mki_len = ssl->dtls_srtp_info.mki_len;
1999
0
    }
2000
2001
    /* The extension total size is 9 bytes :
2002
     * - 2 bytes for the extension tag
2003
     * - 2 bytes for the total size
2004
     * - 2 bytes for the protection profile length
2005
     * - 2 bytes for the protection profile
2006
     * - 1 byte for the mki length
2007
     * +  the actual mki length
2008
     * Check we have enough room in the output buffer */
2009
0
    if ((size_t) (end - buf) < mki_len + 9) {
2010
0
        MBEDTLS_SSL_DEBUG_MSG(1, ("buffer too small"));
2011
0
        return;
2012
0
    }
2013
2014
    /* extension */
2015
0
    MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_USE_SRTP, buf, 0);
2016
    /*
2017
     * total length 5 and mki value: only one profile(2 bytes)
2018
     *              and length(2 bytes) and srtp_mki  )
2019
     */
2020
0
    ext_len = 5 + mki_len;
2021
0
    MBEDTLS_PUT_UINT16_BE(ext_len, buf, 2);
2022
2023
    /* protection profile length: 2 */
2024
0
    buf[4] = 0x00;
2025
0
    buf[5] = 0x02;
2026
0
    profile_value = mbedtls_ssl_check_srtp_profile_value(
2027
0
        ssl->dtls_srtp_info.chosen_dtls_srtp_profile);
2028
0
    if (profile_value != MBEDTLS_TLS_SRTP_UNSET) {
2029
0
        MBEDTLS_PUT_UINT16_BE(profile_value, buf, 6);
2030
0
    } else {
2031
0
        MBEDTLS_SSL_DEBUG_MSG(1, ("use_srtp extension invalid profile"));
2032
0
        return;
2033
0
    }
2034
2035
0
    buf[8] = mki_len & 0xFF;
2036
0
    memcpy(&buf[9], ssl->dtls_srtp_info.mki_value, mki_len);
2037
2038
0
    *olen = 9 + mki_len;
2039
0
}
2040
#endif /* MBEDTLS_SSL_DTLS_SRTP */
2041
2042
#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
2043
MBEDTLS_CHECK_RETURN_CRITICAL
2044
static int ssl_write_hello_verify_request(mbedtls_ssl_context *ssl)
2045
0
{
2046
0
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2047
0
    unsigned char *p = ssl->out_msg + 4;
2048
0
    unsigned char *cookie_len_byte;
2049
2050
0
    MBEDTLS_SSL_DEBUG_MSG(2, ("=> write hello verify request"));
2051
2052
    /*
2053
     * struct {
2054
     *   ProtocolVersion server_version;
2055
     *   opaque cookie<0..2^8-1>;
2056
     * } HelloVerifyRequest;
2057
     */
2058
2059
    /* The RFC is not clear on this point, but sending the actual negotiated
2060
     * version looks like the most interoperable thing to do. */
2061
0
    mbedtls_ssl_write_version(p, ssl->conf->transport, ssl->tls_version);
2062
0
    MBEDTLS_SSL_DEBUG_BUF(3, "server version", p, 2);
2063
0
    p += 2;
2064
2065
    /* If we get here, f_cookie_check is not null */
2066
0
    if (ssl->conf->f_cookie_write == NULL) {
2067
0
        MBEDTLS_SSL_DEBUG_MSG(1, ("inconsistent cookie callbacks"));
2068
0
        return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
2069
0
    }
2070
2071
    /* Skip length byte until we know the length */
2072
0
    cookie_len_byte = p++;
2073
2074
0
    if ((ret = ssl->conf->f_cookie_write(ssl->conf->p_cookie,
2075
0
                                         &p, ssl->out_buf + MBEDTLS_SSL_OUT_BUFFER_LEN,
2076
0
                                         ssl->cli_id, ssl->cli_id_len)) != 0) {
2077
0
        MBEDTLS_SSL_DEBUG_RET(1, "f_cookie_write", ret);
2078
0
        return ret;
2079
0
    }
2080
2081
0
    *cookie_len_byte = (unsigned char) (p - (cookie_len_byte + 1));
2082
2083
0
    MBEDTLS_SSL_DEBUG_BUF(3, "cookie sent", cookie_len_byte + 1, *cookie_len_byte);
2084
2085
0
    ssl->out_msglen  = (size_t) (p - ssl->out_msg);
2086
0
    ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
2087
0
    ssl->out_msg[0]  = MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST;
2088
2089
0
    ssl->state = MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT;
2090
2091
0
    if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
2092
0
        MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
2093
0
        return ret;
2094
0
    }
2095
2096
0
#if defined(MBEDTLS_SSL_PROTO_DTLS)
2097
0
    if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
2098
0
        (ret = mbedtls_ssl_flight_transmit(ssl)) != 0) {
2099
0
        MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_flight_transmit", ret);
2100
0
        return ret;
2101
0
    }
2102
0
#endif /* MBEDTLS_SSL_PROTO_DTLS */
2103
2104
0
    MBEDTLS_SSL_DEBUG_MSG(2, ("<= write hello verify request"));
2105
2106
0
    return 0;
2107
0
}
2108
#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
2109
2110
static void ssl_handle_id_based_session_resumption(mbedtls_ssl_context *ssl)
2111
0
{
2112
0
    int ret;
2113
0
    mbedtls_ssl_session session_tmp;
2114
0
    mbedtls_ssl_session * const session = ssl->session_negotiate;
2115
2116
    /* Resume is 0  by default, see ssl_handshake_init().
2117
     * It may be already set to 1 by ssl_parse_session_ticket_ext(). */
2118
0
    if (ssl->handshake->resume == 1) {
2119
0
        return;
2120
0
    }
2121
0
    if (session->id_len == 0) {
2122
0
        return;
2123
0
    }
2124
0
    if (ssl->conf->f_get_cache == NULL) {
2125
0
        return;
2126
0
    }
2127
0
#if defined(MBEDTLS_SSL_RENEGOTIATION)
2128
0
    if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) {
2129
0
        return;
2130
0
    }
2131
0
#endif
2132
2133
0
    mbedtls_ssl_session_init(&session_tmp);
2134
2135
0
    ret = ssl->conf->f_get_cache(ssl->conf->p_cache,
2136
0
                                 session->id,
2137
0
                                 session->id_len,
2138
0
                                 &session_tmp);
2139
0
    if (ret != 0) {
2140
0
        goto exit;
2141
0
    }
2142
2143
0
    if (session->ciphersuite != session_tmp.ciphersuite) {
2144
        /* Mismatch between cached and negotiated session */
2145
0
        goto exit;
2146
0
    }
2147
2148
    /* Move semantics */
2149
0
    mbedtls_ssl_session_free(session);
2150
0
    *session = session_tmp;
2151
0
    memset(&session_tmp, 0, sizeof(session_tmp));
2152
2153
0
    MBEDTLS_SSL_DEBUG_MSG(3, ("session successfully restored from cache"));
2154
0
    ssl->handshake->resume = 1;
2155
2156
0
exit:
2157
2158
0
    mbedtls_ssl_session_free(&session_tmp);
2159
0
}
2160
2161
MBEDTLS_CHECK_RETURN_CRITICAL
2162
static int ssl_write_server_hello(mbedtls_ssl_context *ssl)
2163
0
{
2164
0
#if defined(MBEDTLS_HAVE_TIME)
2165
0
    mbedtls_time_t t;
2166
0
#endif
2167
0
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2168
0
    size_t olen, ext_len = 0, n;
2169
0
    unsigned char *buf, *p;
2170
2171
0
    MBEDTLS_SSL_DEBUG_MSG(2, ("=> write server hello"));
2172
2173
0
#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
2174
0
    if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
2175
0
        ssl->handshake->cookie_verify_result != 0) {
2176
0
        MBEDTLS_SSL_DEBUG_MSG(2, ("client hello was not authenticated"));
2177
0
        MBEDTLS_SSL_DEBUG_MSG(2, ("<= write server hello"));
2178
2179
0
        return ssl_write_hello_verify_request(ssl);
2180
0
    }
2181
0
#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
2182
2183
    /*
2184
     *     0  .   0   handshake type
2185
     *     1  .   3   handshake length
2186
     *     4  .   5   protocol version
2187
     *     6  .   9   UNIX time()
2188
     *    10  .  37   random bytes
2189
     */
2190
0
    buf = ssl->out_msg;
2191
0
    p = buf + 4;
2192
2193
0
    mbedtls_ssl_write_version(p, ssl->conf->transport, ssl->tls_version);
2194
0
    p += 2;
2195
2196
0
    MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, chosen version: [%d:%d]",
2197
0
                              buf[4], buf[5]));
2198
2199
0
#if defined(MBEDTLS_HAVE_TIME)
2200
0
    t = mbedtls_time(NULL);
2201
0
    MBEDTLS_PUT_UINT32_BE(t, p, 0);
2202
0
    p += 4;
2203
2204
0
    MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, current time: %" MBEDTLS_PRINTF_LONGLONG,
2205
0
                              (long long) t));
2206
#else
2207
    if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, p, 4)) != 0) {
2208
        return ret;
2209
    }
2210
2211
    p += 4;
2212
#endif /* MBEDTLS_HAVE_TIME */
2213
2214
0
    if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, p, 20)) != 0) {
2215
0
        return ret;
2216
0
    }
2217
0
    p += 20;
2218
2219
0
#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
2220
    /*
2221
     * RFC 8446
2222
     * TLS 1.3 has a downgrade protection mechanism embedded in the server's
2223
     * random value. TLS 1.3 servers which negotiate TLS 1.2 or below in
2224
     * response to a ClientHello MUST set the last 8 bytes of their Random
2225
     * value specially in their ServerHello.
2226
     */
2227
0
    if (mbedtls_ssl_conf_is_tls13_enabled(ssl->conf)) {
2228
0
        static const unsigned char magic_tls12_downgrade_string[] =
2229
0
        { 'D', 'O', 'W', 'N', 'G', 'R', 'D', 1 };
2230
2231
0
        MBEDTLS_STATIC_ASSERT(
2232
0
            sizeof(magic_tls12_downgrade_string) == 8,
2233
0
            "magic_tls12_downgrade_string does not have the expected size");
2234
2235
0
        memcpy(p, magic_tls12_downgrade_string,
2236
0
               sizeof(magic_tls12_downgrade_string));
2237
0
    } else
2238
0
#endif
2239
0
    {
2240
0
        if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, p, 8)) != 0) {
2241
0
            return ret;
2242
0
        }
2243
0
    }
2244
0
    p += 8;
2245
2246
0
    memcpy(ssl->handshake->randbytes + 32, buf + 6, 32);
2247
2248
0
    MBEDTLS_SSL_DEBUG_BUF(3, "server hello, random bytes", buf + 6, 32);
2249
2250
0
    ssl_handle_id_based_session_resumption(ssl);
2251
2252
0
    if (ssl->handshake->resume == 0) {
2253
        /*
2254
         * New session, create a new session id,
2255
         * unless we're about to issue a session ticket
2256
         */
2257
0
        ssl->state++;
2258
2259
0
#if defined(MBEDTLS_HAVE_TIME)
2260
0
        ssl->session_negotiate->start = mbedtls_time(NULL);
2261
0
#endif
2262
2263
0
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
2264
0
        if (ssl->handshake->new_session_ticket != 0) {
2265
0
            ssl->session_negotiate->id_len = n = 0;
2266
0
            memset(ssl->session_negotiate->id, 0, 32);
2267
0
        } else
2268
0
#endif /* MBEDTLS_SSL_SESSION_TICKETS */
2269
0
        {
2270
0
            ssl->session_negotiate->id_len = n = 32;
2271
0
            if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, ssl->session_negotiate->id,
2272
0
                                        n)) != 0) {
2273
0
                return ret;
2274
0
            }
2275
0
        }
2276
0
    } else {
2277
        /*
2278
         * Resuming a session
2279
         */
2280
0
        n = ssl->session_negotiate->id_len;
2281
0
        ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC;
2282
2283
0
        if ((ret = mbedtls_ssl_derive_keys(ssl)) != 0) {
2284
0
            MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_derive_keys", ret);
2285
0
            return ret;
2286
0
        }
2287
0
    }
2288
2289
    /*
2290
     *    38  .  38     session id length
2291
     *    39  . 38+n    session id
2292
     *   39+n . 40+n    chosen ciphersuite
2293
     *   41+n . 41+n    chosen compression alg.
2294
     *   42+n . 43+n    extensions length
2295
     *   44+n . 43+n+m  extensions
2296
     */
2297
0
    *p++ = (unsigned char) ssl->session_negotiate->id_len;
2298
0
    memcpy(p, ssl->session_negotiate->id, ssl->session_negotiate->id_len);
2299
0
    p += ssl->session_negotiate->id_len;
2300
2301
0
    MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, session id len.: %" MBEDTLS_PRINTF_SIZET, n));
2302
0
    MBEDTLS_SSL_DEBUG_BUF(3,   "server hello, session id", buf + 39, n);
2303
0
    MBEDTLS_SSL_DEBUG_MSG(3, ("%s session has been resumed",
2304
0
                              ssl->handshake->resume ? "a" : "no"));
2305
2306
0
    MBEDTLS_PUT_UINT16_BE(ssl->session_negotiate->ciphersuite, p, 0);
2307
0
    p += 2;
2308
0
    *p++ = MBEDTLS_BYTE_0(MBEDTLS_SSL_COMPRESS_NULL);
2309
2310
0
    MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, chosen ciphersuite: %s",
2311
0
                              mbedtls_ssl_get_ciphersuite_name(ssl->session_negotiate->ciphersuite)));
2312
0
    MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, compress alg.: 0x%02X",
2313
0
                              (unsigned int) MBEDTLS_SSL_COMPRESS_NULL));
2314
2315
    /*
2316
     *  First write extensions, then the total length
2317
     */
2318
0
    ssl_write_renegotiation_ext(ssl, p + 2 + ext_len, &olen);
2319
0
    ext_len += olen;
2320
2321
0
#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
2322
0
    ssl_write_max_fragment_length_ext(ssl, p + 2 + ext_len, &olen);
2323
0
    ext_len += olen;
2324
0
#endif
2325
2326
0
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
2327
0
    ssl_write_cid_ext(ssl, p + 2 + ext_len, &olen);
2328
0
    ext_len += olen;
2329
0
#endif
2330
2331
0
#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
2332
0
    ssl_write_encrypt_then_mac_ext(ssl, p + 2 + ext_len, &olen);
2333
0
    ext_len += olen;
2334
0
#endif
2335
2336
0
#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
2337
0
    ssl_write_extended_ms_ext(ssl, p + 2 + ext_len, &olen);
2338
0
    ext_len += olen;
2339
0
#endif
2340
2341
0
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
2342
0
    ssl_write_session_ticket_ext(ssl, p + 2 + ext_len, &olen);
2343
0
    ext_len += olen;
2344
0
#endif
2345
2346
0
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED) || \
2347
0
    defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED) || \
2348
0
    defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
2349
0
    const mbedtls_ssl_ciphersuite_t *suite =
2350
0
        mbedtls_ssl_ciphersuite_from_id(ssl->session_negotiate->ciphersuite);
2351
0
    if (suite != NULL && mbedtls_ssl_ciphersuite_uses_ec(suite)) {
2352
0
        ssl_write_supported_point_formats_ext(ssl, p + 2 + ext_len, &olen);
2353
0
        ext_len += olen;
2354
0
    }
2355
0
#endif
2356
2357
0
#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
2358
0
    ssl_write_ecjpake_kkpp_ext(ssl, p + 2 + ext_len, &olen);
2359
0
    ext_len += olen;
2360
0
#endif
2361
2362
0
#if defined(MBEDTLS_SSL_ALPN)
2363
0
    unsigned char *end = buf + MBEDTLS_SSL_OUT_CONTENT_LEN - 4;
2364
0
    if ((ret = mbedtls_ssl_write_alpn_ext(ssl, p + 2 + ext_len, end, &olen))
2365
0
        != 0) {
2366
0
        return ret;
2367
0
    }
2368
2369
0
    ext_len += olen;
2370
0
#endif
2371
2372
0
#if defined(MBEDTLS_SSL_DTLS_SRTP)
2373
0
    ssl_write_use_srtp_ext(ssl, p + 2 + ext_len, &olen);
2374
0
    ext_len += olen;
2375
0
#endif
2376
2377
0
    MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, total extension length: %" MBEDTLS_PRINTF_SIZET,
2378
0
                              ext_len));
2379
2380
0
    if (ext_len > 0) {
2381
0
        MBEDTLS_PUT_UINT16_BE(ext_len, p, 0);
2382
0
        p += 2 + ext_len;
2383
0
    }
2384
2385
0
    ssl->out_msglen  = (size_t) (p - buf);
2386
0
    ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
2387
0
    ssl->out_msg[0]  = MBEDTLS_SSL_HS_SERVER_HELLO;
2388
2389
0
    ret = mbedtls_ssl_write_handshake_msg(ssl);
2390
2391
0
    MBEDTLS_SSL_DEBUG_MSG(2, ("<= write server hello"));
2392
2393
0
    return ret;
2394
0
}
2395
2396
#if !defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
2397
MBEDTLS_CHECK_RETURN_CRITICAL
2398
static int ssl_write_certificate_request(mbedtls_ssl_context *ssl)
2399
{
2400
    const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
2401
        ssl->handshake->ciphersuite_info;
2402
2403
    MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate request"));
2404
2405
    if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) {
2406
        MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate request"));
2407
        ssl->state++;
2408
        return 0;
2409
    }
2410
2411
    MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
2412
    return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
2413
}
2414
#else /* !MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
2415
MBEDTLS_CHECK_RETURN_CRITICAL
2416
static int ssl_write_certificate_request(mbedtls_ssl_context *ssl)
2417
0
{
2418
0
    int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
2419
0
    const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
2420
0
        ssl->handshake->ciphersuite_info;
2421
0
    uint16_t dn_size, total_dn_size; /* excluding length bytes */
2422
0
    size_t ct_len, sa_len; /* including length bytes */
2423
0
    unsigned char *buf, *p;
2424
0
    const unsigned char * const end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
2425
0
    const mbedtls_x509_crt *crt;
2426
0
    int authmode;
2427
2428
0
    MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate request"));
2429
2430
0
    ssl->state++;
2431
2432
0
#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
2433
0
    if (ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET) {
2434
0
        authmode = ssl->handshake->sni_authmode;
2435
0
    } else
2436
0
#endif
2437
0
    authmode = ssl->conf->authmode;
2438
2439
0
    if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info) ||
2440
0
        authmode == MBEDTLS_SSL_VERIFY_NONE) {
2441
0
        MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate request"));
2442
0
        return 0;
2443
0
    }
2444
2445
    /*
2446
     *     0  .   0   handshake type
2447
     *     1  .   3   handshake length
2448
     *     4  .   4   cert type count
2449
     *     5  .. m-1  cert types
2450
     *     m  .. m+1  sig alg length (TLS 1.2 only)
2451
     *    m+1 .. n-1  SignatureAndHashAlgorithms (TLS 1.2 only)
2452
     *     n  .. n+1  length of all DNs
2453
     *    n+2 .. n+3  length of DN 1
2454
     *    n+4 .. ...  Distinguished Name #1
2455
     *    ... .. ...  length of DN 2, etc.
2456
     */
2457
0
    buf = ssl->out_msg;
2458
0
    p = buf + 4;
2459
2460
    /*
2461
     * Supported certificate types
2462
     *
2463
     *     ClientCertificateType certificate_types<1..2^8-1>;
2464
     *     enum { (255) } ClientCertificateType;
2465
     */
2466
0
    ct_len = 0;
2467
2468
0
#if defined(MBEDTLS_RSA_C)
2469
0
    p[1 + ct_len++] = MBEDTLS_SSL_CERT_TYPE_RSA_SIGN;
2470
0
#endif
2471
0
#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
2472
0
    p[1 + ct_len++] = MBEDTLS_SSL_CERT_TYPE_ECDSA_SIGN;
2473
0
#endif
2474
2475
0
    p[0] = (unsigned char) ct_len++;
2476
0
    p += ct_len;
2477
2478
0
    sa_len = 0;
2479
2480
    /*
2481
     * Add signature_algorithms for verify (TLS 1.2)
2482
     *
2483
     *     SignatureAndHashAlgorithm supported_signature_algorithms<2..2^16-2>;
2484
     *
2485
     *     struct {
2486
     *           HashAlgorithm hash;
2487
     *           SignatureAlgorithm signature;
2488
     *     } SignatureAndHashAlgorithm;
2489
     *
2490
     *     enum { (255) } HashAlgorithm;
2491
     *     enum { (255) } SignatureAlgorithm;
2492
     */
2493
0
    const uint16_t *sig_alg = mbedtls_ssl_get_sig_algs(ssl);
2494
0
    if (sig_alg == NULL) {
2495
0
        return MBEDTLS_ERR_SSL_BAD_CONFIG;
2496
0
    }
2497
2498
0
    for (; *sig_alg != MBEDTLS_TLS_SIG_NONE; sig_alg++) {
2499
0
        unsigned char hash = MBEDTLS_BYTE_1(*sig_alg);
2500
2501
0
        if (mbedtls_ssl_set_calc_verify_md(ssl, hash)) {
2502
0
            continue;
2503
0
        }
2504
0
        if (!mbedtls_ssl_sig_alg_is_supported(ssl, *sig_alg)) {
2505
0
            continue;
2506
0
        }
2507
2508
        /* Write elements at offsets starting from 1 (offset 0 is for the
2509
         * length). Thus the offset of each element is the length of the
2510
         * partial list including that element. */
2511
0
        sa_len += 2;
2512
0
        MBEDTLS_PUT_UINT16_BE(*sig_alg, p, sa_len);
2513
2514
0
    }
2515
2516
    /* Fill in list length. */
2517
0
    MBEDTLS_PUT_UINT16_BE(sa_len, p, 0);
2518
0
    sa_len += 2;
2519
0
    p += sa_len;
2520
2521
    /*
2522
     * DistinguishedName certificate_authorities<0..2^16-1>;
2523
     * opaque DistinguishedName<1..2^16-1>;
2524
     */
2525
0
    p += 2;
2526
2527
0
    total_dn_size = 0;
2528
2529
0
    if (ssl->conf->cert_req_ca_list ==  MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED) {
2530
        /* NOTE: If trusted certificates are provisioned
2531
         *       via a CA callback (configured through
2532
         *       `mbedtls_ssl_conf_ca_cb()`, then the
2533
         *       CertificateRequest is currently left empty. */
2534
2535
0
#if defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
2536
0
#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
2537
0
        if (ssl->handshake->dn_hints != NULL) {
2538
0
            crt = ssl->handshake->dn_hints;
2539
0
        } else
2540
0
#endif
2541
0
        if (ssl->conf->dn_hints != NULL) {
2542
0
            crt = ssl->conf->dn_hints;
2543
0
        } else
2544
0
#endif
2545
0
#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
2546
0
        if (ssl->handshake->sni_ca_chain != NULL) {
2547
0
            crt = ssl->handshake->sni_ca_chain;
2548
0
        } else
2549
0
#endif
2550
0
        crt = ssl->conf->ca_chain;
2551
2552
0
        while (crt != NULL && crt->version != 0) {
2553
            /* It follows from RFC 5280 A.1 that this length
2554
             * can be represented in at most 11 bits. */
2555
0
            dn_size = (uint16_t) crt->subject_raw.len;
2556
2557
0
            if (end < p || (size_t) (end - p) < 2 + (size_t) dn_size) {
2558
0
                MBEDTLS_SSL_DEBUG_MSG(1, ("skipping CAs: buffer too short"));
2559
0
                break;
2560
0
            }
2561
2562
0
            MBEDTLS_PUT_UINT16_BE(dn_size, p, 0);
2563
0
            p += 2;
2564
0
            memcpy(p, crt->subject_raw.p, dn_size);
2565
0
            p += dn_size;
2566
2567
0
            MBEDTLS_SSL_DEBUG_BUF(3, "requested DN", p - dn_size, dn_size);
2568
2569
0
            total_dn_size += (unsigned short) (2 + dn_size);
2570
0
            crt = crt->next;
2571
0
        }
2572
0
    }
2573
2574
0
    ssl->out_msglen  = (size_t) (p - buf);
2575
0
    ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
2576
0
    ssl->out_msg[0]  = MBEDTLS_SSL_HS_CERTIFICATE_REQUEST;
2577
0
    MBEDTLS_PUT_UINT16_BE(total_dn_size, ssl->out_msg, 4 + ct_len + sa_len);
2578
2579
0
    ret = mbedtls_ssl_write_handshake_msg(ssl);
2580
2581
0
    MBEDTLS_SSL_DEBUG_MSG(2, ("<= write certificate request"));
2582
2583
0
    return ret;
2584
0
}
2585
#endif /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
2586
2587
#if (defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
2588
    defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED))
2589
#if defined(MBEDTLS_USE_PSA_CRYPTO)
2590
MBEDTLS_CHECK_RETURN_CRITICAL
2591
static int ssl_get_ecdh_params_from_cert(mbedtls_ssl_context *ssl)
2592
0
{
2593
0
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2594
0
    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
2595
0
    mbedtls_pk_context *pk;
2596
0
    mbedtls_pk_type_t pk_type;
2597
0
    psa_key_attributes_t key_attributes = PSA_KEY_ATTRIBUTES_INIT;
2598
0
    unsigned char buf[PSA_KEY_EXPORT_ECC_KEY_PAIR_MAX_SIZE(PSA_VENDOR_ECC_MAX_CURVE_BITS)];
2599
0
    size_t key_len;
2600
0
#if !defined(MBEDTLS_PK_USE_PSA_EC_DATA)
2601
0
    uint16_t tls_id = 0;
2602
0
    psa_key_type_t key_type = PSA_KEY_TYPE_NONE;
2603
0
    mbedtls_ecp_group_id grp_id;
2604
0
    mbedtls_ecp_keypair *key;
2605
0
#endif /* !MBEDTLS_PK_USE_PSA_EC_DATA */
2606
2607
0
    pk = mbedtls_ssl_own_key(ssl);
2608
2609
0
    if (pk == NULL) {
2610
0
        return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
2611
0
    }
2612
2613
0
    pk_type = mbedtls_pk_get_type(pk);
2614
2615
0
    switch (pk_type) {
2616
0
        case MBEDTLS_PK_OPAQUE:
2617
#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
2618
        case MBEDTLS_PK_ECKEY:
2619
        case MBEDTLS_PK_ECKEY_DH:
2620
        case MBEDTLS_PK_ECDSA:
2621
#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
2622
0
            if (!mbedtls_pk_can_do(pk, MBEDTLS_PK_ECKEY)) {
2623
0
                return MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH;
2624
0
            }
2625
2626
            /* Get the attributes of the key previously parsed by PK module in
2627
             * order to extract its type and length (in bits). */
2628
0
            status = psa_get_key_attributes(pk->priv_id, &key_attributes);
2629
0
            if (status != PSA_SUCCESS) {
2630
0
                ret = PSA_TO_MBEDTLS_ERR(status);
2631
0
                goto exit;
2632
0
            }
2633
0
            ssl->handshake->xxdh_psa_type = psa_get_key_type(&key_attributes);
2634
0
            ssl->handshake->xxdh_psa_bits = psa_get_key_bits(&key_attributes);
2635
2636
#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
2637
            if (pk_type != MBEDTLS_PK_OPAQUE) {
2638
                /* PK_ECKEY[_DH] and PK_ECDSA instead as parsed from the PK
2639
                 * module and only have ECDSA capabilities. Since we need
2640
                 * them for ECDH later, we export and then re-import them with
2641
                 * proper flags and algorithm. Of course We also set key's type
2642
                 * and bits that we just got above. */
2643
                key_attributes = psa_key_attributes_init();
2644
                psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE);
2645
                psa_set_key_algorithm(&key_attributes, PSA_ALG_ECDH);
2646
                psa_set_key_type(&key_attributes,
2647
                                 PSA_KEY_TYPE_ECC_KEY_PAIR(ssl->handshake->xxdh_psa_type));
2648
                psa_set_key_bits(&key_attributes, ssl->handshake->xxdh_psa_bits);
2649
2650
                status = psa_export_key(pk->priv_id, buf, sizeof(buf), &key_len);
2651
                if (status != PSA_SUCCESS) {
2652
                    ret = PSA_TO_MBEDTLS_ERR(status);
2653
                    goto exit;
2654
                }
2655
                status = psa_import_key(&key_attributes, buf, key_len,
2656
                                        &ssl->handshake->xxdh_psa_privkey);
2657
                if (status != PSA_SUCCESS) {
2658
                    ret = PSA_TO_MBEDTLS_ERR(status);
2659
                    goto exit;
2660
                }
2661
2662
                /* Set this key as owned by the TLS library: it will be its duty
2663
                 * to clear it exit. */
2664
                ssl->handshake->xxdh_psa_privkey_is_external = 0;
2665
2666
                ret = 0;
2667
                break;
2668
            }
2669
#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
2670
2671
            /* Opaque key is created by the user (externally from Mbed TLS)
2672
             * so we assume it already has the right algorithm and flags
2673
             * set. Just copy its ID as reference. */
2674
0
            ssl->handshake->xxdh_psa_privkey = pk->priv_id;
2675
0
            ssl->handshake->xxdh_psa_privkey_is_external = 1;
2676
0
            ret = 0;
2677
0
            break;
2678
2679
0
#if !defined(MBEDTLS_PK_USE_PSA_EC_DATA)
2680
0
        case MBEDTLS_PK_ECKEY:
2681
0
        case MBEDTLS_PK_ECKEY_DH:
2682
0
        case MBEDTLS_PK_ECDSA:
2683
0
            key = mbedtls_pk_ec_rw(*pk);
2684
0
            grp_id = mbedtls_pk_get_ec_group_id(pk);
2685
0
            if (grp_id == MBEDTLS_ECP_DP_NONE) {
2686
0
                return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
2687
0
            }
2688
0
            tls_id = mbedtls_ssl_get_tls_id_from_ecp_group_id(grp_id);
2689
0
            if (tls_id == 0) {
2690
                /* This elliptic curve is not supported */
2691
0
                return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
2692
0
            }
2693
2694
            /* If the above conversion to TLS ID was fine, then also this one will
2695
               be, so there is no need to check the return value here */
2696
0
            mbedtls_ssl_get_psa_curve_info_from_tls_id(tls_id, &key_type,
2697
0
                                                       &ssl->handshake->xxdh_psa_bits);
2698
2699
0
            ssl->handshake->xxdh_psa_type = key_type;
2700
2701
0
            key_attributes = psa_key_attributes_init();
2702
0
            psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE);
2703
0
            psa_set_key_algorithm(&key_attributes, PSA_ALG_ECDH);
2704
0
            psa_set_key_type(&key_attributes,
2705
0
                             PSA_KEY_TYPE_ECC_KEY_PAIR(ssl->handshake->xxdh_psa_type));
2706
0
            psa_set_key_bits(&key_attributes, ssl->handshake->xxdh_psa_bits);
2707
2708
0
            ret = mbedtls_ecp_write_key_ext(key, &key_len, buf, sizeof(buf));
2709
0
            if (ret != 0) {
2710
0
                mbedtls_platform_zeroize(buf, sizeof(buf));
2711
0
                break;
2712
0
            }
2713
2714
0
            status = psa_import_key(&key_attributes, buf, key_len,
2715
0
                                    &ssl->handshake->xxdh_psa_privkey);
2716
0
            if (status != PSA_SUCCESS) {
2717
0
                ret = PSA_TO_MBEDTLS_ERR(status);
2718
0
                mbedtls_platform_zeroize(buf, sizeof(buf));
2719
0
                break;
2720
0
            }
2721
2722
0
            mbedtls_platform_zeroize(buf, sizeof(buf));
2723
0
            ret = 0;
2724
0
            break;
2725
0
#endif /* !MBEDTLS_PK_USE_PSA_EC_DATA */
2726
0
        default:
2727
0
            ret = MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH;
2728
0
    }
2729
2730
0
exit:
2731
0
    psa_reset_key_attributes(&key_attributes);
2732
0
    mbedtls_platform_zeroize(buf, sizeof(buf));
2733
2734
0
    return ret;
2735
0
}
2736
#else /* MBEDTLS_USE_PSA_CRYPTO */
2737
MBEDTLS_CHECK_RETURN_CRITICAL
2738
static int ssl_get_ecdh_params_from_cert(mbedtls_ssl_context *ssl)
2739
{
2740
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2741
2742
    const mbedtls_pk_context *private_key = mbedtls_ssl_own_key(ssl);
2743
    if (private_key == NULL) {
2744
        MBEDTLS_SSL_DEBUG_MSG(1, ("got no server private key"));
2745
        return MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED;
2746
    }
2747
2748
    if (!mbedtls_pk_can_do(private_key, MBEDTLS_PK_ECKEY)) {
2749
        MBEDTLS_SSL_DEBUG_MSG(1, ("server key not ECDH capable"));
2750
        return MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH;
2751
    }
2752
2753
    if ((ret = mbedtls_ecdh_get_params(&ssl->handshake->ecdh_ctx,
2754
                                       mbedtls_pk_ec_ro(*mbedtls_ssl_own_key(ssl)),
2755
                                       MBEDTLS_ECDH_OURS)) != 0) {
2756
        MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ecdh_get_params"), ret);
2757
        return ret;
2758
    }
2759
2760
    return 0;
2761
}
2762
#endif /* MBEDTLS_USE_PSA_CRYPTO */
2763
#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) ||
2764
          MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
2765
2766
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) && \
2767
    defined(MBEDTLS_SSL_ASYNC_PRIVATE)
2768
MBEDTLS_CHECK_RETURN_CRITICAL
2769
static int ssl_resume_server_key_exchange(mbedtls_ssl_context *ssl,
2770
                                          size_t *signature_len)
2771
0
{
2772
    /* Append the signature to ssl->out_msg, leaving 2 bytes for the
2773
     * signature length which will be added in ssl_write_server_key_exchange
2774
     * after the call to ssl_prepare_server_key_exchange.
2775
     * ssl_write_server_key_exchange also takes care of incrementing
2776
     * ssl->out_msglen. */
2777
0
    unsigned char *sig_start = ssl->out_msg + ssl->out_msglen + 2;
2778
0
    size_t sig_max_len = (ssl->out_buf + MBEDTLS_SSL_OUT_CONTENT_LEN
2779
0
                          - sig_start);
2780
0
    int ret = ssl->conf->f_async_resume(ssl,
2781
0
                                        sig_start, signature_len, sig_max_len);
2782
0
    if (ret != MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS) {
2783
0
        ssl->handshake->async_in_progress = 0;
2784
0
        mbedtls_ssl_set_async_operation_data(ssl, NULL);
2785
0
    }
2786
0
    MBEDTLS_SSL_DEBUG_RET(2, "ssl_resume_server_key_exchange", ret);
2787
0
    return ret;
2788
0
}
2789
#endif /* defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) &&
2790
          defined(MBEDTLS_SSL_ASYNC_PRIVATE) */
2791
2792
/* Prepare the ServerKeyExchange message, up to and including
2793
 * calculating the signature if any, but excluding formatting the
2794
 * signature and sending the message. */
2795
MBEDTLS_CHECK_RETURN_CRITICAL
2796
static int ssl_prepare_server_key_exchange(mbedtls_ssl_context *ssl,
2797
                                           size_t *signature_len)
2798
0
{
2799
0
    const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
2800
0
        ssl->handshake->ciphersuite_info;
2801
2802
0
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PFS_ENABLED)
2803
0
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
2804
0
    unsigned char *dig_signed = NULL;
2805
0
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED */
2806
0
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PFS_ENABLED */
2807
2808
0
    (void) ciphersuite_info; /* unused in some configurations */
2809
#if !defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
2810
    (void) signature_len;
2811
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED */
2812
2813
0
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
2814
0
#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
2815
0
    size_t out_buf_len = ssl->out_buf_len - (size_t) (ssl->out_msg - ssl->out_buf);
2816
#else
2817
    size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN - (size_t) (ssl->out_msg - ssl->out_buf);
2818
#endif
2819
0
#endif
2820
2821
0
    ssl->out_msglen = 4; /* header (type:1, length:3) to be written later */
2822
2823
    /*
2824
     *
2825
     * Part 1: Provide key exchange parameters for chosen ciphersuite.
2826
     *
2827
     */
2828
2829
    /*
2830
     * - ECJPAKE key exchanges
2831
     */
2832
0
#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
2833
0
    if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE) {
2834
0
        int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2835
0
#if defined(MBEDTLS_USE_PSA_CRYPTO)
2836
0
        unsigned char *out_p = ssl->out_msg + ssl->out_msglen;
2837
0
        unsigned char *end_p = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN -
2838
0
                               ssl->out_msglen;
2839
0
        size_t output_offset = 0;
2840
0
        size_t output_len = 0;
2841
2842
        /*
2843
         * The first 3 bytes are:
2844
         * [0] MBEDTLS_ECP_TLS_NAMED_CURVE
2845
         * [1, 2] elliptic curve's TLS ID
2846
         *
2847
         * However since we only support secp256r1 for now, we hardcode its
2848
         * TLS ID here
2849
         */
2850
0
        uint16_t tls_id = mbedtls_ssl_get_tls_id_from_ecp_group_id(
2851
0
            MBEDTLS_ECP_DP_SECP256R1);
2852
0
        if (tls_id == 0) {
2853
0
            return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
2854
0
        }
2855
0
        *out_p = MBEDTLS_ECP_TLS_NAMED_CURVE;
2856
0
        MBEDTLS_PUT_UINT16_BE(tls_id, out_p, 1);
2857
0
        output_offset += 3;
2858
2859
0
        ret = mbedtls_psa_ecjpake_write_round(&ssl->handshake->psa_pake_ctx,
2860
0
                                              out_p + output_offset,
2861
0
                                              end_p - out_p - output_offset, &output_len,
2862
0
                                              MBEDTLS_ECJPAKE_ROUND_TWO);
2863
0
        if (ret != 0) {
2864
0
            psa_destroy_key(ssl->handshake->psa_pake_password);
2865
0
            psa_pake_abort(&ssl->handshake->psa_pake_ctx);
2866
0
            MBEDTLS_SSL_DEBUG_RET(1, "psa_pake_output", ret);
2867
0
            return ret;
2868
0
        }
2869
2870
0
        output_offset += output_len;
2871
0
        ssl->out_msglen += output_offset;
2872
#else
2873
        size_t len = 0;
2874
2875
        ret = mbedtls_ecjpake_write_round_two(
2876
            &ssl->handshake->ecjpake_ctx,
2877
            ssl->out_msg + ssl->out_msglen,
2878
            MBEDTLS_SSL_OUT_CONTENT_LEN - ssl->out_msglen, &len,
2879
            ssl->conf->f_rng, ssl->conf->p_rng);
2880
        if (ret != 0) {
2881
            MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_write_round_two", ret);
2882
            return ret;
2883
        }
2884
2885
        ssl->out_msglen += len;
2886
#endif /* MBEDTLS_USE_PSA_CRYPTO */
2887
0
    }
2888
0
#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
2889
2890
    /*
2891
     * For (EC)DHE key exchanges with PSK, parameters are prefixed by support
2892
     * identity hint (RFC 4279, Sec. 3). Until someone needs this feature,
2893
     * we use empty support identity hints here.
2894
     **/
2895
0
#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)   || \
2896
0
    defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
2897
0
    if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
2898
0
        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK) {
2899
0
        ssl->out_msg[ssl->out_msglen++] = 0x00;
2900
0
        ssl->out_msg[ssl->out_msglen++] = 0x00;
2901
0
    }
2902
0
#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED ||
2903
          MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
2904
2905
    /*
2906
     * - DHE key exchanges
2907
     */
2908
0
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_DHE_ENABLED)
2909
0
    if (mbedtls_ssl_ciphersuite_uses_dhe(ciphersuite_info)) {
2910
0
        int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2911
0
        size_t len = 0;
2912
2913
0
        if (ssl->conf->dhm_P.p == NULL || ssl->conf->dhm_G.p == NULL) {
2914
0
            MBEDTLS_SSL_DEBUG_MSG(1, ("no DH parameters set"));
2915
0
            return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2916
0
        }
2917
2918
        /*
2919
         * Ephemeral DH parameters:
2920
         *
2921
         * struct {
2922
         *     opaque dh_p<1..2^16-1>;
2923
         *     opaque dh_g<1..2^16-1>;
2924
         *     opaque dh_Ys<1..2^16-1>;
2925
         * } ServerDHParams;
2926
         */
2927
0
        if ((ret = mbedtls_dhm_set_group(&ssl->handshake->dhm_ctx,
2928
0
                                         &ssl->conf->dhm_P,
2929
0
                                         &ssl->conf->dhm_G)) != 0) {
2930
0
            MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_set_group", ret);
2931
0
            return ret;
2932
0
        }
2933
2934
0
        if ((ret = mbedtls_dhm_make_params(
2935
0
                 &ssl->handshake->dhm_ctx,
2936
0
                 (int) mbedtls_dhm_get_len(&ssl->handshake->dhm_ctx),
2937
0
                 ssl->out_msg + ssl->out_msglen, &len,
2938
0
                 ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
2939
0
            MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_make_params", ret);
2940
0
            return ret;
2941
0
        }
2942
2943
0
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
2944
0
        dig_signed = ssl->out_msg + ssl->out_msglen;
2945
0
#endif
2946
2947
0
        ssl->out_msglen += len;
2948
2949
0
        MBEDTLS_SSL_DEBUG_MPI(3, "DHM: X ", &ssl->handshake->dhm_ctx.X);
2950
0
        MBEDTLS_SSL_DEBUG_MPI(3, "DHM: P ", &ssl->handshake->dhm_ctx.P);
2951
0
        MBEDTLS_SSL_DEBUG_MPI(3, "DHM: G ", &ssl->handshake->dhm_ctx.G);
2952
0
        MBEDTLS_SSL_DEBUG_MPI(3, "DHM: GX", &ssl->handshake->dhm_ctx.GX);
2953
0
    }
2954
0
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_DHE_ENABLED */
2955
2956
    /*
2957
     * - ECDHE key exchanges
2958
     */
2959
0
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDHE_ENABLED)
2960
0
    if (mbedtls_ssl_ciphersuite_uses_ecdhe(ciphersuite_info)) {
2961
        /*
2962
         * Ephemeral ECDH parameters:
2963
         *
2964
         * struct {
2965
         *     ECParameters curve_params;
2966
         *     ECPoint      public;
2967
         * } ServerECDHParams;
2968
         */
2969
0
        uint16_t *curr_tls_id = ssl->handshake->curves_tls_id;
2970
0
        const uint16_t *group_list = mbedtls_ssl_get_groups(ssl);
2971
0
        int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2972
0
        size_t len = 0;
2973
2974
        /* Match our preference list against the offered curves */
2975
0
        if ((group_list == NULL) || (curr_tls_id == NULL)) {
2976
0
            return MBEDTLS_ERR_SSL_BAD_CONFIG;
2977
0
        }
2978
0
        for (; *group_list != 0; group_list++) {
2979
0
            for (curr_tls_id = ssl->handshake->curves_tls_id;
2980
0
                 *curr_tls_id != 0; curr_tls_id++) {
2981
0
                if (*curr_tls_id == *group_list) {
2982
0
                    goto curve_matching_done;
2983
0
                }
2984
0
            }
2985
0
        }
2986
2987
0
curve_matching_done:
2988
0
        if (*curr_tls_id == 0) {
2989
0
            MBEDTLS_SSL_DEBUG_MSG(1, ("no matching curve for ECDHE"));
2990
0
            return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
2991
0
        }
2992
2993
0
        MBEDTLS_SSL_DEBUG_MSG(2, ("ECDHE curve: %s",
2994
0
                                  mbedtls_ssl_get_curve_name_from_tls_id(*curr_tls_id)));
2995
2996
0
#if defined(MBEDTLS_USE_PSA_CRYPTO)
2997
0
        psa_status_t status = PSA_ERROR_GENERIC_ERROR;
2998
0
        psa_key_attributes_t key_attributes;
2999
0
        mbedtls_ssl_handshake_params *handshake = ssl->handshake;
3000
0
        uint8_t *p = ssl->out_msg + ssl->out_msglen;
3001
0
        const size_t header_size = 4; // curve_type(1), namedcurve(2),
3002
                                      // data length(1)
3003
0
        const size_t data_length_size = 1;
3004
0
        psa_key_type_t key_type = PSA_KEY_TYPE_NONE;
3005
0
        size_t ec_bits = 0;
3006
3007
0
        MBEDTLS_SSL_DEBUG_MSG(1, ("Perform PSA-based ECDH computation."));
3008
3009
        /* Convert EC's TLS ID to PSA key type. */
3010
0
        if (mbedtls_ssl_get_psa_curve_info_from_tls_id(*curr_tls_id,
3011
0
                                                       &key_type,
3012
0
                                                       &ec_bits) == PSA_ERROR_NOT_SUPPORTED) {
3013
0
            MBEDTLS_SSL_DEBUG_MSG(1, ("Invalid ecc group parse."));
3014
0
            return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
3015
0
        }
3016
0
        handshake->xxdh_psa_type = key_type;
3017
0
        handshake->xxdh_psa_bits = ec_bits;
3018
3019
0
        key_attributes = psa_key_attributes_init();
3020
0
        psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE);
3021
0
        psa_set_key_algorithm(&key_attributes, PSA_ALG_ECDH);
3022
0
        psa_set_key_type(&key_attributes, handshake->xxdh_psa_type);
3023
0
        psa_set_key_bits(&key_attributes, handshake->xxdh_psa_bits);
3024
3025
        /*
3026
         * ECParameters curve_params
3027
         *
3028
         * First byte is curve_type, always named_curve
3029
         */
3030
0
        *p++ = MBEDTLS_ECP_TLS_NAMED_CURVE;
3031
3032
        /*
3033
         * Next two bytes are the namedcurve value
3034
         */
3035
0
        MBEDTLS_PUT_UINT16_BE(*curr_tls_id, p, 0);
3036
0
        p += 2;
3037
3038
        /* Generate ECDH private key. */
3039
0
        status = psa_generate_key(&key_attributes,
3040
0
                                  &handshake->xxdh_psa_privkey);
3041
0
        if (status != PSA_SUCCESS) {
3042
0
            ret = PSA_TO_MBEDTLS_ERR(status);
3043
0
            MBEDTLS_SSL_DEBUG_RET(1, "psa_generate_key", ret);
3044
0
            return ret;
3045
0
        }
3046
3047
        /*
3048
         * ECPoint  public
3049
         *
3050
         * First byte is data length.
3051
         * It will be filled later. p holds now the data length location.
3052
         */
3053
3054
        /* Export the public part of the ECDH private key from PSA.
3055
         * Make one byte space for the length.
3056
         */
3057
0
        unsigned char *own_pubkey = p + data_length_size;
3058
3059
0
        size_t own_pubkey_max_len = (size_t) (MBEDTLS_SSL_OUT_CONTENT_LEN
3060
0
                                              - (own_pubkey - ssl->out_msg));
3061
3062
0
        status = psa_export_public_key(handshake->xxdh_psa_privkey,
3063
0
                                       own_pubkey, own_pubkey_max_len,
3064
0
                                       &len);
3065
0
        if (status != PSA_SUCCESS) {
3066
0
            ret = PSA_TO_MBEDTLS_ERR(status);
3067
0
            MBEDTLS_SSL_DEBUG_RET(1, "psa_export_public_key", ret);
3068
0
            (void) psa_destroy_key(handshake->xxdh_psa_privkey);
3069
0
            handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
3070
0
            return ret;
3071
0
        }
3072
3073
        /* Store the length of the exported public key. */
3074
0
        *p = (uint8_t) len;
3075
3076
        /* Determine full message length. */
3077
0
        len += header_size;
3078
#else
3079
        mbedtls_ecp_group_id curr_grp_id =
3080
            mbedtls_ssl_get_ecp_group_id_from_tls_id(*curr_tls_id);
3081
3082
        if ((ret = mbedtls_ecdh_setup(&ssl->handshake->ecdh_ctx,
3083
                                      curr_grp_id)) != 0) {
3084
            MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecp_group_load", ret);
3085
            return ret;
3086
        }
3087
3088
        if ((ret = mbedtls_ecdh_make_params(
3089
                 &ssl->handshake->ecdh_ctx, &len,
3090
                 ssl->out_msg + ssl->out_msglen,
3091
                 MBEDTLS_SSL_OUT_CONTENT_LEN - ssl->out_msglen,
3092
                 ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
3093
            MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_make_params", ret);
3094
            return ret;
3095
        }
3096
3097
        MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx,
3098
                               MBEDTLS_DEBUG_ECDH_Q);
3099
#endif /* MBEDTLS_USE_PSA_CRYPTO */
3100
3101
0
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
3102
0
        dig_signed = ssl->out_msg + ssl->out_msglen;
3103
0
#endif
3104
3105
0
        ssl->out_msglen += len;
3106
0
    }
3107
0
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDHE_ENABLED */
3108
3109
    /*
3110
     *
3111
     * Part 2: For key exchanges involving the server signing the
3112
     *         exchange parameters, compute and add the signature here.
3113
     *
3114
     */
3115
0
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
3116
0
    if (mbedtls_ssl_ciphersuite_uses_server_signature(ciphersuite_info)) {
3117
0
        if (dig_signed == NULL) {
3118
0
            MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
3119
0
            return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
3120
0
        }
3121
3122
0
        size_t dig_signed_len = (size_t) (ssl->out_msg + ssl->out_msglen - dig_signed);
3123
0
        size_t hashlen = 0;
3124
0
        unsigned char hash[MBEDTLS_MD_MAX_SIZE];
3125
3126
0
        int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
3127
3128
        /*
3129
         * 2.1: Choose hash algorithm:
3130
         *      For TLS 1.2, obey signature-hash-algorithm extension
3131
         *      to choose appropriate hash.
3132
         */
3133
3134
0
        mbedtls_pk_type_t sig_alg =
3135
0
            mbedtls_ssl_get_ciphersuite_sig_pk_alg(ciphersuite_info);
3136
3137
0
        unsigned char sig_hash =
3138
0
            (unsigned char) mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg(
3139
0
                ssl, mbedtls_ssl_sig_from_pk_alg(sig_alg));
3140
3141
0
        mbedtls_md_type_t md_alg = mbedtls_ssl_md_alg_from_hash(sig_hash);
3142
3143
        /*    For TLS 1.2, obey signature-hash-algorithm extension
3144
         *    (RFC 5246, Sec. 7.4.1.4.1). */
3145
0
        if (sig_alg == MBEDTLS_PK_NONE || md_alg == MBEDTLS_MD_NONE) {
3146
0
            MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
3147
            /* (... because we choose a cipher suite
3148
             *      only if there is a matching hash.) */
3149
0
            return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
3150
0
        }
3151
3152
0
        MBEDTLS_SSL_DEBUG_MSG(3, ("pick hash algorithm %u for signing", (unsigned) md_alg));
3153
3154
        /*
3155
         * 2.2: Compute the hash to be signed
3156
         */
3157
0
        if (md_alg != MBEDTLS_MD_NONE) {
3158
0
            ret = mbedtls_ssl_get_key_exchange_md_tls1_2(ssl, hash, &hashlen,
3159
0
                                                         dig_signed,
3160
0
                                                         dig_signed_len,
3161
0
                                                         md_alg);
3162
0
            if (ret != 0) {
3163
0
                return ret;
3164
0
            }
3165
0
        } else {
3166
0
            MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
3167
0
            return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
3168
0
        }
3169
3170
0
        MBEDTLS_SSL_DEBUG_BUF(3, "parameters hash", hash, hashlen);
3171
3172
        /*
3173
         * 2.3: Compute and add the signature
3174
         */
3175
        /*
3176
         * We need to specify signature and hash algorithm explicitly through
3177
         * a prefix to the signature.
3178
         *
3179
         * struct {
3180
         *    HashAlgorithm hash;
3181
         *    SignatureAlgorithm signature;
3182
         * } SignatureAndHashAlgorithm;
3183
         *
3184
         * struct {
3185
         *    SignatureAndHashAlgorithm algorithm;
3186
         *    opaque signature<0..2^16-1>;
3187
         * } DigitallySigned;
3188
         *
3189
         */
3190
3191
0
        ssl->out_msg[ssl->out_msglen++] = mbedtls_ssl_hash_from_md_alg(md_alg);
3192
0
        ssl->out_msg[ssl->out_msglen++] = mbedtls_ssl_sig_from_pk_alg(sig_alg);
3193
3194
0
#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
3195
0
        if (ssl->conf->f_async_sign_start != NULL) {
3196
0
            ret = ssl->conf->f_async_sign_start(ssl,
3197
0
                                                mbedtls_ssl_own_cert(ssl),
3198
0
                                                md_alg, hash, hashlen);
3199
0
            switch (ret) {
3200
0
                case MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH:
3201
                    /* act as if f_async_sign was null */
3202
0
                    break;
3203
0
                case 0:
3204
0
                    ssl->handshake->async_in_progress = 1;
3205
0
                    return ssl_resume_server_key_exchange(ssl, signature_len);
3206
0
                case MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS:
3207
0
                    ssl->handshake->async_in_progress = 1;
3208
0
                    return MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS;
3209
0
                default:
3210
0
                    MBEDTLS_SSL_DEBUG_RET(1, "f_async_sign_start", ret);
3211
0
                    return ret;
3212
0
            }
3213
0
        }
3214
0
#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
3215
3216
0
        if (mbedtls_ssl_own_key(ssl) == NULL) {
3217
0
            MBEDTLS_SSL_DEBUG_MSG(1, ("got no private key"));
3218
0
            return MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED;
3219
0
        }
3220
3221
        /* Append the signature to ssl->out_msg, leaving 2 bytes for the
3222
         * signature length which will be added in ssl_write_server_key_exchange
3223
         * after the call to ssl_prepare_server_key_exchange.
3224
         * ssl_write_server_key_exchange also takes care of incrementing
3225
         * ssl->out_msglen. */
3226
0
        if ((ret = mbedtls_pk_sign(mbedtls_ssl_own_key(ssl),
3227
0
                                   md_alg, hash, hashlen,
3228
0
                                   ssl->out_msg + ssl->out_msglen + 2,
3229
0
                                   out_buf_len - ssl->out_msglen - 2,
3230
0
                                   signature_len,
3231
0
                                   ssl->conf->f_rng,
3232
0
                                   ssl->conf->p_rng)) != 0) {
3233
0
            MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_sign", ret);
3234
0
            return ret;
3235
0
        }
3236
0
    }
3237
0
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED */
3238
3239
0
    return 0;
3240
0
}
3241
3242
/* Prepare the ServerKeyExchange message and send it. For ciphersuites
3243
 * that do not include a ServerKeyExchange message, do nothing. Either
3244
 * way, if successful, move on to the next step in the SSL state
3245
 * machine. */
3246
MBEDTLS_CHECK_RETURN_CRITICAL
3247
static int ssl_write_server_key_exchange(mbedtls_ssl_context *ssl)
3248
0
{
3249
0
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
3250
0
    size_t signature_len = 0;
3251
0
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_NON_PFS_ENABLED)
3252
0
    const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
3253
0
        ssl->handshake->ciphersuite_info;
3254
0
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_NON_PFS_ENABLED */
3255
3256
0
    MBEDTLS_SSL_DEBUG_MSG(2, ("=> write server key exchange"));
3257
3258
0
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_NON_PFS_ENABLED)
3259
    /* Extract static ECDH parameters and abort if ServerKeyExchange
3260
     * is not needed. */
3261
0
    if (mbedtls_ssl_ciphersuite_no_pfs(ciphersuite_info)) {
3262
        /* For suites involving ECDH, extract DH parameters
3263
         * from certificate at this point. */
3264
0
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_ENABLED)
3265
0
        if (mbedtls_ssl_ciphersuite_uses_ecdh(ciphersuite_info)) {
3266
0
            ret = ssl_get_ecdh_params_from_cert(ssl);
3267
0
            if (ret != 0) {
3268
0
                MBEDTLS_SSL_DEBUG_RET(1, "ssl_get_ecdh_params_from_cert", ret);
3269
0
                return ret;
3270
0
            }
3271
0
        }
3272
0
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDH_ENABLED */
3273
3274
        /* Key exchanges not involving ephemeral keys don't use
3275
         * ServerKeyExchange, so end here. */
3276
0
        MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write server key exchange"));
3277
0
        ssl->state++;
3278
0
        return 0;
3279
0
    }
3280
0
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_NON_PFS_ENABLED */
3281
3282
0
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) && \
3283
0
    defined(MBEDTLS_SSL_ASYNC_PRIVATE)
3284
    /* If we have already prepared the message and there is an ongoing
3285
     * signature operation, resume signing. */
3286
0
    if (ssl->handshake->async_in_progress != 0) {
3287
0
        MBEDTLS_SSL_DEBUG_MSG(2, ("resuming signature operation"));
3288
0
        ret = ssl_resume_server_key_exchange(ssl, &signature_len);
3289
0
    } else
3290
0
#endif /* defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) &&
3291
          defined(MBEDTLS_SSL_ASYNC_PRIVATE) */
3292
0
    {
3293
        /* ServerKeyExchange is needed. Prepare the message. */
3294
0
        ret = ssl_prepare_server_key_exchange(ssl, &signature_len);
3295
0
    }
3296
3297
0
    if (ret != 0) {
3298
        /* If we're starting to write a new message, set ssl->out_msglen
3299
         * to 0. But if we're resuming after an asynchronous message,
3300
         * out_msglen is the amount of data written so far and mst be
3301
         * preserved. */
3302
0
        if (ret == MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS) {
3303
0
            MBEDTLS_SSL_DEBUG_MSG(2, ("<= write server key exchange (pending)"));
3304
0
        } else {
3305
0
            ssl->out_msglen = 0;
3306
0
        }
3307
0
        return ret;
3308
0
    }
3309
3310
    /* If there is a signature, write its length.
3311
     * ssl_prepare_server_key_exchange already wrote the signature
3312
     * itself at its proper place in the output buffer. */
3313
0
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
3314
0
    if (signature_len != 0) {
3315
0
        ssl->out_msg[ssl->out_msglen++] = MBEDTLS_BYTE_1(signature_len);
3316
0
        ssl->out_msg[ssl->out_msglen++] = MBEDTLS_BYTE_0(signature_len);
3317
3318
0
        MBEDTLS_SSL_DEBUG_BUF(3, "my signature",
3319
0
                              ssl->out_msg + ssl->out_msglen,
3320
0
                              signature_len);
3321
3322
        /* Skip over the already-written signature */
3323
0
        ssl->out_msglen += signature_len;
3324
0
    }
3325
0
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED */
3326
3327
    /* Add header and send. */
3328
0
    ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
3329
0
    ssl->out_msg[0]  = MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE;
3330
3331
0
    ssl->state++;
3332
3333
0
    if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
3334
0
        MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
3335
0
        return ret;
3336
0
    }
3337
3338
0
    MBEDTLS_SSL_DEBUG_MSG(2, ("<= write server key exchange"));
3339
0
    return 0;
3340
0
}
3341
3342
MBEDTLS_CHECK_RETURN_CRITICAL
3343
static int ssl_write_server_hello_done(mbedtls_ssl_context *ssl)
3344
0
{
3345
0
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
3346
3347
0
    MBEDTLS_SSL_DEBUG_MSG(2, ("=> write server hello done"));
3348
3349
0
    ssl->out_msglen  = 4;
3350
0
    ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
3351
0
    ssl->out_msg[0]  = MBEDTLS_SSL_HS_SERVER_HELLO_DONE;
3352
3353
0
    ssl->state++;
3354
3355
0
#if defined(MBEDTLS_SSL_PROTO_DTLS)
3356
0
    if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
3357
0
        mbedtls_ssl_send_flight_completed(ssl);
3358
0
    }
3359
0
#endif
3360
3361
0
    if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
3362
0
        MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
3363
0
        return ret;
3364
0
    }
3365
3366
0
#if defined(MBEDTLS_SSL_PROTO_DTLS)
3367
0
    if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
3368
0
        (ret = mbedtls_ssl_flight_transmit(ssl)) != 0) {
3369
0
        MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_flight_transmit", ret);
3370
0
        return ret;
3371
0
    }
3372
0
#endif /* MBEDTLS_SSL_PROTO_DTLS */
3373
3374
0
    MBEDTLS_SSL_DEBUG_MSG(2, ("<= write server hello done"));
3375
3376
0
    return 0;
3377
0
}
3378
3379
#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) ||                       \
3380
    defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
3381
MBEDTLS_CHECK_RETURN_CRITICAL
3382
static int ssl_parse_client_dh_public(mbedtls_ssl_context *ssl, unsigned char **p,
3383
                                      const unsigned char *end)
3384
0
{
3385
0
    int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
3386
0
    size_t n;
3387
3388
    /*
3389
     * Receive G^Y mod P, premaster = (G^Y)^X mod P
3390
     */
3391
0
    if (*p + 2 > end) {
3392
0
        MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
3393
0
        return MBEDTLS_ERR_SSL_DECODE_ERROR;
3394
0
    }
3395
3396
0
    n = MBEDTLS_GET_UINT16_BE(*p, 0);
3397
0
    *p += 2;
3398
3399
0
    if (*p + n > end) {
3400
0
        MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
3401
0
        return MBEDTLS_ERR_SSL_DECODE_ERROR;
3402
0
    }
3403
3404
0
    if ((ret = mbedtls_dhm_read_public(&ssl->handshake->dhm_ctx, *p, n)) != 0) {
3405
0
        MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_read_public", ret);
3406
0
        return MBEDTLS_ERR_SSL_DECODE_ERROR;
3407
0
    }
3408
3409
0
    *p += n;
3410
3411
0
    MBEDTLS_SSL_DEBUG_MPI(3, "DHM: GY", &ssl->handshake->dhm_ctx.GY);
3412
3413
0
    return ret;
3414
0
}
3415
#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
3416
          MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
3417
3418
#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) ||                           \
3419
    defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
3420
3421
#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
3422
MBEDTLS_CHECK_RETURN_CRITICAL
3423
static int ssl_resume_decrypt_pms(mbedtls_ssl_context *ssl,
3424
                                  unsigned char *peer_pms,
3425
                                  size_t *peer_pmslen,
3426
                                  size_t peer_pmssize)
3427
0
{
3428
0
    int ret = ssl->conf->f_async_resume(ssl,
3429
0
                                        peer_pms, peer_pmslen, peer_pmssize);
3430
0
    if (ret != MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS) {
3431
0
        ssl->handshake->async_in_progress = 0;
3432
0
        mbedtls_ssl_set_async_operation_data(ssl, NULL);
3433
0
    }
3434
0
    MBEDTLS_SSL_DEBUG_RET(2, "ssl_decrypt_encrypted_pms", ret);
3435
0
    return ret;
3436
0
}
3437
#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
3438
3439
MBEDTLS_CHECK_RETURN_CRITICAL
3440
static int ssl_decrypt_encrypted_pms(mbedtls_ssl_context *ssl,
3441
                                     const unsigned char *p,
3442
                                     const unsigned char *end,
3443
                                     unsigned char *peer_pms,
3444
                                     size_t *peer_pmslen,
3445
                                     size_t peer_pmssize)
3446
0
{
3447
0
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
3448
3449
0
    mbedtls_x509_crt *own_cert = mbedtls_ssl_own_cert(ssl);
3450
0
    if (own_cert == NULL) {
3451
0
        MBEDTLS_SSL_DEBUG_MSG(1, ("got no local certificate"));
3452
0
        return MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE;
3453
0
    }
3454
0
    mbedtls_pk_context *public_key = &own_cert->pk;
3455
0
    mbedtls_pk_context *private_key = mbedtls_ssl_own_key(ssl);
3456
0
    size_t len = mbedtls_pk_get_len(public_key);
3457
3458
0
#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
3459
    /* If we have already started decoding the message and there is an ongoing
3460
     * decryption operation, resume signing. */
3461
0
    if (ssl->handshake->async_in_progress != 0) {
3462
0
        MBEDTLS_SSL_DEBUG_MSG(2, ("resuming decryption operation"));
3463
0
        return ssl_resume_decrypt_pms(ssl,
3464
0
                                      peer_pms, peer_pmslen, peer_pmssize);
3465
0
    }
3466
0
#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
3467
3468
    /*
3469
     * Prepare to decrypt the premaster using own private RSA key
3470
     */
3471
0
    if (p + 2 > end) {
3472
0
        MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
3473
0
        return MBEDTLS_ERR_SSL_DECODE_ERROR;
3474
0
    }
3475
0
    if (*p++ != MBEDTLS_BYTE_1(len) ||
3476
0
        *p++ != MBEDTLS_BYTE_0(len)) {
3477
0
        MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
3478
0
        return MBEDTLS_ERR_SSL_DECODE_ERROR;
3479
0
    }
3480
3481
0
    if (p + len != end) {
3482
0
        MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
3483
0
        return MBEDTLS_ERR_SSL_DECODE_ERROR;
3484
0
    }
3485
3486
    /*
3487
     * Decrypt the premaster secret
3488
     */
3489
0
#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
3490
0
    if (ssl->conf->f_async_decrypt_start != NULL) {
3491
0
        ret = ssl->conf->f_async_decrypt_start(ssl,
3492
0
                                               mbedtls_ssl_own_cert(ssl),
3493
0
                                               p, len);
3494
0
        switch (ret) {
3495
0
            case MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH:
3496
                /* act as if f_async_decrypt_start was null */
3497
0
                break;
3498
0
            case 0:
3499
0
                ssl->handshake->async_in_progress = 1;
3500
0
                return ssl_resume_decrypt_pms(ssl,
3501
0
                                              peer_pms,
3502
0
                                              peer_pmslen,
3503
0
                                              peer_pmssize);
3504
0
            case MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS:
3505
0
                ssl->handshake->async_in_progress = 1;
3506
0
                return MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS;
3507
0
            default:
3508
0
                MBEDTLS_SSL_DEBUG_RET(1, "f_async_decrypt_start", ret);
3509
0
                return ret;
3510
0
        }
3511
0
    }
3512
0
#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
3513
3514
0
    if (!mbedtls_pk_can_do(private_key, MBEDTLS_PK_RSA)) {
3515
0
        MBEDTLS_SSL_DEBUG_MSG(1, ("got no RSA private key"));
3516
0
        return MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED;
3517
0
    }
3518
3519
0
    ret = mbedtls_pk_decrypt(private_key, p, len,
3520
0
                             peer_pms, peer_pmslen, peer_pmssize,
3521
0
                             ssl->conf->f_rng, ssl->conf->p_rng);
3522
0
    return ret;
3523
0
}
3524
3525
MBEDTLS_CHECK_RETURN_CRITICAL
3526
static int ssl_parse_encrypted_pms(mbedtls_ssl_context *ssl,
3527
                                   const unsigned char *p,
3528
                                   const unsigned char *end,
3529
                                   size_t pms_offset)
3530
0
{
3531
0
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
3532
0
    unsigned char *pms = ssl->handshake->premaster + pms_offset;
3533
0
    unsigned char ver[2];
3534
0
    unsigned char fake_pms[48], peer_pms[48];
3535
0
    size_t peer_pmslen;
3536
0
    mbedtls_ct_condition_t diff;
3537
3538
    /* In case of a failure in decryption, the decryption may write less than
3539
     * 2 bytes of output, but we always read the first two bytes. It doesn't
3540
     * matter in the end because diff will be nonzero in that case due to
3541
     * ret being nonzero, and we only care whether diff is 0.
3542
     * But do initialize peer_pms and peer_pmslen for robustness anyway. This
3543
     * also makes memory analyzers happy (don't access uninitialized memory,
3544
     * even if it's an unsigned char). */
3545
0
    peer_pms[0] = peer_pms[1] = ~0;
3546
0
    peer_pmslen = 0;
3547
3548
0
    ret = ssl_decrypt_encrypted_pms(ssl, p, end,
3549
0
                                    peer_pms,
3550
0
                                    &peer_pmslen,
3551
0
                                    sizeof(peer_pms));
3552
3553
0
#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
3554
0
    if (ret == MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS) {
3555
0
        return ret;
3556
0
    }
3557
0
#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
3558
3559
0
    mbedtls_ssl_write_version(ver, ssl->conf->transport,
3560
0
                              ssl->session_negotiate->tls_version);
3561
3562
    /* Avoid data-dependent branches while checking for invalid
3563
     * padding, to protect against timing-based Bleichenbacher-type
3564
     * attacks. */
3565
0
    diff = mbedtls_ct_bool(ret);
3566
0
    diff = mbedtls_ct_bool_or(diff, mbedtls_ct_uint_ne(peer_pmslen, 48));
3567
0
    diff = mbedtls_ct_bool_or(diff, mbedtls_ct_uint_ne(peer_pms[0], ver[0]));
3568
0
    diff = mbedtls_ct_bool_or(diff, mbedtls_ct_uint_ne(peer_pms[1], ver[1]));
3569
3570
    /*
3571
     * Protection against Bleichenbacher's attack: invalid PKCS#1 v1.5 padding
3572
     * must not cause the connection to end immediately; instead, send a
3573
     * bad_record_mac later in the handshake.
3574
     * To protect against timing-based variants of the attack, we must
3575
     * not have any branch that depends on whether the decryption was
3576
     * successful. In particular, always generate the fake premaster secret,
3577
     * regardless of whether it will ultimately influence the output or not.
3578
     */
3579
0
    ret = ssl->conf->f_rng(ssl->conf->p_rng, fake_pms, sizeof(fake_pms));
3580
0
    if (ret != 0) {
3581
        /* It's ok to abort on an RNG failure, since this does not reveal
3582
         * anything about the RSA decryption. */
3583
0
        return ret;
3584
0
    }
3585
3586
0
#if defined(MBEDTLS_SSL_DEBUG_ALL)
3587
0
    if (diff != MBEDTLS_CT_FALSE) {
3588
0
        MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
3589
0
    }
3590
0
#endif
3591
3592
0
    if (sizeof(ssl->handshake->premaster) < pms_offset ||
3593
0
        sizeof(ssl->handshake->premaster) - pms_offset < 48) {
3594
0
        MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
3595
0
        return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
3596
0
    }
3597
0
    ssl->handshake->pmslen = 48;
3598
3599
    /* Set pms to either the true or the fake PMS, without
3600
     * data-dependent branches. */
3601
0
    mbedtls_ct_memcpy_if(diff, pms, fake_pms, peer_pms, ssl->handshake->pmslen);
3602
3603
0
    return 0;
3604
0
}
3605
#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED ||
3606
          MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
3607
3608
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
3609
MBEDTLS_CHECK_RETURN_CRITICAL
3610
static int ssl_parse_client_psk_identity(mbedtls_ssl_context *ssl, unsigned char **p,
3611
                                         const unsigned char *end)
3612
0
{
3613
0
    int ret = 0;
3614
0
    uint16_t n;
3615
3616
0
    if (ssl_conf_has_psk_or_cb(ssl->conf) == 0) {
3617
0
        MBEDTLS_SSL_DEBUG_MSG(1, ("got no pre-shared key"));
3618
0
        return MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED;
3619
0
    }
3620
3621
    /*
3622
     * Receive client pre-shared key identity name
3623
     */
3624
0
    if (end - *p < 2) {
3625
0
        MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
3626
0
        return MBEDTLS_ERR_SSL_DECODE_ERROR;
3627
0
    }
3628
3629
0
    n = MBEDTLS_GET_UINT16_BE(*p, 0);
3630
0
    *p += 2;
3631
3632
0
    if (n == 0 || n > end - *p) {
3633
0
        MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
3634
0
        return MBEDTLS_ERR_SSL_DECODE_ERROR;
3635
0
    }
3636
3637
0
    if (ssl->conf->f_psk != NULL) {
3638
0
        if (ssl->conf->f_psk(ssl->conf->p_psk, ssl, *p, n) != 0) {
3639
0
            ret = MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY;
3640
0
        }
3641
0
    } else {
3642
        /* Identity is not a big secret since clients send it in the clear,
3643
         * but treat it carefully anyway, just in case */
3644
0
        if (n != ssl->conf->psk_identity_len ||
3645
0
            mbedtls_ct_memcmp(ssl->conf->psk_identity, *p, n) != 0) {
3646
0
            ret = MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY;
3647
0
        }
3648
0
    }
3649
3650
0
    if (ret == MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY) {
3651
0
        MBEDTLS_SSL_DEBUG_BUF(3, "Unknown PSK identity", *p, n);
3652
0
        mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3653
0
                                       MBEDTLS_SSL_ALERT_MSG_UNKNOWN_PSK_IDENTITY);
3654
0
        return MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY;
3655
0
    }
3656
3657
0
    *p += n;
3658
3659
0
    return 0;
3660
0
}
3661
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
3662
3663
MBEDTLS_CHECK_RETURN_CRITICAL
3664
static int ssl_parse_client_key_exchange(mbedtls_ssl_context *ssl)
3665
0
{
3666
0
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
3667
0
    const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
3668
0
    unsigned char *p, *end;
3669
3670
0
    ciphersuite_info = ssl->handshake->ciphersuite_info;
3671
3672
0
    MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse client key exchange"));
3673
3674
0
#if defined(MBEDTLS_SSL_ASYNC_PRIVATE) && \
3675
0
    (defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \
3676
0
    defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED))
3677
0
    if ((ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
3678
0
         ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA) &&
3679
0
        (ssl->handshake->async_in_progress != 0)) {
3680
        /* We've already read a record and there is an asynchronous
3681
         * operation in progress to decrypt it. So skip reading the
3682
         * record. */
3683
0
        MBEDTLS_SSL_DEBUG_MSG(3, ("will resume decryption of previously-read record"));
3684
0
    } else
3685
0
#endif
3686
0
    if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) {
3687
0
        MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);
3688
0
        return ret;
3689
0
    }
3690
3691
0
    p = ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl);
3692
0
    end = ssl->in_msg + ssl->in_hslen;
3693
3694
0
    if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) {
3695
0
        MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
3696
0
        return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
3697
0
    }
3698
3699
0
    if (ssl->in_msg[0] != MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE) {
3700
0
        MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
3701
0
        return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
3702
0
    }
3703
3704
0
#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
3705
0
    if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA) {
3706
0
        if ((ret = ssl_parse_client_dh_public(ssl, &p, end)) != 0) {
3707
0
            MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_dh_public"), ret);
3708
0
            return ret;
3709
0
        }
3710
3711
0
        if (p != end) {
3712
0
            MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange"));
3713
0
            return MBEDTLS_ERR_SSL_DECODE_ERROR;
3714
0
        }
3715
3716
0
        if ((ret = mbedtls_dhm_calc_secret(&ssl->handshake->dhm_ctx,
3717
0
                                           ssl->handshake->premaster,
3718
0
                                           MBEDTLS_PREMASTER_SIZE,
3719
0
                                           &ssl->handshake->pmslen,
3720
0
                                           ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
3721
0
            MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_calc_secret", ret);
3722
0
            return MBEDTLS_ERR_SSL_DECODE_ERROR;
3723
0
        }
3724
3725
0
        MBEDTLS_SSL_DEBUG_MPI(3, "DHM: K ", &ssl->handshake->dhm_ctx.K);
3726
0
    } else
3727
0
#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */
3728
0
#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) ||                     \
3729
0
    defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) ||                   \
3730
0
    defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) ||                      \
3731
0
    defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
3732
0
    if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
3733
0
        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ||
3734
0
        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA ||
3735
0
        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA) {
3736
0
#if defined(MBEDTLS_USE_PSA_CRYPTO)
3737
0
        size_t data_len = (size_t) (*p++);
3738
0
        size_t buf_len = (size_t) (end - p);
3739
0
        psa_status_t status = PSA_ERROR_GENERIC_ERROR;
3740
0
        mbedtls_ssl_handshake_params *handshake = ssl->handshake;
3741
3742
0
        MBEDTLS_SSL_DEBUG_MSG(3, ("Read the peer's public key."));
3743
3744
        /*
3745
         * We must have at least two bytes (1 for length, at least 1 for data)
3746
         */
3747
0
        if (buf_len < 2) {
3748
0
            MBEDTLS_SSL_DEBUG_MSG(1, ("Invalid buffer length: %" MBEDTLS_PRINTF_SIZET,
3749
0
                                      buf_len));
3750
0
            return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
3751
0
        }
3752
3753
0
        if (data_len < 1 || data_len > buf_len) {
3754
0
            MBEDTLS_SSL_DEBUG_MSG(1, ("Invalid data length: %" MBEDTLS_PRINTF_SIZET
3755
0
                                      " > %" MBEDTLS_PRINTF_SIZET,
3756
0
                                      data_len, buf_len));
3757
0
            return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
3758
0
        }
3759
3760
        /* Store peer's ECDH public key. */
3761
0
        if (data_len > sizeof(handshake->xxdh_psa_peerkey)) {
3762
0
            MBEDTLS_SSL_DEBUG_MSG(1, ("Invalid public key length: %" MBEDTLS_PRINTF_SIZET
3763
0
                                      " > %" MBEDTLS_PRINTF_SIZET,
3764
0
                                      data_len,
3765
0
                                      sizeof(handshake->xxdh_psa_peerkey)));
3766
0
            return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
3767
0
        }
3768
0
        memcpy(handshake->xxdh_psa_peerkey, p, data_len);
3769
0
        handshake->xxdh_psa_peerkey_len = data_len;
3770
3771
        /* Compute ECDH shared secret. */
3772
0
        status = psa_raw_key_agreement(
3773
0
            PSA_ALG_ECDH, handshake->xxdh_psa_privkey,
3774
0
            handshake->xxdh_psa_peerkey, handshake->xxdh_psa_peerkey_len,
3775
0
            handshake->premaster, sizeof(handshake->premaster),
3776
0
            &handshake->pmslen);
3777
0
        if (status != PSA_SUCCESS) {
3778
0
            ret = PSA_TO_MBEDTLS_ERR(status);
3779
0
            MBEDTLS_SSL_DEBUG_RET(1, "psa_raw_key_agreement", ret);
3780
0
            if (handshake->xxdh_psa_privkey_is_external == 0) {
3781
0
                (void) psa_destroy_key(handshake->xxdh_psa_privkey);
3782
0
            }
3783
0
            handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
3784
0
            return ret;
3785
0
        }
3786
3787
0
        if (handshake->xxdh_psa_privkey_is_external == 0) {
3788
0
            status = psa_destroy_key(handshake->xxdh_psa_privkey);
3789
3790
0
            if (status != PSA_SUCCESS) {
3791
0
                ret = PSA_TO_MBEDTLS_ERR(status);
3792
0
                MBEDTLS_SSL_DEBUG_RET(1, "psa_destroy_key", ret);
3793
0
                return ret;
3794
0
            }
3795
0
        }
3796
0
        handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
3797
#else
3798
        if ((ret = mbedtls_ecdh_read_public(&ssl->handshake->ecdh_ctx,
3799
                                            p, (size_t) (end - p))) != 0) {
3800
            MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_read_public", ret);
3801
            return MBEDTLS_ERR_SSL_DECODE_ERROR;
3802
        }
3803
3804
        MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx,
3805
                               MBEDTLS_DEBUG_ECDH_QP);
3806
3807
        if ((ret = mbedtls_ecdh_calc_secret(&ssl->handshake->ecdh_ctx,
3808
                                            &ssl->handshake->pmslen,
3809
                                            ssl->handshake->premaster,
3810
                                            MBEDTLS_MPI_MAX_SIZE,
3811
                                            ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
3812
            MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_calc_secret", ret);
3813
            return MBEDTLS_ERR_SSL_DECODE_ERROR;
3814
        }
3815
3816
        MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx,
3817
                               MBEDTLS_DEBUG_ECDH_Z);
3818
#endif /* MBEDTLS_USE_PSA_CRYPTO */
3819
0
    } else
3820
0
#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
3821
          MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
3822
          MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
3823
          MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
3824
0
#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
3825
0
    if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK) {
3826
0
        if ((ret = ssl_parse_client_psk_identity(ssl, &p, end)) != 0) {
3827
0
            MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_psk_identity"), ret);
3828
0
            return ret;
3829
0
        }
3830
3831
0
        if (p != end) {
3832
0
            MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange"));
3833
0
            return MBEDTLS_ERR_SSL_DECODE_ERROR;
3834
0
        }
3835
3836
#if !defined(MBEDTLS_USE_PSA_CRYPTO)
3837
        if ((ret = mbedtls_ssl_psk_derive_premaster(ssl,
3838
                                                    (mbedtls_key_exchange_type_t) ciphersuite_info->
3839
                                                    key_exchange)) != 0) {
3840
            MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_psk_derive_premaster", ret);
3841
            return ret;
3842
        }
3843
#endif /* !MBEDTLS_USE_PSA_CRYPTO */
3844
0
    } else
3845
0
#endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */
3846
0
#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
3847
0
    if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK) {
3848
0
#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
3849
0
        if (ssl->handshake->async_in_progress != 0) {
3850
            /* There is an asynchronous operation in progress to
3851
             * decrypt the encrypted premaster secret, so skip
3852
             * directly to resuming this operation. */
3853
0
            MBEDTLS_SSL_DEBUG_MSG(3, ("PSK identity already parsed"));
3854
            /* Update p to skip the PSK identity. ssl_parse_encrypted_pms
3855
             * won't actually use it, but maintain p anyway for robustness. */
3856
0
            p += ssl->conf->psk_identity_len + 2;
3857
0
        } else
3858
0
#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
3859
0
        if ((ret = ssl_parse_client_psk_identity(ssl, &p, end)) != 0) {
3860
0
            MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_psk_identity"), ret);
3861
0
            return ret;
3862
0
        }
3863
3864
0
        if ((ret = ssl_parse_encrypted_pms(ssl, p, end, 2)) != 0) {
3865
0
            MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_encrypted_pms"), ret);
3866
0
            return ret;
3867
0
        }
3868
3869
#if !defined(MBEDTLS_USE_PSA_CRYPTO)
3870
        if ((ret = mbedtls_ssl_psk_derive_premaster(ssl,
3871
                                                    (mbedtls_key_exchange_type_t) ciphersuite_info->
3872
                                                    key_exchange)) != 0) {
3873
            MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_psk_derive_premaster", ret);
3874
            return ret;
3875
        }
3876
#endif /* !MBEDTLS_USE_PSA_CRYPTO */
3877
0
    } else
3878
0
#endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
3879
0
#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
3880
0
    if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK) {
3881
0
        if ((ret = ssl_parse_client_psk_identity(ssl, &p, end)) != 0) {
3882
0
            MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_psk_identity"), ret);
3883
0
            return ret;
3884
0
        }
3885
0
        if ((ret = ssl_parse_client_dh_public(ssl, &p, end)) != 0) {
3886
0
            MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_dh_public"), ret);
3887
0
            return ret;
3888
0
        }
3889
3890
0
        if (p != end) {
3891
0
            MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange"));
3892
0
            return MBEDTLS_ERR_SSL_DECODE_ERROR;
3893
0
        }
3894
3895
0
#if defined(MBEDTLS_USE_PSA_CRYPTO)
3896
0
        unsigned char *pms = ssl->handshake->premaster;
3897
0
        unsigned char *pms_end = pms + sizeof(ssl->handshake->premaster);
3898
0
        size_t pms_len;
3899
3900
        /* Write length only when we know the actual value */
3901
0
        if ((ret = mbedtls_dhm_calc_secret(&ssl->handshake->dhm_ctx,
3902
0
                                           pms + 2, pms_end - (pms + 2), &pms_len,
3903
0
                                           ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
3904
0
            MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_calc_secret", ret);
3905
0
            return ret;
3906
0
        }
3907
0
        MBEDTLS_PUT_UINT16_BE(pms_len, pms, 0);
3908
0
        pms += 2 + pms_len;
3909
3910
0
        MBEDTLS_SSL_DEBUG_MPI(3, "DHM: K ", &ssl->handshake->dhm_ctx.K);
3911
#else
3912
        if ((ret = mbedtls_ssl_psk_derive_premaster(ssl,
3913
                                                    (mbedtls_key_exchange_type_t) ciphersuite_info->
3914
                                                    key_exchange)) != 0) {
3915
            MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_psk_derive_premaster", ret);
3916
            return ret;
3917
        }
3918
#endif /* MBEDTLS_USE_PSA_CRYPTO */
3919
0
    } else
3920
0
#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
3921
0
#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
3922
0
    if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK) {
3923
0
#if defined(MBEDTLS_USE_PSA_CRYPTO)
3924
0
        psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
3925
0
        psa_status_t destruction_status = PSA_ERROR_CORRUPTION_DETECTED;
3926
0
        size_t ecpoint_len;
3927
3928
0
        mbedtls_ssl_handshake_params *handshake = ssl->handshake;
3929
3930
0
        if ((ret = ssl_parse_client_psk_identity(ssl, &p, end)) != 0) {
3931
0
            MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_psk_identity"), ret);
3932
0
            psa_destroy_key(handshake->xxdh_psa_privkey);
3933
0
            handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
3934
0
            return ret;
3935
0
        }
3936
3937
        /* Keep a copy of the peer's public key */
3938
0
        if (p >= end) {
3939
0
            psa_destroy_key(handshake->xxdh_psa_privkey);
3940
0
            handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
3941
0
            return MBEDTLS_ERR_SSL_DECODE_ERROR;
3942
0
        }
3943
3944
0
        ecpoint_len = *(p++);
3945
0
        if ((size_t) (end - p) < ecpoint_len) {
3946
0
            psa_destroy_key(handshake->xxdh_psa_privkey);
3947
0
            handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
3948
0
            return MBEDTLS_ERR_SSL_DECODE_ERROR;
3949
0
        }
3950
3951
        /* When FFDH is enabled, the array handshake->xxdh_psa_peer_key size takes into account
3952
           the sizes of the FFDH keys which are at least 2048 bits.
3953
           The size of the array is thus greater than 256 bytes which is greater than any
3954
           possible value of ecpoint_len (type uint8_t) and the check below can be skipped.*/
3955
#if !defined(PSA_WANT_ALG_FFDH)
3956
        if (ecpoint_len > sizeof(handshake->xxdh_psa_peerkey)) {
3957
            psa_destroy_key(handshake->xxdh_psa_privkey);
3958
            handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
3959
            return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
3960
        }
3961
#else
3962
0
        MBEDTLS_STATIC_ASSERT(sizeof(handshake->xxdh_psa_peerkey) >= UINT8_MAX,
3963
0
                              "peer key buffer too small");
3964
0
#endif
3965
3966
0
        memcpy(handshake->xxdh_psa_peerkey, p, ecpoint_len);
3967
0
        handshake->xxdh_psa_peerkey_len = ecpoint_len;
3968
0
        p += ecpoint_len;
3969
3970
        /* As RFC 5489 section 2, the premaster secret is formed as follows:
3971
         * - a uint16 containing the length (in octets) of the ECDH computation
3972
         * - the octet string produced by the ECDH computation
3973
         * - a uint16 containing the length (in octets) of the PSK
3974
         * - the PSK itself
3975
         */
3976
0
        unsigned char *psm = ssl->handshake->premaster;
3977
0
        const unsigned char * const psm_end =
3978
0
            psm + sizeof(ssl->handshake->premaster);
3979
        /* uint16 to store length (in octets) of the ECDH computation */
3980
0
        const size_t zlen_size = 2;
3981
0
        size_t zlen = 0;
3982
3983
        /* Compute ECDH shared secret. */
3984
0
        status = psa_raw_key_agreement(PSA_ALG_ECDH,
3985
0
                                       handshake->xxdh_psa_privkey,
3986
0
                                       handshake->xxdh_psa_peerkey,
3987
0
                                       handshake->xxdh_psa_peerkey_len,
3988
0
                                       psm + zlen_size,
3989
0
                                       psm_end - (psm + zlen_size),
3990
0
                                       &zlen);
3991
3992
0
        destruction_status = psa_destroy_key(handshake->xxdh_psa_privkey);
3993
0
        handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
3994
3995
0
        if (status != PSA_SUCCESS) {
3996
0
            return PSA_TO_MBEDTLS_ERR(status);
3997
0
        } else if (destruction_status != PSA_SUCCESS) {
3998
0
            return PSA_TO_MBEDTLS_ERR(destruction_status);
3999
0
        }
4000
4001
        /* Write the ECDH computation length before the ECDH computation */
4002
0
        MBEDTLS_PUT_UINT16_BE(zlen, psm, 0);
4003
0
        psm += zlen_size + zlen;
4004
4005
#else /* MBEDTLS_USE_PSA_CRYPTO */
4006
        if ((ret = ssl_parse_client_psk_identity(ssl, &p, end)) != 0) {
4007
            MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_psk_identity"), ret);
4008
            return ret;
4009
        }
4010
4011
        if ((ret = mbedtls_ecdh_read_public(&ssl->handshake->ecdh_ctx,
4012
                                            p, (size_t) (end - p))) != 0) {
4013
            MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_read_public", ret);
4014
            return MBEDTLS_ERR_SSL_DECODE_ERROR;
4015
        }
4016
4017
        MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx,
4018
                               MBEDTLS_DEBUG_ECDH_QP);
4019
4020
        if ((ret = mbedtls_ssl_psk_derive_premaster(ssl,
4021
                                                    (mbedtls_key_exchange_type_t) ciphersuite_info->
4022
                                                    key_exchange)) != 0) {
4023
            MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_psk_derive_premaster", ret);
4024
            return ret;
4025
        }
4026
#endif /* MBEDTLS_USE_PSA_CRYPTO */
4027
0
    } else
4028
0
#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
4029
0
#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
4030
0
    if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA) {
4031
0
        if ((ret = ssl_parse_encrypted_pms(ssl, p, end, 0)) != 0) {
4032
0
            MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_parse_encrypted_pms_secret"), ret);
4033
0
            return ret;
4034
0
        }
4035
0
    } else
4036
0
#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
4037
0
#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
4038
0
    if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE) {
4039
0
#if defined(MBEDTLS_USE_PSA_CRYPTO)
4040
0
        if ((ret = mbedtls_psa_ecjpake_read_round(
4041
0
                 &ssl->handshake->psa_pake_ctx, p, (size_t) (end - p),
4042
0
                 MBEDTLS_ECJPAKE_ROUND_TWO)) != 0) {
4043
0
            psa_destroy_key(ssl->handshake->psa_pake_password);
4044
0
            psa_pake_abort(&ssl->handshake->psa_pake_ctx);
4045
4046
0
            MBEDTLS_SSL_DEBUG_RET(1, "psa_pake_input round two", ret);
4047
0
            return ret;
4048
0
        }
4049
#else
4050
        ret = mbedtls_ecjpake_read_round_two(&ssl->handshake->ecjpake_ctx,
4051
                                             p, (size_t) (end - p));
4052
        if (ret != 0) {
4053
            MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_read_round_two", ret);
4054
            return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
4055
        }
4056
4057
        ret = mbedtls_ecjpake_derive_secret(&ssl->handshake->ecjpake_ctx,
4058
                                            ssl->handshake->premaster, 32, &ssl->handshake->pmslen,
4059
                                            ssl->conf->f_rng, ssl->conf->p_rng);
4060
        if (ret != 0) {
4061
            MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_derive_secret", ret);
4062
            return ret;
4063
        }
4064
#endif /* MBEDTLS_USE_PSA_CRYPTO */
4065
0
    } else
4066
0
#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
4067
0
    {
4068
0
        MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
4069
0
        return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
4070
0
    }
4071
4072
0
    if ((ret = mbedtls_ssl_derive_keys(ssl)) != 0) {
4073
0
        MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_derive_keys", ret);
4074
0
        return ret;
4075
0
    }
4076
4077
0
    ssl->state++;
4078
4079
0
    MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse client key exchange"));
4080
4081
0
    return 0;
4082
0
}
4083
4084
#if !defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
4085
MBEDTLS_CHECK_RETURN_CRITICAL
4086
static int ssl_parse_certificate_verify(mbedtls_ssl_context *ssl)
4087
{
4088
    const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
4089
        ssl->handshake->ciphersuite_info;
4090
4091
    MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate verify"));
4092
4093
    if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) {
4094
        MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate verify"));
4095
        ssl->state++;
4096
        return 0;
4097
    }
4098
4099
    MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
4100
    return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
4101
}
4102
#else /* !MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
4103
MBEDTLS_CHECK_RETURN_CRITICAL
4104
static int ssl_parse_certificate_verify(mbedtls_ssl_context *ssl)
4105
0
{
4106
0
    int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
4107
0
    size_t i, sig_len;
4108
0
    unsigned char hash[48];
4109
0
    unsigned char *hash_start = hash;
4110
0
    size_t hashlen;
4111
0
    mbedtls_pk_type_t pk_alg;
4112
0
    mbedtls_md_type_t md_alg;
4113
0
    const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
4114
0
        ssl->handshake->ciphersuite_info;
4115
0
    mbedtls_pk_context *peer_pk;
4116
4117
0
    MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate verify"));
4118
4119
0
    if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) {
4120
0
        MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate verify"));
4121
0
        ssl->state++;
4122
0
        return 0;
4123
0
    }
4124
4125
0
#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
4126
0
    if (ssl->session_negotiate->peer_cert == NULL) {
4127
0
        MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate verify"));
4128
0
        ssl->state++;
4129
0
        return 0;
4130
0
    }
4131
#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
4132
    if (ssl->session_negotiate->peer_cert_digest == NULL) {
4133
        MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate verify"));
4134
        ssl->state++;
4135
        return 0;
4136
    }
4137
#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
4138
4139
    /* Read the message without adding it to the checksum */
4140
0
    ret = mbedtls_ssl_read_record(ssl, 0 /* no checksum update */);
4141
0
    if (0 != ret) {
4142
0
        MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ssl_read_record"), ret);
4143
0
        return ret;
4144
0
    }
4145
4146
0
    ssl->state++;
4147
4148
    /* Process the message contents */
4149
0
    if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ||
4150
0
        ssl->in_msg[0] != MBEDTLS_SSL_HS_CERTIFICATE_VERIFY) {
4151
0
        MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate verify message"));
4152
0
        return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
4153
0
    }
4154
4155
0
    i = mbedtls_ssl_hs_hdr_len(ssl);
4156
4157
#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
4158
    peer_pk = &ssl->handshake->peer_pubkey;
4159
#else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
4160
0
    if (ssl->session_negotiate->peer_cert == NULL) {
4161
        /* Should never happen */
4162
0
        return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
4163
0
    }
4164
0
    peer_pk = &ssl->session_negotiate->peer_cert->pk;
4165
0
#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
4166
4167
    /*
4168
     *  struct {
4169
     *     SignatureAndHashAlgorithm algorithm; -- TLS 1.2 only
4170
     *     opaque signature<0..2^16-1>;
4171
     *  } DigitallySigned;
4172
     */
4173
0
    if (i + 2 > ssl->in_hslen) {
4174
0
        MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate verify message"));
4175
0
        return MBEDTLS_ERR_SSL_DECODE_ERROR;
4176
0
    }
4177
4178
    /*
4179
     * Hash
4180
     */
4181
0
    md_alg = mbedtls_ssl_md_alg_from_hash(ssl->in_msg[i]);
4182
4183
0
    if (md_alg == MBEDTLS_MD_NONE || mbedtls_ssl_set_calc_verify_md(ssl, ssl->in_msg[i])) {
4184
0
        MBEDTLS_SSL_DEBUG_MSG(1, ("peer not adhering to requested sig_alg"
4185
0
                                  " for verify message"));
4186
0
        return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
4187
0
    }
4188
4189
0
#if !defined(MBEDTLS_MD_SHA1)
4190
0
    if (MBEDTLS_MD_SHA1 == md_alg) {
4191
0
        hash_start += 16;
4192
0
    }
4193
0
#endif
4194
4195
    /* Info from md_alg will be used instead */
4196
0
    hashlen = 0;
4197
4198
0
    i++;
4199
4200
    /*
4201
     * Signature
4202
     */
4203
0
    if ((pk_alg = mbedtls_ssl_pk_alg_from_sig(ssl->in_msg[i]))
4204
0
        == MBEDTLS_PK_NONE) {
4205
0
        MBEDTLS_SSL_DEBUG_MSG(1, ("peer not adhering to requested sig_alg"
4206
0
                                  " for verify message"));
4207
0
        return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
4208
0
    }
4209
4210
    /*
4211
     * Check the certificate's key type matches the signature alg
4212
     */
4213
0
    if (!mbedtls_pk_can_do(peer_pk, pk_alg)) {
4214
0
        MBEDTLS_SSL_DEBUG_MSG(1, ("sig_alg doesn't match cert key"));
4215
0
        return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
4216
0
    }
4217
4218
0
    i++;
4219
4220
0
    if (i + 2 > ssl->in_hslen) {
4221
0
        MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate verify message"));
4222
0
        return MBEDTLS_ERR_SSL_DECODE_ERROR;
4223
0
    }
4224
4225
0
    sig_len = MBEDTLS_GET_UINT16_BE(ssl->in_msg, i);
4226
0
    i += 2;
4227
4228
0
    if (i + sig_len != ssl->in_hslen) {
4229
0
        MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate verify message"));
4230
0
        return MBEDTLS_ERR_SSL_DECODE_ERROR;
4231
0
    }
4232
4233
    /* Calculate hash and verify signature */
4234
0
    {
4235
0
        size_t dummy_hlen;
4236
0
        ret = ssl->handshake->calc_verify(ssl, hash, &dummy_hlen);
4237
0
        if (0 != ret) {
4238
0
            MBEDTLS_SSL_DEBUG_RET(1, ("calc_verify"), ret);
4239
0
            return ret;
4240
0
        }
4241
0
    }
4242
4243
0
    if ((ret = mbedtls_pk_verify(peer_pk,
4244
0
                                 md_alg, hash_start, hashlen,
4245
0
                                 ssl->in_msg + i, sig_len)) != 0) {
4246
0
        MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_verify", ret);
4247
0
        return ret;
4248
0
    }
4249
4250
0
    ret = mbedtls_ssl_update_handshake_status(ssl);
4251
0
    if (0 != ret) {
4252
0
        MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ssl_update_handshake_status"), ret);
4253
0
        return ret;
4254
0
    }
4255
4256
0
    MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse certificate verify"));
4257
4258
0
    return ret;
4259
0
}
4260
#endif /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
4261
4262
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
4263
MBEDTLS_CHECK_RETURN_CRITICAL
4264
static int ssl_write_new_session_ticket(mbedtls_ssl_context *ssl)
4265
0
{
4266
0
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
4267
0
    size_t tlen;
4268
0
    uint32_t lifetime;
4269
4270
0
    MBEDTLS_SSL_DEBUG_MSG(2, ("=> write new session ticket"));
4271
4272
0
    ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
4273
0
    ssl->out_msg[0]  = MBEDTLS_SSL_HS_NEW_SESSION_TICKET;
4274
4275
    /*
4276
     * struct {
4277
     *     uint32 ticket_lifetime_hint;
4278
     *     opaque ticket<0..2^16-1>;
4279
     * } NewSessionTicket;
4280
     *
4281
     * 4  .  7   ticket_lifetime_hint (0 = unspecified)
4282
     * 8  .  9   ticket_len (n)
4283
     * 10 .  9+n ticket content
4284
     */
4285
4286
0
#if defined(MBEDTLS_HAVE_TIME)
4287
0
    ssl->session_negotiate->ticket_creation_time = mbedtls_ms_time();
4288
0
#endif
4289
0
    if ((ret = ssl->conf->f_ticket_write(ssl->conf->p_ticket,
4290
0
                                         ssl->session_negotiate,
4291
0
                                         ssl->out_msg + 10,
4292
0
                                         ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN,
4293
0
                                         &tlen, &lifetime)) != 0) {
4294
0
        MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_ticket_write", ret);
4295
0
        tlen = 0;
4296
0
    }
4297
4298
0
    MBEDTLS_PUT_UINT32_BE(lifetime, ssl->out_msg, 4);
4299
0
    MBEDTLS_PUT_UINT16_BE(tlen, ssl->out_msg, 8);
4300
0
    ssl->out_msglen = 10 + tlen;
4301
4302
    /*
4303
     * Morally equivalent to updating ssl->state, but NewSessionTicket and
4304
     * ChangeCipherSpec share the same state.
4305
     */
4306
0
    ssl->handshake->new_session_ticket = 0;
4307
4308
0
    if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
4309
0
        MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
4310
0
        return ret;
4311
0
    }
4312
4313
0
    MBEDTLS_SSL_DEBUG_MSG(2, ("<= write new session ticket"));
4314
4315
0
    return 0;
4316
0
}
4317
#endif /* MBEDTLS_SSL_SESSION_TICKETS */
4318
4319
/*
4320
 * SSL handshake -- server side -- single step
4321
 */
4322
int mbedtls_ssl_handshake_server_step(mbedtls_ssl_context *ssl)
4323
0
{
4324
0
    int ret = 0;
4325
4326
0
    MBEDTLS_SSL_DEBUG_MSG(2, ("server state: %d", ssl->state));
4327
4328
0
    switch (ssl->state) {
4329
0
        case MBEDTLS_SSL_HELLO_REQUEST:
4330
0
            ssl->state = MBEDTLS_SSL_CLIENT_HELLO;
4331
0
            break;
4332
4333
        /*
4334
         *  <==   ClientHello
4335
         */
4336
0
        case MBEDTLS_SSL_CLIENT_HELLO:
4337
0
            ret = ssl_parse_client_hello(ssl);
4338
0
            break;
4339
4340
0
#if defined(MBEDTLS_SSL_PROTO_DTLS)
4341
0
        case MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT:
4342
0
            return MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED;
4343
0
#endif
4344
4345
        /*
4346
         *  ==>   ServerHello
4347
         *        Certificate
4348
         *      ( ServerKeyExchange  )
4349
         *      ( CertificateRequest )
4350
         *        ServerHelloDone
4351
         */
4352
0
        case MBEDTLS_SSL_SERVER_HELLO:
4353
0
            ret = ssl_write_server_hello(ssl);
4354
0
            break;
4355
4356
0
        case MBEDTLS_SSL_SERVER_CERTIFICATE:
4357
0
            ret = mbedtls_ssl_write_certificate(ssl);
4358
0
            break;
4359
4360
0
        case MBEDTLS_SSL_SERVER_KEY_EXCHANGE:
4361
0
            ret = ssl_write_server_key_exchange(ssl);
4362
0
            break;
4363
4364
0
        case MBEDTLS_SSL_CERTIFICATE_REQUEST:
4365
0
            ret = ssl_write_certificate_request(ssl);
4366
0
            break;
4367
4368
0
        case MBEDTLS_SSL_SERVER_HELLO_DONE:
4369
0
            ret = ssl_write_server_hello_done(ssl);
4370
0
            break;
4371
4372
        /*
4373
         *  <== ( Certificate/Alert  )
4374
         *        ClientKeyExchange
4375
         *      ( CertificateVerify  )
4376
         *        ChangeCipherSpec
4377
         *        Finished
4378
         */
4379
0
        case MBEDTLS_SSL_CLIENT_CERTIFICATE:
4380
0
            ret = mbedtls_ssl_parse_certificate(ssl);
4381
0
            break;
4382
4383
0
        case MBEDTLS_SSL_CLIENT_KEY_EXCHANGE:
4384
0
            ret = ssl_parse_client_key_exchange(ssl);
4385
0
            break;
4386
4387
0
        case MBEDTLS_SSL_CERTIFICATE_VERIFY:
4388
0
            ret = ssl_parse_certificate_verify(ssl);
4389
0
            break;
4390
4391
0
        case MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC:
4392
0
            ret = mbedtls_ssl_parse_change_cipher_spec(ssl);
4393
0
            break;
4394
4395
0
        case MBEDTLS_SSL_CLIENT_FINISHED:
4396
0
            ret = mbedtls_ssl_parse_finished(ssl);
4397
0
            break;
4398
4399
        /*
4400
         *  ==> ( NewSessionTicket )
4401
         *        ChangeCipherSpec
4402
         *        Finished
4403
         */
4404
0
        case MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC:
4405
0
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
4406
0
            if (ssl->handshake->new_session_ticket != 0) {
4407
0
                ret = ssl_write_new_session_ticket(ssl);
4408
0
            } else
4409
0
#endif
4410
0
            ret = mbedtls_ssl_write_change_cipher_spec(ssl);
4411
0
            break;
4412
4413
0
        case MBEDTLS_SSL_SERVER_FINISHED:
4414
0
            ret = mbedtls_ssl_write_finished(ssl);
4415
0
            break;
4416
4417
0
        case MBEDTLS_SSL_FLUSH_BUFFERS:
4418
0
            MBEDTLS_SSL_DEBUG_MSG(2, ("handshake: done"));
4419
0
            ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
4420
0
            break;
4421
4422
0
        case MBEDTLS_SSL_HANDSHAKE_WRAPUP:
4423
0
            mbedtls_ssl_handshake_wrapup(ssl);
4424
0
            break;
4425
4426
0
        default:
4427
0
            MBEDTLS_SSL_DEBUG_MSG(1, ("invalid state %d", ssl->state));
4428
0
            return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4429
0
    }
4430
4431
0
    return ret;
4432
0
}
4433
4434
void mbedtls_ssl_conf_preference_order(mbedtls_ssl_config *conf, int order)
4435
0
{
4436
0
    conf->respect_cli_pref = order;
4437
0
}
4438
4439
#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_PROTO_TLS1_2 */