/src/openthread/third_party/mbedtls/repo/library/ssl_cli.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * SSLv3/TLSv1 client-side functions |
3 | | * |
4 | | * Copyright The Mbed TLS Contributors |
5 | | * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later |
6 | | */ |
7 | | |
8 | | #include "common.h" |
9 | | |
10 | | #if defined(MBEDTLS_SSL_CLI_C) |
11 | | |
12 | | #include "mbedtls/platform.h" |
13 | | |
14 | | #include "mbedtls/ssl.h" |
15 | | #include "mbedtls/ssl_internal.h" |
16 | | #include "mbedtls/debug.h" |
17 | | #include "mbedtls/error.h" |
18 | | #include "mbedtls/constant_time.h" |
19 | | |
20 | | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
21 | | #include "mbedtls/psa_util.h" |
22 | | #include "psa/crypto.h" |
23 | | #endif /* MBEDTLS_USE_PSA_CRYPTO */ |
24 | | |
25 | | #include <string.h> |
26 | | |
27 | | #include <stdint.h> |
28 | | |
29 | | #if defined(MBEDTLS_HAVE_TIME) |
30 | | #include "mbedtls/platform_time.h" |
31 | | #endif |
32 | | |
33 | | #if defined(MBEDTLS_SSL_SESSION_TICKETS) |
34 | | #include "mbedtls/platform_util.h" |
35 | | #endif |
36 | | |
37 | | #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) |
38 | | MBEDTLS_CHECK_RETURN_CRITICAL |
39 | | static int ssl_conf_has_static_psk(mbedtls_ssl_config const *conf) |
40 | 0 | { |
41 | 0 | if (conf->psk_identity == NULL || |
42 | 0 | conf->psk_identity_len == 0) { |
43 | 0 | return 0; |
44 | 0 | } |
45 | | |
46 | 0 | if (conf->psk != NULL && conf->psk_len != 0) { |
47 | 0 | return 1; |
48 | 0 | } |
49 | | |
50 | | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
51 | | if (!mbedtls_svc_key_id_is_null(conf->psk_opaque)) { |
52 | | return 1; |
53 | | } |
54 | | #endif /* MBEDTLS_USE_PSA_CRYPTO */ |
55 | | |
56 | 0 | return 0; |
57 | 0 | } |
58 | | |
59 | | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
60 | | MBEDTLS_CHECK_RETURN_CRITICAL |
61 | | static int ssl_conf_has_static_raw_psk(mbedtls_ssl_config const *conf) |
62 | | { |
63 | | if (conf->psk_identity == NULL || |
64 | | conf->psk_identity_len == 0) { |
65 | | return 0; |
66 | | } |
67 | | |
68 | | if (conf->psk != NULL && conf->psk_len != 0) { |
69 | | return 1; |
70 | | } |
71 | | |
72 | | return 0; |
73 | | } |
74 | | #endif /* MBEDTLS_USE_PSA_CRYPTO */ |
75 | | |
76 | | #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */ |
77 | | |
78 | | #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) |
79 | | MBEDTLS_CHECK_RETURN_CRITICAL |
80 | | static int ssl_write_hostname_ext(mbedtls_ssl_context *ssl, |
81 | | unsigned char *buf, |
82 | | const unsigned char *end, |
83 | | size_t *olen) |
84 | | { |
85 | | unsigned char *p = buf; |
86 | | size_t hostname_len; |
87 | | |
88 | | *olen = 0; |
89 | | |
90 | | if (ssl->hostname == NULL) { |
91 | | return 0; |
92 | | } |
93 | | |
94 | | MBEDTLS_SSL_DEBUG_MSG(3, |
95 | | ("client hello, adding server name extension: %s", |
96 | | ssl->hostname)); |
97 | | |
98 | | hostname_len = strlen(ssl->hostname); |
99 | | |
100 | | MBEDTLS_SSL_CHK_BUF_PTR(p, end, hostname_len + 9); |
101 | | |
102 | | /* |
103 | | * Sect. 3, RFC 6066 (TLS Extensions Definitions) |
104 | | * |
105 | | * In order to provide any of the server names, clients MAY include an |
106 | | * extension of type "server_name" in the (extended) client hello. The |
107 | | * "extension_data" field of this extension SHALL contain |
108 | | * "ServerNameList" where: |
109 | | * |
110 | | * struct { |
111 | | * NameType name_type; |
112 | | * select (name_type) { |
113 | | * case host_name: HostName; |
114 | | * } name; |
115 | | * } ServerName; |
116 | | * |
117 | | * enum { |
118 | | * host_name(0), (255) |
119 | | * } NameType; |
120 | | * |
121 | | * opaque HostName<1..2^16-1>; |
122 | | * |
123 | | * struct { |
124 | | * ServerName server_name_list<1..2^16-1> |
125 | | * } ServerNameList; |
126 | | * |
127 | | */ |
128 | | MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_SERVERNAME, p, 0); |
129 | | p += 2; |
130 | | |
131 | | MBEDTLS_PUT_UINT16_BE(hostname_len + 5, p, 0); |
132 | | p += 2; |
133 | | |
134 | | MBEDTLS_PUT_UINT16_BE(hostname_len + 3, p, 0); |
135 | | p += 2; |
136 | | |
137 | | *p++ = MBEDTLS_BYTE_0(MBEDTLS_TLS_EXT_SERVERNAME_HOSTNAME); |
138 | | |
139 | | MBEDTLS_PUT_UINT16_BE(hostname_len, p, 0); |
140 | | p += 2; |
141 | | |
142 | | memcpy(p, ssl->hostname, hostname_len); |
143 | | |
144 | | *olen = hostname_len + 9; |
145 | | |
146 | | return 0; |
147 | | } |
148 | | #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ |
149 | | |
150 | | #if defined(MBEDTLS_SSL_RENEGOTIATION) |
151 | | MBEDTLS_CHECK_RETURN_CRITICAL |
152 | | static int ssl_write_renegotiation_ext(mbedtls_ssl_context *ssl, |
153 | | unsigned char *buf, |
154 | | const unsigned char *end, |
155 | | size_t *olen) |
156 | | { |
157 | | unsigned char *p = buf; |
158 | | |
159 | | *olen = 0; |
160 | | |
161 | | /* We're always including a TLS_EMPTY_RENEGOTIATION_INFO_SCSV in the |
162 | | * initial ClientHello, in which case also adding the renegotiation |
163 | | * info extension is NOT RECOMMENDED as per RFC 5746 Section 3.4. */ |
164 | | if (ssl->renego_status != MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) { |
165 | | return 0; |
166 | | } |
167 | | |
168 | | MBEDTLS_SSL_DEBUG_MSG(3, |
169 | | ("client hello, adding renegotiation extension")); |
170 | | |
171 | | MBEDTLS_SSL_CHK_BUF_PTR(p, end, 5 + ssl->verify_data_len); |
172 | | |
173 | | /* |
174 | | * Secure renegotiation |
175 | | */ |
176 | | MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_RENEGOTIATION_INFO, p, 0); |
177 | | p += 2; |
178 | | |
179 | | *p++ = 0x00; |
180 | | *p++ = MBEDTLS_BYTE_0(ssl->verify_data_len + 1); |
181 | | *p++ = MBEDTLS_BYTE_0(ssl->verify_data_len); |
182 | | |
183 | | memcpy(p, ssl->own_verify_data, ssl->verify_data_len); |
184 | | |
185 | | *olen = 5 + ssl->verify_data_len; |
186 | | |
187 | | return 0; |
188 | | } |
189 | | #endif /* MBEDTLS_SSL_RENEGOTIATION */ |
190 | | |
191 | | /* |
192 | | * Only if we handle at least one key exchange that needs signatures. |
193 | | */ |
194 | | #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ |
195 | | defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) |
196 | | MBEDTLS_CHECK_RETURN_CRITICAL |
197 | | static int ssl_write_signature_algorithms_ext(mbedtls_ssl_context *ssl, |
198 | | unsigned char *buf, |
199 | | const unsigned char *end, |
200 | | size_t *olen) |
201 | 0 | { |
202 | 0 | unsigned char *p = buf; |
203 | 0 | size_t sig_alg_len = 0; |
204 | 0 | const int *md; |
205 | |
|
206 | 0 | #if defined(MBEDTLS_RSA_C) || defined(MBEDTLS_ECDSA_C) |
207 | 0 | unsigned char *sig_alg_list = buf + 6; |
208 | 0 | #endif |
209 | |
|
210 | 0 | *olen = 0; |
211 | |
|
212 | 0 | if (ssl->conf->max_minor_ver != MBEDTLS_SSL_MINOR_VERSION_3) { |
213 | 0 | return 0; |
214 | 0 | } |
215 | | |
216 | 0 | MBEDTLS_SSL_DEBUG_MSG(3, |
217 | 0 | ("client hello, adding signature_algorithms extension")); |
218 | |
|
219 | 0 | if (ssl->conf->sig_hashes == NULL) { |
220 | 0 | return MBEDTLS_ERR_SSL_BAD_CONFIG; |
221 | 0 | } |
222 | | |
223 | 0 | for (md = ssl->conf->sig_hashes; *md != MBEDTLS_MD_NONE; md++) { |
224 | 0 | #if defined(MBEDTLS_ECDSA_C) |
225 | 0 | sig_alg_len += 2; |
226 | 0 | #endif |
227 | | #if defined(MBEDTLS_RSA_C) |
228 | | sig_alg_len += 2; |
229 | | #endif |
230 | 0 | if (sig_alg_len > MBEDTLS_SSL_MAX_SIG_HASH_ALG_LIST_LEN) { |
231 | 0 | MBEDTLS_SSL_DEBUG_MSG(3, |
232 | 0 | ("length in bytes of sig-hash-alg extension too big")); |
233 | 0 | return MBEDTLS_ERR_SSL_BAD_CONFIG; |
234 | 0 | } |
235 | 0 | } |
236 | | |
237 | | /* Empty signature algorithms list, this is a configuration error. */ |
238 | 0 | if (sig_alg_len == 0) { |
239 | 0 | return MBEDTLS_ERR_SSL_BAD_CONFIG; |
240 | 0 | } |
241 | | |
242 | 0 | MBEDTLS_SSL_CHK_BUF_PTR(p, end, sig_alg_len + 6); |
243 | | |
244 | | /* |
245 | | * Prepare signature_algorithms extension (TLS 1.2) |
246 | | */ |
247 | 0 | sig_alg_len = 0; |
248 | |
|
249 | 0 | for (md = ssl->conf->sig_hashes; *md != MBEDTLS_MD_NONE; md++) { |
250 | 0 | #if defined(MBEDTLS_ECDSA_C) |
251 | 0 | sig_alg_list[sig_alg_len++] = mbedtls_ssl_hash_from_md_alg(*md); |
252 | 0 | sig_alg_list[sig_alg_len++] = MBEDTLS_SSL_SIG_ECDSA; |
253 | 0 | #endif |
254 | | #if defined(MBEDTLS_RSA_C) |
255 | | sig_alg_list[sig_alg_len++] = mbedtls_ssl_hash_from_md_alg(*md); |
256 | | sig_alg_list[sig_alg_len++] = MBEDTLS_SSL_SIG_RSA; |
257 | | #endif |
258 | 0 | } |
259 | | |
260 | | /* |
261 | | * enum { |
262 | | * none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5), |
263 | | * sha512(6), (255) |
264 | | * } HashAlgorithm; |
265 | | * |
266 | | * enum { anonymous(0), rsa(1), dsa(2), ecdsa(3), (255) } |
267 | | * SignatureAlgorithm; |
268 | | * |
269 | | * struct { |
270 | | * HashAlgorithm hash; |
271 | | * SignatureAlgorithm signature; |
272 | | * } SignatureAndHashAlgorithm; |
273 | | * |
274 | | * SignatureAndHashAlgorithm |
275 | | * supported_signature_algorithms<2..2^16-2>; |
276 | | */ |
277 | 0 | MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_SIG_ALG, p, 0); |
278 | 0 | p += 2; |
279 | |
|
280 | 0 | MBEDTLS_PUT_UINT16_BE(sig_alg_len + 2, p, 0); |
281 | 0 | p += 2; |
282 | |
|
283 | 0 | MBEDTLS_PUT_UINT16_BE(sig_alg_len, p, 0); |
284 | 0 | p += 2; |
285 | |
|
286 | 0 | *olen = 6 + sig_alg_len; |
287 | |
|
288 | 0 | return 0; |
289 | 0 | } |
290 | | #endif /* MBEDTLS_SSL_PROTO_TLS1_2 && |
291 | | MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ |
292 | | |
293 | | #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ |
294 | | defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) |
295 | | MBEDTLS_CHECK_RETURN_CRITICAL |
296 | | static int ssl_write_supported_elliptic_curves_ext(mbedtls_ssl_context *ssl, |
297 | | unsigned char *buf, |
298 | | const unsigned char *end, |
299 | | size_t *olen) |
300 | 0 | { |
301 | 0 | unsigned char *p = buf; |
302 | 0 | unsigned char *elliptic_curve_list = p + 6; |
303 | 0 | size_t elliptic_curve_len = 0; |
304 | 0 | const mbedtls_ecp_curve_info *info; |
305 | 0 | const mbedtls_ecp_group_id *grp_id; |
306 | |
|
307 | 0 | *olen = 0; |
308 | |
|
309 | 0 | MBEDTLS_SSL_DEBUG_MSG(3, |
310 | 0 | ("client hello, adding supported_elliptic_curves extension")); |
311 | |
|
312 | 0 | if (ssl->conf->curve_list == NULL) { |
313 | 0 | return MBEDTLS_ERR_SSL_BAD_CONFIG; |
314 | 0 | } |
315 | | |
316 | 0 | for (grp_id = ssl->conf->curve_list; |
317 | 0 | *grp_id != MBEDTLS_ECP_DP_NONE; |
318 | 0 | grp_id++) { |
319 | 0 | info = mbedtls_ecp_curve_info_from_grp_id(*grp_id); |
320 | 0 | if (info == NULL) { |
321 | 0 | MBEDTLS_SSL_DEBUG_MSG(1, |
322 | 0 | ("invalid curve in ssl configuration")); |
323 | 0 | return MBEDTLS_ERR_SSL_BAD_CONFIG; |
324 | 0 | } |
325 | 0 | elliptic_curve_len += 2; |
326 | |
|
327 | 0 | if (elliptic_curve_len > MBEDTLS_SSL_MAX_CURVE_LIST_LEN) { |
328 | 0 | MBEDTLS_SSL_DEBUG_MSG(3, |
329 | 0 | ("malformed supported_elliptic_curves extension in config")); |
330 | 0 | return MBEDTLS_ERR_SSL_BAD_CONFIG; |
331 | 0 | } |
332 | 0 | } |
333 | | |
334 | | /* Empty elliptic curve list, this is a configuration error. */ |
335 | 0 | if (elliptic_curve_len == 0) { |
336 | 0 | return MBEDTLS_ERR_SSL_BAD_CONFIG; |
337 | 0 | } |
338 | | |
339 | 0 | MBEDTLS_SSL_CHK_BUF_PTR(p, end, 6 + elliptic_curve_len); |
340 | | |
341 | 0 | elliptic_curve_len = 0; |
342 | |
|
343 | 0 | for (grp_id = ssl->conf->curve_list; |
344 | 0 | *grp_id != MBEDTLS_ECP_DP_NONE; |
345 | 0 | grp_id++) { |
346 | 0 | info = mbedtls_ecp_curve_info_from_grp_id(*grp_id); |
347 | 0 | elliptic_curve_list[elliptic_curve_len++] = MBEDTLS_BYTE_1(info->tls_id); |
348 | 0 | elliptic_curve_list[elliptic_curve_len++] = MBEDTLS_BYTE_0(info->tls_id); |
349 | 0 | } |
350 | |
|
351 | 0 | MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES, p, 0); |
352 | 0 | p += 2; |
353 | |
|
354 | 0 | MBEDTLS_PUT_UINT16_BE(elliptic_curve_len + 2, p, 0); |
355 | 0 | p += 2; |
356 | |
|
357 | 0 | MBEDTLS_PUT_UINT16_BE(elliptic_curve_len, p, 0); |
358 | 0 | p += 2; |
359 | |
|
360 | 0 | *olen = 6 + elliptic_curve_len; |
361 | |
|
362 | 0 | return 0; |
363 | 0 | } |
364 | | |
365 | | MBEDTLS_CHECK_RETURN_CRITICAL |
366 | | static int ssl_write_supported_point_formats_ext(mbedtls_ssl_context *ssl, |
367 | | unsigned char *buf, |
368 | | const unsigned char *end, |
369 | | size_t *olen) |
370 | 0 | { |
371 | 0 | unsigned char *p = buf; |
372 | 0 | (void) ssl; /* ssl used for debugging only */ |
373 | |
|
374 | 0 | *olen = 0; |
375 | |
|
376 | 0 | MBEDTLS_SSL_DEBUG_MSG(3, |
377 | 0 | ("client hello, adding supported_point_formats extension")); |
378 | 0 | MBEDTLS_SSL_CHK_BUF_PTR(p, end, 6); |
379 | | |
380 | 0 | MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS, p, 0); |
381 | 0 | p += 2; |
382 | |
|
383 | 0 | *p++ = 0x00; |
384 | 0 | *p++ = 2; |
385 | |
|
386 | 0 | *p++ = 1; |
387 | 0 | *p++ = MBEDTLS_ECP_PF_UNCOMPRESSED; |
388 | |
|
389 | 0 | *olen = 6; |
390 | |
|
391 | 0 | return 0; |
392 | 0 | } |
393 | | #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || |
394 | | MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ |
395 | | |
396 | | #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) |
397 | | MBEDTLS_CHECK_RETURN_CRITICAL |
398 | | static int ssl_write_ecjpake_kkpp_ext(mbedtls_ssl_context *ssl, |
399 | | unsigned char *buf, |
400 | | const unsigned char *end, |
401 | | size_t *olen) |
402 | 0 | { |
403 | 0 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
404 | 0 | unsigned char *p = buf; |
405 | 0 | size_t kkpp_len; |
406 | |
|
407 | 0 | *olen = 0; |
408 | | |
409 | | /* Skip costly extension if we can't use EC J-PAKE anyway */ |
410 | 0 | if (mbedtls_ecjpake_check(&ssl->handshake->ecjpake_ctx) != 0) { |
411 | 0 | return 0; |
412 | 0 | } |
413 | | |
414 | 0 | MBEDTLS_SSL_DEBUG_MSG(3, |
415 | 0 | ("client hello, adding ecjpake_kkpp extension")); |
416 | |
|
417 | 0 | MBEDTLS_SSL_CHK_BUF_PTR(p, end, 4); |
418 | | |
419 | 0 | MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_ECJPAKE_KKPP, p, 0); |
420 | 0 | p += 2; |
421 | | |
422 | | /* |
423 | | * We may need to send ClientHello multiple times for Hello verification. |
424 | | * We don't want to compute fresh values every time (both for performance |
425 | | * and consistency reasons), so cache the extension content. |
426 | | */ |
427 | 0 | if (ssl->handshake->ecjpake_cache == NULL || |
428 | 0 | ssl->handshake->ecjpake_cache_len == 0) { |
429 | 0 | MBEDTLS_SSL_DEBUG_MSG(3, ("generating new ecjpake parameters")); |
430 | |
|
431 | 0 | ret = mbedtls_ecjpake_write_round_one(&ssl->handshake->ecjpake_ctx, |
432 | 0 | p + 2, end - p - 2, &kkpp_len, |
433 | 0 | ssl->conf->f_rng, ssl->conf->p_rng); |
434 | 0 | if (ret != 0) { |
435 | 0 | MBEDTLS_SSL_DEBUG_RET(1, |
436 | 0 | "mbedtls_ecjpake_write_round_one", ret); |
437 | 0 | return ret; |
438 | 0 | } |
439 | | |
440 | 0 | ssl->handshake->ecjpake_cache = mbedtls_calloc(1, kkpp_len); |
441 | 0 | if (ssl->handshake->ecjpake_cache == NULL) { |
442 | 0 | MBEDTLS_SSL_DEBUG_MSG(1, ("allocation failed")); |
443 | 0 | return MBEDTLS_ERR_SSL_ALLOC_FAILED; |
444 | 0 | } |
445 | | |
446 | 0 | memcpy(ssl->handshake->ecjpake_cache, p + 2, kkpp_len); |
447 | 0 | ssl->handshake->ecjpake_cache_len = kkpp_len; |
448 | 0 | } else { |
449 | 0 | MBEDTLS_SSL_DEBUG_MSG(3, ("re-using cached ecjpake parameters")); |
450 | |
|
451 | 0 | kkpp_len = ssl->handshake->ecjpake_cache_len; |
452 | 0 | MBEDTLS_SSL_CHK_BUF_PTR(p + 2, end, kkpp_len); |
453 | | |
454 | 0 | memcpy(p + 2, ssl->handshake->ecjpake_cache, kkpp_len); |
455 | 0 | } |
456 | | |
457 | 0 | MBEDTLS_PUT_UINT16_BE(kkpp_len, p, 0); |
458 | 0 | p += 2; |
459 | |
|
460 | 0 | *olen = kkpp_len + 4; |
461 | |
|
462 | 0 | return 0; |
463 | 0 | } |
464 | | #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ |
465 | | |
466 | | #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) |
467 | | MBEDTLS_CHECK_RETURN_CRITICAL |
468 | | static int ssl_write_cid_ext(mbedtls_ssl_context *ssl, |
469 | | unsigned char *buf, |
470 | | const unsigned char *end, |
471 | | size_t *olen) |
472 | | { |
473 | | unsigned char *p = buf; |
474 | | size_t ext_len; |
475 | | |
476 | | /* |
477 | | * Quoting draft-ietf-tls-dtls-connection-id-05 |
478 | | * https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05 |
479 | | * |
480 | | * struct { |
481 | | * opaque cid<0..2^8-1>; |
482 | | * } ConnectionId; |
483 | | */ |
484 | | |
485 | | *olen = 0; |
486 | | if (ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM || |
487 | | ssl->negotiate_cid == MBEDTLS_SSL_CID_DISABLED) { |
488 | | return 0; |
489 | | } |
490 | | MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, adding CID extension")); |
491 | | |
492 | | /* ssl->own_cid_len is at most MBEDTLS_SSL_CID_IN_LEN_MAX |
493 | | * which is at most 255, so the increment cannot overflow. */ |
494 | | MBEDTLS_SSL_CHK_BUF_PTR(p, end, (unsigned) (ssl->own_cid_len + 5)); |
495 | | |
496 | | /* Add extension ID + size */ |
497 | | MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_CID, p, 0); |
498 | | p += 2; |
499 | | ext_len = (size_t) ssl->own_cid_len + 1; |
500 | | MBEDTLS_PUT_UINT16_BE(ext_len, p, 0); |
501 | | p += 2; |
502 | | |
503 | | *p++ = (uint8_t) ssl->own_cid_len; |
504 | | memcpy(p, ssl->own_cid, ssl->own_cid_len); |
505 | | |
506 | | *olen = ssl->own_cid_len + 5; |
507 | | |
508 | | return 0; |
509 | | } |
510 | | #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ |
511 | | |
512 | | #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) |
513 | | MBEDTLS_CHECK_RETURN_CRITICAL |
514 | | static int ssl_write_max_fragment_length_ext(mbedtls_ssl_context *ssl, |
515 | | unsigned char *buf, |
516 | | const unsigned char *end, |
517 | | size_t *olen) |
518 | 0 | { |
519 | 0 | unsigned char *p = buf; |
520 | |
|
521 | 0 | *olen = 0; |
522 | |
|
523 | 0 | if (ssl->conf->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE) { |
524 | 0 | return 0; |
525 | 0 | } |
526 | | |
527 | 0 | MBEDTLS_SSL_DEBUG_MSG(3, |
528 | 0 | ("client hello, adding max_fragment_length extension")); |
529 | |
|
530 | 0 | MBEDTLS_SSL_CHK_BUF_PTR(p, end, 5); |
531 | | |
532 | 0 | MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH, p, 0); |
533 | 0 | p += 2; |
534 | |
|
535 | 0 | *p++ = 0x00; |
536 | 0 | *p++ = 1; |
537 | |
|
538 | 0 | *p++ = ssl->conf->mfl_code; |
539 | |
|
540 | 0 | *olen = 5; |
541 | |
|
542 | 0 | return 0; |
543 | 0 | } |
544 | | #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ |
545 | | |
546 | | #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) |
547 | | MBEDTLS_CHECK_RETURN_CRITICAL |
548 | | static int ssl_write_truncated_hmac_ext(mbedtls_ssl_context *ssl, |
549 | | unsigned char *buf, |
550 | | const unsigned char *end, |
551 | | size_t *olen) |
552 | | { |
553 | | unsigned char *p = buf; |
554 | | |
555 | | *olen = 0; |
556 | | |
557 | | if (ssl->conf->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_DISABLED) { |
558 | | return 0; |
559 | | } |
560 | | |
561 | | MBEDTLS_SSL_DEBUG_MSG(3, |
562 | | ("client hello, adding truncated_hmac extension")); |
563 | | |
564 | | MBEDTLS_SSL_CHK_BUF_PTR(p, end, 4); |
565 | | |
566 | | MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_TRUNCATED_HMAC, p, 0); |
567 | | p += 2; |
568 | | |
569 | | *p++ = 0x00; |
570 | | *p++ = 0x00; |
571 | | |
572 | | *olen = 4; |
573 | | |
574 | | return 0; |
575 | | } |
576 | | #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */ |
577 | | |
578 | | #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) |
579 | | MBEDTLS_CHECK_RETURN_CRITICAL |
580 | | static int ssl_write_encrypt_then_mac_ext(mbedtls_ssl_context *ssl, |
581 | | unsigned char *buf, |
582 | | const unsigned char *end, |
583 | | size_t *olen) |
584 | | { |
585 | | unsigned char *p = buf; |
586 | | |
587 | | *olen = 0; |
588 | | |
589 | | if (ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED || |
590 | | ssl->conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_0) { |
591 | | return 0; |
592 | | } |
593 | | |
594 | | MBEDTLS_SSL_DEBUG_MSG(3, |
595 | | ("client hello, adding encrypt_then_mac extension")); |
596 | | |
597 | | MBEDTLS_SSL_CHK_BUF_PTR(p, end, 4); |
598 | | |
599 | | MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC, p, 0); |
600 | | p += 2; |
601 | | |
602 | | *p++ = 0x00; |
603 | | *p++ = 0x00; |
604 | | |
605 | | *olen = 4; |
606 | | |
607 | | return 0; |
608 | | } |
609 | | #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */ |
610 | | |
611 | | #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) |
612 | | MBEDTLS_CHECK_RETURN_CRITICAL |
613 | | static int ssl_write_extended_ms_ext(mbedtls_ssl_context *ssl, |
614 | | unsigned char *buf, |
615 | | const unsigned char *end, |
616 | | size_t *olen) |
617 | | { |
618 | | unsigned char *p = buf; |
619 | | |
620 | | *olen = 0; |
621 | | |
622 | | if (ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED || |
623 | | ssl->conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_0) { |
624 | | return 0; |
625 | | } |
626 | | |
627 | | MBEDTLS_SSL_DEBUG_MSG(3, |
628 | | ("client hello, adding extended_master_secret extension")); |
629 | | |
630 | | MBEDTLS_SSL_CHK_BUF_PTR(p, end, 4); |
631 | | |
632 | | MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET, p, 0); |
633 | | p += 2; |
634 | | |
635 | | *p++ = 0x00; |
636 | | *p++ = 0x00; |
637 | | |
638 | | *olen = 4; |
639 | | |
640 | | return 0; |
641 | | } |
642 | | #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */ |
643 | | |
644 | | #if defined(MBEDTLS_SSL_SESSION_TICKETS) |
645 | | MBEDTLS_CHECK_RETURN_CRITICAL |
646 | | static int ssl_write_session_ticket_ext(mbedtls_ssl_context *ssl, |
647 | | unsigned char *buf, |
648 | | const unsigned char *end, |
649 | | size_t *olen) |
650 | | { |
651 | | unsigned char *p = buf; |
652 | | size_t tlen = ssl->session_negotiate->ticket_len; |
653 | | |
654 | | *olen = 0; |
655 | | |
656 | | if (ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED) { |
657 | | return 0; |
658 | | } |
659 | | |
660 | | MBEDTLS_SSL_DEBUG_MSG(3, |
661 | | ("client hello, adding session ticket extension")); |
662 | | |
663 | | /* The addition is safe here since the ticket length is 16 bit. */ |
664 | | MBEDTLS_SSL_CHK_BUF_PTR(p, end, 4 + tlen); |
665 | | |
666 | | MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_SESSION_TICKET, p, 0); |
667 | | p += 2; |
668 | | |
669 | | MBEDTLS_PUT_UINT16_BE(tlen, p, 0); |
670 | | p += 2; |
671 | | |
672 | | *olen = 4; |
673 | | |
674 | | if (ssl->session_negotiate->ticket == NULL || tlen == 0) { |
675 | | return 0; |
676 | | } |
677 | | |
678 | | MBEDTLS_SSL_DEBUG_MSG(3, |
679 | | ("sending session ticket of length %" MBEDTLS_PRINTF_SIZET, tlen)); |
680 | | |
681 | | memcpy(p, ssl->session_negotiate->ticket, tlen); |
682 | | |
683 | | *olen += tlen; |
684 | | |
685 | | return 0; |
686 | | } |
687 | | #endif /* MBEDTLS_SSL_SESSION_TICKETS */ |
688 | | |
689 | | #if defined(MBEDTLS_SSL_ALPN) |
690 | | MBEDTLS_CHECK_RETURN_CRITICAL |
691 | | static int ssl_write_alpn_ext(mbedtls_ssl_context *ssl, |
692 | | unsigned char *buf, |
693 | | const unsigned char *end, |
694 | | size_t *olen) |
695 | | { |
696 | | unsigned char *p = buf; |
697 | | size_t alpnlen = 0; |
698 | | const char **cur; |
699 | | |
700 | | *olen = 0; |
701 | | |
702 | | if (ssl->conf->alpn_list == NULL) { |
703 | | return 0; |
704 | | } |
705 | | |
706 | | MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, adding alpn extension")); |
707 | | |
708 | | for (cur = ssl->conf->alpn_list; *cur != NULL; cur++) { |
709 | | alpnlen += strlen(*cur) + 1; |
710 | | } |
711 | | |
712 | | MBEDTLS_SSL_CHK_BUF_PTR(p, end, 6 + alpnlen); |
713 | | |
714 | | MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_ALPN, p, 0); |
715 | | p += 2; |
716 | | |
717 | | /* |
718 | | * opaque ProtocolName<1..2^8-1>; |
719 | | * |
720 | | * struct { |
721 | | * ProtocolName protocol_name_list<2..2^16-1> |
722 | | * } ProtocolNameList; |
723 | | */ |
724 | | |
725 | | /* Skip writing extension and list length for now */ |
726 | | p += 4; |
727 | | |
728 | | for (cur = ssl->conf->alpn_list; *cur != NULL; cur++) { |
729 | | /* |
730 | | * mbedtls_ssl_conf_set_alpn_protocols() checked that the length of |
731 | | * protocol names is less than 255. |
732 | | */ |
733 | | *p = (unsigned char) strlen(*cur); |
734 | | memcpy(p + 1, *cur, *p); |
735 | | p += 1 + *p; |
736 | | } |
737 | | |
738 | | *olen = p - buf; |
739 | | |
740 | | /* List length = olen - 2 (ext_type) - 2 (ext_len) - 2 (list_len) */ |
741 | | MBEDTLS_PUT_UINT16_BE(*olen - 6, buf, 4); |
742 | | |
743 | | /* Extension length = olen - 2 (ext_type) - 2 (ext_len) */ |
744 | | MBEDTLS_PUT_UINT16_BE(*olen - 4, buf, 2); |
745 | | |
746 | | return 0; |
747 | | } |
748 | | #endif /* MBEDTLS_SSL_ALPN */ |
749 | | |
750 | | #if defined(MBEDTLS_SSL_DTLS_SRTP) |
751 | | MBEDTLS_CHECK_RETURN_CRITICAL |
752 | | static int ssl_write_use_srtp_ext(mbedtls_ssl_context *ssl, |
753 | | unsigned char *buf, |
754 | | const unsigned char *end, |
755 | | size_t *olen) |
756 | | { |
757 | | unsigned char *p = buf; |
758 | | size_t protection_profiles_index = 0, ext_len = 0; |
759 | | uint16_t mki_len = 0, profile_value = 0; |
760 | | |
761 | | *olen = 0; |
762 | | |
763 | | if ((ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) || |
764 | | (ssl->conf->dtls_srtp_profile_list == NULL) || |
765 | | (ssl->conf->dtls_srtp_profile_list_len == 0)) { |
766 | | return 0; |
767 | | } |
768 | | |
769 | | /* RFC 5764 section 4.1.1 |
770 | | * uint8 SRTPProtectionProfile[2]; |
771 | | * |
772 | | * struct { |
773 | | * SRTPProtectionProfiles SRTPProtectionProfiles; |
774 | | * opaque srtp_mki<0..255>; |
775 | | * } UseSRTPData; |
776 | | * SRTPProtectionProfile SRTPProtectionProfiles<2..2^16-1>; |
777 | | */ |
778 | | if (ssl->conf->dtls_srtp_mki_support == MBEDTLS_SSL_DTLS_SRTP_MKI_SUPPORTED) { |
779 | | mki_len = ssl->dtls_srtp_info.mki_len; |
780 | | } |
781 | | /* Extension length = 2 bytes for profiles length, |
782 | | * ssl->conf->dtls_srtp_profile_list_len * 2 (each profile is 2 bytes length ), |
783 | | * 1 byte for srtp_mki vector length and the mki_len value |
784 | | */ |
785 | | ext_len = 2 + 2 * (ssl->conf->dtls_srtp_profile_list_len) + 1 + mki_len; |
786 | | |
787 | | MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, adding use_srtp extension")); |
788 | | |
789 | | /* Check there is room in the buffer for the extension + 4 bytes |
790 | | * - the extension tag (2 bytes) |
791 | | * - the extension length (2 bytes) |
792 | | */ |
793 | | MBEDTLS_SSL_CHK_BUF_PTR(p, end, ext_len + 4); |
794 | | |
795 | | MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_USE_SRTP, p, 0); |
796 | | p += 2; |
797 | | |
798 | | MBEDTLS_PUT_UINT16_BE(ext_len, p, 0); |
799 | | p += 2; |
800 | | |
801 | | /* protection profile length: 2*(ssl->conf->dtls_srtp_profile_list_len) */ |
802 | | /* micro-optimization: |
803 | | * the list size is limited to MBEDTLS_TLS_SRTP_MAX_PROFILE_LIST_LENGTH |
804 | | * which is lower than 127, so the upper byte of the length is always 0 |
805 | | * For the documentation, the more generic code is left in comments |
806 | | * *p++ = (unsigned char)( ( ( 2 * ssl->conf->dtls_srtp_profile_list_len ) |
807 | | * >> 8 ) & 0xFF ); |
808 | | */ |
809 | | *p++ = 0; |
810 | | *p++ = MBEDTLS_BYTE_0(2 * ssl->conf->dtls_srtp_profile_list_len); |
811 | | |
812 | | for (protection_profiles_index = 0; |
813 | | protection_profiles_index < ssl->conf->dtls_srtp_profile_list_len; |
814 | | protection_profiles_index++) { |
815 | | profile_value = mbedtls_ssl_check_srtp_profile_value |
816 | | (ssl->conf->dtls_srtp_profile_list[protection_profiles_index]); |
817 | | if (profile_value != MBEDTLS_TLS_SRTP_UNSET) { |
818 | | MBEDTLS_SSL_DEBUG_MSG(3, ("ssl_write_use_srtp_ext, add profile: %04x", |
819 | | profile_value)); |
820 | | MBEDTLS_PUT_UINT16_BE(profile_value, p, 0); |
821 | | p += 2; |
822 | | } else { |
823 | | /* |
824 | | * Note: we shall never arrive here as protection profiles |
825 | | * is checked by mbedtls_ssl_conf_dtls_srtp_protection_profiles function |
826 | | */ |
827 | | MBEDTLS_SSL_DEBUG_MSG(3, |
828 | | ("client hello, " |
829 | | "illegal DTLS-SRTP protection profile %d", |
830 | | ssl->conf->dtls_srtp_profile_list[protection_profiles_index] |
831 | | )); |
832 | | return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
833 | | } |
834 | | } |
835 | | |
836 | | *p++ = mki_len & 0xFF; |
837 | | |
838 | | if (mki_len != 0) { |
839 | | memcpy(p, ssl->dtls_srtp_info.mki_value, mki_len); |
840 | | /* |
841 | | * Increment p to point to the current position. |
842 | | */ |
843 | | p += mki_len; |
844 | | MBEDTLS_SSL_DEBUG_BUF(3, "sending mki", ssl->dtls_srtp_info.mki_value, |
845 | | ssl->dtls_srtp_info.mki_len); |
846 | | } |
847 | | |
848 | | /* |
849 | | * total extension length: extension type (2 bytes) |
850 | | * + extension length (2 bytes) |
851 | | * + protection profile length (2 bytes) |
852 | | * + 2 * number of protection profiles |
853 | | * + srtp_mki vector length(1 byte) |
854 | | * + mki value |
855 | | */ |
856 | | *olen = p - buf; |
857 | | |
858 | | return 0; |
859 | | } |
860 | | #endif /* MBEDTLS_SSL_DTLS_SRTP */ |
861 | | |
862 | | /* |
863 | | * Generate random bytes for ClientHello |
864 | | */ |
865 | | MBEDTLS_CHECK_RETURN_CRITICAL |
866 | | static int ssl_generate_random(mbedtls_ssl_context *ssl) |
867 | 0 | { |
868 | 0 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
869 | 0 | unsigned char *p = ssl->handshake->randbytes; |
870 | | #if defined(MBEDTLS_HAVE_TIME) |
871 | | mbedtls_time_t t; |
872 | | #endif |
873 | | |
874 | | /* |
875 | | * When responding to a verify request, MUST reuse random (RFC 6347 4.2.1) |
876 | | */ |
877 | 0 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
878 | 0 | if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && |
879 | 0 | ssl->handshake->verify_cookie != NULL) { |
880 | 0 | return 0; |
881 | 0 | } |
882 | 0 | #endif |
883 | | |
884 | | #if defined(MBEDTLS_HAVE_TIME) |
885 | | t = mbedtls_time(NULL); |
886 | | MBEDTLS_PUT_UINT32_BE(t, p, 0); |
887 | | p += 4; |
888 | | |
889 | | MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, current time: %" MBEDTLS_PRINTF_LONGLONG, |
890 | | (long long) t)); |
891 | | #else |
892 | 0 | if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, p, 4)) != 0) { |
893 | 0 | return ret; |
894 | 0 | } |
895 | | |
896 | 0 | p += 4; |
897 | 0 | #endif /* MBEDTLS_HAVE_TIME */ |
898 | |
|
899 | 0 | if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, p, 28)) != 0) { |
900 | 0 | return ret; |
901 | 0 | } |
902 | | |
903 | 0 | return 0; |
904 | 0 | } |
905 | | |
906 | | /** |
907 | | * \brief Validate cipher suite against config in SSL context. |
908 | | * |
909 | | * \param suite_info cipher suite to validate |
910 | | * \param ssl SSL context |
911 | | * \param min_minor_ver Minimal minor version to accept a cipher suite |
912 | | * \param max_minor_ver Maximal minor version to accept a cipher suite |
913 | | * |
914 | | * \return 0 if valid, else 1 |
915 | | */ |
916 | | MBEDTLS_CHECK_RETURN_CRITICAL |
917 | | static int ssl_validate_ciphersuite( |
918 | | const mbedtls_ssl_ciphersuite_t *suite_info, |
919 | | const mbedtls_ssl_context *ssl, |
920 | | int min_minor_ver, int max_minor_ver) |
921 | 0 | { |
922 | 0 | (void) ssl; |
923 | 0 | if (suite_info == NULL) { |
924 | 0 | return 1; |
925 | 0 | } |
926 | | |
927 | 0 | if (suite_info->min_minor_ver > max_minor_ver || |
928 | 0 | suite_info->max_minor_ver < min_minor_ver) { |
929 | 0 | return 1; |
930 | 0 | } |
931 | | |
932 | 0 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
933 | 0 | if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && |
934 | 0 | (suite_info->flags & MBEDTLS_CIPHERSUITE_NODTLS)) { |
935 | 0 | return 1; |
936 | 0 | } |
937 | 0 | #endif |
938 | | |
939 | | #if defined(MBEDTLS_ARC4_C) |
940 | | if (ssl->conf->arc4_disabled == MBEDTLS_SSL_ARC4_DISABLED && |
941 | | suite_info->cipher == MBEDTLS_CIPHER_ARC4_128) { |
942 | | return 1; |
943 | | } |
944 | | #endif |
945 | | |
946 | 0 | #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) |
947 | 0 | if (suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE && |
948 | 0 | mbedtls_ecjpake_check(&ssl->handshake->ecjpake_ctx) != 0) { |
949 | 0 | return 1; |
950 | 0 | } |
951 | 0 | #endif |
952 | | |
953 | | /* Don't suggest PSK-based ciphersuite if no PSK is available. */ |
954 | 0 | #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) |
955 | 0 | if (mbedtls_ssl_ciphersuite_uses_psk(suite_info) && |
956 | 0 | ssl_conf_has_static_psk(ssl->conf) == 0) { |
957 | 0 | return 1; |
958 | 0 | } |
959 | 0 | #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */ |
960 | | |
961 | 0 | return 0; |
962 | 0 | } |
963 | | |
964 | | MBEDTLS_CHECK_RETURN_CRITICAL |
965 | | static int ssl_write_client_hello(mbedtls_ssl_context *ssl) |
966 | 0 | { |
967 | 0 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
968 | 0 | size_t i, n, olen, ext_len = 0; |
969 | |
|
970 | 0 | unsigned char *buf; |
971 | 0 | unsigned char *p, *q; |
972 | 0 | const unsigned char *end; |
973 | |
|
974 | 0 | unsigned char offer_compress; |
975 | 0 | const int *ciphersuites; |
976 | 0 | const mbedtls_ssl_ciphersuite_t *ciphersuite_info; |
977 | 0 | #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ |
978 | 0 | defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) |
979 | 0 | int uses_ec = 0; |
980 | 0 | #endif |
981 | |
|
982 | 0 | MBEDTLS_SSL_DEBUG_MSG(2, ("=> write client hello")); |
983 | |
|
984 | 0 | if (ssl->conf->f_rng == NULL) { |
985 | 0 | MBEDTLS_SSL_DEBUG_MSG(1, ("no RNG provided")); |
986 | 0 | return MBEDTLS_ERR_SSL_NO_RNG; |
987 | 0 | } |
988 | | |
989 | 0 | int renegotiating = 0; |
990 | | #if defined(MBEDTLS_SSL_RENEGOTIATION) |
991 | | if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) { |
992 | | renegotiating = 1; |
993 | | } |
994 | | #endif |
995 | 0 | if (!renegotiating) { |
996 | 0 | ssl->major_ver = ssl->conf->min_major_ver; |
997 | 0 | ssl->minor_ver = ssl->conf->min_minor_ver; |
998 | 0 | } |
999 | |
|
1000 | 0 | if (ssl->conf->max_major_ver == 0) { |
1001 | 0 | MBEDTLS_SSL_DEBUG_MSG(1, |
1002 | 0 | ( |
1003 | 0 | "configured max major version is invalid, consider using mbedtls_ssl_config_defaults()")); |
1004 | 0 | return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; |
1005 | 0 | } |
1006 | | |
1007 | 0 | buf = ssl->out_msg; |
1008 | 0 | end = buf + MBEDTLS_SSL_OUT_CONTENT_LEN; |
1009 | | |
1010 | | /* |
1011 | | * Check if there's enough space for the first part of the ClientHello |
1012 | | * consisting of the 38 bytes described below, the session identifier (at |
1013 | | * most 32 bytes) and its length (1 byte). |
1014 | | * |
1015 | | * Use static upper bounds instead of the actual values |
1016 | | * to allow the compiler to optimize this away. |
1017 | | */ |
1018 | 0 | MBEDTLS_SSL_CHK_BUF_PTR(buf, end, 38 + 1 + 32); |
1019 | | |
1020 | | /* |
1021 | | * The 38 first bytes of the ClientHello: |
1022 | | * 0 . 0 handshake type (written later) |
1023 | | * 1 . 3 handshake length (written later) |
1024 | | * 4 . 5 highest version supported |
1025 | | * 6 . 9 current UNIX time |
1026 | | * 10 . 37 random bytes |
1027 | | * |
1028 | | * The current UNIX time (4 bytes) and following 28 random bytes are written |
1029 | | * by ssl_generate_random() into ssl->handshake->randbytes buffer and then |
1030 | | * copied from there into the output buffer. |
1031 | | */ |
1032 | | |
1033 | 0 | p = buf + 4; |
1034 | 0 | mbedtls_ssl_write_version(ssl->conf->max_major_ver, |
1035 | 0 | ssl->conf->max_minor_ver, |
1036 | 0 | ssl->conf->transport, p); |
1037 | 0 | p += 2; |
1038 | |
|
1039 | 0 | MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, max version: [%d:%d]", |
1040 | 0 | buf[4], buf[5])); |
1041 | |
|
1042 | 0 | if ((ret = ssl_generate_random(ssl)) != 0) { |
1043 | 0 | MBEDTLS_SSL_DEBUG_RET(1, "ssl_generate_random", ret); |
1044 | 0 | return ret; |
1045 | 0 | } |
1046 | | |
1047 | 0 | memcpy(p, ssl->handshake->randbytes, 32); |
1048 | 0 | MBEDTLS_SSL_DEBUG_BUF(3, "client hello, random bytes", p, 32); |
1049 | 0 | p += 32; |
1050 | | |
1051 | | /* |
1052 | | * 38 . 38 session id length |
1053 | | * 39 . 39+n session id |
1054 | | * 39+n . 39+n DTLS only: cookie length (1 byte) |
1055 | | * 40+n . .. DTLS only: cookie |
1056 | | * .. . .. ciphersuitelist length (2 bytes) |
1057 | | * .. . .. ciphersuitelist |
1058 | | * .. . .. compression methods length (1 byte) |
1059 | | * .. . .. compression methods |
1060 | | * .. . .. extensions length (2 bytes) |
1061 | | * .. . .. extensions |
1062 | | */ |
1063 | 0 | n = ssl->session_negotiate->id_len; |
1064 | |
|
1065 | 0 | if (n < 16 || n > 32 || |
1066 | | #if defined(MBEDTLS_SSL_RENEGOTIATION) |
1067 | | ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE || |
1068 | | #endif |
1069 | 0 | ssl->handshake->resume == 0) { |
1070 | 0 | n = 0; |
1071 | 0 | } |
1072 | |
|
1073 | | #if defined(MBEDTLS_SSL_SESSION_TICKETS) |
1074 | | /* |
1075 | | * RFC 5077 section 3.4: "When presenting a ticket, the client MAY |
1076 | | * generate and include a Session ID in the TLS ClientHello." |
1077 | | */ |
1078 | | if (!renegotiating) { |
1079 | | if (ssl->session_negotiate->ticket != NULL && |
1080 | | ssl->session_negotiate->ticket_len != 0) { |
1081 | | ret = ssl->conf->f_rng(ssl->conf->p_rng, |
1082 | | ssl->session_negotiate->id, 32); |
1083 | | |
1084 | | if (ret != 0) { |
1085 | | return ret; |
1086 | | } |
1087 | | |
1088 | | ssl->session_negotiate->id_len = n = 32; |
1089 | | } |
1090 | | } |
1091 | | #endif /* MBEDTLS_SSL_SESSION_TICKETS */ |
1092 | | |
1093 | | /* |
1094 | | * The first check of the output buffer size above ( |
1095 | | * MBEDTLS_SSL_CHK_BUF_PTR( buf, end, 38 + 1 + 32 );) |
1096 | | * has checked that there is enough space in the output buffer for the |
1097 | | * session identifier length byte and the session identifier (n <= 32). |
1098 | | */ |
1099 | 0 | *p++ = (unsigned char) n; |
1100 | |
|
1101 | 0 | for (i = 0; i < n; i++) { |
1102 | 0 | *p++ = ssl->session_negotiate->id[i]; |
1103 | 0 | } |
1104 | |
|
1105 | 0 | MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, session id len.: %" MBEDTLS_PRINTF_SIZET, n)); |
1106 | 0 | MBEDTLS_SSL_DEBUG_BUF(3, "client hello, session id", buf + 39, n); |
1107 | | |
1108 | | /* |
1109 | | * With 'n' being the length of the session identifier |
1110 | | * |
1111 | | * 39+n . 39+n DTLS only: cookie length (1 byte) |
1112 | | * 40+n . .. DTLS only: cookie |
1113 | | * .. . .. ciphersuitelist length (2 bytes) |
1114 | | * .. . .. ciphersuitelist |
1115 | | * .. . .. compression methods length (1 byte) |
1116 | | * .. . .. compression methods |
1117 | | * .. . .. extensions length (2 bytes) |
1118 | | * .. . .. extensions |
1119 | | */ |
1120 | | |
1121 | | /* |
1122 | | * DTLS cookie |
1123 | | */ |
1124 | 0 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
1125 | 0 | if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) { |
1126 | 0 | MBEDTLS_SSL_CHK_BUF_PTR(p, end, 1); |
1127 | | |
1128 | 0 | if (ssl->handshake->verify_cookie == NULL) { |
1129 | 0 | MBEDTLS_SSL_DEBUG_MSG(3, ("no verify cookie to send")); |
1130 | 0 | *p++ = 0; |
1131 | 0 | } else { |
1132 | 0 | MBEDTLS_SSL_DEBUG_BUF(3, "client hello, cookie", |
1133 | 0 | ssl->handshake->verify_cookie, |
1134 | 0 | ssl->handshake->verify_cookie_len); |
1135 | |
|
1136 | 0 | *p++ = ssl->handshake->verify_cookie_len; |
1137 | |
|
1138 | 0 | MBEDTLS_SSL_CHK_BUF_PTR(p, end, |
1139 | 0 | ssl->handshake->verify_cookie_len); |
1140 | 0 | memcpy(p, ssl->handshake->verify_cookie, |
1141 | 0 | ssl->handshake->verify_cookie_len); |
1142 | 0 | p += ssl->handshake->verify_cookie_len; |
1143 | 0 | } |
1144 | 0 | } |
1145 | 0 | #endif |
1146 | | |
1147 | | /* |
1148 | | * Ciphersuite list |
1149 | | */ |
1150 | 0 | ciphersuites = ssl->conf->ciphersuite_list[ssl->minor_ver]; |
1151 | | |
1152 | | /* Skip writing ciphersuite length for now */ |
1153 | 0 | n = 0; |
1154 | 0 | q = p; |
1155 | |
|
1156 | 0 | MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2); |
1157 | 0 | p += 2; |
1158 | |
|
1159 | 0 | for (i = 0; ciphersuites[i] != 0; i++) { |
1160 | 0 | ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(ciphersuites[i]); |
1161 | |
|
1162 | 0 | if (ssl_validate_ciphersuite(ciphersuite_info, ssl, |
1163 | 0 | ssl->conf->min_minor_ver, |
1164 | 0 | ssl->conf->max_minor_ver) != 0) { |
1165 | 0 | continue; |
1166 | 0 | } |
1167 | | |
1168 | 0 | MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, add ciphersuite: %#04x (%s)", |
1169 | 0 | (unsigned int) ciphersuites[i], ciphersuite_info->name)); |
1170 | |
|
1171 | 0 | #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ |
1172 | 0 | defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) |
1173 | 0 | uses_ec |= mbedtls_ssl_ciphersuite_uses_ec(ciphersuite_info); |
1174 | 0 | #endif |
1175 | |
|
1176 | 0 | MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2); |
1177 | | |
1178 | 0 | n++; |
1179 | 0 | MBEDTLS_PUT_UINT16_BE(ciphersuites[i], p, 0); |
1180 | 0 | p += 2; |
1181 | 0 | } |
1182 | | |
1183 | 0 | MBEDTLS_SSL_DEBUG_MSG(3, |
1184 | 0 | ("client hello, got %" MBEDTLS_PRINTF_SIZET |
1185 | 0 | " ciphersuites (excluding SCSVs)", n)); |
1186 | | |
1187 | | /* |
1188 | | * Add TLS_EMPTY_RENEGOTIATION_INFO_SCSV |
1189 | | */ |
1190 | 0 | if (!renegotiating) { |
1191 | 0 | MBEDTLS_SSL_DEBUG_MSG(3, ("adding EMPTY_RENEGOTIATION_INFO_SCSV")); |
1192 | 0 | MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2); |
1193 | 0 | MBEDTLS_PUT_UINT16_BE(MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO, p, 0); |
1194 | 0 | p += 2; |
1195 | 0 | n++; |
1196 | 0 | } |
1197 | | |
1198 | | /* Some versions of OpenSSL don't handle it correctly if not at end */ |
1199 | | #if defined(MBEDTLS_SSL_FALLBACK_SCSV) |
1200 | | if (ssl->conf->fallback == MBEDTLS_SSL_IS_FALLBACK) { |
1201 | | MBEDTLS_SSL_DEBUG_MSG(3, ("adding FALLBACK_SCSV")); |
1202 | | |
1203 | | MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2); |
1204 | | MBEDTLS_PUT_UINT16_BE(MBEDTLS_SSL_FALLBACK_SCSV_VALUE, p, 0); |
1205 | | p += 2; |
1206 | | n++; |
1207 | | } |
1208 | | #endif |
1209 | | |
1210 | 0 | *q++ = (unsigned char) (n >> 7); |
1211 | 0 | *q++ = (unsigned char) (n << 1); |
1212 | |
|
1213 | | #if defined(MBEDTLS_ZLIB_SUPPORT) |
1214 | | offer_compress = 1; |
1215 | | #else |
1216 | 0 | offer_compress = 0; |
1217 | 0 | #endif |
1218 | | |
1219 | | /* |
1220 | | * We don't support compression with DTLS right now: if many records come |
1221 | | * in the same datagram, uncompressing one could overwrite the next one. |
1222 | | * We don't want to add complexity for handling that case unless there is |
1223 | | * an actual need for it. |
1224 | | */ |
1225 | 0 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
1226 | 0 | if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) { |
1227 | 0 | offer_compress = 0; |
1228 | 0 | } |
1229 | 0 | #endif |
1230 | |
|
1231 | 0 | if (offer_compress) { |
1232 | 0 | MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, compress len.: %d", 2)); |
1233 | 0 | MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, compress alg.: %d %d", |
1234 | 0 | MBEDTLS_SSL_COMPRESS_DEFLATE, |
1235 | 0 | MBEDTLS_SSL_COMPRESS_NULL)); |
1236 | |
|
1237 | 0 | MBEDTLS_SSL_CHK_BUF_PTR(p, end, 3); |
1238 | 0 | *p++ = 2; |
1239 | 0 | *p++ = MBEDTLS_SSL_COMPRESS_DEFLATE; |
1240 | 0 | *p++ = MBEDTLS_SSL_COMPRESS_NULL; |
1241 | 0 | } else { |
1242 | 0 | MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, compress len.: %d", 1)); |
1243 | 0 | MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, compress alg.: %d", |
1244 | 0 | MBEDTLS_SSL_COMPRESS_NULL)); |
1245 | |
|
1246 | 0 | MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2); |
1247 | 0 | *p++ = 1; |
1248 | 0 | *p++ = MBEDTLS_SSL_COMPRESS_NULL; |
1249 | 0 | } |
1250 | | |
1251 | | /* First write extensions, then the total length */ |
1252 | | |
1253 | 0 | MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2); |
1254 | | |
1255 | | #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) |
1256 | | if ((ret = ssl_write_hostname_ext(ssl, p + 2 + ext_len, |
1257 | | end, &olen)) != 0) { |
1258 | | MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_hostname_ext", ret); |
1259 | | return ret; |
1260 | | } |
1261 | | ext_len += olen; |
1262 | | #endif |
1263 | | |
1264 | | /* Note that TLS_EMPTY_RENEGOTIATION_INFO_SCSV is always added |
1265 | | * even if MBEDTLS_SSL_RENEGOTIATION is not defined. */ |
1266 | | #if defined(MBEDTLS_SSL_RENEGOTIATION) |
1267 | | if ((ret = ssl_write_renegotiation_ext(ssl, p + 2 + ext_len, |
1268 | | end, &olen)) != 0) { |
1269 | | MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_renegotiation_ext", ret); |
1270 | | return ret; |
1271 | | } |
1272 | | ext_len += olen; |
1273 | | #endif |
1274 | | |
1275 | 0 | #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ |
1276 | 0 | defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) |
1277 | 0 | if ((ret = ssl_write_signature_algorithms_ext(ssl, p + 2 + ext_len, |
1278 | 0 | end, &olen)) != 0) { |
1279 | 0 | MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_signature_algorithms_ext", ret); |
1280 | 0 | return ret; |
1281 | 0 | } |
1282 | 0 | ext_len += olen; |
1283 | 0 | #endif |
1284 | |
|
1285 | 0 | #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ |
1286 | 0 | defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) |
1287 | 0 | if (uses_ec) { |
1288 | 0 | if ((ret = ssl_write_supported_elliptic_curves_ext(ssl, p + 2 + ext_len, |
1289 | 0 | end, &olen)) != 0) { |
1290 | 0 | MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_supported_elliptic_curves_ext", ret); |
1291 | 0 | return ret; |
1292 | 0 | } |
1293 | 0 | ext_len += olen; |
1294 | |
|
1295 | 0 | if ((ret = ssl_write_supported_point_formats_ext(ssl, p + 2 + ext_len, |
1296 | 0 | end, &olen)) != 0) { |
1297 | 0 | MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_supported_point_formats_ext", ret); |
1298 | 0 | return ret; |
1299 | 0 | } |
1300 | 0 | ext_len += olen; |
1301 | 0 | } |
1302 | 0 | #endif |
1303 | | |
1304 | 0 | #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) |
1305 | 0 | if ((ret = ssl_write_ecjpake_kkpp_ext(ssl, p + 2 + ext_len, |
1306 | 0 | end, &olen)) != 0) { |
1307 | 0 | MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_ecjpake_kkpp_ext", ret); |
1308 | 0 | return ret; |
1309 | 0 | } |
1310 | 0 | ext_len += olen; |
1311 | 0 | #endif |
1312 | |
|
1313 | | #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) |
1314 | | if ((ret = ssl_write_cid_ext(ssl, p + 2 + ext_len, end, &olen)) != 0) { |
1315 | | MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_cid_ext", ret); |
1316 | | return ret; |
1317 | | } |
1318 | | ext_len += olen; |
1319 | | #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ |
1320 | |
|
1321 | 0 | #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) |
1322 | 0 | if ((ret = ssl_write_max_fragment_length_ext(ssl, p + 2 + ext_len, |
1323 | 0 | end, &olen)) != 0) { |
1324 | 0 | MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_max_fragment_length_ext", ret); |
1325 | 0 | return ret; |
1326 | 0 | } |
1327 | 0 | ext_len += olen; |
1328 | 0 | #endif |
1329 | |
|
1330 | | #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) |
1331 | | if ((ret = ssl_write_truncated_hmac_ext(ssl, p + 2 + ext_len, |
1332 | | end, &olen)) != 0) { |
1333 | | MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_truncated_hmac_ext", ret); |
1334 | | return ret; |
1335 | | } |
1336 | | ext_len += olen; |
1337 | | #endif |
1338 | |
|
1339 | | #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) |
1340 | | if ((ret = ssl_write_encrypt_then_mac_ext(ssl, p + 2 + ext_len, |
1341 | | end, &olen)) != 0) { |
1342 | | MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_encrypt_then_mac_ext", ret); |
1343 | | return ret; |
1344 | | } |
1345 | | ext_len += olen; |
1346 | | #endif |
1347 | |
|
1348 | | #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) |
1349 | | if ((ret = ssl_write_extended_ms_ext(ssl, p + 2 + ext_len, |
1350 | | end, &olen)) != 0) { |
1351 | | MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_extended_ms_ext", ret); |
1352 | | return ret; |
1353 | | } |
1354 | | ext_len += olen; |
1355 | | #endif |
1356 | |
|
1357 | | #if defined(MBEDTLS_SSL_ALPN) |
1358 | | if ((ret = ssl_write_alpn_ext(ssl, p + 2 + ext_len, |
1359 | | end, &olen)) != 0) { |
1360 | | MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_alpn_ext", ret); |
1361 | | return ret; |
1362 | | } |
1363 | | ext_len += olen; |
1364 | | #endif |
1365 | |
|
1366 | | #if defined(MBEDTLS_SSL_DTLS_SRTP) |
1367 | | if ((ret = ssl_write_use_srtp_ext(ssl, p + 2 + ext_len, |
1368 | | end, &olen)) != 0) { |
1369 | | MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_use_srtp_ext", ret); |
1370 | | return ret; |
1371 | | } |
1372 | | ext_len += olen; |
1373 | | #endif |
1374 | |
|
1375 | | #if defined(MBEDTLS_SSL_SESSION_TICKETS) |
1376 | | if ((ret = ssl_write_session_ticket_ext(ssl, p + 2 + ext_len, |
1377 | | end, &olen)) != 0) { |
1378 | | MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_session_ticket_ext", ret); |
1379 | | return ret; |
1380 | | } |
1381 | | ext_len += olen; |
1382 | | #endif |
1383 | | |
1384 | | /* olen unused if all extensions are disabled */ |
1385 | 0 | ((void) olen); |
1386 | |
|
1387 | 0 | MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, total extension length: %" MBEDTLS_PRINTF_SIZET, |
1388 | 0 | ext_len)); |
1389 | |
|
1390 | 0 | if (ext_len > 0) { |
1391 | | /* No need to check for space here, because the extension |
1392 | | * writing functions already took care of that. */ |
1393 | 0 | MBEDTLS_PUT_UINT16_BE(ext_len, p, 0); |
1394 | 0 | p += 2 + ext_len; |
1395 | 0 | } |
1396 | |
|
1397 | 0 | ssl->out_msglen = p - buf; |
1398 | 0 | ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; |
1399 | 0 | ssl->out_msg[0] = MBEDTLS_SSL_HS_CLIENT_HELLO; |
1400 | |
|
1401 | 0 | ssl->state++; |
1402 | |
|
1403 | 0 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
1404 | 0 | if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) { |
1405 | 0 | mbedtls_ssl_send_flight_completed(ssl); |
1406 | 0 | } |
1407 | 0 | #endif |
1408 | |
|
1409 | 0 | if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) { |
1410 | 0 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret); |
1411 | 0 | return ret; |
1412 | 0 | } |
1413 | | |
1414 | 0 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
1415 | 0 | if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && |
1416 | 0 | (ret = mbedtls_ssl_flight_transmit(ssl)) != 0) { |
1417 | 0 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_flight_transmit", ret); |
1418 | 0 | return ret; |
1419 | 0 | } |
1420 | 0 | #endif /* MBEDTLS_SSL_PROTO_DTLS */ |
1421 | | |
1422 | 0 | MBEDTLS_SSL_DEBUG_MSG(2, ("<= write client hello")); |
1423 | |
|
1424 | 0 | return 0; |
1425 | 0 | } |
1426 | | |
1427 | | MBEDTLS_CHECK_RETURN_CRITICAL |
1428 | | static int ssl_parse_renegotiation_info(mbedtls_ssl_context *ssl, |
1429 | | const unsigned char *buf, |
1430 | | size_t len) |
1431 | 0 | { |
1432 | | #if defined(MBEDTLS_SSL_RENEGOTIATION) |
1433 | | if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) { |
1434 | | /* Check verify-data in constant-time. The length OTOH is no secret */ |
1435 | | if (len != 1 + ssl->verify_data_len * 2 || |
1436 | | buf[0] != ssl->verify_data_len * 2 || |
1437 | | mbedtls_ct_memcmp(buf + 1, |
1438 | | ssl->own_verify_data, ssl->verify_data_len) != 0 || |
1439 | | mbedtls_ct_memcmp(buf + 1 + ssl->verify_data_len, |
1440 | | ssl->peer_verify_data, ssl->verify_data_len) != 0) { |
1441 | | MBEDTLS_SSL_DEBUG_MSG(1, ("non-matching renegotiation info")); |
1442 | | mbedtls_ssl_send_alert_message( |
1443 | | ssl, |
1444 | | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
1445 | | MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE); |
1446 | | return MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO; |
1447 | | } |
1448 | | } else |
1449 | | #endif /* MBEDTLS_SSL_RENEGOTIATION */ |
1450 | 0 | { |
1451 | 0 | if (len != 1 || buf[0] != 0x00) { |
1452 | 0 | MBEDTLS_SSL_DEBUG_MSG(1, |
1453 | 0 | ("non-zero length renegotiation info")); |
1454 | 0 | mbedtls_ssl_send_alert_message( |
1455 | 0 | ssl, |
1456 | 0 | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
1457 | 0 | MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE); |
1458 | 0 | return MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO; |
1459 | 0 | } |
1460 | | |
1461 | 0 | ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION; |
1462 | 0 | } |
1463 | | |
1464 | 0 | return 0; |
1465 | 0 | } |
1466 | | |
1467 | | #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) |
1468 | | MBEDTLS_CHECK_RETURN_CRITICAL |
1469 | | static int ssl_parse_max_fragment_length_ext(mbedtls_ssl_context *ssl, |
1470 | | const unsigned char *buf, |
1471 | | size_t len) |
1472 | 0 | { |
1473 | | /* |
1474 | | * server should use the extension only if we did, |
1475 | | * and if so the server's value should match ours (and len is always 1) |
1476 | | */ |
1477 | 0 | if (ssl->conf->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE || |
1478 | 0 | len != 1 || |
1479 | 0 | buf[0] != ssl->conf->mfl_code) { |
1480 | 0 | MBEDTLS_SSL_DEBUG_MSG(1, |
1481 | 0 | ("non-matching max fragment length extension")); |
1482 | 0 | mbedtls_ssl_send_alert_message( |
1483 | 0 | ssl, |
1484 | 0 | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
1485 | 0 | MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER); |
1486 | 0 | return MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO; |
1487 | 0 | } |
1488 | | |
1489 | 0 | return 0; |
1490 | 0 | } |
1491 | | #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ |
1492 | | |
1493 | | #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) |
1494 | | MBEDTLS_CHECK_RETURN_CRITICAL |
1495 | | static int ssl_parse_truncated_hmac_ext(mbedtls_ssl_context *ssl, |
1496 | | const unsigned char *buf, |
1497 | | size_t len) |
1498 | | { |
1499 | | if (ssl->conf->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_DISABLED || |
1500 | | len != 0) { |
1501 | | MBEDTLS_SSL_DEBUG_MSG(1, |
1502 | | ("non-matching truncated HMAC extension")); |
1503 | | mbedtls_ssl_send_alert_message( |
1504 | | ssl, |
1505 | | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
1506 | | MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE); |
1507 | | return MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO; |
1508 | | } |
1509 | | |
1510 | | ((void) buf); |
1511 | | |
1512 | | ssl->session_negotiate->trunc_hmac = MBEDTLS_SSL_TRUNC_HMAC_ENABLED; |
1513 | | |
1514 | | return 0; |
1515 | | } |
1516 | | #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */ |
1517 | | |
1518 | | #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) |
1519 | | MBEDTLS_CHECK_RETURN_CRITICAL |
1520 | | static int ssl_parse_cid_ext(mbedtls_ssl_context *ssl, |
1521 | | const unsigned char *buf, |
1522 | | size_t len) |
1523 | | { |
1524 | | size_t peer_cid_len; |
1525 | | |
1526 | | if ( /* CID extension only makes sense in DTLS */ |
1527 | | ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM || |
1528 | | /* The server must only send the CID extension if we have offered it. */ |
1529 | | ssl->negotiate_cid == MBEDTLS_SSL_CID_DISABLED) { |
1530 | | MBEDTLS_SSL_DEBUG_MSG(1, ("CID extension unexpected")); |
1531 | | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
1532 | | MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT); |
1533 | | return MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO; |
1534 | | } |
1535 | | |
1536 | | if (len == 0) { |
1537 | | MBEDTLS_SSL_DEBUG_MSG(1, ("CID extension invalid")); |
1538 | | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
1539 | | MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE); |
1540 | | return MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO; |
1541 | | } |
1542 | | |
1543 | | peer_cid_len = *buf++; |
1544 | | len--; |
1545 | | |
1546 | | if (peer_cid_len > MBEDTLS_SSL_CID_OUT_LEN_MAX) { |
1547 | | MBEDTLS_SSL_DEBUG_MSG(1, ("CID extension invalid")); |
1548 | | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
1549 | | MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE); |
1550 | | return MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO; |
1551 | | } |
1552 | | |
1553 | | if (len != peer_cid_len) { |
1554 | | MBEDTLS_SSL_DEBUG_MSG(1, ("CID extension invalid")); |
1555 | | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
1556 | | MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER); |
1557 | | return MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO; |
1558 | | } |
1559 | | |
1560 | | ssl->handshake->cid_in_use = MBEDTLS_SSL_CID_ENABLED; |
1561 | | ssl->handshake->peer_cid_len = (uint8_t) peer_cid_len; |
1562 | | memcpy(ssl->handshake->peer_cid, buf, peer_cid_len); |
1563 | | |
1564 | | MBEDTLS_SSL_DEBUG_MSG(3, ("Use of CID extension negotiated")); |
1565 | | MBEDTLS_SSL_DEBUG_BUF(3, "Server CID", buf, peer_cid_len); |
1566 | | |
1567 | | return 0; |
1568 | | } |
1569 | | #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ |
1570 | | |
1571 | | #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) |
1572 | | MBEDTLS_CHECK_RETURN_CRITICAL |
1573 | | static int ssl_parse_encrypt_then_mac_ext(mbedtls_ssl_context *ssl, |
1574 | | const unsigned char *buf, |
1575 | | size_t len) |
1576 | | { |
1577 | | if (ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED || |
1578 | | ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 || |
1579 | | len != 0) { |
1580 | | MBEDTLS_SSL_DEBUG_MSG(1, |
1581 | | ("non-matching encrypt-then-MAC extension")); |
1582 | | mbedtls_ssl_send_alert_message( |
1583 | | ssl, |
1584 | | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
1585 | | MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT); |
1586 | | return MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO; |
1587 | | } |
1588 | | |
1589 | | ((void) buf); |
1590 | | |
1591 | | ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED; |
1592 | | |
1593 | | return 0; |
1594 | | } |
1595 | | #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */ |
1596 | | |
1597 | | #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) |
1598 | | MBEDTLS_CHECK_RETURN_CRITICAL |
1599 | | static int ssl_parse_extended_ms_ext(mbedtls_ssl_context *ssl, |
1600 | | const unsigned char *buf, |
1601 | | size_t len) |
1602 | | { |
1603 | | if (ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED || |
1604 | | ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 || |
1605 | | len != 0) { |
1606 | | MBEDTLS_SSL_DEBUG_MSG(1, |
1607 | | ("non-matching extended master secret extension")); |
1608 | | mbedtls_ssl_send_alert_message( |
1609 | | ssl, |
1610 | | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
1611 | | MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT); |
1612 | | return MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO; |
1613 | | } |
1614 | | |
1615 | | ((void) buf); |
1616 | | |
1617 | | ssl->handshake->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED; |
1618 | | |
1619 | | return 0; |
1620 | | } |
1621 | | #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */ |
1622 | | |
1623 | | #if defined(MBEDTLS_SSL_SESSION_TICKETS) |
1624 | | MBEDTLS_CHECK_RETURN_CRITICAL |
1625 | | static int ssl_parse_session_ticket_ext(mbedtls_ssl_context *ssl, |
1626 | | const unsigned char *buf, |
1627 | | size_t len) |
1628 | | { |
1629 | | if (ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED || |
1630 | | len != 0) { |
1631 | | MBEDTLS_SSL_DEBUG_MSG(1, |
1632 | | ("non-matching session ticket extension")); |
1633 | | mbedtls_ssl_send_alert_message( |
1634 | | ssl, |
1635 | | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
1636 | | MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT); |
1637 | | return MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO; |
1638 | | } |
1639 | | |
1640 | | ((void) buf); |
1641 | | |
1642 | | ssl->handshake->new_session_ticket = 1; |
1643 | | |
1644 | | return 0; |
1645 | | } |
1646 | | #endif /* MBEDTLS_SSL_SESSION_TICKETS */ |
1647 | | |
1648 | | #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ |
1649 | | defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) |
1650 | | MBEDTLS_CHECK_RETURN_CRITICAL |
1651 | | static int ssl_parse_supported_point_formats_ext(mbedtls_ssl_context *ssl, |
1652 | | const unsigned char *buf, |
1653 | | size_t len) |
1654 | 0 | { |
1655 | 0 | size_t list_size; |
1656 | 0 | const unsigned char *p; |
1657 | |
|
1658 | 0 | if (len == 0 || (size_t) (buf[0] + 1) != len) { |
1659 | 0 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message")); |
1660 | 0 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
1661 | 0 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); |
1662 | 0 | return MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO; |
1663 | 0 | } |
1664 | 0 | list_size = buf[0]; |
1665 | |
|
1666 | 0 | p = buf + 1; |
1667 | 0 | while (list_size > 0) { |
1668 | 0 | if (p[0] == MBEDTLS_ECP_PF_UNCOMPRESSED || |
1669 | 0 | p[0] == MBEDTLS_ECP_PF_COMPRESSED) { |
1670 | 0 | #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) |
1671 | 0 | ssl->handshake->ecdh_ctx.point_format = p[0]; |
1672 | 0 | #endif |
1673 | 0 | #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) |
1674 | 0 | ssl->handshake->ecjpake_ctx.point_format = p[0]; |
1675 | 0 | #endif |
1676 | 0 | MBEDTLS_SSL_DEBUG_MSG(4, ("point format selected: %d", p[0])); |
1677 | 0 | return 0; |
1678 | 0 | } |
1679 | | |
1680 | 0 | list_size--; |
1681 | 0 | p++; |
1682 | 0 | } |
1683 | | |
1684 | 0 | MBEDTLS_SSL_DEBUG_MSG(1, ("no point format in common")); |
1685 | 0 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
1686 | 0 | MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE); |
1687 | 0 | return MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO; |
1688 | 0 | } |
1689 | | #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || |
1690 | | MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ |
1691 | | |
1692 | | #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) |
1693 | | MBEDTLS_CHECK_RETURN_CRITICAL |
1694 | | static int ssl_parse_ecjpake_kkpp(mbedtls_ssl_context *ssl, |
1695 | | const unsigned char *buf, |
1696 | | size_t len) |
1697 | 0 | { |
1698 | 0 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
1699 | |
|
1700 | 0 | if (ssl->handshake->ciphersuite_info->key_exchange != |
1701 | 0 | MBEDTLS_KEY_EXCHANGE_ECJPAKE) { |
1702 | 0 | MBEDTLS_SSL_DEBUG_MSG(3, ("skip ecjpake kkpp extension")); |
1703 | 0 | return 0; |
1704 | 0 | } |
1705 | | |
1706 | | /* If we got here, we no longer need our cached extension */ |
1707 | 0 | mbedtls_free(ssl->handshake->ecjpake_cache); |
1708 | 0 | ssl->handshake->ecjpake_cache = NULL; |
1709 | 0 | ssl->handshake->ecjpake_cache_len = 0; |
1710 | |
|
1711 | 0 | if ((ret = mbedtls_ecjpake_read_round_one(&ssl->handshake->ecjpake_ctx, |
1712 | 0 | buf, len)) != 0) { |
1713 | 0 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_read_round_one", ret); |
1714 | 0 | mbedtls_ssl_send_alert_message( |
1715 | 0 | ssl, |
1716 | 0 | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
1717 | 0 | MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE); |
1718 | 0 | return ret; |
1719 | 0 | } |
1720 | | |
1721 | 0 | return 0; |
1722 | 0 | } |
1723 | | #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ |
1724 | | |
1725 | | #if defined(MBEDTLS_SSL_ALPN) |
1726 | | MBEDTLS_CHECK_RETURN_CRITICAL |
1727 | | static int ssl_parse_alpn_ext(mbedtls_ssl_context *ssl, |
1728 | | const unsigned char *buf, size_t len) |
1729 | | { |
1730 | | size_t list_len, name_len; |
1731 | | const char **p; |
1732 | | |
1733 | | /* If we didn't send it, the server shouldn't send it */ |
1734 | | if (ssl->conf->alpn_list == NULL) { |
1735 | | MBEDTLS_SSL_DEBUG_MSG(1, ("non-matching ALPN extension")); |
1736 | | mbedtls_ssl_send_alert_message( |
1737 | | ssl, |
1738 | | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
1739 | | MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT); |
1740 | | return MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO; |
1741 | | } |
1742 | | |
1743 | | /* |
1744 | | * opaque ProtocolName<1..2^8-1>; |
1745 | | * |
1746 | | * struct { |
1747 | | * ProtocolName protocol_name_list<2..2^16-1> |
1748 | | * } ProtocolNameList; |
1749 | | * |
1750 | | * the "ProtocolNameList" MUST contain exactly one "ProtocolName" |
1751 | | */ |
1752 | | |
1753 | | /* Min length is 2 (list_len) + 1 (name_len) + 1 (name) */ |
1754 | | if (len < 4) { |
1755 | | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
1756 | | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); |
1757 | | return MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO; |
1758 | | } |
1759 | | |
1760 | | list_len = (buf[0] << 8) | buf[1]; |
1761 | | if (list_len != len - 2) { |
1762 | | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
1763 | | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); |
1764 | | return MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO; |
1765 | | } |
1766 | | |
1767 | | name_len = buf[2]; |
1768 | | if (name_len != list_len - 1) { |
1769 | | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
1770 | | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); |
1771 | | return MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO; |
1772 | | } |
1773 | | |
1774 | | /* Check that the server chosen protocol was in our list and save it */ |
1775 | | for (p = ssl->conf->alpn_list; *p != NULL; p++) { |
1776 | | if (name_len == strlen(*p) && |
1777 | | memcmp(buf + 3, *p, name_len) == 0) { |
1778 | | ssl->alpn_chosen = *p; |
1779 | | return 0; |
1780 | | } |
1781 | | } |
1782 | | |
1783 | | MBEDTLS_SSL_DEBUG_MSG(1, ("ALPN extension: no matching protocol")); |
1784 | | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
1785 | | MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE); |
1786 | | return MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO; |
1787 | | } |
1788 | | #endif /* MBEDTLS_SSL_ALPN */ |
1789 | | |
1790 | | #if defined(MBEDTLS_SSL_DTLS_SRTP) |
1791 | | MBEDTLS_CHECK_RETURN_CRITICAL |
1792 | | static int ssl_parse_use_srtp_ext(mbedtls_ssl_context *ssl, |
1793 | | const unsigned char *buf, |
1794 | | size_t len) |
1795 | | { |
1796 | | mbedtls_ssl_srtp_profile server_protection = MBEDTLS_TLS_SRTP_UNSET; |
1797 | | size_t i, mki_len = 0; |
1798 | | uint16_t server_protection_profile_value = 0; |
1799 | | |
1800 | | /* If use_srtp is not configured, just ignore the extension */ |
1801 | | if ((ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) || |
1802 | | (ssl->conf->dtls_srtp_profile_list == NULL) || |
1803 | | (ssl->conf->dtls_srtp_profile_list_len == 0)) { |
1804 | | return 0; |
1805 | | } |
1806 | | |
1807 | | /* RFC 5764 section 4.1.1 |
1808 | | * uint8 SRTPProtectionProfile[2]; |
1809 | | * |
1810 | | * struct { |
1811 | | * SRTPProtectionProfiles SRTPProtectionProfiles; |
1812 | | * opaque srtp_mki<0..255>; |
1813 | | * } UseSRTPData; |
1814 | | |
1815 | | * SRTPProtectionProfile SRTPProtectionProfiles<2..2^16-1>; |
1816 | | * |
1817 | | */ |
1818 | | if (ssl->conf->dtls_srtp_mki_support == MBEDTLS_SSL_DTLS_SRTP_MKI_SUPPORTED) { |
1819 | | mki_len = ssl->dtls_srtp_info.mki_len; |
1820 | | } |
1821 | | |
1822 | | /* |
1823 | | * Length is 5 + optional mki_value : one protection profile length (2 bytes) |
1824 | | * + protection profile (2 bytes) |
1825 | | * + mki_len(1 byte) |
1826 | | * and optional srtp_mki |
1827 | | */ |
1828 | | if ((len < 5) || (len != (buf[4] + 5u))) { |
1829 | | return MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO; |
1830 | | } |
1831 | | |
1832 | | /* |
1833 | | * get the server protection profile |
1834 | | */ |
1835 | | |
1836 | | /* |
1837 | | * protection profile length must be 0x0002 as we must have only |
1838 | | * one protection profile in server Hello |
1839 | | */ |
1840 | | if ((buf[0] != 0) || (buf[1] != 2)) { |
1841 | | return MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO; |
1842 | | } |
1843 | | |
1844 | | server_protection_profile_value = (buf[2] << 8) | buf[3]; |
1845 | | server_protection = mbedtls_ssl_check_srtp_profile_value( |
1846 | | server_protection_profile_value); |
1847 | | if (server_protection != MBEDTLS_TLS_SRTP_UNSET) { |
1848 | | MBEDTLS_SSL_DEBUG_MSG(3, ("found srtp profile: %s", |
1849 | | mbedtls_ssl_get_srtp_profile_as_string( |
1850 | | server_protection))); |
1851 | | } |
1852 | | |
1853 | | ssl->dtls_srtp_info.chosen_dtls_srtp_profile = MBEDTLS_TLS_SRTP_UNSET; |
1854 | | |
1855 | | /* |
1856 | | * Check we have the server profile in our list |
1857 | | */ |
1858 | | for (i = 0; i < ssl->conf->dtls_srtp_profile_list_len; i++) { |
1859 | | if (server_protection == ssl->conf->dtls_srtp_profile_list[i]) { |
1860 | | ssl->dtls_srtp_info.chosen_dtls_srtp_profile = ssl->conf->dtls_srtp_profile_list[i]; |
1861 | | MBEDTLS_SSL_DEBUG_MSG(3, ("selected srtp profile: %s", |
1862 | | mbedtls_ssl_get_srtp_profile_as_string( |
1863 | | server_protection))); |
1864 | | break; |
1865 | | } |
1866 | | } |
1867 | | |
1868 | | /* If no match was found : server problem, it shall never answer with incompatible profile */ |
1869 | | if (ssl->dtls_srtp_info.chosen_dtls_srtp_profile == MBEDTLS_TLS_SRTP_UNSET) { |
1870 | | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
1871 | | MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE); |
1872 | | return MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO; |
1873 | | } |
1874 | | |
1875 | | /* If server does not use mki in its reply, make sure the client won't keep |
1876 | | * one as negotiated */ |
1877 | | if (len == 5) { |
1878 | | ssl->dtls_srtp_info.mki_len = 0; |
1879 | | } |
1880 | | |
1881 | | /* |
1882 | | * RFC5764: |
1883 | | * If the client detects a nonzero-length MKI in the server's response |
1884 | | * that is different than the one the client offered, then the client |
1885 | | * MUST abort the handshake and SHOULD send an invalid_parameter alert. |
1886 | | */ |
1887 | | if (len > 5 && (buf[4] != mki_len || |
1888 | | (memcmp(ssl->dtls_srtp_info.mki_value, &buf[5], mki_len)))) { |
1889 | | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
1890 | | MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER); |
1891 | | return MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO; |
1892 | | } |
1893 | | #if defined(MBEDTLS_DEBUG_C) |
1894 | | if (len > 5) { |
1895 | | MBEDTLS_SSL_DEBUG_BUF(3, "received mki", ssl->dtls_srtp_info.mki_value, |
1896 | | ssl->dtls_srtp_info.mki_len); |
1897 | | } |
1898 | | #endif |
1899 | | return 0; |
1900 | | } |
1901 | | #endif /* MBEDTLS_SSL_DTLS_SRTP */ |
1902 | | |
1903 | | /* |
1904 | | * Parse HelloVerifyRequest. Only called after verifying the HS type. |
1905 | | */ |
1906 | | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
1907 | | MBEDTLS_CHECK_RETURN_CRITICAL |
1908 | | static int ssl_parse_hello_verify_request(mbedtls_ssl_context *ssl) |
1909 | 0 | { |
1910 | 0 | const unsigned char *p = ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl); |
1911 | 0 | int major_ver, minor_ver; |
1912 | 0 | unsigned char cookie_len; |
1913 | |
|
1914 | 0 | MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse hello verify request")); |
1915 | | |
1916 | | /* Check that there is enough room for: |
1917 | | * - 2 bytes of version |
1918 | | * - 1 byte of cookie_len |
1919 | | */ |
1920 | 0 | if (mbedtls_ssl_hs_hdr_len(ssl) + 3 > ssl->in_msglen) { |
1921 | 0 | MBEDTLS_SSL_DEBUG_MSG(1, |
1922 | 0 | ("incoming HelloVerifyRequest message is too short")); |
1923 | 0 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
1924 | 0 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); |
1925 | 0 | return MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO; |
1926 | 0 | } |
1927 | | |
1928 | | /* |
1929 | | * struct { |
1930 | | * ProtocolVersion server_version; |
1931 | | * opaque cookie<0..2^8-1>; |
1932 | | * } HelloVerifyRequest; |
1933 | | */ |
1934 | 0 | MBEDTLS_SSL_DEBUG_BUF(3, "server version", p, 2); |
1935 | 0 | mbedtls_ssl_read_version(&major_ver, &minor_ver, ssl->conf->transport, p); |
1936 | 0 | p += 2; |
1937 | | |
1938 | | /* |
1939 | | * Since the RFC is not clear on this point, accept DTLS 1.0 (TLS 1.1) |
1940 | | * even is lower than our min version. |
1941 | | */ |
1942 | 0 | if (major_ver < MBEDTLS_SSL_MAJOR_VERSION_3 || |
1943 | 0 | minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 || |
1944 | 0 | major_ver > ssl->conf->max_major_ver || |
1945 | 0 | minor_ver > ssl->conf->max_minor_ver) { |
1946 | 0 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad server version")); |
1947 | |
|
1948 | 0 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
1949 | 0 | MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION); |
1950 | |
|
1951 | 0 | return MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION; |
1952 | 0 | } |
1953 | | |
1954 | 0 | cookie_len = *p++; |
1955 | 0 | if ((ssl->in_msg + ssl->in_msglen) - p < cookie_len) { |
1956 | 0 | MBEDTLS_SSL_DEBUG_MSG(1, |
1957 | 0 | ("cookie length does not match incoming message size")); |
1958 | 0 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
1959 | 0 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); |
1960 | 0 | return MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO; |
1961 | 0 | } |
1962 | 0 | MBEDTLS_SSL_DEBUG_BUF(3, "cookie", p, cookie_len); |
1963 | |
|
1964 | 0 | mbedtls_free(ssl->handshake->verify_cookie); |
1965 | |
|
1966 | 0 | ssl->handshake->verify_cookie = mbedtls_calloc(1, cookie_len); |
1967 | 0 | if (ssl->handshake->verify_cookie == NULL) { |
1968 | 0 | MBEDTLS_SSL_DEBUG_MSG(1, ("alloc failed (%d bytes)", cookie_len)); |
1969 | 0 | return MBEDTLS_ERR_SSL_ALLOC_FAILED; |
1970 | 0 | } |
1971 | | |
1972 | 0 | memcpy(ssl->handshake->verify_cookie, p, cookie_len); |
1973 | 0 | ssl->handshake->verify_cookie_len = cookie_len; |
1974 | | |
1975 | | /* Start over at ClientHello */ |
1976 | 0 | ssl->state = MBEDTLS_SSL_CLIENT_HELLO; |
1977 | 0 | mbedtls_ssl_reset_checksum(ssl); |
1978 | |
|
1979 | 0 | mbedtls_ssl_recv_flight_completed(ssl); |
1980 | |
|
1981 | 0 | MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse hello verify request")); |
1982 | |
|
1983 | 0 | return 0; |
1984 | 0 | } |
1985 | | #endif /* MBEDTLS_SSL_PROTO_DTLS */ |
1986 | | |
1987 | | static int is_compression_bad(mbedtls_ssl_context *ssl, unsigned char comp) |
1988 | 0 | { |
1989 | 0 | int bad_comp = 0; |
1990 | | |
1991 | | /* Suppress warnings in some configurations */ |
1992 | 0 | (void) ssl; |
1993 | | #if defined(MBEDTLS_ZLIB_SUPPORT) |
1994 | | /* See comments in ssl_write_client_hello() */ |
1995 | | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
1996 | | if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && |
1997 | | comp != MBEDTLS_SSL_COMPRESS_NULL) { |
1998 | | bad_comp = 1; |
1999 | | } |
2000 | | #endif |
2001 | | |
2002 | | if (comp != MBEDTLS_SSL_COMPRESS_NULL && |
2003 | | comp != MBEDTLS_SSL_COMPRESS_DEFLATE) { |
2004 | | bad_comp = 1; |
2005 | | } |
2006 | | #else /* MBEDTLS_ZLIB_SUPPORT */ |
2007 | 0 | if (comp != MBEDTLS_SSL_COMPRESS_NULL) { |
2008 | 0 | bad_comp = 1; |
2009 | 0 | } |
2010 | 0 | #endif /* MBEDTLS_ZLIB_SUPPORT */ |
2011 | 0 | return bad_comp; |
2012 | 0 | } |
2013 | | |
2014 | | MBEDTLS_CHECK_RETURN_CRITICAL |
2015 | | static int ssl_parse_server_hello(mbedtls_ssl_context *ssl) |
2016 | 0 | { |
2017 | 0 | int ret, i; |
2018 | 0 | size_t n; |
2019 | 0 | size_t ext_len; |
2020 | 0 | unsigned char *buf, *ext; |
2021 | 0 | unsigned char comp; |
2022 | | #if defined(MBEDTLS_SSL_RENEGOTIATION) |
2023 | | int renegotiation_info_seen = 0; |
2024 | | #endif |
2025 | 0 | int handshake_failure = 0; |
2026 | 0 | const mbedtls_ssl_ciphersuite_t *suite_info; |
2027 | |
|
2028 | 0 | MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse server hello")); |
2029 | |
|
2030 | 0 | if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) { |
2031 | | /* No alert on a read error. */ |
2032 | 0 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret); |
2033 | 0 | return ret; |
2034 | 0 | } |
2035 | | |
2036 | 0 | buf = ssl->in_msg; |
2037 | |
|
2038 | 0 | if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) { |
2039 | | #if defined(MBEDTLS_SSL_RENEGOTIATION) |
2040 | | if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) { |
2041 | | ssl->renego_records_seen++; |
2042 | | |
2043 | | if (ssl->conf->renego_max_records >= 0 && |
2044 | | ssl->renego_records_seen > ssl->conf->renego_max_records) { |
2045 | | MBEDTLS_SSL_DEBUG_MSG(1, |
2046 | | ("renegotiation requested, but not honored by server")); |
2047 | | return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE; |
2048 | | } |
2049 | | |
2050 | | MBEDTLS_SSL_DEBUG_MSG(1, |
2051 | | ("non-handshake message during renegotiation")); |
2052 | | |
2053 | | ssl->keep_current_message = 1; |
2054 | | return MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO; |
2055 | | } |
2056 | | #endif /* MBEDTLS_SSL_RENEGOTIATION */ |
2057 | |
|
2058 | 0 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message")); |
2059 | 0 | mbedtls_ssl_send_alert_message( |
2060 | 0 | ssl, |
2061 | 0 | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
2062 | 0 | MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE); |
2063 | 0 | return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE; |
2064 | 0 | } |
2065 | | |
2066 | 0 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
2067 | 0 | if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) { |
2068 | 0 | if (buf[0] == MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST) { |
2069 | 0 | MBEDTLS_SSL_DEBUG_MSG(2, ("received hello verify request")); |
2070 | 0 | MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse server hello")); |
2071 | 0 | return ssl_parse_hello_verify_request(ssl); |
2072 | 0 | } else { |
2073 | | /* We made it through the verification process */ |
2074 | 0 | mbedtls_free(ssl->handshake->verify_cookie); |
2075 | 0 | ssl->handshake->verify_cookie = NULL; |
2076 | 0 | ssl->handshake->verify_cookie_len = 0; |
2077 | 0 | } |
2078 | 0 | } |
2079 | 0 | #endif /* MBEDTLS_SSL_PROTO_DTLS */ |
2080 | | |
2081 | 0 | if (ssl->in_hslen < 38 + mbedtls_ssl_hs_hdr_len(ssl) || |
2082 | 0 | buf[0] != MBEDTLS_SSL_HS_SERVER_HELLO) { |
2083 | 0 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message")); |
2084 | 0 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
2085 | 0 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); |
2086 | 0 | return MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO; |
2087 | 0 | } |
2088 | | |
2089 | | /* |
2090 | | * 0 . 1 server_version |
2091 | | * 2 . 33 random (maybe including 4 bytes of Unix time) |
2092 | | * 34 . 34 session_id length = n |
2093 | | * 35 . 34+n session_id |
2094 | | * 35+n . 36+n cipher_suite |
2095 | | * 37+n . 37+n compression_method |
2096 | | * |
2097 | | * 38+n . 39+n extensions length (optional) |
2098 | | * 40+n . .. extensions |
2099 | | */ |
2100 | 0 | buf += mbedtls_ssl_hs_hdr_len(ssl); |
2101 | |
|
2102 | 0 | MBEDTLS_SSL_DEBUG_BUF(3, "server hello, version", buf + 0, 2); |
2103 | 0 | mbedtls_ssl_read_version(&ssl->major_ver, &ssl->minor_ver, |
2104 | 0 | ssl->conf->transport, buf + 0); |
2105 | |
|
2106 | 0 | if (ssl->major_ver < ssl->conf->min_major_ver || |
2107 | 0 | ssl->minor_ver < ssl->conf->min_minor_ver || |
2108 | 0 | ssl->major_ver > ssl->conf->max_major_ver || |
2109 | 0 | ssl->minor_ver > ssl->conf->max_minor_ver) { |
2110 | 0 | MBEDTLS_SSL_DEBUG_MSG(1, |
2111 | 0 | ( |
2112 | 0 | "server version out of bounds - min: [%d:%d], server: [%d:%d], max: [%d:%d]", |
2113 | 0 | ssl->conf->min_major_ver, |
2114 | 0 | ssl->conf->min_minor_ver, |
2115 | 0 | ssl->major_ver, ssl->minor_ver, |
2116 | 0 | ssl->conf->max_major_ver, |
2117 | 0 | ssl->conf->max_minor_ver)); |
2118 | |
|
2119 | 0 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
2120 | 0 | MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION); |
2121 | |
|
2122 | 0 | return MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION; |
2123 | 0 | } |
2124 | | |
2125 | 0 | MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, current time: %lu", |
2126 | 0 | ((unsigned long) buf[2] << 24) | |
2127 | 0 | ((unsigned long) buf[3] << 16) | |
2128 | 0 | ((unsigned long) buf[4] << 8) | |
2129 | 0 | ((unsigned long) buf[5]))); |
2130 | |
|
2131 | 0 | memcpy(ssl->handshake->randbytes + 32, buf + 2, 32); |
2132 | |
|
2133 | 0 | n = buf[34]; |
2134 | |
|
2135 | 0 | MBEDTLS_SSL_DEBUG_BUF(3, "server hello, random bytes", buf + 2, 32); |
2136 | |
|
2137 | 0 | if (n > 32) { |
2138 | 0 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message")); |
2139 | 0 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
2140 | 0 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); |
2141 | 0 | return MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO; |
2142 | 0 | } |
2143 | | |
2144 | 0 | if (ssl->in_hslen > mbedtls_ssl_hs_hdr_len(ssl) + 39 + n) { |
2145 | 0 | ext_len = ((buf[38 + n] << 8) |
2146 | 0 | | (buf[39 + n])); |
2147 | |
|
2148 | 0 | if ((ext_len > 0 && ext_len < 4) || |
2149 | 0 | ssl->in_hslen != mbedtls_ssl_hs_hdr_len(ssl) + 40 + n + ext_len) { |
2150 | 0 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message")); |
2151 | 0 | mbedtls_ssl_send_alert_message( |
2152 | 0 | ssl, |
2153 | 0 | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
2154 | 0 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); |
2155 | 0 | return MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO; |
2156 | 0 | } |
2157 | 0 | } else if (ssl->in_hslen == mbedtls_ssl_hs_hdr_len(ssl) + 38 + n) { |
2158 | 0 | ext_len = 0; |
2159 | 0 | } else { |
2160 | 0 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message")); |
2161 | 0 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
2162 | 0 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); |
2163 | 0 | return MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO; |
2164 | 0 | } |
2165 | | |
2166 | | /* ciphersuite (used later) */ |
2167 | 0 | i = (buf[35 + n] << 8) | buf[36 + n]; |
2168 | | |
2169 | | /* |
2170 | | * Read and check compression |
2171 | | */ |
2172 | 0 | comp = buf[37 + n]; |
2173 | |
|
2174 | 0 | if (is_compression_bad(ssl, comp)) { |
2175 | 0 | MBEDTLS_SSL_DEBUG_MSG(1, |
2176 | 0 | ("server hello, bad compression: %d", comp)); |
2177 | 0 | mbedtls_ssl_send_alert_message( |
2178 | 0 | ssl, |
2179 | 0 | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
2180 | 0 | MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER); |
2181 | 0 | return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; |
2182 | 0 | } |
2183 | | |
2184 | | /* |
2185 | | * Initialize update checksum functions |
2186 | | */ |
2187 | 0 | ssl->handshake->ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(i); |
2188 | 0 | if (ssl->handshake->ciphersuite_info == NULL) { |
2189 | 0 | MBEDTLS_SSL_DEBUG_MSG(1, |
2190 | 0 | ("ciphersuite info for %04x not found", (unsigned int) i)); |
2191 | 0 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
2192 | 0 | MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR); |
2193 | 0 | return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; |
2194 | 0 | } |
2195 | | |
2196 | 0 | mbedtls_ssl_optimize_checksum(ssl, ssl->handshake->ciphersuite_info); |
2197 | |
|
2198 | 0 | MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, session id len.: %" MBEDTLS_PRINTF_SIZET, n)); |
2199 | 0 | MBEDTLS_SSL_DEBUG_BUF(3, "server hello, session id", buf + 35, n); |
2200 | | |
2201 | | /* |
2202 | | * Check if the session can be resumed |
2203 | | */ |
2204 | 0 | if (ssl->handshake->resume == 0 || n == 0 || |
2205 | | #if defined(MBEDTLS_SSL_RENEGOTIATION) |
2206 | | ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE || |
2207 | | #endif |
2208 | 0 | ssl->session_negotiate->ciphersuite != i || |
2209 | 0 | ssl->session_negotiate->compression != comp || |
2210 | 0 | ssl->session_negotiate->id_len != n || |
2211 | 0 | memcmp(ssl->session_negotiate->id, buf + 35, n) != 0) { |
2212 | 0 | ssl->state++; |
2213 | 0 | ssl->handshake->resume = 0; |
2214 | | #if defined(MBEDTLS_HAVE_TIME) |
2215 | | ssl->session_negotiate->start = mbedtls_time(NULL); |
2216 | | #endif |
2217 | 0 | ssl->session_negotiate->ciphersuite = i; |
2218 | 0 | ssl->session_negotiate->compression = comp; |
2219 | 0 | ssl->session_negotiate->id_len = n; |
2220 | 0 | memcpy(ssl->session_negotiate->id, buf + 35, n); |
2221 | 0 | } else { |
2222 | 0 | ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC; |
2223 | 0 | } |
2224 | |
|
2225 | 0 | MBEDTLS_SSL_DEBUG_MSG(3, ("%s session has been resumed", |
2226 | 0 | ssl->handshake->resume ? "a" : "no")); |
2227 | |
|
2228 | 0 | MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, chosen ciphersuite: %04x", (unsigned) i)); |
2229 | 0 | MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, compress alg.: %d", |
2230 | 0 | buf[37 + n])); |
2231 | | |
2232 | | /* |
2233 | | * Perform cipher suite validation in same way as in ssl_write_client_hello. |
2234 | | */ |
2235 | 0 | i = 0; |
2236 | 0 | while (1) { |
2237 | 0 | if (ssl->conf->ciphersuite_list[ssl->minor_ver][i] == 0) { |
2238 | 0 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message")); |
2239 | 0 | mbedtls_ssl_send_alert_message( |
2240 | 0 | ssl, |
2241 | 0 | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
2242 | 0 | MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER); |
2243 | 0 | return MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO; |
2244 | 0 | } |
2245 | | |
2246 | 0 | if (ssl->conf->ciphersuite_list[ssl->minor_ver][i++] == |
2247 | 0 | ssl->session_negotiate->ciphersuite) { |
2248 | 0 | break; |
2249 | 0 | } |
2250 | 0 | } |
2251 | | |
2252 | 0 | suite_info = mbedtls_ssl_ciphersuite_from_id( |
2253 | 0 | ssl->session_negotiate->ciphersuite); |
2254 | 0 | if (ssl_validate_ciphersuite(suite_info, ssl, ssl->minor_ver, |
2255 | 0 | ssl->minor_ver) != 0) { |
2256 | 0 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message")); |
2257 | 0 | mbedtls_ssl_send_alert_message( |
2258 | 0 | ssl, |
2259 | 0 | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
2260 | 0 | MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER); |
2261 | 0 | return MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO; |
2262 | 0 | } |
2263 | | |
2264 | 0 | MBEDTLS_SSL_DEBUG_MSG(3, |
2265 | 0 | ("server hello, chosen ciphersuite: %s", suite_info->name)); |
2266 | |
|
2267 | | #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) |
2268 | | if (suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA && |
2269 | | ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3) { |
2270 | | ssl->handshake->ecrs_enabled = 1; |
2271 | | } |
2272 | | #endif |
2273 | |
|
2274 | 0 | if (comp != MBEDTLS_SSL_COMPRESS_NULL |
2275 | | #if defined(MBEDTLS_ZLIB_SUPPORT) |
2276 | | && comp != MBEDTLS_SSL_COMPRESS_DEFLATE |
2277 | | #endif |
2278 | 0 | ) { |
2279 | 0 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message")); |
2280 | 0 | mbedtls_ssl_send_alert_message( |
2281 | 0 | ssl, |
2282 | 0 | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
2283 | 0 | MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER); |
2284 | 0 | return MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO; |
2285 | 0 | } |
2286 | 0 | ssl->session_negotiate->compression = comp; |
2287 | |
|
2288 | 0 | ext = buf + 40 + n; |
2289 | |
|
2290 | 0 | MBEDTLS_SSL_DEBUG_MSG(2, |
2291 | 0 | ("server hello, total extension length: %" MBEDTLS_PRINTF_SIZET, |
2292 | 0 | ext_len)); |
2293 | |
|
2294 | 0 | while (ext_len) { |
2295 | 0 | unsigned int ext_id = ((ext[0] << 8) |
2296 | 0 | | (ext[1])); |
2297 | 0 | unsigned int ext_size = ((ext[2] << 8) |
2298 | 0 | | (ext[3])); |
2299 | |
|
2300 | 0 | if (ext_size + 4 > ext_len) { |
2301 | 0 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message")); |
2302 | 0 | mbedtls_ssl_send_alert_message( |
2303 | 0 | ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
2304 | 0 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); |
2305 | 0 | return MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO; |
2306 | 0 | } |
2307 | | |
2308 | 0 | switch (ext_id) { |
2309 | 0 | case MBEDTLS_TLS_EXT_RENEGOTIATION_INFO: |
2310 | 0 | MBEDTLS_SSL_DEBUG_MSG(3, ("found renegotiation extension")); |
2311 | | #if defined(MBEDTLS_SSL_RENEGOTIATION) |
2312 | | renegotiation_info_seen = 1; |
2313 | | #endif |
2314 | |
|
2315 | 0 | if ((ret = ssl_parse_renegotiation_info(ssl, ext + 4, |
2316 | 0 | ext_size)) != 0) { |
2317 | 0 | return ret; |
2318 | 0 | } |
2319 | | |
2320 | 0 | break; |
2321 | | |
2322 | 0 | #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) |
2323 | 0 | case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH: |
2324 | 0 | MBEDTLS_SSL_DEBUG_MSG(3, |
2325 | 0 | ("found max_fragment_length extension")); |
2326 | |
|
2327 | 0 | if ((ret = ssl_parse_max_fragment_length_ext(ssl, |
2328 | 0 | ext + 4, ext_size)) != 0) { |
2329 | 0 | return ret; |
2330 | 0 | } |
2331 | | |
2332 | 0 | break; |
2333 | 0 | #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ |
2334 | | |
2335 | | #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) |
2336 | | case MBEDTLS_TLS_EXT_TRUNCATED_HMAC: |
2337 | | MBEDTLS_SSL_DEBUG_MSG(3, ("found truncated_hmac extension")); |
2338 | | |
2339 | | if ((ret = ssl_parse_truncated_hmac_ext(ssl, |
2340 | | ext + 4, ext_size)) != 0) { |
2341 | | return ret; |
2342 | | } |
2343 | | |
2344 | | break; |
2345 | | #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */ |
2346 | | |
2347 | | #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) |
2348 | | case MBEDTLS_TLS_EXT_CID: |
2349 | | MBEDTLS_SSL_DEBUG_MSG(3, ("found CID extension")); |
2350 | | |
2351 | | if ((ret = ssl_parse_cid_ext(ssl, |
2352 | | ext + 4, |
2353 | | ext_size)) != 0) { |
2354 | | return ret; |
2355 | | } |
2356 | | |
2357 | | break; |
2358 | | #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ |
2359 | | |
2360 | | #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) |
2361 | | case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC: |
2362 | | MBEDTLS_SSL_DEBUG_MSG(3, ("found encrypt_then_mac extension")); |
2363 | | |
2364 | | if ((ret = ssl_parse_encrypt_then_mac_ext(ssl, |
2365 | | ext + 4, ext_size)) != 0) { |
2366 | | return ret; |
2367 | | } |
2368 | | |
2369 | | break; |
2370 | | #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */ |
2371 | | |
2372 | | #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) |
2373 | | case MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET: |
2374 | | MBEDTLS_SSL_DEBUG_MSG(3, |
2375 | | ("found extended_master_secret extension")); |
2376 | | |
2377 | | if ((ret = ssl_parse_extended_ms_ext(ssl, |
2378 | | ext + 4, ext_size)) != 0) { |
2379 | | return ret; |
2380 | | } |
2381 | | |
2382 | | break; |
2383 | | #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */ |
2384 | | |
2385 | | #if defined(MBEDTLS_SSL_SESSION_TICKETS) |
2386 | | case MBEDTLS_TLS_EXT_SESSION_TICKET: |
2387 | | MBEDTLS_SSL_DEBUG_MSG(3, ("found session_ticket extension")); |
2388 | | |
2389 | | if ((ret = ssl_parse_session_ticket_ext(ssl, |
2390 | | ext + 4, ext_size)) != 0) { |
2391 | | return ret; |
2392 | | } |
2393 | | |
2394 | | break; |
2395 | | #endif /* MBEDTLS_SSL_SESSION_TICKETS */ |
2396 | | |
2397 | 0 | #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ |
2398 | 0 | defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) |
2399 | 0 | case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS: |
2400 | 0 | MBEDTLS_SSL_DEBUG_MSG(3, |
2401 | 0 | ("found supported_point_formats extension")); |
2402 | |
|
2403 | 0 | if ((ret = ssl_parse_supported_point_formats_ext(ssl, |
2404 | 0 | ext + 4, ext_size)) != 0) { |
2405 | 0 | return ret; |
2406 | 0 | } |
2407 | | |
2408 | 0 | break; |
2409 | 0 | #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || |
2410 | | MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ |
2411 | | |
2412 | 0 | #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) |
2413 | 0 | case MBEDTLS_TLS_EXT_ECJPAKE_KKPP: |
2414 | 0 | MBEDTLS_SSL_DEBUG_MSG(3, ("found ecjpake_kkpp extension")); |
2415 | |
|
2416 | 0 | if ((ret = ssl_parse_ecjpake_kkpp(ssl, |
2417 | 0 | ext + 4, ext_size)) != 0) { |
2418 | 0 | return ret; |
2419 | 0 | } |
2420 | | |
2421 | 0 | break; |
2422 | 0 | #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ |
2423 | | |
2424 | | #if defined(MBEDTLS_SSL_ALPN) |
2425 | | case MBEDTLS_TLS_EXT_ALPN: |
2426 | | MBEDTLS_SSL_DEBUG_MSG(3, ("found alpn extension")); |
2427 | | |
2428 | | if ((ret = ssl_parse_alpn_ext(ssl, ext + 4, ext_size)) != 0) { |
2429 | | return ret; |
2430 | | } |
2431 | | |
2432 | | break; |
2433 | | #endif /* MBEDTLS_SSL_ALPN */ |
2434 | | |
2435 | | #if defined(MBEDTLS_SSL_DTLS_SRTP) |
2436 | | case MBEDTLS_TLS_EXT_USE_SRTP: |
2437 | | MBEDTLS_SSL_DEBUG_MSG(3, ("found use_srtp extension")); |
2438 | | |
2439 | | if ((ret = ssl_parse_use_srtp_ext(ssl, ext + 4, ext_size)) != 0) { |
2440 | | return ret; |
2441 | | } |
2442 | | |
2443 | | break; |
2444 | | #endif /* MBEDTLS_SSL_DTLS_SRTP */ |
2445 | | |
2446 | 0 | default: |
2447 | 0 | MBEDTLS_SSL_DEBUG_MSG(3, |
2448 | 0 | ("unknown extension found: %u (ignoring)", ext_id)); |
2449 | 0 | } |
2450 | | |
2451 | 0 | ext_len -= 4 + ext_size; |
2452 | 0 | ext += 4 + ext_size; |
2453 | |
|
2454 | 0 | if (ext_len > 0 && ext_len < 4) { |
2455 | 0 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message")); |
2456 | 0 | return MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO; |
2457 | 0 | } |
2458 | 0 | } |
2459 | | |
2460 | | /* |
2461 | | * mbedtls_ssl_derive_keys() has to be called after the parsing of the |
2462 | | * extensions. It sets the transform data for the resumed session which in |
2463 | | * case of DTLS includes the server CID extracted from the CID extension. |
2464 | | */ |
2465 | 0 | if (ssl->handshake->resume) { |
2466 | 0 | if ((ret = mbedtls_ssl_derive_keys(ssl)) != 0) { |
2467 | 0 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_derive_keys", ret); |
2468 | 0 | mbedtls_ssl_send_alert_message( |
2469 | 0 | ssl, |
2470 | 0 | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
2471 | 0 | MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR); |
2472 | 0 | return ret; |
2473 | 0 | } |
2474 | 0 | } |
2475 | | |
2476 | | /* |
2477 | | * Renegotiation security checks |
2478 | | */ |
2479 | 0 | if (ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION && |
2480 | 0 | ssl->conf->allow_legacy_renegotiation == |
2481 | 0 | MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE) { |
2482 | 0 | MBEDTLS_SSL_DEBUG_MSG(1, |
2483 | 0 | ("legacy renegotiation, breaking off handshake")); |
2484 | 0 | handshake_failure = 1; |
2485 | 0 | } |
2486 | | #if defined(MBEDTLS_SSL_RENEGOTIATION) |
2487 | | else if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS && |
2488 | | ssl->secure_renegotiation == MBEDTLS_SSL_SECURE_RENEGOTIATION && |
2489 | | renegotiation_info_seen == 0) { |
2490 | | MBEDTLS_SSL_DEBUG_MSG(1, |
2491 | | ("renegotiation_info extension missing (secure)")); |
2492 | | handshake_failure = 1; |
2493 | | } else if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS && |
2494 | | ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION && |
2495 | | ssl->conf->allow_legacy_renegotiation == |
2496 | | MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION) { |
2497 | | MBEDTLS_SSL_DEBUG_MSG(1, ("legacy renegotiation not allowed")); |
2498 | | handshake_failure = 1; |
2499 | | } else if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS && |
2500 | | ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION && |
2501 | | renegotiation_info_seen == 1) { |
2502 | | MBEDTLS_SSL_DEBUG_MSG(1, |
2503 | | ("renegotiation_info extension present (legacy)")); |
2504 | | handshake_failure = 1; |
2505 | | } |
2506 | | #endif /* MBEDTLS_SSL_RENEGOTIATION */ |
2507 | |
|
2508 | 0 | if (handshake_failure == 1) { |
2509 | 0 | mbedtls_ssl_send_alert_message( |
2510 | 0 | ssl, |
2511 | 0 | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
2512 | 0 | MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE); |
2513 | 0 | return MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO; |
2514 | 0 | } |
2515 | | |
2516 | 0 | MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse server hello")); |
2517 | |
|
2518 | 0 | return 0; |
2519 | 0 | } |
2520 | | |
2521 | | #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \ |
2522 | | defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) |
2523 | | MBEDTLS_CHECK_RETURN_CRITICAL |
2524 | | static int ssl_parse_server_dh_params(mbedtls_ssl_context *ssl, |
2525 | | unsigned char **p, |
2526 | | unsigned char *end) |
2527 | | { |
2528 | | int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; |
2529 | | size_t dhm_actual_bitlen; |
2530 | | |
2531 | | /* |
2532 | | * Ephemeral DH parameters: |
2533 | | * |
2534 | | * struct { |
2535 | | * opaque dh_p<1..2^16-1>; |
2536 | | * opaque dh_g<1..2^16-1>; |
2537 | | * opaque dh_Ys<1..2^16-1>; |
2538 | | * } ServerDHParams; |
2539 | | */ |
2540 | | if ((ret = mbedtls_dhm_read_params(&ssl->handshake->dhm_ctx, |
2541 | | p, end)) != 0) { |
2542 | | MBEDTLS_SSL_DEBUG_RET(2, ("mbedtls_dhm_read_params"), ret); |
2543 | | return ret; |
2544 | | } |
2545 | | |
2546 | | dhm_actual_bitlen = mbedtls_mpi_bitlen(&ssl->handshake->dhm_ctx.P); |
2547 | | if (dhm_actual_bitlen < ssl->conf->dhm_min_bitlen) { |
2548 | | MBEDTLS_SSL_DEBUG_MSG(1, ("DHM prime too short: %" MBEDTLS_PRINTF_SIZET " < %u", |
2549 | | dhm_actual_bitlen, |
2550 | | ssl->conf->dhm_min_bitlen)); |
2551 | | return MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE; |
2552 | | } |
2553 | | |
2554 | | MBEDTLS_SSL_DEBUG_MPI(3, "DHM: P ", &ssl->handshake->dhm_ctx.P); |
2555 | | MBEDTLS_SSL_DEBUG_MPI(3, "DHM: G ", &ssl->handshake->dhm_ctx.G); |
2556 | | MBEDTLS_SSL_DEBUG_MPI(3, "DHM: GY", &ssl->handshake->dhm_ctx.GY); |
2557 | | |
2558 | | return ret; |
2559 | | } |
2560 | | #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED || |
2561 | | MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */ |
2562 | | |
2563 | | #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ |
2564 | | defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \ |
2565 | | defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \ |
2566 | | defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ |
2567 | | defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) |
2568 | | MBEDTLS_CHECK_RETURN_CRITICAL |
2569 | | static int ssl_check_server_ecdh_params(const mbedtls_ssl_context *ssl) |
2570 | 0 | { |
2571 | 0 | const mbedtls_ecp_curve_info *curve_info; |
2572 | 0 | mbedtls_ecp_group_id grp_id; |
2573 | | #if defined(MBEDTLS_ECDH_LEGACY_CONTEXT) |
2574 | | grp_id = ssl->handshake->ecdh_ctx.grp.id; |
2575 | | #else |
2576 | 0 | grp_id = ssl->handshake->ecdh_ctx.grp_id; |
2577 | 0 | #endif /* MBEDTLS_ECDH_LEGACY_CONTEXT */ |
2578 | |
|
2579 | 0 | curve_info = mbedtls_ecp_curve_info_from_grp_id(grp_id); |
2580 | 0 | if (curve_info == NULL) { |
2581 | 0 | MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); |
2582 | 0 | return MBEDTLS_ERR_SSL_INTERNAL_ERROR; |
2583 | 0 | } |
2584 | | |
2585 | 0 | MBEDTLS_SSL_DEBUG_MSG(2, ("ECDH curve: %s", curve_info->name)); |
2586 | |
|
2587 | 0 | #if defined(MBEDTLS_ECP_C) |
2588 | 0 | if (mbedtls_ssl_check_curve(ssl, grp_id) != 0) { |
2589 | 0 | return -1; |
2590 | 0 | } |
2591 | | #else |
2592 | | if (ssl->handshake->ecdh_ctx.grp.nbits < 163 || |
2593 | | ssl->handshake->ecdh_ctx.grp.nbits > 521) { |
2594 | | return -1; |
2595 | | } |
2596 | | #endif /* MBEDTLS_ECP_C */ |
2597 | | |
2598 | 0 | MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx, |
2599 | 0 | MBEDTLS_DEBUG_ECDH_QP); |
2600 | |
|
2601 | 0 | return 0; |
2602 | 0 | } |
2603 | | #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || |
2604 | | MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED || |
2605 | | MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED || |
2606 | | MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED || |
2607 | | MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ |
2608 | | |
2609 | | #if defined(MBEDTLS_USE_PSA_CRYPTO) && \ |
2610 | | (defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ |
2611 | | defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)) |
2612 | | MBEDTLS_CHECK_RETURN_CRITICAL |
2613 | | static int ssl_parse_server_ecdh_params_psa(mbedtls_ssl_context *ssl, |
2614 | | unsigned char **p, |
2615 | | unsigned char *end) |
2616 | | { |
2617 | | uint16_t tls_id; |
2618 | | size_t ecdh_bits = 0; |
2619 | | uint8_t ecpoint_len; |
2620 | | mbedtls_ssl_handshake_params *handshake = ssl->handshake; |
2621 | | |
2622 | | /* |
2623 | | * Parse ECC group |
2624 | | */ |
2625 | | |
2626 | | if (end - *p < 4) { |
2627 | | return MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE; |
2628 | | } |
2629 | | |
2630 | | /* First byte is curve_type; only named_curve is handled */ |
2631 | | if (*(*p)++ != MBEDTLS_ECP_TLS_NAMED_CURVE) { |
2632 | | return MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE; |
2633 | | } |
2634 | | |
2635 | | /* Next two bytes are the namedcurve value */ |
2636 | | tls_id = *(*p)++; |
2637 | | tls_id <<= 8; |
2638 | | tls_id |= *(*p)++; |
2639 | | |
2640 | | /* Check it's a curve we offered */ |
2641 | | if (mbedtls_ssl_check_curve_tls_id(ssl, tls_id) != 0) { |
2642 | | return MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE; |
2643 | | } |
2644 | | |
2645 | | /* Convert EC group to PSA key type. */ |
2646 | | if ((handshake->ecdh_psa_type = |
2647 | | mbedtls_psa_parse_tls_ecc_group(tls_id, &ecdh_bits)) == 0) { |
2648 | | return MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE; |
2649 | | } |
2650 | | if (ecdh_bits > 0xffff) { |
2651 | | return MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE; |
2652 | | } |
2653 | | handshake->ecdh_bits = (uint16_t) ecdh_bits; |
2654 | | |
2655 | | /* |
2656 | | * Put peer's ECDH public key in the format understood by PSA. |
2657 | | */ |
2658 | | |
2659 | | ecpoint_len = *(*p)++; |
2660 | | if ((size_t) (end - *p) < ecpoint_len) { |
2661 | | return MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE; |
2662 | | } |
2663 | | |
2664 | | if (mbedtls_psa_tls_ecpoint_to_psa_ec( |
2665 | | *p, ecpoint_len, |
2666 | | handshake->ecdh_psa_peerkey, |
2667 | | sizeof(handshake->ecdh_psa_peerkey), |
2668 | | &handshake->ecdh_psa_peerkey_len) != 0) { |
2669 | | return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; |
2670 | | } |
2671 | | |
2672 | | *p += ecpoint_len; |
2673 | | return 0; |
2674 | | } |
2675 | | #endif /* MBEDTLS_USE_PSA_CRYPTO && |
2676 | | ( MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || |
2677 | | MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ) */ |
2678 | | |
2679 | | #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ |
2680 | | defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \ |
2681 | | defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) |
2682 | | MBEDTLS_CHECK_RETURN_CRITICAL |
2683 | | static int ssl_parse_server_ecdh_params(mbedtls_ssl_context *ssl, |
2684 | | unsigned char **p, |
2685 | | unsigned char *end) |
2686 | 0 | { |
2687 | 0 | int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; |
2688 | | |
2689 | | /* |
2690 | | * Ephemeral ECDH parameters: |
2691 | | * |
2692 | | * struct { |
2693 | | * ECParameters curve_params; |
2694 | | * ECPoint public; |
2695 | | * } ServerECDHParams; |
2696 | | */ |
2697 | 0 | if ((ret = mbedtls_ecdh_read_params(&ssl->handshake->ecdh_ctx, |
2698 | 0 | (const unsigned char **) p, end)) != 0) { |
2699 | 0 | MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ecdh_read_params"), ret); |
2700 | | #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) |
2701 | | if (ret == MBEDTLS_ERR_ECP_IN_PROGRESS) { |
2702 | | ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS; |
2703 | | } |
2704 | | #endif |
2705 | 0 | return ret; |
2706 | 0 | } |
2707 | | |
2708 | 0 | if (ssl_check_server_ecdh_params(ssl) != 0) { |
2709 | 0 | MBEDTLS_SSL_DEBUG_MSG(1, |
2710 | 0 | ("bad server key exchange message (ECDHE curve)")); |
2711 | 0 | return MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE; |
2712 | 0 | } |
2713 | | |
2714 | 0 | return ret; |
2715 | 0 | } |
2716 | | #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || |
2717 | | MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED || |
2718 | | MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */ |
2719 | | |
2720 | | #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) |
2721 | | MBEDTLS_CHECK_RETURN_CRITICAL |
2722 | | static int ssl_parse_server_psk_hint(mbedtls_ssl_context *ssl, |
2723 | | unsigned char **p, |
2724 | | unsigned char *end) |
2725 | 0 | { |
2726 | 0 | int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; |
2727 | 0 | uint16_t len; |
2728 | 0 | ((void) ssl); |
2729 | | |
2730 | | /* |
2731 | | * PSK parameters: |
2732 | | * |
2733 | | * opaque psk_identity_hint<0..2^16-1>; |
2734 | | */ |
2735 | 0 | if (end - (*p) < 2) { |
2736 | 0 | MBEDTLS_SSL_DEBUG_MSG(1, |
2737 | 0 | ("bad server key exchange message (psk_identity_hint length)")); |
2738 | 0 | return MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE; |
2739 | 0 | } |
2740 | 0 | len = (*p)[0] << 8 | (*p)[1]; |
2741 | 0 | *p += 2; |
2742 | |
|
2743 | 0 | if (end - (*p) < len) { |
2744 | 0 | MBEDTLS_SSL_DEBUG_MSG(1, |
2745 | 0 | ("bad server key exchange message (psk_identity_hint length)")); |
2746 | 0 | return MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE; |
2747 | 0 | } |
2748 | | |
2749 | | /* |
2750 | | * Note: we currently ignore the PSK identity hint, as we only allow one |
2751 | | * PSK to be provisioned on the client. This could be changed later if |
2752 | | * someone needs that feature. |
2753 | | */ |
2754 | 0 | *p += len; |
2755 | 0 | ret = 0; |
2756 | |
|
2757 | 0 | return ret; |
2758 | 0 | } |
2759 | | #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */ |
2760 | | |
2761 | | #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \ |
2762 | | defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) |
2763 | | /* |
2764 | | * Generate a pre-master secret and encrypt it with the server's RSA key |
2765 | | */ |
2766 | | MBEDTLS_CHECK_RETURN_CRITICAL |
2767 | | static int ssl_write_encrypted_pms(mbedtls_ssl_context *ssl, |
2768 | | size_t offset, size_t *olen, |
2769 | | size_t pms_offset) |
2770 | | { |
2771 | | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
2772 | | size_t len_bytes = ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ? 0 : 2; |
2773 | | unsigned char *p = ssl->handshake->premaster + pms_offset; |
2774 | | mbedtls_pk_context *peer_pk; |
2775 | | |
2776 | | if (offset + len_bytes > MBEDTLS_SSL_OUT_CONTENT_LEN) { |
2777 | | MBEDTLS_SSL_DEBUG_MSG(1, ("buffer too small for encrypted pms")); |
2778 | | return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL; |
2779 | | } |
2780 | | |
2781 | | /* |
2782 | | * Generate (part of) the pre-master as |
2783 | | * struct { |
2784 | | * ProtocolVersion client_version; |
2785 | | * opaque random[46]; |
2786 | | * } PreMasterSecret; |
2787 | | */ |
2788 | | mbedtls_ssl_write_version(ssl->conf->max_major_ver, |
2789 | | ssl->conf->max_minor_ver, |
2790 | | ssl->conf->transport, p); |
2791 | | |
2792 | | if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, p + 2, 46)) != 0) { |
2793 | | MBEDTLS_SSL_DEBUG_RET(1, "f_rng", ret); |
2794 | | return ret; |
2795 | | } |
2796 | | |
2797 | | ssl->handshake->pmslen = 48; |
2798 | | |
2799 | | #if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) |
2800 | | peer_pk = &ssl->handshake->peer_pubkey; |
2801 | | #else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ |
2802 | | if (ssl->session_negotiate->peer_cert == NULL) { |
2803 | | /* Should never happen */ |
2804 | | MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); |
2805 | | return MBEDTLS_ERR_SSL_INTERNAL_ERROR; |
2806 | | } |
2807 | | peer_pk = &ssl->session_negotiate->peer_cert->pk; |
2808 | | #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ |
2809 | | |
2810 | | /* |
2811 | | * Now write it out, encrypted |
2812 | | */ |
2813 | | if (!mbedtls_pk_can_do(peer_pk, MBEDTLS_PK_RSA)) { |
2814 | | MBEDTLS_SSL_DEBUG_MSG(1, ("certificate key type mismatch")); |
2815 | | return MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH; |
2816 | | } |
2817 | | |
2818 | | if ((ret = mbedtls_pk_encrypt(peer_pk, |
2819 | | p, ssl->handshake->pmslen, |
2820 | | ssl->out_msg + offset + len_bytes, olen, |
2821 | | MBEDTLS_SSL_OUT_CONTENT_LEN - offset - len_bytes, |
2822 | | ssl->conf->f_rng, ssl->conf->p_rng)) != 0) { |
2823 | | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_rsa_pkcs1_encrypt", ret); |
2824 | | return ret; |
2825 | | } |
2826 | | |
2827 | | #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ |
2828 | | defined(MBEDTLS_SSL_PROTO_TLS1_2) |
2829 | | if (len_bytes == 2) { |
2830 | | MBEDTLS_PUT_UINT16_BE(*olen, ssl->out_msg, offset); |
2831 | | *olen += 2; |
2832 | | } |
2833 | | #endif |
2834 | | |
2835 | | #if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) |
2836 | | /* We don't need the peer's public key anymore. Free it. */ |
2837 | | mbedtls_pk_free(peer_pk); |
2838 | | #endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ |
2839 | | return 0; |
2840 | | } |
2841 | | #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED || |
2842 | | MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */ |
2843 | | |
2844 | | #if defined(MBEDTLS_SSL_PROTO_TLS1_2) |
2845 | | #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \ |
2846 | | defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ |
2847 | | defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) |
2848 | | MBEDTLS_CHECK_RETURN_CRITICAL |
2849 | | static int ssl_parse_signature_algorithm(mbedtls_ssl_context *ssl, |
2850 | | unsigned char **p, |
2851 | | unsigned char *end, |
2852 | | mbedtls_md_type_t *md_alg, |
2853 | | mbedtls_pk_type_t *pk_alg) |
2854 | 0 | { |
2855 | 0 | ((void) ssl); |
2856 | 0 | *md_alg = MBEDTLS_MD_NONE; |
2857 | 0 | *pk_alg = MBEDTLS_PK_NONE; |
2858 | | |
2859 | | /* Only in TLS 1.2 */ |
2860 | 0 | if (ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3) { |
2861 | 0 | return 0; |
2862 | 0 | } |
2863 | | |
2864 | 0 | if ((*p) + 2 > end) { |
2865 | 0 | return MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE; |
2866 | 0 | } |
2867 | | |
2868 | | /* |
2869 | | * Get hash algorithm |
2870 | | */ |
2871 | 0 | if ((*md_alg = mbedtls_ssl_md_alg_from_hash((*p)[0])) |
2872 | 0 | == MBEDTLS_MD_NONE) { |
2873 | 0 | MBEDTLS_SSL_DEBUG_MSG(1, |
2874 | 0 | ("Server used unsupported HashAlgorithm %d", *(p)[0])); |
2875 | 0 | return MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE; |
2876 | 0 | } |
2877 | | |
2878 | | /* |
2879 | | * Get signature algorithm |
2880 | | */ |
2881 | 0 | if ((*pk_alg = mbedtls_ssl_pk_alg_from_sig((*p)[1])) |
2882 | 0 | == MBEDTLS_PK_NONE) { |
2883 | 0 | MBEDTLS_SSL_DEBUG_MSG(1, |
2884 | 0 | ("server used unsupported SignatureAlgorithm %d", (*p)[1])); |
2885 | 0 | return MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE; |
2886 | 0 | } |
2887 | | |
2888 | | /* |
2889 | | * Check if the hash is acceptable |
2890 | | */ |
2891 | 0 | if (mbedtls_ssl_check_sig_hash(ssl, *md_alg) != 0) { |
2892 | 0 | MBEDTLS_SSL_DEBUG_MSG(1, |
2893 | 0 | ("server used HashAlgorithm %d that was not offered", *(p)[0])); |
2894 | 0 | return MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE; |
2895 | 0 | } |
2896 | | |
2897 | 0 | MBEDTLS_SSL_DEBUG_MSG(2, ("Server used SignatureAlgorithm %d", |
2898 | 0 | (*p)[1])); |
2899 | 0 | MBEDTLS_SSL_DEBUG_MSG(2, ("Server used HashAlgorithm %d", |
2900 | 0 | (*p)[0])); |
2901 | 0 | *p += 2; |
2902 | |
|
2903 | 0 | return 0; |
2904 | 0 | } |
2905 | | #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED || |
2906 | | MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || |
2907 | | MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ |
2908 | | #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ |
2909 | | |
2910 | | #if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ |
2911 | | defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) |
2912 | | MBEDTLS_CHECK_RETURN_CRITICAL |
2913 | | static int ssl_get_ecdh_params_from_cert(mbedtls_ssl_context *ssl) |
2914 | | { |
2915 | | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
2916 | | const mbedtls_ecp_keypair *peer_key; |
2917 | | mbedtls_pk_context *peer_pk; |
2918 | | |
2919 | | #if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) |
2920 | | peer_pk = &ssl->handshake->peer_pubkey; |
2921 | | #else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ |
2922 | | if (ssl->session_negotiate->peer_cert == NULL) { |
2923 | | /* Should never happen */ |
2924 | | MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); |
2925 | | return MBEDTLS_ERR_SSL_INTERNAL_ERROR; |
2926 | | } |
2927 | | peer_pk = &ssl->session_negotiate->peer_cert->pk; |
2928 | | #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ |
2929 | | |
2930 | | /* This is a public key, so it can't be opaque, so can_do() is a good |
2931 | | * enough check to ensure pk_ec() is safe to use below. */ |
2932 | | if (!mbedtls_pk_can_do(peer_pk, MBEDTLS_PK_ECKEY)) { |
2933 | | MBEDTLS_SSL_DEBUG_MSG(1, ("server key not ECDH capable")); |
2934 | | return MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH; |
2935 | | } |
2936 | | |
2937 | | peer_key = mbedtls_pk_ec(*peer_pk); |
2938 | | |
2939 | | if ((ret = mbedtls_ecdh_get_params(&ssl->handshake->ecdh_ctx, peer_key, |
2940 | | MBEDTLS_ECDH_THEIRS)) != 0) { |
2941 | | MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ecdh_get_params"), ret); |
2942 | | return ret; |
2943 | | } |
2944 | | |
2945 | | if (ssl_check_server_ecdh_params(ssl) != 0) { |
2946 | | MBEDTLS_SSL_DEBUG_MSG(1, ("bad server certificate (ECDH curve)")); |
2947 | | return MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE; |
2948 | | } |
2949 | | |
2950 | | #if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) |
2951 | | /* We don't need the peer's public key anymore. Free it, |
2952 | | * so that more RAM is available for upcoming expensive |
2953 | | * operations like ECDHE. */ |
2954 | | mbedtls_pk_free(peer_pk); |
2955 | | #endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ |
2956 | | |
2957 | | return ret; |
2958 | | } |
2959 | | #endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || |
2960 | | MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ |
2961 | | |
2962 | | MBEDTLS_CHECK_RETURN_CRITICAL |
2963 | | static int ssl_parse_server_key_exchange(mbedtls_ssl_context *ssl) |
2964 | 0 | { |
2965 | 0 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
2966 | 0 | const mbedtls_ssl_ciphersuite_t *ciphersuite_info = |
2967 | 0 | ssl->handshake->ciphersuite_info; |
2968 | 0 | unsigned char *p = NULL, *end = NULL; |
2969 | |
|
2970 | 0 | MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse server key exchange")); |
2971 | |
|
2972 | | #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) |
2973 | | if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA) { |
2974 | | MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse server key exchange")); |
2975 | | ssl->state++; |
2976 | | return 0; |
2977 | | } |
2978 | | ((void) p); |
2979 | | ((void) end); |
2980 | | #endif |
2981 | |
|
2982 | | #if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ |
2983 | | defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) |
2984 | | if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA || |
2985 | | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA) { |
2986 | | if ((ret = ssl_get_ecdh_params_from_cert(ssl)) != 0) { |
2987 | | MBEDTLS_SSL_DEBUG_RET(1, "ssl_get_ecdh_params_from_cert", ret); |
2988 | | mbedtls_ssl_send_alert_message( |
2989 | | ssl, |
2990 | | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
2991 | | MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE); |
2992 | | return ret; |
2993 | | } |
2994 | | |
2995 | | MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse server key exchange")); |
2996 | | ssl->state++; |
2997 | | return 0; |
2998 | | } |
2999 | | ((void) p); |
3000 | | ((void) end); |
3001 | | #endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED || |
3002 | | MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ |
3003 | |
|
3004 | | #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) |
3005 | | if (ssl->handshake->ecrs_enabled && |
3006 | | ssl->handshake->ecrs_state == ssl_ecrs_ske_start_processing) { |
3007 | | goto start_processing; |
3008 | | } |
3009 | | #endif |
3010 | |
|
3011 | 0 | if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) { |
3012 | 0 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret); |
3013 | 0 | return ret; |
3014 | 0 | } |
3015 | | |
3016 | 0 | if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) { |
3017 | 0 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad server key exchange message")); |
3018 | 0 | mbedtls_ssl_send_alert_message( |
3019 | 0 | ssl, |
3020 | 0 | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
3021 | 0 | MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE); |
3022 | 0 | return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE; |
3023 | 0 | } |
3024 | | |
3025 | | /* |
3026 | | * ServerKeyExchange may be skipped with PSK and RSA-PSK when the server |
3027 | | * doesn't use a psk_identity_hint |
3028 | | */ |
3029 | 0 | if (ssl->in_msg[0] != MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE) { |
3030 | 0 | if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || |
3031 | 0 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK) { |
3032 | | /* Current message is probably either |
3033 | | * CertificateRequest or ServerHelloDone */ |
3034 | 0 | ssl->keep_current_message = 1; |
3035 | 0 | goto exit; |
3036 | 0 | } |
3037 | | |
3038 | 0 | MBEDTLS_SSL_DEBUG_MSG(1, |
3039 | 0 | ("server key exchange message must not be skipped")); |
3040 | 0 | mbedtls_ssl_send_alert_message( |
3041 | 0 | ssl, |
3042 | 0 | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
3043 | 0 | MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE); |
3044 | |
|
3045 | 0 | return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE; |
3046 | 0 | } |
3047 | | |
3048 | | #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) |
3049 | | if (ssl->handshake->ecrs_enabled) { |
3050 | | ssl->handshake->ecrs_state = ssl_ecrs_ske_start_processing; |
3051 | | } |
3052 | | |
3053 | | start_processing: |
3054 | | #endif |
3055 | 0 | p = ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl); |
3056 | 0 | end = ssl->in_msg + ssl->in_hslen; |
3057 | 0 | MBEDTLS_SSL_DEBUG_BUF(3, "server key exchange", p, end - p); |
3058 | |
|
3059 | 0 | #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) |
3060 | 0 | if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || |
3061 | 0 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK || |
3062 | 0 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || |
3063 | 0 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK) { |
3064 | 0 | if (ssl_parse_server_psk_hint(ssl, &p, end) != 0) { |
3065 | 0 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad server key exchange message")); |
3066 | 0 | mbedtls_ssl_send_alert_message( |
3067 | 0 | ssl, |
3068 | 0 | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
3069 | 0 | MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER); |
3070 | 0 | return MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE; |
3071 | 0 | } |
3072 | 0 | } /* FALLTHROUGH */ |
3073 | 0 | #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */ |
3074 | | |
3075 | 0 | #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) || \ |
3076 | 0 | defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) |
3077 | 0 | if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || |
3078 | 0 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK) { |
3079 | 0 | ; /* nothing more to do */ |
3080 | 0 | } else |
3081 | 0 | #endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED || |
3082 | | MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */ |
3083 | | #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \ |
3084 | | defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) |
3085 | | if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA || |
3086 | | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK) { |
3087 | | if (ssl_parse_server_dh_params(ssl, &p, end) != 0) { |
3088 | | MBEDTLS_SSL_DEBUG_MSG(1, ("bad server key exchange message")); |
3089 | | mbedtls_ssl_send_alert_message( |
3090 | | ssl, |
3091 | | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
3092 | | MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER); |
3093 | | return MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE; |
3094 | | } |
3095 | | } else |
3096 | | #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED || |
3097 | | MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */ |
3098 | | #if defined(MBEDTLS_USE_PSA_CRYPTO) && \ |
3099 | | (defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ |
3100 | | defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)) |
3101 | | if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA || |
3102 | | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA) { |
3103 | | if (ssl_parse_server_ecdh_params_psa(ssl, &p, end) != 0) { |
3104 | | MBEDTLS_SSL_DEBUG_MSG(1, ("bad server key exchange message")); |
3105 | | mbedtls_ssl_send_alert_message( |
3106 | | ssl, |
3107 | | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
3108 | | MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER); |
3109 | | return MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE; |
3110 | | } |
3111 | | } else |
3112 | | #endif /* MBEDTLS_USE_PSA_CRYPTO && |
3113 | | ( MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || |
3114 | | MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ) */ |
3115 | 0 | #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ |
3116 | 0 | defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \ |
3117 | 0 | defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) |
3118 | 0 | if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA || |
3119 | 0 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || |
3120 | 0 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA) { |
3121 | 0 | if (ssl_parse_server_ecdh_params(ssl, &p, end) != 0) { |
3122 | 0 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad server key exchange message")); |
3123 | 0 | mbedtls_ssl_send_alert_message( |
3124 | 0 | ssl, |
3125 | 0 | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
3126 | 0 | MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER); |
3127 | 0 | return MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE; |
3128 | 0 | } |
3129 | 0 | } else |
3130 | 0 | #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || |
3131 | | MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED || |
3132 | | MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ |
3133 | 0 | #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) |
3134 | 0 | if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE) { |
3135 | 0 | ret = mbedtls_ecjpake_read_round_two(&ssl->handshake->ecjpake_ctx, |
3136 | 0 | p, end - p); |
3137 | 0 | if (ret != 0) { |
3138 | 0 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_read_round_two", ret); |
3139 | 0 | mbedtls_ssl_send_alert_message( |
3140 | 0 | ssl, |
3141 | 0 | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
3142 | 0 | MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER); |
3143 | 0 | return MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE; |
3144 | 0 | } |
3145 | 0 | } else |
3146 | 0 | #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ |
3147 | 0 | { |
3148 | 0 | MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); |
3149 | 0 | return MBEDTLS_ERR_SSL_INTERNAL_ERROR; |
3150 | 0 | } |
3151 | | |
3152 | 0 | #if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) |
3153 | 0 | if (mbedtls_ssl_ciphersuite_uses_server_signature(ciphersuite_info)) { |
3154 | 0 | size_t sig_len, hashlen; |
3155 | | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
3156 | | unsigned char hash[PSA_HASH_MAX_SIZE]; |
3157 | | #else |
3158 | 0 | unsigned char hash[MBEDTLS_MD_MAX_SIZE]; |
3159 | 0 | #endif |
3160 | 0 | mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE; |
3161 | 0 | mbedtls_pk_type_t pk_alg = MBEDTLS_PK_NONE; |
3162 | 0 | unsigned char *params = ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl); |
3163 | 0 | size_t params_len = p - params; |
3164 | 0 | void *rs_ctx = NULL; |
3165 | |
|
3166 | 0 | mbedtls_pk_context *peer_pk; |
3167 | | |
3168 | | /* |
3169 | | * Handle the digitally-signed structure |
3170 | | */ |
3171 | 0 | #if defined(MBEDTLS_SSL_PROTO_TLS1_2) |
3172 | 0 | if (ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3) { |
3173 | 0 | if (ssl_parse_signature_algorithm(ssl, &p, end, |
3174 | 0 | &md_alg, &pk_alg) != 0) { |
3175 | 0 | MBEDTLS_SSL_DEBUG_MSG(1, |
3176 | 0 | ("bad server key exchange message")); |
3177 | 0 | mbedtls_ssl_send_alert_message( |
3178 | 0 | ssl, |
3179 | 0 | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
3180 | 0 | MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER); |
3181 | 0 | return MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE; |
3182 | 0 | } |
3183 | | |
3184 | 0 | if (pk_alg != |
3185 | 0 | mbedtls_ssl_get_ciphersuite_sig_pk_alg(ciphersuite_info)) { |
3186 | 0 | MBEDTLS_SSL_DEBUG_MSG(1, |
3187 | 0 | ("bad server key exchange message")); |
3188 | 0 | mbedtls_ssl_send_alert_message( |
3189 | 0 | ssl, |
3190 | 0 | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
3191 | 0 | MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER); |
3192 | 0 | return MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE; |
3193 | 0 | } |
3194 | 0 | } else |
3195 | 0 | #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ |
3196 | | #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \ |
3197 | | defined(MBEDTLS_SSL_PROTO_TLS1_1) |
3198 | | if (ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3) { |
3199 | | pk_alg = mbedtls_ssl_get_ciphersuite_sig_pk_alg(ciphersuite_info); |
3200 | | |
3201 | | /* Default hash for ECDSA is SHA-1 */ |
3202 | | if (pk_alg == MBEDTLS_PK_ECDSA && md_alg == MBEDTLS_MD_NONE) { |
3203 | | md_alg = MBEDTLS_MD_SHA1; |
3204 | | } |
3205 | | } else |
3206 | | #endif |
3207 | 0 | { |
3208 | 0 | MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); |
3209 | 0 | return MBEDTLS_ERR_SSL_INTERNAL_ERROR; |
3210 | 0 | } |
3211 | | |
3212 | | /* |
3213 | | * Read signature |
3214 | | */ |
3215 | | |
3216 | 0 | if (p > end - 2) { |
3217 | 0 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad server key exchange message")); |
3218 | 0 | mbedtls_ssl_send_alert_message( |
3219 | 0 | ssl, |
3220 | 0 | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
3221 | 0 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); |
3222 | 0 | return MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE; |
3223 | 0 | } |
3224 | 0 | sig_len = (p[0] << 8) | p[1]; |
3225 | 0 | p += 2; |
3226 | |
|
3227 | 0 | if (p != end - sig_len) { |
3228 | 0 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad server key exchange message")); |
3229 | 0 | mbedtls_ssl_send_alert_message( |
3230 | 0 | ssl, |
3231 | 0 | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
3232 | 0 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); |
3233 | 0 | return MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE; |
3234 | 0 | } |
3235 | | |
3236 | 0 | MBEDTLS_SSL_DEBUG_BUF(3, "signature", p, sig_len); |
3237 | | |
3238 | | /* |
3239 | | * Compute the hash that has been signed |
3240 | | */ |
3241 | | #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \ |
3242 | | defined(MBEDTLS_SSL_PROTO_TLS1_1) |
3243 | | if (md_alg == MBEDTLS_MD_NONE) { |
3244 | | hashlen = 36; |
3245 | | ret = mbedtls_ssl_get_key_exchange_md_ssl_tls(ssl, hash, params, |
3246 | | params_len); |
3247 | | if (ret != 0) { |
3248 | | return ret; |
3249 | | } |
3250 | | } else |
3251 | | #endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \ |
3252 | | MBEDTLS_SSL_PROTO_TLS1_1 */ |
3253 | 0 | #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ |
3254 | 0 | defined(MBEDTLS_SSL_PROTO_TLS1_2) |
3255 | 0 | if (md_alg != MBEDTLS_MD_NONE) { |
3256 | 0 | ret = mbedtls_ssl_get_key_exchange_md_tls1_2(ssl, hash, &hashlen, |
3257 | 0 | params, params_len, |
3258 | 0 | md_alg); |
3259 | 0 | if (ret != 0) { |
3260 | 0 | return ret; |
3261 | 0 | } |
3262 | 0 | } else |
3263 | 0 | #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \ |
3264 | | MBEDTLS_SSL_PROTO_TLS1_2 */ |
3265 | 0 | { |
3266 | 0 | MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); |
3267 | 0 | return MBEDTLS_ERR_SSL_INTERNAL_ERROR; |
3268 | 0 | } |
3269 | | |
3270 | 0 | MBEDTLS_SSL_DEBUG_BUF(3, "parameters hash", hash, hashlen); |
3271 | |
|
3272 | 0 | #if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) |
3273 | 0 | peer_pk = &ssl->handshake->peer_pubkey; |
3274 | | #else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ |
3275 | | if (ssl->session_negotiate->peer_cert == NULL) { |
3276 | | /* Should never happen */ |
3277 | | MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); |
3278 | | return MBEDTLS_ERR_SSL_INTERNAL_ERROR; |
3279 | | } |
3280 | | peer_pk = &ssl->session_negotiate->peer_cert->pk; |
3281 | | #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ |
3282 | | |
3283 | | /* |
3284 | | * Verify signature |
3285 | | */ |
3286 | 0 | if (!mbedtls_pk_can_do(peer_pk, pk_alg)) { |
3287 | 0 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad server key exchange message")); |
3288 | 0 | mbedtls_ssl_send_alert_message( |
3289 | 0 | ssl, |
3290 | 0 | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
3291 | 0 | MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE); |
3292 | 0 | return MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH; |
3293 | 0 | } |
3294 | | |
3295 | | #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) |
3296 | | if (ssl->handshake->ecrs_enabled) { |
3297 | | rs_ctx = &ssl->handshake->ecrs_ctx.pk; |
3298 | | } |
3299 | | #endif /* MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED */ |
3300 | | |
3301 | 0 | if ((ret = mbedtls_pk_verify_restartable(peer_pk, |
3302 | 0 | md_alg, hash, hashlen, p, sig_len, rs_ctx)) != 0) { |
3303 | | #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) |
3304 | | if (ret == MBEDTLS_ERR_ECP_IN_PROGRESS) { |
3305 | | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_verify", ret); |
3306 | | return MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS; |
3307 | | } |
3308 | | #endif /* MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED */ |
3309 | 0 | mbedtls_ssl_send_alert_message( |
3310 | 0 | ssl, |
3311 | 0 | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
3312 | 0 | MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR); |
3313 | 0 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_verify", ret); |
3314 | 0 | return ret; |
3315 | 0 | } |
3316 | | |
3317 | 0 | #if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) |
3318 | | /* We don't need the peer's public key anymore. Free it, |
3319 | | * so that more RAM is available for upcoming expensive |
3320 | | * operations like ECDHE. */ |
3321 | 0 | mbedtls_pk_free(peer_pk); |
3322 | 0 | #endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ |
3323 | 0 | } |
3324 | 0 | #endif /* MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED */ |
3325 | | |
3326 | 0 | exit: |
3327 | 0 | ssl->state++; |
3328 | |
|
3329 | 0 | MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse server key exchange")); |
3330 | |
|
3331 | 0 | return 0; |
3332 | 0 | } |
3333 | | |
3334 | | #if !defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED) |
3335 | | MBEDTLS_CHECK_RETURN_CRITICAL |
3336 | | static int ssl_parse_certificate_request(mbedtls_ssl_context *ssl) |
3337 | | { |
3338 | | const mbedtls_ssl_ciphersuite_t *ciphersuite_info = |
3339 | | ssl->handshake->ciphersuite_info; |
3340 | | |
3341 | | MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate request")); |
3342 | | |
3343 | | if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) { |
3344 | | MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate request")); |
3345 | | ssl->state++; |
3346 | | return 0; |
3347 | | } |
3348 | | |
3349 | | MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); |
3350 | | return MBEDTLS_ERR_SSL_INTERNAL_ERROR; |
3351 | | } |
3352 | | #else /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */ |
3353 | | MBEDTLS_CHECK_RETURN_CRITICAL |
3354 | | static int ssl_parse_certificate_request(mbedtls_ssl_context *ssl) |
3355 | 0 | { |
3356 | 0 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
3357 | 0 | unsigned char *buf; |
3358 | 0 | size_t n = 0; |
3359 | 0 | size_t cert_type_len = 0, dn_len = 0; |
3360 | 0 | const mbedtls_ssl_ciphersuite_t *ciphersuite_info = |
3361 | 0 | ssl->handshake->ciphersuite_info; |
3362 | |
|
3363 | 0 | MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate request")); |
3364 | |
|
3365 | 0 | if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) { |
3366 | 0 | MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate request")); |
3367 | 0 | ssl->state++; |
3368 | 0 | return 0; |
3369 | 0 | } |
3370 | | |
3371 | 0 | if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) { |
3372 | 0 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret); |
3373 | 0 | return ret; |
3374 | 0 | } |
3375 | | |
3376 | 0 | if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) { |
3377 | 0 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate request message")); |
3378 | 0 | mbedtls_ssl_send_alert_message( |
3379 | 0 | ssl, |
3380 | 0 | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
3381 | 0 | MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE); |
3382 | 0 | return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE; |
3383 | 0 | } |
3384 | | |
3385 | 0 | ssl->state++; |
3386 | 0 | ssl->client_auth = (ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE_REQUEST); |
3387 | |
|
3388 | 0 | MBEDTLS_SSL_DEBUG_MSG(3, ("got %s certificate request", |
3389 | 0 | ssl->client_auth ? "a" : "no")); |
3390 | |
|
3391 | 0 | if (ssl->client_auth == 0) { |
3392 | | /* Current message is probably the ServerHelloDone */ |
3393 | 0 | ssl->keep_current_message = 1; |
3394 | 0 | goto exit; |
3395 | 0 | } |
3396 | | |
3397 | | /* |
3398 | | * struct { |
3399 | | * ClientCertificateType certificate_types<1..2^8-1>; |
3400 | | * SignatureAndHashAlgorithm |
3401 | | * supported_signature_algorithms<2^16-1>; -- TLS 1.2 only |
3402 | | * DistinguishedName certificate_authorities<0..2^16-1>; |
3403 | | * } CertificateRequest; |
3404 | | * |
3405 | | * Since we only support a single certificate on clients, let's just |
3406 | | * ignore all the information that's supposed to help us pick a |
3407 | | * certificate. |
3408 | | * |
3409 | | * We could check that our certificate matches the request, and bail out |
3410 | | * if it doesn't, but it's simpler to just send the certificate anyway, |
3411 | | * and give the server the opportunity to decide if it should terminate |
3412 | | * the connection when it doesn't like our certificate. |
3413 | | * |
3414 | | * Same goes for the hash in TLS 1.2's signature_algorithms: at this |
3415 | | * point we only have one hash available (see comments in |
3416 | | * write_certificate_verify), so let's just use what we have. |
3417 | | * |
3418 | | * However, we still minimally parse the message to check it is at least |
3419 | | * superficially sane. |
3420 | | */ |
3421 | 0 | buf = ssl->in_msg; |
3422 | | |
3423 | | /* certificate_types */ |
3424 | 0 | if (ssl->in_hslen <= mbedtls_ssl_hs_hdr_len(ssl)) { |
3425 | 0 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate request message")); |
3426 | 0 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
3427 | 0 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); |
3428 | 0 | return MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST; |
3429 | 0 | } |
3430 | 0 | cert_type_len = buf[mbedtls_ssl_hs_hdr_len(ssl)]; |
3431 | 0 | n = cert_type_len; |
3432 | | |
3433 | | /* |
3434 | | * In the subsequent code there are two paths that read from buf: |
3435 | | * * the length of the signature algorithms field (if minor version of |
3436 | | * SSL is 3), |
3437 | | * * distinguished name length otherwise. |
3438 | | * Both reach at most the index: |
3439 | | * ...hdr_len + 2 + n, |
3440 | | * therefore the buffer length at this point must be greater than that |
3441 | | * regardless of the actual code path. |
3442 | | */ |
3443 | 0 | if (ssl->in_hslen <= mbedtls_ssl_hs_hdr_len(ssl) + 2 + n) { |
3444 | 0 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate request message")); |
3445 | 0 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
3446 | 0 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); |
3447 | 0 | return MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST; |
3448 | 0 | } |
3449 | | |
3450 | | /* supported_signature_algorithms */ |
3451 | 0 | #if defined(MBEDTLS_SSL_PROTO_TLS1_2) |
3452 | 0 | if (ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3) { |
3453 | 0 | size_t sig_alg_len = |
3454 | 0 | ((buf[mbedtls_ssl_hs_hdr_len(ssl) + 1 + n] << 8) |
3455 | 0 | | (buf[mbedtls_ssl_hs_hdr_len(ssl) + 2 + n])); |
3456 | | #if defined(MBEDTLS_DEBUG_C) |
3457 | | unsigned char *sig_alg; |
3458 | | size_t i; |
3459 | | #endif |
3460 | | |
3461 | | /* |
3462 | | * The furthest access in buf is in the loop few lines below: |
3463 | | * sig_alg[i + 1], |
3464 | | * where: |
3465 | | * sig_alg = buf + ...hdr_len + 3 + n, |
3466 | | * max(i) = sig_alg_len - 1. |
3467 | | * Therefore the furthest access is: |
3468 | | * buf[...hdr_len + 3 + n + sig_alg_len - 1 + 1], |
3469 | | * which reduces to: |
3470 | | * buf[...hdr_len + 3 + n + sig_alg_len], |
3471 | | * which is one less than we need the buf to be. |
3472 | | */ |
3473 | 0 | if (ssl->in_hslen <= mbedtls_ssl_hs_hdr_len(ssl) |
3474 | 0 | + 3 + n + sig_alg_len) { |
3475 | 0 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate request message")); |
3476 | 0 | mbedtls_ssl_send_alert_message( |
3477 | 0 | ssl, |
3478 | 0 | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
3479 | 0 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); |
3480 | 0 | return MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST; |
3481 | 0 | } |
3482 | | |
3483 | | #if defined(MBEDTLS_DEBUG_C) |
3484 | | sig_alg = buf + mbedtls_ssl_hs_hdr_len(ssl) + 3 + n; |
3485 | | for (i = 0; i < sig_alg_len; i += 2) { |
3486 | | MBEDTLS_SSL_DEBUG_MSG(3, |
3487 | | ("Supported Signature Algorithm found: %d,%d", |
3488 | | sig_alg[i], sig_alg[i + 1])); |
3489 | | } |
3490 | | #endif |
3491 | | |
3492 | 0 | n += 2 + sig_alg_len; |
3493 | 0 | } |
3494 | 0 | #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ |
3495 | | |
3496 | | /* certificate_authorities */ |
3497 | 0 | dn_len = ((buf[mbedtls_ssl_hs_hdr_len(ssl) + 1 + n] << 8) |
3498 | 0 | | (buf[mbedtls_ssl_hs_hdr_len(ssl) + 2 + n])); |
3499 | |
|
3500 | 0 | n += dn_len; |
3501 | 0 | if (ssl->in_hslen != mbedtls_ssl_hs_hdr_len(ssl) + 3 + n) { |
3502 | 0 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate request message")); |
3503 | 0 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
3504 | 0 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); |
3505 | 0 | return MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST; |
3506 | 0 | } |
3507 | | |
3508 | 0 | exit: |
3509 | 0 | MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse certificate request")); |
3510 | |
|
3511 | 0 | return 0; |
3512 | 0 | } |
3513 | | #endif /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */ |
3514 | | |
3515 | | MBEDTLS_CHECK_RETURN_CRITICAL |
3516 | | static int ssl_parse_server_hello_done(mbedtls_ssl_context *ssl) |
3517 | 0 | { |
3518 | 0 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
3519 | |
|
3520 | 0 | MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse server hello done")); |
3521 | |
|
3522 | 0 | if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) { |
3523 | 0 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret); |
3524 | 0 | return ret; |
3525 | 0 | } |
3526 | | |
3527 | 0 | if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) { |
3528 | 0 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello done message")); |
3529 | 0 | return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE; |
3530 | 0 | } |
3531 | | |
3532 | 0 | if (ssl->in_hslen != mbedtls_ssl_hs_hdr_len(ssl) || |
3533 | 0 | ssl->in_msg[0] != MBEDTLS_SSL_HS_SERVER_HELLO_DONE) { |
3534 | 0 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello done message")); |
3535 | 0 | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
3536 | 0 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); |
3537 | 0 | return MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO_DONE; |
3538 | 0 | } |
3539 | | |
3540 | 0 | ssl->state++; |
3541 | |
|
3542 | 0 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
3543 | 0 | if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) { |
3544 | 0 | mbedtls_ssl_recv_flight_completed(ssl); |
3545 | 0 | } |
3546 | 0 | #endif |
3547 | |
|
3548 | 0 | MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse server hello done")); |
3549 | |
|
3550 | 0 | return 0; |
3551 | 0 | } |
3552 | | |
3553 | | MBEDTLS_CHECK_RETURN_CRITICAL |
3554 | | static int ssl_write_client_key_exchange(mbedtls_ssl_context *ssl) |
3555 | 0 | { |
3556 | 0 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
3557 | |
|
3558 | 0 | size_t header_len; |
3559 | 0 | size_t content_len; |
3560 | 0 | const mbedtls_ssl_ciphersuite_t *ciphersuite_info = |
3561 | 0 | ssl->handshake->ciphersuite_info; |
3562 | |
|
3563 | 0 | MBEDTLS_SSL_DEBUG_MSG(2, ("=> write client key exchange")); |
3564 | |
|
3565 | | #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) |
3566 | | if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA) { |
3567 | | /* |
3568 | | * DHM key exchange -- send G^X mod P |
3569 | | */ |
3570 | | content_len = ssl->handshake->dhm_ctx.len; |
3571 | | |
3572 | | MBEDTLS_PUT_UINT16_BE(content_len, ssl->out_msg, 4); |
3573 | | header_len = 6; |
3574 | | |
3575 | | ret = mbedtls_dhm_make_public(&ssl->handshake->dhm_ctx, |
3576 | | (int) mbedtls_mpi_size(&ssl->handshake->dhm_ctx.P), |
3577 | | &ssl->out_msg[header_len], content_len, |
3578 | | ssl->conf->f_rng, ssl->conf->p_rng); |
3579 | | if (ret != 0) { |
3580 | | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_make_public", ret); |
3581 | | return ret; |
3582 | | } |
3583 | | |
3584 | | MBEDTLS_SSL_DEBUG_MPI(3, "DHM: X ", &ssl->handshake->dhm_ctx.X); |
3585 | | MBEDTLS_SSL_DEBUG_MPI(3, "DHM: GX", &ssl->handshake->dhm_ctx.GX); |
3586 | | |
3587 | | if ((ret = mbedtls_dhm_calc_secret(&ssl->handshake->dhm_ctx, |
3588 | | ssl->handshake->premaster, |
3589 | | MBEDTLS_PREMASTER_SIZE, |
3590 | | &ssl->handshake->pmslen, |
3591 | | ssl->conf->f_rng, ssl->conf->p_rng)) != 0) { |
3592 | | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_calc_secret", ret); |
3593 | | return ret; |
3594 | | } |
3595 | | |
3596 | | MBEDTLS_SSL_DEBUG_MPI(3, "DHM: K ", &ssl->handshake->dhm_ctx.K); |
3597 | | } else |
3598 | | #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */ |
3599 | | #if defined(MBEDTLS_USE_PSA_CRYPTO) && \ |
3600 | | (defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ |
3601 | | defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)) |
3602 | | if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA || |
3603 | | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA) { |
3604 | | psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; |
3605 | | psa_status_t destruction_status = PSA_ERROR_CORRUPTION_DETECTED; |
3606 | | psa_key_attributes_t key_attributes; |
3607 | | |
3608 | | mbedtls_ssl_handshake_params *handshake = ssl->handshake; |
3609 | | |
3610 | | unsigned char own_pubkey[MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH]; |
3611 | | size_t own_pubkey_len; |
3612 | | unsigned char *own_pubkey_ecpoint; |
3613 | | size_t own_pubkey_ecpoint_len; |
3614 | | |
3615 | | header_len = 4; |
3616 | | |
3617 | | MBEDTLS_SSL_DEBUG_MSG(1, ("Perform PSA-based ECDH computation.")); |
3618 | | |
3619 | | /* |
3620 | | * Generate EC private key for ECDHE exchange. |
3621 | | */ |
3622 | | |
3623 | | /* The master secret is obtained from the shared ECDH secret by |
3624 | | * applying the TLS 1.2 PRF with a specific salt and label. While |
3625 | | * the PSA Crypto API encourages combining key agreement schemes |
3626 | | * such as ECDH with fixed KDFs such as TLS 1.2 PRF, it does not |
3627 | | * yet support the provisioning of salt + label to the KDF. |
3628 | | * For the time being, we therefore need to split the computation |
3629 | | * of the ECDH secret and the application of the TLS 1.2 PRF. */ |
3630 | | key_attributes = psa_key_attributes_init(); |
3631 | | psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE); |
3632 | | psa_set_key_algorithm(&key_attributes, PSA_ALG_ECDH); |
3633 | | psa_set_key_type(&key_attributes, handshake->ecdh_psa_type); |
3634 | | psa_set_key_bits(&key_attributes, handshake->ecdh_bits); |
3635 | | |
3636 | | /* Generate ECDH private key. */ |
3637 | | status = psa_generate_key(&key_attributes, |
3638 | | &handshake->ecdh_psa_privkey); |
3639 | | if (status != PSA_SUCCESS) { |
3640 | | return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; |
3641 | | } |
3642 | | |
3643 | | /* Export the public part of the ECDH private key from PSA |
3644 | | * and convert it to ECPoint format used in ClientKeyExchange. */ |
3645 | | status = psa_export_public_key(handshake->ecdh_psa_privkey, |
3646 | | own_pubkey, sizeof(own_pubkey), |
3647 | | &own_pubkey_len); |
3648 | | if (status != PSA_SUCCESS) { |
3649 | | psa_destroy_key(handshake->ecdh_psa_privkey); |
3650 | | handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT; |
3651 | | return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; |
3652 | | } |
3653 | | |
3654 | | if (mbedtls_psa_tls_psa_ec_to_ecpoint(own_pubkey, |
3655 | | own_pubkey_len, |
3656 | | &own_pubkey_ecpoint, |
3657 | | &own_pubkey_ecpoint_len) != 0) { |
3658 | | psa_destroy_key(handshake->ecdh_psa_privkey); |
3659 | | handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT; |
3660 | | return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; |
3661 | | } |
3662 | | |
3663 | | /* Copy ECPoint structure to outgoing message buffer. */ |
3664 | | ssl->out_msg[header_len] = (unsigned char) own_pubkey_ecpoint_len; |
3665 | | memcpy(ssl->out_msg + header_len + 1, |
3666 | | own_pubkey_ecpoint, own_pubkey_ecpoint_len); |
3667 | | content_len = own_pubkey_ecpoint_len + 1; |
3668 | | |
3669 | | /* The ECDH secret is the premaster secret used for key derivation. */ |
3670 | | |
3671 | | /* Compute ECDH shared secret. */ |
3672 | | status = psa_raw_key_agreement(PSA_ALG_ECDH, |
3673 | | handshake->ecdh_psa_privkey, |
3674 | | handshake->ecdh_psa_peerkey, |
3675 | | handshake->ecdh_psa_peerkey_len, |
3676 | | ssl->handshake->premaster, |
3677 | | sizeof(ssl->handshake->premaster), |
3678 | | &ssl->handshake->pmslen); |
3679 | | |
3680 | | destruction_status = psa_destroy_key(handshake->ecdh_psa_privkey); |
3681 | | handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT; |
3682 | | |
3683 | | if (status != PSA_SUCCESS || destruction_status != PSA_SUCCESS) { |
3684 | | return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; |
3685 | | } |
3686 | | } else |
3687 | | #endif /* MBEDTLS_USE_PSA_CRYPTO && |
3688 | | ( MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || |
3689 | | MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ) */ |
3690 | 0 | #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ |
3691 | 0 | defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \ |
3692 | 0 | defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ |
3693 | 0 | defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) |
3694 | 0 | if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA || |
3695 | 0 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA || |
3696 | 0 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA || |
3697 | 0 | ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA) { |
3698 | | /* |
3699 | | * ECDH key exchange -- send client public value |
3700 | | */ |
3701 | 0 | header_len = 4; |
3702 | |
|
3703 | | #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) |
3704 | | if (ssl->handshake->ecrs_enabled) { |
3705 | | if (ssl->handshake->ecrs_state == ssl_ecrs_cke_ecdh_calc_secret) { |
3706 | | goto ecdh_calc_secret; |
3707 | | } |
3708 | | |
3709 | | mbedtls_ecdh_enable_restart(&ssl->handshake->ecdh_ctx); |
3710 | | } |
3711 | | #endif |
3712 | |
|
3713 | 0 | ret = mbedtls_ecdh_make_public(&ssl->handshake->ecdh_ctx, |
3714 | 0 | &content_len, |
3715 | 0 | &ssl->out_msg[header_len], 1000, |
3716 | 0 | ssl->conf->f_rng, ssl->conf->p_rng); |
3717 | 0 | if (ret != 0) { |
3718 | 0 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_make_public", ret); |
3719 | | #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) |
3720 | | if (ret == MBEDTLS_ERR_ECP_IN_PROGRESS) { |
3721 | | ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS; |
3722 | | } |
3723 | | #endif |
3724 | 0 | return ret; |
3725 | 0 | } |
3726 | | |
3727 | 0 | MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx, |
3728 | 0 | MBEDTLS_DEBUG_ECDH_Q); |
3729 | |
|
3730 | | #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) |
3731 | | if (ssl->handshake->ecrs_enabled) { |
3732 | | ssl->handshake->ecrs_n = content_len; |
3733 | | ssl->handshake->ecrs_state = ssl_ecrs_cke_ecdh_calc_secret; |
3734 | | } |
3735 | | |
3736 | | ecdh_calc_secret: |
3737 | | if (ssl->handshake->ecrs_enabled) { |
3738 | | content_len = ssl->handshake->ecrs_n; |
3739 | | } |
3740 | | #endif |
3741 | 0 | if ((ret = mbedtls_ecdh_calc_secret(&ssl->handshake->ecdh_ctx, |
3742 | 0 | &ssl->handshake->pmslen, |
3743 | 0 | ssl->handshake->premaster, |
3744 | 0 | MBEDTLS_MPI_MAX_SIZE, |
3745 | 0 | ssl->conf->f_rng, ssl->conf->p_rng)) != 0) { |
3746 | 0 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_calc_secret", ret); |
3747 | | #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) |
3748 | | if (ret == MBEDTLS_ERR_ECP_IN_PROGRESS) { |
3749 | | ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS; |
3750 | | } |
3751 | | #endif |
3752 | 0 | return ret; |
3753 | 0 | } |
3754 | | |
3755 | 0 | MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx, |
3756 | 0 | MBEDTLS_DEBUG_ECDH_Z); |
3757 | 0 | } else |
3758 | 0 | #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || |
3759 | | MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED || |
3760 | | MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED || |
3761 | | MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ |
3762 | 0 | #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) |
3763 | 0 | if (mbedtls_ssl_ciphersuite_uses_psk(ciphersuite_info)) { |
3764 | | /* |
3765 | | * opaque psk_identity<0..2^16-1>; |
3766 | | */ |
3767 | 0 | if (ssl_conf_has_static_psk(ssl->conf) == 0) { |
3768 | | /* We don't offer PSK suites if we don't have a PSK, |
3769 | | * and we check that the server's choice is among the |
3770 | | * ciphersuites we offered, so this should never happen. */ |
3771 | 0 | return MBEDTLS_ERR_SSL_INTERNAL_ERROR; |
3772 | 0 | } |
3773 | | |
3774 | 0 | header_len = 4; |
3775 | 0 | content_len = ssl->conf->psk_identity_len; |
3776 | |
|
3777 | 0 | if (header_len + 2 + content_len > MBEDTLS_SSL_OUT_CONTENT_LEN) { |
3778 | 0 | MBEDTLS_SSL_DEBUG_MSG(1, |
3779 | 0 | ("psk identity too long or SSL buffer too short")); |
3780 | 0 | return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL; |
3781 | 0 | } |
3782 | | |
3783 | 0 | ssl->out_msg[header_len++] = MBEDTLS_BYTE_1(content_len); |
3784 | 0 | ssl->out_msg[header_len++] = MBEDTLS_BYTE_0(content_len); |
3785 | |
|
3786 | 0 | memcpy(ssl->out_msg + header_len, |
3787 | 0 | ssl->conf->psk_identity, |
3788 | 0 | ssl->conf->psk_identity_len); |
3789 | 0 | header_len += ssl->conf->psk_identity_len; |
3790 | |
|
3791 | 0 | #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) |
3792 | 0 | if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK) { |
3793 | 0 | content_len = 0; |
3794 | 0 | } else |
3795 | 0 | #endif |
3796 | | #if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) |
3797 | | if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK) { |
3798 | | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
3799 | | /* Opaque PSKs are currently only supported for PSK-only suites. */ |
3800 | | if (ssl_conf_has_static_raw_psk(ssl->conf) == 0) { |
3801 | | MBEDTLS_SSL_DEBUG_MSG(1, ("opaque PSK not supported with RSA-PSK")); |
3802 | | return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; |
3803 | | } |
3804 | | #endif /* MBEDTLS_USE_PSA_CRYPTO */ |
3805 | | |
3806 | | if ((ret = ssl_write_encrypted_pms(ssl, header_len, |
3807 | | &content_len, 2)) != 0) { |
3808 | | return ret; |
3809 | | } |
3810 | | } else |
3811 | | #endif |
3812 | | #if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) |
3813 | | if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK) { |
3814 | | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
3815 | | /* Opaque PSKs are currently only supported for PSK-only suites. */ |
3816 | | if (ssl_conf_has_static_raw_psk(ssl->conf) == 0) { |
3817 | | MBEDTLS_SSL_DEBUG_MSG(1, ("opaque PSK not supported with DHE-PSK")); |
3818 | | return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; |
3819 | | } |
3820 | | #endif /* MBEDTLS_USE_PSA_CRYPTO */ |
3821 | | |
3822 | | /* |
3823 | | * ClientDiffieHellmanPublic public (DHM send G^X mod P) |
3824 | | */ |
3825 | | content_len = ssl->handshake->dhm_ctx.len; |
3826 | | |
3827 | | if (header_len + 2 + content_len > |
3828 | | MBEDTLS_SSL_OUT_CONTENT_LEN) { |
3829 | | MBEDTLS_SSL_DEBUG_MSG(1, |
3830 | | ("psk identity or DHM size too long or SSL buffer too short")); |
3831 | | return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL; |
3832 | | } |
3833 | | |
3834 | | ssl->out_msg[header_len++] = MBEDTLS_BYTE_1(content_len); |
3835 | | ssl->out_msg[header_len++] = MBEDTLS_BYTE_0(content_len); |
3836 | | |
3837 | | ret = mbedtls_dhm_make_public(&ssl->handshake->dhm_ctx, |
3838 | | (int) mbedtls_mpi_size(&ssl->handshake->dhm_ctx.P), |
3839 | | &ssl->out_msg[header_len], content_len, |
3840 | | ssl->conf->f_rng, ssl->conf->p_rng); |
3841 | | if (ret != 0) { |
3842 | | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_make_public", ret); |
3843 | | return ret; |
3844 | | } |
3845 | | } else |
3846 | | #endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */ |
3847 | | #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) |
3848 | | if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK) { |
3849 | | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
3850 | | /* Opaque PSKs are currently only supported for PSK-only suites. */ |
3851 | | if (ssl_conf_has_static_raw_psk(ssl->conf) == 0) { |
3852 | | MBEDTLS_SSL_DEBUG_MSG(1, ("opaque PSK not supported with ECDHE-PSK")); |
3853 | | return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; |
3854 | | } |
3855 | | #endif /* MBEDTLS_USE_PSA_CRYPTO */ |
3856 | | |
3857 | | /* |
3858 | | * ClientECDiffieHellmanPublic public; |
3859 | | */ |
3860 | | ret = mbedtls_ecdh_make_public(&ssl->handshake->ecdh_ctx, |
3861 | | &content_len, |
3862 | | &ssl->out_msg[header_len], |
3863 | | MBEDTLS_SSL_OUT_CONTENT_LEN - header_len, |
3864 | | ssl->conf->f_rng, ssl->conf->p_rng); |
3865 | | if (ret != 0) { |
3866 | | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_make_public", ret); |
3867 | | return ret; |
3868 | | } |
3869 | | |
3870 | | MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx, |
3871 | | MBEDTLS_DEBUG_ECDH_Q); |
3872 | | } else |
3873 | | #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */ |
3874 | 0 | { |
3875 | 0 | MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); |
3876 | 0 | return MBEDTLS_ERR_SSL_INTERNAL_ERROR; |
3877 | 0 | } |
3878 | | |
3879 | | #if defined(MBEDTLS_USE_PSA_CRYPTO) && \ |
3880 | | defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) |
3881 | | if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK && |
3882 | | ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 && |
3883 | | ssl_conf_has_static_raw_psk(ssl->conf) == 0) { |
3884 | | MBEDTLS_SSL_DEBUG_MSG(1, |
3885 | | ("skip PMS generation for opaque PSK")); |
3886 | | } else |
3887 | | #endif /* MBEDTLS_USE_PSA_CRYPTO && |
3888 | | MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */ |
3889 | 0 | if ((ret = mbedtls_ssl_psk_derive_premaster(ssl, |
3890 | 0 | ciphersuite_info->key_exchange)) != 0) { |
3891 | 0 | MBEDTLS_SSL_DEBUG_RET(1, |
3892 | 0 | "mbedtls_ssl_psk_derive_premaster", ret); |
3893 | 0 | return ret; |
3894 | 0 | } |
3895 | 0 | } else |
3896 | 0 | #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */ |
3897 | | #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) |
3898 | | if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA) { |
3899 | | header_len = 4; |
3900 | | if ((ret = ssl_write_encrypted_pms(ssl, header_len, |
3901 | | &content_len, 0)) != 0) { |
3902 | | return ret; |
3903 | | } |
3904 | | } else |
3905 | | #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */ |
3906 | 0 | #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) |
3907 | 0 | if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE) { |
3908 | 0 | header_len = 4; |
3909 | |
|
3910 | 0 | ret = mbedtls_ecjpake_write_round_two(&ssl->handshake->ecjpake_ctx, |
3911 | 0 | ssl->out_msg + header_len, |
3912 | 0 | MBEDTLS_SSL_OUT_CONTENT_LEN - header_len, |
3913 | 0 | &content_len, |
3914 | 0 | ssl->conf->f_rng, ssl->conf->p_rng); |
3915 | 0 | if (ret != 0) { |
3916 | 0 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_write_round_two", ret); |
3917 | 0 | return ret; |
3918 | 0 | } |
3919 | | |
3920 | 0 | ret = mbedtls_ecjpake_derive_secret(&ssl->handshake->ecjpake_ctx, |
3921 | 0 | ssl->handshake->premaster, 32, &ssl->handshake->pmslen, |
3922 | 0 | ssl->conf->f_rng, ssl->conf->p_rng); |
3923 | 0 | if (ret != 0) { |
3924 | 0 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_derive_secret", ret); |
3925 | 0 | return ret; |
3926 | 0 | } |
3927 | 0 | } else |
3928 | 0 | #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */ |
3929 | 0 | { |
3930 | 0 | ((void) ciphersuite_info); |
3931 | 0 | MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); |
3932 | 0 | return MBEDTLS_ERR_SSL_INTERNAL_ERROR; |
3933 | 0 | } |
3934 | | |
3935 | 0 | ssl->out_msglen = header_len + content_len; |
3936 | 0 | ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; |
3937 | 0 | ssl->out_msg[0] = MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE; |
3938 | |
|
3939 | 0 | ssl->state++; |
3940 | |
|
3941 | 0 | if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) { |
3942 | 0 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret); |
3943 | 0 | return ret; |
3944 | 0 | } |
3945 | | |
3946 | 0 | MBEDTLS_SSL_DEBUG_MSG(2, ("<= write client key exchange")); |
3947 | |
|
3948 | 0 | return 0; |
3949 | 0 | } |
3950 | | |
3951 | | #if !defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED) |
3952 | | MBEDTLS_CHECK_RETURN_CRITICAL |
3953 | | static int ssl_write_certificate_verify(mbedtls_ssl_context *ssl) |
3954 | | { |
3955 | | const mbedtls_ssl_ciphersuite_t *ciphersuite_info = |
3956 | | ssl->handshake->ciphersuite_info; |
3957 | | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
3958 | | |
3959 | | MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate verify")); |
3960 | | |
3961 | | if ((ret = mbedtls_ssl_derive_keys(ssl)) != 0) { |
3962 | | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_derive_keys", ret); |
3963 | | return ret; |
3964 | | } |
3965 | | |
3966 | | if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) { |
3967 | | MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate verify")); |
3968 | | ssl->state++; |
3969 | | return 0; |
3970 | | } |
3971 | | |
3972 | | MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); |
3973 | | return MBEDTLS_ERR_SSL_INTERNAL_ERROR; |
3974 | | } |
3975 | | #else /* !MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */ |
3976 | | MBEDTLS_CHECK_RETURN_CRITICAL |
3977 | | static int ssl_write_certificate_verify(mbedtls_ssl_context *ssl) |
3978 | 0 | { |
3979 | 0 | int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; |
3980 | 0 | const mbedtls_ssl_ciphersuite_t *ciphersuite_info = |
3981 | 0 | ssl->handshake->ciphersuite_info; |
3982 | 0 | size_t n = 0, offset = 0; |
3983 | 0 | unsigned char hash[48]; |
3984 | 0 | unsigned char *hash_start = hash; |
3985 | 0 | mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE; |
3986 | 0 | size_t hashlen; |
3987 | 0 | void *rs_ctx = NULL; |
3988 | |
|
3989 | 0 | MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate verify")); |
3990 | |
|
3991 | | #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) |
3992 | | if (ssl->handshake->ecrs_enabled && |
3993 | | ssl->handshake->ecrs_state == ssl_ecrs_crt_vrfy_sign) { |
3994 | | goto sign; |
3995 | | } |
3996 | | #endif |
3997 | |
|
3998 | 0 | if ((ret = mbedtls_ssl_derive_keys(ssl)) != 0) { |
3999 | 0 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_derive_keys", ret); |
4000 | 0 | return ret; |
4001 | 0 | } |
4002 | | |
4003 | 0 | if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) { |
4004 | 0 | MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate verify")); |
4005 | 0 | ssl->state++; |
4006 | 0 | return 0; |
4007 | 0 | } |
4008 | | |
4009 | 0 | if (ssl->client_auth == 0 || mbedtls_ssl_own_cert(ssl) == NULL) { |
4010 | 0 | MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate verify")); |
4011 | 0 | ssl->state++; |
4012 | 0 | return 0; |
4013 | 0 | } |
4014 | | |
4015 | 0 | if (mbedtls_ssl_own_key(ssl) == NULL) { |
4016 | 0 | MBEDTLS_SSL_DEBUG_MSG(1, ("got no private key for certificate")); |
4017 | 0 | return MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED; |
4018 | 0 | } |
4019 | | |
4020 | | /* |
4021 | | * Make a signature of the handshake digests |
4022 | | */ |
4023 | | #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) |
4024 | | if (ssl->handshake->ecrs_enabled) { |
4025 | | ssl->handshake->ecrs_state = ssl_ecrs_crt_vrfy_sign; |
4026 | | } |
4027 | | |
4028 | | sign: |
4029 | | #endif |
4030 | | |
4031 | 0 | ssl->handshake->calc_verify(ssl, hash, &hashlen); |
4032 | |
|
4033 | | #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \ |
4034 | | defined(MBEDTLS_SSL_PROTO_TLS1_1) |
4035 | | if (ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3) { |
4036 | | /* |
4037 | | * digitally-signed struct { |
4038 | | * opaque md5_hash[16]; |
4039 | | * opaque sha_hash[20]; |
4040 | | * }; |
4041 | | * |
4042 | | * md5_hash |
4043 | | * MD5(handshake_messages); |
4044 | | * |
4045 | | * sha_hash |
4046 | | * SHA(handshake_messages); |
4047 | | */ |
4048 | | md_alg = MBEDTLS_MD_NONE; |
4049 | | |
4050 | | /* |
4051 | | * For ECDSA, default hash is SHA-1 only |
4052 | | */ |
4053 | | if (mbedtls_pk_can_do(mbedtls_ssl_own_key(ssl), MBEDTLS_PK_ECDSA)) { |
4054 | | hash_start += 16; |
4055 | | hashlen -= 16; |
4056 | | md_alg = MBEDTLS_MD_SHA1; |
4057 | | } |
4058 | | } else |
4059 | | #endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \ |
4060 | | MBEDTLS_SSL_PROTO_TLS1_1 */ |
4061 | 0 | #if defined(MBEDTLS_SSL_PROTO_TLS1_2) |
4062 | 0 | if (ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3) { |
4063 | | /* |
4064 | | * digitally-signed struct { |
4065 | | * opaque handshake_messages[handshake_messages_length]; |
4066 | | * }; |
4067 | | * |
4068 | | * Taking shortcut here. We assume that the server always allows the |
4069 | | * PRF Hash function and has sent it in the allowed signature |
4070 | | * algorithms list received in the Certificate Request message. |
4071 | | * |
4072 | | * Until we encounter a server that does not, we will take this |
4073 | | * shortcut. |
4074 | | * |
4075 | | * Reason: Otherwise we should have running hashes for SHA512 and |
4076 | | * SHA224 in order to satisfy 'weird' needs from the server |
4077 | | * side. |
4078 | | */ |
4079 | 0 | if (ssl->handshake->ciphersuite_info->mac == MBEDTLS_MD_SHA384) { |
4080 | 0 | md_alg = MBEDTLS_MD_SHA384; |
4081 | 0 | ssl->out_msg[4] = MBEDTLS_SSL_HASH_SHA384; |
4082 | 0 | } else { |
4083 | 0 | md_alg = MBEDTLS_MD_SHA256; |
4084 | 0 | ssl->out_msg[4] = MBEDTLS_SSL_HASH_SHA256; |
4085 | 0 | } |
4086 | 0 | ssl->out_msg[5] = mbedtls_ssl_sig_from_pk(mbedtls_ssl_own_key(ssl)); |
4087 | | |
4088 | | /* Info from md_alg will be used instead */ |
4089 | 0 | hashlen = 0; |
4090 | 0 | offset = 2; |
4091 | 0 | } else |
4092 | 0 | #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ |
4093 | 0 | { |
4094 | 0 | MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); |
4095 | 0 | return MBEDTLS_ERR_SSL_INTERNAL_ERROR; |
4096 | 0 | } |
4097 | | |
4098 | | #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) |
4099 | | if (ssl->handshake->ecrs_enabled) { |
4100 | | rs_ctx = &ssl->handshake->ecrs_ctx.pk; |
4101 | | } |
4102 | | #endif |
4103 | | |
4104 | 0 | if ((ret = mbedtls_pk_sign_restartable(mbedtls_ssl_own_key(ssl), |
4105 | 0 | md_alg, hash_start, hashlen, |
4106 | 0 | ssl->out_msg + 6 + offset, &n, |
4107 | 0 | ssl->conf->f_rng, ssl->conf->p_rng, rs_ctx)) != 0) { |
4108 | 0 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_sign", ret); |
4109 | | #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) |
4110 | | if (ret == MBEDTLS_ERR_ECP_IN_PROGRESS) { |
4111 | | ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS; |
4112 | | } |
4113 | | #endif |
4114 | 0 | return ret; |
4115 | 0 | } |
4116 | | |
4117 | 0 | MBEDTLS_PUT_UINT16_BE(n, ssl->out_msg, offset + 4); |
4118 | |
|
4119 | 0 | ssl->out_msglen = 6 + n + offset; |
4120 | 0 | ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; |
4121 | 0 | ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE_VERIFY; |
4122 | |
|
4123 | 0 | ssl->state++; |
4124 | |
|
4125 | 0 | if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) { |
4126 | 0 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret); |
4127 | 0 | return ret; |
4128 | 0 | } |
4129 | | |
4130 | 0 | MBEDTLS_SSL_DEBUG_MSG(2, ("<= write certificate verify")); |
4131 | |
|
4132 | 0 | return ret; |
4133 | 0 | } |
4134 | | #endif /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */ |
4135 | | |
4136 | | #if defined(MBEDTLS_SSL_SESSION_TICKETS) |
4137 | | MBEDTLS_CHECK_RETURN_CRITICAL |
4138 | | static int ssl_parse_new_session_ticket(mbedtls_ssl_context *ssl) |
4139 | | { |
4140 | | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
4141 | | uint32_t lifetime; |
4142 | | size_t ticket_len; |
4143 | | unsigned char *ticket; |
4144 | | const unsigned char *msg; |
4145 | | |
4146 | | MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse new session ticket")); |
4147 | | |
4148 | | if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) { |
4149 | | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret); |
4150 | | return ret; |
4151 | | } |
4152 | | |
4153 | | if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) { |
4154 | | MBEDTLS_SSL_DEBUG_MSG(1, ("bad new session ticket message")); |
4155 | | mbedtls_ssl_send_alert_message( |
4156 | | ssl, |
4157 | | MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
4158 | | MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE); |
4159 | | return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE; |
4160 | | } |
4161 | | |
4162 | | /* |
4163 | | * struct { |
4164 | | * uint32 ticket_lifetime_hint; |
4165 | | * opaque ticket<0..2^16-1>; |
4166 | | * } NewSessionTicket; |
4167 | | * |
4168 | | * 0 . 3 ticket_lifetime_hint |
4169 | | * 4 . 5 ticket_len (n) |
4170 | | * 6 . 5+n ticket content |
4171 | | */ |
4172 | | if (ssl->in_msg[0] != MBEDTLS_SSL_HS_NEW_SESSION_TICKET || |
4173 | | ssl->in_hslen < 6 + mbedtls_ssl_hs_hdr_len(ssl)) { |
4174 | | MBEDTLS_SSL_DEBUG_MSG(1, ("bad new session ticket message")); |
4175 | | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
4176 | | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); |
4177 | | return MBEDTLS_ERR_SSL_BAD_HS_NEW_SESSION_TICKET; |
4178 | | } |
4179 | | |
4180 | | msg = ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl); |
4181 | | |
4182 | | lifetime = (((uint32_t) msg[0]) << 24) | (msg[1] << 16) | |
4183 | | (msg[2] << 8) | (msg[3]); |
4184 | | |
4185 | | ticket_len = (msg[4] << 8) | (msg[5]); |
4186 | | |
4187 | | if (ticket_len + 6 + mbedtls_ssl_hs_hdr_len(ssl) != ssl->in_hslen) { |
4188 | | MBEDTLS_SSL_DEBUG_MSG(1, ("bad new session ticket message")); |
4189 | | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
4190 | | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); |
4191 | | return MBEDTLS_ERR_SSL_BAD_HS_NEW_SESSION_TICKET; |
4192 | | } |
4193 | | |
4194 | | MBEDTLS_SSL_DEBUG_MSG(3, ("ticket length: %" MBEDTLS_PRINTF_SIZET, ticket_len)); |
4195 | | |
4196 | | /* We're not waiting for a NewSessionTicket message any more */ |
4197 | | ssl->handshake->new_session_ticket = 0; |
4198 | | ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC; |
4199 | | |
4200 | | /* |
4201 | | * Zero-length ticket means the server changed his mind and doesn't want |
4202 | | * to send a ticket after all, so just forget it |
4203 | | */ |
4204 | | if (ticket_len == 0) { |
4205 | | return 0; |
4206 | | } |
4207 | | |
4208 | | if (ssl->session != NULL && ssl->session->ticket != NULL) { |
4209 | | mbedtls_platform_zeroize(ssl->session->ticket, |
4210 | | ssl->session->ticket_len); |
4211 | | mbedtls_free(ssl->session->ticket); |
4212 | | ssl->session->ticket = NULL; |
4213 | | ssl->session->ticket_len = 0; |
4214 | | } |
4215 | | |
4216 | | mbedtls_platform_zeroize(ssl->session_negotiate->ticket, |
4217 | | ssl->session_negotiate->ticket_len); |
4218 | | mbedtls_free(ssl->session_negotiate->ticket); |
4219 | | ssl->session_negotiate->ticket = NULL; |
4220 | | ssl->session_negotiate->ticket_len = 0; |
4221 | | |
4222 | | if ((ticket = mbedtls_calloc(1, ticket_len)) == NULL) { |
4223 | | MBEDTLS_SSL_DEBUG_MSG(1, ("ticket alloc failed")); |
4224 | | mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, |
4225 | | MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR); |
4226 | | return MBEDTLS_ERR_SSL_ALLOC_FAILED; |
4227 | | } |
4228 | | |
4229 | | memcpy(ticket, msg + 6, ticket_len); |
4230 | | |
4231 | | ssl->session_negotiate->ticket = ticket; |
4232 | | ssl->session_negotiate->ticket_len = ticket_len; |
4233 | | ssl->session_negotiate->ticket_lifetime = lifetime; |
4234 | | |
4235 | | /* |
4236 | | * RFC 5077 section 3.4: |
4237 | | * "If the client receives a session ticket from the server, then it |
4238 | | * discards any Session ID that was sent in the ServerHello." |
4239 | | */ |
4240 | | MBEDTLS_SSL_DEBUG_MSG(3, ("ticket in use, discarding session id")); |
4241 | | ssl->session_negotiate->id_len = 0; |
4242 | | |
4243 | | MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse new session ticket")); |
4244 | | |
4245 | | return 0; |
4246 | | } |
4247 | | #endif /* MBEDTLS_SSL_SESSION_TICKETS */ |
4248 | | |
4249 | | /* |
4250 | | * SSL handshake -- client side -- single step |
4251 | | */ |
4252 | | int mbedtls_ssl_handshake_client_step(mbedtls_ssl_context *ssl) |
4253 | 0 | { |
4254 | 0 | int ret = 0; |
4255 | |
|
4256 | 0 | if (ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER || ssl->handshake == NULL) { |
4257 | 0 | return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; |
4258 | 0 | } |
4259 | | |
4260 | 0 | MBEDTLS_SSL_DEBUG_MSG(2, ("client state: %d", ssl->state)); |
4261 | |
|
4262 | 0 | if ((ret = mbedtls_ssl_flush_output(ssl)) != 0) { |
4263 | 0 | return ret; |
4264 | 0 | } |
4265 | | |
4266 | 0 | #if defined(MBEDTLS_SSL_PROTO_DTLS) |
4267 | 0 | if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && |
4268 | 0 | ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING) { |
4269 | 0 | if ((ret = mbedtls_ssl_flight_transmit(ssl)) != 0) { |
4270 | 0 | return ret; |
4271 | 0 | } |
4272 | 0 | } |
4273 | 0 | #endif /* MBEDTLS_SSL_PROTO_DTLS */ |
4274 | | |
4275 | | /* Change state now, so that it is right in mbedtls_ssl_read_record(), used |
4276 | | * by DTLS for dropping out-of-sequence ChangeCipherSpec records */ |
4277 | | #if defined(MBEDTLS_SSL_SESSION_TICKETS) |
4278 | | if (ssl->state == MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC && |
4279 | | ssl->handshake->new_session_ticket != 0) { |
4280 | | ssl->state = MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET; |
4281 | | } |
4282 | | #endif |
4283 | | |
4284 | 0 | switch (ssl->state) { |
4285 | 0 | case MBEDTLS_SSL_HELLO_REQUEST: |
4286 | 0 | ssl->state = MBEDTLS_SSL_CLIENT_HELLO; |
4287 | 0 | break; |
4288 | | |
4289 | | /* |
4290 | | * ==> ClientHello |
4291 | | */ |
4292 | 0 | case MBEDTLS_SSL_CLIENT_HELLO: |
4293 | 0 | ret = ssl_write_client_hello(ssl); |
4294 | 0 | break; |
4295 | | |
4296 | | /* |
4297 | | * <== ServerHello |
4298 | | * Certificate |
4299 | | * ( ServerKeyExchange ) |
4300 | | * ( CertificateRequest ) |
4301 | | * ServerHelloDone |
4302 | | */ |
4303 | 0 | case MBEDTLS_SSL_SERVER_HELLO: |
4304 | 0 | ret = ssl_parse_server_hello(ssl); |
4305 | 0 | break; |
4306 | | |
4307 | 0 | case MBEDTLS_SSL_SERVER_CERTIFICATE: |
4308 | 0 | ret = mbedtls_ssl_parse_certificate(ssl); |
4309 | 0 | break; |
4310 | | |
4311 | 0 | case MBEDTLS_SSL_SERVER_KEY_EXCHANGE: |
4312 | 0 | ret = ssl_parse_server_key_exchange(ssl); |
4313 | 0 | break; |
4314 | | |
4315 | 0 | case MBEDTLS_SSL_CERTIFICATE_REQUEST: |
4316 | 0 | ret = ssl_parse_certificate_request(ssl); |
4317 | 0 | break; |
4318 | | |
4319 | 0 | case MBEDTLS_SSL_SERVER_HELLO_DONE: |
4320 | 0 | ret = ssl_parse_server_hello_done(ssl); |
4321 | 0 | break; |
4322 | | |
4323 | | /* |
4324 | | * ==> ( Certificate/Alert ) |
4325 | | * ClientKeyExchange |
4326 | | * ( CertificateVerify ) |
4327 | | * ChangeCipherSpec |
4328 | | * Finished |
4329 | | */ |
4330 | 0 | case MBEDTLS_SSL_CLIENT_CERTIFICATE: |
4331 | 0 | ret = mbedtls_ssl_write_certificate(ssl); |
4332 | 0 | break; |
4333 | | |
4334 | 0 | case MBEDTLS_SSL_CLIENT_KEY_EXCHANGE: |
4335 | 0 | ret = ssl_write_client_key_exchange(ssl); |
4336 | 0 | break; |
4337 | | |
4338 | 0 | case MBEDTLS_SSL_CERTIFICATE_VERIFY: |
4339 | 0 | ret = ssl_write_certificate_verify(ssl); |
4340 | 0 | break; |
4341 | | |
4342 | 0 | case MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC: |
4343 | 0 | ret = mbedtls_ssl_write_change_cipher_spec(ssl); |
4344 | 0 | break; |
4345 | | |
4346 | 0 | case MBEDTLS_SSL_CLIENT_FINISHED: |
4347 | 0 | ret = mbedtls_ssl_write_finished(ssl); |
4348 | 0 | break; |
4349 | | |
4350 | | /* |
4351 | | * <== ( NewSessionTicket ) |
4352 | | * ChangeCipherSpec |
4353 | | * Finished |
4354 | | */ |
4355 | | #if defined(MBEDTLS_SSL_SESSION_TICKETS) |
4356 | | case MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET: |
4357 | | ret = ssl_parse_new_session_ticket(ssl); |
4358 | | break; |
4359 | | #endif |
4360 | | |
4361 | 0 | case MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC: |
4362 | 0 | ret = mbedtls_ssl_parse_change_cipher_spec(ssl); |
4363 | 0 | break; |
4364 | | |
4365 | 0 | case MBEDTLS_SSL_SERVER_FINISHED: |
4366 | 0 | ret = mbedtls_ssl_parse_finished(ssl); |
4367 | 0 | break; |
4368 | | |
4369 | 0 | case MBEDTLS_SSL_FLUSH_BUFFERS: |
4370 | 0 | MBEDTLS_SSL_DEBUG_MSG(2, ("handshake: done")); |
4371 | 0 | ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP; |
4372 | 0 | break; |
4373 | | |
4374 | 0 | case MBEDTLS_SSL_HANDSHAKE_WRAPUP: |
4375 | 0 | mbedtls_ssl_handshake_wrapup(ssl); |
4376 | 0 | break; |
4377 | | |
4378 | 0 | default: |
4379 | 0 | MBEDTLS_SSL_DEBUG_MSG(1, ("invalid state %d", ssl->state)); |
4380 | 0 | return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; |
4381 | 0 | } |
4382 | | |
4383 | 0 | return ret; |
4384 | 0 | } |
4385 | | #endif /* MBEDTLS_SSL_CLI_C */ |