Blame - library/ssl_tls13_client.c - mirror/mbed-tls

2021-08-24 15:59:48 +0800

[diff] [blame]

26

#include <string.h>

27

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

28

#include "mbedtls/debug.h"

29

#include "mbedtls/error.h"

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

30

#include "mbedtls/platform.h"

Jerry Yu

a13c7e7

2021-08-17 10:44:40 +0800

[diff] [blame]

31

Jerry Yu

bdc7188

2021-09-14 19:30:36 +0800

[diff] [blame]

32

#include "ssl_misc.h"

Ronald Cron

3d580bf

2022-02-18 17:24:56 +0100

[diff] [blame]

33

#include "ssl_client.h"

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

34

#include "ssl_tls13_keys.h"

Jerry Yu

2022-08-04 16:55:10 +0800

[diff] [blame]

35

#include "ssl_debug_helpers.h"

Manuel Pégourié-Gonnard

02b10d8

2023-03-28 12:33:20 +0200

[diff] [blame]

36

#include "md_psa.h"

Jerry Yu

bdc7188

2021-09-14 19:30:36 +0800

[diff] [blame]

37

Valerio Setti

2023-07-25 11:23:50 +0200

[diff] [blame]

38

#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)

Andrzej Kurek

0064484

2023-05-30 05:45:00 -0400

[diff] [blame]

39

/* Define a local translating function to save code size by not using too many

40

* arguments in each translating place. */

41

static int local_err_translation(psa_status_t status)

42

{

43

return psa_status_to_mbedtls(status, psa_to_ssl_errors,

Andrzej Kurek

1e4a030

2023-05-30 09:45:17 -0400

[diff] [blame]

44

ARRAY_LENGTH(psa_to_ssl_errors),

Andrzej Kurek

0064484

2023-05-30 05:45:00 -0400

[diff] [blame]

45

psa_generic_status_to_mbedtls);

46

}

47

#define PSA_TO_MBEDTLS_ERR(status) local_err_translation(status)

Andrzej Kurek

a6033ac

2023-05-30 15:16:34 -0400

[diff] [blame]

48

#endif

49

Jerry Yu

2021-08-24 15:59:48 +0800

[diff] [blame]

50

/* Write extensions */

51

Jerry Yu

2021-08-27 16:59:09 +0800

[diff] [blame]

52

/*

53

* ssl_tls13_write_supported_versions_ext():

54

*

55

* struct {

56

* ProtocolVersion versions<2..254>;

57

* } SupportedVersions;

58

*/

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

59

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

60

static int ssl_tls13_write_supported_versions_ext(mbedtls_ssl_context *ssl,

61

unsigned char *buf,

62

unsigned char *end,

63

size_t *out_len)

Jerry Yu

2021-08-27 16:59:09 +0800

[diff] [blame]

64

{

65

unsigned char *p = buf;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

66

unsigned char versions_len = (ssl->handshake->min_tls_version <=

67

MBEDTLS_SSL_VERSION_TLS1_2) ? 4 : 2;

Jerry Yu

2021-08-27 16:59:09 +0800

[diff] [blame]

68

Xiaofei Bai

d25fab6

2021-12-02 06:36:27 +0000

[diff] [blame]

69

*out_len = 0;

Jerry Yu

2021-08-27 16:59:09 +0800

[diff] [blame]

70

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

71

MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, adding supported versions extension"));

Jerry Yu

2021-08-27 16:59:09 +0800

[diff] [blame]

72

Jerry Yu

2021-09-15 18:41:02 +0800

[diff] [blame]

73

/* Check if we have space to write the extension:

Jerry Yu

2021-09-08 16:41:02 +0800

[diff] [blame]

74

* - extension_type (2 bytes)

75

* - extension_data_length (2 bytes)

76

* - versions_length (1 byte )

Ronald Cron

a77fc27

2022-03-30 17:20:47 +0200

[diff] [blame]

77

* - versions (2 or 4 bytes)

Jerry Yu

159c5a0

2021-08-31 12:51:25 +0800

[diff] [blame]

78

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

79

MBEDTLS_SSL_CHK_BUF_PTR(p, end, 5 + versions_len);

Ronald Cron

2022-02-10 14:35:27 +0100

[diff] [blame]

80

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

81

MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS, p, 0);

82

MBEDTLS_PUT_UINT16_BE(versions_len + 1, p, 2);

Jerry Yu

eecfbf0

2021-08-30 18:32:07 +0800

[diff] [blame]

83

p += 4;

Jerry Yu

2021-08-27 16:59:09 +0800

[diff] [blame]

84

Jerry Yu

1bc2c1f

2021-09-01 12:57:29 +0800

[diff] [blame]

85

/* Length of versions */

Ronald Cron

2022-02-10 14:35:27 +0100

[diff] [blame]

86

*p++ = versions_len;

Jerry Yu

2021-08-27 16:59:09 +0800

[diff] [blame]

87

Jerry Yu

0c63af6

2021-09-02 12:59:12 +0800

[diff] [blame]

88

/* Write values of supported versions.

Jerry Yu

0c63af6

2021-09-02 12:59:12 +0800

[diff] [blame]

89

* They are defined by the configuration.

Ronald Cron

2022-02-10 14:35:27 +0100

[diff] [blame]

90

* Currently, we advertise only TLS 1.3 or both TLS 1.3 and TLS 1.2.

Jerry Yu

2021-08-27 16:59:09 +0800

[diff] [blame]

91

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

92

mbedtls_ssl_write_version(p, MBEDTLS_SSL_TRANSPORT_STREAM,

93

MBEDTLS_SSL_VERSION_TLS1_3);

94

MBEDTLS_SSL_DEBUG_MSG(3, ("supported version: [3:4]"));

Jerry Yu

2021-08-27 16:59:09 +0800

[diff] [blame]

95

Jerry Yu

2021-08-27 16:59:09 +0800

[diff] [blame]

96

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

97

if (ssl->handshake->min_tls_version <= MBEDTLS_SSL_VERSION_TLS1_2) {

98

mbedtls_ssl_write_version(p + 2, MBEDTLS_SSL_TRANSPORT_STREAM,

99

MBEDTLS_SSL_VERSION_TLS1_2);

100

MBEDTLS_SSL_DEBUG_MSG(3, ("supported version: [3:3]"));

Ronald Cron

2022-02-10 14:35:27 +0100

[diff] [blame]

101

}

102

103

*out_len = 5 + versions_len;

Jerry Yu

2022-10-31 13:31:22 +0800

[diff] [blame]

104

Jerry Yu

2022-10-29 09:08:47 +0800

[diff] [blame]

105

mbedtls_ssl_tls13_set_hs_sent_ext_mask(

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

106

ssl, MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS);

Jerry Yu

2022-10-31 13:31:22 +0800

[diff] [blame]

107

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

108

return 0;

Jerry Yu

2021-08-27 16:59:09 +0800

[diff] [blame]

109

}

Jerry Yu

2021-08-24 15:59:48 +0800

[diff] [blame]

110

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

111

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

112

static int ssl_tls13_parse_supported_versions_ext(mbedtls_ssl_context *ssl,

113

const unsigned char *buf,

114

const unsigned char *end)

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

115

{

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

116

((void) ssl);

117

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

118

MBEDTLS_SSL_CHK_BUF_READ_PTR(buf, end, 2);

119

if (mbedtls_ssl_read_version(buf, ssl->conf->transport) !=

120

MBEDTLS_SSL_VERSION_TLS1_3) {

121

MBEDTLS_SSL_DEBUG_MSG(1, ("unexpected version"));

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

122

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

123

MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,

124

MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);

125

return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

126

}

127

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

128

if (&buf[2] != end) {

Xiaokang Qian

91bb3f0

2023-04-03 09:07:03 +0000

[diff] [blame]

129

MBEDTLS_SSL_DEBUG_MSG(

130

1, ("supported_versions ext data length incorrect"));

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

131

MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,

132

MBEDTLS_ERR_SSL_DECODE_ERROR);

133

return MBEDTLS_ERR_SSL_DECODE_ERROR;

Ronald Cron

9847338

2022-03-30 20:04:10 +0200

[diff] [blame]

134

}

135

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

136

return 0;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

137

}

138

lhuang04

2022-01-21 07:34:27 -0800

[diff] [blame]

139

#if defined(MBEDTLS_SSL_ALPN)

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

140

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

141

static int ssl_tls13_parse_alpn_ext(mbedtls_ssl_context *ssl,

142

const unsigned char *buf, size_t len)

lhuang04

2022-01-21 07:34:27 -0800

[diff] [blame]

143

{

lhuang04

2022-01-21 07:34:27 -0800

[diff] [blame]

144

const unsigned char *p = buf;

145

const unsigned char *end = buf + len;

Ronald Cron

81a334f

2022-05-31 16:04:11 +0200

[diff] [blame]

146

size_t protocol_name_list_len, protocol_name_len;

147

const unsigned char *protocol_name_list_end;

lhuang04

2022-01-21 07:34:27 -0800

[diff] [blame]

148

149

/* If we didn't send it, the server shouldn't send it */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

150

if (ssl->conf->alpn_list == NULL) {

151

return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;

152

}

lhuang04

2022-01-21 07:34:27 -0800

[diff] [blame]

153

154

/*

155

* opaque ProtocolName<1..2^8-1>;

156

*

157

* struct {

158

* ProtocolName protocol_name_list<2..2^16-1>

159

* } ProtocolNameList;

160

*

161

* the "ProtocolNameList" MUST contain exactly one "ProtocolName"

162

*/

163

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

164

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);

165

protocol_name_list_len = MBEDTLS_GET_UINT16_BE(p, 0);

lhuang04

2022-01-21 07:34:27 -0800

[diff] [blame]

166

p += 2;

lhuang04

2022-01-21 07:34:27 -0800

[diff] [blame]

167

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

168

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, protocol_name_list_len);

Ronald Cron

81a334f

2022-05-31 16:04:11 +0200

[diff] [blame]

169

protocol_name_list_end = p + protocol_name_list_len;

170

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

171

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, protocol_name_list_end, 1);

Ronald Cron

81a334f

2022-05-31 16:04:11 +0200

[diff] [blame]

172

protocol_name_len = *p++;

lhuang04

2022-01-21 07:34:27 -0800

[diff] [blame]

173

174

/* Check that the server chosen protocol was in our list and save it */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

175

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, protocol_name_list_end, protocol_name_len);

176

for (const char **alpn = ssl->conf->alpn_list; *alpn != NULL; alpn++) {

177

if (protocol_name_len == strlen(*alpn) &&

178

memcmp(p, *alpn, protocol_name_len) == 0) {

lhuang04

2022-01-21 07:34:27 -0800

[diff] [blame]

179

ssl->alpn_chosen = *alpn;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

180

return 0;

lhuang04

2022-01-21 07:34:27 -0800

[diff] [blame]

}

}

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

184

return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;

lhuang04

2022-01-21 07:34:27 -0800

[diff] [blame]

185

}

186

#endif /* MBEDTLS_SSL_ALPN */

187

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

188

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

189

static int ssl_tls13_reset_key_share(mbedtls_ssl_context *ssl)

XiaokangQian

2021-12-07 09:16:29 +0000

[diff] [blame]

190

{

191

uint16_t group_id = ssl->handshake->offered_group_id;

Ronald Cron

5b98ac9

2022-03-15 10:19:18 +0100

[diff] [blame]

192

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

193

if (group_id == 0) {

194

return MBEDTLS_ERR_SSL_INTERNAL_ERROR;

195

}

XiaokangQian

2021-12-07 09:16:29 +0000

[diff] [blame]

196

Valerio Setti

2023-07-25 11:23:50 +0200

[diff] [blame]

197

#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)

Przemek Stekiel

2023-05-18 15:45:53 +0200

[diff] [blame]

198

if (mbedtls_ssl_tls13_named_group_is_ecdhe(group_id) ||

Przemek Stekiel

2023-06-29 09:08:43 +0200

[diff] [blame]

199

mbedtls_ssl_tls13_named_group_is_ffdh(group_id)) {

Ronald Cron

5b98ac9

2022-03-15 10:19:18 +0100

[diff] [blame]

200

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

201

psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;

202

203

/* Destroy generated private key. */

Przemek Stekiel

7ac93be

2023-07-04 10:02:38 +0200

[diff] [blame]

204

status = psa_destroy_key(ssl->handshake->xxdh_psa_privkey);

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

205

if (status != PSA_SUCCESS) {

Andrzej Kurek

8a045ce

2022-12-23 11:00:06 -0500

[diff] [blame]

206

ret = PSA_TO_MBEDTLS_ERR(status);

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

207

MBEDTLS_SSL_DEBUG_RET(1, "psa_destroy_key", ret);

208

return ret;

Ronald Cron

5b98ac9

2022-03-15 10:19:18 +0100

[diff] [blame]

209

}

210

Przemek Stekiel

7ac93be

2023-07-04 10:02:38 +0200

[diff] [blame]

211

ssl->handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

212

return 0;

213

} else

Valerio Setti

2023-07-25 11:23:50 +0200

[diff] [blame]

214

#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

215

if (0 /* other KEMs? */) {

XiaokangQian

2021-12-07 09:16:29 +0000

[diff] [blame]

/* Do something */

}

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

219

return MBEDTLS_ERR_SSL_INTERNAL_ERROR;

XiaokangQian

2021-12-07 09:16:29 +0000

[diff] [blame]

220

}

221

222

/*

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

223

* Functions for writing key_share extension.

224

*/

Ronald Cron

2022-10-18 12:17:11 +0200

[diff] [blame]

225

#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

226

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

227

static int ssl_tls13_get_default_group_id(mbedtls_ssl_context *ssl,

228

uint16_t *group_id)

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

229

{

230

int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;

231

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

232

Przemek Stekiel

2023-05-18 15:45:53 +0200

[diff] [blame]

233

#if defined(PSA_WANT_ALG_ECDH) || defined(PSA_WANT_ALG_FFDH)

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

234

const uint16_t *group_list = mbedtls_ssl_get_groups(ssl);

Jerry Yu

2021-09-15 18:41:02 +0800

[diff] [blame]

235

/* Pick first available ECDHE group compatible with TLS 1.3 */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

236

if (group_list == NULL) {

237

return MBEDTLS_ERR_SSL_BAD_CONFIG;

238

}

Jerry Yu

2021-09-15 18:41:02 +0800

[diff] [blame]

239

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

240

for (; *group_list != 0; group_list++) {

Przemek Stekiel

a05e9c1

2023-06-15 16:58:51 +0200

[diff] [blame]

241

#if defined(PSA_WANT_ALG_ECDH)

Xiaokang Qian

2023-03-29 10:37:35 +0000

[diff] [blame]

242

if ((mbedtls_ssl_get_psa_curve_info_from_tls_id(

243

*group_list, NULL, NULL) == PSA_SUCCESS) &&

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

244

mbedtls_ssl_tls13_named_group_is_ecdhe(*group_list)) {

Brett Warren

14efd33

2021-10-06 09:32:11 +0100

[diff] [blame]

245

*group_id = *group_list;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

246

return 0;

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

247

}

Przemek Stekiel

a05e9c1

2023-06-15 16:58:51 +0200

[diff] [blame]

248

#endif

249

#if defined(PSA_WANT_ALG_FFDH)

Przemek Stekiel

2023-06-29 09:08:43 +0200

[diff] [blame]

250

if (mbedtls_ssl_tls13_named_group_is_ffdh(*group_list)) {

Przemek Stekiel

a05e9c1

2023-06-15 16:58:51 +0200

[diff] [blame]

251

*group_id = *group_list;

252

return 0;

253

}

254

#endif

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

255

}

256

#else

257

((void) ssl);

Jerry Yu

2021-09-08 16:41:02 +0800

[diff] [blame]

258

((void) group_id);

Przemek Stekiel

2023-05-18 15:45:53 +0200

[diff] [blame]

259

#endif /* PSA_WANT_ALG_ECDH || PSA_WANT_ALG_FFDH */

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

260

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

261

return ret;

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

}

/*

* ssl_tls13_write_key_share_ext

266

*

Jerry Yu

2021-09-15 18:41:02 +0800

[diff] [blame]

267

* Structure of key_share extension in ClientHello:

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

*

* struct {

* NamedGroup group;

* opaque key_exchange<1..2^16-1>;

272

* } KeyShareEntry;

273

* struct {

274

* KeyShareEntry client_shares<0..2^16-1>;

275

* } KeyShareClientHello;

276

*/

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

277

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

278

static int ssl_tls13_write_key_share_ext(mbedtls_ssl_context *ssl,

279

unsigned char *buf,

280

unsigned char *end,

281

size_t *out_len)

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

282

{

283

unsigned char *p = buf;

Xiaofei Bai

2021-11-18 07:29:56 +0000

[diff] [blame]

284

unsigned char *client_shares; /* Start of client_shares */

285

size_t client_shares_len; /* Length of client_shares */

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

286

uint16_t group_id;

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

287

int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;

288

Xiaofei Bai

d25fab6

2021-12-02 06:36:27 +0000

[diff] [blame]

289

*out_len = 0;

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

290

Jerry Yu

2021-09-08 16:41:02 +0800

[diff] [blame]

291

/* Check if we have space for header and length fields:

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

292

* - extension_type (2 bytes)

293

* - extension_data_length (2 bytes)

294

* - client_shares_length (2 bytes)

295

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

296

MBEDTLS_SSL_CHK_BUF_PTR(p, end, 6);

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

297

p += 6;

298

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

299

MBEDTLS_SSL_DEBUG_MSG(3, ("client hello: adding key share extension"));

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

300

301

/* HRR could already have requested something else. */

302

group_id = ssl->handshake->offered_group_id;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

303

if (!mbedtls_ssl_tls13_named_group_is_ecdhe(group_id) &&

Przemek Stekiel

2023-06-29 09:08:43 +0200

[diff] [blame]

304

!mbedtls_ssl_tls13_named_group_is_ffdh(group_id)) {

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

305

MBEDTLS_SSL_PROC_CHK(ssl_tls13_get_default_group_id(ssl,

306

&group_id));

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

}

/*

* Dispatch to type-specific key generation function.

311

*

312

* So far, we're only supporting ECDHE. With the introduction

313

* of PQC KEMs, we'll want to have multiple branches, one per

314

* type of KEM, and dispatch to the corresponding crypto. And

315

* only one key share entry is allowed.

316

*/

Xiaofei Bai

2021-11-18 07:29:56 +0000

[diff] [blame]

317

client_shares = p;

Przemek Stekiel

2023-05-18 15:45:53 +0200

[diff] [blame]

318

#if defined(PSA_WANT_ALG_ECDH) || defined(PSA_WANT_ALG_FFDH)

319

if (mbedtls_ssl_tls13_named_group_is_ecdhe(group_id) ||

Przemek Stekiel

2023-06-29 09:08:43 +0200

[diff] [blame]

320

mbedtls_ssl_tls13_named_group_is_ffdh(group_id)) {

Jerry Yu

2021-09-15 18:41:02 +0800

[diff] [blame]

321

/* Pointer to group */

Xiaofei Bai

2021-11-18 07:29:56 +0000

[diff] [blame]

322

unsigned char *group = p;

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

323

/* Length of key_exchange */

Przemyslaw Stekiel

4f419e5

2022-02-10 15:56:26 +0100

[diff] [blame]

324

size_t key_exchange_len = 0;

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

325

326

/* Check there is space for header of KeyShareEntry

327

* - group (2 bytes)

328

* - key_exchange_length (2 bytes)

329

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

330

MBEDTLS_SSL_CHK_BUF_PTR(p, end, 4);

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

331

p += 4;

Przemek Stekiel

408569f

2023-07-06 11:26:44 +0200

[diff] [blame]

332

ret = mbedtls_ssl_tls13_generate_and_write_xxdh_key_exchange(

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

333

ssl, group_id, p, end, &key_exchange_len);

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

334

p += key_exchange_len;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

335

if (ret != 0) {

336

return ret;

337

}

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

338

339

/* Write group */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

340

MBEDTLS_PUT_UINT16_BE(group_id, group, 0);

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

341

/* Write key_exchange_length */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

342

MBEDTLS_PUT_UINT16_BE(key_exchange_len, group, 2);

343

} else

Przemek Stekiel

2023-05-18 15:45:53 +0200

[diff] [blame]

344

#endif /* PSA_WANT_ALG_ECDH || PSA_WANT_ALG_FFDH */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

345

if (0 /* other KEMs? */) {

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

346

/* Do something */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

347

} else {

348

return MBEDTLS_ERR_SSL_INTERNAL_ERROR;

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

349

}

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

350

Jerry Yu

2021-09-08 16:41:02 +0800

[diff] [blame]

351

/* Length of client_shares */

Xiaofei Bai

2021-11-18 07:29:56 +0000

[diff] [blame]

352

client_shares_len = p - client_shares;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

353

if (client_shares_len == 0) {

354

MBEDTLS_SSL_DEBUG_MSG(1, ("No key share defined."));

355

return MBEDTLS_ERR_SSL_INTERNAL_ERROR;

Jerry Yu

7c522d4

2021-09-08 17:55:09 +0800

[diff] [blame]

356

}

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

357

/* Write extension_type */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

358

MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_KEY_SHARE, buf, 0);

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

359

/* Write extension_data_length */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

360

MBEDTLS_PUT_UINT16_BE(client_shares_len + 2, buf, 2);

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

361

/* Write client_shares_length */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

362

MBEDTLS_PUT_UINT16_BE(client_shares_len, buf, 4);

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

363

364

/* Update offered_group_id field */

365

ssl->handshake->offered_group_id = group_id;

366

367

/* Output the total length of key_share extension. */

Xiaofei Bai

d25fab6

2021-12-02 06:36:27 +0000

[diff] [blame]

368

*out_len = p - buf;

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

369

Xiaokang Qian

91bb3f0

2023-04-03 09:07:03 +0000

[diff] [blame]

370

MBEDTLS_SSL_DEBUG_BUF(

371

3, "client hello, key_share extension", buf, *out_len);

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

372

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

373

mbedtls_ssl_tls13_set_hs_sent_ext_mask(ssl, MBEDTLS_TLS_EXT_KEY_SHARE);

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

cleanup:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

377

return ret;

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

378

}

Ronald Cron

2022-10-18 12:17:11 +0200

[diff] [blame]

379

#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED */

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

380

XiaokangQian

2022-01-24 10:12:51 +0000

[diff] [blame]

381

/*

382

* ssl_tls13_parse_hrr_key_share_ext()

383

* Parse key_share extension in Hello Retry Request

384

*

385

* struct {

386

* NamedGroup selected_group;

387

* } KeyShareHelloRetryRequest;

388

*/

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

389

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

390

static int ssl_tls13_parse_hrr_key_share_ext(mbedtls_ssl_context *ssl,

391

const unsigned char *buf,

392

const unsigned char *end)

XiaokangQian

2022-01-14 04:03:11 +0000

[diff] [blame]

393

{

Przemek Stekiel

2023-06-12 11:21:18 +0200

[diff] [blame]

394

#if defined(PSA_WANT_ALG_ECDH) || defined(PSA_WANT_ALG_FFDH)

XiaokangQian

2022-01-14 04:03:11 +0000

[diff] [blame]

395

const unsigned char *p = buf;

XiaokangQian

2022-01-24 10:12:51 +0000

[diff] [blame]

396

int selected_group;

XiaokangQian

2022-01-14 04:03:11 +0000

[diff] [blame]

397

int found = 0;

398

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

399

const uint16_t *group_list = mbedtls_ssl_get_groups(ssl);

400

if (group_list == NULL) {

401

return MBEDTLS_ERR_SSL_BAD_CONFIG;

402

}

XiaokangQian

2022-01-14 04:03:11 +0000

[diff] [blame]

403

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

404

MBEDTLS_SSL_DEBUG_BUF(3, "key_share extension", p, end - buf);

XiaokangQian

2022-01-14 04:03:11 +0000

[diff] [blame]

405

406

/* Read selected_group */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

407

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);

408

selected_group = MBEDTLS_GET_UINT16_BE(p, 0);

409

MBEDTLS_SSL_DEBUG_MSG(3, ("selected_group ( %d )", selected_group));

XiaokangQian

2022-01-14 04:03:11 +0000

[diff] [blame]

410

411

/* Upon receipt of this extension in a HelloRetryRequest, the client

412

* MUST first verify that the selected_group field corresponds to a

413

* group which was provided in the "supported_groups" extension in the

414

* original ClientHello.

415

* The supported_group was based on the info in ssl->conf->group_list.

416

*

417

* If the server provided a key share that was not sent in the ClientHello

418

* then the client MUST abort the handshake with an "illegal_parameter" alert.

419

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

420

for (; *group_list != 0; group_list++) {

Przemek Stekiel

2023-06-12 11:21:18 +0200

[diff] [blame]

421

#if defined(PSA_WANT_ALG_ECDH)

Przemek Stekiel

2023-05-18 15:45:53 +0200

[diff] [blame]

422

if (mbedtls_ssl_tls13_named_group_is_ecdhe(*group_list)) {

423

if ((mbedtls_ssl_get_psa_curve_info_from_tls_id(

424

*group_list, NULL, NULL) == PSA_ERROR_NOT_SUPPORTED) ||

425

*group_list != selected_group) {

426

found = 1;

427

break;

428

}

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

429

}

Przemek Stekiel

2023-06-12 11:21:18 +0200

[diff] [blame]

430

#endif /* PSA_WANT_ALG_ECDH */

431

#if defined(PSA_WANT_ALG_FFDH)

Przemek Stekiel

2023-06-29 09:08:43 +0200

[diff] [blame]

432

if (mbedtls_ssl_tls13_named_group_is_ffdh(*group_list)) {

Przemek Stekiel

2023-05-18 15:45:53 +0200

[diff] [blame]

433

found = 1;

434

break;

435

}

Przemek Stekiel

2023-06-12 11:21:18 +0200

[diff] [blame]

436

#endif /* PSA_WANT_ALG_FFDH */

XiaokangQian

2022-01-14 04:03:11 +0000

[diff] [blame]

437

}

438

439

/* Client MUST verify that the selected_group field does not

440

* correspond to a group which was provided in the "key_share"

441

* extension in the original ClientHello. If the server sent an

442

* HRR message with a key share already provided in the

443

* ClientHello then the client MUST abort the handshake with

444

* an "illegal_parameter" alert.

445

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

446

if (found == 0 || selected_group == ssl->handshake->offered_group_id) {

447

MBEDTLS_SSL_DEBUG_MSG(1, ("Invalid key share in HRR"));

XiaokangQian

2022-01-14 04:03:11 +0000

[diff] [blame]

448

MBEDTLS_SSL_PEND_FATAL_ALERT(

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

449

MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,

450

MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);

451

return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;

XiaokangQian

2022-01-14 04:03:11 +0000

[diff] [blame]

452

}

453

454

/* Remember server's preference for next ClientHello */

XiaokangQian

2022-01-24 10:12:51 +0000

[diff] [blame]

455

ssl->handshake->offered_group_id = selected_group;

XiaokangQian

2022-01-14 04:03:11 +0000

[diff] [blame]

456

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

457

return 0;

Przemek Stekiel

2023-06-12 11:21:18 +0200

[diff] [blame]

458

#else /* PSA_WANT_ALG_ECDH || PSA_WANT_ALG_FFDH */

Andrzej Kurek

c19fb08

2022-10-03 10:52:24 -0400

[diff] [blame]

459

(void) ssl;

460

(void) buf;

461

(void) end;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

462

return MBEDTLS_ERR_SSL_BAD_CONFIG;

Przemek Stekiel

2023-06-12 11:21:18 +0200

[diff] [blame]

463

#endif /* PSA_WANT_ALG_ECDH || PSA_WANT_ALG_FFDH */

XiaokangQian

2022-01-14 04:03:11 +0000

[diff] [blame]

464

}

465

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

466

/*

Jerry Yu

2021-10-13 13:36:05 +0800

[diff] [blame]

467

* ssl_tls13_parse_key_share_ext()

468

* Parse key_share extension in Server Hello

469

*

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

470

* struct {

471

* KeyShareEntry server_share;

472

* } KeyShareServerHello;

473

* struct {

474

* NamedGroup group;

475

* opaque key_exchange<1..2^16-1>;

476

* } KeyShareEntry;

477

*/

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

478

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

479

static int ssl_tls13_parse_key_share_ext(mbedtls_ssl_context *ssl,

480

const unsigned char *buf,

481

const unsigned char *end)

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

482

{

Jerry Yu

2021-10-13 13:36:05 +0800

[diff] [blame]

483

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

484

const unsigned char *p = buf;

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

485

uint16_t group, offered_group;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

486

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

487

/* ...

488

* NamedGroup group; (2 bytes)

489

* ...

490

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

491

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);

492

group = MBEDTLS_GET_UINT16_BE(p, 0);

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

493

p += 2;

494

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

495

/* Check that the chosen group matches the one we offered. */

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

496

offered_group = ssl->handshake->offered_group_id;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

497

if (offered_group != group) {

Xiaokang Qian

2023-03-29 10:37:35 +0000

[diff] [blame]

498

MBEDTLS_SSL_DEBUG_MSG(

499

1, ("Invalid server key share, our group %u, their group %u",

500

(unsigned) offered_group, (unsigned) group));

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

501

MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,

502

MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE);

503

return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

504

}

505

Valerio Setti

2023-07-25 11:23:50 +0200

[diff] [blame]

506

#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)

Przemek Stekiel

2023-05-18 15:45:53 +0200

[diff] [blame]

507

if (mbedtls_ssl_tls13_named_group_is_ecdhe(group) ||

Przemek Stekiel

2023-06-29 09:08:43 +0200

[diff] [blame]

508

mbedtls_ssl_tls13_named_group_is_ffdh(group)) {

Przemek Stekiel

2023-06-12 11:21:18 +0200

[diff] [blame]

509

MBEDTLS_SSL_DEBUG_MSG(2,

510

("DHE group name: %s", mbedtls_ssl_named_group_to_str(group)));

Przemek Stekiel

7ac93be

2023-07-04 10:02:38 +0200

[diff] [blame]

511

ret = mbedtls_ssl_tls13_read_public_xxdhe_share(ssl, p, end - p);

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

if (ret != 0) {

return ret;

}

} else

Valerio Setti

2023-07-25 11:23:50 +0200

[diff] [blame]

516

#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

517

if (0 /* other KEMs? */) {

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

518

/* Do something */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

519

} else {

520

return MBEDTLS_ERR_SSL_INTERNAL_ERROR;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

521

}

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

522

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

523

return ret;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

524

}

525

XiaokangQian

2022-01-24 10:12:51 +0000

[diff] [blame]

526

/*

527

* ssl_tls13_parse_cookie_ext()

528

* Parse cookie extension in Hello Retry Request

529

*

530

* struct {

531

* opaque cookie<1..2^16-1>;

532

* } Cookie;

533

*

534

* When sending a HelloRetryRequest, the server MAY provide a "cookie"

535

* extension to the client (this is an exception to the usual rule that

536

* the only extensions that may be sent are those that appear in the

537

* ClientHello). When sending the new ClientHello, the client MUST copy

538

* the contents of the extension received in the HelloRetryRequest into

539

* a "cookie" extension in the new ClientHello. Clients MUST NOT use

540

* cookies in their initial ClientHello in subsequent connections.

541

*/

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

542

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

543

static int ssl_tls13_parse_cookie_ext(mbedtls_ssl_context *ssl,

544

const unsigned char *buf,

545

const unsigned char *end)

XiaokangQian

2022-01-21 04:32:58 +0000

[diff] [blame]

546

{

XiaokangQian

25c9c90

2022-02-08 10:49:53 +0000

[diff] [blame]

547

uint16_t cookie_len;

XiaokangQian

2022-01-21 04:32:58 +0000

[diff] [blame]

548

const unsigned char *p = buf;

549

mbedtls_ssl_handshake_params *handshake = ssl->handshake;

550

551

/* Retrieve length field of cookie */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

552

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);

553

cookie_len = MBEDTLS_GET_UINT16_BE(p, 0);

XiaokangQian

2022-01-21 04:32:58 +0000

[diff] [blame]

554

p += 2;

555

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

556

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, cookie_len);

557

MBEDTLS_SSL_DEBUG_BUF(3, "cookie extension", p, cookie_len);

XiaokangQian

2022-01-21 04:32:58 +0000

[diff] [blame]

558

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

559

mbedtls_free(handshake->cookie);

Jerry Yu

ac5ca5a

2022-03-04 12:50:46 +0800

[diff] [blame]

560

handshake->cookie_len = 0;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

561

handshake->cookie = mbedtls_calloc(1, cookie_len);

562

if (handshake->cookie == NULL) {

563

MBEDTLS_SSL_DEBUG_MSG(1,

564

("alloc failed ( %ud bytes )",

565

cookie_len));

566

return MBEDTLS_ERR_SSL_ALLOC_FAILED;

XiaokangQian

2022-01-21 04:32:58 +0000

[diff] [blame]

567

}

568

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

569

memcpy(handshake->cookie, p, cookie_len);

Jerry Yu

ac5ca5a

2022-03-04 12:50:46 +0800

[diff] [blame]

570

handshake->cookie_len = cookie_len;

XiaokangQian

2022-01-21 04:32:58 +0000

[diff] [blame]

571

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

572

return 0;

XiaokangQian

2022-01-21 04:32:58 +0000

[diff] [blame]

573

}

XiaokangQian

2022-01-21 04:32:58 +0000

[diff] [blame]

574

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

575

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

576

static int ssl_tls13_write_cookie_ext(mbedtls_ssl_context *ssl,

577

unsigned char *buf,

578

unsigned char *end,

579

size_t *out_len)

XiaokangQian

2022-01-27 10:36:51 +0000

[diff] [blame]

580

{

581

unsigned char *p = buf;

XiaokangQian

9deb90f

2022-02-08 10:31:07 +0000

[diff] [blame]

582

*out_len = 0;

XiaokangQian

c02768a

2022-02-10 07:31:25 +0000

[diff] [blame]

583

mbedtls_ssl_handshake_params *handshake = ssl->handshake;

XiaokangQian

2022-01-27 10:36:51 +0000

[diff] [blame]

584

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

585

if (handshake->cookie == NULL) {

586

MBEDTLS_SSL_DEBUG_MSG(3, ("no cookie to send; skip extension"));

587

return 0;

XiaokangQian

2022-01-27 10:36:51 +0000

[diff] [blame]

588

}

589

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

590

MBEDTLS_SSL_DEBUG_BUF(3, "client hello, cookie",

591

handshake->cookie,

592

handshake->cookie_len);

XiaokangQian

2022-01-27 10:36:51 +0000

[diff] [blame]

593

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

594

MBEDTLS_SSL_CHK_BUF_PTR(p, end, handshake->cookie_len + 6);

XiaokangQian

2022-01-27 10:36:51 +0000

[diff] [blame]

595

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

596

MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, adding cookie extension"));

XiaokangQian

2022-01-27 10:36:51 +0000

[diff] [blame]

597

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

598

MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_COOKIE, p, 0);

599

MBEDTLS_PUT_UINT16_BE(handshake->cookie_len + 2, p, 2);

600

MBEDTLS_PUT_UINT16_BE(handshake->cookie_len, p, 4);

XiaokangQian

233397e

2022-02-07 08:32:16 +0000

[diff] [blame]

601

p += 6;

XiaokangQian

2022-01-27 10:36:51 +0000

[diff] [blame]

602

603

/* Cookie */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

604

memcpy(p, handshake->cookie, handshake->cookie_len);

XiaokangQian

2022-01-27 10:36:51 +0000

[diff] [blame]

605

Jerry Yu

ac5ca5a

2022-03-04 12:50:46 +0800

[diff] [blame]

606

*out_len = handshake->cookie_len + 6;

XiaokangQian

2022-01-27 10:36:51 +0000

[diff] [blame]

607

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

608

mbedtls_ssl_tls13_set_hs_sent_ext_mask(ssl, MBEDTLS_TLS_EXT_COOKIE);

Jerry Yu

2022-10-31 13:31:22 +0800

[diff] [blame]

609

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

610

return 0;

XiaokangQian

2022-01-27 10:36:51 +0000

[diff] [blame]

611

}

612

Ronald Cron

2022-10-04 16:38:25 +0200

[diff] [blame]

613

#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

614

/*

615

* ssl_tls13_write_psk_key_exchange_modes_ext() structure:

616

*

617

* enum { psk_ke( 0 ), psk_dhe_ke( 1 ), ( 255 ) } PskKeyExchangeMode;

618

*

619

* struct {

620

* PskKeyExchangeMode ke_modes<1..255>;

621

* } PskKeyExchangeModes;

622

*/

XiaokangQian

8698195

2022-07-19 09:51:50 +0000

[diff] [blame]

623

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

624

static int ssl_tls13_write_psk_key_exchange_modes_ext(mbedtls_ssl_context *ssl,

625

unsigned char *buf,

626

unsigned char *end,

627

size_t *out_len)

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

628

{

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

629

unsigned char *p = buf;

XiaokangQian

2022-07-14 07:54:01 +0000

[diff] [blame]

630

int ke_modes_len = 0;

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

631

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

632

((void) ke_modes_len);

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

633

*out_len = 0;

XiaokangQian

2022-07-14 07:54:01 +0000

[diff] [blame]

634

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

635

/* Skip writing extension if no PSK key exchange mode

XiaokangQian

7c12d31

2022-07-20 07:25:43 +0000

[diff] [blame]

636

* is enabled in the config.

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

637

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

638

if (!mbedtls_ssl_conf_tls13_some_psk_enabled(ssl)) {

639

MBEDTLS_SSL_DEBUG_MSG(3, ("skip psk_key_exchange_modes extension"));

640

return 0;

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

641

}

642

643

/* Require 7 bytes of data, otherwise fail,

644

* even if extension might be shorter.

645

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

646

MBEDTLS_SSL_CHK_BUF_PTR(p, end, 7);

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

647

MBEDTLS_SSL_DEBUG_MSG(

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

648

3, ("client hello, adding psk_key_exchange_modes extension"));

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

649

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

650

MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES, p, 0);

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

651

XiaokangQian

2022-07-14 07:54:01 +0000

[diff] [blame]

652

/* Skip extension length (2 bytes) and

653

* ke_modes length (1 byte) for now.

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

*/

p += 5;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

657

if (mbedtls_ssl_conf_tls13_psk_ephemeral_enabled(ssl)) {

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

658

*p++ = MBEDTLS_SSL_TLS1_3_PSK_MODE_ECDHE;

XiaokangQian

2022-07-14 07:54:01 +0000

[diff] [blame]

659

ke_modes_len++;

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

660

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

661

MBEDTLS_SSL_DEBUG_MSG(4, ("Adding PSK-ECDHE key exchange mode"));

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

662

}

663

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

664

if (mbedtls_ssl_conf_tls13_psk_enabled(ssl)) {

Ronald Cron

a709a0f

2022-09-27 16:46:11 +0200

[diff] [blame]

665

*p++ = MBEDTLS_SSL_TLS1_3_PSK_MODE_PURE;

666

ke_modes_len++;

667

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

668

MBEDTLS_SSL_DEBUG_MSG(4, ("Adding pure PSK key exchange mode"));

Ronald Cron

a709a0f

2022-09-27 16:46:11 +0200

[diff] [blame]

669

}

670

XiaokangQian

2022-07-14 07:54:01 +0000

[diff] [blame]

671

/* Now write the extension and ke_modes length */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

672

MBEDTLS_PUT_UINT16_BE(ke_modes_len + 1, buf, 2);

XiaokangQian

2022-07-14 07:54:01 +0000

[diff] [blame]

673

buf[4] = ke_modes_len;

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

674

675

*out_len = p - buf;

Jerry Yu

2022-08-29 15:25:36 +0800

[diff] [blame]

676

Jerry Yu

2022-10-29 09:08:47 +0800

[diff] [blame]

677

mbedtls_ssl_tls13_set_hs_sent_ext_mask(

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

678

ssl, MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES);

Jerry Yu

2022-10-31 13:31:22 +0800

[diff] [blame]

679

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

680

return 0;

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

681

}

Jerry Yu

db8c5fa

2022-08-03 12:10:13 +0800

[diff] [blame]

682

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

683

static psa_algorithm_t ssl_tls13_get_ciphersuite_hash_alg(int ciphersuite)

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

684

{

Jerry Yu

21f9095

2022-10-08 10:30:53 +0800

[diff] [blame]

685

const mbedtls_ssl_ciphersuite_t *ciphersuite_info = NULL;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

686

ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(ciphersuite);

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

687

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

688

if (ciphersuite_info != NULL) {

Dave Rodgman

2eab462

2023-10-05 13:30:37 +0100

[diff] [blame]

689

return mbedtls_md_psa_alg_from_type((mbedtls_md_type_t) ciphersuite_info->mac);

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

690

}

Jerry Yu

2022-10-08 11:17:14 +0800

[diff] [blame]

691

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

692

return PSA_ALG_NONE;

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

693

}

694

Jerry Yu

2022-09-30 10:30:31 +0800

[diff] [blame]

695

#if defined(MBEDTLS_SSL_SESSION_TICKETS)

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

696

static int ssl_tls13_has_configured_ticket(mbedtls_ssl_context *ssl)

Xiaokang Qian

b781a23

2022-11-01 07:39:46 +0000

[diff] [blame]

697

{

698

mbedtls_ssl_session *session = ssl->session_negotiate;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

699

return ssl->handshake->resume &&

Pengyu Lv

9356678

2022-12-07 12:10:05 +0800

[diff] [blame]

700

session != NULL && session->ticket != NULL &&

Pengyu Lv

9b84ea7

2023-01-16 14:08:23 +0800

[diff] [blame]

701

mbedtls_ssl_conf_tls13_check_kex_modes(

702

ssl, mbedtls_ssl_session_get_ticket_flags(

703

session, MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL));

Xiaokang Qian

b781a23

2022-11-01 07:39:46 +0000

[diff] [blame]

704

}

705

Xiaokang Qian

01323a4

2022-11-03 02:27:35 +0000

[diff] [blame]

706

#if defined(MBEDTLS_SSL_EARLY_DATA)

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

707

static int ssl_tls13_early_data_has_valid_ticket(mbedtls_ssl_context *ssl)

Xiaokang Qian

01323a4

2022-11-03 02:27:35 +0000

[diff] [blame]

708

{

709

mbedtls_ssl_session *session = ssl->session_negotiate;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

710

return ssl->handshake->resume &&

711

session->tls_version == MBEDTLS_SSL_VERSION_TLS1_3 &&

712

(session->ticket_flags &

713

MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_EARLY_DATA) &&

714

mbedtls_ssl_tls13_cipher_suite_is_offered(

715

ssl, session->ciphersuite);

Xiaokang Qian

01323a4

2022-11-03 02:27:35 +0000

[diff] [blame]

}

#endif

Xiaokang Qian

2022-11-01 07:39:46 +0000

[diff] [blame]

719

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

720

static int ssl_tls13_ticket_get_identity(mbedtls_ssl_context *ssl,

721

psa_algorithm_t *hash_alg,

722

const unsigned char **identity,

723

size_t *identity_len)

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

724

{

725

mbedtls_ssl_session *session = ssl->session_negotiate;

Jerry Yu

2022-09-30 10:00:20 +0800

[diff] [blame]

726

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

727

if (!ssl_tls13_has_configured_ticket(ssl)) {

728

return -1;

729

}

Jerry Yu

2022-09-30 10:00:20 +0800

[diff] [blame]

730

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

731

*hash_alg = ssl_tls13_get_ciphersuite_hash_alg(session->ciphersuite);

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

732

*identity = session->ticket;

733

*identity_len = session->ticket_len;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

734

return 0;

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

735

}

736

Jerry Yu

2022-09-28 22:11:02 +0800

[diff] [blame]

737

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

738

static int ssl_tls13_ticket_get_psk(mbedtls_ssl_context *ssl,

739

psa_algorithm_t *hash_alg,

740

const unsigned char **psk,

741

size_t *psk_len)

Jerry Yu

2022-09-28 22:11:02 +0800

[diff] [blame]

742

{

743

744

mbedtls_ssl_session *session = ssl->session_negotiate;

745

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

746

if (!ssl_tls13_has_configured_ticket(ssl)) {

747

return -1;

748

}

Jerry Yu

2022-09-30 10:00:20 +0800

[diff] [blame]

749

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

750

*hash_alg = ssl_tls13_get_ciphersuite_hash_alg(session->ciphersuite);

Jerry Yu

2022-09-28 22:11:02 +0800

[diff] [blame]

751

*psk = session->resumption_key;

752

*psk_len = session->resumption_key_len;

753

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

754

return 0;

Jerry Yu

2022-09-28 22:11:02 +0800

[diff] [blame]

755

}

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

756

#endif /* MBEDTLS_SSL_SESSION_TICKETS */

757

758

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

759

static int ssl_tls13_psk_get_identity(mbedtls_ssl_context *ssl,

760

psa_algorithm_t *hash_alg,

761

const unsigned char **identity,

762

size_t *identity_len)

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

763

{

Jerry Yu

2022-09-30 10:00:20 +0800

[diff] [blame]

764

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

765

if (!mbedtls_ssl_conf_has_static_psk(ssl->conf)) {

766

return -1;

767

}

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

768

Jerry Yu

2022-10-08 11:17:14 +0800

[diff] [blame]

769

*hash_alg = PSA_ALG_SHA_256;

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

770

*identity = ssl->conf->psk_identity;

771

*identity_len = ssl->conf->psk_identity_len;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

772

return 0;

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

773

}

774

Jerry Yu

2022-09-28 22:11:02 +0800

[diff] [blame]

775

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

776

static int ssl_tls13_psk_get_psk(mbedtls_ssl_context *ssl,

777

psa_algorithm_t *hash_alg,

778

const unsigned char **psk,

779

size_t *psk_len)

Jerry Yu

2022-09-28 22:11:02 +0800

[diff] [blame]

780

{

Jerry Yu

2022-09-30 10:00:20 +0800

[diff] [blame]

781

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

782

if (!mbedtls_ssl_conf_has_static_psk(ssl->conf)) {

783

return -1;

784

}

Jerry Yu

2022-09-30 10:00:20 +0800

[diff] [blame]

785

Jerry Yu

2022-10-08 11:17:14 +0800

[diff] [blame]

786

*hash_alg = PSA_ALG_SHA_256;

Jerry Yu

2022-09-28 22:11:02 +0800

[diff] [blame]

787

*psk = ssl->conf->psk;

788

*psk_len = ssl->conf->psk_len;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

789

return 0;

Jerry Yu

2022-09-28 22:11:02 +0800

[diff] [blame]

790

}

791

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

792

static int ssl_tls13_get_configured_psk_count(mbedtls_ssl_context *ssl)

Jerry Yu

2022-09-30 10:30:31 +0800

[diff] [blame]

793

{

794

int configured_psk_count = 0;

795

#if defined(MBEDTLS_SSL_SESSION_TICKETS)

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

796

if (ssl_tls13_has_configured_ticket(ssl)) {

797

MBEDTLS_SSL_DEBUG_MSG(3, ("Ticket is configured"));

Jerry Yu

2022-09-30 10:30:31 +0800

[diff] [blame]

798

configured_psk_count++;

799

}

800

#endif

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

801

if (mbedtls_ssl_conf_has_static_psk(ssl->conf)) {

802

MBEDTLS_SSL_DEBUG_MSG(3, ("PSK is configured"));

Jerry Yu

2022-09-30 10:30:31 +0800

[diff] [blame]

803

configured_psk_count++;

804

}

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

805

return configured_psk_count;

Jerry Yu

2022-09-30 10:30:31 +0800

[diff] [blame]

806

}

807

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

808

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

809

static int ssl_tls13_write_identity(mbedtls_ssl_context *ssl,

810

unsigned char *buf,

811

unsigned char *end,

812

const unsigned char *identity,

813

size_t identity_len,

814

uint32_t obfuscated_ticket_age,

815

size_t *out_len)

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

816

{

Jerry Yu

2022-09-30 10:30:31 +0800

[diff] [blame]

817

((void) ssl);

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

818

*out_len = 0;

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

819

820

/*

821

* - identity_len (2 bytes)

822

* - identity (psk_identity_len bytes)

823

* - obfuscated_ticket_age (4 bytes)

824

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

825

MBEDTLS_SSL_CHK_BUF_PTR(buf, end, 6 + identity_len);

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

826

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

827

MBEDTLS_PUT_UINT16_BE(identity_len, buf, 0);

828

memcpy(buf + 2, identity, identity_len);

829

MBEDTLS_PUT_UINT32_BE(obfuscated_ticket_age, buf, 2 + identity_len);

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

830

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

831

MBEDTLS_SSL_DEBUG_BUF(4, "write identity", buf, 6 + identity_len);

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

832

833

*out_len = 6 + identity_len;

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

834

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

835

return 0;

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

836

}

837

Jerry Yu

2022-09-30 10:00:20 +0800

[diff] [blame]

838

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

839

static int ssl_tls13_write_binder(mbedtls_ssl_context *ssl,

unsigned char *buf,

unsigned char *end,

int psk_type,

psa_algorithm_t hash_alg,

844

const unsigned char *psk,

845

size_t psk_len,

846

size_t *out_len)

Jerry Yu

2022-09-30 10:00:20 +0800

[diff] [blame]

847

{

848

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

Jerry Yu

2022-09-30 10:00:20 +0800

[diff] [blame]

849

unsigned char binder_len;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

850

unsigned char transcript[MBEDTLS_TLS1_3_MD_MAX_SIZE];

Jerry Yu

2022-09-30 10:00:20 +0800

[diff] [blame]

851

size_t transcript_len = 0;

*out_len = 0;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

855

binder_len = PSA_HASH_LENGTH(hash_alg);

Jerry Yu

2022-09-30 10:00:20 +0800

[diff] [blame]

856

857

/*

858

* - binder_len (1 bytes)

859

* - binder (binder_len bytes)

860

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

861

MBEDTLS_SSL_CHK_BUF_PTR(buf, end, 1 + binder_len);

Jerry Yu

2022-09-30 10:00:20 +0800

[diff] [blame]

862

Jerry Yu

2022-10-08 11:17:14 +0800

[diff] [blame]

863

buf[0] = binder_len;

Jerry Yu

2022-09-30 10:00:20 +0800

[diff] [blame]

864

865

/* Get current state of handshake transcript. */

866

ret = mbedtls_ssl_get_handshake_transcript(

Manuel Pégourié-Gonnard

2d6d993

2023-03-28 11:38:08 +0200

[diff] [blame]

867

ssl, mbedtls_md_type_from_psa_alg(hash_alg),

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

868

transcript, sizeof(transcript), &transcript_len);

869

if (ret != 0) {

870

return ret;

Jerry Yu

2022-09-30 10:00:20 +0800

[diff] [blame]

871

}

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

872

873

ret = mbedtls_ssl_tls13_create_psk_binder(ssl, hash_alg,

874

psk, psk_len, psk_type,

875

transcript, buf + 1);

876

if (ret != 0) {

877

MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_tls13_create_psk_binder", ret);

878

return ret;

879

}

880

MBEDTLS_SSL_DEBUG_BUF(4, "write binder", buf, 1 + binder_len);

Jerry Yu

2022-09-30 10:00:20 +0800

[diff] [blame]

881

882

*out_len = 1 + binder_len;

883

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

884

return 0;

Jerry Yu

2022-09-30 10:00:20 +0800

[diff] [blame]

}

/*

* mbedtls_ssl_tls13_write_identities_of_pre_shared_key_ext() structure:

889

*

890

* struct {

891

* opaque identity<1..2^16-1>;

892

* uint32 obfuscated_ticket_age;

893

* } PskIdentity;

894

*

895

* opaque PskBinderEntry<32..255>;

896

*

897

* struct {

898

* PskIdentity identities<7..2^16-1>;

899

* PskBinderEntry binders<33..2^16-1>;

* } OfferedPsks;

*

* struct {

* select (Handshake.msg_type) {

904

* case client_hello: OfferedPsks;

905

* ...

906

* };

907

* } PreSharedKeyExtension;

908

*

909

*/

XiaokangQian

3ad67bf

2022-07-21 02:26:21 +0000

[diff] [blame]

910

int mbedtls_ssl_tls13_write_identities_of_pre_shared_key_ext(

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

911

mbedtls_ssl_context *ssl, unsigned char *buf, unsigned char *end,

912

size_t *out_len, size_t *binders_len)

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

913

{

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

914

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

Jerry Yu

2022-09-30 10:30:31 +0800

[diff] [blame]

915

int configured_psk_count = 0;

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

916

unsigned char *p = buf;

Xiaokang Qian

854db28

2022-12-19 07:31:27 +0000

[diff] [blame]

917

psa_algorithm_t hash_alg = PSA_ALG_NONE;

Jerry Yu

2022-09-30 10:30:31 +0800

[diff] [blame]

918

const unsigned char *identity;

919

size_t identity_len;

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

920

size_t l_binders_len = 0;

Jerry Yu

2022-09-30 10:30:31 +0800

[diff] [blame]

921

size_t output_len;

Xiaokang Qian

7179f81

2023-02-03 03:38:44 +0000

[diff] [blame]

922

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

*out_len = 0;

*binders_len = 0;

/* Check if we have any PSKs to offer. If no, skip pre_shared_key */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

927

configured_psk_count = ssl_tls13_get_configured_psk_count(ssl);

928

if (configured_psk_count == 0) {

929

MBEDTLS_SSL_DEBUG_MSG(3, ("skip pre_shared_key extensions"));

930

return 0;

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

931

}

932

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

933

MBEDTLS_SSL_DEBUG_MSG(4, ("Pre-configured PSK number = %d",

934

configured_psk_count));

Jerry Yu

2022-09-30 10:30:31 +0800

[diff] [blame]

935

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

936

/* Check if we have space to write the extension, binders included.

937

* - extension_type (2 bytes)

938

* - extension_data_len (2 bytes)

939

* - identities_len (2 bytes)

940

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

941

MBEDTLS_SSL_CHK_BUF_PTR(p, end, 6);

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

942

p += 6;

943

Jerry Yu

2022-09-30 10:30:31 +0800

[diff] [blame]

944

#if defined(MBEDTLS_SSL_SESSION_TICKETS)

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

945

if (ssl_tls13_ticket_get_identity(

946

ssl, &hash_alg, &identity, &identity_len) == 0) {

Jerry Yu

2022-09-30 10:30:31 +0800

[diff] [blame]

947

#if defined(MBEDTLS_HAVE_TIME)

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

948

mbedtls_time_t now = mbedtls_time(NULL);

Jerry Yu

2022-09-30 10:30:31 +0800

[diff] [blame]

949

mbedtls_ssl_session *session = ssl->session_negotiate;

Jerry Yu

6916e70

2022-10-10 21:33:51 +0800

[diff] [blame]

950

uint32_t obfuscated_ticket_age =

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

951

(uint32_t) (now - session->ticket_received);

Jerry Yu

2022-10-08 11:17:14 +0800

[diff] [blame]

952

Jerry Yu

3e60cad

2023-01-10 14:58:08 +0800

[diff] [blame]

953

/*

954

* The ticket timestamp is in seconds but the ticket age is in

955

* milliseconds. If the ticket was received at the end of a second and

956

* re-used here just at the beginning of the next second, the computed

957

* age `now - session->ticket_received` is equal to 1s thus 1000 ms

958

* while the actual age could be just a few milliseconds or tens of

959

* milliseconds. If the server has more accurate ticket timestamps

960

* (typically timestamps in milliseconds), as part of the processing of

961

* the ClientHello, it may compute a ticket lifetime smaller than the

962

* one computed here and potentially reject the ticket. To avoid that,

963

* remove one second to the ticket age if possible.

Jerry Yu

bdb936b

2023-01-07 16:07:46 +0800

[diff] [blame]

964

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

965

if (obfuscated_ticket_age > 0) {

Jerry Yu

bdb936b

2023-01-07 16:07:46 +0800

[diff] [blame]

966

obfuscated_ticket_age -= 1;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

967

}

Jerry Yu

bdb936b

2023-01-07 16:07:46 +0800

[diff] [blame]

968

Jerry Yu

2022-09-30 10:30:31 +0800

[diff] [blame]

969

obfuscated_ticket_age *= 1000;

970

obfuscated_ticket_age += session->ticket_age_add;

Jerry Yu

2022-10-08 11:17:14 +0800

[diff] [blame]

971

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

972

ret = ssl_tls13_write_identity(ssl, p, end,

973

identity, identity_len,

974

obfuscated_ticket_age,

975

&output_len);

Jerry Yu

2022-10-08 11:17:14 +0800

[diff] [blame]

976

#else

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

977

ret = ssl_tls13_write_identity(ssl, p, end, identity, identity_len,

978

0, &output_len);

Jerry Yu

2022-10-08 11:17:14 +0800

[diff] [blame]

979

#endif /* MBEDTLS_HAVE_TIME */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

980

if (ret != 0) {

981

return ret;

982

}

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

983

Jerry Yu

2022-09-30 10:30:31 +0800

[diff] [blame]

984

p += output_len;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

985

l_binders_len += 1 + PSA_HASH_LENGTH(hash_alg);

Jerry Yu

2022-09-30 10:30:31 +0800

[diff] [blame]

986

}

987

#endif /* MBEDTLS_SSL_SESSION_TICKETS */

988

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

989

if (ssl_tls13_psk_get_identity(

990

ssl, &hash_alg, &identity, &identity_len) == 0) {

Jerry Yu

2022-09-30 10:30:31 +0800

[diff] [blame]

991

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

992

ret = ssl_tls13_write_identity(ssl, p, end, identity, identity_len, 0,

&output_len);

if (ret != 0) {

return ret;

}

Jerry Yu

2022-09-30 10:30:31 +0800

[diff] [blame]

997

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

998

p += output_len;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

999

l_binders_len += 1 + PSA_HASH_LENGTH(hash_alg);

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

1000

}

1001

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1002

MBEDTLS_SSL_DEBUG_MSG(3,

1003

("client hello, adding pre_shared_key extension, "

1004

"omitting PSK binder list"));

Jerry Yu

2022-10-08 11:17:14 +0800

[diff] [blame]

1005

1006

/* Take into account the two bytes for the length of the binders. */

1007

l_binders_len += 2;

Jerry Yu

6916e70

2022-10-10 21:33:51 +0800

[diff] [blame]

1008

/* Check if there is enough space for binders */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1009

MBEDTLS_SSL_CHK_BUF_PTR(p, end, l_binders_len);

Jerry Yu

2022-10-08 11:17:14 +0800

[diff] [blame]

1010

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

1011

/*

1012

* - extension_type (2 bytes)

1013

* - extension_data_len (2 bytes)

1014

* - identities_len (2 bytes)

1015

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1016

MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_PRE_SHARED_KEY, buf, 0);

1017

MBEDTLS_PUT_UINT16_BE(p - buf - 4 + l_binders_len, buf, 2);

1018

MBEDTLS_PUT_UINT16_BE(p - buf - 6, buf, 4);

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

1019

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1020

*out_len = (p - buf) + l_binders_len;

Jerry Yu

2022-10-08 11:17:14 +0800

[diff] [blame]

1021

*binders_len = l_binders_len;

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

1022

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1023

MBEDTLS_SSL_DEBUG_BUF(3, "pre_shared_key identities", buf, p - buf);

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

1024

Jerry Yu

06b364f

2023-10-18 11:22:50 +0800

[diff] [blame^]

1025

mbedtls_ssl_tls13_set_hs_sent_ext_mask(ssl, MBEDTLS_TLS_EXT_PRE_SHARED_KEY);

1026

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1027

return 0;

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

1028

}

1029

XiaokangQian

8698195

2022-07-19 09:51:50 +0000

[diff] [blame]

1030

int mbedtls_ssl_tls13_write_binders_of_pre_shared_key_ext(

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1031

mbedtls_ssl_context *ssl, unsigned char *buf, unsigned char *end)

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

1032

{

Jerry Yu

2022-09-28 22:11:02 +0800

[diff] [blame]

1033

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

1034

unsigned char *p = buf;

Jerry Yu

2022-09-30 11:08:57 +0800

[diff] [blame]

1035

psa_algorithm_t hash_alg = PSA_ALG_NONE;

1036

const unsigned char *psk;

1037

size_t psk_len;

1038

size_t output_len;

Jerry Yu

2022-09-28 22:11:02 +0800

[diff] [blame]

1039

1040

/* Check if we have space to write binders_len.

1041

* - binders_len (2 bytes)

1042

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1043

MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2);

Jerry Yu

2022-09-28 22:11:02 +0800

[diff] [blame]

1044

p += 2;

1045

Jerry Yu

2022-09-30 11:08:57 +0800

[diff] [blame]

1046

#if defined(MBEDTLS_SSL_SESSION_TICKETS)

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1047

if (ssl_tls13_ticket_get_psk(ssl, &hash_alg, &psk, &psk_len) == 0) {

Jerry Yu

2022-09-30 11:08:57 +0800

[diff] [blame]

1048

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1049

ret = ssl_tls13_write_binder(ssl, p, end,

1050

MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION,

1051

hash_alg, psk, psk_len,

&output_len);

if (ret != 0) {

return ret;

}

Jerry Yu

2022-09-28 22:11:02 +0800

[diff] [blame]

1056

p += output_len;

1057

}

Jerry Yu

2022-09-30 11:08:57 +0800

[diff] [blame]

1058

#endif /* MBEDTLS_SSL_SESSION_TICKETS */

Jerry Yu

2022-09-28 22:11:02 +0800

[diff] [blame]

1059

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1060

if (ssl_tls13_psk_get_psk(ssl, &hash_alg, &psk, &psk_len) == 0) {

Jerry Yu

2022-09-30 11:08:57 +0800

[diff] [blame]

1061

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1062

ret = ssl_tls13_write_binder(ssl, p, end,

1063

MBEDTLS_SSL_TLS1_3_PSK_EXTERNAL,

1064

hash_alg, psk, psk_len,

&output_len);

if (ret != 0) {

return ret;

}

Jerry Yu

2022-09-28 22:11:02 +0800

[diff] [blame]

p += output_len;

}

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1072

MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, adding PSK binder list."));

Jerry Yu

2022-09-28 22:11:02 +0800

[diff] [blame]

1073

1074

/*

1075

* - binders_len (2 bytes)

1076

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1077

MBEDTLS_PUT_UINT16_BE(p - buf - 2, buf, 0);

Jerry Yu

2022-09-28 22:11:02 +0800

[diff] [blame]

1078

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1079

MBEDTLS_SSL_DEBUG_BUF(3, "pre_shared_key binders", buf, p - buf);

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

1080

Jerry Yu

2022-10-29 09:08:47 +0800

[diff] [blame]

1081

mbedtls_ssl_tls13_set_hs_sent_ext_mask(

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1082

ssl, MBEDTLS_TLS_EXT_PRE_SHARED_KEY);

Jerry Yu

2022-08-29 15:25:36 +0800

[diff] [blame]

1083

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1084

return 0;

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

1085

}

Jerry Yu

0c6105b

2022-08-12 17:26:40 +0800

[diff] [blame]

/*

* struct {

* opaque identity<1..2^16-1>;

1090

* uint32 obfuscated_ticket_age;

1091

* } PskIdentity;

1092

*

1093

* opaque PskBinderEntry<32..255>;

*

* struct {

*

* select (Handshake.msg_type) {

1098

* ...

1099

* case server_hello: uint16 selected_identity;

1100

* };

1101

*

1102

* } PreSharedKeyExtension;

1103

*

1104

*/

1105

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1106

static int ssl_tls13_parse_server_pre_shared_key_ext(mbedtls_ssl_context *ssl,

1107

const unsigned char *buf,

1108

const unsigned char *end)

Jerry Yu

0c6105b

2022-08-12 17:26:40 +0800

[diff] [blame]

1109

{

Jerry Yu

2022-10-08 11:17:14 +0800

[diff] [blame]

1110

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

Jerry Yu

2022-09-28 22:12:07 +0800

[diff] [blame]

1111

int selected_identity;

Jerry Yu

2022-09-28 22:12:07 +0800

[diff] [blame]

1112

const unsigned char *psk;

1113

size_t psk_len;

Jerry Yu

2022-10-08 11:17:14 +0800

[diff] [blame]

1114

psa_algorithm_t hash_alg;

Jerry Yu

2022-09-28 22:12:07 +0800

[diff] [blame]

1115

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1116

MBEDTLS_SSL_CHK_BUF_READ_PTR(buf, end, 2);

1117

selected_identity = MBEDTLS_GET_UINT16_BE(buf, 0);

Xiaokang Qian

2a67493

2023-01-04 03:15:09 +0000

[diff] [blame]

1118

ssl->handshake->selected_identity = (uint16_t) selected_identity;

Jerry Yu

2022-10-08 11:17:14 +0800

[diff] [blame]

1119

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1120

MBEDTLS_SSL_DEBUG_MSG(3, ("selected_identity = %d", selected_identity));

Jerry Yu

2022-10-08 11:17:14 +0800

[diff] [blame]

1121

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1122

if (selected_identity >= ssl_tls13_get_configured_psk_count(ssl)) {

1123

MBEDTLS_SSL_DEBUG_MSG(1, ("Invalid PSK identity."));

Jerry Yu

4a69834

2022-09-30 12:22:01 +0800

[diff] [blame]

1124

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1125

MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,

1126

MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);

1127

return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;

Jerry Yu

2022-09-28 22:12:07 +0800

[diff] [blame]

1128

}

Jerry Yu

2022-10-08 11:17:14 +0800

[diff] [blame]

1129

Jerry Yu

4a69834

2022-09-30 12:22:01 +0800

[diff] [blame]

1130

#if defined(MBEDTLS_SSL_SESSION_TICKETS)

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1131

if (selected_identity == 0 && ssl_tls13_has_configured_ticket(ssl)) {

1132

ret = ssl_tls13_ticket_get_psk(ssl, &hash_alg, &psk, &psk_len);

1133

} else

Jerry Yu

4a69834

2022-09-30 12:22:01 +0800

[diff] [blame]

1134

#endif

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1135

if (mbedtls_ssl_conf_has_static_psk(ssl->conf)) {

1136

ret = ssl_tls13_psk_get_psk(ssl, &hash_alg, &psk, &psk_len);

1137

} else {

1138

MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));

1139

return MBEDTLS_ERR_SSL_INTERNAL_ERROR;

Jerry Yu

2022-09-28 22:12:07 +0800

[diff] [blame]

1140

}

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1141

if (ret != 0) {

1142

return ret;

Jerry Yu

2022-09-28 22:12:07 +0800

[diff] [blame]

1143

}

Jerry Yu

2022-09-28 22:12:07 +0800

[diff] [blame]

1144

Dave Rodgman

2eab462

2023-10-05 13:30:37 +0100

[diff] [blame]

1145

if (mbedtls_md_psa_alg_from_type((mbedtls_md_type_t) ssl->handshake->ciphersuite_info->mac)

Xiaokang Qian

eb31cbc

2023-02-07 02:08:56 +0000

[diff] [blame]

1146

!= hash_alg) {

1147

MBEDTLS_SSL_DEBUG_MSG(

1148

1, ("Invalid ciphersuite for external psk."));

1149

1150

MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,

1151

MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);

1152

return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;

1153

}

1154

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1155

ret = mbedtls_ssl_set_hs_psk(ssl, psk, psk_len);

1156

if (ret != 0) {

1157

MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_set_hs_psk", ret);

return ret;

}

return 0;

Jerry Yu

0c6105b

2022-08-12 17:26:40 +0800

[diff] [blame]

1162

}

Ronald Cron

2022-10-04 16:38:25 +0200

[diff] [blame]

1163

#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

1164

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1165

int mbedtls_ssl_tls13_write_client_hello_exts(mbedtls_ssl_context *ssl,

1166

unsigned char *buf,

1167

unsigned char *end,

1168

size_t *out_len)

Ronald Cron

2022-02-18 12:06:07 +0100

[diff] [blame]

1169

{

1170

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

1171

unsigned char *p = buf;

size_t ext_len;

*out_len = 0;

/* Write supported_versions extension

1177

*

1178

* Supported Versions Extension is mandatory with TLS 1.3.

1179

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1180

ret = ssl_tls13_write_supported_versions_ext(ssl, p, end, &ext_len);

1181

if (ret != 0) {

1182

return ret;

1183

}

Ronald Cron

2022-02-18 12:06:07 +0100

[diff] [blame]

1184

p += ext_len;

1185

1186

/* Echo the cookie if the server provided one in its preceding

1187

* HelloRetryRequest message.

1188

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1189

ret = ssl_tls13_write_cookie_ext(ssl, p, end, &ext_len);

1190

if (ret != 0) {

1191

return ret;

1192

}

Ronald Cron

2022-02-18 12:06:07 +0100

[diff] [blame]

1193

p += ext_len;

1194

Ronald Cron

2022-10-18 12:17:11 +0200

[diff] [blame]

1195

#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1196

if (mbedtls_ssl_conf_tls13_some_ephemeral_enabled(ssl)) {

1197

ret = ssl_tls13_write_key_share_ext(ssl, p, end, &ext_len);

1198

if (ret != 0) {

1199

return ret;

1200

}

Ronald Cron

2022-02-18 12:06:07 +0100

[diff] [blame]

1201

p += ext_len;

1202

}

Ronald Cron

2022-10-18 12:17:11 +0200

[diff] [blame]

1203

#endif

Ronald Cron

2022-02-18 12:06:07 +0100

[diff] [blame]

1204

Xiaokang Qian

0e97d4d

2022-10-24 11:12:51 +0000

[diff] [blame]

1205

#if defined(MBEDTLS_SSL_EARLY_DATA)

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1206

if (mbedtls_ssl_conf_tls13_some_psk_enabled(ssl) &&

1207

ssl_tls13_early_data_has_valid_ticket(ssl) &&

1208

ssl->conf->early_data_enabled == MBEDTLS_SSL_EARLY_DATA_ENABLED) {

1209

ret = mbedtls_ssl_tls13_write_early_data_ext(ssl, p, end, &ext_len);

1210

if (ret != 0) {

1211

return ret;

1212

}

Xiaokang Qian

0e97d4d

2022-10-24 11:12:51 +0000

[diff] [blame]

1213

p += ext_len;

1214

Ronald Cron

4a8c9e2

2022-10-26 18:49:09 +0200

[diff] [blame]

1215

/* Initializes the status to `rejected`. It will be updated to

1216

* `accepted` if the EncryptedExtension message contain an early data

1217

* indication extension.

Xiaokang Qian

a042b84

2022-11-09 01:59:33 +0000

[diff] [blame]

1218

*/

Ronald Cron

4a8c9e2

2022-10-26 18:49:09 +0200

[diff] [blame]

1219

ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1220

} else {

1221

MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write early_data extension"));

Xiaokang Qian

2022-11-08 07:02:27 +0000

[diff] [blame]

1222

ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT;

Xiaokang Qian

0e97d4d

2022-10-24 11:12:51 +0000

[diff] [blame]

1223

}

1224

#endif /* MBEDTLS_SSL_EARLY_DATA */

1225

Ronald Cron

2022-10-04 16:38:25 +0200

[diff] [blame]

1226

#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

1227

/* For PSK-based key exchange we need the pre_shared_key extension

1228

* and the psk_key_exchange_modes extension.

1229

*

1230

* The pre_shared_key extension MUST be the last extension in the

1231

* ClientHello. Servers MUST check that it is the last extension and

1232

* otherwise fail the handshake with an "illegal_parameter" alert.

1233

*

1234

* Add the psk_key_exchange_modes extension.

1235

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1236

ret = ssl_tls13_write_psk_key_exchange_modes_ext(ssl, p, end, &ext_len);

1237

if (ret != 0) {

1238

return ret;

1239

}

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

1240

p += ext_len;

Ronald Cron

2022-10-04 16:38:25 +0200

[diff] [blame]

1241

#endif

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

1242

Ronald Cron

2022-02-18 12:06:07 +0100

[diff] [blame]

1243

*out_len = p - buf;

1244

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1245

return 0;

Ronald Cron

2022-02-18 12:06:07 +0100

[diff] [blame]

1246

}

1247

Xiaokang Qian

934ce6f

2023-02-06 10:23:04 +0000

[diff] [blame]

1248

int mbedtls_ssl_tls13_finalize_client_hello(mbedtls_ssl_context *ssl)

Xiaokang Qian

2023-01-03 10:29:41 +0000

[diff] [blame]

1249

{

Xiaokang Qian

9074613

2023-01-06 05:54:59 +0000

[diff] [blame]

1250

((void) ssl);

Xiaokang Qian

79f7752

2023-01-28 10:35:29 +0000

[diff] [blame]

1251

Xiaokang Qian

2023-01-03 10:29:41 +0000

[diff] [blame]

1252

#if defined(MBEDTLS_SSL_EARLY_DATA)

1253

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

1254

psa_algorithm_t hash_alg = PSA_ALG_NONE;

1255

const unsigned char *psk;

1256

size_t psk_len;

1257

const mbedtls_ssl_ciphersuite_t *ciphersuite_info;

Xiaokang Qian

2023-01-04 10:47:05 +0000

[diff] [blame]

1258

Xiaokang Qian

2023-01-03 10:29:41 +0000

[diff] [blame]

1259

if (ssl->early_data_status == MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED) {

Xiaokang Qian

6be8290

2023-02-03 06:04:43 +0000

[diff] [blame]

1260

#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)

1261

mbedtls_ssl_handshake_set_state(

1262

ssl, MBEDTLS_SSL_CLIENT_CCS_AFTER_CLIENT_HELLO);

1263

#endif

Xiaokang Qian

2023-01-03 10:29:41 +0000

[diff] [blame]

1264

MBEDTLS_SSL_DEBUG_MSG(

1265

1, ("Set hs psk for early data when writing the first psk"));

1266

1267

ret = ssl_tls13_ticket_get_psk(ssl, &hash_alg, &psk, &psk_len);

1268

if (ret != 0) {

1269

MBEDTLS_SSL_DEBUG_RET(

1270

1, "ssl_tls13_ticket_get_psk", ret);

return ret;

}

ret = mbedtls_ssl_set_hs_psk(ssl, psk, psk_len);

1275

if (ret != 0) {

1276

MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_set_hs_psk", ret);

return ret;

}

Xiaokang Qian

2023-02-07 02:32:23 +0000

[diff] [blame]

1280

/*

1281

* Early data are going to be encrypted using the ciphersuite

1282

* associated with the pre-shared key used for the handshake.

1283

* Note that if the server rejects early data, the handshake

1284

* based on the pre-shared key may complete successfully

1285

* with a selected ciphersuite different from the ciphersuite

1286

* associated with the pre-shared key. Only the hashes of the

1287

* two ciphersuites have to be the same. In that case, the

1288

* encrypted handshake data and application data are

1289

* encrypted using a different ciphersuite than the one used for

1290

* the rejected early data.

1291

*/

Xiaokang Qian

2023-01-03 10:29:41 +0000

[diff] [blame]

1292

ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(

1293

ssl->session_negotiate->ciphersuite);

1294

ssl->handshake->ciphersuite_info = ciphersuite_info;

Xiaokang Qian

8dc4ce7

2023-02-07 10:49:50 +0000

[diff] [blame]

1295

Tom Cosgrove

5c8505f

2023-03-07 11:39:52 +0000

[diff] [blame]

1296

/* Enable psk and psk_ephemeral to make stage early happy */

Xiaokang Qian

2023-01-03 10:29:41 +0000

[diff] [blame]

1297

ssl->handshake->key_exchange_mode =

1298

MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL;

1299

1300

/* Start the TLS 1.3 key schedule:

Xiaokang Qian

8dc4ce7

2023-02-07 10:49:50 +0000

[diff] [blame]

1301

* Set the PSK and derive early secret.

Xiaokang Qian

2023-01-03 10:29:41 +0000

[diff] [blame]

1302

*/

1303

ret = mbedtls_ssl_tls13_key_schedule_stage_early(ssl);

1304

if (ret != 0) {

Xiaokang Qian

2023-02-08 06:04:50 +0000

[diff] [blame]

1305

MBEDTLS_SSL_DEBUG_RET(

1306

1, "mbedtls_ssl_tls13_key_schedule_stage_early", ret);

Xiaokang Qian

2023-01-03 10:29:41 +0000

[diff] [blame]

return ret;

}

/* Derive early data key material */

1311

ret = mbedtls_ssl_tls13_compute_early_transform(ssl);

1312

if (ret != 0) {

Xiaokang Qian

2023-02-08 06:04:50 +0000

[diff] [blame]

1313

MBEDTLS_SSL_DEBUG_RET(

1314

1, "mbedtls_ssl_tls13_compute_early_transform", ret);

Xiaokang Qian

2023-01-03 10:29:41 +0000

[diff] [blame]

return ret;

}

Xiaokang Qian

2023-01-03 10:29:41 +0000

[diff] [blame]

1318

}

1319

#endif /* MBEDTLS_SSL_EARLY_DATA */

1320

return 0;

1321

}

Jerry Yu

1bc2c1f

2021-09-01 12:57:29 +0800

[diff] [blame]

1322

/*

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1323

* Functions for parsing and processing Server Hello

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1324

*/

Ronald Cron

2022-04-05 11:04:20 +0200

[diff] [blame]

1325

Ronald Cron

da41b38

2022-03-30 09:57:11 +0200

[diff] [blame]

1326

/**

1327

* \brief Detect if the ServerHello contains a supported_versions extension

1328

* or not.

1329

*

1330

* \param[in] ssl SSL context

1331

* \param[in] buf Buffer containing the ServerHello message

1332

* \param[in] end End of the buffer containing the ServerHello message

1333

*

1334

* \return 0 if the ServerHello does not contain a supported_versions extension

1335

* \return 1 if the ServerHello contains a supported_versions extension

1336

* \return A negative value if an error occurred while parsing the ServerHello.

1337

*/

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

1338

MBEDTLS_CHECK_RETURN_CRITICAL

Ronald Cron

2022-02-10 16:45:15 +0100

[diff] [blame]

1339

static int ssl_tls13_is_supported_versions_ext_present(

1340

mbedtls_ssl_context *ssl,

1341

const unsigned char *buf,

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1342

const unsigned char *end)

Ronald Cron

2022-02-10 16:45:15 +0100

[diff] [blame]

1343

{

1344

const unsigned char *p = buf;

1345

size_t legacy_session_id_echo_len;

Ronald Cron

eff5673

2023-04-03 17:36:31 +0200

[diff] [blame]

1346

const unsigned char *supported_versions_data;

1347

const unsigned char *supported_versions_data_end;

Ronald Cron

2022-02-10 16:45:15 +0100

[diff] [blame]

1348

1349

/*

1350

* Check there is enough data to access the legacy_session_id_echo vector

Ronald Cron

da41b38

2022-03-30 09:57:11 +0200

[diff] [blame]

1351

* length:

1352

* - legacy_version 2 bytes

1353

* - random MBEDTLS_SERVER_HELLO_RANDOM_LEN bytes

1354

* - legacy_session_id_echo length 1 byte

Ronald Cron

2022-02-10 16:45:15 +0100

[diff] [blame]

1355

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1356

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, MBEDTLS_SERVER_HELLO_RANDOM_LEN + 3);

Ronald Cron

2022-02-10 16:45:15 +0100

[diff] [blame]

1357

p += MBEDTLS_SERVER_HELLO_RANDOM_LEN + 2;

1358

legacy_session_id_echo_len = *p;

1359

1360

/*

1361

* Jump to the extensions, jumping over:

1362

* - legacy_session_id_echo (legacy_session_id_echo_len + 1) bytes

1363

* - cipher_suite 2 bytes

1364

* - legacy_compression_method 1 byte

1365

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1366

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, legacy_session_id_echo_len + 4);

1367

p += legacy_session_id_echo_len + 4;

Ronald Cron

2022-02-10 16:45:15 +0100

[diff] [blame]

1368

Ronald Cron

47dce63

2023-02-08 17:38:29 +0100

[diff] [blame]

1369

return mbedtls_ssl_tls13_is_supported_versions_ext_present_in_exts(

1370

ssl, p, end,

Ronald Cron

eff5673

2023-04-03 17:36:31 +0200

[diff] [blame]

1371

&supported_versions_data, &supported_versions_data_end);

Ronald Cron

2022-02-10 16:45:15 +0100

[diff] [blame]

1372

}

1373

Jerry Yu

7a186a0

2021-10-15 18:46:14 +0800

[diff] [blame]

1374

/* Returns a negative value on failure, and otherwise

Ronald Cron

2022-04-05 11:04:20 +0200

[diff] [blame]

1375

* - 1 if the last eight bytes of the ServerHello random bytes indicate that

1376

* the server is TLS 1.3 capable but negotiating TLS 1.2 or below.

1377

* - 0 otherwise

1378

*/

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

1379

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1380

static int ssl_tls13_is_downgrade_negotiation(mbedtls_ssl_context *ssl,

1381

const unsigned char *buf,

1382

const unsigned char *end)

Ronald Cron

2022-04-05 11:04:20 +0200

[diff] [blame]

1383

{

1384

/* First seven bytes of the magic downgrade strings, see RFC 8446 4.1.3 */

1385

static const unsigned char magic_downgrade_string[] =

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1386

{ 0x44, 0x4F, 0x57, 0x4E, 0x47, 0x52, 0x44 };

Ronald Cron

2022-04-05 11:04:20 +0200

[diff] [blame]

1387

const unsigned char *last_eight_bytes_of_random;

1388

unsigned char last_byte_of_random;

1389

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1390

MBEDTLS_SSL_CHK_BUF_READ_PTR(buf, end, MBEDTLS_SERVER_HELLO_RANDOM_LEN + 2);

Ronald Cron

2022-04-05 11:04:20 +0200

[diff] [blame]

1391

last_eight_bytes_of_random = buf + 2 + MBEDTLS_SERVER_HELLO_RANDOM_LEN - 8;

1392

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1393

if (memcmp(last_eight_bytes_of_random,

1394

magic_downgrade_string,

1395

sizeof(magic_downgrade_string)) == 0) {

Ronald Cron

2022-04-05 11:04:20 +0200

[diff] [blame]

1396

last_byte_of_random = last_eight_bytes_of_random[7];

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1397

return last_byte_of_random == 0 ||

1398

last_byte_of_random == 1;

Ronald Cron

2022-04-05 11:04:20 +0200

[diff] [blame]

1399

}

1400

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1401

return 0;

Ronald Cron

2022-04-05 11:04:20 +0200

[diff] [blame]

1402

}

1403

1404

/* Returns a negative value on failure, and otherwise

Ronald Cron

2022-05-31 12:04:31 +0200

[diff] [blame]

1405

* - SSL_SERVER_HELLO or

1406

* - SSL_SERVER_HELLO_HRR

XiaokangQian

51eff22

2021-12-10 10:33:56 +0000

[diff] [blame]

1407

* to indicate which message is expected and to be parsed next.

1408

*/

Ronald Cron

2022-05-31 12:04:31 +0200

[diff] [blame]

1409

#define SSL_SERVER_HELLO 0

1410

#define SSL_SERVER_HELLO_HRR 1

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

1411

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1412

static int ssl_server_hello_is_hrr(mbedtls_ssl_context *ssl,

1413

const unsigned char *buf,

1414

const unsigned char *end)

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1415

{

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1416

1417

/* Check whether this message is a HelloRetryRequest ( HRR ) message.

1418

*

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1419

* Server Hello and HRR are only distinguished by Random set to the

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1420

* special value of the SHA-256 of "HelloRetryRequest".

1421

*

1422

* struct {

1423

* ProtocolVersion legacy_version = 0x0303;

1424

* Random random;

1425

* opaque legacy_session_id_echo<0..32>;

1426

* CipherSuite cipher_suite;

1427

* uint8 legacy_compression_method = 0;

Jerry Yu

2021-10-13 13:36:05 +0800

[diff] [blame]

1428

* Extension extensions<6..2^16-1>;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1429

* } ServerHello;

1430

*

1431

*/

Xiaokang Qian

2023-03-29 10:37:35 +0000

[diff] [blame]

1432

MBEDTLS_SSL_CHK_BUF_READ_PTR(

1433

buf, end, 2 + sizeof(mbedtls_ssl_tls13_hello_retry_request_magic));

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1434

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1435

if (memcmp(buf + 2, mbedtls_ssl_tls13_hello_retry_request_magic,

1436

sizeof(mbedtls_ssl_tls13_hello_retry_request_magic)) == 0) {

1437

return SSL_SERVER_HELLO_HRR;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1438

}

1439

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1440

return SSL_SERVER_HELLO;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1441

}

1442

Ronald Cron

2022-05-31 12:04:31 +0200

[diff] [blame]

1443

/*

Jerry Yu

2021-10-13 22:01:04 +0800

[diff] [blame]

1444

* Returns a negative value on failure, and otherwise

Ronald Cron

2022-05-31 12:04:31 +0200

[diff] [blame]

1445

* - SSL_SERVER_HELLO or

1446

* - SSL_SERVER_HELLO_HRR or

1447

* - SSL_SERVER_HELLO_TLS1_2

Jerry Yu

2021-10-13 22:01:04 +0800

[diff] [blame]

1448

*/

Ronald Cron

2022-05-31 12:04:31 +0200

[diff] [blame]

1449

#define SSL_SERVER_HELLO_TLS1_2 2

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

1450

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1451

static int ssl_tls13_preprocess_server_hello(mbedtls_ssl_context *ssl,

1452

const unsigned char *buf,

1453

const unsigned char *end)

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1454

{

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1455

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

Ronald Cron

5afb904

2022-05-31 12:11:39 +0200

[diff] [blame]

1456

mbedtls_ssl_handshake_params *handshake = ssl->handshake;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1457

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1458

MBEDTLS_SSL_PROC_CHK_NEG(ssl_tls13_is_supported_versions_ext_present(

1459

ssl, buf, end));

Jerry Yu

a66fece

2022-07-13 14:30:29 +0800

[diff] [blame]

1460

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1461

if (ret == 0) {

Ronald Cron

2022-04-05 11:04:20 +0200

[diff] [blame]

1462

MBEDTLS_SSL_PROC_CHK_NEG(

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1463

ssl_tls13_is_downgrade_negotiation(ssl, buf, end));

Ronald Cron

2022-04-05 11:04:20 +0200

[diff] [blame]

1464

1465

/* If the server is negotiating TLS 1.2 or below and:

1466

* . we did not propose TLS 1.2 or

1467

* . the server responded it is TLS 1.3 capable but negotiating a lower

1468

* version of the protocol and thus we are under downgrade attack

1469

* abort the handshake with an "illegal parameter" alert.

Ronald Cron

2022-02-10 16:45:15 +0100

[diff] [blame]

1470

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1471

if (handshake->min_tls_version > MBEDTLS_SSL_VERSION_TLS1_2 || ret) {

1472

MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,

1473

MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);

1474

return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;

Ronald Cron

2022-02-10 16:45:15 +0100

[diff] [blame]

1475

}

1476

Ronald Cron

b828c7d

2023-04-03 16:37:22 +0200

[diff] [blame]

1477

/*

1478

* Version 1.2 of the protocol has been negotiated, set the

1479

* ssl->keep_current_message flag for the ServerHello to be kept and

1480

* parsed as a TLS 1.2 ServerHello. We also change ssl->tls_version to

1481

* MBEDTLS_SSL_VERSION_TLS1_2 thus from now on mbedtls_ssl_handshake_step()

1482

* will dispatch to the TLS 1.2 state machine.

1483

*/

Ronald Cron

2022-02-10 16:45:15 +0100

[diff] [blame]

1484

ssl->keep_current_message = 1;

Glenn Strauss

60bfe60

2022-03-14 19:04:24 -0400

[diff] [blame]

1485

ssl->tls_version = MBEDTLS_SSL_VERSION_TLS1_2;

Xiaokang Qian

2023-03-29 10:37:35 +0000

[diff] [blame]

1486

MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(

1487

ssl, MBEDTLS_SSL_HS_SERVER_HELLO,

1488

buf, (size_t) (end - buf)));

Ronald Cron

2022-02-10 16:45:15 +0100

[diff] [blame]

1489

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1490

if (mbedtls_ssl_conf_tls13_some_ephemeral_enabled(ssl)) {

1491

ret = ssl_tls13_reset_key_share(ssl);

1492

if (ret != 0) {

1493

return ret;

1494

}

Ronald Cron

2022-02-10 16:45:15 +0100

[diff] [blame]

1495

}

1496

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1497

return SSL_SERVER_HELLO_TLS1_2;

Ronald Cron

2022-02-10 16:45:15 +0100

[diff] [blame]

1498

}

1499

Jerry Yu

a66fece

2022-07-13 14:30:29 +0800

[diff] [blame]

1500

#if defined(MBEDTLS_SSL_SESSION_TICKETS)

1501

ssl->session_negotiate->endpoint = ssl->conf->endpoint;

1502

ssl->session_negotiate->tls_version = ssl->tls_version;

1503

#endif /* MBEDTLS_SSL_SESSION_TICKETS */

1504

Jerry Yu

50e00e3

2022-10-31 14:45:01 +0800

[diff] [blame]

1505

handshake->received_extensions = MBEDTLS_SSL_EXT_MASK_NONE;

Ronald Cron

5afb904

2022-05-31 12:11:39 +0200

[diff] [blame]

1506

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1507

ret = ssl_server_hello_is_hrr(ssl, buf, end);

1508

switch (ret) {

Ronald Cron

2022-05-31 12:04:31 +0200

[diff] [blame]

1509

case SSL_SERVER_HELLO:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1510

MBEDTLS_SSL_DEBUG_MSG(2, ("received ServerHello message"));

Jerry Yu

2021-10-13 22:01:04 +0800

[diff] [blame]

1511

break;

Ronald Cron

2022-05-31 12:04:31 +0200

[diff] [blame]

1512

case SSL_SERVER_HELLO_HRR:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1513

MBEDTLS_SSL_DEBUG_MSG(2, ("received HelloRetryRequest message"));

Xiaokang Qian

2023-03-29 10:37:35 +0000

[diff] [blame]

1514

/* If a client receives a second HelloRetryRequest in the same

1515

* connection (i.e., where the ClientHello was itself in response

1516

* to a HelloRetryRequest), it MUST abort the handshake with an

1517

* "unexpected_message" alert.

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1518

*/

1519

if (handshake->hello_retry_request_count > 0) {

1520

MBEDTLS_SSL_DEBUG_MSG(1, ("Multiple HRRs received"));

Xiaokang Qian

2023-03-29 10:37:35 +0000

[diff] [blame]

1521

MBEDTLS_SSL_PEND_FATAL_ALERT(

1522

MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE,

1523

MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE);

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1524

return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;

XiaokangQian

2022-01-14 07:35:47 +0000

[diff] [blame]

1525

}

XiaokangQian

2b01dc3

2022-01-21 02:53:13 +0000

[diff] [blame]

1526

/*

1527

* Clients must abort the handshake with an "illegal_parameter"

1528

* alert if the HelloRetryRequest would not result in any change

1529

* in the ClientHello.

1530

* In a PSK only key exchange that what we expect.

1531

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1532

if (!mbedtls_ssl_conf_tls13_some_ephemeral_enabled(ssl)) {

1533

MBEDTLS_SSL_DEBUG_MSG(1,

1534

("Unexpected HRR in pure PSK key exchange."));

XiaokangQian

2b01dc3

2022-01-21 02:53:13 +0000

[diff] [blame]

1535

MBEDTLS_SSL_PEND_FATAL_ALERT(

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1536

MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,

1537

MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);

1538

return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;

XiaokangQian

2b01dc3

2022-01-21 02:53:13 +0000

[diff] [blame]

1539

}

XiaokangQian

2022-01-14 07:35:47 +0000

[diff] [blame]

1540

Ronald Cron

5afb904

2022-05-31 12:11:39 +0200

[diff] [blame]

1541

handshake->hello_retry_request_count++;

XiaokangQian

2022-01-14 07:35:47 +0000

[diff] [blame]

1542

Jerry Yu

2021-10-13 22:01:04 +0800

[diff] [blame]

1543

break;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

}

cleanup:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1548

return ret;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1549

}

1550

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

1551

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1552

static int ssl_tls13_check_server_hello_session_id_echo(mbedtls_ssl_context *ssl,

1553

const unsigned char **buf,

1554

const unsigned char *end)

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1555

{

1556

const unsigned char *p = *buf;

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1557

size_t legacy_session_id_echo_len;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1558

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1559

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 1);

1560

legacy_session_id_echo_len = *p++;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1561

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1562

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, legacy_session_id_echo_len);

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1563

1564

/* legacy_session_id_echo */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1565

if (ssl->session_negotiate->id_len != legacy_session_id_echo_len ||

1566

memcmp(ssl->session_negotiate->id, p, legacy_session_id_echo_len) != 0) {

1567

MBEDTLS_SSL_DEBUG_BUF(3, "Expected Session ID",

1568

ssl->session_negotiate->id,

1569

ssl->session_negotiate->id_len);

1570

MBEDTLS_SSL_DEBUG_BUF(3, "Received Session ID", p,

1571

legacy_session_id_echo_len);

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1572

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1573

MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,

1574

MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1575

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1576

return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1577

}

1578

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1579

p += legacy_session_id_echo_len;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1580

*buf = p;

1581

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1582

MBEDTLS_SSL_DEBUG_BUF(3, "Session ID", ssl->session_negotiate->id,

1583

ssl->session_negotiate->id_len);

1584

return 0;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1585

}

1586

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1587

/* Parse ServerHello message and configure context

1588

*

1589

* struct {

1590

* ProtocolVersion legacy_version = 0x0303; // TLS 1.2

1591

* Random random;

1592

* opaque legacy_session_id_echo<0..32>;

1593

* CipherSuite cipher_suite;

1594

* uint8 legacy_compression_method = 0;

Jerry Yu

2021-10-13 13:36:05 +0800

[diff] [blame]

1595

* Extension extensions<6..2^16-1>;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1596

* } ServerHello;

1597

*/

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

1598

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1599

static int ssl_tls13_parse_server_hello(mbedtls_ssl_context *ssl,

1600

const unsigned char *buf,

1601

const unsigned char *end,

1602

int is_hrr)

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1603

{

Jerry Yu

2021-10-13 13:36:05 +0800

[diff] [blame]

1604

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1605

const unsigned char *p = buf;

XiaokangQian

2022-01-20 11:14:50 +0000

[diff] [blame]

1606

mbedtls_ssl_handshake_params *handshake = ssl->handshake;

Jerry Yu

2021-10-13 13:36:05 +0800

[diff] [blame]

1607

size_t extensions_len;

1608

const unsigned char *extensions_end;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1609

uint16_t cipher_suite;

Jerry Yu

de4fb2c

2021-09-19 18:05:08 +0800

[diff] [blame]

1610

const mbedtls_ssl_ciphersuite_t *ciphersuite_info;

XiaokangQian

b119a35

2022-01-26 03:29:10 +0000

[diff] [blame]

1611

int fatal_alert = 0;

Jerry Yu

2022-08-29 15:25:36 +0800

[diff] [blame]

1612

uint32_t allowed_extensions_mask;

Jerry Yu

50e00e3

2022-10-31 14:45:01 +0800

[diff] [blame]

1613

int hs_msg_type = is_hrr ? MBEDTLS_SSL_TLS1_3_HS_HELLO_RETRY_REQUEST :

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1614

MBEDTLS_SSL_HS_SERVER_HELLO;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1615

1616

/*

1617

* Check there is space for minimal fields

1618

*

1619

* - legacy_version ( 2 bytes)

Jerry Yu

2021-10-26 10:44:32 +0800

[diff] [blame]

1620

* - random (MBEDTLS_SERVER_HELLO_RANDOM_LEN bytes)

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1621

* - legacy_session_id_echo ( 1 byte ), minimum size

1622

* - cipher_suite ( 2 bytes)

1623

* - legacy_compression_method ( 1 byte )

1624

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1625

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, MBEDTLS_SERVER_HELLO_RANDOM_LEN + 6);

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1626

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1627

MBEDTLS_SSL_DEBUG_BUF(4, "server hello", p, end - p);

1628

MBEDTLS_SSL_DEBUG_BUF(3, "server hello, version", p, 2);

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1629

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1630

/* ...

Jerry Yu

2021-10-13 13:36:05 +0800

[diff] [blame]

1631

* ProtocolVersion legacy_version = 0x0303; // TLS 1.2

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1632

* ...

1633

* with ProtocolVersion defined as:

1634

* uint16 ProtocolVersion;

1635

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1636

if (mbedtls_ssl_read_version(p, ssl->conf->transport) !=

1637

MBEDTLS_SSL_VERSION_TLS1_2) {

1638

MBEDTLS_SSL_DEBUG_MSG(1, ("Unsupported version of TLS."));

1639

MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION,

1640

MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION);

XiaokangQian

2022-01-24 10:12:51 +0000

[diff] [blame]

1641

ret = MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION;

1642

goto cleanup;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1643

}

1644

p += 2;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1645

Jerry Yu

2021-10-26 10:44:32 +0800

[diff] [blame]

1646

/* ...

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1647

* Random random;

1648

* ...

1649

* with Random defined as:

Jerry Yu

2021-10-26 10:44:32 +0800

[diff] [blame]

1650

* opaque Random[MBEDTLS_SERVER_HELLO_RANDOM_LEN];

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1651

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1652

if (!is_hrr) {

1653

memcpy(&handshake->randbytes[MBEDTLS_CLIENT_HELLO_RANDOM_LEN], p,

1654

MBEDTLS_SERVER_HELLO_RANDOM_LEN);

1655

MBEDTLS_SSL_DEBUG_BUF(3, "server hello, random bytes",

1656

p, MBEDTLS_SERVER_HELLO_RANDOM_LEN);

XiaokangQian

2022-01-18 10:47:33 +0000

[diff] [blame]

1657

}

Jerry Yu

2021-10-26 10:44:32 +0800

[diff] [blame]

1658

p += MBEDTLS_SERVER_HELLO_RANDOM_LEN;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1659

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1660

/* ...

1661

* opaque legacy_session_id_echo<0..32>;

1662

* ...

1663

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1664

if (ssl_tls13_check_server_hello_session_id_echo(ssl, &p, end) != 0) {

XiaokangQian

2022-01-26 09:49:29 +0000

[diff] [blame]

1665

fatal_alert = MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER;

XiaokangQian

2022-01-24 10:12:51 +0000

[diff] [blame]

1666

goto cleanup;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1667

}

1668

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1669

/* ...

1670

* CipherSuite cipher_suite;

1671

* ...

1672

* with CipherSuite defined as:

1673

* uint8 CipherSuite[2];

1674

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1675

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);

1676

cipher_suite = MBEDTLS_GET_UINT16_BE(p, 0);

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1677

p += 2;

1678

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1679

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1680

ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(cipher_suite);

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1681

/*

Ronald Cron

ba120bb

2022-03-30 22:09:48 +0200

[diff] [blame]

1682

* Check whether this ciphersuite is valid and offered.

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1683

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1684

if ((mbedtls_ssl_validate_ciphersuite(ssl, ciphersuite_info,

1685

ssl->tls_version,

1686

ssl->tls_version) != 0) ||

1687

!mbedtls_ssl_tls13_cipher_suite_is_offered(ssl, cipher_suite)) {

XiaokangQian

2022-01-26 09:49:29 +0000

[diff] [blame]

1688

fatal_alert = MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1689

}

XiaokangQian

2022-01-18 10:47:33 +0000

[diff] [blame]

1690

/*

XiaokangQian

2022-01-20 11:14:50 +0000

[diff] [blame]

1691

* If we received an HRR before and that the proposed selected

1692

* ciphersuite in this server hello is not the same as the one

1693

* proposed in the HRR, we abort the handshake and send an

1694

* "illegal_parameter" alert.

XiaokangQian

2022-01-18 10:47:33 +0000

[diff] [blame]

1695

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1696

else if ((!is_hrr) && (handshake->hello_retry_request_count > 0) &&

1697

(cipher_suite != ssl->session_negotiate->ciphersuite)) {

XiaokangQian

2022-01-26 09:49:29 +0000

[diff] [blame]

1698

fatal_alert = MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER;

XiaokangQian

2022-01-20 11:14:50 +0000

[diff] [blame]

1699

}

XiaokangQian

2022-01-18 10:47:33 +0000

[diff] [blame]

1700

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1701

if (fatal_alert == MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER) {

1702

MBEDTLS_SSL_DEBUG_MSG(1, ("invalid ciphersuite(%04x) parameter",

1703

cipher_suite));

XiaokangQian

2022-01-24 10:12:51 +0000

[diff] [blame]

1704

goto cleanup;

XiaokangQian

2022-01-18 10:47:33 +0000

[diff] [blame]

1705

}

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1706

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1707

/* Configure ciphersuites */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1708

mbedtls_ssl_optimize_checksum(ssl, ciphersuite_info);

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1709

XiaokangQian

2022-01-20 11:14:50 +0000

[diff] [blame]

1710

handshake->ciphersuite_info = ciphersuite_info;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1711

MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, chosen ciphersuite: ( %04x ) - %s",

1712

cipher_suite, ciphersuite_info->name));

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1713

1714

#if defined(MBEDTLS_HAVE_TIME)

YxC

da60913

2023-05-22 12:08:12 -0700

[diff] [blame]

1715

ssl->session_negotiate->start = mbedtls_time(NULL);

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1716

#endif /* MBEDTLS_HAVE_TIME */

1717

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1718

/* ...

1719

* uint8 legacy_compression_method = 0;

1720

* ...

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1721

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1722

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 1);

1723

if (p[0] != MBEDTLS_SSL_COMPRESS_NULL) {

1724

MBEDTLS_SSL_DEBUG_MSG(1, ("bad legacy compression method"));

XiaokangQian

2022-01-26 09:49:29 +0000

[diff] [blame]

1725

fatal_alert = MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER;

XiaokangQian

2022-01-24 10:12:51 +0000

[diff] [blame]

1726

goto cleanup;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

}

p++;

Jerry Yu

2021-10-13 13:36:05 +0800

[diff] [blame]

1730

/* ...

1731

* Extension extensions<6..2^16-1>;

1732

* ...

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1733

* struct {

1734

* ExtensionType extension_type; (2 bytes)

1735

* opaque extension_data<0..2^16-1>;

1736

* } Extension;

1737

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1738

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);

1739

extensions_len = MBEDTLS_GET_UINT16_BE(p, 0);

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1740

p += 2;

Jerry Yu

de4fb2c

2021-09-19 18:05:08 +0800

[diff] [blame]

1741

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1742

/* Check extensions do not go beyond the buffer of data. */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1743

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, extensions_len);

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1744

extensions_end = p + extensions_len;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1745

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1746

MBEDTLS_SSL_DEBUG_BUF(3, "server hello extensions", p, extensions_len);

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1747

Jerry Yu

50e00e3

2022-10-31 14:45:01 +0800

[diff] [blame]

1748

handshake->received_extensions = MBEDTLS_SSL_EXT_MASK_NONE;

Jerry Yu

2022-08-29 15:25:36 +0800

[diff] [blame]

1749

allowed_extensions_mask = is_hrr ?

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1750

MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_HRR :

1751

MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_SH;

Jerry Yu

2c5363e

2022-08-04 17:42:49 +0800

[diff] [blame]

1752

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1753

while (p < extensions_end) {

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1754

unsigned int extension_type;

1755

size_t extension_data_len;

XiaokangQian

2022-01-21 04:32:58 +0000

[diff] [blame]

1756

const unsigned char *extension_data_end;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1757

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1758

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, extensions_end, 4);

1759

extension_type = MBEDTLS_GET_UINT16_BE(p, 0);

1760

extension_data_len = MBEDTLS_GET_UINT16_BE(p, 2);

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1761

p += 4;

1762

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1763

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, extensions_end, extension_data_len);

XiaokangQian

2022-01-21 04:32:58 +0000

[diff] [blame]

1764

extension_data_end = p + extension_data_len;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1765

Jerry Yu

2022-10-29 09:08:47 +0800

[diff] [blame]

1766

ret = mbedtls_ssl_tls13_check_received_extension(

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1767

ssl, hs_msg_type, extension_type, allowed_extensions_mask);

1768

if (ret != 0) {

1769

return ret;

1770

}

Jerry Yu

2c5363e

2022-08-04 17:42:49 +0800

[diff] [blame]

1771

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1772

switch (extension_type) {

XiaokangQian

2022-01-14 04:03:11 +0000

[diff] [blame]

1773

case MBEDTLS_TLS_EXT_COOKIE:

1774

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1775

ret = ssl_tls13_parse_cookie_ext(ssl,

1776

p, extension_data_end);

1777

if (ret != 0) {

1778

MBEDTLS_SSL_DEBUG_RET(1,

1779

"ssl_tls13_parse_cookie_ext",

1780

ret);

XiaokangQian

2022-01-24 10:12:51 +0000

[diff] [blame]

1781

goto cleanup;

XiaokangQian

2022-01-14 04:03:11 +0000

[diff] [blame]

1782

}

XiaokangQian

2022-01-14 04:03:11 +0000

[diff] [blame]

1783

break;

XiaokangQian

2022-01-14 04:03:11 +0000

[diff] [blame]

1784

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1785

case MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1786

ret = ssl_tls13_parse_supported_versions_ext(ssl,

1787

p,

1788

extension_data_end);

1789

if (ret != 0) {

XiaokangQian

2022-01-24 10:12:51 +0000

[diff] [blame]

1790

goto cleanup;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1791

}

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1792

break;

1793

Ronald Cron

2022-10-04 16:38:25 +0200

[diff] [blame]

1794

#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1795

case MBEDTLS_TLS_EXT_PRE_SHARED_KEY:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1796

MBEDTLS_SSL_DEBUG_MSG(3, ("found pre_shared_key extension"));

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1797

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1798

if ((ret = ssl_tls13_parse_server_pre_shared_key_ext(

1799

ssl, p, extension_data_end)) != 0) {

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

1800

MBEDTLS_SSL_DEBUG_RET(

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1801

1, ("ssl_tls13_parse_server_pre_shared_key_ext"), ret);

1802

return ret;

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

1803

}

1804

break;

Ronald Cron

2022-10-04 16:38:25 +0200

[diff] [blame]

1805

#endif

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1806

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1807

case MBEDTLS_TLS_EXT_KEY_SHARE:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1808

MBEDTLS_SSL_DEBUG_MSG(3, ("found key_shares extension"));

1809

if (!mbedtls_ssl_conf_tls13_some_ephemeral_enabled(ssl)) {

XiaokangQian

2022-01-26 09:49:29 +0000

[diff] [blame]

1810

fatal_alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT;

XiaokangQian

2022-01-24 10:12:51 +0000

[diff] [blame]

goto cleanup;

}

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1814

if (is_hrr) {

1815

ret = ssl_tls13_parse_hrr_key_share_ext(ssl,

1816

p, extension_data_end);

1817

} else {

1818

ret = ssl_tls13_parse_key_share_ext(ssl,

1819

p, extension_data_end);

1820

}

1821

if (ret != 0) {

1822

MBEDTLS_SSL_DEBUG_RET(1,

1823

"ssl_tls13_parse_key_share_ext",

1824

ret);

XiaokangQian

2022-01-24 10:12:51 +0000

[diff] [blame]

1825

goto cleanup;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1826

}

1827

break;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1828

1829

default:

Jerry Yu

9872eb2

2022-08-29 13:42:01 +0800

[diff] [blame]

1830

ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;

1831

goto cleanup;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1832

}

1833

1834

p += extension_data_len;

1835

}

1836

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1837

MBEDTLS_SSL_PRINT_EXTS(3, hs_msg_type, handshake->received_extensions);

Jerry Yu

2c5363e

2022-08-04 17:42:49 +0800

[diff] [blame]

1838

XiaokangQian

2022-01-24 10:12:51 +0000

[diff] [blame]

1839

cleanup:

1840

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1841

if (fatal_alert == MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT) {

1842

MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT,

1843

MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION);

XiaokangQian

2022-01-24 10:12:51 +0000

[diff] [blame]

1844

ret = MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1845

} else if (fatal_alert == MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER) {

1846

MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,

1847

MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);

XiaokangQian

2022-01-24 10:12:51 +0000

[diff] [blame]

1848

ret = MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;

1849

}

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1850

return ret;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1851

}

1852

Xiaokang Qian

cb6e963

2022-09-26 11:59:32 +0000

[diff] [blame]

1853

#if defined(MBEDTLS_DEBUG_C)

1854

static const char *ssl_tls13_get_kex_mode_str(int mode)

Xiaokang Qian

2022-09-26 08:23:45 +0000

[diff] [blame]

1855

{

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1856

switch (mode) {

Xiaokang Qian

2022-09-26 08:23:45 +0000

[diff] [blame]

1857

case MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK:

1858

return "psk";

1859

case MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL:

1860

return "ephemeral";

1861

case MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL:

1862

return "psk_ephemeral";

1863

default:

1864

return "unknown mode";

1865

}

1866

}

Xiaokang Qian

cb6e963

2022-09-26 11:59:32 +0000

[diff] [blame]

1867

#endif /* MBEDTLS_DEBUG_C */

Xiaokang Qian

2022-09-26 08:23:45 +0000

[diff] [blame]

1868

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

1869

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1870

static int ssl_tls13_postprocess_server_hello(mbedtls_ssl_context *ssl)

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1871

{

Jerry Yu

2021-10-13 13:36:05 +0800

[diff] [blame]

1872

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

Jerry Yu

2021-10-13 13:36:05 +0800

[diff] [blame]

1873

mbedtls_ssl_handshake_params *handshake = ssl->handshake;

Jerry Yu

2021-09-05 19:41:30 +0800

[diff] [blame]

1874

Jerry Yu

2021-10-13 13:36:05 +0800

[diff] [blame]

1875

/* Determine the key exchange mode:

1876

* 1) If both the pre_shared_key and key_share extensions were received

1877

* then the key exchange mode is PSK with EPHEMERAL.

1878

* 2) If only the pre_shared_key extension was received then the key

1879

* exchange mode is PSK-only.

1880

* 3) If only the key_share extension was received then the key

1881

* exchange mode is EPHEMERAL-only.

Jerry Yu

2021-09-05 19:41:30 +0800

[diff] [blame]

1882

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1883

switch (handshake->received_extensions &

Xiaokang Qian

2023-03-29 10:37:35 +0000

[diff] [blame]

1884

(MBEDTLS_SSL_EXT_MASK(PRE_SHARED_KEY) |

1885

MBEDTLS_SSL_EXT_MASK(KEY_SHARE))) {

Jerry Yu

2021-10-13 22:01:04 +0800

[diff] [blame]

1886

/* Only the pre_shared_key extension was received */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1887

case MBEDTLS_SSL_EXT_MASK(PRE_SHARED_KEY):

Xiaokang Qian

2023-03-29 10:37:35 +0000

[diff] [blame]

1888

handshake->key_exchange_mode =

1889

MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK;

Jerry Yu

2021-10-13 22:01:04 +0800

[diff] [blame]

1890

break;

Jerry Yu

2021-10-13 13:36:05 +0800

[diff] [blame]

1891

Jerry Yu

2021-10-13 22:01:04 +0800

[diff] [blame]

1892

/* Only the key_share extension was received */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1893

case MBEDTLS_SSL_EXT_MASK(KEY_SHARE):

Xiaokang Qian

2023-03-29 10:37:35 +0000

[diff] [blame]

1894

handshake->key_exchange_mode =

1895

MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL;

Jerry Yu

2021-10-13 22:01:04 +0800

[diff] [blame]

1896

break;

Jerry Yu

2021-10-13 13:36:05 +0800

[diff] [blame]

1897

Jerry Yu

2021-10-13 22:01:04 +0800

[diff] [blame]

1898

/* Both the pre_shared_key and key_share extensions were received */

Xiaokang Qian

2023-03-29 10:37:35 +0000

[diff] [blame]

1899

case (MBEDTLS_SSL_EXT_MASK(PRE_SHARED_KEY) |

1900

MBEDTLS_SSL_EXT_MASK(KEY_SHARE)):

1901

handshake->key_exchange_mode =

1902

MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL;

Jerry Yu

2021-10-13 22:01:04 +0800

[diff] [blame]

1903

break;

Jerry Yu

2021-10-13 13:36:05 +0800

[diff] [blame]

1904

Jerry Yu

2021-10-13 22:01:04 +0800

[diff] [blame]

1905

/* Neither pre_shared_key nor key_share extension was received */

1906

default:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1907

MBEDTLS_SSL_DEBUG_MSG(1, ("Unknown key exchange."));

Jerry Yu

2021-10-13 22:01:04 +0800

[diff] [blame]

1908

ret = MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;

1909

goto cleanup;

Jerry Yu

2021-09-05 19:41:30 +0800

[diff] [blame]

1910

}

Xiaokang Qian

3f616c2

2023-01-12 03:36:31 +0000

[diff] [blame]

1911

#if defined(MBEDTLS_SSL_EARLY_DATA)

Xiaokang Qian

02f5e14

2023-02-06 10:44:17 +0000

[diff] [blame]

1912

if (handshake->received_extensions & MBEDTLS_SSL_EXT_MASK(EARLY_DATA) &&

1913

(handshake->selected_identity != 0 ||

1914

handshake->ciphersuite_info->id !=

1915

ssl->session_negotiate->ciphersuite)) {

Xiaokang Qian

3f616c2

2023-01-12 03:36:31 +0000

[diff] [blame]

1916

/* RFC8446 4.2.11

1917

* If the server supplies an "early_data" extension, the

1918

* client MUST verify that the server's selected_identity

1919

* is 0. If any other value is returned, the client MUST

1920

* abort the handshake with an "illegal_parameter" alert.

Xiaokang Qian

02f5e14

2023-02-06 10:44:17 +0000

[diff] [blame]

1921

*

Xiaokang Qian

53c4c27

2023-02-07 02:42:01 +0000

[diff] [blame]

1922

* RFC 8446 4.2.10

1923

* In order to accept early data, the server MUST have accepted a PSK

1924

* cipher suite and selected the first key offered in the client's

1925

* "pre_shared_key" extension. In addition, it MUST verify that the

1926

* following values are the same as those associated with the

1927

* selected PSK:

1928

* - The TLS version number

1929

* - The selected cipher suite

Xiaokang Qian

8dc4ce7

2023-02-07 10:49:50 +0000

[diff] [blame]

1930

* - The selected ALPN [RFC7301] protocol, if any

1931

*

1932

* We check here that when early data is involved the server

1933

* selected the cipher suite associated to the pre-shared key

1934

* as it must have.

Xiaokang Qian

3f616c2

2023-01-12 03:36:31 +0000

[diff] [blame]

1935

*/

1936

MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,

1937

MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);

1938

return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;

1939

}

1940

#endif

Jerry Yu

2021-09-05 19:41:30 +0800

[diff] [blame]

1941

Xiaokang Qian

2023-02-08 06:04:50 +0000

[diff] [blame]

1942

if (!mbedtls_ssl_conf_tls13_check_kex_modes(

1943

ssl, handshake->key_exchange_mode)) {

Xiaokang Qian

ac8195f

2022-09-26 04:01:06 +0000

[diff] [blame]

1944

ret = MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;

Xiaokang Qian

2023-03-29 10:37:35 +0000

[diff] [blame]

1945

MBEDTLS_SSL_DEBUG_MSG(

1946

2, ("Key exchange mode(%s) is not supported.",

1947

ssl_tls13_get_kex_mode_str(handshake->key_exchange_mode)));

Xiaokang Qian

ac8195f

2022-09-26 04:01:06 +0000

[diff] [blame]

goto cleanup;

}

Xiaokang Qian

2023-03-29 10:37:35 +0000

[diff] [blame]

1951

MBEDTLS_SSL_DEBUG_MSG(

1952

3, ("Selected key exchange mode: %s",

1953

ssl_tls13_get_kex_mode_str(handshake->key_exchange_mode)));

Xiaokang Qian

2022-09-26 08:23:45 +0000

[diff] [blame]

1954

Xiaokang Qian

7892b6c

2023-02-02 06:05:48 +0000

[diff] [blame]

1955

/* Start the TLS 1.3 key scheduling if not already done.

Jerry Yu

2021-09-05 19:41:30 +0800

[diff] [blame]

1956

*

Xiaokang Qian

7892b6c

2023-02-02 06:05:48 +0000

[diff] [blame]

1957

* If we proposed early data then we have already derived an

1958

* early secret using the selected PSK and its associated hash.

1959

* It means that if the negotiated key exchange mode is psk or

1960

* psk_ephemeral, we have already correctly computed the

1961

* early secret and thus we do not do it again. In all other

1962

* cases we compute it here.

Xiaokang Qian

303f82c5

2023-01-04 08:43:46 +0000

[diff] [blame]

1963

*/

Xiaokang Qian

9074613

2023-01-06 05:54:59 +0000

[diff] [blame]

1964

#if defined(MBEDTLS_SSL_EARLY_DATA)

Xiaokang Qian

e04afdc

2023-02-07 02:19:42 +0000

[diff] [blame]

1965

if (ssl->early_data_status == MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT ||

1966

handshake->key_exchange_mode ==

1967

MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL)

Xiaokang Qian

9074613

2023-01-06 05:54:59 +0000

[diff] [blame]

1968

#endif

1969

{

Xiaokang Qian

303f82c5

2023-01-04 08:43:46 +0000

[diff] [blame]

1970

ret = mbedtls_ssl_tls13_key_schedule_stage_early(ssl);

1971

if (ret != 0) {

1972

MBEDTLS_SSL_DEBUG_RET(

1973

1, "mbedtls_ssl_tls13_key_schedule_stage_early", ret);

1974

goto cleanup;

1975

}

Jerry Yu

2021-09-05 19:41:30 +0800

[diff] [blame]

1976

}

1977

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1978

ret = mbedtls_ssl_tls13_compute_handshake_transform(ssl);

1979

if (ret != 0) {

1980

MBEDTLS_SSL_DEBUG_RET(1,

1981

"mbedtls_ssl_tls13_compute_handshake_transform",

1982

ret);

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1983

goto cleanup;

Jerry Yu

2021-09-05 19:41:30 +0800

[diff] [blame]

1984

}

1985

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1986

mbedtls_ssl_set_inbound_transform(ssl, handshake->transform_handshake);

1987

MBEDTLS_SSL_DEBUG_MSG(1, ("Switch to handshake keys for inbound traffic"));

Xiaokang Qian

4ef8ba2

2023-02-06 11:06:16 +0000

[diff] [blame]

1988

ssl->session_negotiate->ciphersuite = handshake->ciphersuite_info->id;

Jerry Yu

2021-09-05 19:41:30 +0800

[diff] [blame]

1989

ssl->session_in = ssl->session_negotiate;

1990

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1991

cleanup:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1992

if (ret != 0) {

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1993

MBEDTLS_SSL_PEND_FATAL_ALERT(

1994

MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1995

MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE);

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1996

}

Jerry Yu

e110d25

2022-05-05 10:19:22 +0800

[diff] [blame]

1997

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1998

return ret;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1999

}

2000

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

2001

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2002

static int ssl_tls13_postprocess_hrr(mbedtls_ssl_context *ssl)

XiaokangQian

2021-12-07 09:16:29 +0000

[diff] [blame]

2003

{

2004

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

2005

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2006

mbedtls_ssl_session_reset_msg_layer(ssl, 0);

XiaokangQian

2021-12-07 09:16:29 +0000

[diff] [blame]

2007

XiaokangQian

78b1fa7

2022-01-19 06:56:30 +0000

[diff] [blame]

2008

/*

XiaokangQian

2022-01-20 11:14:50 +0000

[diff] [blame]

2009

* We are going to re-generate a shared secret corresponding to the group

2010

* selected by the server, which is different from the group for which we

2011

* generated a shared secret in the first client hello.

2012

* Thus, reset the shared secret.

XiaokangQian

51eff22

2021-12-10 10:33:56 +0000

[diff] [blame]

2013

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2014

ret = ssl_tls13_reset_key_share(ssl);

2015

if (ret != 0) {

2016

return ret;

2017

}

XiaokangQian

2021-12-07 09:16:29 +0000

[diff] [blame]

2018

Xiaokang Qian

4ef8ba2

2023-02-06 11:06:16 +0000

[diff] [blame]

2019

ssl->session_negotiate->ciphersuite = ssl->handshake->ciphersuite_info->id;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2020

return 0;

XiaokangQian

2021-12-07 09:16:29 +0000

[diff] [blame]

2021

}

2022

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

2023

/*

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

2024

* Wait and parse ServerHello handshake message.

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

2025

* Handler for MBEDTLS_SSL_SERVER_HELLO

2026

*/

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

2027

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2028

static int ssl_tls13_process_server_hello(mbedtls_ssl_context *ssl)

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

2029

{

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

2030

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

XiaokangQian

2021-12-07 09:16:29 +0000

[diff] [blame]

2031

unsigned char *buf = NULL;

2032

size_t buf_len = 0;

XiaokangQian

78b1fa7

2022-01-19 06:56:30 +0000

[diff] [blame]

2033

int is_hrr = 0;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

2034

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2035

MBEDTLS_SSL_DEBUG_MSG(2, ("=> %s", __func__));

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

2036

Xiaokang Qian

2023-03-29 10:37:35 +0000

[diff] [blame]

2037

MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_tls13_fetch_handshake_msg(

2038

ssl, MBEDTLS_SSL_HS_SERVER_HELLO, &buf, &buf_len));

Ronald Cron

db5dfa1

2022-05-31 11:44:38 +0200

[diff] [blame]

2039

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2040

ret = ssl_tls13_preprocess_server_hello(ssl, buf, buf + buf_len);

2041

if (ret < 0) {

XiaokangQian

2022-01-14 07:35:47 +0000

[diff] [blame]

2042

goto cleanup;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2043

} else {

2044

is_hrr = (ret == SSL_SERVER_HELLO_HRR);

2045

}

XiaokangQian

2022-01-24 10:12:51 +0000

[diff] [blame]

2046

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2047

if (ret == SSL_SERVER_HELLO_TLS1_2) {

Ronald Cron

2022-02-10 16:45:15 +0100

[diff] [blame]

ret = 0;

goto cleanup;

}

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2052

MBEDTLS_SSL_PROC_CHK(ssl_tls13_parse_server_hello(ssl, buf,

buf + buf_len,

is_hrr));

if (is_hrr) {

MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_reset_transcript_for_hrr(ssl));

Ronald Cron

2022-05-31 14:49:55 +0200

[diff] [blame]

2057

}

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2058

Xiaokang Qian

2023-03-29 10:37:35 +0000

[diff] [blame]

2059

MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(

2060

ssl, MBEDTLS_SSL_HS_SERVER_HELLO, buf, buf_len));

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2061

2062

if (is_hrr) {

2063

MBEDTLS_SSL_PROC_CHK(ssl_tls13_postprocess_hrr(ssl));

2064

#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)

2065

/* If not offering early data, the client sends a dummy CCS record

2066

* immediately before its second flight. This may either be before

2067

* its second ClientHello or before its encrypted handshake flight.

2068

*/

Xiaokang Qian

2023-03-29 10:37:35 +0000

[diff] [blame]

2069

mbedtls_ssl_handshake_set_state(

2070

ssl, MBEDTLS_SSL_CLIENT_CCS_BEFORE_2ND_CLIENT_HELLO);

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2071

#else

2072

mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_HELLO);

2073

#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */

2074

} else {

2075

MBEDTLS_SSL_PROC_CHK(ssl_tls13_postprocess_server_hello(ssl));

2076

mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_ENCRYPTED_EXTENSIONS);

Ronald Cron

2022-05-31 14:49:55 +0200

[diff] [blame]

2077

}

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

2078

2079

cleanup:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2080

MBEDTLS_SSL_DEBUG_MSG(2, ("<= %s ( %s )", __func__,

2081

is_hrr ? "HelloRetryRequest" : "ServerHello"));

2082

return ret;

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

2083

}

2084

2085

/*

XiaokangQian

2021-09-13 07:30:09 +0000

[diff] [blame]

2086

*

Ronald Cron

2022-05-30 16:05:38 +0200

[diff] [blame]

2087

* Handler for MBEDTLS_SSL_ENCRYPTED_EXTENSIONS

XiaokangQian

2021-09-13 07:30:09 +0000

[diff] [blame]

2088

*

2089

* The EncryptedExtensions message contains any extensions which

2090

* should be protected, i.e., any which are not needed to establish

2091

* the cryptographic context.

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

2092

*/

XiaokangQian

2021-09-13 07:30:09 +0000

[diff] [blame]

2093

XiaokangQian

2021-10-09 10:12:11 +0000

[diff] [blame]

2094

/* Parse EncryptedExtensions message

2095

* struct {

XiaokangQian

2021-10-11 10:05:54 +0000

[diff] [blame]

2096

* Extension extensions<0..2^16-1>;

XiaokangQian

2021-10-09 10:12:11 +0000

[diff] [blame]

2097

* } EncryptedExtensions;

2098

*/

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

2099

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2100

static int ssl_tls13_parse_encrypted_extensions(mbedtls_ssl_context *ssl,

2101

const unsigned char *buf,

2102

const unsigned char *end)

XiaokangQian

2021-09-13 07:30:09 +0000

[diff] [blame]

2103

{

2104

int ret = 0;

XiaokangQian

2021-10-09 10:12:11 +0000

[diff] [blame]

2105

size_t extensions_len;

XiaokangQian

140f045

2021-10-08 08:05:53 +0000

[diff] [blame]

2106

const unsigned char *p = buf;

XiaokangQian

8db25ff

2021-10-13 05:56:18 +0000

[diff] [blame]

2107

const unsigned char *extensions_end;

Jerry Yu

2022-10-29 09:08:47 +0800

[diff] [blame]

2108

mbedtls_ssl_handshake_params *handshake = ssl->handshake;

XiaokangQian

2021-09-13 07:30:09 +0000

[diff] [blame]

2109

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2110

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);

2111

extensions_len = MBEDTLS_GET_UINT16_BE(p, 0);

XiaokangQian

2021-10-09 10:12:11 +0000

[diff] [blame]

2112

p += 2;

XiaokangQian

2021-09-13 07:30:09 +0000

[diff] [blame]

2113

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2114

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, extensions_len);

Ronald Cron

c808359

2022-05-31 16:24:05 +0200

[diff] [blame]

2115

extensions_end = p + extensions_len;

XiaokangQian

2021-09-13 07:30:09 +0000

[diff] [blame]

2116

Jan Bruckner

5a3629b

2023-02-23 12:08:09 +0100

[diff] [blame]

2117

MBEDTLS_SSL_DEBUG_BUF(3, "encrypted extensions", p, extensions_len);

2118

Jerry Yu

9eba750

2022-10-31 13:46:16 +0800

[diff] [blame]

2119

handshake->received_extensions = MBEDTLS_SSL_EXT_MASK_NONE;

Jerry Yu

2022-08-04 16:55:10 +0800

[diff] [blame]

2120

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2121

while (p < extensions_end) {

XiaokangQian

2021-10-09 10:12:11 +0000

[diff] [blame]

2122

unsigned int extension_type;

2123

size_t extension_data_len;

XiaokangQian

2021-09-13 07:30:09 +0000

[diff] [blame]

2124

XiaokangQian

2021-10-09 10:12:11 +0000

[diff] [blame]

2125

/*

2126

* struct {

XiaokangQian

2021-10-11 10:05:54 +0000

[diff] [blame]

2127

* ExtensionType extension_type; (2 bytes)

2128

* opaque extension_data<0..2^16-1>;

XiaokangQian

2021-10-09 10:12:11 +0000

[diff] [blame]

2129

* } Extension;

2130

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2131

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, extensions_end, 4);

2132

extension_type = MBEDTLS_GET_UINT16_BE(p, 0);

2133

extension_data_len = MBEDTLS_GET_UINT16_BE(p, 2);

XiaokangQian

2021-10-09 10:12:11 +0000

[diff] [blame]

2134

p += 4;

2135

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2136

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, extensions_end, extension_data_len);

XiaokangQian

2021-09-13 07:30:09 +0000

[diff] [blame]

2137

Jerry Yu

2022-10-29 09:08:47 +0800

[diff] [blame]

2138

ret = mbedtls_ssl_tls13_check_received_extension(

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2139

ssl, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS, extension_type,

2140

MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_EE);

2141

if (ret != 0) {

2142

return ret;

2143

}

Jerry Yu

2022-08-04 16:55:10 +0800

[diff] [blame]

2144

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2145

switch (extension_type) {

lhuang04

2022-01-21 07:34:27 -0800

[diff] [blame]

2146

#if defined(MBEDTLS_SSL_ALPN)

2147

case MBEDTLS_TLS_EXT_ALPN:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2148

MBEDTLS_SSL_DEBUG_MSG(3, ("found alpn extension"));

lhuang04

2022-01-21 07:34:27 -0800

[diff] [blame]

2149

Xiaokang Qian

2023-03-29 10:37:35 +0000

[diff] [blame]

2150

if ((ret = ssl_tls13_parse_alpn_ext(

2151

ssl, p, (size_t) extension_data_len)) != 0) {

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2152

return ret;

lhuang04

2022-01-21 07:34:27 -0800

[diff] [blame]

}

break;

#endif /* MBEDTLS_SSL_ALPN */

Xiaokang Qian

8bee899

2022-10-27 10:21:05 +0000

[diff] [blame]

2157

2158

#if defined(MBEDTLS_SSL_EARLY_DATA)

2159

case MBEDTLS_TLS_EXT_EARLY_DATA:

Xiaokang Qian

ca09afc

2022-11-22 10:05:19 +0000

[diff] [blame]

2160

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2161

if (extension_data_len != 0) {

Xiaokang Qian

ca09afc

2022-11-22 10:05:19 +0000

[diff] [blame]

2162

/* The message must be empty. */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2163

MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,

2164

MBEDTLS_ERR_SSL_DECODE_ERROR);

2165

return MBEDTLS_ERR_SSL_DECODE_ERROR;

Xiaokang Qian

ca09afc

2022-11-22 10:05:19 +0000

[diff] [blame]

2166

}

2167

Xiaokang Qian

8bee899

2022-10-27 10:21:05 +0000

[diff] [blame]

2168

break;

2169

#endif /* MBEDTLS_SSL_EARLY_DATA */

2170

Jan Bruckner

151f642

2023-02-10 12:45:19 +0100

[diff] [blame]

2171

#if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)

2172

case MBEDTLS_TLS_EXT_RECORD_SIZE_LIMIT:

2173

MBEDTLS_SSL_DEBUG_MSG(3, ("found record_size_limit extension"));

2174

Xiaokang Qian

2023-03-29 10:37:35 +0000

[diff] [blame]

2175

ret = mbedtls_ssl_tls13_parse_record_size_limit_ext(

2176

ssl, p, p + extension_data_len);

Jan Bruckner

151f642

2023-02-10 12:45:19 +0100

[diff] [blame]

2177

Xiaokang Qian

2023-03-29 10:37:35 +0000

[diff] [blame]

2178

/* TODO: Return unconditionally here until we handle the record

2179

* size limit correctly. Once handled correctly, only return in

2180

* case of errors. */

Jan Bruckner

151f642

2023-02-10 12:45:19 +0100

[diff] [blame]

return ret;

break;

#endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */

2185

XiaokangQian

2021-10-09 10:12:11 +0000

[diff] [blame]

2186

default:

Jerry Yu

79aa721

2022-11-08 21:30:21 +0800

[diff] [blame]

2187

MBEDTLS_SSL_PRINT_EXT(

Jerry Yu

9eba750

2022-10-31 13:46:16 +0800

[diff] [blame]

2188

3, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS,

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2189

extension_type, "( ignored )");

Jerry Yu

2022-08-04 16:55:10 +0800

[diff] [blame]

2190

break;

XiaokangQian

2021-10-09 10:12:11 +0000

[diff] [blame]

2191

}

2192

XiaokangQian

2021-10-09 10:12:11 +0000

[diff] [blame]

2193

p += extension_data_len;

XiaokangQian

2021-10-11 10:05:54 +0000

[diff] [blame]

2194

}

XiaokangQian

2021-10-09 10:12:11 +0000

[diff] [blame]

2195

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2196

MBEDTLS_SSL_PRINT_EXTS(3, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS,

2197

handshake->received_extensions);

Jerry Yu

2022-08-04 16:55:10 +0800

[diff] [blame]

2198

XiaokangQian

2021-10-11 10:05:54 +0000

[diff] [blame]

2199

/* Check that we consumed all the message. */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2200

if (p != end) {

2201

MBEDTLS_SSL_DEBUG_MSG(1, ("EncryptedExtension lengths misaligned"));

2202

MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,

2203

MBEDTLS_ERR_SSL_DECODE_ERROR);

2204

return MBEDTLS_ERR_SSL_DECODE_ERROR;

XiaokangQian

2021-09-13 07:30:09 +0000

[diff] [blame]

2205

}

2206

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2207

return ret;

XiaokangQian

2021-09-13 07:30:09 +0000

[diff] [blame]

2208

}

2209

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

2210

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2211

static int ssl_tls13_process_encrypted_extensions(mbedtls_ssl_context *ssl)

Ronald Cron

2022-05-30 16:05:38 +0200

[diff] [blame]

{

int ret;

unsigned char *buf;

size_t buf_len;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2217

MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse encrypted extensions"));

Ronald Cron

2022-05-30 16:05:38 +0200

[diff] [blame]

2218

Xiaokang Qian

2023-03-29 10:37:35 +0000

[diff] [blame]

2219

MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_tls13_fetch_handshake_msg(

2220

ssl, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS,

2221

&buf, &buf_len));

Ronald Cron

2022-05-30 16:05:38 +0200

[diff] [blame]

2222

2223

/* Process the message contents */

2224

MBEDTLS_SSL_PROC_CHK(

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2225

ssl_tls13_parse_encrypted_extensions(ssl, buf, buf + buf_len));

Ronald Cron

2022-05-30 16:05:38 +0200

[diff] [blame]

2226

Xiaokang Qian

b157e91

2022-11-23 08:12:26 +0000

[diff] [blame]

2227

#if defined(MBEDTLS_SSL_EARLY_DATA)

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2228

if (ssl->handshake->received_extensions &

2229

MBEDTLS_SSL_EXT_MASK(EARLY_DATA)) {

Xiaokang Qian

b157e91

2022-11-23 08:12:26 +0000

[diff] [blame]

2230

ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED;

}

#endif

Xiaokang Qian

2023-03-29 10:37:35 +0000

[diff] [blame]

2234

MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(

2235

ssl, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS,

2236

buf, buf_len));

Ronald Cron

2022-05-30 16:05:38 +0200

[diff] [blame]

2237

Ronald Cron

2022-10-04 16:14:26 +0200

[diff] [blame]

2238

#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2239

if (mbedtls_ssl_tls13_key_exchange_mode_with_psk(ssl)) {

2240

mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_FINISHED);

2241

} else {

2242

mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CERTIFICATE_REQUEST);

2243

}

Ronald Cron

2022-05-31 14:49:55 +0200

[diff] [blame]

2244

#else

2245

((void) ssl);

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2246

mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_FINISHED);

Ronald Cron

2022-05-31 14:49:55 +0200

[diff] [blame]

2247

#endif

Ronald Cron

2022-05-30 16:05:38 +0200

[diff] [blame]

cleanup:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2251

MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse encrypted extensions"));

2252

return ret;

Ronald Cron

2022-05-30 16:05:38 +0200

[diff] [blame]

}

Xiaokang Qian

2022-10-28 06:04:06 +0000

[diff] [blame]

2256

/*

2257

* Handler for MBEDTLS_SSL_END_OF_EARLY_DATA

2258

*

Xiaokang Qian

c81a15a

2022-12-19 02:43:33 +0000

[diff] [blame]

2259

* RFC 8446 section 4.5

Xiaokang Qian

2022-10-28 06:04:06 +0000

[diff] [blame]

2260

*

Xiaokang Qian

2022-10-28 06:04:06 +0000

[diff] [blame]

2261

* struct {} EndOfEarlyData;

Xiaokang Qian

c81a15a

2022-12-19 02:43:33 +0000

[diff] [blame]

2262

*

2263

* If the server sent an "early_data" extension in EncryptedExtensions, the

2264

* client MUST send an EndOfEarlyData message after receiving the server

2265

* Finished. Otherwise, the client MUST NOT send an EndOfEarlyData message.

Xiaokang Qian

2022-10-28 06:04:06 +0000

[diff] [blame]

2266

*/

2267

Xiaokang Qian

2022-10-28 06:04:06 +0000

[diff] [blame]

2268

MBEDTLS_CHECK_RETURN_CRITICAL

Xiaokang Qian

2022-10-28 06:04:06 +0000

[diff] [blame]

2269

static int ssl_tls13_write_end_of_early_data(mbedtls_ssl_context *ssl)

2270

{

2271

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

Xiaokang Qian

742578c

2022-12-19 06:34:44 +0000

[diff] [blame]

2272

unsigned char *buf = NULL;

2273

size_t buf_len;

Xiaokang Qian

57a138d

2022-12-19 06:40:47 +0000

[diff] [blame]

2274

MBEDTLS_SSL_DEBUG_MSG(2, ("=> write EndOfEarlyData"));

Xiaokang Qian

2022-10-28 06:04:06 +0000

[diff] [blame]

2275

Xiaokang Qian

742578c

2022-12-19 06:34:44 +0000

[diff] [blame]

2276

MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_start_handshake_msg(

Xiaokang Qian

2023-02-08 06:04:50 +0000

[diff] [blame]

2277

ssl, MBEDTLS_SSL_HS_END_OF_EARLY_DATA,

2278

&buf, &buf_len));

Xiaokang Qian

2022-10-28 06:04:06 +0000

[diff] [blame]

2279

Manuel Pégourié-Gonnard

63e33dd

2023-02-21 15:45:15 +0100

[diff] [blame]

2280

MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_hdr_to_checksum(

2281

ssl, MBEDTLS_SSL_HS_END_OF_EARLY_DATA, 0));

Xiaokang Qian

2022-10-28 06:04:06 +0000

[diff] [blame]

2282

Xiaokang Qian

742578c

2022-12-19 06:34:44 +0000

[diff] [blame]

2283

MBEDTLS_SSL_PROC_CHK(

2284

mbedtls_ssl_finish_handshake_msg(ssl, buf_len, 0));

Xiaokang Qian

da8402d

2022-12-15 14:55:35 +0000

[diff] [blame]

2285

Xiaokang Qian

19d4416

2023-01-03 03:39:50 +0000

[diff] [blame]

2286

mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE);

Xiaokang Qian

2022-10-28 06:04:06 +0000

[diff] [blame]

cleanup:

MBEDTLS_SSL_DEBUG_MSG(2, ("<= write EndOfEarlyData"));

return ret;

}

Ronald Cron

2022-10-04 16:14:26 +0200

[diff] [blame]

2294

#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

2295

/*

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2296

* STATE HANDLING: CertificateRequest

2297

*

Jerry Yu

2021-10-29 10:08:19 +0800

[diff] [blame]

2298

*/

Xiaofei Bai

2022-01-20 08:25:00 +0000

[diff] [blame]

2299

#define SSL_CERTIFICATE_REQUEST_EXPECT_REQUEST 0

2300

#define SSL_CERTIFICATE_REQUEST_SKIP 1

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2301

/* Coordination:

2302

* Deals with the ambiguity of not knowing if a CertificateRequest

2303

* will be sent. Returns a negative code on failure, or

2304

* - SSL_CERTIFICATE_REQUEST_EXPECT_REQUEST

2305

* - SSL_CERTIFICATE_REQUEST_SKIP

2306

* indicating if a Certificate Request is expected or not.

2307

*/

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

2308

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2309

static int ssl_tls13_certificate_request_coordinate(mbedtls_ssl_context *ssl)

Jerry Yu

2021-10-29 10:08:19 +0800

[diff] [blame]

2310

{

Xiaofei Bai

de3f13e

2022-01-18 05:47:05 +0000

[diff] [blame]

2311

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

Jerry Yu

2021-10-29 10:08:19 +0800

[diff] [blame]

2312

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2313

if ((ret = mbedtls_ssl_read_record(ssl, 0)) != 0) {

2314

MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);

2315

return ret;

Jerry Yu

2021-10-29 10:08:19 +0800

[diff] [blame]

2316

}

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2317

ssl->keep_current_message = 1;

Jerry Yu

2021-10-29 10:08:19 +0800

[diff] [blame]

2318

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2319

if ((ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE) &&

2320

(ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE_REQUEST)) {

2321

MBEDTLS_SSL_DEBUG_MSG(3, ("got a certificate request"));

2322

return SSL_CERTIFICATE_REQUEST_EXPECT_REQUEST;

Jerry Yu

2021-10-29 10:08:19 +0800

[diff] [blame]

2323

}

2324

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2325

MBEDTLS_SSL_DEBUG_MSG(3, ("got no certificate request"));

Ronald Cron

1938588

2022-06-15 16:26:13 +0200

[diff] [blame]

2326

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2327

return SSL_CERTIFICATE_REQUEST_SKIP;

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2328

}

2329

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2330

/*

2331

* ssl_tls13_parse_certificate_request()

2332

* Parse certificate request

2333

* struct {

2334

* opaque certificate_request_context<0..2^8-1>;

2335

* Extension extensions<2..2^16-1>;

2336

* } CertificateRequest;

2337

*/

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

2338

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2339

static int ssl_tls13_parse_certificate_request(mbedtls_ssl_context *ssl,

2340

const unsigned char *buf,

2341

const unsigned char *end)

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2342

{

2343

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

2344

const unsigned char *p = buf;

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2345

size_t certificate_request_context_len = 0;

Xiaofei Bai

2022-01-26 09:21:54 +0000

[diff] [blame]

2346

size_t extensions_len = 0;

2347

const unsigned char *extensions_end;

Jerry Yu

2022-10-29 09:08:47 +0800

[diff] [blame]

2348

mbedtls_ssl_handshake_params *handshake = ssl->handshake;

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2349

Xiaofei Bai

2022-01-26 09:21:54 +0000

[diff] [blame]

2350

/* ...

2351

* opaque certificate_request_context<0..2^8-1>

2352

* ...

2353

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2354

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 1);

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2355

certificate_request_context_len = (size_t) p[0];

Xiaofei Bai

2022-01-20 08:25:00 +0000

[diff] [blame]

2356

p += 1;

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2357

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2358

if (certificate_request_context_len > 0) {

2359

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, certificate_request_context_len);

2360

MBEDTLS_SSL_DEBUG_BUF(3, "Certificate Request Context",

2361

p, certificate_request_context_len);

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2362

Xiaofei Bai

2022-01-20 08:25:00 +0000

[diff] [blame]

2363

handshake->certificate_request_context =

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2364

mbedtls_calloc(1, certificate_request_context_len);

2365

if (handshake->certificate_request_context == NULL) {

2366

MBEDTLS_SSL_DEBUG_MSG(1, ("buffer too small"));

2367

return MBEDTLS_ERR_SSL_ALLOC_FAILED;

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2368

}

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2369

memcpy(handshake->certificate_request_context, p,

2370

certificate_request_context_len);

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2371

p += certificate_request_context_len;

2372

}

2373

Xiaofei Bai

2022-01-26 09:21:54 +0000

[diff] [blame]

2374

/* ...

2375

* Extension extensions<2..2^16-1>;

2376

* ...

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2377

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2378

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);

2379

extensions_len = MBEDTLS_GET_UINT16_BE(p, 0);

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2380

p += 2;

2381

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2382

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, extensions_len);

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2383

extensions_end = p + extensions_len;

2384

Jerry Yu

6d0e78b

2022-10-31 14:13:25 +0800

[diff] [blame]

2385

handshake->received_extensions = MBEDTLS_SSL_EXT_MASK_NONE;

Jerry Yu

2022-08-04 17:01:21 +0800

[diff] [blame]

2386

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2387

while (p < extensions_end) {

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2388

unsigned int extension_type;

2389

size_t extension_data_len;

2390

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2391

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, extensions_end, 4);

2392

extension_type = MBEDTLS_GET_UINT16_BE(p, 0);

2393

extension_data_len = MBEDTLS_GET_UINT16_BE(p, 2);

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2394

p += 4;

2395

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2396

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, extensions_end, extension_data_len);

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2397

Jerry Yu

2022-10-29 09:08:47 +0800

[diff] [blame]

2398

ret = mbedtls_ssl_tls13_check_received_extension(

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2399

ssl, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST, extension_type,

2400

MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CR);

2401

if (ret != 0) {

2402

return ret;

2403

}

Jerry Yu

2022-08-04 17:01:21 +0800

[diff] [blame]

2404

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2405

switch (extension_type) {

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2406

case MBEDTLS_TLS_EXT_SIG_ALG:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2407

MBEDTLS_SSL_DEBUG_MSG(3,

2408

("found signature algorithms extension"));

2409

ret = mbedtls_ssl_parse_sig_alg_ext(ssl, p,

2410

p + extension_data_len);

2411

if (ret != 0) {

2412

return ret;

2413

}

Jerry Yu

2022-08-04 17:01:21 +0800

[diff] [blame]

2414

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2415

break;

2416

2417

default:

Jerry Yu

79aa721

2022-11-08 21:30:21 +0800

[diff] [blame]

2418

MBEDTLS_SSL_PRINT_EXT(

Jerry Yu

6d0e78b

2022-10-31 14:13:25 +0800

[diff] [blame]

2419

3, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST,

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2420

extension_type, "( ignored )");

Xiaofei Bai

2022-01-26 09:21:54 +0000

[diff] [blame]

2421

break;

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2422

}

Jerry Yu

2022-08-04 17:01:21 +0800

[diff] [blame]

2423

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2424

p += extension_data_len;

2425

}

Jerry Yu

2022-08-04 17:01:21 +0800

[diff] [blame]

2426

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2427

MBEDTLS_SSL_PRINT_EXTS(3, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST,

2428

handshake->received_extensions);

Jerry Yu

2022-08-04 17:01:21 +0800

[diff] [blame]

2429

Xiaofei Bai

2022-01-20 08:25:00 +0000

[diff] [blame]

2430

/* Check that we consumed all the message. */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2431

if (p != end) {

2432

MBEDTLS_SSL_DEBUG_MSG(1,

2433

("CertificateRequest misaligned"));

Xiaofei Bai

c234ecf

2022-02-08 09:59:23 +0000

[diff] [blame]

2434

goto decode_error;

Xiaofei Bai

2022-01-20 08:25:00 +0000

[diff] [blame]

2435

}

Jerry Yu

2022-08-04 17:01:21 +0800

[diff] [blame]

2436

Jerry Yu

2022-08-29 15:25:36 +0800

[diff] [blame]

2437

/* RFC 8446 section 4.3.2

Jerry Yu

2022-08-04 17:01:21 +0800

[diff] [blame]

2438

*

2439

* The "signature_algorithms" extension MUST be specified

2440

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2441

if ((handshake->received_extensions & MBEDTLS_SSL_EXT_MASK(SIG_ALG)) == 0) {

2442

MBEDTLS_SSL_DEBUG_MSG(3,

2443

("no signature algorithms extension found"));

Xiaofei Bai

c234ecf

2022-02-08 09:59:23 +0000

[diff] [blame]

2444

goto decode_error;

Xiaofei Bai

2022-01-20 08:25:00 +0000

[diff] [blame]

2445

}

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2446

Jerry Yu

7840f81

2022-01-29 10:26:51 +0800

[diff] [blame]

2447

ssl->handshake->client_auth = 1;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2448

return 0;

Xiaofei Bai

51f515a

2022-02-08 07:28:04 +0000

[diff] [blame]

2449

Xiaofei Bai

c234ecf

2022-02-08 09:59:23 +0000

[diff] [blame]

2450

decode_error:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2451

MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,

2452

MBEDTLS_ERR_SSL_DECODE_ERROR);

2453

return MBEDTLS_ERR_SSL_DECODE_ERROR;

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2454

}

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2455

Xiaofei Bai

de3f13e

2022-01-18 05:47:05 +0000

[diff] [blame]

2456

/*

2457

* Handler for MBEDTLS_SSL_CERTIFICATE_REQUEST

2458

*/

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

2459

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2460

static int ssl_tls13_process_certificate_request(mbedtls_ssl_context *ssl)

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2461

{

Xiaofei Bai

de3f13e

2022-01-18 05:47:05 +0000

[diff] [blame]

2462

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2463

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2464

MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate request"));

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2465

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2466

MBEDTLS_SSL_PROC_CHK_NEG(ssl_tls13_certificate_request_coordinate(ssl));

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2467

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2468

if (ret == SSL_CERTIFICATE_REQUEST_EXPECT_REQUEST) {

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

unsigned char *buf;

size_t buf_len;

Xiaokang Qian

2023-03-29 10:37:35 +0000

[diff] [blame]

2472

MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_tls13_fetch_handshake_msg(

2473

ssl, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST,

2474

&buf, &buf_len));

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2475

Xiaokang Qian

2023-03-29 10:37:35 +0000

[diff] [blame]

2476

MBEDTLS_SSL_PROC_CHK(ssl_tls13_parse_certificate_request(

2477

ssl, buf, buf + buf_len));

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2478

Xiaokang Qian

2023-03-29 10:37:35 +0000

[diff] [blame]

2479

MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(

2480

ssl, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST,

2481

buf, buf_len));

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2482

} else if (ret == SSL_CERTIFICATE_REQUEST_SKIP) {

Xiaofei Bai

f6d3696

2022-01-16 14:54:35 +0000

[diff] [blame]

2483

ret = 0;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2484

} else {

2485

MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));

Xiaofei Bai

51f515a

2022-02-08 07:28:04 +0000

[diff] [blame]

2486

ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;

2487

goto cleanup;

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2488

}

2489

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2490

mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_CERTIFICATE);

Jerry Yu

2021-10-29 10:08:19 +0800

[diff] [blame]

2491

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2492

cleanup:

2493

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2494

MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse certificate request"));

2495

return ret;

Jerry Yu

2021-10-29 10:08:19 +0800

[diff] [blame]

2496

}

2497

2498

/*

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

2499

* Handler for MBEDTLS_SSL_SERVER_CERTIFICATE

2500

*/

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

2501

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2502

static int ssl_tls13_process_server_certificate(mbedtls_ssl_context *ssl)

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

2503

{

Xiaofei Bai

947571e

2021-09-29 09:12:03 +0000

[diff] [blame]

2504

int ret;

2505

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2506

ret = mbedtls_ssl_tls13_process_certificate(ssl);

2507

if (ret != 0) {

2508

return ret;

2509

}

Xiaofei Bai

947571e

2021-09-29 09:12:03 +0000

[diff] [blame]

2510

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2511

mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CERTIFICATE_VERIFY);

2512

return 0;

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

}

/*

* Handler for MBEDTLS_SSL_CERTIFICATE_VERIFY

2517

*/

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

2518

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2519

static int ssl_tls13_process_certificate_verify(mbedtls_ssl_context *ssl)

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

2520

{

Jerry Yu

30b071c

2021-09-12 20:16:03 +0800

[diff] [blame]

2521

int ret;

2522

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2523

ret = mbedtls_ssl_tls13_process_certificate_verify(ssl);

2524

if (ret != 0) {

2525

return ret;

2526

}

Jerry Yu

30b071c

2021-09-12 20:16:03 +0800

[diff] [blame]

2527

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2528

mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_FINISHED);

2529

return 0;

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

2530

}

Ronald Cron

2022-10-04 16:14:26 +0200

[diff] [blame]

2531

#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */

Ronald Cron

d4c6402

2021-12-06 09:06:46 +0100

[diff] [blame]

2532

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

2533

/*

2534

* Handler for MBEDTLS_SSL_SERVER_FINISHED

2535

*/

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

2536

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2537

static int ssl_tls13_process_server_finished(mbedtls_ssl_context *ssl)

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

2538

{

XiaokangQian

ac0385c

2021-11-03 06:40:11 +0000

[diff] [blame]

2539

int ret;

2540

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2541

ret = mbedtls_ssl_tls13_process_finished_message(ssl);

2542

if (ret != 0) {

2543

return ret;

2544

}

XiaokangQian

ac0385c

2021-11-03 06:40:11 +0000

[diff] [blame]

2545

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2546

ret = mbedtls_ssl_tls13_compute_application_transform(ssl);

2547

if (ret != 0) {

Jerry Yu

e3d67cb

2022-05-19 15:33:10 +0800

[diff] [blame]

2548

MBEDTLS_SSL_PEND_FATAL_ALERT(

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2549

MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,

2550

MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE);

2551

return ret;

Jerry Yu

e3d67cb

2022-05-19 15:33:10 +0800

[diff] [blame]

2552

}

2553

Xiaokang Qian

bc75bc0

2022-12-19 06:16:42 +0000

[diff] [blame]

2554

#if defined(MBEDTLS_SSL_EARLY_DATA)

2555

if (ssl->early_data_status == MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED) {

2556

mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_END_OF_EARLY_DATA);

Xiaokang Qian

bd0ab06

2023-02-02 05:56:30 +0000

[diff] [blame]

2557

} else if (ssl->early_data_status == MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED) {

2558

mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE);

Xiaokang Qian

bc75bc0

2022-12-19 06:16:42 +0000

[diff] [blame]

2559

} else

2560

#endif /* MBEDTLS_SSL_EARLY_DATA */

2561

{

2562

#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)

2563

mbedtls_ssl_handshake_set_state(

2564

ssl, MBEDTLS_SSL_CLIENT_CCS_AFTER_SERVER_FINISHED);

2565

#else

2566

mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE);

2567

#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */

2568

}

Ronald Cron

2021-11-24 16:25:31 +0100

[diff] [blame]

2569

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2570

return 0;

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

2571

}

2572

2573

/*

Jerry Yu

2022-01-26 15:41:22 +0800

[diff] [blame]

2574

* Handler for MBEDTLS_SSL_CLIENT_CERTIFICATE

2575

*/

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

2576

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2577

static int ssl_tls13_write_client_certificate(mbedtls_ssl_context *ssl)

Jerry Yu

2022-01-26 15:41:22 +0800

[diff] [blame]

2578

{

Ronald Cron

2022-03-09 07:44:27 +0100

[diff] [blame]

2579

int non_empty_certificate_msg = 0;

2580

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2581

MBEDTLS_SSL_DEBUG_MSG(1,

2582

("Switch to handshake traffic keys for outbound traffic"));

2583

mbedtls_ssl_set_outbound_transform(ssl, ssl->handshake->transform_handshake);

Jerry Yu

5cc3506

2022-01-28 16:16:08 +0800

[diff] [blame]

2584

Ronald Cron

2022-10-04 16:14:26 +0200

[diff] [blame]

2585

#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2586

if (ssl->handshake->client_auth) {

2587

int ret = mbedtls_ssl_tls13_write_certificate(ssl);

2588

if (ret != 0) {

2589

return ret;

2590

}

Ronald Cron

5bb8fc8

2022-03-09 07:00:13 +0100

[diff] [blame]

2591

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2592

if (mbedtls_ssl_own_cert(ssl) != NULL) {

Ronald Cron

2022-03-09 07:44:27 +0100

[diff] [blame]

2593

non_empty_certificate_msg = 1;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2594

}

2595

} else {

2596

MBEDTLS_SSL_DEBUG_MSG(2, ("skip write certificate"));

Ronald Cron

2022-03-09 07:44:27 +0100

[diff] [blame]

2597

}

Ronald Cron

9df7c80

2022-03-08 18:38:54 +0100

[diff] [blame]

2598

#endif

Ronald Cron

5bb8fc8

2022-03-09 07:00:13 +0100

[diff] [blame]

2599

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2600

if (non_empty_certificate_msg) {

2601

mbedtls_ssl_handshake_set_state(ssl,

2602

MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY);

2603

} else {

2604

MBEDTLS_SSL_DEBUG_MSG(2, ("skip write certificate verify"));

2605

mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_FINISHED);

2606

}

Ronald Cron

2022-03-09 07:44:27 +0100

[diff] [blame]

2607

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2608

return 0;

Jerry Yu

2022-01-26 15:41:22 +0800

[diff] [blame]

2609

}

2610

Ronald Cron

2022-10-04 16:14:26 +0200

[diff] [blame]

2611

#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)

Jerry Yu

2022-01-26 15:41:22 +0800

[diff] [blame]

2612

/*

2613

* Handler for MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY

2614

*/

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

2615

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2616

static int ssl_tls13_write_client_certificate_verify(mbedtls_ssl_context *ssl)

Jerry Yu

2022-01-26 15:41:22 +0800

[diff] [blame]

2617

{

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2618

int ret = mbedtls_ssl_tls13_write_certificate_verify(ssl);

Ronald Cron

a8b3887

2022-03-09 07:59:25 +0100

[diff] [blame]

2619

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2620

if (ret == 0) {

2621

mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_FINISHED);

2622

}

Ronald Cron

a8b3887

2022-03-09 07:59:25 +0100

[diff] [blame]

2623

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2624

return ret;

Jerry Yu

2022-01-26 15:41:22 +0800

[diff] [blame]

2625

}

Ronald Cron

2022-10-04 16:14:26 +0200

[diff] [blame]

2626

#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */

Jerry Yu

2022-01-26 15:41:22 +0800

[diff] [blame]

2627

2628

/*

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

2629

* Handler for MBEDTLS_SSL_CLIENT_FINISHED

2630

*/

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

2631

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2632

static int ssl_tls13_write_client_finished(mbedtls_ssl_context *ssl)

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

2633

{

XiaokangQian

0fa6643

2021-11-15 03:33:57 +0000

[diff] [blame]

2634

int ret;

2635

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2636

ret = mbedtls_ssl_tls13_write_finished_message(ssl);

2637

if (ret != 0) {

2638

return ret;

Jerry Yu

e3d67cb

2022-05-19 15:33:10 +0800

[diff] [blame]

2639

}

2640

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2641

ret = mbedtls_ssl_tls13_compute_resumption_master_secret(ssl);

2642

if (ret != 0) {

Xiaokang Qian

2023-03-29 10:37:35 +0000

[diff] [blame]

2643

MBEDTLS_SSL_DEBUG_RET(

2644

1, "mbedtls_ssl_tls13_compute_resumption_master_secret ", ret);

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

return ret;

}

mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_FLUSH_BUFFERS);

2649

return 0;

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

}

/*

* Handler for MBEDTLS_SSL_FLUSH_BUFFERS

2654

*/

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

2655

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2656

static int ssl_tls13_flush_buffers(mbedtls_ssl_context *ssl)

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

2657

{

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2658

MBEDTLS_SSL_DEBUG_MSG(2, ("handshake: done"));

2659

mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_WRAPUP);

2660

return 0;

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

}

/*

* Handler for MBEDTLS_SSL_HANDSHAKE_WRAPUP

2665

*/

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

2666

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2667

static int ssl_tls13_handshake_wrapup(mbedtls_ssl_context *ssl)

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

2668

{

Jerry Yu

378254d

2021-10-30 21:44:47 +0800

[diff] [blame]

2669

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2670

mbedtls_ssl_tls13_handshake_wrapup(ssl);

Jerry Yu

378254d

2021-10-30 21:44:47 +0800

[diff] [blame]

2671

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2672

mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_OVER);

2673

return 0;

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

2674

}

2675

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2676

#if defined(MBEDTLS_SSL_SESSION_TICKETS)

2677

Jerry Yu

2022-07-13 11:22:55 +0800

[diff] [blame]

2678

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2679

static int ssl_tls13_parse_new_session_ticket_exts(mbedtls_ssl_context *ssl,

2680

const unsigned char *buf,

2681

const unsigned char *end)

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2682

{

Jerry Yu

2022-10-29 09:08:47 +0800

[diff] [blame]

2683

mbedtls_ssl_handshake_params *handshake = ssl->handshake;

Jerry Yu

af2c0c8

2022-07-12 05:47:21 +0000

[diff] [blame]

2684

const unsigned char *p = buf;

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2685

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2686

Jerry Yu

edab637

2022-10-31 14:37:31 +0800

[diff] [blame]

2687

handshake->received_extensions = MBEDTLS_SSL_EXT_MASK_NONE;

Jerry Yu

2022-08-04 17:53:25 +0800

[diff] [blame]

2688

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2689

while (p < end) {

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2690

unsigned int extension_type;

2691

size_t extension_data_len;

Jerry Yu

2022-08-29 15:25:36 +0800

[diff] [blame]

2692

int ret;

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2693

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2694

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 4);

2695

extension_type = MBEDTLS_GET_UINT16_BE(p, 0);

2696

extension_data_len = MBEDTLS_GET_UINT16_BE(p, 2);

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2697

p += 4;

2698

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2699

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, extension_data_len);

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2700

Jerry Yu

2022-10-29 09:08:47 +0800

[diff] [blame]

2701

ret = mbedtls_ssl_tls13_check_received_extension(

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2702

ssl, MBEDTLS_SSL_HS_NEW_SESSION_TICKET, extension_type,

2703

MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_NST);

2704

if (ret != 0) {

2705

return ret;

2706

}

Jerry Yu

2022-08-04 17:53:25 +0800

[diff] [blame]

2707

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2708

switch (extension_type) {

Xiaokang Qian

0cc4320

2022-11-16 08:43:50 +0000

[diff] [blame]

2709

#if defined(MBEDTLS_SSL_EARLY_DATA)

Xiaokang Qian

2022-11-08 07:02:27 +0000

[diff] [blame]

2710

case MBEDTLS_TLS_EXT_EARLY_DATA:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2711

if (extension_data_len != 4) {

Xiaokang Qian

2d87a9e

2022-11-09 07:55:48 +0000

[diff] [blame]

2712

MBEDTLS_SSL_PEND_FATAL_ALERT(

2713

MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2714

MBEDTLS_ERR_SSL_DECODE_ERROR);

2715

return MBEDTLS_ERR_SSL_DECODE_ERROR;

Xiaokang Qian

2d87a9e

2022-11-09 07:55:48 +0000

[diff] [blame]

2716

}

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2717

if (ssl->session != NULL) {

Xiaokang Qian

2022-11-08 07:02:27 +0000

[diff] [blame]

2718

ssl->session->ticket_flags |=

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2719

MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_EARLY_DATA;

Xiaokang Qian

2d87a9e

2022-11-09 07:55:48 +0000

[diff] [blame]

2720

}

Xiaokang Qian

2022-11-08 07:02:27 +0000

[diff] [blame]

2721

break;

Xiaokang Qian

0cc4320

2022-11-16 08:43:50 +0000

[diff] [blame]

2722

#endif /* MBEDTLS_SSL_EARLY_DATA */

Xiaokang Qian

2022-11-08 07:02:27 +0000

[diff] [blame]

2723

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2724

default:

Jerry Yu

79aa721

2022-11-08 21:30:21 +0800

[diff] [blame]

2725

MBEDTLS_SSL_PRINT_EXT(

Jerry Yu

edab637

2022-10-31 14:37:31 +0800

[diff] [blame]

2726

3, MBEDTLS_SSL_HS_NEW_SESSION_TICKET,

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2727

extension_type, "( ignored )");

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2728

break;

2729

}

Jerry Yu

2022-08-04 17:53:25 +0800

[diff] [blame]

2730

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2731

p += extension_data_len;

2732

}

2733

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2734

MBEDTLS_SSL_PRINT_EXTS(3, MBEDTLS_SSL_HS_NEW_SESSION_TICKET,

2735

handshake->received_extensions);

Jerry Yu

2022-08-04 17:53:25 +0800

[diff] [blame]

2736

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2737

return 0;

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2738

}

2739

2740

/*

Jerry Yu

08aed4d

2022-07-20 10:36:12 +0800

[diff] [blame]

2741

* From RFC8446, page 74

2742

*

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2743

* struct {

2744

* uint32 ticket_lifetime;

2745

* uint32 ticket_age_add;

2746

* opaque ticket_nonce<0..255>;

2747

* opaque ticket<1..2^16-1>;

2748

* Extension extensions<0..2^16-2>;

2749

* } NewSessionTicket;

2750

*

2751

*/

Jerry Yu

2022-07-13 11:22:55 +0800

[diff] [blame]

2752

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2753

static int ssl_tls13_parse_new_session_ticket(mbedtls_ssl_context *ssl,

2754

unsigned char *buf,

2755

unsigned char *end,

2756

unsigned char **ticket_nonce,

2757

size_t *ticket_nonce_len)

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2758

{

2759

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

2760

unsigned char *p = buf;

2761

mbedtls_ssl_session *session = ssl->session;

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2762

size_t ticket_len;

2763

unsigned char *ticket;

2764

size_t extensions_len;

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2765

Jerry Yu

2022-07-12 06:09:38 +0000

[diff] [blame]

2766

*ticket_nonce = NULL;

2767

*ticket_nonce_len = 0;

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2768

/*

2769

* ticket_lifetime 4 bytes

2770

* ticket_age_add 4 bytes

Jerry Yu

08aed4d

2022-07-20 10:36:12 +0800

[diff] [blame]

2771

* ticket_nonce_len 1 byte

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2772

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2773

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 9);

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2774

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2775

session->ticket_lifetime = MBEDTLS_GET_UINT32_BE(p, 0);

2776

MBEDTLS_SSL_DEBUG_MSG(3,

2777

("ticket_lifetime: %u",

2778

(unsigned int) session->ticket_lifetime));

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2779

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2780

session->ticket_age_add = MBEDTLS_GET_UINT32_BE(p, 4);

2781

MBEDTLS_SSL_DEBUG_MSG(3,

2782

("ticket_age_add: %u",

2783

(unsigned int) session->ticket_age_add));

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2784

Jerry Yu

2022-07-12 06:09:38 +0000

[diff] [blame]

2785

*ticket_nonce_len = p[8];

2786

p += 9;

2787

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2788

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, *ticket_nonce_len);

Jerry Yu

2022-07-12 06:09:38 +0000

[diff] [blame]

2789

*ticket_nonce = p;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2790

MBEDTLS_SSL_DEBUG_BUF(3, "ticket_nonce:", *ticket_nonce, *ticket_nonce_len);

Jerry Yu

2022-07-12 06:09:38 +0000

[diff] [blame]

2791

p += *ticket_nonce_len;

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2792

2793

/* Ticket */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2794

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);

2795

ticket_len = MBEDTLS_GET_UINT16_BE(p, 0);

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2796

p += 2;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2797

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, ticket_len);

2798

MBEDTLS_SSL_DEBUG_BUF(3, "received ticket", p, ticket_len);

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2799

2800

/* Check if we previously received a ticket already. */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2801

if (session->ticket != NULL || session->ticket_len > 0) {

2802

mbedtls_free(session->ticket);

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2803

session->ticket = NULL;

2804

session->ticket_len = 0;

2805

}

2806

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2807

if ((ticket = mbedtls_calloc(1, ticket_len)) == NULL) {

2808

MBEDTLS_SSL_DEBUG_MSG(1, ("ticket alloc failed"));

2809

return MBEDTLS_ERR_SSL_ALLOC_FAILED;

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2810

}

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2811

memcpy(ticket, p, ticket_len);

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2812

p += ticket_len;

2813

session->ticket = ticket;

2814

session->ticket_len = ticket_len;

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2815

Pengyu Lv

2022-11-17 15:22:33 +0800

[diff] [blame]

2816

/* Clear all flags in ticket_flags */

Pengyu Lv

80270b2

2023-01-12 11:54:04 +0800

[diff] [blame]

2817

mbedtls_ssl_session_clear_ticket_flags(

Pengyu Lv

9eacb44

2022-12-09 14:39:19 +0800

[diff] [blame]

2818

session, MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK);

Pengyu Lv

2022-11-17 15:22:33 +0800

[diff] [blame]

2819

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2820

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);

2821

extensions_len = MBEDTLS_GET_UINT16_BE(p, 0);

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2822

p += 2;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2823

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, extensions_len);

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2824

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2825

MBEDTLS_SSL_DEBUG_BUF(3, "ticket extension", p, extensions_len);

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2826

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2827

ret = ssl_tls13_parse_new_session_ticket_exts(ssl, p, p + extensions_len);

2828

if (ret != 0) {

2829

MBEDTLS_SSL_DEBUG_RET(1,

2830

"ssl_tls13_parse_new_session_ticket_exts",

2831

ret);

2832

return ret;

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2833

}

Jerry Yu

2022-07-12 06:09:38 +0000

[diff] [blame]

2834

Jerry Yu

db8c5fa

2022-08-03 12:10:13 +0800

[diff] [blame]

2835

/* session has been updated, allow export */

2836

session->exported = 0;

2837

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2838

return 0;

Jerry Yu

2022-07-12 06:09:38 +0000

[diff] [blame]

2839

}

2840

Jerry Yu

2022-07-13 11:22:55 +0800

[diff] [blame]

2841

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2842

static int ssl_tls13_postprocess_new_session_ticket(mbedtls_ssl_context *ssl,

2843

unsigned char *ticket_nonce,

2844

size_t ticket_nonce_len)

Jerry Yu

2022-07-12 06:09:38 +0000

[diff] [blame]

2845

{

2846

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

2847

mbedtls_ssl_session *session = ssl->session;

2848

const mbedtls_ssl_ciphersuite_t *ciphersuite_info;

2849

psa_algorithm_t psa_hash_alg;

2850

int hash_length;

2851

Jerry Yu

2022-07-13 11:16:51 +0800

[diff] [blame]

2852

#if defined(MBEDTLS_HAVE_TIME)

2853

/* Store ticket creation time */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2854

session->ticket_received = mbedtls_time(NULL);

Jerry Yu

2022-07-13 11:16:51 +0800

[diff] [blame]

2855

#endif

2856

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2857

ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(session->ciphersuite);

2858

if (ciphersuite_info == NULL) {

2859

MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));

2860

return MBEDTLS_ERR_SSL_INTERNAL_ERROR;

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2861

}

2862

Dave Rodgman

2eab462

2023-10-05 13:30:37 +0100

[diff] [blame]

2863

psa_hash_alg = mbedtls_md_psa_alg_from_type((mbedtls_md_type_t) ciphersuite_info->mac);

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2864

hash_length = PSA_HASH_LENGTH(psa_hash_alg);

2865

if (hash_length == -1 ||

2866

(size_t) hash_length > sizeof(session->resumption_key)) {

2867

return MBEDTLS_ERR_SSL_INTERNAL_ERROR;

Jerry Yu

3afdf36

2022-07-20 17:34:14 +0800

[diff] [blame]

2868

}

2869

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2870

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2871

MBEDTLS_SSL_DEBUG_BUF(3, "resumption_master_secret",

2872

session->app_secrets.resumption_master_secret,

2873

hash_length);

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2874

Jerry Yu

2022-07-13 11:16:51 +0800

[diff] [blame]

2875

/* Compute resumption key

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2876

*

2877

* HKDF-Expand-Label( resumption_master_secret,

2878

* "resumption", ticket_nonce, Hash.length )

2879

*/

2880

ret = mbedtls_ssl_tls13_hkdf_expand_label(

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2881

psa_hash_alg,

2882

session->app_secrets.resumption_master_secret,

2883

hash_length,

2884

MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(resumption),

2885

ticket_nonce,

2886

ticket_nonce_len,

2887

session->resumption_key,

2888

hash_length);

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2889

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2890

if (ret != 0) {

2891

MBEDTLS_SSL_DEBUG_RET(2,

2892

"Creating the ticket-resumed PSK failed",

2893

ret);

2894

return ret;

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2895

}

2896

Jerry Yu

0a430c8

2022-07-20 11:02:48 +0800

[diff] [blame]

2897

session->resumption_key_len = hash_length;

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2898

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2899

MBEDTLS_SSL_DEBUG_BUF(3, "Ticket-resumed PSK",

2900

session->resumption_key,

2901

session->resumption_key_len);

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2902

Pengyu Lv

2022-11-17 15:22:33 +0800

[diff] [blame]

2903

/* Set ticket_flags depends on the selected key exchange modes */

Pengyu Lv

80270b2

2023-01-12 11:54:04 +0800

[diff] [blame]

2904

mbedtls_ssl_session_set_ticket_flags(

Pengyu Lv

9eacb44

2022-12-09 14:39:19 +0800

[diff] [blame]

2905

session, ssl->conf->tls13_kex_modes);

Pengyu Lv

4938a56

2023-01-16 11:28:49 +0800

[diff] [blame]

2906

MBEDTLS_SSL_PRINT_TICKET_FLAGS(4, session->ticket_flags);

Pengyu Lv

2022-11-17 15:22:33 +0800

[diff] [blame]

2907

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2908

return 0;

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2909

}

2910

2911

/*

Jerry Yu

a8d3c50

2022-10-30 14:51:23 +0800

[diff] [blame]

2912

* Handler for MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2913

*/

Jerry Yu

2022-07-13 11:22:55 +0800

[diff] [blame]

2914

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2915

static int ssl_tls13_process_new_session_ticket(mbedtls_ssl_context *ssl)

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2916

{

2917

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

2918

unsigned char *buf;

2919

size_t buf_len;

Jerry Yu

2022-07-12 06:09:38 +0000

[diff] [blame]

2920

unsigned char *ticket_nonce;

2921

size_t ticket_nonce_len;

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2922

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2923

MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse new session ticket"));

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2924

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2925

MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_tls13_fetch_handshake_msg(

2926

ssl, MBEDTLS_SSL_HS_NEW_SESSION_TICKET,

2927

&buf, &buf_len));

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2928

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2929

MBEDTLS_SSL_PROC_CHK(ssl_tls13_parse_new_session_ticket(

2930

ssl, buf, buf + buf_len,

2931

&ticket_nonce, &ticket_nonce_len));

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2932

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2933

MBEDTLS_SSL_PROC_CHK(ssl_tls13_postprocess_new_session_ticket(

2934

ssl, ticket_nonce, ticket_nonce_len));

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2935

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2936

mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_OVER);

Jerry Yu

2022-07-13 11:16:51 +0800

[diff] [blame]

2937

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2938

cleanup:

2939

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2940

MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse new session ticket"));

2941

return ret;

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2942

}

2943

#endif /* MBEDTLS_SSL_SESSION_TICKETS */

2944

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2945

int mbedtls_ssl_tls13_handshake_client_step(mbedtls_ssl_context *ssl)

Jerry Yu

2021-08-24 15:59:48 +0800

[diff] [blame]

2946

{

Jerry Yu

2021-08-27 16:59:09 +0800

[diff] [blame]

2947

int ret = 0;

Jerry Yu

c8a392c

2021-08-18 16:46:28 +0800

[diff] [blame]

2948

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2949

switch (ssl->state) {

Jerry Yu

2021-08-27 16:59:09 +0800

[diff] [blame]

2950

case MBEDTLS_SSL_HELLO_REQUEST:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2951

mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_HELLO);

Jerry Yu

ddda050

2022-12-01 19:43:12 +0800

[diff] [blame]

2952

break;

2953

Jerry Yu

2021-08-27 16:59:09 +0800

[diff] [blame]

2954

case MBEDTLS_SSL_CLIENT_HELLO:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2955

ret = mbedtls_ssl_write_client_hello(ssl);

Jerry Yu

2021-08-27 16:59:09 +0800

[diff] [blame]

2956

break;

2957

2958

case MBEDTLS_SSL_SERVER_HELLO:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2959

ret = ssl_tls13_process_server_hello(ssl);

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

2960

break;

2961

2962

case MBEDTLS_SSL_ENCRYPTED_EXTENSIONS:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2963

ret = ssl_tls13_process_encrypted_extensions(ssl);

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

2964

break;

2965

Ronald Cron

2022-10-04 16:14:26 +0200

[diff] [blame]

2966

#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)

Jerry Yu

2021-10-29 10:08:19 +0800

[diff] [blame]

2967

case MBEDTLS_SSL_CERTIFICATE_REQUEST:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2968

ret = ssl_tls13_process_certificate_request(ssl);

Jerry Yu

2021-10-29 10:08:19 +0800

[diff] [blame]

2969

break;

2970

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

2971

case MBEDTLS_SSL_SERVER_CERTIFICATE:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2972

ret = ssl_tls13_process_server_certificate(ssl);

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

2973

break;

2974

2975

case MBEDTLS_SSL_CERTIFICATE_VERIFY:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2976

ret = ssl_tls13_process_certificate_verify(ssl);

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

2977

break;

Ronald Cron

2022-10-04 16:14:26 +0200

[diff] [blame]

2978

#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

2979

2980

case MBEDTLS_SSL_SERVER_FINISHED:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2981

ret = ssl_tls13_process_server_finished(ssl);

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

2982

break;

2983

Xiaokang Qian

2022-10-28 06:04:06 +0000

[diff] [blame]

2984

case MBEDTLS_SSL_END_OF_EARLY_DATA:

2985

ret = ssl_tls13_write_end_of_early_data(ssl);

2986

break;

2987

Jerry Yu

2022-01-26 15:41:22 +0800

[diff] [blame]

2988

case MBEDTLS_SSL_CLIENT_CERTIFICATE:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2989

ret = ssl_tls13_write_client_certificate(ssl);

Jerry Yu

2022-01-26 15:41:22 +0800

[diff] [blame]

2990

break;

2991

Ronald Cron

2022-10-04 16:14:26 +0200

[diff] [blame]

2992

#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)

Jerry Yu

2022-01-26 15:41:22 +0800

[diff] [blame]

2993

case MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2994

ret = ssl_tls13_write_client_certificate_verify(ssl);

Jerry Yu

2022-01-26 15:41:22 +0800

[diff] [blame]

2995

break;

Ronald Cron

2022-10-04 16:14:26 +0200

[diff] [blame]

2996

#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */

Jerry Yu

2022-01-26 15:41:22 +0800

[diff] [blame]

2997

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

2998

case MBEDTLS_SSL_CLIENT_FINISHED:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2999

ret = ssl_tls13_write_client_finished(ssl);

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

3000

break;

3001

3002

case MBEDTLS_SSL_FLUSH_BUFFERS:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

3003

ret = ssl_tls13_flush_buffers(ssl);

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

3004

break;

3005

3006

case MBEDTLS_SSL_HANDSHAKE_WRAPUP:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

3007

ret = ssl_tls13_handshake_wrapup(ssl);

Jerry Yu

2021-08-27 16:59:09 +0800

[diff] [blame]

3008

break;

3009

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

3010

/*

3011

* Injection of dummy-CCS's for middlebox compatibility

3012

*/

Ronald Cron

2021-11-24 16:25:31 +0100

[diff] [blame]

3013

#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)

XiaokangQian

0b56a8f

2021-12-22 02:39:32 +0000

[diff] [blame]

3014

case MBEDTLS_SSL_CLIENT_CCS_BEFORE_2ND_CLIENT_HELLO:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

3015

ret = mbedtls_ssl_tls13_write_change_cipher_spec(ssl);

3016

if (ret == 0) {

3017

mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_HELLO);

3018

}

Ronald Cron

9f55f63

2022-02-02 16:02:47 +0100

[diff] [blame]

3019

break;

3020

3021

case MBEDTLS_SSL_CLIENT_CCS_AFTER_SERVER_FINISHED:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

3022

ret = mbedtls_ssl_tls13_write_change_cipher_spec(ssl);

3023

if (ret == 0) {

Xiaokang Qian

2023-03-29 10:37:35 +0000

[diff] [blame]

3024

mbedtls_ssl_handshake_set_state(

3025

ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE);

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

3026

}

Ronald Cron

2021-11-24 16:25:31 +0100

[diff] [blame]

3027

break;

Xiaokang Qian

f6d8fd3

2023-02-02 02:46:26 +0000

[diff] [blame]

3028

Xiaokang Qian

2023-01-04 10:47:05 +0000

[diff] [blame]

3029

case MBEDTLS_SSL_CLIENT_CCS_AFTER_CLIENT_HELLO:

3030

ret = mbedtls_ssl_tls13_write_change_cipher_spec(ssl);

3031

if (ret == 0) {

3032

mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_HELLO);

3033

Xiaokang Qian

33ff868

2023-01-10 06:32:12 +0000

[diff] [blame]

3034

#if defined(MBEDTLS_SSL_EARLY_DATA)

Xiaokang Qian

2023-01-04 10:47:05 +0000

[diff] [blame]

3035

MBEDTLS_SSL_DEBUG_MSG(

3036

1, ("Switch to early data keys for outbound traffic"));

3037

mbedtls_ssl_set_outbound_transform(

3038

ssl, ssl->handshake->transform_earlydata);

Xiaokang Qian

33ff868

2023-01-10 06:32:12 +0000

[diff] [blame]

3039

#endif

Xiaokang Qian

2023-01-04 10:47:05 +0000

[diff] [blame]

3040

}

3041

break;

Ronald Cron

2021-11-24 16:25:31 +0100

[diff] [blame]

3042

#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */

3043

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

3044

#if defined(MBEDTLS_SSL_SESSION_TICKETS)

Jerry Yu

a8d3c50

2022-10-30 14:51:23 +0800

[diff] [blame]

3045

case MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

3046

ret = ssl_tls13_process_new_session_ticket(ssl);

3047

if (ret != 0) {

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

3048

break;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

3049

}

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

3050

ret = MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET;

3051

break;

3052

#endif /* MBEDTLS_SSL_SESSION_TICKETS */

3053

Jerry Yu

2021-08-27 16:59:09 +0800

[diff] [blame]

3054

default:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

3055

MBEDTLS_SSL_DEBUG_MSG(1, ("invalid state %d", ssl->state));

3056

return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;

Jerry Yu

2021-08-27 16:59:09 +0800

[diff] [blame]

3057

}

3058

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

3059

return ret;

Jerry Yu