TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 75d40ef8cb241e312df1a4ee455ded6ed5105e2b / . / library / ssl_tls13_server.c
blob: a8e523a774f07531d9aebad26e1f5d9910929fb3 [file] [log] [blame]
Jerry Yu3cc4c2a2021-08-06 16:29:08 +0800[diff] [blame]1/*
Jerry Yub9930e72021-08-06 17:11:51 +0800[diff] [blame]2 * TLS 1.3 server-side functions
Jerry Yu3cc4c2a2021-08-06 16:29:08 +0800[diff] [blame]3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18*/
19
20#include "common.h"
21
Jerry Yufb4b6472022-01-27 15:03:26 +0800[diff] [blame]22#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
Jerry Yu3cc4c2a2021-08-06 16:29:08 +0800[diff] [blame]23
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]24#include "mbedtls/debug.h"
25
Jerry Yu3cc4c2a2021-08-06 16:29:08 +0800[diff] [blame]26#include "ssl_misc.h"
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]27#include "ssl_tls13_keys.h"
Gilles Peskine923d5c92021-12-15 12:56:54 +0100[diff] [blame]28#include "ssl_debug_helpers.h"
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]29#include <string.h>
30#if defined(MBEDTLS_ECP_C)
31#include "mbedtls/ecp.h"
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]32#endif /* MBEDTLS_ECP_C */
Jerry Yu3cc4c2a2021-08-06 16:29:08 +0800[diff] [blame]33
XiaokangQiana9c58412022-02-17 09:41:26 +0000[diff] [blame]34#if defined(MBEDTLS_PLATFORM_C)
35#include "mbedtls/platform.h"
36#else
37#include <stdlib.h>
38#define mbedtls_calloc calloc
39#define mbedtls_free free
40#endif /* MBEDTLS_PLATFORM_C */
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]41
42/* From RFC 8446:
43 * struct {
XiaokangQiancfd925f2022-04-14 07:10:37 +0000[diff] [blame]44 * ProtocolVersion versions<2..254>;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]45 * } SupportedVersions;
46 */
47static int ssl_tls13_parse_supported_versions_ext( mbedtls_ssl_context *ssl,
48 const unsigned char *buf,
49 const unsigned char *end )
50{
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]51 const unsigned char *p = buf;
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]52 size_t versions_len;
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]53 const unsigned char *versions_end;
XiaokangQiande333912022-04-20 08:49:42 +0000[diff] [blame]54 int tls_version;
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]55 int tls13_supported = 0;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]56
57 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 1 );
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]58 versions_len = p[0];
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]59 p += 1;
60
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]61 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, versions_len );
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]62 versions_end = p + versions_len;
63 while( p < versions_end )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]64 {
XiaokangQiancfd925f2022-04-14 07:10:37 +0000[diff] [blame]65 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, versions_end, 2 );
XiaokangQiande333912022-04-20 08:49:42 +0000[diff] [blame]66 tls_version = mbedtls_ssl_read_version( p, ssl->conf->transport );
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]67 p += 2;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]68
69 /* In this implementation we only support TLS 1.3 and DTLS 1.3. */
XiaokangQiande333912022-04-20 08:49:42 +0000[diff] [blame]70 if( tls_version == MBEDTLS_SSL_VERSION_TLS1_3 )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]71 {
72 tls13_supported = 1;
73 break;
74 }
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]75 }
76
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]77 if( !tls13_supported )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]78 {
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]79 MBEDTLS_SSL_DEBUG_MSG( 1, ( "TLS 1.3 is not supported by the client" ) );
80
81 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION,
82 MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION );
83 return( MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION );
84 }
85
XiaokangQiande333912022-04-20 08:49:42 +0000[diff] [blame]86 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Negotiated version. Supported is [%04x]",
87 tls_version ) );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]88
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]89 return( 0 );
90}
91
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]92#if defined(MBEDTLS_ECDH_C)
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]93/* This function parses the TLS 1.3 supported_groups extension and
94 * stores the received groups in ssl->handshake->curves.
95 *
96 * From RFC 8446:
97 * enum {
98 * ... (0xFFFF)
99 * } NamedGroup;
100 * struct {
101 * NamedGroup named_group_list<2..2^16-1>;
102 * } NamedGroupList;
103 */
XiaokangQiancfd925f2022-04-14 07:10:37 +0000[diff] [blame]104static int ssl_tls13_parse_supported_groups_ext(
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]105 mbedtls_ssl_context *ssl,
106 const unsigned char *buf, const unsigned char *end )
107{
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]108 const unsigned char *p = buf;
XiaokangQian84823772022-04-19 07:57:30 +0000[diff] [blame]109 size_t named_group_list_len;
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]110 const unsigned char *named_group_list_end;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]111
112 MBEDTLS_SSL_DEBUG_BUF( 3, "supported_groups extension", p, end - buf );
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]113 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]114 named_group_list_len = MBEDTLS_GET_UINT16_BE( p, 0 );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]115 p += 2;
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]116 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, named_group_list_len );
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]117 named_group_list_end = p + named_group_list_len;
XiaokangQian75d40ef2022-04-20 11:05:24 +0000[diff] [blame^]118 ssl->handshake->selected_group = 0;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]119
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]120 while( p < named_group_list_end )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]121 {
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]122 uint16_t named_group;
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]123 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, named_group_list_end, 2 );
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]124 named_group = MBEDTLS_GET_UINT16_BE( p, 0 );
125 p += 2;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]126
XiaokangQian318dc762022-04-20 09:43:51 +0000[diff] [blame]127 MBEDTLS_SSL_DEBUG_MSG( 2, ( "got named group: %d", named_group ) );
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]128
129 if( ! mbedtls_ssl_named_group_is_offered( ssl, named_group ) ||
130 ! mbedtls_ssl_named_group_is_supported( named_group ) ||
XiaokangQian75d40ef2022-04-20 11:05:24 +0000[diff] [blame^]131 ssl->handshake->selected_group != 0 )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]132 {
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]133 continue;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]134 }
135
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]136 MBEDTLS_SSL_DEBUG_MSG(
137 2, ( "add named group (%04x) into received list.",
138 named_group ) );
XiaokangQian75d40ef2022-04-20 11:05:24 +0000[diff] [blame^]139 ssl->handshake->selected_group = named_group;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]140 }
141
142 return( 0 );
143
144}
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]145#endif /* MBEDTLS_ECDH_C */
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]146
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]147#define SSL_TLS1_3_PARSE_KEY_SHARES_EXT_NO_MATCH 1
148
XiaokangQian88408882022-04-02 10:15:03 +0000[diff] [blame]149#if defined(MBEDTLS_ECDH_C)
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]150/*
151 * ssl_tls13_parse_key_shares_ext() verifies whether the information in the
152 * extension is correct and stores the provided key shares. Whether this is an
153 * acceptable key share depends on the selected ciphersuite.
154 *
155 * Possible return values are:
156 * - 0: Successful processing of the client provided key share extension.
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]157 * - SSL_TLS1_3_PARSE_KEY_SHARES_EXT_NO_MATCH: The key shares provided by the client
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]158 * does not match a group supported by the server. A HelloRetryRequest will
159 * be needed.
160 * - Another negative return value for fatal errors.
161*/
162
163static int ssl_tls13_parse_key_shares_ext( mbedtls_ssl_context *ssl,
164 const unsigned char *buf,
165 const unsigned char *end )
166{
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]167 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]168 unsigned char const *p = buf;
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]169 unsigned char const *client_shares_end;
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]170 size_t client_shares_len, key_exchange_len;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]171 int match_found = 0;
172
173 /* From RFC 8446:
174 *
175 * struct {
176 * KeyShareEntry client_shares<0..2^16-1>;
177 * } KeyShareClientHello;
178 *
179 */
180
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]181 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]182 client_shares_len = MBEDTLS_GET_UINT16_BE( p, 0 );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]183 p += 2;
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]184 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, client_shares_len );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]185
186 ssl->handshake->offered_group_id = 0;
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]187 client_shares_end = p + client_shares_len;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]188
189 /* We try to find a suitable key share entry and copy it to the
190 * handshake context. Later, we have to find out whether we can do
191 * something with the provided key share or whether we have to
XiaokangQianc5763b52022-04-02 03:34:37 +0000[diff] [blame]192 * dismiss it and send a HelloRetryRequest message.
193 */
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]194
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]195 for( ; p < client_shares_end; p += key_exchange_len )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]196 {
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000[diff] [blame]197 uint16_t group;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]198
199 /*
200 * struct {
201 * NamedGroup group;
202 * opaque key_exchange<1..2^16-1>;
203 * } KeyShareEntry;
204 */
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]205 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, client_shares_end, 4 );
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000[diff] [blame]206 group = MBEDTLS_GET_UINT16_BE( p, 0 );
207 p += 2;
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]208 key_exchange_len = MBEDTLS_GET_UINT16_BE( p, 0 );
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000[diff] [blame]209 p += 2;
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]210 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, client_shares_end, key_exchange_len );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]211
212 /* Continue parsing even if we have already found a match,
XiaokangQianc5763b52022-04-02 03:34:37 +0000[diff] [blame]213 * for input validation purposes.
214 */
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]215 if( match_found == 1 )
216 continue;
217
218 /*
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]219 * For now, we only support ECDHE groups.
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]220 */
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000[diff] [blame]221 if( mbedtls_ssl_tls13_named_group_is_ecdhe( group ) )
222 {
223 const mbedtls_ecp_curve_info *curve_info =
224 mbedtls_ecp_curve_info_from_tls_id( group );
225 if( curve_info == NULL )
226 {
227 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Invalid TLS curve group id" ) );
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]228 continue;
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000[diff] [blame]229 }
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]230
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000[diff] [blame]231 match_found = 1;
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000[diff] [blame]232 MBEDTLS_SSL_DEBUG_MSG( 2, ( "ECDH curve: %s", curve_info->name ) );
XiaokangQian318dc762022-04-20 09:43:51 +0000[diff] [blame]233 ret = mbedtls_ssl_tls13_read_public_ecdhe_share(
234 ssl, p - 2, key_exchange_len + 2 );
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000[diff] [blame]235 if( ret != 0 )
236 return( ret );
237 }
238 else
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]239 {
240 MBEDTLS_SSL_DEBUG_MSG( 4, ( "Unrecognized NamedGroup %u",
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000[diff] [blame]241 (unsigned) group ) );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]242 continue;
243 }
244
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000[diff] [blame]245 ssl->handshake->offered_group_id = group;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]246 }
247
248 if( match_found == 0 )
249 {
250 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no matching key share" ) );
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]251 return( SSL_TLS1_3_PARSE_KEY_SHARES_EXT_NO_MATCH );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]252 }
253 return( 0 );
254}
XiaokangQian88408882022-04-02 10:15:03 +0000[diff] [blame]255#endif /* MBEDTLS_ECDH_C */
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]256
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]257#if defined(MBEDTLS_DEBUG_C)
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]258static void ssl_tls13_debug_print_client_hello_exts( mbedtls_ssl_context *ssl )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]259{
XiaokangQian3207a322022-02-23 03:15:27 +0000[diff] [blame]260 ((void) ssl);
261
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]262 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Supported Extensions:" ) );
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]263 MBEDTLS_SSL_DEBUG_MSG( 3,
264 ( "- KEY_SHARE_EXTENSION ( %s )",
265 ( ( ssl->handshake->extensions_present
266 & MBEDTLS_SSL_EXT_KEY_SHARE ) > 0 ) ? "TRUE" : "FALSE" ) );
267 MBEDTLS_SSL_DEBUG_MSG( 3,
268 ( "- PSK_KEY_EXCHANGE_MODES_EXTENSION ( %s )",
269 ( ( ssl->handshake->extensions_present
270 & MBEDTLS_SSL_EXT_PSK_KEY_EXCHANGE_MODES ) > 0 ) ?
271 "TRUE" : "FALSE" ) );
272 MBEDTLS_SSL_DEBUG_MSG( 3,
273 ( "- PRE_SHARED_KEY_EXTENSION ( %s )",
274 ( ( ssl->handshake->extensions_present
275 & MBEDTLS_SSL_EXT_PRE_SHARED_KEY ) > 0 ) ? "TRUE" : "FALSE" ) );
276 MBEDTLS_SSL_DEBUG_MSG( 3,
277 ( "- SIGNATURE_ALGORITHM_EXTENSION ( %s )",
278 ( ( ssl->handshake->extensions_present
279 & MBEDTLS_SSL_EXT_SIG_ALG ) > 0 ) ? "TRUE" : "FALSE" ) );
280 MBEDTLS_SSL_DEBUG_MSG( 3,
281 ( "- SUPPORTED_GROUPS_EXTENSION ( %s )",
282 ( ( ssl->handshake->extensions_present
283 & MBEDTLS_SSL_EXT_SUPPORTED_GROUPS ) >0 ) ?
284 "TRUE" : "FALSE" ) );
285 MBEDTLS_SSL_DEBUG_MSG( 3,
286 ( "- SUPPORTED_VERSION_EXTENSION ( %s )",
287 ( ( ssl->handshake->extensions_present
288 & MBEDTLS_SSL_EXT_SUPPORTED_VERSIONS ) > 0 ) ?
289 "TRUE" : "FALSE" ) );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]290#if defined ( MBEDTLS_SSL_SERVER_NAME_INDICATION )
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]291 MBEDTLS_SSL_DEBUG_MSG( 3,
292 ( "- SERVERNAME_EXTENSION ( %s )",
293 ( ( ssl->handshake->extensions_present
294 & MBEDTLS_SSL_EXT_SERVERNAME ) > 0 ) ?
295 "TRUE" : "FALSE" ) );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]296#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]297}
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]298#endif /* MBEDTLS_DEBUG_C */
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]299
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]300static int ssl_tls13_client_hello_has_exts( mbedtls_ssl_context *ssl,
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]301 int exts_mask )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]302{
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]303 int masked = ssl->handshake->extensions_present & exts_mask;
304 return( masked == exts_mask );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]305}
306
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]307static int ssl_tls13_client_hello_has_exts_for_ephemeral_key_exchange(
308 mbedtls_ssl_context *ssl )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]309{
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]310 return( ssl_tls13_client_hello_has_exts( ssl,
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]311 MBEDTLS_SSL_EXT_SUPPORTED_GROUPS |
312 MBEDTLS_SSL_EXT_KEY_SHARE |
313 MBEDTLS_SSL_EXT_SIG_ALG ) );
314}
315
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]316static int ssl_tls13_check_ephemeral_key_exchange( mbedtls_ssl_context *ssl )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]317{
318 if( !mbedtls_ssl_conf_tls13_ephemeral_enabled( ssl ) )
319 return( 0 );
320
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]321 if( !ssl_tls13_client_hello_has_exts_for_ephemeral_key_exchange( ssl ) )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]322 return( 0 );
323
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]324 ssl->handshake->tls13_kex_modes =
325 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]326 return( 1 );
327}
328
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]329/*
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]330 *
331 * STATE HANDLING: ClientHello
332 *
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]333 * There are three possible classes of outcomes when parsing the ClientHello:
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]334 *
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]335 * 1) The ClientHello was well-formed and matched the server's configuration.
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]336 *
337 * In this case, the server progresses to sending its ServerHello.
338 *
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]339 * 2) The ClientHello was well-formed but didn't match the server's
340 * configuration.
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]341 *
342 * For example, the client might not have offered a key share which
343 * the server supports, or the server might require a cookie.
344 *
345 * In this case, the server sends a HelloRetryRequest.
346 *
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]347 * 3) The ClientHello was ill-formed
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]348 *
349 * In this case, we abort the handshake.
350 *
351 */
352
353/*
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]354 * Structure of this message:
355 *
356 * uint16 ProtocolVersion;
357 * opaque Random[32];
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]358 * uint8 CipherSuite[2]; // Cryptographic suite selector
359 *
360 * struct {
361 * ProtocolVersion legacy_version = 0x0303; // TLS v1.2
362 * Random random;
363 * opaque legacy_session_id<0..32>;
364 * CipherSuite cipher_suites<2..2^16-2>;
365 * opaque legacy_compression_methods<1..2^8-1>;
366 * Extension extensions<8..2^16-1>;
367 * } ClientHello;
368 */
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]369
370#define SSL_CLIENT_HELLO_OK 0
371#define SSL_CLIENT_HELLO_HRR_REQUIRED 1
372
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]373static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl,
374 const unsigned char *buf,
375 const unsigned char *end )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]376{
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]377 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
378 const unsigned char *p = buf;
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]379 size_t legacy_session_id_len;
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]380 const unsigned char *cipher_suites_start;
XiaokangQian318dc762022-04-20 09:43:51 +0000[diff] [blame]381 size_t cipher_suites_len;
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]382 size_t extensions_len;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]383 const unsigned char *extensions_end;
384
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]385 const mbedtls_ssl_ciphersuite_t* ciphersuite_info;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]386
387 ssl->handshake->extensions_present = MBEDTLS_SSL_EXT_NONE;
388
389 /*
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]390 * ClientHello layout:
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]391 * 0 . 1 protocol version
392 * 2 . 33 random bytes ( starting with 4 bytes of Unix time )
XiaokangQianc5763b52022-04-02 03:34:37 +0000[diff] [blame]393 * 34 . 34 session id length ( 1 byte )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]394 * 35 . 34+x session id
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]395 * .. . .. ciphersuite list length ( 2 bytes )
396 * .. . .. ciphersuite list
397 * .. . .. compression alg. list length ( 1 byte )
398 * .. . .. compression alg. list
399 * .. . .. extensions length ( 2 bytes, optional )
400 * .. . .. extensions ( optional )
401 */
402
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]403 /*
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]404 * Minimal length ( with everything empty and extensions ommitted ) is
405 * 2 + 32 + 1 + 2 + 1 = 38 bytes. Check that first, so that we can
406 * read at least up to session id length without worrying.
407 */
408 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 38 );
409
410 /* ...
411 * ProtocolVersion legacy_version = 0x0303; // TLS 1.2
412 * ...
413 * with ProtocolVersion defined as:
414 * uint16 ProtocolVersion;
415 */
XiaokangQiande333912022-04-20 08:49:42 +0000[diff] [blame]416 if( mbedtls_ssl_read_version( p, ssl->conf->transport ) !=
417 MBEDTLS_SSL_VERSION_TLS1_2 )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]418 {
419 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Unsupported version of TLS." ) );
420 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION,
421 MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION );
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]422 return ( MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]423 }
424 p += 2;
425
426 /*
XiaokangQianf8ceb942022-04-15 11:43:27 +0000[diff] [blame]427 * Only support TLS 1.3 currently, temporarily set the version.
428 */
XiaokangQiande333912022-04-20 08:49:42 +0000[diff] [blame]429 ssl->tls_version = MBEDTLS_SSL_VERSION_TLS1_3;
XiaokangQianf8ceb942022-04-15 11:43:27 +0000[diff] [blame]430
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]431 /* ---
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]432 * Random random;
433 * ---
434 * with Random defined as:
435 * opaque Random[32];
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]436 */
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]437 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, random bytes",
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]438 p, MBEDTLS_CLIENT_HELLO_RANDOM_LEN );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]439
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]440 memcpy( &ssl->handshake->randbytes[0], p, MBEDTLS_CLIENT_HELLO_RANDOM_LEN );
441 p += MBEDTLS_CLIENT_HELLO_RANDOM_LEN;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]442
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]443 /* ---
444 * opaque legacy_session_id<0..32>;
445 * ---
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]446 */
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]447 legacy_session_id_len = p[0];
XiaokangQianc5763b52022-04-02 03:34:37 +0000[diff] [blame]448 p++;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]449
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]450 if( legacy_session_id_len > sizeof( ssl->session_negotiate->id ) )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]451 {
452 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
453 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
454 }
455
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]456 ssl->session_negotiate->id_len = legacy_session_id_len;
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]457 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, session id",
458 buf, legacy_session_id_len );
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]459 /*
460 * Check we have enough data for the legacy session identifier
461 * and the ciphersuite list length.
462 */
463 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, legacy_session_id_len + 2 );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]464
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]465 memcpy( &ssl->session_negotiate->id[0], p, legacy_session_id_len );
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]466 p += legacy_session_id_len;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]467
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]468 cipher_suites_len = MBEDTLS_GET_UINT16_BE( p, 0 );
469 p += 2;
470
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]471 /* Check we have enough data for the ciphersuite list, the legacy
472 * compression methods and the length of the extensions.
473 */
474 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, cipher_suites_len + 2 + 2 );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]475
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]476 /* ---
477 * CipherSuite cipher_suites<2..2^16-2>;
478 * ---
479 * with CipherSuite defined as:
480 * uint8 CipherSuite[2];
481 */
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]482 cipher_suites_start = p;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]483 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist",
484 p, cipher_suites_len );
XiaokangQian17f974c2022-04-19 09:57:41 +0000[diff] [blame]485 /*
486 * Search for a matching ciphersuite
487 */
XiaokangQian318dc762022-04-20 09:43:51 +0000[diff] [blame]488 int ciphersuite_match = 0;
XiaokangQian17f974c2022-04-19 09:57:41 +0000[diff] [blame]489 ciphersuite_info = NULL;
490 for ( size_t j = 0; j < cipher_suites_len;
491 j += 2, p += 2 )
492 {
XiaokangQian318dc762022-04-20 09:43:51 +0000[diff] [blame]493 uint16_t cipher_suite = MBEDTLS_GET_UINT16_BE( p, 0 );
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]494 ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(
495 cipher_suite );
496 /*
497 * Check whether this ciphersuite is valid and offered.
498 */
499 if( ( mbedtls_ssl_validate_ciphersuite(
XiaokangQiande333912022-04-20 08:49:42 +0000[diff] [blame]500 ssl, ciphersuite_info, ssl->tls_version,
501 ssl->tls_version ) != 0 ) ||
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]502 !mbedtls_ssl_tls13_cipher_suite_is_offered( ssl, cipher_suite ) )
503 continue;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]504
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]505 ssl->session_negotiate->ciphersuite = cipher_suite;
506 ssl->handshake->ciphersuite_info = ciphersuite_info;
XiaokangQian318dc762022-04-20 09:43:51 +0000[diff] [blame]507 ciphersuite_match = 1;
XiaokangQian17f974c2022-04-19 09:57:41 +0000[diff] [blame]508
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]509 break;
XiaokangQian17f974c2022-04-19 09:57:41 +0000[diff] [blame]510
XiaokangQian17f974c2022-04-19 09:57:41 +0000[diff] [blame]511 }
512
XiaokangQian318dc762022-04-20 09:43:51 +0000[diff] [blame]513 if( !ciphersuite_match )
514 {
515 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
516 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
517 return ( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
518 }
XiaokangQian17f974c2022-04-19 09:57:41 +0000[diff] [blame]519
520 MBEDTLS_SSL_DEBUG_MSG( 2, ( "selected ciphersuite: %s",
521 ciphersuite_info->name ) );
522
523 p = cipher_suites_start + cipher_suites_len;
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]524 /* ...
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]525 * opaque legacy_compression_methods<1..2^8-1>;
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]526 * ...
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]527 */
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]528 if( p[0] != 1 || p[1] != 0 )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]529 {
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]530 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad legacy compression method" ) );
531 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
532 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
533 return ( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]534 }
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]535 p += 2;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]536
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]537 /* ---
538 * Extension extensions<8..2^16-1>;
539 * ---
540 * with Extension defined as:
541 * struct {
542 * ExtensionType extension_type;
543 * opaque extension_data<0..2^16-1>;
544 * } Extension;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]545 */
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]546 extensions_len = MBEDTLS_GET_UINT16_BE( p, 0 );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]547 p += 2;
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]548 extensions_end = p + extensions_len;
549 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, extensions_len );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]550
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]551 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello extensions", p, extensions_len );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]552
553 while( p < extensions_end )
554 {
555 unsigned int extension_type;
556 size_t extension_data_len;
557 const unsigned char *extension_data_end;
558
XiaokangQian318dc762022-04-20 09:43:51 +0000[diff] [blame]559 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, 4 );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]560 extension_type = MBEDTLS_GET_UINT16_BE( p, 0 );
561 extension_data_len = MBEDTLS_GET_UINT16_BE( p, 2 );
562 p += 4;
563
564 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, extension_data_len );
565 extension_data_end = p + extension_data_len;
566
567 switch( extension_type )
568 {
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]569#if defined(MBEDTLS_ECDH_C)
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]570 case MBEDTLS_TLS_EXT_SUPPORTED_GROUPS:
571 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported group extension" ) );
572
573 /* Supported Groups Extension
574 *
575 * When sent by the client, the "supported_groups" extension
576 * indicates the named groups which the client supports,
577 * ordered from most preferred to least preferred.
578 */
XiaokangQiancfd925f2022-04-14 07:10:37 +0000[diff] [blame]579 ret = ssl_tls13_parse_supported_groups_ext( ssl, p,
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]580 extension_data_end );
581 if( ret != 0 )
582 {
583 MBEDTLS_SSL_DEBUG_RET( 1,
584 "mbedtls_ssl_parse_supported_groups_ext", ret );
585 return( ret );
586 }
587
588 ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_SUPPORTED_GROUPS;
589 break;
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]590#endif /* MBEDTLS_ECDH_C */
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]591
XiaokangQian88408882022-04-02 10:15:03 +0000[diff] [blame]592#if defined(MBEDTLS_ECDH_C)
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]593 case MBEDTLS_TLS_EXT_KEY_SHARE:
594 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found key share extension" ) );
595
596 /*
597 * Key Share Extension
598 *
599 * When sent by the client, the "key_share" extension
600 * contains the endpoint's cryptographic parameters for
601 * ECDHE/DHE key establishment methods.
602 */
603 ret = ssl_tls13_parse_key_shares_ext( ssl, p, extension_data_end );
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]604 if( ret == SSL_TLS1_3_PARSE_KEY_SHARES_EXT_NO_MATCH )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]605 {
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]606 MBEDTLS_SSL_DEBUG_MSG( 2, ( "HRR needed " ) );
607 ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]608 }
609
610 if( ret != 0 )
611 return( ret );
612
613 ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_KEY_SHARE;
614 break;
XiaokangQian88408882022-04-02 10:15:03 +0000[diff] [blame]615#endif /* MBEDTLS_ECDH_C */
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]616
617 case MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS:
618 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported versions extension" ) );
619
620 ret = ssl_tls13_parse_supported_versions_ext(
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]621 ssl, p, extension_data_end );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]622 if( ret != 0 )
623 {
624 MBEDTLS_SSL_DEBUG_RET( 1,
625 ( "ssl_tls13_parse_supported_versions_ext" ), ret );
626 return( ret );
627 }
628 ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_SUPPORTED_VERSIONS;
629 break;
630
631#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
632 case MBEDTLS_TLS_EXT_SIG_ALG:
633 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found signature_algorithms extension" ) );
634
635 ret = mbedtls_ssl_tls13_parse_sig_alg_ext( ssl, p,
636 extension_data_end );
637 if( ret != 0 )
638 {
639 MBEDTLS_SSL_DEBUG_MSG( 1,
640 ( "ssl_parse_supported_signature_algorithms_server_ext ( %d )",
641 ret ) );
642 return( ret );
643 }
644 ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_SIG_ALG;
645 break;
646#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
647
648 default:
649 MBEDTLS_SSL_DEBUG_MSG( 3,
650 ( "unknown extension found: %ud ( ignoring )",
651 extension_type ) );
652 }
653
654 p += extension_data_len;
655 }
656
657 /* Update checksum with either
658 * - The entire content of the CH message, if no PSK extension is present
659 * - The content up to but excluding the PSK extension, if present.
660 */
XiaokangQian3f84d5d2022-04-19 06:36:17 +0000[diff] [blame]661 mbedtls_ssl_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_CLIENT_HELLO,
XiaokangQianc4b8c992022-04-07 11:31:38 +0000[diff] [blame]662 buf, p - buf );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]663
664 /* List all the extensions we have received */
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]665#if defined(MBEDTLS_DEBUG_C)
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]666 ssl_tls13_debug_print_client_hello_exts( ssl );
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]667#endif /* MBEDTLS_DEBUG_C */
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]668
669 /*
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]670 * Here we only support the ephemeral or (EC)DHE key echange mode
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]671 */
672
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]673 if( !ssl_tls13_check_ephemeral_key_exchange( ssl ) )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]674 {
675 MBEDTLS_SSL_DEBUG_MSG(
676 1,
677 ( "ClientHello message misses mandatory extensions." ) );
678 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_MISSING_EXTENSION ,
679 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
680 return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
681 }
682
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]683 return( 0 );
684}
685
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]686/* Update the handshake state machine */
687
XiaokangQiancfd925f2022-04-14 07:10:37 +0000[diff] [blame]688static int ssl_tls13_postprocess_client_hello( mbedtls_ssl_context* ssl )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]689{
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]690 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]691
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]692 ret = mbedtls_ssl_tls13_key_schedule_stage_early( ssl );
693 if( ret != 0 )
694 {
695 MBEDTLS_SSL_DEBUG_RET( 1,
696 "mbedtls_ssl_tls1_3_key_schedule_stage_early", ret );
697 return( ret );
698 }
699
700 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_HELLO );
701 return( 0 );
702
703}
704
705/*
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]706 * Main entry point from the state machine; orchestrates the otherfunctions.
707 */
708
709static int ssl_tls13_process_client_hello( mbedtls_ssl_context *ssl )
710{
711
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]712 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]713 unsigned char* buf = NULL;
714 size_t buflen = 0;
715 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse client hello" ) );
716
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]717 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_fetch_handshake_msg(
718 ssl, MBEDTLS_SSL_HS_CLIENT_HELLO,
719 &buf, &buflen ) );
720
721 MBEDTLS_SSL_PROC_CHK_NEG( ssl_tls13_parse_client_hello( ssl, buf,
722 buf + buflen ) );
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]723 MBEDTLS_SSL_DEBUG_MSG( 1, ( "postprocess" ) );
XiaokangQiancfd925f2022-04-14 07:10:37 +0000[diff] [blame]724 MBEDTLS_SSL_PROC_CHK( ssl_tls13_postprocess_client_hello( ssl ) );
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]725
726cleanup:
727
728 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse client hello" ) );
729 return( ret );
730}
731
732/*
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]733 * TLS and DTLS 1.3 State Maschine -- server side
734 */
Jerry Yu27561932021-08-27 17:07:38 +0800[diff] [blame]735int mbedtls_ssl_tls13_handshake_server_step( mbedtls_ssl_context *ssl )
Jerry Yub9930e72021-08-06 17:11:51 +0800[diff] [blame]736{
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]737 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]738
739 if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER || ssl->handshake == NULL )
740 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
741
Jerry Yue3b34122021-09-28 17:53:35 +0800[diff] [blame]742 MBEDTLS_SSL_DEBUG_MSG( 2, ( "tls13 server state: %s(%d)",
743 mbedtls_ssl_states_str( ssl->state ),
744 ssl->state ) );
Jerry Yu6e81b272021-09-27 11:16:17 +0800[diff] [blame]745
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]746 switch( ssl->state )
747 {
748 /* start state */
749 case MBEDTLS_SSL_HELLO_REQUEST:
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]750 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_HELLO );
751
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]752 ret = 0;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]753 break;
754
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]755 case MBEDTLS_SSL_CLIENT_HELLO:
756
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]757 ret = ssl_tls13_process_client_hello( ssl );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]758 if( ret != 0 )
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]759 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_tls13_process_client_hello", ret );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]760
761 break;
762
XiaokangQian3f84d5d2022-04-19 06:36:17 +0000[diff] [blame]763 case MBEDTLS_SSL_SERVER_HELLO:
764 MBEDTLS_SSL_DEBUG_MSG( 1, ( "SSL - The requested feature is not available" ) );
765 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
766
767 break;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]768 default:
769 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) );
770 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
771 }
772
773 return( ret );
Jerry Yub9930e72021-08-06 17:11:51 +0800[diff] [blame]774}
Jerry Yu3cc4c2a2021-08-06 16:29:08 +0800[diff] [blame]775
Jerry Yufb4b6472022-01-27 15:03:26 +0800[diff] [blame]776#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_PROTO_TLS1_3 */