TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / de33391fa009e5922d1157bdaac176b6f5eb3692 / . / library / ssl_tls13_server.c
blob: 2e0dd39c9cf118d52bc27974a242c3d639d0dd10 [file] [log] [blame]
Jerry Yu3cc4c2a2021-08-06 16:29:08 +0800[diff] [blame]1/*
Jerry Yub9930e72021-08-06 17:11:51 +0800[diff] [blame]2 * TLS 1.3 server-side functions
Jerry Yu3cc4c2a2021-08-06 16:29:08 +0800[diff] [blame]3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18*/
19
20#include "common.h"
21
Jerry Yufb4b6472022-01-27 15:03:26 +0800[diff] [blame]22#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
Jerry Yu3cc4c2a2021-08-06 16:29:08 +0800[diff] [blame]23
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]24#include "mbedtls/debug.h"
25
Jerry Yu3cc4c2a2021-08-06 16:29:08 +0800[diff] [blame]26#include "ssl_misc.h"
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]27#include "ssl_client.h"
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]28#include "ssl_tls13_keys.h"
Gilles Peskine923d5c92021-12-15 12:56:54 +0100[diff] [blame]29#include "ssl_debug_helpers.h"
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]30#include <string.h>
31#if defined(MBEDTLS_ECP_C)
32#include "mbedtls/ecp.h"
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]33#endif /* MBEDTLS_ECP_C */
Jerry Yu3cc4c2a2021-08-06 16:29:08 +0800[diff] [blame]34
XiaokangQiana9c58412022-02-17 09:41:26 +0000[diff] [blame]35#if defined(MBEDTLS_PLATFORM_C)
36#include "mbedtls/platform.h"
37#else
38#include <stdlib.h>
39#define mbedtls_calloc calloc
40#define mbedtls_free free
41#endif /* MBEDTLS_PLATFORM_C */
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]42
43/* From RFC 8446:
44 * struct {
XiaokangQiancfd925f2022-04-14 07:10:37 +0000[diff] [blame]45 * ProtocolVersion versions<2..254>;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]46 * } SupportedVersions;
47 */
48static int ssl_tls13_parse_supported_versions_ext( mbedtls_ssl_context *ssl,
49 const unsigned char *buf,
50 const unsigned char *end )
51{
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]52 const unsigned char *p = buf;
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]53 size_t versions_len;
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]54 const unsigned char *versions_end;
XiaokangQiande333912022-04-20 08:49:42 +0000[diff] [blame^]55 int tls_version;
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]56 int tls13_supported = 0;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]57
58 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 1 );
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]59 versions_len = p[0];
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]60 p += 1;
61
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]62 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, versions_len );
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]63 versions_end = p + versions_len;
64 while( p < versions_end )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]65 {
XiaokangQiancfd925f2022-04-14 07:10:37 +0000[diff] [blame]66 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, versions_end, 2 );
XiaokangQiande333912022-04-20 08:49:42 +0000[diff] [blame^]67 tls_version = mbedtls_ssl_read_version( p, ssl->conf->transport );
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]68 p += 2;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]69
70 /* In this implementation we only support TLS 1.3 and DTLS 1.3. */
XiaokangQiande333912022-04-20 08:49:42 +0000[diff] [blame^]71 if( tls_version == MBEDTLS_SSL_VERSION_TLS1_3 )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]72 {
73 tls13_supported = 1;
74 break;
75 }
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]76 }
77
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]78 if( !tls13_supported )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]79 {
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]80 MBEDTLS_SSL_DEBUG_MSG( 1, ( "TLS 1.3 is not supported by the client" ) );
81
82 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION,
83 MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION );
84 return( MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION );
85 }
86
XiaokangQiande333912022-04-20 08:49:42 +0000[diff] [blame^]87 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Negotiated version. Supported is [%04x]",
88 tls_version ) );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]89
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]90 return( 0 );
91}
92
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]93#if defined(MBEDTLS_ECDH_C)
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]94/* This function parses the TLS 1.3 supported_groups extension and
95 * stores the received groups in ssl->handshake->curves.
96 *
97 * From RFC 8446:
98 * enum {
99 * ... (0xFFFF)
100 * } NamedGroup;
101 * struct {
102 * NamedGroup named_group_list<2..2^16-1>;
103 * } NamedGroupList;
104 */
XiaokangQiancfd925f2022-04-14 07:10:37 +0000[diff] [blame]105static int ssl_tls13_parse_supported_groups_ext(
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]106 mbedtls_ssl_context *ssl,
107 const unsigned char *buf, const unsigned char *end )
108{
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]109 const unsigned char *p = buf;
XiaokangQian84823772022-04-19 07:57:30 +0000[diff] [blame]110 size_t named_group_list_len;
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]111 const unsigned char *named_group_list_end;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]112
113 MBEDTLS_SSL_DEBUG_BUF( 3, "supported_groups extension", p, end - buf );
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]114 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]115 named_group_list_len = MBEDTLS_GET_UINT16_BE( p, 0 );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]116 p += 2;
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]117 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, named_group_list_len );
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]118 named_group_list_end = p + named_group_list_len;
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]119 ssl->handshake->hrr_selected_group = 0;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]120
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]121 while( p < named_group_list_end )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]122 {
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]123 uint16_t named_group;
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]124 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, named_group_list_end, 2 );
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]125 named_group = MBEDTLS_GET_UINT16_BE( p, 0 );
126 p += 2;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]127
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]128 MBEDTLS_SSL_DEBUG_MSG(
129 2, ( "got named group: %d",
130 named_group ) );
131
132 if( ! mbedtls_ssl_named_group_is_offered( ssl, named_group ) ||
133 ! mbedtls_ssl_named_group_is_supported( named_group ) ||
134 ssl->handshake->hrr_selected_group != 0 )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]135 {
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]136 continue;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]137 }
138
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]139 MBEDTLS_SSL_DEBUG_MSG(
140 2, ( "add named group (%04x) into received list.",
141 named_group ) );
142 ssl->handshake->hrr_selected_group = named_group;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]143 }
144
145 return( 0 );
146
147}
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]148#endif /* MBEDTLS_ECDH_C */
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]149
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]150#define SSL_TLS1_3_PARSE_KEY_SHARES_EXT_NO_MATCH 1
151
XiaokangQian88408882022-04-02 10:15:03 +0000[diff] [blame]152#if defined(MBEDTLS_ECDH_C)
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]153/*
154 * ssl_tls13_parse_key_shares_ext() verifies whether the information in the
155 * extension is correct and stores the provided key shares. Whether this is an
156 * acceptable key share depends on the selected ciphersuite.
157 *
158 * Possible return values are:
159 * - 0: Successful processing of the client provided key share extension.
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]160 * - SSL_TLS1_3_PARSE_KEY_SHARES_EXT_NO_MATCH: The key shares provided by the client
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]161 * does not match a group supported by the server. A HelloRetryRequest will
162 * be needed.
163 * - Another negative return value for fatal errors.
164*/
165
166static int ssl_tls13_parse_key_shares_ext( mbedtls_ssl_context *ssl,
167 const unsigned char *buf,
168 const unsigned char *end )
169{
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]170 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]171 unsigned char const *p = buf;
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]172 unsigned char const *client_shares_end;
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]173 size_t client_shares_len, key_exchange_len;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]174 int match_found = 0;
175
176 /* From RFC 8446:
177 *
178 * struct {
179 * KeyShareEntry client_shares<0..2^16-1>;
180 * } KeyShareClientHello;
181 *
182 */
183
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]184 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]185 client_shares_len = MBEDTLS_GET_UINT16_BE( p, 0 );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]186 p += 2;
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]187 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, client_shares_len );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]188
189 ssl->handshake->offered_group_id = 0;
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]190 client_shares_end = p + client_shares_len;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]191
192 /* We try to find a suitable key share entry and copy it to the
193 * handshake context. Later, we have to find out whether we can do
194 * something with the provided key share or whether we have to
XiaokangQianc5763b52022-04-02 03:34:37 +0000[diff] [blame]195 * dismiss it and send a HelloRetryRequest message.
196 */
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]197
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]198 for( ; p < client_shares_end; p += key_exchange_len )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]199 {
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000[diff] [blame]200 uint16_t group;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]201
202 /*
203 * struct {
204 * NamedGroup group;
205 * opaque key_exchange<1..2^16-1>;
206 * } KeyShareEntry;
207 */
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]208 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, client_shares_end, 4 );
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000[diff] [blame]209 group = MBEDTLS_GET_UINT16_BE( p, 0 );
210 p += 2;
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]211 key_exchange_len = MBEDTLS_GET_UINT16_BE( p, 0 );
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000[diff] [blame]212 p += 2;
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]213 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, client_shares_end, key_exchange_len );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]214
215 /* Continue parsing even if we have already found a match,
XiaokangQianc5763b52022-04-02 03:34:37 +0000[diff] [blame]216 * for input validation purposes.
217 */
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]218 if( match_found == 1 )
219 continue;
220
221 /*
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]222 * For now, we only support ECDHE groups.
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]223 */
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000[diff] [blame]224 if( mbedtls_ssl_tls13_named_group_is_ecdhe( group ) )
225 {
226 const mbedtls_ecp_curve_info *curve_info =
227 mbedtls_ecp_curve_info_from_tls_id( group );
228 if( curve_info == NULL )
229 {
230 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Invalid TLS curve group id" ) );
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]231 continue;
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000[diff] [blame]232 }
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]233
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000[diff] [blame]234 match_found = 1;
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000[diff] [blame]235 MBEDTLS_SSL_DEBUG_MSG( 2, ( "ECDH curve: %s", curve_info->name ) );
XiaokangQian3f84d5d2022-04-19 06:36:17 +0000[diff] [blame]236 ret = psa_crypto_init();
237 if( ret != PSA_SUCCESS )
238 {
239 MBEDTLS_SSL_DEBUG_RET( 1, "psa_crypto_init()", ret );
240 return( ret );
241 }
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]242 ret = mbedtls_ssl_tls13_read_public_ecdhe_share( ssl, p - 2, key_exchange_len + 2 );
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000[diff] [blame]243 if( ret != 0 )
244 return( ret );
245 }
246 else
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]247 {
248 MBEDTLS_SSL_DEBUG_MSG( 4, ( "Unrecognized NamedGroup %u",
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000[diff] [blame]249 (unsigned) group ) );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]250 continue;
251 }
252
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000[diff] [blame]253 ssl->handshake->offered_group_id = group;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]254 }
255
256 if( match_found == 0 )
257 {
258 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no matching key share" ) );
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]259 return( SSL_TLS1_3_PARSE_KEY_SHARES_EXT_NO_MATCH );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]260 }
261 return( 0 );
262}
XiaokangQian88408882022-04-02 10:15:03 +0000[diff] [blame]263#endif /* MBEDTLS_ECDH_C */
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]264
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]265#if defined(MBEDTLS_DEBUG_C)
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]266static void ssl_tls13_debug_print_client_hello_exts( mbedtls_ssl_context *ssl )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]267{
XiaokangQian3207a322022-02-23 03:15:27 +0000[diff] [blame]268 ((void) ssl);
269
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]270 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Supported Extensions:" ) );
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]271 MBEDTLS_SSL_DEBUG_MSG( 3,
272 ( "- KEY_SHARE_EXTENSION ( %s )",
273 ( ( ssl->handshake->extensions_present
274 & MBEDTLS_SSL_EXT_KEY_SHARE ) > 0 ) ? "TRUE" : "FALSE" ) );
275 MBEDTLS_SSL_DEBUG_MSG( 3,
276 ( "- PSK_KEY_EXCHANGE_MODES_EXTENSION ( %s )",
277 ( ( ssl->handshake->extensions_present
278 & MBEDTLS_SSL_EXT_PSK_KEY_EXCHANGE_MODES ) > 0 ) ?
279 "TRUE" : "FALSE" ) );
280 MBEDTLS_SSL_DEBUG_MSG( 3,
281 ( "- PRE_SHARED_KEY_EXTENSION ( %s )",
282 ( ( ssl->handshake->extensions_present
283 & MBEDTLS_SSL_EXT_PRE_SHARED_KEY ) > 0 ) ? "TRUE" : "FALSE" ) );
284 MBEDTLS_SSL_DEBUG_MSG( 3,
285 ( "- SIGNATURE_ALGORITHM_EXTENSION ( %s )",
286 ( ( ssl->handshake->extensions_present
287 & MBEDTLS_SSL_EXT_SIG_ALG ) > 0 ) ? "TRUE" : "FALSE" ) );
288 MBEDTLS_SSL_DEBUG_MSG( 3,
289 ( "- SUPPORTED_GROUPS_EXTENSION ( %s )",
290 ( ( ssl->handshake->extensions_present
291 & MBEDTLS_SSL_EXT_SUPPORTED_GROUPS ) >0 ) ?
292 "TRUE" : "FALSE" ) );
293 MBEDTLS_SSL_DEBUG_MSG( 3,
294 ( "- SUPPORTED_VERSION_EXTENSION ( %s )",
295 ( ( ssl->handshake->extensions_present
296 & MBEDTLS_SSL_EXT_SUPPORTED_VERSIONS ) > 0 ) ?
297 "TRUE" : "FALSE" ) );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]298#if defined ( MBEDTLS_SSL_SERVER_NAME_INDICATION )
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]299 MBEDTLS_SSL_DEBUG_MSG( 3,
300 ( "- SERVERNAME_EXTENSION ( %s )",
301 ( ( ssl->handshake->extensions_present
302 & MBEDTLS_SSL_EXT_SERVERNAME ) > 0 ) ?
303 "TRUE" : "FALSE" ) );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]304#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]305}
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]306#endif /* MBEDTLS_DEBUG_C */
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]307
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]308static int ssl_tls13_client_hello_has_exts( mbedtls_ssl_context *ssl,
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]309 int exts_mask )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]310{
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]311 int masked = ssl->handshake->extensions_present & exts_mask;
312 return( masked == exts_mask );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]313}
314
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]315static int ssl_tls13_client_hello_has_exts_for_ephemeral_key_exchange(
316 mbedtls_ssl_context *ssl )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]317{
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]318 return( ssl_tls13_client_hello_has_exts( ssl,
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]319 MBEDTLS_SSL_EXT_SUPPORTED_GROUPS |
320 MBEDTLS_SSL_EXT_KEY_SHARE |
321 MBEDTLS_SSL_EXT_SIG_ALG ) );
322}
323
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]324static int ssl_tls13_check_ephemeral_key_exchange( mbedtls_ssl_context *ssl )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]325{
326 if( !mbedtls_ssl_conf_tls13_ephemeral_enabled( ssl ) )
327 return( 0 );
328
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]329 if( !ssl_tls13_client_hello_has_exts_for_ephemeral_key_exchange( ssl ) )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]330 return( 0 );
331
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]332 ssl->handshake->tls13_kex_modes =
333 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]334 return( 1 );
335}
336
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]337/*
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]338 *
339 * STATE HANDLING: ClientHello
340 *
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]341 * There are three possible classes of outcomes when parsing the ClientHello:
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]342 *
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]343 * 1) The ClientHello was well-formed and matched the server's configuration.
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]344 *
345 * In this case, the server progresses to sending its ServerHello.
346 *
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]347 * 2) The ClientHello was well-formed but didn't match the server's
348 * configuration.
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]349 *
350 * For example, the client might not have offered a key share which
351 * the server supports, or the server might require a cookie.
352 *
353 * In this case, the server sends a HelloRetryRequest.
354 *
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]355 * 3) The ClientHello was ill-formed
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]356 *
357 * In this case, we abort the handshake.
358 *
359 */
360
361/*
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]362 * Structure of this message:
363 *
364 * uint16 ProtocolVersion;
365 * opaque Random[32];
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]366 * uint8 CipherSuite[2]; // Cryptographic suite selector
367 *
368 * struct {
369 * ProtocolVersion legacy_version = 0x0303; // TLS v1.2
370 * Random random;
371 * opaque legacy_session_id<0..32>;
372 * CipherSuite cipher_suites<2..2^16-2>;
373 * opaque legacy_compression_methods<1..2^8-1>;
374 * Extension extensions<8..2^16-1>;
375 * } ClientHello;
376 */
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]377
378#define SSL_CLIENT_HELLO_OK 0
379#define SSL_CLIENT_HELLO_HRR_REQUIRED 1
380
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]381static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl,
382 const unsigned char *buf,
383 const unsigned char *end )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]384{
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]385 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
386 const unsigned char *p = buf;
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]387 size_t legacy_session_id_len;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]388 size_t cipher_suites_len;
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]389 const unsigned char *cipher_suites_start;
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]390 size_t extensions_len;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]391 const unsigned char *extensions_end;
392
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]393 const mbedtls_ssl_ciphersuite_t* ciphersuite_info;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]394 int hrr_required = 0;
395
396 ssl->handshake->extensions_present = MBEDTLS_SSL_EXT_NONE;
397
398 /*
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]399 * ClientHello layout:
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]400 * 0 . 1 protocol version
401 * 2 . 33 random bytes ( starting with 4 bytes of Unix time )
XiaokangQianc5763b52022-04-02 03:34:37 +0000[diff] [blame]402 * 34 . 34 session id length ( 1 byte )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]403 * 35 . 34+x session id
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]404 * .. . .. ciphersuite list length ( 2 bytes )
405 * .. . .. ciphersuite list
406 * .. . .. compression alg. list length ( 1 byte )
407 * .. . .. compression alg. list
408 * .. . .. extensions length ( 2 bytes, optional )
409 * .. . .. extensions ( optional )
410 */
411
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]412 /*
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]413 * Minimal length ( with everything empty and extensions ommitted ) is
414 * 2 + 32 + 1 + 2 + 1 = 38 bytes. Check that first, so that we can
415 * read at least up to session id length without worrying.
416 */
417 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 38 );
418
419 /* ...
420 * ProtocolVersion legacy_version = 0x0303; // TLS 1.2
421 * ...
422 * with ProtocolVersion defined as:
423 * uint16 ProtocolVersion;
424 */
XiaokangQiande333912022-04-20 08:49:42 +0000[diff] [blame^]425 if( mbedtls_ssl_read_version( p, ssl->conf->transport ) !=
426 MBEDTLS_SSL_VERSION_TLS1_2 )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]427 {
428 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Unsupported version of TLS." ) );
429 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION,
430 MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION );
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]431 return ( MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]432 }
433 p += 2;
434
435 /*
XiaokangQianf8ceb942022-04-15 11:43:27 +0000[diff] [blame]436 * Only support TLS 1.3 currently, temporarily set the version.
437 */
XiaokangQiande333912022-04-20 08:49:42 +0000[diff] [blame^]438 ssl->tls_version = MBEDTLS_SSL_VERSION_TLS1_3;
XiaokangQianf8ceb942022-04-15 11:43:27 +0000[diff] [blame]439
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]440 /* ---
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]441 * Random random;
442 * ---
443 * with Random defined as:
444 * opaque Random[32];
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]445 */
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]446 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, random bytes",
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]447 p, MBEDTLS_CLIENT_HELLO_RANDOM_LEN );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]448
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]449 memcpy( &ssl->handshake->randbytes[0], p, MBEDTLS_CLIENT_HELLO_RANDOM_LEN );
450 p += MBEDTLS_CLIENT_HELLO_RANDOM_LEN;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]451
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]452 /* ---
453 * opaque legacy_session_id<0..32>;
454 * ---
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]455 */
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]456 legacy_session_id_len = p[0];
XiaokangQianc5763b52022-04-02 03:34:37 +0000[diff] [blame]457 p++;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]458
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]459 if( legacy_session_id_len > sizeof( ssl->session_negotiate->id ) )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]460 {
461 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
462 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
463 }
464
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]465 ssl->session_negotiate->id_len = legacy_session_id_len;
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]466 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, session id",
467 buf, legacy_session_id_len );
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]468 /*
469 * Check we have enough data for the legacy session identifier
470 * and the ciphersuite list length.
471 */
472 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, legacy_session_id_len + 2 );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]473
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]474 memcpy( &ssl->session_negotiate->id[0], p, legacy_session_id_len );
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]475 p += legacy_session_id_len;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]476
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]477 cipher_suites_len = MBEDTLS_GET_UINT16_BE( p, 0 );
478 p += 2;
479
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]480 /* Check we have enough data for the ciphersuite list, the legacy
481 * compression methods and the length of the extensions.
482 */
483 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, cipher_suites_len + 2 + 2 );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]484
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]485 /* ---
486 * CipherSuite cipher_suites<2..2^16-2>;
487 * ---
488 * with CipherSuite defined as:
489 * uint8 CipherSuite[2];
490 */
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]491 cipher_suites_start = p;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]492 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist",
493 p, cipher_suites_len );
XiaokangQian17f974c2022-04-19 09:57:41 +0000[diff] [blame]494 /*
495 * Search for a matching ciphersuite
496 */
497 size_t ciphersuite_exist = 0;
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]498 uint16_t cipher_suite;
XiaokangQian17f974c2022-04-19 09:57:41 +0000[diff] [blame]499 ciphersuite_info = NULL;
500 for ( size_t j = 0; j < cipher_suites_len;
501 j += 2, p += 2 )
502 {
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]503 cipher_suite = MBEDTLS_GET_UINT16_BE( p, 0 );
504 ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(
505 cipher_suite );
506 /*
507 * Check whether this ciphersuite is valid and offered.
508 */
509 if( ( mbedtls_ssl_validate_ciphersuite(
XiaokangQiande333912022-04-20 08:49:42 +0000[diff] [blame^]510 ssl, ciphersuite_info, ssl->tls_version,
511 ssl->tls_version ) != 0 ) ||
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]512 !mbedtls_ssl_tls13_cipher_suite_is_offered( ssl, cipher_suite ) )
513 continue;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]514
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]515 ssl->session_negotiate->ciphersuite = cipher_suite;
516 ssl->handshake->ciphersuite_info = ciphersuite_info;
517 ciphersuite_exist = 1;
XiaokangQian17f974c2022-04-19 09:57:41 +0000[diff] [blame]518
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]519 break;
XiaokangQian17f974c2022-04-19 09:57:41 +0000[diff] [blame]520
XiaokangQian17f974c2022-04-19 09:57:41 +0000[diff] [blame]521 }
522
523 if( !ciphersuite_exist )
524 return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
525
526 MBEDTLS_SSL_DEBUG_MSG( 2, ( "selected ciphersuite: %s",
527 ciphersuite_info->name ) );
528
529 p = cipher_suites_start + cipher_suites_len;
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]530 /* ...
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]531 * opaque legacy_compression_methods<1..2^8-1>;
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]532 * ...
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]533 */
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]534 if( p[0] != 1 || p[1] != 0 )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]535 {
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]536 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad legacy compression method" ) );
537 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
538 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
539 return ( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]540 }
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]541 p += 2;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]542
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]543 /* ---
544 * Extension extensions<8..2^16-1>;
545 * ---
546 * with Extension defined as:
547 * struct {
548 * ExtensionType extension_type;
549 * opaque extension_data<0..2^16-1>;
550 * } Extension;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]551 */
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]552 extensions_len = MBEDTLS_GET_UINT16_BE( p, 0 );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]553 p += 2;
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]554 extensions_end = p + extensions_len;
555 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, extensions_len );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]556
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]557 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello extensions", p, extensions_len );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]558
559 while( p < extensions_end )
560 {
561 unsigned int extension_type;
562 size_t extension_data_len;
563 const unsigned char *extension_data_end;
564
565 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 4 );
566 extension_type = MBEDTLS_GET_UINT16_BE( p, 0 );
567 extension_data_len = MBEDTLS_GET_UINT16_BE( p, 2 );
568 p += 4;
569
570 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, extension_data_len );
571 extension_data_end = p + extension_data_len;
572
573 switch( extension_type )
574 {
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]575#if defined(MBEDTLS_ECDH_C)
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]576 case MBEDTLS_TLS_EXT_SUPPORTED_GROUPS:
577 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported group extension" ) );
578
579 /* Supported Groups Extension
580 *
581 * When sent by the client, the "supported_groups" extension
582 * indicates the named groups which the client supports,
583 * ordered from most preferred to least preferred.
584 */
XiaokangQiancfd925f2022-04-14 07:10:37 +0000[diff] [blame]585 ret = ssl_tls13_parse_supported_groups_ext( ssl, p,
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]586 extension_data_end );
587 if( ret != 0 )
588 {
589 MBEDTLS_SSL_DEBUG_RET( 1,
590 "mbedtls_ssl_parse_supported_groups_ext", ret );
591 return( ret );
592 }
593
594 ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_SUPPORTED_GROUPS;
595 break;
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]596#endif /* MBEDTLS_ECDH_C */
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]597
XiaokangQian88408882022-04-02 10:15:03 +0000[diff] [blame]598#if defined(MBEDTLS_ECDH_C)
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]599 case MBEDTLS_TLS_EXT_KEY_SHARE:
600 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found key share extension" ) );
601
602 /*
603 * Key Share Extension
604 *
605 * When sent by the client, the "key_share" extension
606 * contains the endpoint's cryptographic parameters for
607 * ECDHE/DHE key establishment methods.
608 */
609 ret = ssl_tls13_parse_key_shares_ext( ssl, p, extension_data_end );
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]610 if( ret == SSL_TLS1_3_PARSE_KEY_SHARES_EXT_NO_MATCH )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]611 {
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]612 MBEDTLS_SSL_DEBUG_MSG( 2, ( "HRR needed " ) );
613 ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]614 }
615
616 if( ret != 0 )
617 return( ret );
618
619 ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_KEY_SHARE;
620 break;
XiaokangQian88408882022-04-02 10:15:03 +0000[diff] [blame]621#endif /* MBEDTLS_ECDH_C */
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]622
623 case MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS:
624 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported versions extension" ) );
625
626 ret = ssl_tls13_parse_supported_versions_ext(
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]627 ssl, p, extension_data_end );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]628 if( ret != 0 )
629 {
630 MBEDTLS_SSL_DEBUG_RET( 1,
631 ( "ssl_tls13_parse_supported_versions_ext" ), ret );
632 return( ret );
633 }
634 ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_SUPPORTED_VERSIONS;
635 break;
636
637#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
638 case MBEDTLS_TLS_EXT_SIG_ALG:
639 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found signature_algorithms extension" ) );
640
641 ret = mbedtls_ssl_tls13_parse_sig_alg_ext( ssl, p,
642 extension_data_end );
643 if( ret != 0 )
644 {
645 MBEDTLS_SSL_DEBUG_MSG( 1,
646 ( "ssl_parse_supported_signature_algorithms_server_ext ( %d )",
647 ret ) );
648 return( ret );
649 }
650 ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_SIG_ALG;
651 break;
652#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
653
654 default:
655 MBEDTLS_SSL_DEBUG_MSG( 3,
656 ( "unknown extension found: %ud ( ignoring )",
657 extension_type ) );
658 }
659
660 p += extension_data_len;
661 }
662
663 /* Update checksum with either
664 * - The entire content of the CH message, if no PSK extension is present
665 * - The content up to but excluding the PSK extension, if present.
666 */
XiaokangQian3f84d5d2022-04-19 06:36:17 +0000[diff] [blame]667 mbedtls_ssl_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_CLIENT_HELLO,
XiaokangQianc4b8c992022-04-07 11:31:38 +0000[diff] [blame]668 buf, p - buf );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]669
670 /* List all the extensions we have received */
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]671#if defined(MBEDTLS_DEBUG_C)
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]672 ssl_tls13_debug_print_client_hello_exts( ssl );
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]673#endif /* MBEDTLS_DEBUG_C */
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]674
675 /*
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]676 * Here we only support the ephemeral or (EC)DHE key echange mode
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]677 */
678
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]679 if( !ssl_tls13_check_ephemeral_key_exchange( ssl ) )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]680 {
681 MBEDTLS_SSL_DEBUG_MSG(
682 1,
683 ( "ClientHello message misses mandatory extensions." ) );
684 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_MISSING_EXTENSION ,
685 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
686 return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
687 }
688
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]689 if( hrr_required == 1 )
690 return( SSL_CLIENT_HELLO_HRR_REQUIRED );
691
692 return( 0 );
693}
694
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]695/* Update the handshake state machine */
696
XiaokangQiancfd925f2022-04-14 07:10:37 +0000[diff] [blame]697static int ssl_tls13_postprocess_client_hello( mbedtls_ssl_context* ssl )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]698{
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]699 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]700
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]701 ret = mbedtls_ssl_tls13_key_schedule_stage_early( ssl );
702 if( ret != 0 )
703 {
704 MBEDTLS_SSL_DEBUG_RET( 1,
705 "mbedtls_ssl_tls1_3_key_schedule_stage_early", ret );
706 return( ret );
707 }
708
709 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_HELLO );
710 return( 0 );
711
712}
713
714/*
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]715 * Main entry point from the state machine; orchestrates the otherfunctions.
716 */
717
718static int ssl_tls13_process_client_hello( mbedtls_ssl_context *ssl )
719{
720
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]721 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]722 unsigned char* buf = NULL;
723 size_t buflen = 0;
724 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse client hello" ) );
725
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]726 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_fetch_handshake_msg(
727 ssl, MBEDTLS_SSL_HS_CLIENT_HELLO,
728 &buf, &buflen ) );
729
730 MBEDTLS_SSL_PROC_CHK_NEG( ssl_tls13_parse_client_hello( ssl, buf,
731 buf + buflen ) );
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]732 MBEDTLS_SSL_DEBUG_MSG( 1, ( "postprocess" ) );
XiaokangQiancfd925f2022-04-14 07:10:37 +0000[diff] [blame]733 MBEDTLS_SSL_PROC_CHK( ssl_tls13_postprocess_client_hello( ssl ) );
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]734
735cleanup:
736
737 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse client hello" ) );
738 return( ret );
739}
740
741/*
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]742 * TLS and DTLS 1.3 State Maschine -- server side
743 */
Jerry Yu27561932021-08-27 17:07:38 +0800[diff] [blame]744int mbedtls_ssl_tls13_handshake_server_step( mbedtls_ssl_context *ssl )
Jerry Yub9930e72021-08-06 17:11:51 +0800[diff] [blame]745{
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]746 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]747
748 if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER || ssl->handshake == NULL )
749 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
750
Jerry Yue3b34122021-09-28 17:53:35 +0800[diff] [blame]751 MBEDTLS_SSL_DEBUG_MSG( 2, ( "tls13 server state: %s(%d)",
752 mbedtls_ssl_states_str( ssl->state ),
753 ssl->state ) );
Jerry Yu6e81b272021-09-27 11:16:17 +0800[diff] [blame]754
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]755 switch( ssl->state )
756 {
757 /* start state */
758 case MBEDTLS_SSL_HELLO_REQUEST:
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]759 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_HELLO );
760
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]761 ret = 0;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]762 break;
763
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]764 case MBEDTLS_SSL_CLIENT_HELLO:
765
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]766 ret = ssl_tls13_process_client_hello( ssl );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]767 if( ret != 0 )
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]768 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_tls13_process_client_hello", ret );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]769
770 break;
771
XiaokangQian3f84d5d2022-04-19 06:36:17 +0000[diff] [blame]772 case MBEDTLS_SSL_SERVER_HELLO:
773 MBEDTLS_SSL_DEBUG_MSG( 1, ( "SSL - The requested feature is not available" ) );
774 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
775
776 break;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]777 default:
778 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) );
779 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
780 }
781
782 return( ret );
Jerry Yub9930e72021-08-06 17:11:51 +0800[diff] [blame]783}
Jerry Yu3cc4c2a2021-08-06 16:29:08 +0800[diff] [blame]784
Jerry Yufb4b6472022-01-27 15:03:26 +0800[diff] [blame]785#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_PROTO_TLS1_3 */