Blame - library/ssl_tls13_client.c - mirror/mbed-tls

2021-08-06 16:29:08 +0800

[diff] [blame]

1

/*

2

* TLS 1.3 client-side functions

3

*

4

* Copyright The Mbed TLS Contributors

Dave Rodgman

16799db

2023-11-02 19:47:20 +0000

[diff] [blame]

5

* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later

Jerry Yu

2021-08-06 16:29:08 +0800

[diff] [blame]

6

*/

7

Harry Ramsey

0f6bc41

2024-10-04 10:36:54 +0100

[diff] [blame]

8

#include "ssl_misc.h"

Jerry Yu

2021-08-06 16:29:08 +0800

[diff] [blame]

9

Jerry Yu

cc43c6b

2022-01-28 10:24:45 +0800

[diff] [blame]

10

#if defined(MBEDTLS_SSL_CLI_C) && defined(MBEDTLS_SSL_PROTO_TLS1_3)

Jerry Yu

2021-08-06 16:29:08 +0800

[diff] [blame]

11

Jerry Yu

2021-08-24 15:59:48 +0800

[diff] [blame]

12

#include <string.h>

13

Valerio Setti

b4f5076

2024-01-17 10:24:52 +0100

[diff] [blame]

14

#include "debug_internal.h"

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

15

#include "mbedtls/error.h"

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

16

#include "mbedtls/platform.h"

Jerry Yu

a13c7e7

2021-08-17 10:44:40 +0800

[diff] [blame]

17

Ronald Cron

3d580bf

2022-02-18 17:24:56 +0100

[diff] [blame]

18

#include "ssl_client.h"

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

19

#include "ssl_tls13_keys.h"

Jerry Yu

2022-08-04 16:55:10 +0800

[diff] [blame]

20

#include "ssl_debug_helpers.h"

Valerio Setti

384fbde

2024-01-02 13:26:40 +0100

[diff] [blame]

21

#include "mbedtls/psa_util.h"

Jerry Yu

bdc7188

2021-09-14 19:30:36 +0800

[diff] [blame]

22

Valerio Setti

2023-07-25 11:23:50 +0200

[diff] [blame]

23

#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)

Andrzej Kurek

0064484

2023-05-30 05:45:00 -0400

[diff] [blame]

24

/* Define a local translating function to save code size by not using too many

25

* arguments in each translating place. */

26

static int local_err_translation(psa_status_t status)

27

{

28

return psa_status_to_mbedtls(status, psa_to_ssl_errors,

Andrzej Kurek

1e4a030

2023-05-30 09:45:17 -0400

[diff] [blame]

29

ARRAY_LENGTH(psa_to_ssl_errors),

Andrzej Kurek

0064484

2023-05-30 05:45:00 -0400

[diff] [blame]

30

psa_generic_status_to_mbedtls);

31

}

32

#define PSA_TO_MBEDTLS_ERR(status) local_err_translation(status)

Andrzej Kurek

a6033ac

2023-05-30 15:16:34 -0400

[diff] [blame]

33

#endif

34

Jerry Yu

2021-08-24 15:59:48 +0800

[diff] [blame]

35

/* Write extensions */

36

Jerry Yu

2021-08-27 16:59:09 +0800

[diff] [blame]

37

/*

38

* ssl_tls13_write_supported_versions_ext():

39

*

40

* struct {

41

* ProtocolVersion versions<2..254>;

42

* } SupportedVersions;

43

*/

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

44

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

45

static int ssl_tls13_write_supported_versions_ext(mbedtls_ssl_context *ssl,

46

unsigned char *buf,

47

unsigned char *end,

48

size_t *out_len)

Jerry Yu

2021-08-27 16:59:09 +0800

[diff] [blame]

49

{

50

unsigned char *p = buf;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

51

unsigned char versions_len = (ssl->handshake->min_tls_version <=

52

MBEDTLS_SSL_VERSION_TLS1_2) ? 4 : 2;

Jerry Yu

2021-08-27 16:59:09 +0800

[diff] [blame]

53

Xiaofei Bai

d25fab6

2021-12-02 06:36:27 +0000

[diff] [blame]

54

*out_len = 0;

Jerry Yu

2021-08-27 16:59:09 +0800

[diff] [blame]

55

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

56

MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, adding supported versions extension"));

Jerry Yu

2021-08-27 16:59:09 +0800

[diff] [blame]

57

Jerry Yu

2021-09-15 18:41:02 +0800

[diff] [blame]

58

/* Check if we have space to write the extension:

Jerry Yu

2021-09-08 16:41:02 +0800

[diff] [blame]

59

* - extension_type (2 bytes)

60

* - extension_data_length (2 bytes)

61

* - versions_length (1 byte )

Ronald Cron

a77fc27

2022-03-30 17:20:47 +0200

[diff] [blame]

62

* - versions (2 or 4 bytes)

Jerry Yu

159c5a0

2021-08-31 12:51:25 +0800

[diff] [blame]

63

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

64

MBEDTLS_SSL_CHK_BUF_PTR(p, end, 5 + versions_len);

Ronald Cron

2022-02-10 14:35:27 +0100

[diff] [blame]

65

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

66

MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS, p, 0);

67

MBEDTLS_PUT_UINT16_BE(versions_len + 1, p, 2);

Jerry Yu

eecfbf0

2021-08-30 18:32:07 +0800

[diff] [blame]

68

p += 4;

Jerry Yu

2021-08-27 16:59:09 +0800

[diff] [blame]

69

Jerry Yu

1bc2c1f

2021-09-01 12:57:29 +0800

[diff] [blame]

70

/* Length of versions */

Ronald Cron

2022-02-10 14:35:27 +0100

[diff] [blame]

71

*p++ = versions_len;

Jerry Yu

2021-08-27 16:59:09 +0800

[diff] [blame]

72

Jerry Yu

0c63af6

2021-09-02 12:59:12 +0800

[diff] [blame]

73

/* Write values of supported versions.

Jerry Yu

0c63af6

2021-09-02 12:59:12 +0800

[diff] [blame]

74

* They are defined by the configuration.

Ronald Cron

2022-02-10 14:35:27 +0100

[diff] [blame]

75

* Currently, we advertise only TLS 1.3 or both TLS 1.3 and TLS 1.2.

Jerry Yu

2021-08-27 16:59:09 +0800

[diff] [blame]

76

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

77

mbedtls_ssl_write_version(p, MBEDTLS_SSL_TRANSPORT_STREAM,

78

MBEDTLS_SSL_VERSION_TLS1_3);

79

MBEDTLS_SSL_DEBUG_MSG(3, ("supported version: [3:4]"));

Jerry Yu

2021-08-27 16:59:09 +0800

[diff] [blame]

80

Jerry Yu

2021-08-27 16:59:09 +0800

[diff] [blame]

81

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

82

if (ssl->handshake->min_tls_version <= MBEDTLS_SSL_VERSION_TLS1_2) {

83

mbedtls_ssl_write_version(p + 2, MBEDTLS_SSL_TRANSPORT_STREAM,

84

MBEDTLS_SSL_VERSION_TLS1_2);

85

MBEDTLS_SSL_DEBUG_MSG(3, ("supported version: [3:3]"));

Ronald Cron

2022-02-10 14:35:27 +0100

[diff] [blame]

86

}

87

88

*out_len = 5 + versions_len;

Jerry Yu

2022-10-31 13:31:22 +0800

[diff] [blame]

89

Jerry Yu

2022-10-29 09:08:47 +0800

[diff] [blame]

90

mbedtls_ssl_tls13_set_hs_sent_ext_mask(

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

91

ssl, MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS);

Jerry Yu

2022-10-31 13:31:22 +0800

[diff] [blame]

92

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

93

return 0;

Jerry Yu

2021-08-27 16:59:09 +0800

[diff] [blame]

94

}

Jerry Yu

2021-08-24 15:59:48 +0800

[diff] [blame]

95

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

96

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

97

static int ssl_tls13_parse_supported_versions_ext(mbedtls_ssl_context *ssl,

98

const unsigned char *buf,

99

const unsigned char *end)

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

100

{

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

101

((void) ssl);

102

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

103

MBEDTLS_SSL_CHK_BUF_READ_PTR(buf, end, 2);

104

if (mbedtls_ssl_read_version(buf, ssl->conf->transport) !=

105

MBEDTLS_SSL_VERSION_TLS1_3) {

106

MBEDTLS_SSL_DEBUG_MSG(1, ("unexpected version"));

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

107

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

108

MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,

109

MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);

110

return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

111

}

112

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

113

if (&buf[2] != end) {

Xiaokang Qian

91bb3f0

2023-04-03 09:07:03 +0000

[diff] [blame]

114

MBEDTLS_SSL_DEBUG_MSG(

115

1, ("supported_versions ext data length incorrect"));

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

116

MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,

117

MBEDTLS_ERR_SSL_DECODE_ERROR);

118

return MBEDTLS_ERR_SSL_DECODE_ERROR;

Ronald Cron

9847338

2022-03-30 20:04:10 +0200

[diff] [blame]

119

}

120

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

121

return 0;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

122

}

123

lhuang04

2022-01-21 07:34:27 -0800

[diff] [blame]

124

#if defined(MBEDTLS_SSL_ALPN)

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

125

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

126

static int ssl_tls13_parse_alpn_ext(mbedtls_ssl_context *ssl,

127

const unsigned char *buf, size_t len)

lhuang04

2022-01-21 07:34:27 -0800

[diff] [blame]

128

{

lhuang04

2022-01-21 07:34:27 -0800

[diff] [blame]

129

const unsigned char *p = buf;

130

const unsigned char *end = buf + len;

Ronald Cron

81a334f

2022-05-31 16:04:11 +0200

[diff] [blame]

131

size_t protocol_name_list_len, protocol_name_len;

132

const unsigned char *protocol_name_list_end;

lhuang04

2022-01-21 07:34:27 -0800

[diff] [blame]

133

134

/* If we didn't send it, the server shouldn't send it */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

135

if (ssl->conf->alpn_list == NULL) {

136

return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;

137

}

lhuang04

2022-01-21 07:34:27 -0800

[diff] [blame]

138

139

/*

140

* opaque ProtocolName<1..2^8-1>;

141

*

142

* struct {

143

* ProtocolName protocol_name_list<2..2^16-1>

144

* } ProtocolNameList;

145

*

146

* the "ProtocolNameList" MUST contain exactly one "ProtocolName"

147

*/

148

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

149

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);

150

protocol_name_list_len = MBEDTLS_GET_UINT16_BE(p, 0);

lhuang04

2022-01-21 07:34:27 -0800

[diff] [blame]

151

p += 2;

lhuang04

2022-01-21 07:34:27 -0800

[diff] [blame]

152

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

153

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, protocol_name_list_len);

Ronald Cron

81a334f

2022-05-31 16:04:11 +0200

[diff] [blame]

154

protocol_name_list_end = p + protocol_name_list_len;

155

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

156

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, protocol_name_list_end, 1);

Ronald Cron

81a334f

2022-05-31 16:04:11 +0200

[diff] [blame]

157

protocol_name_len = *p++;

lhuang04

2022-01-21 07:34:27 -0800

[diff] [blame]

158

159

/* Check that the server chosen protocol was in our list and save it */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

160

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, protocol_name_list_end, protocol_name_len);

161

for (const char **alpn = ssl->conf->alpn_list; *alpn != NULL; alpn++) {

162

if (protocol_name_len == strlen(*alpn) &&

163

memcmp(p, *alpn, protocol_name_len) == 0) {

lhuang04

2022-01-21 07:34:27 -0800

[diff] [blame]

164

ssl->alpn_chosen = *alpn;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

165

return 0;

lhuang04

2022-01-21 07:34:27 -0800

[diff] [blame]

}

}

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

169

return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;

lhuang04

2022-01-21 07:34:27 -0800

[diff] [blame]

170

}

171

#endif /* MBEDTLS_SSL_ALPN */

172

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

173

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

174

static int ssl_tls13_reset_key_share(mbedtls_ssl_context *ssl)

XiaokangQian

2021-12-07 09:16:29 +0000

[diff] [blame]

175

{

176

uint16_t group_id = ssl->handshake->offered_group_id;

Ronald Cron

5b98ac9

2022-03-15 10:19:18 +0100

[diff] [blame]

177

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

178

if (group_id == 0) {

179

return MBEDTLS_ERR_SSL_INTERNAL_ERROR;

180

}

XiaokangQian

2021-12-07 09:16:29 +0000

[diff] [blame]

181

Valerio Setti

2023-07-25 11:23:50 +0200

[diff] [blame]

182

#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)

Przemek Stekiel

2023-05-18 15:45:53 +0200

[diff] [blame]

183

if (mbedtls_ssl_tls13_named_group_is_ecdhe(group_id) ||

Przemek Stekiel

2023-06-29 09:08:43 +0200

[diff] [blame]

184

mbedtls_ssl_tls13_named_group_is_ffdh(group_id)) {

Ronald Cron

5b98ac9

2022-03-15 10:19:18 +0100

[diff] [blame]

185

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

186

psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;

187

188

/* Destroy generated private key. */

Przemek Stekiel

7ac93be

2023-07-04 10:02:38 +0200

[diff] [blame]

189

status = psa_destroy_key(ssl->handshake->xxdh_psa_privkey);

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

190

if (status != PSA_SUCCESS) {

Andrzej Kurek

8a045ce

2022-12-23 11:00:06 -0500

[diff] [blame]

191

ret = PSA_TO_MBEDTLS_ERR(status);

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

192

MBEDTLS_SSL_DEBUG_RET(1, "psa_destroy_key", ret);

193

return ret;

Ronald Cron

5b98ac9

2022-03-15 10:19:18 +0100

[diff] [blame]

194

}

195

Przemek Stekiel

7ac93be

2023-07-04 10:02:38 +0200

[diff] [blame]

196

ssl->handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

197

return 0;

198

} else

Valerio Setti

2023-07-25 11:23:50 +0200

[diff] [blame]

199

#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

200

if (0 /* other KEMs? */) {

XiaokangQian

2021-12-07 09:16:29 +0000

[diff] [blame]

/* Do something */

}

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

204

return MBEDTLS_ERR_SSL_INTERNAL_ERROR;

XiaokangQian

2021-12-07 09:16:29 +0000

[diff] [blame]

205

}

206

207

/*

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

208

* Functions for writing key_share extension.

209

*/

Ronald Cron

766c0cd

2022-10-18 12:17:11 +0200

[diff] [blame]

210

#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

211

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

212

static int ssl_tls13_get_default_group_id(mbedtls_ssl_context *ssl,

213

uint16_t *group_id)

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

214

{

215

int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;

216

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

217

Przemek Stekiel

2023-05-18 15:45:53 +0200

[diff] [blame]

218

#if defined(PSA_WANT_ALG_ECDH) || defined(PSA_WANT_ALG_FFDH)

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

219

const uint16_t *group_list = mbedtls_ssl_get_groups(ssl);

Jerry Yu

2021-09-15 18:41:02 +0800

[diff] [blame]

220

/* Pick first available ECDHE group compatible with TLS 1.3 */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

221

if (group_list == NULL) {

222

return MBEDTLS_ERR_SSL_BAD_CONFIG;

223

}

Jerry Yu

2021-09-15 18:41:02 +0800

[diff] [blame]

224

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

225

for (; *group_list != 0; group_list++) {

Przemek Stekiel

a05e9c1

2023-06-15 16:58:51 +0200

[diff] [blame]

226

#if defined(PSA_WANT_ALG_ECDH)

Xiaokang Qian

2023-03-29 10:37:35 +0000

[diff] [blame]

227

if ((mbedtls_ssl_get_psa_curve_info_from_tls_id(

228

*group_list, NULL, NULL) == PSA_SUCCESS) &&

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

229

mbedtls_ssl_tls13_named_group_is_ecdhe(*group_list)) {

Brett Warren

14efd33

2021-10-06 09:32:11 +0100

[diff] [blame]

230

*group_id = *group_list;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

231

return 0;

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

232

}

Przemek Stekiel

a05e9c1

2023-06-15 16:58:51 +0200

[diff] [blame]

233

#endif

234

#if defined(PSA_WANT_ALG_FFDH)

Przemek Stekiel

2023-06-29 09:08:43 +0200

[diff] [blame]

235

if (mbedtls_ssl_tls13_named_group_is_ffdh(*group_list)) {

Przemek Stekiel

a05e9c1

2023-06-15 16:58:51 +0200

[diff] [blame]

236

*group_id = *group_list;

237

return 0;

238

}

239

#endif

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

240

}

241

#else

242

((void) ssl);

Jerry Yu

2021-09-08 16:41:02 +0800

[diff] [blame]

243

((void) group_id);

Przemek Stekiel

2023-05-18 15:45:53 +0200

[diff] [blame]

244

#endif /* PSA_WANT_ALG_ECDH || PSA_WANT_ALG_FFDH */

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

245

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

246

return ret;

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

}

/*

* ssl_tls13_write_key_share_ext

251

*

Jerry Yu

2021-09-15 18:41:02 +0800

[diff] [blame]

252

* Structure of key_share extension in ClientHello:

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

*

* struct {

* NamedGroup group;

* opaque key_exchange<1..2^16-1>;

257

* } KeyShareEntry;

258

* struct {

259

* KeyShareEntry client_shares<0..2^16-1>;

260

* } KeyShareClientHello;

261

*/

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

262

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

263

static int ssl_tls13_write_key_share_ext(mbedtls_ssl_context *ssl,

264

unsigned char *buf,

265

unsigned char *end,

266

size_t *out_len)

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

267

{

268

unsigned char *p = buf;

Xiaofei Bai

2021-11-18 07:29:56 +0000

[diff] [blame]

269

unsigned char *client_shares; /* Start of client_shares */

270

size_t client_shares_len; /* Length of client_shares */

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

271

uint16_t group_id;

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

272

int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;

273

Xiaofei Bai

d25fab6

2021-12-02 06:36:27 +0000

[diff] [blame]

274

*out_len = 0;

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

275

Jerry Yu

2021-09-08 16:41:02 +0800

[diff] [blame]

276

/* Check if we have space for header and length fields:

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

277

* - extension_type (2 bytes)

278

* - extension_data_length (2 bytes)

279

* - client_shares_length (2 bytes)

280

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

281

MBEDTLS_SSL_CHK_BUF_PTR(p, end, 6);

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

282

p += 6;

283

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

284

MBEDTLS_SSL_DEBUG_MSG(3, ("client hello: adding key share extension"));

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

285

286

/* HRR could already have requested something else. */

287

group_id = ssl->handshake->offered_group_id;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

288

if (!mbedtls_ssl_tls13_named_group_is_ecdhe(group_id) &&

Przemek Stekiel

2023-06-29 09:08:43 +0200

[diff] [blame]

289

!mbedtls_ssl_tls13_named_group_is_ffdh(group_id)) {

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

290

MBEDTLS_SSL_PROC_CHK(ssl_tls13_get_default_group_id(ssl,

291

&group_id));

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

}

/*

* Dispatch to type-specific key generation function.

296

*

297

* So far, we're only supporting ECDHE. With the introduction

298

* of PQC KEMs, we'll want to have multiple branches, one per

299

* type of KEM, and dispatch to the corresponding crypto. And

300

* only one key share entry is allowed.

301

*/

Xiaofei Bai

2021-11-18 07:29:56 +0000

[diff] [blame]

302

client_shares = p;

Przemek Stekiel

2023-05-18 15:45:53 +0200

[diff] [blame]

303

#if defined(PSA_WANT_ALG_ECDH) || defined(PSA_WANT_ALG_FFDH)

304

if (mbedtls_ssl_tls13_named_group_is_ecdhe(group_id) ||

Przemek Stekiel

2023-06-29 09:08:43 +0200

[diff] [blame]

305

mbedtls_ssl_tls13_named_group_is_ffdh(group_id)) {

Jerry Yu

2021-09-15 18:41:02 +0800

[diff] [blame]

306

/* Pointer to group */

Xiaofei Bai

2021-11-18 07:29:56 +0000

[diff] [blame]

307

unsigned char *group = p;

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

308

/* Length of key_exchange */

Przemyslaw Stekiel

4f419e5

2022-02-10 15:56:26 +0100

[diff] [blame]

309

size_t key_exchange_len = 0;

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

310

311

/* Check there is space for header of KeyShareEntry

312

* - group (2 bytes)

313

* - key_exchange_length (2 bytes)

314

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

315

MBEDTLS_SSL_CHK_BUF_PTR(p, end, 4);

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

316

p += 4;

Przemek Stekiel

408569f

2023-07-06 11:26:44 +0200

[diff] [blame]

317

ret = mbedtls_ssl_tls13_generate_and_write_xxdh_key_exchange(

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

318

ssl, group_id, p, end, &key_exchange_len);

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

319

p += key_exchange_len;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

320

if (ret != 0) {

321

return ret;

322

}

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

323

324

/* Write group */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

325

MBEDTLS_PUT_UINT16_BE(group_id, group, 0);

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

326

/* Write key_exchange_length */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

327

MBEDTLS_PUT_UINT16_BE(key_exchange_len, group, 2);

328

} else

Przemek Stekiel

2023-05-18 15:45:53 +0200

[diff] [blame]

329

#endif /* PSA_WANT_ALG_ECDH || PSA_WANT_ALG_FFDH */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

330

if (0 /* other KEMs? */) {

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

331

/* Do something */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

332

} else {

333

return MBEDTLS_ERR_SSL_INTERNAL_ERROR;

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

334

}

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

335

Jerry Yu

2021-09-08 16:41:02 +0800

[diff] [blame]

336

/* Length of client_shares */

Xiaofei Bai

2021-11-18 07:29:56 +0000

[diff] [blame]

337

client_shares_len = p - client_shares;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

338

if (client_shares_len == 0) {

339

MBEDTLS_SSL_DEBUG_MSG(1, ("No key share defined."));

340

return MBEDTLS_ERR_SSL_INTERNAL_ERROR;

Jerry Yu

7c522d4

2021-09-08 17:55:09 +0800

[diff] [blame]

341

}

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

342

/* Write extension_type */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

343

MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_KEY_SHARE, buf, 0);

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

344

/* Write extension_data_length */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

345

MBEDTLS_PUT_UINT16_BE(client_shares_len + 2, buf, 2);

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

346

/* Write client_shares_length */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

347

MBEDTLS_PUT_UINT16_BE(client_shares_len, buf, 4);

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

348

349

/* Update offered_group_id field */

350

ssl->handshake->offered_group_id = group_id;

351

352

/* Output the total length of key_share extension. */

Xiaofei Bai

d25fab6

2021-12-02 06:36:27 +0000

[diff] [blame]

353

*out_len = p - buf;

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

354

Xiaokang Qian

91bb3f0

2023-04-03 09:07:03 +0000

[diff] [blame]

355

MBEDTLS_SSL_DEBUG_BUF(

356

3, "client hello, key_share extension", buf, *out_len);

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

357

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

358

mbedtls_ssl_tls13_set_hs_sent_ext_mask(ssl, MBEDTLS_TLS_EXT_KEY_SHARE);

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

cleanup:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

362

return ret;

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

363

}

Ronald Cron

766c0cd

2022-10-18 12:17:11 +0200

[diff] [blame]

364

#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED */

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

365

XiaokangQian

2022-01-24 10:12:51 +0000

[diff] [blame]

366

/*

367

* ssl_tls13_parse_hrr_key_share_ext()

368

* Parse key_share extension in Hello Retry Request

369

*

370

* struct {

371

* NamedGroup selected_group;

372

* } KeyShareHelloRetryRequest;

373

*/

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

374

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

375

static int ssl_tls13_parse_hrr_key_share_ext(mbedtls_ssl_context *ssl,

376

const unsigned char *buf,

377

const unsigned char *end)

XiaokangQian

2022-01-14 04:03:11 +0000

[diff] [blame]

378

{

Przemek Stekiel

2023-06-12 11:21:18 +0200

[diff] [blame]

379

#if defined(PSA_WANT_ALG_ECDH) || defined(PSA_WANT_ALG_FFDH)

XiaokangQian

2022-01-14 04:03:11 +0000

[diff] [blame]

380

const unsigned char *p = buf;

XiaokangQian

2022-01-24 10:12:51 +0000

[diff] [blame]

381

int selected_group;

XiaokangQian

2022-01-14 04:03:11 +0000

[diff] [blame]

382

int found = 0;

383

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

384

const uint16_t *group_list = mbedtls_ssl_get_groups(ssl);

385

if (group_list == NULL) {

386

return MBEDTLS_ERR_SSL_BAD_CONFIG;

387

}

XiaokangQian

2022-01-14 04:03:11 +0000

[diff] [blame]

388

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

389

MBEDTLS_SSL_DEBUG_BUF(3, "key_share extension", p, end - buf);

XiaokangQian

2022-01-14 04:03:11 +0000

[diff] [blame]

390

391

/* Read selected_group */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

392

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);

393

selected_group = MBEDTLS_GET_UINT16_BE(p, 0);

394

MBEDTLS_SSL_DEBUG_MSG(3, ("selected_group ( %d )", selected_group));

XiaokangQian

2022-01-14 04:03:11 +0000

[diff] [blame]

395

396

/* Upon receipt of this extension in a HelloRetryRequest, the client

397

* MUST first verify that the selected_group field corresponds to a

398

* group which was provided in the "supported_groups" extension in the

399

* original ClientHello.

400

* The supported_group was based on the info in ssl->conf->group_list.

401

*

402

* If the server provided a key share that was not sent in the ClientHello

403

* then the client MUST abort the handshake with an "illegal_parameter" alert.

404

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

405

for (; *group_list != 0; group_list++) {

Przemek Stekiel

2023-06-12 11:21:18 +0200

[diff] [blame]

406

#if defined(PSA_WANT_ALG_ECDH)

Przemek Stekiel

2023-05-18 15:45:53 +0200

[diff] [blame]

407

if (mbedtls_ssl_tls13_named_group_is_ecdhe(*group_list)) {

408

if ((mbedtls_ssl_get_psa_curve_info_from_tls_id(

409

*group_list, NULL, NULL) == PSA_ERROR_NOT_SUPPORTED) ||

410

*group_list != selected_group) {

411

found = 1;

412

break;

413

}

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

414

}

Przemek Stekiel

2023-06-12 11:21:18 +0200

[diff] [blame]

415

#endif /* PSA_WANT_ALG_ECDH */

416

#if defined(PSA_WANT_ALG_FFDH)

Przemek Stekiel

2023-06-29 09:08:43 +0200

[diff] [blame]

417

if (mbedtls_ssl_tls13_named_group_is_ffdh(*group_list)) {

Przemek Stekiel

2023-05-18 15:45:53 +0200

[diff] [blame]

418

found = 1;

419

break;

420

}

Przemek Stekiel

2023-06-12 11:21:18 +0200

[diff] [blame]

421

#endif /* PSA_WANT_ALG_FFDH */

XiaokangQian

2022-01-14 04:03:11 +0000

[diff] [blame]

422

}

423

424

/* Client MUST verify that the selected_group field does not

425

* correspond to a group which was provided in the "key_share"

426

* extension in the original ClientHello. If the server sent an

427

* HRR message with a key share already provided in the

428

* ClientHello then the client MUST abort the handshake with

429

* an "illegal_parameter" alert.

430

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

431

if (found == 0 || selected_group == ssl->handshake->offered_group_id) {

432

MBEDTLS_SSL_DEBUG_MSG(1, ("Invalid key share in HRR"));

XiaokangQian

2022-01-14 04:03:11 +0000

[diff] [blame]

433

MBEDTLS_SSL_PEND_FATAL_ALERT(

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

434

MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,

435

MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);

436

return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;

XiaokangQian

2022-01-14 04:03:11 +0000

[diff] [blame]

437

}

438

439

/* Remember server's preference for next ClientHello */

XiaokangQian

2022-01-24 10:12:51 +0000

[diff] [blame]

440

ssl->handshake->offered_group_id = selected_group;

XiaokangQian

2022-01-14 04:03:11 +0000

[diff] [blame]

441

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

442

return 0;

Przemek Stekiel

2023-06-12 11:21:18 +0200

[diff] [blame]

443

#else /* PSA_WANT_ALG_ECDH || PSA_WANT_ALG_FFDH */

Andrzej Kurek

c19fb08

2022-10-03 10:52:24 -0400

[diff] [blame]

444

(void) ssl;

445

(void) buf;

446

(void) end;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

447

return MBEDTLS_ERR_SSL_BAD_CONFIG;

Przemek Stekiel

2023-06-12 11:21:18 +0200

[diff] [blame]

448

#endif /* PSA_WANT_ALG_ECDH || PSA_WANT_ALG_FFDH */

XiaokangQian

2022-01-14 04:03:11 +0000

[diff] [blame]

449

}

450

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

451

/*

Jerry Yu

2021-10-13 13:36:05 +0800

[diff] [blame]

452

* ssl_tls13_parse_key_share_ext()

453

* Parse key_share extension in Server Hello

454

*

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

455

* struct {

456

* KeyShareEntry server_share;

457

* } KeyShareServerHello;

458

* struct {

459

* NamedGroup group;

460

* opaque key_exchange<1..2^16-1>;

461

* } KeyShareEntry;

462

*/

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

463

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

464

static int ssl_tls13_parse_key_share_ext(mbedtls_ssl_context *ssl,

465

const unsigned char *buf,

466

const unsigned char *end)

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

467

{

Jerry Yu

2021-10-13 13:36:05 +0800

[diff] [blame]

468

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

469

const unsigned char *p = buf;

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

470

uint16_t group, offered_group;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

471

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

472

/* ...

473

* NamedGroup group; (2 bytes)

474

* ...

475

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

476

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);

477

group = MBEDTLS_GET_UINT16_BE(p, 0);

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

478

p += 2;

479

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

480

/* Check that the chosen group matches the one we offered. */

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

481

offered_group = ssl->handshake->offered_group_id;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

482

if (offered_group != group) {

Xiaokang Qian

2023-03-29 10:37:35 +0000

[diff] [blame]

483

MBEDTLS_SSL_DEBUG_MSG(

484

1, ("Invalid server key share, our group %u, their group %u",

485

(unsigned) offered_group, (unsigned) group));

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

486

MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,

487

MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE);

488

return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

489

}

490

Valerio Setti

2023-07-25 11:23:50 +0200

[diff] [blame]

491

#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)

Przemek Stekiel

2023-05-18 15:45:53 +0200

[diff] [blame]

492

if (mbedtls_ssl_tls13_named_group_is_ecdhe(group) ||

Przemek Stekiel

2023-06-29 09:08:43 +0200

[diff] [blame]

493

mbedtls_ssl_tls13_named_group_is_ffdh(group)) {

Przemek Stekiel

2023-06-12 11:21:18 +0200

[diff] [blame]

494

MBEDTLS_SSL_DEBUG_MSG(2,

495

("DHE group name: %s", mbedtls_ssl_named_group_to_str(group)));

Przemek Stekiel

7ac93be

2023-07-04 10:02:38 +0200

[diff] [blame]

496

ret = mbedtls_ssl_tls13_read_public_xxdhe_share(ssl, p, end - p);

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

if (ret != 0) {

return ret;

}

} else

Valerio Setti

2023-07-25 11:23:50 +0200

[diff] [blame]

501

#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

502

if (0 /* other KEMs? */) {

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

503

/* Do something */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

504

} else {

505

return MBEDTLS_ERR_SSL_INTERNAL_ERROR;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

506

}

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

507

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

508

return ret;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

509

}

510

XiaokangQian

2022-01-24 10:12:51 +0000

[diff] [blame]

511

/*

512

* ssl_tls13_parse_cookie_ext()

513

* Parse cookie extension in Hello Retry Request

514

*

515

* struct {

516

* opaque cookie<1..2^16-1>;

517

* } Cookie;

518

*

519

* When sending a HelloRetryRequest, the server MAY provide a "cookie"

520

* extension to the client (this is an exception to the usual rule that

521

* the only extensions that may be sent are those that appear in the

522

* ClientHello). When sending the new ClientHello, the client MUST copy

523

* the contents of the extension received in the HelloRetryRequest into

524

* a "cookie" extension in the new ClientHello. Clients MUST NOT use

525

* cookies in their initial ClientHello in subsequent connections.

526

*/

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

527

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

528

static int ssl_tls13_parse_cookie_ext(mbedtls_ssl_context *ssl,

529

const unsigned char *buf,

530

const unsigned char *end)

XiaokangQian

2022-01-21 04:32:58 +0000

[diff] [blame]

531

{

XiaokangQian

25c9c90

2022-02-08 10:49:53 +0000

[diff] [blame]

532

uint16_t cookie_len;

XiaokangQian

2022-01-21 04:32:58 +0000

[diff] [blame]

533

const unsigned char *p = buf;

534

mbedtls_ssl_handshake_params *handshake = ssl->handshake;

535

536

/* Retrieve length field of cookie */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

537

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);

538

cookie_len = MBEDTLS_GET_UINT16_BE(p, 0);

XiaokangQian

2022-01-21 04:32:58 +0000

[diff] [blame]

539

p += 2;

540

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

541

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, cookie_len);

542

MBEDTLS_SSL_DEBUG_BUF(3, "cookie extension", p, cookie_len);

XiaokangQian

2022-01-21 04:32:58 +0000

[diff] [blame]

543

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

544

mbedtls_free(handshake->cookie);

Jerry Yu

ac5ca5a

2022-03-04 12:50:46 +0800

[diff] [blame]

545

handshake->cookie_len = 0;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

546

handshake->cookie = mbedtls_calloc(1, cookie_len);

547

if (handshake->cookie == NULL) {

548

MBEDTLS_SSL_DEBUG_MSG(1,

549

("alloc failed ( %ud bytes )",

550

cookie_len));

551

return MBEDTLS_ERR_SSL_ALLOC_FAILED;

XiaokangQian

2022-01-21 04:32:58 +0000

[diff] [blame]

552

}

553

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

554

memcpy(handshake->cookie, p, cookie_len);

Jerry Yu

ac5ca5a

2022-03-04 12:50:46 +0800

[diff] [blame]

555

handshake->cookie_len = cookie_len;

XiaokangQian

2022-01-21 04:32:58 +0000

[diff] [blame]

556

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

557

return 0;

XiaokangQian

2022-01-21 04:32:58 +0000

[diff] [blame]

558

}

XiaokangQian

2022-01-21 04:32:58 +0000

[diff] [blame]

559

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

560

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

561

static int ssl_tls13_write_cookie_ext(mbedtls_ssl_context *ssl,

562

unsigned char *buf,

563

unsigned char *end,

564

size_t *out_len)

XiaokangQian

2022-01-27 10:36:51 +0000

[diff] [blame]

565

{

566

unsigned char *p = buf;

XiaokangQian

9deb90f

2022-02-08 10:31:07 +0000

[diff] [blame]

567

*out_len = 0;

XiaokangQian

c02768a

2022-02-10 07:31:25 +0000

[diff] [blame]

568

mbedtls_ssl_handshake_params *handshake = ssl->handshake;

XiaokangQian

2022-01-27 10:36:51 +0000

[diff] [blame]

569

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

570

if (handshake->cookie == NULL) {

571

MBEDTLS_SSL_DEBUG_MSG(3, ("no cookie to send; skip extension"));

572

return 0;

XiaokangQian

2022-01-27 10:36:51 +0000

[diff] [blame]

573

}

574

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

575

MBEDTLS_SSL_DEBUG_BUF(3, "client hello, cookie",

576

handshake->cookie,

577

handshake->cookie_len);

XiaokangQian

2022-01-27 10:36:51 +0000

[diff] [blame]

578

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

579

MBEDTLS_SSL_CHK_BUF_PTR(p, end, handshake->cookie_len + 6);

XiaokangQian

2022-01-27 10:36:51 +0000

[diff] [blame]

580

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

581

MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, adding cookie extension"));

XiaokangQian

2022-01-27 10:36:51 +0000

[diff] [blame]

582

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

583

MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_COOKIE, p, 0);

584

MBEDTLS_PUT_UINT16_BE(handshake->cookie_len + 2, p, 2);

585

MBEDTLS_PUT_UINT16_BE(handshake->cookie_len, p, 4);

XiaokangQian

233397e

2022-02-07 08:32:16 +0000

[diff] [blame]

586

p += 6;

XiaokangQian

2022-01-27 10:36:51 +0000

[diff] [blame]

587

588

/* Cookie */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

589

memcpy(p, handshake->cookie, handshake->cookie_len);

XiaokangQian

2022-01-27 10:36:51 +0000

[diff] [blame]

590

Jerry Yu

ac5ca5a

2022-03-04 12:50:46 +0800

[diff] [blame]

591

*out_len = handshake->cookie_len + 6;

XiaokangQian

2022-01-27 10:36:51 +0000

[diff] [blame]

592

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

593

mbedtls_ssl_tls13_set_hs_sent_ext_mask(ssl, MBEDTLS_TLS_EXT_COOKIE);

Jerry Yu

2022-10-31 13:31:22 +0800

[diff] [blame]

594

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

595

return 0;

XiaokangQian

2022-01-27 10:36:51 +0000

[diff] [blame]

596

}

597

Ronald Cron

2022-10-04 16:38:25 +0200

[diff] [blame]

598

#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

599

/*

600

* ssl_tls13_write_psk_key_exchange_modes_ext() structure:

601

*

602

* enum { psk_ke( 0 ), psk_dhe_ke( 1 ), ( 255 ) } PskKeyExchangeMode;

603

*

604

* struct {

605

* PskKeyExchangeMode ke_modes<1..255>;

606

* } PskKeyExchangeModes;

607

*/

XiaokangQian

8698195

2022-07-19 09:51:50 +0000

[diff] [blame]

608

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

609

static int ssl_tls13_write_psk_key_exchange_modes_ext(mbedtls_ssl_context *ssl,

610

unsigned char *buf,

611

unsigned char *end,

612

size_t *out_len)

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

613

{

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

614

unsigned char *p = buf;

XiaokangQian

2022-07-14 07:54:01 +0000

[diff] [blame]

615

int ke_modes_len = 0;

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

616

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

617

((void) ke_modes_len);

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

618

*out_len = 0;

XiaokangQian

2022-07-14 07:54:01 +0000

[diff] [blame]

619

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

620

/* Skip writing extension if no PSK key exchange mode

XiaokangQian

7c12d31

2022-07-20 07:25:43 +0000

[diff] [blame]

621

* is enabled in the config.

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

622

*/

Pengyu Lv

2023-11-14 11:03:32 +0800

[diff] [blame]

623

if (!mbedtls_ssl_conf_tls13_is_some_psk_enabled(ssl)) {

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

624

MBEDTLS_SSL_DEBUG_MSG(3, ("skip psk_key_exchange_modes extension"));

625

return 0;

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

626

}

627

628

/* Require 7 bytes of data, otherwise fail,

629

* even if extension might be shorter.

630

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

631

MBEDTLS_SSL_CHK_BUF_PTR(p, end, 7);

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

632

MBEDTLS_SSL_DEBUG_MSG(

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

633

3, ("client hello, adding psk_key_exchange_modes extension"));

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

634

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

635

MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES, p, 0);

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

636

XiaokangQian

2022-07-14 07:54:01 +0000

[diff] [blame]

637

/* Skip extension length (2 bytes) and

638

* ke_modes length (1 byte) for now.

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

*/

p += 5;

Pengyu Lv

2023-11-14 11:03:32 +0800

[diff] [blame]

642

if (mbedtls_ssl_conf_tls13_is_psk_ephemeral_enabled(ssl)) {

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

643

*p++ = MBEDTLS_SSL_TLS1_3_PSK_MODE_ECDHE;

XiaokangQian

2022-07-14 07:54:01 +0000

[diff] [blame]

644

ke_modes_len++;

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

645

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

646

MBEDTLS_SSL_DEBUG_MSG(4, ("Adding PSK-ECDHE key exchange mode"));

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

647

}

648

Pengyu Lv

2023-11-14 11:03:32 +0800

[diff] [blame]

649

if (mbedtls_ssl_conf_tls13_is_psk_enabled(ssl)) {

Ronald Cron

a709a0f

2022-09-27 16:46:11 +0200

[diff] [blame]

650

*p++ = MBEDTLS_SSL_TLS1_3_PSK_MODE_PURE;

651

ke_modes_len++;

652

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

653

MBEDTLS_SSL_DEBUG_MSG(4, ("Adding pure PSK key exchange mode"));

Ronald Cron

a709a0f

2022-09-27 16:46:11 +0200

[diff] [blame]

654

}

655

XiaokangQian

2022-07-14 07:54:01 +0000

[diff] [blame]

656

/* Now write the extension and ke_modes length */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

657

MBEDTLS_PUT_UINT16_BE(ke_modes_len + 1, buf, 2);

XiaokangQian

2022-07-14 07:54:01 +0000

[diff] [blame]

658

buf[4] = ke_modes_len;

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

659

660

*out_len = p - buf;

Jerry Yu

2022-08-29 15:25:36 +0800

[diff] [blame]

661

Jerry Yu

2022-10-29 09:08:47 +0800

[diff] [blame]

662

mbedtls_ssl_tls13_set_hs_sent_ext_mask(

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

663

ssl, MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES);

Jerry Yu

2022-10-31 13:31:22 +0800

[diff] [blame]

664

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

665

return 0;

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

666

}

Jerry Yu

db8c5fa

2022-08-03 12:10:13 +0800

[diff] [blame]

667

Norbert Fabritius

8ceeff9

2023-01-24 17:58:13 +0100

[diff] [blame]

668

#if defined(MBEDTLS_SSL_SESSION_TICKETS)

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

669

static psa_algorithm_t ssl_tls13_get_ciphersuite_hash_alg(int ciphersuite)

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

670

{

Jerry Yu

21f9095

2022-10-08 10:30:53 +0800

[diff] [blame]

671

const mbedtls_ssl_ciphersuite_t *ciphersuite_info = NULL;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

672

ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(ciphersuite);

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

673

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

674

if (ciphersuite_info != NULL) {

Dave Rodgman

2eab462

2023-10-05 13:30:37 +0100

[diff] [blame]

675

return mbedtls_md_psa_alg_from_type((mbedtls_md_type_t) ciphersuite_info->mac);

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

676

}

Jerry Yu

2022-10-08 11:17:14 +0800

[diff] [blame]

677

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

678

return PSA_ALG_NONE;

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

679

}

680

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

681

static int ssl_tls13_has_configured_ticket(mbedtls_ssl_context *ssl)

Xiaokang Qian

b781a23

2022-11-01 07:39:46 +0000

[diff] [blame]

682

{

683

mbedtls_ssl_session *session = ssl->session_negotiate;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

684

return ssl->handshake->resume &&

Pengyu Lv

9356678

2022-12-07 12:10:05 +0800

[diff] [blame]

685

session != NULL && session->ticket != NULL &&

Pengyu Lv

fc2cb96

2023-11-10 10:22:36 +0800

[diff] [blame]

686

mbedtls_ssl_conf_tls13_is_kex_mode_enabled(

Pengyu Lv

2023-12-06 10:04:17 +0800

[diff] [blame]

687

ssl, mbedtls_ssl_tls13_session_get_ticket_flags(

Pengyu Lv

9b84ea7

2023-01-16 14:08:23 +0800

[diff] [blame]

688

session, MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL));

Xiaokang Qian

b781a23

2022-11-01 07:39:46 +0000

[diff] [blame]

689

}

690

Xiaokang Qian

01323a4

2022-11-03 02:27:35 +0000

[diff] [blame]

691

#if defined(MBEDTLS_SSL_EARLY_DATA)

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

692

static int ssl_tls13_early_data_has_valid_ticket(mbedtls_ssl_context *ssl)

Xiaokang Qian

01323a4

2022-11-03 02:27:35 +0000

[diff] [blame]

693

{

694

mbedtls_ssl_session *session = ssl->session_negotiate;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

695

return ssl->handshake->resume &&

696

session->tls_version == MBEDTLS_SSL_VERSION_TLS1_3 &&

Pengyu Lv

2023-12-06 10:04:17 +0800

[diff] [blame]

697

mbedtls_ssl_tls13_session_ticket_allow_early_data(session) &&

Jerry Yu

c2b1bc4

2023-11-22 10:08:13 +0800

[diff] [blame]

698

mbedtls_ssl_tls13_cipher_suite_is_offered(ssl, session->ciphersuite);

Xiaokang Qian

01323a4

2022-11-03 02:27:35 +0000

[diff] [blame]

}

#endif

Xiaokang Qian

2022-11-01 07:39:46 +0000

[diff] [blame]

702

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

703

static int ssl_tls13_ticket_get_identity(mbedtls_ssl_context *ssl,

704

psa_algorithm_t *hash_alg,

705

const unsigned char **identity,

706

size_t *identity_len)

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

707

{

708

mbedtls_ssl_session *session = ssl->session_negotiate;

Jerry Yu

2022-09-30 10:00:20 +0800

[diff] [blame]

709

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

710

if (!ssl_tls13_has_configured_ticket(ssl)) {

711

return -1;

712

}

Jerry Yu

2022-09-30 10:00:20 +0800

[diff] [blame]

713

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

714

*hash_alg = ssl_tls13_get_ciphersuite_hash_alg(session->ciphersuite);

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

715

*identity = session->ticket;

716

*identity_len = session->ticket_len;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

717

return 0;

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

718

}

719

Jerry Yu

2022-09-28 22:11:02 +0800

[diff] [blame]

720

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

721

static int ssl_tls13_ticket_get_psk(mbedtls_ssl_context *ssl,

722

psa_algorithm_t *hash_alg,

723

const unsigned char **psk,

724

size_t *psk_len)

Jerry Yu

2022-09-28 22:11:02 +0800

[diff] [blame]

725

{

726

727

mbedtls_ssl_session *session = ssl->session_negotiate;

728

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

729

if (!ssl_tls13_has_configured_ticket(ssl)) {

730

return -1;

731

}

Jerry Yu

2022-09-30 10:00:20 +0800

[diff] [blame]

732

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

733

*hash_alg = ssl_tls13_get_ciphersuite_hash_alg(session->ciphersuite);

Jerry Yu

2022-09-28 22:11:02 +0800

[diff] [blame]

734

*psk = session->resumption_key;

735

*psk_len = session->resumption_key_len;

736

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

737

return 0;

Jerry Yu

2022-09-28 22:11:02 +0800

[diff] [blame]

738

}

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

739

#endif /* MBEDTLS_SSL_SESSION_TICKETS */

740

741

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

742

static int ssl_tls13_psk_get_identity(mbedtls_ssl_context *ssl,

743

psa_algorithm_t *hash_alg,

744

const unsigned char **identity,

745

size_t *identity_len)

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

746

{

Jerry Yu

2022-09-30 10:00:20 +0800

[diff] [blame]

747

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

748

if (!mbedtls_ssl_conf_has_static_psk(ssl->conf)) {

749

return -1;

750

}

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

751

Jerry Yu

2022-10-08 11:17:14 +0800

[diff] [blame]

752

*hash_alg = PSA_ALG_SHA_256;

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

753

*identity = ssl->conf->psk_identity;

754

*identity_len = ssl->conf->psk_identity_len;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

755

return 0;

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

756

}

757

Jerry Yu

2022-09-28 22:11:02 +0800

[diff] [blame]

758

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

759

static int ssl_tls13_psk_get_psk(mbedtls_ssl_context *ssl,

760

psa_algorithm_t *hash_alg,

761

const unsigned char **psk,

762

size_t *psk_len)

Jerry Yu

2022-09-28 22:11:02 +0800

[diff] [blame]

763

{

Jerry Yu

2022-09-30 10:00:20 +0800

[diff] [blame]

764

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

765

if (!mbedtls_ssl_conf_has_static_psk(ssl->conf)) {

766

return -1;

767

}

Jerry Yu

2022-09-30 10:00:20 +0800

[diff] [blame]

768

Jerry Yu

2022-10-08 11:17:14 +0800

[diff] [blame]

769

*hash_alg = PSA_ALG_SHA_256;

Jerry Yu

2022-09-28 22:11:02 +0800

[diff] [blame]

770

*psk = ssl->conf->psk;

771

*psk_len = ssl->conf->psk_len;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

772

return 0;

Jerry Yu

2022-09-28 22:11:02 +0800

[diff] [blame]

773

}

774

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

775

static int ssl_tls13_get_configured_psk_count(mbedtls_ssl_context *ssl)

Jerry Yu

2022-09-30 10:30:31 +0800

[diff] [blame]

776

{

777

int configured_psk_count = 0;

778

#if defined(MBEDTLS_SSL_SESSION_TICKETS)

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

779

if (ssl_tls13_has_configured_ticket(ssl)) {

780

MBEDTLS_SSL_DEBUG_MSG(3, ("Ticket is configured"));

Jerry Yu

2022-09-30 10:30:31 +0800

[diff] [blame]

781

configured_psk_count++;

782

}

783

#endif

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

784

if (mbedtls_ssl_conf_has_static_psk(ssl->conf)) {

785

MBEDTLS_SSL_DEBUG_MSG(3, ("PSK is configured"));

Jerry Yu

2022-09-30 10:30:31 +0800

[diff] [blame]

786

configured_psk_count++;

787

}

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

788

return configured_psk_count;

Jerry Yu

2022-09-30 10:30:31 +0800

[diff] [blame]

789

}

790

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

791

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

792

static int ssl_tls13_write_identity(mbedtls_ssl_context *ssl,

793

unsigned char *buf,

794

unsigned char *end,

795

const unsigned char *identity,

796

size_t identity_len,

797

uint32_t obfuscated_ticket_age,

798

size_t *out_len)

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

799

{

Jerry Yu

2022-09-30 10:30:31 +0800

[diff] [blame]

800

((void) ssl);

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

801

*out_len = 0;

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

802

803

/*

804

* - identity_len (2 bytes)

805

* - identity (psk_identity_len bytes)

806

* - obfuscated_ticket_age (4 bytes)

807

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

808

MBEDTLS_SSL_CHK_BUF_PTR(buf, end, 6 + identity_len);

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

809

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

810

MBEDTLS_PUT_UINT16_BE(identity_len, buf, 0);

811

memcpy(buf + 2, identity, identity_len);

812

MBEDTLS_PUT_UINT32_BE(obfuscated_ticket_age, buf, 2 + identity_len);

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

813

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

814

MBEDTLS_SSL_DEBUG_BUF(4, "write identity", buf, 6 + identity_len);

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

815

816

*out_len = 6 + identity_len;

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

817

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

818

return 0;

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

819

}

820

Jerry Yu

2022-09-30 10:00:20 +0800

[diff] [blame]

821

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

822

static int ssl_tls13_write_binder(mbedtls_ssl_context *ssl,

unsigned char *buf,

unsigned char *end,

int psk_type,

psa_algorithm_t hash_alg,

827

const unsigned char *psk,

828

size_t psk_len,

829

size_t *out_len)

Jerry Yu

2022-09-30 10:00:20 +0800

[diff] [blame]

830

{

831

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

Jerry Yu

2022-09-30 10:00:20 +0800

[diff] [blame]

832

unsigned char binder_len;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

833

unsigned char transcript[MBEDTLS_TLS1_3_MD_MAX_SIZE];

Jerry Yu

2022-09-30 10:00:20 +0800

[diff] [blame]

834

size_t transcript_len = 0;

*out_len = 0;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

838

binder_len = PSA_HASH_LENGTH(hash_alg);

Jerry Yu

2022-09-30 10:00:20 +0800

[diff] [blame]

839

840

/*

841

* - binder_len (1 bytes)

842

* - binder (binder_len bytes)

843

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

844

MBEDTLS_SSL_CHK_BUF_PTR(buf, end, 1 + binder_len);

Jerry Yu

2022-09-30 10:00:20 +0800

[diff] [blame]

845

Jerry Yu

2022-10-08 11:17:14 +0800

[diff] [blame]

846

buf[0] = binder_len;

Jerry Yu

2022-09-30 10:00:20 +0800

[diff] [blame]

847

848

/* Get current state of handshake transcript. */

849

ret = mbedtls_ssl_get_handshake_transcript(

Manuel Pégourié-Gonnard

2d6d993

2023-03-28 11:38:08 +0200

[diff] [blame]

850

ssl, mbedtls_md_type_from_psa_alg(hash_alg),

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

851

transcript, sizeof(transcript), &transcript_len);

852

if (ret != 0) {

853

return ret;

Jerry Yu

2022-09-30 10:00:20 +0800

[diff] [blame]

854

}

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

855

856

ret = mbedtls_ssl_tls13_create_psk_binder(ssl, hash_alg,

857

psk, psk_len, psk_type,

858

transcript, buf + 1);

859

if (ret != 0) {

860

MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_tls13_create_psk_binder", ret);

861

return ret;

862

}

863

MBEDTLS_SSL_DEBUG_BUF(4, "write binder", buf, 1 + binder_len);

Jerry Yu

2022-09-30 10:00:20 +0800

[diff] [blame]

864

865

*out_len = 1 + binder_len;

866

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

867

return 0;

Jerry Yu

2022-09-30 10:00:20 +0800

[diff] [blame]

}

/*

* mbedtls_ssl_tls13_write_identities_of_pre_shared_key_ext() structure:

872

*

873

* struct {

874

* opaque identity<1..2^16-1>;

875

* uint32 obfuscated_ticket_age;

876

* } PskIdentity;

877

*

878

* opaque PskBinderEntry<32..255>;

879

*

880

* struct {

881

* PskIdentity identities<7..2^16-1>;

882

* PskBinderEntry binders<33..2^16-1>;

* } OfferedPsks;

*

* struct {

* select (Handshake.msg_type) {

887

* case client_hello: OfferedPsks;

888

* ...

889

* };

890

* } PreSharedKeyExtension;

891

*

892

*/

XiaokangQian

3ad67bf

2022-07-21 02:26:21 +0000

[diff] [blame]

893

int mbedtls_ssl_tls13_write_identities_of_pre_shared_key_ext(

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

894

mbedtls_ssl_context *ssl, unsigned char *buf, unsigned char *end,

895

size_t *out_len, size_t *binders_len)

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

896

{

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

897

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

Jerry Yu

2022-09-30 10:30:31 +0800

[diff] [blame]

898

int configured_psk_count = 0;

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

899

unsigned char *p = buf;

Xiaokang Qian

854db28

2022-12-19 07:31:27 +0000

[diff] [blame]

900

psa_algorithm_t hash_alg = PSA_ALG_NONE;

Jerry Yu

2022-09-30 10:30:31 +0800

[diff] [blame]

901

const unsigned char *identity;

902

size_t identity_len;

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

903

size_t l_binders_len = 0;

Jerry Yu

2022-09-30 10:30:31 +0800

[diff] [blame]

904

size_t output_len;

Xiaokang Qian

7179f81

2023-02-03 03:38:44 +0000

[diff] [blame]

905

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

*out_len = 0;

*binders_len = 0;

/* Check if we have any PSKs to offer. If no, skip pre_shared_key */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

910

configured_psk_count = ssl_tls13_get_configured_psk_count(ssl);

911

if (configured_psk_count == 0) {

912

MBEDTLS_SSL_DEBUG_MSG(3, ("skip pre_shared_key extensions"));

913

return 0;

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

914

}

915

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

916

MBEDTLS_SSL_DEBUG_MSG(4, ("Pre-configured PSK number = %d",

917

configured_psk_count));

Jerry Yu

2022-09-30 10:30:31 +0800

[diff] [blame]

918

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

919

/* Check if we have space to write the extension, binders included.

920

* - extension_type (2 bytes)

921

* - extension_data_len (2 bytes)

922

* - identities_len (2 bytes)

923

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

924

MBEDTLS_SSL_CHK_BUF_PTR(p, end, 6);

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

925

p += 6;

926

Jerry Yu

2022-09-30 10:30:31 +0800

[diff] [blame]

927

#if defined(MBEDTLS_SSL_SESSION_TICKETS)

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

928

if (ssl_tls13_ticket_get_identity(

929

ssl, &hash_alg, &identity, &identity_len) == 0) {

Jerry Yu

2022-09-30 10:30:31 +0800

[diff] [blame]

930

#if defined(MBEDTLS_HAVE_TIME)

Jerry Yu

cebffc3

2022-12-15 18:00:05 +0800

[diff] [blame]

931

mbedtls_ms_time_t now = mbedtls_ms_time();

Jerry Yu

2022-09-30 10:30:31 +0800

[diff] [blame]

932

mbedtls_ssl_session *session = ssl->session_negotiate;

Jerry Yu

cf91351

2023-11-14 11:06:52 +0800

[diff] [blame]

933

/* The ticket age has been checked to be smaller than the

Jerry Yu

46c7926

2023-11-10 13:58:16 +0800

[diff] [blame]

934

* `ticket_lifetime` in ssl_prepare_client_hello() which is smaller than

935

* 7 days (enforced in ssl_tls13_parse_new_session_ticket()) . Thus the

936

* cast to `uint32_t` of the ticket age is safe. */

Jerry Yu

6916e70

2022-10-10 21:33:51 +0800

[diff] [blame]

937

uint32_t obfuscated_ticket_age =

Jerry Yu

342a555

2023-11-10 14:23:39 +0800

[diff] [blame]

938

(uint32_t) (now - session->ticket_reception_time);

Jerry Yu

2022-09-30 10:30:31 +0800

[diff] [blame]

939

obfuscated_ticket_age += session->ticket_age_add;

Jerry Yu

2022-10-08 11:17:14 +0800

[diff] [blame]

940

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

941

ret = ssl_tls13_write_identity(ssl, p, end,

942

identity, identity_len,

943

obfuscated_ticket_age,

944

&output_len);

Jerry Yu

2022-10-08 11:17:14 +0800

[diff] [blame]

945

#else

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

946

ret = ssl_tls13_write_identity(ssl, p, end, identity, identity_len,

947

0, &output_len);

Jerry Yu

2022-10-08 11:17:14 +0800

[diff] [blame]

948

#endif /* MBEDTLS_HAVE_TIME */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

949

if (ret != 0) {

950

return ret;

951

}

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

952

Jerry Yu

2022-09-30 10:30:31 +0800

[diff] [blame]

953

p += output_len;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

954

l_binders_len += 1 + PSA_HASH_LENGTH(hash_alg);

Jerry Yu

2022-09-30 10:30:31 +0800

[diff] [blame]

955

}

956

#endif /* MBEDTLS_SSL_SESSION_TICKETS */

957

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

958

if (ssl_tls13_psk_get_identity(

959

ssl, &hash_alg, &identity, &identity_len) == 0) {

Jerry Yu

2022-09-30 10:30:31 +0800

[diff] [blame]

960

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

961

ret = ssl_tls13_write_identity(ssl, p, end, identity, identity_len, 0,

&output_len);

if (ret != 0) {

return ret;

}

Jerry Yu

2022-09-30 10:30:31 +0800

[diff] [blame]

966

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

967

p += output_len;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

968

l_binders_len += 1 + PSA_HASH_LENGTH(hash_alg);

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

969

}

970

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

971

MBEDTLS_SSL_DEBUG_MSG(3,

972

("client hello, adding pre_shared_key extension, "

973

"omitting PSK binder list"));

Jerry Yu

2022-10-08 11:17:14 +0800

[diff] [blame]

974

975

/* Take into account the two bytes for the length of the binders. */

976

l_binders_len += 2;

Jerry Yu

6916e70

2022-10-10 21:33:51 +0800

[diff] [blame]

977

/* Check if there is enough space for binders */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

978

MBEDTLS_SSL_CHK_BUF_PTR(p, end, l_binders_len);

Jerry Yu

2022-10-08 11:17:14 +0800

[diff] [blame]

979

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

980

/*

981

* - extension_type (2 bytes)

982

* - extension_data_len (2 bytes)

983

* - identities_len (2 bytes)

984

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

985

MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_PRE_SHARED_KEY, buf, 0);

986

MBEDTLS_PUT_UINT16_BE(p - buf - 4 + l_binders_len, buf, 2);

987

MBEDTLS_PUT_UINT16_BE(p - buf - 6, buf, 4);

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

988

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

989

*out_len = (p - buf) + l_binders_len;

Jerry Yu

2022-10-08 11:17:14 +0800

[diff] [blame]

990

*binders_len = l_binders_len;

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

991

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

992

MBEDTLS_SSL_DEBUG_BUF(3, "pre_shared_key identities", buf, p - buf);

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

993

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

994

return 0;

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

995

}

996

XiaokangQian

8698195

2022-07-19 09:51:50 +0000

[diff] [blame]

997

int mbedtls_ssl_tls13_write_binders_of_pre_shared_key_ext(

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

998

mbedtls_ssl_context *ssl, unsigned char *buf, unsigned char *end)

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

999

{

Jerry Yu

2022-09-28 22:11:02 +0800

[diff] [blame]

1000

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

1001

unsigned char *p = buf;

Jerry Yu

2022-09-30 11:08:57 +0800

[diff] [blame]

1002

psa_algorithm_t hash_alg = PSA_ALG_NONE;

1003

const unsigned char *psk;

1004

size_t psk_len;

1005

size_t output_len;

Jerry Yu

2022-09-28 22:11:02 +0800

[diff] [blame]

1006

1007

/* Check if we have space to write binders_len.

1008

* - binders_len (2 bytes)

1009

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1010

MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2);

Jerry Yu

2022-09-28 22:11:02 +0800

[diff] [blame]

1011

p += 2;

1012

Jerry Yu

2022-09-30 11:08:57 +0800

[diff] [blame]

1013

#if defined(MBEDTLS_SSL_SESSION_TICKETS)

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1014

if (ssl_tls13_ticket_get_psk(ssl, &hash_alg, &psk, &psk_len) == 0) {

Jerry Yu

2022-09-30 11:08:57 +0800

[diff] [blame]

1015

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1016

ret = ssl_tls13_write_binder(ssl, p, end,

1017

MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION,

1018

hash_alg, psk, psk_len,

&output_len);

if (ret != 0) {

return ret;

}

Jerry Yu

2022-09-28 22:11:02 +0800

[diff] [blame]

1023

p += output_len;

1024

}

Jerry Yu

2022-09-30 11:08:57 +0800

[diff] [blame]

1025

#endif /* MBEDTLS_SSL_SESSION_TICKETS */

Jerry Yu

2022-09-28 22:11:02 +0800

[diff] [blame]

1026

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1027

if (ssl_tls13_psk_get_psk(ssl, &hash_alg, &psk, &psk_len) == 0) {

Jerry Yu

2022-09-30 11:08:57 +0800

[diff] [blame]

1028

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1029

ret = ssl_tls13_write_binder(ssl, p, end,

1030

MBEDTLS_SSL_TLS1_3_PSK_EXTERNAL,

1031

hash_alg, psk, psk_len,

&output_len);

if (ret != 0) {

return ret;

}

Jerry Yu

2022-09-28 22:11:02 +0800

[diff] [blame]

p += output_len;

}

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1039

MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, adding PSK binder list."));

Jerry Yu

2022-09-28 22:11:02 +0800

[diff] [blame]

1040

1041

/*

1042

* - binders_len (2 bytes)

1043

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1044

MBEDTLS_PUT_UINT16_BE(p - buf - 2, buf, 0);

Jerry Yu

2022-09-28 22:11:02 +0800

[diff] [blame]

1045

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1046

MBEDTLS_SSL_DEBUG_BUF(3, "pre_shared_key binders", buf, p - buf);

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

1047

Jerry Yu

2022-10-29 09:08:47 +0800

[diff] [blame]

1048

mbedtls_ssl_tls13_set_hs_sent_ext_mask(

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1049

ssl, MBEDTLS_TLS_EXT_PRE_SHARED_KEY);

Jerry Yu

2022-08-29 15:25:36 +0800

[diff] [blame]

1050

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1051

return 0;

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

1052

}

Jerry Yu

0c6105b

2022-08-12 17:26:40 +0800

[diff] [blame]

/*

* struct {

* opaque identity<1..2^16-1>;

1057

* uint32 obfuscated_ticket_age;

1058

* } PskIdentity;

1059

*

1060

* opaque PskBinderEntry<32..255>;

*

* struct {

*

* select (Handshake.msg_type) {

1065

* ...

1066

* case server_hello: uint16 selected_identity;

1067

* };

1068

*

1069

* } PreSharedKeyExtension;

1070

*

1071

*/

1072

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1073

static int ssl_tls13_parse_server_pre_shared_key_ext(mbedtls_ssl_context *ssl,

1074

const unsigned char *buf,

1075

const unsigned char *end)

Jerry Yu

0c6105b

2022-08-12 17:26:40 +0800

[diff] [blame]

1076

{

Jerry Yu

2022-10-08 11:17:14 +0800

[diff] [blame]

1077

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

Jerry Yu

2022-09-28 22:12:07 +0800

[diff] [blame]

1078

int selected_identity;

Jerry Yu

2022-09-28 22:12:07 +0800

[diff] [blame]

1079

const unsigned char *psk;

1080

size_t psk_len;

Jerry Yu

2022-10-08 11:17:14 +0800

[diff] [blame]

1081

psa_algorithm_t hash_alg;

Jerry Yu

2022-09-28 22:12:07 +0800

[diff] [blame]

1082

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1083

MBEDTLS_SSL_CHK_BUF_READ_PTR(buf, end, 2);

1084

selected_identity = MBEDTLS_GET_UINT16_BE(buf, 0);

Xiaokang Qian

2a67493

2023-01-04 03:15:09 +0000

[diff] [blame]

1085

ssl->handshake->selected_identity = (uint16_t) selected_identity;

Jerry Yu

2022-10-08 11:17:14 +0800

[diff] [blame]

1086

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1087

MBEDTLS_SSL_DEBUG_MSG(3, ("selected_identity = %d", selected_identity));

Jerry Yu

2022-10-08 11:17:14 +0800

[diff] [blame]

1088

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1089

if (selected_identity >= ssl_tls13_get_configured_psk_count(ssl)) {

1090

MBEDTLS_SSL_DEBUG_MSG(1, ("Invalid PSK identity."));

Jerry Yu

4a69834

2022-09-30 12:22:01 +0800

[diff] [blame]

1091

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1092

MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,

1093

MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);

1094

return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;

Jerry Yu

2022-09-28 22:12:07 +0800

[diff] [blame]

1095

}

Jerry Yu

2022-10-08 11:17:14 +0800

[diff] [blame]

1096

Jerry Yu

4a69834

2022-09-30 12:22:01 +0800

[diff] [blame]

1097

#if defined(MBEDTLS_SSL_SESSION_TICKETS)

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1098

if (selected_identity == 0 && ssl_tls13_has_configured_ticket(ssl)) {

1099

ret = ssl_tls13_ticket_get_psk(ssl, &hash_alg, &psk, &psk_len);

1100

} else

Jerry Yu

4a69834

2022-09-30 12:22:01 +0800

[diff] [blame]

1101

#endif

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1102

if (mbedtls_ssl_conf_has_static_psk(ssl->conf)) {

1103

ret = ssl_tls13_psk_get_psk(ssl, &hash_alg, &psk, &psk_len);

1104

} else {

1105

MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));

1106

return MBEDTLS_ERR_SSL_INTERNAL_ERROR;

Jerry Yu

2022-09-28 22:12:07 +0800

[diff] [blame]

1107

}

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1108

if (ret != 0) {

1109

return ret;

Jerry Yu

2022-09-28 22:12:07 +0800

[diff] [blame]

1110

}

Jerry Yu

2022-09-28 22:12:07 +0800

[diff] [blame]

1111

Dave Rodgman

2eab462

2023-10-05 13:30:37 +0100

[diff] [blame]

1112

if (mbedtls_md_psa_alg_from_type((mbedtls_md_type_t) ssl->handshake->ciphersuite_info->mac)

Xiaokang Qian

eb31cbc

2023-02-07 02:08:56 +0000

[diff] [blame]

1113

!= hash_alg) {

1114

MBEDTLS_SSL_DEBUG_MSG(

1115

1, ("Invalid ciphersuite for external psk."));

1116

1117

MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,

1118

MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);

1119

return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;

1120

}

1121

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1122

ret = mbedtls_ssl_set_hs_psk(ssl, psk, psk_len);

1123

if (ret != 0) {

1124

MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_set_hs_psk", ret);

return ret;

}

return 0;

Jerry Yu

0c6105b

2022-08-12 17:26:40 +0800

[diff] [blame]

1129

}

Ronald Cron

2022-10-04 16:38:25 +0200

[diff] [blame]

1130

#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

1131

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1132

int mbedtls_ssl_tls13_write_client_hello_exts(mbedtls_ssl_context *ssl,

1133

unsigned char *buf,

1134

unsigned char *end,

1135

size_t *out_len)

Ronald Cron

2022-02-18 12:06:07 +0100

[diff] [blame]

1136

{

1137

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

1138

unsigned char *p = buf;

size_t ext_len;

*out_len = 0;

/* Write supported_versions extension

1144

*

1145

* Supported Versions Extension is mandatory with TLS 1.3.

1146

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1147

ret = ssl_tls13_write_supported_versions_ext(ssl, p, end, &ext_len);

1148

if (ret != 0) {

1149

return ret;

1150

}

Ronald Cron

2022-02-18 12:06:07 +0100

[diff] [blame]

1151

p += ext_len;

1152

1153

/* Echo the cookie if the server provided one in its preceding

1154

* HelloRetryRequest message.

1155

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1156

ret = ssl_tls13_write_cookie_ext(ssl, p, end, &ext_len);

1157

if (ret != 0) {

1158

return ret;

1159

}

Ronald Cron

2022-02-18 12:06:07 +0100

[diff] [blame]

1160

p += ext_len;

1161

Yanray Wang

42017cd

2023-11-08 11:15:23 +0800

[diff] [blame]

1162

#if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)

1163

ret = mbedtls_ssl_tls13_write_record_size_limit_ext(

Waleed Elmelegy

148dfb6

2024-01-04 18:02:35 +0000

[diff] [blame]

1164

ssl, p, end, &ext_len);

Yanray Wang

42017cd

2023-11-08 11:15:23 +0800

[diff] [blame]

if (ret != 0) {

return ret;

}

p += ext_len;

#endif

Ronald Cron

2022-10-18 12:17:11 +0200

[diff] [blame]

1171

#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)

Pengyu Lv

2023-11-14 11:03:32 +0800

[diff] [blame]

1172

if (mbedtls_ssl_conf_tls13_is_some_ephemeral_enabled(ssl)) {

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1173

ret = ssl_tls13_write_key_share_ext(ssl, p, end, &ext_len);

1174

if (ret != 0) {

1175

return ret;

1176

}

Ronald Cron

2022-02-18 12:06:07 +0100

[diff] [blame]

1177

p += ext_len;

1178

}

Ronald Cron

766c0cd

2022-10-18 12:17:11 +0200

[diff] [blame]

1179

#endif

Ronald Cron

2022-02-18 12:06:07 +0100

[diff] [blame]

1180

Xiaokang Qian

0e97d4d

2022-10-24 11:12:51 +0000

[diff] [blame]

1181

#if defined(MBEDTLS_SSL_EARLY_DATA)

Ronald Cron

84dfbf4

2024-02-14 10:38:09 +0100

[diff] [blame]

1182

/* In the first ClientHello, write the early data indication extension if

Ronald Cron

2024-03-03 15:03:22 +0100

[diff] [blame]

1183

* necessary and update the early data state.

Ronald Cron

84dfbf4

2024-02-14 10:38:09 +0100

[diff] [blame]

1184

* If an HRR has been received and thus we are currently writing the

1185

* second ClientHello, the second ClientHello must not contain an early

Ronald Cron

2024-03-03 15:03:22 +0100

[diff] [blame]

1186

* data extension and the early data state must stay as it is:

Ronald Cron

2024-03-03 15:46:57 +0100

[diff] [blame]

1187

* MBEDTLS_SSL_EARLY_DATA_STATE_NO_IND_SENT or

Ronald Cron

2024-03-03 15:03:22 +0100

[diff] [blame]

1188

* MBEDTLS_SSL_EARLY_DATA_STATE_REJECTED.

Ronald Cron

84dfbf4

2024-02-14 10:38:09 +0100

[diff] [blame]

1189

*/

Ronald Cron

2024-02-14 10:03:36 +0100

[diff] [blame]

1190

if (!ssl->handshake->hello_retry_request_flag) {

Ronald Cron

2024-01-22 15:24:21 +0100

[diff] [blame]

1191

if (mbedtls_ssl_conf_tls13_is_some_psk_enabled(ssl) &&

1192

ssl_tls13_early_data_has_valid_ticket(ssl) &&

1193

ssl->conf->early_data_enabled == MBEDTLS_SSL_EARLY_DATA_ENABLED) {

1194

ret = mbedtls_ssl_tls13_write_early_data_ext(

1195

ssl, 0, p, end, &ext_len);

if (ret != 0) {

return ret;

}

p += ext_len;

Jerry Yu

5233539

2023-11-23 18:06:06 +0800

[diff] [blame]

1200

Ronald Cron

3641df2

2024-03-03 16:10:58 +0100

[diff] [blame]

1201

ssl->early_data_state = MBEDTLS_SSL_EARLY_DATA_STATE_IND_SENT;

Ronald Cron

2024-01-22 15:24:21 +0100

[diff] [blame]

1202

} else {

Ronald Cron

2024-03-03 15:46:57 +0100

[diff] [blame]

1203

ssl->early_data_state = MBEDTLS_SSL_EARLY_DATA_STATE_NO_IND_SENT;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1204

}

Xiaokang Qian

0e97d4d

2022-10-24 11:12:51 +0000

[diff] [blame]

1205

}

1206

#endif /* MBEDTLS_SSL_EARLY_DATA */

1207

Ronald Cron

2022-10-04 16:38:25 +0200

[diff] [blame]

1208

#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

1209

/* For PSK-based key exchange we need the pre_shared_key extension

1210

* and the psk_key_exchange_modes extension.

1211

*

1212

* The pre_shared_key extension MUST be the last extension in the

1213

* ClientHello. Servers MUST check that it is the last extension and

1214

* otherwise fail the handshake with an "illegal_parameter" alert.

1215

*

1216

* Add the psk_key_exchange_modes extension.

1217

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1218

ret = ssl_tls13_write_psk_key_exchange_modes_ext(ssl, p, end, &ext_len);

1219

if (ret != 0) {

1220

return ret;

1221

}

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

1222

p += ext_len;

Ronald Cron

2022-10-04 16:38:25 +0200

[diff] [blame]

1223

#endif

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

1224

Ronald Cron

2022-02-18 12:06:07 +0100

[diff] [blame]

1225

*out_len = p - buf;

1226

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1227

return 0;

Ronald Cron

2022-02-18 12:06:07 +0100

[diff] [blame]

1228

}

1229

Xiaokang Qian

934ce6f

2023-02-06 10:23:04 +0000

[diff] [blame]

1230

int mbedtls_ssl_tls13_finalize_client_hello(mbedtls_ssl_context *ssl)

Xiaokang Qian

2023-01-03 10:29:41 +0000

[diff] [blame]

1231

{

Xiaokang Qian

9074613

2023-01-06 05:54:59 +0000

[diff] [blame]

1232

((void) ssl);

Xiaokang Qian

79f7752

2023-01-28 10:35:29 +0000

[diff] [blame]

1233

Xiaokang Qian

2023-01-03 10:29:41 +0000

[diff] [blame]

1234

#if defined(MBEDTLS_SSL_EARLY_DATA)

1235

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

1236

psa_algorithm_t hash_alg = PSA_ALG_NONE;

1237

const unsigned char *psk;

1238

size_t psk_len;

1239

const mbedtls_ssl_ciphersuite_t *ciphersuite_info;

Xiaokang Qian

592021a

2023-01-04 10:47:05 +0000

[diff] [blame]

1240

Ronald Cron

3641df2

2024-03-03 16:10:58 +0100

[diff] [blame]

1241

if (ssl->early_data_state == MBEDTLS_SSL_EARLY_DATA_STATE_IND_SENT) {

Xiaokang Qian

2023-01-03 10:29:41 +0000

[diff] [blame]

1242

MBEDTLS_SSL_DEBUG_MSG(

1243

1, ("Set hs psk for early data when writing the first psk"));

1244

1245

ret = ssl_tls13_ticket_get_psk(ssl, &hash_alg, &psk, &psk_len);

1246

if (ret != 0) {

1247

MBEDTLS_SSL_DEBUG_RET(

1248

1, "ssl_tls13_ticket_get_psk", ret);

return ret;

}

ret = mbedtls_ssl_set_hs_psk(ssl, psk, psk_len);

1253

if (ret != 0) {

1254

MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_set_hs_psk", ret);

return ret;

}

Xiaokang Qian

2023-02-07 02:32:23 +0000

[diff] [blame]

1258

/*

1259

* Early data are going to be encrypted using the ciphersuite

1260

* associated with the pre-shared key used for the handshake.

1261

* Note that if the server rejects early data, the handshake

1262

* based on the pre-shared key may complete successfully

1263

* with a selected ciphersuite different from the ciphersuite

1264

* associated with the pre-shared key. Only the hashes of the

1265

* two ciphersuites have to be the same. In that case, the

1266

* encrypted handshake data and application data are

1267

* encrypted using a different ciphersuite than the one used for

1268

* the rejected early data.

1269

*/

Xiaokang Qian

2023-01-03 10:29:41 +0000

[diff] [blame]

1270

ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(

1271

ssl->session_negotiate->ciphersuite);

1272

ssl->handshake->ciphersuite_info = ciphersuite_info;

Xiaokang Qian

8dc4ce7

2023-02-07 10:49:50 +0000

[diff] [blame]

1273

Tom Cosgrove

5c8505f

2023-03-07 11:39:52 +0000

[diff] [blame]

1274

/* Enable psk and psk_ephemeral to make stage early happy */

Xiaokang Qian

2023-01-03 10:29:41 +0000

[diff] [blame]

1275

ssl->handshake->key_exchange_mode =

1276

MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL;

1277

1278

/* Start the TLS 1.3 key schedule:

Xiaokang Qian

8dc4ce7

2023-02-07 10:49:50 +0000

[diff] [blame]

1279

* Set the PSK and derive early secret.

Xiaokang Qian

2023-01-03 10:29:41 +0000

[diff] [blame]

1280

*/

1281

ret = mbedtls_ssl_tls13_key_schedule_stage_early(ssl);

1282

if (ret != 0) {

Xiaokang Qian

2023-02-08 06:04:50 +0000

[diff] [blame]

1283

MBEDTLS_SSL_DEBUG_RET(

1284

1, "mbedtls_ssl_tls13_key_schedule_stage_early", ret);

Xiaokang Qian

2023-01-03 10:29:41 +0000

[diff] [blame]

return ret;

}

/* Derive early data key material */

1289

ret = mbedtls_ssl_tls13_compute_early_transform(ssl);

1290

if (ret != 0) {

Xiaokang Qian

2023-02-08 06:04:50 +0000

[diff] [blame]

1291

MBEDTLS_SSL_DEBUG_RET(

1292

1, "mbedtls_ssl_tls13_compute_early_transform", ret);

Xiaokang Qian

2023-01-03 10:29:41 +0000

[diff] [blame]

return ret;

}

Ronald Cron

2024-01-19 08:15:33 +0100

[diff] [blame]

1296

#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)

1297

mbedtls_ssl_handshake_set_state(

1298

ssl, MBEDTLS_SSL_CLIENT_CCS_AFTER_CLIENT_HELLO);

1299

#else

1300

MBEDTLS_SSL_DEBUG_MSG(

1301

1, ("Switch to early data keys for outbound traffic"));

1302

mbedtls_ssl_set_outbound_transform(

1303

ssl, ssl->handshake->transform_earlydata);

Ronald Cron

2024-03-03 15:03:22 +0100

[diff] [blame]

1304

ssl->early_data_state = MBEDTLS_SSL_EARLY_DATA_STATE_CAN_WRITE;

Ronald Cron

297c608

2024-01-19 08:15:33 +0100

[diff] [blame]

1305

#endif

Xiaokang Qian

2023-01-03 10:29:41 +0000

[diff] [blame]

1306

}

1307

#endif /* MBEDTLS_SSL_EARLY_DATA */

1308

return 0;

1309

}

Jerry Yu

1bc2c1f

2021-09-01 12:57:29 +0800

[diff] [blame]

1310

/*

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1311

* Functions for parsing and processing Server Hello

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1312

*/

Ronald Cron

2022-04-05 11:04:20 +0200

[diff] [blame]

1313

Ronald Cron

da41b38

2022-03-30 09:57:11 +0200

[diff] [blame]

1314

/**

1315

* \brief Detect if the ServerHello contains a supported_versions extension

1316

* or not.

1317

*

1318

* \param[in] ssl SSL context

1319

* \param[in] buf Buffer containing the ServerHello message

1320

* \param[in] end End of the buffer containing the ServerHello message

1321

*

1322

* \return 0 if the ServerHello does not contain a supported_versions extension

1323

* \return 1 if the ServerHello contains a supported_versions extension

1324

* \return A negative value if an error occurred while parsing the ServerHello.

1325

*/

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

1326

MBEDTLS_CHECK_RETURN_CRITICAL

Ronald Cron

2022-02-10 16:45:15 +0100

[diff] [blame]

1327

static int ssl_tls13_is_supported_versions_ext_present(

1328

mbedtls_ssl_context *ssl,

1329

const unsigned char *buf,

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1330

const unsigned char *end)

Ronald Cron

2022-02-10 16:45:15 +0100

[diff] [blame]

1331

{

1332

const unsigned char *p = buf;

1333

size_t legacy_session_id_echo_len;

Ronald Cron

eff5673

2023-04-03 17:36:31 +0200

[diff] [blame]

1334

const unsigned char *supported_versions_data;

1335

const unsigned char *supported_versions_data_end;

Ronald Cron

2022-02-10 16:45:15 +0100

[diff] [blame]

1336

1337

/*

1338

* Check there is enough data to access the legacy_session_id_echo vector

Ronald Cron

da41b38

2022-03-30 09:57:11 +0200

[diff] [blame]

1339

* length:

1340

* - legacy_version 2 bytes

1341

* - random MBEDTLS_SERVER_HELLO_RANDOM_LEN bytes

1342

* - legacy_session_id_echo length 1 byte

Ronald Cron

2022-02-10 16:45:15 +0100

[diff] [blame]

1343

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1344

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, MBEDTLS_SERVER_HELLO_RANDOM_LEN + 3);

Ronald Cron

2022-02-10 16:45:15 +0100

[diff] [blame]

1345

p += MBEDTLS_SERVER_HELLO_RANDOM_LEN + 2;

1346

legacy_session_id_echo_len = *p;

1347

1348

/*

1349

* Jump to the extensions, jumping over:

1350

* - legacy_session_id_echo (legacy_session_id_echo_len + 1) bytes

1351

* - cipher_suite 2 bytes

1352

* - legacy_compression_method 1 byte

1353

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1354

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, legacy_session_id_echo_len + 4);

1355

p += legacy_session_id_echo_len + 4;

Ronald Cron

2022-02-10 16:45:15 +0100

[diff] [blame]

1356

Ronald Cron

47dce63

2023-02-08 17:38:29 +0100

[diff] [blame]

1357

return mbedtls_ssl_tls13_is_supported_versions_ext_present_in_exts(

1358

ssl, p, end,

Ronald Cron

eff5673

2023-04-03 17:36:31 +0200

[diff] [blame]

1359

&supported_versions_data, &supported_versions_data_end);

Ronald Cron

2022-02-10 16:45:15 +0100

[diff] [blame]

1360

}

1361

Jerry Yu

7a186a0

2021-10-15 18:46:14 +0800

[diff] [blame]

1362

/* Returns a negative value on failure, and otherwise

Ronald Cron

2022-04-05 11:04:20 +0200

[diff] [blame]

1363

* - 1 if the last eight bytes of the ServerHello random bytes indicate that

1364

* the server is TLS 1.3 capable but negotiating TLS 1.2 or below.

1365

* - 0 otherwise

1366

*/

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

1367

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1368

static int ssl_tls13_is_downgrade_negotiation(mbedtls_ssl_context *ssl,

1369

const unsigned char *buf,

1370

const unsigned char *end)

Ronald Cron

2022-04-05 11:04:20 +0200

[diff] [blame]

1371

{

1372

/* First seven bytes of the magic downgrade strings, see RFC 8446 4.1.3 */

1373

static const unsigned char magic_downgrade_string[] =

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1374

{ 0x44, 0x4F, 0x57, 0x4E, 0x47, 0x52, 0x44 };

Ronald Cron

2022-04-05 11:04:20 +0200

[diff] [blame]

1375

const unsigned char *last_eight_bytes_of_random;

1376

unsigned char last_byte_of_random;

1377

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1378

MBEDTLS_SSL_CHK_BUF_READ_PTR(buf, end, MBEDTLS_SERVER_HELLO_RANDOM_LEN + 2);

Ronald Cron

2022-04-05 11:04:20 +0200

[diff] [blame]

1379

last_eight_bytes_of_random = buf + 2 + MBEDTLS_SERVER_HELLO_RANDOM_LEN - 8;

1380

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1381

if (memcmp(last_eight_bytes_of_random,

1382

magic_downgrade_string,

1383

sizeof(magic_downgrade_string)) == 0) {

Ronald Cron

2022-04-05 11:04:20 +0200

[diff] [blame]

1384

last_byte_of_random = last_eight_bytes_of_random[7];

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1385

return last_byte_of_random == 0 ||

1386

last_byte_of_random == 1;

Ronald Cron

2022-04-05 11:04:20 +0200

[diff] [blame]

1387

}

1388

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1389

return 0;

Ronald Cron

2022-04-05 11:04:20 +0200

[diff] [blame]

1390

}

1391

1392

/* Returns a negative value on failure, and otherwise

Ronald Cron

2022-05-31 12:04:31 +0200

[diff] [blame]

1393

* - SSL_SERVER_HELLO or

1394

* - SSL_SERVER_HELLO_HRR

XiaokangQian

51eff22

2021-12-10 10:33:56 +0000

[diff] [blame]

1395

* to indicate which message is expected and to be parsed next.

1396

*/

Ronald Cron

2022-05-31 12:04:31 +0200

[diff] [blame]

1397

#define SSL_SERVER_HELLO 0

1398

#define SSL_SERVER_HELLO_HRR 1

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

1399

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1400

static int ssl_server_hello_is_hrr(mbedtls_ssl_context *ssl,

1401

const unsigned char *buf,

1402

const unsigned char *end)

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1403

{

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1404

1405

/* Check whether this message is a HelloRetryRequest ( HRR ) message.

1406

*

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1407

* Server Hello and HRR are only distinguished by Random set to the

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1408

* special value of the SHA-256 of "HelloRetryRequest".

1409

*

1410

* struct {

1411

* ProtocolVersion legacy_version = 0x0303;

1412

* Random random;

1413

* opaque legacy_session_id_echo<0..32>;

1414

* CipherSuite cipher_suite;

1415

* uint8 legacy_compression_method = 0;

Jerry Yu

2021-10-13 13:36:05 +0800

[diff] [blame]

1416

* Extension extensions<6..2^16-1>;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1417

* } ServerHello;

1418

*

1419

*/

Xiaokang Qian

2023-03-29 10:37:35 +0000

[diff] [blame]

1420

MBEDTLS_SSL_CHK_BUF_READ_PTR(

1421

buf, end, 2 + sizeof(mbedtls_ssl_tls13_hello_retry_request_magic));

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1422

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1423

if (memcmp(buf + 2, mbedtls_ssl_tls13_hello_retry_request_magic,

1424

sizeof(mbedtls_ssl_tls13_hello_retry_request_magic)) == 0) {

1425

return SSL_SERVER_HELLO_HRR;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1426

}

1427

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1428

return SSL_SERVER_HELLO;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1429

}

1430

Ronald Cron

2022-05-31 12:04:31 +0200

[diff] [blame]

1431

/*

Jerry Yu

2021-10-13 22:01:04 +0800

[diff] [blame]

1432

* Returns a negative value on failure, and otherwise

Ronald Cron

2022-05-31 12:04:31 +0200

[diff] [blame]

1433

* - SSL_SERVER_HELLO or

1434

* - SSL_SERVER_HELLO_HRR or

1435

* - SSL_SERVER_HELLO_TLS1_2

Jerry Yu

2021-10-13 22:01:04 +0800

[diff] [blame]

1436

*/

Ronald Cron

2022-05-31 12:04:31 +0200

[diff] [blame]

1437

#define SSL_SERVER_HELLO_TLS1_2 2

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

1438

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1439

static int ssl_tls13_preprocess_server_hello(mbedtls_ssl_context *ssl,

1440

const unsigned char *buf,

1441

const unsigned char *end)

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1442

{

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1443

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

Ronald Cron

5afb904

2022-05-31 12:11:39 +0200

[diff] [blame]

1444

mbedtls_ssl_handshake_params *handshake = ssl->handshake;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1445

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1446

MBEDTLS_SSL_PROC_CHK_NEG(ssl_tls13_is_supported_versions_ext_present(

1447

ssl, buf, end));

Jerry Yu

a66fece

2022-07-13 14:30:29 +0800

[diff] [blame]

1448

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1449

if (ret == 0) {

Ronald Cron

2022-04-05 11:04:20 +0200

[diff] [blame]

1450

MBEDTLS_SSL_PROC_CHK_NEG(

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1451

ssl_tls13_is_downgrade_negotiation(ssl, buf, end));

Ronald Cron

2022-04-05 11:04:20 +0200

[diff] [blame]

1452

1453

/* If the server is negotiating TLS 1.2 or below and:

1454

* . we did not propose TLS 1.2 or

1455

* . the server responded it is TLS 1.3 capable but negotiating a lower

1456

* version of the protocol and thus we are under downgrade attack

1457

* abort the handshake with an "illegal parameter" alert.

Ronald Cron

2022-02-10 16:45:15 +0100

[diff] [blame]

1458

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1459

if (handshake->min_tls_version > MBEDTLS_SSL_VERSION_TLS1_2 || ret) {

1460

MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,

1461

MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);

1462

return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;

Ronald Cron

2022-02-10 16:45:15 +0100

[diff] [blame]

1463

}

1464

Ronald Cron

b828c7d

2023-04-03 16:37:22 +0200

[diff] [blame]

1465

/*

1466

* Version 1.2 of the protocol has been negotiated, set the

1467

* ssl->keep_current_message flag for the ServerHello to be kept and

1468

* parsed as a TLS 1.2 ServerHello. We also change ssl->tls_version to

1469

* MBEDTLS_SSL_VERSION_TLS1_2 thus from now on mbedtls_ssl_handshake_step()

1470

* will dispatch to the TLS 1.2 state machine.

1471

*/

Ronald Cron

2022-02-10 16:45:15 +0100

[diff] [blame]

1472

ssl->keep_current_message = 1;

Glenn Strauss

60bfe60

2022-03-14 19:04:24 -0400

[diff] [blame]

1473

ssl->tls_version = MBEDTLS_SSL_VERSION_TLS1_2;

Xiaokang Qian

2023-03-29 10:37:35 +0000

[diff] [blame]

1474

MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(

1475

ssl, MBEDTLS_SSL_HS_SERVER_HELLO,

1476

buf, (size_t) (end - buf)));

Ronald Cron

2022-02-10 16:45:15 +0100

[diff] [blame]

1477

Pengyu Lv

2023-11-14 11:03:32 +0800

[diff] [blame]

1478

if (mbedtls_ssl_conf_tls13_is_some_ephemeral_enabled(ssl)) {

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1479

ret = ssl_tls13_reset_key_share(ssl);

1480

if (ret != 0) {

1481

return ret;

1482

}

Ronald Cron

2022-02-10 16:45:15 +0100

[diff] [blame]

1483

}

1484

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1485

return SSL_SERVER_HELLO_TLS1_2;

Ronald Cron

2022-02-10 16:45:15 +0100

[diff] [blame]

1486

}

1487

Jerry Yu

a66fece

2022-07-13 14:30:29 +0800

[diff] [blame]

1488

ssl->session_negotiate->tls_version = ssl->tls_version;

Ronald Cron

17ef8df

2023-11-22 10:29:42 +0100

[diff] [blame]

1489

ssl->session_negotiate->endpoint = ssl->conf->endpoint;

Jerry Yu

a66fece

2022-07-13 14:30:29 +0800

[diff] [blame]

1490

Jerry Yu

50e00e3

2022-10-31 14:45:01 +0800

[diff] [blame]

1491

handshake->received_extensions = MBEDTLS_SSL_EXT_MASK_NONE;

Ronald Cron

5afb904

2022-05-31 12:11:39 +0200

[diff] [blame]

1492

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1493

ret = ssl_server_hello_is_hrr(ssl, buf, end);

1494

switch (ret) {

Ronald Cron

2022-05-31 12:04:31 +0200

[diff] [blame]

1495

case SSL_SERVER_HELLO:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1496

MBEDTLS_SSL_DEBUG_MSG(2, ("received ServerHello message"));

Jerry Yu

2021-10-13 22:01:04 +0800

[diff] [blame]

1497

break;

Ronald Cron

2022-05-31 12:04:31 +0200

[diff] [blame]

1498

case SSL_SERVER_HELLO_HRR:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1499

MBEDTLS_SSL_DEBUG_MSG(2, ("received HelloRetryRequest message"));

Xiaokang Qian

2023-03-29 10:37:35 +0000

[diff] [blame]

1500

/* If a client receives a second HelloRetryRequest in the same

1501

* connection (i.e., where the ClientHello was itself in response

1502

* to a HelloRetryRequest), it MUST abort the handshake with an

1503

* "unexpected_message" alert.

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1504

*/

Ronald Cron

2024-02-14 10:03:36 +0100

[diff] [blame]

1505

if (handshake->hello_retry_request_flag) {

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1506

MBEDTLS_SSL_DEBUG_MSG(1, ("Multiple HRRs received"));

Xiaokang Qian

2023-03-29 10:37:35 +0000

[diff] [blame]

1507

MBEDTLS_SSL_PEND_FATAL_ALERT(

1508

MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE,

1509

MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE);

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1510

return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;

XiaokangQian

2022-01-14 07:35:47 +0000

[diff] [blame]

1511

}

XiaokangQian

2b01dc3

2022-01-21 02:53:13 +0000

[diff] [blame]

1512

/*

1513

* Clients must abort the handshake with an "illegal_parameter"

1514

* alert if the HelloRetryRequest would not result in any change

1515

* in the ClientHello.

1516

* In a PSK only key exchange that what we expect.

1517

*/

Pengyu Lv

2023-11-14 11:03:32 +0800

[diff] [blame]

1518

if (!mbedtls_ssl_conf_tls13_is_some_ephemeral_enabled(ssl)) {

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1519

MBEDTLS_SSL_DEBUG_MSG(1,

1520

("Unexpected HRR in pure PSK key exchange."));

XiaokangQian

2b01dc3

2022-01-21 02:53:13 +0000

[diff] [blame]

1521

MBEDTLS_SSL_PEND_FATAL_ALERT(

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1522

MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,

1523

MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);

1524

return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;

XiaokangQian

2b01dc3

2022-01-21 02:53:13 +0000

[diff] [blame]

1525

}

XiaokangQian

2022-01-14 07:35:47 +0000

[diff] [blame]

1526

Ronald Cron

2024-02-14 10:03:36 +0100

[diff] [blame]

1527

handshake->hello_retry_request_flag = 1;

XiaokangQian

2022-01-14 07:35:47 +0000

[diff] [blame]

1528

Jerry Yu

2021-10-13 22:01:04 +0800

[diff] [blame]

1529

break;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

}

cleanup:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1534

return ret;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1535

}

1536

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

1537

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1538

static int ssl_tls13_check_server_hello_session_id_echo(mbedtls_ssl_context *ssl,

1539

const unsigned char **buf,

1540

const unsigned char *end)

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1541

{

1542

const unsigned char *p = *buf;

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1543

size_t legacy_session_id_echo_len;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1544

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1545

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 1);

1546

legacy_session_id_echo_len = *p++;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1547

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1548

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, legacy_session_id_echo_len);

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1549

1550

/* legacy_session_id_echo */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1551

if (ssl->session_negotiate->id_len != legacy_session_id_echo_len ||

1552

memcmp(ssl->session_negotiate->id, p, legacy_session_id_echo_len) != 0) {

1553

MBEDTLS_SSL_DEBUG_BUF(3, "Expected Session ID",

1554

ssl->session_negotiate->id,

1555

ssl->session_negotiate->id_len);

1556

MBEDTLS_SSL_DEBUG_BUF(3, "Received Session ID", p,

1557

legacy_session_id_echo_len);

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1558

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1559

MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,

1560

MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1561

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1562

return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1563

}

1564

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1565

p += legacy_session_id_echo_len;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1566

*buf = p;

1567

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1568

MBEDTLS_SSL_DEBUG_BUF(3, "Session ID", ssl->session_negotiate->id,

1569

ssl->session_negotiate->id_len);

1570

return 0;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1571

}

1572

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1573

/* Parse ServerHello message and configure context

1574

*

1575

* struct {

1576

* ProtocolVersion legacy_version = 0x0303; // TLS 1.2

1577

* Random random;

1578

* opaque legacy_session_id_echo<0..32>;

1579

* CipherSuite cipher_suite;

1580

* uint8 legacy_compression_method = 0;

Jerry Yu

2021-10-13 13:36:05 +0800

[diff] [blame]

1581

* Extension extensions<6..2^16-1>;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1582

* } ServerHello;

1583

*/

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

1584

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1585

static int ssl_tls13_parse_server_hello(mbedtls_ssl_context *ssl,

1586

const unsigned char *buf,

1587

const unsigned char *end,

1588

int is_hrr)

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1589

{

Jerry Yu

2021-10-13 13:36:05 +0800

[diff] [blame]

1590

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1591

const unsigned char *p = buf;

XiaokangQian

2022-01-20 11:14:50 +0000

[diff] [blame]

1592

mbedtls_ssl_handshake_params *handshake = ssl->handshake;

Jerry Yu

2021-10-13 13:36:05 +0800

[diff] [blame]

1593

size_t extensions_len;

1594

const unsigned char *extensions_end;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1595

uint16_t cipher_suite;

Jerry Yu

de4fb2c

2021-09-19 18:05:08 +0800

[diff] [blame]

1596

const mbedtls_ssl_ciphersuite_t *ciphersuite_info;

XiaokangQian

b119a35

2022-01-26 03:29:10 +0000

[diff] [blame]

1597

int fatal_alert = 0;

Jerry Yu

2022-08-29 15:25:36 +0800

[diff] [blame]

1598

uint32_t allowed_extensions_mask;

Jerry Yu

50e00e3

2022-10-31 14:45:01 +0800

[diff] [blame]

1599

int hs_msg_type = is_hrr ? MBEDTLS_SSL_TLS1_3_HS_HELLO_RETRY_REQUEST :

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1600

MBEDTLS_SSL_HS_SERVER_HELLO;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1601

1602

/*

1603

* Check there is space for minimal fields

1604

*

1605

* - legacy_version ( 2 bytes)

Jerry Yu

2021-10-26 10:44:32 +0800

[diff] [blame]

1606

* - random (MBEDTLS_SERVER_HELLO_RANDOM_LEN bytes)

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1607

* - legacy_session_id_echo ( 1 byte ), minimum size

1608

* - cipher_suite ( 2 bytes)

1609

* - legacy_compression_method ( 1 byte )

1610

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1611

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, MBEDTLS_SERVER_HELLO_RANDOM_LEN + 6);

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1612

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1613

MBEDTLS_SSL_DEBUG_BUF(4, "server hello", p, end - p);

1614

MBEDTLS_SSL_DEBUG_BUF(3, "server hello, version", p, 2);

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1615

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1616

/* ...

Jerry Yu

2021-10-13 13:36:05 +0800

[diff] [blame]

1617

* ProtocolVersion legacy_version = 0x0303; // TLS 1.2

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1618

* ...

1619

* with ProtocolVersion defined as:

1620

* uint16 ProtocolVersion;

1621

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1622

if (mbedtls_ssl_read_version(p, ssl->conf->transport) !=

1623

MBEDTLS_SSL_VERSION_TLS1_2) {

1624

MBEDTLS_SSL_DEBUG_MSG(1, ("Unsupported version of TLS."));

1625

MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION,

1626

MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION);

XiaokangQian

2022-01-24 10:12:51 +0000

[diff] [blame]

1627

ret = MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION;

1628

goto cleanup;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1629

}

1630

p += 2;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1631

Jerry Yu

2021-10-26 10:44:32 +0800

[diff] [blame]

1632

/* ...

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1633

* Random random;

1634

* ...

1635

* with Random defined as:

Jerry Yu

2021-10-26 10:44:32 +0800

[diff] [blame]

1636

* opaque Random[MBEDTLS_SERVER_HELLO_RANDOM_LEN];

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1637

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1638

if (!is_hrr) {

1639

memcpy(&handshake->randbytes[MBEDTLS_CLIENT_HELLO_RANDOM_LEN], p,

1640

MBEDTLS_SERVER_HELLO_RANDOM_LEN);

1641

MBEDTLS_SSL_DEBUG_BUF(3, "server hello, random bytes",

1642

p, MBEDTLS_SERVER_HELLO_RANDOM_LEN);

XiaokangQian

2022-01-18 10:47:33 +0000

[diff] [blame]

1643

}

Jerry Yu

2021-10-26 10:44:32 +0800

[diff] [blame]

1644

p += MBEDTLS_SERVER_HELLO_RANDOM_LEN;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1645

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1646

/* ...

1647

* opaque legacy_session_id_echo<0..32>;

1648

* ...

1649

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1650

if (ssl_tls13_check_server_hello_session_id_echo(ssl, &p, end) != 0) {

XiaokangQian

2022-01-26 09:49:29 +0000

[diff] [blame]

1651

fatal_alert = MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER;

XiaokangQian

2022-01-24 10:12:51 +0000

[diff] [blame]

1652

goto cleanup;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1653

}

1654

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1655

/* ...

1656

* CipherSuite cipher_suite;

1657

* ...

1658

* with CipherSuite defined as:

1659

* uint8 CipherSuite[2];

1660

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1661

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);

1662

cipher_suite = MBEDTLS_GET_UINT16_BE(p, 0);

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1663

p += 2;

1664

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1665

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1666

ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(cipher_suite);

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1667

/*

Ronald Cron

ba120bb

2022-03-30 22:09:48 +0200

[diff] [blame]

1668

* Check whether this ciphersuite is valid and offered.

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1669

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1670

if ((mbedtls_ssl_validate_ciphersuite(ssl, ciphersuite_info,

1671

ssl->tls_version,

1672

ssl->tls_version) != 0) ||

1673

!mbedtls_ssl_tls13_cipher_suite_is_offered(ssl, cipher_suite)) {

XiaokangQian

2022-01-26 09:49:29 +0000

[diff] [blame]

1674

fatal_alert = MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1675

}

XiaokangQian

2022-01-18 10:47:33 +0000

[diff] [blame]

1676

/*

XiaokangQian

2022-01-20 11:14:50 +0000

[diff] [blame]

1677

* If we received an HRR before and that the proposed selected

1678

* ciphersuite in this server hello is not the same as the one

1679

* proposed in the HRR, we abort the handshake and send an

1680

* "illegal_parameter" alert.

XiaokangQian

2022-01-18 10:47:33 +0000

[diff] [blame]

1681

*/

Ronald Cron

2024-02-14 10:03:36 +0100

[diff] [blame]

1682

else if ((!is_hrr) && handshake->hello_retry_request_flag &&

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1683

(cipher_suite != ssl->session_negotiate->ciphersuite)) {

XiaokangQian

2022-01-26 09:49:29 +0000

[diff] [blame]

1684

fatal_alert = MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER;

XiaokangQian

2022-01-20 11:14:50 +0000

[diff] [blame]

1685

}

XiaokangQian

2022-01-18 10:47:33 +0000

[diff] [blame]

1686

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1687

if (fatal_alert == MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER) {

1688

MBEDTLS_SSL_DEBUG_MSG(1, ("invalid ciphersuite(%04x) parameter",

1689

cipher_suite));

XiaokangQian

2022-01-24 10:12:51 +0000

[diff] [blame]

1690

goto cleanup;

XiaokangQian

2022-01-18 10:47:33 +0000

[diff] [blame]

1691

}

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1692

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1693

/* Configure ciphersuites */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1694

mbedtls_ssl_optimize_checksum(ssl, ciphersuite_info);

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1695

XiaokangQian

2022-01-20 11:14:50 +0000

[diff] [blame]

1696

handshake->ciphersuite_info = ciphersuite_info;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1697

MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, chosen ciphersuite: ( %04x ) - %s",

1698

cipher_suite, ciphersuite_info->name));

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1699

1700

#if defined(MBEDTLS_HAVE_TIME)

YxC

da60913

2023-05-22 12:08:12 -0700

[diff] [blame]

1701

ssl->session_negotiate->start = mbedtls_time(NULL);

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1702

#endif /* MBEDTLS_HAVE_TIME */

1703

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1704

/* ...

1705

* uint8 legacy_compression_method = 0;

1706

* ...

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1707

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1708

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 1);

1709

if (p[0] != MBEDTLS_SSL_COMPRESS_NULL) {

1710

MBEDTLS_SSL_DEBUG_MSG(1, ("bad legacy compression method"));

XiaokangQian

2022-01-26 09:49:29 +0000

[diff] [blame]

1711

fatal_alert = MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER;

XiaokangQian

2022-01-24 10:12:51 +0000

[diff] [blame]

1712

goto cleanup;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

}

p++;

Jerry Yu

2021-10-13 13:36:05 +0800

[diff] [blame]

1716

/* ...

1717

* Extension extensions<6..2^16-1>;

1718

* ...

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1719

* struct {

1720

* ExtensionType extension_type; (2 bytes)

1721

* opaque extension_data<0..2^16-1>;

1722

* } Extension;

1723

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1724

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);

1725

extensions_len = MBEDTLS_GET_UINT16_BE(p, 0);

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1726

p += 2;

Jerry Yu

de4fb2c

2021-09-19 18:05:08 +0800

[diff] [blame]

1727

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1728

/* Check extensions do not go beyond the buffer of data. */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1729

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, extensions_len);

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1730

extensions_end = p + extensions_len;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1731

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1732

MBEDTLS_SSL_DEBUG_BUF(3, "server hello extensions", p, extensions_len);

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1733

Jerry Yu

50e00e3

2022-10-31 14:45:01 +0800

[diff] [blame]

1734

handshake->received_extensions = MBEDTLS_SSL_EXT_MASK_NONE;

Jerry Yu

2022-08-29 15:25:36 +0800

[diff] [blame]

1735

allowed_extensions_mask = is_hrr ?

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1736

MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_HRR :

1737

MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_SH;

Jerry Yu

2c5363e

2022-08-04 17:42:49 +0800

[diff] [blame]

1738

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1739

while (p < extensions_end) {

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1740

unsigned int extension_type;

1741

size_t extension_data_len;

XiaokangQian

2022-01-21 04:32:58 +0000

[diff] [blame]

1742

const unsigned char *extension_data_end;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1743

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1744

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, extensions_end, 4);

1745

extension_type = MBEDTLS_GET_UINT16_BE(p, 0);

1746

extension_data_len = MBEDTLS_GET_UINT16_BE(p, 2);

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1747

p += 4;

1748

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1749

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, extensions_end, extension_data_len);

XiaokangQian

2022-01-21 04:32:58 +0000

[diff] [blame]

1750

extension_data_end = p + extension_data_len;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1751

Jerry Yu

2022-10-29 09:08:47 +0800

[diff] [blame]

1752

ret = mbedtls_ssl_tls13_check_received_extension(

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1753

ssl, hs_msg_type, extension_type, allowed_extensions_mask);

1754

if (ret != 0) {

1755

return ret;

1756

}

Jerry Yu

2c5363e

2022-08-04 17:42:49 +0800

[diff] [blame]

1757

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1758

switch (extension_type) {

XiaokangQian

2022-01-14 04:03:11 +0000

[diff] [blame]

1759

case MBEDTLS_TLS_EXT_COOKIE:

1760

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1761

ret = ssl_tls13_parse_cookie_ext(ssl,

1762

p, extension_data_end);

1763

if (ret != 0) {

1764

MBEDTLS_SSL_DEBUG_RET(1,

1765

"ssl_tls13_parse_cookie_ext",

1766

ret);

XiaokangQian

2022-01-24 10:12:51 +0000

[diff] [blame]

1767

goto cleanup;

XiaokangQian

2022-01-14 04:03:11 +0000

[diff] [blame]

1768

}

XiaokangQian

2022-01-14 04:03:11 +0000

[diff] [blame]

1769

break;

XiaokangQian

2022-01-14 04:03:11 +0000

[diff] [blame]

1770

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1771

case MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1772

ret = ssl_tls13_parse_supported_versions_ext(ssl,

1773

p,

1774

extension_data_end);

1775

if (ret != 0) {

XiaokangQian

2022-01-24 10:12:51 +0000

[diff] [blame]

1776

goto cleanup;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1777

}

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1778

break;

1779

Ronald Cron

2022-10-04 16:38:25 +0200

[diff] [blame]

1780

#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1781

case MBEDTLS_TLS_EXT_PRE_SHARED_KEY:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1782

MBEDTLS_SSL_DEBUG_MSG(3, ("found pre_shared_key extension"));

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1783

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1784

if ((ret = ssl_tls13_parse_server_pre_shared_key_ext(

1785

ssl, p, extension_data_end)) != 0) {

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

1786

MBEDTLS_SSL_DEBUG_RET(

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1787

1, ("ssl_tls13_parse_server_pre_shared_key_ext"), ret);

1788

return ret;

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

1789

}

1790

break;

Ronald Cron

2022-10-04 16:38:25 +0200

[diff] [blame]

1791

#endif

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1792

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1793

case MBEDTLS_TLS_EXT_KEY_SHARE:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1794

MBEDTLS_SSL_DEBUG_MSG(3, ("found key_shares extension"));

Pengyu Lv

2023-11-14 11:03:32 +0800

[diff] [blame]

1795

if (!mbedtls_ssl_conf_tls13_is_some_ephemeral_enabled(ssl)) {

XiaokangQian

2022-01-26 09:49:29 +0000

[diff] [blame]

1796

fatal_alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT;

XiaokangQian

2022-01-24 10:12:51 +0000

[diff] [blame]

goto cleanup;

}

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1800

if (is_hrr) {

1801

ret = ssl_tls13_parse_hrr_key_share_ext(ssl,

1802

p, extension_data_end);

1803

} else {

1804

ret = ssl_tls13_parse_key_share_ext(ssl,

1805

p, extension_data_end);

1806

}

1807

if (ret != 0) {

1808

MBEDTLS_SSL_DEBUG_RET(1,

1809

"ssl_tls13_parse_key_share_ext",

1810

ret);

XiaokangQian

2022-01-24 10:12:51 +0000

[diff] [blame]

1811

goto cleanup;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1812

}

1813

break;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1814

1815

default:

Jerry Yu

9872eb2

2022-08-29 13:42:01 +0800

[diff] [blame]

1816

ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;

1817

goto cleanup;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1818

}

1819

1820

p += extension_data_len;

1821

}

1822

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1823

MBEDTLS_SSL_PRINT_EXTS(3, hs_msg_type, handshake->received_extensions);

Jerry Yu

2c5363e

2022-08-04 17:42:49 +0800

[diff] [blame]

1824

XiaokangQian

2022-01-24 10:12:51 +0000

[diff] [blame]

1825

cleanup:

1826

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1827

if (fatal_alert == MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT) {

1828

MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT,

1829

MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION);

XiaokangQian

2022-01-24 10:12:51 +0000

[diff] [blame]

1830

ret = MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1831

} else if (fatal_alert == MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER) {

1832

MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,

1833

MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);

XiaokangQian

2022-01-24 10:12:51 +0000

[diff] [blame]

1834

ret = MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;

1835

}

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1836

return ret;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1837

}

1838

Xiaokang Qian

cb6e963

2022-09-26 11:59:32 +0000

[diff] [blame]

1839

#if defined(MBEDTLS_DEBUG_C)

1840

static const char *ssl_tls13_get_kex_mode_str(int mode)

Xiaokang Qian

2022-09-26 08:23:45 +0000

[diff] [blame]

1841

{

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1842

switch (mode) {

Xiaokang Qian

2022-09-26 08:23:45 +0000

[diff] [blame]

1843

case MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK:

1844

return "psk";

1845

case MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL:

1846

return "ephemeral";

1847

case MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL:

1848

return "psk_ephemeral";

1849

default:

1850

return "unknown mode";

1851

}

1852

}

Xiaokang Qian

cb6e963

2022-09-26 11:59:32 +0000

[diff] [blame]

1853

#endif /* MBEDTLS_DEBUG_C */

Xiaokang Qian

2022-09-26 08:23:45 +0000

[diff] [blame]

1854

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

1855

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1856

static int ssl_tls13_postprocess_server_hello(mbedtls_ssl_context *ssl)

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1857

{

Jerry Yu

2021-10-13 13:36:05 +0800

[diff] [blame]

1858

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

Jerry Yu

2021-10-13 13:36:05 +0800

[diff] [blame]

1859

mbedtls_ssl_handshake_params *handshake = ssl->handshake;

Jerry Yu

2021-09-05 19:41:30 +0800

[diff] [blame]

1860

Jerry Yu

2021-10-13 13:36:05 +0800

[diff] [blame]

1861

/* Determine the key exchange mode:

1862

* 1) If both the pre_shared_key and key_share extensions were received

1863

* then the key exchange mode is PSK with EPHEMERAL.

1864

* 2) If only the pre_shared_key extension was received then the key

1865

* exchange mode is PSK-only.

1866

* 3) If only the key_share extension was received then the key

1867

* exchange mode is EPHEMERAL-only.

Jerry Yu

2021-09-05 19:41:30 +0800

[diff] [blame]

1868

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1869

switch (handshake->received_extensions &

Xiaokang Qian

2023-03-29 10:37:35 +0000

[diff] [blame]

1870

(MBEDTLS_SSL_EXT_MASK(PRE_SHARED_KEY) |

1871

MBEDTLS_SSL_EXT_MASK(KEY_SHARE))) {

Jerry Yu

2021-10-13 22:01:04 +0800

[diff] [blame]

1872

/* Only the pre_shared_key extension was received */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1873

case MBEDTLS_SSL_EXT_MASK(PRE_SHARED_KEY):

Xiaokang Qian

2023-03-29 10:37:35 +0000

[diff] [blame]

1874

handshake->key_exchange_mode =

1875

MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK;

Jerry Yu

2021-10-13 22:01:04 +0800

[diff] [blame]

1876

break;

Jerry Yu

2021-10-13 13:36:05 +0800

[diff] [blame]

1877

Jerry Yu

2021-10-13 22:01:04 +0800

[diff] [blame]

1878

/* Only the key_share extension was received */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1879

case MBEDTLS_SSL_EXT_MASK(KEY_SHARE):

Xiaokang Qian

2023-03-29 10:37:35 +0000

[diff] [blame]

1880

handshake->key_exchange_mode =

1881

MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL;

Jerry Yu

2021-10-13 22:01:04 +0800

[diff] [blame]

1882

break;

Jerry Yu

2021-10-13 13:36:05 +0800

[diff] [blame]

1883

Jerry Yu

2021-10-13 22:01:04 +0800

[diff] [blame]

1884

/* Both the pre_shared_key and key_share extensions were received */

Xiaokang Qian

2023-03-29 10:37:35 +0000

[diff] [blame]

1885

case (MBEDTLS_SSL_EXT_MASK(PRE_SHARED_KEY) |

1886

MBEDTLS_SSL_EXT_MASK(KEY_SHARE)):

1887

handshake->key_exchange_mode =

1888

MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL;

Jerry Yu

2021-10-13 22:01:04 +0800

[diff] [blame]

1889

break;

Jerry Yu

2021-10-13 13:36:05 +0800

[diff] [blame]

1890

Jerry Yu

2021-10-13 22:01:04 +0800

[diff] [blame]

1891

/* Neither pre_shared_key nor key_share extension was received */

1892

default:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1893

MBEDTLS_SSL_DEBUG_MSG(1, ("Unknown key exchange."));

Jerry Yu

2021-10-13 22:01:04 +0800

[diff] [blame]

1894

ret = MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;

1895

goto cleanup;

Jerry Yu

2021-09-05 19:41:30 +0800

[diff] [blame]

1896

}

1897

Pengyu Lv

fc2cb96

2023-11-10 10:22:36 +0800

[diff] [blame]

1898

if (!mbedtls_ssl_conf_tls13_is_kex_mode_enabled(

Xiaokang Qian

2023-02-08 06:04:50 +0000

[diff] [blame]

1899

ssl, handshake->key_exchange_mode)) {

Xiaokang Qian

ac8195f

2022-09-26 04:01:06 +0000

[diff] [blame]

1900

ret = MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;

Xiaokang Qian

2023-03-29 10:37:35 +0000

[diff] [blame]

1901

MBEDTLS_SSL_DEBUG_MSG(

1902

2, ("Key exchange mode(%s) is not supported.",

1903

ssl_tls13_get_kex_mode_str(handshake->key_exchange_mode)));

Xiaokang Qian

ac8195f

2022-09-26 04:01:06 +0000

[diff] [blame]

goto cleanup;

}

Xiaokang Qian

2023-03-29 10:37:35 +0000

[diff] [blame]

1907

MBEDTLS_SSL_DEBUG_MSG(

1908

3, ("Selected key exchange mode: %s",

1909

ssl_tls13_get_kex_mode_str(handshake->key_exchange_mode)));

Xiaokang Qian

2022-09-26 08:23:45 +0000

[diff] [blame]

1910

Xiaokang Qian

7892b6c

2023-02-02 06:05:48 +0000

[diff] [blame]

1911

/* Start the TLS 1.3 key scheduling if not already done.

Jerry Yu

2021-09-05 19:41:30 +0800

[diff] [blame]

1912

*

Xiaokang Qian

7892b6c

2023-02-02 06:05:48 +0000

[diff] [blame]

1913

* If we proposed early data then we have already derived an

1914

* early secret using the selected PSK and its associated hash.

1915

* It means that if the negotiated key exchange mode is psk or

1916

* psk_ephemeral, we have already correctly computed the

1917

* early secret and thus we do not do it again. In all other

1918

* cases we compute it here.

Xiaokang Qian

303f82c5

2023-01-04 08:43:46 +0000

[diff] [blame]

1919

*/

Xiaokang Qian

9074613

2023-01-06 05:54:59 +0000

[diff] [blame]

1920

#if defined(MBEDTLS_SSL_EARLY_DATA)

Ronald Cron

2024-03-03 15:46:57 +0100

[diff] [blame]

1921

if (ssl->early_data_state == MBEDTLS_SSL_EARLY_DATA_STATE_NO_IND_SENT ||

Xiaokang Qian

e04afdc

2023-02-07 02:19:42 +0000

[diff] [blame]

1922

handshake->key_exchange_mode ==

1923

MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL)

Xiaokang Qian

9074613

2023-01-06 05:54:59 +0000

[diff] [blame]

1924

#endif

1925

{

Xiaokang Qian

303f82c5

2023-01-04 08:43:46 +0000

[diff] [blame]

1926

ret = mbedtls_ssl_tls13_key_schedule_stage_early(ssl);

1927

if (ret != 0) {

1928

MBEDTLS_SSL_DEBUG_RET(

1929

1, "mbedtls_ssl_tls13_key_schedule_stage_early", ret);

1930

goto cleanup;

1931

}

Jerry Yu

2021-09-05 19:41:30 +0800

[diff] [blame]

1932

}

1933

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1934

ret = mbedtls_ssl_tls13_compute_handshake_transform(ssl);

1935

if (ret != 0) {

1936

MBEDTLS_SSL_DEBUG_RET(1,

1937

"mbedtls_ssl_tls13_compute_handshake_transform",

1938

ret);

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1939

goto cleanup;

Jerry Yu

2021-09-05 19:41:30 +0800

[diff] [blame]

1940

}

1941

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1942

mbedtls_ssl_set_inbound_transform(ssl, handshake->transform_handshake);

1943

MBEDTLS_SSL_DEBUG_MSG(1, ("Switch to handshake keys for inbound traffic"));

Jerry Yu

2021-09-05 19:41:30 +0800

[diff] [blame]

1944

ssl->session_in = ssl->session_negotiate;

1945

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1946

cleanup:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1947

if (ret != 0) {

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1948

MBEDTLS_SSL_PEND_FATAL_ALERT(

1949

MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1950

MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE);

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1951

}

Jerry Yu

e110d25

2022-05-05 10:19:22 +0800

[diff] [blame]

1952

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1953

return ret;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1954

}

1955

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

1956

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1957

static int ssl_tls13_postprocess_hrr(mbedtls_ssl_context *ssl)

XiaokangQian

2021-12-07 09:16:29 +0000

[diff] [blame]

1958

{

1959

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

1960

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1961

mbedtls_ssl_session_reset_msg_layer(ssl, 0);

XiaokangQian

2021-12-07 09:16:29 +0000

[diff] [blame]

1962

XiaokangQian

78b1fa7

2022-01-19 06:56:30 +0000

[diff] [blame]

1963

/*

XiaokangQian

2022-01-20 11:14:50 +0000

[diff] [blame]

1964

* We are going to re-generate a shared secret corresponding to the group

1965

* selected by the server, which is different from the group for which we

1966

* generated a shared secret in the first client hello.

1967

* Thus, reset the shared secret.

XiaokangQian

51eff22

2021-12-10 10:33:56 +0000

[diff] [blame]

1968

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1969

ret = ssl_tls13_reset_key_share(ssl);

1970

if (ret != 0) {

1971

return ret;

1972

}

XiaokangQian

2021-12-07 09:16:29 +0000

[diff] [blame]

1973

Xiaokang Qian

4ef8ba2

2023-02-06 11:06:16 +0000

[diff] [blame]

1974

ssl->session_negotiate->ciphersuite = ssl->handshake->ciphersuite_info->id;

Ronald Cron

2024-01-22 15:24:21 +0100

[diff] [blame]

1975

1976

#if defined(MBEDTLS_SSL_EARLY_DATA)

Ronald Cron

2024-03-03 15:46:57 +0100

[diff] [blame]

1977

if (ssl->early_data_state != MBEDTLS_SSL_EARLY_DATA_STATE_NO_IND_SENT) {

Ronald Cron

2024-03-03 15:03:22 +0100

[diff] [blame]

1978

ssl->early_data_state = MBEDTLS_SSL_EARLY_DATA_STATE_REJECTED;

Ronald Cron

2024-01-22 15:24:21 +0100

[diff] [blame]

}

#endif

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1982

return 0;

XiaokangQian

2021-12-07 09:16:29 +0000

[diff] [blame]

1983

}

1984

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1985

/*

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1986

* Wait and parse ServerHello handshake message.

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

1987

* Handler for MBEDTLS_SSL_SERVER_HELLO

1988

*/

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

1989

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1990

static int ssl_tls13_process_server_hello(mbedtls_ssl_context *ssl)

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

1991

{

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1992

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

XiaokangQian

2021-12-07 09:16:29 +0000

[diff] [blame]

1993

unsigned char *buf = NULL;

1994

size_t buf_len = 0;

XiaokangQian

78b1fa7

2022-01-19 06:56:30 +0000

[diff] [blame]

1995

int is_hrr = 0;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1996

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1997

MBEDTLS_SSL_DEBUG_MSG(2, ("=> %s", __func__));

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1998

Xiaokang Qian

2023-03-29 10:37:35 +0000

[diff] [blame]

1999

MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_tls13_fetch_handshake_msg(

2000

ssl, MBEDTLS_SSL_HS_SERVER_HELLO, &buf, &buf_len));

Ronald Cron

db5dfa1

2022-05-31 11:44:38 +0200

[diff] [blame]

2001

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2002

ret = ssl_tls13_preprocess_server_hello(ssl, buf, buf + buf_len);

2003

if (ret < 0) {

XiaokangQian

2022-01-14 07:35:47 +0000

[diff] [blame]

2004

goto cleanup;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2005

} else {

2006

is_hrr = (ret == SSL_SERVER_HELLO_HRR);

2007

}

XiaokangQian

2022-01-24 10:12:51 +0000

[diff] [blame]

2008

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2009

if (ret == SSL_SERVER_HELLO_TLS1_2) {

Ronald Cron

2022-02-10 16:45:15 +0100

[diff] [blame]

ret = 0;

goto cleanup;

}

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2014

MBEDTLS_SSL_PROC_CHK(ssl_tls13_parse_server_hello(ssl, buf,

buf + buf_len,

is_hrr));

if (is_hrr) {

MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_reset_transcript_for_hrr(ssl));

Ronald Cron

2022-05-31 14:49:55 +0200

[diff] [blame]

2019

}

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2020

Xiaokang Qian

2023-03-29 10:37:35 +0000

[diff] [blame]

2021

MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(

2022

ssl, MBEDTLS_SSL_HS_SERVER_HELLO, buf, buf_len));

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2023

2024

if (is_hrr) {

2025

MBEDTLS_SSL_PROC_CHK(ssl_tls13_postprocess_hrr(ssl));

2026

#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)

2027

/* If not offering early data, the client sends a dummy CCS record

2028

* immediately before its second flight. This may either be before

2029

* its second ClientHello or before its encrypted handshake flight.

2030

*/

Xiaokang Qian

2023-03-29 10:37:35 +0000

[diff] [blame]

2031

mbedtls_ssl_handshake_set_state(

2032

ssl, MBEDTLS_SSL_CLIENT_CCS_BEFORE_2ND_CLIENT_HELLO);

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2033

#else

2034

mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_HELLO);

2035

#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */

2036

} else {

2037

MBEDTLS_SSL_PROC_CHK(ssl_tls13_postprocess_server_hello(ssl));

2038

mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_ENCRYPTED_EXTENSIONS);

Ronald Cron

2022-05-31 14:49:55 +0200

[diff] [blame]

2039

}

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

2040

2041

cleanup:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2042

MBEDTLS_SSL_DEBUG_MSG(2, ("<= %s ( %s )", __func__,

2043

is_hrr ? "HelloRetryRequest" : "ServerHello"));

2044

return ret;

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

2045

}

2046

2047

/*

XiaokangQian

2021-09-13 07:30:09 +0000

[diff] [blame]

2048

*

Ronald Cron

2022-05-30 16:05:38 +0200

[diff] [blame]

2049

* Handler for MBEDTLS_SSL_ENCRYPTED_EXTENSIONS

XiaokangQian

2021-09-13 07:30:09 +0000

[diff] [blame]

2050

*

2051

* The EncryptedExtensions message contains any extensions which

2052

* should be protected, i.e., any which are not needed to establish

2053

* the cryptographic context.

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

2054

*/

XiaokangQian

2021-09-13 07:30:09 +0000

[diff] [blame]

2055

XiaokangQian

2021-10-09 10:12:11 +0000

[diff] [blame]

2056

/* Parse EncryptedExtensions message

2057

* struct {

XiaokangQian

2021-10-11 10:05:54 +0000

[diff] [blame]

2058

* Extension extensions<0..2^16-1>;

XiaokangQian

2021-10-09 10:12:11 +0000

[diff] [blame]

2059

* } EncryptedExtensions;

2060

*/

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

2061

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2062

static int ssl_tls13_parse_encrypted_extensions(mbedtls_ssl_context *ssl,

2063

const unsigned char *buf,

2064

const unsigned char *end)

XiaokangQian

2021-09-13 07:30:09 +0000

[diff] [blame]

2065

{

2066

int ret = 0;

XiaokangQian

2021-10-09 10:12:11 +0000

[diff] [blame]

2067

size_t extensions_len;

XiaokangQian

140f045

2021-10-08 08:05:53 +0000

[diff] [blame]

2068

const unsigned char *p = buf;

XiaokangQian

8db25ff

2021-10-13 05:56:18 +0000

[diff] [blame]

2069

const unsigned char *extensions_end;

Jerry Yu

2022-10-29 09:08:47 +0800

[diff] [blame]

2070

mbedtls_ssl_handshake_params *handshake = ssl->handshake;

XiaokangQian

2021-09-13 07:30:09 +0000

[diff] [blame]

2071

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2072

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);

2073

extensions_len = MBEDTLS_GET_UINT16_BE(p, 0);

XiaokangQian

2021-10-09 10:12:11 +0000

[diff] [blame]

2074

p += 2;

XiaokangQian

2021-09-13 07:30:09 +0000

[diff] [blame]

2075

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2076

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, extensions_len);

Ronald Cron

c808359

2022-05-31 16:24:05 +0200

[diff] [blame]

2077

extensions_end = p + extensions_len;

XiaokangQian

2021-09-13 07:30:09 +0000

[diff] [blame]

2078

Jan Bruckner

5a3629b

2023-02-23 12:08:09 +0100

[diff] [blame]

2079

MBEDTLS_SSL_DEBUG_BUF(3, "encrypted extensions", p, extensions_len);

2080

Jerry Yu

9eba750

2022-10-31 13:46:16 +0800

[diff] [blame]

2081

handshake->received_extensions = MBEDTLS_SSL_EXT_MASK_NONE;

Jerry Yu

2022-08-04 16:55:10 +0800

[diff] [blame]

2082

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2083

while (p < extensions_end) {

XiaokangQian

2021-10-09 10:12:11 +0000

[diff] [blame]

2084

unsigned int extension_type;

2085

size_t extension_data_len;

XiaokangQian

2021-09-13 07:30:09 +0000

[diff] [blame]

2086

XiaokangQian

2021-10-09 10:12:11 +0000

[diff] [blame]

2087

/*

2088

* struct {

XiaokangQian

2021-10-11 10:05:54 +0000

[diff] [blame]

2089

* ExtensionType extension_type; (2 bytes)

2090

* opaque extension_data<0..2^16-1>;

XiaokangQian

2021-10-09 10:12:11 +0000

[diff] [blame]

2091

* } Extension;

2092

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2093

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, extensions_end, 4);

2094

extension_type = MBEDTLS_GET_UINT16_BE(p, 0);

2095

extension_data_len = MBEDTLS_GET_UINT16_BE(p, 2);

XiaokangQian

2021-10-09 10:12:11 +0000

[diff] [blame]

2096

p += 4;

2097

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2098

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, extensions_end, extension_data_len);

XiaokangQian

2021-09-13 07:30:09 +0000

[diff] [blame]

2099

Jerry Yu

2022-10-29 09:08:47 +0800

[diff] [blame]

2100

ret = mbedtls_ssl_tls13_check_received_extension(

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2101

ssl, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS, extension_type,

2102

MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_EE);

2103

if (ret != 0) {

2104

return ret;

2105

}

Jerry Yu

2022-08-04 16:55:10 +0800

[diff] [blame]

2106

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2107

switch (extension_type) {

lhuang04

2022-01-21 07:34:27 -0800

[diff] [blame]

2108

#if defined(MBEDTLS_SSL_ALPN)

2109

case MBEDTLS_TLS_EXT_ALPN:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2110

MBEDTLS_SSL_DEBUG_MSG(3, ("found alpn extension"));

lhuang04

2022-01-21 07:34:27 -0800

[diff] [blame]

2111

Xiaokang Qian

2023-03-29 10:37:35 +0000

[diff] [blame]

2112

if ((ret = ssl_tls13_parse_alpn_ext(

2113

ssl, p, (size_t) extension_data_len)) != 0) {

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2114

return ret;

lhuang04

2022-01-21 07:34:27 -0800

[diff] [blame]

}

break;

#endif /* MBEDTLS_SSL_ALPN */

Xiaokang Qian

8bee899

2022-10-27 10:21:05 +0000

[diff] [blame]

2119

2120

#if defined(MBEDTLS_SSL_EARLY_DATA)

2121

case MBEDTLS_TLS_EXT_EARLY_DATA:

Xiaokang Qian

ca09afc

2022-11-22 10:05:19 +0000

[diff] [blame]

2122

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2123

if (extension_data_len != 0) {

Xiaokang Qian

ca09afc

2022-11-22 10:05:19 +0000

[diff] [blame]

2124

/* The message must be empty. */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2125

MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,

2126

MBEDTLS_ERR_SSL_DECODE_ERROR);

2127

return MBEDTLS_ERR_SSL_DECODE_ERROR;

Xiaokang Qian

ca09afc

2022-11-22 10:05:19 +0000

[diff] [blame]

2128

}

2129

Xiaokang Qian

8bee899

2022-10-27 10:21:05 +0000

[diff] [blame]

2130

break;

2131

#endif /* MBEDTLS_SSL_EARLY_DATA */

2132

Jan Bruckner

151f642

2023-02-10 12:45:19 +0100

[diff] [blame]

2133

#if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)

2134

case MBEDTLS_TLS_EXT_RECORD_SIZE_LIMIT:

2135

MBEDTLS_SSL_DEBUG_MSG(3, ("found record_size_limit extension"));

2136

Xiaokang Qian

2023-03-29 10:37:35 +0000

[diff] [blame]

2137

ret = mbedtls_ssl_tls13_parse_record_size_limit_ext(

2138

ssl, p, p + extension_data_len);

Jan Bruckner

f482dcc

2023-03-15 09:09:06 +0100

[diff] [blame]

2139

if (ret != 0) {

2140

MBEDTLS_SSL_DEBUG_RET(

2141

1, ("mbedtls_ssl_tls13_parse_record_size_limit_ext"), ret);

2142

return ret;

2143

}

Jan Bruckner

151f642

2023-02-10 12:45:19 +0100

[diff] [blame]

2144

break;

2145

#endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */

2146

XiaokangQian

2021-10-09 10:12:11 +0000

[diff] [blame]

2147

default:

Jerry Yu

79aa721

2022-11-08 21:30:21 +0800

[diff] [blame]

2148

MBEDTLS_SSL_PRINT_EXT(

Jerry Yu

9eba750

2022-10-31 13:46:16 +0800

[diff] [blame]

2149

3, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS,

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2150

extension_type, "( ignored )");

Jerry Yu

2022-08-04 16:55:10 +0800

[diff] [blame]

2151

break;

XiaokangQian

2021-10-09 10:12:11 +0000

[diff] [blame]

2152

}

2153

XiaokangQian

2021-10-09 10:12:11 +0000

[diff] [blame]

2154

p += extension_data_len;

XiaokangQian

2021-10-11 10:05:54 +0000

[diff] [blame]

2155

}

XiaokangQian

2021-10-09 10:12:11 +0000

[diff] [blame]

2156

Waleed Elmelegy

049cd30

2023-12-20 17:28:31 +0000

[diff] [blame]

2157

if ((handshake->received_extensions & MBEDTLS_SSL_EXT_MASK(RECORD_SIZE_LIMIT)) &&

2158

(handshake->received_extensions & MBEDTLS_SSL_EXT_MASK(MAX_FRAGMENT_LENGTH))) {

Waleed Elmelegy

6a971fd

2023-12-28 17:48:16 +0000

[diff] [blame]

2159

MBEDTLS_SSL_DEBUG_MSG(3,

2160

(

2161

"Record size limit extension cannot be used with max fragment length extension"));

Waleed Elmelegy

049cd30

2023-12-20 17:28:31 +0000

[diff] [blame]

2162

MBEDTLS_SSL_PEND_FATAL_ALERT(

2163

MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,

2164

MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);

2165

return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;

2166

}

2167

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2168

MBEDTLS_SSL_PRINT_EXTS(3, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS,

2169

handshake->received_extensions);

Jerry Yu

2022-08-04 16:55:10 +0800

[diff] [blame]

2170

XiaokangQian

2021-10-11 10:05:54 +0000

[diff] [blame]

2171

/* Check that we consumed all the message. */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2172

if (p != end) {

2173

MBEDTLS_SSL_DEBUG_MSG(1, ("EncryptedExtension lengths misaligned"));

2174

MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,

2175

MBEDTLS_ERR_SSL_DECODE_ERROR);

2176

return MBEDTLS_ERR_SSL_DECODE_ERROR;

XiaokangQian

2021-09-13 07:30:09 +0000

[diff] [blame]

2177

}

2178

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2179

return ret;

XiaokangQian

2021-09-13 07:30:09 +0000

[diff] [blame]

2180

}

2181

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

2182

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2183

static int ssl_tls13_process_encrypted_extensions(mbedtls_ssl_context *ssl)

Ronald Cron

2022-05-30 16:05:38 +0200

[diff] [blame]

{

int ret;

unsigned char *buf;

size_t buf_len;

Jerry Yu

2023-10-31 16:40:01 +0800

[diff] [blame]

2188

mbedtls_ssl_handshake_params *handshake = ssl->handshake;

Ronald Cron

2022-05-30 16:05:38 +0200

[diff] [blame]

2189

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2190

MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse encrypted extensions"));

Ronald Cron

2022-05-30 16:05:38 +0200

[diff] [blame]

2191

Xiaokang Qian

2023-03-29 10:37:35 +0000

[diff] [blame]

2192

MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_tls13_fetch_handshake_msg(

2193

ssl, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS,

2194

&buf, &buf_len));

Ronald Cron

2022-05-30 16:05:38 +0200

[diff] [blame]

2195

2196

/* Process the message contents */

2197

MBEDTLS_SSL_PROC_CHK(

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2198

ssl_tls13_parse_encrypted_extensions(ssl, buf, buf + buf_len));

Ronald Cron

2022-05-30 16:05:38 +0200

[diff] [blame]

2199

Xiaokang Qian

b157e91

2022-11-23 08:12:26 +0000

[diff] [blame]

2200

#if defined(MBEDTLS_SSL_EARLY_DATA)

Jerry Yu

2023-10-31 16:40:01 +0800

[diff] [blame]

2201

if (handshake->received_extensions & MBEDTLS_SSL_EXT_MASK(EARLY_DATA)) {

2202

/* RFC8446 4.2.11

2203

* If the server supplies an "early_data" extension, the

2204

* client MUST verify that the server's selected_identity

2205

* is 0. If any other value is returned, the client MUST

2206

* abort the handshake with an "illegal_parameter" alert.

2207

*

2208

* RFC 8446 4.2.10

2209

* In order to accept early data, the server MUST have accepted a PSK

2210

* cipher suite and selected the first key offered in the client's

2211

* "pre_shared_key" extension. In addition, it MUST verify that the

2212

* following values are the same as those associated with the

2213

* selected PSK:

2214

* - The TLS version number

2215

* - The selected cipher suite

2216

* - The selected ALPN [RFC7301] protocol, if any

2217

*

Yanray Wang

03a0076

2023-12-01 17:40:19 +0800

[diff] [blame]

2218

* The server has sent an early data extension in its Encrypted

2219

* Extension message thus accepted to receive early data. We

2220

* check here that the additional constraints on the handshake

2221

* parameters, when early data are exchanged, are met,

2222

* namely:

Yanray Wang

744577a

2023-12-01 22:33:59 +0800

[diff] [blame]

2223

* - a PSK has been selected for the handshake

Yanray Wang

03a0076

2023-12-01 17:40:19 +0800

[diff] [blame]

2224

* - the selected PSK for the handshake was the first one proposed

2225

* by the client.

2226

* - the selected ciphersuite for the handshake is the ciphersuite

2227

* associated with the selected PSK.

Jerry Yu

2023-10-31 16:40:01 +0800

[diff] [blame]

2228

*/

Yanray Wang

744577a

2023-12-01 22:33:59 +0800

[diff] [blame]

2229

if ((!mbedtls_ssl_tls13_key_exchange_mode_with_psk(ssl)) ||

2230

handshake->selected_identity != 0 ||

Jerry Yu

2023-10-31 16:40:01 +0800

[diff] [blame]

2231

handshake->ciphersuite_info->id !=

2232

ssl->session_negotiate->ciphersuite) {

2233

2234

MBEDTLS_SSL_PEND_FATAL_ALERT(

2235

MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,

2236

MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);

2237

return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;

2238

}

2239

Ronald Cron

2024-03-03 15:03:22 +0100

[diff] [blame]

2240

ssl->early_data_state = MBEDTLS_SSL_EARLY_DATA_STATE_ACCEPTED;

Ronald Cron

2024-03-03 15:46:57 +0100

[diff] [blame]

2241

} else if (ssl->early_data_state !=

2242

MBEDTLS_SSL_EARLY_DATA_STATE_NO_IND_SENT) {

Ronald Cron

2024-03-03 15:03:22 +0100

[diff] [blame]

2243

ssl->early_data_state = MBEDTLS_SSL_EARLY_DATA_STATE_REJECTED;

Xiaokang Qian

b157e91

2022-11-23 08:12:26 +0000

[diff] [blame]

}

#endif

Yanray Wang

2023-11-30 14:06:14 +0800

[diff] [blame]

2247

/*

Yanray Wang

9ae6534

2023-12-01 17:46:06 +0800

[diff] [blame]

2248

* In case the client has proposed a PSK associated with a ticket,

2249

* `ssl->session_negotiate->ciphersuite` still contains at this point the

2250

* identifier of the ciphersuite associated with the ticket. This is that

2251

* way because, if an exchange of early data is agreed upon, we need

2252

* it to check that the ciphersuite selected for the handshake is the

2253

* ticket ciphersuite (see above). This information is not needed

2254

* anymore thus we can now set it to the identifier of the ciphersuite

2255

* used in this session under negotiation.

Yanray Wang

a29db7d

2023-11-30 14:06:14 +0800

[diff] [blame]

2256

*/

2257

ssl->session_negotiate->ciphersuite = handshake->ciphersuite_info->id;

2258

Xiaokang Qian

2023-03-29 10:37:35 +0000

[diff] [blame]

2259

MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(

2260

ssl, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS,

2261

buf, buf_len));

Ronald Cron

2022-05-30 16:05:38 +0200

[diff] [blame]

2262

Ronald Cron

2022-10-04 16:14:26 +0200

[diff] [blame]

2263

#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2264

if (mbedtls_ssl_tls13_key_exchange_mode_with_psk(ssl)) {

2265

mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_FINISHED);

2266

} else {

2267

mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CERTIFICATE_REQUEST);

2268

}

Ronald Cron

2022-05-31 14:49:55 +0200

[diff] [blame]

2269

#else

2270

((void) ssl);

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2271

mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_FINISHED);

Ronald Cron

2022-05-31 14:49:55 +0200

[diff] [blame]

2272

#endif

Ronald Cron

2022-05-30 16:05:38 +0200

[diff] [blame]

cleanup:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2276

MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse encrypted extensions"));

2277

return ret;

Ronald Cron

2022-05-30 16:05:38 +0200

[diff] [blame]

}

Ronald Cron

2024-02-21 16:37:16 +0100

[diff] [blame]

2281

#if defined(MBEDTLS_SSL_EARLY_DATA)

Xiaokang Qian

2022-10-28 06:04:06 +0000

[diff] [blame]

2282

/*

2283

* Handler for MBEDTLS_SSL_END_OF_EARLY_DATA

2284

*

Xiaokang Qian

c81a15a

2022-12-19 02:43:33 +0000

[diff] [blame]

2285

* RFC 8446 section 4.5

Xiaokang Qian

2022-10-28 06:04:06 +0000

[diff] [blame]

2286

*

Xiaokang Qian

2022-10-28 06:04:06 +0000

[diff] [blame]

2287

* struct {} EndOfEarlyData;

Xiaokang Qian

c81a15a

2022-12-19 02:43:33 +0000

[diff] [blame]

2288

*

2289

* If the server sent an "early_data" extension in EncryptedExtensions, the

2290

* client MUST send an EndOfEarlyData message after receiving the server

2291

* Finished. Otherwise, the client MUST NOT send an EndOfEarlyData message.

Xiaokang Qian

2022-10-28 06:04:06 +0000

[diff] [blame]

2292

*/

2293

Xiaokang Qian

2022-10-28 06:04:06 +0000

[diff] [blame]

2294

MBEDTLS_CHECK_RETURN_CRITICAL

Xiaokang Qian

2022-10-28 06:04:06 +0000

[diff] [blame]

2295

static int ssl_tls13_write_end_of_early_data(mbedtls_ssl_context *ssl)

2296

{

2297

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

Xiaokang Qian

742578c

2022-12-19 06:34:44 +0000

[diff] [blame]

2298

unsigned char *buf = NULL;

2299

size_t buf_len;

Xiaokang Qian

57a138d

2022-12-19 06:40:47 +0000

[diff] [blame]

2300

MBEDTLS_SSL_DEBUG_MSG(2, ("=> write EndOfEarlyData"));

Xiaokang Qian

2022-10-28 06:04:06 +0000

[diff] [blame]

2301

Xiaokang Qian

742578c

2022-12-19 06:34:44 +0000

[diff] [blame]

2302

MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_start_handshake_msg(

Xiaokang Qian

2023-02-08 06:04:50 +0000

[diff] [blame]

2303

ssl, MBEDTLS_SSL_HS_END_OF_EARLY_DATA,

2304

&buf, &buf_len));

Xiaokang Qian

2022-10-28 06:04:06 +0000

[diff] [blame]

2305

Manuel Pégourié-Gonnard

63e33dd

2023-02-21 15:45:15 +0100

[diff] [blame]

2306

MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_hdr_to_checksum(

2307

ssl, MBEDTLS_SSL_HS_END_OF_EARLY_DATA, 0));

Xiaokang Qian

2022-10-28 06:04:06 +0000

[diff] [blame]

2308

Xiaokang Qian

742578c

2022-12-19 06:34:44 +0000

[diff] [blame]

2309

MBEDTLS_SSL_PROC_CHK(

2310

mbedtls_ssl_finish_handshake_msg(ssl, buf_len, 0));

Xiaokang Qian

da8402d

2022-12-15 14:55:35 +0000

[diff] [blame]

2311

Xiaokang Qian

19d4416

2023-01-03 03:39:50 +0000

[diff] [blame]

2312

mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE);

Xiaokang Qian

2022-10-28 06:04:06 +0000

[diff] [blame]

cleanup:

MBEDTLS_SSL_DEBUG_MSG(2, ("<= write EndOfEarlyData"));

return ret;

}

Ronald Cron

2024-02-21 17:03:22 +0100

[diff] [blame]

2320

int mbedtls_ssl_get_early_data_status(mbedtls_ssl_context *ssl)

2321

{

Ronald Cron

f19989d

2024-02-22 12:05:42 +0100

[diff] [blame]

2322

if ((ssl->conf->endpoint != MBEDTLS_SSL_IS_CLIENT) ||

Ronald Cron

2024-02-21 17:03:22 +0100

[diff] [blame]

2323

(!mbedtls_ssl_is_handshake_over(ssl))) {

2324

return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;

2325

}

2326

Ronald Cron

2024-03-03 15:03:22 +0100

[diff] [blame]

2327

switch (ssl->early_data_state) {

Ronald Cron

2024-03-03 15:46:57 +0100

[diff] [blame]

2328

case MBEDTLS_SSL_EARLY_DATA_STATE_NO_IND_SENT:

Ronald Cron

840de7f

2024-03-11 17:49:35 +0100

[diff] [blame]

2329

return MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_INDICATED;

Ronald Cron

2024-02-21 17:03:22 +0100

[diff] [blame]

2330

break;

2331

Ronald Cron

2024-03-03 15:03:22 +0100

[diff] [blame]

2332

case MBEDTLS_SSL_EARLY_DATA_STATE_REJECTED:

Ronald Cron

2024-02-21 17:03:22 +0100

[diff] [blame]

2333

return MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED;

2334

break;

2335

Ronald Cron

2024-03-03 15:03:22 +0100

[diff] [blame]

2336

case MBEDTLS_SSL_EARLY_DATA_STATE_SERVER_FINISHED_RECEIVED:

Ronald Cron

2024-02-21 17:03:22 +0100

[diff] [blame]

2337

return MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED;

break;

default:

return MBEDTLS_ERR_SSL_INTERNAL_ERROR;

2342

}

2343

}

Ronald Cron

e21c2d2

2024-02-21 16:37:16 +0100

[diff] [blame]

2344

#endif /* MBEDTLS_SSL_EARLY_DATA */

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

2345

Ronald Cron

2022-10-04 16:14:26 +0200

[diff] [blame]

2346

#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

2347

/*

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2348

* STATE HANDLING: CertificateRequest

2349

*

Jerry Yu

2021-10-29 10:08:19 +0800

[diff] [blame]

2350

*/

Xiaofei Bai

2022-01-20 08:25:00 +0000

[diff] [blame]

2351

#define SSL_CERTIFICATE_REQUEST_EXPECT_REQUEST 0

2352

#define SSL_CERTIFICATE_REQUEST_SKIP 1

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2353

/* Coordination:

2354

* Deals with the ambiguity of not knowing if a CertificateRequest

2355

* will be sent. Returns a negative code on failure, or

2356

* - SSL_CERTIFICATE_REQUEST_EXPECT_REQUEST

2357

* - SSL_CERTIFICATE_REQUEST_SKIP

2358

* indicating if a Certificate Request is expected or not.

2359

*/

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

2360

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2361

static int ssl_tls13_certificate_request_coordinate(mbedtls_ssl_context *ssl)

Jerry Yu

2021-10-29 10:08:19 +0800

[diff] [blame]

2362

{

Xiaofei Bai

de3f13e

2022-01-18 05:47:05 +0000

[diff] [blame]

2363

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

Jerry Yu

2021-10-29 10:08:19 +0800

[diff] [blame]

2364

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2365

if ((ret = mbedtls_ssl_read_record(ssl, 0)) != 0) {

2366

MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);

2367

return ret;

Jerry Yu

2021-10-29 10:08:19 +0800

[diff] [blame]

2368

}

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2369

ssl->keep_current_message = 1;

Jerry Yu

2021-10-29 10:08:19 +0800

[diff] [blame]

2370

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2371

if ((ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE) &&

2372

(ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE_REQUEST)) {

2373

MBEDTLS_SSL_DEBUG_MSG(3, ("got a certificate request"));

2374

return SSL_CERTIFICATE_REQUEST_EXPECT_REQUEST;

Jerry Yu

2021-10-29 10:08:19 +0800

[diff] [blame]

2375

}

2376

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2377

MBEDTLS_SSL_DEBUG_MSG(3, ("got no certificate request"));

Ronald Cron

1938588

2022-06-15 16:26:13 +0200

[diff] [blame]

2378

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2379

return SSL_CERTIFICATE_REQUEST_SKIP;

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2380

}

2381

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2382

/*

2383

* ssl_tls13_parse_certificate_request()

2384

* Parse certificate request

2385

* struct {

2386

* opaque certificate_request_context<0..2^8-1>;

2387

* Extension extensions<2..2^16-1>;

2388

* } CertificateRequest;

2389

*/

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

2390

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2391

static int ssl_tls13_parse_certificate_request(mbedtls_ssl_context *ssl,

2392

const unsigned char *buf,

2393

const unsigned char *end)

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2394

{

2395

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

2396

const unsigned char *p = buf;

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2397

size_t certificate_request_context_len = 0;

Xiaofei Bai

2022-01-26 09:21:54 +0000

[diff] [blame]

2398

size_t extensions_len = 0;

2399

const unsigned char *extensions_end;

Jerry Yu

2022-10-29 09:08:47 +0800

[diff] [blame]

2400

mbedtls_ssl_handshake_params *handshake = ssl->handshake;

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2401

Xiaofei Bai

2022-01-26 09:21:54 +0000

[diff] [blame]

2402

/* ...

2403

* opaque certificate_request_context<0..2^8-1>

2404

* ...

2405

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2406

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 1);

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2407

certificate_request_context_len = (size_t) p[0];

Xiaofei Bai

2022-01-20 08:25:00 +0000

[diff] [blame]

2408

p += 1;

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2409

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2410

if (certificate_request_context_len > 0) {

2411

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, certificate_request_context_len);

2412

MBEDTLS_SSL_DEBUG_BUF(3, "Certificate Request Context",

2413

p, certificate_request_context_len);

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2414

Xiaofei Bai

2022-01-20 08:25:00 +0000

[diff] [blame]

2415

handshake->certificate_request_context =

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2416

mbedtls_calloc(1, certificate_request_context_len);

2417

if (handshake->certificate_request_context == NULL) {

2418

MBEDTLS_SSL_DEBUG_MSG(1, ("buffer too small"));

2419

return MBEDTLS_ERR_SSL_ALLOC_FAILED;

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2420

}

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2421

memcpy(handshake->certificate_request_context, p,

2422

certificate_request_context_len);

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2423

p += certificate_request_context_len;

2424

}

2425

Xiaofei Bai

2022-01-26 09:21:54 +0000

[diff] [blame]

2426

/* ...

2427

* Extension extensions<2..2^16-1>;

2428

* ...

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2429

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2430

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);

2431

extensions_len = MBEDTLS_GET_UINT16_BE(p, 0);

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2432

p += 2;

2433

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2434

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, extensions_len);

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2435

extensions_end = p + extensions_len;

2436

Jerry Yu

6d0e78b

2022-10-31 14:13:25 +0800

[diff] [blame]

2437

handshake->received_extensions = MBEDTLS_SSL_EXT_MASK_NONE;

Jerry Yu

2022-08-04 17:01:21 +0800

[diff] [blame]

2438

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2439

while (p < extensions_end) {

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2440

unsigned int extension_type;

2441

size_t extension_data_len;

2442

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2443

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, extensions_end, 4);

2444

extension_type = MBEDTLS_GET_UINT16_BE(p, 0);

2445

extension_data_len = MBEDTLS_GET_UINT16_BE(p, 2);

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2446

p += 4;

2447

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2448

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, extensions_end, extension_data_len);

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2449

Jerry Yu

2022-10-29 09:08:47 +0800

[diff] [blame]

2450

ret = mbedtls_ssl_tls13_check_received_extension(

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2451

ssl, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST, extension_type,

2452

MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CR);

2453

if (ret != 0) {

2454

return ret;

2455

}

Jerry Yu

2022-08-04 17:01:21 +0800

[diff] [blame]

2456

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2457

switch (extension_type) {

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2458

case MBEDTLS_TLS_EXT_SIG_ALG:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2459

MBEDTLS_SSL_DEBUG_MSG(3,

2460

("found signature algorithms extension"));

2461

ret = mbedtls_ssl_parse_sig_alg_ext(ssl, p,

2462

p + extension_data_len);

2463

if (ret != 0) {

2464

return ret;

2465

}

Jerry Yu

2022-08-04 17:01:21 +0800

[diff] [blame]

2466

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2467

break;

2468

2469

default:

Jerry Yu

79aa721

2022-11-08 21:30:21 +0800

[diff] [blame]

2470

MBEDTLS_SSL_PRINT_EXT(

Jerry Yu

6d0e78b

2022-10-31 14:13:25 +0800

[diff] [blame]

2471

3, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST,

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2472

extension_type, "( ignored )");

Xiaofei Bai

2022-01-26 09:21:54 +0000

[diff] [blame]

2473

break;

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2474

}

Jerry Yu

2022-08-04 17:01:21 +0800

[diff] [blame]

2475

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2476

p += extension_data_len;

2477

}

Jerry Yu

2022-08-04 17:01:21 +0800

[diff] [blame]

2478

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2479

MBEDTLS_SSL_PRINT_EXTS(3, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST,

2480

handshake->received_extensions);

Jerry Yu

2022-08-04 17:01:21 +0800

[diff] [blame]

2481

Xiaofei Bai

2022-01-20 08:25:00 +0000

[diff] [blame]

2482

/* Check that we consumed all the message. */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2483

if (p != end) {

2484

MBEDTLS_SSL_DEBUG_MSG(1,

2485

("CertificateRequest misaligned"));

Xiaofei Bai

c234ecf

2022-02-08 09:59:23 +0000

[diff] [blame]

2486

goto decode_error;

Xiaofei Bai

2022-01-20 08:25:00 +0000

[diff] [blame]

2487

}

Jerry Yu

2022-08-04 17:01:21 +0800

[diff] [blame]

2488

Jerry Yu

2022-08-29 15:25:36 +0800

[diff] [blame]

2489

/* RFC 8446 section 4.3.2

Jerry Yu

2022-08-04 17:01:21 +0800

[diff] [blame]

2490

*

2491

* The "signature_algorithms" extension MUST be specified

2492

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2493

if ((handshake->received_extensions & MBEDTLS_SSL_EXT_MASK(SIG_ALG)) == 0) {

2494

MBEDTLS_SSL_DEBUG_MSG(3,

2495

("no signature algorithms extension found"));

Xiaofei Bai

c234ecf

2022-02-08 09:59:23 +0000

[diff] [blame]

2496

goto decode_error;

Xiaofei Bai

2022-01-20 08:25:00 +0000

[diff] [blame]

2497

}

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2498

Jerry Yu

7840f81

2022-01-29 10:26:51 +0800

[diff] [blame]

2499

ssl->handshake->client_auth = 1;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2500

return 0;

Xiaofei Bai

51f515a

2022-02-08 07:28:04 +0000

[diff] [blame]

2501

Xiaofei Bai

c234ecf

2022-02-08 09:59:23 +0000

[diff] [blame]

2502

decode_error:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2503

MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,

2504

MBEDTLS_ERR_SSL_DECODE_ERROR);

2505

return MBEDTLS_ERR_SSL_DECODE_ERROR;

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2506

}

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2507

Xiaofei Bai

de3f13e

2022-01-18 05:47:05 +0000

[diff] [blame]

2508

/*

2509

* Handler for MBEDTLS_SSL_CERTIFICATE_REQUEST

2510

*/

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

2511

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2512

static int ssl_tls13_process_certificate_request(mbedtls_ssl_context *ssl)

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2513

{

Xiaofei Bai

de3f13e

2022-01-18 05:47:05 +0000

[diff] [blame]

2514

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2515

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2516

MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate request"));

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2517

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2518

MBEDTLS_SSL_PROC_CHK_NEG(ssl_tls13_certificate_request_coordinate(ssl));

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2519

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2520

if (ret == SSL_CERTIFICATE_REQUEST_EXPECT_REQUEST) {

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

unsigned char *buf;

size_t buf_len;

Xiaokang Qian

2023-03-29 10:37:35 +0000

[diff] [blame]

2524

MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_tls13_fetch_handshake_msg(

2525

ssl, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST,

2526

&buf, &buf_len));

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2527

Xiaokang Qian

2023-03-29 10:37:35 +0000

[diff] [blame]

2528

MBEDTLS_SSL_PROC_CHK(ssl_tls13_parse_certificate_request(

2529

ssl, buf, buf + buf_len));

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2530

Xiaokang Qian

2023-03-29 10:37:35 +0000

[diff] [blame]

2531

MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(

2532

ssl, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST,

2533

buf, buf_len));

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2534

} else if (ret == SSL_CERTIFICATE_REQUEST_SKIP) {

Xiaofei Bai

f6d3696

2022-01-16 14:54:35 +0000

[diff] [blame]

2535

ret = 0;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2536

} else {

2537

MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));

Xiaofei Bai

51f515a

2022-02-08 07:28:04 +0000

[diff] [blame]

2538

ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;

2539

goto cleanup;

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2540

}

2541

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2542

mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_CERTIFICATE);

Jerry Yu

2021-10-29 10:08:19 +0800

[diff] [blame]

2543

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2544

cleanup:

2545

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2546

MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse certificate request"));

2547

return ret;

Jerry Yu

2021-10-29 10:08:19 +0800

[diff] [blame]

2548

}

2549

2550

/*

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

2551

* Handler for MBEDTLS_SSL_SERVER_CERTIFICATE

2552

*/

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

2553

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2554

static int ssl_tls13_process_server_certificate(mbedtls_ssl_context *ssl)

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

2555

{

Xiaofei Bai

947571e

2021-09-29 09:12:03 +0000

[diff] [blame]

2556

int ret;

2557

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2558

ret = mbedtls_ssl_tls13_process_certificate(ssl);

2559

if (ret != 0) {

2560

return ret;

2561

}

Xiaofei Bai

947571e

2021-09-29 09:12:03 +0000

[diff] [blame]

2562

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2563

mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CERTIFICATE_VERIFY);

2564

return 0;

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

}

/*

* Handler for MBEDTLS_SSL_CERTIFICATE_VERIFY

2569

*/

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

2570

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2571

static int ssl_tls13_process_certificate_verify(mbedtls_ssl_context *ssl)

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

2572

{

Jerry Yu

30b071c

2021-09-12 20:16:03 +0800

[diff] [blame]

2573

int ret;

2574

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2575

ret = mbedtls_ssl_tls13_process_certificate_verify(ssl);

2576

if (ret != 0) {

2577

return ret;

2578

}

Jerry Yu

30b071c

2021-09-12 20:16:03 +0800

[diff] [blame]

2579

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2580

mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_FINISHED);

2581

return 0;

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

2582

}

Ronald Cron

2022-10-04 16:14:26 +0200

[diff] [blame]

2583

#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */

Ronald Cron

d4c6402

2021-12-06 09:06:46 +0100

[diff] [blame]

2584

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

2585

/*

2586

* Handler for MBEDTLS_SSL_SERVER_FINISHED

2587

*/

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

2588

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2589

static int ssl_tls13_process_server_finished(mbedtls_ssl_context *ssl)

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

2590

{

XiaokangQian

ac0385c

2021-11-03 06:40:11 +0000

[diff] [blame]

2591

int ret;

2592

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2593

ret = mbedtls_ssl_tls13_process_finished_message(ssl);

2594

if (ret != 0) {

2595

return ret;

2596

}

XiaokangQian

ac0385c

2021-11-03 06:40:11 +0000

[diff] [blame]

2597

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2598

ret = mbedtls_ssl_tls13_compute_application_transform(ssl);

2599

if (ret != 0) {

Jerry Yu

e3d67cb

2022-05-19 15:33:10 +0800

[diff] [blame]

2600

MBEDTLS_SSL_PEND_FATAL_ALERT(

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2601

MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,

2602

MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE);

2603

return ret;

Jerry Yu

e3d67cb

2022-05-19 15:33:10 +0800

[diff] [blame]

2604

}

2605

Xiaokang Qian

bc75bc0

2022-12-19 06:16:42 +0000

[diff] [blame]

2606

#if defined(MBEDTLS_SSL_EARLY_DATA)

Ronald Cron

2024-03-03 15:03:22 +0100

[diff] [blame]

2607

if (ssl->early_data_state == MBEDTLS_SSL_EARLY_DATA_STATE_ACCEPTED) {

2608

ssl->early_data_state = MBEDTLS_SSL_EARLY_DATA_STATE_SERVER_FINISHED_RECEIVED;

Xiaokang Qian

bc75bc0

2022-12-19 06:16:42 +0000

[diff] [blame]

2609

mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_END_OF_EARLY_DATA);

2610

} else

2611

#endif /* MBEDTLS_SSL_EARLY_DATA */

2612

{

2613

#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)

2614

mbedtls_ssl_handshake_set_state(

2615

ssl, MBEDTLS_SSL_CLIENT_CCS_AFTER_SERVER_FINISHED);

2616

#else

2617

mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE);

2618

#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */

2619

}

Ronald Cron

2021-11-24 16:25:31 +0100

[diff] [blame]

2620

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2621

return 0;

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

2622

}

2623

2624

/*

Jerry Yu

2022-01-26 15:41:22 +0800

[diff] [blame]

2625

* Handler for MBEDTLS_SSL_CLIENT_CERTIFICATE

2626

*/

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

2627

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2628

static int ssl_tls13_write_client_certificate(mbedtls_ssl_context *ssl)

Jerry Yu

2022-01-26 15:41:22 +0800

[diff] [blame]

2629

{

Ronald Cron

2022-03-09 07:44:27 +0100

[diff] [blame]

2630

int non_empty_certificate_msg = 0;

2631

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2632

MBEDTLS_SSL_DEBUG_MSG(1,

2633

("Switch to handshake traffic keys for outbound traffic"));

2634

mbedtls_ssl_set_outbound_transform(ssl, ssl->handshake->transform_handshake);

Jerry Yu

5cc3506

2022-01-28 16:16:08 +0800

[diff] [blame]

2635

Ronald Cron

2022-10-04 16:14:26 +0200

[diff] [blame]

2636

#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2637

if (ssl->handshake->client_auth) {

2638

int ret = mbedtls_ssl_tls13_write_certificate(ssl);

2639

if (ret != 0) {

2640

return ret;

2641

}

Ronald Cron

5bb8fc8

2022-03-09 07:00:13 +0100

[diff] [blame]

2642

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2643

if (mbedtls_ssl_own_cert(ssl) != NULL) {

Ronald Cron

2022-03-09 07:44:27 +0100

[diff] [blame]

2644

non_empty_certificate_msg = 1;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2645

}

2646

} else {

2647

MBEDTLS_SSL_DEBUG_MSG(2, ("skip write certificate"));

Ronald Cron

2022-03-09 07:44:27 +0100

[diff] [blame]

2648

}

Ronald Cron

9df7c80

2022-03-08 18:38:54 +0100

[diff] [blame]

2649

#endif

Ronald Cron

5bb8fc8

2022-03-09 07:00:13 +0100

[diff] [blame]

2650

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2651

if (non_empty_certificate_msg) {

2652

mbedtls_ssl_handshake_set_state(ssl,

2653

MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY);

2654

} else {

2655

MBEDTLS_SSL_DEBUG_MSG(2, ("skip write certificate verify"));

2656

mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_FINISHED);

2657

}

Ronald Cron

2022-03-09 07:44:27 +0100

[diff] [blame]

2658

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2659

return 0;

Jerry Yu

2022-01-26 15:41:22 +0800

[diff] [blame]

2660

}

2661

Ronald Cron

2022-10-04 16:14:26 +0200

[diff] [blame]

2662

#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)

Jerry Yu

2022-01-26 15:41:22 +0800

[diff] [blame]

2663

/*

2664

* Handler for MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY

2665

*/

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

2666

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2667

static int ssl_tls13_write_client_certificate_verify(mbedtls_ssl_context *ssl)

Jerry Yu

2022-01-26 15:41:22 +0800

[diff] [blame]

2668

{

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2669

int ret = mbedtls_ssl_tls13_write_certificate_verify(ssl);

Ronald Cron

a8b3887

2022-03-09 07:59:25 +0100

[diff] [blame]

2670

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2671

if (ret == 0) {

2672

mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_FINISHED);

2673

}

Ronald Cron

a8b3887

2022-03-09 07:59:25 +0100

[diff] [blame]

2674

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2675

return ret;

Jerry Yu

2022-01-26 15:41:22 +0800

[diff] [blame]

2676

}

Ronald Cron

2022-10-04 16:14:26 +0200

[diff] [blame]

2677

#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */

Jerry Yu

2022-01-26 15:41:22 +0800

[diff] [blame]

2678

2679

/*

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

2680

* Handler for MBEDTLS_SSL_CLIENT_FINISHED

2681

*/

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

2682

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2683

static int ssl_tls13_write_client_finished(mbedtls_ssl_context *ssl)

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

2684

{

XiaokangQian

0fa6643

2021-11-15 03:33:57 +0000

[diff] [blame]

2685

int ret;

2686

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2687

ret = mbedtls_ssl_tls13_write_finished_message(ssl);

2688

if (ret != 0) {

2689

return ret;

Jerry Yu

e3d67cb

2022-05-19 15:33:10 +0800

[diff] [blame]

2690

}

2691

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2692

ret = mbedtls_ssl_tls13_compute_resumption_master_secret(ssl);

2693

if (ret != 0) {

Xiaokang Qian

2023-03-29 10:37:35 +0000

[diff] [blame]

2694

MBEDTLS_SSL_DEBUG_RET(

2695

1, "mbedtls_ssl_tls13_compute_resumption_master_secret ", ret);

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

return ret;

}

mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_FLUSH_BUFFERS);

2700

return 0;

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

}

/*

* Handler for MBEDTLS_SSL_FLUSH_BUFFERS

2705

*/

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

2706

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2707

static int ssl_tls13_flush_buffers(mbedtls_ssl_context *ssl)

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

2708

{

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2709

MBEDTLS_SSL_DEBUG_MSG(2, ("handshake: done"));

2710

mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_WRAPUP);

2711

return 0;

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

}

/*

* Handler for MBEDTLS_SSL_HANDSHAKE_WRAPUP

2716

*/

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

2717

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2718

static int ssl_tls13_handshake_wrapup(mbedtls_ssl_context *ssl)

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

2719

{

Jerry Yu

378254d

2021-10-30 21:44:47 +0800

[diff] [blame]

2720

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2721

mbedtls_ssl_tls13_handshake_wrapup(ssl);

Jerry Yu

378254d

2021-10-30 21:44:47 +0800

[diff] [blame]

2722

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2723

mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_OVER);

2724

return 0;

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

2725

}

2726

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2727

#if defined(MBEDTLS_SSL_SESSION_TICKETS)

2728

Yanray Wang

2023-11-14 17:20:16 +0800

[diff] [blame]

2729

#if defined(MBEDTLS_SSL_EARLY_DATA)

2730

/* From RFC 8446 section 4.2.10

2731

*

2732

* struct {

2733

* select (Handshake.msg_type) {

2734

* case new_session_ticket: uint32 max_early_data_size;

2735

* ...

2736

* };

2737

* } EarlyDataIndication;

2738

*/

2739

MBEDTLS_CHECK_RETURN_CRITICAL

Yanray Wang

b3e207d

2023-11-30 16:49:49 +0800

[diff] [blame]

2740

static int ssl_tls13_parse_new_session_ticket_early_data_ext(

2741

mbedtls_ssl_context *ssl,

2742

const unsigned char *buf,

2743

const unsigned char *end)

Yanray Wang

2023-11-14 17:20:16 +0800

[diff] [blame]

2744

{

Yanray Wang

2023-11-23 16:35:54 +0800

[diff] [blame]

2745

mbedtls_ssl_session *session = ssl->session;

2746

Yanray Wang

2023-11-14 17:20:16 +0800

[diff] [blame]

2747

MBEDTLS_SSL_CHK_BUF_READ_PTR(buf, end, 4);

Yanray Wang

2023-11-14 17:20:16 +0800

[diff] [blame]

2748

Yanray Wang

2023-11-23 16:35:54 +0800

[diff] [blame]

2749

session->max_early_data_size = MBEDTLS_GET_UINT32_BE(buf, 0);

Pengyu Lv

2023-12-06 10:04:17 +0800

[diff] [blame]

2750

mbedtls_ssl_tls13_session_set_ticket_flags(

Yanray Wang

2023-11-23 16:35:54 +0800

[diff] [blame]

2751

session, MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_EARLY_DATA);

2752

MBEDTLS_SSL_DEBUG_MSG(

2753

3, ("received max_early_data_size: %u",

2754

(unsigned int) session->max_early_data_size));

Yanray Wang

2023-11-14 17:20:16 +0800

[diff] [blame]

2755

Yanray Wang

2023-11-23 16:35:54 +0800

[diff] [blame]

2756

return 0;

Yanray Wang

2023-11-14 17:20:16 +0800

[diff] [blame]

2757

}

2758

#endif /* MBEDTLS_SSL_EARLY_DATA */

2759

Jerry Yu

2022-07-13 11:22:55 +0800

[diff] [blame]

2760

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2761

static int ssl_tls13_parse_new_session_ticket_exts(mbedtls_ssl_context *ssl,

2762

const unsigned char *buf,

2763

const unsigned char *end)

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2764

{

Jerry Yu

2022-10-29 09:08:47 +0800

[diff] [blame]

2765

mbedtls_ssl_handshake_params *handshake = ssl->handshake;

Jerry Yu

af2c0c8

2022-07-12 05:47:21 +0000

[diff] [blame]

2766

const unsigned char *p = buf;

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2767

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2768

Jerry Yu

edab637

2022-10-31 14:37:31 +0800

[diff] [blame]

2769

handshake->received_extensions = MBEDTLS_SSL_EXT_MASK_NONE;

Jerry Yu

2022-08-04 17:53:25 +0800

[diff] [blame]

2770

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2771

while (p < end) {

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2772

unsigned int extension_type;

2773

size_t extension_data_len;

Jerry Yu

2022-08-29 15:25:36 +0800

[diff] [blame]

2774

int ret;

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2775

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2776

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 4);

2777

extension_type = MBEDTLS_GET_UINT16_BE(p, 0);

2778

extension_data_len = MBEDTLS_GET_UINT16_BE(p, 2);

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2779

p += 4;

2780

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2781

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, extension_data_len);

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2782

Jerry Yu

2022-10-29 09:08:47 +0800

[diff] [blame]

2783

ret = mbedtls_ssl_tls13_check_received_extension(

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2784

ssl, MBEDTLS_SSL_HS_NEW_SESSION_TICKET, extension_type,

2785

MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_NST);

2786

if (ret != 0) {

2787

return ret;

2788

}

Jerry Yu

2022-08-04 17:53:25 +0800

[diff] [blame]

2789

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2790

switch (extension_type) {

Xiaokang Qian

0cc4320

2022-11-16 08:43:50 +0000

[diff] [blame]

2791

#if defined(MBEDTLS_SSL_EARLY_DATA)

Xiaokang Qian

f447e8a

2022-11-08 07:02:27 +0000

[diff] [blame]

2792

case MBEDTLS_TLS_EXT_EARLY_DATA:

Yanray Wang

b3e207d

2023-11-30 16:49:49 +0800

[diff] [blame]

2793

ret = ssl_tls13_parse_new_session_ticket_early_data_ext(

Yanray Wang

2023-11-14 17:20:16 +0800

[diff] [blame]

2794

ssl, p, p + extension_data_len);

2795

if (ret != 0) {

2796

MBEDTLS_SSL_DEBUG_RET(

Yanray Wang

b3e207d

2023-11-30 16:49:49 +0800

[diff] [blame]

2797

1, "ssl_tls13_parse_new_session_ticket_early_data_ext",

2798

ret);

Xiaokang Qian

2d87a9e

2022-11-09 07:55:48 +0000

[diff] [blame]

2799

}

Xiaokang Qian

f447e8a

2022-11-08 07:02:27 +0000

[diff] [blame]

2800

break;

Xiaokang Qian

0cc4320

2022-11-16 08:43:50 +0000

[diff] [blame]

2801

#endif /* MBEDTLS_SSL_EARLY_DATA */

Xiaokang Qian

f447e8a

2022-11-08 07:02:27 +0000

[diff] [blame]

2802

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2803

default:

Jerry Yu

79aa721

2022-11-08 21:30:21 +0800

[diff] [blame]

2804

MBEDTLS_SSL_PRINT_EXT(

Jerry Yu

edab637

2022-10-31 14:37:31 +0800

[diff] [blame]

2805

3, MBEDTLS_SSL_HS_NEW_SESSION_TICKET,

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2806

extension_type, "( ignored )");

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2807

break;

2808

}

Jerry Yu

2022-08-04 17:53:25 +0800

[diff] [blame]

2809

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2810

p += extension_data_len;

2811

}

2812

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2813

MBEDTLS_SSL_PRINT_EXTS(3, MBEDTLS_SSL_HS_NEW_SESSION_TICKET,

2814

handshake->received_extensions);

Jerry Yu

2022-08-04 17:53:25 +0800

[diff] [blame]

2815

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2816

return 0;

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2817

}

2818

2819

/*

Jerry Yu

08aed4d

2022-07-20 10:36:12 +0800

[diff] [blame]

2820

* From RFC8446, page 74

2821

*

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2822

* struct {

2823

* uint32 ticket_lifetime;

2824

* uint32 ticket_age_add;

2825

* opaque ticket_nonce<0..255>;

2826

* opaque ticket<1..2^16-1>;

2827

* Extension extensions<0..2^16-2>;

2828

* } NewSessionTicket;

2829

*

2830

*/

Jerry Yu

2022-07-13 11:22:55 +0800

[diff] [blame]

2831

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2832

static int ssl_tls13_parse_new_session_ticket(mbedtls_ssl_context *ssl,

2833

unsigned char *buf,

2834

unsigned char *end,

2835

unsigned char **ticket_nonce,

2836

size_t *ticket_nonce_len)

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2837

{

2838

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

2839

unsigned char *p = buf;

2840

mbedtls_ssl_session *session = ssl->session;

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2841

size_t ticket_len;

2842

unsigned char *ticket;

2843

size_t extensions_len;

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2844

Jerry Yu

2022-07-12 06:09:38 +0000

[diff] [blame]

2845

*ticket_nonce = NULL;

2846

*ticket_nonce_len = 0;

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2847

/*

2848

* ticket_lifetime 4 bytes

2849

* ticket_age_add 4 bytes

Jerry Yu

08aed4d

2022-07-20 10:36:12 +0800

[diff] [blame]

2850

* ticket_nonce_len 1 byte

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2851

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2852

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 9);

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2853

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2854

session->ticket_lifetime = MBEDTLS_GET_UINT32_BE(p, 0);

2855

MBEDTLS_SSL_DEBUG_MSG(3,

2856

("ticket_lifetime: %u",

2857

(unsigned int) session->ticket_lifetime));

Jerry Yu

8e0174a

2023-11-10 13:58:16 +0800

[diff] [blame]

2858

if (session->ticket_lifetime >

2859

MBEDTLS_SSL_TLS1_3_MAX_ALLOWED_TICKET_LIFETIME) {

Jerry Yu

46c7926

2023-11-10 13:58:16 +0800

[diff] [blame]

2860

MBEDTLS_SSL_DEBUG_MSG(3, ("ticket_lifetime exceeds 7 days."));

Jerry Yu

cf91351

2023-11-14 11:06:52 +0800

[diff] [blame]

2861

return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;

Jerry Yu

46c7926

2023-11-10 13:58:16 +0800

[diff] [blame]

2862

}

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2863

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2864

session->ticket_age_add = MBEDTLS_GET_UINT32_BE(p, 4);

2865

MBEDTLS_SSL_DEBUG_MSG(3,

2866

("ticket_age_add: %u",

2867

(unsigned int) session->ticket_age_add));

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2868

Jerry Yu

2022-07-12 06:09:38 +0000

[diff] [blame]

2869

*ticket_nonce_len = p[8];

2870

p += 9;

2871

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2872

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, *ticket_nonce_len);

Jerry Yu

2022-07-12 06:09:38 +0000

[diff] [blame]

2873

*ticket_nonce = p;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2874

MBEDTLS_SSL_DEBUG_BUF(3, "ticket_nonce:", *ticket_nonce, *ticket_nonce_len);

Jerry Yu

2022-07-12 06:09:38 +0000

[diff] [blame]

2875

p += *ticket_nonce_len;

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2876

2877

/* Ticket */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2878

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);

2879

ticket_len = MBEDTLS_GET_UINT16_BE(p, 0);

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2880

p += 2;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2881

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, ticket_len);

2882

MBEDTLS_SSL_DEBUG_BUF(3, "received ticket", p, ticket_len);

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2883

2884

/* Check if we previously received a ticket already. */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2885

if (session->ticket != NULL || session->ticket_len > 0) {

2886

mbedtls_free(session->ticket);

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2887

session->ticket = NULL;

2888

session->ticket_len = 0;

2889

}

2890

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2891

if ((ticket = mbedtls_calloc(1, ticket_len)) == NULL) {

2892

MBEDTLS_SSL_DEBUG_MSG(1, ("ticket alloc failed"));

2893

return MBEDTLS_ERR_SSL_ALLOC_FAILED;

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2894

}

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2895

memcpy(ticket, p, ticket_len);

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2896

p += ticket_len;

2897

session->ticket = ticket;

2898

session->ticket_len = ticket_len;

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2899

Pengyu Lv

2022-11-17 15:22:33 +0800

[diff] [blame]

2900

/* Clear all flags in ticket_flags */

Pengyu Lv

2023-12-06 10:04:17 +0800

[diff] [blame]

2901

mbedtls_ssl_tls13_session_clear_ticket_flags(

Pengyu Lv

9eacb44

2022-12-09 14:39:19 +0800

[diff] [blame]

2902

session, MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK);

Pengyu Lv

2022-11-17 15:22:33 +0800

[diff] [blame]

2903

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2904

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);

2905

extensions_len = MBEDTLS_GET_UINT16_BE(p, 0);

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2906

p += 2;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2907

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, extensions_len);

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2908

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2909

MBEDTLS_SSL_DEBUG_BUF(3, "ticket extension", p, extensions_len);

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2910

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2911

ret = ssl_tls13_parse_new_session_ticket_exts(ssl, p, p + extensions_len);

2912

if (ret != 0) {

2913

MBEDTLS_SSL_DEBUG_RET(1,

2914

"ssl_tls13_parse_new_session_ticket_exts",

2915

ret);

2916

return ret;

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2917

}

Jerry Yu

2022-07-12 06:09:38 +0000

[diff] [blame]

2918

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2919

return 0;

Jerry Yu

2022-07-12 06:09:38 +0000

[diff] [blame]

2920

}

2921

Ronald Cron

2024-03-08 17:51:23 +0100

[diff] [blame]

2922

/* Non negative return values for ssl_tls13_postprocess_new_session_ticket().

2923

* - POSTPROCESS_NEW_SESSION_TICKET_SIGNAL, all good, we have to signal the

2924

* application that a valid ticket has been received.

2925

* - POSTPROCESS_NEW_SESSION_TICKET_DISCARD, no fatal error, we keep the

2926

* connection alive but we do not signal the ticket to the application.

2927

*/

2928

#define POSTPROCESS_NEW_SESSION_TICKET_SIGNAL 0

2929

#define POSTPROCESS_NEW_SESSION_TICKET_DISCARD 1

Jerry Yu

2022-07-13 11:22:55 +0800

[diff] [blame]

2930

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2931

static int ssl_tls13_postprocess_new_session_ticket(mbedtls_ssl_context *ssl,

2932

unsigned char *ticket_nonce,

2933

size_t ticket_nonce_len)

Jerry Yu

2022-07-12 06:09:38 +0000

[diff] [blame]

2934

{

2935

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

2936

mbedtls_ssl_session *session = ssl->session;

2937

const mbedtls_ssl_ciphersuite_t *ciphersuite_info;

2938

psa_algorithm_t psa_hash_alg;

2939

int hash_length;

2940

Ronald Cron

2024-03-08 17:51:23 +0100

[diff] [blame]

2941

if (session->ticket_lifetime == 0) {

2942

return POSTPROCESS_NEW_SESSION_TICKET_DISCARD;

2943

}

2944

Jerry Yu

2022-07-13 11:16:51 +0800

[diff] [blame]

2945

#if defined(MBEDTLS_HAVE_TIME)

2946

/* Store ticket creation time */

Jerry Yu

342a555

2023-11-10 14:23:39 +0800

[diff] [blame]

2947

session->ticket_reception_time = mbedtls_ms_time();

Jerry Yu

2022-07-13 11:16:51 +0800

[diff] [blame]

2948

#endif

2949

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2950

ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(session->ciphersuite);

2951

if (ciphersuite_info == NULL) {

2952

MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));

2953

return MBEDTLS_ERR_SSL_INTERNAL_ERROR;

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2954

}

2955

Dave Rodgman

2eab462

2023-10-05 13:30:37 +0100

[diff] [blame]

2956

psa_hash_alg = mbedtls_md_psa_alg_from_type((mbedtls_md_type_t) ciphersuite_info->mac);

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2957

hash_length = PSA_HASH_LENGTH(psa_hash_alg);

2958

if (hash_length == -1 ||

2959

(size_t) hash_length > sizeof(session->resumption_key)) {

2960

return MBEDTLS_ERR_SSL_INTERNAL_ERROR;

Jerry Yu

3afdf36

2022-07-20 17:34:14 +0800

[diff] [blame]

2961

}

2962

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2963

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2964

MBEDTLS_SSL_DEBUG_BUF(3, "resumption_master_secret",

2965

session->app_secrets.resumption_master_secret,

2966

hash_length);

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2967

Jerry Yu

2022-07-13 11:16:51 +0800

[diff] [blame]

2968

/* Compute resumption key

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2969

*

2970

* HKDF-Expand-Label( resumption_master_secret,

2971

* "resumption", ticket_nonce, Hash.length )

2972

*/

2973

ret = mbedtls_ssl_tls13_hkdf_expand_label(

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2974

psa_hash_alg,

2975

session->app_secrets.resumption_master_secret,

2976

hash_length,

2977

MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(resumption),

2978

ticket_nonce,

2979

ticket_nonce_len,

2980

session->resumption_key,

2981

hash_length);

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2982

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2983

if (ret != 0) {

2984

MBEDTLS_SSL_DEBUG_RET(2,

2985

"Creating the ticket-resumed PSK failed",

2986

ret);

2987

return ret;

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2988

}

2989

Jerry Yu

0a430c8

2022-07-20 11:02:48 +0800

[diff] [blame]

2990

session->resumption_key_len = hash_length;

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2991

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2992

MBEDTLS_SSL_DEBUG_BUF(3, "Ticket-resumed PSK",

2993

session->resumption_key,

2994

session->resumption_key_len);

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2995

Pengyu Lv

2022-11-17 15:22:33 +0800

[diff] [blame]

2996

/* Set ticket_flags depends on the selected key exchange modes */

Pengyu Lv

2023-12-06 10:04:17 +0800

[diff] [blame]

2997

mbedtls_ssl_tls13_session_set_ticket_flags(

Pengyu Lv

9eacb44

2022-12-09 14:39:19 +0800

[diff] [blame]

2998

session, ssl->conf->tls13_kex_modes);

Pengyu Lv

4938a56

2023-01-16 11:28:49 +0800

[diff] [blame]

2999

MBEDTLS_SSL_PRINT_TICKET_FLAGS(4, session->ticket_flags);

Pengyu Lv

2022-11-17 15:22:33 +0800

[diff] [blame]

3000

Ronald Cron

2024-03-08 17:51:23 +0100

[diff] [blame]

3001

return POSTPROCESS_NEW_SESSION_TICKET_SIGNAL;

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

3002

}

3003

3004

/*

Jerry Yu

a8d3c50

2022-10-30 14:51:23 +0800

[diff] [blame]

3005

* Handler for MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

3006

*/

Jerry Yu

2022-07-13 11:22:55 +0800

[diff] [blame]

3007

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

3008

static int ssl_tls13_process_new_session_ticket(mbedtls_ssl_context *ssl)

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

3009

{

3010

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

3011

unsigned char *buf;

3012

size_t buf_len;

Jerry Yu

2022-07-12 06:09:38 +0000

[diff] [blame]

3013

unsigned char *ticket_nonce;

3014

size_t ticket_nonce_len;

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

3015

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

3016

MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse new session ticket"));

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

3017

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

3018

MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_tls13_fetch_handshake_msg(

3019

ssl, MBEDTLS_SSL_HS_NEW_SESSION_TICKET,

3020

&buf, &buf_len));

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

3021

Ronald Cron

2024-03-08 17:51:23 +0100

[diff] [blame]

3022

/*

3023

* We are about to update (maybe only partially) ticket data thus block

3024

* any session export for the time being.

3025

*/

3026

ssl->session->exported = 1;

3027

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

3028

MBEDTLS_SSL_PROC_CHK(ssl_tls13_parse_new_session_ticket(

3029

ssl, buf, buf + buf_len,

3030

&ticket_nonce, &ticket_nonce_len));

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

3031

Ronald Cron

2024-03-08 17:51:23 +0100

[diff] [blame]

3032

MBEDTLS_SSL_PROC_CHK_NEG(ssl_tls13_postprocess_new_session_ticket(

3033

ssl, ticket_nonce, ticket_nonce_len));

3034

3035

switch (ret) {

3036

case POSTPROCESS_NEW_SESSION_TICKET_SIGNAL:

3037

/*

3038

* All good, we have received a new valid ticket, session data can

3039

* be exported now and we signal the ticket to the application.

3040

*/

3041

ssl->session->exported = 0;

3042

ret = MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET;

3043

break;

3044

3045

case POSTPROCESS_NEW_SESSION_TICKET_DISCARD:

3046

ret = 0;

3047

MBEDTLS_SSL_DEBUG_MSG(2, ("Discard new session ticket"));

break;

default:

ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;

3052

}

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

3053

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

3054

mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_OVER);

Jerry Yu

2022-07-13 11:16:51 +0800

[diff] [blame]

3055

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

3056

cleanup:

3057

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

3058

MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse new session ticket"));

3059

return ret;

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

3060

}

3061

#endif /* MBEDTLS_SSL_SESSION_TICKETS */

3062

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

3063

int mbedtls_ssl_tls13_handshake_client_step(mbedtls_ssl_context *ssl)

Jerry Yu

2021-08-24 15:59:48 +0800

[diff] [blame]

3064

{

Jerry Yu

2021-08-27 16:59:09 +0800

[diff] [blame]

3065

int ret = 0;

Jerry Yu

c8a392c

2021-08-18 16:46:28 +0800

[diff] [blame]

3066

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

3067

switch (ssl->state) {

Jerry Yu

2021-08-27 16:59:09 +0800

[diff] [blame]

3068

case MBEDTLS_SSL_HELLO_REQUEST:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

3069

mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_HELLO);

Jerry Yu

ddda050

2022-12-01 19:43:12 +0800

[diff] [blame]

3070

break;

3071

Jerry Yu

2021-08-27 16:59:09 +0800

[diff] [blame]

3072

case MBEDTLS_SSL_CLIENT_HELLO:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

3073

ret = mbedtls_ssl_write_client_hello(ssl);

Jerry Yu

2021-08-27 16:59:09 +0800

[diff] [blame]

3074

break;

3075

3076

case MBEDTLS_SSL_SERVER_HELLO:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

3077

ret = ssl_tls13_process_server_hello(ssl);

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

3078

break;

3079

3080

case MBEDTLS_SSL_ENCRYPTED_EXTENSIONS:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

3081

ret = ssl_tls13_process_encrypted_extensions(ssl);

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

3082

break;

3083

Ronald Cron

2022-10-04 16:14:26 +0200

[diff] [blame]

3084

#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)

Jerry Yu

2021-10-29 10:08:19 +0800

[diff] [blame]

3085

case MBEDTLS_SSL_CERTIFICATE_REQUEST:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

3086

ret = ssl_tls13_process_certificate_request(ssl);

Jerry Yu

2021-10-29 10:08:19 +0800

[diff] [blame]

3087

break;

3088

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

3089

case MBEDTLS_SSL_SERVER_CERTIFICATE:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

3090

ret = ssl_tls13_process_server_certificate(ssl);

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

3091

break;

3092

3093

case MBEDTLS_SSL_CERTIFICATE_VERIFY:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

3094

ret = ssl_tls13_process_certificate_verify(ssl);

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

3095

break;

Ronald Cron

2022-10-04 16:14:26 +0200

[diff] [blame]

3096

#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

3097

3098

case MBEDTLS_SSL_SERVER_FINISHED:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

3099

ret = ssl_tls13_process_server_finished(ssl);

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

3100

break;

3101

Ronald Cron

e21c2d2

2024-02-21 16:37:16 +0100

[diff] [blame]

3102

#if defined(MBEDTLS_SSL_EARLY_DATA)

Xiaokang Qian

2022-10-28 06:04:06 +0000

[diff] [blame]

3103

case MBEDTLS_SSL_END_OF_EARLY_DATA:

3104

ret = ssl_tls13_write_end_of_early_data(ssl);

3105

break;

Ronald Cron

e21c2d2

2024-02-21 16:37:16 +0100

[diff] [blame]

3106

#endif

Xiaokang Qian

2022-10-28 06:04:06 +0000

[diff] [blame]

3107

Jerry Yu

2022-01-26 15:41:22 +0800

[diff] [blame]

3108

case MBEDTLS_SSL_CLIENT_CERTIFICATE:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

3109

ret = ssl_tls13_write_client_certificate(ssl);

Jerry Yu

2022-01-26 15:41:22 +0800

[diff] [blame]

3110

break;

3111

Ronald Cron

2022-10-04 16:14:26 +0200

[diff] [blame]

3112

#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)

Jerry Yu

2022-01-26 15:41:22 +0800

[diff] [blame]

3113

case MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

3114

ret = ssl_tls13_write_client_certificate_verify(ssl);

Jerry Yu

2022-01-26 15:41:22 +0800

[diff] [blame]

3115

break;

Ronald Cron

2022-10-04 16:14:26 +0200

[diff] [blame]

3116

#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */

Jerry Yu

2022-01-26 15:41:22 +0800

[diff] [blame]

3117

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

3118

case MBEDTLS_SSL_CLIENT_FINISHED:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

3119

ret = ssl_tls13_write_client_finished(ssl);

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

3120

break;

3121

3122

case MBEDTLS_SSL_FLUSH_BUFFERS:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

3123

ret = ssl_tls13_flush_buffers(ssl);

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

3124

break;

3125

3126

case MBEDTLS_SSL_HANDSHAKE_WRAPUP:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

3127

ret = ssl_tls13_handshake_wrapup(ssl);

Jerry Yu

2021-08-27 16:59:09 +0800

[diff] [blame]

3128

break;

3129

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

3130

/*

3131

* Injection of dummy-CCS's for middlebox compatibility

3132

*/

Ronald Cron

2021-11-24 16:25:31 +0100

[diff] [blame]

3133

#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)

XiaokangQian

0b56a8f

2021-12-22 02:39:32 +0000

[diff] [blame]

3134

case MBEDTLS_SSL_CLIENT_CCS_BEFORE_2ND_CLIENT_HELLO:

Ronald Cron

e273f72

2024-02-13 18:22:26 +0100

[diff] [blame]

3135

ret = mbedtls_ssl_tls13_write_change_cipher_spec(ssl);

3136

if (ret != 0) {

3137

break;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

3138

}

Ronald Cron

fe59ff7

2024-01-24 14:31:50 +0100

[diff] [blame]

3139

mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_HELLO);

Ronald Cron

9f55f63

2022-02-02 16:02:47 +0100

[diff] [blame]

3140

break;

3141

3142

case MBEDTLS_SSL_CLIENT_CCS_AFTER_SERVER_FINISHED:

Ronald Cron

e273f72

2024-02-13 18:22:26 +0100

[diff] [blame]

3143

ret = mbedtls_ssl_tls13_write_change_cipher_spec(ssl);

3144

if (ret != 0) {

3145

break;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

3146

}

Ronald Cron

fe59ff7

2024-01-24 14:31:50 +0100

[diff] [blame]

3147

mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE);

Ronald Cron

2021-11-24 16:25:31 +0100

[diff] [blame]

3148

break;

Xiaokang Qian

f6d8fd3

2023-02-02 02:46:26 +0000

[diff] [blame]

3149

Ronald Cron

297c608

2024-01-19 08:15:33 +0100

[diff] [blame]

3150

#if defined(MBEDTLS_SSL_EARLY_DATA)

Xiaokang Qian

592021a

2023-01-04 10:47:05 +0000

[diff] [blame]

3151

case MBEDTLS_SSL_CLIENT_CCS_AFTER_CLIENT_HELLO:

3152

ret = mbedtls_ssl_tls13_write_change_cipher_spec(ssl);

3153

if (ret == 0) {

3154

mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_HELLO);

3155

3156

MBEDTLS_SSL_DEBUG_MSG(

3157

1, ("Switch to early data keys for outbound traffic"));

3158

mbedtls_ssl_set_outbound_transform(

3159

ssl, ssl->handshake->transform_earlydata);

Ronald Cron

2024-03-03 15:03:22 +0100

[diff] [blame]

3160

ssl->early_data_state = MBEDTLS_SSL_EARLY_DATA_STATE_CAN_WRITE;

Xiaokang Qian

592021a

2023-01-04 10:47:05 +0000

[diff] [blame]

3161

}

3162

break;

Ronald Cron

297c608

2024-01-19 08:15:33 +0100

[diff] [blame]

3163

#endif /* MBEDTLS_SSL_EARLY_DATA */

Ronald Cron

2021-11-24 16:25:31 +0100

[diff] [blame]

3164

#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */

3165

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

3166

#if defined(MBEDTLS_SSL_SESSION_TICKETS)

Jerry Yu

a8d3c50

2022-10-30 14:51:23 +0800

[diff] [blame]

3167

case MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

3168

ret = ssl_tls13_process_new_session_ticket(ssl);

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

3169

break;

3170

#endif /* MBEDTLS_SSL_SESSION_TICKETS */

3171

Jerry Yu

2021-08-27 16:59:09 +0800

[diff] [blame]

3172

default:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

3173

MBEDTLS_SSL_DEBUG_MSG(1, ("invalid state %d", ssl->state));

3174

return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;

Jerry Yu

2021-08-27 16:59:09 +0800

[diff] [blame]

3175

}

3176

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

3177

return ret;

Jerry Yu