TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 3e60cada5d4bf2980096cd4c222c6d884eae096b / . / library / ssl_tls13_client.c
blob: 1cd2ac57529feca8aa8583b696ebd42ec4a6b09b [file] [log] [blame]
Jerry Yu3cc4c2a2021-08-06 16:29:08 +0800[diff] [blame]1/*
2 * TLS 1.3 client-side functions
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 *
19 * This file is part of mbed TLS ( https://tls.mbed.org )
20 */
21
22#include "common.h"
23
Jerry Yucc43c6b2022-01-28 10:24:45 +0800[diff] [blame]24#if defined(MBEDTLS_SSL_CLI_C) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
Jerry Yu3cc4c2a2021-08-06 16:29:08 +0800[diff] [blame]25
Jerry Yubc20bdd2021-08-24 15:59:48 +0800[diff] [blame]26#include <string.h>
27
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]28#include "mbedtls/debug.h"
29#include "mbedtls/error.h"
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]30#include "mbedtls/platform.h"
Jerry Yua13c7e72021-08-17 10:44:40 +0800[diff] [blame]31
Jerry Yubdc71882021-09-14 19:30:36 +0800[diff] [blame]32#include "ssl_misc.h"
Ronald Cron3d580bf2022-02-18 17:24:56 +0100[diff] [blame]33#include "ssl_client.h"
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]34#include "ssl_tls13_keys.h"
Jerry Yucbd082f2022-08-04 16:55:10 +0800[diff] [blame]35#include "ssl_debug_helpers.h"
Jerry Yubdc71882021-09-14 19:30:36 +0800[diff] [blame]36
Jerry Yubc20bdd2021-08-24 15:59:48 +0800[diff] [blame]37/* Write extensions */
38
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]39/*
40 * ssl_tls13_write_supported_versions_ext():
41 *
42 * struct {
43 * ProtocolVersion versions<2..254>;
44 * } SupportedVersions;
45 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]46MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yuf4436812021-08-26 22:59:56 +0800[diff] [blame]47static int ssl_tls13_write_supported_versions_ext( mbedtls_ssl_context *ssl,
Jerry Yueecfbf02021-08-30 18:32:07 +0800[diff] [blame]48 unsigned char *buf,
49 unsigned char *end,
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]50 size_t *out_len )
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]51{
52 unsigned char *p = buf;
Glenn Strausscd78df62022-04-07 19:07:11 -0400[diff] [blame]53 unsigned char versions_len = ( ssl->handshake->min_tls_version <=
54 MBEDTLS_SSL_VERSION_TLS1_2 ) ? 4 : 2;
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]55
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]56 *out_len = 0;
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]57
Jerry Yu159c5a02021-08-31 12:51:25 +0800[diff] [blame]58 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding supported versions extension" ) );
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]59
Jerry Yu388bd0d2021-09-15 18:41:02 +0800[diff] [blame]60 /* Check if we have space to write the extension:
Jerry Yub60e3cf2021-09-08 16:41:02 +0800[diff] [blame]61 * - extension_type (2 bytes)
62 * - extension_data_length (2 bytes)
63 * - versions_length (1 byte )
Ronald Crona77fc272022-03-30 17:20:47 +0200[diff] [blame]64 * - versions (2 or 4 bytes)
Jerry Yu159c5a02021-08-31 12:51:25 +0800[diff] [blame]65 */
Ronald Crona77fc272022-03-30 17:20:47 +0200[diff] [blame]66 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 5 + versions_len );
Ronald Crondbe87f02022-02-10 14:35:27 +0100[diff] [blame]67
Jerry Yueecfbf02021-08-30 18:32:07 +0800[diff] [blame]68 MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS, p, 0 );
Ronald Crondbe87f02022-02-10 14:35:27 +0100[diff] [blame]69 MBEDTLS_PUT_UINT16_BE( versions_len + 1, p, 2 );
Jerry Yueecfbf02021-08-30 18:32:07 +0800[diff] [blame]70 p += 4;
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]71
Jerry Yu1bc2c1f2021-09-01 12:57:29 +0800[diff] [blame]72 /* Length of versions */
Ronald Crondbe87f02022-02-10 14:35:27 +0100[diff] [blame]73 *p++ = versions_len;
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]74
Jerry Yu0c63af62021-09-02 12:59:12 +0800[diff] [blame]75 /* Write values of supported versions.
Jerry Yu0c63af62021-09-02 12:59:12 +0800[diff] [blame]76 * They are defined by the configuration.
Ronald Crondbe87f02022-02-10 14:35:27 +0100[diff] [blame]77 * Currently, we advertise only TLS 1.3 or both TLS 1.3 and TLS 1.2.
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]78 */
Glenn Strausse3af4cb2022-03-15 03:23:42 -0400[diff] [blame]79 mbedtls_ssl_write_version( p, MBEDTLS_SSL_TRANSPORT_STREAM,
80 MBEDTLS_SSL_VERSION_TLS1_3 );
Ronald Crondbe87f02022-02-10 14:35:27 +0100[diff] [blame]81 MBEDTLS_SSL_DEBUG_MSG( 3, ( "supported version: [3:4]" ) );
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]82
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]83
Glenn Strausscd78df62022-04-07 19:07:11 -0400[diff] [blame]84 if( ssl->handshake->min_tls_version <= MBEDTLS_SSL_VERSION_TLS1_2 )
Ronald Crondbe87f02022-02-10 14:35:27 +0100[diff] [blame]85 {
Glenn Strausse3af4cb2022-03-15 03:23:42 -0400[diff] [blame]86 mbedtls_ssl_write_version( p + 2, MBEDTLS_SSL_TRANSPORT_STREAM,
87 MBEDTLS_SSL_VERSION_TLS1_2 );
Ronald Crondbe87f02022-02-10 14:35:27 +0100[diff] [blame]88 MBEDTLS_SSL_DEBUG_MSG( 3, ( "supported version: [3:3]" ) );
89 }
90
91 *out_len = 5 + versions_len;
Jerry Yu4b8f2f72022-10-31 13:31:22 +0800[diff] [blame]92
Jerry Yuc4bf5d62022-10-29 09:08:47 +0800[diff] [blame]93 mbedtls_ssl_tls13_set_hs_sent_ext_mask(
94 ssl, MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS );
Jerry Yu4b8f2f72022-10-31 13:31:22 +0800[diff] [blame]95
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]96 return( 0 );
97}
Jerry Yubc20bdd2021-08-24 15:59:48 +0800[diff] [blame]98
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]99MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yuc068b662021-10-11 22:30:19 +0800[diff] [blame]100static int ssl_tls13_parse_supported_versions_ext( mbedtls_ssl_context *ssl,
101 const unsigned char *buf,
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]102 const unsigned char *end )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]103{
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]104 ((void) ssl);
105
Ronald Cron98473382022-03-30 20:04:10 +0200[diff] [blame]106 MBEDTLS_SSL_CHK_BUF_READ_PTR( buf, end, 2 );
Glenn Strausse3af4cb2022-03-15 03:23:42 -0400[diff] [blame]107 if( mbedtls_ssl_read_version( buf, ssl->conf->transport ) !=
108 MBEDTLS_SSL_VERSION_TLS1_3 )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]109 {
110 MBEDTLS_SSL_DEBUG_MSG( 1, ( "unexpected version" ) );
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]111
112 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
113 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
114 return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]115 }
116
Ronald Cron98473382022-03-30 20:04:10 +0200[diff] [blame]117 if( &buf[2] != end )
118 {
119 MBEDTLS_SSL_DEBUG_MSG( 1, ( "supported_versions ext data length incorrect" ) );
120 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
121 MBEDTLS_ERR_SSL_DECODE_ERROR );
122 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
123 }
124
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]125 return( 0 );
126}
127
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]128#if defined(MBEDTLS_SSL_ALPN)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]129MBEDTLS_CHECK_RETURN_CRITICAL
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]130static int ssl_tls13_parse_alpn_ext( mbedtls_ssl_context *ssl,
Ronald Cron81a334f2022-05-31 16:04:11 +0200[diff] [blame]131 const unsigned char *buf, size_t len )
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]132{
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]133 const unsigned char *p = buf;
134 const unsigned char *end = buf + len;
Ronald Cron81a334f2022-05-31 16:04:11 +0200[diff] [blame]135 size_t protocol_name_list_len, protocol_name_len;
136 const unsigned char *protocol_name_list_end;
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]137
138 /* If we didn't send it, the server shouldn't send it */
139 if( ssl->conf->alpn_list == NULL )
140 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
141
142 /*
143 * opaque ProtocolName<1..2^8-1>;
144 *
145 * struct {
146 * ProtocolName protocol_name_list<2..2^16-1>
147 * } ProtocolNameList;
148 *
149 * the "ProtocolNameList" MUST contain exactly one "ProtocolName"
150 */
151
Ronald Cron81a334f2022-05-31 16:04:11 +0200[diff] [blame]152 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
153 protocol_name_list_len = MBEDTLS_GET_UINT16_BE( p, 0 );
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]154 p += 2;
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]155
Ronald Cron81a334f2022-05-31 16:04:11 +0200[diff] [blame]156 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, protocol_name_list_len );
157 protocol_name_list_end = p + protocol_name_list_len;
158
159 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, protocol_name_list_end, 1 );
160 protocol_name_len = *p++;
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]161
162 /* Check that the server chosen protocol was in our list and save it */
Ronald Cron81a334f2022-05-31 16:04:11 +0200[diff] [blame]163 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, protocol_name_list_end, protocol_name_len );
164 for( const char **alpn = ssl->conf->alpn_list; *alpn != NULL; alpn++ )
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]165 {
Ronald Cron81a334f2022-05-31 16:04:11 +0200[diff] [blame]166 if( protocol_name_len == strlen( *alpn ) &&
167 memcmp( p, *alpn, protocol_name_len ) == 0 )
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]168 {
169 ssl->alpn_chosen = *alpn;
170 return( 0 );
171 }
172 }
173
174 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
175}
176#endif /* MBEDTLS_SSL_ALPN */
177
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]178MBEDTLS_CHECK_RETURN_CRITICAL
XiaokangQian16acd4b2022-01-14 07:35:47 +0000[diff] [blame]179static int ssl_tls13_reset_key_share( mbedtls_ssl_context *ssl )
XiaokangQian647719a2021-12-07 09:16:29 +0000[diff] [blame]180{
181 uint16_t group_id = ssl->handshake->offered_group_id;
Ronald Cron5b98ac92022-03-15 10:19:18 +0100[diff] [blame]182
XiaokangQian647719a2021-12-07 09:16:29 +0000[diff] [blame]183 if( group_id == 0 )
184 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
185
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]186#if defined(MBEDTLS_ECDH_C)
XiaokangQian647719a2021-12-07 09:16:29 +0000[diff] [blame]187 if( mbedtls_ssl_tls13_named_group_is_ecdhe( group_id ) )
XiaokangQian78b1fa72022-01-19 06:56:30 +0000[diff] [blame]188 {
Ronald Cron5b98ac92022-03-15 10:19:18 +0100[diff] [blame]189 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
190 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
191
192 /* Destroy generated private key. */
193 status = psa_destroy_key( ssl->handshake->ecdh_psa_privkey );
194 if( status != PSA_SUCCESS )
195 {
196 ret = psa_ssl_status_to_mbedtls( status );
197 MBEDTLS_SSL_DEBUG_RET( 1, "psa_destroy_key", ret );
198 return( ret );
199 }
200
201 ssl->handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
XiaokangQian78b1fa72022-01-19 06:56:30 +0000[diff] [blame]202 return( 0 );
203 }
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]204 else
205#endif /* MBEDTLS_ECDH_C */
206 if( 0 /* other KEMs? */ )
XiaokangQian647719a2021-12-07 09:16:29 +0000[diff] [blame]207 {
208 /* Do something */
209 }
210
211 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
212}
213
214/*
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]215 * Functions for writing key_share extension.
216 */
Ronald Cron766c0cd2022-10-18 12:17:11 +0200[diff] [blame]217#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]218MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yub60e3cf2021-09-08 16:41:02 +0800[diff] [blame]219static int ssl_tls13_get_default_group_id( mbedtls_ssl_context *ssl,
220 uint16_t *group_id )
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]221{
222 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
223
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]224
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]225#if defined(MBEDTLS_ECDH_C)
Brett Warren14efd332021-10-06 09:32:11 +0100[diff] [blame]226 const uint16_t *group_list = mbedtls_ssl_get_groups( ssl );
Jerry Yu388bd0d2021-09-15 18:41:02 +0800[diff] [blame]227 /* Pick first available ECDHE group compatible with TLS 1.3 */
Brett Warren14efd332021-10-06 09:32:11 +0100[diff] [blame]228 if( group_list == NULL )
Jerry Yu388bd0d2021-09-15 18:41:02 +0800[diff] [blame]229 return( MBEDTLS_ERR_SSL_BAD_CONFIG );
230
Brett Warren14efd332021-10-06 09:32:11 +0100[diff] [blame]231 for ( ; *group_list != 0; group_list++ )
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]232 {
Xiaofei Baieef15042021-11-18 07:29:56 +0000[diff] [blame]233 const mbedtls_ecp_curve_info *curve_info;
234 curve_info = mbedtls_ecp_curve_info_from_tls_id( *group_list );
235 if( curve_info != NULL &&
Brett Warren14efd332021-10-06 09:32:11 +0100[diff] [blame]236 mbedtls_ssl_tls13_named_group_is_ecdhe( *group_list ) )
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]237 {
Brett Warren14efd332021-10-06 09:32:11 +0100[diff] [blame]238 *group_id = *group_list;
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]239 return( 0 );
240 }
241 }
242#else
243 ((void) ssl);
Jerry Yub60e3cf2021-09-08 16:41:02 +0800[diff] [blame]244 ((void) group_id);
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]245#endif /* MBEDTLS_ECDH_C */
246
247 /*
248 * Add DHE named groups here.
Jerry Yu388bd0d2021-09-15 18:41:02 +0800[diff] [blame]249 * Pick first available DHE group compatible with TLS 1.3
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]250 */
251
252 return( ret );
253}
254
255/*
256 * ssl_tls13_write_key_share_ext
257 *
Jerry Yu388bd0d2021-09-15 18:41:02 +0800[diff] [blame]258 * Structure of key_share extension in ClientHello:
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]259 *
260 * struct {
261 * NamedGroup group;
262 * opaque key_exchange<1..2^16-1>;
263 * } KeyShareEntry;
264 * struct {
265 * KeyShareEntry client_shares<0..2^16-1>;
266 * } KeyShareClientHello;
267 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]268MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]269static int ssl_tls13_write_key_share_ext( mbedtls_ssl_context *ssl,
270 unsigned char *buf,
271 unsigned char *end,
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]272 size_t *out_len )
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]273{
274 unsigned char *p = buf;
Xiaofei Baieef15042021-11-18 07:29:56 +0000[diff] [blame]275 unsigned char *client_shares; /* Start of client_shares */
276 size_t client_shares_len; /* Length of client_shares */
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]277 uint16_t group_id;
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]278 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
279
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]280 *out_len = 0;
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]281
Jerry Yub60e3cf2021-09-08 16:41:02 +0800[diff] [blame]282 /* Check if we have space for header and length fields:
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]283 * - extension_type (2 bytes)
284 * - extension_data_length (2 bytes)
285 * - client_shares_length (2 bytes)
286 */
287 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 6 );
288 p += 6;
289
290 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello: adding key share extension" ) );
291
292 /* HRR could already have requested something else. */
293 group_id = ssl->handshake->offered_group_id;
Jerry Yub60e3cf2021-09-08 16:41:02 +0800[diff] [blame]294 if( !mbedtls_ssl_tls13_named_group_is_ecdhe( group_id ) &&
295 !mbedtls_ssl_tls13_named_group_is_dhe( group_id ) )
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]296 {
Jerry Yub60e3cf2021-09-08 16:41:02 +0800[diff] [blame]297 MBEDTLS_SSL_PROC_CHK( ssl_tls13_get_default_group_id( ssl,
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]298 &group_id ) );
299 }
300
301 /*
302 * Dispatch to type-specific key generation function.
303 *
304 * So far, we're only supporting ECDHE. With the introduction
305 * of PQC KEMs, we'll want to have multiple branches, one per
306 * type of KEM, and dispatch to the corresponding crypto. And
307 * only one key share entry is allowed.
308 */
Xiaofei Baieef15042021-11-18 07:29:56 +0000[diff] [blame]309 client_shares = p;
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]310#if defined(MBEDTLS_ECDH_C)
Jerry Yub60e3cf2021-09-08 16:41:02 +0800[diff] [blame]311 if( mbedtls_ssl_tls13_named_group_is_ecdhe( group_id ) )
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]312 {
Jerry Yu388bd0d2021-09-15 18:41:02 +0800[diff] [blame]313 /* Pointer to group */
Xiaofei Baieef15042021-11-18 07:29:56 +0000[diff] [blame]314 unsigned char *group = p;
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]315 /* Length of key_exchange */
Przemyslaw Stekiel4f419e52022-02-10 15:56:26 +0100[diff] [blame]316 size_t key_exchange_len = 0;
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]317
318 /* Check there is space for header of KeyShareEntry
319 * - group (2 bytes)
320 * - key_exchange_length (2 bytes)
321 */
322 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 4 );
323 p += 4;
Jerry Yu89e103c2022-03-30 22:43:29 +0800[diff] [blame]324 ret = mbedtls_ssl_tls13_generate_and_write_ecdh_key_exchange(
325 ssl, group_id, p, end, &key_exchange_len );
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]326 p += key_exchange_len;
327 if( ret != 0 )
328 return( ret );
329
330 /* Write group */
Xiaofei Baieef15042021-11-18 07:29:56 +0000[diff] [blame]331 MBEDTLS_PUT_UINT16_BE( group_id, group, 0 );
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]332 /* Write key_exchange_length */
Xiaofei Baieef15042021-11-18 07:29:56 +0000[diff] [blame]333 MBEDTLS_PUT_UINT16_BE( key_exchange_len, group, 2 );
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]334 }
335 else
336#endif /* MBEDTLS_ECDH_C */
337 if( 0 /* other KEMs? */ )
338 {
339 /* Do something */
340 }
341 else
342 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
343
Jerry Yub60e3cf2021-09-08 16:41:02 +0800[diff] [blame]344 /* Length of client_shares */
Xiaofei Baieef15042021-11-18 07:29:56 +0000[diff] [blame]345 client_shares_len = p - client_shares;
Jerry Yub60e3cf2021-09-08 16:41:02 +0800[diff] [blame]346 if( client_shares_len == 0)
347 {
348 MBEDTLS_SSL_DEBUG_MSG( 1, ( "No key share defined." ) );
349 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Jerry Yu7c522d42021-09-08 17:55:09 +0800[diff] [blame]350 }
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]351 /* Write extension_type */
352 MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_KEY_SHARE, buf, 0 );
353 /* Write extension_data_length */
Jerry Yub60e3cf2021-09-08 16:41:02 +0800[diff] [blame]354 MBEDTLS_PUT_UINT16_BE( client_shares_len + 2, buf, 2 );
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]355 /* Write client_shares_length */
Jerry Yub60e3cf2021-09-08 16:41:02 +0800[diff] [blame]356 MBEDTLS_PUT_UINT16_BE( client_shares_len, buf, 4 );
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]357
358 /* Update offered_group_id field */
359 ssl->handshake->offered_group_id = group_id;
360
361 /* Output the total length of key_share extension. */
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]362 *out_len = p - buf;
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]363
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]364 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, key_share extension", buf, *out_len );
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]365
Jerry Yuc4bf5d62022-10-29 09:08:47 +0800[diff] [blame]366 mbedtls_ssl_tls13_set_hs_sent_ext_mask( ssl, MBEDTLS_TLS_EXT_KEY_SHARE );
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]367
368cleanup:
369
370 return( ret );
371}
Ronald Cron766c0cd2022-10-18 12:17:11 +0200[diff] [blame]372#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED */
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]373
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]374/*
375 * ssl_tls13_parse_hrr_key_share_ext()
376 * Parse key_share extension in Hello Retry Request
377 *
378 * struct {
379 * NamedGroup selected_group;
380 * } KeyShareHelloRetryRequest;
381 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]382MBEDTLS_CHECK_RETURN_CRITICAL
XiaokangQiand9e068e2022-01-18 06:23:32 +0000[diff] [blame]383static int ssl_tls13_parse_hrr_key_share_ext( mbedtls_ssl_context *ssl,
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]384 const unsigned char *buf,
385 const unsigned char *end )
386{
Andrzej Kurekc19fb082022-10-03 10:52:24 -0400[diff] [blame]387#if defined(MBEDTLS_ECDH_C)
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]388 const mbedtls_ecp_curve_info *curve_info = NULL;
389 const unsigned char *p = buf;
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]390 int selected_group;
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]391 int found = 0;
392
393 const uint16_t *group_list = mbedtls_ssl_get_groups( ssl );
394 if( group_list == NULL )
395 return( MBEDTLS_ERR_SSL_BAD_CONFIG );
396
397 MBEDTLS_SSL_DEBUG_BUF( 3, "key_share extension", p, end - buf );
398
399 /* Read selected_group */
XiaokangQianb48894e2022-01-17 02:05:52 +0000[diff] [blame]400 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]401 selected_group = MBEDTLS_GET_UINT16_BE( p, 0 );
402 MBEDTLS_SSL_DEBUG_MSG( 3, ( "selected_group ( %d )", selected_group ) );
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]403
404 /* Upon receipt of this extension in a HelloRetryRequest, the client
405 * MUST first verify that the selected_group field corresponds to a
406 * group which was provided in the "supported_groups" extension in the
407 * original ClientHello.
408 * The supported_group was based on the info in ssl->conf->group_list.
409 *
410 * If the server provided a key share that was not sent in the ClientHello
411 * then the client MUST abort the handshake with an "illegal_parameter" alert.
412 */
XiaokangQiand9e068e2022-01-18 06:23:32 +0000[diff] [blame]413 for( ; *group_list != 0; group_list++ )
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]414 {
415 curve_info = mbedtls_ecp_curve_info_from_tls_id( *group_list );
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]416 if( curve_info == NULL || curve_info->tls_id != selected_group )
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]417 continue;
418
419 /* We found a match */
420 found = 1;
421 break;
422 }
423
424 /* Client MUST verify that the selected_group field does not
425 * correspond to a group which was provided in the "key_share"
426 * extension in the original ClientHello. If the server sent an
427 * HRR message with a key share already provided in the
428 * ClientHello then the client MUST abort the handshake with
429 * an "illegal_parameter" alert.
430 */
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]431 if( found == 0 || selected_group == ssl->handshake->offered_group_id )
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]432 {
433 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Invalid key share in HRR" ) );
434 MBEDTLS_SSL_PEND_FATAL_ALERT(
435 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
436 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
437 return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
438 }
439
440 /* Remember server's preference for next ClientHello */
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]441 ssl->handshake->offered_group_id = selected_group;
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]442
443 return( 0 );
Andrzej Kurekc19fb082022-10-03 10:52:24 -0400[diff] [blame]444#else
445 (void) ssl;
446 (void) buf;
447 (void) end;
448 return( MBEDTLS_ERR_SSL_BAD_CONFIG );
449#endif
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]450}
451
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]452/*
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]453 * ssl_tls13_parse_key_share_ext()
454 * Parse key_share extension in Server Hello
455 *
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]456 * struct {
457 * KeyShareEntry server_share;
458 * } KeyShareServerHello;
459 * struct {
460 * NamedGroup group;
461 * opaque key_exchange<1..2^16-1>;
462 * } KeyShareEntry;
463 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]464MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]465static int ssl_tls13_parse_key_share_ext( mbedtls_ssl_context *ssl,
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]466 const unsigned char *buf,
467 const unsigned char *end )
468{
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]469 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]470 const unsigned char *p = buf;
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]471 uint16_t group, offered_group;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]472
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]473 /* ...
474 * NamedGroup group; (2 bytes)
475 * ...
476 */
477 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
478 group = MBEDTLS_GET_UINT16_BE( p, 0 );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]479 p += 2;
480
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]481 /* Check that the chosen group matches the one we offered. */
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]482 offered_group = ssl->handshake->offered_group_id;
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]483 if( offered_group != group )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]484 {
485 MBEDTLS_SSL_DEBUG_MSG( 1,
486 ( "Invalid server key share, our group %u, their group %u",
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]487 (unsigned) offered_group, (unsigned) group ) );
488 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
489 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
490 return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]491 }
492
493#if defined(MBEDTLS_ECDH_C)
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]494 if( mbedtls_ssl_tls13_named_group_is_ecdhe( group ) )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]495 {
Przemyslaw Stekiel9e23ddb2022-02-10 10:32:02 +0100[diff] [blame]496 const mbedtls_ecp_curve_info *curve_info =
497 mbedtls_ecp_curve_info_from_tls_id( group );
498 if( curve_info == NULL )
499 {
500 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Invalid TLS curve group id" ) );
501 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
502 }
503
504 MBEDTLS_SSL_DEBUG_MSG( 2, ( "ECDH curve: %s", curve_info->name ) );
505
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000[diff] [blame]506 ret = mbedtls_ssl_tls13_read_public_ecdhe_share( ssl, p, end - p );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]507 if( ret != 0 )
508 return( ret );
509 }
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]510 else
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]511#endif /* MBEDTLS_ECDH_C */
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]512 if( 0 /* other KEMs? */ )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]513 {
514 /* Do something */
515 }
516 else
517 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
518
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]519 return( ret );
520}
521
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]522/*
523 * ssl_tls13_parse_cookie_ext()
524 * Parse cookie extension in Hello Retry Request
525 *
526 * struct {
527 * opaque cookie<1..2^16-1>;
528 * } Cookie;
529 *
530 * When sending a HelloRetryRequest, the server MAY provide a "cookie"
531 * extension to the client (this is an exception to the usual rule that
532 * the only extensions that may be sent are those that appear in the
533 * ClientHello). When sending the new ClientHello, the client MUST copy
534 * the contents of the extension received in the HelloRetryRequest into
535 * a "cookie" extension in the new ClientHello. Clients MUST NOT use
536 * cookies in their initial ClientHello in subsequent connections.
537 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]538MBEDTLS_CHECK_RETURN_CRITICAL
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]539static int ssl_tls13_parse_cookie_ext( mbedtls_ssl_context *ssl,
540 const unsigned char *buf,
541 const unsigned char *end )
542{
XiaokangQian25c9c902022-02-08 10:49:53 +0000[diff] [blame]543 uint16_t cookie_len;
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]544 const unsigned char *p = buf;
545 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
546
547 /* Retrieve length field of cookie */
548 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
549 cookie_len = MBEDTLS_GET_UINT16_BE( p, 0 );
550 p += 2;
551
552 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, cookie_len );
553 MBEDTLS_SSL_DEBUG_BUF( 3, "cookie extension", p, cookie_len );
554
XiaokangQian9b93c0d2022-02-09 06:02:25 +0000[diff] [blame]555 mbedtls_free( handshake->cookie );
Jerry Yuac5ca5a2022-03-04 12:50:46 +0800[diff] [blame]556 handshake->cookie_len = 0;
XiaokangQian9b93c0d2022-02-09 06:02:25 +0000[diff] [blame]557 handshake->cookie = mbedtls_calloc( 1, cookie_len );
558 if( handshake->cookie == NULL )
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]559 {
560 MBEDTLS_SSL_DEBUG_MSG( 1,
XiaokangQian25c9c902022-02-08 10:49:53 +0000[diff] [blame]561 ( "alloc failed ( %ud bytes )",
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]562 cookie_len ) );
563 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
564 }
565
XiaokangQian9b93c0d2022-02-09 06:02:25 +0000[diff] [blame]566 memcpy( handshake->cookie, p, cookie_len );
Jerry Yuac5ca5a2022-03-04 12:50:46 +0800[diff] [blame]567 handshake->cookie_len = cookie_len;
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]568
569 return( 0 );
570}
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]571
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]572MBEDTLS_CHECK_RETURN_CRITICAL
XiaokangQian0b64eed2022-01-27 10:36:51 +0000[diff] [blame]573static int ssl_tls13_write_cookie_ext( mbedtls_ssl_context *ssl,
XiaokangQian233397e2022-02-07 08:32:16 +0000[diff] [blame]574 unsigned char *buf,
575 unsigned char *end,
XiaokangQian9deb90f2022-02-08 10:31:07 +0000[diff] [blame]576 size_t *out_len )
XiaokangQian0b64eed2022-01-27 10:36:51 +0000[diff] [blame]577{
578 unsigned char *p = buf;
XiaokangQian9deb90f2022-02-08 10:31:07 +0000[diff] [blame]579 *out_len = 0;
XiaokangQianc02768a2022-02-10 07:31:25 +0000[diff] [blame]580 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
XiaokangQian0b64eed2022-01-27 10:36:51 +0000[diff] [blame]581
XiaokangQianc02768a2022-02-10 07:31:25 +0000[diff] [blame]582 if( handshake->cookie == NULL )
XiaokangQian0b64eed2022-01-27 10:36:51 +0000[diff] [blame]583 {
584 MBEDTLS_SSL_DEBUG_MSG( 3, ( "no cookie to send; skip extension" ) );
585 return( 0 );
586 }
587
588 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, cookie",
XiaokangQianc02768a2022-02-10 07:31:25 +0000[diff] [blame]589 handshake->cookie,
Jerry Yuac5ca5a2022-03-04 12:50:46 +0800[diff] [blame]590 handshake->cookie_len );
XiaokangQian0b64eed2022-01-27 10:36:51 +0000[diff] [blame]591
Jerry Yuac5ca5a2022-03-04 12:50:46 +0800[diff] [blame]592 MBEDTLS_SSL_CHK_BUF_PTR( p, end, handshake->cookie_len + 6 );
XiaokangQian0b64eed2022-01-27 10:36:51 +0000[diff] [blame]593
594 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding cookie extension" ) );
595
XiaokangQian0b64eed2022-01-27 10:36:51 +0000[diff] [blame]596 MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_COOKIE, p, 0 );
Jerry Yuac5ca5a2022-03-04 12:50:46 +0800[diff] [blame]597 MBEDTLS_PUT_UINT16_BE( handshake->cookie_len + 2, p, 2 );
598 MBEDTLS_PUT_UINT16_BE( handshake->cookie_len, p, 4 );
XiaokangQian233397e2022-02-07 08:32:16 +0000[diff] [blame]599 p += 6;
XiaokangQian0b64eed2022-01-27 10:36:51 +0000[diff] [blame]600
601 /* Cookie */
Jerry Yuac5ca5a2022-03-04 12:50:46 +0800[diff] [blame]602 memcpy( p, handshake->cookie, handshake->cookie_len );
XiaokangQian0b64eed2022-01-27 10:36:51 +0000[diff] [blame]603
Jerry Yuac5ca5a2022-03-04 12:50:46 +0800[diff] [blame]604 *out_len = handshake->cookie_len + 6;
XiaokangQian0b64eed2022-01-27 10:36:51 +0000[diff] [blame]605
Jerry Yuc4bf5d62022-10-29 09:08:47 +0800[diff] [blame]606 mbedtls_ssl_tls13_set_hs_sent_ext_mask( ssl, MBEDTLS_TLS_EXT_COOKIE );
Jerry Yu4b8f2f72022-10-31 13:31:22 +0800[diff] [blame]607
XiaokangQian0b64eed2022-01-27 10:36:51 +0000[diff] [blame]608 return( 0 );
609}
610
Ronald Cron41a443a2022-10-04 16:38:25 +0200[diff] [blame]611#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]612/*
613 * ssl_tls13_write_psk_key_exchange_modes_ext() structure:
614 *
615 * enum { psk_ke( 0 ), psk_dhe_ke( 1 ), ( 255 ) } PskKeyExchangeMode;
616 *
617 * struct {
618 * PskKeyExchangeMode ke_modes<1..255>;
619 * } PskKeyExchangeModes;
620 */
XiaokangQian86981952022-07-19 09:51:50 +0000[diff] [blame]621MBEDTLS_CHECK_RETURN_CRITICAL
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]622static int ssl_tls13_write_psk_key_exchange_modes_ext( mbedtls_ssl_context *ssl,
623 unsigned char *buf,
624 unsigned char *end,
625 size_t *out_len )
626{
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]627 unsigned char *p = buf;
XiaokangQian008d2bf2022-07-14 07:54:01 +0000[diff] [blame]628 int ke_modes_len = 0;
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]629
XiaokangQian008d2bf2022-07-14 07:54:01 +0000[diff] [blame]630 ((void) ke_modes_len );
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]631 *out_len = 0;
XiaokangQian008d2bf2022-07-14 07:54:01 +0000[diff] [blame]632
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]633 /* Skip writing extension if no PSK key exchange mode
XiaokangQian7c12d312022-07-20 07:25:43 +0000[diff] [blame]634 * is enabled in the config.
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]635 */
XiaokangQian86981952022-07-19 09:51:50 +0000[diff] [blame]636 if( !mbedtls_ssl_conf_tls13_some_psk_enabled( ssl ) )
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]637 {
638 MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip psk_key_exchange_modes extension" ) );
639 return( 0 );
640 }
641
642 /* Require 7 bytes of data, otherwise fail,
643 * even if extension might be shorter.
644 */
645 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 7 );
646 MBEDTLS_SSL_DEBUG_MSG(
647 3, ( "client hello, adding psk_key_exchange_modes extension" ) );
648
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]649 MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES, p, 0 );
650
XiaokangQian008d2bf2022-07-14 07:54:01 +0000[diff] [blame]651 /* Skip extension length (2 bytes) and
652 * ke_modes length (1 byte) for now.
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]653 */
654 p += 5;
655
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]656 if( mbedtls_ssl_conf_tls13_psk_ephemeral_enabled( ssl ) )
657 {
658 *p++ = MBEDTLS_SSL_TLS1_3_PSK_MODE_ECDHE;
XiaokangQian008d2bf2022-07-14 07:54:01 +0000[diff] [blame]659 ke_modes_len++;
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]660
661 MBEDTLS_SSL_DEBUG_MSG( 4, ( "Adding PSK-ECDHE key exchange mode" ) );
662 }
663
Ronald Crona709a0f2022-09-27 16:46:11 +0200[diff] [blame]664 if( mbedtls_ssl_conf_tls13_psk_enabled( ssl ) )
665 {
666 *p++ = MBEDTLS_SSL_TLS1_3_PSK_MODE_PURE;
667 ke_modes_len++;
668
669 MBEDTLS_SSL_DEBUG_MSG( 4, ( "Adding pure PSK key exchange mode" ) );
670 }
671
XiaokangQian008d2bf2022-07-14 07:54:01 +0000[diff] [blame]672 /* Now write the extension and ke_modes length */
673 MBEDTLS_PUT_UINT16_BE( ke_modes_len + 1, buf, 2 );
674 buf[4] = ke_modes_len;
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]675
676 *out_len = p - buf;
Jerry Yu0c354a22022-08-29 15:25:36 +0800[diff] [blame]677
Jerry Yuc4bf5d62022-10-29 09:08:47 +0800[diff] [blame]678 mbedtls_ssl_tls13_set_hs_sent_ext_mask(
679 ssl, MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES );
Jerry Yu4b8f2f72022-10-31 13:31:22 +0800[diff] [blame]680
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]681 return ( 0 );
682}
Jerry Yudb8c5fa2022-08-03 12:10:13 +0800[diff] [blame]683
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]684static psa_algorithm_t ssl_tls13_get_ciphersuite_hash_alg( int ciphersuite )
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]685{
Jerry Yu21f90952022-10-08 10:30:53 +0800[diff] [blame]686 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = NULL;
687 ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( ciphersuite );
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]688
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]689 if( ciphersuite_info != NULL )
690 return( mbedtls_psa_translate_md( ciphersuite_info->mac ) );
691
Jerry Yu21f90952022-10-08 10:30:53 +0800[diff] [blame]692 return( PSA_ALG_NONE );
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]693}
694
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]695#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Xiaokang Qianb781a232022-11-01 07:39:46 +0000[diff] [blame]696static int ssl_tls13_has_configured_ticket( mbedtls_ssl_context *ssl )
697{
698 mbedtls_ssl_session *session = ssl->session_negotiate;
699 return( ssl->handshake->resume &&
700 session != NULL && session->ticket != NULL );
701}
702
Xiaokang Qian01323a42022-11-03 02:27:35 +0000[diff] [blame]703#if defined(MBEDTLS_SSL_EARLY_DATA)
Xiaokang Qiana3412252022-11-04 10:13:19 +0000[diff] [blame]704static int ssl_tls13_early_data_has_valid_ticket( mbedtls_ssl_context *ssl )
Xiaokang Qian01323a42022-11-03 02:27:35 +0000[diff] [blame]705{
706 mbedtls_ssl_session *session = ssl->session_negotiate;
707 return( ssl->handshake->resume &&
Xiaokang Qian01323a42022-11-03 02:27:35 +0000[diff] [blame]708 session->tls_version == MBEDTLS_SSL_VERSION_TLS1_3 &&
Xiaokang Qianae07cd92022-11-09 08:09:47 +0000[diff] [blame]709 ( session->ticket_flags &
Xiaokang Qianfe3483f2022-11-09 10:45:23 +0000[diff] [blame]710 MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_EARLY_DATA ) &&
Xiaokang Qian01323a42022-11-03 02:27:35 +0000[diff] [blame]711 mbedtls_ssl_tls13_cipher_suite_is_offered(
712 ssl, session->ciphersuite ) );
713}
714#endif
715
Xiaokang Qianb781a232022-11-01 07:39:46 +0000[diff] [blame]716MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]717static int ssl_tls13_ticket_get_identity( mbedtls_ssl_context *ssl,
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]718 psa_algorithm_t *hash_alg,
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]719 const unsigned char **identity,
720 size_t *identity_len )
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]721{
722 mbedtls_ssl_session *session = ssl->session_negotiate;
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]723
Xiaokang Qianb781a232022-11-01 07:39:46 +0000[diff] [blame]724 if( !ssl_tls13_has_configured_ticket( ssl ) )
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]725 return( -1 );
726
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]727 *hash_alg = ssl_tls13_get_ciphersuite_hash_alg( session->ciphersuite );
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]728 *identity = session->ticket;
729 *identity_len = session->ticket_len;
730 return( 0 );
731}
732
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]733MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]734static int ssl_tls13_ticket_get_psk( mbedtls_ssl_context *ssl,
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]735 psa_algorithm_t *hash_alg,
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]736 const unsigned char **psk,
737 size_t *psk_len )
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]738{
739
740 mbedtls_ssl_session *session = ssl->session_negotiate;
741
Xiaokang Qianb781a232022-11-01 07:39:46 +0000[diff] [blame]742 if( !ssl_tls13_has_configured_ticket( ssl ) )
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]743 return( -1 );
744
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]745 *hash_alg = ssl_tls13_get_ciphersuite_hash_alg( session->ciphersuite );
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]746 *psk = session->resumption_key;
747 *psk_len = session->resumption_key_len;
748
749 return( 0 );
750}
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]751#endif /* MBEDTLS_SSL_SESSION_TICKETS */
752
753MBEDTLS_CHECK_RETURN_CRITICAL
754static int ssl_tls13_psk_get_identity( mbedtls_ssl_context *ssl,
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]755 psa_algorithm_t *hash_alg,
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]756 const unsigned char **identity,
757 size_t *identity_len )
758{
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]759
Ronald Cron083da8e2022-10-20 15:53:51 +0200[diff] [blame]760 if( ! mbedtls_ssl_conf_has_static_psk( ssl->conf ) )
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]761 return( -1 );
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]762
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]763 *hash_alg = PSA_ALG_SHA_256;
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]764 *identity = ssl->conf->psk_identity;
765 *identity_len = ssl->conf->psk_identity_len;
766 return( 0 );
767}
768
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]769MBEDTLS_CHECK_RETURN_CRITICAL
770static int ssl_tls13_psk_get_psk( mbedtls_ssl_context *ssl,
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]771 psa_algorithm_t *hash_alg,
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]772 const unsigned char **psk,
773 size_t *psk_len )
774{
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]775
Ronald Cron083da8e2022-10-20 15:53:51 +0200[diff] [blame]776 if( ! mbedtls_ssl_conf_has_static_psk( ssl->conf ) )
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]777 return( -1 );
778
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]779 *hash_alg = PSA_ALG_SHA_256;
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]780 *psk = ssl->conf->psk;
781 *psk_len = ssl->conf->psk_len;
782 return( 0 );
783}
784
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]785static int ssl_tls13_get_configured_psk_count( mbedtls_ssl_context *ssl )
786{
787 int configured_psk_count = 0;
788#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Xiaokang Qianb781a232022-11-01 07:39:46 +0000[diff] [blame]789 if( ssl_tls13_has_configured_ticket( ssl ) )
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]790 {
791 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Ticket is configured" ) );
792 configured_psk_count++;
793 }
794#endif
Ronald Crond29e13e2022-10-19 10:33:48 +0200[diff] [blame]795 if( mbedtls_ssl_conf_has_static_psk( ssl->conf ) )
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]796 {
797 MBEDTLS_SSL_DEBUG_MSG( 3, ( "PSK is configured" ) );
798 configured_psk_count++;
799 }
800 return( configured_psk_count );
801}
802
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]803MBEDTLS_CHECK_RETURN_CRITICAL
804static int ssl_tls13_write_identity( mbedtls_ssl_context *ssl,
805 unsigned char *buf,
806 unsigned char *end,
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]807 const unsigned char *identity,
808 size_t identity_len,
809 uint32_t obfuscated_ticket_age,
810 size_t *out_len )
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]811{
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]812 ((void) ssl);
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]813 *out_len = 0;
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]814
815 /*
816 * - identity_len (2 bytes)
817 * - identity (psk_identity_len bytes)
818 * - obfuscated_ticket_age (4 bytes)
819 */
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]820 MBEDTLS_SSL_CHK_BUF_PTR( buf, end, 6 + identity_len );
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]821
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]822 MBEDTLS_PUT_UINT16_BE( identity_len, buf, 0 );
823 memcpy( buf + 2, identity, identity_len );
824 MBEDTLS_PUT_UINT32_BE( obfuscated_ticket_age, buf, 2 + identity_len );
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]825
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]826 MBEDTLS_SSL_DEBUG_BUF( 4, "write identity", buf, 6 + identity_len );
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]827
828 *out_len = 6 + identity_len;
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]829
830 return( 0 );
831}
832
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]833MBEDTLS_CHECK_RETURN_CRITICAL
834static int ssl_tls13_write_binder( mbedtls_ssl_context *ssl,
835 unsigned char *buf,
836 unsigned char *end,
837 int psk_type,
Jerry Yu6183cc72022-09-30 11:08:57 +0800[diff] [blame]838 psa_algorithm_t hash_alg,
839 const unsigned char *psk,
840 size_t psk_len,
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]841 size_t *out_len )
842{
843 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]844 unsigned char binder_len;
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]845 unsigned char transcript[ MBEDTLS_TLS1_3_MD_MAX_SIZE ];
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]846 size_t transcript_len = 0;
847
848 *out_len = 0;
849
Jerry Yu6183cc72022-09-30 11:08:57 +0800[diff] [blame]850 binder_len = PSA_HASH_LENGTH( hash_alg );
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]851
852 /*
853 * - binder_len (1 bytes)
854 * - binder (binder_len bytes)
855 */
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]856 MBEDTLS_SSL_CHK_BUF_PTR( buf, end, 1 + binder_len );
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]857
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]858 buf[0] = binder_len;
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]859
860 /* Get current state of handshake transcript. */
861 ret = mbedtls_ssl_get_handshake_transcript(
Jerry Yu6183cc72022-09-30 11:08:57 +0800[diff] [blame]862 ssl, mbedtls_hash_info_md_from_psa( hash_alg ),
Jerry Yu6916e702022-10-10 21:33:51 +0800[diff] [blame]863 transcript, sizeof( transcript ), &transcript_len );
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]864 if( ret != 0 )
865 return( ret );
866
Jerry Yu6183cc72022-09-30 11:08:57 +0800[diff] [blame]867 ret = mbedtls_ssl_tls13_create_psk_binder( ssl, hash_alg,
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]868 psk, psk_len, psk_type,
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]869 transcript, buf + 1 );
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]870 if( ret != 0 )
871 {
872 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_create_psk_binder", ret );
873 return( ret );
874 }
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]875 MBEDTLS_SSL_DEBUG_BUF( 4, "write binder", buf, 1 + binder_len );
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]876
877 *out_len = 1 + binder_len;
878
Jerry Yu6916e702022-10-10 21:33:51 +0800[diff] [blame]879 return( 0 );
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]880}
881
882/*
883 * mbedtls_ssl_tls13_write_identities_of_pre_shared_key_ext() structure:
884 *
885 * struct {
886 * opaque identity<1..2^16-1>;
887 * uint32 obfuscated_ticket_age;
888 * } PskIdentity;
889 *
890 * opaque PskBinderEntry<32..255>;
891 *
892 * struct {
893 * PskIdentity identities<7..2^16-1>;
894 * PskBinderEntry binders<33..2^16-1>;
895 * } OfferedPsks;
896 *
897 * struct {
898 * select (Handshake.msg_type) {
899 * case client_hello: OfferedPsks;
900 * ...
901 * };
902 * } PreSharedKeyExtension;
903 *
904 */
XiaokangQian3ad67bf2022-07-21 02:26:21 +0000[diff] [blame]905int mbedtls_ssl_tls13_write_identities_of_pre_shared_key_ext(
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]906 mbedtls_ssl_context *ssl, unsigned char *buf, unsigned char *end,
907 size_t *out_len, size_t *binders_len )
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]908{
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]909 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]910 int configured_psk_count = 0;
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]911 unsigned char *p = buf;
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]912 psa_algorithm_t hash_alg;
913 const unsigned char *identity;
914 size_t identity_len;
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]915 size_t l_binders_len = 0;
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]916 size_t output_len;
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]917
918 *out_len = 0;
919 *binders_len = 0;
920
921 /* Check if we have any PSKs to offer. If no, skip pre_shared_key */
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]922 configured_psk_count = ssl_tls13_get_configured_psk_count( ssl );
923 if( configured_psk_count == 0 )
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]924 {
925 MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip pre_shared_key extensions" ) );
926 return( 0 );
927 }
928
929 MBEDTLS_SSL_DEBUG_MSG( 4, ( "Pre-configured PSK number = %d",
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]930 configured_psk_count ) );
931
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]932 /* Check if we have space to write the extension, binders included.
933 * - extension_type (2 bytes)
934 * - extension_data_len (2 bytes)
935 * - identities_len (2 bytes)
936 */
937 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 6 );
938 p += 6;
939
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]940#if defined(MBEDTLS_SSL_SESSION_TICKETS)
941 if( ssl_tls13_ticket_get_identity(
942 ssl, &hash_alg, &identity, &identity_len ) == 0 )
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]943 {
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]944#if defined(MBEDTLS_HAVE_TIME)
945 mbedtls_time_t now = mbedtls_time( NULL );
946 mbedtls_ssl_session *session = ssl->session_negotiate;
Jerry Yu6916e702022-10-10 21:33:51 +0800[diff] [blame]947 uint32_t obfuscated_ticket_age =
948 (uint32_t)( now - session->ticket_received );
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]949
Jerry Yu3e60cad2023-01-10 14:58:08 +0800[diff] [blame^]950 /*
951 * The ticket timestamp is in seconds but the ticket age is in
952 * milliseconds. If the ticket was received at the end of a second and
953 * re-used here just at the beginning of the next second, the computed
954 * age `now - session->ticket_received` is equal to 1s thus 1000 ms
955 * while the actual age could be just a few milliseconds or tens of
956 * milliseconds. If the server has more accurate ticket timestamps
957 * (typically timestamps in milliseconds), as part of the processing of
958 * the ClientHello, it may compute a ticket lifetime smaller than the
959 * one computed here and potentially reject the ticket. To avoid that,
960 * remove one second to the ticket age if possible.
Jerry Yubdb936b2023-01-07 16:07:46 +0800[diff] [blame]961 */
962 if( obfuscated_ticket_age > 0 )
963 obfuscated_ticket_age -= 1;
964
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]965 obfuscated_ticket_age *= 1000;
966 obfuscated_ticket_age += session->ticket_age_add;
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]967
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]968 ret = ssl_tls13_write_identity( ssl, p, end,
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]969 identity, identity_len,
970 obfuscated_ticket_age,
971 &output_len );
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]972#else
973 ret = ssl_tls13_write_identity( ssl, p, end, identity, identity_len,
974 0, &output_len );
975#endif /* MBEDTLS_HAVE_TIME */
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]976 if( ret != 0 )
977 return( ret );
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]978
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]979 p += output_len;
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]980 l_binders_len += 1 + PSA_HASH_LENGTH( hash_alg );
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]981 }
982#endif /* MBEDTLS_SSL_SESSION_TICKETS */
983
984 if( ssl_tls13_psk_get_identity(
985 ssl, &hash_alg, &identity, &identity_len ) == 0 )
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]986 {
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]987
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]988 ret = ssl_tls13_write_identity( ssl, p, end, identity, identity_len, 0,
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]989 &output_len );
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]990 if( ret != 0 )
991 return( ret );
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]992
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]993 p += output_len;
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]994 l_binders_len += 1 + PSA_HASH_LENGTH( hash_alg );
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]995 }
996
997 MBEDTLS_SSL_DEBUG_MSG( 3,
998 ( "client hello, adding pre_shared_key extension, "
999 "omitting PSK binder list" ) );
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]1000
1001 /* Take into account the two bytes for the length of the binders. */
1002 l_binders_len += 2;
Jerry Yu6916e702022-10-10 21:33:51 +0800[diff] [blame]1003 /* Check if there is enough space for binders */
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]1004 MBEDTLS_SSL_CHK_BUF_PTR( p, end, l_binders_len );
1005
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]1006 /*
1007 * - extension_type (2 bytes)
1008 * - extension_data_len (2 bytes)
1009 * - identities_len (2 bytes)
1010 */
1011 MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_PRE_SHARED_KEY, buf, 0 );
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]1012 MBEDTLS_PUT_UINT16_BE( p - buf - 4 + l_binders_len , buf, 2 );
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]1013 MBEDTLS_PUT_UINT16_BE( p - buf - 6 , buf, 4 );
1014
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]1015 *out_len = ( p - buf ) + l_binders_len;
1016 *binders_len = l_binders_len;
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]1017
1018 MBEDTLS_SSL_DEBUG_BUF( 3, "pre_shared_key identities", buf, p - buf );
1019
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]1020 return( 0 );
1021}
1022
XiaokangQian86981952022-07-19 09:51:50 +0000[diff] [blame]1023int mbedtls_ssl_tls13_write_binders_of_pre_shared_key_ext(
Jerry Yu0c6105b2022-08-12 17:26:40 +0800[diff] [blame]1024 mbedtls_ssl_context *ssl, unsigned char *buf, unsigned char *end )
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]1025{
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]1026 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1027 unsigned char *p = buf;
Jerry Yu6183cc72022-09-30 11:08:57 +0800[diff] [blame]1028 psa_algorithm_t hash_alg = PSA_ALG_NONE;
1029 const unsigned char *psk;
1030 size_t psk_len;
1031 size_t output_len;
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]1032
1033 /* Check if we have space to write binders_len.
1034 * - binders_len (2 bytes)
1035 */
1036 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 );
1037 p += 2;
1038
Jerry Yu6183cc72022-09-30 11:08:57 +0800[diff] [blame]1039#if defined(MBEDTLS_SSL_SESSION_TICKETS)
1040 if( ssl_tls13_ticket_get_psk( ssl, &hash_alg, &psk, &psk_len ) == 0 )
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]1041 {
Jerry Yu6183cc72022-09-30 11:08:57 +0800[diff] [blame]1042
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]1043 ret = ssl_tls13_write_binder( ssl, p, end,
1044 MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION,
Jerry Yu6183cc72022-09-30 11:08:57 +0800[diff] [blame]1045 hash_alg, psk, psk_len,
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]1046 &output_len );
1047 if( ret != 0 )
1048 return( ret );
1049 p += output_len;
1050 }
Jerry Yu6183cc72022-09-30 11:08:57 +0800[diff] [blame]1051#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]1052
Jerry Yu6183cc72022-09-30 11:08:57 +0800[diff] [blame]1053 if( ssl_tls13_psk_get_psk( ssl, &hash_alg, &psk, &psk_len ) == 0 )
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]1054 {
Jerry Yu6183cc72022-09-30 11:08:57 +0800[diff] [blame]1055
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]1056 ret = ssl_tls13_write_binder( ssl, p, end,
1057 MBEDTLS_SSL_TLS1_3_PSK_EXTERNAL,
Jerry Yu6183cc72022-09-30 11:08:57 +0800[diff] [blame]1058 hash_alg, psk, psk_len,
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]1059 &output_len );
1060 if( ret != 0 )
1061 return( ret );
1062 p += output_len;
1063 }
1064
1065 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding PSK binder list." ) );
1066
1067 /*
1068 * - binders_len (2 bytes)
1069 */
1070 MBEDTLS_PUT_UINT16_BE( p - buf - 2, buf, 0 );
1071
1072 MBEDTLS_SSL_DEBUG_BUF( 3, "pre_shared_key binders", buf, p - buf );
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]1073
Jerry Yuc4bf5d62022-10-29 09:08:47 +0800[diff] [blame]1074 mbedtls_ssl_tls13_set_hs_sent_ext_mask(
1075 ssl, MBEDTLS_TLS_EXT_PRE_SHARED_KEY );
Jerry Yu0c354a22022-08-29 15:25:36 +0800[diff] [blame]1076
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]1077 return( 0 );
1078}
Jerry Yu0c6105b2022-08-12 17:26:40 +0800[diff] [blame]1079
1080/*
1081 * struct {
1082 * opaque identity<1..2^16-1>;
1083 * uint32 obfuscated_ticket_age;
1084 * } PskIdentity;
1085 *
1086 * opaque PskBinderEntry<32..255>;
1087 *
1088 * struct {
1089 *
1090 * select (Handshake.msg_type) {
1091 * ...
1092 * case server_hello: uint16 selected_identity;
1093 * };
1094 *
1095 * } PreSharedKeyExtension;
1096 *
1097 */
1098MBEDTLS_CHECK_RETURN_CRITICAL
1099static int ssl_tls13_parse_server_pre_shared_key_ext( mbedtls_ssl_context *ssl,
1100 const unsigned char *buf,
1101 const unsigned char *end )
1102{
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]1103 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yub300e3c2022-09-28 22:12:07 +0800[diff] [blame]1104 int selected_identity;
Jerry Yub300e3c2022-09-28 22:12:07 +0800[diff] [blame]1105 const unsigned char *psk;
1106 size_t psk_len;
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]1107 psa_algorithm_t hash_alg;
Jerry Yub300e3c2022-09-28 22:12:07 +0800[diff] [blame]1108
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]1109 MBEDTLS_SSL_CHK_BUF_READ_PTR( buf, end, 2 );
Jerry Yub300e3c2022-09-28 22:12:07 +0800[diff] [blame]1110 selected_identity = MBEDTLS_GET_UINT16_BE( buf, 0 );
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]1111
Jerry Yub300e3c2022-09-28 22:12:07 +0800[diff] [blame]1112 MBEDTLS_SSL_DEBUG_MSG( 3, ( "selected_identity = %d", selected_identity ) );
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]1113
Jerry Yu4a698342022-09-30 12:22:01 +0800[diff] [blame]1114 if( selected_identity >= ssl_tls13_get_configured_psk_count( ssl ) )
Jerry Yub300e3c2022-09-28 22:12:07 +0800[diff] [blame]1115 {
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]1116 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Invalid PSK identity." ) );
Jerry Yu4a698342022-09-30 12:22:01 +0800[diff] [blame]1117
1118 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
1119 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
1120 return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
Jerry Yub300e3c2022-09-28 22:12:07 +0800[diff] [blame]1121 }
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]1122
Jerry Yu4a698342022-09-30 12:22:01 +0800[diff] [blame]1123#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Xiaokang Qianecc29482022-11-02 07:52:47 +0000[diff] [blame]1124 if( selected_identity == 0 && ssl_tls13_has_configured_ticket( ssl ) )
Jerry Yub300e3c2022-09-28 22:12:07 +0800[diff] [blame]1125 {
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]1126 ret = ssl_tls13_ticket_get_psk( ssl, &hash_alg, &psk, &psk_len );
Jerry Yu4a698342022-09-30 12:22:01 +0800[diff] [blame]1127 }
1128 else
1129#endif
Ronald Crond29e13e2022-10-19 10:33:48 +0200[diff] [blame]1130 if( mbedtls_ssl_conf_has_static_psk( ssl->conf ) )
Jerry Yu4a698342022-09-30 12:22:01 +0800[diff] [blame]1131 {
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]1132 ret = ssl_tls13_psk_get_psk( ssl, &hash_alg, &psk, &psk_len );
Jerry Yub300e3c2022-09-28 22:12:07 +0800[diff] [blame]1133 }
1134 else
1135 {
1136 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1137 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
1138 }
Jerry Yub300e3c2022-09-28 22:12:07 +0800[diff] [blame]1139 if( ret != 0 )
1140 return( ret );
1141
1142 ret = mbedtls_ssl_set_hs_psk( ssl, psk, psk_len );
1143 if( ret != 0 )
1144 {
1145 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_set_hs_psk", ret );
Jerry Yu6916e702022-10-10 21:33:51 +0800[diff] [blame]1146 return( ret );
Jerry Yub300e3c2022-09-28 22:12:07 +0800[diff] [blame]1147 }
Jerry Yub300e3c2022-09-28 22:12:07 +0800[diff] [blame]1148
Jerry Yu6916e702022-10-10 21:33:51 +0800[diff] [blame]1149 return( 0 );
Jerry Yu0c6105b2022-08-12 17:26:40 +0800[diff] [blame]1150}
Ronald Cron41a443a2022-10-04 16:38:25 +0200[diff] [blame]1151#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]1152
Ronald Cron3d580bf2022-02-18 17:24:56 +0100[diff] [blame]1153int mbedtls_ssl_tls13_write_client_hello_exts( mbedtls_ssl_context *ssl,
1154 unsigned char *buf,
1155 unsigned char *end,
1156 size_t *out_len )
Ronald Cron04fbd2b2022-02-18 12:06:07 +0100[diff] [blame]1157{
1158 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1159 unsigned char *p = buf;
1160 size_t ext_len;
1161
1162 *out_len = 0;
1163
1164 /* Write supported_versions extension
1165 *
1166 * Supported Versions Extension is mandatory with TLS 1.3.
1167 */
1168 ret = ssl_tls13_write_supported_versions_ext( ssl, p, end, &ext_len );
1169 if( ret != 0 )
1170 return( ret );
1171 p += ext_len;
1172
1173 /* Echo the cookie if the server provided one in its preceding
1174 * HelloRetryRequest message.
1175 */
1176 ret = ssl_tls13_write_cookie_ext( ssl, p, end, &ext_len );
1177 if( ret != 0 )
1178 return( ret );
1179 p += ext_len;
1180
Ronald Cron766c0cd2022-10-18 12:17:11 +0200[diff] [blame]1181#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)
Ronald Cron04fbd2b2022-02-18 12:06:07 +0100[diff] [blame]1182 if( mbedtls_ssl_conf_tls13_some_ephemeral_enabled( ssl ) )
1183 {
1184 ret = ssl_tls13_write_key_share_ext( ssl, p, end, &ext_len );
1185 if( ret != 0 )
1186 return( ret );
1187 p += ext_len;
1188 }
Ronald Cron766c0cd2022-10-18 12:17:11 +0200[diff] [blame]1189#endif
Ronald Cron04fbd2b2022-02-18 12:06:07 +0100[diff] [blame]1190
Xiaokang Qian0e97d4d2022-10-24 11:12:51 +0000[diff] [blame]1191#if defined(MBEDTLS_SSL_EARLY_DATA)
1192 if( mbedtls_ssl_conf_tls13_some_psk_enabled( ssl ) &&
Xiaokang Qianf447e8a2022-11-08 07:02:27 +0000[diff] [blame]1193 ssl_tls13_early_data_has_valid_ticket( ssl ) &&
Xiaokang Qian0e97d4d2022-10-24 11:12:51 +0000[diff] [blame]1194 ssl->conf->early_data_enabled == MBEDTLS_SSL_EARLY_DATA_ENABLED )
1195 {
1196 ret = mbedtls_ssl_tls13_write_early_data_ext( ssl, p, end, &ext_len );
1197 if( ret != 0 )
1198 return( ret );
1199 p += ext_len;
1200
Ronald Cron4a8c9e22022-10-26 18:49:09 +0200[diff] [blame]1201 /* Initializes the status to `rejected`. It will be updated to
1202 * `accepted` if the EncryptedExtension message contain an early data
1203 * indication extension.
Xiaokang Qiana042b842022-11-09 01:59:33 +0000[diff] [blame]1204 */
Ronald Cron4a8c9e22022-10-26 18:49:09 +0200[diff] [blame]1205 ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED;
Xiaokang Qian0e97d4d2022-10-24 11:12:51 +0000[diff] [blame]1206 }
1207 else
1208 {
1209 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write early_data extension" ) );
Xiaokang Qianf447e8a2022-11-08 07:02:27 +0000[diff] [blame]1210 ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT;
Xiaokang Qian0e97d4d2022-10-24 11:12:51 +0000[diff] [blame]1211 }
1212#endif /* MBEDTLS_SSL_EARLY_DATA */
1213
Ronald Cron41a443a2022-10-04 16:38:25 +0200[diff] [blame]1214#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]1215 /* For PSK-based key exchange we need the pre_shared_key extension
1216 * and the psk_key_exchange_modes extension.
1217 *
1218 * The pre_shared_key extension MUST be the last extension in the
1219 * ClientHello. Servers MUST check that it is the last extension and
1220 * otherwise fail the handshake with an "illegal_parameter" alert.
1221 *
1222 * Add the psk_key_exchange_modes extension.
1223 */
1224 ret = ssl_tls13_write_psk_key_exchange_modes_ext( ssl, p, end, &ext_len );
1225 if( ret != 0 )
1226 return( ret );
1227 p += ext_len;
Ronald Cron41a443a2022-10-04 16:38:25 +0200[diff] [blame]1228#endif
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]1229
Ronald Cron04fbd2b2022-02-18 12:06:07 +0100[diff] [blame]1230 *out_len = p - buf;
1231
1232 return( 0 );
1233}
1234
Jerry Yu1bc2c1f2021-09-01 12:57:29 +0800[diff] [blame]1235/*
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1236 * Functions for parsing and processing Server Hello
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1237 */
Ronald Cronfd6193c2022-04-05 11:04:20 +0200[diff] [blame]1238
Ronald Cronda41b382022-03-30 09:57:11 +0200[diff] [blame]1239/**
1240 * \brief Detect if the ServerHello contains a supported_versions extension
1241 * or not.
1242 *
1243 * \param[in] ssl SSL context
1244 * \param[in] buf Buffer containing the ServerHello message
1245 * \param[in] end End of the buffer containing the ServerHello message
1246 *
1247 * \return 0 if the ServerHello does not contain a supported_versions extension
1248 * \return 1 if the ServerHello contains a supported_versions extension
1249 * \return A negative value if an error occurred while parsing the ServerHello.
1250 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1251MBEDTLS_CHECK_RETURN_CRITICAL
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]1252static int ssl_tls13_is_supported_versions_ext_present(
1253 mbedtls_ssl_context *ssl,
1254 const unsigned char *buf,
1255 const unsigned char *end )
1256{
1257 const unsigned char *p = buf;
1258 size_t legacy_session_id_echo_len;
1259 size_t extensions_len;
1260 const unsigned char *extensions_end;
1261
1262 /*
1263 * Check there is enough data to access the legacy_session_id_echo vector
Ronald Cronda41b382022-03-30 09:57:11 +0200[diff] [blame]1264 * length:
1265 * - legacy_version 2 bytes
1266 * - random MBEDTLS_SERVER_HELLO_RANDOM_LEN bytes
1267 * - legacy_session_id_echo length 1 byte
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]1268 */
1269 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, MBEDTLS_SERVER_HELLO_RANDOM_LEN + 3 );
1270 p += MBEDTLS_SERVER_HELLO_RANDOM_LEN + 2;
1271 legacy_session_id_echo_len = *p;
1272
1273 /*
1274 * Jump to the extensions, jumping over:
1275 * - legacy_session_id_echo (legacy_session_id_echo_len + 1) bytes
1276 * - cipher_suite 2 bytes
1277 * - legacy_compression_method 1 byte
1278 */
Ronald Cron28271062022-06-10 14:43:55 +0200[diff] [blame]1279 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, legacy_session_id_echo_len + 4 );
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]1280 p += legacy_session_id_echo_len + 4;
1281
1282 /* Case of no extension */
1283 if( p == end )
1284 return( 0 );
1285
1286 /* ...
1287 * Extension extensions<6..2^16-1>;
1288 * ...
1289 * struct {
1290 * ExtensionType extension_type; (2 bytes)
1291 * opaque extension_data<0..2^16-1>;
1292 * } Extension;
1293 */
1294 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
1295 extensions_len = MBEDTLS_GET_UINT16_BE( p, 0 );
1296 p += 2;
1297
1298 /* Check extensions do not go beyond the buffer of data. */
1299 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, extensions_len );
1300 extensions_end = p + extensions_len;
1301
1302 while( p < extensions_end )
1303 {
1304 unsigned int extension_type;
1305 size_t extension_data_len;
1306
1307 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, 4 );
1308 extension_type = MBEDTLS_GET_UINT16_BE( p, 0 );
1309 extension_data_len = MBEDTLS_GET_UINT16_BE( p, 2 );
1310 p += 4;
1311
1312 if( extension_type == MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS )
1313 return( 1 );
1314
1315 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, extension_data_len );
1316 p += extension_data_len;
1317 }
1318
1319 return( 0 );
1320}
1321
Jerry Yu7a186a02021-10-15 18:46:14 +0800[diff] [blame]1322/* Returns a negative value on failure, and otherwise
Ronald Cronfd6193c2022-04-05 11:04:20 +0200[diff] [blame]1323 * - 1 if the last eight bytes of the ServerHello random bytes indicate that
1324 * the server is TLS 1.3 capable but negotiating TLS 1.2 or below.
1325 * - 0 otherwise
1326 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1327MBEDTLS_CHECK_RETURN_CRITICAL
Ronald Cronfd6193c2022-04-05 11:04:20 +0200[diff] [blame]1328static int ssl_tls13_is_downgrade_negotiation( mbedtls_ssl_context *ssl,
1329 const unsigned char *buf,
1330 const unsigned char *end )
1331{
1332 /* First seven bytes of the magic downgrade strings, see RFC 8446 4.1.3 */
1333 static const unsigned char magic_downgrade_string[] =
1334 { 0x44, 0x4F, 0x57, 0x4E, 0x47, 0x52, 0x44 };
1335 const unsigned char *last_eight_bytes_of_random;
1336 unsigned char last_byte_of_random;
1337
1338 MBEDTLS_SSL_CHK_BUF_READ_PTR( buf, end, MBEDTLS_SERVER_HELLO_RANDOM_LEN + 2 );
1339 last_eight_bytes_of_random = buf + 2 + MBEDTLS_SERVER_HELLO_RANDOM_LEN - 8;
1340
1341 if( memcmp( last_eight_bytes_of_random,
1342 magic_downgrade_string,
1343 sizeof( magic_downgrade_string ) ) == 0 )
1344 {
1345 last_byte_of_random = last_eight_bytes_of_random[7];
1346 return( last_byte_of_random == 0 ||
1347 last_byte_of_random == 1 );
1348 }
1349
1350 return( 0 );
1351}
1352
1353/* Returns a negative value on failure, and otherwise
Ronald Cron828aff62022-05-31 12:04:31 +0200[diff] [blame]1354 * - SSL_SERVER_HELLO or
1355 * - SSL_SERVER_HELLO_HRR
XiaokangQian51eff222021-12-10 10:33:56 +0000[diff] [blame]1356 * to indicate which message is expected and to be parsed next.
1357 */
Ronald Cron828aff62022-05-31 12:04:31 +0200[diff] [blame]1358#define SSL_SERVER_HELLO 0
1359#define SSL_SERVER_HELLO_HRR 1
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1360MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1361static int ssl_server_hello_is_hrr( mbedtls_ssl_context *ssl,
1362 const unsigned char *buf,
1363 const unsigned char *end )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1364{
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1365
1366 /* Check whether this message is a HelloRetryRequest ( HRR ) message.
1367 *
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1368 * Server Hello and HRR are only distinguished by Random set to the
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1369 * special value of the SHA-256 of "HelloRetryRequest".
1370 *
1371 * struct {
1372 * ProtocolVersion legacy_version = 0x0303;
1373 * Random random;
1374 * opaque legacy_session_id_echo<0..32>;
1375 * CipherSuite cipher_suite;
1376 * uint8 legacy_compression_method = 0;
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1377 * Extension extensions<6..2^16-1>;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1378 * } ServerHello;
1379 *
1380 */
Jerry Yu93a13f22022-04-11 23:00:01 +0800[diff] [blame]1381 MBEDTLS_SSL_CHK_BUF_READ_PTR( buf, end,
1382 2 + sizeof( mbedtls_ssl_tls13_hello_retry_request_magic ) );
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1383
Jerry Yu93a13f22022-04-11 23:00:01 +0800[diff] [blame]1384 if( memcmp( buf + 2, mbedtls_ssl_tls13_hello_retry_request_magic,
1385 sizeof( mbedtls_ssl_tls13_hello_retry_request_magic ) ) == 0 )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1386 {
Ronald Cron828aff62022-05-31 12:04:31 +0200[diff] [blame]1387 return( SSL_SERVER_HELLO_HRR );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1388 }
1389
Ronald Cron828aff62022-05-31 12:04:31 +0200[diff] [blame]1390 return( SSL_SERVER_HELLO );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1391}
1392
Ronald Cron828aff62022-05-31 12:04:31 +0200[diff] [blame]1393/*
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1394 * Returns a negative value on failure, and otherwise
Ronald Cron828aff62022-05-31 12:04:31 +0200[diff] [blame]1395 * - SSL_SERVER_HELLO or
1396 * - SSL_SERVER_HELLO_HRR or
1397 * - SSL_SERVER_HELLO_TLS1_2
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1398 */
Ronald Cron828aff62022-05-31 12:04:31 +0200[diff] [blame]1399#define SSL_SERVER_HELLO_TLS1_2 2
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1400MBEDTLS_CHECK_RETURN_CRITICAL
Ronald Cron828aff62022-05-31 12:04:31 +0200[diff] [blame]1401static int ssl_tls13_preprocess_server_hello( mbedtls_ssl_context *ssl,
Ronald Crondb5dfa12022-05-31 11:44:38 +0200[diff] [blame]1402 const unsigned char *buf,
1403 const unsigned char *end )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1404{
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1405 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Ronald Cron5afb9042022-05-31 12:11:39 +0200[diff] [blame]1406 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1407
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]1408 MBEDTLS_SSL_PROC_CHK_NEG( ssl_tls13_is_supported_versions_ext_present(
Ronald Crondb5dfa12022-05-31 11:44:38 +0200[diff] [blame]1409 ssl, buf, end ) );
Jerry Yua66fece2022-07-13 14:30:29 +0800[diff] [blame]1410
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]1411 if( ret == 0 )
1412 {
Ronald Cronfd6193c2022-04-05 11:04:20 +0200[diff] [blame]1413 MBEDTLS_SSL_PROC_CHK_NEG(
Ronald Crondb5dfa12022-05-31 11:44:38 +0200[diff] [blame]1414 ssl_tls13_is_downgrade_negotiation( ssl, buf, end ) );
Ronald Cronfd6193c2022-04-05 11:04:20 +0200[diff] [blame]1415
1416 /* If the server is negotiating TLS 1.2 or below and:
1417 * . we did not propose TLS 1.2 or
1418 * . the server responded it is TLS 1.3 capable but negotiating a lower
1419 * version of the protocol and thus we are under downgrade attack
1420 * abort the handshake with an "illegal parameter" alert.
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]1421 */
Ronald Cron5afb9042022-05-31 12:11:39 +0200[diff] [blame]1422 if( handshake->min_tls_version > MBEDTLS_SSL_VERSION_TLS1_2 || ret )
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]1423 {
1424 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
1425 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
1426 return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
1427 }
1428
1429 ssl->keep_current_message = 1;
Glenn Strauss60bfe602022-03-14 19:04:24 -0400[diff] [blame]1430 ssl->tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]1431 mbedtls_ssl_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_SERVER_HELLO,
Ronald Crondb5dfa12022-05-31 11:44:38 +0200[diff] [blame]1432 buf, (size_t)(end - buf) );
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]1433
1434 if( mbedtls_ssl_conf_tls13_some_ephemeral_enabled( ssl ) )
1435 {
1436 ret = ssl_tls13_reset_key_share( ssl );
1437 if( ret != 0 )
1438 return( ret );
1439 }
1440
Ronald Cron828aff62022-05-31 12:04:31 +0200[diff] [blame]1441 return( SSL_SERVER_HELLO_TLS1_2 );
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]1442 }
1443
Jerry Yua66fece2022-07-13 14:30:29 +0800[diff] [blame]1444#if defined(MBEDTLS_SSL_SESSION_TICKETS)
1445 ssl->session_negotiate->endpoint = ssl->conf->endpoint;
1446 ssl->session_negotiate->tls_version = ssl->tls_version;
1447#endif /* MBEDTLS_SSL_SESSION_TICKETS */
1448
Jerry Yu50e00e32022-10-31 14:45:01 +0800[diff] [blame]1449 handshake->received_extensions = MBEDTLS_SSL_EXT_MASK_NONE;
Ronald Cron5afb9042022-05-31 12:11:39 +0200[diff] [blame]1450
Ronald Crondb5dfa12022-05-31 11:44:38 +0200[diff] [blame]1451 ret = ssl_server_hello_is_hrr( ssl, buf, end );
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1452 switch( ret )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1453 {
Ronald Cron828aff62022-05-31 12:04:31 +0200[diff] [blame]1454 case SSL_SERVER_HELLO:
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1455 MBEDTLS_SSL_DEBUG_MSG( 2, ( "received ServerHello message" ) );
1456 break;
Ronald Cron828aff62022-05-31 12:04:31 +0200[diff] [blame]1457 case SSL_SERVER_HELLO_HRR:
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1458 MBEDTLS_SSL_DEBUG_MSG( 2, ( "received HelloRetryRequest message" ) );
XiaokangQian16acd4b2022-01-14 07:35:47 +0000[diff] [blame]1459 /* If a client receives a second
1460 * HelloRetryRequest in the same connection (i.e., where the ClientHello
1461 * was itself in response to a HelloRetryRequest), it MUST abort the
1462 * handshake with an "unexpected_message" alert.
1463 */
Ronald Cron5afb9042022-05-31 12:11:39 +0200[diff] [blame]1464 if( handshake->hello_retry_request_count > 0 )
XiaokangQian16acd4b2022-01-14 07:35:47 +0000[diff] [blame]1465 {
1466 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Multiple HRRs received" ) );
1467 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE,
1468 MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
1469 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
1470 }
XiaokangQian2b01dc32022-01-21 02:53:13 +0000[diff] [blame]1471 /*
1472 * Clients must abort the handshake with an "illegal_parameter"
1473 * alert if the HelloRetryRequest would not result in any change
1474 * in the ClientHello.
1475 * In a PSK only key exchange that what we expect.
1476 */
1477 if( ! mbedtls_ssl_conf_tls13_some_ephemeral_enabled( ssl ) )
1478 {
1479 MBEDTLS_SSL_DEBUG_MSG( 1,
1480 ( "Unexpected HRR in pure PSK key exchange." ) );
1481 MBEDTLS_SSL_PEND_FATAL_ALERT(
1482 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
1483 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
1484 return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
1485 }
XiaokangQian16acd4b2022-01-14 07:35:47 +0000[diff] [blame]1486
Ronald Cron5afb9042022-05-31 12:11:39 +0200[diff] [blame]1487 handshake->hello_retry_request_count++;
XiaokangQian16acd4b2022-01-14 07:35:47 +0000[diff] [blame]1488
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1489 break;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1490 }
1491
1492cleanup:
1493
1494 return( ret );
1495}
1496
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1497MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1498static int ssl_tls13_check_server_hello_session_id_echo( mbedtls_ssl_context *ssl,
1499 const unsigned char **buf,
1500 const unsigned char *end )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1501{
1502 const unsigned char *p = *buf;
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1503 size_t legacy_session_id_echo_len;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1504
Jerry Yude4fb2c2021-09-19 18:05:08 +0800[diff] [blame]1505 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 1 );
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1506 legacy_session_id_echo_len = *p++ ;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1507
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1508 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, legacy_session_id_echo_len );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1509
1510 /* legacy_session_id_echo */
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1511 if( ssl->session_negotiate->id_len != legacy_session_id_echo_len ||
1512 memcmp( ssl->session_negotiate->id, p , legacy_session_id_echo_len ) != 0 )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1513 {
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1514 MBEDTLS_SSL_DEBUG_BUF( 3, "Expected Session ID",
1515 ssl->session_negotiate->id,
1516 ssl->session_negotiate->id_len );
1517 MBEDTLS_SSL_DEBUG_BUF( 3, "Received Session ID", p,
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1518 legacy_session_id_echo_len );
1519
1520 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
1521 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
1522
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1523 return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
1524 }
1525
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1526 p += legacy_session_id_echo_len;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1527 *buf = p;
1528
1529 MBEDTLS_SSL_DEBUG_BUF( 3, "Session ID", ssl->session_negotiate->id,
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1530 ssl->session_negotiate->id_len );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1531 return( 0 );
1532}
1533
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1534/* Parse ServerHello message and configure context
1535 *
1536 * struct {
1537 * ProtocolVersion legacy_version = 0x0303; // TLS 1.2
1538 * Random random;
1539 * opaque legacy_session_id_echo<0..32>;
1540 * CipherSuite cipher_suite;
1541 * uint8 legacy_compression_method = 0;
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1542 * Extension extensions<6..2^16-1>;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1543 * } ServerHello;
1544 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1545MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yuc068b662021-10-11 22:30:19 +0800[diff] [blame]1546static int ssl_tls13_parse_server_hello( mbedtls_ssl_context *ssl,
1547 const unsigned char *buf,
XiaokangQiand9e068e2022-01-18 06:23:32 +0000[diff] [blame]1548 const unsigned char *end,
1549 int is_hrr )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1550{
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1551 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1552 const unsigned char *p = buf;
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]1553 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1554 size_t extensions_len;
1555 const unsigned char *extensions_end;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1556 uint16_t cipher_suite;
Jerry Yude4fb2c2021-09-19 18:05:08 +0800[diff] [blame]1557 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
XiaokangQianb119a352022-01-26 03:29:10 +0000[diff] [blame]1558 int fatal_alert = 0;
Jerry Yu0c354a22022-08-29 15:25:36 +0800[diff] [blame]1559 uint32_t allowed_extensions_mask;
Jerry Yu50e00e32022-10-31 14:45:01 +0800[diff] [blame]1560 int hs_msg_type = is_hrr ? MBEDTLS_SSL_TLS1_3_HS_HELLO_RETRY_REQUEST :
1561 MBEDTLS_SSL_HS_SERVER_HELLO;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1562
1563 /*
1564 * Check there is space for minimal fields
1565 *
1566 * - legacy_version ( 2 bytes)
Jerry Yue6d7e5c2021-10-26 10:44:32 +0800[diff] [blame]1567 * - random (MBEDTLS_SERVER_HELLO_RANDOM_LEN bytes)
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1568 * - legacy_session_id_echo ( 1 byte ), minimum size
1569 * - cipher_suite ( 2 bytes)
1570 * - legacy_compression_method ( 1 byte )
1571 */
Jerry Yue6d7e5c2021-10-26 10:44:32 +0800[diff] [blame]1572 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, MBEDTLS_SERVER_HELLO_RANDOM_LEN + 6 );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1573
1574 MBEDTLS_SSL_DEBUG_BUF( 4, "server hello", p, end - p );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1575 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, version", p, 2 );
1576
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1577 /* ...
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1578 * ProtocolVersion legacy_version = 0x0303; // TLS 1.2
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1579 * ...
1580 * with ProtocolVersion defined as:
1581 * uint16 ProtocolVersion;
1582 */
Glenn Strausse3af4cb2022-03-15 03:23:42 -0400[diff] [blame]1583 if( mbedtls_ssl_read_version( p, ssl->conf->transport ) !=
1584 MBEDTLS_SSL_VERSION_TLS1_2 )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1585 {
1586 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Unsupported version of TLS." ) );
1587 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION,
1588 MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION );
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1589 ret = MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION;
1590 goto cleanup;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1591 }
1592 p += 2;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1593
Jerry Yue6d7e5c2021-10-26 10:44:32 +0800[diff] [blame]1594 /* ...
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1595 * Random random;
1596 * ...
1597 * with Random defined as:
Jerry Yue6d7e5c2021-10-26 10:44:32 +0800[diff] [blame]1598 * opaque Random[MBEDTLS_SERVER_HELLO_RANDOM_LEN];
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1599 */
XiaokangQian53f20b72022-01-18 10:47:33 +0000[diff] [blame]1600 if( !is_hrr )
1601 {
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]1602 memcpy( &handshake->randbytes[MBEDTLS_CLIENT_HELLO_RANDOM_LEN], p,
XiaokangQian53f20b72022-01-18 10:47:33 +0000[diff] [blame]1603 MBEDTLS_SERVER_HELLO_RANDOM_LEN );
1604 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, random bytes",
1605 p, MBEDTLS_SERVER_HELLO_RANDOM_LEN );
1606 }
Jerry Yue6d7e5c2021-10-26 10:44:32 +0800[diff] [blame]1607 p += MBEDTLS_SERVER_HELLO_RANDOM_LEN;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1608
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1609 /* ...
1610 * opaque legacy_session_id_echo<0..32>;
1611 * ...
1612 */
1613 if( ssl_tls13_check_server_hello_session_id_echo( ssl, &p, end ) != 0 )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1614 {
XiaokangQian52da5582022-01-26 09:49:29 +0000[diff] [blame]1615 fatal_alert = MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER;
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1616 goto cleanup;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1617 }
1618
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1619 /* ...
1620 * CipherSuite cipher_suite;
1621 * ...
1622 * with CipherSuite defined as:
1623 * uint8 CipherSuite[2];
1624 */
1625 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1626 cipher_suite = MBEDTLS_GET_UINT16_BE( p, 0 );
1627 p += 2;
1628
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1629
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]1630 ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( cipher_suite );
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1631 /*
Ronald Cronba120bb2022-03-30 22:09:48 +0200[diff] [blame]1632 * Check whether this ciphersuite is valid and offered.
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1633 */
Glenn Strauss60bfe602022-03-14 19:04:24 -0400[diff] [blame]1634 if( ( mbedtls_ssl_validate_ciphersuite( ssl, ciphersuite_info,
1635 ssl->tls_version,
1636 ssl->tls_version ) != 0 ) ||
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]1637 !mbedtls_ssl_tls13_cipher_suite_is_offered( ssl, cipher_suite ) )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1638 {
XiaokangQian52da5582022-01-26 09:49:29 +0000[diff] [blame]1639 fatal_alert = MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1640 }
XiaokangQian53f20b72022-01-18 10:47:33 +0000[diff] [blame]1641 /*
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]1642 * If we received an HRR before and that the proposed selected
1643 * ciphersuite in this server hello is not the same as the one
1644 * proposed in the HRR, we abort the handshake and send an
1645 * "illegal_parameter" alert.
XiaokangQian53f20b72022-01-18 10:47:33 +0000[diff] [blame]1646 */
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]1647 else if( ( !is_hrr ) && ( handshake->hello_retry_request_count > 0 ) &&
1648 ( cipher_suite != ssl->session_negotiate->ciphersuite ) )
XiaokangQian53f20b72022-01-18 10:47:33 +0000[diff] [blame]1649 {
XiaokangQian52da5582022-01-26 09:49:29 +0000[diff] [blame]1650 fatal_alert = MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER;
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]1651 }
XiaokangQian53f20b72022-01-18 10:47:33 +0000[diff] [blame]1652
XiaokangQian52da5582022-01-26 09:49:29 +0000[diff] [blame]1653 if( fatal_alert == MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER )
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]1654 {
1655 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid ciphersuite(%04x) parameter",
1656 cipher_suite ) );
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1657 goto cleanup;
XiaokangQian53f20b72022-01-18 10:47:33 +0000[diff] [blame]1658 }
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1659
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1660 /* Configure ciphersuites */
1661 mbedtls_ssl_optimize_checksum( ssl, ciphersuite_info );
1662
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]1663 handshake->ciphersuite_info = ciphersuite_info;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1664 ssl->session_negotiate->ciphersuite = cipher_suite;
1665
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1666 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: ( %04x ) - %s",
1667 cipher_suite, ciphersuite_info->name ) );
1668
1669#if defined(MBEDTLS_HAVE_TIME)
1670 ssl->session_negotiate->start = time( NULL );
1671#endif /* MBEDTLS_HAVE_TIME */
1672
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1673 /* ...
1674 * uint8 legacy_compression_method = 0;
1675 * ...
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1676 */
Jerry Yude4fb2c2021-09-19 18:05:08 +0800[diff] [blame]1677 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 1 );
Thomas Daubney31e03a82022-07-25 15:59:25 +0100[diff] [blame]1678 if( p[0] != MBEDTLS_SSL_COMPRESS_NULL )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1679 {
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1680 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad legacy compression method" ) );
XiaokangQian52da5582022-01-26 09:49:29 +0000[diff] [blame]1681 fatal_alert = MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER;
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1682 goto cleanup;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1683 }
1684 p++;
1685
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1686 /* ...
1687 * Extension extensions<6..2^16-1>;
1688 * ...
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1689 * struct {
1690 * ExtensionType extension_type; (2 bytes)
1691 * opaque extension_data<0..2^16-1>;
1692 * } Extension;
1693 */
Jerry Yude4fb2c2021-09-19 18:05:08 +0800[diff] [blame]1694 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1695 extensions_len = MBEDTLS_GET_UINT16_BE( p, 0 );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1696 p += 2;
Jerry Yude4fb2c2021-09-19 18:05:08 +0800[diff] [blame]1697
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1698 /* Check extensions do not go beyond the buffer of data. */
1699 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, extensions_len );
1700 extensions_end = p + extensions_len;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1701
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1702 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello extensions", p, extensions_len );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1703
Jerry Yu50e00e32022-10-31 14:45:01 +0800[diff] [blame]1704 handshake->received_extensions = MBEDTLS_SSL_EXT_MASK_NONE;
Jerry Yu0c354a22022-08-29 15:25:36 +0800[diff] [blame]1705 allowed_extensions_mask = is_hrr ?
Jerry Yu2c5363e2022-08-04 17:42:49 +0800[diff] [blame]1706 MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_HRR :
1707 MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_SH;
1708
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1709 while( p < extensions_end )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1710 {
1711 unsigned int extension_type;
1712 size_t extension_data_len;
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]1713 const unsigned char *extension_data_end;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1714
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1715 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, 4 );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1716 extension_type = MBEDTLS_GET_UINT16_BE( p, 0 );
1717 extension_data_len = MBEDTLS_GET_UINT16_BE( p, 2 );
1718 p += 4;
1719
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1720 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, extension_data_len );
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]1721 extension_data_end = p + extension_data_len;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1722
Jerry Yuc4bf5d62022-10-29 09:08:47 +0800[diff] [blame]1723 ret = mbedtls_ssl_tls13_check_received_extension(
Jerry Yu50e00e32022-10-31 14:45:01 +0800[diff] [blame]1724 ssl, hs_msg_type, extension_type, allowed_extensions_mask );
Jerry Yu0c354a22022-08-29 15:25:36 +0800[diff] [blame]1725 if( ret != 0 )
1726 return( ret );
Jerry Yu2c5363e2022-08-04 17:42:49 +0800[diff] [blame]1727
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1728 switch( extension_type )
1729 {
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]1730 case MBEDTLS_TLS_EXT_COOKIE:
1731
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]1732 ret = ssl_tls13_parse_cookie_ext( ssl,
1733 p, extension_data_end );
1734 if( ret != 0 )
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]1735 {
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]1736 MBEDTLS_SSL_DEBUG_RET( 1,
1737 "ssl_tls13_parse_cookie_ext",
1738 ret );
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1739 goto cleanup;
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]1740 }
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]1741 break;
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]1742
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1743 case MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS:
Jerry Yuc068b662021-10-11 22:30:19 +0800[diff] [blame]1744 ret = ssl_tls13_parse_supported_versions_ext( ssl,
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1745 p,
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]1746 extension_data_end );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1747 if( ret != 0 )
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1748 goto cleanup;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1749 break;
1750
Ronald Cron41a443a2022-10-04 16:38:25 +0200[diff] [blame]1751#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1752 case MBEDTLS_TLS_EXT_PRE_SHARED_KEY:
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]1753 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found pre_shared_key extension" ) );
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1754
XiaokangQian86981952022-07-19 09:51:50 +0000[diff] [blame]1755 if( ( ret = ssl_tls13_parse_server_pre_shared_key_ext(
XiaokangQian008d2bf2022-07-14 07:54:01 +0000[diff] [blame]1756 ssl, p, extension_data_end ) ) != 0 )
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]1757 {
1758 MBEDTLS_SSL_DEBUG_RET(
XiaokangQian86981952022-07-19 09:51:50 +0000[diff] [blame]1759 1, ( "ssl_tls13_parse_server_pre_shared_key_ext" ), ret );
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]1760 return( ret );
1761 }
1762 break;
Ronald Cron41a443a2022-10-04 16:38:25 +0200[diff] [blame]1763#endif
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1764
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1765 case MBEDTLS_TLS_EXT_KEY_SHARE:
1766 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found key_shares extension" ) );
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1767 if( ! mbedtls_ssl_conf_tls13_some_ephemeral_enabled( ssl ) )
1768 {
XiaokangQian52da5582022-01-26 09:49:29 +0000[diff] [blame]1769 fatal_alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT;
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1770 goto cleanup;
1771 }
1772
XiaokangQian53f20b72022-01-18 10:47:33 +0000[diff] [blame]1773 if( is_hrr )
XiaokangQiand9e068e2022-01-18 06:23:32 +0000[diff] [blame]1774 ret = ssl_tls13_parse_hrr_key_share_ext( ssl,
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]1775 p, extension_data_end );
XiaokangQian53f20b72022-01-18 10:47:33 +0000[diff] [blame]1776 else
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]1777 ret = ssl_tls13_parse_key_share_ext( ssl,
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]1778 p, extension_data_end );
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]1779 if( ret != 0 )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1780 {
1781 MBEDTLS_SSL_DEBUG_RET( 1,
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1782 "ssl_tls13_parse_key_share_ext",
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1783 ret );
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1784 goto cleanup;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1785 }
1786 break;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1787
1788 default:
Jerry Yu9872eb22022-08-29 13:42:01 +0800[diff] [blame]1789 ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
1790 goto cleanup;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1791 }
1792
1793 p += extension_data_len;
1794 }
1795
Jerry Yu97be6a92022-11-09 22:43:31 +0800[diff] [blame]1796 MBEDTLS_SSL_PRINT_EXTS( 3, hs_msg_type, handshake->received_extensions );
Jerry Yu2c5363e2022-08-04 17:42:49 +0800[diff] [blame]1797
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1798cleanup:
1799
XiaokangQian52da5582022-01-26 09:49:29 +0000[diff] [blame]1800 if( fatal_alert == MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT )
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1801 {
1802 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT,
1803 MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION );
1804 ret = MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION;
1805 }
XiaokangQian52da5582022-01-26 09:49:29 +0000[diff] [blame]1806 else if ( fatal_alert == MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER )
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1807 {
1808 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
1809 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
1810 ret = MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
1811 }
1812 return( ret );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1813}
1814
Xiaokang Qiancb6e9632022-09-26 11:59:32 +0000[diff] [blame]1815#if defined(MBEDTLS_DEBUG_C)
1816static const char *ssl_tls13_get_kex_mode_str(int mode)
Xiaokang Qian5beec4b2022-09-26 08:23:45 +0000[diff] [blame]1817{
1818 switch( mode )
1819 {
1820 case MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK:
1821 return "psk";
1822 case MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL:
1823 return "ephemeral";
1824 case MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL:
1825 return "psk_ephemeral";
1826 default:
1827 return "unknown mode";
1828 }
1829}
Xiaokang Qiancb6e9632022-09-26 11:59:32 +0000[diff] [blame]1830#endif /* MBEDTLS_DEBUG_C */
Xiaokang Qian5beec4b2022-09-26 08:23:45 +0000[diff] [blame]1831
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1832MBEDTLS_CHECK_RETURN_CRITICAL
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]1833static int ssl_tls13_postprocess_server_hello( mbedtls_ssl_context *ssl )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1834{
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1835 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1836 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
Jerry Yu0b177842021-09-05 19:41:30 +0800[diff] [blame]1837
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1838 /* Determine the key exchange mode:
1839 * 1) If both the pre_shared_key and key_share extensions were received
1840 * then the key exchange mode is PSK with EPHEMERAL.
1841 * 2) If only the pre_shared_key extension was received then the key
1842 * exchange mode is PSK-only.
1843 * 3) If only the key_share extension was received then the key
1844 * exchange mode is EPHEMERAL-only.
Jerry Yu0b177842021-09-05 19:41:30 +0800[diff] [blame]1845 */
Jerry Yu0c354a22022-08-29 15:25:36 +0800[diff] [blame]1846 switch( handshake->received_extensions &
Jerry Yu50e00e32022-10-31 14:45:01 +0800[diff] [blame]1847 ( MBEDTLS_SSL_EXT_MASK( PRE_SHARED_KEY ) | MBEDTLS_SSL_EXT_MASK( KEY_SHARE ) ) )
Jerry Yu0b177842021-09-05 19:41:30 +0800[diff] [blame]1848 {
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1849 /* Only the pre_shared_key extension was received */
Jerry Yu50e00e32022-10-31 14:45:01 +0800[diff] [blame]1850 case MBEDTLS_SSL_EXT_MASK( PRE_SHARED_KEY ):
Ronald Cron79907712022-07-20 17:05:29 +0200[diff] [blame]1851 handshake->key_exchange_mode = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK;
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1852 break;
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1853
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1854 /* Only the key_share extension was received */
Jerry Yu50e00e32022-10-31 14:45:01 +0800[diff] [blame]1855 case MBEDTLS_SSL_EXT_MASK( KEY_SHARE ):
Ronald Cron79907712022-07-20 17:05:29 +0200[diff] [blame]1856 handshake->key_exchange_mode = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL;
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1857 break;
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1858
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1859 /* Both the pre_shared_key and key_share extensions were received */
Jerry Yu50e00e32022-10-31 14:45:01 +0800[diff] [blame]1860 case ( MBEDTLS_SSL_EXT_MASK( PRE_SHARED_KEY ) | MBEDTLS_SSL_EXT_MASK( KEY_SHARE ) ):
Ronald Cron79907712022-07-20 17:05:29 +0200[diff] [blame]1861 handshake->key_exchange_mode = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL;
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1862 break;
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1863
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1864 /* Neither pre_shared_key nor key_share extension was received */
1865 default:
1866 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Unknown key exchange." ) );
1867 ret = MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
1868 goto cleanup;
Jerry Yu0b177842021-09-05 19:41:30 +0800[diff] [blame]1869 }
1870
Xiaokang Qianac8195f2022-09-26 04:01:06 +0000[diff] [blame]1871 if( !mbedtls_ssl_conf_tls13_check_kex_modes( ssl, handshake->key_exchange_mode ) )
1872 {
1873 ret = MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
1874 MBEDTLS_SSL_DEBUG_MSG( 2,
Xiaokang Qianca343ae2022-09-28 02:07:54 +0000[diff] [blame]1875 ( "Key exchange mode(%s) is not supported.",
Xiaokang Qiancb6e9632022-09-26 11:59:32 +0000[diff] [blame]1876 ssl_tls13_get_kex_mode_str( handshake->key_exchange_mode ) ) );
Xiaokang Qianac8195f2022-09-26 04:01:06 +0000[diff] [blame]1877 goto cleanup;
1878 }
1879
Xiaokang Qian5beec4b2022-09-26 08:23:45 +0000[diff] [blame]1880 MBEDTLS_SSL_DEBUG_MSG( 3,
Xiaokang Qianca343ae2022-09-28 02:07:54 +0000[diff] [blame]1881 ( "Selected key exchange mode: %s",
Xiaokang Qiancb6e9632022-09-26 11:59:32 +0000[diff] [blame]1882 ssl_tls13_get_kex_mode_str( handshake->key_exchange_mode ) ) );
Xiaokang Qian5beec4b2022-09-26 08:23:45 +0000[diff] [blame]1883
Jerry Yu0b177842021-09-05 19:41:30 +0800[diff] [blame]1884 /* Start the TLS 1.3 key schedule: Set the PSK and derive early secret.
1885 *
1886 * TODO: We don't have to do this in case we offered 0-RTT and the
1887 * server accepted it. In this case, we could skip generating
1888 * the early secret. */
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]1889 ret = mbedtls_ssl_tls13_key_schedule_stage_early( ssl );
Jerry Yu0b177842021-09-05 19:41:30 +0800[diff] [blame]1890 if( ret != 0 )
1891 {
Jerry Yue110d252022-05-05 10:19:22 +0800[diff] [blame]1892 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_key_schedule_stage_early",
Jerry Yu0b177842021-09-05 19:41:30 +0800[diff] [blame]1893 ret );
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1894 goto cleanup;
Jerry Yu0b177842021-09-05 19:41:30 +0800[diff] [blame]1895 }
1896
Jerry Yuf86eb752022-05-06 11:16:55 +0800[diff] [blame]1897 ret = mbedtls_ssl_tls13_compute_handshake_transform( ssl );
Jerry Yu0b177842021-09-05 19:41:30 +0800[diff] [blame]1898 if( ret != 0 )
1899 {
Jerry Yuf86eb752022-05-06 11:16:55 +0800[diff] [blame]1900 MBEDTLS_SSL_DEBUG_RET( 1,
1901 "mbedtls_ssl_tls13_compute_handshake_transform",
Jerry Yuc068b662021-10-11 22:30:19 +0800[diff] [blame]1902 ret );
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1903 goto cleanup;
Jerry Yu0b177842021-09-05 19:41:30 +0800[diff] [blame]1904 }
1905
Jerry Yue110d252022-05-05 10:19:22 +0800[diff] [blame]1906 mbedtls_ssl_set_inbound_transform( ssl, handshake->transform_handshake );
Jerry Yu0b177842021-09-05 19:41:30 +0800[diff] [blame]1907 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Switch to handshake keys for inbound traffic" ) );
1908 ssl->session_in = ssl->session_negotiate;
1909
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1910cleanup:
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1911 if( ret != 0 )
1912 {
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1913 MBEDTLS_SSL_PEND_FATAL_ALERT(
1914 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
1915 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
1916 }
Jerry Yue110d252022-05-05 10:19:22 +0800[diff] [blame]1917
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1918 return( ret );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1919}
1920
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1921MBEDTLS_CHECK_RETURN_CRITICAL
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]1922static int ssl_tls13_postprocess_hrr( mbedtls_ssl_context *ssl )
XiaokangQian647719a2021-12-07 09:16:29 +0000[diff] [blame]1923{
1924 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1925
XiaokangQian78b1fa72022-01-19 06:56:30 +0000[diff] [blame]1926 mbedtls_ssl_session_reset_msg_layer( ssl, 0 );
XiaokangQian647719a2021-12-07 09:16:29 +0000[diff] [blame]1927
XiaokangQian78b1fa72022-01-19 06:56:30 +0000[diff] [blame]1928 /*
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]1929 * We are going to re-generate a shared secret corresponding to the group
1930 * selected by the server, which is different from the group for which we
1931 * generated a shared secret in the first client hello.
1932 * Thus, reset the shared secret.
XiaokangQian51eff222021-12-10 10:33:56 +0000[diff] [blame]1933 */
XiaokangQian16acd4b2022-01-14 07:35:47 +0000[diff] [blame]1934 ret = ssl_tls13_reset_key_share( ssl );
XiaokangQian647719a2021-12-07 09:16:29 +0000[diff] [blame]1935 if( ret != 0 )
1936 return( ret );
1937
1938 return( 0 );
1939}
1940
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1941/*
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1942 * Wait and parse ServerHello handshake message.
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]1943 * Handler for MBEDTLS_SSL_SERVER_HELLO
1944 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1945MBEDTLS_CHECK_RETURN_CRITICAL
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]1946static int ssl_tls13_process_server_hello( mbedtls_ssl_context *ssl )
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]1947{
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1948 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
XiaokangQian647719a2021-12-07 09:16:29 +0000[diff] [blame]1949 unsigned char *buf = NULL;
1950 size_t buf_len = 0;
XiaokangQian78b1fa72022-01-19 06:56:30 +0000[diff] [blame]1951 int is_hrr = 0;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1952
1953 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> %s", __func__ ) );
1954
Ronald Crondb5dfa12022-05-31 11:44:38 +0200[diff] [blame]1955 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_fetch_handshake_msg( ssl,
1956 MBEDTLS_SSL_HS_SERVER_HELLO,
1957 &buf, &buf_len ) );
1958
Ronald Cron828aff62022-05-31 12:04:31 +0200[diff] [blame]1959 ret = ssl_tls13_preprocess_server_hello( ssl, buf, buf + buf_len );
XiaokangQiand9e068e2022-01-18 06:23:32 +0000[diff] [blame]1960 if( ret < 0 )
XiaokangQian16acd4b2022-01-14 07:35:47 +0000[diff] [blame]1961 goto cleanup;
1962 else
Ronald Cron828aff62022-05-31 12:04:31 +0200[diff] [blame]1963 is_hrr = ( ret == SSL_SERVER_HELLO_HRR );
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1964
Ronald Cron828aff62022-05-31 12:04:31 +0200[diff] [blame]1965 if( ret == SSL_SERVER_HELLO_TLS1_2 )
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]1966 {
1967 ret = 0;
1968 goto cleanup;
1969 }
1970
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]1971 MBEDTLS_SSL_PROC_CHK( ssl_tls13_parse_server_hello( ssl, buf,
XiaokangQiand9e068e2022-01-18 06:23:32 +0000[diff] [blame]1972 buf + buf_len,
1973 is_hrr ) );
1974 if( is_hrr )
XiaokangQian647719a2021-12-07 09:16:29 +0000[diff] [blame]1975 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_reset_transcript_for_hrr( ssl ) );
1976
Ronald Cron8f6d39a2022-03-10 18:56:50 +0100[diff] [blame]1977 mbedtls_ssl_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_SERVER_HELLO,
1978 buf, buf_len );
XiaokangQian647719a2021-12-07 09:16:29 +0000[diff] [blame]1979
XiaokangQiand9e068e2022-01-18 06:23:32 +0000[diff] [blame]1980 if( is_hrr )
Ronald Cronfb508b82022-05-31 14:49:55 +0200[diff] [blame]1981 {
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]1982 MBEDTLS_SSL_PROC_CHK( ssl_tls13_postprocess_hrr( ssl ) );
Ronald Cronfb508b82022-05-31 14:49:55 +0200[diff] [blame]1983#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
1984 /* If not offering early data, the client sends a dummy CCS record
1985 * immediately before its second flight. This may either be before
1986 * its second ClientHello or before its encrypted handshake flight.
1987 */
1988 mbedtls_ssl_handshake_set_state( ssl,
1989 MBEDTLS_SSL_CLIENT_CCS_BEFORE_2ND_CLIENT_HELLO );
1990#else
1991 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_HELLO );
1992#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
1993 }
XiaokangQiand9e068e2022-01-18 06:23:32 +0000[diff] [blame]1994 else
Ronald Cronfb508b82022-05-31 14:49:55 +0200[diff] [blame]1995 {
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]1996 MBEDTLS_SSL_PROC_CHK( ssl_tls13_postprocess_server_hello( ssl ) );
Ronald Cronfb508b82022-05-31 14:49:55 +0200[diff] [blame]1997 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_ENCRYPTED_EXTENSIONS );
1998 }
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1999
2000cleanup:
XiaokangQiana9090612022-01-27 03:48:27 +0000[diff] [blame]2001 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= %s ( %s )", __func__,
2002 is_hrr?"HelloRetryRequest":"ServerHello" ) );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]2003 return( ret );
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2004}
2005
2006/*
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]2007 *
Ronald Cron9d6a5452022-05-30 16:05:38 +0200[diff] [blame]2008 * Handler for MBEDTLS_SSL_ENCRYPTED_EXTENSIONS
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]2009 *
2010 * The EncryptedExtensions message contains any extensions which
2011 * should be protected, i.e., any which are not needed to establish
2012 * the cryptographic context.
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2013 */
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]2014
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]2015/* Parse EncryptedExtensions message
2016 * struct {
XiaokangQian97799ac2021-10-11 10:05:54 +0000[diff] [blame]2017 * Extension extensions<0..2^16-1>;
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]2018 * } EncryptedExtensions;
2019 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2020MBEDTLS_CHECK_RETURN_CRITICAL
XiaokangQian97799ac2021-10-11 10:05:54 +0000[diff] [blame]2021static int ssl_tls13_parse_encrypted_extensions( mbedtls_ssl_context *ssl,
2022 const unsigned char *buf,
2023 const unsigned char *end )
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]2024{
2025 int ret = 0;
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]2026 size_t extensions_len;
XiaokangQian140f0452021-10-08 08:05:53 +0000[diff] [blame]2027 const unsigned char *p = buf;
XiaokangQian8db25ff2021-10-13 05:56:18 +0000[diff] [blame]2028 const unsigned char *extensions_end;
Jerry Yuc4bf5d62022-10-29 09:08:47 +0800[diff] [blame]2029 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]2030
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]2031 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
XiaokangQian97799ac2021-10-11 10:05:54 +0000[diff] [blame]2032 extensions_len = MBEDTLS_GET_UINT16_BE( p, 0 );
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]2033 p += 2;
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]2034
XiaokangQian97799ac2021-10-11 10:05:54 +0000[diff] [blame]2035 MBEDTLS_SSL_DEBUG_BUF( 3, "encrypted extensions", p, extensions_len );
XiaokangQian8db25ff2021-10-13 05:56:18 +0000[diff] [blame]2036 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, extensions_len );
Ronald Cronc8083592022-05-31 16:24:05 +0200[diff] [blame]2037 extensions_end = p + extensions_len;
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]2038
Jerry Yu9eba7502022-10-31 13:46:16 +0800[diff] [blame]2039 handshake->received_extensions = MBEDTLS_SSL_EXT_MASK_NONE;
Jerry Yucbd082f2022-08-04 16:55:10 +0800[diff] [blame]2040
XiaokangQian8db25ff2021-10-13 05:56:18 +0000[diff] [blame]2041 while( p < extensions_end )
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]2042 {
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]2043 unsigned int extension_type;
2044 size_t extension_data_len;
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]2045
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]2046 /*
2047 * struct {
XiaokangQian97799ac2021-10-11 10:05:54 +0000[diff] [blame]2048 * ExtensionType extension_type; (2 bytes)
2049 * opaque extension_data<0..2^16-1>;
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]2050 * } Extension;
2051 */
XiaokangQian8db25ff2021-10-13 05:56:18 +0000[diff] [blame]2052 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, 4 );
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]2053 extension_type = MBEDTLS_GET_UINT16_BE( p, 0 );
2054 extension_data_len = MBEDTLS_GET_UINT16_BE( p, 2 );
2055 p += 4;
2056
XiaokangQian8db25ff2021-10-13 05:56:18 +0000[diff] [blame]2057 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, extension_data_len );
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]2058
Jerry Yuc4bf5d62022-10-29 09:08:47 +0800[diff] [blame]2059 ret = mbedtls_ssl_tls13_check_received_extension(
Jerry Yu0c354a22022-08-29 15:25:36 +0800[diff] [blame]2060 ssl, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS, extension_type,
2061 MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_EE );
2062 if( ret != 0 )
2063 return( ret );
Jerry Yucbd082f2022-08-04 16:55:10 +0800[diff] [blame]2064
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]2065 switch( extension_type )
2066 {
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]2067#if defined(MBEDTLS_SSL_ALPN)
2068 case MBEDTLS_TLS_EXT_ALPN:
2069 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found alpn extension" ) );
2070
2071 if( ( ret = ssl_tls13_parse_alpn_ext( ssl, p, (size_t)extension_data_len ) ) != 0 )
2072 {
2073 return( ret );
2074 }
2075
2076 break;
2077#endif /* MBEDTLS_SSL_ALPN */
Xiaokang Qian8bee8992022-10-27 10:21:05 +0000[diff] [blame]2078
2079#if defined(MBEDTLS_SSL_EARLY_DATA)
2080 case MBEDTLS_TLS_EXT_EARLY_DATA:
Xiaokang Qianca09afc2022-11-22 10:05:19 +0000[diff] [blame]2081
2082 if( extension_data_len != 0 )
2083 {
2084 /* The message must be empty. */
2085 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
2086 MBEDTLS_ERR_SSL_DECODE_ERROR );
2087 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
2088 }
2089
Xiaokang Qian8bee8992022-10-27 10:21:05 +0000[diff] [blame]2090 break;
2091#endif /* MBEDTLS_SSL_EARLY_DATA */
2092
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]2093 default:
Jerry Yu79aa7212022-11-08 21:30:21 +0800[diff] [blame]2094 MBEDTLS_SSL_PRINT_EXT(
Jerry Yu9eba7502022-10-31 13:46:16 +0800[diff] [blame]2095 3, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS,
2096 extension_type, "( ignored )" );
Jerry Yucbd082f2022-08-04 16:55:10 +0800[diff] [blame]2097 break;
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]2098 }
2099
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]2100 p += extension_data_len;
XiaokangQian97799ac2021-10-11 10:05:54 +0000[diff] [blame]2101 }
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]2102
Jerry Yu7de2ff02022-11-08 21:43:46 +0800[diff] [blame]2103 MBEDTLS_SSL_PRINT_EXTS( 3, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS,
Jerry Yu97be6a92022-11-09 22:43:31 +0800[diff] [blame]2104 handshake->received_extensions );
Jerry Yucbd082f2022-08-04 16:55:10 +0800[diff] [blame]2105
XiaokangQian97799ac2021-10-11 10:05:54 +0000[diff] [blame]2106 /* Check that we consumed all the message. */
XiaokangQian7b2d4ef2021-10-13 10:19:02 +0000[diff] [blame]2107 if( p != end )
XiaokangQian97799ac2021-10-11 10:05:54 +0000[diff] [blame]2108 {
2109 MBEDTLS_SSL_DEBUG_MSG( 1, ( "EncryptedExtension lengths misaligned" ) );
Jerry Yu7aa71862021-10-28 21:41:30 +0800[diff] [blame]2110 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
XiaokangQian7b2d4ef2021-10-13 10:19:02 +0000[diff] [blame]2111 MBEDTLS_ERR_SSL_DECODE_ERROR );
XiaokangQian97799ac2021-10-11 10:05:54 +0000[diff] [blame]2112 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]2113 }
2114
2115 return( ret );
2116}
2117
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2118MBEDTLS_CHECK_RETURN_CRITICAL
Ronald Cron9d6a5452022-05-30 16:05:38 +0200[diff] [blame]2119static int ssl_tls13_process_encrypted_extensions( mbedtls_ssl_context *ssl )
2120{
2121 int ret;
2122 unsigned char *buf;
2123 size_t buf_len;
2124
2125 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse encrypted extensions" ) );
2126
2127 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_fetch_handshake_msg( ssl,
2128 MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS,
2129 &buf, &buf_len ) );
2130
2131 /* Process the message contents */
2132 MBEDTLS_SSL_PROC_CHK(
2133 ssl_tls13_parse_encrypted_extensions( ssl, buf, buf + buf_len ) );
2134
Xiaokang Qianb157e912022-11-23 08:12:26 +0000[diff] [blame]2135#if defined(MBEDTLS_SSL_EARLY_DATA)
2136 if( ssl->handshake->received_extensions &
2137 MBEDTLS_SSL_EXT_MASK( EARLY_DATA ) )
2138 {
2139 ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED;
2140 }
2141#endif
2142
Ronald Cron9d6a5452022-05-30 16:05:38 +0200[diff] [blame]2143 mbedtls_ssl_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS,
2144 buf, buf_len );
2145
Ronald Cron928cbd32022-10-04 16:14:26 +0200[diff] [blame]2146#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
Ronald Cron79907712022-07-20 17:05:29 +0200[diff] [blame]2147 if( mbedtls_ssl_tls13_key_exchange_mode_with_psk( ssl ) )
Ronald Cronfb508b82022-05-31 14:49:55 +0200[diff] [blame]2148 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_FINISHED );
2149 else
2150 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CERTIFICATE_REQUEST );
2151#else
2152 ((void) ssl);
2153 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_FINISHED );
2154#endif
Ronald Cron9d6a5452022-05-30 16:05:38 +0200[diff] [blame]2155
2156cleanup:
2157
2158 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse encrypted extensions" ) );
2159 return( ret );
2160
2161}
2162
Ronald Cron928cbd32022-10-04 16:14:26 +0200[diff] [blame]2163#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2164/*
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2165 * STATE HANDLING: CertificateRequest
2166 *
Jerry Yud2674312021-10-29 10:08:19 +0800[diff] [blame]2167 */
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]2168#define SSL_CERTIFICATE_REQUEST_EXPECT_REQUEST 0
2169#define SSL_CERTIFICATE_REQUEST_SKIP 1
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2170/* Coordination:
2171 * Deals with the ambiguity of not knowing if a CertificateRequest
2172 * will be sent. Returns a negative code on failure, or
2173 * - SSL_CERTIFICATE_REQUEST_EXPECT_REQUEST
2174 * - SSL_CERTIFICATE_REQUEST_SKIP
2175 * indicating if a Certificate Request is expected or not.
2176 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2177MBEDTLS_CHECK_RETURN_CRITICAL
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2178static int ssl_tls13_certificate_request_coordinate( mbedtls_ssl_context *ssl )
Jerry Yud2674312021-10-29 10:08:19 +0800[diff] [blame]2179{
Xiaofei Baide3f13e2022-01-18 05:47:05 +0000[diff] [blame]2180 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yud2674312021-10-29 10:08:19 +0800[diff] [blame]2181
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2182 if( ( ret = mbedtls_ssl_read_record( ssl, 0 ) ) != 0 )
Jerry Yud2674312021-10-29 10:08:19 +0800[diff] [blame]2183 {
2184 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
2185 return( ret );
2186 }
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2187 ssl->keep_current_message = 1;
Jerry Yud2674312021-10-29 10:08:19 +0800[diff] [blame]2188
2189 if( ( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE ) &&
2190 ( ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE_REQUEST ) )
2191 {
Ronald Cron19385882022-06-15 16:26:13 +0200[diff] [blame]2192 MBEDTLS_SSL_DEBUG_MSG( 3, ( "got a certificate request" ) );
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2193 return( SSL_CERTIFICATE_REQUEST_EXPECT_REQUEST );
Jerry Yud2674312021-10-29 10:08:19 +0800[diff] [blame]2194 }
2195
Ronald Cron19385882022-06-15 16:26:13 +0200[diff] [blame]2196 MBEDTLS_SSL_DEBUG_MSG( 3, ( "got no certificate request" ) );
2197
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2198 return( SSL_CERTIFICATE_REQUEST_SKIP );
2199}
2200
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2201/*
2202 * ssl_tls13_parse_certificate_request()
2203 * Parse certificate request
2204 * struct {
2205 * opaque certificate_request_context<0..2^8-1>;
2206 * Extension extensions<2..2^16-1>;
2207 * } CertificateRequest;
2208 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2209MBEDTLS_CHECK_RETURN_CRITICAL
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2210static int ssl_tls13_parse_certificate_request( mbedtls_ssl_context *ssl,
2211 const unsigned char *buf,
2212 const unsigned char *end )
2213{
2214 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2215 const unsigned char *p = buf;
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2216 size_t certificate_request_context_len = 0;
Xiaofei Bai82f0a9a2022-01-26 09:21:54 +0000[diff] [blame]2217 size_t extensions_len = 0;
2218 const unsigned char *extensions_end;
Jerry Yuc4bf5d62022-10-29 09:08:47 +0800[diff] [blame]2219 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2220
Xiaofei Bai82f0a9a2022-01-26 09:21:54 +0000[diff] [blame]2221 /* ...
2222 * opaque certificate_request_context<0..2^8-1>
2223 * ...
2224 */
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2225 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 1 );
2226 certificate_request_context_len = (size_t) p[0];
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]2227 p += 1;
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2228
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2229 if( certificate_request_context_len > 0 )
2230 {
Xiaofei Baic234ecf2022-02-08 09:59:23 +0000[diff] [blame]2231 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, certificate_request_context_len );
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2232 MBEDTLS_SSL_DEBUG_BUF( 3, "Certificate Request Context",
2233 p, certificate_request_context_len );
2234
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]2235 handshake->certificate_request_context =
Xiaofei Bai6d42bb42022-01-28 08:52:13 +0000[diff] [blame]2236 mbedtls_calloc( 1, certificate_request_context_len );
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]2237 if( handshake->certificate_request_context == NULL )
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2238 {
2239 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
2240 return ( MBEDTLS_ERR_SSL_ALLOC_FAILED );
2241 }
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]2242 memcpy( handshake->certificate_request_context, p,
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2243 certificate_request_context_len );
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2244 p += certificate_request_context_len;
2245 }
2246
Xiaofei Bai82f0a9a2022-01-26 09:21:54 +0000[diff] [blame]2247 /* ...
2248 * Extension extensions<2..2^16-1>;
2249 * ...
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2250 */
2251 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
2252 extensions_len = MBEDTLS_GET_UINT16_BE( p, 0 );
2253 p += 2;
2254
2255 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, extensions_len );
2256 extensions_end = p + extensions_len;
2257
Jerry Yu6d0e78b2022-10-31 14:13:25 +0800[diff] [blame]2258 handshake->received_extensions = MBEDTLS_SSL_EXT_MASK_NONE;
Jerry Yuc55a6af2022-08-04 17:01:21 +0800[diff] [blame]2259
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2260 while( p < extensions_end )
2261 {
2262 unsigned int extension_type;
2263 size_t extension_data_len;
2264
2265 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, 4 );
2266 extension_type = MBEDTLS_GET_UINT16_BE( p, 0 );
2267 extension_data_len = MBEDTLS_GET_UINT16_BE( p, 2 );
2268 p += 4;
2269
2270 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, extension_data_len );
2271
Jerry Yuc4bf5d62022-10-29 09:08:47 +0800[diff] [blame]2272 ret = mbedtls_ssl_tls13_check_received_extension(
Jerry Yu0c354a22022-08-29 15:25:36 +0800[diff] [blame]2273 ssl, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST, extension_type,
2274 MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CR );
2275 if( ret != 0 )
2276 return( ret );
Jerry Yuc55a6af2022-08-04 17:01:21 +0800[diff] [blame]2277
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2278 switch( extension_type )
2279 {
2280 case MBEDTLS_TLS_EXT_SIG_ALG:
2281 MBEDTLS_SSL_DEBUG_MSG( 3,
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]2282 ( "found signature algorithms extension" ) );
Gabor Mezei078e8032022-04-27 21:17:56 +0200[diff] [blame]2283 ret = mbedtls_ssl_parse_sig_alg_ext( ssl, p,
Gabor Mezei696956d2022-05-13 16:27:29 +0200[diff] [blame]2284 p + extension_data_len );
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2285 if( ret != 0 )
2286 return( ret );
Jerry Yuc55a6af2022-08-04 17:01:21 +0800[diff] [blame]2287
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2288 break;
2289
2290 default:
Jerry Yu79aa7212022-11-08 21:30:21 +0800[diff] [blame]2291 MBEDTLS_SSL_PRINT_EXT(
Jerry Yu6d0e78b2022-10-31 14:13:25 +0800[diff] [blame]2292 3, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST,
2293 extension_type, "( ignored )" );
Xiaofei Bai82f0a9a2022-01-26 09:21:54 +0000[diff] [blame]2294 break;
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2295 }
Jerry Yuc55a6af2022-08-04 17:01:21 +0800[diff] [blame]2296
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2297 p += extension_data_len;
2298 }
Jerry Yuc55a6af2022-08-04 17:01:21 +0800[diff] [blame]2299
Jerry Yu7de2ff02022-11-08 21:43:46 +0800[diff] [blame]2300 MBEDTLS_SSL_PRINT_EXTS( 3, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST,
Jerry Yu97be6a92022-11-09 22:43:31 +0800[diff] [blame]2301 handshake->received_extensions );
Jerry Yuc55a6af2022-08-04 17:01:21 +0800[diff] [blame]2302
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]2303 /* Check that we consumed all the message. */
2304 if( p != end )
2305 {
2306 MBEDTLS_SSL_DEBUG_MSG( 1,
Xiaofei Baic234ecf2022-02-08 09:59:23 +0000[diff] [blame]2307 ( "CertificateRequest misaligned" ) );
2308 goto decode_error;
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]2309 }
Jerry Yuc55a6af2022-08-04 17:01:21 +0800[diff] [blame]2310
Jerry Yu0c354a22022-08-29 15:25:36 +0800[diff] [blame]2311 /* RFC 8446 section 4.3.2
Jerry Yuc55a6af2022-08-04 17:01:21 +0800[diff] [blame]2312 *
2313 * The "signature_algorithms" extension MUST be specified
2314 */
Jerry Yu6d0e78b2022-10-31 14:13:25 +0800[diff] [blame]2315 if( ( handshake->received_extensions & MBEDTLS_SSL_EXT_MASK( SIG_ALG ) ) == 0 )
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]2316 {
Xiaofei Bai6d42bb42022-01-28 08:52:13 +0000[diff] [blame]2317 MBEDTLS_SSL_DEBUG_MSG( 3,
2318 ( "no signature algorithms extension found" ) );
Xiaofei Baic234ecf2022-02-08 09:59:23 +0000[diff] [blame]2319 goto decode_error;
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]2320 }
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2321
Jerry Yu7840f812022-01-29 10:26:51 +0800[diff] [blame]2322 ssl->handshake->client_auth = 1;
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2323 return( 0 );
Xiaofei Bai51f515a2022-02-08 07:28:04 +0000[diff] [blame]2324
Xiaofei Baic234ecf2022-02-08 09:59:23 +0000[diff] [blame]2325decode_error:
Xiaofei Bai51f515a2022-02-08 07:28:04 +0000[diff] [blame]2326 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
2327 MBEDTLS_ERR_SSL_DECODE_ERROR );
2328 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2329}
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2330
Xiaofei Baide3f13e2022-01-18 05:47:05 +0000[diff] [blame]2331/*
2332 * Handler for MBEDTLS_SSL_CERTIFICATE_REQUEST
2333 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2334MBEDTLS_CHECK_RETURN_CRITICAL
Xiaofei Baide3f13e2022-01-18 05:47:05 +0000[diff] [blame]2335static int ssl_tls13_process_certificate_request( mbedtls_ssl_context *ssl )
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2336{
Xiaofei Baide3f13e2022-01-18 05:47:05 +0000[diff] [blame]2337 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2338
2339 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) );
2340
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2341 MBEDTLS_SSL_PROC_CHK_NEG( ssl_tls13_certificate_request_coordinate( ssl ) );
2342
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2343 if( ret == SSL_CERTIFICATE_REQUEST_EXPECT_REQUEST )
2344 {
2345 unsigned char *buf;
2346 size_t buf_len;
2347
2348 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_fetch_handshake_msg( ssl,
2349 MBEDTLS_SSL_HS_CERTIFICATE_REQUEST,
2350 &buf, &buf_len ) );
2351
2352 MBEDTLS_SSL_PROC_CHK( ssl_tls13_parse_certificate_request( ssl,
2353 buf, buf + buf_len ) );
2354
Ronald Cron8f6d39a2022-03-10 18:56:50 +0100[diff] [blame]2355 mbedtls_ssl_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST,
2356 buf, buf_len );
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2357 }
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]2358 else if( ret == SSL_CERTIFICATE_REQUEST_SKIP )
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2359 {
Xiaofei Baif6d36962022-01-16 14:54:35 +0000[diff] [blame]2360 ret = 0;
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2361 }
2362 else
2363 {
2364 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
Xiaofei Bai51f515a2022-02-08 07:28:04 +0000[diff] [blame]2365 ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
2366 goto cleanup;
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2367 }
2368
Jerry Yud2674312021-10-29 10:08:19 +0800[diff] [blame]2369 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_CERTIFICATE );
2370
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2371cleanup:
2372
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2373 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate request" ) );
2374 return( ret );
Jerry Yud2674312021-10-29 10:08:19 +0800[diff] [blame]2375}
2376
2377/*
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2378 * Handler for MBEDTLS_SSL_SERVER_CERTIFICATE
2379 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2380MBEDTLS_CHECK_RETURN_CRITICAL
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]2381static int ssl_tls13_process_server_certificate( mbedtls_ssl_context *ssl )
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2382{
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]2383 int ret;
2384
2385 ret = mbedtls_ssl_tls13_process_certificate( ssl );
Xiaofei Baif93cbd22021-10-29 02:39:30 +0000[diff] [blame]2386 if( ret != 0 )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]2387 return( ret );
2388
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2389 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CERTIFICATE_VERIFY );
2390 return( 0 );
2391}
2392
2393/*
2394 * Handler for MBEDTLS_SSL_CERTIFICATE_VERIFY
2395 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2396MBEDTLS_CHECK_RETURN_CRITICAL
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]2397static int ssl_tls13_process_certificate_verify( mbedtls_ssl_context *ssl )
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2398{
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]2399 int ret;
2400
2401 ret = mbedtls_ssl_tls13_process_certificate_verify( ssl );
2402 if( ret != 0 )
2403 return( ret );
2404
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2405 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_FINISHED );
2406 return( 0 );
2407}
Ronald Cron928cbd32022-10-04 16:14:26 +0200[diff] [blame]2408#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
Ronald Crond4c64022021-12-06 09:06:46 +0100[diff] [blame]2409
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2410/*
2411 * Handler for MBEDTLS_SSL_SERVER_FINISHED
2412 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2413MBEDTLS_CHECK_RETURN_CRITICAL
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]2414static int ssl_tls13_process_server_finished( mbedtls_ssl_context *ssl )
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2415{
XiaokangQianac0385c2021-11-03 06:40:11 +0000[diff] [blame]2416 int ret;
2417
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]2418 ret = mbedtls_ssl_tls13_process_finished_message( ssl );
XiaokangQianac0385c2021-11-03 06:40:11 +0000[diff] [blame]2419 if( ret != 0 )
2420 return( ret );
2421
Jerry Yue3d67cb2022-05-19 15:33:10 +0800[diff] [blame]2422 ret = mbedtls_ssl_tls13_compute_application_transform( ssl );
2423 if( ret != 0 )
2424 {
2425 MBEDTLS_SSL_PEND_FATAL_ALERT(
2426 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
2427 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
2428 return( ret );
2429 }
2430
Ronald Cron49ad6192021-11-24 16:25:31 +0100[diff] [blame]2431#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
2432 mbedtls_ssl_handshake_set_state(
2433 ssl,
2434 MBEDTLS_SSL_CLIENT_CCS_AFTER_SERVER_FINISHED );
2435#else
Jerry Yuca133a32022-02-15 14:22:05 +0800[diff] [blame]2436 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE );
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]2437#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
Ronald Cron49ad6192021-11-24 16:25:31 +0100[diff] [blame]2438
XiaokangQianac0385c2021-11-03 06:40:11 +0000[diff] [blame]2439 return( 0 );
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2440}
2441
2442/*
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]2443 * Handler for MBEDTLS_SSL_CLIENT_CERTIFICATE
2444 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2445MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]2446static int ssl_tls13_write_client_certificate( mbedtls_ssl_context *ssl )
2447{
Ronald Cron7a94aca2022-03-09 07:44:27 +0100[diff] [blame]2448 int non_empty_certificate_msg = 0;
2449
Jerry Yu5cc35062022-01-28 16:16:08 +0800[diff] [blame]2450 MBEDTLS_SSL_DEBUG_MSG( 1,
2451 ( "Switch to handshake traffic keys for outbound traffic" ) );
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]2452 mbedtls_ssl_set_outbound_transform( ssl, ssl->handshake->transform_handshake );
Jerry Yu5cc35062022-01-28 16:16:08 +0800[diff] [blame]2453
Ronald Cron928cbd32022-10-04 16:14:26 +0200[diff] [blame]2454#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
Ronald Cron5bb8fc82022-03-09 07:00:13 +0100[diff] [blame]2455 if( ssl->handshake->client_auth )
Ronald Cron7a94aca2022-03-09 07:44:27 +0100[diff] [blame]2456 {
2457 int ret = mbedtls_ssl_tls13_write_certificate( ssl );
2458 if( ret != 0 )
2459 return( ret );
Ronald Cron5bb8fc82022-03-09 07:00:13 +0100[diff] [blame]2460
Ronald Cron7a94aca2022-03-09 07:44:27 +0100[diff] [blame]2461 if( mbedtls_ssl_own_cert( ssl ) != NULL )
2462 non_empty_certificate_msg = 1;
2463 }
2464 else
2465 {
XiaokangQian23c5be62022-06-07 02:04:34 +0000[diff] [blame]2466 MBEDTLS_SSL_DEBUG_MSG( 2, ( "skip write certificate" ) );
Ronald Cron7a94aca2022-03-09 07:44:27 +0100[diff] [blame]2467 }
Ronald Cron9df7c802022-03-08 18:38:54 +0100[diff] [blame]2468#endif
Ronald Cron5bb8fc82022-03-09 07:00:13 +0100[diff] [blame]2469
Ronald Cron7a94aca2022-03-09 07:44:27 +0100[diff] [blame]2470 if( non_empty_certificate_msg )
2471 {
2472 mbedtls_ssl_handshake_set_state( ssl,
2473 MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY );
2474 }
2475 else
Ronald Cron19385882022-06-15 16:26:13 +0200[diff] [blame]2476 {
2477 MBEDTLS_SSL_DEBUG_MSG( 2, ( "skip write certificate verify" ) );
Ronald Cron7a94aca2022-03-09 07:44:27 +0100[diff] [blame]2478 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_FINISHED );
Ronald Cron19385882022-06-15 16:26:13 +0200[diff] [blame]2479 }
Ronald Cron7a94aca2022-03-09 07:44:27 +0100[diff] [blame]2480
Ronald Cron5bb8fc82022-03-09 07:00:13 +0100[diff] [blame]2481 return( 0 );
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]2482}
2483
Ronald Cron928cbd32022-10-04 16:14:26 +0200[diff] [blame]2484#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]2485/*
2486 * Handler for MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY
2487 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2488MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]2489static int ssl_tls13_write_client_certificate_verify( mbedtls_ssl_context *ssl )
2490{
Ronald Crona8b38872022-03-09 07:59:25 +0100[diff] [blame]2491 int ret = mbedtls_ssl_tls13_write_certificate_verify( ssl );
2492
2493 if( ret == 0 )
2494 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_FINISHED );
2495
2496 return( ret );
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]2497}
Ronald Cron928cbd32022-10-04 16:14:26 +0200[diff] [blame]2498#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]2499
2500/*
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2501 * Handler for MBEDTLS_SSL_CLIENT_FINISHED
2502 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2503MBEDTLS_CHECK_RETURN_CRITICAL
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]2504static int ssl_tls13_write_client_finished( mbedtls_ssl_context *ssl )
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2505{
XiaokangQian0fa66432021-11-15 03:33:57 +0000[diff] [blame]2506 int ret;
2507
2508 ret = mbedtls_ssl_tls13_write_finished_message( ssl );
2509 if( ret != 0 )
2510 return( ret );
2511
Jerry Yu466dda82022-09-13 11:20:20 +0800[diff] [blame]2512 ret = mbedtls_ssl_tls13_compute_resumption_master_secret( ssl );
Jerry Yue3d67cb2022-05-19 15:33:10 +0800[diff] [blame]2513 if( ret != 0 )
2514 {
2515 MBEDTLS_SSL_DEBUG_RET( 1,
Jerry Yu466dda82022-09-13 11:20:20 +0800[diff] [blame]2516 "mbedtls_ssl_tls13_compute_resumption_master_secret ", ret );
Jerry Yue3d67cb2022-05-19 15:33:10 +0800[diff] [blame]2517 return ( ret );
2518 }
2519
XiaokangQian0fa66432021-11-15 03:33:57 +0000[diff] [blame]2520 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_FLUSH_BUFFERS );
2521 return( 0 );
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2522}
2523
2524/*
2525 * Handler for MBEDTLS_SSL_FLUSH_BUFFERS
2526 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2527MBEDTLS_CHECK_RETURN_CRITICAL
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]2528static int ssl_tls13_flush_buffers( mbedtls_ssl_context *ssl )
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2529{
Jerry Yu378254d2021-10-30 21:44:47 +0800[diff] [blame]2530 MBEDTLS_SSL_DEBUG_MSG( 2, ( "handshake: done" ) );
Jerry Yuad8d0ba2021-09-28 17:58:26 +0800[diff] [blame]2531 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_HANDSHAKE_WRAPUP );
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2532 return( 0 );
2533}
2534
2535/*
2536 * Handler for MBEDTLS_SSL_HANDSHAKE_WRAPUP
2537 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2538MBEDTLS_CHECK_RETURN_CRITICAL
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]2539static int ssl_tls13_handshake_wrapup( mbedtls_ssl_context *ssl )
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2540{
Jerry Yu378254d2021-10-30 21:44:47 +0800[diff] [blame]2541
2542 mbedtls_ssl_tls13_handshake_wrapup( ssl );
2543
2544 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_HANDSHAKE_OVER );
2545 return( 0 );
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2546}
2547
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2548#if defined(MBEDTLS_SSL_SESSION_TICKETS)
2549
Jerry Yua0446a02022-07-13 11:22:55 +0800[diff] [blame]2550MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yuaf2c0c82022-07-12 05:47:21 +0000[diff] [blame]2551static int ssl_tls13_parse_new_session_ticket_exts( mbedtls_ssl_context *ssl,
2552 const unsigned char *buf,
2553 const unsigned char *end )
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2554{
Jerry Yuc4bf5d62022-10-29 09:08:47 +0800[diff] [blame]2555 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
Jerry Yuaf2c0c82022-07-12 05:47:21 +0000[diff] [blame]2556 const unsigned char *p = buf;
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2557
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2558
Jerry Yuedab6372022-10-31 14:37:31 +0800[diff] [blame]2559 handshake->received_extensions = MBEDTLS_SSL_EXT_MASK_NONE;
Jerry Yu6ba9f1c2022-08-04 17:53:25 +0800[diff] [blame]2560
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2561 while( p < end )
2562 {
2563 unsigned int extension_type;
2564 size_t extension_data_len;
Jerry Yu0c354a22022-08-29 15:25:36 +0800[diff] [blame]2565 int ret;
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2566
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2567 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 4 );
2568 extension_type = MBEDTLS_GET_UINT16_BE( p, 0 );
2569 extension_data_len = MBEDTLS_GET_UINT16_BE( p, 2 );
2570 p += 4;
2571
2572 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, extension_data_len );
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2573
Jerry Yuc4bf5d62022-10-29 09:08:47 +0800[diff] [blame]2574 ret = mbedtls_ssl_tls13_check_received_extension(
Jerry Yuedab6372022-10-31 14:37:31 +0800[diff] [blame]2575 ssl, MBEDTLS_SSL_HS_NEW_SESSION_TICKET, extension_type,
2576 MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_NST );
Jerry Yu0c354a22022-08-29 15:25:36 +0800[diff] [blame]2577 if( ret != 0 )
2578 return( ret );
Jerry Yu6ba9f1c2022-08-04 17:53:25 +0800[diff] [blame]2579
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2580 switch( extension_type )
2581 {
Xiaokang Qian0cc43202022-11-16 08:43:50 +0000[diff] [blame]2582#if defined(MBEDTLS_SSL_EARLY_DATA)
Xiaokang Qianf447e8a2022-11-08 07:02:27 +0000[diff] [blame]2583 case MBEDTLS_TLS_EXT_EARLY_DATA:
Xiaokang Qian2d87a9e2022-11-09 07:55:48 +0000[diff] [blame]2584 if( extension_data_len != 4 )
2585 {
2586 MBEDTLS_SSL_PEND_FATAL_ALERT(
2587 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
2588 MBEDTLS_ERR_SSL_DECODE_ERROR );
2589 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
2590 }
2591 if( ssl->session != NULL )
2592 {
Xiaokang Qianf447e8a2022-11-08 07:02:27 +0000[diff] [blame]2593 ssl->session->ticket_flags |=
Xiaokang Qianfe3483f2022-11-09 10:45:23 +0000[diff] [blame]2594 MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_EARLY_DATA;
Xiaokang Qian2d87a9e2022-11-09 07:55:48 +0000[diff] [blame]2595 }
Xiaokang Qianf447e8a2022-11-08 07:02:27 +0000[diff] [blame]2596 break;
Xiaokang Qian0cc43202022-11-16 08:43:50 +0000[diff] [blame]2597#endif /* MBEDTLS_SSL_EARLY_DATA */
Xiaokang Qianf447e8a2022-11-08 07:02:27 +0000[diff] [blame]2598
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2599 default:
Jerry Yu79aa7212022-11-08 21:30:21 +0800[diff] [blame]2600 MBEDTLS_SSL_PRINT_EXT(
Jerry Yuedab6372022-10-31 14:37:31 +0800[diff] [blame]2601 3, MBEDTLS_SSL_HS_NEW_SESSION_TICKET,
2602 extension_type, "( ignored )" );
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2603 break;
2604 }
Jerry Yu6ba9f1c2022-08-04 17:53:25 +0800[diff] [blame]2605
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2606 p += extension_data_len;
2607 }
2608
Jerry Yu7de2ff02022-11-08 21:43:46 +0800[diff] [blame]2609 MBEDTLS_SSL_PRINT_EXTS( 3, MBEDTLS_SSL_HS_NEW_SESSION_TICKET,
Jerry Yu97be6a92022-11-09 22:43:31 +0800[diff] [blame]2610 handshake->received_extensions );
Jerry Yu6ba9f1c2022-08-04 17:53:25 +0800[diff] [blame]2611
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2612 return( 0 );
2613}
2614
2615/*
Jerry Yu08aed4d2022-07-20 10:36:12 +0800[diff] [blame]2616 * From RFC8446, page 74
2617 *
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2618 * struct {
2619 * uint32 ticket_lifetime;
2620 * uint32 ticket_age_add;
2621 * opaque ticket_nonce<0..255>;
2622 * opaque ticket<1..2^16-1>;
2623 * Extension extensions<0..2^16-2>;
2624 * } NewSessionTicket;
2625 *
2626 */
Jerry Yua0446a02022-07-13 11:22:55 +0800[diff] [blame]2627MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2628static int ssl_tls13_parse_new_session_ticket( mbedtls_ssl_context *ssl,
2629 unsigned char *buf,
Jerry Yucb3b1392022-07-12 06:09:38 +0000[diff] [blame]2630 unsigned char *end,
2631 unsigned char **ticket_nonce,
2632 size_t *ticket_nonce_len )
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2633{
2634 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2635 unsigned char *p = buf;
2636 mbedtls_ssl_session *session = ssl->session;
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2637 size_t ticket_len;
2638 unsigned char *ticket;
2639 size_t extensions_len;
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2640
Jerry Yucb3b1392022-07-12 06:09:38 +0000[diff] [blame]2641 *ticket_nonce = NULL;
2642 *ticket_nonce_len = 0;
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2643 /*
2644 * ticket_lifetime 4 bytes
2645 * ticket_age_add 4 bytes
Jerry Yu08aed4d2022-07-20 10:36:12 +0800[diff] [blame]2646 * ticket_nonce_len 1 byte
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2647 */
Jerry Yucb3b1392022-07-12 06:09:38 +0000[diff] [blame]2648 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 9 );
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2649
2650 session->ticket_lifetime = MBEDTLS_GET_UINT32_BE( p, 0 );
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2651 MBEDTLS_SSL_DEBUG_MSG( 3,
Jerry Yu4e6c42a2022-07-13 11:16:51 +0800[diff] [blame]2652 ( "ticket_lifetime: %u",
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2653 ( unsigned int )session->ticket_lifetime ) );
2654
Jerry Yucb3b1392022-07-12 06:09:38 +0000[diff] [blame]2655 session->ticket_age_add = MBEDTLS_GET_UINT32_BE( p, 4 );
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2656 MBEDTLS_SSL_DEBUG_MSG( 3,
Jerry Yu4e6c42a2022-07-13 11:16:51 +0800[diff] [blame]2657 ( "ticket_age_add: %u",
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2658 ( unsigned int )session->ticket_age_add ) );
2659
Jerry Yucb3b1392022-07-12 06:09:38 +0000[diff] [blame]2660 *ticket_nonce_len = p[8];
2661 p += 9;
2662
2663 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, *ticket_nonce_len );
2664 *ticket_nonce = p;
2665 MBEDTLS_SSL_DEBUG_BUF( 3, "ticket_nonce:", *ticket_nonce, *ticket_nonce_len );
2666 p += *ticket_nonce_len;
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2667
2668 /* Ticket */
Jerry Yucb3b1392022-07-12 06:09:38 +0000[diff] [blame]2669 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2670 ticket_len = MBEDTLS_GET_UINT16_BE( p, 0 );
2671 p += 2;
2672 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, ticket_len );
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2673 MBEDTLS_SSL_DEBUG_BUF( 3, "received ticket", p, ticket_len ) ;
2674
2675 /* Check if we previously received a ticket already. */
2676 if( session->ticket != NULL || session->ticket_len > 0 )
2677 {
2678 mbedtls_free( session->ticket );
2679 session->ticket = NULL;
2680 session->ticket_len = 0;
2681 }
2682
2683 if( ( ticket = mbedtls_calloc( 1, ticket_len ) ) == NULL )
2684 {
2685 MBEDTLS_SSL_DEBUG_MSG( 1, ( "ticket alloc failed" ) );
2686 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
2687 }
2688 memcpy( ticket, p, ticket_len );
2689 p += ticket_len;
2690 session->ticket = ticket;
2691 session->ticket_len = ticket_len;
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2692
Jerry Yucb3b1392022-07-12 06:09:38 +0000[diff] [blame]2693 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2694 extensions_len = MBEDTLS_GET_UINT16_BE( p, 0 );
2695 p += 2;
2696 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, extensions_len );
2697
Jerry Yu4e6c42a2022-07-13 11:16:51 +0800[diff] [blame]2698 MBEDTLS_SSL_DEBUG_BUF( 3, "ticket extension", p, extensions_len );
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2699
Jerry Yu4e6c42a2022-07-13 11:16:51 +0800[diff] [blame]2700 ret = ssl_tls13_parse_new_session_ticket_exts( ssl, p, p + extensions_len );
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2701 if( ret != 0 )
2702 {
2703 MBEDTLS_SSL_DEBUG_RET( 1,
Jerry Yuaf2c0c82022-07-12 05:47:21 +0000[diff] [blame]2704 "ssl_tls13_parse_new_session_ticket_exts",
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2705 ret );
2706 return( ret );
2707 }
Jerry Yucb3b1392022-07-12 06:09:38 +0000[diff] [blame]2708
Jerry Yudb8c5fa2022-08-03 12:10:13 +0800[diff] [blame]2709 /* session has been updated, allow export */
2710 session->exported = 0;
2711
Jerry Yucb3b1392022-07-12 06:09:38 +0000[diff] [blame]2712 return( 0 );
2713}
2714
Jerry Yua0446a02022-07-13 11:22:55 +0800[diff] [blame]2715MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yucb3b1392022-07-12 06:09:38 +0000[diff] [blame]2716static int ssl_tls13_postprocess_new_session_ticket( mbedtls_ssl_context *ssl,
2717 unsigned char *ticket_nonce,
2718 size_t ticket_nonce_len )
2719{
2720 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2721 mbedtls_ssl_session *session = ssl->session;
2722 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
2723 psa_algorithm_t psa_hash_alg;
2724 int hash_length;
2725
Jerry Yu4e6c42a2022-07-13 11:16:51 +0800[diff] [blame]2726#if defined(MBEDTLS_HAVE_TIME)
2727 /* Store ticket creation time */
Jerry Yu08aed4d2022-07-20 10:36:12 +0800[diff] [blame]2728 session->ticket_received = mbedtls_time( NULL );
Jerry Yu4e6c42a2022-07-13 11:16:51 +0800[diff] [blame]2729#endif
2730
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2731 ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( session->ciphersuite );
2732 if( ciphersuite_info == NULL )
2733 {
2734 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2735 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2736 }
2737
2738 psa_hash_alg = mbedtls_psa_translate_md( ciphersuite_info->mac );
2739 hash_length = PSA_HASH_LENGTH( psa_hash_alg );
Jerry Yu3afdf362022-07-20 17:34:14 +0800[diff] [blame]2740 if( hash_length == -1 ||
2741 ( size_t )hash_length > sizeof( session->resumption_key ) )
2742 {
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2743 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Jerry Yu3afdf362022-07-20 17:34:14 +0800[diff] [blame]2744 }
2745
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2746
2747 MBEDTLS_SSL_DEBUG_BUF( 3, "resumption_master_secret",
2748 session->app_secrets.resumption_master_secret,
2749 hash_length );
2750
Jerry Yu4e6c42a2022-07-13 11:16:51 +0800[diff] [blame]2751 /* Compute resumption key
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2752 *
2753 * HKDF-Expand-Label( resumption_master_secret,
2754 * "resumption", ticket_nonce, Hash.length )
2755 */
2756 ret = mbedtls_ssl_tls13_hkdf_expand_label(
2757 psa_hash_alg,
2758 session->app_secrets.resumption_master_secret,
2759 hash_length,
2760 MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( resumption ),
2761 ticket_nonce,
2762 ticket_nonce_len,
Jerry Yu0a430c82022-07-20 11:02:48 +0800[diff] [blame]2763 session->resumption_key,
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2764 hash_length );
2765
2766 if( ret != 0 )
2767 {
2768 MBEDTLS_SSL_DEBUG_RET( 2,
2769 "Creating the ticket-resumed PSK failed",
2770 ret );
2771 return( ret );
2772 }
2773
Jerry Yu0a430c82022-07-20 11:02:48 +0800[diff] [blame]2774 session->resumption_key_len = hash_length;
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2775
2776 MBEDTLS_SSL_DEBUG_BUF( 3, "Ticket-resumed PSK",
Jerry Yu0a430c82022-07-20 11:02:48 +0800[diff] [blame]2777 session->resumption_key,
2778 session->resumption_key_len );
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2779
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2780 return( 0 );
2781}
2782
2783/*
Jerry Yua8d3c502022-10-30 14:51:23 +0800[diff] [blame]2784 * Handler for MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2785 */
Jerry Yua0446a02022-07-13 11:22:55 +0800[diff] [blame]2786MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2787static int ssl_tls13_process_new_session_ticket( mbedtls_ssl_context *ssl )
2788{
2789 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2790 unsigned char *buf;
2791 size_t buf_len;
Jerry Yucb3b1392022-07-12 06:09:38 +0000[diff] [blame]2792 unsigned char *ticket_nonce;
2793 size_t ticket_nonce_len;
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2794
2795 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse new session ticket" ) );
2796
2797 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_fetch_handshake_msg(
2798 ssl, MBEDTLS_SSL_HS_NEW_SESSION_TICKET,
2799 &buf, &buf_len ) );
2800
Jerry Yucb3b1392022-07-12 06:09:38 +0000[diff] [blame]2801 MBEDTLS_SSL_PROC_CHK( ssl_tls13_parse_new_session_ticket(
2802 ssl, buf, buf + buf_len,
2803 &ticket_nonce, &ticket_nonce_len ) );
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2804
Jerry Yucb3b1392022-07-12 06:09:38 +0000[diff] [blame]2805 MBEDTLS_SSL_PROC_CHK( ssl_tls13_postprocess_new_session_ticket(
2806 ssl, ticket_nonce, ticket_nonce_len ) );
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2807
Jerry Yu4e6c42a2022-07-13 11:16:51 +0800[diff] [blame]2808 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_HANDSHAKE_OVER );
2809
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2810cleanup:
2811
2812 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse new session ticket" ) );
2813 return( ret );
2814}
2815#endif /* MBEDTLS_SSL_SESSION_TICKETS */
2816
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]2817int mbedtls_ssl_tls13_handshake_client_step( mbedtls_ssl_context *ssl )
Jerry Yubc20bdd2021-08-24 15:59:48 +0800[diff] [blame]2818{
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]2819 int ret = 0;
Jerry Yuc8a392c2021-08-18 16:46:28 +0800[diff] [blame]2820
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]2821 switch( ssl->state )
2822 {
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]2823 case MBEDTLS_SSL_HELLO_REQUEST:
Jerry Yuddda0502022-12-01 19:43:12 +0800[diff] [blame]2824 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_HELLO );
2825 break;
2826
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]2827 case MBEDTLS_SSL_CLIENT_HELLO:
Ronald Cron3d580bf2022-02-18 17:24:56 +0100[diff] [blame]2828 ret = mbedtls_ssl_write_client_hello( ssl );
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]2829 break;
2830
2831 case MBEDTLS_SSL_SERVER_HELLO:
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]2832 ret = ssl_tls13_process_server_hello( ssl );
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2833 break;
2834
2835 case MBEDTLS_SSL_ENCRYPTED_EXTENSIONS:
XiaokangQian97799ac2021-10-11 10:05:54 +0000[diff] [blame]2836 ret = ssl_tls13_process_encrypted_extensions( ssl );
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2837 break;
2838
Ronald Cron928cbd32022-10-04 16:14:26 +0200[diff] [blame]2839#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
Jerry Yud2674312021-10-29 10:08:19 +0800[diff] [blame]2840 case MBEDTLS_SSL_CERTIFICATE_REQUEST:
2841 ret = ssl_tls13_process_certificate_request( ssl );
2842 break;
2843
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2844 case MBEDTLS_SSL_SERVER_CERTIFICATE:
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]2845 ret = ssl_tls13_process_server_certificate( ssl );
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2846 break;
2847
2848 case MBEDTLS_SSL_CERTIFICATE_VERIFY:
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]2849 ret = ssl_tls13_process_certificate_verify( ssl );
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2850 break;
Ronald Cron928cbd32022-10-04 16:14:26 +0200[diff] [blame]2851#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2852
2853 case MBEDTLS_SSL_SERVER_FINISHED:
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]2854 ret = ssl_tls13_process_server_finished( ssl );
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2855 break;
2856
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]2857 case MBEDTLS_SSL_CLIENT_CERTIFICATE:
2858 ret = ssl_tls13_write_client_certificate( ssl );
2859 break;
2860
Ronald Cron928cbd32022-10-04 16:14:26 +0200[diff] [blame]2861#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]2862 case MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY:
2863 ret = ssl_tls13_write_client_certificate_verify( ssl );
2864 break;
Ronald Cron928cbd32022-10-04 16:14:26 +0200[diff] [blame]2865#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]2866
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2867 case MBEDTLS_SSL_CLIENT_FINISHED:
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]2868 ret = ssl_tls13_write_client_finished( ssl );
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2869 break;
2870
2871 case MBEDTLS_SSL_FLUSH_BUFFERS:
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]2872 ret = ssl_tls13_flush_buffers( ssl );
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2873 break;
2874
2875 case MBEDTLS_SSL_HANDSHAKE_WRAPUP:
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]2876 ret = ssl_tls13_handshake_wrapup( ssl );
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]2877 break;
2878
Ronald Cron49ad6192021-11-24 16:25:31 +0100[diff] [blame]2879 /*
2880 * Injection of dummy-CCS's for middlebox compatibility
2881 */
2882#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
XiaokangQian0b56a8f2021-12-22 02:39:32 +0000[diff] [blame]2883 case MBEDTLS_SSL_CLIENT_CCS_BEFORE_2ND_CLIENT_HELLO:
Ronald Cron9f55f632022-02-02 16:02:47 +0100[diff] [blame]2884 ret = mbedtls_ssl_tls13_write_change_cipher_spec( ssl );
2885 if( ret == 0 )
2886 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_HELLO );
2887 break;
2888
2889 case MBEDTLS_SSL_CLIENT_CCS_AFTER_SERVER_FINISHED:
2890 ret = mbedtls_ssl_tls13_write_change_cipher_spec( ssl );
2891 if( ret == 0 )
2892 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE );
Ronald Cron49ad6192021-11-24 16:25:31 +0100[diff] [blame]2893 break;
2894#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
2895
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2896#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Jerry Yua8d3c502022-10-30 14:51:23 +0800[diff] [blame]2897 case MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET:
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2898 ret = ssl_tls13_process_new_session_ticket( ssl );
2899 if( ret != 0 )
2900 break;
2901 ret = MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET;
2902 break;
2903#endif /* MBEDTLS_SSL_SESSION_TICKETS */
2904
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]2905 default:
2906 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) );
2907 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
2908 }
2909
2910 return( ret );
2911}
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800[diff] [blame]2912
Jerry Yufb4b6472022-01-27 15:03:26 +0800[diff] [blame]2913#endif /* MBEDTLS_SSL_CLI_C && MBEDTLS_SSL_PROTO_TLS1_3 */
Jerry Yu3cc4c2a2021-08-06 16:29:08 +0800[diff] [blame]2914
Jerry Yufb4b6472022-01-27 15:03:26 +0800[diff] [blame]2915