TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / fd13a0f85195cc5cf7e0d650713935b88a28ac52 / . / library / ssl_tls13_client.c
blob: 025183d4429daab230b76f1b78ccf101158bcb74 [file] [log] [blame]
Jerry Yu3cc4c2a2021-08-06 16:29:08 +0800[diff] [blame]1/*
2 * TLS 1.3 client-side functions
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 *
19 * This file is part of mbed TLS ( https://tls.mbed.org )
20 */
21
22#include "common.h"
23
Jerry Yucc43c6b2022-01-28 10:24:45 +0800[diff] [blame]24#if defined(MBEDTLS_SSL_CLI_C) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
Jerry Yu3cc4c2a2021-08-06 16:29:08 +0800[diff] [blame]25
Jerry Yubc20bdd2021-08-24 15:59:48 +0800[diff] [blame]26#include <string.h>
27
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]28#include "mbedtls/debug.h"
29#include "mbedtls/error.h"
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]30#include "mbedtls/platform.h"
Jerry Yua13c7e72021-08-17 10:44:40 +0800[diff] [blame]31
Jerry Yubdc71882021-09-14 19:30:36 +0800[diff] [blame]32#include "ssl_misc.h"
Ronald Cron3d580bf2022-02-18 17:24:56 +0100[diff] [blame]33#include "ssl_client.h"
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]34#include "ssl_tls13_keys.h"
Jerry Yucbd082f2022-08-04 16:55:10 +0800[diff] [blame]35#include "ssl_debug_helpers.h"
Jerry Yubdc71882021-09-14 19:30:36 +0800[diff] [blame]36
Jerry Yubc20bdd2021-08-24 15:59:48 +0800[diff] [blame]37/* Write extensions */
38
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]39/*
40 * ssl_tls13_write_supported_versions_ext():
41 *
42 * struct {
43 * ProtocolVersion versions<2..254>;
44 * } SupportedVersions;
45 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]46MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yuf4436812021-08-26 22:59:56 +0800[diff] [blame]47static int ssl_tls13_write_supported_versions_ext( mbedtls_ssl_context *ssl,
Jerry Yueecfbf02021-08-30 18:32:07 +0800[diff] [blame]48 unsigned char *buf,
49 unsigned char *end,
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]50 size_t *out_len )
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]51{
52 unsigned char *p = buf;
Glenn Strausscd78df62022-04-07 19:07:11 -0400[diff] [blame]53 unsigned char versions_len = ( ssl->handshake->min_tls_version <=
54 MBEDTLS_SSL_VERSION_TLS1_2 ) ? 4 : 2;
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]55
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]56 *out_len = 0;
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]57
Jerry Yu159c5a02021-08-31 12:51:25 +0800[diff] [blame]58 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding supported versions extension" ) );
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]59
Jerry Yu388bd0d2021-09-15 18:41:02 +0800[diff] [blame]60 /* Check if we have space to write the extension:
Jerry Yub60e3cf2021-09-08 16:41:02 +0800[diff] [blame]61 * - extension_type (2 bytes)
62 * - extension_data_length (2 bytes)
63 * - versions_length (1 byte )
Ronald Crona77fc272022-03-30 17:20:47 +0200[diff] [blame]64 * - versions (2 or 4 bytes)
Jerry Yu159c5a02021-08-31 12:51:25 +0800[diff] [blame]65 */
Ronald Crona77fc272022-03-30 17:20:47 +0200[diff] [blame]66 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 5 + versions_len );
Ronald Crondbe87f02022-02-10 14:35:27 +0100[diff] [blame]67
Jerry Yueecfbf02021-08-30 18:32:07 +0800[diff] [blame]68 MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS, p, 0 );
Ronald Crondbe87f02022-02-10 14:35:27 +0100[diff] [blame]69 MBEDTLS_PUT_UINT16_BE( versions_len + 1, p, 2 );
Jerry Yueecfbf02021-08-30 18:32:07 +0800[diff] [blame]70 p += 4;
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]71
Jerry Yu1bc2c1f2021-09-01 12:57:29 +0800[diff] [blame]72 /* Length of versions */
Ronald Crondbe87f02022-02-10 14:35:27 +0100[diff] [blame]73 *p++ = versions_len;
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]74
Jerry Yu0c63af62021-09-02 12:59:12 +0800[diff] [blame]75 /* Write values of supported versions.
Jerry Yu0c63af62021-09-02 12:59:12 +0800[diff] [blame]76 * They are defined by the configuration.
Ronald Crondbe87f02022-02-10 14:35:27 +0100[diff] [blame]77 * Currently, we advertise only TLS 1.3 or both TLS 1.3 and TLS 1.2.
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]78 */
Glenn Strausse3af4cb2022-03-15 03:23:42 -0400[diff] [blame]79 mbedtls_ssl_write_version( p, MBEDTLS_SSL_TRANSPORT_STREAM,
80 MBEDTLS_SSL_VERSION_TLS1_3 );
Ronald Crondbe87f02022-02-10 14:35:27 +0100[diff] [blame]81 MBEDTLS_SSL_DEBUG_MSG( 3, ( "supported version: [3:4]" ) );
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]82
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]83
Glenn Strausscd78df62022-04-07 19:07:11 -0400[diff] [blame]84 if( ssl->handshake->min_tls_version <= MBEDTLS_SSL_VERSION_TLS1_2 )
Ronald Crondbe87f02022-02-10 14:35:27 +0100[diff] [blame]85 {
Glenn Strausse3af4cb2022-03-15 03:23:42 -0400[diff] [blame]86 mbedtls_ssl_write_version( p + 2, MBEDTLS_SSL_TRANSPORT_STREAM,
87 MBEDTLS_SSL_VERSION_TLS1_2 );
Ronald Crondbe87f02022-02-10 14:35:27 +0100[diff] [blame]88 MBEDTLS_SSL_DEBUG_MSG( 3, ( "supported version: [3:3]" ) );
89 }
90
91 *out_len = 5 + versions_len;
Jerry Yu4b8f2f72022-10-31 13:31:22 +0800[diff] [blame]92
Jerry Yuc4bf5d62022-10-29 09:08:47 +0800[diff] [blame]93 mbedtls_ssl_tls13_set_hs_sent_ext_mask(
94 ssl, MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS );
Jerry Yu4b8f2f72022-10-31 13:31:22 +0800[diff] [blame]95
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]96 return( 0 );
97}
Jerry Yubc20bdd2021-08-24 15:59:48 +0800[diff] [blame]98
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]99MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yuc068b662021-10-11 22:30:19 +0800[diff] [blame]100static int ssl_tls13_parse_supported_versions_ext( mbedtls_ssl_context *ssl,
101 const unsigned char *buf,
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]102 const unsigned char *end )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]103{
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]104 ((void) ssl);
105
Ronald Cron98473382022-03-30 20:04:10 +0200[diff] [blame]106 MBEDTLS_SSL_CHK_BUF_READ_PTR( buf, end, 2 );
Glenn Strausse3af4cb2022-03-15 03:23:42 -0400[diff] [blame]107 if( mbedtls_ssl_read_version( buf, ssl->conf->transport ) !=
108 MBEDTLS_SSL_VERSION_TLS1_3 )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]109 {
110 MBEDTLS_SSL_DEBUG_MSG( 1, ( "unexpected version" ) );
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]111
112 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
113 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
114 return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]115 }
116
Ronald Cron98473382022-03-30 20:04:10 +0200[diff] [blame]117 if( &buf[2] != end )
118 {
119 MBEDTLS_SSL_DEBUG_MSG( 1, ( "supported_versions ext data length incorrect" ) );
120 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
121 MBEDTLS_ERR_SSL_DECODE_ERROR );
122 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
123 }
124
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]125 return( 0 );
126}
127
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]128#if defined(MBEDTLS_SSL_ALPN)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]129MBEDTLS_CHECK_RETURN_CRITICAL
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]130static int ssl_tls13_parse_alpn_ext( mbedtls_ssl_context *ssl,
Ronald Cron81a334f2022-05-31 16:04:11 +0200[diff] [blame]131 const unsigned char *buf, size_t len )
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]132{
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]133 const unsigned char *p = buf;
134 const unsigned char *end = buf + len;
Ronald Cron81a334f2022-05-31 16:04:11 +0200[diff] [blame]135 size_t protocol_name_list_len, protocol_name_len;
136 const unsigned char *protocol_name_list_end;
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]137
138 /* If we didn't send it, the server shouldn't send it */
139 if( ssl->conf->alpn_list == NULL )
140 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
141
142 /*
143 * opaque ProtocolName<1..2^8-1>;
144 *
145 * struct {
146 * ProtocolName protocol_name_list<2..2^16-1>
147 * } ProtocolNameList;
148 *
149 * the "ProtocolNameList" MUST contain exactly one "ProtocolName"
150 */
151
Ronald Cron81a334f2022-05-31 16:04:11 +0200[diff] [blame]152 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
153 protocol_name_list_len = MBEDTLS_GET_UINT16_BE( p, 0 );
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]154 p += 2;
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]155
Ronald Cron81a334f2022-05-31 16:04:11 +0200[diff] [blame]156 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, protocol_name_list_len );
157 protocol_name_list_end = p + protocol_name_list_len;
158
159 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, protocol_name_list_end, 1 );
160 protocol_name_len = *p++;
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]161
162 /* Check that the server chosen protocol was in our list and save it */
Ronald Cron81a334f2022-05-31 16:04:11 +0200[diff] [blame]163 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, protocol_name_list_end, protocol_name_len );
164 for( const char **alpn = ssl->conf->alpn_list; *alpn != NULL; alpn++ )
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]165 {
Ronald Cron81a334f2022-05-31 16:04:11 +0200[diff] [blame]166 if( protocol_name_len == strlen( *alpn ) &&
167 memcmp( p, *alpn, protocol_name_len ) == 0 )
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]168 {
169 ssl->alpn_chosen = *alpn;
170 return( 0 );
171 }
172 }
173
174 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
175}
176#endif /* MBEDTLS_SSL_ALPN */
177
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]178MBEDTLS_CHECK_RETURN_CRITICAL
XiaokangQian16acd4b2022-01-14 07:35:47 +0000[diff] [blame]179static int ssl_tls13_reset_key_share( mbedtls_ssl_context *ssl )
XiaokangQian647719a2021-12-07 09:16:29 +0000[diff] [blame]180{
181 uint16_t group_id = ssl->handshake->offered_group_id;
Ronald Cron5b98ac92022-03-15 10:19:18 +0100[diff] [blame]182
XiaokangQian647719a2021-12-07 09:16:29 +0000[diff] [blame]183 if( group_id == 0 )
184 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
185
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]186#if defined(MBEDTLS_ECDH_C)
XiaokangQian647719a2021-12-07 09:16:29 +0000[diff] [blame]187 if( mbedtls_ssl_tls13_named_group_is_ecdhe( group_id ) )
XiaokangQian78b1fa72022-01-19 06:56:30 +0000[diff] [blame]188 {
Ronald Cron5b98ac92022-03-15 10:19:18 +0100[diff] [blame]189 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
190 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
191
192 /* Destroy generated private key. */
193 status = psa_destroy_key( ssl->handshake->ecdh_psa_privkey );
194 if( status != PSA_SUCCESS )
195 {
196 ret = psa_ssl_status_to_mbedtls( status );
197 MBEDTLS_SSL_DEBUG_RET( 1, "psa_destroy_key", ret );
198 return( ret );
199 }
200
201 ssl->handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
XiaokangQian78b1fa72022-01-19 06:56:30 +0000[diff] [blame]202 return( 0 );
203 }
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]204 else
205#endif /* MBEDTLS_ECDH_C */
206 if( 0 /* other KEMs? */ )
XiaokangQian647719a2021-12-07 09:16:29 +0000[diff] [blame]207 {
208 /* Do something */
209 }
210
211 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
212}
213
214/*
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]215 * Functions for writing key_share extension.
216 */
Ronald Cron766c0cd2022-10-18 12:17:11 +0200[diff] [blame]217#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]218MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yub60e3cf2021-09-08 16:41:02 +0800[diff] [blame]219static int ssl_tls13_get_default_group_id( mbedtls_ssl_context *ssl,
220 uint16_t *group_id )
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]221{
222 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
223
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]224
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]225#if defined(MBEDTLS_ECDH_C)
Brett Warren14efd332021-10-06 09:32:11 +0100[diff] [blame]226 const uint16_t *group_list = mbedtls_ssl_get_groups( ssl );
Jerry Yu388bd0d2021-09-15 18:41:02 +0800[diff] [blame]227 /* Pick first available ECDHE group compatible with TLS 1.3 */
Brett Warren14efd332021-10-06 09:32:11 +0100[diff] [blame]228 if( group_list == NULL )
Jerry Yu388bd0d2021-09-15 18:41:02 +0800[diff] [blame]229 return( MBEDTLS_ERR_SSL_BAD_CONFIG );
230
Brett Warren14efd332021-10-06 09:32:11 +0100[diff] [blame]231 for ( ; *group_list != 0; group_list++ )
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]232 {
Valerio Setti18c9fed2022-12-30 17:44:24 +0100[diff] [blame]233 if( ( mbedtls_ssl_get_psa_curve_info_from_tls_id( *group_list,
234 NULL, NULL ) == PSA_SUCCESS ) &&
Brett Warren14efd332021-10-06 09:32:11 +0100[diff] [blame]235 mbedtls_ssl_tls13_named_group_is_ecdhe( *group_list ) )
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]236 {
Brett Warren14efd332021-10-06 09:32:11 +0100[diff] [blame]237 *group_id = *group_list;
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]238 return( 0 );
239 }
240 }
241#else
242 ((void) ssl);
Jerry Yub60e3cf2021-09-08 16:41:02 +0800[diff] [blame]243 ((void) group_id);
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]244#endif /* MBEDTLS_ECDH_C */
245
246 /*
247 * Add DHE named groups here.
Jerry Yu388bd0d2021-09-15 18:41:02 +0800[diff] [blame]248 * Pick first available DHE group compatible with TLS 1.3
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]249 */
250
251 return( ret );
252}
253
254/*
255 * ssl_tls13_write_key_share_ext
256 *
Jerry Yu388bd0d2021-09-15 18:41:02 +0800[diff] [blame]257 * Structure of key_share extension in ClientHello:
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]258 *
259 * struct {
260 * NamedGroup group;
261 * opaque key_exchange<1..2^16-1>;
262 * } KeyShareEntry;
263 * struct {
264 * KeyShareEntry client_shares<0..2^16-1>;
265 * } KeyShareClientHello;
266 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]267MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]268static int ssl_tls13_write_key_share_ext( mbedtls_ssl_context *ssl,
269 unsigned char *buf,
270 unsigned char *end,
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]271 size_t *out_len )
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]272{
273 unsigned char *p = buf;
Xiaofei Baieef15042021-11-18 07:29:56 +0000[diff] [blame]274 unsigned char *client_shares; /* Start of client_shares */
275 size_t client_shares_len; /* Length of client_shares */
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]276 uint16_t group_id;
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]277 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
278
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]279 *out_len = 0;
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]280
Jerry Yub60e3cf2021-09-08 16:41:02 +0800[diff] [blame]281 /* Check if we have space for header and length fields:
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]282 * - extension_type (2 bytes)
283 * - extension_data_length (2 bytes)
284 * - client_shares_length (2 bytes)
285 */
286 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 6 );
287 p += 6;
288
289 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello: adding key share extension" ) );
290
291 /* HRR could already have requested something else. */
292 group_id = ssl->handshake->offered_group_id;
Jerry Yub60e3cf2021-09-08 16:41:02 +0800[diff] [blame]293 if( !mbedtls_ssl_tls13_named_group_is_ecdhe( group_id ) &&
294 !mbedtls_ssl_tls13_named_group_is_dhe( group_id ) )
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]295 {
Jerry Yub60e3cf2021-09-08 16:41:02 +0800[diff] [blame]296 MBEDTLS_SSL_PROC_CHK( ssl_tls13_get_default_group_id( ssl,
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]297 &group_id ) );
298 }
299
300 /*
301 * Dispatch to type-specific key generation function.
302 *
303 * So far, we're only supporting ECDHE. With the introduction
304 * of PQC KEMs, we'll want to have multiple branches, one per
305 * type of KEM, and dispatch to the corresponding crypto. And
306 * only one key share entry is allowed.
307 */
Xiaofei Baieef15042021-11-18 07:29:56 +0000[diff] [blame]308 client_shares = p;
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]309#if defined(MBEDTLS_ECDH_C)
Jerry Yub60e3cf2021-09-08 16:41:02 +0800[diff] [blame]310 if( mbedtls_ssl_tls13_named_group_is_ecdhe( group_id ) )
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]311 {
Jerry Yu388bd0d2021-09-15 18:41:02 +0800[diff] [blame]312 /* Pointer to group */
Xiaofei Baieef15042021-11-18 07:29:56 +0000[diff] [blame]313 unsigned char *group = p;
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]314 /* Length of key_exchange */
Przemyslaw Stekiel4f419e52022-02-10 15:56:26 +0100[diff] [blame]315 size_t key_exchange_len = 0;
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]316
317 /* Check there is space for header of KeyShareEntry
318 * - group (2 bytes)
319 * - key_exchange_length (2 bytes)
320 */
321 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 4 );
322 p += 4;
Jerry Yu89e103c2022-03-30 22:43:29 +0800[diff] [blame]323 ret = mbedtls_ssl_tls13_generate_and_write_ecdh_key_exchange(
324 ssl, group_id, p, end, &key_exchange_len );
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]325 p += key_exchange_len;
326 if( ret != 0 )
327 return( ret );
328
329 /* Write group */
Xiaofei Baieef15042021-11-18 07:29:56 +0000[diff] [blame]330 MBEDTLS_PUT_UINT16_BE( group_id, group, 0 );
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]331 /* Write key_exchange_length */
Xiaofei Baieef15042021-11-18 07:29:56 +0000[diff] [blame]332 MBEDTLS_PUT_UINT16_BE( key_exchange_len, group, 2 );
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]333 }
334 else
335#endif /* MBEDTLS_ECDH_C */
336 if( 0 /* other KEMs? */ )
337 {
338 /* Do something */
339 }
340 else
341 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
342
Jerry Yub60e3cf2021-09-08 16:41:02 +0800[diff] [blame]343 /* Length of client_shares */
Xiaofei Baieef15042021-11-18 07:29:56 +0000[diff] [blame]344 client_shares_len = p - client_shares;
Jerry Yub60e3cf2021-09-08 16:41:02 +0800[diff] [blame]345 if( client_shares_len == 0)
346 {
347 MBEDTLS_SSL_DEBUG_MSG( 1, ( "No key share defined." ) );
348 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Jerry Yu7c522d42021-09-08 17:55:09 +0800[diff] [blame]349 }
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]350 /* Write extension_type */
351 MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_KEY_SHARE, buf, 0 );
352 /* Write extension_data_length */
Jerry Yub60e3cf2021-09-08 16:41:02 +0800[diff] [blame]353 MBEDTLS_PUT_UINT16_BE( client_shares_len + 2, buf, 2 );
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]354 /* Write client_shares_length */
Jerry Yub60e3cf2021-09-08 16:41:02 +0800[diff] [blame]355 MBEDTLS_PUT_UINT16_BE( client_shares_len, buf, 4 );
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]356
357 /* Update offered_group_id field */
358 ssl->handshake->offered_group_id = group_id;
359
360 /* Output the total length of key_share extension. */
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]361 *out_len = p - buf;
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]362
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]363 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, key_share extension", buf, *out_len );
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]364
Jerry Yuc4bf5d62022-10-29 09:08:47 +0800[diff] [blame]365 mbedtls_ssl_tls13_set_hs_sent_ext_mask( ssl, MBEDTLS_TLS_EXT_KEY_SHARE );
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]366
367cleanup:
368
369 return( ret );
370}
Ronald Cron766c0cd2022-10-18 12:17:11 +0200[diff] [blame]371#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED */
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]372
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]373/*
374 * ssl_tls13_parse_hrr_key_share_ext()
375 * Parse key_share extension in Hello Retry Request
376 *
377 * struct {
378 * NamedGroup selected_group;
379 * } KeyShareHelloRetryRequest;
380 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]381MBEDTLS_CHECK_RETURN_CRITICAL
XiaokangQiand9e068e2022-01-18 06:23:32 +0000[diff] [blame]382static int ssl_tls13_parse_hrr_key_share_ext( mbedtls_ssl_context *ssl,
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]383 const unsigned char *buf,
384 const unsigned char *end )
385{
Andrzej Kurekc19fb082022-10-03 10:52:24 -0400[diff] [blame]386#if defined(MBEDTLS_ECDH_C)
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]387 const unsigned char *p = buf;
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]388 int selected_group;
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]389 int found = 0;
390
391 const uint16_t *group_list = mbedtls_ssl_get_groups( ssl );
392 if( group_list == NULL )
393 return( MBEDTLS_ERR_SSL_BAD_CONFIG );
394
395 MBEDTLS_SSL_DEBUG_BUF( 3, "key_share extension", p, end - buf );
396
397 /* Read selected_group */
XiaokangQianb48894e2022-01-17 02:05:52 +0000[diff] [blame]398 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]399 selected_group = MBEDTLS_GET_UINT16_BE( p, 0 );
400 MBEDTLS_SSL_DEBUG_MSG( 3, ( "selected_group ( %d )", selected_group ) );
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]401
402 /* Upon receipt of this extension in a HelloRetryRequest, the client
403 * MUST first verify that the selected_group field corresponds to a
404 * group which was provided in the "supported_groups" extension in the
405 * original ClientHello.
406 * The supported_group was based on the info in ssl->conf->group_list.
407 *
408 * If the server provided a key share that was not sent in the ClientHello
409 * then the client MUST abort the handshake with an "illegal_parameter" alert.
410 */
XiaokangQiand9e068e2022-01-18 06:23:32 +0000[diff] [blame]411 for( ; *group_list != 0; group_list++ )
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]412 {
Valerio Setti18c9fed2022-12-30 17:44:24 +0100[diff] [blame]413 if( ( mbedtls_ssl_get_psa_curve_info_from_tls_id( *group_list,
414 NULL, NULL ) == PSA_ERROR_NOT_SUPPORTED ) ||
415 *group_list != selected_group )
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]416 continue;
417
418 /* We found a match */
419 found = 1;
420 break;
421 }
422
423 /* Client MUST verify that the selected_group field does not
424 * correspond to a group which was provided in the "key_share"
425 * extension in the original ClientHello. If the server sent an
426 * HRR message with a key share already provided in the
427 * ClientHello then the client MUST abort the handshake with
428 * an "illegal_parameter" alert.
429 */
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]430 if( found == 0 || selected_group == ssl->handshake->offered_group_id )
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]431 {
432 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Invalid key share in HRR" ) );
433 MBEDTLS_SSL_PEND_FATAL_ALERT(
434 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
435 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
436 return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
437 }
438
439 /* Remember server's preference for next ClientHello */
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]440 ssl->handshake->offered_group_id = selected_group;
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]441
442 return( 0 );
Andrzej Kurekc19fb082022-10-03 10:52:24 -0400[diff] [blame]443#else
444 (void) ssl;
445 (void) buf;
446 (void) end;
447 return( MBEDTLS_ERR_SSL_BAD_CONFIG );
448#endif
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]449}
450
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]451/*
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]452 * ssl_tls13_parse_key_share_ext()
453 * Parse key_share extension in Server Hello
454 *
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]455 * struct {
456 * KeyShareEntry server_share;
457 * } KeyShareServerHello;
458 * struct {
459 * NamedGroup group;
460 * opaque key_exchange<1..2^16-1>;
461 * } KeyShareEntry;
462 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]463MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]464static int ssl_tls13_parse_key_share_ext( mbedtls_ssl_context *ssl,
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]465 const unsigned char *buf,
466 const unsigned char *end )
467{
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]468 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]469 const unsigned char *p = buf;
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]470 uint16_t group, offered_group;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]471
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]472 /* ...
473 * NamedGroup group; (2 bytes)
474 * ...
475 */
476 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
477 group = MBEDTLS_GET_UINT16_BE( p, 0 );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]478 p += 2;
479
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]480 /* Check that the chosen group matches the one we offered. */
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]481 offered_group = ssl->handshake->offered_group_id;
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]482 if( offered_group != group )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]483 {
484 MBEDTLS_SSL_DEBUG_MSG( 1,
485 ( "Invalid server key share, our group %u, their group %u",
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]486 (unsigned) offered_group, (unsigned) group ) );
487 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
488 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
489 return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]490 }
491
492#if defined(MBEDTLS_ECDH_C)
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]493 if( mbedtls_ssl_tls13_named_group_is_ecdhe( group ) )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]494 {
Valerio Setti18c9fed2022-12-30 17:44:24 +0100[diff] [blame]495 if( mbedtls_ssl_get_psa_curve_info_from_tls_id( group, NULL, NULL )
496 == PSA_ERROR_NOT_SUPPORTED )
Przemyslaw Stekiel9e23ddb2022-02-10 10:32:02 +0100[diff] [blame]497 {
498 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Invalid TLS curve group id" ) );
499 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
500 }
501
Valerio Setti18c9fed2022-12-30 17:44:24 +0100[diff] [blame]502 MBEDTLS_SSL_DEBUG_MSG( 2, ( "ECDH curve: %s",
503 mbedtls_ssl_get_curve_name_from_tls_id( group ) ) );
Przemyslaw Stekiel9e23ddb2022-02-10 10:32:02 +0100[diff] [blame]504
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000[diff] [blame]505 ret = mbedtls_ssl_tls13_read_public_ecdhe_share( ssl, p, end - p );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]506 if( ret != 0 )
507 return( ret );
508 }
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]509 else
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]510#endif /* MBEDTLS_ECDH_C */
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]511 if( 0 /* other KEMs? */ )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]512 {
513 /* Do something */
514 }
515 else
516 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
517
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]518 return( ret );
519}
520
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]521/*
522 * ssl_tls13_parse_cookie_ext()
523 * Parse cookie extension in Hello Retry Request
524 *
525 * struct {
526 * opaque cookie<1..2^16-1>;
527 * } Cookie;
528 *
529 * When sending a HelloRetryRequest, the server MAY provide a "cookie"
530 * extension to the client (this is an exception to the usual rule that
531 * the only extensions that may be sent are those that appear in the
532 * ClientHello). When sending the new ClientHello, the client MUST copy
533 * the contents of the extension received in the HelloRetryRequest into
534 * a "cookie" extension in the new ClientHello. Clients MUST NOT use
535 * cookies in their initial ClientHello in subsequent connections.
536 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]537MBEDTLS_CHECK_RETURN_CRITICAL
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]538static int ssl_tls13_parse_cookie_ext( mbedtls_ssl_context *ssl,
539 const unsigned char *buf,
540 const unsigned char *end )
541{
XiaokangQian25c9c902022-02-08 10:49:53 +0000[diff] [blame]542 uint16_t cookie_len;
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]543 const unsigned char *p = buf;
544 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
545
546 /* Retrieve length field of cookie */
547 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
548 cookie_len = MBEDTLS_GET_UINT16_BE( p, 0 );
549 p += 2;
550
551 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, cookie_len );
552 MBEDTLS_SSL_DEBUG_BUF( 3, "cookie extension", p, cookie_len );
553
XiaokangQian9b93c0d2022-02-09 06:02:25 +0000[diff] [blame]554 mbedtls_free( handshake->cookie );
Jerry Yuac5ca5a2022-03-04 12:50:46 +0800[diff] [blame]555 handshake->cookie_len = 0;
XiaokangQian9b93c0d2022-02-09 06:02:25 +0000[diff] [blame]556 handshake->cookie = mbedtls_calloc( 1, cookie_len );
557 if( handshake->cookie == NULL )
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]558 {
559 MBEDTLS_SSL_DEBUG_MSG( 1,
XiaokangQian25c9c902022-02-08 10:49:53 +0000[diff] [blame]560 ( "alloc failed ( %ud bytes )",
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]561 cookie_len ) );
562 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
563 }
564
XiaokangQian9b93c0d2022-02-09 06:02:25 +0000[diff] [blame]565 memcpy( handshake->cookie, p, cookie_len );
Jerry Yuac5ca5a2022-03-04 12:50:46 +0800[diff] [blame]566 handshake->cookie_len = cookie_len;
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]567
568 return( 0 );
569}
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]570
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]571MBEDTLS_CHECK_RETURN_CRITICAL
XiaokangQian0b64eed2022-01-27 10:36:51 +0000[diff] [blame]572static int ssl_tls13_write_cookie_ext( mbedtls_ssl_context *ssl,
XiaokangQian233397e2022-02-07 08:32:16 +0000[diff] [blame]573 unsigned char *buf,
574 unsigned char *end,
XiaokangQian9deb90f2022-02-08 10:31:07 +0000[diff] [blame]575 size_t *out_len )
XiaokangQian0b64eed2022-01-27 10:36:51 +0000[diff] [blame]576{
577 unsigned char *p = buf;
XiaokangQian9deb90f2022-02-08 10:31:07 +0000[diff] [blame]578 *out_len = 0;
XiaokangQianc02768a2022-02-10 07:31:25 +0000[diff] [blame]579 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
XiaokangQian0b64eed2022-01-27 10:36:51 +0000[diff] [blame]580
XiaokangQianc02768a2022-02-10 07:31:25 +0000[diff] [blame]581 if( handshake->cookie == NULL )
XiaokangQian0b64eed2022-01-27 10:36:51 +0000[diff] [blame]582 {
583 MBEDTLS_SSL_DEBUG_MSG( 3, ( "no cookie to send; skip extension" ) );
584 return( 0 );
585 }
586
587 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, cookie",
XiaokangQianc02768a2022-02-10 07:31:25 +0000[diff] [blame]588 handshake->cookie,
Jerry Yuac5ca5a2022-03-04 12:50:46 +0800[diff] [blame]589 handshake->cookie_len );
XiaokangQian0b64eed2022-01-27 10:36:51 +0000[diff] [blame]590
Jerry Yuac5ca5a2022-03-04 12:50:46 +0800[diff] [blame]591 MBEDTLS_SSL_CHK_BUF_PTR( p, end, handshake->cookie_len + 6 );
XiaokangQian0b64eed2022-01-27 10:36:51 +0000[diff] [blame]592
593 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding cookie extension" ) );
594
XiaokangQian0b64eed2022-01-27 10:36:51 +0000[diff] [blame]595 MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_COOKIE, p, 0 );
Jerry Yuac5ca5a2022-03-04 12:50:46 +0800[diff] [blame]596 MBEDTLS_PUT_UINT16_BE( handshake->cookie_len + 2, p, 2 );
597 MBEDTLS_PUT_UINT16_BE( handshake->cookie_len, p, 4 );
XiaokangQian233397e2022-02-07 08:32:16 +0000[diff] [blame]598 p += 6;
XiaokangQian0b64eed2022-01-27 10:36:51 +0000[diff] [blame]599
600 /* Cookie */
Jerry Yuac5ca5a2022-03-04 12:50:46 +0800[diff] [blame]601 memcpy( p, handshake->cookie, handshake->cookie_len );
XiaokangQian0b64eed2022-01-27 10:36:51 +0000[diff] [blame]602
Jerry Yuac5ca5a2022-03-04 12:50:46 +0800[diff] [blame]603 *out_len = handshake->cookie_len + 6;
XiaokangQian0b64eed2022-01-27 10:36:51 +0000[diff] [blame]604
Jerry Yuc4bf5d62022-10-29 09:08:47 +0800[diff] [blame]605 mbedtls_ssl_tls13_set_hs_sent_ext_mask( ssl, MBEDTLS_TLS_EXT_COOKIE );
Jerry Yu4b8f2f72022-10-31 13:31:22 +0800[diff] [blame]606
XiaokangQian0b64eed2022-01-27 10:36:51 +0000[diff] [blame]607 return( 0 );
608}
609
Ronald Cron41a443a2022-10-04 16:38:25 +0200[diff] [blame]610#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]611/*
612 * ssl_tls13_write_psk_key_exchange_modes_ext() structure:
613 *
614 * enum { psk_ke( 0 ), psk_dhe_ke( 1 ), ( 255 ) } PskKeyExchangeMode;
615 *
616 * struct {
617 * PskKeyExchangeMode ke_modes<1..255>;
618 * } PskKeyExchangeModes;
619 */
XiaokangQian86981952022-07-19 09:51:50 +0000[diff] [blame]620MBEDTLS_CHECK_RETURN_CRITICAL
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]621static int ssl_tls13_write_psk_key_exchange_modes_ext( mbedtls_ssl_context *ssl,
622 unsigned char *buf,
623 unsigned char *end,
624 size_t *out_len )
625{
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]626 unsigned char *p = buf;
XiaokangQian008d2bf2022-07-14 07:54:01 +0000[diff] [blame]627 int ke_modes_len = 0;
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]628
XiaokangQian008d2bf2022-07-14 07:54:01 +0000[diff] [blame]629 ((void) ke_modes_len );
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]630 *out_len = 0;
XiaokangQian008d2bf2022-07-14 07:54:01 +0000[diff] [blame]631
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]632 /* Skip writing extension if no PSK key exchange mode
XiaokangQian7c12d312022-07-20 07:25:43 +0000[diff] [blame]633 * is enabled in the config.
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]634 */
XiaokangQian86981952022-07-19 09:51:50 +0000[diff] [blame]635 if( !mbedtls_ssl_conf_tls13_some_psk_enabled( ssl ) )
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]636 {
637 MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip psk_key_exchange_modes extension" ) );
638 return( 0 );
639 }
640
641 /* Require 7 bytes of data, otherwise fail,
642 * even if extension might be shorter.
643 */
644 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 7 );
645 MBEDTLS_SSL_DEBUG_MSG(
646 3, ( "client hello, adding psk_key_exchange_modes extension" ) );
647
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]648 MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES, p, 0 );
649
XiaokangQian008d2bf2022-07-14 07:54:01 +0000[diff] [blame]650 /* Skip extension length (2 bytes) and
651 * ke_modes length (1 byte) for now.
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]652 */
653 p += 5;
654
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]655 if( mbedtls_ssl_conf_tls13_psk_ephemeral_enabled( ssl ) )
656 {
657 *p++ = MBEDTLS_SSL_TLS1_3_PSK_MODE_ECDHE;
XiaokangQian008d2bf2022-07-14 07:54:01 +0000[diff] [blame]658 ke_modes_len++;
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]659
660 MBEDTLS_SSL_DEBUG_MSG( 4, ( "Adding PSK-ECDHE key exchange mode" ) );
661 }
662
Ronald Crona709a0f2022-09-27 16:46:11 +0200[diff] [blame]663 if( mbedtls_ssl_conf_tls13_psk_enabled( ssl ) )
664 {
665 *p++ = MBEDTLS_SSL_TLS1_3_PSK_MODE_PURE;
666 ke_modes_len++;
667
668 MBEDTLS_SSL_DEBUG_MSG( 4, ( "Adding pure PSK key exchange mode" ) );
669 }
670
XiaokangQian008d2bf2022-07-14 07:54:01 +0000[diff] [blame]671 /* Now write the extension and ke_modes length */
672 MBEDTLS_PUT_UINT16_BE( ke_modes_len + 1, buf, 2 );
673 buf[4] = ke_modes_len;
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]674
675 *out_len = p - buf;
Jerry Yu0c354a22022-08-29 15:25:36 +0800[diff] [blame]676
Jerry Yuc4bf5d62022-10-29 09:08:47 +0800[diff] [blame]677 mbedtls_ssl_tls13_set_hs_sent_ext_mask(
678 ssl, MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES );
Jerry Yu4b8f2f72022-10-31 13:31:22 +0800[diff] [blame]679
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]680 return ( 0 );
681}
Jerry Yudb8c5fa2022-08-03 12:10:13 +0800[diff] [blame]682
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]683static psa_algorithm_t ssl_tls13_get_ciphersuite_hash_alg( int ciphersuite )
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]684{
Jerry Yu21f90952022-10-08 10:30:53 +0800[diff] [blame]685 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = NULL;
686 ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( ciphersuite );
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]687
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]688 if( ciphersuite_info != NULL )
689 return( mbedtls_psa_translate_md( ciphersuite_info->mac ) );
690
Jerry Yu21f90952022-10-08 10:30:53 +0800[diff] [blame]691 return( PSA_ALG_NONE );
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]692}
693
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]694#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Xiaokang Qianb781a232022-11-01 07:39:46 +0000[diff] [blame]695static int ssl_tls13_has_configured_ticket( mbedtls_ssl_context *ssl )
696{
697 mbedtls_ssl_session *session = ssl->session_negotiate;
698 return( ssl->handshake->resume &&
699 session != NULL && session->ticket != NULL );
700}
701
Xiaokang Qian01323a42022-11-03 02:27:35 +0000[diff] [blame]702#if defined(MBEDTLS_SSL_EARLY_DATA)
Xiaokang Qiana3412252022-11-04 10:13:19 +0000[diff] [blame]703static int ssl_tls13_early_data_has_valid_ticket( mbedtls_ssl_context *ssl )
Xiaokang Qian01323a42022-11-03 02:27:35 +0000[diff] [blame]704{
705 mbedtls_ssl_session *session = ssl->session_negotiate;
706 return( ssl->handshake->resume &&
Xiaokang Qian01323a42022-11-03 02:27:35 +0000[diff] [blame]707 session->tls_version == MBEDTLS_SSL_VERSION_TLS1_3 &&
Xiaokang Qianae07cd92022-11-09 08:09:47 +0000[diff] [blame]708 ( session->ticket_flags &
Xiaokang Qianfe3483f2022-11-09 10:45:23 +0000[diff] [blame]709 MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_EARLY_DATA ) &&
Xiaokang Qian01323a42022-11-03 02:27:35 +0000[diff] [blame]710 mbedtls_ssl_tls13_cipher_suite_is_offered(
711 ssl, session->ciphersuite ) );
712}
713#endif
714
Xiaokang Qianb781a232022-11-01 07:39:46 +0000[diff] [blame]715MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]716static int ssl_tls13_ticket_get_identity( mbedtls_ssl_context *ssl,
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]717 psa_algorithm_t *hash_alg,
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]718 const unsigned char **identity,
719 size_t *identity_len )
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]720{
721 mbedtls_ssl_session *session = ssl->session_negotiate;
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]722
Xiaokang Qianb781a232022-11-01 07:39:46 +0000[diff] [blame]723 if( !ssl_tls13_has_configured_ticket( ssl ) )
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]724 return( -1 );
725
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]726 *hash_alg = ssl_tls13_get_ciphersuite_hash_alg( session->ciphersuite );
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]727 *identity = session->ticket;
728 *identity_len = session->ticket_len;
729 return( 0 );
730}
731
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]732MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]733static int ssl_tls13_ticket_get_psk( mbedtls_ssl_context *ssl,
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]734 psa_algorithm_t *hash_alg,
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]735 const unsigned char **psk,
736 size_t *psk_len )
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]737{
738
739 mbedtls_ssl_session *session = ssl->session_negotiate;
740
Xiaokang Qianb781a232022-11-01 07:39:46 +0000[diff] [blame]741 if( !ssl_tls13_has_configured_ticket( ssl ) )
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]742 return( -1 );
743
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]744 *hash_alg = ssl_tls13_get_ciphersuite_hash_alg( session->ciphersuite );
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]745 *psk = session->resumption_key;
746 *psk_len = session->resumption_key_len;
747
748 return( 0 );
749}
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]750#endif /* MBEDTLS_SSL_SESSION_TICKETS */
751
752MBEDTLS_CHECK_RETURN_CRITICAL
753static int ssl_tls13_psk_get_identity( mbedtls_ssl_context *ssl,
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]754 psa_algorithm_t *hash_alg,
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]755 const unsigned char **identity,
756 size_t *identity_len )
757{
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]758
Ronald Cron083da8e2022-10-20 15:53:51 +0200[diff] [blame]759 if( ! mbedtls_ssl_conf_has_static_psk( ssl->conf ) )
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]760 return( -1 );
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]761
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]762 *hash_alg = PSA_ALG_SHA_256;
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]763 *identity = ssl->conf->psk_identity;
764 *identity_len = ssl->conf->psk_identity_len;
765 return( 0 );
766}
767
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]768MBEDTLS_CHECK_RETURN_CRITICAL
769static int ssl_tls13_psk_get_psk( mbedtls_ssl_context *ssl,
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]770 psa_algorithm_t *hash_alg,
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]771 const unsigned char **psk,
772 size_t *psk_len )
773{
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]774
Ronald Cron083da8e2022-10-20 15:53:51 +0200[diff] [blame]775 if( ! mbedtls_ssl_conf_has_static_psk( ssl->conf ) )
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]776 return( -1 );
777
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]778 *hash_alg = PSA_ALG_SHA_256;
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]779 *psk = ssl->conf->psk;
780 *psk_len = ssl->conf->psk_len;
781 return( 0 );
782}
783
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]784static int ssl_tls13_get_configured_psk_count( mbedtls_ssl_context *ssl )
785{
786 int configured_psk_count = 0;
787#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Xiaokang Qianb781a232022-11-01 07:39:46 +0000[diff] [blame]788 if( ssl_tls13_has_configured_ticket( ssl ) )
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]789 {
790 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Ticket is configured" ) );
791 configured_psk_count++;
792 }
793#endif
Ronald Crond29e13e2022-10-19 10:33:48 +0200[diff] [blame]794 if( mbedtls_ssl_conf_has_static_psk( ssl->conf ) )
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]795 {
796 MBEDTLS_SSL_DEBUG_MSG( 3, ( "PSK is configured" ) );
797 configured_psk_count++;
798 }
799 return( configured_psk_count );
800}
801
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]802MBEDTLS_CHECK_RETURN_CRITICAL
803static int ssl_tls13_write_identity( mbedtls_ssl_context *ssl,
804 unsigned char *buf,
805 unsigned char *end,
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]806 const unsigned char *identity,
807 size_t identity_len,
808 uint32_t obfuscated_ticket_age,
809 size_t *out_len )
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]810{
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]811 ((void) ssl);
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]812 *out_len = 0;
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]813
814 /*
815 * - identity_len (2 bytes)
816 * - identity (psk_identity_len bytes)
817 * - obfuscated_ticket_age (4 bytes)
818 */
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]819 MBEDTLS_SSL_CHK_BUF_PTR( buf, end, 6 + identity_len );
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]820
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]821 MBEDTLS_PUT_UINT16_BE( identity_len, buf, 0 );
822 memcpy( buf + 2, identity, identity_len );
823 MBEDTLS_PUT_UINT32_BE( obfuscated_ticket_age, buf, 2 + identity_len );
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]824
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]825 MBEDTLS_SSL_DEBUG_BUF( 4, "write identity", buf, 6 + identity_len );
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]826
827 *out_len = 6 + identity_len;
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]828
829 return( 0 );
830}
831
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]832MBEDTLS_CHECK_RETURN_CRITICAL
833static int ssl_tls13_write_binder( mbedtls_ssl_context *ssl,
834 unsigned char *buf,
835 unsigned char *end,
836 int psk_type,
Jerry Yu6183cc72022-09-30 11:08:57 +0800[diff] [blame]837 psa_algorithm_t hash_alg,
838 const unsigned char *psk,
839 size_t psk_len,
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]840 size_t *out_len )
841{
842 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]843 unsigned char binder_len;
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]844 unsigned char transcript[ MBEDTLS_TLS1_3_MD_MAX_SIZE ];
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]845 size_t transcript_len = 0;
846
847 *out_len = 0;
848
Jerry Yu6183cc72022-09-30 11:08:57 +0800[diff] [blame]849 binder_len = PSA_HASH_LENGTH( hash_alg );
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]850
851 /*
852 * - binder_len (1 bytes)
853 * - binder (binder_len bytes)
854 */
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]855 MBEDTLS_SSL_CHK_BUF_PTR( buf, end, 1 + binder_len );
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]856
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]857 buf[0] = binder_len;
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]858
859 /* Get current state of handshake transcript. */
860 ret = mbedtls_ssl_get_handshake_transcript(
Jerry Yu6183cc72022-09-30 11:08:57 +0800[diff] [blame]861 ssl, mbedtls_hash_info_md_from_psa( hash_alg ),
Jerry Yu6916e702022-10-10 21:33:51 +0800[diff] [blame]862 transcript, sizeof( transcript ), &transcript_len );
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]863 if( ret != 0 )
864 return( ret );
865
Jerry Yu6183cc72022-09-30 11:08:57 +0800[diff] [blame]866 ret = mbedtls_ssl_tls13_create_psk_binder( ssl, hash_alg,
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]867 psk, psk_len, psk_type,
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]868 transcript, buf + 1 );
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]869 if( ret != 0 )
870 {
871 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_create_psk_binder", ret );
872 return( ret );
873 }
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]874 MBEDTLS_SSL_DEBUG_BUF( 4, "write binder", buf, 1 + binder_len );
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]875
876 *out_len = 1 + binder_len;
877
Jerry Yu6916e702022-10-10 21:33:51 +0800[diff] [blame]878 return( 0 );
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]879}
880
881/*
882 * mbedtls_ssl_tls13_write_identities_of_pre_shared_key_ext() structure:
883 *
884 * struct {
885 * opaque identity<1..2^16-1>;
886 * uint32 obfuscated_ticket_age;
887 * } PskIdentity;
888 *
889 * opaque PskBinderEntry<32..255>;
890 *
891 * struct {
892 * PskIdentity identities<7..2^16-1>;
893 * PskBinderEntry binders<33..2^16-1>;
894 * } OfferedPsks;
895 *
896 * struct {
897 * select (Handshake.msg_type) {
898 * case client_hello: OfferedPsks;
899 * ...
900 * };
901 * } PreSharedKeyExtension;
902 *
903 */
XiaokangQian3ad67bf2022-07-21 02:26:21 +0000[diff] [blame]904int mbedtls_ssl_tls13_write_identities_of_pre_shared_key_ext(
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]905 mbedtls_ssl_context *ssl, unsigned char *buf, unsigned char *end,
906 size_t *out_len, size_t *binders_len )
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]907{
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]908 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]909 int configured_psk_count = 0;
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]910 unsigned char *p = buf;
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]911 psa_algorithm_t hash_alg;
912 const unsigned char *identity;
913 size_t identity_len;
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]914 size_t l_binders_len = 0;
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]915 size_t output_len;
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]916
917 *out_len = 0;
918 *binders_len = 0;
919
920 /* Check if we have any PSKs to offer. If no, skip pre_shared_key */
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]921 configured_psk_count = ssl_tls13_get_configured_psk_count( ssl );
922 if( configured_psk_count == 0 )
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]923 {
924 MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip pre_shared_key extensions" ) );
925 return( 0 );
926 }
927
928 MBEDTLS_SSL_DEBUG_MSG( 4, ( "Pre-configured PSK number = %d",
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]929 configured_psk_count ) );
930
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]931 /* Check if we have space to write the extension, binders included.
932 * - extension_type (2 bytes)
933 * - extension_data_len (2 bytes)
934 * - identities_len (2 bytes)
935 */
936 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 6 );
937 p += 6;
938
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]939#if defined(MBEDTLS_SSL_SESSION_TICKETS)
940 if( ssl_tls13_ticket_get_identity(
941 ssl, &hash_alg, &identity, &identity_len ) == 0 )
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]942 {
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]943#if defined(MBEDTLS_HAVE_TIME)
944 mbedtls_time_t now = mbedtls_time( NULL );
945 mbedtls_ssl_session *session = ssl->session_negotiate;
Jerry Yu6916e702022-10-10 21:33:51 +0800[diff] [blame]946 uint32_t obfuscated_ticket_age =
947 (uint32_t)( now - session->ticket_received );
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]948
Jerry Yu3e60cad2023-01-10 14:58:08 +0800[diff] [blame]949 /*
950 * The ticket timestamp is in seconds but the ticket age is in
951 * milliseconds. If the ticket was received at the end of a second and
952 * re-used here just at the beginning of the next second, the computed
953 * age `now - session->ticket_received` is equal to 1s thus 1000 ms
954 * while the actual age could be just a few milliseconds or tens of
955 * milliseconds. If the server has more accurate ticket timestamps
956 * (typically timestamps in milliseconds), as part of the processing of
957 * the ClientHello, it may compute a ticket lifetime smaller than the
958 * one computed here and potentially reject the ticket. To avoid that,
959 * remove one second to the ticket age if possible.
Jerry Yubdb936b2023-01-07 16:07:46 +0800[diff] [blame]960 */
961 if( obfuscated_ticket_age > 0 )
962 obfuscated_ticket_age -= 1;
963
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]964 obfuscated_ticket_age *= 1000;
965 obfuscated_ticket_age += session->ticket_age_add;
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]966
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]967 ret = ssl_tls13_write_identity( ssl, p, end,
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]968 identity, identity_len,
969 obfuscated_ticket_age,
970 &output_len );
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]971#else
972 ret = ssl_tls13_write_identity( ssl, p, end, identity, identity_len,
973 0, &output_len );
974#endif /* MBEDTLS_HAVE_TIME */
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]975 if( ret != 0 )
976 return( ret );
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]977
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]978 p += output_len;
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]979 l_binders_len += 1 + PSA_HASH_LENGTH( hash_alg );
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]980 }
981#endif /* MBEDTLS_SSL_SESSION_TICKETS */
982
983 if( ssl_tls13_psk_get_identity(
984 ssl, &hash_alg, &identity, &identity_len ) == 0 )
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]985 {
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]986
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]987 ret = ssl_tls13_write_identity( ssl, p, end, identity, identity_len, 0,
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]988 &output_len );
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]989 if( ret != 0 )
990 return( ret );
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]991
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]992 p += output_len;
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]993 l_binders_len += 1 + PSA_HASH_LENGTH( hash_alg );
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]994 }
995
996 MBEDTLS_SSL_DEBUG_MSG( 3,
997 ( "client hello, adding pre_shared_key extension, "
998 "omitting PSK binder list" ) );
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]999
1000 /* Take into account the two bytes for the length of the binders. */
1001 l_binders_len += 2;
Jerry Yu6916e702022-10-10 21:33:51 +0800[diff] [blame]1002 /* Check if there is enough space for binders */
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]1003 MBEDTLS_SSL_CHK_BUF_PTR( p, end, l_binders_len );
1004
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]1005 /*
1006 * - extension_type (2 bytes)
1007 * - extension_data_len (2 bytes)
1008 * - identities_len (2 bytes)
1009 */
1010 MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_PRE_SHARED_KEY, buf, 0 );
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]1011 MBEDTLS_PUT_UINT16_BE( p - buf - 4 + l_binders_len , buf, 2 );
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]1012 MBEDTLS_PUT_UINT16_BE( p - buf - 6 , buf, 4 );
1013
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]1014 *out_len = ( p - buf ) + l_binders_len;
1015 *binders_len = l_binders_len;
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]1016
1017 MBEDTLS_SSL_DEBUG_BUF( 3, "pre_shared_key identities", buf, p - buf );
1018
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]1019 return( 0 );
1020}
1021
XiaokangQian86981952022-07-19 09:51:50 +0000[diff] [blame]1022int mbedtls_ssl_tls13_write_binders_of_pre_shared_key_ext(
Jerry Yu0c6105b2022-08-12 17:26:40 +0800[diff] [blame]1023 mbedtls_ssl_context *ssl, unsigned char *buf, unsigned char *end )
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]1024{
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]1025 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1026 unsigned char *p = buf;
Jerry Yu6183cc72022-09-30 11:08:57 +0800[diff] [blame]1027 psa_algorithm_t hash_alg = PSA_ALG_NONE;
1028 const unsigned char *psk;
1029 size_t psk_len;
1030 size_t output_len;
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]1031
1032 /* Check if we have space to write binders_len.
1033 * - binders_len (2 bytes)
1034 */
1035 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 );
1036 p += 2;
1037
Jerry Yu6183cc72022-09-30 11:08:57 +0800[diff] [blame]1038#if defined(MBEDTLS_SSL_SESSION_TICKETS)
1039 if( ssl_tls13_ticket_get_psk( ssl, &hash_alg, &psk, &psk_len ) == 0 )
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]1040 {
Jerry Yu6183cc72022-09-30 11:08:57 +0800[diff] [blame]1041
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]1042 ret = ssl_tls13_write_binder( ssl, p, end,
1043 MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION,
Jerry Yu6183cc72022-09-30 11:08:57 +0800[diff] [blame]1044 hash_alg, psk, psk_len,
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]1045 &output_len );
1046 if( ret != 0 )
1047 return( ret );
1048 p += output_len;
1049 }
Jerry Yu6183cc72022-09-30 11:08:57 +0800[diff] [blame]1050#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]1051
Jerry Yu6183cc72022-09-30 11:08:57 +0800[diff] [blame]1052 if( ssl_tls13_psk_get_psk( ssl, &hash_alg, &psk, &psk_len ) == 0 )
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]1053 {
Jerry Yu6183cc72022-09-30 11:08:57 +0800[diff] [blame]1054
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]1055 ret = ssl_tls13_write_binder( ssl, p, end,
1056 MBEDTLS_SSL_TLS1_3_PSK_EXTERNAL,
Jerry Yu6183cc72022-09-30 11:08:57 +0800[diff] [blame]1057 hash_alg, psk, psk_len,
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]1058 &output_len );
1059 if( ret != 0 )
1060 return( ret );
1061 p += output_len;
1062 }
1063
1064 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding PSK binder list." ) );
1065
1066 /*
1067 * - binders_len (2 bytes)
1068 */
1069 MBEDTLS_PUT_UINT16_BE( p - buf - 2, buf, 0 );
1070
1071 MBEDTLS_SSL_DEBUG_BUF( 3, "pre_shared_key binders", buf, p - buf );
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]1072
Jerry Yuc4bf5d62022-10-29 09:08:47 +0800[diff] [blame]1073 mbedtls_ssl_tls13_set_hs_sent_ext_mask(
1074 ssl, MBEDTLS_TLS_EXT_PRE_SHARED_KEY );
Jerry Yu0c354a22022-08-29 15:25:36 +0800[diff] [blame]1075
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]1076 return( 0 );
1077}
Jerry Yu0c6105b2022-08-12 17:26:40 +0800[diff] [blame]1078
1079/*
1080 * struct {
1081 * opaque identity<1..2^16-1>;
1082 * uint32 obfuscated_ticket_age;
1083 * } PskIdentity;
1084 *
1085 * opaque PskBinderEntry<32..255>;
1086 *
1087 * struct {
1088 *
1089 * select (Handshake.msg_type) {
1090 * ...
1091 * case server_hello: uint16 selected_identity;
1092 * };
1093 *
1094 * } PreSharedKeyExtension;
1095 *
1096 */
1097MBEDTLS_CHECK_RETURN_CRITICAL
1098static int ssl_tls13_parse_server_pre_shared_key_ext( mbedtls_ssl_context *ssl,
1099 const unsigned char *buf,
1100 const unsigned char *end )
1101{
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]1102 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yub300e3c2022-09-28 22:12:07 +0800[diff] [blame]1103 int selected_identity;
Jerry Yub300e3c2022-09-28 22:12:07 +0800[diff] [blame]1104 const unsigned char *psk;
1105 size_t psk_len;
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]1106 psa_algorithm_t hash_alg;
Jerry Yub300e3c2022-09-28 22:12:07 +0800[diff] [blame]1107
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]1108 MBEDTLS_SSL_CHK_BUF_READ_PTR( buf, end, 2 );
Jerry Yub300e3c2022-09-28 22:12:07 +0800[diff] [blame]1109 selected_identity = MBEDTLS_GET_UINT16_BE( buf, 0 );
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]1110
Jerry Yub300e3c2022-09-28 22:12:07 +0800[diff] [blame]1111 MBEDTLS_SSL_DEBUG_MSG( 3, ( "selected_identity = %d", selected_identity ) );
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]1112
Jerry Yu4a698342022-09-30 12:22:01 +0800[diff] [blame]1113 if( selected_identity >= ssl_tls13_get_configured_psk_count( ssl ) )
Jerry Yub300e3c2022-09-28 22:12:07 +0800[diff] [blame]1114 {
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]1115 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Invalid PSK identity." ) );
Jerry Yu4a698342022-09-30 12:22:01 +0800[diff] [blame]1116
1117 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
1118 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
1119 return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
Jerry Yub300e3c2022-09-28 22:12:07 +0800[diff] [blame]1120 }
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]1121
Jerry Yu4a698342022-09-30 12:22:01 +0800[diff] [blame]1122#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Xiaokang Qianecc29482022-11-02 07:52:47 +0000[diff] [blame]1123 if( selected_identity == 0 && ssl_tls13_has_configured_ticket( ssl ) )
Jerry Yub300e3c2022-09-28 22:12:07 +0800[diff] [blame]1124 {
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]1125 ret = ssl_tls13_ticket_get_psk( ssl, &hash_alg, &psk, &psk_len );
Jerry Yu4a698342022-09-30 12:22:01 +0800[diff] [blame]1126 }
1127 else
1128#endif
Ronald Crond29e13e2022-10-19 10:33:48 +0200[diff] [blame]1129 if( mbedtls_ssl_conf_has_static_psk( ssl->conf ) )
Jerry Yu4a698342022-09-30 12:22:01 +0800[diff] [blame]1130 {
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]1131 ret = ssl_tls13_psk_get_psk( ssl, &hash_alg, &psk, &psk_len );
Jerry Yub300e3c2022-09-28 22:12:07 +0800[diff] [blame]1132 }
1133 else
1134 {
1135 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1136 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
1137 }
Jerry Yub300e3c2022-09-28 22:12:07 +0800[diff] [blame]1138 if( ret != 0 )
1139 return( ret );
1140
1141 ret = mbedtls_ssl_set_hs_psk( ssl, psk, psk_len );
1142 if( ret != 0 )
1143 {
1144 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_set_hs_psk", ret );
Jerry Yu6916e702022-10-10 21:33:51 +0800[diff] [blame]1145 return( ret );
Jerry Yub300e3c2022-09-28 22:12:07 +0800[diff] [blame]1146 }
Jerry Yub300e3c2022-09-28 22:12:07 +0800[diff] [blame]1147
Jerry Yu6916e702022-10-10 21:33:51 +0800[diff] [blame]1148 return( 0 );
Jerry Yu0c6105b2022-08-12 17:26:40 +0800[diff] [blame]1149}
Ronald Cron41a443a2022-10-04 16:38:25 +0200[diff] [blame]1150#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]1151
Ronald Cron3d580bf2022-02-18 17:24:56 +0100[diff] [blame]1152int mbedtls_ssl_tls13_write_client_hello_exts( mbedtls_ssl_context *ssl,
1153 unsigned char *buf,
1154 unsigned char *end,
1155 size_t *out_len )
Ronald Cron04fbd2b2022-02-18 12:06:07 +0100[diff] [blame]1156{
1157 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1158 unsigned char *p = buf;
1159 size_t ext_len;
1160
1161 *out_len = 0;
1162
1163 /* Write supported_versions extension
1164 *
1165 * Supported Versions Extension is mandatory with TLS 1.3.
1166 */
1167 ret = ssl_tls13_write_supported_versions_ext( ssl, p, end, &ext_len );
1168 if( ret != 0 )
1169 return( ret );
1170 p += ext_len;
1171
1172 /* Echo the cookie if the server provided one in its preceding
1173 * HelloRetryRequest message.
1174 */
1175 ret = ssl_tls13_write_cookie_ext( ssl, p, end, &ext_len );
1176 if( ret != 0 )
1177 return( ret );
1178 p += ext_len;
1179
Ronald Cron766c0cd2022-10-18 12:17:11 +0200[diff] [blame]1180#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)
Ronald Cron04fbd2b2022-02-18 12:06:07 +0100[diff] [blame]1181 if( mbedtls_ssl_conf_tls13_some_ephemeral_enabled( ssl ) )
1182 {
1183 ret = ssl_tls13_write_key_share_ext( ssl, p, end, &ext_len );
1184 if( ret != 0 )
1185 return( ret );
1186 p += ext_len;
1187 }
Ronald Cron766c0cd2022-10-18 12:17:11 +0200[diff] [blame]1188#endif
Ronald Cron04fbd2b2022-02-18 12:06:07 +0100[diff] [blame]1189
Xiaokang Qian0e97d4d2022-10-24 11:12:51 +0000[diff] [blame]1190#if defined(MBEDTLS_SSL_EARLY_DATA)
1191 if( mbedtls_ssl_conf_tls13_some_psk_enabled( ssl ) &&
Xiaokang Qianf447e8a2022-11-08 07:02:27 +0000[diff] [blame]1192 ssl_tls13_early_data_has_valid_ticket( ssl ) &&
Xiaokang Qian0e97d4d2022-10-24 11:12:51 +0000[diff] [blame]1193 ssl->conf->early_data_enabled == MBEDTLS_SSL_EARLY_DATA_ENABLED )
1194 {
1195 ret = mbedtls_ssl_tls13_write_early_data_ext( ssl, p, end, &ext_len );
1196 if( ret != 0 )
1197 return( ret );
1198 p += ext_len;
1199
Ronald Cron4a8c9e22022-10-26 18:49:09 +0200[diff] [blame]1200 /* Initializes the status to `rejected`. It will be updated to
1201 * `accepted` if the EncryptedExtension message contain an early data
1202 * indication extension.
Xiaokang Qiana042b842022-11-09 01:59:33 +0000[diff] [blame]1203 */
Ronald Cron4a8c9e22022-10-26 18:49:09 +0200[diff] [blame]1204 ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED;
Xiaokang Qian0e97d4d2022-10-24 11:12:51 +0000[diff] [blame]1205 }
1206 else
1207 {
1208 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write early_data extension" ) );
Xiaokang Qianf447e8a2022-11-08 07:02:27 +0000[diff] [blame]1209 ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT;
Xiaokang Qian0e97d4d2022-10-24 11:12:51 +0000[diff] [blame]1210 }
1211#endif /* MBEDTLS_SSL_EARLY_DATA */
1212
Ronald Cron41a443a2022-10-04 16:38:25 +0200[diff] [blame]1213#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]1214 /* For PSK-based key exchange we need the pre_shared_key extension
1215 * and the psk_key_exchange_modes extension.
1216 *
1217 * The pre_shared_key extension MUST be the last extension in the
1218 * ClientHello. Servers MUST check that it is the last extension and
1219 * otherwise fail the handshake with an "illegal_parameter" alert.
1220 *
1221 * Add the psk_key_exchange_modes extension.
1222 */
1223 ret = ssl_tls13_write_psk_key_exchange_modes_ext( ssl, p, end, &ext_len );
1224 if( ret != 0 )
1225 return( ret );
1226 p += ext_len;
Ronald Cron41a443a2022-10-04 16:38:25 +0200[diff] [blame]1227#endif
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]1228
Ronald Cron04fbd2b2022-02-18 12:06:07 +0100[diff] [blame]1229 *out_len = p - buf;
1230
1231 return( 0 );
1232}
1233
Jerry Yu1bc2c1f2021-09-01 12:57:29 +0800[diff] [blame]1234/*
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1235 * Functions for parsing and processing Server Hello
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1236 */
Ronald Cronfd6193c2022-04-05 11:04:20 +0200[diff] [blame]1237
Ronald Cronda41b382022-03-30 09:57:11 +0200[diff] [blame]1238/**
1239 * \brief Detect if the ServerHello contains a supported_versions extension
1240 * or not.
1241 *
1242 * \param[in] ssl SSL context
1243 * \param[in] buf Buffer containing the ServerHello message
1244 * \param[in] end End of the buffer containing the ServerHello message
1245 *
1246 * \return 0 if the ServerHello does not contain a supported_versions extension
1247 * \return 1 if the ServerHello contains a supported_versions extension
1248 * \return A negative value if an error occurred while parsing the ServerHello.
1249 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1250MBEDTLS_CHECK_RETURN_CRITICAL
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]1251static int ssl_tls13_is_supported_versions_ext_present(
1252 mbedtls_ssl_context *ssl,
1253 const unsigned char *buf,
1254 const unsigned char *end )
1255{
1256 const unsigned char *p = buf;
1257 size_t legacy_session_id_echo_len;
1258 size_t extensions_len;
1259 const unsigned char *extensions_end;
1260
1261 /*
1262 * Check there is enough data to access the legacy_session_id_echo vector
Ronald Cronda41b382022-03-30 09:57:11 +0200[diff] [blame]1263 * length:
1264 * - legacy_version 2 bytes
1265 * - random MBEDTLS_SERVER_HELLO_RANDOM_LEN bytes
1266 * - legacy_session_id_echo length 1 byte
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]1267 */
1268 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, MBEDTLS_SERVER_HELLO_RANDOM_LEN + 3 );
1269 p += MBEDTLS_SERVER_HELLO_RANDOM_LEN + 2;
1270 legacy_session_id_echo_len = *p;
1271
1272 /*
1273 * Jump to the extensions, jumping over:
1274 * - legacy_session_id_echo (legacy_session_id_echo_len + 1) bytes
1275 * - cipher_suite 2 bytes
1276 * - legacy_compression_method 1 byte
1277 */
Ronald Cron28271062022-06-10 14:43:55 +0200[diff] [blame]1278 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, legacy_session_id_echo_len + 4 );
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]1279 p += legacy_session_id_echo_len + 4;
1280
1281 /* Case of no extension */
1282 if( p == end )
1283 return( 0 );
1284
1285 /* ...
1286 * Extension extensions<6..2^16-1>;
1287 * ...
1288 * struct {
1289 * ExtensionType extension_type; (2 bytes)
1290 * opaque extension_data<0..2^16-1>;
1291 * } Extension;
1292 */
1293 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
1294 extensions_len = MBEDTLS_GET_UINT16_BE( p, 0 );
1295 p += 2;
1296
1297 /* Check extensions do not go beyond the buffer of data. */
1298 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, extensions_len );
1299 extensions_end = p + extensions_len;
1300
1301 while( p < extensions_end )
1302 {
1303 unsigned int extension_type;
1304 size_t extension_data_len;
1305
1306 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, 4 );
1307 extension_type = MBEDTLS_GET_UINT16_BE( p, 0 );
1308 extension_data_len = MBEDTLS_GET_UINT16_BE( p, 2 );
1309 p += 4;
1310
1311 if( extension_type == MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS )
1312 return( 1 );
1313
1314 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, extension_data_len );
1315 p += extension_data_len;
1316 }
1317
1318 return( 0 );
1319}
1320
Jerry Yu7a186a02021-10-15 18:46:14 +0800[diff] [blame]1321/* Returns a negative value on failure, and otherwise
Ronald Cronfd6193c2022-04-05 11:04:20 +0200[diff] [blame]1322 * - 1 if the last eight bytes of the ServerHello random bytes indicate that
1323 * the server is TLS 1.3 capable but negotiating TLS 1.2 or below.
1324 * - 0 otherwise
1325 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1326MBEDTLS_CHECK_RETURN_CRITICAL
Ronald Cronfd6193c2022-04-05 11:04:20 +0200[diff] [blame]1327static int ssl_tls13_is_downgrade_negotiation( mbedtls_ssl_context *ssl,
1328 const unsigned char *buf,
1329 const unsigned char *end )
1330{
1331 /* First seven bytes of the magic downgrade strings, see RFC 8446 4.1.3 */
1332 static const unsigned char magic_downgrade_string[] =
1333 { 0x44, 0x4F, 0x57, 0x4E, 0x47, 0x52, 0x44 };
1334 const unsigned char *last_eight_bytes_of_random;
1335 unsigned char last_byte_of_random;
1336
1337 MBEDTLS_SSL_CHK_BUF_READ_PTR( buf, end, MBEDTLS_SERVER_HELLO_RANDOM_LEN + 2 );
1338 last_eight_bytes_of_random = buf + 2 + MBEDTLS_SERVER_HELLO_RANDOM_LEN - 8;
1339
1340 if( memcmp( last_eight_bytes_of_random,
1341 magic_downgrade_string,
1342 sizeof( magic_downgrade_string ) ) == 0 )
1343 {
1344 last_byte_of_random = last_eight_bytes_of_random[7];
1345 return( last_byte_of_random == 0 ||
1346 last_byte_of_random == 1 );
1347 }
1348
1349 return( 0 );
1350}
1351
1352/* Returns a negative value on failure, and otherwise
Ronald Cron828aff62022-05-31 12:04:31 +0200[diff] [blame]1353 * - SSL_SERVER_HELLO or
1354 * - SSL_SERVER_HELLO_HRR
XiaokangQian51eff222021-12-10 10:33:56 +0000[diff] [blame]1355 * to indicate which message is expected and to be parsed next.
1356 */
Ronald Cron828aff62022-05-31 12:04:31 +0200[diff] [blame]1357#define SSL_SERVER_HELLO 0
1358#define SSL_SERVER_HELLO_HRR 1
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1359MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1360static int ssl_server_hello_is_hrr( mbedtls_ssl_context *ssl,
1361 const unsigned char *buf,
1362 const unsigned char *end )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1363{
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1364
1365 /* Check whether this message is a HelloRetryRequest ( HRR ) message.
1366 *
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1367 * Server Hello and HRR are only distinguished by Random set to the
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1368 * special value of the SHA-256 of "HelloRetryRequest".
1369 *
1370 * struct {
1371 * ProtocolVersion legacy_version = 0x0303;
1372 * Random random;
1373 * opaque legacy_session_id_echo<0..32>;
1374 * CipherSuite cipher_suite;
1375 * uint8 legacy_compression_method = 0;
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1376 * Extension extensions<6..2^16-1>;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1377 * } ServerHello;
1378 *
1379 */
Jerry Yu93a13f22022-04-11 23:00:01 +0800[diff] [blame]1380 MBEDTLS_SSL_CHK_BUF_READ_PTR( buf, end,
1381 2 + sizeof( mbedtls_ssl_tls13_hello_retry_request_magic ) );
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1382
Jerry Yu93a13f22022-04-11 23:00:01 +0800[diff] [blame]1383 if( memcmp( buf + 2, mbedtls_ssl_tls13_hello_retry_request_magic,
1384 sizeof( mbedtls_ssl_tls13_hello_retry_request_magic ) ) == 0 )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1385 {
Ronald Cron828aff62022-05-31 12:04:31 +0200[diff] [blame]1386 return( SSL_SERVER_HELLO_HRR );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1387 }
1388
Ronald Cron828aff62022-05-31 12:04:31 +0200[diff] [blame]1389 return( SSL_SERVER_HELLO );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1390}
1391
Ronald Cron828aff62022-05-31 12:04:31 +0200[diff] [blame]1392/*
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1393 * Returns a negative value on failure, and otherwise
Ronald Cron828aff62022-05-31 12:04:31 +0200[diff] [blame]1394 * - SSL_SERVER_HELLO or
1395 * - SSL_SERVER_HELLO_HRR or
1396 * - SSL_SERVER_HELLO_TLS1_2
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1397 */
Ronald Cron828aff62022-05-31 12:04:31 +0200[diff] [blame]1398#define SSL_SERVER_HELLO_TLS1_2 2
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1399MBEDTLS_CHECK_RETURN_CRITICAL
Ronald Cron828aff62022-05-31 12:04:31 +0200[diff] [blame]1400static int ssl_tls13_preprocess_server_hello( mbedtls_ssl_context *ssl,
Ronald Crondb5dfa12022-05-31 11:44:38 +0200[diff] [blame]1401 const unsigned char *buf,
1402 const unsigned char *end )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1403{
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1404 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Ronald Cron5afb9042022-05-31 12:11:39 +0200[diff] [blame]1405 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1406
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]1407 MBEDTLS_SSL_PROC_CHK_NEG( ssl_tls13_is_supported_versions_ext_present(
Ronald Crondb5dfa12022-05-31 11:44:38 +0200[diff] [blame]1408 ssl, buf, end ) );
Jerry Yua66fece2022-07-13 14:30:29 +0800[diff] [blame]1409
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]1410 if( ret == 0 )
1411 {
Ronald Cronfd6193c2022-04-05 11:04:20 +0200[diff] [blame]1412 MBEDTLS_SSL_PROC_CHK_NEG(
Ronald Crondb5dfa12022-05-31 11:44:38 +0200[diff] [blame]1413 ssl_tls13_is_downgrade_negotiation( ssl, buf, end ) );
Ronald Cronfd6193c2022-04-05 11:04:20 +0200[diff] [blame]1414
1415 /* If the server is negotiating TLS 1.2 or below and:
1416 * . we did not propose TLS 1.2 or
1417 * . the server responded it is TLS 1.3 capable but negotiating a lower
1418 * version of the protocol and thus we are under downgrade attack
1419 * abort the handshake with an "illegal parameter" alert.
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]1420 */
Ronald Cron5afb9042022-05-31 12:11:39 +0200[diff] [blame]1421 if( handshake->min_tls_version > MBEDTLS_SSL_VERSION_TLS1_2 || ret )
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]1422 {
1423 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
1424 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
1425 return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
1426 }
1427
1428 ssl->keep_current_message = 1;
Glenn Strauss60bfe602022-03-14 19:04:24 -0400[diff] [blame]1429 ssl->tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]1430 mbedtls_ssl_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_SERVER_HELLO,
Ronald Crondb5dfa12022-05-31 11:44:38 +0200[diff] [blame]1431 buf, (size_t)(end - buf) );
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]1432
1433 if( mbedtls_ssl_conf_tls13_some_ephemeral_enabled( ssl ) )
1434 {
1435 ret = ssl_tls13_reset_key_share( ssl );
1436 if( ret != 0 )
1437 return( ret );
1438 }
1439
Ronald Cron828aff62022-05-31 12:04:31 +0200[diff] [blame]1440 return( SSL_SERVER_HELLO_TLS1_2 );
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]1441 }
1442
Jerry Yua66fece2022-07-13 14:30:29 +0800[diff] [blame]1443#if defined(MBEDTLS_SSL_SESSION_TICKETS)
1444 ssl->session_negotiate->endpoint = ssl->conf->endpoint;
1445 ssl->session_negotiate->tls_version = ssl->tls_version;
1446#endif /* MBEDTLS_SSL_SESSION_TICKETS */
1447
Jerry Yu50e00e32022-10-31 14:45:01 +0800[diff] [blame]1448 handshake->received_extensions = MBEDTLS_SSL_EXT_MASK_NONE;
Ronald Cron5afb9042022-05-31 12:11:39 +0200[diff] [blame]1449
Ronald Crondb5dfa12022-05-31 11:44:38 +0200[diff] [blame]1450 ret = ssl_server_hello_is_hrr( ssl, buf, end );
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1451 switch( ret )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1452 {
Ronald Cron828aff62022-05-31 12:04:31 +0200[diff] [blame]1453 case SSL_SERVER_HELLO:
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1454 MBEDTLS_SSL_DEBUG_MSG( 2, ( "received ServerHello message" ) );
1455 break;
Ronald Cron828aff62022-05-31 12:04:31 +0200[diff] [blame]1456 case SSL_SERVER_HELLO_HRR:
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1457 MBEDTLS_SSL_DEBUG_MSG( 2, ( "received HelloRetryRequest message" ) );
XiaokangQian16acd4b2022-01-14 07:35:47 +0000[diff] [blame]1458 /* If a client receives a second
1459 * HelloRetryRequest in the same connection (i.e., where the ClientHello
1460 * was itself in response to a HelloRetryRequest), it MUST abort the
1461 * handshake with an "unexpected_message" alert.
1462 */
Ronald Cron5afb9042022-05-31 12:11:39 +0200[diff] [blame]1463 if( handshake->hello_retry_request_count > 0 )
XiaokangQian16acd4b2022-01-14 07:35:47 +0000[diff] [blame]1464 {
1465 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Multiple HRRs received" ) );
1466 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE,
1467 MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
1468 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
1469 }
XiaokangQian2b01dc32022-01-21 02:53:13 +0000[diff] [blame]1470 /*
1471 * Clients must abort the handshake with an "illegal_parameter"
1472 * alert if the HelloRetryRequest would not result in any change
1473 * in the ClientHello.
1474 * In a PSK only key exchange that what we expect.
1475 */
1476 if( ! mbedtls_ssl_conf_tls13_some_ephemeral_enabled( ssl ) )
1477 {
1478 MBEDTLS_SSL_DEBUG_MSG( 1,
1479 ( "Unexpected HRR in pure PSK key exchange." ) );
1480 MBEDTLS_SSL_PEND_FATAL_ALERT(
1481 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
1482 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
1483 return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
1484 }
XiaokangQian16acd4b2022-01-14 07:35:47 +0000[diff] [blame]1485
Ronald Cron5afb9042022-05-31 12:11:39 +0200[diff] [blame]1486 handshake->hello_retry_request_count++;
XiaokangQian16acd4b2022-01-14 07:35:47 +0000[diff] [blame]1487
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1488 break;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1489 }
1490
1491cleanup:
1492
1493 return( ret );
1494}
1495
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1496MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1497static int ssl_tls13_check_server_hello_session_id_echo( mbedtls_ssl_context *ssl,
1498 const unsigned char **buf,
1499 const unsigned char *end )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1500{
1501 const unsigned char *p = *buf;
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1502 size_t legacy_session_id_echo_len;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1503
Jerry Yude4fb2c2021-09-19 18:05:08 +0800[diff] [blame]1504 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 1 );
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1505 legacy_session_id_echo_len = *p++ ;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1506
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1507 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, legacy_session_id_echo_len );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1508
1509 /* legacy_session_id_echo */
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1510 if( ssl->session_negotiate->id_len != legacy_session_id_echo_len ||
1511 memcmp( ssl->session_negotiate->id, p , legacy_session_id_echo_len ) != 0 )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1512 {
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1513 MBEDTLS_SSL_DEBUG_BUF( 3, "Expected Session ID",
1514 ssl->session_negotiate->id,
1515 ssl->session_negotiate->id_len );
1516 MBEDTLS_SSL_DEBUG_BUF( 3, "Received Session ID", p,
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1517 legacy_session_id_echo_len );
1518
1519 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
1520 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
1521
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1522 return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
1523 }
1524
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1525 p += legacy_session_id_echo_len;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1526 *buf = p;
1527
1528 MBEDTLS_SSL_DEBUG_BUF( 3, "Session ID", ssl->session_negotiate->id,
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1529 ssl->session_negotiate->id_len );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1530 return( 0 );
1531}
1532
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1533/* Parse ServerHello message and configure context
1534 *
1535 * struct {
1536 * ProtocolVersion legacy_version = 0x0303; // TLS 1.2
1537 * Random random;
1538 * opaque legacy_session_id_echo<0..32>;
1539 * CipherSuite cipher_suite;
1540 * uint8 legacy_compression_method = 0;
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1541 * Extension extensions<6..2^16-1>;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1542 * } ServerHello;
1543 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1544MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yuc068b662021-10-11 22:30:19 +0800[diff] [blame]1545static int ssl_tls13_parse_server_hello( mbedtls_ssl_context *ssl,
1546 const unsigned char *buf,
XiaokangQiand9e068e2022-01-18 06:23:32 +0000[diff] [blame]1547 const unsigned char *end,
1548 int is_hrr )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1549{
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1550 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1551 const unsigned char *p = buf;
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]1552 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1553 size_t extensions_len;
1554 const unsigned char *extensions_end;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1555 uint16_t cipher_suite;
Jerry Yude4fb2c2021-09-19 18:05:08 +0800[diff] [blame]1556 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
XiaokangQianb119a352022-01-26 03:29:10 +0000[diff] [blame]1557 int fatal_alert = 0;
Jerry Yu0c354a22022-08-29 15:25:36 +0800[diff] [blame]1558 uint32_t allowed_extensions_mask;
Jerry Yu50e00e32022-10-31 14:45:01 +0800[diff] [blame]1559 int hs_msg_type = is_hrr ? MBEDTLS_SSL_TLS1_3_HS_HELLO_RETRY_REQUEST :
1560 MBEDTLS_SSL_HS_SERVER_HELLO;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1561
1562 /*
1563 * Check there is space for minimal fields
1564 *
1565 * - legacy_version ( 2 bytes)
Jerry Yue6d7e5c2021-10-26 10:44:32 +0800[diff] [blame]1566 * - random (MBEDTLS_SERVER_HELLO_RANDOM_LEN bytes)
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1567 * - legacy_session_id_echo ( 1 byte ), minimum size
1568 * - cipher_suite ( 2 bytes)
1569 * - legacy_compression_method ( 1 byte )
1570 */
Jerry Yue6d7e5c2021-10-26 10:44:32 +0800[diff] [blame]1571 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, MBEDTLS_SERVER_HELLO_RANDOM_LEN + 6 );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1572
1573 MBEDTLS_SSL_DEBUG_BUF( 4, "server hello", p, end - p );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1574 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, version", p, 2 );
1575
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1576 /* ...
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1577 * ProtocolVersion legacy_version = 0x0303; // TLS 1.2
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1578 * ...
1579 * with ProtocolVersion defined as:
1580 * uint16 ProtocolVersion;
1581 */
Glenn Strausse3af4cb2022-03-15 03:23:42 -0400[diff] [blame]1582 if( mbedtls_ssl_read_version( p, ssl->conf->transport ) !=
1583 MBEDTLS_SSL_VERSION_TLS1_2 )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1584 {
1585 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Unsupported version of TLS." ) );
1586 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION,
1587 MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION );
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1588 ret = MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION;
1589 goto cleanup;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1590 }
1591 p += 2;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1592
Jerry Yue6d7e5c2021-10-26 10:44:32 +0800[diff] [blame]1593 /* ...
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1594 * Random random;
1595 * ...
1596 * with Random defined as:
Jerry Yue6d7e5c2021-10-26 10:44:32 +0800[diff] [blame]1597 * opaque Random[MBEDTLS_SERVER_HELLO_RANDOM_LEN];
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1598 */
XiaokangQian53f20b72022-01-18 10:47:33 +0000[diff] [blame]1599 if( !is_hrr )
1600 {
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]1601 memcpy( &handshake->randbytes[MBEDTLS_CLIENT_HELLO_RANDOM_LEN], p,
XiaokangQian53f20b72022-01-18 10:47:33 +0000[diff] [blame]1602 MBEDTLS_SERVER_HELLO_RANDOM_LEN );
1603 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, random bytes",
1604 p, MBEDTLS_SERVER_HELLO_RANDOM_LEN );
1605 }
Jerry Yue6d7e5c2021-10-26 10:44:32 +0800[diff] [blame]1606 p += MBEDTLS_SERVER_HELLO_RANDOM_LEN;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1607
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1608 /* ...
1609 * opaque legacy_session_id_echo<0..32>;
1610 * ...
1611 */
1612 if( ssl_tls13_check_server_hello_session_id_echo( ssl, &p, end ) != 0 )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1613 {
XiaokangQian52da5582022-01-26 09:49:29 +0000[diff] [blame]1614 fatal_alert = MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER;
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1615 goto cleanup;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1616 }
1617
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1618 /* ...
1619 * CipherSuite cipher_suite;
1620 * ...
1621 * with CipherSuite defined as:
1622 * uint8 CipherSuite[2];
1623 */
1624 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1625 cipher_suite = MBEDTLS_GET_UINT16_BE( p, 0 );
1626 p += 2;
1627
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1628
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]1629 ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( cipher_suite );
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1630 /*
Ronald Cronba120bb2022-03-30 22:09:48 +0200[diff] [blame]1631 * Check whether this ciphersuite is valid and offered.
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1632 */
Glenn Strauss60bfe602022-03-14 19:04:24 -0400[diff] [blame]1633 if( ( mbedtls_ssl_validate_ciphersuite( ssl, ciphersuite_info,
1634 ssl->tls_version,
1635 ssl->tls_version ) != 0 ) ||
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]1636 !mbedtls_ssl_tls13_cipher_suite_is_offered( ssl, cipher_suite ) )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1637 {
XiaokangQian52da5582022-01-26 09:49:29 +0000[diff] [blame]1638 fatal_alert = MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1639 }
XiaokangQian53f20b72022-01-18 10:47:33 +0000[diff] [blame]1640 /*
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]1641 * If we received an HRR before and that the proposed selected
1642 * ciphersuite in this server hello is not the same as the one
1643 * proposed in the HRR, we abort the handshake and send an
1644 * "illegal_parameter" alert.
XiaokangQian53f20b72022-01-18 10:47:33 +0000[diff] [blame]1645 */
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]1646 else if( ( !is_hrr ) && ( handshake->hello_retry_request_count > 0 ) &&
1647 ( cipher_suite != ssl->session_negotiate->ciphersuite ) )
XiaokangQian53f20b72022-01-18 10:47:33 +0000[diff] [blame]1648 {
XiaokangQian52da5582022-01-26 09:49:29 +0000[diff] [blame]1649 fatal_alert = MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER;
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]1650 }
XiaokangQian53f20b72022-01-18 10:47:33 +0000[diff] [blame]1651
XiaokangQian52da5582022-01-26 09:49:29 +0000[diff] [blame]1652 if( fatal_alert == MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER )
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]1653 {
1654 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid ciphersuite(%04x) parameter",
1655 cipher_suite ) );
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1656 goto cleanup;
XiaokangQian53f20b72022-01-18 10:47:33 +0000[diff] [blame]1657 }
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1658
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1659 /* Configure ciphersuites */
1660 mbedtls_ssl_optimize_checksum( ssl, ciphersuite_info );
1661
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]1662 handshake->ciphersuite_info = ciphersuite_info;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1663 ssl->session_negotiate->ciphersuite = cipher_suite;
1664
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1665 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: ( %04x ) - %s",
1666 cipher_suite, ciphersuite_info->name ) );
1667
1668#if defined(MBEDTLS_HAVE_TIME)
1669 ssl->session_negotiate->start = time( NULL );
1670#endif /* MBEDTLS_HAVE_TIME */
1671
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1672 /* ...
1673 * uint8 legacy_compression_method = 0;
1674 * ...
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1675 */
Jerry Yude4fb2c2021-09-19 18:05:08 +0800[diff] [blame]1676 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 1 );
Thomas Daubney31e03a82022-07-25 15:59:25 +0100[diff] [blame]1677 if( p[0] != MBEDTLS_SSL_COMPRESS_NULL )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1678 {
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1679 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad legacy compression method" ) );
XiaokangQian52da5582022-01-26 09:49:29 +0000[diff] [blame]1680 fatal_alert = MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER;
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1681 goto cleanup;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1682 }
1683 p++;
1684
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1685 /* ...
1686 * Extension extensions<6..2^16-1>;
1687 * ...
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1688 * struct {
1689 * ExtensionType extension_type; (2 bytes)
1690 * opaque extension_data<0..2^16-1>;
1691 * } Extension;
1692 */
Jerry Yude4fb2c2021-09-19 18:05:08 +0800[diff] [blame]1693 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1694 extensions_len = MBEDTLS_GET_UINT16_BE( p, 0 );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1695 p += 2;
Jerry Yude4fb2c2021-09-19 18:05:08 +0800[diff] [blame]1696
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1697 /* Check extensions do not go beyond the buffer of data. */
1698 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, extensions_len );
1699 extensions_end = p + extensions_len;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1700
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1701 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello extensions", p, extensions_len );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1702
Jerry Yu50e00e32022-10-31 14:45:01 +0800[diff] [blame]1703 handshake->received_extensions = MBEDTLS_SSL_EXT_MASK_NONE;
Jerry Yu0c354a22022-08-29 15:25:36 +0800[diff] [blame]1704 allowed_extensions_mask = is_hrr ?
Jerry Yu2c5363e2022-08-04 17:42:49 +0800[diff] [blame]1705 MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_HRR :
1706 MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_SH;
1707
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1708 while( p < extensions_end )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1709 {
1710 unsigned int extension_type;
1711 size_t extension_data_len;
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]1712 const unsigned char *extension_data_end;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1713
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1714 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, 4 );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1715 extension_type = MBEDTLS_GET_UINT16_BE( p, 0 );
1716 extension_data_len = MBEDTLS_GET_UINT16_BE( p, 2 );
1717 p += 4;
1718
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1719 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, extension_data_len );
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]1720 extension_data_end = p + extension_data_len;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1721
Jerry Yuc4bf5d62022-10-29 09:08:47 +0800[diff] [blame]1722 ret = mbedtls_ssl_tls13_check_received_extension(
Jerry Yu50e00e32022-10-31 14:45:01 +0800[diff] [blame]1723 ssl, hs_msg_type, extension_type, allowed_extensions_mask );
Jerry Yu0c354a22022-08-29 15:25:36 +0800[diff] [blame]1724 if( ret != 0 )
1725 return( ret );
Jerry Yu2c5363e2022-08-04 17:42:49 +0800[diff] [blame]1726
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1727 switch( extension_type )
1728 {
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]1729 case MBEDTLS_TLS_EXT_COOKIE:
1730
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]1731 ret = ssl_tls13_parse_cookie_ext( ssl,
1732 p, extension_data_end );
1733 if( ret != 0 )
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]1734 {
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]1735 MBEDTLS_SSL_DEBUG_RET( 1,
1736 "ssl_tls13_parse_cookie_ext",
1737 ret );
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1738 goto cleanup;
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]1739 }
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]1740 break;
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]1741
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1742 case MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS:
Jerry Yuc068b662021-10-11 22:30:19 +0800[diff] [blame]1743 ret = ssl_tls13_parse_supported_versions_ext( ssl,
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1744 p,
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]1745 extension_data_end );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1746 if( ret != 0 )
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1747 goto cleanup;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1748 break;
1749
Ronald Cron41a443a2022-10-04 16:38:25 +0200[diff] [blame]1750#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1751 case MBEDTLS_TLS_EXT_PRE_SHARED_KEY:
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]1752 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found pre_shared_key extension" ) );
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1753
XiaokangQian86981952022-07-19 09:51:50 +0000[diff] [blame]1754 if( ( ret = ssl_tls13_parse_server_pre_shared_key_ext(
XiaokangQian008d2bf2022-07-14 07:54:01 +0000[diff] [blame]1755 ssl, p, extension_data_end ) ) != 0 )
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]1756 {
1757 MBEDTLS_SSL_DEBUG_RET(
XiaokangQian86981952022-07-19 09:51:50 +0000[diff] [blame]1758 1, ( "ssl_tls13_parse_server_pre_shared_key_ext" ), ret );
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]1759 return( ret );
1760 }
1761 break;
Ronald Cron41a443a2022-10-04 16:38:25 +0200[diff] [blame]1762#endif
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1763
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1764 case MBEDTLS_TLS_EXT_KEY_SHARE:
1765 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found key_shares extension" ) );
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1766 if( ! mbedtls_ssl_conf_tls13_some_ephemeral_enabled( ssl ) )
1767 {
XiaokangQian52da5582022-01-26 09:49:29 +0000[diff] [blame]1768 fatal_alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT;
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1769 goto cleanup;
1770 }
1771
XiaokangQian53f20b72022-01-18 10:47:33 +0000[diff] [blame]1772 if( is_hrr )
XiaokangQiand9e068e2022-01-18 06:23:32 +0000[diff] [blame]1773 ret = ssl_tls13_parse_hrr_key_share_ext( ssl,
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]1774 p, extension_data_end );
XiaokangQian53f20b72022-01-18 10:47:33 +0000[diff] [blame]1775 else
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]1776 ret = ssl_tls13_parse_key_share_ext( ssl,
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]1777 p, extension_data_end );
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]1778 if( ret != 0 )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1779 {
1780 MBEDTLS_SSL_DEBUG_RET( 1,
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1781 "ssl_tls13_parse_key_share_ext",
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1782 ret );
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1783 goto cleanup;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1784 }
1785 break;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1786
1787 default:
Jerry Yu9872eb22022-08-29 13:42:01 +0800[diff] [blame]1788 ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
1789 goto cleanup;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1790 }
1791
1792 p += extension_data_len;
1793 }
1794
Jerry Yu97be6a92022-11-09 22:43:31 +0800[diff] [blame]1795 MBEDTLS_SSL_PRINT_EXTS( 3, hs_msg_type, handshake->received_extensions );
Jerry Yu2c5363e2022-08-04 17:42:49 +0800[diff] [blame]1796
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1797cleanup:
1798
XiaokangQian52da5582022-01-26 09:49:29 +0000[diff] [blame]1799 if( fatal_alert == MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT )
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1800 {
1801 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT,
1802 MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION );
1803 ret = MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION;
1804 }
XiaokangQian52da5582022-01-26 09:49:29 +0000[diff] [blame]1805 else if ( fatal_alert == MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER )
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1806 {
1807 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
1808 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
1809 ret = MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
1810 }
1811 return( ret );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1812}
1813
Xiaokang Qiancb6e9632022-09-26 11:59:32 +0000[diff] [blame]1814#if defined(MBEDTLS_DEBUG_C)
1815static const char *ssl_tls13_get_kex_mode_str(int mode)
Xiaokang Qian5beec4b2022-09-26 08:23:45 +0000[diff] [blame]1816{
1817 switch( mode )
1818 {
1819 case MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK:
1820 return "psk";
1821 case MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL:
1822 return "ephemeral";
1823 case MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL:
1824 return "psk_ephemeral";
1825 default:
1826 return "unknown mode";
1827 }
1828}
Xiaokang Qiancb6e9632022-09-26 11:59:32 +0000[diff] [blame]1829#endif /* MBEDTLS_DEBUG_C */
Xiaokang Qian5beec4b2022-09-26 08:23:45 +0000[diff] [blame]1830
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1831MBEDTLS_CHECK_RETURN_CRITICAL
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]1832static int ssl_tls13_postprocess_server_hello( mbedtls_ssl_context *ssl )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1833{
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1834 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1835 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
Jerry Yu0b177842021-09-05 19:41:30 +0800[diff] [blame]1836
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1837 /* Determine the key exchange mode:
1838 * 1) If both the pre_shared_key and key_share extensions were received
1839 * then the key exchange mode is PSK with EPHEMERAL.
1840 * 2) If only the pre_shared_key extension was received then the key
1841 * exchange mode is PSK-only.
1842 * 3) If only the key_share extension was received then the key
1843 * exchange mode is EPHEMERAL-only.
Jerry Yu0b177842021-09-05 19:41:30 +0800[diff] [blame]1844 */
Jerry Yu0c354a22022-08-29 15:25:36 +0800[diff] [blame]1845 switch( handshake->received_extensions &
Jerry Yu50e00e32022-10-31 14:45:01 +0800[diff] [blame]1846 ( MBEDTLS_SSL_EXT_MASK( PRE_SHARED_KEY ) | MBEDTLS_SSL_EXT_MASK( KEY_SHARE ) ) )
Jerry Yu0b177842021-09-05 19:41:30 +0800[diff] [blame]1847 {
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1848 /* Only the pre_shared_key extension was received */
Jerry Yu50e00e32022-10-31 14:45:01 +0800[diff] [blame]1849 case MBEDTLS_SSL_EXT_MASK( PRE_SHARED_KEY ):
Ronald Cron79907712022-07-20 17:05:29 +0200[diff] [blame]1850 handshake->key_exchange_mode = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK;
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1851 break;
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1852
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1853 /* Only the key_share extension was received */
Jerry Yu50e00e32022-10-31 14:45:01 +0800[diff] [blame]1854 case MBEDTLS_SSL_EXT_MASK( KEY_SHARE ):
Ronald Cron79907712022-07-20 17:05:29 +0200[diff] [blame]1855 handshake->key_exchange_mode = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL;
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1856 break;
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1857
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1858 /* Both the pre_shared_key and key_share extensions were received */
Jerry Yu50e00e32022-10-31 14:45:01 +0800[diff] [blame]1859 case ( MBEDTLS_SSL_EXT_MASK( PRE_SHARED_KEY ) | MBEDTLS_SSL_EXT_MASK( KEY_SHARE ) ):
Ronald Cron79907712022-07-20 17:05:29 +0200[diff] [blame]1860 handshake->key_exchange_mode = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL;
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1861 break;
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1862
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1863 /* Neither pre_shared_key nor key_share extension was received */
1864 default:
1865 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Unknown key exchange." ) );
1866 ret = MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
1867 goto cleanup;
Jerry Yu0b177842021-09-05 19:41:30 +0800[diff] [blame]1868 }
1869
Xiaokang Qianac8195f2022-09-26 04:01:06 +0000[diff] [blame]1870 if( !mbedtls_ssl_conf_tls13_check_kex_modes( ssl, handshake->key_exchange_mode ) )
1871 {
1872 ret = MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
1873 MBEDTLS_SSL_DEBUG_MSG( 2,
Xiaokang Qianca343ae2022-09-28 02:07:54 +0000[diff] [blame]1874 ( "Key exchange mode(%s) is not supported.",
Xiaokang Qiancb6e9632022-09-26 11:59:32 +0000[diff] [blame]1875 ssl_tls13_get_kex_mode_str( handshake->key_exchange_mode ) ) );
Xiaokang Qianac8195f2022-09-26 04:01:06 +0000[diff] [blame]1876 goto cleanup;
1877 }
1878
Xiaokang Qian5beec4b2022-09-26 08:23:45 +0000[diff] [blame]1879 MBEDTLS_SSL_DEBUG_MSG( 3,
Xiaokang Qianca343ae2022-09-28 02:07:54 +0000[diff] [blame]1880 ( "Selected key exchange mode: %s",
Xiaokang Qiancb6e9632022-09-26 11:59:32 +0000[diff] [blame]1881 ssl_tls13_get_kex_mode_str( handshake->key_exchange_mode ) ) );
Xiaokang Qian5beec4b2022-09-26 08:23:45 +0000[diff] [blame]1882
Jerry Yu0b177842021-09-05 19:41:30 +0800[diff] [blame]1883 /* Start the TLS 1.3 key schedule: Set the PSK and derive early secret.
1884 *
1885 * TODO: We don't have to do this in case we offered 0-RTT and the
1886 * server accepted it. In this case, we could skip generating
1887 * the early secret. */
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]1888 ret = mbedtls_ssl_tls13_key_schedule_stage_early( ssl );
Jerry Yu0b177842021-09-05 19:41:30 +0800[diff] [blame]1889 if( ret != 0 )
1890 {
Jerry Yue110d252022-05-05 10:19:22 +0800[diff] [blame]1891 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_key_schedule_stage_early",
Jerry Yu0b177842021-09-05 19:41:30 +0800[diff] [blame]1892 ret );
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1893 goto cleanup;
Jerry Yu0b177842021-09-05 19:41:30 +0800[diff] [blame]1894 }
1895
Jerry Yuf86eb752022-05-06 11:16:55 +0800[diff] [blame]1896 ret = mbedtls_ssl_tls13_compute_handshake_transform( ssl );
Jerry Yu0b177842021-09-05 19:41:30 +0800[diff] [blame]1897 if( ret != 0 )
1898 {
Jerry Yuf86eb752022-05-06 11:16:55 +0800[diff] [blame]1899 MBEDTLS_SSL_DEBUG_RET( 1,
1900 "mbedtls_ssl_tls13_compute_handshake_transform",
Jerry Yuc068b662021-10-11 22:30:19 +0800[diff] [blame]1901 ret );
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1902 goto cleanup;
Jerry Yu0b177842021-09-05 19:41:30 +0800[diff] [blame]1903 }
1904
Jerry Yue110d252022-05-05 10:19:22 +0800[diff] [blame]1905 mbedtls_ssl_set_inbound_transform( ssl, handshake->transform_handshake );
Jerry Yu0b177842021-09-05 19:41:30 +0800[diff] [blame]1906 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Switch to handshake keys for inbound traffic" ) );
1907 ssl->session_in = ssl->session_negotiate;
1908
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1909cleanup:
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1910 if( ret != 0 )
1911 {
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1912 MBEDTLS_SSL_PEND_FATAL_ALERT(
1913 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
1914 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
1915 }
Jerry Yue110d252022-05-05 10:19:22 +0800[diff] [blame]1916
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1917 return( ret );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1918}
1919
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1920MBEDTLS_CHECK_RETURN_CRITICAL
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]1921static int ssl_tls13_postprocess_hrr( mbedtls_ssl_context *ssl )
XiaokangQian647719a2021-12-07 09:16:29 +0000[diff] [blame]1922{
1923 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1924
XiaokangQian78b1fa72022-01-19 06:56:30 +0000[diff] [blame]1925 mbedtls_ssl_session_reset_msg_layer( ssl, 0 );
XiaokangQian647719a2021-12-07 09:16:29 +0000[diff] [blame]1926
XiaokangQian78b1fa72022-01-19 06:56:30 +0000[diff] [blame]1927 /*
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]1928 * We are going to re-generate a shared secret corresponding to the group
1929 * selected by the server, which is different from the group for which we
1930 * generated a shared secret in the first client hello.
1931 * Thus, reset the shared secret.
XiaokangQian51eff222021-12-10 10:33:56 +0000[diff] [blame]1932 */
XiaokangQian16acd4b2022-01-14 07:35:47 +0000[diff] [blame]1933 ret = ssl_tls13_reset_key_share( ssl );
XiaokangQian647719a2021-12-07 09:16:29 +0000[diff] [blame]1934 if( ret != 0 )
1935 return( ret );
1936
1937 return( 0 );
1938}
1939
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1940/*
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1941 * Wait and parse ServerHello handshake message.
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]1942 * Handler for MBEDTLS_SSL_SERVER_HELLO
1943 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1944MBEDTLS_CHECK_RETURN_CRITICAL
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]1945static int ssl_tls13_process_server_hello( mbedtls_ssl_context *ssl )
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]1946{
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1947 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
XiaokangQian647719a2021-12-07 09:16:29 +0000[diff] [blame]1948 unsigned char *buf = NULL;
1949 size_t buf_len = 0;
XiaokangQian78b1fa72022-01-19 06:56:30 +0000[diff] [blame]1950 int is_hrr = 0;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1951
1952 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> %s", __func__ ) );
1953
Ronald Crondb5dfa12022-05-31 11:44:38 +0200[diff] [blame]1954 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_fetch_handshake_msg( ssl,
1955 MBEDTLS_SSL_HS_SERVER_HELLO,
1956 &buf, &buf_len ) );
1957
Ronald Cron828aff62022-05-31 12:04:31 +0200[diff] [blame]1958 ret = ssl_tls13_preprocess_server_hello( ssl, buf, buf + buf_len );
XiaokangQiand9e068e2022-01-18 06:23:32 +0000[diff] [blame]1959 if( ret < 0 )
XiaokangQian16acd4b2022-01-14 07:35:47 +0000[diff] [blame]1960 goto cleanup;
1961 else
Ronald Cron828aff62022-05-31 12:04:31 +0200[diff] [blame]1962 is_hrr = ( ret == SSL_SERVER_HELLO_HRR );
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1963
Ronald Cron828aff62022-05-31 12:04:31 +0200[diff] [blame]1964 if( ret == SSL_SERVER_HELLO_TLS1_2 )
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]1965 {
1966 ret = 0;
1967 goto cleanup;
1968 }
1969
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]1970 MBEDTLS_SSL_PROC_CHK( ssl_tls13_parse_server_hello( ssl, buf,
XiaokangQiand9e068e2022-01-18 06:23:32 +0000[diff] [blame]1971 buf + buf_len,
1972 is_hrr ) );
1973 if( is_hrr )
XiaokangQian647719a2021-12-07 09:16:29 +0000[diff] [blame]1974 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_reset_transcript_for_hrr( ssl ) );
1975
Ronald Cron8f6d39a2022-03-10 18:56:50 +0100[diff] [blame]1976 mbedtls_ssl_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_SERVER_HELLO,
1977 buf, buf_len );
XiaokangQian647719a2021-12-07 09:16:29 +0000[diff] [blame]1978
XiaokangQiand9e068e2022-01-18 06:23:32 +0000[diff] [blame]1979 if( is_hrr )
Ronald Cronfb508b82022-05-31 14:49:55 +0200[diff] [blame]1980 {
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]1981 MBEDTLS_SSL_PROC_CHK( ssl_tls13_postprocess_hrr( ssl ) );
Ronald Cronfb508b82022-05-31 14:49:55 +0200[diff] [blame]1982#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
1983 /* If not offering early data, the client sends a dummy CCS record
1984 * immediately before its second flight. This may either be before
1985 * its second ClientHello or before its encrypted handshake flight.
1986 */
1987 mbedtls_ssl_handshake_set_state( ssl,
1988 MBEDTLS_SSL_CLIENT_CCS_BEFORE_2ND_CLIENT_HELLO );
1989#else
1990 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_HELLO );
1991#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
1992 }
XiaokangQiand9e068e2022-01-18 06:23:32 +0000[diff] [blame]1993 else
Ronald Cronfb508b82022-05-31 14:49:55 +0200[diff] [blame]1994 {
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]1995 MBEDTLS_SSL_PROC_CHK( ssl_tls13_postprocess_server_hello( ssl ) );
Ronald Cronfb508b82022-05-31 14:49:55 +0200[diff] [blame]1996 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_ENCRYPTED_EXTENSIONS );
1997 }
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1998
1999cleanup:
XiaokangQiana9090612022-01-27 03:48:27 +0000[diff] [blame]2000 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= %s ( %s )", __func__,
2001 is_hrr?"HelloRetryRequest":"ServerHello" ) );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]2002 return( ret );
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2003}
2004
2005/*
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]2006 *
Ronald Cron9d6a5452022-05-30 16:05:38 +0200[diff] [blame]2007 * Handler for MBEDTLS_SSL_ENCRYPTED_EXTENSIONS
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]2008 *
2009 * The EncryptedExtensions message contains any extensions which
2010 * should be protected, i.e., any which are not needed to establish
2011 * the cryptographic context.
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2012 */
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]2013
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]2014/* Parse EncryptedExtensions message
2015 * struct {
XiaokangQian97799ac2021-10-11 10:05:54 +0000[diff] [blame]2016 * Extension extensions<0..2^16-1>;
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]2017 * } EncryptedExtensions;
2018 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2019MBEDTLS_CHECK_RETURN_CRITICAL
XiaokangQian97799ac2021-10-11 10:05:54 +0000[diff] [blame]2020static int ssl_tls13_parse_encrypted_extensions( mbedtls_ssl_context *ssl,
2021 const unsigned char *buf,
2022 const unsigned char *end )
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]2023{
2024 int ret = 0;
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]2025 size_t extensions_len;
XiaokangQian140f0452021-10-08 08:05:53 +0000[diff] [blame]2026 const unsigned char *p = buf;
XiaokangQian8db25ff2021-10-13 05:56:18 +0000[diff] [blame]2027 const unsigned char *extensions_end;
Jerry Yuc4bf5d62022-10-29 09:08:47 +0800[diff] [blame]2028 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]2029
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]2030 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
XiaokangQian97799ac2021-10-11 10:05:54 +0000[diff] [blame]2031 extensions_len = MBEDTLS_GET_UINT16_BE( p, 0 );
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]2032 p += 2;
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]2033
XiaokangQian97799ac2021-10-11 10:05:54 +0000[diff] [blame]2034 MBEDTLS_SSL_DEBUG_BUF( 3, "encrypted extensions", p, extensions_len );
XiaokangQian8db25ff2021-10-13 05:56:18 +0000[diff] [blame]2035 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, extensions_len );
Ronald Cronc8083592022-05-31 16:24:05 +0200[diff] [blame]2036 extensions_end = p + extensions_len;
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]2037
Jerry Yu9eba7502022-10-31 13:46:16 +0800[diff] [blame]2038 handshake->received_extensions = MBEDTLS_SSL_EXT_MASK_NONE;
Jerry Yucbd082f2022-08-04 16:55:10 +0800[diff] [blame]2039
XiaokangQian8db25ff2021-10-13 05:56:18 +0000[diff] [blame]2040 while( p < extensions_end )
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]2041 {
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]2042 unsigned int extension_type;
2043 size_t extension_data_len;
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]2044
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]2045 /*
2046 * struct {
XiaokangQian97799ac2021-10-11 10:05:54 +0000[diff] [blame]2047 * ExtensionType extension_type; (2 bytes)
2048 * opaque extension_data<0..2^16-1>;
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]2049 * } Extension;
2050 */
XiaokangQian8db25ff2021-10-13 05:56:18 +0000[diff] [blame]2051 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, 4 );
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]2052 extension_type = MBEDTLS_GET_UINT16_BE( p, 0 );
2053 extension_data_len = MBEDTLS_GET_UINT16_BE( p, 2 );
2054 p += 4;
2055
XiaokangQian8db25ff2021-10-13 05:56:18 +0000[diff] [blame]2056 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, extension_data_len );
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]2057
Jerry Yuc4bf5d62022-10-29 09:08:47 +0800[diff] [blame]2058 ret = mbedtls_ssl_tls13_check_received_extension(
Jerry Yu0c354a22022-08-29 15:25:36 +0800[diff] [blame]2059 ssl, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS, extension_type,
2060 MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_EE );
2061 if( ret != 0 )
2062 return( ret );
Jerry Yucbd082f2022-08-04 16:55:10 +0800[diff] [blame]2063
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]2064 switch( extension_type )
2065 {
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]2066#if defined(MBEDTLS_SSL_ALPN)
2067 case MBEDTLS_TLS_EXT_ALPN:
2068 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found alpn extension" ) );
2069
2070 if( ( ret = ssl_tls13_parse_alpn_ext( ssl, p, (size_t)extension_data_len ) ) != 0 )
2071 {
2072 return( ret );
2073 }
2074
2075 break;
2076#endif /* MBEDTLS_SSL_ALPN */
Xiaokang Qian8bee8992022-10-27 10:21:05 +0000[diff] [blame]2077
2078#if defined(MBEDTLS_SSL_EARLY_DATA)
2079 case MBEDTLS_TLS_EXT_EARLY_DATA:
Xiaokang Qianca09afc2022-11-22 10:05:19 +0000[diff] [blame]2080
2081 if( extension_data_len != 0 )
2082 {
2083 /* The message must be empty. */
2084 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
2085 MBEDTLS_ERR_SSL_DECODE_ERROR );
2086 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
2087 }
2088
Xiaokang Qian8bee8992022-10-27 10:21:05 +0000[diff] [blame]2089 break;
2090#endif /* MBEDTLS_SSL_EARLY_DATA */
2091
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]2092 default:
Jerry Yu79aa7212022-11-08 21:30:21 +0800[diff] [blame]2093 MBEDTLS_SSL_PRINT_EXT(
Jerry Yu9eba7502022-10-31 13:46:16 +0800[diff] [blame]2094 3, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS,
2095 extension_type, "( ignored )" );
Jerry Yucbd082f2022-08-04 16:55:10 +0800[diff] [blame]2096 break;
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]2097 }
2098
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]2099 p += extension_data_len;
XiaokangQian97799ac2021-10-11 10:05:54 +0000[diff] [blame]2100 }
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]2101
Jerry Yu7de2ff02022-11-08 21:43:46 +0800[diff] [blame]2102 MBEDTLS_SSL_PRINT_EXTS( 3, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS,
Jerry Yu97be6a92022-11-09 22:43:31 +0800[diff] [blame]2103 handshake->received_extensions );
Jerry Yucbd082f2022-08-04 16:55:10 +0800[diff] [blame]2104
XiaokangQian97799ac2021-10-11 10:05:54 +0000[diff] [blame]2105 /* Check that we consumed all the message. */
XiaokangQian7b2d4ef2021-10-13 10:19:02 +0000[diff] [blame]2106 if( p != end )
XiaokangQian97799ac2021-10-11 10:05:54 +0000[diff] [blame]2107 {
2108 MBEDTLS_SSL_DEBUG_MSG( 1, ( "EncryptedExtension lengths misaligned" ) );
Jerry Yu7aa71862021-10-28 21:41:30 +0800[diff] [blame]2109 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
XiaokangQian7b2d4ef2021-10-13 10:19:02 +0000[diff] [blame]2110 MBEDTLS_ERR_SSL_DECODE_ERROR );
XiaokangQian97799ac2021-10-11 10:05:54 +0000[diff] [blame]2111 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]2112 }
2113
2114 return( ret );
2115}
2116
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2117MBEDTLS_CHECK_RETURN_CRITICAL
Ronald Cron9d6a5452022-05-30 16:05:38 +0200[diff] [blame]2118static int ssl_tls13_process_encrypted_extensions( mbedtls_ssl_context *ssl )
2119{
2120 int ret;
2121 unsigned char *buf;
2122 size_t buf_len;
2123
2124 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse encrypted extensions" ) );
2125
2126 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_fetch_handshake_msg( ssl,
2127 MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS,
2128 &buf, &buf_len ) );
2129
2130 /* Process the message contents */
2131 MBEDTLS_SSL_PROC_CHK(
2132 ssl_tls13_parse_encrypted_extensions( ssl, buf, buf + buf_len ) );
2133
Xiaokang Qianb157e912022-11-23 08:12:26 +0000[diff] [blame]2134#if defined(MBEDTLS_SSL_EARLY_DATA)
2135 if( ssl->handshake->received_extensions &
2136 MBEDTLS_SSL_EXT_MASK( EARLY_DATA ) )
2137 {
2138 ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED;
2139 }
2140#endif
2141
Ronald Cron9d6a5452022-05-30 16:05:38 +0200[diff] [blame]2142 mbedtls_ssl_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS,
2143 buf, buf_len );
2144
Ronald Cron928cbd32022-10-04 16:14:26 +0200[diff] [blame]2145#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
Ronald Cron79907712022-07-20 17:05:29 +0200[diff] [blame]2146 if( mbedtls_ssl_tls13_key_exchange_mode_with_psk( ssl ) )
Ronald Cronfb508b82022-05-31 14:49:55 +0200[diff] [blame]2147 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_FINISHED );
2148 else
2149 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CERTIFICATE_REQUEST );
2150#else
2151 ((void) ssl);
2152 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_FINISHED );
2153#endif
Ronald Cron9d6a5452022-05-30 16:05:38 +0200[diff] [blame]2154
2155cleanup:
2156
2157 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse encrypted extensions" ) );
2158 return( ret );
2159
2160}
2161
Ronald Cron928cbd32022-10-04 16:14:26 +0200[diff] [blame]2162#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2163/*
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2164 * STATE HANDLING: CertificateRequest
2165 *
Jerry Yud2674312021-10-29 10:08:19 +0800[diff] [blame]2166 */
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]2167#define SSL_CERTIFICATE_REQUEST_EXPECT_REQUEST 0
2168#define SSL_CERTIFICATE_REQUEST_SKIP 1
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2169/* Coordination:
2170 * Deals with the ambiguity of not knowing if a CertificateRequest
2171 * will be sent. Returns a negative code on failure, or
2172 * - SSL_CERTIFICATE_REQUEST_EXPECT_REQUEST
2173 * - SSL_CERTIFICATE_REQUEST_SKIP
2174 * indicating if a Certificate Request is expected or not.
2175 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2176MBEDTLS_CHECK_RETURN_CRITICAL
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2177static int ssl_tls13_certificate_request_coordinate( mbedtls_ssl_context *ssl )
Jerry Yud2674312021-10-29 10:08:19 +0800[diff] [blame]2178{
Xiaofei Baide3f13e2022-01-18 05:47:05 +0000[diff] [blame]2179 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yud2674312021-10-29 10:08:19 +0800[diff] [blame]2180
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2181 if( ( ret = mbedtls_ssl_read_record( ssl, 0 ) ) != 0 )
Jerry Yud2674312021-10-29 10:08:19 +0800[diff] [blame]2182 {
2183 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
2184 return( ret );
2185 }
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2186 ssl->keep_current_message = 1;
Jerry Yud2674312021-10-29 10:08:19 +0800[diff] [blame]2187
2188 if( ( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE ) &&
2189 ( ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE_REQUEST ) )
2190 {
Ronald Cron19385882022-06-15 16:26:13 +0200[diff] [blame]2191 MBEDTLS_SSL_DEBUG_MSG( 3, ( "got a certificate request" ) );
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2192 return( SSL_CERTIFICATE_REQUEST_EXPECT_REQUEST );
Jerry Yud2674312021-10-29 10:08:19 +0800[diff] [blame]2193 }
2194
Ronald Cron19385882022-06-15 16:26:13 +0200[diff] [blame]2195 MBEDTLS_SSL_DEBUG_MSG( 3, ( "got no certificate request" ) );
2196
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2197 return( SSL_CERTIFICATE_REQUEST_SKIP );
2198}
2199
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2200/*
2201 * ssl_tls13_parse_certificate_request()
2202 * Parse certificate request
2203 * struct {
2204 * opaque certificate_request_context<0..2^8-1>;
2205 * Extension extensions<2..2^16-1>;
2206 * } CertificateRequest;
2207 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2208MBEDTLS_CHECK_RETURN_CRITICAL
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2209static int ssl_tls13_parse_certificate_request( mbedtls_ssl_context *ssl,
2210 const unsigned char *buf,
2211 const unsigned char *end )
2212{
2213 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2214 const unsigned char *p = buf;
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2215 size_t certificate_request_context_len = 0;
Xiaofei Bai82f0a9a2022-01-26 09:21:54 +0000[diff] [blame]2216 size_t extensions_len = 0;
2217 const unsigned char *extensions_end;
Jerry Yuc4bf5d62022-10-29 09:08:47 +0800[diff] [blame]2218 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2219
Xiaofei Bai82f0a9a2022-01-26 09:21:54 +0000[diff] [blame]2220 /* ...
2221 * opaque certificate_request_context<0..2^8-1>
2222 * ...
2223 */
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2224 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 1 );
2225 certificate_request_context_len = (size_t) p[0];
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]2226 p += 1;
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2227
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2228 if( certificate_request_context_len > 0 )
2229 {
Xiaofei Baic234ecf2022-02-08 09:59:23 +0000[diff] [blame]2230 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, certificate_request_context_len );
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2231 MBEDTLS_SSL_DEBUG_BUF( 3, "Certificate Request Context",
2232 p, certificate_request_context_len );
2233
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]2234 handshake->certificate_request_context =
Xiaofei Bai6d42bb42022-01-28 08:52:13 +0000[diff] [blame]2235 mbedtls_calloc( 1, certificate_request_context_len );
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]2236 if( handshake->certificate_request_context == NULL )
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2237 {
2238 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
2239 return ( MBEDTLS_ERR_SSL_ALLOC_FAILED );
2240 }
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]2241 memcpy( handshake->certificate_request_context, p,
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2242 certificate_request_context_len );
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2243 p += certificate_request_context_len;
2244 }
2245
Xiaofei Bai82f0a9a2022-01-26 09:21:54 +0000[diff] [blame]2246 /* ...
2247 * Extension extensions<2..2^16-1>;
2248 * ...
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2249 */
2250 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
2251 extensions_len = MBEDTLS_GET_UINT16_BE( p, 0 );
2252 p += 2;
2253
2254 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, extensions_len );
2255 extensions_end = p + extensions_len;
2256
Jerry Yu6d0e78b2022-10-31 14:13:25 +0800[diff] [blame]2257 handshake->received_extensions = MBEDTLS_SSL_EXT_MASK_NONE;
Jerry Yuc55a6af2022-08-04 17:01:21 +0800[diff] [blame]2258
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2259 while( p < extensions_end )
2260 {
2261 unsigned int extension_type;
2262 size_t extension_data_len;
2263
2264 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, 4 );
2265 extension_type = MBEDTLS_GET_UINT16_BE( p, 0 );
2266 extension_data_len = MBEDTLS_GET_UINT16_BE( p, 2 );
2267 p += 4;
2268
2269 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, extension_data_len );
2270
Jerry Yuc4bf5d62022-10-29 09:08:47 +0800[diff] [blame]2271 ret = mbedtls_ssl_tls13_check_received_extension(
Jerry Yu0c354a22022-08-29 15:25:36 +0800[diff] [blame]2272 ssl, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST, extension_type,
2273 MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CR );
2274 if( ret != 0 )
2275 return( ret );
Jerry Yuc55a6af2022-08-04 17:01:21 +0800[diff] [blame]2276
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2277 switch( extension_type )
2278 {
2279 case MBEDTLS_TLS_EXT_SIG_ALG:
2280 MBEDTLS_SSL_DEBUG_MSG( 3,
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]2281 ( "found signature algorithms extension" ) );
Gabor Mezei078e8032022-04-27 21:17:56 +0200[diff] [blame]2282 ret = mbedtls_ssl_parse_sig_alg_ext( ssl, p,
Gabor Mezei696956d2022-05-13 16:27:29 +0200[diff] [blame]2283 p + extension_data_len );
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2284 if( ret != 0 )
2285 return( ret );
Jerry Yuc55a6af2022-08-04 17:01:21 +0800[diff] [blame]2286
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2287 break;
2288
2289 default:
Jerry Yu79aa7212022-11-08 21:30:21 +0800[diff] [blame]2290 MBEDTLS_SSL_PRINT_EXT(
Jerry Yu6d0e78b2022-10-31 14:13:25 +0800[diff] [blame]2291 3, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST,
2292 extension_type, "( ignored )" );
Xiaofei Bai82f0a9a2022-01-26 09:21:54 +0000[diff] [blame]2293 break;
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2294 }
Jerry Yuc55a6af2022-08-04 17:01:21 +0800[diff] [blame]2295
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2296 p += extension_data_len;
2297 }
Jerry Yuc55a6af2022-08-04 17:01:21 +0800[diff] [blame]2298
Jerry Yu7de2ff02022-11-08 21:43:46 +0800[diff] [blame]2299 MBEDTLS_SSL_PRINT_EXTS( 3, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST,
Jerry Yu97be6a92022-11-09 22:43:31 +0800[diff] [blame]2300 handshake->received_extensions );
Jerry Yuc55a6af2022-08-04 17:01:21 +0800[diff] [blame]2301
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]2302 /* Check that we consumed all the message. */
2303 if( p != end )
2304 {
2305 MBEDTLS_SSL_DEBUG_MSG( 1,
Xiaofei Baic234ecf2022-02-08 09:59:23 +0000[diff] [blame]2306 ( "CertificateRequest misaligned" ) );
2307 goto decode_error;
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]2308 }
Jerry Yuc55a6af2022-08-04 17:01:21 +0800[diff] [blame]2309
Jerry Yu0c354a22022-08-29 15:25:36 +0800[diff] [blame]2310 /* RFC 8446 section 4.3.2
Jerry Yuc55a6af2022-08-04 17:01:21 +0800[diff] [blame]2311 *
2312 * The "signature_algorithms" extension MUST be specified
2313 */
Jerry Yu6d0e78b2022-10-31 14:13:25 +0800[diff] [blame]2314 if( ( handshake->received_extensions & MBEDTLS_SSL_EXT_MASK( SIG_ALG ) ) == 0 )
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]2315 {
Xiaofei Bai6d42bb42022-01-28 08:52:13 +0000[diff] [blame]2316 MBEDTLS_SSL_DEBUG_MSG( 3,
2317 ( "no signature algorithms extension found" ) );
Xiaofei Baic234ecf2022-02-08 09:59:23 +0000[diff] [blame]2318 goto decode_error;
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]2319 }
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2320
Jerry Yu7840f812022-01-29 10:26:51 +0800[diff] [blame]2321 ssl->handshake->client_auth = 1;
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2322 return( 0 );
Xiaofei Bai51f515a2022-02-08 07:28:04 +0000[diff] [blame]2323
Xiaofei Baic234ecf2022-02-08 09:59:23 +0000[diff] [blame]2324decode_error:
Xiaofei Bai51f515a2022-02-08 07:28:04 +0000[diff] [blame]2325 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
2326 MBEDTLS_ERR_SSL_DECODE_ERROR );
2327 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2328}
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2329
Xiaofei Baide3f13e2022-01-18 05:47:05 +0000[diff] [blame]2330/*
2331 * Handler for MBEDTLS_SSL_CERTIFICATE_REQUEST
2332 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2333MBEDTLS_CHECK_RETURN_CRITICAL
Xiaofei Baide3f13e2022-01-18 05:47:05 +0000[diff] [blame]2334static int ssl_tls13_process_certificate_request( mbedtls_ssl_context *ssl )
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2335{
Xiaofei Baide3f13e2022-01-18 05:47:05 +0000[diff] [blame]2336 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2337
2338 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) );
2339
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2340 MBEDTLS_SSL_PROC_CHK_NEG( ssl_tls13_certificate_request_coordinate( ssl ) );
2341
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2342 if( ret == SSL_CERTIFICATE_REQUEST_EXPECT_REQUEST )
2343 {
2344 unsigned char *buf;
2345 size_t buf_len;
2346
2347 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_fetch_handshake_msg( ssl,
2348 MBEDTLS_SSL_HS_CERTIFICATE_REQUEST,
2349 &buf, &buf_len ) );
2350
2351 MBEDTLS_SSL_PROC_CHK( ssl_tls13_parse_certificate_request( ssl,
2352 buf, buf + buf_len ) );
2353
Ronald Cron8f6d39a2022-03-10 18:56:50 +0100[diff] [blame]2354 mbedtls_ssl_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST,
2355 buf, buf_len );
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2356 }
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]2357 else if( ret == SSL_CERTIFICATE_REQUEST_SKIP )
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2358 {
Xiaofei Baif6d36962022-01-16 14:54:35 +0000[diff] [blame]2359 ret = 0;
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2360 }
2361 else
2362 {
2363 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
Xiaofei Bai51f515a2022-02-08 07:28:04 +0000[diff] [blame]2364 ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
2365 goto cleanup;
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2366 }
2367
Jerry Yud2674312021-10-29 10:08:19 +0800[diff] [blame]2368 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_CERTIFICATE );
2369
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2370cleanup:
2371
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2372 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate request" ) );
2373 return( ret );
Jerry Yud2674312021-10-29 10:08:19 +0800[diff] [blame]2374}
2375
2376/*
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2377 * Handler for MBEDTLS_SSL_SERVER_CERTIFICATE
2378 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2379MBEDTLS_CHECK_RETURN_CRITICAL
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]2380static int ssl_tls13_process_server_certificate( mbedtls_ssl_context *ssl )
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2381{
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]2382 int ret;
2383
2384 ret = mbedtls_ssl_tls13_process_certificate( ssl );
Xiaofei Baif93cbd22021-10-29 02:39:30 +0000[diff] [blame]2385 if( ret != 0 )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]2386 return( ret );
2387
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2388 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CERTIFICATE_VERIFY );
2389 return( 0 );
2390}
2391
2392/*
2393 * Handler for MBEDTLS_SSL_CERTIFICATE_VERIFY
2394 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2395MBEDTLS_CHECK_RETURN_CRITICAL
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]2396static int ssl_tls13_process_certificate_verify( mbedtls_ssl_context *ssl )
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2397{
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]2398 int ret;
2399
2400 ret = mbedtls_ssl_tls13_process_certificate_verify( ssl );
2401 if( ret != 0 )
2402 return( ret );
2403
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2404 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_FINISHED );
2405 return( 0 );
2406}
Ronald Cron928cbd32022-10-04 16:14:26 +0200[diff] [blame]2407#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
Ronald Crond4c64022021-12-06 09:06:46 +0100[diff] [blame]2408
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2409/*
2410 * Handler for MBEDTLS_SSL_SERVER_FINISHED
2411 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2412MBEDTLS_CHECK_RETURN_CRITICAL
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]2413static int ssl_tls13_process_server_finished( mbedtls_ssl_context *ssl )
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2414{
XiaokangQianac0385c2021-11-03 06:40:11 +0000[diff] [blame]2415 int ret;
2416
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]2417 ret = mbedtls_ssl_tls13_process_finished_message( ssl );
XiaokangQianac0385c2021-11-03 06:40:11 +0000[diff] [blame]2418 if( ret != 0 )
2419 return( ret );
2420
Jerry Yue3d67cb2022-05-19 15:33:10 +0800[diff] [blame]2421 ret = mbedtls_ssl_tls13_compute_application_transform( ssl );
2422 if( ret != 0 )
2423 {
2424 MBEDTLS_SSL_PEND_FATAL_ALERT(
2425 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
2426 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
2427 return( ret );
2428 }
2429
Ronald Cron49ad6192021-11-24 16:25:31 +0100[diff] [blame]2430#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
2431 mbedtls_ssl_handshake_set_state(
2432 ssl,
2433 MBEDTLS_SSL_CLIENT_CCS_AFTER_SERVER_FINISHED );
2434#else
Jerry Yuca133a32022-02-15 14:22:05 +0800[diff] [blame]2435 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE );
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]2436#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
Ronald Cron49ad6192021-11-24 16:25:31 +0100[diff] [blame]2437
XiaokangQianac0385c2021-11-03 06:40:11 +0000[diff] [blame]2438 return( 0 );
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2439}
2440
2441/*
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]2442 * Handler for MBEDTLS_SSL_CLIENT_CERTIFICATE
2443 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2444MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]2445static int ssl_tls13_write_client_certificate( mbedtls_ssl_context *ssl )
2446{
Ronald Cron7a94aca2022-03-09 07:44:27 +0100[diff] [blame]2447 int non_empty_certificate_msg = 0;
2448
Jerry Yu5cc35062022-01-28 16:16:08 +0800[diff] [blame]2449 MBEDTLS_SSL_DEBUG_MSG( 1,
2450 ( "Switch to handshake traffic keys for outbound traffic" ) );
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]2451 mbedtls_ssl_set_outbound_transform( ssl, ssl->handshake->transform_handshake );
Jerry Yu5cc35062022-01-28 16:16:08 +0800[diff] [blame]2452
Ronald Cron928cbd32022-10-04 16:14:26 +0200[diff] [blame]2453#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
Ronald Cron5bb8fc82022-03-09 07:00:13 +0100[diff] [blame]2454 if( ssl->handshake->client_auth )
Ronald Cron7a94aca2022-03-09 07:44:27 +0100[diff] [blame]2455 {
2456 int ret = mbedtls_ssl_tls13_write_certificate( ssl );
2457 if( ret != 0 )
2458 return( ret );
Ronald Cron5bb8fc82022-03-09 07:00:13 +0100[diff] [blame]2459
Ronald Cron7a94aca2022-03-09 07:44:27 +0100[diff] [blame]2460 if( mbedtls_ssl_own_cert( ssl ) != NULL )
2461 non_empty_certificate_msg = 1;
2462 }
2463 else
2464 {
XiaokangQian23c5be62022-06-07 02:04:34 +0000[diff] [blame]2465 MBEDTLS_SSL_DEBUG_MSG( 2, ( "skip write certificate" ) );
Ronald Cron7a94aca2022-03-09 07:44:27 +0100[diff] [blame]2466 }
Ronald Cron9df7c802022-03-08 18:38:54 +0100[diff] [blame]2467#endif
Ronald Cron5bb8fc82022-03-09 07:00:13 +0100[diff] [blame]2468
Ronald Cron7a94aca2022-03-09 07:44:27 +0100[diff] [blame]2469 if( non_empty_certificate_msg )
2470 {
2471 mbedtls_ssl_handshake_set_state( ssl,
2472 MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY );
2473 }
2474 else
Ronald Cron19385882022-06-15 16:26:13 +0200[diff] [blame]2475 {
2476 MBEDTLS_SSL_DEBUG_MSG( 2, ( "skip write certificate verify" ) );
Ronald Cron7a94aca2022-03-09 07:44:27 +0100[diff] [blame]2477 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_FINISHED );
Ronald Cron19385882022-06-15 16:26:13 +0200[diff] [blame]2478 }
Ronald Cron7a94aca2022-03-09 07:44:27 +0100[diff] [blame]2479
Ronald Cron5bb8fc82022-03-09 07:00:13 +0100[diff] [blame]2480 return( 0 );
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]2481}
2482
Ronald Cron928cbd32022-10-04 16:14:26 +0200[diff] [blame]2483#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]2484/*
2485 * Handler for MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY
2486 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2487MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]2488static int ssl_tls13_write_client_certificate_verify( mbedtls_ssl_context *ssl )
2489{
Ronald Crona8b38872022-03-09 07:59:25 +0100[diff] [blame]2490 int ret = mbedtls_ssl_tls13_write_certificate_verify( ssl );
2491
2492 if( ret == 0 )
2493 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_FINISHED );
2494
2495 return( ret );
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]2496}
Ronald Cron928cbd32022-10-04 16:14:26 +0200[diff] [blame]2497#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]2498
2499/*
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2500 * Handler for MBEDTLS_SSL_CLIENT_FINISHED
2501 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2502MBEDTLS_CHECK_RETURN_CRITICAL
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]2503static int ssl_tls13_write_client_finished( mbedtls_ssl_context *ssl )
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2504{
XiaokangQian0fa66432021-11-15 03:33:57 +0000[diff] [blame]2505 int ret;
2506
2507 ret = mbedtls_ssl_tls13_write_finished_message( ssl );
2508 if( ret != 0 )
2509 return( ret );
2510
Jerry Yu466dda82022-09-13 11:20:20 +0800[diff] [blame]2511 ret = mbedtls_ssl_tls13_compute_resumption_master_secret( ssl );
Jerry Yue3d67cb2022-05-19 15:33:10 +0800[diff] [blame]2512 if( ret != 0 )
2513 {
2514 MBEDTLS_SSL_DEBUG_RET( 1,
Jerry Yu466dda82022-09-13 11:20:20 +0800[diff] [blame]2515 "mbedtls_ssl_tls13_compute_resumption_master_secret ", ret );
Jerry Yue3d67cb2022-05-19 15:33:10 +0800[diff] [blame]2516 return ( ret );
2517 }
2518
XiaokangQian0fa66432021-11-15 03:33:57 +0000[diff] [blame]2519 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_FLUSH_BUFFERS );
2520 return( 0 );
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2521}
2522
2523/*
2524 * Handler for MBEDTLS_SSL_FLUSH_BUFFERS
2525 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2526MBEDTLS_CHECK_RETURN_CRITICAL
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]2527static int ssl_tls13_flush_buffers( mbedtls_ssl_context *ssl )
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2528{
Jerry Yu378254d2021-10-30 21:44:47 +0800[diff] [blame]2529 MBEDTLS_SSL_DEBUG_MSG( 2, ( "handshake: done" ) );
Jerry Yuad8d0ba2021-09-28 17:58:26 +0800[diff] [blame]2530 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_HANDSHAKE_WRAPUP );
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2531 return( 0 );
2532}
2533
2534/*
2535 * Handler for MBEDTLS_SSL_HANDSHAKE_WRAPUP
2536 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2537MBEDTLS_CHECK_RETURN_CRITICAL
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]2538static int ssl_tls13_handshake_wrapup( mbedtls_ssl_context *ssl )
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2539{
Jerry Yu378254d2021-10-30 21:44:47 +0800[diff] [blame]2540
2541 mbedtls_ssl_tls13_handshake_wrapup( ssl );
2542
2543 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_HANDSHAKE_OVER );
2544 return( 0 );
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2545}
2546
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2547#if defined(MBEDTLS_SSL_SESSION_TICKETS)
2548
Jerry Yua0446a02022-07-13 11:22:55 +0800[diff] [blame]2549MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yuaf2c0c82022-07-12 05:47:21 +0000[diff] [blame]2550static int ssl_tls13_parse_new_session_ticket_exts( mbedtls_ssl_context *ssl,
2551 const unsigned char *buf,
2552 const unsigned char *end )
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2553{
Jerry Yuc4bf5d62022-10-29 09:08:47 +0800[diff] [blame]2554 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
Jerry Yuaf2c0c82022-07-12 05:47:21 +0000[diff] [blame]2555 const unsigned char *p = buf;
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2556
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2557
Jerry Yuedab6372022-10-31 14:37:31 +0800[diff] [blame]2558 handshake->received_extensions = MBEDTLS_SSL_EXT_MASK_NONE;
Jerry Yu6ba9f1c2022-08-04 17:53:25 +0800[diff] [blame]2559
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2560 while( p < end )
2561 {
2562 unsigned int extension_type;
2563 size_t extension_data_len;
Jerry Yu0c354a22022-08-29 15:25:36 +0800[diff] [blame]2564 int ret;
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2565
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2566 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 4 );
2567 extension_type = MBEDTLS_GET_UINT16_BE( p, 0 );
2568 extension_data_len = MBEDTLS_GET_UINT16_BE( p, 2 );
2569 p += 4;
2570
2571 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, extension_data_len );
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2572
Jerry Yuc4bf5d62022-10-29 09:08:47 +0800[diff] [blame]2573 ret = mbedtls_ssl_tls13_check_received_extension(
Jerry Yuedab6372022-10-31 14:37:31 +0800[diff] [blame]2574 ssl, MBEDTLS_SSL_HS_NEW_SESSION_TICKET, extension_type,
2575 MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_NST );
Jerry Yu0c354a22022-08-29 15:25:36 +0800[diff] [blame]2576 if( ret != 0 )
2577 return( ret );
Jerry Yu6ba9f1c2022-08-04 17:53:25 +0800[diff] [blame]2578
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2579 switch( extension_type )
2580 {
Xiaokang Qian0cc43202022-11-16 08:43:50 +0000[diff] [blame]2581#if defined(MBEDTLS_SSL_EARLY_DATA)
Xiaokang Qianf447e8a2022-11-08 07:02:27 +0000[diff] [blame]2582 case MBEDTLS_TLS_EXT_EARLY_DATA:
Xiaokang Qian2d87a9e2022-11-09 07:55:48 +0000[diff] [blame]2583 if( extension_data_len != 4 )
2584 {
2585 MBEDTLS_SSL_PEND_FATAL_ALERT(
2586 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
2587 MBEDTLS_ERR_SSL_DECODE_ERROR );
2588 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
2589 }
2590 if( ssl->session != NULL )
2591 {
Xiaokang Qianf447e8a2022-11-08 07:02:27 +0000[diff] [blame]2592 ssl->session->ticket_flags |=
Xiaokang Qianfe3483f2022-11-09 10:45:23 +0000[diff] [blame]2593 MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_EARLY_DATA;
Xiaokang Qian2d87a9e2022-11-09 07:55:48 +0000[diff] [blame]2594 }
Xiaokang Qianf447e8a2022-11-08 07:02:27 +0000[diff] [blame]2595 break;
Xiaokang Qian0cc43202022-11-16 08:43:50 +0000[diff] [blame]2596#endif /* MBEDTLS_SSL_EARLY_DATA */
Xiaokang Qianf447e8a2022-11-08 07:02:27 +0000[diff] [blame]2597
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2598 default:
Jerry Yu79aa7212022-11-08 21:30:21 +0800[diff] [blame]2599 MBEDTLS_SSL_PRINT_EXT(
Jerry Yuedab6372022-10-31 14:37:31 +0800[diff] [blame]2600 3, MBEDTLS_SSL_HS_NEW_SESSION_TICKET,
2601 extension_type, "( ignored )" );
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2602 break;
2603 }
Jerry Yu6ba9f1c2022-08-04 17:53:25 +0800[diff] [blame]2604
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2605 p += extension_data_len;
2606 }
2607
Jerry Yu7de2ff02022-11-08 21:43:46 +0800[diff] [blame]2608 MBEDTLS_SSL_PRINT_EXTS( 3, MBEDTLS_SSL_HS_NEW_SESSION_TICKET,
Jerry Yu97be6a92022-11-09 22:43:31 +0800[diff] [blame]2609 handshake->received_extensions );
Jerry Yu6ba9f1c2022-08-04 17:53:25 +0800[diff] [blame]2610
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2611 return( 0 );
2612}
2613
2614/*
Jerry Yu08aed4d2022-07-20 10:36:12 +0800[diff] [blame]2615 * From RFC8446, page 74
2616 *
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2617 * struct {
2618 * uint32 ticket_lifetime;
2619 * uint32 ticket_age_add;
2620 * opaque ticket_nonce<0..255>;
2621 * opaque ticket<1..2^16-1>;
2622 * Extension extensions<0..2^16-2>;
2623 * } NewSessionTicket;
2624 *
2625 */
Jerry Yua0446a02022-07-13 11:22:55 +0800[diff] [blame]2626MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2627static int ssl_tls13_parse_new_session_ticket( mbedtls_ssl_context *ssl,
2628 unsigned char *buf,
Jerry Yucb3b1392022-07-12 06:09:38 +0000[diff] [blame]2629 unsigned char *end,
2630 unsigned char **ticket_nonce,
2631 size_t *ticket_nonce_len )
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2632{
2633 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2634 unsigned char *p = buf;
2635 mbedtls_ssl_session *session = ssl->session;
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2636 size_t ticket_len;
2637 unsigned char *ticket;
2638 size_t extensions_len;
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2639
Jerry Yucb3b1392022-07-12 06:09:38 +0000[diff] [blame]2640 *ticket_nonce = NULL;
2641 *ticket_nonce_len = 0;
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2642 /*
2643 * ticket_lifetime 4 bytes
2644 * ticket_age_add 4 bytes
Jerry Yu08aed4d2022-07-20 10:36:12 +0800[diff] [blame]2645 * ticket_nonce_len 1 byte
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2646 */
Jerry Yucb3b1392022-07-12 06:09:38 +0000[diff] [blame]2647 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 9 );
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2648
2649 session->ticket_lifetime = MBEDTLS_GET_UINT32_BE( p, 0 );
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2650 MBEDTLS_SSL_DEBUG_MSG( 3,
Jerry Yu4e6c42a2022-07-13 11:16:51 +0800[diff] [blame]2651 ( "ticket_lifetime: %u",
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2652 ( unsigned int )session->ticket_lifetime ) );
2653
Jerry Yucb3b1392022-07-12 06:09:38 +0000[diff] [blame]2654 session->ticket_age_add = MBEDTLS_GET_UINT32_BE( p, 4 );
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2655 MBEDTLS_SSL_DEBUG_MSG( 3,
Jerry Yu4e6c42a2022-07-13 11:16:51 +0800[diff] [blame]2656 ( "ticket_age_add: %u",
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2657 ( unsigned int )session->ticket_age_add ) );
2658
Jerry Yucb3b1392022-07-12 06:09:38 +0000[diff] [blame]2659 *ticket_nonce_len = p[8];
2660 p += 9;
2661
2662 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, *ticket_nonce_len );
2663 *ticket_nonce = p;
2664 MBEDTLS_SSL_DEBUG_BUF( 3, "ticket_nonce:", *ticket_nonce, *ticket_nonce_len );
2665 p += *ticket_nonce_len;
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2666
2667 /* Ticket */
Jerry Yucb3b1392022-07-12 06:09:38 +0000[diff] [blame]2668 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2669 ticket_len = MBEDTLS_GET_UINT16_BE( p, 0 );
2670 p += 2;
2671 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, ticket_len );
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2672 MBEDTLS_SSL_DEBUG_BUF( 3, "received ticket", p, ticket_len ) ;
2673
2674 /* Check if we previously received a ticket already. */
2675 if( session->ticket != NULL || session->ticket_len > 0 )
2676 {
2677 mbedtls_free( session->ticket );
2678 session->ticket = NULL;
2679 session->ticket_len = 0;
2680 }
2681
2682 if( ( ticket = mbedtls_calloc( 1, ticket_len ) ) == NULL )
2683 {
2684 MBEDTLS_SSL_DEBUG_MSG( 1, ( "ticket alloc failed" ) );
2685 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
2686 }
2687 memcpy( ticket, p, ticket_len );
2688 p += ticket_len;
2689 session->ticket = ticket;
2690 session->ticket_len = ticket_len;
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2691
Jerry Yucb3b1392022-07-12 06:09:38 +0000[diff] [blame]2692 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2693 extensions_len = MBEDTLS_GET_UINT16_BE( p, 0 );
2694 p += 2;
2695 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, extensions_len );
2696
Jerry Yu4e6c42a2022-07-13 11:16:51 +0800[diff] [blame]2697 MBEDTLS_SSL_DEBUG_BUF( 3, "ticket extension", p, extensions_len );
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2698
Jerry Yu4e6c42a2022-07-13 11:16:51 +0800[diff] [blame]2699 ret = ssl_tls13_parse_new_session_ticket_exts( ssl, p, p + extensions_len );
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2700 if( ret != 0 )
2701 {
2702 MBEDTLS_SSL_DEBUG_RET( 1,
Jerry Yuaf2c0c82022-07-12 05:47:21 +0000[diff] [blame]2703 "ssl_tls13_parse_new_session_ticket_exts",
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2704 ret );
2705 return( ret );
2706 }
Jerry Yucb3b1392022-07-12 06:09:38 +0000[diff] [blame]2707
Jerry Yudb8c5fa2022-08-03 12:10:13 +0800[diff] [blame]2708 /* session has been updated, allow export */
2709 session->exported = 0;
2710
Jerry Yucb3b1392022-07-12 06:09:38 +0000[diff] [blame]2711 return( 0 );
2712}
2713
Jerry Yua0446a02022-07-13 11:22:55 +0800[diff] [blame]2714MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yucb3b1392022-07-12 06:09:38 +0000[diff] [blame]2715static int ssl_tls13_postprocess_new_session_ticket( mbedtls_ssl_context *ssl,
2716 unsigned char *ticket_nonce,
2717 size_t ticket_nonce_len )
2718{
2719 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2720 mbedtls_ssl_session *session = ssl->session;
2721 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
2722 psa_algorithm_t psa_hash_alg;
2723 int hash_length;
2724
Jerry Yu4e6c42a2022-07-13 11:16:51 +0800[diff] [blame]2725#if defined(MBEDTLS_HAVE_TIME)
2726 /* Store ticket creation time */
Jerry Yu08aed4d2022-07-20 10:36:12 +0800[diff] [blame]2727 session->ticket_received = mbedtls_time( NULL );
Jerry Yu4e6c42a2022-07-13 11:16:51 +0800[diff] [blame]2728#endif
2729
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2730 ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( session->ciphersuite );
2731 if( ciphersuite_info == NULL )
2732 {
2733 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2734 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2735 }
2736
2737 psa_hash_alg = mbedtls_psa_translate_md( ciphersuite_info->mac );
2738 hash_length = PSA_HASH_LENGTH( psa_hash_alg );
Jerry Yu3afdf362022-07-20 17:34:14 +0800[diff] [blame]2739 if( hash_length == -1 ||
2740 ( size_t )hash_length > sizeof( session->resumption_key ) )
2741 {
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2742 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Jerry Yu3afdf362022-07-20 17:34:14 +0800[diff] [blame]2743 }
2744
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2745
2746 MBEDTLS_SSL_DEBUG_BUF( 3, "resumption_master_secret",
2747 session->app_secrets.resumption_master_secret,
2748 hash_length );
2749
Jerry Yu4e6c42a2022-07-13 11:16:51 +0800[diff] [blame]2750 /* Compute resumption key
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2751 *
2752 * HKDF-Expand-Label( resumption_master_secret,
2753 * "resumption", ticket_nonce, Hash.length )
2754 */
2755 ret = mbedtls_ssl_tls13_hkdf_expand_label(
2756 psa_hash_alg,
2757 session->app_secrets.resumption_master_secret,
2758 hash_length,
2759 MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( resumption ),
2760 ticket_nonce,
2761 ticket_nonce_len,
Jerry Yu0a430c82022-07-20 11:02:48 +0800[diff] [blame]2762 session->resumption_key,
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2763 hash_length );
2764
2765 if( ret != 0 )
2766 {
2767 MBEDTLS_SSL_DEBUG_RET( 2,
2768 "Creating the ticket-resumed PSK failed",
2769 ret );
2770 return( ret );
2771 }
2772
Jerry Yu0a430c82022-07-20 11:02:48 +0800[diff] [blame]2773 session->resumption_key_len = hash_length;
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2774
2775 MBEDTLS_SSL_DEBUG_BUF( 3, "Ticket-resumed PSK",
Jerry Yu0a430c82022-07-20 11:02:48 +0800[diff] [blame]2776 session->resumption_key,
2777 session->resumption_key_len );
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2778
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2779 return( 0 );
2780}
2781
2782/*
Jerry Yua8d3c502022-10-30 14:51:23 +0800[diff] [blame]2783 * Handler for MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2784 */
Jerry Yua0446a02022-07-13 11:22:55 +0800[diff] [blame]2785MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2786static int ssl_tls13_process_new_session_ticket( mbedtls_ssl_context *ssl )
2787{
2788 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2789 unsigned char *buf;
2790 size_t buf_len;
Jerry Yucb3b1392022-07-12 06:09:38 +0000[diff] [blame]2791 unsigned char *ticket_nonce;
2792 size_t ticket_nonce_len;
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2793
2794 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse new session ticket" ) );
2795
2796 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_fetch_handshake_msg(
2797 ssl, MBEDTLS_SSL_HS_NEW_SESSION_TICKET,
2798 &buf, &buf_len ) );
2799
Jerry Yucb3b1392022-07-12 06:09:38 +0000[diff] [blame]2800 MBEDTLS_SSL_PROC_CHK( ssl_tls13_parse_new_session_ticket(
2801 ssl, buf, buf + buf_len,
2802 &ticket_nonce, &ticket_nonce_len ) );
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2803
Jerry Yucb3b1392022-07-12 06:09:38 +0000[diff] [blame]2804 MBEDTLS_SSL_PROC_CHK( ssl_tls13_postprocess_new_session_ticket(
2805 ssl, ticket_nonce, ticket_nonce_len ) );
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2806
Jerry Yu4e6c42a2022-07-13 11:16:51 +0800[diff] [blame]2807 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_HANDSHAKE_OVER );
2808
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2809cleanup:
2810
2811 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse new session ticket" ) );
2812 return( ret );
2813}
2814#endif /* MBEDTLS_SSL_SESSION_TICKETS */
2815
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]2816int mbedtls_ssl_tls13_handshake_client_step( mbedtls_ssl_context *ssl )
Jerry Yubc20bdd2021-08-24 15:59:48 +0800[diff] [blame]2817{
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]2818 int ret = 0;
Jerry Yuc8a392c2021-08-18 16:46:28 +0800[diff] [blame]2819
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]2820 switch( ssl->state )
2821 {
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]2822 case MBEDTLS_SSL_HELLO_REQUEST:
Jerry Yuddda0502022-12-01 19:43:12 +0800[diff] [blame]2823 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_HELLO );
2824 break;
2825
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]2826 case MBEDTLS_SSL_CLIENT_HELLO:
Ronald Cron3d580bf2022-02-18 17:24:56 +0100[diff] [blame]2827 ret = mbedtls_ssl_write_client_hello( ssl );
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]2828 break;
2829
2830 case MBEDTLS_SSL_SERVER_HELLO:
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]2831 ret = ssl_tls13_process_server_hello( ssl );
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2832 break;
2833
2834 case MBEDTLS_SSL_ENCRYPTED_EXTENSIONS:
XiaokangQian97799ac2021-10-11 10:05:54 +0000[diff] [blame]2835 ret = ssl_tls13_process_encrypted_extensions( ssl );
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2836 break;
2837
Ronald Cron928cbd32022-10-04 16:14:26 +0200[diff] [blame]2838#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
Jerry Yud2674312021-10-29 10:08:19 +0800[diff] [blame]2839 case MBEDTLS_SSL_CERTIFICATE_REQUEST:
2840 ret = ssl_tls13_process_certificate_request( ssl );
2841 break;
2842
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2843 case MBEDTLS_SSL_SERVER_CERTIFICATE:
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]2844 ret = ssl_tls13_process_server_certificate( ssl );
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2845 break;
2846
2847 case MBEDTLS_SSL_CERTIFICATE_VERIFY:
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]2848 ret = ssl_tls13_process_certificate_verify( ssl );
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2849 break;
Ronald Cron928cbd32022-10-04 16:14:26 +0200[diff] [blame]2850#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2851
2852 case MBEDTLS_SSL_SERVER_FINISHED:
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]2853 ret = ssl_tls13_process_server_finished( ssl );
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2854 break;
2855
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]2856 case MBEDTLS_SSL_CLIENT_CERTIFICATE:
2857 ret = ssl_tls13_write_client_certificate( ssl );
2858 break;
2859
Ronald Cron928cbd32022-10-04 16:14:26 +0200[diff] [blame]2860#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]2861 case MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY:
2862 ret = ssl_tls13_write_client_certificate_verify( ssl );
2863 break;
Ronald Cron928cbd32022-10-04 16:14:26 +0200[diff] [blame]2864#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]2865
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2866 case MBEDTLS_SSL_CLIENT_FINISHED:
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]2867 ret = ssl_tls13_write_client_finished( ssl );
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2868 break;
2869
2870 case MBEDTLS_SSL_FLUSH_BUFFERS:
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]2871 ret = ssl_tls13_flush_buffers( ssl );
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2872 break;
2873
2874 case MBEDTLS_SSL_HANDSHAKE_WRAPUP:
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]2875 ret = ssl_tls13_handshake_wrapup( ssl );
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]2876 break;
2877
Ronald Cron49ad6192021-11-24 16:25:31 +0100[diff] [blame]2878 /*
2879 * Injection of dummy-CCS's for middlebox compatibility
2880 */
2881#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
XiaokangQian0b56a8f2021-12-22 02:39:32 +0000[diff] [blame]2882 case MBEDTLS_SSL_CLIENT_CCS_BEFORE_2ND_CLIENT_HELLO:
Ronald Cron9f55f632022-02-02 16:02:47 +0100[diff] [blame]2883 ret = mbedtls_ssl_tls13_write_change_cipher_spec( ssl );
2884 if( ret == 0 )
2885 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_HELLO );
2886 break;
2887
2888 case MBEDTLS_SSL_CLIENT_CCS_AFTER_SERVER_FINISHED:
2889 ret = mbedtls_ssl_tls13_write_change_cipher_spec( ssl );
2890 if( ret == 0 )
2891 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE );
Ronald Cron49ad6192021-11-24 16:25:31 +0100[diff] [blame]2892 break;
2893#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
2894
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2895#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Jerry Yua8d3c502022-10-30 14:51:23 +0800[diff] [blame]2896 case MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET:
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2897 ret = ssl_tls13_process_new_session_ticket( ssl );
2898 if( ret != 0 )
2899 break;
2900 ret = MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET;
2901 break;
2902#endif /* MBEDTLS_SSL_SESSION_TICKETS */
2903
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]2904 default:
2905 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) );
2906 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
2907 }
2908
2909 return( ret );
2910}
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800[diff] [blame]2911
Jerry Yufb4b6472022-01-27 15:03:26 +0800[diff] [blame]2912#endif /* MBEDTLS_SSL_CLI_C && MBEDTLS_SSL_PROTO_TLS1_3 */
Jerry Yu3cc4c2a2021-08-06 16:29:08 +0800[diff] [blame]2913
Jerry Yufb4b6472022-01-27 15:03:26 +0800[diff] [blame]2914