TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 6183cc7470ff31a16cd2c92988c686d57fddd350 / . / library / ssl_tls13_client.c
blob: bca7f9e2988545ebfce064c55a885369ba1a4fe7 [file] [log] [blame]
Jerry Yu3cc4c2a2021-08-06 16:29:08 +0800[diff] [blame]1/*
2 * TLS 1.3 client-side functions
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 *
19 * This file is part of mbed TLS ( https://tls.mbed.org )
20 */
21
22#include "common.h"
23
Jerry Yucc43c6b2022-01-28 10:24:45 +0800[diff] [blame]24#if defined(MBEDTLS_SSL_CLI_C) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
Jerry Yu3cc4c2a2021-08-06 16:29:08 +0800[diff] [blame]25
Jerry Yubc20bdd2021-08-24 15:59:48 +0800[diff] [blame]26#include <string.h>
27
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]28#include "mbedtls/debug.h"
29#include "mbedtls/error.h"
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]30#include "mbedtls/platform.h"
Jerry Yua13c7e72021-08-17 10:44:40 +0800[diff] [blame]31
Jerry Yubdc71882021-09-14 19:30:36 +0800[diff] [blame]32#include "ssl_misc.h"
Ronald Cron3d580bf2022-02-18 17:24:56 +0100[diff] [blame]33#include "ssl_client.h"
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]34#include "ssl_tls13_keys.h"
Jerry Yubdc71882021-09-14 19:30:36 +0800[diff] [blame]35
Jerry Yubc20bdd2021-08-24 15:59:48 +0800[diff] [blame]36/* Write extensions */
37
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]38/*
39 * ssl_tls13_write_supported_versions_ext():
40 *
41 * struct {
42 * ProtocolVersion versions<2..254>;
43 * } SupportedVersions;
44 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]45MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yuf4436812021-08-26 22:59:56 +0800[diff] [blame]46static int ssl_tls13_write_supported_versions_ext( mbedtls_ssl_context *ssl,
Jerry Yueecfbf02021-08-30 18:32:07 +0800[diff] [blame]47 unsigned char *buf,
48 unsigned char *end,
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]49 size_t *out_len )
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]50{
51 unsigned char *p = buf;
Glenn Strausscd78df62022-04-07 19:07:11 -0400[diff] [blame]52 unsigned char versions_len = ( ssl->handshake->min_tls_version <=
53 MBEDTLS_SSL_VERSION_TLS1_2 ) ? 4 : 2;
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]54
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]55 *out_len = 0;
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]56
Jerry Yu159c5a02021-08-31 12:51:25 +0800[diff] [blame]57 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding supported versions extension" ) );
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]58
Jerry Yu388bd0d2021-09-15 18:41:02 +0800[diff] [blame]59 /* Check if we have space to write the extension:
Jerry Yub60e3cf2021-09-08 16:41:02 +0800[diff] [blame]60 * - extension_type (2 bytes)
61 * - extension_data_length (2 bytes)
62 * - versions_length (1 byte )
Ronald Crona77fc272022-03-30 17:20:47 +0200[diff] [blame]63 * - versions (2 or 4 bytes)
Jerry Yu159c5a02021-08-31 12:51:25 +0800[diff] [blame]64 */
Ronald Crona77fc272022-03-30 17:20:47 +0200[diff] [blame]65 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 5 + versions_len );
Ronald Crondbe87f02022-02-10 14:35:27 +0100[diff] [blame]66
Jerry Yueecfbf02021-08-30 18:32:07 +0800[diff] [blame]67 MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS, p, 0 );
Ronald Crondbe87f02022-02-10 14:35:27 +0100[diff] [blame]68 MBEDTLS_PUT_UINT16_BE( versions_len + 1, p, 2 );
Jerry Yueecfbf02021-08-30 18:32:07 +0800[diff] [blame]69 p += 4;
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]70
Jerry Yu1bc2c1f2021-09-01 12:57:29 +0800[diff] [blame]71 /* Length of versions */
Ronald Crondbe87f02022-02-10 14:35:27 +0100[diff] [blame]72 *p++ = versions_len;
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]73
Jerry Yu0c63af62021-09-02 12:59:12 +0800[diff] [blame]74 /* Write values of supported versions.
Jerry Yu0c63af62021-09-02 12:59:12 +0800[diff] [blame]75 * They are defined by the configuration.
Ronald Crondbe87f02022-02-10 14:35:27 +0100[diff] [blame]76 * Currently, we advertise only TLS 1.3 or both TLS 1.3 and TLS 1.2.
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]77 */
Glenn Strausse3af4cb2022-03-15 03:23:42 -0400[diff] [blame]78 mbedtls_ssl_write_version( p, MBEDTLS_SSL_TRANSPORT_STREAM,
79 MBEDTLS_SSL_VERSION_TLS1_3 );
Ronald Crondbe87f02022-02-10 14:35:27 +0100[diff] [blame]80 MBEDTLS_SSL_DEBUG_MSG( 3, ( "supported version: [3:4]" ) );
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]81
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]82
Glenn Strausscd78df62022-04-07 19:07:11 -0400[diff] [blame]83 if( ssl->handshake->min_tls_version <= MBEDTLS_SSL_VERSION_TLS1_2 )
Ronald Crondbe87f02022-02-10 14:35:27 +0100[diff] [blame]84 {
Glenn Strausse3af4cb2022-03-15 03:23:42 -0400[diff] [blame]85 mbedtls_ssl_write_version( p + 2, MBEDTLS_SSL_TRANSPORT_STREAM,
86 MBEDTLS_SSL_VERSION_TLS1_2 );
Ronald Crondbe87f02022-02-10 14:35:27 +0100[diff] [blame]87 MBEDTLS_SSL_DEBUG_MSG( 3, ( "supported version: [3:3]" ) );
88 }
89
90 *out_len = 5 + versions_len;
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]91
92 return( 0 );
93}
Jerry Yubc20bdd2021-08-24 15:59:48 +0800[diff] [blame]94
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]95MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yuc068b662021-10-11 22:30:19 +0800[diff] [blame]96static int ssl_tls13_parse_supported_versions_ext( mbedtls_ssl_context *ssl,
97 const unsigned char *buf,
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]98 const unsigned char *end )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]99{
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]100 ((void) ssl);
101
Ronald Cron98473382022-03-30 20:04:10 +0200[diff] [blame]102 MBEDTLS_SSL_CHK_BUF_READ_PTR( buf, end, 2 );
Glenn Strausse3af4cb2022-03-15 03:23:42 -0400[diff] [blame]103 if( mbedtls_ssl_read_version( buf, ssl->conf->transport ) !=
104 MBEDTLS_SSL_VERSION_TLS1_3 )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]105 {
106 MBEDTLS_SSL_DEBUG_MSG( 1, ( "unexpected version" ) );
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]107
108 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
109 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
110 return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]111 }
112
Ronald Cron98473382022-03-30 20:04:10 +0200[diff] [blame]113 if( &buf[2] != end )
114 {
115 MBEDTLS_SSL_DEBUG_MSG( 1, ( "supported_versions ext data length incorrect" ) );
116 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
117 MBEDTLS_ERR_SSL_DECODE_ERROR );
118 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
119 }
120
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]121 return( 0 );
122}
123
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]124#if defined(MBEDTLS_SSL_ALPN)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]125MBEDTLS_CHECK_RETURN_CRITICAL
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]126static int ssl_tls13_parse_alpn_ext( mbedtls_ssl_context *ssl,
Ronald Cron81a334f2022-05-31 16:04:11 +0200[diff] [blame]127 const unsigned char *buf, size_t len )
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]128{
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]129 const unsigned char *p = buf;
130 const unsigned char *end = buf + len;
Ronald Cron81a334f2022-05-31 16:04:11 +0200[diff] [blame]131 size_t protocol_name_list_len, protocol_name_len;
132 const unsigned char *protocol_name_list_end;
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]133
134 /* If we didn't send it, the server shouldn't send it */
135 if( ssl->conf->alpn_list == NULL )
136 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
137
138 /*
139 * opaque ProtocolName<1..2^8-1>;
140 *
141 * struct {
142 * ProtocolName protocol_name_list<2..2^16-1>
143 * } ProtocolNameList;
144 *
145 * the "ProtocolNameList" MUST contain exactly one "ProtocolName"
146 */
147
Ronald Cron81a334f2022-05-31 16:04:11 +0200[diff] [blame]148 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
149 protocol_name_list_len = MBEDTLS_GET_UINT16_BE( p, 0 );
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]150 p += 2;
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]151
Ronald Cron81a334f2022-05-31 16:04:11 +0200[diff] [blame]152 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, protocol_name_list_len );
153 protocol_name_list_end = p + protocol_name_list_len;
154
155 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, protocol_name_list_end, 1 );
156 protocol_name_len = *p++;
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]157
158 /* Check that the server chosen protocol was in our list and save it */
Ronald Cron81a334f2022-05-31 16:04:11 +0200[diff] [blame]159 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, protocol_name_list_end, protocol_name_len );
160 for( const char **alpn = ssl->conf->alpn_list; *alpn != NULL; alpn++ )
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]161 {
Ronald Cron81a334f2022-05-31 16:04:11 +0200[diff] [blame]162 if( protocol_name_len == strlen( *alpn ) &&
163 memcmp( p, *alpn, protocol_name_len ) == 0 )
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]164 {
165 ssl->alpn_chosen = *alpn;
166 return( 0 );
167 }
168 }
169
170 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
171}
172#endif /* MBEDTLS_SSL_ALPN */
173
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]174MBEDTLS_CHECK_RETURN_CRITICAL
XiaokangQian16acd4b2022-01-14 07:35:47 +0000[diff] [blame]175static int ssl_tls13_reset_key_share( mbedtls_ssl_context *ssl )
XiaokangQian647719a2021-12-07 09:16:29 +0000[diff] [blame]176{
177 uint16_t group_id = ssl->handshake->offered_group_id;
Ronald Cron5b98ac92022-03-15 10:19:18 +0100[diff] [blame]178
XiaokangQian647719a2021-12-07 09:16:29 +0000[diff] [blame]179 if( group_id == 0 )
180 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
181
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]182#if defined(MBEDTLS_ECDH_C)
XiaokangQian647719a2021-12-07 09:16:29 +0000[diff] [blame]183 if( mbedtls_ssl_tls13_named_group_is_ecdhe( group_id ) )
XiaokangQian78b1fa72022-01-19 06:56:30 +0000[diff] [blame]184 {
Ronald Cron5b98ac92022-03-15 10:19:18 +0100[diff] [blame]185 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
186 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
187
188 /* Destroy generated private key. */
189 status = psa_destroy_key( ssl->handshake->ecdh_psa_privkey );
190 if( status != PSA_SUCCESS )
191 {
192 ret = psa_ssl_status_to_mbedtls( status );
193 MBEDTLS_SSL_DEBUG_RET( 1, "psa_destroy_key", ret );
194 return( ret );
195 }
196
197 ssl->handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
XiaokangQian78b1fa72022-01-19 06:56:30 +0000[diff] [blame]198 return( 0 );
199 }
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]200 else
201#endif /* MBEDTLS_ECDH_C */
202 if( 0 /* other KEMs? */ )
XiaokangQian647719a2021-12-07 09:16:29 +0000[diff] [blame]203 {
204 /* Do something */
205 }
206
207 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
208}
209
210/*
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]211 * Functions for writing key_share extension.
212 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]213MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yub60e3cf2021-09-08 16:41:02 +0800[diff] [blame]214static int ssl_tls13_get_default_group_id( mbedtls_ssl_context *ssl,
215 uint16_t *group_id )
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]216{
217 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
218
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]219
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]220#if defined(MBEDTLS_ECDH_C)
Brett Warren14efd332021-10-06 09:32:11 +0100[diff] [blame]221 const uint16_t *group_list = mbedtls_ssl_get_groups( ssl );
Jerry Yu388bd0d2021-09-15 18:41:02 +0800[diff] [blame]222 /* Pick first available ECDHE group compatible with TLS 1.3 */
Brett Warren14efd332021-10-06 09:32:11 +0100[diff] [blame]223 if( group_list == NULL )
Jerry Yu388bd0d2021-09-15 18:41:02 +0800[diff] [blame]224 return( MBEDTLS_ERR_SSL_BAD_CONFIG );
225
Brett Warren14efd332021-10-06 09:32:11 +0100[diff] [blame]226 for ( ; *group_list != 0; group_list++ )
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]227 {
Xiaofei Baieef15042021-11-18 07:29:56 +0000[diff] [blame]228 const mbedtls_ecp_curve_info *curve_info;
229 curve_info = mbedtls_ecp_curve_info_from_tls_id( *group_list );
230 if( curve_info != NULL &&
Brett Warren14efd332021-10-06 09:32:11 +0100[diff] [blame]231 mbedtls_ssl_tls13_named_group_is_ecdhe( *group_list ) )
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]232 {
Brett Warren14efd332021-10-06 09:32:11 +0100[diff] [blame]233 *group_id = *group_list;
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]234 return( 0 );
235 }
236 }
237#else
238 ((void) ssl);
Jerry Yub60e3cf2021-09-08 16:41:02 +0800[diff] [blame]239 ((void) group_id);
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]240#endif /* MBEDTLS_ECDH_C */
241
242 /*
243 * Add DHE named groups here.
Jerry Yu388bd0d2021-09-15 18:41:02 +0800[diff] [blame]244 * Pick first available DHE group compatible with TLS 1.3
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]245 */
246
247 return( ret );
248}
249
250/*
251 * ssl_tls13_write_key_share_ext
252 *
Jerry Yu388bd0d2021-09-15 18:41:02 +0800[diff] [blame]253 * Structure of key_share extension in ClientHello:
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]254 *
255 * struct {
256 * NamedGroup group;
257 * opaque key_exchange<1..2^16-1>;
258 * } KeyShareEntry;
259 * struct {
260 * KeyShareEntry client_shares<0..2^16-1>;
261 * } KeyShareClientHello;
262 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]263MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]264static int ssl_tls13_write_key_share_ext( mbedtls_ssl_context *ssl,
265 unsigned char *buf,
266 unsigned char *end,
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]267 size_t *out_len )
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]268{
269 unsigned char *p = buf;
Xiaofei Baieef15042021-11-18 07:29:56 +0000[diff] [blame]270 unsigned char *client_shares; /* Start of client_shares */
271 size_t client_shares_len; /* Length of client_shares */
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]272 uint16_t group_id;
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]273 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
274
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]275 *out_len = 0;
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]276
Jerry Yub60e3cf2021-09-08 16:41:02 +0800[diff] [blame]277 /* Check if we have space for header and length fields:
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]278 * - extension_type (2 bytes)
279 * - extension_data_length (2 bytes)
280 * - client_shares_length (2 bytes)
281 */
282 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 6 );
283 p += 6;
284
285 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello: adding key share extension" ) );
286
287 /* HRR could already have requested something else. */
288 group_id = ssl->handshake->offered_group_id;
Jerry Yub60e3cf2021-09-08 16:41:02 +0800[diff] [blame]289 if( !mbedtls_ssl_tls13_named_group_is_ecdhe( group_id ) &&
290 !mbedtls_ssl_tls13_named_group_is_dhe( group_id ) )
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]291 {
Jerry Yub60e3cf2021-09-08 16:41:02 +0800[diff] [blame]292 MBEDTLS_SSL_PROC_CHK( ssl_tls13_get_default_group_id( ssl,
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]293 &group_id ) );
294 }
295
296 /*
297 * Dispatch to type-specific key generation function.
298 *
299 * So far, we're only supporting ECDHE. With the introduction
300 * of PQC KEMs, we'll want to have multiple branches, one per
301 * type of KEM, and dispatch to the corresponding crypto. And
302 * only one key share entry is allowed.
303 */
Xiaofei Baieef15042021-11-18 07:29:56 +0000[diff] [blame]304 client_shares = p;
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]305#if defined(MBEDTLS_ECDH_C)
Jerry Yub60e3cf2021-09-08 16:41:02 +0800[diff] [blame]306 if( mbedtls_ssl_tls13_named_group_is_ecdhe( group_id ) )
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]307 {
Jerry Yu388bd0d2021-09-15 18:41:02 +0800[diff] [blame]308 /* Pointer to group */
Xiaofei Baieef15042021-11-18 07:29:56 +0000[diff] [blame]309 unsigned char *group = p;
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]310 /* Length of key_exchange */
Przemyslaw Stekiel4f419e52022-02-10 15:56:26 +0100[diff] [blame]311 size_t key_exchange_len = 0;
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]312
313 /* Check there is space for header of KeyShareEntry
314 * - group (2 bytes)
315 * - key_exchange_length (2 bytes)
316 */
317 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 4 );
318 p += 4;
Jerry Yu89e103c2022-03-30 22:43:29 +0800[diff] [blame]319 ret = mbedtls_ssl_tls13_generate_and_write_ecdh_key_exchange(
320 ssl, group_id, p, end, &key_exchange_len );
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]321 p += key_exchange_len;
322 if( ret != 0 )
323 return( ret );
324
325 /* Write group */
Xiaofei Baieef15042021-11-18 07:29:56 +0000[diff] [blame]326 MBEDTLS_PUT_UINT16_BE( group_id, group, 0 );
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]327 /* Write key_exchange_length */
Xiaofei Baieef15042021-11-18 07:29:56 +0000[diff] [blame]328 MBEDTLS_PUT_UINT16_BE( key_exchange_len, group, 2 );
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]329 }
330 else
331#endif /* MBEDTLS_ECDH_C */
332 if( 0 /* other KEMs? */ )
333 {
334 /* Do something */
335 }
336 else
337 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
338
Jerry Yub60e3cf2021-09-08 16:41:02 +0800[diff] [blame]339 /* Length of client_shares */
Xiaofei Baieef15042021-11-18 07:29:56 +0000[diff] [blame]340 client_shares_len = p - client_shares;
Jerry Yub60e3cf2021-09-08 16:41:02 +0800[diff] [blame]341 if( client_shares_len == 0)
342 {
343 MBEDTLS_SSL_DEBUG_MSG( 1, ( "No key share defined." ) );
344 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Jerry Yu7c522d42021-09-08 17:55:09 +0800[diff] [blame]345 }
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]346 /* Write extension_type */
347 MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_KEY_SHARE, buf, 0 );
348 /* Write extension_data_length */
Jerry Yub60e3cf2021-09-08 16:41:02 +0800[diff] [blame]349 MBEDTLS_PUT_UINT16_BE( client_shares_len + 2, buf, 2 );
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]350 /* Write client_shares_length */
Jerry Yub60e3cf2021-09-08 16:41:02 +0800[diff] [blame]351 MBEDTLS_PUT_UINT16_BE( client_shares_len, buf, 4 );
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]352
353 /* Update offered_group_id field */
354 ssl->handshake->offered_group_id = group_id;
355
356 /* Output the total length of key_share extension. */
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]357 *out_len = p - buf;
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]358
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]359 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, key_share extension", buf, *out_len );
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]360
361 ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_KEY_SHARE;
362
363cleanup:
364
365 return( ret );
366}
Jerry Yubc20bdd2021-08-24 15:59:48 +0800[diff] [blame]367
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]368
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]369/*
370 * ssl_tls13_parse_hrr_key_share_ext()
371 * Parse key_share extension in Hello Retry Request
372 *
373 * struct {
374 * NamedGroup selected_group;
375 * } KeyShareHelloRetryRequest;
376 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]377MBEDTLS_CHECK_RETURN_CRITICAL
XiaokangQiand9e068e2022-01-18 06:23:32 +0000[diff] [blame]378static int ssl_tls13_parse_hrr_key_share_ext( mbedtls_ssl_context *ssl,
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]379 const unsigned char *buf,
380 const unsigned char *end )
381{
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]382 const mbedtls_ecp_curve_info *curve_info = NULL;
383 const unsigned char *p = buf;
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]384 int selected_group;
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]385 int found = 0;
386
387 const uint16_t *group_list = mbedtls_ssl_get_groups( ssl );
388 if( group_list == NULL )
389 return( MBEDTLS_ERR_SSL_BAD_CONFIG );
390
391 MBEDTLS_SSL_DEBUG_BUF( 3, "key_share extension", p, end - buf );
392
393 /* Read selected_group */
XiaokangQianb48894e2022-01-17 02:05:52 +0000[diff] [blame]394 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]395 selected_group = MBEDTLS_GET_UINT16_BE( p, 0 );
396 MBEDTLS_SSL_DEBUG_MSG( 3, ( "selected_group ( %d )", selected_group ) );
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]397
398 /* Upon receipt of this extension in a HelloRetryRequest, the client
399 * MUST first verify that the selected_group field corresponds to a
400 * group which was provided in the "supported_groups" extension in the
401 * original ClientHello.
402 * The supported_group was based on the info in ssl->conf->group_list.
403 *
404 * If the server provided a key share that was not sent in the ClientHello
405 * then the client MUST abort the handshake with an "illegal_parameter" alert.
406 */
XiaokangQiand9e068e2022-01-18 06:23:32 +0000[diff] [blame]407 for( ; *group_list != 0; group_list++ )
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]408 {
409 curve_info = mbedtls_ecp_curve_info_from_tls_id( *group_list );
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]410 if( curve_info == NULL || curve_info->tls_id != selected_group )
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]411 continue;
412
413 /* We found a match */
414 found = 1;
415 break;
416 }
417
418 /* Client MUST verify that the selected_group field does not
419 * correspond to a group which was provided in the "key_share"
420 * extension in the original ClientHello. If the server sent an
421 * HRR message with a key share already provided in the
422 * ClientHello then the client MUST abort the handshake with
423 * an "illegal_parameter" alert.
424 */
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]425 if( found == 0 || selected_group == ssl->handshake->offered_group_id )
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]426 {
427 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Invalid key share in HRR" ) );
428 MBEDTLS_SSL_PEND_FATAL_ALERT(
429 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
430 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
431 return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
432 }
433
434 /* Remember server's preference for next ClientHello */
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]435 ssl->handshake->offered_group_id = selected_group;
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]436
437 return( 0 );
438}
439
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]440/*
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]441 * ssl_tls13_parse_key_share_ext()
442 * Parse key_share extension in Server Hello
443 *
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]444 * struct {
445 * KeyShareEntry server_share;
446 * } KeyShareServerHello;
447 * struct {
448 * NamedGroup group;
449 * opaque key_exchange<1..2^16-1>;
450 * } KeyShareEntry;
451 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]452MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]453static int ssl_tls13_parse_key_share_ext( mbedtls_ssl_context *ssl,
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]454 const unsigned char *buf,
455 const unsigned char *end )
456{
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]457 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]458 const unsigned char *p = buf;
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]459 uint16_t group, offered_group;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]460
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]461 /* ...
462 * NamedGroup group; (2 bytes)
463 * ...
464 */
465 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
466 group = MBEDTLS_GET_UINT16_BE( p, 0 );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]467 p += 2;
468
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]469 /* Check that the chosen group matches the one we offered. */
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]470 offered_group = ssl->handshake->offered_group_id;
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]471 if( offered_group != group )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]472 {
473 MBEDTLS_SSL_DEBUG_MSG( 1,
474 ( "Invalid server key share, our group %u, their group %u",
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]475 (unsigned) offered_group, (unsigned) group ) );
476 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
477 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
478 return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]479 }
480
481#if defined(MBEDTLS_ECDH_C)
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]482 if( mbedtls_ssl_tls13_named_group_is_ecdhe( group ) )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]483 {
Przemyslaw Stekiel9e23ddb2022-02-10 10:32:02 +0100[diff] [blame]484 const mbedtls_ecp_curve_info *curve_info =
485 mbedtls_ecp_curve_info_from_tls_id( group );
486 if( curve_info == NULL )
487 {
488 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Invalid TLS curve group id" ) );
489 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
490 }
491
492 MBEDTLS_SSL_DEBUG_MSG( 2, ( "ECDH curve: %s", curve_info->name ) );
493
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000[diff] [blame]494 ret = mbedtls_ssl_tls13_read_public_ecdhe_share( ssl, p, end - p );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]495 if( ret != 0 )
496 return( ret );
497 }
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]498 else
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]499#endif /* MBEDTLS_ECDH_C */
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]500 if( 0 /* other KEMs? */ )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]501 {
502 /* Do something */
503 }
504 else
505 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
506
507 ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_KEY_SHARE;
508 return( ret );
509}
510
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]511/*
512 * ssl_tls13_parse_cookie_ext()
513 * Parse cookie extension in Hello Retry Request
514 *
515 * struct {
516 * opaque cookie<1..2^16-1>;
517 * } Cookie;
518 *
519 * When sending a HelloRetryRequest, the server MAY provide a "cookie"
520 * extension to the client (this is an exception to the usual rule that
521 * the only extensions that may be sent are those that appear in the
522 * ClientHello). When sending the new ClientHello, the client MUST copy
523 * the contents of the extension received in the HelloRetryRequest into
524 * a "cookie" extension in the new ClientHello. Clients MUST NOT use
525 * cookies in their initial ClientHello in subsequent connections.
526 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]527MBEDTLS_CHECK_RETURN_CRITICAL
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]528static int ssl_tls13_parse_cookie_ext( mbedtls_ssl_context *ssl,
529 const unsigned char *buf,
530 const unsigned char *end )
531{
XiaokangQian25c9c902022-02-08 10:49:53 +0000[diff] [blame]532 uint16_t cookie_len;
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]533 const unsigned char *p = buf;
534 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
535
536 /* Retrieve length field of cookie */
537 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
538 cookie_len = MBEDTLS_GET_UINT16_BE( p, 0 );
539 p += 2;
540
541 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, cookie_len );
542 MBEDTLS_SSL_DEBUG_BUF( 3, "cookie extension", p, cookie_len );
543
XiaokangQian9b93c0d2022-02-09 06:02:25 +0000[diff] [blame]544 mbedtls_free( handshake->cookie );
XiaokangQian25c9c902022-02-08 10:49:53 +0000[diff] [blame]545 handshake->hrr_cookie_len = 0;
XiaokangQian9b93c0d2022-02-09 06:02:25 +0000[diff] [blame]546 handshake->cookie = mbedtls_calloc( 1, cookie_len );
547 if( handshake->cookie == NULL )
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]548 {
549 MBEDTLS_SSL_DEBUG_MSG( 1,
XiaokangQian25c9c902022-02-08 10:49:53 +0000[diff] [blame]550 ( "alloc failed ( %ud bytes )",
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]551 cookie_len ) );
552 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
553 }
554
XiaokangQian9b93c0d2022-02-09 06:02:25 +0000[diff] [blame]555 memcpy( handshake->cookie, p, cookie_len );
XiaokangQian25c9c902022-02-08 10:49:53 +0000[diff] [blame]556 handshake->hrr_cookie_len = cookie_len;
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]557
558 return( 0 );
559}
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]560
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]561MBEDTLS_CHECK_RETURN_CRITICAL
XiaokangQian0b64eed2022-01-27 10:36:51 +0000[diff] [blame]562static int ssl_tls13_write_cookie_ext( mbedtls_ssl_context *ssl,
XiaokangQian233397e2022-02-07 08:32:16 +0000[diff] [blame]563 unsigned char *buf,
564 unsigned char *end,
XiaokangQian9deb90f2022-02-08 10:31:07 +0000[diff] [blame]565 size_t *out_len )
XiaokangQian0b64eed2022-01-27 10:36:51 +0000[diff] [blame]566{
567 unsigned char *p = buf;
XiaokangQian9deb90f2022-02-08 10:31:07 +0000[diff] [blame]568 *out_len = 0;
XiaokangQianc02768a2022-02-10 07:31:25 +0000[diff] [blame]569 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
XiaokangQian0b64eed2022-01-27 10:36:51 +0000[diff] [blame]570
XiaokangQianc02768a2022-02-10 07:31:25 +0000[diff] [blame]571 if( handshake->cookie == NULL )
XiaokangQian0b64eed2022-01-27 10:36:51 +0000[diff] [blame]572 {
573 MBEDTLS_SSL_DEBUG_MSG( 3, ( "no cookie to send; skip extension" ) );
574 return( 0 );
575 }
576
577 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, cookie",
XiaokangQianc02768a2022-02-10 07:31:25 +0000[diff] [blame]578 handshake->cookie,
579 handshake->hrr_cookie_len );
XiaokangQian0b64eed2022-01-27 10:36:51 +0000[diff] [blame]580
XiaokangQianc02768a2022-02-10 07:31:25 +0000[diff] [blame]581 MBEDTLS_SSL_CHK_BUF_PTR( p, end, handshake->hrr_cookie_len + 6 );
XiaokangQian0b64eed2022-01-27 10:36:51 +0000[diff] [blame]582
583 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding cookie extension" ) );
584
XiaokangQian0b64eed2022-01-27 10:36:51 +0000[diff] [blame]585 MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_COOKIE, p, 0 );
XiaokangQianc02768a2022-02-10 07:31:25 +0000[diff] [blame]586 MBEDTLS_PUT_UINT16_BE( handshake->hrr_cookie_len + 2, p, 2 );
587 MBEDTLS_PUT_UINT16_BE( handshake->hrr_cookie_len, p, 4 );
XiaokangQian233397e2022-02-07 08:32:16 +0000[diff] [blame]588 p += 6;
XiaokangQian0b64eed2022-01-27 10:36:51 +0000[diff] [blame]589
590 /* Cookie */
XiaokangQianc02768a2022-02-10 07:31:25 +0000[diff] [blame]591 memcpy( p, handshake->cookie, handshake->hrr_cookie_len );
XiaokangQian0b64eed2022-01-27 10:36:51 +0000[diff] [blame]592
XiaokangQianc02768a2022-02-10 07:31:25 +0000[diff] [blame]593 *out_len = handshake->hrr_cookie_len + 6;
XiaokangQian0b64eed2022-01-27 10:36:51 +0000[diff] [blame]594
595 return( 0 );
596}
597
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]598#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
599/*
600 * ssl_tls13_write_psk_key_exchange_modes_ext() structure:
601 *
602 * enum { psk_ke( 0 ), psk_dhe_ke( 1 ), ( 255 ) } PskKeyExchangeMode;
603 *
604 * struct {
605 * PskKeyExchangeMode ke_modes<1..255>;
606 * } PskKeyExchangeModes;
607 */
XiaokangQian86981952022-07-19 09:51:50 +0000[diff] [blame]608MBEDTLS_CHECK_RETURN_CRITICAL
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]609static int ssl_tls13_write_psk_key_exchange_modes_ext( mbedtls_ssl_context *ssl,
610 unsigned char *buf,
611 unsigned char *end,
612 size_t *out_len )
613{
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]614 unsigned char *p = buf;
XiaokangQian008d2bf2022-07-14 07:54:01 +0000[diff] [blame]615 int ke_modes_len = 0;
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]616
XiaokangQian008d2bf2022-07-14 07:54:01 +0000[diff] [blame]617 ((void) ke_modes_len );
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]618 *out_len = 0;
XiaokangQian008d2bf2022-07-14 07:54:01 +0000[diff] [blame]619
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]620 /* Skip writing extension if no PSK key exchange mode
XiaokangQian7c12d312022-07-20 07:25:43 +0000[diff] [blame]621 * is enabled in the config.
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]622 */
XiaokangQian86981952022-07-19 09:51:50 +0000[diff] [blame]623 if( !mbedtls_ssl_conf_tls13_some_psk_enabled( ssl ) )
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]624 {
625 MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip psk_key_exchange_modes extension" ) );
626 return( 0 );
627 }
628
629 /* Require 7 bytes of data, otherwise fail,
630 * even if extension might be shorter.
631 */
632 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 7 );
633 MBEDTLS_SSL_DEBUG_MSG(
634 3, ( "client hello, adding psk_key_exchange_modes extension" ) );
635
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]636 MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES, p, 0 );
637
XiaokangQian008d2bf2022-07-14 07:54:01 +0000[diff] [blame]638 /* Skip extension length (2 bytes) and
639 * ke_modes length (1 byte) for now.
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]640 */
641 p += 5;
642
643 if( mbedtls_ssl_conf_tls13_psk_enabled( ssl ) )
644 {
645 *p++ = MBEDTLS_SSL_TLS1_3_PSK_MODE_PURE;
XiaokangQian008d2bf2022-07-14 07:54:01 +0000[diff] [blame]646 ke_modes_len++;
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]647
648 MBEDTLS_SSL_DEBUG_MSG( 4, ( "Adding pure PSK key exchange mode" ) );
649 }
650
651 if( mbedtls_ssl_conf_tls13_psk_ephemeral_enabled( ssl ) )
652 {
653 *p++ = MBEDTLS_SSL_TLS1_3_PSK_MODE_ECDHE;
XiaokangQian008d2bf2022-07-14 07:54:01 +0000[diff] [blame]654 ke_modes_len++;
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]655
656 MBEDTLS_SSL_DEBUG_MSG( 4, ( "Adding PSK-ECDHE key exchange mode" ) );
657 }
658
XiaokangQian008d2bf2022-07-14 07:54:01 +0000[diff] [blame]659 /* Now write the extension and ke_modes length */
660 MBEDTLS_PUT_UINT16_BE( ke_modes_len + 1, buf, 2 );
661 buf[4] = ke_modes_len;
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]662
663 *out_len = p - buf;
664 ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_PSK_KEY_EXCHANGE_MODES;
665 return ( 0 );
666}
Jerry Yudb8c5fa2022-08-03 12:10:13 +0800[diff] [blame]667
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]668static psa_algorithm_t ssl_tls13_ciphersuite_to_alg( mbedtls_ssl_context *ssl,
669 int ciphersuite )
670{
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]671
Jerry Yu19ae6f62022-09-30 09:22:21 +0800[diff] [blame]672 psa_algorithm_t psa_alg;
673 if( mbedtls_ssl_tls13_ciphersuite_to_alg(
674 ssl, ciphersuite, &psa_alg ) != 0 )
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]675 {
Jerry Yu19ae6f62022-09-30 09:22:21 +0800[diff] [blame]676 /* ciphersuite is `ssl->session_negotiate->ciphersuite` or
677 * PSA_ALG_SHA256, both are validated before writting pre_shared_key.
678 */
679 MBEDTLS_SSL_DEBUG_MSG( 2, ( "should never happen" ) );
680 return( PSA_ALG_NONE );
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]681 }
Jerry Yu19ae6f62022-09-30 09:22:21 +0800[diff] [blame]682
683 return( psa_alg );
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]684}
685
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]686#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]687
688static int ssl_tls13_has_configured_ticket( mbedtls_ssl_context *ssl )
689{
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]690 mbedtls_ssl_session *session = ssl->session_negotiate;
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]691 return( session != NULL && session->ticket != NULL );
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]692}
693
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]694MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]695static int ssl_tls13_ticket_get_identity( mbedtls_ssl_context *ssl,
696 psa_algorithm_t *psa_alg,
697 const unsigned char **identity,
698 size_t *identity_len )
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]699{
700 mbedtls_ssl_session *session = ssl->session_negotiate;
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]701
702 *psa_alg = PSA_ALG_NONE;
703 *identity = NULL;
704 *identity_len = 0;
705
706 if( !ssl_tls13_has_configured_ticket( ssl ) )
707 return( -1 );
708
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]709 *psa_alg = ssl_tls13_ciphersuite_to_alg( ssl, session->ciphersuite );
710 *identity = session->ticket;
711 *identity_len = session->ticket_len;
712 return( 0 );
713}
714
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]715MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]716static int ssl_tls13_ticket_get_psk( mbedtls_ssl_context *ssl,
717 psa_algorithm_t *psa_alg,
718 const unsigned char **psk,
719 size_t *psk_len )
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]720{
721
722 mbedtls_ssl_session *session = ssl->session_negotiate;
723
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]724 *psa_alg = PSA_ALG_NONE;
725 *psk = NULL;
726 *psk_len = 0;
727
728 if( !ssl_tls13_has_configured_ticket( ssl ) )
729 return( -1 );
730
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]731 *psa_alg = ssl_tls13_ciphersuite_to_alg( ssl, session->ciphersuite );
732 *psk = session->resumption_key;
733 *psk_len = session->resumption_key_len;
734
735 return( 0 );
736}
737
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]738#endif /* MBEDTLS_SSL_SESSION_TICKETS */
739
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]740static int ssl_tls13_has_configured_psk( mbedtls_ssl_context *ssl )
741{
742 return( ssl->conf->psk != NULL &&
743 ssl->conf->psk_len != 0 &&
744 ssl->conf->psk_identity != NULL &&
745 ssl->conf->psk_identity_len != 0 );
746}
747
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]748MBEDTLS_CHECK_RETURN_CRITICAL
749static int ssl_tls13_psk_get_identity( mbedtls_ssl_context *ssl,
750 psa_algorithm_t *psa_alg,
751 const unsigned char **identity,
752 size_t *identity_len )
753{
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]754 *psa_alg = PSA_ALG_NONE;
755 *identity = NULL;
756 *identity_len = 0;
757
758 if( !ssl_tls13_has_configured_psk( ssl ) )
759 return( -1 );
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]760
761 *psa_alg = PSA_ALG_SHA_256;
762 *identity = ssl->conf->psk_identity;
763 *identity_len = ssl->conf->psk_identity_len;
764 return( 0 );
765}
766
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]767MBEDTLS_CHECK_RETURN_CRITICAL
768static int ssl_tls13_psk_get_psk( mbedtls_ssl_context *ssl,
769 psa_algorithm_t *psa_alg,
770 const unsigned char **psk,
771 size_t *psk_len )
772{
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]773 *psa_alg = PSA_ALG_NONE;
774 *psk = NULL;
775 *psk_len = 0;
776
777 if( !ssl_tls13_has_configured_psk( ssl ) )
778 return( -1 );
779
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]780 *psa_alg = PSA_ALG_SHA_256;
781 *psk = ssl->conf->psk;
782 *psk_len = ssl->conf->psk_len;
783 return( 0 );
784}
785
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]786static int ssl_tls13_get_configured_psk_count( mbedtls_ssl_context *ssl )
787{
788 int configured_psk_count = 0;
789#if defined(MBEDTLS_SSL_SESSION_TICKETS)
790 if( ssl_tls13_has_configured_ticket( ssl ) )
791 {
792 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Ticket is configured" ) );
793 configured_psk_count++;
794 }
795#endif
796 if( ssl_tls13_has_configured_psk( ssl ) )
797 {
798 MBEDTLS_SSL_DEBUG_MSG( 3, ( "PSK is configured" ) );
799 configured_psk_count++;
800 }
801 return( configured_psk_count );
802}
803
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]804MBEDTLS_CHECK_RETURN_CRITICAL
805static int ssl_tls13_write_identity( mbedtls_ssl_context *ssl,
806 unsigned char *buf,
807 unsigned char *end,
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]808 const unsigned char *identity,
809 size_t identity_len,
810 uint32_t obfuscated_ticket_age,
811 size_t *out_len )
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]812{
813 unsigned char *p = buf;
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]814
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]815 ((void) ssl);
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]816 *out_len = 0;
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]817
818 /*
819 * - identity_len (2 bytes)
820 * - identity (psk_identity_len bytes)
821 * - obfuscated_ticket_age (4 bytes)
822 */
823 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 6 + identity_len );
824
825 MBEDTLS_PUT_UINT16_BE( identity_len, p, 0 );
826 memcpy( p + 2, identity, identity_len );
827 MBEDTLS_PUT_UINT32_BE( obfuscated_ticket_age, p, 2 + identity_len );
828
829 MBEDTLS_SSL_DEBUG_BUF( 4, "write identity", p, 6 + identity_len );
830
831 *out_len = 6 + identity_len;
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]832
833 return( 0 );
834}
835
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]836MBEDTLS_CHECK_RETURN_CRITICAL
837static int ssl_tls13_write_binder( mbedtls_ssl_context *ssl,
838 unsigned char *buf,
839 unsigned char *end,
840 int psk_type,
Jerry Yu6183cc72022-09-30 11:08:57 +0800[diff] [blame^]841 psa_algorithm_t hash_alg,
842 const unsigned char *psk,
843 size_t psk_len,
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]844 size_t *out_len )
845{
846 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
847 unsigned char *p = buf;
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]848 unsigned char binder_len;
849 unsigned char transcript[MBEDTLS_MD_MAX_SIZE];
850 size_t transcript_len = 0;
851
852 *out_len = 0;
853
Jerry Yu6183cc72022-09-30 11:08:57 +0800[diff] [blame^]854 binder_len = PSA_HASH_LENGTH( hash_alg );
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]855 if( binder_len == 0 )
856 {
857 MBEDTLS_SSL_DEBUG_MSG( 3, ( "should never happen" ) );
858 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
859 }
860
861 /*
862 * - binder_len (1 bytes)
863 * - binder (binder_len bytes)
864 */
865 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 1 + binder_len );
866
867 p[0] = binder_len;
868
869 /* Get current state of handshake transcript. */
870 ret = mbedtls_ssl_get_handshake_transcript(
Jerry Yu6183cc72022-09-30 11:08:57 +0800[diff] [blame^]871 ssl, mbedtls_hash_info_md_from_psa( hash_alg ),
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]872 transcript, MBEDTLS_MD_MAX_SIZE, &transcript_len );
873 if( ret != 0 )
874 return( ret );
875
Jerry Yu6183cc72022-09-30 11:08:57 +0800[diff] [blame^]876 ret = mbedtls_ssl_tls13_create_psk_binder( ssl, hash_alg,
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]877 psk, psk_len, psk_type,
878 transcript, p + 1 );
879 if( ret != 0 )
880 {
881 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_create_psk_binder", ret );
882 return( ret );
883 }
884 MBEDTLS_SSL_DEBUG_BUF( 4, "write binder", p, 1 + binder_len );
885
886 *out_len = 1 + binder_len;
887
888 return( ret );
889}
890
891/*
892 * mbedtls_ssl_tls13_write_identities_of_pre_shared_key_ext() structure:
893 *
894 * struct {
895 * opaque identity<1..2^16-1>;
896 * uint32 obfuscated_ticket_age;
897 * } PskIdentity;
898 *
899 * opaque PskBinderEntry<32..255>;
900 *
901 * struct {
902 * PskIdentity identities<7..2^16-1>;
903 * PskBinderEntry binders<33..2^16-1>;
904 * } OfferedPsks;
905 *
906 * struct {
907 * select (Handshake.msg_type) {
908 * case client_hello: OfferedPsks;
909 * ...
910 * };
911 * } PreSharedKeyExtension;
912 *
913 */
XiaokangQian3ad67bf2022-07-21 02:26:21 +0000[diff] [blame]914int mbedtls_ssl_tls13_write_identities_of_pre_shared_key_ext(
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]915 mbedtls_ssl_context *ssl, unsigned char *buf, unsigned char *end,
916 size_t *out_len, size_t *binders_len )
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]917{
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]918 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]919 int configured_psk_count = 0;
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]920 unsigned char *p = buf;
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]921 psa_algorithm_t hash_alg;
922 const unsigned char *identity;
923 size_t identity_len;
924 uint32_t obfuscated_ticket_age = 0;
925 int hash_len;
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]926 size_t l_binders_len = 0;
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]927 size_t output_len;
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]928
929 *out_len = 0;
930 *binders_len = 0;
931
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]932
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]933 /* Check if we have any PSKs to offer. If no, skip pre_shared_key */
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]934 configured_psk_count = ssl_tls13_get_configured_psk_count( ssl );
935 if( configured_psk_count == 0 )
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]936 {
937 MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip pre_shared_key extensions" ) );
938 return( 0 );
939 }
940
941 MBEDTLS_SSL_DEBUG_MSG( 4, ( "Pre-configured PSK number = %d",
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]942 configured_psk_count ) );
943
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]944 /* Check if we have space to write the extension, binders included.
945 * - extension_type (2 bytes)
946 * - extension_data_len (2 bytes)
947 * - identities_len (2 bytes)
948 */
949 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 6 );
950 p += 6;
951
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]952#if defined(MBEDTLS_SSL_SESSION_TICKETS)
953 if( ssl_tls13_ticket_get_identity(
954 ssl, &hash_alg, &identity, &identity_len ) == 0 )
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]955 {
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]956#if defined(MBEDTLS_HAVE_TIME)
957 mbedtls_time_t now = mbedtls_time( NULL );
958 mbedtls_ssl_session *session = ssl->session_negotiate;
959 obfuscated_ticket_age = (uint32_t)( now - session->ticket_received );
960 obfuscated_ticket_age *= 1000;
961 obfuscated_ticket_age += session->ticket_age_add;
962#endif /* MBEDTLS_HAVE_TIME */
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]963 ret = ssl_tls13_write_identity( ssl, p, end,
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]964 identity, identity_len,
965 obfuscated_ticket_age,
966 &output_len );
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]967 if( ret != 0 )
968 return( ret );
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]969
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]970 hash_len = PSA_HASH_LENGTH( hash_alg );
971 if( hash_len == 0 )
972 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
973
974 p += output_len;
975 l_binders_len += 1 + hash_len;
976 }
977#endif /* MBEDTLS_SSL_SESSION_TICKETS */
978
979 if( ssl_tls13_psk_get_identity(
980 ssl, &hash_alg, &identity, &identity_len ) == 0 )
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]981 {
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]982
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]983 ret = ssl_tls13_write_identity( ssl, p, end,
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]984 identity, identity_len,
985 obfuscated_ticket_age,
986 &output_len );
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]987 if( ret != 0 )
988 return( ret );
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]989
990 hash_len = PSA_HASH_LENGTH( hash_alg );
991 if( hash_len == 0 )
992 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
993
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]994 p += output_len;
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]995 l_binders_len += 1 + hash_len;
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]996 }
997
998 MBEDTLS_SSL_DEBUG_MSG( 3,
999 ( "client hello, adding pre_shared_key extension, "
1000 "omitting PSK binder list" ) );
1001 /*
1002 * - extension_type (2 bytes)
1003 * - extension_data_len (2 bytes)
1004 * - identities_len (2 bytes)
1005 */
1006 MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_PRE_SHARED_KEY, buf, 0 );
1007 MBEDTLS_PUT_UINT16_BE( p - buf - 4 + 2 + l_binders_len , buf, 2 );
1008 MBEDTLS_PUT_UINT16_BE( p - buf - 6 , buf, 4 );
1009
1010 /* Check if there are enough space for binders */
1011 MBEDTLS_SSL_CHK_BUF_PTR( p, end, l_binders_len + 2 );
1012
1013 *out_len = ( p - buf ) + l_binders_len + 2;
1014 *binders_len = l_binders_len + 2;
1015
1016 MBEDTLS_SSL_DEBUG_BUF( 3, "pre_shared_key identities", buf, p - buf );
1017
1018 ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_PRE_SHARED_KEY;
1019
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]1020 return( 0 );
1021}
1022
XiaokangQian86981952022-07-19 09:51:50 +0000[diff] [blame]1023int mbedtls_ssl_tls13_write_binders_of_pre_shared_key_ext(
Jerry Yu0c6105b2022-08-12 17:26:40 +0800[diff] [blame]1024 mbedtls_ssl_context *ssl, unsigned char *buf, unsigned char *end )
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]1025{
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]1026 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1027 unsigned char *p = buf;
Jerry Yu6183cc72022-09-30 11:08:57 +0800[diff] [blame^]1028 psa_algorithm_t hash_alg = PSA_ALG_NONE;
1029 const unsigned char *psk;
1030 size_t psk_len;
1031 size_t output_len;
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]1032
1033 /* Check if we have space to write binders_len.
1034 * - binders_len (2 bytes)
1035 */
1036 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 );
1037 p += 2;
1038
Jerry Yu6183cc72022-09-30 11:08:57 +0800[diff] [blame^]1039#if defined(MBEDTLS_SSL_SESSION_TICKETS)
1040 if( ssl_tls13_ticket_get_psk( ssl, &hash_alg, &psk, &psk_len ) == 0 )
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]1041 {
Jerry Yu6183cc72022-09-30 11:08:57 +0800[diff] [blame^]1042
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]1043 ret = ssl_tls13_write_binder( ssl, p, end,
1044 MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION,
Jerry Yu6183cc72022-09-30 11:08:57 +0800[diff] [blame^]1045 hash_alg, psk, psk_len,
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]1046 &output_len );
1047 if( ret != 0 )
1048 return( ret );
1049 p += output_len;
1050 }
Jerry Yu6183cc72022-09-30 11:08:57 +0800[diff] [blame^]1051#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]1052
Jerry Yu6183cc72022-09-30 11:08:57 +0800[diff] [blame^]1053 if( ssl_tls13_psk_get_psk( ssl, &hash_alg, &psk, &psk_len ) == 0 )
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]1054 {
Jerry Yu6183cc72022-09-30 11:08:57 +0800[diff] [blame^]1055
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]1056 ret = ssl_tls13_write_binder( ssl, p, end,
1057 MBEDTLS_SSL_TLS1_3_PSK_EXTERNAL,
Jerry Yu6183cc72022-09-30 11:08:57 +0800[diff] [blame^]1058 hash_alg, psk, psk_len,
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]1059 &output_len );
1060 if( ret != 0 )
1061 return( ret );
1062 p += output_len;
1063 }
1064
1065 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding PSK binder list." ) );
1066
1067 /*
1068 * - binders_len (2 bytes)
1069 */
1070 MBEDTLS_PUT_UINT16_BE( p - buf - 2, buf, 0 );
1071
1072 MBEDTLS_SSL_DEBUG_BUF( 3, "pre_shared_key binders", buf, p - buf );
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]1073
1074 return( 0 );
1075}
Jerry Yu0c6105b2022-08-12 17:26:40 +0800[diff] [blame]1076
1077/*
1078 * struct {
1079 * opaque identity<1..2^16-1>;
1080 * uint32 obfuscated_ticket_age;
1081 * } PskIdentity;
1082 *
1083 * opaque PskBinderEntry<32..255>;
1084 *
1085 * struct {
1086 *
1087 * select (Handshake.msg_type) {
1088 * ...
1089 * case server_hello: uint16 selected_identity;
1090 * };
1091 *
1092 * } PreSharedKeyExtension;
1093 *
1094 */
1095MBEDTLS_CHECK_RETURN_CRITICAL
1096static int ssl_tls13_parse_server_pre_shared_key_ext( mbedtls_ssl_context *ssl,
1097 const unsigned char *buf,
1098 const unsigned char *end )
1099{
Jerry Yub300e3c2022-09-28 22:12:07 +0800[diff] [blame]1100 int ret = 0;
1101 int selected_identity;
1102 int psk_type = MBEDTLS_SSL_TLS1_3_PSK_EXTERNAL;
1103 const unsigned char *psk;
1104 size_t psk_len;
1105 psa_algorithm_t psa_alg;
1106
1107 MBEDTLS_SSL_CHK_BUF_PTR( buf, end, 2 );
1108 selected_identity = MBEDTLS_GET_UINT16_BE( buf, 0 );
1109 MBEDTLS_SSL_DEBUG_MSG( 3, ( "selected_identity = %d", selected_identity ) );
1110
1111 if( ssl_tls13_has_configured_psk( ssl ) &&
1112 ssl_tls13_has_configured_ticket( ssl ) )
1113 {
1114 if( selected_identity >= 2 )
1115 {
1116 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Out of range" ) );
1117 goto exit;
1118 }
1119 switch( selected_identity )
1120 {
1121 case 0:
1122 psk_type = MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION;
1123 break;
1124 case 1:
1125 psk_type = MBEDTLS_SSL_TLS1_3_PSK_EXTERNAL;
1126 break;
1127 }
1128 }
1129 else if( ssl_tls13_has_configured_psk( ssl ) ||
1130 ssl_tls13_has_configured_ticket( ssl ) )
1131 {
1132 if( selected_identity >= 1 )
1133 {
1134 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Out of range" ) );
1135 goto exit;
1136 }
1137
1138 if( ssl_tls13_has_configured_psk( ssl ) )
1139 psk_type = MBEDTLS_SSL_TLS1_3_PSK_EXTERNAL;
1140 else if( ssl_tls13_has_configured_ticket( ssl ) )
1141 psk_type = MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION;
1142 }
1143 else
1144 {
1145 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1146 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
1147 }
1148 switch( psk_type )
1149 {
1150#if defined(MBEDTLS_SSL_SESSION_TICKETS)
1151 case MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION:
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]1152 ret = ssl_tls13_ticket_get_psk( ssl, &psa_alg, &psk, &psk_len );
Jerry Yub300e3c2022-09-28 22:12:07 +0800[diff] [blame]1153 break;
1154#endif
1155 case MBEDTLS_SSL_TLS1_3_PSK_EXTERNAL:
1156 ret = ssl_tls13_psk_get_psk(
1157 ssl, &psa_alg, &psk, &psk_len );
1158 break;
1159 default:
1160 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1161 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
1162 }
1163 if( ret != 0 )
1164 return( ret );
1165
1166 ret = mbedtls_ssl_set_hs_psk( ssl, psk, psk_len );
1167 if( ret != 0 )
1168 {
1169 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_set_hs_psk", ret );
1170 }
1171 else
1172 ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_PRE_SHARED_KEY;
1173
1174 return( ret );
1175
1176exit:
1177 MBEDTLS_SSL_DEBUG_MSG(
1178 1, ( "Invalid chosen PSK identity." ) );
1179
1180 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
1181 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
1182 return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
Jerry Yu0c6105b2022-08-12 17:26:40 +0800[diff] [blame]1183}
1184
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]1185#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
1186
Ronald Cron3d580bf2022-02-18 17:24:56 +0100[diff] [blame]1187int mbedtls_ssl_tls13_write_client_hello_exts( mbedtls_ssl_context *ssl,
1188 unsigned char *buf,
1189 unsigned char *end,
1190 size_t *out_len )
Ronald Cron04fbd2b2022-02-18 12:06:07 +0100[diff] [blame]1191{
1192 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1193 unsigned char *p = buf;
1194 size_t ext_len;
1195
1196 *out_len = 0;
1197
1198 /* Write supported_versions extension
1199 *
1200 * Supported Versions Extension is mandatory with TLS 1.3.
1201 */
1202 ret = ssl_tls13_write_supported_versions_ext( ssl, p, end, &ext_len );
1203 if( ret != 0 )
1204 return( ret );
1205 p += ext_len;
1206
1207 /* Echo the cookie if the server provided one in its preceding
1208 * HelloRetryRequest message.
1209 */
1210 ret = ssl_tls13_write_cookie_ext( ssl, p, end, &ext_len );
1211 if( ret != 0 )
1212 return( ret );
1213 p += ext_len;
1214
Ronald Cron04fbd2b2022-02-18 12:06:07 +0100[diff] [blame]1215 if( mbedtls_ssl_conf_tls13_some_ephemeral_enabled( ssl ) )
1216 {
1217 ret = ssl_tls13_write_key_share_ext( ssl, p, end, &ext_len );
1218 if( ret != 0 )
1219 return( ret );
1220 p += ext_len;
1221 }
Ronald Cron04fbd2b2022-02-18 12:06:07 +0100[diff] [blame]1222
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]1223#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
1224 /* For PSK-based key exchange we need the pre_shared_key extension
1225 * and the psk_key_exchange_modes extension.
1226 *
1227 * The pre_shared_key extension MUST be the last extension in the
1228 * ClientHello. Servers MUST check that it is the last extension and
1229 * otherwise fail the handshake with an "illegal_parameter" alert.
1230 *
1231 * Add the psk_key_exchange_modes extension.
1232 */
1233 ret = ssl_tls13_write_psk_key_exchange_modes_ext( ssl, p, end, &ext_len );
1234 if( ret != 0 )
1235 return( ret );
1236 p += ext_len;
1237#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
1238
Ronald Cron04fbd2b2022-02-18 12:06:07 +0100[diff] [blame]1239 *out_len = p - buf;
1240
1241 return( 0 );
1242}
1243
Jerry Yu1bc2c1f2021-09-01 12:57:29 +0800[diff] [blame]1244/*
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1245 * Functions for parsing and processing Server Hello
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1246 */
Ronald Cronfd6193c2022-04-05 11:04:20 +0200[diff] [blame]1247
Ronald Cronda41b382022-03-30 09:57:11 +0200[diff] [blame]1248/**
1249 * \brief Detect if the ServerHello contains a supported_versions extension
1250 * or not.
1251 *
1252 * \param[in] ssl SSL context
1253 * \param[in] buf Buffer containing the ServerHello message
1254 * \param[in] end End of the buffer containing the ServerHello message
1255 *
1256 * \return 0 if the ServerHello does not contain a supported_versions extension
1257 * \return 1 if the ServerHello contains a supported_versions extension
1258 * \return A negative value if an error occurred while parsing the ServerHello.
1259 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1260MBEDTLS_CHECK_RETURN_CRITICAL
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]1261static int ssl_tls13_is_supported_versions_ext_present(
1262 mbedtls_ssl_context *ssl,
1263 const unsigned char *buf,
1264 const unsigned char *end )
1265{
1266 const unsigned char *p = buf;
1267 size_t legacy_session_id_echo_len;
1268 size_t extensions_len;
1269 const unsigned char *extensions_end;
1270
1271 /*
1272 * Check there is enough data to access the legacy_session_id_echo vector
Ronald Cronda41b382022-03-30 09:57:11 +0200[diff] [blame]1273 * length:
1274 * - legacy_version 2 bytes
1275 * - random MBEDTLS_SERVER_HELLO_RANDOM_LEN bytes
1276 * - legacy_session_id_echo length 1 byte
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]1277 */
1278 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, MBEDTLS_SERVER_HELLO_RANDOM_LEN + 3 );
1279 p += MBEDTLS_SERVER_HELLO_RANDOM_LEN + 2;
1280 legacy_session_id_echo_len = *p;
1281
1282 /*
1283 * Jump to the extensions, jumping over:
1284 * - legacy_session_id_echo (legacy_session_id_echo_len + 1) bytes
1285 * - cipher_suite 2 bytes
1286 * - legacy_compression_method 1 byte
1287 */
Ronald Cron28271062022-06-10 14:43:55 +0200[diff] [blame]1288 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, legacy_session_id_echo_len + 4 );
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]1289 p += legacy_session_id_echo_len + 4;
1290
1291 /* Case of no extension */
1292 if( p == end )
1293 return( 0 );
1294
1295 /* ...
1296 * Extension extensions<6..2^16-1>;
1297 * ...
1298 * struct {
1299 * ExtensionType extension_type; (2 bytes)
1300 * opaque extension_data<0..2^16-1>;
1301 * } Extension;
1302 */
1303 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
1304 extensions_len = MBEDTLS_GET_UINT16_BE( p, 0 );
1305 p += 2;
1306
1307 /* Check extensions do not go beyond the buffer of data. */
1308 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, extensions_len );
1309 extensions_end = p + extensions_len;
1310
1311 while( p < extensions_end )
1312 {
1313 unsigned int extension_type;
1314 size_t extension_data_len;
1315
1316 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, 4 );
1317 extension_type = MBEDTLS_GET_UINT16_BE( p, 0 );
1318 extension_data_len = MBEDTLS_GET_UINT16_BE( p, 2 );
1319 p += 4;
1320
1321 if( extension_type == MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS )
1322 return( 1 );
1323
1324 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, extension_data_len );
1325 p += extension_data_len;
1326 }
1327
1328 return( 0 );
1329}
1330
Jerry Yu7a186a02021-10-15 18:46:14 +0800[diff] [blame]1331/* Returns a negative value on failure, and otherwise
Ronald Cronfd6193c2022-04-05 11:04:20 +0200[diff] [blame]1332 * - 1 if the last eight bytes of the ServerHello random bytes indicate that
1333 * the server is TLS 1.3 capable but negotiating TLS 1.2 or below.
1334 * - 0 otherwise
1335 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1336MBEDTLS_CHECK_RETURN_CRITICAL
Ronald Cronfd6193c2022-04-05 11:04:20 +0200[diff] [blame]1337static int ssl_tls13_is_downgrade_negotiation( mbedtls_ssl_context *ssl,
1338 const unsigned char *buf,
1339 const unsigned char *end )
1340{
1341 /* First seven bytes of the magic downgrade strings, see RFC 8446 4.1.3 */
1342 static const unsigned char magic_downgrade_string[] =
1343 { 0x44, 0x4F, 0x57, 0x4E, 0x47, 0x52, 0x44 };
1344 const unsigned char *last_eight_bytes_of_random;
1345 unsigned char last_byte_of_random;
1346
1347 MBEDTLS_SSL_CHK_BUF_READ_PTR( buf, end, MBEDTLS_SERVER_HELLO_RANDOM_LEN + 2 );
1348 last_eight_bytes_of_random = buf + 2 + MBEDTLS_SERVER_HELLO_RANDOM_LEN - 8;
1349
1350 if( memcmp( last_eight_bytes_of_random,
1351 magic_downgrade_string,
1352 sizeof( magic_downgrade_string ) ) == 0 )
1353 {
1354 last_byte_of_random = last_eight_bytes_of_random[7];
1355 return( last_byte_of_random == 0 ||
1356 last_byte_of_random == 1 );
1357 }
1358
1359 return( 0 );
1360}
1361
1362/* Returns a negative value on failure, and otherwise
Ronald Cron828aff62022-05-31 12:04:31 +0200[diff] [blame]1363 * - SSL_SERVER_HELLO or
1364 * - SSL_SERVER_HELLO_HRR
XiaokangQian51eff222021-12-10 10:33:56 +0000[diff] [blame]1365 * to indicate which message is expected and to be parsed next.
1366 */
Ronald Cron828aff62022-05-31 12:04:31 +0200[diff] [blame]1367#define SSL_SERVER_HELLO 0
1368#define SSL_SERVER_HELLO_HRR 1
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1369MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1370static int ssl_server_hello_is_hrr( mbedtls_ssl_context *ssl,
1371 const unsigned char *buf,
1372 const unsigned char *end )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1373{
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1374
1375 /* Check whether this message is a HelloRetryRequest ( HRR ) message.
1376 *
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1377 * Server Hello and HRR are only distinguished by Random set to the
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1378 * special value of the SHA-256 of "HelloRetryRequest".
1379 *
1380 * struct {
1381 * ProtocolVersion legacy_version = 0x0303;
1382 * Random random;
1383 * opaque legacy_session_id_echo<0..32>;
1384 * CipherSuite cipher_suite;
1385 * uint8 legacy_compression_method = 0;
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1386 * Extension extensions<6..2^16-1>;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1387 * } ServerHello;
1388 *
1389 */
Jerry Yu93a13f22022-04-11 23:00:01 +0800[diff] [blame]1390 MBEDTLS_SSL_CHK_BUF_READ_PTR( buf, end,
1391 2 + sizeof( mbedtls_ssl_tls13_hello_retry_request_magic ) );
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1392
Jerry Yu93a13f22022-04-11 23:00:01 +0800[diff] [blame]1393 if( memcmp( buf + 2, mbedtls_ssl_tls13_hello_retry_request_magic,
1394 sizeof( mbedtls_ssl_tls13_hello_retry_request_magic ) ) == 0 )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1395 {
Ronald Cron828aff62022-05-31 12:04:31 +0200[diff] [blame]1396 return( SSL_SERVER_HELLO_HRR );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1397 }
1398
Ronald Cron828aff62022-05-31 12:04:31 +0200[diff] [blame]1399 return( SSL_SERVER_HELLO );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1400}
1401
Ronald Cron828aff62022-05-31 12:04:31 +0200[diff] [blame]1402/*
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1403 * Returns a negative value on failure, and otherwise
Ronald Cron828aff62022-05-31 12:04:31 +0200[diff] [blame]1404 * - SSL_SERVER_HELLO or
1405 * - SSL_SERVER_HELLO_HRR or
1406 * - SSL_SERVER_HELLO_TLS1_2
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1407 */
Ronald Cron828aff62022-05-31 12:04:31 +0200[diff] [blame]1408#define SSL_SERVER_HELLO_TLS1_2 2
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1409MBEDTLS_CHECK_RETURN_CRITICAL
Ronald Cron828aff62022-05-31 12:04:31 +0200[diff] [blame]1410static int ssl_tls13_preprocess_server_hello( mbedtls_ssl_context *ssl,
Ronald Crondb5dfa12022-05-31 11:44:38 +0200[diff] [blame]1411 const unsigned char *buf,
1412 const unsigned char *end )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1413{
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1414 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Ronald Cron5afb9042022-05-31 12:11:39 +0200[diff] [blame]1415 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1416
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]1417 MBEDTLS_SSL_PROC_CHK_NEG( ssl_tls13_is_supported_versions_ext_present(
Ronald Crondb5dfa12022-05-31 11:44:38 +0200[diff] [blame]1418 ssl, buf, end ) );
Jerry Yua66fece2022-07-13 14:30:29 +0800[diff] [blame]1419
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]1420 if( ret == 0 )
1421 {
Ronald Cronfd6193c2022-04-05 11:04:20 +0200[diff] [blame]1422 MBEDTLS_SSL_PROC_CHK_NEG(
Ronald Crondb5dfa12022-05-31 11:44:38 +0200[diff] [blame]1423 ssl_tls13_is_downgrade_negotiation( ssl, buf, end ) );
Ronald Cronfd6193c2022-04-05 11:04:20 +0200[diff] [blame]1424
1425 /* If the server is negotiating TLS 1.2 or below and:
1426 * . we did not propose TLS 1.2 or
1427 * . the server responded it is TLS 1.3 capable but negotiating a lower
1428 * version of the protocol and thus we are under downgrade attack
1429 * abort the handshake with an "illegal parameter" alert.
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]1430 */
Ronald Cron5afb9042022-05-31 12:11:39 +0200[diff] [blame]1431 if( handshake->min_tls_version > MBEDTLS_SSL_VERSION_TLS1_2 || ret )
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]1432 {
1433 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
1434 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
1435 return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
1436 }
1437
1438 ssl->keep_current_message = 1;
Glenn Strauss60bfe602022-03-14 19:04:24 -0400[diff] [blame]1439 ssl->tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]1440 mbedtls_ssl_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_SERVER_HELLO,
Ronald Crondb5dfa12022-05-31 11:44:38 +0200[diff] [blame]1441 buf, (size_t)(end - buf) );
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]1442
1443 if( mbedtls_ssl_conf_tls13_some_ephemeral_enabled( ssl ) )
1444 {
1445 ret = ssl_tls13_reset_key_share( ssl );
1446 if( ret != 0 )
1447 return( ret );
1448 }
1449
Ronald Cron828aff62022-05-31 12:04:31 +0200[diff] [blame]1450 return( SSL_SERVER_HELLO_TLS1_2 );
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]1451 }
1452
Jerry Yua66fece2022-07-13 14:30:29 +0800[diff] [blame]1453#if defined(MBEDTLS_SSL_SESSION_TICKETS)
1454 ssl->session_negotiate->endpoint = ssl->conf->endpoint;
1455 ssl->session_negotiate->tls_version = ssl->tls_version;
1456#endif /* MBEDTLS_SSL_SESSION_TICKETS */
1457
Ronald Cron5afb9042022-05-31 12:11:39 +0200[diff] [blame]1458 handshake->extensions_present = MBEDTLS_SSL_EXT_NONE;
1459
Ronald Crondb5dfa12022-05-31 11:44:38 +0200[diff] [blame]1460 ret = ssl_server_hello_is_hrr( ssl, buf, end );
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1461 switch( ret )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1462 {
Ronald Cron828aff62022-05-31 12:04:31 +0200[diff] [blame]1463 case SSL_SERVER_HELLO:
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1464 MBEDTLS_SSL_DEBUG_MSG( 2, ( "received ServerHello message" ) );
1465 break;
Ronald Cron828aff62022-05-31 12:04:31 +0200[diff] [blame]1466 case SSL_SERVER_HELLO_HRR:
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1467 MBEDTLS_SSL_DEBUG_MSG( 2, ( "received HelloRetryRequest message" ) );
XiaokangQian16acd4b2022-01-14 07:35:47 +0000[diff] [blame]1468 /* If a client receives a second
1469 * HelloRetryRequest in the same connection (i.e., where the ClientHello
1470 * was itself in response to a HelloRetryRequest), it MUST abort the
1471 * handshake with an "unexpected_message" alert.
1472 */
Ronald Cron5afb9042022-05-31 12:11:39 +0200[diff] [blame]1473 if( handshake->hello_retry_request_count > 0 )
XiaokangQian16acd4b2022-01-14 07:35:47 +0000[diff] [blame]1474 {
1475 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Multiple HRRs received" ) );
1476 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE,
1477 MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
1478 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
1479 }
XiaokangQian2b01dc32022-01-21 02:53:13 +0000[diff] [blame]1480 /*
1481 * Clients must abort the handshake with an "illegal_parameter"
1482 * alert if the HelloRetryRequest would not result in any change
1483 * in the ClientHello.
1484 * In a PSK only key exchange that what we expect.
1485 */
1486 if( ! mbedtls_ssl_conf_tls13_some_ephemeral_enabled( ssl ) )
1487 {
1488 MBEDTLS_SSL_DEBUG_MSG( 1,
1489 ( "Unexpected HRR in pure PSK key exchange." ) );
1490 MBEDTLS_SSL_PEND_FATAL_ALERT(
1491 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
1492 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
1493 return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
1494 }
XiaokangQian16acd4b2022-01-14 07:35:47 +0000[diff] [blame]1495
Ronald Cron5afb9042022-05-31 12:11:39 +0200[diff] [blame]1496 handshake->hello_retry_request_count++;
XiaokangQian16acd4b2022-01-14 07:35:47 +0000[diff] [blame]1497
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1498 break;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1499 }
1500
1501cleanup:
1502
1503 return( ret );
1504}
1505
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1506MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1507static int ssl_tls13_check_server_hello_session_id_echo( mbedtls_ssl_context *ssl,
1508 const unsigned char **buf,
1509 const unsigned char *end )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1510{
1511 const unsigned char *p = *buf;
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1512 size_t legacy_session_id_echo_len;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1513
Jerry Yude4fb2c2021-09-19 18:05:08 +0800[diff] [blame]1514 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 1 );
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1515 legacy_session_id_echo_len = *p++ ;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1516
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1517 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, legacy_session_id_echo_len );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1518
1519 /* legacy_session_id_echo */
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1520 if( ssl->session_negotiate->id_len != legacy_session_id_echo_len ||
1521 memcmp( ssl->session_negotiate->id, p , legacy_session_id_echo_len ) != 0 )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1522 {
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1523 MBEDTLS_SSL_DEBUG_BUF( 3, "Expected Session ID",
1524 ssl->session_negotiate->id,
1525 ssl->session_negotiate->id_len );
1526 MBEDTLS_SSL_DEBUG_BUF( 3, "Received Session ID", p,
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1527 legacy_session_id_echo_len );
1528
1529 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
1530 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
1531
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1532 return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
1533 }
1534
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1535 p += legacy_session_id_echo_len;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1536 *buf = p;
1537
1538 MBEDTLS_SSL_DEBUG_BUF( 3, "Session ID", ssl->session_negotiate->id,
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1539 ssl->session_negotiate->id_len );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1540 return( 0 );
1541}
1542
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1543/* Parse ServerHello message and configure context
1544 *
1545 * struct {
1546 * ProtocolVersion legacy_version = 0x0303; // TLS 1.2
1547 * Random random;
1548 * opaque legacy_session_id_echo<0..32>;
1549 * CipherSuite cipher_suite;
1550 * uint8 legacy_compression_method = 0;
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1551 * Extension extensions<6..2^16-1>;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1552 * } ServerHello;
1553 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1554MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yuc068b662021-10-11 22:30:19 +0800[diff] [blame]1555static int ssl_tls13_parse_server_hello( mbedtls_ssl_context *ssl,
1556 const unsigned char *buf,
XiaokangQiand9e068e2022-01-18 06:23:32 +0000[diff] [blame]1557 const unsigned char *end,
1558 int is_hrr )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1559{
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1560 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1561 const unsigned char *p = buf;
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]1562 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1563 size_t extensions_len;
1564 const unsigned char *extensions_end;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1565 uint16_t cipher_suite;
Jerry Yude4fb2c2021-09-19 18:05:08 +0800[diff] [blame]1566 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
XiaokangQianb119a352022-01-26 03:29:10 +0000[diff] [blame]1567 int fatal_alert = 0;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1568
1569 /*
1570 * Check there is space for minimal fields
1571 *
1572 * - legacy_version ( 2 bytes)
Jerry Yue6d7e5c2021-10-26 10:44:32 +0800[diff] [blame]1573 * - random (MBEDTLS_SERVER_HELLO_RANDOM_LEN bytes)
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1574 * - legacy_session_id_echo ( 1 byte ), minimum size
1575 * - cipher_suite ( 2 bytes)
1576 * - legacy_compression_method ( 1 byte )
1577 */
Jerry Yue6d7e5c2021-10-26 10:44:32 +0800[diff] [blame]1578 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, MBEDTLS_SERVER_HELLO_RANDOM_LEN + 6 );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1579
1580 MBEDTLS_SSL_DEBUG_BUF( 4, "server hello", p, end - p );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1581 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, version", p, 2 );
1582
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1583 /* ...
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1584 * ProtocolVersion legacy_version = 0x0303; // TLS 1.2
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1585 * ...
1586 * with ProtocolVersion defined as:
1587 * uint16 ProtocolVersion;
1588 */
Glenn Strausse3af4cb2022-03-15 03:23:42 -0400[diff] [blame]1589 if( mbedtls_ssl_read_version( p, ssl->conf->transport ) !=
1590 MBEDTLS_SSL_VERSION_TLS1_2 )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1591 {
1592 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Unsupported version of TLS." ) );
1593 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION,
1594 MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION );
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1595 ret = MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION;
1596 goto cleanup;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1597 }
1598 p += 2;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1599
Jerry Yue6d7e5c2021-10-26 10:44:32 +0800[diff] [blame]1600 /* ...
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1601 * Random random;
1602 * ...
1603 * with Random defined as:
Jerry Yue6d7e5c2021-10-26 10:44:32 +0800[diff] [blame]1604 * opaque Random[MBEDTLS_SERVER_HELLO_RANDOM_LEN];
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1605 */
XiaokangQian53f20b72022-01-18 10:47:33 +0000[diff] [blame]1606 if( !is_hrr )
1607 {
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]1608 memcpy( &handshake->randbytes[MBEDTLS_CLIENT_HELLO_RANDOM_LEN], p,
XiaokangQian53f20b72022-01-18 10:47:33 +0000[diff] [blame]1609 MBEDTLS_SERVER_HELLO_RANDOM_LEN );
1610 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, random bytes",
1611 p, MBEDTLS_SERVER_HELLO_RANDOM_LEN );
1612 }
Jerry Yue6d7e5c2021-10-26 10:44:32 +0800[diff] [blame]1613 p += MBEDTLS_SERVER_HELLO_RANDOM_LEN;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1614
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1615 /* ...
1616 * opaque legacy_session_id_echo<0..32>;
1617 * ...
1618 */
1619 if( ssl_tls13_check_server_hello_session_id_echo( ssl, &p, end ) != 0 )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1620 {
XiaokangQian52da5582022-01-26 09:49:29 +0000[diff] [blame]1621 fatal_alert = MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER;
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1622 goto cleanup;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1623 }
1624
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1625 /* ...
1626 * CipherSuite cipher_suite;
1627 * ...
1628 * with CipherSuite defined as:
1629 * uint8 CipherSuite[2];
1630 */
1631 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1632 cipher_suite = MBEDTLS_GET_UINT16_BE( p, 0 );
1633 p += 2;
1634
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1635
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]1636 ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( cipher_suite );
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1637 /*
Ronald Cronba120bb2022-03-30 22:09:48 +0200[diff] [blame]1638 * Check whether this ciphersuite is valid and offered.
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1639 */
Glenn Strauss60bfe602022-03-14 19:04:24 -0400[diff] [blame]1640 if( ( mbedtls_ssl_validate_ciphersuite( ssl, ciphersuite_info,
1641 ssl->tls_version,
1642 ssl->tls_version ) != 0 ) ||
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]1643 !mbedtls_ssl_tls13_cipher_suite_is_offered( ssl, cipher_suite ) )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1644 {
XiaokangQian52da5582022-01-26 09:49:29 +0000[diff] [blame]1645 fatal_alert = MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1646 }
XiaokangQian53f20b72022-01-18 10:47:33 +0000[diff] [blame]1647 /*
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]1648 * If we received an HRR before and that the proposed selected
1649 * ciphersuite in this server hello is not the same as the one
1650 * proposed in the HRR, we abort the handshake and send an
1651 * "illegal_parameter" alert.
XiaokangQian53f20b72022-01-18 10:47:33 +0000[diff] [blame]1652 */
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]1653 else if( ( !is_hrr ) && ( handshake->hello_retry_request_count > 0 ) &&
1654 ( cipher_suite != ssl->session_negotiate->ciphersuite ) )
XiaokangQian53f20b72022-01-18 10:47:33 +0000[diff] [blame]1655 {
XiaokangQian52da5582022-01-26 09:49:29 +0000[diff] [blame]1656 fatal_alert = MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER;
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]1657 }
XiaokangQian53f20b72022-01-18 10:47:33 +0000[diff] [blame]1658
XiaokangQian52da5582022-01-26 09:49:29 +0000[diff] [blame]1659 if( fatal_alert == MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER )
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]1660 {
1661 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid ciphersuite(%04x) parameter",
1662 cipher_suite ) );
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1663 goto cleanup;
XiaokangQian53f20b72022-01-18 10:47:33 +0000[diff] [blame]1664 }
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1665
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1666 /* Configure ciphersuites */
1667 mbedtls_ssl_optimize_checksum( ssl, ciphersuite_info );
1668
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]1669 handshake->ciphersuite_info = ciphersuite_info;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1670 ssl->session_negotiate->ciphersuite = cipher_suite;
1671
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1672 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: ( %04x ) - %s",
1673 cipher_suite, ciphersuite_info->name ) );
1674
1675#if defined(MBEDTLS_HAVE_TIME)
1676 ssl->session_negotiate->start = time( NULL );
1677#endif /* MBEDTLS_HAVE_TIME */
1678
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1679 /* ...
1680 * uint8 legacy_compression_method = 0;
1681 * ...
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1682 */
Jerry Yude4fb2c2021-09-19 18:05:08 +0800[diff] [blame]1683 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 1 );
Thomas Daubney31e03a82022-07-25 15:59:25 +0100[diff] [blame]1684 if( p[0] != MBEDTLS_SSL_COMPRESS_NULL )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1685 {
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1686 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad legacy compression method" ) );
XiaokangQian52da5582022-01-26 09:49:29 +0000[diff] [blame]1687 fatal_alert = MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER;
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1688 goto cleanup;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1689 }
1690 p++;
1691
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1692 /* ...
1693 * Extension extensions<6..2^16-1>;
1694 * ...
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1695 * struct {
1696 * ExtensionType extension_type; (2 bytes)
1697 * opaque extension_data<0..2^16-1>;
1698 * } Extension;
1699 */
Jerry Yude4fb2c2021-09-19 18:05:08 +0800[diff] [blame]1700 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1701 extensions_len = MBEDTLS_GET_UINT16_BE( p, 0 );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1702 p += 2;
Jerry Yude4fb2c2021-09-19 18:05:08 +0800[diff] [blame]1703
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1704 /* Check extensions do not go beyond the buffer of data. */
1705 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, extensions_len );
1706 extensions_end = p + extensions_len;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1707
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1708 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello extensions", p, extensions_len );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1709
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1710 while( p < extensions_end )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1711 {
1712 unsigned int extension_type;
1713 size_t extension_data_len;
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]1714 const unsigned char *extension_data_end;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1715
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1716 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, 4 );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1717 extension_type = MBEDTLS_GET_UINT16_BE( p, 0 );
1718 extension_data_len = MBEDTLS_GET_UINT16_BE( p, 2 );
1719 p += 4;
1720
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1721 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, extension_data_len );
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]1722 extension_data_end = p + extension_data_len;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1723
1724 switch( extension_type )
1725 {
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]1726 case MBEDTLS_TLS_EXT_COOKIE:
1727
XiaokangQiand9e068e2022-01-18 06:23:32 +0000[diff] [blame]1728 if( !is_hrr )
1729 {
XiaokangQian52da5582022-01-26 09:49:29 +0000[diff] [blame]1730 fatal_alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT;
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1731 goto cleanup;
XiaokangQiand9e068e2022-01-18 06:23:32 +0000[diff] [blame]1732 }
1733
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]1734 ret = ssl_tls13_parse_cookie_ext( ssl,
1735 p, extension_data_end );
1736 if( ret != 0 )
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]1737 {
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]1738 MBEDTLS_SSL_DEBUG_RET( 1,
1739 "ssl_tls13_parse_cookie_ext",
1740 ret );
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1741 goto cleanup;
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]1742 }
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]1743 break;
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]1744
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1745 case MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS:
Jerry Yuc068b662021-10-11 22:30:19 +0800[diff] [blame]1746 ret = ssl_tls13_parse_supported_versions_ext( ssl,
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1747 p,
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]1748 extension_data_end );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1749 if( ret != 0 )
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1750 goto cleanup;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1751 break;
1752
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]1753#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1754 case MBEDTLS_TLS_EXT_PRE_SHARED_KEY:
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]1755 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found pre_shared_key extension" ) );
1756 if( is_hrr )
1757 {
1758 fatal_alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT;
1759 goto cleanup;
1760 }
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1761
XiaokangQian86981952022-07-19 09:51:50 +0000[diff] [blame]1762 if( ( ret = ssl_tls13_parse_server_pre_shared_key_ext(
XiaokangQian008d2bf2022-07-14 07:54:01 +0000[diff] [blame]1763 ssl, p, extension_data_end ) ) != 0 )
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]1764 {
1765 MBEDTLS_SSL_DEBUG_RET(
XiaokangQian86981952022-07-19 09:51:50 +0000[diff] [blame]1766 1, ( "ssl_tls13_parse_server_pre_shared_key_ext" ), ret );
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]1767 return( ret );
1768 }
1769 break;
1770#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1771
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1772 case MBEDTLS_TLS_EXT_KEY_SHARE:
1773 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found key_shares extension" ) );
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1774 if( ! mbedtls_ssl_conf_tls13_some_ephemeral_enabled( ssl ) )
1775 {
XiaokangQian52da5582022-01-26 09:49:29 +0000[diff] [blame]1776 fatal_alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT;
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1777 goto cleanup;
1778 }
1779
XiaokangQian53f20b72022-01-18 10:47:33 +0000[diff] [blame]1780 if( is_hrr )
XiaokangQiand9e068e2022-01-18 06:23:32 +0000[diff] [blame]1781 ret = ssl_tls13_parse_hrr_key_share_ext( ssl,
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]1782 p, extension_data_end );
XiaokangQian53f20b72022-01-18 10:47:33 +0000[diff] [blame]1783 else
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]1784 ret = ssl_tls13_parse_key_share_ext( ssl,
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]1785 p, extension_data_end );
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]1786 if( ret != 0 )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1787 {
1788 MBEDTLS_SSL_DEBUG_RET( 1,
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1789 "ssl_tls13_parse_key_share_ext",
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1790 ret );
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1791 goto cleanup;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1792 }
1793 break;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1794
1795 default:
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1796 MBEDTLS_SSL_DEBUG_MSG(
1797 3,
1798 ( "unknown extension found: %u ( ignoring )",
1799 extension_type ) );
1800
XiaokangQian52da5582022-01-26 09:49:29 +0000[diff] [blame]1801 fatal_alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT;
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1802 goto cleanup;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1803 }
1804
1805 p += extension_data_len;
1806 }
1807
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1808cleanup:
1809
XiaokangQian52da5582022-01-26 09:49:29 +0000[diff] [blame]1810 if( fatal_alert == MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT )
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1811 {
1812 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT,
1813 MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION );
1814 ret = MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION;
1815 }
XiaokangQian52da5582022-01-26 09:49:29 +0000[diff] [blame]1816 else if ( fatal_alert == MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER )
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1817 {
1818 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
1819 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
1820 ret = MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
1821 }
1822 return( ret );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1823}
1824
Xiaokang Qiancb6e9632022-09-26 11:59:32 +0000[diff] [blame]1825#if defined(MBEDTLS_DEBUG_C)
1826static const char *ssl_tls13_get_kex_mode_str(int mode)
Xiaokang Qian5beec4b2022-09-26 08:23:45 +0000[diff] [blame]1827{
1828 switch( mode )
1829 {
1830 case MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK:
1831 return "psk";
1832 case MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL:
1833 return "ephemeral";
1834 case MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL:
1835 return "psk_ephemeral";
1836 default:
1837 return "unknown mode";
1838 }
1839}
Xiaokang Qiancb6e9632022-09-26 11:59:32 +0000[diff] [blame]1840#endif /* MBEDTLS_DEBUG_C */
Xiaokang Qian5beec4b2022-09-26 08:23:45 +0000[diff] [blame]1841
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1842MBEDTLS_CHECK_RETURN_CRITICAL
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]1843static int ssl_tls13_postprocess_server_hello( mbedtls_ssl_context *ssl )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1844{
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1845 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1846 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
Jerry Yu0b177842021-09-05 19:41:30 +0800[diff] [blame]1847
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1848 /* Determine the key exchange mode:
1849 * 1) If both the pre_shared_key and key_share extensions were received
1850 * then the key exchange mode is PSK with EPHEMERAL.
1851 * 2) If only the pre_shared_key extension was received then the key
1852 * exchange mode is PSK-only.
1853 * 3) If only the key_share extension was received then the key
1854 * exchange mode is EPHEMERAL-only.
Jerry Yu0b177842021-09-05 19:41:30 +0800[diff] [blame]1855 */
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1856 switch( handshake->extensions_present &
1857 ( MBEDTLS_SSL_EXT_PRE_SHARED_KEY | MBEDTLS_SSL_EXT_KEY_SHARE ) )
Jerry Yu0b177842021-09-05 19:41:30 +0800[diff] [blame]1858 {
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1859 /* Only the pre_shared_key extension was received */
1860 case MBEDTLS_SSL_EXT_PRE_SHARED_KEY:
Ronald Cron79907712022-07-20 17:05:29 +0200[diff] [blame]1861 handshake->key_exchange_mode = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK;
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1862 break;
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1863
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1864 /* Only the key_share extension was received */
1865 case MBEDTLS_SSL_EXT_KEY_SHARE:
Ronald Cron79907712022-07-20 17:05:29 +0200[diff] [blame]1866 handshake->key_exchange_mode = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL;
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1867 break;
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1868
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1869 /* Both the pre_shared_key and key_share extensions were received */
1870 case ( MBEDTLS_SSL_EXT_PRE_SHARED_KEY | MBEDTLS_SSL_EXT_KEY_SHARE ):
Ronald Cron79907712022-07-20 17:05:29 +0200[diff] [blame]1871 handshake->key_exchange_mode = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL;
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1872 break;
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1873
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1874 /* Neither pre_shared_key nor key_share extension was received */
1875 default:
1876 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Unknown key exchange." ) );
1877 ret = MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
1878 goto cleanup;
Jerry Yu0b177842021-09-05 19:41:30 +0800[diff] [blame]1879 }
1880
Xiaokang Qianac8195f2022-09-26 04:01:06 +0000[diff] [blame]1881 if( !mbedtls_ssl_conf_tls13_check_kex_modes( ssl, handshake->key_exchange_mode ) )
1882 {
1883 ret = MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
1884 MBEDTLS_SSL_DEBUG_MSG( 2,
Xiaokang Qianca343ae2022-09-28 02:07:54 +0000[diff] [blame]1885 ( "Key exchange mode(%s) is not supported.",
Xiaokang Qiancb6e9632022-09-26 11:59:32 +0000[diff] [blame]1886 ssl_tls13_get_kex_mode_str( handshake->key_exchange_mode ) ) );
Xiaokang Qianac8195f2022-09-26 04:01:06 +0000[diff] [blame]1887 goto cleanup;
1888 }
1889
Xiaokang Qian5beec4b2022-09-26 08:23:45 +0000[diff] [blame]1890 MBEDTLS_SSL_DEBUG_MSG( 3,
Xiaokang Qianca343ae2022-09-28 02:07:54 +0000[diff] [blame]1891 ( "Selected key exchange mode: %s",
Xiaokang Qiancb6e9632022-09-26 11:59:32 +0000[diff] [blame]1892 ssl_tls13_get_kex_mode_str( handshake->key_exchange_mode ) ) );
Xiaokang Qian5beec4b2022-09-26 08:23:45 +0000[diff] [blame]1893
Jerry Yu0b177842021-09-05 19:41:30 +0800[diff] [blame]1894 /* Start the TLS 1.3 key schedule: Set the PSK and derive early secret.
1895 *
1896 * TODO: We don't have to do this in case we offered 0-RTT and the
1897 * server accepted it. In this case, we could skip generating
1898 * the early secret. */
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]1899 ret = mbedtls_ssl_tls13_key_schedule_stage_early( ssl );
Jerry Yu0b177842021-09-05 19:41:30 +0800[diff] [blame]1900 if( ret != 0 )
1901 {
Jerry Yue110d252022-05-05 10:19:22 +0800[diff] [blame]1902 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_key_schedule_stage_early",
Jerry Yu0b177842021-09-05 19:41:30 +0800[diff] [blame]1903 ret );
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1904 goto cleanup;
Jerry Yu0b177842021-09-05 19:41:30 +0800[diff] [blame]1905 }
1906
Jerry Yuf86eb752022-05-06 11:16:55 +0800[diff] [blame]1907 ret = mbedtls_ssl_tls13_compute_handshake_transform( ssl );
Jerry Yu0b177842021-09-05 19:41:30 +0800[diff] [blame]1908 if( ret != 0 )
1909 {
Jerry Yuf86eb752022-05-06 11:16:55 +0800[diff] [blame]1910 MBEDTLS_SSL_DEBUG_RET( 1,
1911 "mbedtls_ssl_tls13_compute_handshake_transform",
Jerry Yuc068b662021-10-11 22:30:19 +0800[diff] [blame]1912 ret );
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1913 goto cleanup;
Jerry Yu0b177842021-09-05 19:41:30 +0800[diff] [blame]1914 }
1915
Jerry Yue110d252022-05-05 10:19:22 +0800[diff] [blame]1916 mbedtls_ssl_set_inbound_transform( ssl, handshake->transform_handshake );
Jerry Yu0b177842021-09-05 19:41:30 +0800[diff] [blame]1917 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Switch to handshake keys for inbound traffic" ) );
1918 ssl->session_in = ssl->session_negotiate;
1919
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1920cleanup:
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1921 if( ret != 0 )
1922 {
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1923 MBEDTLS_SSL_PEND_FATAL_ALERT(
1924 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
1925 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
1926 }
Jerry Yue110d252022-05-05 10:19:22 +0800[diff] [blame]1927
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1928 return( ret );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1929}
1930
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1931MBEDTLS_CHECK_RETURN_CRITICAL
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]1932static int ssl_tls13_postprocess_hrr( mbedtls_ssl_context *ssl )
XiaokangQian647719a2021-12-07 09:16:29 +0000[diff] [blame]1933{
1934 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1935
XiaokangQian78b1fa72022-01-19 06:56:30 +0000[diff] [blame]1936 mbedtls_ssl_session_reset_msg_layer( ssl, 0 );
XiaokangQian647719a2021-12-07 09:16:29 +0000[diff] [blame]1937
XiaokangQian78b1fa72022-01-19 06:56:30 +0000[diff] [blame]1938 /*
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]1939 * We are going to re-generate a shared secret corresponding to the group
1940 * selected by the server, which is different from the group for which we
1941 * generated a shared secret in the first client hello.
1942 * Thus, reset the shared secret.
XiaokangQian51eff222021-12-10 10:33:56 +0000[diff] [blame]1943 */
XiaokangQian16acd4b2022-01-14 07:35:47 +0000[diff] [blame]1944 ret = ssl_tls13_reset_key_share( ssl );
XiaokangQian647719a2021-12-07 09:16:29 +0000[diff] [blame]1945 if( ret != 0 )
1946 return( ret );
1947
1948 return( 0 );
1949}
1950
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1951/*
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1952 * Wait and parse ServerHello handshake message.
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]1953 * Handler for MBEDTLS_SSL_SERVER_HELLO
1954 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1955MBEDTLS_CHECK_RETURN_CRITICAL
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]1956static int ssl_tls13_process_server_hello( mbedtls_ssl_context *ssl )
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]1957{
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1958 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
XiaokangQian647719a2021-12-07 09:16:29 +0000[diff] [blame]1959 unsigned char *buf = NULL;
1960 size_t buf_len = 0;
XiaokangQian78b1fa72022-01-19 06:56:30 +0000[diff] [blame]1961 int is_hrr = 0;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1962
1963 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> %s", __func__ ) );
1964
Ronald Crondb5dfa12022-05-31 11:44:38 +0200[diff] [blame]1965 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_fetch_handshake_msg( ssl,
1966 MBEDTLS_SSL_HS_SERVER_HELLO,
1967 &buf, &buf_len ) );
1968
Ronald Cron828aff62022-05-31 12:04:31 +0200[diff] [blame]1969 ret = ssl_tls13_preprocess_server_hello( ssl, buf, buf + buf_len );
XiaokangQiand9e068e2022-01-18 06:23:32 +0000[diff] [blame]1970 if( ret < 0 )
XiaokangQian16acd4b2022-01-14 07:35:47 +0000[diff] [blame]1971 goto cleanup;
1972 else
Ronald Cron828aff62022-05-31 12:04:31 +0200[diff] [blame]1973 is_hrr = ( ret == SSL_SERVER_HELLO_HRR );
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1974
Ronald Cron828aff62022-05-31 12:04:31 +0200[diff] [blame]1975 if( ret == SSL_SERVER_HELLO_TLS1_2 )
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]1976 {
1977 ret = 0;
1978 goto cleanup;
1979 }
1980
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]1981 MBEDTLS_SSL_PROC_CHK( ssl_tls13_parse_server_hello( ssl, buf,
XiaokangQiand9e068e2022-01-18 06:23:32 +0000[diff] [blame]1982 buf + buf_len,
1983 is_hrr ) );
1984 if( is_hrr )
XiaokangQian647719a2021-12-07 09:16:29 +0000[diff] [blame]1985 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_reset_transcript_for_hrr( ssl ) );
1986
Ronald Cron8f6d39a2022-03-10 18:56:50 +0100[diff] [blame]1987 mbedtls_ssl_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_SERVER_HELLO,
1988 buf, buf_len );
XiaokangQian647719a2021-12-07 09:16:29 +0000[diff] [blame]1989
XiaokangQiand9e068e2022-01-18 06:23:32 +0000[diff] [blame]1990 if( is_hrr )
Ronald Cronfb508b82022-05-31 14:49:55 +0200[diff] [blame]1991 {
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]1992 MBEDTLS_SSL_PROC_CHK( ssl_tls13_postprocess_hrr( ssl ) );
Ronald Cronfb508b82022-05-31 14:49:55 +0200[diff] [blame]1993#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
1994 /* If not offering early data, the client sends a dummy CCS record
1995 * immediately before its second flight. This may either be before
1996 * its second ClientHello or before its encrypted handshake flight.
1997 */
1998 mbedtls_ssl_handshake_set_state( ssl,
1999 MBEDTLS_SSL_CLIENT_CCS_BEFORE_2ND_CLIENT_HELLO );
2000#else
2001 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_HELLO );
2002#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
2003 }
XiaokangQiand9e068e2022-01-18 06:23:32 +0000[diff] [blame]2004 else
Ronald Cronfb508b82022-05-31 14:49:55 +0200[diff] [blame]2005 {
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]2006 MBEDTLS_SSL_PROC_CHK( ssl_tls13_postprocess_server_hello( ssl ) );
Ronald Cronfb508b82022-05-31 14:49:55 +0200[diff] [blame]2007 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_ENCRYPTED_EXTENSIONS );
2008 }
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]2009
2010cleanup:
XiaokangQiana9090612022-01-27 03:48:27 +0000[diff] [blame]2011 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= %s ( %s )", __func__,
2012 is_hrr?"HelloRetryRequest":"ServerHello" ) );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]2013 return( ret );
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2014}
2015
2016/*
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]2017 *
Ronald Cron9d6a5452022-05-30 16:05:38 +0200[diff] [blame]2018 * Handler for MBEDTLS_SSL_ENCRYPTED_EXTENSIONS
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]2019 *
2020 * The EncryptedExtensions message contains any extensions which
2021 * should be protected, i.e., any which are not needed to establish
2022 * the cryptographic context.
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2023 */
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]2024
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]2025/* Parse EncryptedExtensions message
2026 * struct {
XiaokangQian97799ac2021-10-11 10:05:54 +0000[diff] [blame]2027 * Extension extensions<0..2^16-1>;
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]2028 * } EncryptedExtensions;
2029 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2030MBEDTLS_CHECK_RETURN_CRITICAL
XiaokangQian97799ac2021-10-11 10:05:54 +0000[diff] [blame]2031static int ssl_tls13_parse_encrypted_extensions( mbedtls_ssl_context *ssl,
2032 const unsigned char *buf,
2033 const unsigned char *end )
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]2034{
2035 int ret = 0;
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]2036 size_t extensions_len;
XiaokangQian140f0452021-10-08 08:05:53 +0000[diff] [blame]2037 const unsigned char *p = buf;
XiaokangQian8db25ff2021-10-13 05:56:18 +0000[diff] [blame]2038 const unsigned char *extensions_end;
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]2039
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]2040 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
XiaokangQian97799ac2021-10-11 10:05:54 +0000[diff] [blame]2041 extensions_len = MBEDTLS_GET_UINT16_BE( p, 0 );
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]2042 p += 2;
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]2043
XiaokangQian97799ac2021-10-11 10:05:54 +0000[diff] [blame]2044 MBEDTLS_SSL_DEBUG_BUF( 3, "encrypted extensions", p, extensions_len );
XiaokangQian8db25ff2021-10-13 05:56:18 +0000[diff] [blame]2045 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, extensions_len );
Ronald Cronc8083592022-05-31 16:24:05 +0200[diff] [blame]2046 extensions_end = p + extensions_len;
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]2047
XiaokangQian8db25ff2021-10-13 05:56:18 +0000[diff] [blame]2048 while( p < extensions_end )
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]2049 {
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]2050 unsigned int extension_type;
2051 size_t extension_data_len;
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]2052
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]2053 /*
2054 * struct {
XiaokangQian97799ac2021-10-11 10:05:54 +0000[diff] [blame]2055 * ExtensionType extension_type; (2 bytes)
2056 * opaque extension_data<0..2^16-1>;
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]2057 * } Extension;
2058 */
XiaokangQian8db25ff2021-10-13 05:56:18 +0000[diff] [blame]2059 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, 4 );
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]2060 extension_type = MBEDTLS_GET_UINT16_BE( p, 0 );
2061 extension_data_len = MBEDTLS_GET_UINT16_BE( p, 2 );
2062 p += 4;
2063
XiaokangQian8db25ff2021-10-13 05:56:18 +0000[diff] [blame]2064 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, extension_data_len );
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]2065
XiaokangQian97799ac2021-10-11 10:05:54 +0000[diff] [blame]2066 /* The client MUST check EncryptedExtensions for the
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]2067 * presence of any forbidden extensions and if any are found MUST abort
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]2068 * the handshake with an "unsupported_extension" alert.
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]2069 */
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]2070 switch( extension_type )
2071 {
Jerry Yu661dd942022-08-03 14:50:01 +0800[diff] [blame]2072 case MBEDTLS_TLS_EXT_SERVERNAME:
2073 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found server_name extension" ) );
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]2074
Jerry Yu661dd942022-08-03 14:50:01 +0800[diff] [blame]2075 /* The server_name extension should be an empty extension */
2076
2077 break;
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]2078 case MBEDTLS_TLS_EXT_SUPPORTED_GROUPS:
2079 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found extensions supported groups" ) );
2080 break;
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]2081
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]2082#if defined(MBEDTLS_SSL_ALPN)
2083 case MBEDTLS_TLS_EXT_ALPN:
2084 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found alpn extension" ) );
2085
2086 if( ( ret = ssl_tls13_parse_alpn_ext( ssl, p, (size_t)extension_data_len ) ) != 0 )
2087 {
2088 return( ret );
2089 }
2090
2091 break;
2092#endif /* MBEDTLS_SSL_ALPN */
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]2093 default:
XiaokangQian97799ac2021-10-11 10:05:54 +0000[diff] [blame]2094 MBEDTLS_SSL_DEBUG_MSG(
2095 3, ( "unsupported extension found: %u ", extension_type) );
2096 MBEDTLS_SSL_PEND_FATAL_ALERT(
Jerry Yu7aa71862021-10-28 21:41:30 +0800[diff] [blame]2097 MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT,
XiaokangQian97799ac2021-10-11 10:05:54 +0000[diff] [blame]2098 MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION );
2099 return ( MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION );
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]2100 }
2101
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]2102 p += extension_data_len;
XiaokangQian97799ac2021-10-11 10:05:54 +0000[diff] [blame]2103 }
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]2104
XiaokangQian97799ac2021-10-11 10:05:54 +0000[diff] [blame]2105 /* Check that we consumed all the message. */
XiaokangQian7b2d4ef2021-10-13 10:19:02 +0000[diff] [blame]2106 if( p != end )
XiaokangQian97799ac2021-10-11 10:05:54 +0000[diff] [blame]2107 {
2108 MBEDTLS_SSL_DEBUG_MSG( 1, ( "EncryptedExtension lengths misaligned" ) );
Jerry Yu7aa71862021-10-28 21:41:30 +0800[diff] [blame]2109 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
XiaokangQian7b2d4ef2021-10-13 10:19:02 +0000[diff] [blame]2110 MBEDTLS_ERR_SSL_DECODE_ERROR );
XiaokangQian97799ac2021-10-11 10:05:54 +0000[diff] [blame]2111 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]2112 }
2113
2114 return( ret );
2115}
2116
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2117MBEDTLS_CHECK_RETURN_CRITICAL
Ronald Cron9d6a5452022-05-30 16:05:38 +0200[diff] [blame]2118static int ssl_tls13_process_encrypted_extensions( mbedtls_ssl_context *ssl )
2119{
2120 int ret;
2121 unsigned char *buf;
2122 size_t buf_len;
2123
2124 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse encrypted extensions" ) );
2125
2126 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_fetch_handshake_msg( ssl,
2127 MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS,
2128 &buf, &buf_len ) );
2129
2130 /* Process the message contents */
2131 MBEDTLS_SSL_PROC_CHK(
2132 ssl_tls13_parse_encrypted_extensions( ssl, buf, buf + buf_len ) );
2133
2134 mbedtls_ssl_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS,
2135 buf, buf_len );
2136
Ronald Cronfb508b82022-05-31 14:49:55 +0200[diff] [blame]2137#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Ronald Cron79907712022-07-20 17:05:29 +0200[diff] [blame]2138 if( mbedtls_ssl_tls13_key_exchange_mode_with_psk( ssl ) )
Ronald Cronfb508b82022-05-31 14:49:55 +0200[diff] [blame]2139 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_FINISHED );
2140 else
2141 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CERTIFICATE_REQUEST );
2142#else
2143 ((void) ssl);
2144 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_FINISHED );
2145#endif
Ronald Cron9d6a5452022-05-30 16:05:38 +0200[diff] [blame]2146
2147cleanup:
2148
2149 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse encrypted extensions" ) );
2150 return( ret );
2151
2152}
2153
Jerry Yua93ac112021-10-27 16:31:48 +0800[diff] [blame]2154#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2155/*
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2156 * STATE HANDLING: CertificateRequest
2157 *
Jerry Yud2674312021-10-29 10:08:19 +0800[diff] [blame]2158 */
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]2159#define SSL_CERTIFICATE_REQUEST_EXPECT_REQUEST 0
2160#define SSL_CERTIFICATE_REQUEST_SKIP 1
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2161/* Coordination:
2162 * Deals with the ambiguity of not knowing if a CertificateRequest
2163 * will be sent. Returns a negative code on failure, or
2164 * - SSL_CERTIFICATE_REQUEST_EXPECT_REQUEST
2165 * - SSL_CERTIFICATE_REQUEST_SKIP
2166 * indicating if a Certificate Request is expected or not.
2167 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2168MBEDTLS_CHECK_RETURN_CRITICAL
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2169static int ssl_tls13_certificate_request_coordinate( mbedtls_ssl_context *ssl )
Jerry Yud2674312021-10-29 10:08:19 +0800[diff] [blame]2170{
Xiaofei Baide3f13e2022-01-18 05:47:05 +0000[diff] [blame]2171 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yud2674312021-10-29 10:08:19 +0800[diff] [blame]2172
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2173 if( ( ret = mbedtls_ssl_read_record( ssl, 0 ) ) != 0 )
Jerry Yud2674312021-10-29 10:08:19 +0800[diff] [blame]2174 {
2175 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
2176 return( ret );
2177 }
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2178 ssl->keep_current_message = 1;
Jerry Yud2674312021-10-29 10:08:19 +0800[diff] [blame]2179
2180 if( ( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE ) &&
2181 ( ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE_REQUEST ) )
2182 {
Ronald Cron19385882022-06-15 16:26:13 +0200[diff] [blame]2183 MBEDTLS_SSL_DEBUG_MSG( 3, ( "got a certificate request" ) );
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2184 return( SSL_CERTIFICATE_REQUEST_EXPECT_REQUEST );
Jerry Yud2674312021-10-29 10:08:19 +0800[diff] [blame]2185 }
2186
Ronald Cron19385882022-06-15 16:26:13 +0200[diff] [blame]2187 MBEDTLS_SSL_DEBUG_MSG( 3, ( "got no certificate request" ) );
2188
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2189 return( SSL_CERTIFICATE_REQUEST_SKIP );
2190}
2191
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2192/*
2193 * ssl_tls13_parse_certificate_request()
2194 * Parse certificate request
2195 * struct {
2196 * opaque certificate_request_context<0..2^8-1>;
2197 * Extension extensions<2..2^16-1>;
2198 * } CertificateRequest;
2199 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2200MBEDTLS_CHECK_RETURN_CRITICAL
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2201static int ssl_tls13_parse_certificate_request( mbedtls_ssl_context *ssl,
2202 const unsigned char *buf,
2203 const unsigned char *end )
2204{
2205 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2206 const unsigned char *p = buf;
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2207 size_t certificate_request_context_len = 0;
Xiaofei Bai82f0a9a2022-01-26 09:21:54 +0000[diff] [blame]2208 size_t extensions_len = 0;
2209 const unsigned char *extensions_end;
2210 unsigned char sig_alg_ext_found = 0;
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2211
Xiaofei Bai82f0a9a2022-01-26 09:21:54 +0000[diff] [blame]2212 /* ...
2213 * opaque certificate_request_context<0..2^8-1>
2214 * ...
2215 */
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2216 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 1 );
2217 certificate_request_context_len = (size_t) p[0];
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]2218 p += 1;
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2219
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2220 if( certificate_request_context_len > 0 )
2221 {
Xiaofei Baic234ecf2022-02-08 09:59:23 +0000[diff] [blame]2222 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, certificate_request_context_len );
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2223 MBEDTLS_SSL_DEBUG_BUF( 3, "Certificate Request Context",
2224 p, certificate_request_context_len );
2225
Xiaofei Bai82f0a9a2022-01-26 09:21:54 +0000[diff] [blame]2226 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]2227 handshake->certificate_request_context =
Xiaofei Bai6d42bb42022-01-28 08:52:13 +0000[diff] [blame]2228 mbedtls_calloc( 1, certificate_request_context_len );
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]2229 if( handshake->certificate_request_context == NULL )
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2230 {
2231 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
2232 return ( MBEDTLS_ERR_SSL_ALLOC_FAILED );
2233 }
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]2234 memcpy( handshake->certificate_request_context, p,
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2235 certificate_request_context_len );
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2236 p += certificate_request_context_len;
2237 }
2238
Xiaofei Bai82f0a9a2022-01-26 09:21:54 +0000[diff] [blame]2239 /* ...
2240 * Extension extensions<2..2^16-1>;
2241 * ...
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2242 */
2243 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
2244 extensions_len = MBEDTLS_GET_UINT16_BE( p, 0 );
2245 p += 2;
2246
2247 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, extensions_len );
2248 extensions_end = p + extensions_len;
2249
2250 while( p < extensions_end )
2251 {
2252 unsigned int extension_type;
2253 size_t extension_data_len;
2254
2255 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, 4 );
2256 extension_type = MBEDTLS_GET_UINT16_BE( p, 0 );
2257 extension_data_len = MBEDTLS_GET_UINT16_BE( p, 2 );
2258 p += 4;
2259
2260 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, extension_data_len );
2261
2262 switch( extension_type )
2263 {
2264 case MBEDTLS_TLS_EXT_SIG_ALG:
2265 MBEDTLS_SSL_DEBUG_MSG( 3,
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]2266 ( "found signature algorithms extension" ) );
Gabor Mezei078e8032022-04-27 21:17:56 +0200[diff] [blame]2267 ret = mbedtls_ssl_parse_sig_alg_ext( ssl, p,
Gabor Mezei696956d2022-05-13 16:27:29 +0200[diff] [blame]2268 p + extension_data_len );
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2269 if( ret != 0 )
2270 return( ret );
Xiaofei Bai82f0a9a2022-01-26 09:21:54 +0000[diff] [blame]2271 if( ! sig_alg_ext_found )
2272 sig_alg_ext_found = 1;
2273 else
2274 {
2275 MBEDTLS_SSL_DEBUG_MSG( 3,
2276 ( "Duplicate signature algorithms extensions found" ) );
Xiaofei Baic234ecf2022-02-08 09:59:23 +0000[diff] [blame]2277 goto decode_error;
Xiaofei Bai82f0a9a2022-01-26 09:21:54 +0000[diff] [blame]2278 }
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2279 break;
2280
2281 default:
2282 MBEDTLS_SSL_DEBUG_MSG(
2283 3,
2284 ( "unknown extension found: %u ( ignoring )",
2285 extension_type ) );
Xiaofei Bai82f0a9a2022-01-26 09:21:54 +0000[diff] [blame]2286 break;
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2287 }
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2288 p += extension_data_len;
2289 }
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]2290 /* Check that we consumed all the message. */
2291 if( p != end )
2292 {
2293 MBEDTLS_SSL_DEBUG_MSG( 1,
Xiaofei Baic234ecf2022-02-08 09:59:23 +0000[diff] [blame]2294 ( "CertificateRequest misaligned" ) );
2295 goto decode_error;
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]2296 }
2297 /* Check that we found signature algorithms extension */
Xiaofei Bai82f0a9a2022-01-26 09:21:54 +0000[diff] [blame]2298 if( ! sig_alg_ext_found )
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]2299 {
Xiaofei Bai6d42bb42022-01-28 08:52:13 +0000[diff] [blame]2300 MBEDTLS_SSL_DEBUG_MSG( 3,
2301 ( "no signature algorithms extension found" ) );
Xiaofei Baic234ecf2022-02-08 09:59:23 +0000[diff] [blame]2302 goto decode_error;
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]2303 }
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2304
Jerry Yu7840f812022-01-29 10:26:51 +0800[diff] [blame]2305 ssl->handshake->client_auth = 1;
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2306 return( 0 );
Xiaofei Bai51f515a2022-02-08 07:28:04 +0000[diff] [blame]2307
Xiaofei Baic234ecf2022-02-08 09:59:23 +0000[diff] [blame]2308decode_error:
Xiaofei Bai51f515a2022-02-08 07:28:04 +0000[diff] [blame]2309 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
2310 MBEDTLS_ERR_SSL_DECODE_ERROR );
2311 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2312}
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2313
Xiaofei Baide3f13e2022-01-18 05:47:05 +0000[diff] [blame]2314/*
2315 * Handler for MBEDTLS_SSL_CERTIFICATE_REQUEST
2316 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2317MBEDTLS_CHECK_RETURN_CRITICAL
Xiaofei Baide3f13e2022-01-18 05:47:05 +0000[diff] [blame]2318static int ssl_tls13_process_certificate_request( mbedtls_ssl_context *ssl )
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2319{
Xiaofei Baide3f13e2022-01-18 05:47:05 +0000[diff] [blame]2320 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2321
2322 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) );
2323
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2324 MBEDTLS_SSL_PROC_CHK_NEG( ssl_tls13_certificate_request_coordinate( ssl ) );
2325
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2326 if( ret == SSL_CERTIFICATE_REQUEST_EXPECT_REQUEST )
2327 {
2328 unsigned char *buf;
2329 size_t buf_len;
2330
2331 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_fetch_handshake_msg( ssl,
2332 MBEDTLS_SSL_HS_CERTIFICATE_REQUEST,
2333 &buf, &buf_len ) );
2334
2335 MBEDTLS_SSL_PROC_CHK( ssl_tls13_parse_certificate_request( ssl,
2336 buf, buf + buf_len ) );
2337
Ronald Cron8f6d39a2022-03-10 18:56:50 +0100[diff] [blame]2338 mbedtls_ssl_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST,
2339 buf, buf_len );
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2340 }
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]2341 else if( ret == SSL_CERTIFICATE_REQUEST_SKIP )
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2342 {
Xiaofei Baif6d36962022-01-16 14:54:35 +0000[diff] [blame]2343 ret = 0;
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2344 }
2345 else
2346 {
2347 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
Xiaofei Bai51f515a2022-02-08 07:28:04 +0000[diff] [blame]2348 ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
2349 goto cleanup;
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2350 }
2351
Jerry Yud2674312021-10-29 10:08:19 +0800[diff] [blame]2352 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_CERTIFICATE );
2353
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2354cleanup:
2355
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2356 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate request" ) );
2357 return( ret );
Jerry Yud2674312021-10-29 10:08:19 +0800[diff] [blame]2358}
2359
2360/*
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2361 * Handler for MBEDTLS_SSL_SERVER_CERTIFICATE
2362 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2363MBEDTLS_CHECK_RETURN_CRITICAL
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]2364static int ssl_tls13_process_server_certificate( mbedtls_ssl_context *ssl )
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2365{
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]2366 int ret;
2367
2368 ret = mbedtls_ssl_tls13_process_certificate( ssl );
Xiaofei Baif93cbd22021-10-29 02:39:30 +0000[diff] [blame]2369 if( ret != 0 )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]2370 return( ret );
2371
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2372 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CERTIFICATE_VERIFY );
2373 return( 0 );
2374}
2375
2376/*
2377 * Handler for MBEDTLS_SSL_CERTIFICATE_VERIFY
2378 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2379MBEDTLS_CHECK_RETURN_CRITICAL
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]2380static int ssl_tls13_process_certificate_verify( mbedtls_ssl_context *ssl )
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2381{
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]2382 int ret;
2383
2384 ret = mbedtls_ssl_tls13_process_certificate_verify( ssl );
2385 if( ret != 0 )
2386 return( ret );
2387
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2388 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_FINISHED );
2389 return( 0 );
2390}
Jerry Yua93ac112021-10-27 16:31:48 +0800[diff] [blame]2391#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
Ronald Crond4c64022021-12-06 09:06:46 +0100[diff] [blame]2392
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2393/*
2394 * Handler for MBEDTLS_SSL_SERVER_FINISHED
2395 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2396MBEDTLS_CHECK_RETURN_CRITICAL
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]2397static int ssl_tls13_process_server_finished( mbedtls_ssl_context *ssl )
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2398{
XiaokangQianac0385c2021-11-03 06:40:11 +0000[diff] [blame]2399 int ret;
2400
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]2401 ret = mbedtls_ssl_tls13_process_finished_message( ssl );
XiaokangQianac0385c2021-11-03 06:40:11 +0000[diff] [blame]2402 if( ret != 0 )
2403 return( ret );
2404
Jerry Yue3d67cb2022-05-19 15:33:10 +0800[diff] [blame]2405 ret = mbedtls_ssl_tls13_compute_application_transform( ssl );
2406 if( ret != 0 )
2407 {
2408 MBEDTLS_SSL_PEND_FATAL_ALERT(
2409 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
2410 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
2411 return( ret );
2412 }
2413
Ronald Cron49ad6192021-11-24 16:25:31 +0100[diff] [blame]2414#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
2415 mbedtls_ssl_handshake_set_state(
2416 ssl,
2417 MBEDTLS_SSL_CLIENT_CCS_AFTER_SERVER_FINISHED );
2418#else
Jerry Yuca133a32022-02-15 14:22:05 +0800[diff] [blame]2419 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE );
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]2420#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
Ronald Cron49ad6192021-11-24 16:25:31 +0100[diff] [blame]2421
XiaokangQianac0385c2021-11-03 06:40:11 +0000[diff] [blame]2422 return( 0 );
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2423}
2424
2425/*
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]2426 * Handler for MBEDTLS_SSL_CLIENT_CERTIFICATE
2427 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2428MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]2429static int ssl_tls13_write_client_certificate( mbedtls_ssl_context *ssl )
2430{
Ronald Cron7a94aca2022-03-09 07:44:27 +0100[diff] [blame]2431 int non_empty_certificate_msg = 0;
2432
Jerry Yu5cc35062022-01-28 16:16:08 +0800[diff] [blame]2433 MBEDTLS_SSL_DEBUG_MSG( 1,
2434 ( "Switch to handshake traffic keys for outbound traffic" ) );
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]2435 mbedtls_ssl_set_outbound_transform( ssl, ssl->handshake->transform_handshake );
Jerry Yu5cc35062022-01-28 16:16:08 +0800[diff] [blame]2436
Ronald Cron9df7c802022-03-08 18:38:54 +0100[diff] [blame]2437#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Ronald Cron5bb8fc82022-03-09 07:00:13 +0100[diff] [blame]2438 if( ssl->handshake->client_auth )
Ronald Cron7a94aca2022-03-09 07:44:27 +0100[diff] [blame]2439 {
2440 int ret = mbedtls_ssl_tls13_write_certificate( ssl );
2441 if( ret != 0 )
2442 return( ret );
Ronald Cron5bb8fc82022-03-09 07:00:13 +0100[diff] [blame]2443
Ronald Cron7a94aca2022-03-09 07:44:27 +0100[diff] [blame]2444 if( mbedtls_ssl_own_cert( ssl ) != NULL )
2445 non_empty_certificate_msg = 1;
2446 }
2447 else
2448 {
XiaokangQian23c5be62022-06-07 02:04:34 +0000[diff] [blame]2449 MBEDTLS_SSL_DEBUG_MSG( 2, ( "skip write certificate" ) );
Ronald Cron7a94aca2022-03-09 07:44:27 +0100[diff] [blame]2450 }
Ronald Cron9df7c802022-03-08 18:38:54 +0100[diff] [blame]2451#endif
Ronald Cron5bb8fc82022-03-09 07:00:13 +0100[diff] [blame]2452
Ronald Cron7a94aca2022-03-09 07:44:27 +0100[diff] [blame]2453 if( non_empty_certificate_msg )
2454 {
2455 mbedtls_ssl_handshake_set_state( ssl,
2456 MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY );
2457 }
2458 else
Ronald Cron19385882022-06-15 16:26:13 +0200[diff] [blame]2459 {
2460 MBEDTLS_SSL_DEBUG_MSG( 2, ( "skip write certificate verify" ) );
Ronald Cron7a94aca2022-03-09 07:44:27 +0100[diff] [blame]2461 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_FINISHED );
Ronald Cron19385882022-06-15 16:26:13 +0200[diff] [blame]2462 }
Ronald Cron7a94aca2022-03-09 07:44:27 +0100[diff] [blame]2463
Ronald Cron5bb8fc82022-03-09 07:00:13 +0100[diff] [blame]2464 return( 0 );
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]2465}
2466
Ronald Cron9df7c802022-03-08 18:38:54 +0100[diff] [blame]2467#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]2468/*
2469 * Handler for MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY
2470 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2471MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]2472static int ssl_tls13_write_client_certificate_verify( mbedtls_ssl_context *ssl )
2473{
Ronald Crona8b38872022-03-09 07:59:25 +0100[diff] [blame]2474 int ret = mbedtls_ssl_tls13_write_certificate_verify( ssl );
2475
2476 if( ret == 0 )
2477 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_FINISHED );
2478
2479 return( ret );
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]2480}
Jerry Yu90f152d2022-01-29 22:12:42 +0800[diff] [blame]2481#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]2482
2483/*
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2484 * Handler for MBEDTLS_SSL_CLIENT_FINISHED
2485 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2486MBEDTLS_CHECK_RETURN_CRITICAL
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]2487static int ssl_tls13_write_client_finished( mbedtls_ssl_context *ssl )
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2488{
XiaokangQian0fa66432021-11-15 03:33:57 +0000[diff] [blame]2489 int ret;
2490
2491 ret = mbedtls_ssl_tls13_write_finished_message( ssl );
2492 if( ret != 0 )
2493 return( ret );
2494
Jerry Yu466dda82022-09-13 11:20:20 +0800[diff] [blame]2495 ret = mbedtls_ssl_tls13_compute_resumption_master_secret( ssl );
Jerry Yue3d67cb2022-05-19 15:33:10 +0800[diff] [blame]2496 if( ret != 0 )
2497 {
2498 MBEDTLS_SSL_DEBUG_RET( 1,
Jerry Yu466dda82022-09-13 11:20:20 +0800[diff] [blame]2499 "mbedtls_ssl_tls13_compute_resumption_master_secret ", ret );
Jerry Yue3d67cb2022-05-19 15:33:10 +0800[diff] [blame]2500 return ( ret );
2501 }
2502
XiaokangQian0fa66432021-11-15 03:33:57 +0000[diff] [blame]2503 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_FLUSH_BUFFERS );
2504 return( 0 );
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2505}
2506
2507/*
2508 * Handler for MBEDTLS_SSL_FLUSH_BUFFERS
2509 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2510MBEDTLS_CHECK_RETURN_CRITICAL
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]2511static int ssl_tls13_flush_buffers( mbedtls_ssl_context *ssl )
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2512{
Jerry Yu378254d2021-10-30 21:44:47 +0800[diff] [blame]2513 MBEDTLS_SSL_DEBUG_MSG( 2, ( "handshake: done" ) );
Jerry Yuad8d0ba2021-09-28 17:58:26 +0800[diff] [blame]2514 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_HANDSHAKE_WRAPUP );
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2515 return( 0 );
2516}
2517
2518/*
2519 * Handler for MBEDTLS_SSL_HANDSHAKE_WRAPUP
2520 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2521MBEDTLS_CHECK_RETURN_CRITICAL
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]2522static int ssl_tls13_handshake_wrapup( mbedtls_ssl_context *ssl )
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2523{
Jerry Yu378254d2021-10-30 21:44:47 +0800[diff] [blame]2524
2525 mbedtls_ssl_tls13_handshake_wrapup( ssl );
2526
2527 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_HANDSHAKE_OVER );
2528 return( 0 );
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2529}
2530
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2531#if defined(MBEDTLS_SSL_SESSION_TICKETS)
2532
Jerry Yua0446a02022-07-13 11:22:55 +0800[diff] [blame]2533MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yuaf2c0c82022-07-12 05:47:21 +0000[diff] [blame]2534static int ssl_tls13_parse_new_session_ticket_exts( mbedtls_ssl_context *ssl,
2535 const unsigned char *buf,
2536 const unsigned char *end )
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2537{
Jerry Yuaf2c0c82022-07-12 05:47:21 +0000[diff] [blame]2538 const unsigned char *p = buf;
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2539
2540 ((void) ssl);
2541
2542 while( p < end )
2543 {
2544 unsigned int extension_type;
2545 size_t extension_data_len;
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2546
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2547 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 4 );
2548 extension_type = MBEDTLS_GET_UINT16_BE( p, 0 );
2549 extension_data_len = MBEDTLS_GET_UINT16_BE( p, 2 );
2550 p += 4;
2551
2552 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, extension_data_len );
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2553
2554 switch( extension_type )
2555 {
2556 case MBEDTLS_TLS_EXT_EARLY_DATA:
2557 MBEDTLS_SSL_DEBUG_MSG( 4, ( "early_data extension received" ) );
2558 break;
Jerry Yuaf2c0c82022-07-12 05:47:21 +0000[diff] [blame]2559
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2560 default:
2561 break;
2562 }
2563 p += extension_data_len;
2564 }
2565
2566 return( 0 );
2567}
2568
2569/*
Jerry Yu08aed4d2022-07-20 10:36:12 +0800[diff] [blame]2570 * From RFC8446, page 74
2571 *
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2572 * struct {
2573 * uint32 ticket_lifetime;
2574 * uint32 ticket_age_add;
2575 * opaque ticket_nonce<0..255>;
2576 * opaque ticket<1..2^16-1>;
2577 * Extension extensions<0..2^16-2>;
2578 * } NewSessionTicket;
2579 *
2580 */
Jerry Yua0446a02022-07-13 11:22:55 +0800[diff] [blame]2581MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2582static int ssl_tls13_parse_new_session_ticket( mbedtls_ssl_context *ssl,
2583 unsigned char *buf,
Jerry Yucb3b1392022-07-12 06:09:38 +0000[diff] [blame]2584 unsigned char *end,
2585 unsigned char **ticket_nonce,
2586 size_t *ticket_nonce_len )
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2587{
2588 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2589 unsigned char *p = buf;
2590 mbedtls_ssl_session *session = ssl->session;
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2591 size_t ticket_len;
2592 unsigned char *ticket;
2593 size_t extensions_len;
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2594
Jerry Yucb3b1392022-07-12 06:09:38 +0000[diff] [blame]2595 *ticket_nonce = NULL;
2596 *ticket_nonce_len = 0;
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2597 /*
2598 * ticket_lifetime 4 bytes
2599 * ticket_age_add 4 bytes
Jerry Yu08aed4d2022-07-20 10:36:12 +0800[diff] [blame]2600 * ticket_nonce_len 1 byte
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2601 */
Jerry Yucb3b1392022-07-12 06:09:38 +0000[diff] [blame]2602 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 9 );
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2603
2604 session->ticket_lifetime = MBEDTLS_GET_UINT32_BE( p, 0 );
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2605 MBEDTLS_SSL_DEBUG_MSG( 3,
Jerry Yu4e6c42a2022-07-13 11:16:51 +0800[diff] [blame]2606 ( "ticket_lifetime: %u",
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2607 ( unsigned int )session->ticket_lifetime ) );
2608
Jerry Yucb3b1392022-07-12 06:09:38 +0000[diff] [blame]2609 session->ticket_age_add = MBEDTLS_GET_UINT32_BE( p, 4 );
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2610 MBEDTLS_SSL_DEBUG_MSG( 3,
Jerry Yu4e6c42a2022-07-13 11:16:51 +0800[diff] [blame]2611 ( "ticket_age_add: %u",
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2612 ( unsigned int )session->ticket_age_add ) );
2613
Jerry Yucb3b1392022-07-12 06:09:38 +0000[diff] [blame]2614 *ticket_nonce_len = p[8];
2615 p += 9;
2616
2617 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, *ticket_nonce_len );
2618 *ticket_nonce = p;
2619 MBEDTLS_SSL_DEBUG_BUF( 3, "ticket_nonce:", *ticket_nonce, *ticket_nonce_len );
2620 p += *ticket_nonce_len;
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2621
2622 /* Ticket */
Jerry Yucb3b1392022-07-12 06:09:38 +0000[diff] [blame]2623 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2624 ticket_len = MBEDTLS_GET_UINT16_BE( p, 0 );
2625 p += 2;
2626 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, ticket_len );
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2627 MBEDTLS_SSL_DEBUG_BUF( 3, "received ticket", p, ticket_len ) ;
2628
2629 /* Check if we previously received a ticket already. */
2630 if( session->ticket != NULL || session->ticket_len > 0 )
2631 {
2632 mbedtls_free( session->ticket );
2633 session->ticket = NULL;
2634 session->ticket_len = 0;
2635 }
2636
2637 if( ( ticket = mbedtls_calloc( 1, ticket_len ) ) == NULL )
2638 {
2639 MBEDTLS_SSL_DEBUG_MSG( 1, ( "ticket alloc failed" ) );
2640 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
2641 }
2642 memcpy( ticket, p, ticket_len );
2643 p += ticket_len;
2644 session->ticket = ticket;
2645 session->ticket_len = ticket_len;
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2646
Jerry Yucb3b1392022-07-12 06:09:38 +0000[diff] [blame]2647 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2648 extensions_len = MBEDTLS_GET_UINT16_BE( p, 0 );
2649 p += 2;
2650 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, extensions_len );
2651
Jerry Yu4e6c42a2022-07-13 11:16:51 +0800[diff] [blame]2652 MBEDTLS_SSL_DEBUG_BUF( 3, "ticket extension", p, extensions_len );
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2653
Jerry Yu4e6c42a2022-07-13 11:16:51 +0800[diff] [blame]2654 ret = ssl_tls13_parse_new_session_ticket_exts( ssl, p, p + extensions_len );
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2655 if( ret != 0 )
2656 {
2657 MBEDTLS_SSL_DEBUG_RET( 1,
Jerry Yuaf2c0c82022-07-12 05:47:21 +0000[diff] [blame]2658 "ssl_tls13_parse_new_session_ticket_exts",
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2659 ret );
2660 return( ret );
2661 }
Jerry Yucb3b1392022-07-12 06:09:38 +0000[diff] [blame]2662
Jerry Yudb8c5fa2022-08-03 12:10:13 +0800[diff] [blame]2663 /* session has been updated, allow export */
2664 session->exported = 0;
2665
Jerry Yucb3b1392022-07-12 06:09:38 +0000[diff] [blame]2666 return( 0 );
2667}
2668
Jerry Yua0446a02022-07-13 11:22:55 +0800[diff] [blame]2669MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yucb3b1392022-07-12 06:09:38 +0000[diff] [blame]2670static int ssl_tls13_postprocess_new_session_ticket( mbedtls_ssl_context *ssl,
2671 unsigned char *ticket_nonce,
2672 size_t ticket_nonce_len )
2673{
2674 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2675 mbedtls_ssl_session *session = ssl->session;
2676 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
2677 psa_algorithm_t psa_hash_alg;
2678 int hash_length;
2679
Jerry Yu4e6c42a2022-07-13 11:16:51 +0800[diff] [blame]2680#if defined(MBEDTLS_HAVE_TIME)
2681 /* Store ticket creation time */
Jerry Yu08aed4d2022-07-20 10:36:12 +0800[diff] [blame]2682 session->ticket_received = mbedtls_time( NULL );
Jerry Yu4e6c42a2022-07-13 11:16:51 +0800[diff] [blame]2683#endif
2684
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2685 ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( session->ciphersuite );
2686 if( ciphersuite_info == NULL )
2687 {
2688 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2689 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2690 }
2691
2692 psa_hash_alg = mbedtls_psa_translate_md( ciphersuite_info->mac );
2693 hash_length = PSA_HASH_LENGTH( psa_hash_alg );
Jerry Yu3afdf362022-07-20 17:34:14 +0800[diff] [blame]2694 if( hash_length == -1 ||
2695 ( size_t )hash_length > sizeof( session->resumption_key ) )
2696 {
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2697 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Jerry Yu3afdf362022-07-20 17:34:14 +0800[diff] [blame]2698 }
2699
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2700
2701 MBEDTLS_SSL_DEBUG_BUF( 3, "resumption_master_secret",
2702 session->app_secrets.resumption_master_secret,
2703 hash_length );
2704
Jerry Yu4e6c42a2022-07-13 11:16:51 +0800[diff] [blame]2705 /* Compute resumption key
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2706 *
2707 * HKDF-Expand-Label( resumption_master_secret,
2708 * "resumption", ticket_nonce, Hash.length )
2709 */
2710 ret = mbedtls_ssl_tls13_hkdf_expand_label(
2711 psa_hash_alg,
2712 session->app_secrets.resumption_master_secret,
2713 hash_length,
2714 MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( resumption ),
2715 ticket_nonce,
2716 ticket_nonce_len,
Jerry Yu0a430c82022-07-20 11:02:48 +0800[diff] [blame]2717 session->resumption_key,
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2718 hash_length );
2719
2720 if( ret != 0 )
2721 {
2722 MBEDTLS_SSL_DEBUG_RET( 2,
2723 "Creating the ticket-resumed PSK failed",
2724 ret );
2725 return( ret );
2726 }
2727
Jerry Yu0a430c82022-07-20 11:02:48 +0800[diff] [blame]2728 session->resumption_key_len = hash_length;
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2729
2730 MBEDTLS_SSL_DEBUG_BUF( 3, "Ticket-resumed PSK",
Jerry Yu0a430c82022-07-20 11:02:48 +0800[diff] [blame]2731 session->resumption_key,
2732 session->resumption_key_len );
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2733
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2734 return( 0 );
2735}
2736
2737/*
Jerry Yua357cf42022-07-12 05:36:45 +0000[diff] [blame]2738 * Handler for MBEDTLS_SSL_NEW_SESSION_TICKET
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2739 */
Jerry Yua0446a02022-07-13 11:22:55 +0800[diff] [blame]2740MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2741static int ssl_tls13_process_new_session_ticket( mbedtls_ssl_context *ssl )
2742{
2743 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2744 unsigned char *buf;
2745 size_t buf_len;
Jerry Yucb3b1392022-07-12 06:09:38 +0000[diff] [blame]2746 unsigned char *ticket_nonce;
2747 size_t ticket_nonce_len;
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2748
2749 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse new session ticket" ) );
2750
2751 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_fetch_handshake_msg(
2752 ssl, MBEDTLS_SSL_HS_NEW_SESSION_TICKET,
2753 &buf, &buf_len ) );
2754
Jerry Yucb3b1392022-07-12 06:09:38 +0000[diff] [blame]2755 MBEDTLS_SSL_PROC_CHK( ssl_tls13_parse_new_session_ticket(
2756 ssl, buf, buf + buf_len,
2757 &ticket_nonce, &ticket_nonce_len ) );
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2758
Jerry Yucb3b1392022-07-12 06:09:38 +0000[diff] [blame]2759 MBEDTLS_SSL_PROC_CHK( ssl_tls13_postprocess_new_session_ticket(
2760 ssl, ticket_nonce, ticket_nonce_len ) );
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2761
Jerry Yu4e6c42a2022-07-13 11:16:51 +0800[diff] [blame]2762 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_HANDSHAKE_OVER );
2763
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2764cleanup:
2765
2766 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse new session ticket" ) );
2767 return( ret );
2768}
2769#endif /* MBEDTLS_SSL_SESSION_TICKETS */
2770
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]2771int mbedtls_ssl_tls13_handshake_client_step( mbedtls_ssl_context *ssl )
Jerry Yubc20bdd2021-08-24 15:59:48 +0800[diff] [blame]2772{
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]2773 int ret = 0;
Jerry Yuc8a392c2021-08-18 16:46:28 +0800[diff] [blame]2774
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]2775 switch( ssl->state )
2776 {
2777 /*
Jerry Yu0c63af62021-09-02 12:59:12 +0800[diff] [blame]2778 * ssl->state is initialized as HELLO_REQUEST. It is the same
2779 * as CLIENT_HELLO state.
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]2780 */
2781 case MBEDTLS_SSL_HELLO_REQUEST:
2782 case MBEDTLS_SSL_CLIENT_HELLO:
Ronald Cron3d580bf2022-02-18 17:24:56 +0100[diff] [blame]2783 ret = mbedtls_ssl_write_client_hello( ssl );
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]2784 break;
2785
2786 case MBEDTLS_SSL_SERVER_HELLO:
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]2787 ret = ssl_tls13_process_server_hello( ssl );
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2788 break;
2789
2790 case MBEDTLS_SSL_ENCRYPTED_EXTENSIONS:
XiaokangQian97799ac2021-10-11 10:05:54 +0000[diff] [blame]2791 ret = ssl_tls13_process_encrypted_extensions( ssl );
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2792 break;
2793
Jerry Yua93ac112021-10-27 16:31:48 +0800[diff] [blame]2794#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Jerry Yud2674312021-10-29 10:08:19 +0800[diff] [blame]2795 case MBEDTLS_SSL_CERTIFICATE_REQUEST:
2796 ret = ssl_tls13_process_certificate_request( ssl );
2797 break;
2798
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2799 case MBEDTLS_SSL_SERVER_CERTIFICATE:
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]2800 ret = ssl_tls13_process_server_certificate( ssl );
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2801 break;
2802
2803 case MBEDTLS_SSL_CERTIFICATE_VERIFY:
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]2804 ret = ssl_tls13_process_certificate_verify( ssl );
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2805 break;
Jerry Yua93ac112021-10-27 16:31:48 +0800[diff] [blame]2806#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2807
2808 case MBEDTLS_SSL_SERVER_FINISHED:
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]2809 ret = ssl_tls13_process_server_finished( ssl );
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2810 break;
2811
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]2812 case MBEDTLS_SSL_CLIENT_CERTIFICATE:
2813 ret = ssl_tls13_write_client_certificate( ssl );
2814 break;
2815
Ronald Cron9df7c802022-03-08 18:38:54 +0100[diff] [blame]2816#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]2817 case MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY:
2818 ret = ssl_tls13_write_client_certificate_verify( ssl );
2819 break;
Jerry Yu90f152d2022-01-29 22:12:42 +0800[diff] [blame]2820#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]2821
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2822 case MBEDTLS_SSL_CLIENT_FINISHED:
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]2823 ret = ssl_tls13_write_client_finished( ssl );
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2824 break;
2825
2826 case MBEDTLS_SSL_FLUSH_BUFFERS:
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]2827 ret = ssl_tls13_flush_buffers( ssl );
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2828 break;
2829
2830 case MBEDTLS_SSL_HANDSHAKE_WRAPUP:
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]2831 ret = ssl_tls13_handshake_wrapup( ssl );
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]2832 break;
2833
Ronald Cron49ad6192021-11-24 16:25:31 +0100[diff] [blame]2834 /*
2835 * Injection of dummy-CCS's for middlebox compatibility
2836 */
2837#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
XiaokangQian0b56a8f2021-12-22 02:39:32 +0000[diff] [blame]2838 case MBEDTLS_SSL_CLIENT_CCS_BEFORE_2ND_CLIENT_HELLO:
Ronald Cron9f55f632022-02-02 16:02:47 +0100[diff] [blame]2839 ret = mbedtls_ssl_tls13_write_change_cipher_spec( ssl );
2840 if( ret == 0 )
2841 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_HELLO );
2842 break;
2843
2844 case MBEDTLS_SSL_CLIENT_CCS_AFTER_SERVER_FINISHED:
2845 ret = mbedtls_ssl_tls13_write_change_cipher_spec( ssl );
2846 if( ret == 0 )
2847 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE );
Ronald Cron49ad6192021-11-24 16:25:31 +0100[diff] [blame]2848 break;
2849#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
2850
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2851#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Jerry Yua357cf42022-07-12 05:36:45 +0000[diff] [blame]2852 case MBEDTLS_SSL_NEW_SESSION_TICKET:
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2853 ret = ssl_tls13_process_new_session_ticket( ssl );
2854 if( ret != 0 )
2855 break;
2856 ret = MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET;
2857 break;
2858#endif /* MBEDTLS_SSL_SESSION_TICKETS */
2859
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]2860 default:
2861 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) );
2862 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
2863 }
2864
2865 return( ret );
2866}
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800[diff] [blame]2867
Jerry Yufb4b6472022-01-27 15:03:26 +0800[diff] [blame]2868#endif /* MBEDTLS_SSL_CLI_C && MBEDTLS_SSL_PROTO_TLS1_3 */
Jerry Yu3cc4c2a2021-08-06 16:29:08 +0800[diff] [blame]2869
Jerry Yufb4b6472022-01-27 15:03:26 +0800[diff] [blame]2870