TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 060d8675983645c1c207736c6b282645d29012a3 / . / library / ssl_tls13_server.c
blob: 1a96eaf74713b81ffdd7dad4b4fc2737e10a184c [file] [log] [blame]
Jerry Yu3cc4c2a2021-08-06 16:29:08 +0800[diff] [blame]1/*
Jerry Yub9930e72021-08-06 17:11:51 +0800[diff] [blame]2 * TLS 1.3 server-side functions
Jerry Yu3cc4c2a2021-08-06 16:29:08 +0800[diff] [blame]3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18*/
19
20#include "common.h"
21
Jerry Yufb4b6472022-01-27 15:03:26 +0800[diff] [blame]22#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
Jerry Yu3cc4c2a2021-08-06 16:29:08 +0800[diff] [blame]23
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]24#include "mbedtls/debug.h"
25
Jerry Yu3cc4c2a2021-08-06 16:29:08 +0800[diff] [blame]26#include "ssl_misc.h"
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]27#include "ssl_tls13_keys.h"
Gilles Peskine923d5c92021-12-15 12:56:54 +0100[diff] [blame]28#include "ssl_debug_helpers.h"
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]29#include <string.h>
30#if defined(MBEDTLS_ECP_C)
31#include "mbedtls/ecp.h"
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]32#endif /* MBEDTLS_ECP_C */
Jerry Yu3cc4c2a2021-08-06 16:29:08 +0800[diff] [blame]33
XiaokangQiana9c58412022-02-17 09:41:26 +0000[diff] [blame]34#if defined(MBEDTLS_PLATFORM_C)
35#include "mbedtls/platform.h"
36#else
37#include <stdlib.h>
38#define mbedtls_calloc calloc
39#define mbedtls_free free
40#endif /* MBEDTLS_PLATFORM_C */
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]41
42/* From RFC 8446:
43 * struct {
XiaokangQiancfd925f2022-04-14 07:10:37 +0000[diff] [blame]44 * ProtocolVersion versions<2..254>;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]45 * } SupportedVersions;
46 */
47static int ssl_tls13_parse_supported_versions_ext( mbedtls_ssl_context *ssl,
48 const unsigned char *buf,
49 const unsigned char *end )
50{
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]51 const unsigned char *p = buf;
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]52 size_t versions_len;
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]53 const unsigned char *versions_end;
XiaokangQian0a1b54e2022-04-21 03:01:38 +0000[diff] [blame]54 uint16_t tls_version;
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]55 int tls13_supported = 0;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]56
57 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 1 );
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]58 versions_len = p[0];
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]59 p += 1;
60
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]61 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, versions_len );
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]62 versions_end = p + versions_len;
63 while( p < versions_end )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]64 {
XiaokangQiancfd925f2022-04-14 07:10:37 +0000[diff] [blame]65 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, versions_end, 2 );
XiaokangQiande333912022-04-20 08:49:42 +0000[diff] [blame]66 tls_version = mbedtls_ssl_read_version( p, ssl->conf->transport );
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]67 p += 2;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]68
69 /* In this implementation we only support TLS 1.3 and DTLS 1.3. */
XiaokangQiande333912022-04-20 08:49:42 +0000[diff] [blame]70 if( tls_version == MBEDTLS_SSL_VERSION_TLS1_3 )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]71 {
72 tls13_supported = 1;
73 break;
74 }
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]75 }
76
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]77 if( !tls13_supported )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]78 {
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]79 MBEDTLS_SSL_DEBUG_MSG( 1, ( "TLS 1.3 is not supported by the client" ) );
80
81 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION,
82 MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION );
83 return( MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION );
84 }
85
XiaokangQiande333912022-04-20 08:49:42 +0000[diff] [blame]86 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Negotiated version. Supported is [%04x]",
XiaokangQian0a1b54e2022-04-21 03:01:38 +0000[diff] [blame]87 (unsigned int)tls_version ) );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]88
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]89 return( 0 );
90}
91
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]92#if defined(MBEDTLS_ECDH_C)
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]93/* This function parses the TLS 1.3 supported_groups extension and
94 * stores the received groups in ssl->handshake->curves.
95 *
96 * From RFC 8446:
97 * enum {
98 * ... (0xFFFF)
99 * } NamedGroup;
100 * struct {
101 * NamedGroup named_group_list<2..2^16-1>;
102 * } NamedGroupList;
103 */
XiaokangQiancfd925f2022-04-14 07:10:37 +0000[diff] [blame]104static int ssl_tls13_parse_supported_groups_ext(
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]105 mbedtls_ssl_context *ssl,
106 const unsigned char *buf, const unsigned char *end )
107{
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]108 const unsigned char *p = buf;
XiaokangQian84823772022-04-19 07:57:30 +0000[diff] [blame]109 size_t named_group_list_len;
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]110 const unsigned char *named_group_list_end;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]111
112 MBEDTLS_SSL_DEBUG_BUF( 3, "supported_groups extension", p, end - buf );
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]113 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]114 named_group_list_len = MBEDTLS_GET_UINT16_BE( p, 0 );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]115 p += 2;
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]116 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, named_group_list_len );
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]117 named_group_list_end = p + named_group_list_len;
XiaokangQian75d40ef2022-04-20 11:05:24 +0000[diff] [blame]118 ssl->handshake->selected_group = 0;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]119
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]120 while( p < named_group_list_end )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]121 {
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]122 uint16_t named_group;
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]123 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, named_group_list_end, 2 );
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]124 named_group = MBEDTLS_GET_UINT16_BE( p, 0 );
125 p += 2;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]126
XiaokangQian318dc762022-04-20 09:43:51 +0000[diff] [blame]127 MBEDTLS_SSL_DEBUG_MSG( 2, ( "got named group: %d", named_group ) );
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]128
129 if( ! mbedtls_ssl_named_group_is_offered( ssl, named_group ) ||
130 ! mbedtls_ssl_named_group_is_supported( named_group ) ||
XiaokangQian75d40ef2022-04-20 11:05:24 +0000[diff] [blame]131 ssl->handshake->selected_group != 0 )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]132 {
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]133 continue;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]134 }
135
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]136 MBEDTLS_SSL_DEBUG_MSG(
137 2, ( "add named group (%04x) into received list.",
138 named_group ) );
XiaokangQian75d40ef2022-04-20 11:05:24 +0000[diff] [blame]139 ssl->handshake->selected_group = named_group;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]140 }
141
142 return( 0 );
143
144}
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]145#endif /* MBEDTLS_ECDH_C */
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]146
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]147#define SSL_TLS1_3_PARSE_KEY_SHARES_EXT_NO_MATCH 1
148
XiaokangQian88408882022-04-02 10:15:03 +0000[diff] [blame]149#if defined(MBEDTLS_ECDH_C)
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]150/*
151 * ssl_tls13_parse_key_shares_ext() verifies whether the information in the
152 * extension is correct and stores the provided key shares. Whether this is an
153 * acceptable key share depends on the selected ciphersuite.
154 *
155 * Possible return values are:
156 * - 0: Successful processing of the client provided key share extension.
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]157 * - SSL_TLS1_3_PARSE_KEY_SHARES_EXT_NO_MATCH: The key shares provided by the client
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]158 * does not match a group supported by the server. A HelloRetryRequest will
159 * be needed.
160 * - Another negative return value for fatal errors.
161*/
162
163static int ssl_tls13_parse_key_shares_ext( mbedtls_ssl_context *ssl,
164 const unsigned char *buf,
165 const unsigned char *end )
166{
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]167 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]168 unsigned char const *p = buf;
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]169 unsigned char const *client_shares_end;
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]170 size_t client_shares_len, key_exchange_len;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]171 int match_found = 0;
172
173 /* From RFC 8446:
174 *
175 * struct {
176 * KeyShareEntry client_shares<0..2^16-1>;
177 * } KeyShareClientHello;
178 *
179 */
180
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]181 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]182 client_shares_len = MBEDTLS_GET_UINT16_BE( p, 0 );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]183 p += 2;
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]184 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, client_shares_len );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]185
186 ssl->handshake->offered_group_id = 0;
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]187 client_shares_end = p + client_shares_len;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]188
189 /* We try to find a suitable key share entry and copy it to the
190 * handshake context. Later, we have to find out whether we can do
191 * something with the provided key share or whether we have to
XiaokangQianc5763b52022-04-02 03:34:37 +0000[diff] [blame]192 * dismiss it and send a HelloRetryRequest message.
193 */
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]194
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]195 for( ; p < client_shares_end; p += key_exchange_len )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]196 {
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000[diff] [blame]197 uint16_t group;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]198
199 /*
200 * struct {
201 * NamedGroup group;
202 * opaque key_exchange<1..2^16-1>;
203 * } KeyShareEntry;
204 */
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]205 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, client_shares_end, 4 );
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000[diff] [blame]206 group = MBEDTLS_GET_UINT16_BE( p, 0 );
207 p += 2;
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]208 key_exchange_len = MBEDTLS_GET_UINT16_BE( p, 0 );
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000[diff] [blame]209 p += 2;
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]210 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, client_shares_end, key_exchange_len );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]211
212 /* Continue parsing even if we have already found a match,
XiaokangQianc5763b52022-04-02 03:34:37 +0000[diff] [blame]213 * for input validation purposes.
214 */
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]215 if( match_found == 1 )
216 continue;
217
XiaokangQian060d8672022-04-21 09:24:56 +0000[diff] [blame^]218 if( ! mbedtls_ssl_named_group_is_offered( ssl, group ) ||
219 ! mbedtls_ssl_named_group_is_supported( group ) )
220 {
221 continue;
222 }
223 const mbedtls_ecp_curve_info *curve_info =
224 mbedtls_ecp_curve_info_from_tls_id( group );
225
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]226 /*
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]227 * For now, we only support ECDHE groups.
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]228 */
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000[diff] [blame]229 if( mbedtls_ssl_tls13_named_group_is_ecdhe( group ) )
230 {
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000[diff] [blame]231 match_found = 1;
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000[diff] [blame]232 MBEDTLS_SSL_DEBUG_MSG( 2, ( "ECDH curve: %s", curve_info->name ) );
XiaokangQian318dc762022-04-20 09:43:51 +0000[diff] [blame]233 ret = mbedtls_ssl_tls13_read_public_ecdhe_share(
234 ssl, p - 2, key_exchange_len + 2 );
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000[diff] [blame]235 if( ret != 0 )
236 return( ret );
237 }
238 else
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]239 {
240 MBEDTLS_SSL_DEBUG_MSG( 4, ( "Unrecognized NamedGroup %u",
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000[diff] [blame]241 (unsigned) group ) );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]242 continue;
243 }
244
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000[diff] [blame]245 ssl->handshake->offered_group_id = group;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]246 }
247
248 if( match_found == 0 )
249 {
250 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no matching key share" ) );
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]251 return( SSL_TLS1_3_PARSE_KEY_SHARES_EXT_NO_MATCH );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]252 }
253 return( 0 );
254}
XiaokangQian88408882022-04-02 10:15:03 +0000[diff] [blame]255#endif /* MBEDTLS_ECDH_C */
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]256
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]257#if defined(MBEDTLS_DEBUG_C)
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]258static void ssl_tls13_debug_print_client_hello_exts( mbedtls_ssl_context *ssl )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]259{
XiaokangQian3207a322022-02-23 03:15:27 +0000[diff] [blame]260 ((void) ssl);
261
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]262 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Supported Extensions:" ) );
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]263 MBEDTLS_SSL_DEBUG_MSG( 3,
264 ( "- KEY_SHARE_EXTENSION ( %s )",
265 ( ( ssl->handshake->extensions_present
266 & MBEDTLS_SSL_EXT_KEY_SHARE ) > 0 ) ? "TRUE" : "FALSE" ) );
267 MBEDTLS_SSL_DEBUG_MSG( 3,
268 ( "- PSK_KEY_EXCHANGE_MODES_EXTENSION ( %s )",
269 ( ( ssl->handshake->extensions_present
270 & MBEDTLS_SSL_EXT_PSK_KEY_EXCHANGE_MODES ) > 0 ) ?
271 "TRUE" : "FALSE" ) );
272 MBEDTLS_SSL_DEBUG_MSG( 3,
273 ( "- PRE_SHARED_KEY_EXTENSION ( %s )",
274 ( ( ssl->handshake->extensions_present
275 & MBEDTLS_SSL_EXT_PRE_SHARED_KEY ) > 0 ) ? "TRUE" : "FALSE" ) );
276 MBEDTLS_SSL_DEBUG_MSG( 3,
277 ( "- SIGNATURE_ALGORITHM_EXTENSION ( %s )",
278 ( ( ssl->handshake->extensions_present
279 & MBEDTLS_SSL_EXT_SIG_ALG ) > 0 ) ? "TRUE" : "FALSE" ) );
280 MBEDTLS_SSL_DEBUG_MSG( 3,
281 ( "- SUPPORTED_GROUPS_EXTENSION ( %s )",
282 ( ( ssl->handshake->extensions_present
283 & MBEDTLS_SSL_EXT_SUPPORTED_GROUPS ) >0 ) ?
284 "TRUE" : "FALSE" ) );
285 MBEDTLS_SSL_DEBUG_MSG( 3,
286 ( "- SUPPORTED_VERSION_EXTENSION ( %s )",
287 ( ( ssl->handshake->extensions_present
288 & MBEDTLS_SSL_EXT_SUPPORTED_VERSIONS ) > 0 ) ?
289 "TRUE" : "FALSE" ) );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]290#if defined ( MBEDTLS_SSL_SERVER_NAME_INDICATION )
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]291 MBEDTLS_SSL_DEBUG_MSG( 3,
292 ( "- SERVERNAME_EXTENSION ( %s )",
293 ( ( ssl->handshake->extensions_present
294 & MBEDTLS_SSL_EXT_SERVERNAME ) > 0 ) ?
295 "TRUE" : "FALSE" ) );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]296#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]297}
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]298#endif /* MBEDTLS_DEBUG_C */
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]299
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]300static int ssl_tls13_client_hello_has_exts( mbedtls_ssl_context *ssl,
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]301 int exts_mask )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]302{
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]303 int masked = ssl->handshake->extensions_present & exts_mask;
304 return( masked == exts_mask );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]305}
306
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]307static int ssl_tls13_client_hello_has_exts_for_ephemeral_key_exchange(
308 mbedtls_ssl_context *ssl )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]309{
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]310 return( ssl_tls13_client_hello_has_exts( ssl,
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]311 MBEDTLS_SSL_EXT_SUPPORTED_GROUPS |
312 MBEDTLS_SSL_EXT_KEY_SHARE |
313 MBEDTLS_SSL_EXT_SIG_ALG ) );
314}
315
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]316static int ssl_tls13_check_ephemeral_key_exchange( mbedtls_ssl_context *ssl )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]317{
318 if( !mbedtls_ssl_conf_tls13_ephemeral_enabled( ssl ) )
319 return( 0 );
320
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]321 if( !ssl_tls13_client_hello_has_exts_for_ephemeral_key_exchange( ssl ) )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]322 return( 0 );
323
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]324 ssl->handshake->tls13_kex_modes =
325 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]326 return( 1 );
327}
328
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]329/*
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]330 *
331 * STATE HANDLING: ClientHello
332 *
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]333 * There are three possible classes of outcomes when parsing the ClientHello:
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]334 *
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]335 * 1) The ClientHello was well-formed and matched the server's configuration.
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]336 *
337 * In this case, the server progresses to sending its ServerHello.
338 *
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]339 * 2) The ClientHello was well-formed but didn't match the server's
340 * configuration.
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]341 *
342 * For example, the client might not have offered a key share which
343 * the server supports, or the server might require a cookie.
344 *
345 * In this case, the server sends a HelloRetryRequest.
346 *
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]347 * 3) The ClientHello was ill-formed
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]348 *
349 * In this case, we abort the handshake.
350 *
351 */
352
353/*
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]354 * Structure of this message:
355 *
356 * uint16 ProtocolVersion;
357 * opaque Random[32];
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]358 * uint8 CipherSuite[2]; // Cryptographic suite selector
359 *
360 * struct {
361 * ProtocolVersion legacy_version = 0x0303; // TLS v1.2
362 * Random random;
363 * opaque legacy_session_id<0..32>;
364 * CipherSuite cipher_suites<2..2^16-2>;
365 * opaque legacy_compression_methods<1..2^8-1>;
366 * Extension extensions<8..2^16-1>;
367 * } ClientHello;
368 */
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]369
370#define SSL_CLIENT_HELLO_OK 0
371#define SSL_CLIENT_HELLO_HRR_REQUIRED 1
372
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]373static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl,
374 const unsigned char *buf,
375 const unsigned char *end )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]376{
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]377 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
378 const unsigned char *p = buf;
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]379 size_t legacy_session_id_len;
XiaokangQian060d8672022-04-21 09:24:56 +0000[diff] [blame^]380 const unsigned char *cipher_suites;
XiaokangQian318dc762022-04-20 09:43:51 +0000[diff] [blame]381 size_t cipher_suites_len;
XiaokangQian060d8672022-04-21 09:24:56 +0000[diff] [blame^]382 const unsigned char *cipher_suites_end;
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]383 size_t extensions_len;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]384 const unsigned char *extensions_end;
385
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]386 const mbedtls_ssl_ciphersuite_t* ciphersuite_info;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]387
388 ssl->handshake->extensions_present = MBEDTLS_SSL_EXT_NONE;
389
390 /*
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]391 * ClientHello layout:
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]392 * 0 . 1 protocol version
393 * 2 . 33 random bytes ( starting with 4 bytes of Unix time )
XiaokangQianc5763b52022-04-02 03:34:37 +0000[diff] [blame]394 * 34 . 34 session id length ( 1 byte )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]395 * 35 . 34+x session id
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]396 * .. . .. ciphersuite list length ( 2 bytes )
397 * .. . .. ciphersuite list
398 * .. . .. compression alg. list length ( 1 byte )
399 * .. . .. compression alg. list
400 * .. . .. extensions length ( 2 bytes, optional )
401 * .. . .. extensions ( optional )
402 */
403
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]404 /*
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]405 * Minimal length ( with everything empty and extensions ommitted ) is
406 * 2 + 32 + 1 + 2 + 1 = 38 bytes. Check that first, so that we can
407 * read at least up to session id length without worrying.
408 */
409 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 38 );
410
411 /* ...
412 * ProtocolVersion legacy_version = 0x0303; // TLS 1.2
413 * ...
414 * with ProtocolVersion defined as:
415 * uint16 ProtocolVersion;
416 */
XiaokangQiande333912022-04-20 08:49:42 +0000[diff] [blame]417 if( mbedtls_ssl_read_version( p, ssl->conf->transport ) !=
418 MBEDTLS_SSL_VERSION_TLS1_2 )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]419 {
420 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Unsupported version of TLS." ) );
421 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION,
422 MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION );
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]423 return ( MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]424 }
425 p += 2;
426
427 /*
XiaokangQianf8ceb942022-04-15 11:43:27 +0000[diff] [blame]428 * Only support TLS 1.3 currently, temporarily set the version.
429 */
XiaokangQiande333912022-04-20 08:49:42 +0000[diff] [blame]430 ssl->tls_version = MBEDTLS_SSL_VERSION_TLS1_3;
XiaokangQianf8ceb942022-04-15 11:43:27 +0000[diff] [blame]431
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]432 /* ---
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]433 * Random random;
434 * ---
435 * with Random defined as:
436 * opaque Random[32];
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]437 */
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]438 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, random bytes",
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]439 p, MBEDTLS_CLIENT_HELLO_RANDOM_LEN );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]440
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]441 memcpy( &ssl->handshake->randbytes[0], p, MBEDTLS_CLIENT_HELLO_RANDOM_LEN );
442 p += MBEDTLS_CLIENT_HELLO_RANDOM_LEN;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]443
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]444 /* ---
445 * opaque legacy_session_id<0..32>;
446 * ---
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]447 */
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]448 legacy_session_id_len = p[0];
XiaokangQianc5763b52022-04-02 03:34:37 +0000[diff] [blame]449 p++;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]450
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]451 if( legacy_session_id_len > sizeof( ssl->session_negotiate->id ) )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]452 {
453 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
454 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
455 }
456
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]457 ssl->session_negotiate->id_len = legacy_session_id_len;
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]458 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, session id",
459 buf, legacy_session_id_len );
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]460 /*
461 * Check we have enough data for the legacy session identifier
462 * and the ciphersuite list length.
463 */
464 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, legacy_session_id_len + 2 );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]465
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]466 memcpy( &ssl->session_negotiate->id[0], p, legacy_session_id_len );
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]467 p += legacy_session_id_len;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]468
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]469 cipher_suites_len = MBEDTLS_GET_UINT16_BE( p, 0 );
470 p += 2;
471
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]472 /* Check we have enough data for the ciphersuite list, the legacy
473 * compression methods and the length of the extensions.
474 */
475 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, cipher_suites_len + 2 + 2 );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]476
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]477 /* ---
478 * CipherSuite cipher_suites<2..2^16-2>;
479 * ---
480 * with CipherSuite defined as:
481 * uint8 CipherSuite[2];
482 */
XiaokangQian060d8672022-04-21 09:24:56 +0000[diff] [blame^]483 cipher_suites = p;
484 cipher_suites_end = p + cipher_suites_len;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]485 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist",
486 p, cipher_suites_len );
XiaokangQian17f974c2022-04-19 09:57:41 +0000[diff] [blame]487 /*
488 * Search for a matching ciphersuite
489 */
XiaokangQian318dc762022-04-20 09:43:51 +0000[diff] [blame]490 int ciphersuite_match = 0;
XiaokangQian17f974c2022-04-19 09:57:41 +0000[diff] [blame]491 ciphersuite_info = NULL;
XiaokangQian060d8672022-04-21 09:24:56 +0000[diff] [blame^]492 for ( ; p < cipher_suites_end; p += 2 )
XiaokangQian17f974c2022-04-19 09:57:41 +0000[diff] [blame]493 {
XiaokangQian318dc762022-04-20 09:43:51 +0000[diff] [blame]494 uint16_t cipher_suite = MBEDTLS_GET_UINT16_BE( p, 0 );
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]495 ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(
496 cipher_suite );
497 /*
498 * Check whether this ciphersuite is valid and offered.
499 */
500 if( ( mbedtls_ssl_validate_ciphersuite(
XiaokangQiande333912022-04-20 08:49:42 +0000[diff] [blame]501 ssl, ciphersuite_info, ssl->tls_version,
502 ssl->tls_version ) != 0 ) ||
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]503 !mbedtls_ssl_tls13_cipher_suite_is_offered( ssl, cipher_suite ) )
504 continue;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]505
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]506 ssl->session_negotiate->ciphersuite = cipher_suite;
507 ssl->handshake->ciphersuite_info = ciphersuite_info;
XiaokangQian318dc762022-04-20 09:43:51 +0000[diff] [blame]508 ciphersuite_match = 1;
XiaokangQian17f974c2022-04-19 09:57:41 +0000[diff] [blame]509
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]510 break;
XiaokangQian17f974c2022-04-19 09:57:41 +0000[diff] [blame]511
XiaokangQian17f974c2022-04-19 09:57:41 +0000[diff] [blame]512 }
513
XiaokangQian318dc762022-04-20 09:43:51 +0000[diff] [blame]514 if( !ciphersuite_match )
515 {
XiaokangQian0a1b54e2022-04-21 03:01:38 +0000[diff] [blame]516 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
517 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
518 return ( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
XiaokangQian318dc762022-04-20 09:43:51 +0000[diff] [blame]519 }
XiaokangQian17f974c2022-04-19 09:57:41 +0000[diff] [blame]520
521 MBEDTLS_SSL_DEBUG_MSG( 2, ( "selected ciphersuite: %s",
522 ciphersuite_info->name ) );
523
XiaokangQian060d8672022-04-21 09:24:56 +0000[diff] [blame^]524 p = cipher_suites + cipher_suites_len;
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]525 /* ...
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]526 * opaque legacy_compression_methods<1..2^8-1>;
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]527 * ...
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]528 */
XiaokangQian0a1b54e2022-04-21 03:01:38 +0000[diff] [blame]529 if( p[0] != 1 || p[1] != MBEDTLS_SSL_COMPRESS_NULL )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]530 {
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]531 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad legacy compression method" ) );
532 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
533 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
534 return ( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]535 }
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]536 p += 2;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]537
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]538 /* ---
539 * Extension extensions<8..2^16-1>;
540 * ---
541 * with Extension defined as:
542 * struct {
543 * ExtensionType extension_type;
544 * opaque extension_data<0..2^16-1>;
545 * } Extension;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]546 */
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]547 extensions_len = MBEDTLS_GET_UINT16_BE( p, 0 );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]548 p += 2;
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]549 extensions_end = p + extensions_len;
550 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, extensions_len );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]551
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]552 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello extensions", p, extensions_len );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]553
554 while( p < extensions_end )
555 {
556 unsigned int extension_type;
557 size_t extension_data_len;
558 const unsigned char *extension_data_end;
559
XiaokangQian318dc762022-04-20 09:43:51 +0000[diff] [blame]560 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, 4 );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]561 extension_type = MBEDTLS_GET_UINT16_BE( p, 0 );
562 extension_data_len = MBEDTLS_GET_UINT16_BE( p, 2 );
563 p += 4;
564
565 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, extension_data_len );
566 extension_data_end = p + extension_data_len;
567
568 switch( extension_type )
569 {
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]570#if defined(MBEDTLS_ECDH_C)
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]571 case MBEDTLS_TLS_EXT_SUPPORTED_GROUPS:
572 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported group extension" ) );
573
574 /* Supported Groups Extension
575 *
576 * When sent by the client, the "supported_groups" extension
577 * indicates the named groups which the client supports,
578 * ordered from most preferred to least preferred.
579 */
XiaokangQiancfd925f2022-04-14 07:10:37 +0000[diff] [blame]580 ret = ssl_tls13_parse_supported_groups_ext( ssl, p,
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]581 extension_data_end );
582 if( ret != 0 )
583 {
584 MBEDTLS_SSL_DEBUG_RET( 1,
585 "mbedtls_ssl_parse_supported_groups_ext", ret );
586 return( ret );
587 }
588
589 ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_SUPPORTED_GROUPS;
590 break;
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]591#endif /* MBEDTLS_ECDH_C */
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]592
XiaokangQian88408882022-04-02 10:15:03 +0000[diff] [blame]593#if defined(MBEDTLS_ECDH_C)
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]594 case MBEDTLS_TLS_EXT_KEY_SHARE:
595 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found key share extension" ) );
596
597 /*
598 * Key Share Extension
599 *
600 * When sent by the client, the "key_share" extension
601 * contains the endpoint's cryptographic parameters for
602 * ECDHE/DHE key establishment methods.
603 */
604 ret = ssl_tls13_parse_key_shares_ext( ssl, p, extension_data_end );
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]605 if( ret == SSL_TLS1_3_PARSE_KEY_SHARES_EXT_NO_MATCH )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]606 {
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]607 MBEDTLS_SSL_DEBUG_MSG( 2, ( "HRR needed " ) );
608 ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]609 }
610
611 if( ret != 0 )
612 return( ret );
613
614 ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_KEY_SHARE;
615 break;
XiaokangQian88408882022-04-02 10:15:03 +0000[diff] [blame]616#endif /* MBEDTLS_ECDH_C */
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]617
618 case MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS:
619 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported versions extension" ) );
620
621 ret = ssl_tls13_parse_supported_versions_ext(
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]622 ssl, p, extension_data_end );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]623 if( ret != 0 )
624 {
625 MBEDTLS_SSL_DEBUG_RET( 1,
626 ( "ssl_tls13_parse_supported_versions_ext" ), ret );
627 return( ret );
628 }
629 ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_SUPPORTED_VERSIONS;
630 break;
631
632#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
633 case MBEDTLS_TLS_EXT_SIG_ALG:
634 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found signature_algorithms extension" ) );
635
636 ret = mbedtls_ssl_tls13_parse_sig_alg_ext( ssl, p,
637 extension_data_end );
638 if( ret != 0 )
639 {
640 MBEDTLS_SSL_DEBUG_MSG( 1,
641 ( "ssl_parse_supported_signature_algorithms_server_ext ( %d )",
642 ret ) );
643 return( ret );
644 }
645 ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_SIG_ALG;
646 break;
647#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
648
649 default:
650 MBEDTLS_SSL_DEBUG_MSG( 3,
651 ( "unknown extension found: %ud ( ignoring )",
652 extension_type ) );
653 }
654
655 p += extension_data_len;
656 }
657
658 /* Update checksum with either
659 * - The entire content of the CH message, if no PSK extension is present
660 * - The content up to but excluding the PSK extension, if present.
661 */
XiaokangQian3f84d5d2022-04-19 06:36:17 +0000[diff] [blame]662 mbedtls_ssl_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_CLIENT_HELLO,
XiaokangQianc4b8c992022-04-07 11:31:38 +0000[diff] [blame]663 buf, p - buf );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]664
665 /* List all the extensions we have received */
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]666#if defined(MBEDTLS_DEBUG_C)
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]667 ssl_tls13_debug_print_client_hello_exts( ssl );
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]668#endif /* MBEDTLS_DEBUG_C */
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]669
670 /*
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]671 * Here we only support the ephemeral or (EC)DHE key echange mode
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]672 */
673
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]674 if( !ssl_tls13_check_ephemeral_key_exchange( ssl ) )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]675 {
676 MBEDTLS_SSL_DEBUG_MSG(
677 1,
678 ( "ClientHello message misses mandatory extensions." ) );
679 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_MISSING_EXTENSION ,
680 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
681 return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
682 }
683
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]684 return( 0 );
685}
686
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]687/* Update the handshake state machine */
688
XiaokangQiancfd925f2022-04-14 07:10:37 +0000[diff] [blame]689static int ssl_tls13_postprocess_client_hello( mbedtls_ssl_context* ssl )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]690{
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]691 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]692
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]693 ret = mbedtls_ssl_tls13_key_schedule_stage_early( ssl );
694 if( ret != 0 )
695 {
696 MBEDTLS_SSL_DEBUG_RET( 1,
697 "mbedtls_ssl_tls1_3_key_schedule_stage_early", ret );
698 return( ret );
699 }
700
701 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_HELLO );
702 return( 0 );
703
704}
705
706/*
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]707 * Main entry point from the state machine; orchestrates the otherfunctions.
708 */
709
710static int ssl_tls13_process_client_hello( mbedtls_ssl_context *ssl )
711{
712
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]713 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]714 unsigned char* buf = NULL;
715 size_t buflen = 0;
716 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse client hello" ) );
717
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]718 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_fetch_handshake_msg(
719 ssl, MBEDTLS_SSL_HS_CLIENT_HELLO,
720 &buf, &buflen ) );
721
722 MBEDTLS_SSL_PROC_CHK_NEG( ssl_tls13_parse_client_hello( ssl, buf,
723 buf + buflen ) );
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]724 MBEDTLS_SSL_DEBUG_MSG( 1, ( "postprocess" ) );
XiaokangQiancfd925f2022-04-14 07:10:37 +0000[diff] [blame]725 MBEDTLS_SSL_PROC_CHK( ssl_tls13_postprocess_client_hello( ssl ) );
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]726
727cleanup:
728
729 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse client hello" ) );
730 return( ret );
731}
732
733/*
XiaokangQian060d8672022-04-21 09:24:56 +0000[diff] [blame^]734 * TLS 1.3 State Maschine -- server side
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]735 */
Jerry Yu27561932021-08-27 17:07:38 +0800[diff] [blame]736int mbedtls_ssl_tls13_handshake_server_step( mbedtls_ssl_context *ssl )
Jerry Yub9930e72021-08-06 17:11:51 +0800[diff] [blame]737{
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]738 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]739
740 if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER || ssl->handshake == NULL )
741 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
742
Jerry Yue3b34122021-09-28 17:53:35 +0800[diff] [blame]743 MBEDTLS_SSL_DEBUG_MSG( 2, ( "tls13 server state: %s(%d)",
744 mbedtls_ssl_states_str( ssl->state ),
745 ssl->state ) );
Jerry Yu6e81b272021-09-27 11:16:17 +0800[diff] [blame]746
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]747 switch( ssl->state )
748 {
749 /* start state */
750 case MBEDTLS_SSL_HELLO_REQUEST:
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]751 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_HELLO );
752
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]753 ret = 0;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]754 break;
755
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]756 case MBEDTLS_SSL_CLIENT_HELLO:
757
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]758 ret = ssl_tls13_process_client_hello( ssl );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]759 if( ret != 0 )
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]760 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_tls13_process_client_hello", ret );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]761
762 break;
763
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]764 default:
765 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) );
XiaokangQian060d8672022-04-21 09:24:56 +0000[diff] [blame^]766 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]767 }
768
769 return( ret );
Jerry Yub9930e72021-08-06 17:11:51 +0800[diff] [blame]770}
Jerry Yu3cc4c2a2021-08-06 16:29:08 +0800[diff] [blame]771
Jerry Yufb4b6472022-01-27 15:03:26 +0800[diff] [blame]772#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_PROTO_TLS1_3 */