Blame - library/ssl_tls13_server.c - mirror/mbed-tls

2021-08-06 16:29:08 +0800

[diff] [blame]

1

/*

Jerry Yu

b9930e7

2021-08-06 17:11:51 +0800

[diff] [blame]

2

* TLS 1.3 server-side functions

Jerry Yu

2021-08-06 16:29:08 +0800

[diff] [blame]

3

*

4

* Copyright The Mbed TLS Contributors

5

* SPDX-License-Identifier: Apache-2.0

6

*

7

* Licensed under the Apache License, Version 2.0 (the "License"); you may

8

* not use this file except in compliance with the License.

9

* You may obtain a copy of the License at

10

*

11

* http://www.apache.org/licenses/LICENSE-2.0

12

*

13

* Unless required by applicable law or agreed to in writing, software

14

* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT

15

* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

16

* See the License for the specific language governing permissions and

17

* limitations under the License.

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

18

*/

Jerry Yu

2021-08-06 16:29:08 +0800

[diff] [blame]

#include "common.h"

Jerry Yu

2022-01-27 15:03:26 +0800

[diff] [blame]

22

#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_PROTO_TLS1_3)

Jerry Yu

2021-08-06 16:29:08 +0800

[diff] [blame]

23

Jerry Yu

687101b

2021-09-14 16:03:56 +0800

[diff] [blame]

24

#include "mbedtls/debug.h"

Xiaofei Bai

cba64af

2022-02-15 10:00:56 +0000

[diff] [blame]

25

#include "mbedtls/error.h"

26

#include "mbedtls/platform.h"

Jerry Yu

2022-07-10 06:32:38 +0000

[diff] [blame]

27

#include "mbedtls/constant_time.h"

Jerry Yu

2022-03-30 22:02:12 +0800

[diff] [blame]

28

Xiaofei Bai

2022-02-14 12:57:18 +0000

[diff] [blame]

29

#include "ssl_misc.h"

30

#include "ssl_tls13_keys.h"

31

#include "ssl_debug_helpers.h"

32

XiaokangQian

2022-02-15 10:04:37 +0000

[diff] [blame]

33

#if defined(MBEDTLS_ECP_C)

34

#include "mbedtls/ecp.h"

XiaokangQian

2022-02-15 10:04:37 +0000

[diff] [blame]

35

#endif /* MBEDTLS_ECP_C */

Jerry Yu

2021-08-06 16:29:08 +0800

[diff] [blame]

36

XiaokangQian

a9c5841

2022-02-17 09:41:26 +0000

[diff] [blame]

37

#include "mbedtls/platform.h"

XiaokangQian

2022-02-15 10:04:37 +0000

[diff] [blame]

38

Jerry Yu

2022-04-16 12:37:19 +0800

[diff] [blame]

39

#include "ssl_misc.h"

40

#include "ssl_tls13_keys.h"

41

#include "ssl_debug_helpers.h"

42

Jerry Yu

2022-08-23 17:58:26 +0800

[diff] [blame]

43

Jerry Yu

c5a23a0

2022-08-25 10:51:44 +0800

[diff] [blame]

44

static const mbedtls_ssl_ciphersuite_t *ssl_tls13_validate_peer_ciphersuite(

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

45

mbedtls_ssl_context *ssl,

46

unsigned int cipher_suite)

Jerry Yu

2022-08-23 17:58:26 +0800

[diff] [blame]

47

{

48

const mbedtls_ssl_ciphersuite_t *ciphersuite_info;

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

49

if (!mbedtls_ssl_tls13_cipher_suite_is_offered(ssl, cipher_suite)) {

50

return NULL;

Jerry Yu

2022-08-23 17:58:26 +0800

[diff] [blame]

51

}

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

52

53

ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(cipher_suite);

54

if ((mbedtls_ssl_validate_ciphersuite(ssl, ciphersuite_info,

55

ssl->tls_version,

56

ssl->tls_version) != 0)) {

57

return NULL;

58

}

59

return ciphersuite_info;

Jerry Yu

2022-08-23 17:58:26 +0800

[diff] [blame]

60

}

61

Ronald Cron

2022-10-04 16:38:25 +0200

[diff] [blame]

62

#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)

Jerry Yu

2022-07-08 12:04:51 +0000

[diff] [blame]

63

/* From RFC 8446:

64

*

65

* enum { psk_ke(0), psk_dhe_ke(1), (255) } PskKeyExchangeMode;

66

* struct {

67

* PskKeyExchangeMode ke_modes<1..255>;

68

* } PskKeyExchangeModes;

69

*/

Jerry Yu

2022-07-20 20:49:32 +0800

[diff] [blame]

70

MBEDTLS_CHECK_RETURN_CRITICAL

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

71

static int ssl_tls13_parse_key_exchange_modes_ext(mbedtls_ssl_context *ssl,

72

const unsigned char *buf,

73

const unsigned char *end)

Jerry Yu

2022-07-08 12:04:51 +0000

[diff] [blame]

74

{

Jerry Yu

299e31f

2022-07-13 23:06:36 +0800

[diff] [blame]

75

const unsigned char *p = buf;

Jerry Yu

2022-07-08 12:04:51 +0000

[diff] [blame]

size_t ke_modes_len;

int ke_modes = 0;

Jerry Yu

2022-07-15 14:28:27 +0800

[diff] [blame]

79

/* Read ke_modes length (1 Byte) */

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

80

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 1);

Jerry Yu

299e31f

2022-07-13 23:06:36 +0800

[diff] [blame]

81

ke_modes_len = *p++;

Jerry Yu

2022-07-08 12:04:51 +0000

[diff] [blame]

82

/* Currently, there are only two PSK modes, so even without looking

83

* at the content, something's wrong if the list has more than 2 items. */

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

84

if (ke_modes_len > 2) {

85

MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,

86

MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);

87

return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;

Jerry Yu

299e31f

2022-07-13 23:06:36 +0800

[diff] [blame]

88

}

Jerry Yu

2022-07-08 12:04:51 +0000

[diff] [blame]

89

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

90

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, ke_modes_len);

Jerry Yu

2022-07-08 12:04:51 +0000

[diff] [blame]

91

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

92

while (ke_modes_len-- != 0) {

93

switch (*p++) {

94

case MBEDTLS_SSL_TLS1_3_PSK_MODE_PURE:

95

ke_modes |= MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK;

96

MBEDTLS_SSL_DEBUG_MSG(3, ("Found PSK KEX MODE"));

97

break;

98

case MBEDTLS_SSL_TLS1_3_PSK_MODE_ECDHE:

99

ke_modes |= MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL;

100

MBEDTLS_SSL_DEBUG_MSG(3, ("Found PSK_EPHEMERAL KEX MODE"));

101

break;

102

default:

103

MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,

104

MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);

105

return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;

Jerry Yu

2022-07-08 12:04:51 +0000

[diff] [blame]

}

}

ssl->handshake->tls13_kex_modes = ke_modes;

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

110

return 0;

Jerry Yu

2022-07-08 12:04:51 +0000

[diff] [blame]

111

}

Jerry Yu

2022-07-10 06:32:38 +0000

[diff] [blame]

112

Jerry Yu

e9d4fc0

2022-08-20 19:21:15 +0800

[diff] [blame]

113

#define SSL_TLS1_3_OFFERED_PSK_NOT_MATCH 1

114

#define SSL_TLS1_3_OFFERED_PSK_MATCH 0

Jerry Yu

2022-08-21 19:22:23 +0800

[diff] [blame]

115

116

#if defined(MBEDTLS_SSL_SESSION_TICKETS)

117

118

MBEDTLS_CHECK_RETURN_CRITICAL

119

static int ssl_tls13_offered_psks_check_identity_match_ticket(

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

120

mbedtls_ssl_context *ssl,

121

const unsigned char *identity,

122

size_t identity_len,

123

uint32_t obfuscated_ticket_age,

124

mbedtls_ssl_session *session)

Jerry Yu

2022-08-21 19:22:23 +0800

[diff] [blame]

125

{

Jerry Yu

fd310eb

2022-09-06 09:16:35 +0800

[diff] [blame]

126

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

Jerry Yu

2022-08-21 19:22:23 +0800

[diff] [blame]

127

unsigned char *ticket_buffer;

Jerry Yu

2022-09-13 14:15:48 +0800

[diff] [blame]

128

#if defined(MBEDTLS_HAVE_TIME)

129

mbedtls_time_t now;

Jerry Yu

acff823

2022-09-14 14:35:11 +0800

[diff] [blame]

130

uint64_t age_in_s;

Jerry Yu

f7dad3c

2022-09-14 22:31:39 +0800

[diff] [blame]

131

int64_t age_diff_in_ms;

Jerry Yu

2022-09-13 14:15:48 +0800

[diff] [blame]

132

#endif

Jerry Yu

2022-08-21 19:22:23 +0800

[diff] [blame]

133

134

((void) obfuscated_ticket_age);

135

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

136

MBEDTLS_SSL_DEBUG_MSG(2, ("=> check_identity_match_ticket"));

Jerry Yu

2022-08-21 19:22:23 +0800

[diff] [blame]

137

Jerry Yu

fd310eb

2022-09-06 09:16:35 +0800

[diff] [blame]

138

/* Ticket parser is not configured, Skip */

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

139

if (ssl->conf->f_ticket_parse == NULL || identity_len == 0) {

140

return 0;

141

}

Jerry Yu

2022-08-21 19:22:23 +0800

[diff] [blame]

142

Jerry Yu

2022-09-13 11:11:48 +0800

[diff] [blame]

143

/* We create a copy of the encrypted ticket since the ticket parsing

144

* function is allowed to use its input buffer as an output buffer

145

* (in-place decryption). We do, however, need the original buffer for

146

* computing the PSK binder value.

Jerry Yu

2022-08-21 19:22:23 +0800

[diff] [blame]

147

*/

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

148

ticket_buffer = mbedtls_calloc(1, identity_len);

149

if (ticket_buffer == NULL) {

150

MBEDTLS_SSL_DEBUG_MSG(1, ("buffer too small"));

151

return MBEDTLS_ERR_SSL_ALLOC_FAILED;

Jerry Yu

2022-08-21 19:22:23 +0800

[diff] [blame]

152

}

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

153

memcpy(ticket_buffer, identity, identity_len);

Jerry Yu

2022-08-21 19:22:23 +0800

[diff] [blame]

154

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

155

if ((ret = ssl->conf->f_ticket_parse(ssl->conf->p_ticket,

156

session,

157

ticket_buffer, identity_len)) != 0) {

158

if (ret == MBEDTLS_ERR_SSL_INVALID_MAC) {

159

MBEDTLS_SSL_DEBUG_MSG(3, ("ticket is not authentic"));

160

} else if (ret == MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED) {

161

MBEDTLS_SSL_DEBUG_MSG(3, ("ticket is expired"));

162

} else {

163

MBEDTLS_SSL_DEBUG_RET(1, "ticket_parse", ret);

164

}

Jerry Yu

2022-08-21 19:22:23 +0800

[diff] [blame]

165

}

166

167

/* We delete the temporary buffer */

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

168

mbedtls_free(ticket_buffer);

Jerry Yu

2022-08-21 19:22:23 +0800

[diff] [blame]

169

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

170

if (ret != 0) {

Jerry Yu

2022-09-13 14:15:48 +0800

[diff] [blame]

171

goto exit;

172

}

Jerry Yu

2022-08-21 19:22:23 +0800

[diff] [blame]

173

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

174

ret = MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED;

175

#if defined(MBEDTLS_HAVE_TIME)

176

now = mbedtls_time(NULL);

177

178

if (now < session->start) {

179

MBEDTLS_SSL_DEBUG_MSG(

180

3, ("Invalid ticket start time ( now=%" MBEDTLS_PRINTF_LONGLONG

181

", start=%" MBEDTLS_PRINTF_LONGLONG " )",

182

(long long) now, (long long) session->start));

goto exit;

}

age_in_s = (uint64_t) (now - session->start);

Jerry Yu

2022-08-21 19:22:23 +0800

[diff] [blame]

187

Jerry Yu

2022-09-13 14:15:48 +0800

[diff] [blame]

188

/* RFC 8446 section 4.6.1

189

*

190

* Servers MUST NOT use any value greater than 604800 seconds (7 days).

191

*

192

* RFC 8446 section 4.2.11.1

193

*

194

* Clients MUST NOT attempt to use tickets which have ages greater than

195

* the "ticket_lifetime" value which was provided with the ticket.

196

*

197

* For time being, the age MUST be less than 604800 seconds (7 days).

198

*/

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

199

if (age_in_s > 604800) {

Jerry Yu

2022-09-13 14:15:48 +0800

[diff] [blame]

200

MBEDTLS_SSL_DEBUG_MSG(

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

201

3, ("Ticket age exceeds limitation ticket_age=%lu",

202

(long unsigned int) age_in_s));

Jerry Yu

2022-09-13 14:15:48 +0800

[diff] [blame]

203

goto exit;

204

}

Jerry Yu

2022-08-21 19:22:23 +0800

[diff] [blame]

205

Jerry Yu

2022-09-13 14:15:48 +0800

[diff] [blame]

206

/* RFC 8446 section 4.2.10

207

*

208

* For PSKs provisioned via NewSessionTicket, a server MUST validate that

209

* the ticket age for the selected PSK identity (computed by subtracting

210

* ticket_age_add from PskIdentity.obfuscated_ticket_age modulo 2^32) is

211

* within a small tolerance of the time since the ticket was issued.

Jerry Yu

f7dad3c

2022-09-14 22:31:39 +0800

[diff] [blame]

212

*

Jerry Yu

0a55cc6

2022-09-15 16:15:06 +0800

[diff] [blame]

213

* NOTE: When `now == session->start`, `age_diff_in_ms` may be negative

214

* as the age units are different on the server (s) and in the

215

* client (ms) side. Add a -1000 ms tolerance window to take this

216

* into account.

Jerry Yu

2022-09-13 14:15:48 +0800

[diff] [blame]

217

*/

Jerry Yu

f7dad3c

2022-09-14 22:31:39 +0800

[diff] [blame]

218

age_diff_in_ms = age_in_s * 1000;

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

219

age_diff_in_ms -= (obfuscated_ticket_age - session->ticket_age_add);

220

if (age_diff_in_ms <= -1000 ||

221

age_diff_in_ms > MBEDTLS_SSL_TLS1_3_TICKET_AGE_TOLERANCE) {

Jerry Yu

2022-09-13 14:15:48 +0800

[diff] [blame]

222

MBEDTLS_SSL_DEBUG_MSG(

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

223

3, ("Ticket age outside tolerance window ( diff=%d )",

224

(int) age_diff_in_ms));

Jerry Yu

2022-09-13 14:15:48 +0800

[diff] [blame]

goto exit;

}

ret = 0;

Jerry Yu

2022-08-21 19:22:23 +0800

[diff] [blame]

229

230

#endif /* MBEDTLS_HAVE_TIME */

Jerry Yu

2022-09-13 14:15:48 +0800

[diff] [blame]

231

232

exit:

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

233

if (ret != 0) {

234

mbedtls_ssl_session_free(session);

235

}

Jerry Yu

2022-08-21 19:22:23 +0800

[diff] [blame]

236

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

237

MBEDTLS_SSL_DEBUG_MSG(2, ("<= check_identity_match_ticket"));

238

return ret;

Jerry Yu

2022-08-21 19:22:23 +0800

[diff] [blame]

239

}

240

#endif /* MBEDTLS_SSL_SESSION_TICKETS */

241

Jerry Yu

2022-07-20 20:49:32 +0800

[diff] [blame]

242

MBEDTLS_CHECK_RETURN_CRITICAL

Jerry Yu

2022-07-10 06:32:38 +0000

[diff] [blame]

243

static int ssl_tls13_offered_psks_check_identity_match(

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

244

mbedtls_ssl_context *ssl,

245

const unsigned char *identity,

246

size_t identity_len,

247

uint32_t obfuscated_ticket_age,

248

int *psk_type,

249

mbedtls_ssl_session *session)

Jerry Yu

2022-07-10 06:32:38 +0000

[diff] [blame]

250

{

Jerry Yu

2022-08-21 19:22:23 +0800

[diff] [blame]

251

((void) session);

252

((void) obfuscated_ticket_age);

Jerry Yu

2022-08-21 17:27:16 +0800

[diff] [blame]

253

*psk_type = MBEDTLS_SSL_TLS1_3_PSK_EXTERNAL;

Jerry Yu

2022-08-21 19:22:23 +0800

[diff] [blame]

254

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

255

MBEDTLS_SSL_DEBUG_BUF(4, "identity", identity, identity_len);

Jerry Yu

2022-08-21 19:22:23 +0800

[diff] [blame]

256

ssl->handshake->resume = 0;

257

Jerry Yu

2022-08-21 19:22:23 +0800

[diff] [blame]

258

#if defined(MBEDTLS_SSL_SESSION_TICKETS)

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

259

if (ssl_tls13_offered_psks_check_identity_match_ticket(

Jerry Yu

2022-09-13 14:15:48 +0800

[diff] [blame]

260

ssl, identity, identity_len, obfuscated_ticket_age,

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

261

session) == SSL_TLS1_3_OFFERED_PSK_MATCH) {

Jerry Yu

2022-08-21 19:22:23 +0800

[diff] [blame]

262

ssl->handshake->resume = 1;

263

*psk_type = MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION;

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

264

mbedtls_ssl_set_hs_psk(ssl,

Jerry Yu

0a55cc6

2022-09-15 16:15:06 +0800

[diff] [blame]

265

session->resumption_key,

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

266

session->resumption_key_len);

267

268

MBEDTLS_SSL_DEBUG_BUF(4, "Ticket-resumed PSK:",

269

session->resumption_key,

270

session->resumption_key_len);

271

MBEDTLS_SSL_DEBUG_MSG(4, ("ticket: obfuscated_ticket_age: %u",

272

(unsigned) obfuscated_ticket_age));

273

return SSL_TLS1_3_OFFERED_PSK_MATCH;

Jerry Yu

2022-08-21 19:22:23 +0800

[diff] [blame]

274

}

275

#endif /* MBEDTLS_SSL_SESSION_TICKETS */

276

Jerry Yu

2022-07-10 06:32:38 +0000

[diff] [blame]

277

/* Check identity with external configured function */

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

278

if (ssl->conf->f_psk != NULL) {

279

if (ssl->conf->f_psk(

280

ssl->conf->p_psk, ssl, identity, identity_len) == 0) {

281

return SSL_TLS1_3_OFFERED_PSK_MATCH;

Jerry Yu

2022-07-10 06:32:38 +0000

[diff] [blame]

282

}

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

283

return SSL_TLS1_3_OFFERED_PSK_NOT_MATCH;

Jerry Yu

2022-07-10 06:32:38 +0000

[diff] [blame]

284

}

285

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

286

MBEDTLS_SSL_DEBUG_BUF(5, "identity", identity, identity_len);

Jerry Yu

2022-07-10 06:32:38 +0000

[diff] [blame]

287

/* Check identity with pre-configured psk */

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

288

if (ssl->conf->psk_identity != NULL &&

Jerry Yu

2f0abc9

2022-07-22 19:34:48 +0800

[diff] [blame]

289

identity_len == ssl->conf->psk_identity_len &&

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

290

mbedtls_ct_memcmp(ssl->conf->psk_identity,

291

identity, identity_len) == 0) {

292

mbedtls_ssl_set_hs_psk(ssl, ssl->conf->psk, ssl->conf->psk_len);

293

return SSL_TLS1_3_OFFERED_PSK_MATCH;

Jerry Yu

2022-07-10 06:32:38 +0000

[diff] [blame]

294

}

295

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

296

return SSL_TLS1_3_OFFERED_PSK_NOT_MATCH;

Jerry Yu

2022-07-10 06:32:38 +0000

[diff] [blame]

297

}

298

Jerry Yu

2022-07-20 20:49:32 +0800

[diff] [blame]

299

MBEDTLS_CHECK_RETURN_CRITICAL

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

300

static int ssl_tls13_offered_psks_check_binder_match(mbedtls_ssl_context *ssl,

301

const unsigned char *binder,

302

size_t binder_len,

303

int psk_type,

304

psa_algorithm_t psk_hash_alg)

Jerry Yu

2022-07-10 06:32:38 +0000

[diff] [blame]

305

{

306

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

Jerry Yu

2022-07-21 15:11:34 +0800

[diff] [blame]

307

Jerry Yu

daf375a

2022-07-20 21:31:43 +0800

[diff] [blame]

308

unsigned char transcript[PSA_HASH_MAX_SIZE];

Jerry Yu

2022-07-10 06:32:38 +0000

[diff] [blame]

309

size_t transcript_len;

Jerry Yu

2f0abc9

2022-07-22 19:34:48 +0800

[diff] [blame]

310

unsigned char *psk;

Jerry Yu

2022-07-21 15:11:34 +0800

[diff] [blame]

311

size_t psk_len;

Jerry Yu

daf375a

2022-07-20 21:31:43 +0800

[diff] [blame]

312

unsigned char server_computed_binder[PSA_HASH_MAX_SIZE];

Jerry Yu

2022-07-10 06:32:38 +0000

[diff] [blame]

313

Jerry Yu

2022-07-10 06:32:38 +0000

[diff] [blame]

314

/* Get current state of handshake transcript. */

Jerry Yu

2022-08-23 17:52:45 +0800

[diff] [blame]

315

ret = mbedtls_ssl_get_handshake_transcript(

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

316

ssl, mbedtls_hash_info_md_from_psa(psk_hash_alg),

317

transcript, sizeof(transcript), &transcript_len);

318

if (ret != 0) {

319

return ret;

320

}

Jerry Yu

2022-07-10 06:32:38 +0000

[diff] [blame]

321

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

322

ret = mbedtls_ssl_tls13_export_handshake_psk(ssl, &psk, &psk_len);

323

if (ret != 0) {

324

return ret;

325

}

Jerry Yu

2022-07-21 15:11:34 +0800

[diff] [blame]

326

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

327

ret = mbedtls_ssl_tls13_create_psk_binder(ssl, psk_hash_alg,

328

psk, psk_len, psk_type,

329

transcript,

330

server_computed_binder);

Jerry Yu

2022-07-21 15:11:34 +0800

[diff] [blame]

331

#if defined(MBEDTLS_USE_PSA_CRYPTO)

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

332

mbedtls_free((void *) psk);

Jerry Yu

2022-07-21 15:11:34 +0800

[diff] [blame]

333

#endif

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

334

if (ret != 0) {

335

MBEDTLS_SSL_DEBUG_MSG(1, ("PSK binder calculation failed."));

336

return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;

Jerry Yu

2022-07-10 06:32:38 +0000

[diff] [blame]

337

}

338

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

339

MBEDTLS_SSL_DEBUG_BUF(3, "psk binder ( computed ): ",

340

server_computed_binder, transcript_len);

341

MBEDTLS_SSL_DEBUG_BUF(3, "psk binder ( received ): ", binder, binder_len);

Jerry Yu

2022-07-10 06:32:38 +0000

[diff] [blame]

342

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

343

if (mbedtls_ct_memcmp(server_computed_binder, binder, binder_len) == 0) {

344

return SSL_TLS1_3_OFFERED_PSK_MATCH;

Jerry Yu

2022-07-10 06:32:38 +0000

[diff] [blame]

345

}

346

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

347

mbedtls_platform_zeroize(server_computed_binder,

348

sizeof(server_computed_binder));

349

return SSL_TLS1_3_OFFERED_PSK_NOT_MATCH;

Jerry Yu

2022-07-10 06:32:38 +0000

[diff] [blame]

350

}

Jerry Yu

2022-07-21 15:11:34 +0800

[diff] [blame]

351

Jerry Yu

2022-08-21 17:27:16 +0800

[diff] [blame]

352

MBEDTLS_CHECK_RETURN_CRITICAL

Jerry Yu

2022-08-23 17:58:26 +0800

[diff] [blame]

353

static int ssl_tls13_select_ciphersuite_for_psk(

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

354

mbedtls_ssl_context *ssl,

355

const unsigned char *cipher_suites,

356

const unsigned char *cipher_suites_end,

357

uint16_t *selected_ciphersuite,

358

const mbedtls_ssl_ciphersuite_t **selected_ciphersuite_info)

Jerry Yu

2022-08-21 17:27:16 +0800

[diff] [blame]

359

{

Jerry Yu

2022-08-23 17:58:26 +0800

[diff] [blame]

360

psa_algorithm_t psk_hash_alg = PSA_ALG_SHA_256;

Jerry Yu

2022-08-21 17:27:16 +0800

[diff] [blame]

361

Jerry Yu

2022-08-25 11:21:04 +0800

[diff] [blame]

362

*selected_ciphersuite = 0;

363

*selected_ciphersuite_info = NULL;

364

Jerry Yu

2022-08-23 17:58:26 +0800

[diff] [blame]

365

/* RFC 8446, page 55.

366

*

367

* For externally established PSKs, the Hash algorithm MUST be set when the

368

* PSK is established or default to SHA-256 if no such algorithm is defined.

369

*

370

*/

Jerry Yu

2022-08-21 17:27:16 +0800

[diff] [blame]

371

Jerry Yu

2022-08-21 17:27:16 +0800

[diff] [blame]

372

/*

373

* Search for a matching ciphersuite

374

*/

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

375

for (const unsigned char *p = cipher_suites;

376

p < cipher_suites_end; p += 2) {

Jerry Yu

2022-08-21 17:27:16 +0800

[diff] [blame]

377

uint16_t cipher_suite;

Jerry Yu

2022-08-23 17:58:26 +0800

[diff] [blame]

378

const mbedtls_ssl_ciphersuite_t *ciphersuite_info;

Jerry Yu

2022-08-21 17:27:16 +0800

[diff] [blame]

379

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

380

cipher_suite = MBEDTLS_GET_UINT16_BE(p, 0);

381

ciphersuite_info = ssl_tls13_validate_peer_ciphersuite(ssl,

382

cipher_suite);

383

if (ciphersuite_info == NULL) {

Jerry Yu

2022-08-21 17:27:16 +0800

[diff] [blame]

384

continue;

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

385

}

Jerry Yu

2022-08-21 17:27:16 +0800

[diff] [blame]

386

Jerry Yu

2022-08-21 17:27:16 +0800

[diff] [blame]

387

/* MAC of selected ciphersuite MUST be same with PSK binder if exist.

388

* Otherwise, client should reject.

389

*/

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

390

if (psk_hash_alg == mbedtls_psa_translate_md(ciphersuite_info->mac)) {

Jerry Yu

2022-08-23 17:58:26 +0800

[diff] [blame]

391

*selected_ciphersuite = cipher_suite;

392

*selected_ciphersuite_info = ciphersuite_info;

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

393

return 0;

Jerry Yu

2022-08-23 17:58:26 +0800

[diff] [blame]

394

}

395

}

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

396

MBEDTLS_SSL_DEBUG_MSG(2, ("No matched ciphersuite"));

397

return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;

Jerry Yu

2022-08-23 17:58:26 +0800

[diff] [blame]

398

}

Jerry Yu

2022-08-21 17:27:16 +0800

[diff] [blame]

399

Jerry Yu

2022-08-30 10:42:33 +0800

[diff] [blame]

400

#if defined(MBEDTLS_SSL_SESSION_TICKETS)

Jerry Yu

2022-08-23 17:58:26 +0800

[diff] [blame]

401

MBEDTLS_CHECK_RETURN_CRITICAL

402

static int ssl_tls13_select_ciphersuite_for_resumption(

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

403

mbedtls_ssl_context *ssl,

404

const unsigned char *cipher_suites,

405

const unsigned char *cipher_suites_end,

406

mbedtls_ssl_session *session,

407

uint16_t *selected_ciphersuite,

408

const mbedtls_ssl_ciphersuite_t **selected_ciphersuite_info)

Jerry Yu

2022-08-23 17:58:26 +0800

[diff] [blame]

409

{

Jerry Yu

2022-08-30 10:42:33 +0800

[diff] [blame]

410

Jerry Yu

2022-08-23 17:58:26 +0800

[diff] [blame]

411

*selected_ciphersuite = 0;

412

*selected_ciphersuite_info = NULL;

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

413

for (const unsigned char *p = cipher_suites; p < cipher_suites_end; p += 2) {

414

uint16_t cipher_suite = MBEDTLS_GET_UINT16_BE(p, 0);

Jerry Yu

2022-08-30 10:42:33 +0800

[diff] [blame]

415

const mbedtls_ssl_ciphersuite_t *ciphersuite_info;

416

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

417

if (cipher_suite != session->ciphersuite) {

Jerry Yu

2022-08-30 10:42:33 +0800

[diff] [blame]

418

continue;

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

419

}

Jerry Yu

2022-08-30 10:42:33 +0800

[diff] [blame]

420

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

421

ciphersuite_info = ssl_tls13_validate_peer_ciphersuite(ssl,

422

cipher_suite);

423

if (ciphersuite_info == NULL) {

Jerry Yu

2022-08-30 10:42:33 +0800

[diff] [blame]

424

continue;

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

425

}

Jerry Yu

2022-08-30 10:42:33 +0800

[diff] [blame]

426

Jerry Yu

2022-09-13 11:11:48 +0800

[diff] [blame]

427

*selected_ciphersuite = cipher_suite;

Jerry Yu

2022-08-30 10:42:33 +0800

[diff] [blame]

428

*selected_ciphersuite_info = ciphersuite_info;

429

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

430

return 0;

Jerry Yu

2022-08-30 10:42:33 +0800

[diff] [blame]

431

}

432

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

433

return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;

Jerry Yu

2022-08-21 17:27:16 +0800

[diff] [blame]

434

}

Jerry Yu

2022-08-23 17:58:26 +0800

[diff] [blame]

435

Jerry Yu

2022-08-30 10:42:33 +0800

[diff] [blame]

436

MBEDTLS_CHECK_RETURN_CRITICAL

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

437

static int ssl_tls13_session_copy_ticket(mbedtls_ssl_session *dst,

438

const mbedtls_ssl_session *src)

Jerry Yu

2022-08-30 10:42:33 +0800

[diff] [blame]

439

{

Jerry Yu

2022-08-30 10:42:33 +0800

[diff] [blame]

440

dst->ticket_age_add = src->ticket_age_add;

441

dst->ticket_flags = src->ticket_flags;

442

dst->resumption_key_len = src->resumption_key_len;

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

443

if (src->resumption_key_len == 0) {

444

return MBEDTLS_ERR_SSL_INTERNAL_ERROR;

445

}

446

memcpy(dst->resumption_key, src->resumption_key, src->resumption_key_len);

Jerry Yu

2022-09-13 11:11:48 +0800

[diff] [blame]

447

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

448

return 0;

Jerry Yu

2022-08-30 10:42:33 +0800

[diff] [blame]

449

}

450

#endif /* MBEDTLS_SSL_SESSION_TICKETS */

451

Jerry Yu

2022-07-10 06:32:38 +0000

[diff] [blame]

452

/* Parser for pre_shared_key extension in client hello

453

* struct {

454

* opaque identity<1..2^16-1>;

455

* uint32 obfuscated_ticket_age;

456

* } PskIdentity;

457

*

458

* opaque PskBinderEntry<32..255>;

459

*

460

* struct {

461

* PskIdentity identities<7..2^16-1>;

462

* PskBinderEntry binders<33..2^16-1>;

* } OfferedPsks;

*

* struct {

* select (Handshake.msg_type) {

467

* case client_hello: OfferedPsks;

468

* ....

469

* };

470

* } PreSharedKeyExtension;

471

*/

Jerry Yu

2022-07-20 20:49:32 +0800

[diff] [blame]

472

MBEDTLS_CHECK_RETURN_CRITICAL

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

473

static int ssl_tls13_parse_pre_shared_key_ext(mbedtls_ssl_context *ssl,

474

const unsigned char *pre_shared_key_ext,

475

const unsigned char *pre_shared_key_ext_end,

476

const unsigned char *ciphersuites,

477

const unsigned char *ciphersuites_end)

Jerry Yu

2022-07-10 06:32:38 +0000

[diff] [blame]

478

{

Jerry Yu

2022-08-23 17:52:45 +0800

[diff] [blame]

479

const unsigned char *identities = pre_shared_key_ext;

Jerry Yu

2022-07-22 21:27:34 +0800

[diff] [blame]

480

const unsigned char *p_identity_len;

481

size_t identities_len;

Jerry Yu

2022-07-10 06:32:38 +0000

[diff] [blame]

482

const unsigned char *identities_end;

Jerry Yu

2022-07-22 21:27:34 +0800

[diff] [blame]

483

const unsigned char *binders;

484

const unsigned char *p_binder_len;

485

size_t binders_len;

Jerry Yu

2022-07-10 06:32:38 +0000

[diff] [blame]

486

const unsigned char *binders_end;

Jerry Yu

2022-07-21 15:11:34 +0800

[diff] [blame]

487

int matched_identity = -1;

488

int identity_id = -1;

Jerry Yu

2022-07-10 06:32:38 +0000

[diff] [blame]

489

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

490

MBEDTLS_SSL_DEBUG_BUF(3, "pre_shared_key extension",

491

pre_shared_key_ext,

492

pre_shared_key_ext_end - pre_shared_key_ext);

Jerry Yu

2022-07-10 06:32:38 +0000

[diff] [blame]

493

Jerry Yu

2022-07-21 15:11:34 +0800

[diff] [blame]

494

/* identities_len 2 bytes

495

* identities_data >= 7 bytes

496

*/

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

497

MBEDTLS_SSL_CHK_BUF_READ_PTR(identities, pre_shared_key_ext_end, 7 + 2);

498

identities_len = MBEDTLS_GET_UINT16_BE(identities, 0);

Jerry Yu

2022-07-22 21:27:34 +0800

[diff] [blame]

499

p_identity_len = identities + 2;

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

500

MBEDTLS_SSL_CHK_BUF_READ_PTR(p_identity_len, pre_shared_key_ext_end,

501

identities_len);

Jerry Yu

2022-07-22 21:27:34 +0800

[diff] [blame]

502

identities_end = p_identity_len + identities_len;

Jerry Yu

2022-07-10 06:32:38 +0000

[diff] [blame]

503

Jerry Yu

2022-07-21 15:11:34 +0800

[diff] [blame]

504

/* binders_len 2 bytes

505

* binders >= 33 bytes

506

*/

Jerry Yu

2022-07-22 21:27:34 +0800

[diff] [blame]

507

binders = identities_end;

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

508

MBEDTLS_SSL_CHK_BUF_READ_PTR(binders, pre_shared_key_ext_end, 33 + 2);

509

binders_len = MBEDTLS_GET_UINT16_BE(binders, 0);

Jerry Yu

2022-07-22 21:27:34 +0800

[diff] [blame]

510

p_binder_len = binders + 2;

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

511

MBEDTLS_SSL_CHK_BUF_READ_PTR(p_binder_len, pre_shared_key_ext_end, binders_len);

Jerry Yu

2022-07-22 21:27:34 +0800

[diff] [blame]

512

binders_end = p_binder_len + binders_len;

Jerry Yu

2022-07-10 06:32:38 +0000

[diff] [blame]

513

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

514

ssl->handshake->update_checksum(ssl, pre_shared_key_ext,

515

identities_end - pre_shared_key_ext);

Jerry Yu

2022-07-21 15:11:34 +0800

[diff] [blame]

516

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

517

while (p_identity_len < identities_end && p_binder_len < binders_end) {

Jerry Yu

2022-07-10 06:32:38 +0000

[diff] [blame]

518

const unsigned char *identity;

Jerry Yu

2022-07-22 21:27:34 +0800

[diff] [blame]

519

size_t identity_len;

Jerry Yu

2022-08-30 10:42:33 +0800

[diff] [blame]

520

uint32_t obfuscated_ticket_age;

Jerry Yu

2022-07-21 15:11:34 +0800

[diff] [blame]

521

const unsigned char *binder;

Jerry Yu

2022-07-22 21:27:34 +0800

[diff] [blame]

522

size_t binder_len;

Jerry Yu

2022-07-21 15:11:34 +0800

[diff] [blame]

523

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

Jerry Yu

2022-08-21 17:27:16 +0800

[diff] [blame]

524

int psk_type;

525

uint16_t cipher_suite;

Jerry Yu

2022-08-23 17:52:45 +0800

[diff] [blame]

526

const mbedtls_ssl_ciphersuite_t *ciphersuite_info;

Jerry Yu

2022-08-30 10:42:33 +0800

[diff] [blame]

527

#if defined(MBEDTLS_SSL_SESSION_TICKETS)

528

mbedtls_ssl_session session;

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

529

mbedtls_ssl_session_init(&session);

Jerry Yu

2022-08-30 10:42:33 +0800

[diff] [blame]

530

#endif

Jerry Yu

bb85202

2022-07-20 21:10:44 +0800

[diff] [blame]

531

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

532

MBEDTLS_SSL_CHK_BUF_READ_PTR(p_identity_len, identities_end, 2 + 1 + 4);

533

identity_len = MBEDTLS_GET_UINT16_BE(p_identity_len, 0);

Jerry Yu

2022-07-22 21:27:34 +0800

[diff] [blame]

534

identity = p_identity_len + 2;

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

535

MBEDTLS_SSL_CHK_BUF_READ_PTR(identity, identities_end, identity_len + 4);

536

obfuscated_ticket_age = MBEDTLS_GET_UINT32_BE(identity, identity_len);

Jerry Yu

2022-07-22 21:27:34 +0800

[diff] [blame]

537

p_identity_len += identity_len + 6;

Jerry Yu

2022-07-10 06:32:38 +0000

[diff] [blame]

538

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

539

MBEDTLS_SSL_CHK_BUF_READ_PTR(p_binder_len, binders_end, 1 + 32);

Jerry Yu

2022-07-22 21:27:34 +0800

[diff] [blame]

540

binder_len = *p_binder_len;

541

binder = p_binder_len + 1;

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

542

MBEDTLS_SSL_CHK_BUF_READ_PTR(binder, binders_end, binder_len);

Jerry Yu

2022-07-22 21:27:34 +0800

[diff] [blame]

543

p_binder_len += binder_len + 1;

Jerry Yu

2022-07-21 15:11:34 +0800

[diff] [blame]

544

Jerry Yu

2022-07-21 15:11:34 +0800

[diff] [blame]

545

identity_id++;

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

546

if (matched_identity != -1) {

Jerry Yu

2022-07-10 06:32:38 +0000

[diff] [blame]

547

continue;

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

548

}

Jerry Yu

2022-07-10 06:32:38 +0000

[diff] [blame]

549

Jerry Yu

2022-07-21 15:11:34 +0800

[diff] [blame]

550

ret = ssl_tls13_offered_psks_check_identity_match(

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

551

ssl, identity, identity_len, obfuscated_ticket_age,

552

&psk_type, &session);

553

if (ret != SSL_TLS1_3_OFFERED_PSK_MATCH) {

Jerry Yu

2022-07-21 15:11:34 +0800

[diff] [blame]

554

continue;

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

555

}

Jerry Yu

2022-07-21 15:11:34 +0800

[diff] [blame]

556

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

557

MBEDTLS_SSL_DEBUG_MSG(4, ("found matched identity"));

558

switch (psk_type) {

Jerry Yu

2022-08-25 11:21:04 +0800

[diff] [blame]

559

case MBEDTLS_SSL_TLS1_3_PSK_EXTERNAL:

560

ret = ssl_tls13_select_ciphersuite_for_psk(

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

561

ssl, ciphersuites, ciphersuites_end,

562

&cipher_suite, &ciphersuite_info);

Jerry Yu

2022-08-25 11:21:04 +0800

[diff] [blame]

563

break;

564

case MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION:

Jerry Yu

2022-08-30 10:42:33 +0800

[diff] [blame]

565

#if defined(MBEDTLS_SSL_SESSION_TICKETS)

Jerry Yu

2022-08-25 11:21:04 +0800

[diff] [blame]

566

ret = ssl_tls13_select_ciphersuite_for_resumption(

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

567

ssl, ciphersuites, ciphersuites_end, &session,

568

&cipher_suite, &ciphersuite_info);

569

if (ret != 0) {

570

mbedtls_ssl_session_free(&session);

571

}

Jerry Yu

2022-08-30 10:42:33 +0800

[diff] [blame]

572

#else

573

ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;

574

#endif

Jerry Yu

2022-08-25 11:21:04 +0800

[diff] [blame]

575

break;

576

default:

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

577

return MBEDTLS_ERR_SSL_INTERNAL_ERROR;

Jerry Yu

2022-08-25 11:21:04 +0800

[diff] [blame]

578

}

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

579

if (ret != 0) {

Jerry Yu

2022-08-23 17:58:26 +0800

[diff] [blame]

580

/* See below, no cipher_suite available, abort handshake */

581

MBEDTLS_SSL_PEND_FATAL_ALERT(

582

MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR,

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

583

MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE);

Jerry Yu

2022-08-23 17:58:26 +0800

[diff] [blame]

584

MBEDTLS_SSL_DEBUG_RET(

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

585

2, "ssl_tls13_select_ciphersuite", ret);

586

return ret;

Jerry Yu

2022-08-21 17:27:16 +0800

[diff] [blame]

587

}

588

Jerry Yu

2022-07-21 15:11:34 +0800

[diff] [blame]

589

ret = ssl_tls13_offered_psks_check_binder_match(

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

590

ssl, binder, binder_len, psk_type,

591

mbedtls_psa_translate_md(ciphersuite_info->mac));

592

if (ret != SSL_TLS1_3_OFFERED_PSK_MATCH) {

Jerry Yu

c5a23a0

2022-08-25 10:51:44 +0800

[diff] [blame]

593

/* For security reasons, the handshake should be aborted when we

594

* fail to validate a binder value. See RFC 8446 section 4.2.11.2

595

* and appendix E.6. */

Jerry Yu

2022-08-30 10:42:33 +0800

[diff] [blame]

596

#if defined(MBEDTLS_SSL_SESSION_TICKETS)

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

597

mbedtls_ssl_session_free(&session);

Jerry Yu

2022-08-30 10:42:33 +0800

[diff] [blame]

598

#endif

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

599

MBEDTLS_SSL_DEBUG_MSG(3, ("Invalid binder."));

600

MBEDTLS_SSL_DEBUG_RET(1,

601

"ssl_tls13_offered_psks_check_binder_match", ret);

Jerry Yu

2022-07-21 15:11:34 +0800

[diff] [blame]

602

MBEDTLS_SSL_PEND_FATAL_ALERT(

603

MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR,

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

604

MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE);

605

return ret;

Jerry Yu

2022-07-21 15:11:34 +0800

[diff] [blame]

606

}

Jerry Yu

2022-07-21 15:11:34 +0800

[diff] [blame]

607

608

matched_identity = identity_id;

Jerry Yu

2022-08-21 17:27:16 +0800

[diff] [blame]

609

610

/* Update handshake parameters */

Jerry Yu

e5834fd

2022-08-29 20:16:09 +0800

[diff] [blame]

611

ssl->handshake->ciphersuite_info = ciphersuite_info;

Jerry Yu

2022-09-13 11:11:48 +0800

[diff] [blame]

612

ssl->session_negotiate->ciphersuite = cipher_suite;

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

613

MBEDTLS_SSL_DEBUG_MSG(2, ("overwrite ciphersuite: %04x - %s",

614

cipher_suite, ciphersuite_info->name));

Jerry Yu

2022-08-30 10:42:33 +0800

[diff] [blame]

615

#if defined(MBEDTLS_SSL_SESSION_TICKETS)

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

616

if (psk_type == MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION) {

617

ret = ssl_tls13_session_copy_ticket(ssl->session_negotiate,

618

&session);

619

mbedtls_ssl_session_free(&session);

620

if (ret != 0) {

621

return ret;

622

}

Jerry Yu

2022-08-30 10:42:33 +0800

[diff] [blame]

623

}

624

#endif /* MBEDTLS_SSL_SESSION_TICKETS */

Jerry Yu

2022-07-10 06:32:38 +0000

[diff] [blame]

625

}

626

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

627

if (p_identity_len != identities_end || p_binder_len != binders_end) {

628

MBEDTLS_SSL_DEBUG_MSG(3, ("pre_shared_key extension decode error"));

629

MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,

630

MBEDTLS_ERR_SSL_DECODE_ERROR);

631

return MBEDTLS_ERR_SSL_DECODE_ERROR;

Jerry Yu

2022-07-10 06:32:38 +0000

[diff] [blame]

632

}

633

Jerry Yu

6f1db3f

2022-07-22 23:05:59 +0800

[diff] [blame]

634

/* Update the handshake transcript with the binder list. */

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

635

ssl->handshake->update_checksum(ssl,

636

identities_end,

637

(size_t) (binders_end - identities_end));

638

if (matched_identity == -1) {

639

MBEDTLS_SSL_DEBUG_MSG(3, ("No matched PSK or ticket."));

640

return MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY;

Jerry Yu

2022-07-10 06:32:38 +0000

[diff] [blame]

641

}

642

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

643

ssl->handshake->selected_identity = (uint16_t) matched_identity;

644

MBEDTLS_SSL_DEBUG_MSG(3, ("Pre shared key found"));

Jerry Yu

2022-07-10 06:32:38 +0000

[diff] [blame]

645

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

646

return 0;

Jerry Yu

2022-07-10 06:32:38 +0000

[diff] [blame]

647

}

Jerry Yu

2022-07-11 06:10:03 +0000

[diff] [blame]

/*

* struct {

* select ( Handshake.msg_type ) {

652

* ....

653

* case server_hello:

654

* uint16 selected_identity;

655

* }

656

* } PreSharedKeyExtension;

657

*/

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

658

static int ssl_tls13_write_server_pre_shared_key_ext(mbedtls_ssl_context *ssl,

659

unsigned char *buf,

660

unsigned char *end,

661

size_t *olen)

Jerry Yu

2022-07-11 06:10:03 +0000

[diff] [blame]

662

{

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

663

unsigned char *p = (unsigned char *) buf;

Jerry Yu

2022-07-11 06:10:03 +0000

[diff] [blame]

*olen = 0;

David Horstmann

2022-10-06 18:34:28 +0100

[diff] [blame]

667

int not_using_psk = 0;

Jerry Yu

2022-07-11 06:10:03 +0000

[diff] [blame]

668

#if defined(MBEDTLS_USE_PSA_CRYPTO)

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

669

not_using_psk = (mbedtls_svc_key_id_is_null(ssl->handshake->psk_opaque));

Jerry Yu

2022-07-11 06:10:03 +0000

[diff] [blame]

670

#else

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

671

not_using_psk = (ssl->handshake->psk == NULL);

Jerry Yu

2022-07-11 06:10:03 +0000

[diff] [blame]

672

#endif

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

673

if (not_using_psk) {

Jerry Yu

2022-07-11 06:10:03 +0000

[diff] [blame]

674

/* We shouldn't have called this extension writer unless we've

675

* chosen to use a PSK. */

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

676

return MBEDTLS_ERR_SSL_INTERNAL_ERROR;

Jerry Yu

2022-07-11 06:10:03 +0000

[diff] [blame]

677

}

678

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

679

MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding pre_shared_key extension"));

680

MBEDTLS_SSL_CHK_BUF_PTR(p, end, 6);

Jerry Yu

2022-07-11 06:10:03 +0000

[diff] [blame]

681

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

682

MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_PRE_SHARED_KEY, p, 0);

683

MBEDTLS_PUT_UINT16_BE(2, p, 2);

Jerry Yu

2022-07-11 06:10:03 +0000

[diff] [blame]

684

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

685

MBEDTLS_PUT_UINT16_BE(ssl->handshake->selected_identity, p, 4);

Jerry Yu

2022-07-11 06:10:03 +0000

[diff] [blame]

*olen = 6;

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

689

MBEDTLS_SSL_DEBUG_MSG(4, ("sent selected_identity: %u",

690

ssl->handshake->selected_identity));

Jerry Yu

2022-07-11 06:10:03 +0000

[diff] [blame]

691

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

692

mbedtls_ssl_tls13_set_hs_sent_ext_mask(ssl, MBEDTLS_TLS_EXT_PRE_SHARED_KEY);

Jerry Yu

2022-11-08 21:19:34 +0800

[diff] [blame]

693

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

694

return 0;

Jerry Yu

2022-07-11 06:10:03 +0000

[diff] [blame]

695

}

696

Ronald Cron

2022-10-04 16:38:25 +0200

[diff] [blame]

697

#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */

Jerry Yu

2022-07-08 12:04:51 +0000

[diff] [blame]

698

XiaokangQian

2022-02-15 10:04:37 +0000

[diff] [blame]

699

/* From RFC 8446:

700

* struct {

XiaokangQian

cfd925f

2022-04-14 07:10:37 +0000

[diff] [blame]

701

* ProtocolVersion versions<2..254>;

XiaokangQian

2022-02-15 10:04:37 +0000

[diff] [blame]

702

* } SupportedVersions;

703

*/

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

704

MBEDTLS_CHECK_RETURN_CRITICAL

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

705

static int ssl_tls13_parse_supported_versions_ext(mbedtls_ssl_context *ssl,

706

const unsigned char *buf,

707

const unsigned char *end)

XiaokangQian

2022-02-15 10:04:37 +0000

[diff] [blame]

708

{

XiaokangQian

2022-02-15 10:04:37 +0000

[diff] [blame]

709

const unsigned char *p = buf;

XiaokangQian

2022-04-15 02:52:39 +0000

[diff] [blame]

710

size_t versions_len;

XiaokangQian

2022-04-11 09:55:18 +0000

[diff] [blame]

711

const unsigned char *versions_end;

XiaokangQian

0a1b54e

2022-04-21 03:01:38 +0000

[diff] [blame]

712

uint16_t tls_version;

XiaokangQian

2022-04-15 02:52:39 +0000

[diff] [blame]

713

int tls13_supported = 0;

XiaokangQian

2022-02-15 10:04:37 +0000

[diff] [blame]

714

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

715

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 1);

XiaokangQian

2022-04-11 09:55:18 +0000

[diff] [blame]

716

versions_len = p[0];

XiaokangQian

2022-02-15 10:04:37 +0000

[diff] [blame]

717

p += 1;

718

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

719

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, versions_len);

XiaokangQian

2022-04-11 09:55:18 +0000

[diff] [blame]

720

versions_end = p + versions_len;

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

721

while (p < versions_end) {

722

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, versions_end, 2);

723

tls_version = mbedtls_ssl_read_version(p, ssl->conf->transport);

XiaokangQian

2022-04-19 00:02:38 +0000

[diff] [blame]

724

p += 2;

XiaokangQian

2022-02-15 10:04:37 +0000

[diff] [blame]

725

726

/* In this implementation we only support TLS 1.3 and DTLS 1.3. */

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

727

if (tls_version == MBEDTLS_SSL_VERSION_TLS1_3) {

XiaokangQian

2022-02-15 10:04:37 +0000

[diff] [blame]

728

tls13_supported = 1;

729

break;

730

}

XiaokangQian

2022-02-15 10:04:37 +0000

[diff] [blame]

731

}

732

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

733

if (!tls13_supported) {

734

MBEDTLS_SSL_DEBUG_MSG(1, ("TLS 1.3 is not supported by the client"));

XiaokangQian

2022-02-15 10:04:37 +0000

[diff] [blame]

735

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

736

MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION,

737

MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION);

738

return MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION;

XiaokangQian

2022-02-15 10:04:37 +0000

[diff] [blame]

739

}

740

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

741

MBEDTLS_SSL_DEBUG_MSG(1, ("Negotiated version. Supported is [%04x]",

742

(unsigned int) tls_version));

XiaokangQian

2022-02-15 10:04:37 +0000

[diff] [blame]

743

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

744

return 0;

XiaokangQian

2022-02-15 10:04:37 +0000

[diff] [blame]

745

}

746

XiaokangQian

2022-04-15 02:52:39 +0000

[diff] [blame]

747

#if defined(MBEDTLS_ECDH_C)

XiaokangQian

2022-04-22 02:34:40 +0000

[diff] [blame]

748

/*

XiaokangQian

2022-02-15 10:04:37 +0000

[diff] [blame]

*

* From RFC 8446:

* enum {

* ... (0xFFFF)

* } NamedGroup;

* struct {

* NamedGroup named_group_list<2..2^16-1>;

756

* } NamedGroupList;

757

*/

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

758

MBEDTLS_CHECK_RETURN_CRITICAL

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

759

static int ssl_tls13_parse_supported_groups_ext(mbedtls_ssl_context *ssl,

760

const unsigned char *buf,

761

const unsigned char *end)

XiaokangQian

2022-02-15 10:04:37 +0000

[diff] [blame]

762

{

XiaokangQian

2022-02-15 10:04:37 +0000

[diff] [blame]

763

const unsigned char *p = buf;

XiaokangQian

8482377

2022-04-19 07:57:30 +0000

[diff] [blame]

764

size_t named_group_list_len;

XiaokangQian

2022-04-15 02:52:39 +0000

[diff] [blame]

765

const unsigned char *named_group_list_end;

XiaokangQian

2022-02-15 10:04:37 +0000

[diff] [blame]

766

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

767

MBEDTLS_SSL_DEBUG_BUF(3, "supported_groups extension", p, end - buf);

768

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);

769

named_group_list_len = MBEDTLS_GET_UINT16_BE(p, 0);

XiaokangQian

2022-02-15 10:04:37 +0000

[diff] [blame]

770

p += 2;

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

771

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, named_group_list_len);

XiaokangQian

2022-04-15 02:52:39 +0000

[diff] [blame]

772

named_group_list_end = p + named_group_list_len;

XiaokangQian

4e8cd7b

2022-04-21 09:48:09 +0000

[diff] [blame]

773

ssl->handshake->hrr_selected_group = 0;

XiaokangQian

2022-02-15 10:04:37 +0000

[diff] [blame]

774

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

775

while (p < named_group_list_end) {

XiaokangQian

2022-04-20 07:16:41 +0000

[diff] [blame]

776

uint16_t named_group;

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

777

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, named_group_list_end, 2);

778

named_group = MBEDTLS_GET_UINT16_BE(p, 0);

XiaokangQian

2022-04-20 07:16:41 +0000

[diff] [blame]

779

p += 2;

XiaokangQian

2022-02-15 10:04:37 +0000

[diff] [blame]

780

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

781

MBEDTLS_SSL_DEBUG_MSG(2,

782

("got named group: %s(%04x)",

783

mbedtls_ssl_named_group_to_str(named_group),

784

named_group));

XiaokangQian

2022-04-20 07:16:41 +0000

[diff] [blame]

785

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

786

if (!mbedtls_ssl_named_group_is_offered(ssl, named_group) ||

787

!mbedtls_ssl_named_group_is_supported(named_group) ||

788

ssl->handshake->hrr_selected_group != 0) {

XiaokangQian

2022-04-20 07:16:41 +0000

[diff] [blame]

789

continue;

XiaokangQian

2022-02-15 10:04:37 +0000

[diff] [blame]

790

}

791

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

792

MBEDTLS_SSL_DEBUG_MSG(2,

793

("add named group %s(%04x) into received list.",

794

mbedtls_ssl_named_group_to_str(named_group),

795

named_group));

Jerry Yu

2022-04-23 16:11:39 +0800

[diff] [blame]

796

XiaokangQian

4e8cd7b

2022-04-21 09:48:09 +0000

[diff] [blame]

797

ssl->handshake->hrr_selected_group = named_group;

XiaokangQian

2022-02-15 10:04:37 +0000

[diff] [blame]

798

}

799

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

800

return 0;

XiaokangQian

2022-02-15 10:04:37 +0000

[diff] [blame]

801

802

}

XiaokangQian

2022-04-15 02:52:39 +0000

[diff] [blame]

803

#endif /* MBEDTLS_ECDH_C */

XiaokangQian

2022-02-15 10:04:37 +0000

[diff] [blame]

804

XiaokangQian

2022-04-20 07:16:41 +0000

[diff] [blame]

805

#define SSL_TLS1_3_PARSE_KEY_SHARES_EXT_NO_MATCH 1

806

XiaokangQian

2022-04-02 10:15:03 +0000

[diff] [blame]

807

#if defined(MBEDTLS_ECDH_C)

XiaokangQian

2022-02-15 10:04:37 +0000

[diff] [blame]

808

/*

809

* ssl_tls13_parse_key_shares_ext() verifies whether the information in the

XiaokangQian

2022-04-22 02:34:40 +0000

[diff] [blame]

810

* extension is correct and stores the first acceptable key share and its associated group.

XiaokangQian

2022-02-15 10:04:37 +0000

[diff] [blame]

811

*

812

* Possible return values are:

813

* - 0: Successful processing of the client provided key share extension.

XiaokangQian

2022-04-20 07:16:41 +0000

[diff] [blame]

814

* - SSL_TLS1_3_PARSE_KEY_SHARES_EXT_NO_MATCH: The key shares provided by the client

XiaokangQian

2022-02-15 10:04:37 +0000

[diff] [blame]

815

* does not match a group supported by the server. A HelloRetryRequest will

816

* be needed.

XiaokangQian

2022-04-22 02:34:40 +0000

[diff] [blame]

817

* - A negative value for fatal errors.

Jerry Yu

2022-04-23 16:11:39 +0800

[diff] [blame]

818

*/

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

819

MBEDTLS_CHECK_RETURN_CRITICAL

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

820

static int ssl_tls13_parse_key_shares_ext(mbedtls_ssl_context *ssl,

821

const unsigned char *buf,

822

const unsigned char *end)

XiaokangQian

2022-02-15 10:04:37 +0000

[diff] [blame]

823

{

XiaokangQian

2022-04-19 00:02:38 +0000

[diff] [blame]

824

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

XiaokangQian

2022-02-15 10:04:37 +0000

[diff] [blame]

825

unsigned char const *p = buf;

XiaokangQian

2022-04-15 02:52:39 +0000

[diff] [blame]

826

unsigned char const *client_shares_end;

Jerry Yu

2022-04-23 16:11:39 +0800

[diff] [blame]

827

size_t client_shares_len;

XiaokangQian

2022-02-15 10:04:37 +0000

[diff] [blame]

/* From RFC 8446:

*

* struct {

* KeyShareEntry client_shares<0..2^16-1>;

833

* } KeyShareClientHello;

*

*/

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

837

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);

838

client_shares_len = MBEDTLS_GET_UINT16_BE(p, 0);

XiaokangQian

2022-02-15 10:04:37 +0000

[diff] [blame]

839

p += 2;

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

840

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, client_shares_len);

XiaokangQian

2022-02-15 10:04:37 +0000

[diff] [blame]

841

842

ssl->handshake->offered_group_id = 0;

XiaokangQian

2022-04-15 02:52:39 +0000

[diff] [blame]

843

client_shares_end = p + client_shares_len;

XiaokangQian

2022-02-15 10:04:37 +0000

[diff] [blame]

844

845

/* We try to find a suitable key share entry and copy it to the

846

* handshake context. Later, we have to find out whether we can do

847

* something with the provided key share or whether we have to

XiaokangQian

2022-04-02 03:34:37 +0000

[diff] [blame]

848

* dismiss it and send a HelloRetryRequest message.

849

*/

XiaokangQian

2022-02-15 10:04:37 +0000

[diff] [blame]

850

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

851

while (p < client_shares_end) {

XiaokangQian

9b5d04b

2022-04-10 10:20:43 +0000

[diff] [blame]

852

uint16_t group;

Jerry Yu

2022-04-23 16:11:39 +0800

[diff] [blame]

853

size_t key_exchange_len;

Jerry Yu

086edc2

2022-05-05 10:50:38 +0800

[diff] [blame]

854

const unsigned char *key_exchange;

XiaokangQian

2022-02-15 10:04:37 +0000

[diff] [blame]

/*

* struct {

* NamedGroup group;

* opaque key_exchange<1..2^16-1>;

860

* } KeyShareEntry;

861

*/

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

862

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, client_shares_end, 4);

863

group = MBEDTLS_GET_UINT16_BE(p, 0);

864

key_exchange_len = MBEDTLS_GET_UINT16_BE(p, 2);

Jerry Yu

2022-04-23 16:11:39 +0800

[diff] [blame]

865

p += 4;

Jerry Yu

086edc2

2022-05-05 10:50:38 +0800

[diff] [blame]

866

key_exchange = p;

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

867

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, client_shares_end, key_exchange_len);

Jerry Yu

086edc2

2022-05-05 10:50:38 +0800

[diff] [blame]

868

p += key_exchange_len;

XiaokangQian

2022-02-15 10:04:37 +0000

[diff] [blame]

869

870

/* Continue parsing even if we have already found a match,

XiaokangQian

2022-04-02 03:34:37 +0000

[diff] [blame]

871

* for input validation purposes.

872

*/

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

873

if (!mbedtls_ssl_named_group_is_offered(ssl, group) ||

874

!mbedtls_ssl_named_group_is_supported(group) ||

875

ssl->handshake->offered_group_id != 0) {

XiaokangQian

2022-04-21 09:24:56 +0000

[diff] [blame]

876

continue;

877

}

XiaokangQian

2022-04-21 09:24:56 +0000

[diff] [blame]

878

XiaokangQian

2022-02-15 10:04:37 +0000

[diff] [blame]

879

/*

XiaokangQian

2022-04-15 02:52:39 +0000

[diff] [blame]

880

* For now, we only support ECDHE groups.

XiaokangQian

2022-02-15 10:04:37 +0000

[diff] [blame]

881

*/

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

882

if (mbedtls_ssl_tls13_named_group_is_ecdhe(group)) {

883

MBEDTLS_SSL_DEBUG_MSG(2, ("ECDH group: %s (%04x)",

884

mbedtls_ssl_named_group_to_str(group),

885

group));

XiaokangQian

318dc76

2022-04-20 09:43:51 +0000

[diff] [blame]

886

ret = mbedtls_ssl_tls13_read_public_ecdhe_share(

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

887

ssl, key_exchange - 2, key_exchange_len + 2);

888

if (ret != 0) {

889

return ret;

890

}

XiaokangQian

4e8cd7b

2022-04-21 09:48:09 +0000

[diff] [blame]

891

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

892

} else {

893

MBEDTLS_SSL_DEBUG_MSG(4, ("Unrecognized NamedGroup %u",

894

(unsigned) group));

XiaokangQian

2022-02-15 10:04:37 +0000

[diff] [blame]

continue;

}

XiaokangQian

2022-04-10 10:20:43 +0000

[diff] [blame]

898

ssl->handshake->offered_group_id = group;

XiaokangQian

2022-02-15 10:04:37 +0000

[diff] [blame]

899

}

900

Jerry Yu

2022-04-23 16:11:39 +0800

[diff] [blame]

901

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

902

if (ssl->handshake->offered_group_id == 0) {

903

MBEDTLS_SSL_DEBUG_MSG(1, ("no matching key share"));

904

return SSL_TLS1_3_PARSE_KEY_SHARES_EXT_NO_MATCH;

XiaokangQian

2022-02-15 10:04:37 +0000

[diff] [blame]

905

}

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

906

return 0;

XiaokangQian

2022-02-15 10:04:37 +0000

[diff] [blame]

907

}

XiaokangQian

2022-04-02 10:15:03 +0000

[diff] [blame]

908

#endif /* MBEDTLS_ECDH_C */

XiaokangQian

2022-02-15 10:04:37 +0000

[diff] [blame]

909

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

910

MBEDTLS_CHECK_RETURN_CRITICAL

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

911

static int ssl_tls13_client_hello_has_exts(mbedtls_ssl_context *ssl,

912

int exts_mask)

XiaokangQian

2022-02-15 10:04:37 +0000

[diff] [blame]

913

{

Jerry Yu

2022-08-29 15:25:36 +0800

[diff] [blame]

914

int masked = ssl->handshake->received_extensions & exts_mask;

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

915

return masked == exts_mask;

XiaokangQian

2022-02-15 10:04:37 +0000

[diff] [blame]

916

}

917

Jerry Yu

2022-11-07 14:03:44 +0800

[diff] [blame]

918

#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

919

MBEDTLS_CHECK_RETURN_CRITICAL

XiaokangQian

2022-04-19 00:02:38 +0000

[diff] [blame]

920

static int ssl_tls13_client_hello_has_exts_for_ephemeral_key_exchange(

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

921

mbedtls_ssl_context *ssl)

XiaokangQian

2022-02-15 10:04:37 +0000

[diff] [blame]

922

{

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

923

return ssl_tls13_client_hello_has_exts(

924

ssl,

925

MBEDTLS_SSL_EXT_MASK(SUPPORTED_GROUPS) |

926

MBEDTLS_SSL_EXT_MASK(KEY_SHARE) |

927

MBEDTLS_SSL_EXT_MASK(SIG_ALG));

XiaokangQian

2022-02-15 10:04:37 +0000

[diff] [blame]

928

}

Jerry Yu

2022-11-07 14:03:44 +0800

[diff] [blame]

929

#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */

XiaokangQian

2022-02-15 10:04:37 +0000

[diff] [blame]

930

Jerry Yu

2022-11-07 14:03:44 +0800

[diff] [blame]

931

#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED)

Jerry Yu

2022-07-11 07:03:24 +0000

[diff] [blame]

932

MBEDTLS_CHECK_RETURN_CRITICAL

933

static int ssl_tls13_client_hello_has_exts_for_psk_key_exchange(

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

934

mbedtls_ssl_context *ssl)

Jerry Yu

2022-07-11 07:03:24 +0000

[diff] [blame]

935

{

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

936

return ssl_tls13_client_hello_has_exts(

937

ssl,

938

MBEDTLS_SSL_EXT_MASK(PRE_SHARED_KEY) |

939

MBEDTLS_SSL_EXT_MASK(PSK_KEY_EXCHANGE_MODES));

Jerry Yu

2022-07-11 07:03:24 +0000

[diff] [blame]

940

}

Jerry Yu

2022-11-07 14:03:44 +0800

[diff] [blame]

941

#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED */

Jerry Yu

2022-07-11 07:03:24 +0000

[diff] [blame]

942

Jerry Yu

2022-11-07 14:03:44 +0800

[diff] [blame]

943

#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED)

Jerry Yu

2022-07-11 07:03:24 +0000

[diff] [blame]

944

MBEDTLS_CHECK_RETURN_CRITICAL

945

static int ssl_tls13_client_hello_has_exts_for_psk_ephemeral_key_exchange(

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

946

mbedtls_ssl_context *ssl)

Jerry Yu

2022-07-11 07:03:24 +0000

[diff] [blame]

947

{

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

948

return ssl_tls13_client_hello_has_exts(

949

ssl,

950

MBEDTLS_SSL_EXT_MASK(SUPPORTED_GROUPS) |

951

MBEDTLS_SSL_EXT_MASK(KEY_SHARE) |

952

MBEDTLS_SSL_EXT_MASK(PRE_SHARED_KEY) |

953

MBEDTLS_SSL_EXT_MASK(PSK_KEY_EXCHANGE_MODES));

Jerry Yu

2022-07-11 07:03:24 +0000

[diff] [blame]

954

}

Jerry Yu

2022-11-07 14:03:44 +0800

[diff] [blame]

955

#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED */

Jerry Yu

2022-07-11 07:03:24 +0000

[diff] [blame]

956

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

957

MBEDTLS_CHECK_RETURN_CRITICAL

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

958

static int ssl_tls13_check_ephemeral_key_exchange(mbedtls_ssl_context *ssl)

XiaokangQian

2022-02-15 10:04:37 +0000

[diff] [blame]

959

{

Jerry Yu

2022-11-07 14:03:44 +0800

[diff] [blame]

960

#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

961

return mbedtls_ssl_conf_tls13_ephemeral_enabled(ssl) &&

962

ssl_tls13_client_hello_has_exts_for_ephemeral_key_exchange(ssl);

Jerry Yu

2022-11-07 14:03:44 +0800

[diff] [blame]

963

#else

964

((void) ssl);

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

965

return 0;

Jerry Yu

2022-11-07 14:03:44 +0800

[diff] [blame]

966

#endif

Jerry Yu

2022-07-11 07:03:24 +0000

[diff] [blame]

967

}

XiaokangQian

2022-02-15 10:04:37 +0000

[diff] [blame]

968

Jerry Yu

2022-07-11 07:03:24 +0000

[diff] [blame]

969

MBEDTLS_CHECK_RETURN_CRITICAL

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

970

static int ssl_tls13_check_psk_key_exchange(mbedtls_ssl_context *ssl)

Jerry Yu

2022-07-11 07:03:24 +0000

[diff] [blame]

971

{

Jerry Yu

2022-11-07 14:03:44 +0800

[diff] [blame]

972

#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED)

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

973

return mbedtls_ssl_conf_tls13_psk_enabled(ssl) &&

974

mbedtls_ssl_tls13_psk_enabled(ssl) &&

975

ssl_tls13_client_hello_has_exts_for_psk_key_exchange(ssl);

Jerry Yu

2022-07-11 07:03:24 +0000

[diff] [blame]

976

#else

977

((void) ssl);

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

978

return 0;

Jerry Yu

2022-07-11 07:03:24 +0000

[diff] [blame]

979

#endif

980

}

XiaokangQian

2022-02-15 10:04:37 +0000

[diff] [blame]

981

Jerry Yu

2022-07-11 07:03:24 +0000

[diff] [blame]

982

MBEDTLS_CHECK_RETURN_CRITICAL

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

983

static int ssl_tls13_check_psk_ephemeral_key_exchange(mbedtls_ssl_context *ssl)

Jerry Yu

2022-07-11 07:03:24 +0000

[diff] [blame]

984

{

Jerry Yu

2022-11-07 14:03:44 +0800

[diff] [blame]

985

#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED)

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

986

return mbedtls_ssl_conf_tls13_psk_ephemeral_enabled(ssl) &&

987

mbedtls_ssl_tls13_psk_ephemeral_enabled(ssl) &&

988

ssl_tls13_client_hello_has_exts_for_psk_ephemeral_key_exchange(ssl);

Jerry Yu

2022-07-11 07:03:24 +0000

[diff] [blame]

989

#else

990

((void) ssl);

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

991

return 0;

Jerry Yu

2022-07-11 07:03:24 +0000

[diff] [blame]

#endif

}

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

995

static int ssl_tls13_determine_key_exchange_mode(mbedtls_ssl_context *ssl)

Jerry Yu

2022-07-11 07:03:24 +0000

[diff] [blame]

996

{

997

/*

998

* Determine the key exchange algorithm to use.

999

* There are three types of key exchanges supported in TLS 1.3:

1000

* - (EC)DH with ECDSA,

* - (EC)DH with PSK,

* - plain PSK.

*

* The PSK-based key exchanges may additionally be used with 0-RTT.

1005

*

1006

* Our built-in order of preference is

Jerry Yu

ce6ed70

2022-07-22 21:49:53 +0800

[diff] [blame]

1007

* 1 ) (EC)DHE-PSK Mode ( psk_ephemeral )

1008

* 2 ) Certificate Mode ( ephemeral )

1009

* 3 ) Plain PSK Mode ( psk )

Jerry Yu

2022-07-11 07:03:24 +0000

[diff] [blame]

1010

*/

1011

1012

ssl->handshake->key_exchange_mode = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_NONE;

1013

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1014

if (ssl_tls13_check_psk_ephemeral_key_exchange(ssl)) {

Jerry Yu

2022-07-11 07:03:24 +0000

[diff] [blame]

1015

ssl->handshake->key_exchange_mode =

1016

MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL;

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1017

MBEDTLS_SSL_DEBUG_MSG(2, ("key exchange mode: psk_ephemeral"));

1018

} else

1019

if (ssl_tls13_check_ephemeral_key_exchange(ssl)) {

Jerry Yu

2022-07-11 07:03:24 +0000

[diff] [blame]

1020

ssl->handshake->key_exchange_mode =

1021

MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL;

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1022

MBEDTLS_SSL_DEBUG_MSG(2, ("key exchange mode: ephemeral"));

1023

} else

1024

if (ssl_tls13_check_psk_key_exchange(ssl)) {

Jerry Yu

ce6ed70

2022-07-22 21:49:53 +0800

[diff] [blame]

1025

ssl->handshake->key_exchange_mode =

1026

MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK;

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1027

MBEDTLS_SSL_DEBUG_MSG(2, ("key exchange mode: psk"));

1028

} else {

Jerry Yu

2022-07-11 07:03:24 +0000

[diff] [blame]

1029

MBEDTLS_SSL_DEBUG_MSG(

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1030

1,

1031

("ClientHello message misses mandatory extensions."));

1032

MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_MISSING_EXTENSION,

1033

MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);

1034

return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;

Jerry Yu

2022-07-11 07:03:24 +0000

[diff] [blame]

1035

}

1036

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1037

return 0;

Jerry Yu

2022-07-11 07:03:24 +0000

[diff] [blame]

1038

XiaokangQian

2022-02-15 10:04:37 +0000

[diff] [blame]

1039

}

1040

XiaokangQian

2022-06-10 13:25:22 +0000

[diff] [blame]

1041

#if defined(MBEDTLS_X509_CRT_PARSE_C) && \

Ronald Cron

2022-10-04 16:14:26 +0200

[diff] [blame]

1042

defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)

Ronald Cron

2022-09-15 17:34:42 +0200

[diff] [blame]

1043

1044

#if defined(MBEDTLS_USE_PSA_CRYPTO)

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1045

static psa_algorithm_t ssl_tls13_iana_sig_alg_to_psa_alg(uint16_t sig_alg)

Ronald Cron

2022-09-15 17:34:42 +0200

[diff] [blame]

1046

{

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1047

switch (sig_alg) {

Ronald Cron

2022-09-15 17:34:42 +0200

[diff] [blame]

1048

case MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256:

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1049

return PSA_ALG_ECDSA(PSA_ALG_SHA_256);

Ronald Cron

2022-09-15 17:34:42 +0200

[diff] [blame]

1050

case MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384:

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1051

return PSA_ALG_ECDSA(PSA_ALG_SHA_384);

Ronald Cron

2022-09-15 17:34:42 +0200

[diff] [blame]

1052

case MBEDTLS_TLS1_3_SIG_ECDSA_SECP521R1_SHA512:

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1053

return PSA_ALG_ECDSA(PSA_ALG_SHA_512);

Ronald Cron

2022-09-15 17:34:42 +0200

[diff] [blame]

1054

case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256:

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1055

return PSA_ALG_RSA_PSS(PSA_ALG_SHA_256);

Ronald Cron

2022-09-15 17:34:42 +0200

[diff] [blame]

1056

case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384:

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1057

return PSA_ALG_RSA_PSS(PSA_ALG_SHA_384);

Ronald Cron

2022-09-15 17:34:42 +0200

[diff] [blame]

1058

case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512:

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1059

return PSA_ALG_RSA_PSS(PSA_ALG_SHA_512);

Ronald Cron

2022-09-15 17:34:42 +0200

[diff] [blame]

1060

case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256:

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1061

return PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256);

Ronald Cron

2022-09-15 17:34:42 +0200

[diff] [blame]

1062

case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA384:

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1063

return PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_384);

Ronald Cron

2022-09-15 17:34:42 +0200

[diff] [blame]

1064

case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA512:

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1065

return PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_512);

Ronald Cron

2022-09-15 17:34:42 +0200

[diff] [blame]

1066

default:

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1067

return PSA_ALG_NONE;

Ronald Cron

2022-09-15 17:34:42 +0200

[diff] [blame]

1068

}

1069

}

1070

#endif /* MBEDTLS_USE_PSA_CRYPTO */

1071

XiaokangQian

2022-06-07 02:04:34 +0000

[diff] [blame]

1072

/*

XiaokangQian

2022-06-15 03:57:21 +0000

[diff] [blame]

1073

* Pick best ( private key, certificate chain ) pair based on the signature

1074

* algorithms supported by the client.

XiaokangQian

2022-06-07 02:04:34 +0000

[diff] [blame]

1075

*/

Ronald Cron

ce7d76e

2022-07-08 18:56:49 +0200

[diff] [blame]

1076

MBEDTLS_CHECK_RETURN_CRITICAL

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1077

static int ssl_tls13_pick_key_cert(mbedtls_ssl_context *ssl)

XiaokangQian

2022-06-07 02:04:34 +0000

[diff] [blame]

1078

{

XiaokangQian

2022-06-15 03:57:21 +0000

[diff] [blame]

1079

mbedtls_ssl_key_cert *key_cert, *key_cert_list;

XiaokangQian

2022-06-10 13:25:22 +0000

[diff] [blame]

1080

const uint16_t *sig_alg = ssl->handshake->received_sig_algs;

XiaokangQian

2022-06-07 02:04:34 +0000

[diff] [blame]

1081

1082

#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1083

if (ssl->handshake->sni_key_cert != NULL) {

XiaokangQian

2022-06-15 03:57:21 +0000

[diff] [blame]

1084

key_cert_list = ssl->handshake->sni_key_cert;

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1085

} else

XiaokangQian

2022-06-07 02:04:34 +0000

[diff] [blame]

1086

#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1087

key_cert_list = ssl->conf->key_cert;

XiaokangQian

2022-06-07 02:04:34 +0000

[diff] [blame]

1088

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1089

if (key_cert_list == NULL) {

1090

MBEDTLS_SSL_DEBUG_MSG(3, ("server has no certificate"));

1091

return -1;

XiaokangQian

2022-06-07 02:04:34 +0000

[diff] [blame]

1092

}

1093

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1094

for (; *sig_alg != MBEDTLS_TLS1_3_SIG_NONE; sig_alg++) {

1095

if (!mbedtls_ssl_sig_alg_is_offered(ssl, *sig_alg)) {

Ronald Cron

2022-09-15 17:34:42 +0200

[diff] [blame]

1096

continue;

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1097

}

Ronald Cron

2022-09-15 17:34:42 +0200

[diff] [blame]

1098

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1099

if (!mbedtls_ssl_tls13_sig_alg_for_cert_verify_is_supported(*sig_alg)) {

Ronald Cron

2022-09-15 17:34:42 +0200

[diff] [blame]

1100

continue;

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1101

}

Ronald Cron

2022-09-15 17:34:42 +0200

[diff] [blame]

1102

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1103

for (key_cert = key_cert_list; key_cert != NULL;

1104

key_cert = key_cert->next) {

Ronald Cron

2022-09-15 17:34:42 +0200

[diff] [blame]

1105

#if defined(MBEDTLS_USE_PSA_CRYPTO)

1106

psa_algorithm_t psa_alg = PSA_ALG_NONE;

1107

#endif /* MBEDTLS_USE_PSA_CRYPTO */

1108

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1109

MBEDTLS_SSL_DEBUG_CRT(3, "certificate (chain) candidate",

1110

key_cert->cert);

XiaokangQian

2022-06-10 13:25:22 +0000

[diff] [blame]

1111

1112

/*

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1113

* This avoids sending the client a cert it'll reject based on

1114

* keyUsage or other extensions.

1115

*/

1116

if (mbedtls_x509_crt_check_key_usage(

1117

key_cert->cert, MBEDTLS_X509_KU_DIGITAL_SIGNATURE) != 0 ||

XiaokangQian

2022-06-10 13:25:22 +0000

[diff] [blame]

1118

mbedtls_x509_crt_check_extended_key_usage(

XiaokangQian

2022-06-15 03:57:21 +0000

[diff] [blame]

1119

key_cert->cert, MBEDTLS_OID_SERVER_AUTH,

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1120

MBEDTLS_OID_SIZE(MBEDTLS_OID_SERVER_AUTH)) != 0) {

1121

MBEDTLS_SSL_DEBUG_MSG(3, ("certificate mismatch: "

1122

"(extended) key usage extension"));

XiaokangQian

2022-06-10 13:25:22 +0000

[diff] [blame]

1123

continue;

1124

}

XiaokangQian

2022-06-07 02:04:34 +0000

[diff] [blame]

1125

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1126

MBEDTLS_SSL_DEBUG_MSG(3,

1127

("ssl_tls13_pick_key_cert:"

1128

"check signature algorithm %s [%04x]",

1129

mbedtls_ssl_sig_alg_to_str(*sig_alg),

1130

*sig_alg));

Ronald Cron

2022-09-15 17:34:42 +0200

[diff] [blame]

1131

#if defined(MBEDTLS_USE_PSA_CRYPTO)

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1132

psa_alg = ssl_tls13_iana_sig_alg_to_psa_alg(*sig_alg);

Ronald Cron

2022-09-15 17:34:42 +0200

[diff] [blame]

1133

#endif /* MBEDTLS_USE_PSA_CRYPTO */

1134

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1135

if (mbedtls_ssl_tls13_check_sig_alg_cert_key_match(

1136

*sig_alg, &key_cert->cert->pk)

Ronald Cron

2022-09-15 17:34:42 +0200

[diff] [blame]

1137

#if defined(MBEDTLS_USE_PSA_CRYPTO)

1138

&& psa_alg != PSA_ALG_NONE &&

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1139

mbedtls_pk_can_do_ext(&key_cert->cert->pk, psa_alg,

1140

PSA_KEY_USAGE_SIGN_HASH) == 1

Ronald Cron

2022-09-15 17:34:42 +0200

[diff] [blame]

1141

#endif /* MBEDTLS_USE_PSA_CRYPTO */

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1142

) {

XiaokangQian

2022-06-15 03:57:21 +0000

[diff] [blame]

1143

ssl->handshake->key_cert = key_cert;

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1144

MBEDTLS_SSL_DEBUG_MSG(3,

1145

("ssl_tls13_pick_key_cert:"

1146

"selected signature algorithm"

1147

" %s [%04x]",

1148

mbedtls_ssl_sig_alg_to_str(*sig_alg),

1149

*sig_alg));

XiaokangQian

2022-06-15 03:57:21 +0000

[diff] [blame]

1150

MBEDTLS_SSL_DEBUG_CRT(

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1151

3, "selected certificate (chain)",

1152

ssl->handshake->key_cert->cert);

1153

return 0;

XiaokangQian

2022-06-10 13:25:22 +0000

[diff] [blame]

1154

}

XiaokangQian

2022-06-10 13:25:22 +0000

[diff] [blame]

1155

}

XiaokangQian

2022-06-07 02:04:34 +0000

[diff] [blame]

1156

}

1157

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1158

MBEDTLS_SSL_DEBUG_MSG(2, ("ssl_tls13_pick_key_cert:"

1159

"no suitable certificate found"));

1160

return -1;

XiaokangQian

2022-06-07 02:04:34 +0000

[diff] [blame]

1161

}

XiaokangQian

2022-06-10 13:25:22 +0000

[diff] [blame]

1162

#endif /* MBEDTLS_X509_CRT_PARSE_C &&

Ronald Cron

2022-10-04 16:14:26 +0200

[diff] [blame]

1163

MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */

XiaokangQian

2022-06-07 02:04:34 +0000

[diff] [blame]

1164

XiaokangQian

2022-04-11 09:55:18 +0000

[diff] [blame]

1165

/*

XiaokangQian

2022-04-13 08:21:05 +0000

[diff] [blame]

1166

*

1167

* STATE HANDLING: ClientHello

1168

*

XiaokangQian

2022-04-19 00:02:38 +0000

[diff] [blame]

1169

* There are three possible classes of outcomes when parsing the ClientHello:

XiaokangQian

2022-04-13 08:21:05 +0000

[diff] [blame]

1170

*

XiaokangQian

2022-04-19 00:02:38 +0000

[diff] [blame]

1171

* 1) The ClientHello was well-formed and matched the server's configuration.

XiaokangQian

2022-04-13 08:21:05 +0000

[diff] [blame]

1172

*

1173

* In this case, the server progresses to sending its ServerHello.

1174

*

XiaokangQian

2022-04-19 00:02:38 +0000

[diff] [blame]

1175

* 2) The ClientHello was well-formed but didn't match the server's

1176

* configuration.

XiaokangQian

2022-04-13 08:21:05 +0000

[diff] [blame]

1177

*

1178

* For example, the client might not have offered a key share which

1179

* the server supports, or the server might require a cookie.

1180

*

1181

* In this case, the server sends a HelloRetryRequest.

1182

*

XiaokangQian

2022-04-19 00:02:38 +0000

[diff] [blame]

1183

* 3) The ClientHello was ill-formed

XiaokangQian

2022-04-13 08:21:05 +0000

[diff] [blame]

1184

*

1185

* In this case, we abort the handshake.

*

*/

/*

XiaokangQian

2022-04-11 09:55:18 +0000

[diff] [blame]

1190

* Structure of this message:

1191

*

XiaokangQian

2022-04-22 02:34:40 +0000

[diff] [blame]

1192

* uint16 ProtocolVersion;

1193

* opaque Random[32];

1194

* uint8 CipherSuite[2]; // Cryptographic suite selector

XiaokangQian

2022-04-11 09:55:18 +0000

[diff] [blame]

1195

*

XiaokangQian

2022-04-22 02:34:40 +0000

[diff] [blame]

1196

* struct {

1197

* ProtocolVersion legacy_version = 0x0303; // TLS v1.2

1198

* Random random;

1199

* opaque legacy_session_id<0..32>;

1200

* CipherSuite cipher_suites<2..2^16-2>;

1201

* opaque legacy_compression_methods<1..2^8-1>;

1202

* Extension extensions<8..2^16-1>;

1203

* } ClientHello;

XiaokangQian

2022-04-11 09:55:18 +0000

[diff] [blame]

1204

*/

XiaokangQian

2022-04-13 08:21:05 +0000

[diff] [blame]

1205

1206

#define SSL_CLIENT_HELLO_OK 0

1207

#define SSL_CLIENT_HELLO_HRR_REQUIRED 1

1208

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

1209

MBEDTLS_CHECK_RETURN_CRITICAL

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1210

static int ssl_tls13_parse_client_hello(mbedtls_ssl_context *ssl,

1211

const unsigned char *buf,

1212

const unsigned char *end)

XiaokangQian

2022-02-15 10:04:37 +0000

[diff] [blame]

1213

{

XiaokangQian

2022-04-19 00:02:38 +0000

[diff] [blame]

1214

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

1215

const unsigned char *p = buf;

XiaokangQian

2022-04-11 09:55:18 +0000

[diff] [blame]

1216

size_t legacy_session_id_len;

XiaokangQian

318dc76

2022-04-20 09:43:51 +0000

[diff] [blame]

1217

size_t cipher_suites_len;

XiaokangQian

2022-04-21 09:24:56 +0000

[diff] [blame]

1218

const unsigned char *cipher_suites_end;

XiaokangQian

2022-04-19 00:02:38 +0000

[diff] [blame]

1219

size_t extensions_len;

XiaokangQian

2022-02-15 10:04:37 +0000

[diff] [blame]

1220

const unsigned char *extensions_end;

Jerry Yu

c4bf5d6

2022-10-29 09:08:47 +0800

[diff] [blame]

1221

mbedtls_ssl_handshake_params *handshake = ssl->handshake;

Jerry Yu

49ca928

2022-05-05 11:05:22 +0800

[diff] [blame]

1222

int hrr_required = 0;

XiaokangQian

2022-02-15 10:04:37 +0000

[diff] [blame]

1223

Ronald Cron

2022-10-04 16:38:25 +0200

[diff] [blame]

1224

#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)

Jerry Yu

2022-08-21 17:27:16 +0800

[diff] [blame]

1225

const unsigned char *cipher_suites;

Jerry Yu

2022-08-23 17:52:45 +0800

[diff] [blame]

1226

const unsigned char *pre_shared_key_ext = NULL;

Jerry Yu

2022-07-10 06:32:38 +0000

[diff] [blame]

1227

const unsigned char *pre_shared_key_ext_end = NULL;

Ronald Cron

2022-10-04 16:38:25 +0200

[diff] [blame]

1228

#endif

XiaokangQian

2022-02-15 10:04:37 +0000

[diff] [blame]

1229

XiaokangQian

2022-02-15 10:04:37 +0000

[diff] [blame]

1230

/*

XiaokangQian

2022-04-19 00:02:38 +0000

[diff] [blame]

1231

* ClientHello layout:

XiaokangQian

2022-02-15 10:04:37 +0000

[diff] [blame]

1232

* 0 . 1 protocol version

XiaokangQian

2022-04-22 02:34:40 +0000

[diff] [blame]

1233

* 2 . 33 random bytes

XiaokangQian

2022-04-02 03:34:37 +0000

[diff] [blame]

1234

* 34 . 34 session id length ( 1 byte )

XiaokangQian

2022-02-15 10:04:37 +0000

[diff] [blame]

1235

* 35 . 34+x session id

XiaokangQian

2022-02-15 10:04:37 +0000

[diff] [blame]

1236

* .. . .. ciphersuite list length ( 2 bytes )

1237

* .. . .. ciphersuite list

1238

* .. . .. compression alg. list length ( 1 byte )

1239

* .. . .. compression alg. list

1240

* .. . .. extensions length ( 2 bytes, optional )

1241

* .. . .. extensions ( optional )

1242

*/

1243

XiaokangQian

2022-04-19 00:02:38 +0000

[diff] [blame]

1244

/*

bootstrap-prime

6dbbf44

2022-05-17 19:30:44 -0400

[diff] [blame]

1245

* Minimal length ( with everything empty and extensions omitted ) is

XiaokangQian

2022-02-15 10:04:37 +0000

[diff] [blame]

1246

* 2 + 32 + 1 + 2 + 1 = 38 bytes. Check that first, so that we can

1247

* read at least up to session id length without worrying.

1248

*/

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1249

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 38);

XiaokangQian

2022-02-15 10:04:37 +0000

[diff] [blame]

1250

1251

/* ...

1252

* ProtocolVersion legacy_version = 0x0303; // TLS 1.2

1253

* ...

1254

* with ProtocolVersion defined as:

1255

* uint16 ProtocolVersion;

1256

*/

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1257

if (mbedtls_ssl_read_version(p, ssl->conf->transport) !=

1258

MBEDTLS_SSL_VERSION_TLS1_2) {

1259

MBEDTLS_SSL_DEBUG_MSG(1, ("Unsupported version of TLS."));

1260

MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION,

1261

MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION);

1262

return MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION;

XiaokangQian

2022-02-15 10:04:37 +0000

[diff] [blame]

}

p += 2;

/*

XiaokangQian

f8ceb94

2022-04-15 11:43:27 +0000

[diff] [blame]

1267

* Only support TLS 1.3 currently, temporarily set the version.

1268

*/

XiaokangQian

de33391

2022-04-20 08:49:42 +0000

[diff] [blame]

1269

ssl->tls_version = MBEDTLS_SSL_VERSION_TLS1_3;

XiaokangQian

f8ceb94

2022-04-15 11:43:27 +0000

[diff] [blame]

1270

Jerry Yu

2022-07-07 07:29:42 +0000

[diff] [blame]

1271

#if defined(MBEDTLS_SSL_SESSION_TICKETS)

1272

/* Store minor version for later use with ticket serialization. */

1273

ssl->session_negotiate->tls_version = MBEDTLS_SSL_VERSION_TLS1_3;

Jerry Yu

a66fece

2022-07-13 14:30:29 +0800

[diff] [blame]

1274

ssl->session_negotiate->endpoint = ssl->conf->endpoint;

Jerry Yu

2022-07-21 10:37:48 +0800

[diff] [blame]

1275

#endif

Jerry Yu

2022-07-07 07:29:42 +0000

[diff] [blame]

1276

Jerry Yu

2022-04-23 16:11:39 +0800

[diff] [blame]

1277

/* ...

1278

* Random random;

1279

* ...

XiaokangQian

2022-04-19 00:02:38 +0000

[diff] [blame]

1280

* with Random defined as:

1281

* opaque Random[32];

XiaokangQian

2022-02-15 10:04:37 +0000

[diff] [blame]

1282

*/

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1283

MBEDTLS_SSL_DEBUG_BUF(3, "client hello, random bytes",

1284

p, MBEDTLS_CLIENT_HELLO_RANDOM_LEN);

XiaokangQian

2022-02-15 10:04:37 +0000

[diff] [blame]

1285

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1286

memcpy(&handshake->randbytes[0], p, MBEDTLS_CLIENT_HELLO_RANDOM_LEN);

XiaokangQian

2022-04-20 07:16:41 +0000

[diff] [blame]

1287

p += MBEDTLS_CLIENT_HELLO_RANDOM_LEN;

XiaokangQian

2022-02-15 10:04:37 +0000

[diff] [blame]

1288

Jerry Yu

2022-04-23 16:11:39 +0800

[diff] [blame]

1289

/* ...

XiaokangQian

2022-04-19 00:02:38 +0000

[diff] [blame]

1290

* opaque legacy_session_id<0..32>;

Jerry Yu

2022-04-23 16:11:39 +0800

[diff] [blame]

1291

* ...

XiaokangQian

2022-02-15 10:04:37 +0000

[diff] [blame]

1292

*/

XiaokangQian

2022-04-11 09:55:18 +0000

[diff] [blame]

1293

legacy_session_id_len = p[0];

XiaokangQian

2022-04-02 03:34:37 +0000

[diff] [blame]

1294

p++;

XiaokangQian

2022-02-15 10:04:37 +0000

[diff] [blame]

1295

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1296

if (legacy_session_id_len > sizeof(ssl->session_negotiate->id)) {

1297

MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));

1298

return MBEDTLS_ERR_SSL_DECODE_ERROR;

XiaokangQian

2022-02-15 10:04:37 +0000

[diff] [blame]

1299

}

1300

XiaokangQian

2022-04-11 09:55:18 +0000

[diff] [blame]

1301

ssl->session_negotiate->id_len = legacy_session_id_len;

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1302

MBEDTLS_SSL_DEBUG_BUF(3, "client hello, session id",

1303

p, legacy_session_id_len);

XiaokangQian

2022-04-19 00:02:38 +0000

[diff] [blame]

1304

/*

1305

* Check we have enough data for the legacy session identifier

Jerry Yu

e95c8af

2022-07-26 15:48:20 +0800

[diff] [blame]

1306

* and the ciphersuite list length.

XiaokangQian

2022-04-19 00:02:38 +0000

[diff] [blame]

1307

*/

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1308

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, legacy_session_id_len + 2);

XiaokangQian

2022-02-15 10:04:37 +0000

[diff] [blame]

1309

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1310

memcpy(&ssl->session_negotiate->id[0], p, legacy_session_id_len);

XiaokangQian

2022-04-11 09:55:18 +0000

[diff] [blame]

1311

p += legacy_session_id_len;

XiaokangQian

2022-02-15 10:04:37 +0000

[diff] [blame]

1312

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1313

cipher_suites_len = MBEDTLS_GET_UINT16_BE(p, 0);

XiaokangQian

2022-02-15 10:04:37 +0000

[diff] [blame]

1314

p += 2;

1315

XiaokangQian

2022-04-19 00:02:38 +0000

[diff] [blame]

1316

/* Check we have enough data for the ciphersuite list, the legacy

1317

* compression methods and the length of the extensions.

Jerry Yu

e95c8af

2022-07-26 15:48:20 +0800

[diff] [blame]

1318

*

1319

* cipher_suites cipher_suites_len bytes

1320

* legacy_compression_methods 2 bytes

1321

* extensions_len 2 bytes

XiaokangQian

2022-04-19 00:02:38 +0000

[diff] [blame]

1322

*/

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1323

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, cipher_suites_len + 2 + 2);

XiaokangQian

2022-02-15 10:04:37 +0000

[diff] [blame]

1324

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1325

/* ...

1326

* CipherSuite cipher_suites<2..2^16-2>;

1327

* ...

1328

* with CipherSuite defined as:

1329

* uint8 CipherSuite[2];

1330

*/

Ronald Cron

2022-10-04 16:38:25 +0200

[diff] [blame]

1331

#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)

XiaokangQian

2022-04-21 09:24:56 +0000

[diff] [blame]

1332

cipher_suites = p;

Jerry Yu

2022-08-21 17:27:16 +0800

[diff] [blame]

1333

#endif

XiaokangQian

2022-04-21 09:24:56 +0000

[diff] [blame]

1334

cipher_suites_end = p + cipher_suites_len;

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1335

MBEDTLS_SSL_DEBUG_BUF(3, "client hello, ciphersuitelist",

1336

p, cipher_suites_len);

Jerry Yu

2022-08-21 17:27:16 +0800

[diff] [blame]

1337

1338

/*

1339

* Search for a matching ciphersuite

1340

*/

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1341

for (; p < cipher_suites_end; p += 2) {

XiaokangQian

2022-04-22 02:34:40 +0000

[diff] [blame]

1342

uint16_t cipher_suite;

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1343

const mbedtls_ssl_ciphersuite_t *ciphersuite_info;

Jerry Yu

2022-08-21 17:27:16 +0800

[diff] [blame]

1344

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1345

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, cipher_suites_end, 2);

Jerry Yu

2022-08-21 17:27:16 +0800

[diff] [blame]

1346

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1347

cipher_suite = MBEDTLS_GET_UINT16_BE(p, 0);

Jerry Yu

c5a23a0

2022-08-25 10:51:44 +0800

[diff] [blame]

1348

ciphersuite_info = ssl_tls13_validate_peer_ciphersuite(

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1349

ssl, cipher_suite);

1350

if (ciphersuite_info == NULL) {

Jerry Yu

2022-08-21 17:27:16 +0800

[diff] [blame]

1351

continue;

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1352

}

Jerry Yu

2022-08-21 17:27:16 +0800

[diff] [blame]

1353

Jerry Yu

2022-08-21 17:27:16 +0800

[diff] [blame]

1354

ssl->session_negotiate->ciphersuite = cipher_suite;

Jerry Yu

c4bf5d6

2022-10-29 09:08:47 +0800

[diff] [blame]

1355

handshake->ciphersuite_info = ciphersuite_info;

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1356

MBEDTLS_SSL_DEBUG_MSG(2, ("selected ciphersuite: %04x - %s",

1357

cipher_suite,

1358

ciphersuite_info->name));

XiaokangQian

17f974c

2022-04-19 09:57:41 +0000

[diff] [blame]

1359

}

Jerry Yu

2022-08-21 17:27:16 +0800

[diff] [blame]

1360

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1361

if (handshake->ciphersuite_info == NULL) {

1362

MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,

1363

MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE);

1364

return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;

Jerry Yu

2022-08-21 17:27:16 +0800

[diff] [blame]

1365

}

Jerry Yu

2022-04-23 16:11:39 +0800

[diff] [blame]

1366

XiaokangQian

2022-04-11 09:55:18 +0000

[diff] [blame]

1367

/* ...

XiaokangQian

2022-04-19 00:02:38 +0000

[diff] [blame]

1368

* opaque legacy_compression_methods<1..2^8-1>;

XiaokangQian

2022-04-11 09:55:18 +0000

[diff] [blame]

1369

* ...

XiaokangQian

2022-02-15 10:04:37 +0000

[diff] [blame]

1370

*/

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1371

if (p[0] != 1 || p[1] != MBEDTLS_SSL_COMPRESS_NULL) {

1372

MBEDTLS_SSL_DEBUG_MSG(1, ("bad legacy compression method"));

1373

MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,

1374

MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);

1375

return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;

XiaokangQian

2022-02-15 10:04:37 +0000

[diff] [blame]

1376

}

XiaokangQian

2022-04-19 00:02:38 +0000

[diff] [blame]

1377

p += 2;

XiaokangQian

2022-02-15 10:04:37 +0000

[diff] [blame]

1378

Jerry Yu

2022-04-23 16:11:39 +0800

[diff] [blame]

1379

/* ...

XiaokangQian

2022-04-19 00:02:38 +0000

[diff] [blame]

1380

* Extension extensions<8..2^16-1>;

Jerry Yu

2022-04-23 16:11:39 +0800

[diff] [blame]

1381

* ...

XiaokangQian

2022-04-19 00:02:38 +0000

[diff] [blame]

1382

* with Extension defined as:

1383

* struct {

1384

* ExtensionType extension_type;

1385

* opaque extension_data<0..2^16-1>;

1386

* } Extension;

XiaokangQian

2022-02-15 10:04:37 +0000

[diff] [blame]

1387

*/

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1388

extensions_len = MBEDTLS_GET_UINT16_BE(p, 0);

XiaokangQian

2022-02-15 10:04:37 +0000

[diff] [blame]

1389

p += 2;

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1390

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, extensions_len);

XiaokangQian

2022-04-22 02:34:40 +0000

[diff] [blame]

1391

extensions_end = p + extensions_len;

XiaokangQian

2022-02-15 10:04:37 +0000

[diff] [blame]

1392

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1393

MBEDTLS_SSL_DEBUG_BUF(3, "client hello extensions", p, extensions_len);

XiaokangQian

2022-02-15 10:04:37 +0000

[diff] [blame]

1394

Jerry Yu

63a459c

2022-10-31 13:38:40 +0800

[diff] [blame]

1395

handshake->received_extensions = MBEDTLS_SSL_EXT_MASK_NONE;

Jerry Yu

2022-08-29 15:25:36 +0800

[diff] [blame]

1396

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1397

while (p < extensions_end) {

XiaokangQian

2022-02-15 10:04:37 +0000

[diff] [blame]

1398

unsigned int extension_type;

1399

size_t extension_data_len;

1400

const unsigned char *extension_data_end;

1401

Jerry Yu

2022-08-29 15:25:36 +0800

[diff] [blame]

1402

/* RFC 8446, section 4.2.11

Jerry Yu

2022-07-21 12:37:39 +0800

[diff] [blame]

1403

*

1404

* The "pre_shared_key" extension MUST be the last extension in the

1405

* ClientHello (this facilitates implementation as described below).

1406

* Servers MUST check that it is the last extension and otherwise fail

1407

* the handshake with an "illegal_parameter" alert.

1408

*/

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1409

if (handshake->received_extensions & MBEDTLS_SSL_EXT_MASK(PRE_SHARED_KEY)) {

Jerry Yu

2022-07-21 12:37:39 +0800

[diff] [blame]

1410

MBEDTLS_SSL_DEBUG_MSG(

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1411

3, ("pre_shared_key is not last extension."));

Jerry Yu

2022-07-21 12:37:39 +0800

[diff] [blame]

1412

MBEDTLS_SSL_PEND_FATAL_ALERT(

1413

MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1414

MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);

1415

return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;

Jerry Yu

2022-07-21 12:37:39 +0800

[diff] [blame]

1416

}

1417

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1418

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, extensions_end, 4);

1419

extension_type = MBEDTLS_GET_UINT16_BE(p, 0);

1420

extension_data_len = MBEDTLS_GET_UINT16_BE(p, 2);

XiaokangQian

2022-02-15 10:04:37 +0000

[diff] [blame]

1421

p += 4;

1422

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1423

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, extensions_end, extension_data_len);

XiaokangQian

2022-02-15 10:04:37 +0000

[diff] [blame]

1424

extension_data_end = p + extension_data_len;

1425

Jerry Yu

c4bf5d6

2022-10-29 09:08:47 +0800

[diff] [blame]

1426

ret = mbedtls_ssl_tls13_check_received_extension(

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1427

ssl, MBEDTLS_SSL_HS_CLIENT_HELLO, extension_type,

1428

MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CH);

1429

if (ret != 0) {

1430

return ret;

1431

}

Jerry Yu

e18dc7e

2022-08-04 16:29:22 +0800

[diff] [blame]

1432

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1433

switch (extension_type) {

XiaokangQian

2022-05-07 09:02:40 +0000

[diff] [blame]

1434

#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)

1435

case MBEDTLS_TLS_EXT_SERVERNAME:

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1436

MBEDTLS_SSL_DEBUG_MSG(3, ("found ServerName extension"));

1437

ret = mbedtls_ssl_parse_server_name_ext(ssl, p,

1438

extension_data_end);

1439

if (ret != 0) {

XiaokangQian

2022-05-07 09:02:40 +0000

[diff] [blame]

1440

MBEDTLS_SSL_DEBUG_RET(

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1441

1, "mbedtls_ssl_parse_servername_ext", ret);

1442

return ret;

XiaokangQian

2022-05-07 09:02:40 +0000

[diff] [blame]

1443

}

XiaokangQian

2022-05-07 09:02:40 +0000

[diff] [blame]

1444

break;

1445

#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */

1446

XiaokangQian

2022-04-19 00:02:38 +0000

[diff] [blame]

1447

#if defined(MBEDTLS_ECDH_C)

XiaokangQian

2022-02-15 10:04:37 +0000

[diff] [blame]

1448

case MBEDTLS_TLS_EXT_SUPPORTED_GROUPS:

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1449

MBEDTLS_SSL_DEBUG_MSG(3, ("found supported group extension"));

XiaokangQian

2022-02-15 10:04:37 +0000

[diff] [blame]

1450

1451

/* Supported Groups Extension

1452

*

1453

* When sent by the client, the "supported_groups" extension

1454

* indicates the named groups which the client supports,

1455

* ordered from most preferred to least preferred.

1456

*/

Jerry Yu

2022-04-23 16:11:39 +0800

[diff] [blame]

1457

ret = ssl_tls13_parse_supported_groups_ext(

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1458

ssl, p, extension_data_end);

1459

if (ret != 0) {

1460

MBEDTLS_SSL_DEBUG_RET(1,

1461

"mbedtls_ssl_parse_supported_groups_ext", ret);

1462

return ret;

XiaokangQian

2022-02-15 10:04:37 +0000

[diff] [blame]

1463

}

1464

XiaokangQian

2022-02-15 10:04:37 +0000

[diff] [blame]

1465

break;

XiaokangQian

2022-04-19 00:02:38 +0000

[diff] [blame]

1466

#endif /* MBEDTLS_ECDH_C */

XiaokangQian

2022-02-15 10:04:37 +0000

[diff] [blame]

1467

XiaokangQian

2022-04-02 10:15:03 +0000

[diff] [blame]

1468

#if defined(MBEDTLS_ECDH_C)

XiaokangQian

2022-02-15 10:04:37 +0000

[diff] [blame]

1469

case MBEDTLS_TLS_EXT_KEY_SHARE:

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1470

MBEDTLS_SSL_DEBUG_MSG(3, ("found key share extension"));

XiaokangQian

2022-02-15 10:04:37 +0000

[diff] [blame]

1471

1472

/*

1473

* Key Share Extension

1474

*

1475

* When sent by the client, the "key_share" extension

1476

* contains the endpoint's cryptographic parameters for

1477

* ECDHE/DHE key establishment methods.

1478

*/

Jerry Yu

2022-04-23 16:11:39 +0800

[diff] [blame]

1479

ret = ssl_tls13_parse_key_shares_ext(

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1480

ssl, p, extension_data_end);

1481

if (ret == SSL_TLS1_3_PARSE_KEY_SHARES_EXT_NO_MATCH) {

1482

MBEDTLS_SSL_DEBUG_MSG(2, ("HRR needed "));

Jerry Yu

49ca928

2022-05-05 11:05:22 +0800

[diff] [blame]

1483

hrr_required = 1;

XiaokangQian

2022-02-15 10:04:37 +0000

[diff] [blame]

1484

}

1485

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1486

if (ret < 0) {

Jerry Yu

582dd06

2022-04-22 21:59:01 +0800

[diff] [blame]

1487

MBEDTLS_SSL_DEBUG_RET(

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1488

1, "ssl_tls13_parse_key_shares_ext", ret);

1489

return ret;

Jerry Yu

582dd06

2022-04-22 21:59:01 +0800

[diff] [blame]

1490

}

XiaokangQian

2022-02-15 10:04:37 +0000

[diff] [blame]

1491

XiaokangQian

2022-02-15 10:04:37 +0000

[diff] [blame]

1492

break;

XiaokangQian

2022-04-02 10:15:03 +0000

[diff] [blame]

1493

#endif /* MBEDTLS_ECDH_C */

XiaokangQian

2022-02-15 10:04:37 +0000

[diff] [blame]

1494

1495

case MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS:

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1496

MBEDTLS_SSL_DEBUG_MSG(3, ("found supported versions extension"));

XiaokangQian

2022-02-15 10:04:37 +0000

[diff] [blame]

1497

1498

ret = ssl_tls13_parse_supported_versions_ext(

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1499

ssl, p, extension_data_end);

1500

if (ret != 0) {

1501

MBEDTLS_SSL_DEBUG_RET(1,

1502

("ssl_tls13_parse_supported_versions_ext"), ret);

1503

return ret;

XiaokangQian

2022-02-15 10:04:37 +0000

[diff] [blame]

1504

}

XiaokangQian

2022-02-15 10:04:37 +0000

[diff] [blame]

1505

break;

1506

Ronald Cron

2022-10-04 16:38:25 +0200

[diff] [blame]

1507

#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)

Jerry Yu

2022-07-08 12:04:51 +0000

[diff] [blame]

1508

case MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES:

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1509

MBEDTLS_SSL_DEBUG_MSG(3, ("found psk key exchange modes extension"));

Jerry Yu

2022-07-08 12:04:51 +0000

[diff] [blame]

1510

1511

ret = ssl_tls13_parse_key_exchange_modes_ext(

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1512

ssl, p, extension_data_end);

1513

if (ret != 0) {

Jerry Yu

2022-07-08 12:04:51 +0000

[diff] [blame]

1514

MBEDTLS_SSL_DEBUG_RET(

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1515

1, "ssl_tls13_parse_key_exchange_modes_ext", ret);

1516

return ret;

Jerry Yu

2022-07-08 12:04:51 +0000

[diff] [blame]

1517

}

1518

Jerry Yu

2022-07-08 12:04:51 +0000

[diff] [blame]

1519

break;

Ronald Cron

2022-10-04 16:38:25 +0200

[diff] [blame]

1520

#endif

Jerry Yu

2022-07-08 12:04:51 +0000

[diff] [blame]

1521

Jerry Yu

2022-07-10 06:32:38 +0000

[diff] [blame]

1522

case MBEDTLS_TLS_EXT_PRE_SHARED_KEY:

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1523

MBEDTLS_SSL_DEBUG_MSG(3, ("found pre_shared_key extension"));

1524

if ((handshake->received_extensions &

1525

MBEDTLS_SSL_EXT_MASK(PSK_KEY_EXCHANGE_MODES)) == 0) {

Jerry Yu

13ab81d

2022-07-22 23:17:11 +0800

[diff] [blame]

1526

MBEDTLS_SSL_PEND_FATAL_ALERT(

1527

MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1528

MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);

1529

return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;

Jerry Yu

13ab81d

2022-07-22 23:17:11 +0800

[diff] [blame]

1530

}

Ronald Cron

2022-10-04 16:38:25 +0200

[diff] [blame]

1531

#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)

Jerry Yu

2022-07-10 06:32:38 +0000

[diff] [blame]

1532

/* Delay processing of the PSK identity once we have

1533

* found out which algorithms to use. We keep a pointer

1534

* to the buffer and the size for later processing.

1535

*/

Jerry Yu

2022-08-23 17:52:45 +0800

[diff] [blame]

1536

pre_shared_key_ext = p;

Jerry Yu

2022-07-10 06:32:38 +0000

[diff] [blame]

1537

pre_shared_key_ext_end = extension_data_end;

Jerry Yu

e18dc7e

2022-08-04 16:29:22 +0800

[diff] [blame]

1538

#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */

Jerry Yu

2022-07-10 06:32:38 +0000

[diff] [blame]

1539

break;

Jerry Yu

2022-07-10 06:32:38 +0000

[diff] [blame]

1540

XiaokangQian

2022-06-17 10:18:48 +0000

[diff] [blame]

1541

#if defined(MBEDTLS_SSL_ALPN)

1542

case MBEDTLS_TLS_EXT_ALPN:

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1543

MBEDTLS_SSL_DEBUG_MSG(3, ("found alpn extension"));

XiaokangQian

2022-06-17 10:18:48 +0000

[diff] [blame]

1544

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1545

ret = mbedtls_ssl_parse_alpn_ext(ssl, p, extension_data_end);

1546

if (ret != 0) {

XiaokangQian

2022-06-17 10:18:48 +0000

[diff] [blame]

1547

MBEDTLS_SSL_DEBUG_RET(

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1548

1, ("mbedtls_ssl_parse_alpn_ext"), ret);

1549

return ret;

XiaokangQian

2022-06-17 10:18:48 +0000

[diff] [blame]

1550

}

XiaokangQian

2022-06-17 10:18:48 +0000

[diff] [blame]

1551

break;

1552

#endif /* MBEDTLS_SSL_ALPN */

1553

Ronald Cron

2022-10-04 16:14:26 +0200

[diff] [blame]

1554

#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)

XiaokangQian

2022-02-15 10:04:37 +0000

[diff] [blame]

1555

case MBEDTLS_TLS_EXT_SIG_ALG:

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1556

MBEDTLS_SSL_DEBUG_MSG(3, ("found signature_algorithms extension"));

XiaokangQian

2022-02-15 10:04:37 +0000

[diff] [blame]

1557

Gabor Mezei

078e803

2022-04-27 21:17:56 +0200

[diff] [blame]

1558

ret = mbedtls_ssl_parse_sig_alg_ext(

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1559

ssl, p, extension_data_end);

1560

if (ret != 0) {

1561

MBEDTLS_SSL_DEBUG_MSG(1,

1562

(

1563

"ssl_parse_supported_signature_algorithms_server_ext ( %d )",

1564

ret));

1565

return ret;

XiaokangQian

2022-02-15 10:04:37 +0000

[diff] [blame]

1566

}

XiaokangQian

2022-02-15 10:04:37 +0000

[diff] [blame]

1567

break;

Ronald Cron

2022-10-04 16:14:26 +0200

[diff] [blame]

1568

#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */

XiaokangQian

2022-02-15 10:04:37 +0000

[diff] [blame]

1569

1570

default:

Jerry Yu

79aa721

2022-11-08 21:30:21 +0800

[diff] [blame]

1571

MBEDTLS_SSL_PRINT_EXT(

Jerry Yu

63a459c

2022-10-31 13:38:40 +0800

[diff] [blame]

1572

3, MBEDTLS_SSL_HS_CLIENT_HELLO,

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1573

extension_type, "( ignored )");

Jerry Yu

2022-08-29 15:25:36 +0800

[diff] [blame]

1574

break;

XiaokangQian

2022-02-15 10:04:37 +0000

[diff] [blame]

1575

}

1576

1577

p += extension_data_len;

1578

}

1579

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1580

MBEDTLS_SSL_PRINT_EXTS(3, MBEDTLS_SSL_HS_CLIENT_HELLO,

1581

handshake->received_extensions);

Jerry Yu

e18dc7e

2022-08-04 16:29:22 +0800

[diff] [blame]

1582

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1583

mbedtls_ssl_add_hs_hdr_to_checksum(ssl,

1584

MBEDTLS_SSL_HS_CLIENT_HELLO,

1585

p - buf);

Jerry Yu

2022-07-11 06:10:03 +0000

[diff] [blame]

1586

Ronald Cron

2022-10-04 16:38:25 +0200

[diff] [blame]

1587

#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)

XiaokangQian

2022-02-15 10:04:37 +0000

[diff] [blame]

1588

/* Update checksum with either

1589

* - The entire content of the CH message, if no PSK extension is present

1590

* - The content up to but excluding the PSK extension, if present.

1591

*/

Jerry Yu

2022-07-10 06:32:38 +0000

[diff] [blame]

1592

/* If we've settled on a PSK-based exchange, parse PSK identity ext */

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1593

if (mbedtls_ssl_tls13_some_psk_enabled(ssl) &&

1594

mbedtls_ssl_conf_tls13_some_psk_enabled(ssl) &&

1595

(handshake->received_extensions & MBEDTLS_SSL_EXT_MASK(PRE_SHARED_KEY))) {

1596

handshake->update_checksum(ssl, buf,

1597

pre_shared_key_ext - buf);

1598

ret = ssl_tls13_parse_pre_shared_key_ext(ssl,

1599

pre_shared_key_ext,

1600

pre_shared_key_ext_end,

1601

cipher_suites,

1602

cipher_suites_end);

1603

if (ret == MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY) {

1604

handshake->received_extensions &= ~MBEDTLS_SSL_EXT_MASK(PRE_SHARED_KEY);

1605

} else if (ret != 0) {

Jerry Yu

63a459c

2022-10-31 13:38:40 +0800

[diff] [blame]

1606

MBEDTLS_SSL_DEBUG_RET(

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1607

1, "ssl_tls13_parse_pre_shared_key_ext", ret);

1608

return ret;

Jerry Yu

2022-07-10 06:32:38 +0000

[diff] [blame]

1609

}

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1610

} else

Ronald Cron

2022-10-04 16:38:25 +0200

[diff] [blame]

1611

#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */

Jerry Yu

2022-07-10 06:32:38 +0000

[diff] [blame]

1612

{

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1613

handshake->update_checksum(ssl, buf, p - buf);

Jerry Yu

2022-07-10 06:32:38 +0000

[diff] [blame]

1614

}

XiaokangQian

2022-02-15 10:04:37 +0000

[diff] [blame]

1615

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1616

ret = ssl_tls13_determine_key_exchange_mode(ssl);

1617

if (ret < 0) {

1618

return ret;

1619

}

XiaokangQian

2022-02-15 10:04:37 +0000

[diff] [blame]

1620

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1621

mbedtls_ssl_optimize_checksum(ssl, handshake->ciphersuite_info);

Jerry Yu

e5834fd

2022-08-29 20:16:09 +0800

[diff] [blame]

1622

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1623

return hrr_required ? SSL_CLIENT_HELLO_HRR_REQUIRED : SSL_CLIENT_HELLO_OK;

XiaokangQian

75fe8c7

2022-06-15 09:42:45 +0000

[diff] [blame]

1624

}

1625

1626

/* Update the handshake state machine */

1627

Ronald Cron

ce7d76e

2022-07-08 18:56:49 +0200

[diff] [blame]

1628

MBEDTLS_CHECK_RETURN_CRITICAL

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1629

static int ssl_tls13_postprocess_client_hello(mbedtls_ssl_context *ssl)

XiaokangQian

75fe8c7

2022-06-15 09:42:45 +0000

[diff] [blame]

1630

{

1631

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

1632

XiaokangQian

2022-02-15 10:04:37 +0000

[diff] [blame]

1633

/*

XiaokangQian

2022-06-15 03:57:21 +0000

[diff] [blame]

1634

* Server certificate selection

1635

*/

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1636

if (ssl->conf->f_cert_cb && (ret = ssl->conf->f_cert_cb(ssl)) != 0) {

1637

MBEDTLS_SSL_DEBUG_RET(1, "f_cert_cb", ret);

1638

return ret;

XiaokangQian

2022-06-15 03:57:21 +0000

[diff] [blame]

1639

}

1640

#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)

1641

ssl->handshake->sni_name = NULL;

1642

ssl->handshake->sni_name_len = 0;

1643

#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */

XiaokangQian

2022-02-15 10:04:37 +0000

[diff] [blame]

1644

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1645

ret = mbedtls_ssl_tls13_key_schedule_stage_early(ssl);

1646

if (ret != 0) {

1647

MBEDTLS_SSL_DEBUG_RET(1,

1648

"mbedtls_ssl_tls1_3_key_schedule_stage_early", ret);

1649

return ret;

XiaokangQian

2022-02-15 10:04:37 +0000

[diff] [blame]

1650

}

1651

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1652

return 0;

XiaokangQian

2022-02-15 10:04:37 +0000

[diff] [blame]

}

/*

XiaokangQian

2022-04-13 08:21:05 +0000

[diff] [blame]

1657

* Main entry point from the state machine; orchestrates the otherfunctions.

1658

*/

1659

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

1660

MBEDTLS_CHECK_RETURN_CRITICAL

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1661

static int ssl_tls13_process_client_hello(mbedtls_ssl_context *ssl)

XiaokangQian

2022-04-13 08:21:05 +0000

[diff] [blame]

1662

{

1663

XiaokangQian

2022-04-20 07:16:41 +0000

[diff] [blame]

1664

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1665

unsigned char *buf = NULL;

XiaokangQian

2022-04-13 08:21:05 +0000

[diff] [blame]

1666

size_t buflen = 0;

Jerry Yu

4ca9140

2022-05-09 15:50:57 +0800

[diff] [blame]

1667

int parse_client_hello_ret;

1668

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1669

MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse client hello"));

XiaokangQian

2022-04-13 08:21:05 +0000

[diff] [blame]

1670

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1671

MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_tls13_fetch_handshake_msg(

1672

ssl, MBEDTLS_SSL_HS_CLIENT_HELLO,

1673

&buf, &buflen));

XiaokangQian

2022-04-13 08:21:05 +0000

[diff] [blame]

1674

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1675

MBEDTLS_SSL_PROC_CHK_NEG(ssl_tls13_parse_client_hello(ssl, buf,

1676

buf + buflen));

Jerry Yu

2022-05-09 22:20:30 +0800

[diff] [blame]

1677

parse_client_hello_ret = ret; /* Store return value of parse_client_hello,

1678

* only SSL_CLIENT_HELLO_OK or

1679

* SSL_CLIENT_HELLO_HRR_REQUIRED at this

1680

* stage as negative error codes are handled

1681

* by MBEDTLS_SSL_PROC_CHK_NEG. */

Jerry Yu

4ca9140

2022-05-09 15:50:57 +0800

[diff] [blame]

1682

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1683

MBEDTLS_SSL_PROC_CHK(ssl_tls13_postprocess_client_hello(ssl));

Jerry Yu

582dd06

2022-04-22 21:59:01 +0800

[diff] [blame]

1684

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1685

if (parse_client_hello_ret == SSL_CLIENT_HELLO_OK) {

1686

mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_HELLO);

1687

} else {

1688

mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HELLO_RETRY_REQUEST);

1689

}

XiaokangQian

2022-04-13 08:21:05 +0000

[diff] [blame]

cleanup:

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1693

MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse client hello"));

1694

return ret;

XiaokangQian

2022-04-13 08:21:05 +0000

[diff] [blame]

1695

}

1696

1697

/*

Jerry Yu

2022-04-20 21:23:40 +0800

[diff] [blame]

1698

* Handler for MBEDTLS_SSL_SERVER_HELLO

Jerry Yu

2022-03-30 17:15:02 +0800

[diff] [blame]

1699

*/

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

1700

MBEDTLS_CHECK_RETURN_CRITICAL

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1701

static int ssl_tls13_prepare_server_hello(mbedtls_ssl_context *ssl)

Jerry Yu

2022-03-30 17:32:21 +0800

[diff] [blame]

1702

{

Jerry Yu

637a3f1

2022-04-20 21:37:58 +0800

[diff] [blame]

1703

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

1704

unsigned char *server_randbytes =

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1705

ssl->handshake->randbytes + MBEDTLS_CLIENT_HELLO_RANDOM_LEN;

1706

if (ssl->conf->f_rng == NULL) {

1707

MBEDTLS_SSL_DEBUG_MSG(1, ("no RNG provided"));

1708

return MBEDTLS_ERR_SSL_NO_RNG;

Jerry Yu

2022-03-30 17:32:21 +0800

[diff] [blame]

1709

}

1710

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1711

if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, server_randbytes,

1712

MBEDTLS_SERVER_HELLO_RANDOM_LEN)) != 0) {

1713

MBEDTLS_SSL_DEBUG_RET(1, "f_rng", ret);

1714

return ret;

Jerry Yu

2022-03-30 17:32:21 +0800

[diff] [blame]

1715

}

1716

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1717

MBEDTLS_SSL_DEBUG_BUF(3, "server hello, random bytes", server_randbytes,

1718

MBEDTLS_SERVER_HELLO_RANDOM_LEN);

Jerry Yu

2022-03-30 17:32:21 +0800

[diff] [blame]

1719

1720

#if defined(MBEDTLS_HAVE_TIME)

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1721

ssl->session_negotiate->start = time(NULL);

Jerry Yu

2022-03-30 17:32:21 +0800

[diff] [blame]

1722

#endif /* MBEDTLS_HAVE_TIME */

1723

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1724

return ret;

Jerry Yu

2022-03-30 17:32:21 +0800

[diff] [blame]

1725

}

1726

Jerry Yu

2022-03-30 22:02:12 +0800

[diff] [blame]

1727

/*

Jerry Yu

e74e04a

2022-04-21 09:23:16 +0800

[diff] [blame]

1728

* ssl_tls13_write_server_hello_supported_versions_ext ():

Jerry Yu

2022-03-30 22:02:12 +0800

[diff] [blame]

1729

*

1730

* struct {

Jerry Yu

fb9f54d

2022-04-06 10:08:34 +0800

[diff] [blame]

1731

* ProtocolVersion selected_version;

Jerry Yu

2022-03-30 22:02:12 +0800

[diff] [blame]

1732

* } SupportedVersions;

1733

*/

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

1734

MBEDTLS_CHECK_RETURN_CRITICAL

Jerry Yu

e74e04a

2022-04-21 09:23:16 +0800

[diff] [blame]

1735

static int ssl_tls13_write_server_hello_supported_versions_ext(

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1736

mbedtls_ssl_context *ssl,

1737

unsigned char *buf,

1738

unsigned char *end,

1739

size_t *out_len)

Jerry Yu

2022-03-30 22:02:12 +0800

[diff] [blame]

1740

{

Jerry Yu

2022-03-30 22:02:12 +0800

[diff] [blame]

1741

*out_len = 0;

1742

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1743

MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, write selected version"));

Jerry Yu

2022-03-30 22:02:12 +0800

[diff] [blame]

1744

1745

/* Check if we have space to write the extension:

1746

* - extension_type (2 bytes)

1747

* - extension_data_length (2 bytes)

Jerry Yu

349a613

2022-04-14 20:52:56 +0800

[diff] [blame]

1748

* - selected_version (2 bytes)

Jerry Yu

2022-03-30 22:02:12 +0800

[diff] [blame]

1749

*/

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1750

MBEDTLS_SSL_CHK_BUF_PTR(buf, end, 6);

Jerry Yu

2022-03-30 22:02:12 +0800

[diff] [blame]

1751

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1752

MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS, buf, 0);

Jerry Yu

2022-03-30 22:02:12 +0800

[diff] [blame]

1753

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1754

MBEDTLS_PUT_UINT16_BE(2, buf, 2);

Jerry Yu

2022-03-30 22:02:12 +0800

[diff] [blame]

1755

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1756

mbedtls_ssl_write_version(buf + 4,

1757

ssl->conf->transport,

1758

ssl->tls_version);

Jerry Yu

2022-03-30 22:02:12 +0800

[diff] [blame]

1759

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1760

MBEDTLS_SSL_DEBUG_MSG(3, ("supported version: [%04x]",

1761

ssl->tls_version));

Jerry Yu

2022-03-30 22:02:12 +0800

[diff] [blame]

1762

Jerry Yu

349a613

2022-04-14 20:52:56 +0800

[diff] [blame]

1763

*out_len = 6;

Jerry Yu

2022-03-30 22:02:12 +0800

[diff] [blame]

1764

Jerry Yu

2022-11-08 21:19:34 +0800

[diff] [blame]

1765

mbedtls_ssl_tls13_set_hs_sent_ext_mask(

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1766

ssl, MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS);

Jerry Yu

2022-11-08 21:19:34 +0800

[diff] [blame]

1767

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1768

return 0;

Jerry Yu

2022-03-30 22:02:12 +0800

[diff] [blame]

1769

}

1770

Jerry Yu

2022-04-20 22:28:09 +0800

[diff] [blame]

1771

Jerry Yu

2022-03-30 22:02:12 +0800

[diff] [blame]

1772

1773

/* Generate and export a single key share. For hybrid KEMs, this can

1774

* be called multiple times with the different components of the hybrid. */

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

1775

MBEDTLS_CHECK_RETURN_CRITICAL

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1776

static int ssl_tls13_generate_and_write_key_share(mbedtls_ssl_context *ssl,

1777

uint16_t named_group,

1778

unsigned char *buf,

1779

unsigned char *end,

1780

size_t *out_len)

Jerry Yu

2022-03-30 22:02:12 +0800

[diff] [blame]

1781

{

1782

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

Jerry Yu

2022-04-22 22:27:33 +0800

[diff] [blame]

*out_len = 0;

Jerry Yu

2022-03-30 22:43:29 +0800

[diff] [blame]

1786

#if defined(MBEDTLS_ECDH_C)

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1787

if (mbedtls_ssl_tls13_named_group_is_ecdhe(named_group)) {

Jerry Yu

89e103c

2022-03-30 22:43:29 +0800

[diff] [blame]

1788

ret = mbedtls_ssl_tls13_generate_and_write_ecdh_key_exchange(

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1789

ssl, named_group, buf, end, out_len);

1790

if (ret != 0) {

Jerry Yu

89e103c

2022-03-30 22:43:29 +0800

[diff] [blame]

1791

MBEDTLS_SSL_DEBUG_RET(

1792

1, "mbedtls_ssl_tls13_generate_and_write_ecdh_key_exchange",

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1793

ret);

1794

return ret;

Jerry Yu

2022-03-30 22:02:12 +0800

[diff] [blame]

1795

}

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1796

} else

Jerry Yu

89e103c

2022-03-30 22:43:29 +0800

[diff] [blame]

1797

#endif /* MBEDTLS_ECDH_C */

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1798

if (0 /* Other kinds of KEMs */) {

1799

} else {

Jerry Yu

2022-04-22 22:27:33 +0800

[diff] [blame]

1800

((void) ssl);

1801

((void) named_group);

1802

((void) buf);

1803

((void) end);

Jerry Yu

2022-03-30 22:02:12 +0800

[diff] [blame]

1804

ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;

1805

}

1806

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1807

return ret;

Jerry Yu

2022-03-30 22:02:12 +0800

[diff] [blame]

}

/*

* ssl_tls13_write_key_share_ext

1812

*

1813

* Structure of key_share extension in ServerHello:

1814

*

Jerry Yu

2022-04-20 21:23:40 +0800

[diff] [blame]

1815

* struct {

1816

* NamedGroup group;

1817

* opaque key_exchange<1..2^16-1>;

1818

* } KeyShareEntry;

1819

* struct {

1820

* KeyShareEntry server_share;

1821

* } KeyShareServerHello;

Jerry Yu

2022-03-30 22:02:12 +0800

[diff] [blame]

1822

*/

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

1823

MBEDTLS_CHECK_RETURN_CRITICAL

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1824

static int ssl_tls13_write_key_share_ext(mbedtls_ssl_context *ssl,

1825

unsigned char *buf,

1826

unsigned char *end,

1827

size_t *out_len)

Jerry Yu

2022-03-30 22:02:12 +0800

[diff] [blame]

1828

{

Jerry Yu

2022-04-22 22:27:33 +0800

[diff] [blame]

1829

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

Jerry Yu

2022-03-30 22:02:12 +0800

[diff] [blame]

1830

unsigned char *p = buf;

Jerry Yu

57d4841

2022-04-20 21:50:42 +0800

[diff] [blame]

1831

uint16_t group = ssl->handshake->offered_group_id;

Jerry Yu

2022-03-30 22:02:12 +0800

[diff] [blame]

1832

unsigned char *server_share = buf + 4;

Jerry Yu

2022-03-30 22:02:12 +0800

[diff] [blame]

1833

size_t key_exchange_length;

Jerry Yu

2022-03-30 22:02:12 +0800

[diff] [blame]

*out_len = 0;

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1837

MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding key share extension"));

Jerry Yu

2022-03-30 22:02:12 +0800

[diff] [blame]

1838

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1839

MBEDTLS_SSL_DEBUG_MSG(2, ("server hello, write selected_group: %s (%04x)",

1840

mbedtls_ssl_named_group_to_str(group),

1841

group));

Jerry Yu

58af233

2022-09-06 11:19:31 +0800

[diff] [blame]

1842

Jerry Yu

2022-03-30 22:02:12 +0800

[diff] [blame]

1843

/* Check if we have space for header and length fields:

1844

* - extension_type (2 bytes)

1845

* - extension_data_length (2 bytes)

1846

* - group (2 bytes)

1847

* - key_exchange_length (2 bytes)

1848

*/

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1849

MBEDTLS_SSL_CHK_BUF_PTR(p, end, 8);

1850

MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_KEY_SHARE, p, 0);

1851

MBEDTLS_PUT_UINT16_BE(group, server_share, 0);

Jerry Yu

2022-03-30 22:02:12 +0800

[diff] [blame]

1852

p += 8;

Jerry Yu

57d4841

2022-04-20 21:50:42 +0800

[diff] [blame]

1853

Jerry Yu

2022-03-30 22:02:12 +0800

[diff] [blame]

1854

/* When we introduce PQC-ECDHE hybrids, we'll want to call this

1855

* function multiple times. */

Jerry Yu

2022-04-22 22:27:33 +0800

[diff] [blame]

1856

ret = ssl_tls13_generate_and_write_key_share(

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1857

ssl, group, server_share + 4, end, &key_exchange_length);

1858

if (ret != 0) {

1859

return ret;

1860

}

Jerry Yu

2022-03-30 22:02:12 +0800

[diff] [blame]

1861

p += key_exchange_length;

Jerry Yu

2022-04-23 16:11:39 +0800

[diff] [blame]

1862

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1863

MBEDTLS_PUT_UINT16_BE(key_exchange_length, server_share + 2, 0);

Jerry Yu

2022-03-30 22:02:12 +0800

[diff] [blame]

1864

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1865

MBEDTLS_PUT_UINT16_BE(p - server_share, buf, 2);

Jerry Yu

2022-03-30 22:02:12 +0800

[diff] [blame]

1866

Jerry Yu

57d4841

2022-04-20 21:50:42 +0800

[diff] [blame]

1867

*out_len = p - buf;

Jerry Yu

2022-04-22 22:27:33 +0800

[diff] [blame]

1868

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1869

mbedtls_ssl_tls13_set_hs_sent_ext_mask(ssl, MBEDTLS_TLS_EXT_KEY_SHARE);

Jerry Yu

2022-11-08 21:19:34 +0800

[diff] [blame]

1870

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1871

return 0;

Jerry Yu

2022-03-30 22:02:12 +0800

[diff] [blame]

1872

}

Jerry Yu

2022-04-20 22:28:09 +0800

[diff] [blame]

1873

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

1874

MBEDTLS_CHECK_RETURN_CRITICAL

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1875

static int ssl_tls13_write_hrr_key_share_ext(mbedtls_ssl_context *ssl,

1876

unsigned char *buf,

1877

unsigned char *end,

1878

size_t *out_len)

Jerry Yu

2022-04-23 15:16:45 +0800

[diff] [blame]

1879

{

1880

uint16_t selected_group = ssl->handshake->hrr_selected_group;

1881

/* key_share Extension

1882

*

1883

* struct {

1884

* select (Handshake.msg_type) {

1885

* ...

1886

* case hello_retry_request:

1887

* NamedGroup selected_group;

* ...

* };

* } KeyShare;

*/

*out_len = 0;

Jerry Yu

2022-05-05 11:10:08 +0800

[diff] [blame]

1895

/*

1896

* For a pure PSK key exchange, there is no group to agree upon. The purpose

1897

* of the HRR is then to transmit a cookie to force the client to demonstrate

1898

* reachability at their apparent network address (primarily useful for DTLS).

1899

*/

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1900

if (!mbedtls_ssl_tls13_key_exchange_mode_with_ephemeral(ssl)) {

1901

return 0;

1902

}

Jerry Yu

2022-04-23 15:16:45 +0800

[diff] [blame]

1903

1904

/* We should only send the key_share extension if the client's initial

1905

* key share was not acceptable. */

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1906

if (ssl->handshake->offered_group_id != 0) {

1907

MBEDTLS_SSL_DEBUG_MSG(4, ("Skip key_share extension in HRR"));

1908

return 0;

Jerry Yu

2022-04-23 15:16:45 +0800

[diff] [blame]

1909

}

1910

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1911

if (selected_group == 0) {

1912

MBEDTLS_SSL_DEBUG_MSG(1, ("no matching named group found"));

1913

return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;

Jerry Yu

2022-04-23 15:16:45 +0800

[diff] [blame]

1914

}

1915

Jerry Yu

b0ac10b

2022-05-05 11:10:08 +0800

[diff] [blame]

1916

/* Check if we have enough space:

1917

* - extension_type (2 bytes)

1918

* - extension_data_length (2 bytes)

1919

* - selected_group (2 bytes)

1920

*/

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1921

MBEDTLS_SSL_CHK_BUF_PTR(buf, end, 6);

Jerry Yu

2022-04-23 15:16:45 +0800

[diff] [blame]

1922

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1923

MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_KEY_SHARE, buf, 0);

1924

MBEDTLS_PUT_UINT16_BE(2, buf, 2);

1925

MBEDTLS_PUT_UINT16_BE(selected_group, buf, 4);

Jerry Yu

2022-04-23 15:16:45 +0800

[diff] [blame]

1926

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1927

MBEDTLS_SSL_DEBUG_MSG(3,

1928

("HRR selected_group: %s (%x)",

1929

mbedtls_ssl_named_group_to_str(selected_group),

1930

selected_group));

Jerry Yu

2022-04-23 15:16:45 +0800

[diff] [blame]

1931

1932

*out_len = 6;

Jerry Yu

2022-04-23 15:16:45 +0800

[diff] [blame]

1933

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1934

mbedtls_ssl_tls13_set_hs_sent_ext_mask(ssl, MBEDTLS_TLS_EXT_KEY_SHARE);

Jerry Yu

2022-11-08 21:19:34 +0800

[diff] [blame]

1935

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1936

return 0;

Jerry Yu

2022-04-23 15:16:45 +0800

[diff] [blame]

1937

}

Jerry Yu

2022-03-30 22:02:12 +0800

[diff] [blame]

1938

1939

/*

1940

* Structure of ServerHello message:

1941

*

1942

* struct {

1943

* ProtocolVersion legacy_version = 0x0303; // TLS v1.2

1944

* Random random;

1945

* opaque legacy_session_id_echo<0..32>;

1946

* CipherSuite cipher_suite;

1947

* uint8 legacy_compression_method = 0;

1948

* Extension extensions<6..2^16-1>;

1949

* } ServerHello;

1950

*/

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

1951

MBEDTLS_CHECK_RETURN_CRITICAL

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1952

static int ssl_tls13_write_server_hello_body(mbedtls_ssl_context *ssl,

unsigned char *buf,

unsigned char *end,

size_t *out_len,

int is_hrr)

Jerry Yu

56404d7

2022-03-30 17:36:13 +0800

[diff] [blame]

1957

{

Jerry Yu

2022-04-22 22:27:33 +0800

[diff] [blame]

1958

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

Jerry Yu

2022-03-30 22:02:12 +0800

[diff] [blame]

1959

unsigned char *p = buf;

Jerry Yu

2022-04-20 22:28:09 +0800

[diff] [blame]

1960

unsigned char *p_extensions_len;

Jerry Yu

fbe3e64

2022-04-25 19:31:51 +0800

[diff] [blame]

1961

size_t output_len;

Jerry Yu

2022-03-30 22:02:12 +0800

[diff] [blame]

1962

1963

*out_len = 0;

Jerry Yu

50e00e3

2022-10-31 14:45:01 +0800

[diff] [blame]

1964

ssl->handshake->sent_extensions = MBEDTLS_SSL_EXT_MASK_NONE;

Jerry Yu

2022-03-30 22:02:12 +0800

[diff] [blame]

1965

Jerry Yu

2022-04-21 09:31:58 +0800

[diff] [blame]

1966

/* ...

1967

* ProtocolVersion legacy_version = 0x0303; // TLS 1.2

1968

* ...

1969

* with ProtocolVersion defined as:

1970

* uint16 ProtocolVersion;

Jerry Yu

2022-03-30 22:02:12 +0800

[diff] [blame]

1971

*/

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1972

MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2);

1973

MBEDTLS_PUT_UINT16_BE(0x0303, p, 0);

Jerry Yu

2022-03-30 22:02:12 +0800

[diff] [blame]

1974

p += 2;

1975

Jerry Yu

2022-04-20 21:23:40 +0800

[diff] [blame]

1976

/* ...

1977

* Random random;

1978

* ...

Jerry Yu

2022-04-21 09:31:58 +0800

[diff] [blame]

1979

* with Random defined as:

1980

* opaque Random[MBEDTLS_SERVER_HELLO_RANDOM_LEN];

Jerry Yu

2022-04-20 21:23:40 +0800

[diff] [blame]

1981

*/

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1982

MBEDTLS_SSL_CHK_BUF_PTR(p, end, MBEDTLS_SERVER_HELLO_RANDOM_LEN);

1983

if (is_hrr) {

1984

memcpy(p, mbedtls_ssl_tls13_hello_retry_request_magic,

1985

MBEDTLS_SERVER_HELLO_RANDOM_LEN);

1986

} else {

1987

memcpy(p, &ssl->handshake->randbytes[MBEDTLS_CLIENT_HELLO_RANDOM_LEN],

1988

MBEDTLS_SERVER_HELLO_RANDOM_LEN);

Jerry Yu

2022-04-23 15:16:45 +0800

[diff] [blame]

1989

}

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1990

MBEDTLS_SSL_DEBUG_BUF(3, "server hello, random bytes",

1991

p, MBEDTLS_SERVER_HELLO_RANDOM_LEN);

Jerry Yu

2022-03-30 22:02:12 +0800

[diff] [blame]

1992

p += MBEDTLS_SERVER_HELLO_RANDOM_LEN;

1993

Jerry Yu

2022-04-21 09:31:58 +0800

[diff] [blame]

1994

/* ...

1995

* opaque legacy_session_id_echo<0..32>;

1996

* ...

Jerry Yu

2022-03-30 22:02:12 +0800

[diff] [blame]

1997

*/

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

1998

MBEDTLS_SSL_CHK_BUF_PTR(p, end, 1 + ssl->session_negotiate->id_len);

1999

*p++ = (unsigned char) ssl->session_negotiate->id_len;

2000

if (ssl->session_negotiate->id_len > 0) {

2001

memcpy(p, &ssl->session_negotiate->id[0],

2002

ssl->session_negotiate->id_len);

Jerry Yu

2022-03-30 22:02:12 +0800

[diff] [blame]

2003

p += ssl->session_negotiate->id_len;

Jerry Yu

2022-04-22 22:27:33 +0800

[diff] [blame]

2004

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2005

MBEDTLS_SSL_DEBUG_BUF(3, "session id", ssl->session_negotiate->id,

2006

ssl->session_negotiate->id_len);

Jerry Yu

2022-03-30 22:02:12 +0800

[diff] [blame]

2007

}

2008

Jerry Yu

2022-04-21 09:31:58 +0800

[diff] [blame]

2009

/* ...

2010

* CipherSuite cipher_suite;

2011

* ...

2012

* with CipherSuite defined as:

2013

* uint8 CipherSuite[2];

Jerry Yu

2022-03-30 22:02:12 +0800

[diff] [blame]

2014

*/

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2015

MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2);

2016

MBEDTLS_PUT_UINT16_BE(ssl->session_negotiate->ciphersuite, p, 0);

Jerry Yu

2022-03-30 22:02:12 +0800

[diff] [blame]

2017

p += 2;

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2018

MBEDTLS_SSL_DEBUG_MSG(3,

2019

("server hello, chosen ciphersuite: %s ( id=%d )",

2020

mbedtls_ssl_get_ciphersuite_name(

2021

ssl->session_negotiate->ciphersuite),

2022

ssl->session_negotiate->ciphersuite));

Jerry Yu

2022-03-30 22:02:12 +0800

[diff] [blame]

2023

Jerry Yu

2022-04-21 09:31:58 +0800

[diff] [blame]

2024

/* ...

2025

* uint8 legacy_compression_method = 0;

2026

* ...

2027

*/

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2028

MBEDTLS_SSL_CHK_BUF_PTR(p, end, 1);

Thomas Daubney

31e03a8

2022-07-25 15:59:25 +0100

[diff] [blame]

2029

*p++ = MBEDTLS_SSL_COMPRESS_NULL;

Jerry Yu

2022-03-30 22:02:12 +0800

[diff] [blame]

2030

Jerry Yu

2022-04-21 09:31:58 +0800

[diff] [blame]

2031

/* ...

2032

* Extension extensions<6..2^16-1>;

2033

* ...

2034

* struct {

2035

* ExtensionType extension_type; (2 bytes)

2036

* opaque extension_data<0..2^16-1>;

2037

* } Extension;

2038

*/

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2039

MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2);

Jerry Yu

2022-04-20 22:28:09 +0800

[diff] [blame]

2040

p_extensions_len = p;

Jerry Yu

2022-03-30 22:02:12 +0800

[diff] [blame]

2041

p += 2;

2042

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2043

if ((ret = ssl_tls13_write_server_hello_supported_versions_ext(

2044

ssl, p, end, &output_len)) != 0) {

Jerry Yu

2022-04-22 22:27:33 +0800

[diff] [blame]

2045

MBEDTLS_SSL_DEBUG_RET(

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2046

1, "ssl_tls13_write_server_hello_supported_versions_ext", ret);

2047

return ret;

Jerry Yu

2022-03-30 22:02:12 +0800

[diff] [blame]

}

p += output_len;

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2051

if (mbedtls_ssl_tls13_key_exchange_mode_with_ephemeral(ssl)) {

2052

if (is_hrr) {

2053

ret = ssl_tls13_write_hrr_key_share_ext(ssl, p, end, &output_len);

2054

} else {

2055

ret = ssl_tls13_write_key_share_ext(ssl, p, end, &output_len);

}

if (ret != 0) {

return ret;

}

Jerry Yu

2022-03-30 22:02:12 +0800

[diff] [blame]

2060

p += output_len;

2061

}

Jerry Yu

2022-03-30 22:02:12 +0800

[diff] [blame]

2062

Ronald Cron

2022-10-04 16:38:25 +0200

[diff] [blame]

2063

#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2064

if (!is_hrr && mbedtls_ssl_tls13_key_exchange_mode_with_psk(ssl)) {

2065

ret = ssl_tls13_write_server_pre_shared_key_ext(ssl, p, end, &output_len);

2066

if (ret != 0) {

2067

MBEDTLS_SSL_DEBUG_RET(1, "ssl_tls13_write_server_pre_shared_key_ext",

2068

ret);

2069

return ret;

Jerry Yu

2022-07-11 06:10:03 +0000

[diff] [blame]

2070

}

2071

p += output_len;

2072

}

Ronald Cron

2022-10-04 16:38:25 +0200

[diff] [blame]

2073

#endif

Jerry Yu

2022-07-11 06:10:03 +0000

[diff] [blame]

2074

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2075

MBEDTLS_PUT_UINT16_BE(p - p_extensions_len - 2, p_extensions_len, 0);

Jerry Yu

2022-03-30 22:02:12 +0800

[diff] [blame]

2076

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2077

MBEDTLS_SSL_DEBUG_BUF(4, "server hello extensions",

2078

p_extensions_len, p - p_extensions_len);

Jerry Yu

2022-03-30 22:02:12 +0800

[diff] [blame]

2079

Jerry Yu

2022-04-20 22:28:09 +0800

[diff] [blame]

2080

*out_len = p - buf;

Jerry Yu

2022-03-30 22:02:12 +0800

[diff] [blame]

2081

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2082

MBEDTLS_SSL_DEBUG_BUF(3, "server hello", buf, *out_len);

Jerry Yu

2022-03-30 22:02:12 +0800

[diff] [blame]

2083

Jerry Yu

7de2ff0

2022-11-08 21:43:46 +0800

[diff] [blame]

2084

MBEDTLS_SSL_PRINT_EXTS(

Jerry Yu

2022-10-31 13:31:22 +0800

[diff] [blame]

2085

3, is_hrr ? MBEDTLS_SSL_TLS1_3_HS_HELLO_RETRY_REQUEST :

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2086

MBEDTLS_SSL_HS_SERVER_HELLO,

2087

ssl->handshake->sent_extensions);

Jerry Yu

2022-10-31 13:31:22 +0800

[diff] [blame]

2088

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2089

return ret;

Jerry Yu

56404d7

2022-03-30 17:36:13 +0800

[diff] [blame]

2090

}

2091

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

2092

MBEDTLS_CHECK_RETURN_CRITICAL

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2093

static int ssl_tls13_finalize_write_server_hello(mbedtls_ssl_context *ssl)

Jerry Yu

2022-05-05 10:19:22 +0800

[diff] [blame]

2094

{

2095

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2096

ret = mbedtls_ssl_tls13_compute_handshake_transform(ssl);

2097

if (ret != 0) {

2098

MBEDTLS_SSL_DEBUG_RET(1,

2099

"mbedtls_ssl_tls13_compute_handshake_transform",

2100

ret);

2101

return ret;

Jerry Yu

2022-05-05 10:19:22 +0800

[diff] [blame]

2102

}

2103

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2104

return ret;

Jerry Yu

2022-05-05 10:19:22 +0800

[diff] [blame]

2105

}

2106

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

2107

MBEDTLS_CHECK_RETURN_CRITICAL

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2108

static int ssl_tls13_write_server_hello(mbedtls_ssl_context *ssl)

Jerry Yu

2022-03-30 17:15:02 +0800

[diff] [blame]

2109

{

Jerry Yu

637a3f1

2022-04-20 21:37:58 +0800

[diff] [blame]

2110

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

Jerry Yu

2022-03-30 17:32:21 +0800

[diff] [blame]

2111

unsigned char *buf;

2112

size_t buf_len, msg_len;

2113

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2114

MBEDTLS_SSL_DEBUG_MSG(2, ("=> write server hello"));

Jerry Yu

2022-03-30 17:32:21 +0800

[diff] [blame]

2115

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2116

MBEDTLS_SSL_PROC_CHK(ssl_tls13_prepare_server_hello(ssl));

Jerry Yu

2022-03-30 17:32:21 +0800

[diff] [blame]

2117

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2118

MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_start_handshake_msg(ssl,

2119

MBEDTLS_SSL_HS_SERVER_HELLO, &buf,

2120

&buf_len));

Jerry Yu

2022-03-30 17:32:21 +0800

[diff] [blame]

2121

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2122

MBEDTLS_SSL_PROC_CHK(ssl_tls13_write_server_hello_body(ssl, buf,

2123

buf + buf_len,

2124

&msg_len,

2125

0));

Jerry Yu

2022-03-30 17:32:21 +0800

[diff] [blame]

2126

Jerry Yu

2022-03-30 22:02:12 +0800

[diff] [blame]

2127

mbedtls_ssl_add_hs_msg_to_checksum(

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2128

ssl, MBEDTLS_SSL_HS_SERVER_HELLO, buf, msg_len);

Jerry Yu

2022-03-30 17:32:21 +0800

[diff] [blame]

2129

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2130

MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_finish_handshake_msg(

2131

ssl, buf_len, msg_len));

Jerry Yu

637a3f1

2022-04-20 21:37:58 +0800

[diff] [blame]

2132

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2133

MBEDTLS_SSL_PROC_CHK(ssl_tls13_finalize_write_server_hello(ssl));

Jerry Yu

2022-05-05 10:19:22 +0800

[diff] [blame]

2134

Gabor Mezei

2022-05-24 16:04:14 +0200

[diff] [blame]

2135

#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)

2136

/* The server sends a dummy change_cipher_spec record immediately

2137

* after its first handshake message. This may either be after

2138

* a ServerHello or a HelloRetryRequest.

2139

*/

Gabor Mezei

96ae926

2022-06-28 11:45:18 +0200

[diff] [blame]

2140

mbedtls_ssl_handshake_set_state(

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2141

ssl, MBEDTLS_SSL_SERVER_CCS_AFTER_SERVER_HELLO);

Gabor Mezei

2022-05-24 16:04:14 +0200

[diff] [blame]

2142

#else

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2143

mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_ENCRYPTED_EXTENSIONS);

Gabor Mezei

2022-05-24 16:04:14 +0200

[diff] [blame]

2144

#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */

Jerry Yu

2022-05-05 10:19:22 +0800

[diff] [blame]

2145

Jerry Yu

2022-03-30 17:32:21 +0800

[diff] [blame]

2146

cleanup:

2147

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2148

MBEDTLS_SSL_DEBUG_MSG(2, ("<= write server hello"));

2149

return ret;

Jerry Yu

2022-03-30 17:15:02 +0800

[diff] [blame]

2150

}

2151

Jerry Yu

2022-05-12 18:08:59 +0800

[diff] [blame]

2152

2153

/*

2154

* Handler for MBEDTLS_SSL_HELLO_RETRY_REQUEST

2155

*/

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

2156

MBEDTLS_CHECK_RETURN_CRITICAL

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2157

static int ssl_tls13_prepare_hello_retry_request(mbedtls_ssl_context *ssl)

Jerry Yu

2022-05-12 18:08:59 +0800

[diff] [blame]

2158

{

2159

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2160

if (ssl->handshake->hello_retry_request_count > 0) {

2161

MBEDTLS_SSL_DEBUG_MSG(1, ("Too many HRRs"));

2162

MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,

2163

MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE);

2164

return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;

Jerry Yu

2022-05-12 18:08:59 +0800

[diff] [blame]

}

/*

* Create stateless transcript hash for HRR

2169

*/

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2170

MBEDTLS_SSL_DEBUG_MSG(4, ("Reset transcript for HRR"));

2171

ret = mbedtls_ssl_reset_transcript_for_hrr(ssl);

2172

if (ret != 0) {

2173

MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_reset_transcript_for_hrr", ret);

2174

return ret;

Jerry Yu

2022-05-12 18:08:59 +0800

[diff] [blame]

2175

}

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2176

mbedtls_ssl_session_reset_msg_layer(ssl, 0);

Jerry Yu

2022-05-12 18:08:59 +0800

[diff] [blame]

2177

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2178

return 0;

Jerry Yu

2022-05-12 18:08:59 +0800

[diff] [blame]

2179

}

2180

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

2181

MBEDTLS_CHECK_RETURN_CRITICAL

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2182

static int ssl_tls13_write_hello_retry_request(mbedtls_ssl_context *ssl)

Jerry Yu

2022-05-12 18:08:59 +0800

[diff] [blame]

2183

{

2184

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

2185

unsigned char *buf;

2186

size_t buf_len, msg_len;

2187

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2188

MBEDTLS_SSL_DEBUG_MSG(2, ("=> write hello retry request"));

Jerry Yu

2022-05-12 18:08:59 +0800

[diff] [blame]

2189

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2190

MBEDTLS_SSL_PROC_CHK(ssl_tls13_prepare_hello_retry_request(ssl));

Jerry Yu

2022-05-12 18:08:59 +0800

[diff] [blame]

2191

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2192

MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_start_handshake_msg(

2193

ssl, MBEDTLS_SSL_HS_SERVER_HELLO,

2194

&buf, &buf_len));

Jerry Yu

2022-05-12 18:08:59 +0800

[diff] [blame]

2195

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2196

MBEDTLS_SSL_PROC_CHK(ssl_tls13_write_server_hello_body(ssl, buf,

2197

buf + buf_len,

2198

&msg_len,

2199

1));

Jerry Yu

2022-05-12 18:08:59 +0800

[diff] [blame]

2200

mbedtls_ssl_add_hs_msg_to_checksum(

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2201

ssl, MBEDTLS_SSL_HS_SERVER_HELLO, buf, msg_len);

Jerry Yu

2022-05-12 18:08:59 +0800

[diff] [blame]

2202

2203

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2204

MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_finish_handshake_msg(ssl, buf_len,

2205

msg_len));

Jerry Yu

2022-05-12 18:08:59 +0800

[diff] [blame]

2206

2207

ssl->handshake->hello_retry_request_count++;

2208

Gabor Mezei

2022-05-24 16:04:14 +0200

[diff] [blame]

2209

#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)

2210

/* The server sends a dummy change_cipher_spec record immediately

2211

* after its first handshake message. This may either be after

2212

* a ServerHello or a HelloRetryRequest.

2213

*/

Gabor Mezei

96ae926

2022-06-28 11:45:18 +0200

[diff] [blame]

2214

mbedtls_ssl_handshake_set_state(

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2215

ssl, MBEDTLS_SSL_SERVER_CCS_AFTER_HELLO_RETRY_REQUEST);

Gabor Mezei

2022-05-24 16:04:14 +0200

[diff] [blame]

2216

#else

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2217

mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_HELLO);

Gabor Mezei

2022-05-24 16:04:14 +0200

[diff] [blame]

2218

#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */

Jerry Yu

2022-05-12 18:08:59 +0800

[diff] [blame]

2219

2220

cleanup:

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2221

MBEDTLS_SSL_DEBUG_MSG(2, ("<= write hello retry request"));

2222

return ret;

Jerry Yu

2022-05-12 18:08:59 +0800

[diff] [blame]

2223

}

2224

Jerry Yu

2022-03-30 17:15:02 +0800

[diff] [blame]

2225

/*

Jerry Yu

2022-04-16 12:37:19 +0800

[diff] [blame]

2226

* Handler for MBEDTLS_SSL_ENCRYPTED_EXTENSIONS

2227

*/

Jerry Yu

2022-04-16 12:37:19 +0800

[diff] [blame]

/*

* struct {

* Extension extensions<0..2 ^ 16 - 1>;

2232

* } EncryptedExtensions;

2233

*

2234

*/

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

2235

MBEDTLS_CHECK_RETURN_CRITICAL

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2236

static int ssl_tls13_write_encrypted_extensions_body(mbedtls_ssl_context *ssl,

2237

unsigned char *buf,

2238

unsigned char *end,

2239

size_t *out_len)

Jerry Yu

2022-04-16 12:37:19 +0800

[diff] [blame]

2240

{

XiaokangQian

2022-06-17 10:18:48 +0000

[diff] [blame]

2241

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

Jerry Yu

2022-04-16 12:37:19 +0800

[diff] [blame]

2242

unsigned char *p = buf;

2243

size_t extensions_len = 0;

Jerry Yu

2022-05-03 12:12:14 +0800

[diff] [blame]

2244

unsigned char *p_extensions_len;

XiaokangQian

2022-06-17 10:18:48 +0000

[diff] [blame]

2245

size_t output_len;

Jerry Yu

9da5e5a

2022-05-03 15:46:09 +0800

[diff] [blame]

2246

Jerry Yu

2022-04-16 12:37:19 +0800

[diff] [blame]

2247

*out_len = 0;

2248

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2249

MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2);

Jerry Yu

2022-05-03 12:12:14 +0800

[diff] [blame]

2250

p_extensions_len = p;

Jerry Yu

2022-04-16 12:37:19 +0800

[diff] [blame]

2251

p += 2;

2252

Jerry Yu

2022-05-03 12:12:14 +0800

[diff] [blame]

2253

((void) ssl);

XiaokangQian

2022-06-17 10:18:48 +0000

[diff] [blame]

((void) ret);

((void) output_len);

#if defined(MBEDTLS_SSL_ALPN)

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2258

ret = mbedtls_ssl_write_alpn_ext(ssl, p, end, &output_len);

2259

if (ret != 0) {

2260

return ret;

2261

}

XiaokangQian

95d5f54

2022-06-24 02:29:26 +0000

[diff] [blame]

2262

p += output_len;

XiaokangQian

2022-06-17 10:18:48 +0000

[diff] [blame]

2263

#endif /* MBEDTLS_SSL_ALPN */

Jerry Yu

2022-04-16 12:37:19 +0800

[diff] [blame]

2264

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2265

extensions_len = (p - p_extensions_len) - 2;

2266

MBEDTLS_PUT_UINT16_BE(extensions_len, p_extensions_len, 0);

Jerry Yu

2022-05-03 12:12:14 +0800

[diff] [blame]

2267

2268

*out_len = p - buf;

Jerry Yu

2022-04-16 12:37:19 +0800

[diff] [blame]

2269

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2270

MBEDTLS_SSL_DEBUG_BUF(4, "encrypted extensions", buf, *out_len);

Jerry Yu

2022-04-16 12:37:19 +0800

[diff] [blame]

2271

Jerry Yu

7de2ff0

2022-11-08 21:43:46 +0800

[diff] [blame]

2272

MBEDTLS_SSL_PRINT_EXTS(

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2273

3, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS, ssl->handshake->sent_extensions);

Jerry Yu

2022-10-31 13:31:22 +0800

[diff] [blame]

2274

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2275

return 0;

Jerry Yu

2022-04-16 12:37:19 +0800

[diff] [blame]

2276

}

2277

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

2278

MBEDTLS_CHECK_RETURN_CRITICAL

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2279

static int ssl_tls13_write_encrypted_extensions(mbedtls_ssl_context *ssl)

Jerry Yu

2022-04-16 12:37:19 +0800

[diff] [blame]

2280

{

2281

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

2282

unsigned char *buf;

Jerry Yu

39730a7

2022-05-03 12:14:04 +0800

[diff] [blame]

2283

size_t buf_len, msg_len;

Jerry Yu

2022-04-16 12:37:19 +0800

[diff] [blame]

2284

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2285

mbedtls_ssl_set_outbound_transform(ssl,

2286

ssl->handshake->transform_handshake);

Gabor Mezei

5471912

2022-06-28 11:34:56 +0200

[diff] [blame]

2287

MBEDTLS_SSL_DEBUG_MSG(

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2288

3, ("switching to handshake transform for outbound data"));

Gabor Mezei

5471912

2022-06-28 11:34:56 +0200

[diff] [blame]

2289

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2290

MBEDTLS_SSL_DEBUG_MSG(2, ("=> write encrypted extensions"));

Jerry Yu

2022-04-16 12:37:19 +0800

[diff] [blame]

2291

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2292

MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_start_handshake_msg(ssl,

2293

MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS, &buf,

2294

&buf_len));

Jerry Yu

2022-04-16 12:37:19 +0800

[diff] [blame]

2295

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2296

MBEDTLS_SSL_PROC_CHK(ssl_tls13_write_encrypted_extensions_body(

2297

ssl, buf, buf + buf_len, &msg_len));

Jerry Yu

2022-04-16 12:37:19 +0800

[diff] [blame]

2298

2299

mbedtls_ssl_add_hs_msg_to_checksum(

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2300

ssl, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS, buf, msg_len);

Jerry Yu

2022-04-16 12:37:19 +0800

[diff] [blame]

2301

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2302

MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_finish_handshake_msg(

2303

ssl, buf_len, msg_len));

Jerry Yu

2022-04-16 12:37:19 +0800

[diff] [blame]

2304

Ronald Cron

2022-10-04 16:14:26 +0200

[diff] [blame]

2305

#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2306

if (mbedtls_ssl_tls13_key_exchange_mode_with_psk(ssl)) {

2307

mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_FINISHED);

2308

} else {

2309

mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CERTIFICATE_REQUEST);

2310

}

Jerry Yu

2022-05-03 12:12:14 +0800

[diff] [blame]

2311

#else

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2312

mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_FINISHED);

Jerry Yu

2022-05-03 12:12:14 +0800

[diff] [blame]

2313

#endif

2314

Jerry Yu

2022-04-16 12:37:19 +0800

[diff] [blame]

2315

cleanup:

2316

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2317

MBEDTLS_SSL_DEBUG_MSG(2, ("<= write encrypted extensions"));

2318

return ret;

Jerry Yu

2022-04-16 12:37:19 +0800

[diff] [blame]

2319

}

2320

Ronald Cron

2022-10-04 16:14:26 +0200

[diff] [blame]

2321

#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)

XiaokangQian

2022-05-07 01:25:58 +0000

[diff] [blame]

2322

#define SSL_CERTIFICATE_REQUEST_SEND_REQUEST 0

2323

#define SSL_CERTIFICATE_REQUEST_SKIP 1

2324

/* Coordination:

2325

* Check whether a CertificateRequest message should be written.

2326

* Returns a negative code on failure, or

2327

* - SSL_CERTIFICATE_REQUEST_SEND_REQUEST

2328

* - SSL_CERTIFICATE_REQUEST_SKIP

2329

* indicating if the writing of the CertificateRequest

2330

* should be skipped or not.

2331

*/

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

2332

MBEDTLS_CHECK_RETURN_CRITICAL

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2333

static int ssl_tls13_certificate_request_coordinate(mbedtls_ssl_context *ssl)

XiaokangQian

2022-05-07 01:25:58 +0000

[diff] [blame]

{

int authmode;

XiaokangQian

2022-05-07 09:02:40 +0000

[diff] [blame]

2337

#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2338

if (ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET) {

XiaokangQian

2022-05-07 09:02:40 +0000

[diff] [blame]

2339

authmode = ssl->handshake->sni_authmode;

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2340

} else

XiaokangQian

2022-05-07 09:02:40 +0000

[diff] [blame]

2341

#endif

XiaokangQian

2022-05-07 01:25:58 +0000

[diff] [blame]

2342

authmode = ssl->conf->authmode;

2343

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2344

if (authmode == MBEDTLS_SSL_VERIFY_NONE) {

Ronald Cron

eac00ad

2022-09-13 10:16:31 +0200

[diff] [blame]

2345

ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_SKIP_VERIFY;

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2346

return SSL_CERTIFICATE_REQUEST_SKIP;

Ronald Cron

eac00ad

2022-09-13 10:16:31 +0200

[diff] [blame]

2347

}

XiaokangQian

2022-05-07 01:25:58 +0000

[diff] [blame]

2348

XiaokangQian

c3017f6

2022-05-13 05:55:41 +0000

[diff] [blame]

2349

ssl->handshake->certificate_request_sent = 1;

XiaokangQian

189ded2

2022-05-10 08:12:17 +0000

[diff] [blame]

2350

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2351

return SSL_CERTIFICATE_REQUEST_SEND_REQUEST;

XiaokangQian

2022-05-07 01:25:58 +0000

[diff] [blame]

2352

}

2353

XiaokangQian

2022-05-06 07:28:50 +0000

[diff] [blame]

2354

/*

2355

* struct {

2356

* opaque certificate_request_context<0..2^8-1>;

2357

* Extension extensions<2..2^16-1>;

2358

* } CertificateRequest;

2359

*

2360

*/

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

2361

MBEDTLS_CHECK_RETURN_CRITICAL

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2362

static int ssl_tls13_write_certificate_request_body(mbedtls_ssl_context *ssl,

2363

unsigned char *buf,

2364

const unsigned char *end,

2365

size_t *out_len)

XiaokangQian

2022-05-06 07:28:50 +0000

[diff] [blame]

2366

{

2367

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

2368

unsigned char *p = buf;

XiaokangQian

ec6efb9

2022-05-06 09:53:10 +0000

[diff] [blame]

2369

size_t output_len = 0;

XiaokangQian

2022-05-06 07:28:50 +0000

[diff] [blame]

2370

unsigned char *p_extensions_len;

*out_len = 0;

/* Check if we have enough space:

2375

* - certificate_request_context (1 byte)

2376

* - extensions length (2 bytes)

2377

*/

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2378

MBEDTLS_SSL_CHK_BUF_PTR(p, end, 3);

XiaokangQian

2022-05-06 07:28:50 +0000

[diff] [blame]

2379

2380

/*

2381

* Write certificate_request_context

2382

*/

2383

/*

2384

* We use a zero length context for the normal handshake

2385

* messages. For post-authentication handshake messages

2386

* this request context would be set to a non-zero value.

*/

*p++ = 0x0;

/*

* Write extensions

*/

/* The extensions must contain the signature_algorithms. */

2394

p_extensions_len = p;

2395

p += 2;

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2396

ret = mbedtls_ssl_write_sig_alg_ext(ssl, p, end, &output_len);

2397

if (ret != 0) {

2398

return ret;

2399

}

XiaokangQian

2022-05-06 07:28:50 +0000

[diff] [blame]

2400

XiaokangQian

ec6efb9

2022-05-06 09:53:10 +0000

[diff] [blame]

2401

p += output_len;

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2402

MBEDTLS_PUT_UINT16_BE(p - p_extensions_len - 2, p_extensions_len, 0);

XiaokangQian

2022-05-06 07:28:50 +0000

[diff] [blame]

*out_len = p - buf;

Jerry Yu

2022-11-08 21:43:46 +0800

[diff] [blame]

2406

MBEDTLS_SSL_PRINT_EXTS(

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2407

3, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST, ssl->handshake->sent_extensions);

Jerry Yu

2022-10-31 13:31:22 +0800

[diff] [blame]

2408

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2409

return 0;

XiaokangQian

2022-05-06 07:28:50 +0000

[diff] [blame]

2410

}

2411

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

2412

MBEDTLS_CHECK_RETURN_CRITICAL

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2413

static int ssl_tls13_write_certificate_request(mbedtls_ssl_context *ssl)

XiaokangQian

2022-05-06 07:28:50 +0000

[diff] [blame]

2414

{

2415

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

2416

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2417

MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate request"));

XiaokangQian

2022-05-06 07:28:50 +0000

[diff] [blame]

2418

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2419

MBEDTLS_SSL_PROC_CHK_NEG(ssl_tls13_certificate_request_coordinate(ssl));

XiaokangQian

2022-05-06 07:28:50 +0000

[diff] [blame]

2420

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2421

if (ret == SSL_CERTIFICATE_REQUEST_SEND_REQUEST) {

XiaokangQian

2022-05-06 07:28:50 +0000

[diff] [blame]

2422

unsigned char *buf;

2423

size_t buf_len, msg_len;

2424

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2425

MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_start_handshake_msg(ssl,

2426

MBEDTLS_SSL_HS_CERTIFICATE_REQUEST,

2427

&buf, &buf_len));

XiaokangQian

2022-05-06 07:28:50 +0000

[diff] [blame]

2428

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2429

MBEDTLS_SSL_PROC_CHK(ssl_tls13_write_certificate_request_body(

2430

ssl, buf, buf + buf_len, &msg_len));

XiaokangQian

2022-05-06 07:28:50 +0000

[diff] [blame]

2431

2432

mbedtls_ssl_add_hs_msg_to_checksum(

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2433

ssl, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST, buf, msg_len);

XiaokangQian

2022-05-06 07:28:50 +0000

[diff] [blame]

2434

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2435

MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_finish_handshake_msg(

2436

ssl, buf_len, msg_len));

2437

} else if (ret == SSL_CERTIFICATE_REQUEST_SKIP) {

2438

MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate request"));

XiaokangQian

2022-05-06 07:28:50 +0000

[diff] [blame]

2439

ret = 0;

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2440

} else {

2441

MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));

XiaokangQian

2022-05-06 07:28:50 +0000

[diff] [blame]

2442

ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;

goto cleanup;

}

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2446

mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_CERTIFICATE);

XiaokangQian

2022-05-06 07:28:50 +0000

[diff] [blame]

2447

cleanup:

2448

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2449

MBEDTLS_SSL_DEBUG_MSG(2, ("<= write certificate request"));

2450

return ret;

XiaokangQian

2022-05-06 07:28:50 +0000

[diff] [blame]

2451

}

XiaokangQian

2022-05-06 07:28:50 +0000

[diff] [blame]

2452

Jerry Yu

2022-04-16 12:37:19 +0800

[diff] [blame]

2453

/*

Jerry Yu

c6e6dbf

2022-04-16 19:42:57 +0800

[diff] [blame]

2454

* Handler for MBEDTLS_SSL_SERVER_CERTIFICATE

Jerry Yu

2022-04-16 13:59:52 +0800

[diff] [blame]

2455

*/

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

2456

MBEDTLS_CHECK_RETURN_CRITICAL

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2457

static int ssl_tls13_write_server_certificate(mbedtls_ssl_context *ssl)

Jerry Yu

2022-04-16 13:59:52 +0800

[diff] [blame]

2458

{

Jerry Yu

5a26f30

2022-05-10 20:46:40 +0800

[diff] [blame]

2459

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

XiaokangQian

2022-06-15 03:57:21 +0000

[diff] [blame]

2460

2461

#if defined(MBEDTLS_X509_CRT_PARSE_C)

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2462

if ((ssl_tls13_pick_key_cert(ssl) != 0) ||

2463

mbedtls_ssl_own_cert(ssl) == NULL) {

2464

MBEDTLS_SSL_DEBUG_MSG(2, ("No certificate available."));

2465

MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,

2466

MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE);

2467

return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;

Jerry Yu

5a26f30

2022-05-10 20:46:40 +0800

[diff] [blame]

2468

}

XiaokangQian

2022-06-15 03:57:21 +0000

[diff] [blame]

2469

#endif /* MBEDTLS_X509_CRT_PARSE_C */

Jerry Yu

5a26f30

2022-05-10 20:46:40 +0800

[diff] [blame]

2470

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2471

ret = mbedtls_ssl_tls13_write_certificate(ssl);

if (ret != 0) {

return ret;

}

mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CERTIFICATE_VERIFY);

2476

return 0;

Jerry Yu

2022-04-16 13:59:52 +0800

[diff] [blame]

2477

}

2478

2479

/*

Jerry Yu

c6e6dbf

2022-04-16 19:42:57 +0800

[diff] [blame]

2480

* Handler for MBEDTLS_SSL_CERTIFICATE_VERIFY

Jerry Yu

2022-04-16 13:59:52 +0800

[diff] [blame]

2481

*/

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

2482

MBEDTLS_CHECK_RETURN_CRITICAL

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2483

static int ssl_tls13_write_certificate_verify(mbedtls_ssl_context *ssl)

Jerry Yu

2022-04-16 13:59:52 +0800

[diff] [blame]

2484

{

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2485

int ret = mbedtls_ssl_tls13_write_certificate_verify(ssl);

if (ret != 0) {

return ret;

}

mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_FINISHED);

2490

return 0;

Jerry Yu

2022-04-16 13:59:52 +0800

[diff] [blame]

2491

}

Ronald Cron

2022-10-04 16:14:26 +0200

[diff] [blame]

2492

#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */

Jerry Yu

2022-04-16 13:59:52 +0800

[diff] [blame]

2493

2494

/*

Jerry Yu

2022-05-18 13:59:24 +0800

[diff] [blame]

2495

* Handler for MBEDTLS_SSL_SERVER_FINISHED

Jerry Yu

2022-04-16 12:51:26 +0800

[diff] [blame]

2496

*/

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

2497

MBEDTLS_CHECK_RETURN_CRITICAL

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2498

static int ssl_tls13_write_server_finished(mbedtls_ssl_context *ssl)

Jerry Yu

2022-04-16 12:51:26 +0800

[diff] [blame]

2499

{

Jerry Yu

2022-05-18 13:59:24 +0800

[diff] [blame]

2500

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

Jerry Yu

27bdc7c

2022-04-16 13:33:27 +0800

[diff] [blame]

2501

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2502

ret = mbedtls_ssl_tls13_write_finished_message(ssl);

2503

if (ret != 0) {

2504

return ret;

2505

}

Jerry Yu

27bdc7c

2022-04-16 13:33:27 +0800

[diff] [blame]

2506

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2507

ret = mbedtls_ssl_tls13_compute_application_transform(ssl);

2508

if (ret != 0) {

Jerry Yu

e3d67cb

2022-05-19 15:33:10 +0800

[diff] [blame]

2509

MBEDTLS_SSL_PEND_FATAL_ALERT(

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2510

MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,

2511

MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE);

2512

return ret;

Jerry Yu

e3d67cb

2022-05-19 15:33:10 +0800

[diff] [blame]

2513

}

XiaokangQian

c3017f6

2022-05-13 05:55:41 +0000

[diff] [blame]

2514

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2515

MBEDTLS_SSL_DEBUG_MSG(1, ("Switch to handshake keys for inbound traffic"));

2516

mbedtls_ssl_set_inbound_transform(ssl, ssl->handshake->transform_handshake);

XiaokangQian

189ded2

2022-05-10 08:12:17 +0000

[diff] [blame]

2517

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2518

if (ssl->handshake->certificate_request_sent) {

2519

mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE);

2520

} else {

2521

MBEDTLS_SSL_DEBUG_MSG(2, ("skip parse certificate"));

2522

MBEDTLS_SSL_DEBUG_MSG(2, ("skip parse certificate verify"));

2523

mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_FINISHED);

Ronald Cron

1938588

2022-06-15 16:26:13 +0200

[diff] [blame]

2524

}

Ronald Cron

63dc463

2022-05-31 14:41:53 +0200

[diff] [blame]

2525

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2526

return 0;

Jerry Yu

2022-04-16 12:51:26 +0800

[diff] [blame]

2527

}

2528

2529

/*

Jerry Yu

2022-05-18 13:59:24 +0800

[diff] [blame]

2530

* Handler for MBEDTLS_SSL_CLIENT_FINISHED

Jerry Yu

2022-04-16 12:51:26 +0800

[diff] [blame]

2531

*/

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

2532

MBEDTLS_CHECK_RETURN_CRITICAL

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2533

static int ssl_tls13_process_client_finished(mbedtls_ssl_context *ssl)

Jerry Yu

2022-04-16 12:51:26 +0800

[diff] [blame]

2534

{

Jerry Yu

2022-05-18 13:59:24 +0800

[diff] [blame]

2535

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

2536

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2537

ret = mbedtls_ssl_tls13_process_finished_message(ssl);

2538

if (ret != 0) {

2539

return ret;

Jerry Yu

e3d67cb

2022-05-19 15:33:10 +0800

[diff] [blame]

2540

}

2541

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2542

ret = mbedtls_ssl_tls13_compute_resumption_master_secret(ssl);

2543

if (ret != 0) {

2544

MBEDTLS_SSL_DEBUG_RET(1,

2545

"mbedtls_ssl_tls13_compute_resumption_master_secret", ret);

2546

}

2547

2548

mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_WRAPUP);

2549

return 0;

Jerry Yu

2022-04-16 12:51:26 +0800

[diff] [blame]

2550

}

2551

2552

/*

Jerry Yu

2022-05-18 13:59:24 +0800

[diff] [blame]

2553

* Handler for MBEDTLS_SSL_HANDSHAKE_WRAPUP

Jerry Yu

2022-04-16 12:51:26 +0800

[diff] [blame]

2554

*/

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

2555

MBEDTLS_CHECK_RETURN_CRITICAL

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2556

static int ssl_tls13_handshake_wrapup(mbedtls_ssl_context *ssl)

Jerry Yu

2022-04-16 12:51:26 +0800

[diff] [blame]

2557

{

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2558

MBEDTLS_SSL_DEBUG_MSG(2, ("handshake: done"));

Jerry Yu

03ed50b

2022-04-16 17:13:30 +0800

[diff] [blame]

2559

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2560

mbedtls_ssl_tls13_handshake_wrapup(ssl);

Jerry Yu

2022-07-07 07:29:42 +0000

[diff] [blame]

2561

2562

#if defined(MBEDTLS_SSL_SESSION_TICKETS)

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2563

mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET);

Jerry Yu

2022-07-21 10:37:48 +0800

[diff] [blame]

2564

#else

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2565

mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_OVER);

Jerry Yu

2022-07-21 10:37:48 +0800

[diff] [blame]

2566

#endif

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2567

return 0;

Jerry Yu

2022-04-16 12:51:26 +0800

[diff] [blame]

2568

}

2569

2570

/*

Jerry Yu

2022-10-30 14:51:23 +0800

[diff] [blame]

2571

* Handler for MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET

Jerry Yu

2022-07-07 07:29:42 +0000

[diff] [blame]

2572

*/

2573

#define SSL_NEW_SESSION_TICKET_SKIP 0

2574

#define SSL_NEW_SESSION_TICKET_WRITE 1

2575

MBEDTLS_CHECK_RETURN_CRITICAL

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2576

static int ssl_tls13_write_new_session_ticket_coordinate(mbedtls_ssl_context *ssl)

Jerry Yu

2022-07-07 07:29:42 +0000

[diff] [blame]

2577

{

2578

/* Check whether the use of session tickets is enabled */

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2579

if (ssl->conf->f_ticket_write == NULL) {

2580

MBEDTLS_SSL_DEBUG_MSG(2, ("NewSessionTicket: disabled,"

2581

" callback is not set"));

2582

return SSL_NEW_SESSION_TICKET_SKIP;

Jerry Yu

d0766ec

2022-09-22 10:46:57 +0800

[diff] [blame]

2583

}

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2584

if (ssl->conf->new_session_tickets_count == 0) {

2585

MBEDTLS_SSL_DEBUG_MSG(2, ("NewSessionTicket: disabled,"

2586

" configured count is zero"));

2587

return SSL_NEW_SESSION_TICKET_SKIP;

Jerry Yu

d0766ec

2022-09-22 10:46:57 +0800

[diff] [blame]

2588

}

2589

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2590

if (ssl->handshake->new_session_tickets_count == 0) {

2591

MBEDTLS_SSL_DEBUG_MSG(2, ("NewSessionTicket: all tickets have "

2592

"been sent."));

2593

return SSL_NEW_SESSION_TICKET_SKIP;

Jerry Yu

2022-07-07 07:29:42 +0000

[diff] [blame]

2594

}

2595

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2596

return SSL_NEW_SESSION_TICKET_WRITE;

Jerry Yu

2022-07-07 07:29:42 +0000

[diff] [blame]

2597

}

2598

2599

#if defined(MBEDTLS_SSL_SESSION_TICKETS)

2600

MBEDTLS_CHECK_RETURN_CRITICAL

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2601

static int ssl_tls13_prepare_new_session_ticket(mbedtls_ssl_context *ssl,

2602

unsigned char *ticket_nonce,

2603

size_t ticket_nonce_size)

Jerry Yu

2022-07-07 07:29:42 +0000

[diff] [blame]

2604

{

2605

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

2606

mbedtls_ssl_session *session = ssl->session;

2607

mbedtls_ssl_ciphersuite_t *ciphersuite_info;

2608

psa_algorithm_t psa_hash_alg;

2609

int hash_length;

2610

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2611

MBEDTLS_SSL_DEBUG_MSG(2, ("=> prepare NewSessionTicket msg"));

Jerry Yu

2022-07-07 07:29:42 +0000

[diff] [blame]

2612

2613

#if defined(MBEDTLS_HAVE_TIME)

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2614

session->start = mbedtls_time(NULL);

Jerry Yu

2022-07-07 07:29:42 +0000

[diff] [blame]

2615

#endif

2616

2617

/* Generate ticket_age_add */

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2618

if ((ret = ssl->conf->f_rng(ssl->conf->p_rng,

2619

(unsigned char *) &session->ticket_age_add,

2620

sizeof(session->ticket_age_add)) != 0)) {

2621

MBEDTLS_SSL_DEBUG_RET(1, "generate_ticket_age_add", ret);

2622

return ret;

Jerry Yu

2022-07-07 07:29:42 +0000

[diff] [blame]

2623

}

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2624

MBEDTLS_SSL_DEBUG_MSG(3, ("ticket_age_add: %u",

2625

(unsigned int) session->ticket_age_add));

Jerry Yu

2022-07-07 07:29:42 +0000

[diff] [blame]

2626

2627

/* Generate ticket_nonce */

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2628

ret = ssl->conf->f_rng(ssl->conf->p_rng, ticket_nonce, ticket_nonce_size);

2629

if (ret != 0) {

2630

MBEDTLS_SSL_DEBUG_RET(1, "generate_ticket_nonce", ret);

2631

return ret;

Jerry Yu

2022-07-07 07:29:42 +0000

[diff] [blame]

2632

}

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2633

MBEDTLS_SSL_DEBUG_BUF(3, "ticket_nonce:",

2634

ticket_nonce, ticket_nonce_size);

Jerry Yu

2022-07-07 07:29:42 +0000

[diff] [blame]

2635

2636

ciphersuite_info =

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2637

(mbedtls_ssl_ciphersuite_t *) ssl->handshake->ciphersuite_info;

2638

psa_hash_alg = mbedtls_psa_translate_md(ciphersuite_info->mac);

2639

hash_length = PSA_HASH_LENGTH(psa_hash_alg);

2640

if (hash_length == -1 ||

2641

(size_t) hash_length > sizeof(session->resumption_key)) {

2642

return MBEDTLS_ERR_SSL_INTERNAL_ERROR;

Jerry Yu

2022-07-21 10:37:48 +0800

[diff] [blame]

2643

}

2644

Jerry Yu

2022-07-07 07:29:42 +0000

[diff] [blame]

2645

/* In this code the psk key length equals the length of the hash */

2646

session->resumption_key_len = hash_length;

2647

session->ciphersuite = ciphersuite_info->id;

2648

2649

/* Compute resumption key

2650

*

2651

* HKDF-Expand-Label( resumption_master_secret,

2652

* "resumption", ticket_nonce, Hash.length )

2653

*/

2654

ret = mbedtls_ssl_tls13_hkdf_expand_label(

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2655

psa_hash_alg,

2656

session->app_secrets.resumption_master_secret,

2657

hash_length,

2658

MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(resumption),

2659

ticket_nonce,

2660

ticket_nonce_size,

2661

session->resumption_key,

2662

hash_length);

Jerry Yu

2022-07-07 07:29:42 +0000

[diff] [blame]

2663

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2664

if (ret != 0) {

2665

MBEDTLS_SSL_DEBUG_RET(2,

2666

"Creating the ticket-resumed PSK failed",

2667

ret);

2668

return ret;

Jerry Yu

2022-07-07 07:29:42 +0000

[diff] [blame]

2669

}

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2670

MBEDTLS_SSL_DEBUG_BUF(3, "Ticket-resumed PSK",

2671

session->resumption_key,

2672

session->resumption_key_len);

Jerry Yu

2022-07-07 07:29:42 +0000

[diff] [blame]

2673

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2674

MBEDTLS_SSL_DEBUG_BUF(3, "resumption_master_secret",

2675

session->app_secrets.resumption_master_secret,

2676

hash_length);

Jerry Yu

2022-07-07 07:29:42 +0000

[diff] [blame]

2677

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2678

return 0;

Jerry Yu

2022-07-07 07:29:42 +0000

[diff] [blame]

2679

}

2680

2681

/* This function creates a NewSessionTicket message in the following format:

2682

*

2683

* struct {

2684

* uint32 ticket_lifetime;

2685

* uint32 ticket_age_add;

2686

* opaque ticket_nonce<0..255>;

2687

* opaque ticket<1..2^16-1>;

2688

* Extension extensions<0..2^16-2>;

2689

* } NewSessionTicket;

2690

*

2691

* The ticket inside the NewSessionTicket message is an encrypted container

2692

* carrying the necessary information so that the server is later able to

2693

* re-start the communication.

2694

*

2695

* The following fields are placed inside the ticket by the

2696

* f_ticket_write() function:

2697

*

2698

* - creation time (start)

2699

* - flags (flags)

2700

* - age add (ticket_age_add)

2701

* - key (key)

2702

* - key length (key_len)

2703

* - ciphersuite (ciphersuite)

2704

*/

2705

MBEDTLS_CHECK_RETURN_CRITICAL

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2706

static int ssl_tls13_write_new_session_ticket_body(mbedtls_ssl_context *ssl,

unsigned char *buf,

unsigned char *end,

size_t *out_len,

unsigned char *ticket_nonce,

2711

size_t ticket_nonce_size)

Jerry Yu

2022-07-07 07:29:42 +0000

[diff] [blame]

2712

{

2713

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

2714

unsigned char *p = buf;

2715

mbedtls_ssl_session *session = ssl->session;

2716

size_t ticket_len;

2717

uint32_t ticket_lifetime;

2718

2719

*out_len = 0;

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2720

MBEDTLS_SSL_DEBUG_MSG(2, ("=> write NewSessionTicket msg"));

Jerry Yu

2022-07-07 07:29:42 +0000

[diff] [blame]

2721

2722

/*

2723

* ticket_lifetime 4 bytes

2724

* ticket_age_add 4 bytes

2725

* ticket_nonce 1 + ticket_nonce_size bytes

2726

* ticket >=2 bytes

2727

*/

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2728

MBEDTLS_SSL_CHK_BUF_PTR(p, end, 4 + 4 + 1 + ticket_nonce_size + 2);

Jerry Yu

2022-07-07 07:29:42 +0000

[diff] [blame]

2729

2730

/* Generate ticket and ticket_lifetime */

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2731

ret = ssl->conf->f_ticket_write(ssl->conf->p_ticket,

2732

session,

2733

p + 9 + ticket_nonce_size + 2,

end,

&ticket_len,

&ticket_lifetime);

if (ret != 0) {

MBEDTLS_SSL_DEBUG_RET(1, "write_ticket", ret);

2739

return ret;

Jerry Yu

2022-07-07 07:29:42 +0000

[diff] [blame]

2740

}

2741

/* RFC 8446 4.6.1

2742

* ticket_lifetime: Indicates the lifetime in seconds as a 32-bit

2743

* unsigned integer in network byte order from the time of ticket

2744

* issuance. Servers MUST NOT use any value greater than

2745

* 604800 seconds (7 days). The value of zero indicates that the

2746

* ticket should be discarded immediately. Clients MUST NOT cache

2747

* tickets for longer than 7 days, regardless of the ticket_lifetime,

2748

* and MAY delete tickets earlier based on local policy. A server

2749

* MAY treat a ticket as valid for a shorter period of time than what

2750

* is stated in the ticket_lifetime.

2751

*/

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2752

if (ticket_lifetime > 604800) {

Xiaokang Qian

28af501

2022-10-13 08:18:19 +0000

[diff] [blame]

2753

ticket_lifetime = 604800;

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2754

}

2755

MBEDTLS_PUT_UINT32_BE(ticket_lifetime, p, 0);

2756

MBEDTLS_SSL_DEBUG_MSG(3, ("ticket_lifetime: %u",

2757

(unsigned int) ticket_lifetime));

Jerry Yu

2022-07-07 07:29:42 +0000

[diff] [blame]

2758

2759

/* Write ticket_age_add */

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2760

MBEDTLS_PUT_UINT32_BE(session->ticket_age_add, p, 4);

2761

MBEDTLS_SSL_DEBUG_MSG(3, ("ticket_age_add: %u",

2762

(unsigned int) session->ticket_age_add));

Jerry Yu

2022-07-07 07:29:42 +0000

[diff] [blame]

2763

2764

/* Write ticket_nonce */

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2765

p[8] = (unsigned char) ticket_nonce_size;

2766

if (ticket_nonce_size > 0) {

2767

memcpy(p + 9, ticket_nonce, ticket_nonce_size);

Jerry Yu

2022-07-07 07:29:42 +0000

[diff] [blame]

2768

}

2769

p += 9 + ticket_nonce_size;

2770

2771

/* Write ticket */

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2772

MBEDTLS_PUT_UINT16_BE(ticket_len, p, 0);

Jerry Yu

2022-07-07 07:29:42 +0000

[diff] [blame]

2773

p += 2;

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2774

MBEDTLS_SSL_DEBUG_BUF(4, "ticket", p, ticket_len);

Jerry Yu

2022-07-07 07:29:42 +0000

[diff] [blame]

p += ticket_len;

/* Ticket Extensions

*

* Note: We currently don't have any extensions.

2780

* Set length to zero.

2781

*/

Jerry Yu

edab637

2022-10-31 14:37:31 +0800

[diff] [blame]

2782

ssl->handshake->sent_extensions = MBEDTLS_SSL_EXT_MASK_NONE;

2783

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2784

MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2);

2785

MBEDTLS_PUT_UINT16_BE(0, p, 0);

Jerry Yu

2022-07-07 07:29:42 +0000

[diff] [blame]

2786

p += 2;

2787

2788

*out_len = p - buf;

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2789

MBEDTLS_SSL_DEBUG_BUF(4, "ticket", buf, *out_len);

2790

MBEDTLS_SSL_DEBUG_MSG(2, ("<= write new session ticket"));

Jerry Yu

2022-07-07 07:29:42 +0000

[diff] [blame]

2791

Jerry Yu

7de2ff0

2022-11-08 21:43:46 +0800

[diff] [blame]

2792

MBEDTLS_SSL_PRINT_EXTS(

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2793

3, MBEDTLS_SSL_HS_NEW_SESSION_TICKET, ssl->handshake->sent_extensions);

Jerry Yu

2022-10-31 13:31:22 +0800

[diff] [blame]

2794

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2795

return 0;

Jerry Yu

2022-07-07 07:29:42 +0000

[diff] [blame]

2796

}

2797

2798

/*

Jerry Yu

2022-10-30 14:51:23 +0800

[diff] [blame]

2799

* Handler for MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET

Jerry Yu

2022-07-07 07:29:42 +0000

[diff] [blame]

2800

*/

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2801

static int ssl_tls13_write_new_session_ticket(mbedtls_ssl_context *ssl)

Jerry Yu

2022-07-07 07:29:42 +0000

[diff] [blame]

2802

{

2803

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

2804

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2805

MBEDTLS_SSL_PROC_CHK_NEG(ssl_tls13_write_new_session_ticket_coordinate(ssl));

Jerry Yu

2022-07-07 07:29:42 +0000

[diff] [blame]

2806

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2807

if (ret == SSL_NEW_SESSION_TICKET_WRITE) {

Jerry Yu

2022-07-07 07:29:42 +0000

[diff] [blame]

2808

unsigned char ticket_nonce[MBEDTLS_SSL_TLS1_3_TICKET_NONCE_LENGTH];

2809

unsigned char *buf;

2810

size_t buf_len, msg_len;

2811

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2812

MBEDTLS_SSL_PROC_CHK(ssl_tls13_prepare_new_session_ticket(

2813

ssl, ticket_nonce, sizeof(ticket_nonce)));

Jerry Yu

2022-07-07 07:29:42 +0000

[diff] [blame]

2814

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2815

MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_start_handshake_msg(ssl,

2816

MBEDTLS_SSL_HS_NEW_SESSION_TICKET,

2817

&buf, &buf_len));

Jerry Yu

2022-07-07 07:29:42 +0000

[diff] [blame]

2818

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2819

MBEDTLS_SSL_PROC_CHK(ssl_tls13_write_new_session_ticket_body(

2820

ssl, buf, buf + buf_len, &msg_len,

2821

ticket_nonce, sizeof(ticket_nonce)));

Jerry Yu

2022-07-07 07:29:42 +0000

[diff] [blame]

2822

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2823

MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_finish_handshake_msg(

2824

ssl, buf_len, msg_len));

Jerry Yu

2022-07-21 10:37:48 +0800

[diff] [blame]

2825

Jerry Yu

359e65f

2022-09-22 23:47:43 +0800

[diff] [blame]

2826

/* Limit session tickets count to one when resumption connection.

2827

*

2828

* See document of mbedtls_ssl_conf_new_session_tickets.

2829

*/

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2830

if (ssl->handshake->resume == 1) {

Jerry Yu

359e65f

2022-09-22 23:47:43 +0800

[diff] [blame]

2831

ssl->handshake->new_session_tickets_count = 0;

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2832

} else {

Jerry Yu

359e65f

2022-09-22 23:47:43 +0800

[diff] [blame]

2833

ssl->handshake->new_session_tickets_count--;

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2834

}

Jerry Yu

b7e3fa7

2022-09-22 11:07:18 +0800

[diff] [blame]

2835

Jerry Yu

2022-10-30 14:51:23 +0800

[diff] [blame]

2836

mbedtls_ssl_handshake_set_state(

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2837

ssl, MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET_FLUSH);

2838

} else {

2839

mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_OVER);

Jerry Yu

2022-07-07 07:29:42 +0000

[diff] [blame]

2840

}

2841

Jerry Yu

2022-07-07 07:29:42 +0000

[diff] [blame]

2842

cleanup:

2843

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2844

return ret;

Jerry Yu

2022-07-07 07:29:42 +0000

[diff] [blame]

2845

}

2846

#endif /* MBEDTLS_SSL_SESSION_TICKETS */

2847

2848

/*

XiaokangQian

2022-04-22 02:34:40 +0000

[diff] [blame]

2849

* TLS 1.3 State Machine -- server side

XiaokangQian

2022-02-15 10:04:37 +0000

[diff] [blame]

2850

*/

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2851

int mbedtls_ssl_tls13_handshake_server_step(mbedtls_ssl_context *ssl)

Jerry Yu

b9930e7

2021-08-06 17:11:51 +0800

[diff] [blame]

2852

{

XiaokangQian

2022-04-20 07:16:41 +0000

[diff] [blame]

2853

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

XiaokangQian

2022-02-15 10:04:37 +0000

[diff] [blame]

2854

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2855

if (ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER || ssl->handshake == NULL) {

2856

return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;

2857

}

XiaokangQian

2022-02-15 10:04:37 +0000

[diff] [blame]

2858

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2859

MBEDTLS_SSL_DEBUG_MSG(2, ("tls13 server state: %s(%d)",

2860

mbedtls_ssl_states_str(ssl->state),

2861

ssl->state));

Jerry Yu

6e81b27

2021-09-27 11:16:17 +0800

[diff] [blame]

2862

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2863

switch (ssl->state) {

XiaokangQian

2022-02-15 10:04:37 +0000

[diff] [blame]

2864

/* start state */

2865

case MBEDTLS_SSL_HELLO_REQUEST:

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2866

mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_HELLO);

XiaokangQian

2022-04-20 07:16:41 +0000

[diff] [blame]

2867

ret = 0;

XiaokangQian

2022-02-15 10:04:37 +0000

[diff] [blame]

2868

break;

2869

XiaokangQian

2022-02-15 10:04:37 +0000

[diff] [blame]

2870

case MBEDTLS_SSL_CLIENT_HELLO:

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2871

ret = ssl_tls13_process_client_hello(ssl);

2872

if (ret != 0) {

2873

MBEDTLS_SSL_DEBUG_RET(1, "ssl_tls13_process_client_hello", ret);

2874

}

Jerry Yu

2022-05-09 22:20:30 +0800

[diff] [blame]

2875

break;

XiaokangQian

2022-02-15 10:04:37 +0000

[diff] [blame]

2876

Jerry Yu

2022-05-09 22:20:30 +0800

[diff] [blame]

2877

case MBEDTLS_SSL_HELLO_RETRY_REQUEST:

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2878

ret = ssl_tls13_write_hello_retry_request(ssl);

2879

if (ret != 0) {

2880

MBEDTLS_SSL_DEBUG_RET(1, "ssl_tls13_write_hello_retry_request", ret);

2881

return ret;

Jerry Yu

2022-05-09 22:20:30 +0800

[diff] [blame]

2882

}

XiaokangQian

2022-02-15 10:04:37 +0000

[diff] [blame]

2883

break;

2884

Jerry Yu

2022-03-30 17:15:02 +0800

[diff] [blame]

2885

case MBEDTLS_SSL_SERVER_HELLO:

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2886

ret = ssl_tls13_write_server_hello(ssl);

Jerry Yu

2022-03-30 17:15:02 +0800

[diff] [blame]

2887

break;

2888

Xiaofei Bai

cba64af

2022-02-15 10:00:56 +0000

[diff] [blame]

2889

case MBEDTLS_SSL_ENCRYPTED_EXTENSIONS:

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2890

ret = ssl_tls13_write_encrypted_extensions(ssl);

2891

if (ret != 0) {

2892

MBEDTLS_SSL_DEBUG_RET(1, "ssl_tls13_write_encrypted_extensions", ret);

2893

return ret;

Xiaofei Bai

cba64af

2022-02-15 10:00:56 +0000

[diff] [blame]

2894

}

Jerry Yu

4833056

2022-05-06 21:35:44 +0800

[diff] [blame]

2895

break;

Jerry Yu

6a2cd9e

2022-05-05 11:14:19 +0800

[diff] [blame]

2896

Ronald Cron

2022-10-04 16:14:26 +0200

[diff] [blame]

2897

#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)

Xiaofei Bai

2022-02-14 12:57:18 +0000

[diff] [blame]

2898

case MBEDTLS_SSL_CERTIFICATE_REQUEST:

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2899

ret = ssl_tls13_write_certificate_request(ssl);

Xiaofei Bai

2022-02-14 12:57:18 +0000

[diff] [blame]

2900

break;

Xiaofei Bai

2022-02-14 12:57:18 +0000

[diff] [blame]

2901

Jerry Yu

2022-04-16 13:59:52 +0800

[diff] [blame]

2902

case MBEDTLS_SSL_SERVER_CERTIFICATE:

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2903

ret = ssl_tls13_write_server_certificate(ssl);

Jerry Yu

2022-04-16 13:59:52 +0800

[diff] [blame]

2904

break;

2905

2906

case MBEDTLS_SSL_CERTIFICATE_VERIFY:

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2907

ret = ssl_tls13_write_certificate_verify(ssl);

Jerry Yu

2022-04-16 13:59:52 +0800

[diff] [blame]

2908

break;

Ronald Cron

2022-10-04 16:14:26 +0200

[diff] [blame]

2909

#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */

Jerry Yu

2022-04-16 13:59:52 +0800

[diff] [blame]

2910

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2911

/*

2912

* Injection of dummy-CCS's for middlebox compatibility

2913

*/

Gabor Mezei

2022-05-24 16:04:14 +0200

[diff] [blame]

2914

#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)

Gabor Mezei

f7044ea

2022-06-28 16:01:49 +0200

[diff] [blame]

2915

case MBEDTLS_SSL_SERVER_CCS_AFTER_HELLO_RETRY_REQUEST:

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2916

ret = mbedtls_ssl_tls13_write_change_cipher_spec(ssl);

2917

if (ret == 0) {

2918

mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_HELLO);

2919

}

Gabor Mezei

2022-05-24 16:04:14 +0200

[diff] [blame]

2920

break;

2921

2922

case MBEDTLS_SSL_SERVER_CCS_AFTER_SERVER_HELLO:

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2923

ret = mbedtls_ssl_tls13_write_change_cipher_spec(ssl);

2924

if (ret == 0) {

2925

mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_ENCRYPTED_EXTENSIONS);

2926

}

Gabor Mezei

2022-05-24 16:04:14 +0200

[diff] [blame]

2927

break;

2928

#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */

2929

Jerry Yu

2022-04-16 12:51:26 +0800

[diff] [blame]

2930

case MBEDTLS_SSL_SERVER_FINISHED:

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2931

ret = ssl_tls13_write_server_finished(ssl);

Jerry Yu

2022-04-16 12:51:26 +0800

[diff] [blame]

2932

break;

2933

2934

case MBEDTLS_SSL_CLIENT_FINISHED:

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2935

ret = ssl_tls13_process_client_finished(ssl);

Jerry Yu

2022-04-16 12:51:26 +0800

[diff] [blame]

2936

break;

2937

Jerry Yu

2022-04-16 12:51:26 +0800

[diff] [blame]

2938

case MBEDTLS_SSL_HANDSHAKE_WRAPUP:

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2939

ret = ssl_tls13_handshake_wrapup(ssl);

Jerry Yu

2022-04-16 12:51:26 +0800

[diff] [blame]

2940

break;

2941

Ronald Cron

766c0cd

2022-10-18 12:17:11 +0200

[diff] [blame]

2942

#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)

XiaokangQian

2022-04-25 07:29:34 +0000

[diff] [blame]

2943

case MBEDTLS_SSL_CLIENT_CERTIFICATE:

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2944

ret = mbedtls_ssl_tls13_process_certificate(ssl);

2945

if (ret == 0) {

2946

if (ssl->session_negotiate->peer_cert != NULL) {

Ronald Cron

209cae9

2022-06-07 10:30:19 +0200

[diff] [blame]

2947

mbedtls_ssl_handshake_set_state(

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2948

ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY);

2949

} else {

2950

MBEDTLS_SSL_DEBUG_MSG(2, ("skip parse certificate verify"));

Ronald Cron

209cae9

2022-06-07 10:30:19 +0200

[diff] [blame]

2951

mbedtls_ssl_handshake_set_state(

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2952

ssl, MBEDTLS_SSL_CLIENT_FINISHED);

Ronald Cron

1938588

2022-06-15 16:26:13 +0200

[diff] [blame]

2953

}

XiaokangQian

2022-04-25 07:29:34 +0000

[diff] [blame]

}

break;

case MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY:

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2958

ret = mbedtls_ssl_tls13_process_certificate_verify(ssl);

2959

if (ret == 0) {

XiaokangQian

2022-04-25 07:29:34 +0000

[diff] [blame]

2960

mbedtls_ssl_handshake_set_state(

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2961

ssl, MBEDTLS_SSL_CLIENT_FINISHED);

XiaokangQian

2022-04-25 07:29:34 +0000

[diff] [blame]

2962

}

2963

break;

Ronald Cron

766c0cd

2022-10-18 12:17:11 +0200

[diff] [blame]

2964

#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */

XiaokangQian

2022-04-25 07:29:34 +0000

[diff] [blame]

2965

Jerry Yu

2022-07-07 07:29:42 +0000

[diff] [blame]

2966

#if defined(MBEDTLS_SSL_SESSION_TICKETS)

Jerry Yu

2022-10-30 14:51:23 +0800

[diff] [blame]

2967

case MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET:

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2968

ret = ssl_tls13_write_new_session_ticket(ssl);

2969

if (ret != 0) {

2970

MBEDTLS_SSL_DEBUG_RET(1,

2971

"ssl_tls13_write_new_session_ticket ",

2972

ret);

Jerry Yu

2022-07-07 07:29:42 +0000

[diff] [blame]

2973

}

2974

break;

Jerry Yu

2022-10-30 14:51:23 +0800

[diff] [blame]

2975

case MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET_FLUSH:

Jerry Yu

2022-07-07 07:29:42 +0000

[diff] [blame]

2976

/* This state is necessary to do the flush of the New Session

Jerry Yu

2022-10-30 14:51:23 +0800

[diff] [blame]

2977

* Ticket message written in MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET

Jerry Yu

2022-07-07 07:29:42 +0000

[diff] [blame]

2978

* as part of ssl_prepare_handshake_step.

2979

*/

2980

ret = 0;

Jerry Yu

d4e7500

2022-08-09 13:33:50 +0800

[diff] [blame]

2981

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2982

if (ssl->handshake->new_session_tickets_count == 0) {

2983

mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_OVER);

2984

} else {

2985

mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET);

2986

}

Jerry Yu

2022-07-07 07:29:42 +0000

[diff] [blame]

2987

break;

2988

2989

#endif /* MBEDTLS_SSL_SESSION_TICKETS */

2990

XiaokangQian

2022-02-15 10:04:37 +0000

[diff] [blame]

2991

default:

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2992

MBEDTLS_SSL_DEBUG_MSG(1, ("invalid state %d", ssl->state));

2993

return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;

XiaokangQian

2022-02-15 10:04:37 +0000

[diff] [blame]

2994

}

2995

David Horstmann

2023-01-03 12:51:59 +0000

[diff] [blame^]

2996

return ret;

Jerry Yu

b9930e7

2021-08-06 17:11:51 +0800

[diff] [blame]

2997

}

Jerry Yu