TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / b7d50acb37deb632856d4e30efbbdeec9836064b / . / library / ssl_tls13_server.c
blob: 980c2255b01283e6601767de4fb4854cc37f8566 [file] [log] [blame]
Jerry Yu3cc4c2a2021-08-06 16:29:08 +0800[diff] [blame]1/*
Jerry Yub9930e72021-08-06 17:11:51 +0800[diff] [blame]2 * TLS 1.3 server-side functions
Jerry Yu3cc4c2a2021-08-06 16:29:08 +0800[diff] [blame]3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]18 */
Jerry Yu3cc4c2a2021-08-06 16:29:08 +0800[diff] [blame]19
20#include "common.h"
21
Jerry Yufb4b6472022-01-27 15:03:26 +0800[diff] [blame]22#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
Jerry Yu3cc4c2a2021-08-06 16:29:08 +0800[diff] [blame]23
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]24#include "mbedtls/debug.h"
Xiaofei Baicba64af2022-02-15 10:00:56 +0000[diff] [blame]25#include "mbedtls/error.h"
26#include "mbedtls/platform.h"
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]27#include "mbedtls/constant_time.h"
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]28
Xiaofei Bai9ca09d42022-02-14 12:57:18 +0000[diff] [blame]29#include "ssl_misc.h"
30#include "ssl_tls13_keys.h"
31#include "ssl_debug_helpers.h"
32
Jerry Yuf35ba382022-08-23 17:58:26 +0800[diff] [blame]33
Jerry Yuc5a23a02022-08-25 10:51:44 +0800[diff] [blame]34static const mbedtls_ssl_ciphersuite_t *ssl_tls13_validate_peer_ciphersuite(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]35 mbedtls_ssl_context *ssl,
36 unsigned int cipher_suite)
Jerry Yuf35ba382022-08-23 17:58:26 +0800[diff] [blame]37{
38 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]39 if (!mbedtls_ssl_tls13_cipher_suite_is_offered(ssl, cipher_suite)) {
40 return NULL;
Jerry Yuf35ba382022-08-23 17:58:26 +0800[diff] [blame]41 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]42
43 ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(cipher_suite);
44 if ((mbedtls_ssl_validate_ciphersuite(ssl, ciphersuite_info,
45 ssl->tls_version,
46 ssl->tls_version) != 0)) {
47 return NULL;
48 }
49 return ciphersuite_info;
Jerry Yuf35ba382022-08-23 17:58:26 +0800[diff] [blame]50}
51
Ronald Cron41a443a2022-10-04 16:38:25 +0200[diff] [blame]52#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
Jerry Yue19e3b92022-07-08 12:04:51 +0000[diff] [blame]53/* From RFC 8446:
54 *
55 * enum { psk_ke(0), psk_dhe_ke(1), (255) } PskKeyExchangeMode;
56 * struct {
57 * PskKeyExchangeMode ke_modes<1..255>;
58 * } PskKeyExchangeModes;
59 */
Jerry Yu6e74a7e2022-07-20 20:49:32 +0800[diff] [blame]60MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]61static int ssl_tls13_parse_key_exchange_modes_ext(mbedtls_ssl_context *ssl,
62 const unsigned char *buf,
63 const unsigned char *end)
Jerry Yue19e3b92022-07-08 12:04:51 +0000[diff] [blame]64{
Jerry Yu299e31f2022-07-13 23:06:36 +0800[diff] [blame]65 const unsigned char *p = buf;
Jerry Yue19e3b92022-07-08 12:04:51 +0000[diff] [blame]66 size_t ke_modes_len;
67 int ke_modes = 0;
68
Jerry Yu854dd9e2022-07-15 14:28:27 +0800[diff] [blame]69 /* Read ke_modes length (1 Byte) */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]70 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 1);
Jerry Yu299e31f2022-07-13 23:06:36 +0800[diff] [blame]71 ke_modes_len = *p++;
Jerry Yue19e3b92022-07-08 12:04:51 +0000[diff] [blame]72 /* Currently, there are only two PSK modes, so even without looking
73 * at the content, something's wrong if the list has more than 2 items. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]74 if (ke_modes_len > 2) {
75 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
76 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
77 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Jerry Yu299e31f2022-07-13 23:06:36 +0800[diff] [blame]78 }
Jerry Yue19e3b92022-07-08 12:04:51 +0000[diff] [blame]79
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]80 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, ke_modes_len);
Jerry Yue19e3b92022-07-08 12:04:51 +0000[diff] [blame]81
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]82 while (ke_modes_len-- != 0) {
83 switch (*p++) {
84 case MBEDTLS_SSL_TLS1_3_PSK_MODE_PURE:
85 ke_modes |= MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK;
86 MBEDTLS_SSL_DEBUG_MSG(3, ("Found PSK KEX MODE"));
87 break;
88 case MBEDTLS_SSL_TLS1_3_PSK_MODE_ECDHE:
89 ke_modes |= MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL;
90 MBEDTLS_SSL_DEBUG_MSG(3, ("Found PSK_EPHEMERAL KEX MODE"));
91 break;
92 default:
93 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
94 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
95 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Jerry Yue19e3b92022-07-08 12:04:51 +0000[diff] [blame]96 }
97 }
98
99 ssl->handshake->tls13_kex_modes = ke_modes;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]100 return 0;
Jerry Yue19e3b92022-07-08 12:04:51 +0000[diff] [blame]101}
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]102
Jerry Yue9d4fc02022-08-20 19:21:15 +0800[diff] [blame]103#define SSL_TLS1_3_OFFERED_PSK_NOT_MATCH 1
104#define SSL_TLS1_3_OFFERED_PSK_MATCH 0
Jerry Yu95699e72022-08-21 19:22:23 +0800[diff] [blame]105
106#if defined(MBEDTLS_SSL_SESSION_TICKETS)
107
108MBEDTLS_CHECK_RETURN_CRITICAL
109static int ssl_tls13_offered_psks_check_identity_match_ticket(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]110 mbedtls_ssl_context *ssl,
111 const unsigned char *identity,
112 size_t identity_len,
113 uint32_t obfuscated_ticket_age,
114 mbedtls_ssl_session *session)
Jerry Yu95699e72022-08-21 19:22:23 +0800[diff] [blame]115{
Jerry Yufd310eb2022-09-06 09:16:35 +0800[diff] [blame]116 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yu95699e72022-08-21 19:22:23 +0800[diff] [blame]117 unsigned char *ticket_buffer;
Jerry Yu8d4bbba2022-09-13 14:15:48 +0800[diff] [blame]118#if defined(MBEDTLS_HAVE_TIME)
119 mbedtls_time_t now;
Jerry Yuacff8232022-09-14 14:35:11 +0800[diff] [blame]120 uint64_t age_in_s;
Jerry Yuf7dad3c2022-09-14 22:31:39 +0800[diff] [blame]121 int64_t age_diff_in_ms;
Jerry Yu8d4bbba2022-09-13 14:15:48 +0800[diff] [blame]122#endif
Jerry Yu95699e72022-08-21 19:22:23 +0800[diff] [blame]123
124 ((void) obfuscated_ticket_age);
125
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]126 MBEDTLS_SSL_DEBUG_MSG(2, ("=> check_identity_match_ticket"));
Jerry Yu95699e72022-08-21 19:22:23 +0800[diff] [blame]127
Jerry Yufd310eb2022-09-06 09:16:35 +0800[diff] [blame]128 /* Ticket parser is not configured, Skip */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]129 if (ssl->conf->f_ticket_parse == NULL || identity_len == 0) {
130 return 0;
131 }
Jerry Yu95699e72022-08-21 19:22:23 +0800[diff] [blame]132
Jerry Yu4746b102022-09-13 11:11:48 +0800[diff] [blame]133 /* We create a copy of the encrypted ticket since the ticket parsing
134 * function is allowed to use its input buffer as an output buffer
135 * (in-place decryption). We do, however, need the original buffer for
136 * computing the PSK binder value.
Jerry Yu95699e72022-08-21 19:22:23 +0800[diff] [blame]137 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]138 ticket_buffer = mbedtls_calloc(1, identity_len);
139 if (ticket_buffer == NULL) {
140 MBEDTLS_SSL_DEBUG_MSG(1, ("buffer too small"));
141 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
Jerry Yu95699e72022-08-21 19:22:23 +0800[diff] [blame]142 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]143 memcpy(ticket_buffer, identity, identity_len);
Jerry Yu95699e72022-08-21 19:22:23 +0800[diff] [blame]144
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]145 if ((ret = ssl->conf->f_ticket_parse(ssl->conf->p_ticket,
146 session,
147 ticket_buffer, identity_len)) != 0) {
148 if (ret == MBEDTLS_ERR_SSL_INVALID_MAC) {
149 MBEDTLS_SSL_DEBUG_MSG(3, ("ticket is not authentic"));
150 } else if (ret == MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED) {
151 MBEDTLS_SSL_DEBUG_MSG(3, ("ticket is expired"));
152 } else {
153 MBEDTLS_SSL_DEBUG_RET(1, "ticket_parse", ret);
154 }
Jerry Yu95699e72022-08-21 19:22:23 +0800[diff] [blame]155 }
156
157 /* We delete the temporary buffer */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]158 mbedtls_free(ticket_buffer);
Jerry Yu95699e72022-08-21 19:22:23 +0800[diff] [blame]159
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]160 if (ret != 0) {
Jerry Yu8d4bbba2022-09-13 14:15:48 +0800[diff] [blame]161 goto exit;
162 }
Jerry Yu95699e72022-08-21 19:22:23 +0800[diff] [blame]163
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]164 ret = MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED;
165#if defined(MBEDTLS_HAVE_TIME)
166 now = mbedtls_time(NULL);
167
168 if (now < session->start) {
169 MBEDTLS_SSL_DEBUG_MSG(
170 3, ("Invalid ticket start time ( now=%" MBEDTLS_PRINTF_LONGLONG
171 ", start=%" MBEDTLS_PRINTF_LONGLONG " )",
172 (long long) now, (long long) session->start));
173 goto exit;
174 }
175
176 age_in_s = (uint64_t) (now - session->start);
Jerry Yu95699e72022-08-21 19:22:23 +0800[diff] [blame]177
Jerry Yu8d4bbba2022-09-13 14:15:48 +0800[diff] [blame]178 /* RFC 8446 section 4.6.1
179 *
180 * Servers MUST NOT use any value greater than 604800 seconds (7 days).
181 *
182 * RFC 8446 section 4.2.11.1
183 *
184 * Clients MUST NOT attempt to use tickets which have ages greater than
185 * the "ticket_lifetime" value which was provided with the ticket.
186 *
187 * For time being, the age MUST be less than 604800 seconds (7 days).
188 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]189 if (age_in_s > 604800) {
Jerry Yu8d4bbba2022-09-13 14:15:48 +0800[diff] [blame]190 MBEDTLS_SSL_DEBUG_MSG(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]191 3, ("Ticket age exceeds limitation ticket_age=%lu",
192 (long unsigned int) age_in_s));
Jerry Yu8d4bbba2022-09-13 14:15:48 +0800[diff] [blame]193 goto exit;
194 }
Jerry Yu95699e72022-08-21 19:22:23 +0800[diff] [blame]195
Jerry Yu8d4bbba2022-09-13 14:15:48 +0800[diff] [blame]196 /* RFC 8446 section 4.2.10
197 *
198 * For PSKs provisioned via NewSessionTicket, a server MUST validate that
199 * the ticket age for the selected PSK identity (computed by subtracting
200 * ticket_age_add from PskIdentity.obfuscated_ticket_age modulo 2^32) is
201 * within a small tolerance of the time since the ticket was issued.
Jerry Yuf7dad3c2022-09-14 22:31:39 +0800[diff] [blame]202 *
Jerry Yu0a55cc62022-09-15 16:15:06 +0800[diff] [blame]203 * NOTE: When `now == session->start`, `age_diff_in_ms` may be negative
204 * as the age units are different on the server (s) and in the
205 * client (ms) side. Add a -1000 ms tolerance window to take this
206 * into account.
Jerry Yu8d4bbba2022-09-13 14:15:48 +0800[diff] [blame]207 */
Jerry Yuf7dad3c2022-09-14 22:31:39 +0800[diff] [blame]208 age_diff_in_ms = age_in_s * 1000;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]209 age_diff_in_ms -= (obfuscated_ticket_age - session->ticket_age_add);
210 if (age_diff_in_ms <= -1000 ||
211 age_diff_in_ms > MBEDTLS_SSL_TLS1_3_TICKET_AGE_TOLERANCE) {
Jerry Yu8d4bbba2022-09-13 14:15:48 +0800[diff] [blame]212 MBEDTLS_SSL_DEBUG_MSG(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]213 3, ("Ticket age outside tolerance window ( diff=%d )",
214 (int) age_diff_in_ms));
Jerry Yu8d4bbba2022-09-13 14:15:48 +0800[diff] [blame]215 goto exit;
216 }
217
218 ret = 0;
Jerry Yu95699e72022-08-21 19:22:23 +0800[diff] [blame]219
220#endif /* MBEDTLS_HAVE_TIME */
Jerry Yu8d4bbba2022-09-13 14:15:48 +0800[diff] [blame]221
222exit:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]223 if (ret != 0) {
224 mbedtls_ssl_session_free(session);
225 }
Jerry Yu95699e72022-08-21 19:22:23 +0800[diff] [blame]226
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]227 MBEDTLS_SSL_DEBUG_MSG(2, ("<= check_identity_match_ticket"));
228 return ret;
Jerry Yu95699e72022-08-21 19:22:23 +0800[diff] [blame]229}
230#endif /* MBEDTLS_SSL_SESSION_TICKETS */
231
Jerry Yu6e74a7e2022-07-20 20:49:32 +0800[diff] [blame]232MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]233static int ssl_tls13_offered_psks_check_identity_match(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]234 mbedtls_ssl_context *ssl,
235 const unsigned char *identity,
236 size_t identity_len,
237 uint32_t obfuscated_ticket_age,
238 int *psk_type,
239 mbedtls_ssl_session *session)
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]240{
Jerry Yu95699e72022-08-21 19:22:23 +0800[diff] [blame]241 ((void) session);
242 ((void) obfuscated_ticket_age);
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]243 *psk_type = MBEDTLS_SSL_TLS1_3_PSK_EXTERNAL;
Jerry Yu95699e72022-08-21 19:22:23 +0800[diff] [blame]244
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]245 MBEDTLS_SSL_DEBUG_BUF(4, "identity", identity, identity_len);
Jerry Yu95699e72022-08-21 19:22:23 +0800[diff] [blame]246 ssl->handshake->resume = 0;
247
Jerry Yu95699e72022-08-21 19:22:23 +0800[diff] [blame]248#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]249 if (ssl_tls13_offered_psks_check_identity_match_ticket(
Jerry Yu8d4bbba2022-09-13 14:15:48 +0800[diff] [blame]250 ssl, identity, identity_len, obfuscated_ticket_age,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]251 session) == SSL_TLS1_3_OFFERED_PSK_MATCH) {
Jerry Yu95699e72022-08-21 19:22:23 +0800[diff] [blame]252 ssl->handshake->resume = 1;
253 *psk_type = MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]254 mbedtls_ssl_set_hs_psk(ssl,
Jerry Yu0a55cc62022-09-15 16:15:06 +0800[diff] [blame]255 session->resumption_key,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]256 session->resumption_key_len);
257
258 MBEDTLS_SSL_DEBUG_BUF(4, "Ticket-resumed PSK:",
259 session->resumption_key,
260 session->resumption_key_len);
261 MBEDTLS_SSL_DEBUG_MSG(4, ("ticket: obfuscated_ticket_age: %u",
262 (unsigned) obfuscated_ticket_age));
263 return SSL_TLS1_3_OFFERED_PSK_MATCH;
Jerry Yu95699e72022-08-21 19:22:23 +0800[diff] [blame]264 }
265#endif /* MBEDTLS_SSL_SESSION_TICKETS */
266
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]267 /* Check identity with external configured function */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]268 if (ssl->conf->f_psk != NULL) {
269 if (ssl->conf->f_psk(
270 ssl->conf->p_psk, ssl, identity, identity_len) == 0) {
271 return SSL_TLS1_3_OFFERED_PSK_MATCH;
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]272 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]273 return SSL_TLS1_3_OFFERED_PSK_NOT_MATCH;
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]274 }
275
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]276 MBEDTLS_SSL_DEBUG_BUF(5, "identity", identity, identity_len);
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]277 /* Check identity with pre-configured psk */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]278 if (ssl->conf->psk_identity != NULL &&
Jerry Yu2f0abc92022-07-22 19:34:48 +0800[diff] [blame]279 identity_len == ssl->conf->psk_identity_len &&
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]280 mbedtls_ct_memcmp(ssl->conf->psk_identity,
281 identity, identity_len) == 0) {
282 mbedtls_ssl_set_hs_psk(ssl, ssl->conf->psk, ssl->conf->psk_len);
283 return SSL_TLS1_3_OFFERED_PSK_MATCH;
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]284 }
285
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]286 return SSL_TLS1_3_OFFERED_PSK_NOT_MATCH;
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]287}
288
Jerry Yu6e74a7e2022-07-20 20:49:32 +0800[diff] [blame]289MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]290static int ssl_tls13_offered_psks_check_binder_match(mbedtls_ssl_context *ssl,
291 const unsigned char *binder,
292 size_t binder_len,
293 int psk_type,
294 psa_algorithm_t psk_hash_alg)
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]295{
296 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yu96a2e362022-07-21 15:11:34 +0800[diff] [blame]297
Jerry Yudaf375a2022-07-20 21:31:43 +0800[diff] [blame]298 unsigned char transcript[PSA_HASH_MAX_SIZE];
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]299 size_t transcript_len;
Jerry Yu2f0abc92022-07-22 19:34:48 +0800[diff] [blame]300 unsigned char *psk;
Jerry Yu96a2e362022-07-21 15:11:34 +0800[diff] [blame]301 size_t psk_len;
Jerry Yudaf375a2022-07-20 21:31:43 +0800[diff] [blame]302 unsigned char server_computed_binder[PSA_HASH_MAX_SIZE];
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]303
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]304 /* Get current state of handshake transcript. */
Jerry Yu29d9faa2022-08-23 17:52:45 +0800[diff] [blame]305 ret = mbedtls_ssl_get_handshake_transcript(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]306 ssl, mbedtls_hash_info_md_from_psa(psk_hash_alg),
307 transcript, sizeof(transcript), &transcript_len);
308 if (ret != 0) {
309 return ret;
310 }
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]311
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]312 ret = mbedtls_ssl_tls13_export_handshake_psk(ssl, &psk, &psk_len);
313 if (ret != 0) {
314 return ret;
315 }
Jerry Yu96a2e362022-07-21 15:11:34 +0800[diff] [blame]316
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]317 ret = mbedtls_ssl_tls13_create_psk_binder(ssl, psk_hash_alg,
318 psk, psk_len, psk_type,
319 transcript,
320 server_computed_binder);
Jerry Yu96a2e362022-07-21 15:11:34 +0800[diff] [blame]321#if defined(MBEDTLS_USE_PSA_CRYPTO)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]322 mbedtls_free((void *) psk);
Jerry Yu96a2e362022-07-21 15:11:34 +0800[diff] [blame]323#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]324 if (ret != 0) {
325 MBEDTLS_SSL_DEBUG_MSG(1, ("PSK binder calculation failed."));
326 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]327 }
328
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]329 MBEDTLS_SSL_DEBUG_BUF(3, "psk binder ( computed ): ",
330 server_computed_binder, transcript_len);
331 MBEDTLS_SSL_DEBUG_BUF(3, "psk binder ( received ): ", binder, binder_len);
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]332
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]333 if (mbedtls_ct_memcmp(server_computed_binder, binder, binder_len) == 0) {
334 return SSL_TLS1_3_OFFERED_PSK_MATCH;
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]335 }
336
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]337 mbedtls_platform_zeroize(server_computed_binder,
338 sizeof(server_computed_binder));
339 return SSL_TLS1_3_OFFERED_PSK_NOT_MATCH;
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]340}
Jerry Yu96a2e362022-07-21 15:11:34 +0800[diff] [blame]341
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]342MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yuf35ba382022-08-23 17:58:26 +0800[diff] [blame]343static int ssl_tls13_select_ciphersuite_for_psk(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]344 mbedtls_ssl_context *ssl,
345 const unsigned char *cipher_suites,
346 const unsigned char *cipher_suites_end,
347 uint16_t *selected_ciphersuite,
348 const mbedtls_ssl_ciphersuite_t **selected_ciphersuite_info)
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]349{
Jerry Yuf35ba382022-08-23 17:58:26 +0800[diff] [blame]350 psa_algorithm_t psk_hash_alg = PSA_ALG_SHA_256;
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]351
Jerry Yu0baf9072022-08-25 11:21:04 +0800[diff] [blame]352 *selected_ciphersuite = 0;
353 *selected_ciphersuite_info = NULL;
354
Jerry Yuf35ba382022-08-23 17:58:26 +0800[diff] [blame]355 /* RFC 8446, page 55.
356 *
357 * For externally established PSKs, the Hash algorithm MUST be set when the
358 * PSK is established or default to SHA-256 if no such algorithm is defined.
359 *
360 */
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]361
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]362 /*
363 * Search for a matching ciphersuite
364 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]365 for (const unsigned char *p = cipher_suites;
366 p < cipher_suites_end; p += 2) {
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]367 uint16_t cipher_suite;
Jerry Yuf35ba382022-08-23 17:58:26 +0800[diff] [blame]368 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]369
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]370 cipher_suite = MBEDTLS_GET_UINT16_BE(p, 0);
371 ciphersuite_info = ssl_tls13_validate_peer_ciphersuite(ssl,
372 cipher_suite);
373 if (ciphersuite_info == NULL) {
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]374 continue;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]375 }
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]376
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]377 /* MAC of selected ciphersuite MUST be same with PSK binder if exist.
378 * Otherwise, client should reject.
379 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]380 if (psk_hash_alg == mbedtls_psa_translate_md(ciphersuite_info->mac)) {
Jerry Yuf35ba382022-08-23 17:58:26 +0800[diff] [blame]381 *selected_ciphersuite = cipher_suite;
382 *selected_ciphersuite_info = ciphersuite_info;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]383 return 0;
Jerry Yuf35ba382022-08-23 17:58:26 +0800[diff] [blame]384 }
385 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]386 MBEDTLS_SSL_DEBUG_MSG(2, ("No matched ciphersuite"));
387 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Jerry Yuf35ba382022-08-23 17:58:26 +0800[diff] [blame]388}
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]389
Jerry Yu82534862022-08-30 10:42:33 +0800[diff] [blame]390#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Jerry Yuf35ba382022-08-23 17:58:26 +0800[diff] [blame]391MBEDTLS_CHECK_RETURN_CRITICAL
392static int ssl_tls13_select_ciphersuite_for_resumption(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]393 mbedtls_ssl_context *ssl,
394 const unsigned char *cipher_suites,
395 const unsigned char *cipher_suites_end,
396 mbedtls_ssl_session *session,
397 uint16_t *selected_ciphersuite,
398 const mbedtls_ssl_ciphersuite_t **selected_ciphersuite_info)
Jerry Yuf35ba382022-08-23 17:58:26 +0800[diff] [blame]399{
Jerry Yu82534862022-08-30 10:42:33 +0800[diff] [blame]400
Jerry Yuf35ba382022-08-23 17:58:26 +0800[diff] [blame]401 *selected_ciphersuite = 0;
402 *selected_ciphersuite_info = NULL;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]403 for (const unsigned char *p = cipher_suites; p < cipher_suites_end; p += 2) {
404 uint16_t cipher_suite = MBEDTLS_GET_UINT16_BE(p, 0);
Jerry Yu82534862022-08-30 10:42:33 +0800[diff] [blame]405 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
406
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]407 if (cipher_suite != session->ciphersuite) {
Jerry Yu82534862022-08-30 10:42:33 +0800[diff] [blame]408 continue;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]409 }
Jerry Yu82534862022-08-30 10:42:33 +0800[diff] [blame]410
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]411 ciphersuite_info = ssl_tls13_validate_peer_ciphersuite(ssl,
412 cipher_suite);
413 if (ciphersuite_info == NULL) {
Jerry Yu82534862022-08-30 10:42:33 +0800[diff] [blame]414 continue;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]415 }
Jerry Yu82534862022-08-30 10:42:33 +0800[diff] [blame]416
Jerry Yu4746b102022-09-13 11:11:48 +0800[diff] [blame]417 *selected_ciphersuite = cipher_suite;
Jerry Yu82534862022-08-30 10:42:33 +0800[diff] [blame]418 *selected_ciphersuite_info = ciphersuite_info;
419
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]420 return 0;
Jerry Yu82534862022-08-30 10:42:33 +0800[diff] [blame]421 }
422
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]423 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]424}
Jerry Yuf35ba382022-08-23 17:58:26 +0800[diff] [blame]425
Jerry Yu82534862022-08-30 10:42:33 +0800[diff] [blame]426MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]427static int ssl_tls13_session_copy_ticket(mbedtls_ssl_session *dst,
428 const mbedtls_ssl_session *src)
Jerry Yu82534862022-08-30 10:42:33 +0800[diff] [blame]429{
Jerry Yu82534862022-08-30 10:42:33 +0800[diff] [blame]430 dst->ticket_age_add = src->ticket_age_add;
431 dst->ticket_flags = src->ticket_flags;
432 dst->resumption_key_len = src->resumption_key_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]433 if (src->resumption_key_len == 0) {
434 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
435 }
436 memcpy(dst->resumption_key, src->resumption_key, src->resumption_key_len);
Jerry Yu4746b102022-09-13 11:11:48 +0800[diff] [blame]437
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]438 return 0;
Jerry Yu82534862022-08-30 10:42:33 +0800[diff] [blame]439}
440#endif /* MBEDTLS_SSL_SESSION_TICKETS */
441
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]442/* Parser for pre_shared_key extension in client hello
443 * struct {
444 * opaque identity<1..2^16-1>;
445 * uint32 obfuscated_ticket_age;
446 * } PskIdentity;
447 *
448 * opaque PskBinderEntry<32..255>;
449 *
450 * struct {
451 * PskIdentity identities<7..2^16-1>;
452 * PskBinderEntry binders<33..2^16-1>;
453 * } OfferedPsks;
454 *
455 * struct {
456 * select (Handshake.msg_type) {
457 * case client_hello: OfferedPsks;
458 * ....
459 * };
460 * } PreSharedKeyExtension;
461 */
Jerry Yu6e74a7e2022-07-20 20:49:32 +0800[diff] [blame]462MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]463static int ssl_tls13_parse_pre_shared_key_ext(mbedtls_ssl_context *ssl,
464 const unsigned char *pre_shared_key_ext,
465 const unsigned char *pre_shared_key_ext_end,
466 const unsigned char *ciphersuites,
467 const unsigned char *ciphersuites_end)
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]468{
Jerry Yu29d9faa2022-08-23 17:52:45 +0800[diff] [blame]469 const unsigned char *identities = pre_shared_key_ext;
Jerry Yu568ec252022-07-22 21:27:34 +0800[diff] [blame]470 const unsigned char *p_identity_len;
471 size_t identities_len;
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]472 const unsigned char *identities_end;
Jerry Yu568ec252022-07-22 21:27:34 +0800[diff] [blame]473 const unsigned char *binders;
474 const unsigned char *p_binder_len;
475 size_t binders_len;
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]476 const unsigned char *binders_end;
Jerry Yu96a2e362022-07-21 15:11:34 +0800[diff] [blame]477 int matched_identity = -1;
478 int identity_id = -1;
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]479
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]480 MBEDTLS_SSL_DEBUG_BUF(3, "pre_shared_key extension",
481 pre_shared_key_ext,
482 pre_shared_key_ext_end - pre_shared_key_ext);
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]483
Jerry Yu96a2e362022-07-21 15:11:34 +0800[diff] [blame]484 /* identities_len 2 bytes
485 * identities_data >= 7 bytes
486 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]487 MBEDTLS_SSL_CHK_BUF_READ_PTR(identities, pre_shared_key_ext_end, 7 + 2);
488 identities_len = MBEDTLS_GET_UINT16_BE(identities, 0);
Jerry Yu568ec252022-07-22 21:27:34 +0800[diff] [blame]489 p_identity_len = identities + 2;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]490 MBEDTLS_SSL_CHK_BUF_READ_PTR(p_identity_len, pre_shared_key_ext_end,
491 identities_len);
Jerry Yu568ec252022-07-22 21:27:34 +0800[diff] [blame]492 identities_end = p_identity_len + identities_len;
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]493
Jerry Yu96a2e362022-07-21 15:11:34 +0800[diff] [blame]494 /* binders_len 2 bytes
495 * binders >= 33 bytes
496 */
Jerry Yu568ec252022-07-22 21:27:34 +0800[diff] [blame]497 binders = identities_end;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]498 MBEDTLS_SSL_CHK_BUF_READ_PTR(binders, pre_shared_key_ext_end, 33 + 2);
499 binders_len = MBEDTLS_GET_UINT16_BE(binders, 0);
Jerry Yu568ec252022-07-22 21:27:34 +0800[diff] [blame]500 p_binder_len = binders + 2;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]501 MBEDTLS_SSL_CHK_BUF_READ_PTR(p_binder_len, pre_shared_key_ext_end, binders_len);
Jerry Yu568ec252022-07-22 21:27:34 +0800[diff] [blame]502 binders_end = p_binder_len + binders_len;
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]503
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]504 ssl->handshake->update_checksum(ssl, pre_shared_key_ext,
505 identities_end - pre_shared_key_ext);
Jerry Yu96a2e362022-07-21 15:11:34 +0800[diff] [blame]506
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]507 while (p_identity_len < identities_end && p_binder_len < binders_end) {
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]508 const unsigned char *identity;
Jerry Yu568ec252022-07-22 21:27:34 +0800[diff] [blame]509 size_t identity_len;
Jerry Yu82534862022-08-30 10:42:33 +0800[diff] [blame]510 uint32_t obfuscated_ticket_age;
Jerry Yu96a2e362022-07-21 15:11:34 +0800[diff] [blame]511 const unsigned char *binder;
Jerry Yu568ec252022-07-22 21:27:34 +0800[diff] [blame]512 size_t binder_len;
Jerry Yu96a2e362022-07-21 15:11:34 +0800[diff] [blame]513 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]514 int psk_type;
515 uint16_t cipher_suite;
Jerry Yu29d9faa2022-08-23 17:52:45 +0800[diff] [blame]516 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
Jerry Yu82534862022-08-30 10:42:33 +0800[diff] [blame]517#if defined(MBEDTLS_SSL_SESSION_TICKETS)
518 mbedtls_ssl_session session;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]519 mbedtls_ssl_session_init(&session);
Jerry Yu82534862022-08-30 10:42:33 +0800[diff] [blame]520#endif
Jerry Yubb852022022-07-20 21:10:44 +0800[diff] [blame]521
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]522 MBEDTLS_SSL_CHK_BUF_READ_PTR(p_identity_len, identities_end, 2 + 1 + 4);
523 identity_len = MBEDTLS_GET_UINT16_BE(p_identity_len, 0);
Jerry Yu568ec252022-07-22 21:27:34 +0800[diff] [blame]524 identity = p_identity_len + 2;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]525 MBEDTLS_SSL_CHK_BUF_READ_PTR(identity, identities_end, identity_len + 4);
526 obfuscated_ticket_age = MBEDTLS_GET_UINT32_BE(identity, identity_len);
Jerry Yu568ec252022-07-22 21:27:34 +0800[diff] [blame]527 p_identity_len += identity_len + 6;
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]528
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]529 MBEDTLS_SSL_CHK_BUF_READ_PTR(p_binder_len, binders_end, 1 + 32);
Jerry Yu568ec252022-07-22 21:27:34 +0800[diff] [blame]530 binder_len = *p_binder_len;
531 binder = p_binder_len + 1;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]532 MBEDTLS_SSL_CHK_BUF_READ_PTR(binder, binders_end, binder_len);
Jerry Yu568ec252022-07-22 21:27:34 +0800[diff] [blame]533 p_binder_len += binder_len + 1;
Jerry Yu96a2e362022-07-21 15:11:34 +0800[diff] [blame]534
Jerry Yu96a2e362022-07-21 15:11:34 +0800[diff] [blame]535 identity_id++;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]536 if (matched_identity != -1) {
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]537 continue;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]538 }
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]539
Jerry Yu96a2e362022-07-21 15:11:34 +0800[diff] [blame]540 ret = ssl_tls13_offered_psks_check_identity_match(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]541 ssl, identity, identity_len, obfuscated_ticket_age,
542 &psk_type, &session);
543 if (ret != SSL_TLS1_3_OFFERED_PSK_MATCH) {
Jerry Yu96a2e362022-07-21 15:11:34 +0800[diff] [blame]544 continue;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]545 }
Jerry Yu96a2e362022-07-21 15:11:34 +0800[diff] [blame]546
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]547 MBEDTLS_SSL_DEBUG_MSG(4, ("found matched identity"));
548 switch (psk_type) {
Jerry Yu0baf9072022-08-25 11:21:04 +0800[diff] [blame]549 case MBEDTLS_SSL_TLS1_3_PSK_EXTERNAL:
550 ret = ssl_tls13_select_ciphersuite_for_psk(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]551 ssl, ciphersuites, ciphersuites_end,
552 &cipher_suite, &ciphersuite_info);
Jerry Yu0baf9072022-08-25 11:21:04 +0800[diff] [blame]553 break;
554 case MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION:
Jerry Yu82534862022-08-30 10:42:33 +0800[diff] [blame]555#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Jerry Yu0baf9072022-08-25 11:21:04 +0800[diff] [blame]556 ret = ssl_tls13_select_ciphersuite_for_resumption(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]557 ssl, ciphersuites, ciphersuites_end, &session,
558 &cipher_suite, &ciphersuite_info);
559 if (ret != 0) {
560 mbedtls_ssl_session_free(&session);
561 }
Jerry Yu82534862022-08-30 10:42:33 +0800[diff] [blame]562#else
563 ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
564#endif
Jerry Yu0baf9072022-08-25 11:21:04 +0800[diff] [blame]565 break;
566 default:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]567 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Jerry Yu0baf9072022-08-25 11:21:04 +0800[diff] [blame]568 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]569 if (ret != 0) {
Jerry Yuf35ba382022-08-23 17:58:26 +0800[diff] [blame]570 /* See below, no cipher_suite available, abort handshake */
571 MBEDTLS_SSL_PEND_FATAL_ALERT(
572 MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]573 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE);
Jerry Yuf35ba382022-08-23 17:58:26 +0800[diff] [blame]574 MBEDTLS_SSL_DEBUG_RET(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]575 2, "ssl_tls13_select_ciphersuite", ret);
576 return ret;
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]577 }
578
Jerry Yu96a2e362022-07-21 15:11:34 +0800[diff] [blame]579 ret = ssl_tls13_offered_psks_check_binder_match(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]580 ssl, binder, binder_len, psk_type,
581 mbedtls_psa_translate_md(ciphersuite_info->mac));
582 if (ret != SSL_TLS1_3_OFFERED_PSK_MATCH) {
Jerry Yuc5a23a02022-08-25 10:51:44 +0800[diff] [blame]583 /* For security reasons, the handshake should be aborted when we
584 * fail to validate a binder value. See RFC 8446 section 4.2.11.2
585 * and appendix E.6. */
Jerry Yu82534862022-08-30 10:42:33 +0800[diff] [blame]586#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]587 mbedtls_ssl_session_free(&session);
Jerry Yu82534862022-08-30 10:42:33 +0800[diff] [blame]588#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]589 MBEDTLS_SSL_DEBUG_MSG(3, ("Invalid binder."));
590 MBEDTLS_SSL_DEBUG_RET(1,
591 "ssl_tls13_offered_psks_check_binder_match", ret);
Jerry Yu96a2e362022-07-21 15:11:34 +0800[diff] [blame]592 MBEDTLS_SSL_PEND_FATAL_ALERT(
593 MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]594 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE);
595 return ret;
Jerry Yu96a2e362022-07-21 15:11:34 +0800[diff] [blame]596 }
Jerry Yu96a2e362022-07-21 15:11:34 +0800[diff] [blame]597
598 matched_identity = identity_id;
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]599
600 /* Update handshake parameters */
Jerry Yue5834fd2022-08-29 20:16:09 +0800[diff] [blame]601 ssl->handshake->ciphersuite_info = ciphersuite_info;
Jerry Yu4746b102022-09-13 11:11:48 +0800[diff] [blame]602 ssl->session_negotiate->ciphersuite = cipher_suite;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]603 MBEDTLS_SSL_DEBUG_MSG(2, ("overwrite ciphersuite: %04x - %s",
604 cipher_suite, ciphersuite_info->name));
Jerry Yu82534862022-08-30 10:42:33 +0800[diff] [blame]605#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]606 if (psk_type == MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION) {
607 ret = ssl_tls13_session_copy_ticket(ssl->session_negotiate,
608 &session);
609 mbedtls_ssl_session_free(&session);
610 if (ret != 0) {
611 return ret;
612 }
Jerry Yu82534862022-08-30 10:42:33 +0800[diff] [blame]613 }
614#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]615 }
616
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]617 if (p_identity_len != identities_end || p_binder_len != binders_end) {
618 MBEDTLS_SSL_DEBUG_MSG(3, ("pre_shared_key extension decode error"));
619 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
620 MBEDTLS_ERR_SSL_DECODE_ERROR);
621 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]622 }
623
Jerry Yu6f1db3f2022-07-22 23:05:59 +0800[diff] [blame]624 /* Update the handshake transcript with the binder list. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]625 ssl->handshake->update_checksum(ssl,
626 identities_end,
627 (size_t) (binders_end - identities_end));
628 if (matched_identity == -1) {
629 MBEDTLS_SSL_DEBUG_MSG(3, ("No matched PSK or ticket."));
630 return MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY;
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]631 }
632
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]633 ssl->handshake->selected_identity = (uint16_t) matched_identity;
634 MBEDTLS_SSL_DEBUG_MSG(3, ("Pre shared key found"));
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]635
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]636 return 0;
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]637}
Jerry Yu032b15ce2022-07-11 06:10:03 +0000[diff] [blame]638
639/*
640 * struct {
641 * select ( Handshake.msg_type ) {
642 * ....
643 * case server_hello:
644 * uint16 selected_identity;
645 * }
646 * } PreSharedKeyExtension;
647 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]648static int ssl_tls13_write_server_pre_shared_key_ext(mbedtls_ssl_context *ssl,
649 unsigned char *buf,
650 unsigned char *end,
651 size_t *olen)
Jerry Yu032b15ce2022-07-11 06:10:03 +0000[diff] [blame]652{
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]653 unsigned char *p = (unsigned char *) buf;
Jerry Yu032b15ce2022-07-11 06:10:03 +0000[diff] [blame]654
655 *olen = 0;
656
David Horstmann21b89762022-10-06 18:34:28 +0100[diff] [blame]657 int not_using_psk = 0;
Jerry Yu032b15ce2022-07-11 06:10:03 +0000[diff] [blame]658#if defined(MBEDTLS_USE_PSA_CRYPTO)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]659 not_using_psk = (mbedtls_svc_key_id_is_null(ssl->handshake->psk_opaque));
Jerry Yu032b15ce2022-07-11 06:10:03 +0000[diff] [blame]660#else
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]661 not_using_psk = (ssl->handshake->psk == NULL);
Jerry Yu032b15ce2022-07-11 06:10:03 +0000[diff] [blame]662#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]663 if (not_using_psk) {
Jerry Yu032b15ce2022-07-11 06:10:03 +0000[diff] [blame]664 /* We shouldn't have called this extension writer unless we've
665 * chosen to use a PSK. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]666 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Jerry Yu032b15ce2022-07-11 06:10:03 +0000[diff] [blame]667 }
668
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]669 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding pre_shared_key extension"));
670 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 6);
Jerry Yu032b15ce2022-07-11 06:10:03 +0000[diff] [blame]671
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]672 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_PRE_SHARED_KEY, p, 0);
673 MBEDTLS_PUT_UINT16_BE(2, p, 2);
Jerry Yu032b15ce2022-07-11 06:10:03 +0000[diff] [blame]674
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]675 MBEDTLS_PUT_UINT16_BE(ssl->handshake->selected_identity, p, 4);
Jerry Yu032b15ce2022-07-11 06:10:03 +0000[diff] [blame]676
677 *olen = 6;
678
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]679 MBEDTLS_SSL_DEBUG_MSG(4, ("sent selected_identity: %u",
680 ssl->handshake->selected_identity));
Jerry Yu032b15ce2022-07-11 06:10:03 +0000[diff] [blame]681
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]682 mbedtls_ssl_tls13_set_hs_sent_ext_mask(ssl, MBEDTLS_TLS_EXT_PRE_SHARED_KEY);
Jerry Yub95dd362022-11-08 21:19:34 +0800[diff] [blame]683
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]684 return 0;
Jerry Yu032b15ce2022-07-11 06:10:03 +0000[diff] [blame]685}
686
Ronald Cron41a443a2022-10-04 16:38:25 +0200[diff] [blame]687#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */
Jerry Yue19e3b92022-07-08 12:04:51 +0000[diff] [blame]688
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]689/* From RFC 8446:
690 * struct {
XiaokangQiancfd925f2022-04-14 07:10:37 +0000[diff] [blame]691 * ProtocolVersion versions<2..254>;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]692 * } SupportedVersions;
693 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]694MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]695static int ssl_tls13_parse_supported_versions_ext(mbedtls_ssl_context *ssl,
696 const unsigned char *buf,
697 const unsigned char *end)
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]698{
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]699 const unsigned char *p = buf;
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]700 size_t versions_len;
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]701 const unsigned char *versions_end;
XiaokangQian0a1b54e2022-04-21 03:01:38 +0000[diff] [blame]702 uint16_t tls_version;
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]703 int tls13_supported = 0;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]704
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]705 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 1);
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]706 versions_len = p[0];
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]707 p += 1;
708
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]709 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, versions_len);
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]710 versions_end = p + versions_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]711 while (p < versions_end) {
712 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, versions_end, 2);
713 tls_version = mbedtls_ssl_read_version(p, ssl->conf->transport);
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]714 p += 2;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]715
716 /* In this implementation we only support TLS 1.3 and DTLS 1.3. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]717 if (tls_version == MBEDTLS_SSL_VERSION_TLS1_3) {
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]718 tls13_supported = 1;
719 break;
720 }
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]721 }
722
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]723 if (!tls13_supported) {
724 MBEDTLS_SSL_DEBUG_MSG(1, ("TLS 1.3 is not supported by the client"));
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]725
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]726 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION,
727 MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION);
728 return MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]729 }
730
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]731 MBEDTLS_SSL_DEBUG_MSG(1, ("Negotiated version. Supported is [%04x]",
732 (unsigned int) tls_version));
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]733
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]734 return 0;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]735}
736
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]737#if defined(MBEDTLS_ECDH_C)
XiaokangQiane8ff3502022-04-22 02:34:40 +0000[diff] [blame]738/*
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]739 *
740 * From RFC 8446:
741 * enum {
742 * ... (0xFFFF)
743 * } NamedGroup;
744 * struct {
745 * NamedGroup named_group_list<2..2^16-1>;
746 * } NamedGroupList;
747 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]748MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]749static int ssl_tls13_parse_supported_groups_ext(mbedtls_ssl_context *ssl,
750 const unsigned char *buf,
751 const unsigned char *end)
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]752{
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]753 const unsigned char *p = buf;
XiaokangQian84823772022-04-19 07:57:30 +0000[diff] [blame]754 size_t named_group_list_len;
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]755 const unsigned char *named_group_list_end;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]756
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]757 MBEDTLS_SSL_DEBUG_BUF(3, "supported_groups extension", p, end - buf);
758 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
759 named_group_list_len = MBEDTLS_GET_UINT16_BE(p, 0);
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]760 p += 2;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]761 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, named_group_list_len);
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]762 named_group_list_end = p + named_group_list_len;
XiaokangQian4e8cd7b2022-04-21 09:48:09 +0000[diff] [blame]763 ssl->handshake->hrr_selected_group = 0;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]764
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]765 while (p < named_group_list_end) {
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]766 uint16_t named_group;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]767 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, named_group_list_end, 2);
768 named_group = MBEDTLS_GET_UINT16_BE(p, 0);
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]769 p += 2;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]770
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]771 MBEDTLS_SSL_DEBUG_MSG(2,
772 ("got named group: %s(%04x)",
773 mbedtls_ssl_named_group_to_str(named_group),
774 named_group));
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]775
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]776 if (!mbedtls_ssl_named_group_is_offered(ssl, named_group) ||
777 !mbedtls_ssl_named_group_is_supported(named_group) ||
778 ssl->handshake->hrr_selected_group != 0) {
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]779 continue;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]780 }
781
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]782 MBEDTLS_SSL_DEBUG_MSG(2,
783 ("add named group %s(%04x) into received list.",
784 mbedtls_ssl_named_group_to_str(named_group),
785 named_group));
Jerry Yuc1be19f2022-04-23 16:11:39 +0800[diff] [blame]786
XiaokangQian4e8cd7b2022-04-21 09:48:09 +0000[diff] [blame]787 ssl->handshake->hrr_selected_group = named_group;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]788 }
789
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]790 return 0;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]791
792}
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]793#endif /* MBEDTLS_ECDH_C */
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]794
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]795#define SSL_TLS1_3_PARSE_KEY_SHARES_EXT_NO_MATCH 1
796
XiaokangQian88408882022-04-02 10:15:03 +0000[diff] [blame]797#if defined(MBEDTLS_ECDH_C)
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]798/*
799 * ssl_tls13_parse_key_shares_ext() verifies whether the information in the
XiaokangQiane8ff3502022-04-22 02:34:40 +0000[diff] [blame]800 * extension is correct and stores the first acceptable key share and its associated group.
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]801 *
802 * Possible return values are:
803 * - 0: Successful processing of the client provided key share extension.
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]804 * - SSL_TLS1_3_PARSE_KEY_SHARES_EXT_NO_MATCH: The key shares provided by the client
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]805 * does not match a group supported by the server. A HelloRetryRequest will
806 * be needed.
XiaokangQiane8ff3502022-04-22 02:34:40 +0000[diff] [blame]807 * - A negative value for fatal errors.
Jerry Yuc1be19f2022-04-23 16:11:39 +0800[diff] [blame]808 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]809MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]810static int ssl_tls13_parse_key_shares_ext(mbedtls_ssl_context *ssl,
811 const unsigned char *buf,
812 const unsigned char *end)
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]813{
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]814 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]815 unsigned char const *p = buf;
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]816 unsigned char const *client_shares_end;
Jerry Yuc1be19f2022-04-23 16:11:39 +0800[diff] [blame]817 size_t client_shares_len;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]818
819 /* From RFC 8446:
820 *
821 * struct {
822 * KeyShareEntry client_shares<0..2^16-1>;
823 * } KeyShareClientHello;
824 *
825 */
826
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]827 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
828 client_shares_len = MBEDTLS_GET_UINT16_BE(p, 0);
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]829 p += 2;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]830 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, client_shares_len);
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]831
832 ssl->handshake->offered_group_id = 0;
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]833 client_shares_end = p + client_shares_len;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]834
835 /* We try to find a suitable key share entry and copy it to the
836 * handshake context. Later, we have to find out whether we can do
837 * something with the provided key share or whether we have to
XiaokangQianc5763b52022-04-02 03:34:37 +0000[diff] [blame]838 * dismiss it and send a HelloRetryRequest message.
839 */
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]840
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]841 while (p < client_shares_end) {
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000[diff] [blame]842 uint16_t group;
Jerry Yuc1be19f2022-04-23 16:11:39 +0800[diff] [blame]843 size_t key_exchange_len;
Jerry Yu086edc22022-05-05 10:50:38 +0800[diff] [blame]844 const unsigned char *key_exchange;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]845
846 /*
847 * struct {
848 * NamedGroup group;
849 * opaque key_exchange<1..2^16-1>;
850 * } KeyShareEntry;
851 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]852 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, client_shares_end, 4);
853 group = MBEDTLS_GET_UINT16_BE(p, 0);
854 key_exchange_len = MBEDTLS_GET_UINT16_BE(p, 2);
Jerry Yuc1be19f2022-04-23 16:11:39 +0800[diff] [blame]855 p += 4;
Jerry Yu086edc22022-05-05 10:50:38 +0800[diff] [blame]856 key_exchange = p;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]857 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, client_shares_end, key_exchange_len);
Jerry Yu086edc22022-05-05 10:50:38 +0800[diff] [blame]858 p += key_exchange_len;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]859
860 /* Continue parsing even if we have already found a match,
XiaokangQianc5763b52022-04-02 03:34:37 +0000[diff] [blame]861 * for input validation purposes.
862 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]863 if (!mbedtls_ssl_named_group_is_offered(ssl, group) ||
864 !mbedtls_ssl_named_group_is_supported(group) ||
865 ssl->handshake->offered_group_id != 0) {
XiaokangQian060d8672022-04-21 09:24:56 +0000[diff] [blame]866 continue;
867 }
XiaokangQian060d8672022-04-21 09:24:56 +0000[diff] [blame]868
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]869 /*
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]870 * For now, we only support ECDHE groups.
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]871 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]872 if (mbedtls_ssl_tls13_named_group_is_ecdhe(group)) {
873 MBEDTLS_SSL_DEBUG_MSG(2, ("ECDH group: %s (%04x)",
874 mbedtls_ssl_named_group_to_str(group),
875 group));
XiaokangQian318dc762022-04-20 09:43:51 +0000[diff] [blame]876 ret = mbedtls_ssl_tls13_read_public_ecdhe_share(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]877 ssl, key_exchange - 2, key_exchange_len + 2);
878 if (ret != 0) {
879 return ret;
880 }
XiaokangQian4e8cd7b2022-04-21 09:48:09 +0000[diff] [blame]881
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]882 } else {
883 MBEDTLS_SSL_DEBUG_MSG(4, ("Unrecognized NamedGroup %u",
884 (unsigned) group));
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]885 continue;
886 }
887
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000[diff] [blame]888 ssl->handshake->offered_group_id = group;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]889 }
890
Jerry Yuc1be19f2022-04-23 16:11:39 +0800[diff] [blame]891
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]892 if (ssl->handshake->offered_group_id == 0) {
893 MBEDTLS_SSL_DEBUG_MSG(1, ("no matching key share"));
894 return SSL_TLS1_3_PARSE_KEY_SHARES_EXT_NO_MATCH;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]895 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]896 return 0;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]897}
XiaokangQian88408882022-04-02 10:15:03 +0000[diff] [blame]898#endif /* MBEDTLS_ECDH_C */
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]899
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]900MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]901static int ssl_tls13_client_hello_has_exts(mbedtls_ssl_context *ssl,
902 int exts_mask)
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]903{
Jerry Yu0c354a22022-08-29 15:25:36 +0800[diff] [blame]904 int masked = ssl->handshake->received_extensions & exts_mask;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]905 return masked == exts_mask;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]906}
907
Jerry Yue5991322022-11-07 14:03:44 +0800[diff] [blame]908#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]909MBEDTLS_CHECK_RETURN_CRITICAL
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]910static int ssl_tls13_client_hello_has_exts_for_ephemeral_key_exchange(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]911 mbedtls_ssl_context *ssl)
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]912{
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]913 return ssl_tls13_client_hello_has_exts(
914 ssl,
915 MBEDTLS_SSL_EXT_MASK(SUPPORTED_GROUPS) |
916 MBEDTLS_SSL_EXT_MASK(KEY_SHARE) |
917 MBEDTLS_SSL_EXT_MASK(SIG_ALG));
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]918}
Jerry Yue5991322022-11-07 14:03:44 +0800[diff] [blame]919#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]920
Jerry Yue5991322022-11-07 14:03:44 +0800[diff] [blame]921#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED)
Jerry Yu77f01482022-07-11 07:03:24 +0000[diff] [blame]922MBEDTLS_CHECK_RETURN_CRITICAL
923static int ssl_tls13_client_hello_has_exts_for_psk_key_exchange(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]924 mbedtls_ssl_context *ssl)
Jerry Yu77f01482022-07-11 07:03:24 +0000[diff] [blame]925{
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]926 return ssl_tls13_client_hello_has_exts(
927 ssl,
928 MBEDTLS_SSL_EXT_MASK(PRE_SHARED_KEY) |
929 MBEDTLS_SSL_EXT_MASK(PSK_KEY_EXCHANGE_MODES));
Jerry Yu77f01482022-07-11 07:03:24 +0000[diff] [blame]930}
Jerry Yue5991322022-11-07 14:03:44 +0800[diff] [blame]931#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED */
Jerry Yu77f01482022-07-11 07:03:24 +0000[diff] [blame]932
Jerry Yue5991322022-11-07 14:03:44 +0800[diff] [blame]933#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED)
Jerry Yu77f01482022-07-11 07:03:24 +0000[diff] [blame]934MBEDTLS_CHECK_RETURN_CRITICAL
935static int ssl_tls13_client_hello_has_exts_for_psk_ephemeral_key_exchange(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]936 mbedtls_ssl_context *ssl)
Jerry Yu77f01482022-07-11 07:03:24 +0000[diff] [blame]937{
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]938 return ssl_tls13_client_hello_has_exts(
939 ssl,
940 MBEDTLS_SSL_EXT_MASK(SUPPORTED_GROUPS) |
941 MBEDTLS_SSL_EXT_MASK(KEY_SHARE) |
942 MBEDTLS_SSL_EXT_MASK(PRE_SHARED_KEY) |
943 MBEDTLS_SSL_EXT_MASK(PSK_KEY_EXCHANGE_MODES));
Jerry Yu77f01482022-07-11 07:03:24 +0000[diff] [blame]944}
Jerry Yue5991322022-11-07 14:03:44 +0800[diff] [blame]945#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED */
Jerry Yu77f01482022-07-11 07:03:24 +0000[diff] [blame]946
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]947MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]948static int ssl_tls13_check_ephemeral_key_exchange(mbedtls_ssl_context *ssl)
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]949{
Jerry Yue5991322022-11-07 14:03:44 +0800[diff] [blame]950#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]951 return mbedtls_ssl_conf_tls13_ephemeral_enabled(ssl) &&
952 ssl_tls13_client_hello_has_exts_for_ephemeral_key_exchange(ssl);
Jerry Yue5991322022-11-07 14:03:44 +0800[diff] [blame]953#else
954 ((void) ssl);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]955 return 0;
Jerry Yue5991322022-11-07 14:03:44 +0800[diff] [blame]956#endif
Jerry Yu77f01482022-07-11 07:03:24 +0000[diff] [blame]957}
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]958
Jerry Yu77f01482022-07-11 07:03:24 +0000[diff] [blame]959MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]960static int ssl_tls13_check_psk_key_exchange(mbedtls_ssl_context *ssl)
Jerry Yu77f01482022-07-11 07:03:24 +0000[diff] [blame]961{
Jerry Yue5991322022-11-07 14:03:44 +0800[diff] [blame]962#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]963 return mbedtls_ssl_conf_tls13_psk_enabled(ssl) &&
964 mbedtls_ssl_tls13_psk_enabled(ssl) &&
965 ssl_tls13_client_hello_has_exts_for_psk_key_exchange(ssl);
Jerry Yu77f01482022-07-11 07:03:24 +0000[diff] [blame]966#else
967 ((void) ssl);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]968 return 0;
Jerry Yu77f01482022-07-11 07:03:24 +0000[diff] [blame]969#endif
970}
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]971
Jerry Yu77f01482022-07-11 07:03:24 +0000[diff] [blame]972MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]973static int ssl_tls13_check_psk_ephemeral_key_exchange(mbedtls_ssl_context *ssl)
Jerry Yu77f01482022-07-11 07:03:24 +0000[diff] [blame]974{
Jerry Yue5991322022-11-07 14:03:44 +0800[diff] [blame]975#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]976 return mbedtls_ssl_conf_tls13_psk_ephemeral_enabled(ssl) &&
977 mbedtls_ssl_tls13_psk_ephemeral_enabled(ssl) &&
978 ssl_tls13_client_hello_has_exts_for_psk_ephemeral_key_exchange(ssl);
Jerry Yu77f01482022-07-11 07:03:24 +0000[diff] [blame]979#else
980 ((void) ssl);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]981 return 0;
Jerry Yu77f01482022-07-11 07:03:24 +0000[diff] [blame]982#endif
983}
984
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]985static int ssl_tls13_determine_key_exchange_mode(mbedtls_ssl_context *ssl)
Jerry Yu77f01482022-07-11 07:03:24 +0000[diff] [blame]986{
987 /*
988 * Determine the key exchange algorithm to use.
989 * There are three types of key exchanges supported in TLS 1.3:
990 * - (EC)DH with ECDSA,
991 * - (EC)DH with PSK,
992 * - plain PSK.
993 *
994 * The PSK-based key exchanges may additionally be used with 0-RTT.
995 *
996 * Our built-in order of preference is
Jerry Yuce6ed702022-07-22 21:49:53 +0800[diff] [blame]997 * 1 ) (EC)DHE-PSK Mode ( psk_ephemeral )
998 * 2 ) Certificate Mode ( ephemeral )
999 * 3 ) Plain PSK Mode ( psk )
Jerry Yu77f01482022-07-11 07:03:24 +0000[diff] [blame]1000 */
1001
1002 ssl->handshake->key_exchange_mode = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_NONE;
1003
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1004 if (ssl_tls13_check_psk_ephemeral_key_exchange(ssl)) {
Jerry Yu77f01482022-07-11 07:03:24 +0000[diff] [blame]1005 ssl->handshake->key_exchange_mode =
1006 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1007 MBEDTLS_SSL_DEBUG_MSG(2, ("key exchange mode: psk_ephemeral"));
1008 } else
1009 if (ssl_tls13_check_ephemeral_key_exchange(ssl)) {
Jerry Yu77f01482022-07-11 07:03:24 +0000[diff] [blame]1010 ssl->handshake->key_exchange_mode =
1011 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1012 MBEDTLS_SSL_DEBUG_MSG(2, ("key exchange mode: ephemeral"));
1013 } else
1014 if (ssl_tls13_check_psk_key_exchange(ssl)) {
Jerry Yuce6ed702022-07-22 21:49:53 +0800[diff] [blame]1015 ssl->handshake->key_exchange_mode =
1016 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1017 MBEDTLS_SSL_DEBUG_MSG(2, ("key exchange mode: psk"));
1018 } else {
Jerry Yu77f01482022-07-11 07:03:24 +0000[diff] [blame]1019 MBEDTLS_SSL_DEBUG_MSG(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1020 1,
1021 ("ClientHello message misses mandatory extensions."));
1022 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_MISSING_EXTENSION,
1023 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
1024 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Jerry Yu77f01482022-07-11 07:03:24 +0000[diff] [blame]1025 }
1026
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1027 return 0;
Jerry Yu77f01482022-07-11 07:03:24 +0000[diff] [blame]1028
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1029}
1030
XiaokangQian81802f42022-06-10 13:25:22 +0000[diff] [blame]1031#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
Ronald Cron928cbd32022-10-04 16:14:26 +0200[diff] [blame]1032 defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
Ronald Cron67ea2542022-09-15 17:34:42 +0200[diff] [blame]1033
1034#if defined(MBEDTLS_USE_PSA_CRYPTO)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1035static psa_algorithm_t ssl_tls13_iana_sig_alg_to_psa_alg(uint16_t sig_alg)
Ronald Cron67ea2542022-09-15 17:34:42 +0200[diff] [blame]1036{
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1037 switch (sig_alg) {
Ronald Cron67ea2542022-09-15 17:34:42 +0200[diff] [blame]1038 case MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1039 return PSA_ALG_ECDSA(PSA_ALG_SHA_256);
Ronald Cron67ea2542022-09-15 17:34:42 +0200[diff] [blame]1040 case MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1041 return PSA_ALG_ECDSA(PSA_ALG_SHA_384);
Ronald Cron67ea2542022-09-15 17:34:42 +0200[diff] [blame]1042 case MBEDTLS_TLS1_3_SIG_ECDSA_SECP521R1_SHA512:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1043 return PSA_ALG_ECDSA(PSA_ALG_SHA_512);
Ronald Cron67ea2542022-09-15 17:34:42 +0200[diff] [blame]1044 case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1045 return PSA_ALG_RSA_PSS(PSA_ALG_SHA_256);
Ronald Cron67ea2542022-09-15 17:34:42 +0200[diff] [blame]1046 case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1047 return PSA_ALG_RSA_PSS(PSA_ALG_SHA_384);
Ronald Cron67ea2542022-09-15 17:34:42 +0200[diff] [blame]1048 case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1049 return PSA_ALG_RSA_PSS(PSA_ALG_SHA_512);
Ronald Cron67ea2542022-09-15 17:34:42 +0200[diff] [blame]1050 case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1051 return PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256);
Ronald Cron67ea2542022-09-15 17:34:42 +0200[diff] [blame]1052 case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA384:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1053 return PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_384);
Ronald Cron67ea2542022-09-15 17:34:42 +0200[diff] [blame]1054 case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA512:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1055 return PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_512);
Ronald Cron67ea2542022-09-15 17:34:42 +0200[diff] [blame]1056 default:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1057 return PSA_ALG_NONE;
Ronald Cron67ea2542022-09-15 17:34:42 +0200[diff] [blame]1058 }
1059}
1060#endif /* MBEDTLS_USE_PSA_CRYPTO */
1061
XiaokangQian23c5be62022-06-07 02:04:34 +0000[diff] [blame]1062/*
XiaokangQianfb665a82022-06-15 03:57:21 +0000[diff] [blame]1063 * Pick best ( private key, certificate chain ) pair based on the signature
1064 * algorithms supported by the client.
XiaokangQian23c5be62022-06-07 02:04:34 +0000[diff] [blame]1065 */
Ronald Cronce7d76e2022-07-08 18:56:49 +0200[diff] [blame]1066MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1067static int ssl_tls13_pick_key_cert(mbedtls_ssl_context *ssl)
XiaokangQian23c5be62022-06-07 02:04:34 +0000[diff] [blame]1068{
XiaokangQianfb665a82022-06-15 03:57:21 +0000[diff] [blame]1069 mbedtls_ssl_key_cert *key_cert, *key_cert_list;
XiaokangQian81802f42022-06-10 13:25:22 +0000[diff] [blame]1070 const uint16_t *sig_alg = ssl->handshake->received_sig_algs;
XiaokangQian23c5be62022-06-07 02:04:34 +0000[diff] [blame]1071
1072#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1073 if (ssl->handshake->sni_key_cert != NULL) {
XiaokangQianfb665a82022-06-15 03:57:21 +0000[diff] [blame]1074 key_cert_list = ssl->handshake->sni_key_cert;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1075 } else
XiaokangQian23c5be62022-06-07 02:04:34 +0000[diff] [blame]1076#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1077 key_cert_list = ssl->conf->key_cert;
XiaokangQian23c5be62022-06-07 02:04:34 +0000[diff] [blame]1078
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1079 if (key_cert_list == NULL) {
1080 MBEDTLS_SSL_DEBUG_MSG(3, ("server has no certificate"));
1081 return -1;
XiaokangQian23c5be62022-06-07 02:04:34 +0000[diff] [blame]1082 }
1083
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1084 for (; *sig_alg != MBEDTLS_TLS1_3_SIG_NONE; sig_alg++) {
1085 if (!mbedtls_ssl_sig_alg_is_offered(ssl, *sig_alg)) {
Ronald Cron67ea2542022-09-15 17:34:42 +0200[diff] [blame]1086 continue;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1087 }
Ronald Cron67ea2542022-09-15 17:34:42 +0200[diff] [blame]1088
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1089 if (!mbedtls_ssl_tls13_sig_alg_for_cert_verify_is_supported(*sig_alg)) {
Ronald Cron67ea2542022-09-15 17:34:42 +0200[diff] [blame]1090 continue;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1091 }
Ronald Cron67ea2542022-09-15 17:34:42 +0200[diff] [blame]1092
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1093 for (key_cert = key_cert_list; key_cert != NULL;
1094 key_cert = key_cert->next) {
Ronald Cron67ea2542022-09-15 17:34:42 +0200[diff] [blame]1095#if defined(MBEDTLS_USE_PSA_CRYPTO)
1096 psa_algorithm_t psa_alg = PSA_ALG_NONE;
1097#endif /* MBEDTLS_USE_PSA_CRYPTO */
1098
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1099 MBEDTLS_SSL_DEBUG_CRT(3, "certificate (chain) candidate",
1100 key_cert->cert);
XiaokangQian81802f42022-06-10 13:25:22 +0000[diff] [blame]1101
1102 /*
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1103 * This avoids sending the client a cert it'll reject based on
1104 * keyUsage or other extensions.
1105 */
1106 if (mbedtls_x509_crt_check_key_usage(
1107 key_cert->cert, MBEDTLS_X509_KU_DIGITAL_SIGNATURE) != 0 ||
XiaokangQian81802f42022-06-10 13:25:22 +0000[diff] [blame]1108 mbedtls_x509_crt_check_extended_key_usage(
XiaokangQianfb665a82022-06-15 03:57:21 +0000[diff] [blame]1109 key_cert->cert, MBEDTLS_OID_SERVER_AUTH,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1110 MBEDTLS_OID_SIZE(MBEDTLS_OID_SERVER_AUTH)) != 0) {
1111 MBEDTLS_SSL_DEBUG_MSG(3, ("certificate mismatch: "
1112 "(extended) key usage extension"));
XiaokangQian81802f42022-06-10 13:25:22 +0000[diff] [blame]1113 continue;
1114 }
XiaokangQian23c5be62022-06-07 02:04:34 +0000[diff] [blame]1115
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1116 MBEDTLS_SSL_DEBUG_MSG(3,
1117 ("ssl_tls13_pick_key_cert:"
1118 "check signature algorithm %s [%04x]",
1119 mbedtls_ssl_sig_alg_to_str(*sig_alg),
1120 *sig_alg));
Ronald Cron67ea2542022-09-15 17:34:42 +0200[diff] [blame]1121#if defined(MBEDTLS_USE_PSA_CRYPTO)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1122 psa_alg = ssl_tls13_iana_sig_alg_to_psa_alg(*sig_alg);
Ronald Cron67ea2542022-09-15 17:34:42 +0200[diff] [blame]1123#endif /* MBEDTLS_USE_PSA_CRYPTO */
1124
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1125 if (mbedtls_ssl_tls13_check_sig_alg_cert_key_match(
1126 *sig_alg, &key_cert->cert->pk)
Ronald Cron67ea2542022-09-15 17:34:42 +0200[diff] [blame]1127#if defined(MBEDTLS_USE_PSA_CRYPTO)
1128 && psa_alg != PSA_ALG_NONE &&
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1129 mbedtls_pk_can_do_ext(&key_cert->cert->pk, psa_alg,
1130 PSA_KEY_USAGE_SIGN_HASH) == 1
Ronald Cron67ea2542022-09-15 17:34:42 +0200[diff] [blame]1131#endif /* MBEDTLS_USE_PSA_CRYPTO */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1132 ) {
XiaokangQianfb665a82022-06-15 03:57:21 +0000[diff] [blame]1133 ssl->handshake->key_cert = key_cert;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1134 MBEDTLS_SSL_DEBUG_MSG(3,
1135 ("ssl_tls13_pick_key_cert:"
1136 "selected signature algorithm"
1137 " %s [%04x]",
1138 mbedtls_ssl_sig_alg_to_str(*sig_alg),
1139 *sig_alg));
XiaokangQianfb665a82022-06-15 03:57:21 +0000[diff] [blame]1140 MBEDTLS_SSL_DEBUG_CRT(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1141 3, "selected certificate (chain)",
1142 ssl->handshake->key_cert->cert);
1143 return 0;
XiaokangQian81802f42022-06-10 13:25:22 +0000[diff] [blame]1144 }
XiaokangQian81802f42022-06-10 13:25:22 +0000[diff] [blame]1145 }
XiaokangQian23c5be62022-06-07 02:04:34 +0000[diff] [blame]1146 }
1147
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1148 MBEDTLS_SSL_DEBUG_MSG(2, ("ssl_tls13_pick_key_cert:"
1149 "no suitable certificate found"));
1150 return -1;
XiaokangQian23c5be62022-06-07 02:04:34 +0000[diff] [blame]1151}
XiaokangQian81802f42022-06-10 13:25:22 +0000[diff] [blame]1152#endif /* MBEDTLS_X509_CRT_PARSE_C &&
Ronald Cron928cbd32022-10-04 16:14:26 +0200[diff] [blame]1153 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
XiaokangQian23c5be62022-06-07 02:04:34 +0000[diff] [blame]1154
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]1155/*
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]1156 *
1157 * STATE HANDLING: ClientHello
1158 *
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]1159 * There are three possible classes of outcomes when parsing the ClientHello:
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]1160 *
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]1161 * 1) The ClientHello was well-formed and matched the server's configuration.
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]1162 *
1163 * In this case, the server progresses to sending its ServerHello.
1164 *
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]1165 * 2) The ClientHello was well-formed but didn't match the server's
1166 * configuration.
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]1167 *
1168 * For example, the client might not have offered a key share which
1169 * the server supports, or the server might require a cookie.
1170 *
1171 * In this case, the server sends a HelloRetryRequest.
1172 *
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]1173 * 3) The ClientHello was ill-formed
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]1174 *
1175 * In this case, we abort the handshake.
1176 *
1177 */
1178
1179/*
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]1180 * Structure of this message:
1181 *
XiaokangQiane8ff3502022-04-22 02:34:40 +0000[diff] [blame]1182 * uint16 ProtocolVersion;
1183 * opaque Random[32];
1184 * uint8 CipherSuite[2]; // Cryptographic suite selector
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]1185 *
XiaokangQiane8ff3502022-04-22 02:34:40 +0000[diff] [blame]1186 * struct {
1187 * ProtocolVersion legacy_version = 0x0303; // TLS v1.2
1188 * Random random;
1189 * opaque legacy_session_id<0..32>;
1190 * CipherSuite cipher_suites<2..2^16-2>;
1191 * opaque legacy_compression_methods<1..2^8-1>;
1192 * Extension extensions<8..2^16-1>;
1193 * } ClientHello;
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]1194 */
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]1195
1196#define SSL_CLIENT_HELLO_OK 0
1197#define SSL_CLIENT_HELLO_HRR_REQUIRED 1
1198
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1199MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1200static int ssl_tls13_parse_client_hello(mbedtls_ssl_context *ssl,
1201 const unsigned char *buf,
1202 const unsigned char *end)
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1203{
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]1204 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1205 const unsigned char *p = buf;
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]1206 size_t legacy_session_id_len;
XiaokangQian318dc762022-04-20 09:43:51 +0000[diff] [blame]1207 size_t cipher_suites_len;
XiaokangQian060d8672022-04-21 09:24:56 +0000[diff] [blame]1208 const unsigned char *cipher_suites_end;
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]1209 size_t extensions_len;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1210 const unsigned char *extensions_end;
Jerry Yuc4bf5d62022-10-29 09:08:47 +0800[diff] [blame]1211 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
Jerry Yu49ca9282022-05-05 11:05:22 +0800[diff] [blame]1212 int hrr_required = 0;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1213
Ronald Cron41a443a2022-10-04 16:38:25 +0200[diff] [blame]1214#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]1215 const unsigned char *cipher_suites;
Jerry Yu29d9faa2022-08-23 17:52:45 +0800[diff] [blame]1216 const unsigned char *pre_shared_key_ext = NULL;
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]1217 const unsigned char *pre_shared_key_ext_end = NULL;
Ronald Cron41a443a2022-10-04 16:38:25 +0200[diff] [blame]1218#endif
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1219
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1220 /*
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]1221 * ClientHello layout:
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1222 * 0 . 1 protocol version
XiaokangQiane8ff3502022-04-22 02:34:40 +0000[diff] [blame]1223 * 2 . 33 random bytes
XiaokangQianc5763b52022-04-02 03:34:37 +0000[diff] [blame]1224 * 34 . 34 session id length ( 1 byte )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1225 * 35 . 34+x session id
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1226 * .. . .. ciphersuite list length ( 2 bytes )
1227 * .. . .. ciphersuite list
1228 * .. . .. compression alg. list length ( 1 byte )
1229 * .. . .. compression alg. list
1230 * .. . .. extensions length ( 2 bytes, optional )
1231 * .. . .. extensions ( optional )
1232 */
1233
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]1234 /*
bootstrap-prime6dbbf442022-05-17 19:30:44 -0400[diff] [blame]1235 * Minimal length ( with everything empty and extensions omitted ) is
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1236 * 2 + 32 + 1 + 2 + 1 = 38 bytes. Check that first, so that we can
1237 * read at least up to session id length without worrying.
1238 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1239 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 38);
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1240
1241 /* ...
1242 * ProtocolVersion legacy_version = 0x0303; // TLS 1.2
1243 * ...
1244 * with ProtocolVersion defined as:
1245 * uint16 ProtocolVersion;
1246 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1247 if (mbedtls_ssl_read_version(p, ssl->conf->transport) !=
1248 MBEDTLS_SSL_VERSION_TLS1_2) {
1249 MBEDTLS_SSL_DEBUG_MSG(1, ("Unsupported version of TLS."));
1250 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION,
1251 MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION);
1252 return MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1253 }
1254 p += 2;
1255
1256 /*
XiaokangQianf8ceb942022-04-15 11:43:27 +0000[diff] [blame]1257 * Only support TLS 1.3 currently, temporarily set the version.
1258 */
XiaokangQiande333912022-04-20 08:49:42 +0000[diff] [blame]1259 ssl->tls_version = MBEDTLS_SSL_VERSION_TLS1_3;
XiaokangQianf8ceb942022-04-15 11:43:27 +0000[diff] [blame]1260
Jerry Yue67bef42022-07-07 07:29:42 +0000[diff] [blame]1261#if defined(MBEDTLS_SSL_SESSION_TICKETS)
1262 /* Store minor version for later use with ticket serialization. */
1263 ssl->session_negotiate->tls_version = MBEDTLS_SSL_VERSION_TLS1_3;
Jerry Yua66fece2022-07-13 14:30:29 +0800[diff] [blame]1264 ssl->session_negotiate->endpoint = ssl->conf->endpoint;
Jerry Yufca4d572022-07-21 10:37:48 +0800[diff] [blame]1265#endif
Jerry Yue67bef42022-07-07 07:29:42 +0000[diff] [blame]1266
Jerry Yuc1be19f2022-04-23 16:11:39 +0800[diff] [blame]1267 /* ...
1268 * Random random;
1269 * ...
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]1270 * with Random defined as:
1271 * opaque Random[32];
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1272 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1273 MBEDTLS_SSL_DEBUG_BUF(3, "client hello, random bytes",
1274 p, MBEDTLS_CLIENT_HELLO_RANDOM_LEN);
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1275
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1276 memcpy(&handshake->randbytes[0], p, MBEDTLS_CLIENT_HELLO_RANDOM_LEN);
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]1277 p += MBEDTLS_CLIENT_HELLO_RANDOM_LEN;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1278
Jerry Yuc1be19f2022-04-23 16:11:39 +0800[diff] [blame]1279 /* ...
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]1280 * opaque legacy_session_id<0..32>;
Jerry Yuc1be19f2022-04-23 16:11:39 +0800[diff] [blame]1281 * ...
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1282 */
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]1283 legacy_session_id_len = p[0];
XiaokangQianc5763b52022-04-02 03:34:37 +0000[diff] [blame]1284 p++;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1285
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1286 if (legacy_session_id_len > sizeof(ssl->session_negotiate->id)) {
1287 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1288 return MBEDTLS_ERR_SSL_DECODE_ERROR;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1289 }
1290
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]1291 ssl->session_negotiate->id_len = legacy_session_id_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1292 MBEDTLS_SSL_DEBUG_BUF(3, "client hello, session id",
1293 p, legacy_session_id_len);
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]1294 /*
1295 * Check we have enough data for the legacy session identifier
Jerry Yue95c8af2022-07-26 15:48:20 +0800[diff] [blame]1296 * and the ciphersuite list length.
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]1297 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1298 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, legacy_session_id_len + 2);
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1299
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1300 memcpy(&ssl->session_negotiate->id[0], p, legacy_session_id_len);
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]1301 p += legacy_session_id_len;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1302
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1303 cipher_suites_len = MBEDTLS_GET_UINT16_BE(p, 0);
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1304 p += 2;
1305
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]1306 /* Check we have enough data for the ciphersuite list, the legacy
1307 * compression methods and the length of the extensions.
Jerry Yue95c8af2022-07-26 15:48:20 +0800[diff] [blame]1308 *
1309 * cipher_suites cipher_suites_len bytes
1310 * legacy_compression_methods 2 bytes
1311 * extensions_len 2 bytes
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]1312 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1313 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, cipher_suites_len + 2 + 2);
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1314
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1315 /* ...
1316 * CipherSuite cipher_suites<2..2^16-2>;
1317 * ...
1318 * with CipherSuite defined as:
1319 * uint8 CipherSuite[2];
1320 */
Ronald Cron41a443a2022-10-04 16:38:25 +0200[diff] [blame]1321#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
XiaokangQian060d8672022-04-21 09:24:56 +0000[diff] [blame]1322 cipher_suites = p;
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]1323#endif
XiaokangQian060d8672022-04-21 09:24:56 +0000[diff] [blame]1324 cipher_suites_end = p + cipher_suites_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1325 MBEDTLS_SSL_DEBUG_BUF(3, "client hello, ciphersuitelist",
1326 p, cipher_suites_len);
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]1327
1328 /*
1329 * Search for a matching ciphersuite
1330 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1331 for (; p < cipher_suites_end; p += 2) {
XiaokangQiane8ff3502022-04-22 02:34:40 +0000[diff] [blame]1332 uint16_t cipher_suite;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1333 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]1334
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1335 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, cipher_suites_end, 2);
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]1336
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1337 cipher_suite = MBEDTLS_GET_UINT16_BE(p, 0);
Jerry Yuc5a23a02022-08-25 10:51:44 +0800[diff] [blame]1338 ciphersuite_info = ssl_tls13_validate_peer_ciphersuite(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1339 ssl, cipher_suite);
1340 if (ciphersuite_info == NULL) {
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]1341 continue;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1342 }
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]1343
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]1344 ssl->session_negotiate->ciphersuite = cipher_suite;
Jerry Yuc4bf5d62022-10-29 09:08:47 +0800[diff] [blame]1345 handshake->ciphersuite_info = ciphersuite_info;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1346 MBEDTLS_SSL_DEBUG_MSG(2, ("selected ciphersuite: %04x - %s",
1347 cipher_suite,
1348 ciphersuite_info->name));
XiaokangQian17f974c2022-04-19 09:57:41 +0000[diff] [blame]1349 }
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]1350
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1351 if (handshake->ciphersuite_info == NULL) {
1352 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
1353 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE);
1354 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]1355 }
Jerry Yuc1be19f2022-04-23 16:11:39 +0800[diff] [blame]1356
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]1357 /* ...
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]1358 * opaque legacy_compression_methods<1..2^8-1>;
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]1359 * ...
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1360 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1361 if (p[0] != 1 || p[1] != MBEDTLS_SSL_COMPRESS_NULL) {
1362 MBEDTLS_SSL_DEBUG_MSG(1, ("bad legacy compression method"));
1363 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
1364 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
1365 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1366 }
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]1367 p += 2;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1368
Jerry Yuc1be19f2022-04-23 16:11:39 +0800[diff] [blame]1369 /* ...
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]1370 * Extension extensions<8..2^16-1>;
Jerry Yuc1be19f2022-04-23 16:11:39 +0800[diff] [blame]1371 * ...
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]1372 * with Extension defined as:
1373 * struct {
1374 * ExtensionType extension_type;
1375 * opaque extension_data<0..2^16-1>;
1376 * } Extension;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1377 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1378 extensions_len = MBEDTLS_GET_UINT16_BE(p, 0);
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1379 p += 2;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1380 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, extensions_len);
XiaokangQiane8ff3502022-04-22 02:34:40 +0000[diff] [blame]1381 extensions_end = p + extensions_len;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1382
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1383 MBEDTLS_SSL_DEBUG_BUF(3, "client hello extensions", p, extensions_len);
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1384
Jerry Yu63a459c2022-10-31 13:38:40 +0800[diff] [blame]1385 handshake->received_extensions = MBEDTLS_SSL_EXT_MASK_NONE;
Jerry Yu0c354a22022-08-29 15:25:36 +0800[diff] [blame]1386
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1387 while (p < extensions_end) {
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1388 unsigned int extension_type;
1389 size_t extension_data_len;
1390 const unsigned char *extension_data_end;
1391
Jerry Yu0c354a22022-08-29 15:25:36 +0800[diff] [blame]1392 /* RFC 8446, section 4.2.11
Jerry Yu1c9247c2022-07-21 12:37:39 +0800[diff] [blame]1393 *
1394 * The "pre_shared_key" extension MUST be the last extension in the
1395 * ClientHello (this facilitates implementation as described below).
1396 * Servers MUST check that it is the last extension and otherwise fail
1397 * the handshake with an "illegal_parameter" alert.
1398 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1399 if (handshake->received_extensions & MBEDTLS_SSL_EXT_MASK(PRE_SHARED_KEY)) {
Jerry Yu1c9247c2022-07-21 12:37:39 +0800[diff] [blame]1400 MBEDTLS_SSL_DEBUG_MSG(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1401 3, ("pre_shared_key is not last extension."));
Jerry Yu1c9247c2022-07-21 12:37:39 +0800[diff] [blame]1402 MBEDTLS_SSL_PEND_FATAL_ALERT(
1403 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1404 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
1405 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Jerry Yu1c9247c2022-07-21 12:37:39 +0800[diff] [blame]1406 }
1407
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1408 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, extensions_end, 4);
1409 extension_type = MBEDTLS_GET_UINT16_BE(p, 0);
1410 extension_data_len = MBEDTLS_GET_UINT16_BE(p, 2);
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1411 p += 4;
1412
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1413 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, extensions_end, extension_data_len);
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1414 extension_data_end = p + extension_data_len;
1415
Jerry Yuc4bf5d62022-10-29 09:08:47 +0800[diff] [blame]1416 ret = mbedtls_ssl_tls13_check_received_extension(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1417 ssl, MBEDTLS_SSL_HS_CLIENT_HELLO, extension_type,
1418 MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CH);
1419 if (ret != 0) {
1420 return ret;
1421 }
Jerry Yue18dc7e2022-08-04 16:29:22 +0800[diff] [blame]1422
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1423 switch (extension_type) {
XiaokangQian40a35232022-05-07 09:02:40 +0000[diff] [blame]1424#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
1425 case MBEDTLS_TLS_EXT_SERVERNAME:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1426 MBEDTLS_SSL_DEBUG_MSG(3, ("found ServerName extension"));
1427 ret = mbedtls_ssl_parse_server_name_ext(ssl, p,
1428 extension_data_end);
1429 if (ret != 0) {
XiaokangQian40a35232022-05-07 09:02:40 +0000[diff] [blame]1430 MBEDTLS_SSL_DEBUG_RET(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1431 1, "mbedtls_ssl_parse_servername_ext", ret);
1432 return ret;
XiaokangQian40a35232022-05-07 09:02:40 +0000[diff] [blame]1433 }
XiaokangQian40a35232022-05-07 09:02:40 +0000[diff] [blame]1434 break;
1435#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
1436
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]1437#if defined(MBEDTLS_ECDH_C)
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1438 case MBEDTLS_TLS_EXT_SUPPORTED_GROUPS:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1439 MBEDTLS_SSL_DEBUG_MSG(3, ("found supported group extension"));
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1440
1441 /* Supported Groups Extension
1442 *
1443 * When sent by the client, the "supported_groups" extension
1444 * indicates the named groups which the client supports,
1445 * ordered from most preferred to least preferred.
1446 */
Jerry Yuc1be19f2022-04-23 16:11:39 +0800[diff] [blame]1447 ret = ssl_tls13_parse_supported_groups_ext(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1448 ssl, p, extension_data_end);
1449 if (ret != 0) {
1450 MBEDTLS_SSL_DEBUG_RET(1,
1451 "mbedtls_ssl_parse_supported_groups_ext", ret);
1452 return ret;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1453 }
1454
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1455 break;
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]1456#endif /* MBEDTLS_ECDH_C */
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1457
XiaokangQian88408882022-04-02 10:15:03 +0000[diff] [blame]1458#if defined(MBEDTLS_ECDH_C)
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1459 case MBEDTLS_TLS_EXT_KEY_SHARE:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1460 MBEDTLS_SSL_DEBUG_MSG(3, ("found key share extension"));
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1461
1462 /*
1463 * Key Share Extension
1464 *
1465 * When sent by the client, the "key_share" extension
1466 * contains the endpoint's cryptographic parameters for
1467 * ECDHE/DHE key establishment methods.
1468 */
Jerry Yuc1be19f2022-04-23 16:11:39 +0800[diff] [blame]1469 ret = ssl_tls13_parse_key_shares_ext(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1470 ssl, p, extension_data_end);
1471 if (ret == SSL_TLS1_3_PARSE_KEY_SHARES_EXT_NO_MATCH) {
1472 MBEDTLS_SSL_DEBUG_MSG(2, ("HRR needed "));
Jerry Yu49ca9282022-05-05 11:05:22 +0800[diff] [blame]1473 hrr_required = 1;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1474 }
1475
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1476 if (ret < 0) {
Jerry Yu582dd062022-04-22 21:59:01 +0800[diff] [blame]1477 MBEDTLS_SSL_DEBUG_RET(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1478 1, "ssl_tls13_parse_key_shares_ext", ret);
1479 return ret;
Jerry Yu582dd062022-04-22 21:59:01 +0800[diff] [blame]1480 }
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1481
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1482 break;
XiaokangQian88408882022-04-02 10:15:03 +0000[diff] [blame]1483#endif /* MBEDTLS_ECDH_C */
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1484
1485 case MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1486 MBEDTLS_SSL_DEBUG_MSG(3, ("found supported versions extension"));
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1487
1488 ret = ssl_tls13_parse_supported_versions_ext(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1489 ssl, p, extension_data_end);
1490 if (ret != 0) {
1491 MBEDTLS_SSL_DEBUG_RET(1,
1492 ("ssl_tls13_parse_supported_versions_ext"), ret);
1493 return ret;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1494 }
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1495 break;
1496
Ronald Cron41a443a2022-10-04 16:38:25 +0200[diff] [blame]1497#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
Jerry Yue19e3b92022-07-08 12:04:51 +0000[diff] [blame]1498 case MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1499 MBEDTLS_SSL_DEBUG_MSG(3, ("found psk key exchange modes extension"));
Jerry Yue19e3b92022-07-08 12:04:51 +0000[diff] [blame]1500
1501 ret = ssl_tls13_parse_key_exchange_modes_ext(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1502 ssl, p, extension_data_end);
1503 if (ret != 0) {
Jerry Yue19e3b92022-07-08 12:04:51 +0000[diff] [blame]1504 MBEDTLS_SSL_DEBUG_RET(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1505 1, "ssl_tls13_parse_key_exchange_modes_ext", ret);
1506 return ret;
Jerry Yue19e3b92022-07-08 12:04:51 +0000[diff] [blame]1507 }
1508
Jerry Yue19e3b92022-07-08 12:04:51 +0000[diff] [blame]1509 break;
Ronald Cron41a443a2022-10-04 16:38:25 +0200[diff] [blame]1510#endif
Jerry Yue19e3b92022-07-08 12:04:51 +0000[diff] [blame]1511
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]1512 case MBEDTLS_TLS_EXT_PRE_SHARED_KEY:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1513 MBEDTLS_SSL_DEBUG_MSG(3, ("found pre_shared_key extension"));
1514 if ((handshake->received_extensions &
1515 MBEDTLS_SSL_EXT_MASK(PSK_KEY_EXCHANGE_MODES)) == 0) {
Jerry Yu13ab81d2022-07-22 23:17:11 +0800[diff] [blame]1516 MBEDTLS_SSL_PEND_FATAL_ALERT(
1517 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1518 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
1519 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Jerry Yu13ab81d2022-07-22 23:17:11 +0800[diff] [blame]1520 }
Ronald Cron41a443a2022-10-04 16:38:25 +0200[diff] [blame]1521#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]1522 /* Delay processing of the PSK identity once we have
1523 * found out which algorithms to use. We keep a pointer
1524 * to the buffer and the size for later processing.
1525 */
Jerry Yu29d9faa2022-08-23 17:52:45 +0800[diff] [blame]1526 pre_shared_key_ext = p;
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]1527 pre_shared_key_ext_end = extension_data_end;
Jerry Yue18dc7e2022-08-04 16:29:22 +0800[diff] [blame]1528#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]1529 break;
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]1530
XiaokangQianacb39922022-06-17 10:18:48 +0000[diff] [blame]1531#if defined(MBEDTLS_SSL_ALPN)
1532 case MBEDTLS_TLS_EXT_ALPN:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1533 MBEDTLS_SSL_DEBUG_MSG(3, ("found alpn extension"));
XiaokangQianacb39922022-06-17 10:18:48 +0000[diff] [blame]1534
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1535 ret = mbedtls_ssl_parse_alpn_ext(ssl, p, extension_data_end);
1536 if (ret != 0) {
XiaokangQianacb39922022-06-17 10:18:48 +0000[diff] [blame]1537 MBEDTLS_SSL_DEBUG_RET(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1538 1, ("mbedtls_ssl_parse_alpn_ext"), ret);
1539 return ret;
XiaokangQianacb39922022-06-17 10:18:48 +0000[diff] [blame]1540 }
XiaokangQianacb39922022-06-17 10:18:48 +0000[diff] [blame]1541 break;
1542#endif /* MBEDTLS_SSL_ALPN */
1543
Ronald Cron928cbd32022-10-04 16:14:26 +0200[diff] [blame]1544#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1545 case MBEDTLS_TLS_EXT_SIG_ALG:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1546 MBEDTLS_SSL_DEBUG_MSG(3, ("found signature_algorithms extension"));
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1547
Gabor Mezei078e8032022-04-27 21:17:56 +0200[diff] [blame]1548 ret = mbedtls_ssl_parse_sig_alg_ext(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1549 ssl, p, extension_data_end);
1550 if (ret != 0) {
1551 MBEDTLS_SSL_DEBUG_MSG(1,
1552 (
1553 "ssl_parse_supported_signature_algorithms_server_ext ( %d )",
1554 ret));
1555 return ret;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1556 }
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1557 break;
Ronald Cron928cbd32022-10-04 16:14:26 +0200[diff] [blame]1558#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1559
1560 default:
Jerry Yu79aa7212022-11-08 21:30:21 +0800[diff] [blame]1561 MBEDTLS_SSL_PRINT_EXT(
Jerry Yu63a459c2022-10-31 13:38:40 +0800[diff] [blame]1562 3, MBEDTLS_SSL_HS_CLIENT_HELLO,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1563 extension_type, "( ignored )");
Jerry Yu0c354a22022-08-29 15:25:36 +0800[diff] [blame]1564 break;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1565 }
1566
1567 p += extension_data_len;
1568 }
1569
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1570 MBEDTLS_SSL_PRINT_EXTS(3, MBEDTLS_SSL_HS_CLIENT_HELLO,
1571 handshake->received_extensions);
Jerry Yue18dc7e2022-08-04 16:29:22 +0800[diff] [blame]1572
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1573 mbedtls_ssl_add_hs_hdr_to_checksum(ssl,
1574 MBEDTLS_SSL_HS_CLIENT_HELLO,
1575 p - buf);
Jerry Yu032b15ce2022-07-11 06:10:03 +0000[diff] [blame]1576
Ronald Cron41a443a2022-10-04 16:38:25 +0200[diff] [blame]1577#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1578 /* Update checksum with either
1579 * - The entire content of the CH message, if no PSK extension is present
1580 * - The content up to but excluding the PSK extension, if present.
1581 */
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]1582 /* If we've settled on a PSK-based exchange, parse PSK identity ext */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1583 if (mbedtls_ssl_tls13_some_psk_enabled(ssl) &&
1584 mbedtls_ssl_conf_tls13_some_psk_enabled(ssl) &&
1585 (handshake->received_extensions & MBEDTLS_SSL_EXT_MASK(PRE_SHARED_KEY))) {
1586 handshake->update_checksum(ssl, buf,
1587 pre_shared_key_ext - buf);
1588 ret = ssl_tls13_parse_pre_shared_key_ext(ssl,
1589 pre_shared_key_ext,
1590 pre_shared_key_ext_end,
1591 cipher_suites,
1592 cipher_suites_end);
1593 if (ret == MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY) {
1594 handshake->received_extensions &= ~MBEDTLS_SSL_EXT_MASK(PRE_SHARED_KEY);
1595 } else if (ret != 0) {
Jerry Yu63a459c2022-10-31 13:38:40 +0800[diff] [blame]1596 MBEDTLS_SSL_DEBUG_RET(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1597 1, "ssl_tls13_parse_pre_shared_key_ext", ret);
1598 return ret;
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]1599 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1600 } else
Ronald Cron41a443a2022-10-04 16:38:25 +0200[diff] [blame]1601#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]1602 {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1603 handshake->update_checksum(ssl, buf, p - buf);
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]1604 }
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1605
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1606 ret = ssl_tls13_determine_key_exchange_mode(ssl);
1607 if (ret < 0) {
1608 return ret;
1609 }
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1610
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1611 mbedtls_ssl_optimize_checksum(ssl, handshake->ciphersuite_info);
Jerry Yue5834fd2022-08-29 20:16:09 +0800[diff] [blame]1612
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1613 return hrr_required ? SSL_CLIENT_HELLO_HRR_REQUIRED : SSL_CLIENT_HELLO_OK;
XiaokangQian75fe8c72022-06-15 09:42:45 +0000[diff] [blame]1614}
1615
1616/* Update the handshake state machine */
1617
Ronald Cronce7d76e2022-07-08 18:56:49 +0200[diff] [blame]1618MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1619static int ssl_tls13_postprocess_client_hello(mbedtls_ssl_context *ssl)
XiaokangQian75fe8c72022-06-15 09:42:45 +0000[diff] [blame]1620{
1621 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1622
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1623 /*
XiaokangQianfb665a82022-06-15 03:57:21 +0000[diff] [blame]1624 * Server certificate selection
1625 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1626 if (ssl->conf->f_cert_cb && (ret = ssl->conf->f_cert_cb(ssl)) != 0) {
1627 MBEDTLS_SSL_DEBUG_RET(1, "f_cert_cb", ret);
1628 return ret;
XiaokangQianfb665a82022-06-15 03:57:21 +0000[diff] [blame]1629 }
1630#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
1631 ssl->handshake->sni_name = NULL;
1632 ssl->handshake->sni_name_len = 0;
1633#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1634
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1635 ret = mbedtls_ssl_tls13_key_schedule_stage_early(ssl);
1636 if (ret != 0) {
1637 MBEDTLS_SSL_DEBUG_RET(1,
1638 "mbedtls_ssl_tls1_3_key_schedule_stage_early", ret);
1639 return ret;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1640 }
1641
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1642 return 0;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1643
1644}
1645
1646/*
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]1647 * Main entry point from the state machine; orchestrates the otherfunctions.
1648 */
1649
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1650MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1651static int ssl_tls13_process_client_hello(mbedtls_ssl_context *ssl)
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]1652{
1653
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]1654 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1655 unsigned char *buf = NULL;
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]1656 size_t buflen = 0;
Jerry Yu4ca91402022-05-09 15:50:57 +0800[diff] [blame]1657 int parse_client_hello_ret;
1658
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1659 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse client hello"));
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]1660
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1661 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_tls13_fetch_handshake_msg(
1662 ssl, MBEDTLS_SSL_HS_CLIENT_HELLO,
1663 &buf, &buflen));
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]1664
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1665 MBEDTLS_SSL_PROC_CHK_NEG(ssl_tls13_parse_client_hello(ssl, buf,
1666 buf + buflen));
Jerry Yuf41553b2022-05-09 22:20:30 +0800[diff] [blame]1667 parse_client_hello_ret = ret; /* Store return value of parse_client_hello,
1668 * only SSL_CLIENT_HELLO_OK or
1669 * SSL_CLIENT_HELLO_HRR_REQUIRED at this
1670 * stage as negative error codes are handled
1671 * by MBEDTLS_SSL_PROC_CHK_NEG. */
Jerry Yu4ca91402022-05-09 15:50:57 +0800[diff] [blame]1672
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1673 MBEDTLS_SSL_PROC_CHK(ssl_tls13_postprocess_client_hello(ssl));
Jerry Yu582dd062022-04-22 21:59:01 +0800[diff] [blame]1674
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1675 if (parse_client_hello_ret == SSL_CLIENT_HELLO_OK) {
1676 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_HELLO);
1677 } else {
1678 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HELLO_RETRY_REQUEST);
1679 }
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]1680
1681cleanup:
1682
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1683 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse client hello"));
1684 return ret;
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]1685}
1686
1687/*
Jerry Yu1c3e6882022-04-20 21:23:40 +0800[diff] [blame]1688 * Handler for MBEDTLS_SSL_SERVER_HELLO
Jerry Yu5b64ae92022-03-30 17:15:02 +0800[diff] [blame]1689 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1690MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1691static int ssl_tls13_prepare_server_hello(mbedtls_ssl_context *ssl)
Jerry Yuf4b27e42022-03-30 17:32:21 +0800[diff] [blame]1692{
Jerry Yu637a3f12022-04-20 21:37:58 +0800[diff] [blame]1693 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1694 unsigned char *server_randbytes =
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1695 ssl->handshake->randbytes + MBEDTLS_CLIENT_HELLO_RANDOM_LEN;
1696 if (ssl->conf->f_rng == NULL) {
1697 MBEDTLS_SSL_DEBUG_MSG(1, ("no RNG provided"));
1698 return MBEDTLS_ERR_SSL_NO_RNG;
Jerry Yuf4b27e42022-03-30 17:32:21 +0800[diff] [blame]1699 }
1700
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1701 if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, server_randbytes,
1702 MBEDTLS_SERVER_HELLO_RANDOM_LEN)) != 0) {
1703 MBEDTLS_SSL_DEBUG_RET(1, "f_rng", ret);
1704 return ret;
Jerry Yuf4b27e42022-03-30 17:32:21 +0800[diff] [blame]1705 }
1706
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1707 MBEDTLS_SSL_DEBUG_BUF(3, "server hello, random bytes", server_randbytes,
1708 MBEDTLS_SERVER_HELLO_RANDOM_LEN);
Jerry Yuf4b27e42022-03-30 17:32:21 +0800[diff] [blame]1709
1710#if defined(MBEDTLS_HAVE_TIME)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1711 ssl->session_negotiate->start = time(NULL);
Jerry Yuf4b27e42022-03-30 17:32:21 +0800[diff] [blame]1712#endif /* MBEDTLS_HAVE_TIME */
1713
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1714 return ret;
Jerry Yuf4b27e42022-03-30 17:32:21 +0800[diff] [blame]1715}
1716
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1717/*
Jerry Yue74e04a2022-04-21 09:23:16 +0800[diff] [blame]1718 * ssl_tls13_write_server_hello_supported_versions_ext ():
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1719 *
1720 * struct {
Jerry Yufb9f54d2022-04-06 10:08:34 +0800[diff] [blame]1721 * ProtocolVersion selected_version;
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1722 * } SupportedVersions;
1723 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1724MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yue74e04a2022-04-21 09:23:16 +0800[diff] [blame]1725static int ssl_tls13_write_server_hello_supported_versions_ext(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1726 mbedtls_ssl_context *ssl,
1727 unsigned char *buf,
1728 unsigned char *end,
1729 size_t *out_len)
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1730{
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1731 *out_len = 0;
1732
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1733 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, write selected version"));
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1734
1735 /* Check if we have space to write the extension:
1736 * - extension_type (2 bytes)
1737 * - extension_data_length (2 bytes)
Jerry Yu349a6132022-04-14 20:52:56 +0800[diff] [blame]1738 * - selected_version (2 bytes)
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1739 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1740 MBEDTLS_SSL_CHK_BUF_PTR(buf, end, 6);
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1741
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1742 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS, buf, 0);
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1743
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1744 MBEDTLS_PUT_UINT16_BE(2, buf, 2);
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1745
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1746 mbedtls_ssl_write_version(buf + 4,
1747 ssl->conf->transport,
1748 ssl->tls_version);
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1749
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1750 MBEDTLS_SSL_DEBUG_MSG(3, ("supported version: [%04x]",
1751 ssl->tls_version));
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1752
Jerry Yu349a6132022-04-14 20:52:56 +0800[diff] [blame]1753 *out_len = 6;
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1754
Jerry Yub95dd362022-11-08 21:19:34 +0800[diff] [blame]1755 mbedtls_ssl_tls13_set_hs_sent_ext_mask(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1756 ssl, MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS);
Jerry Yub95dd362022-11-08 21:19:34 +0800[diff] [blame]1757
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1758 return 0;
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1759}
1760
Jerry Yud9436a12022-04-20 22:28:09 +0800[diff] [blame]1761
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1762
1763/* Generate and export a single key share. For hybrid KEMs, this can
1764 * be called multiple times with the different components of the hybrid. */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1765MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1766static int ssl_tls13_generate_and_write_key_share(mbedtls_ssl_context *ssl,
1767 uint16_t named_group,
1768 unsigned char *buf,
1769 unsigned char *end,
1770 size_t *out_len)
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1771{
1772 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yu955ddd72022-04-22 22:27:33 +0800[diff] [blame]1773
1774 *out_len = 0;
1775
Jerry Yu89e103c2022-03-30 22:43:29 +0800[diff] [blame]1776#if defined(MBEDTLS_ECDH_C)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1777 if (mbedtls_ssl_tls13_named_group_is_ecdhe(named_group)) {
Jerry Yu89e103c2022-03-30 22:43:29 +0800[diff] [blame]1778 ret = mbedtls_ssl_tls13_generate_and_write_ecdh_key_exchange(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1779 ssl, named_group, buf, end, out_len);
1780 if (ret != 0) {
Jerry Yu89e103c2022-03-30 22:43:29 +0800[diff] [blame]1781 MBEDTLS_SSL_DEBUG_RET(
1782 1, "mbedtls_ssl_tls13_generate_and_write_ecdh_key_exchange",
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1783 ret);
1784 return ret;
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1785 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1786 } else
Jerry Yu89e103c2022-03-30 22:43:29 +0800[diff] [blame]1787#endif /* MBEDTLS_ECDH_C */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1788 if (0 /* Other kinds of KEMs */) {
1789 } else {
Jerry Yu955ddd72022-04-22 22:27:33 +0800[diff] [blame]1790 ((void) ssl);
1791 ((void) named_group);
1792 ((void) buf);
1793 ((void) end);
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1794 ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
1795 }
1796
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1797 return ret;
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1798}
1799
1800/*
1801 * ssl_tls13_write_key_share_ext
1802 *
1803 * Structure of key_share extension in ServerHello:
1804 *
Jerry Yu1c3e6882022-04-20 21:23:40 +0800[diff] [blame]1805 * struct {
1806 * NamedGroup group;
1807 * opaque key_exchange<1..2^16-1>;
1808 * } KeyShareEntry;
1809 * struct {
1810 * KeyShareEntry server_share;
1811 * } KeyShareServerHello;
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1812 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1813MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1814static int ssl_tls13_write_key_share_ext(mbedtls_ssl_context *ssl,
1815 unsigned char *buf,
1816 unsigned char *end,
1817 size_t *out_len)
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1818{
Jerry Yu955ddd72022-04-22 22:27:33 +0800[diff] [blame]1819 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1820 unsigned char *p = buf;
Jerry Yu57d48412022-04-20 21:50:42 +0800[diff] [blame]1821 uint16_t group = ssl->handshake->offered_group_id;
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1822 unsigned char *server_share = buf + 4;
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1823 size_t key_exchange_length;
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1824
1825 *out_len = 0;
1826
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1827 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding key share extension"));
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1828
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1829 MBEDTLS_SSL_DEBUG_MSG(2, ("server hello, write selected_group: %s (%04x)",
1830 mbedtls_ssl_named_group_to_str(group),
1831 group));
Jerry Yu58af2332022-09-06 11:19:31 +0800[diff] [blame]1832
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1833 /* Check if we have space for header and length fields:
1834 * - extension_type (2 bytes)
1835 * - extension_data_length (2 bytes)
1836 * - group (2 bytes)
1837 * - key_exchange_length (2 bytes)
1838 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1839 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 8);
1840 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_KEY_SHARE, p, 0);
1841 MBEDTLS_PUT_UINT16_BE(group, server_share, 0);
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1842 p += 8;
Jerry Yu57d48412022-04-20 21:50:42 +0800[diff] [blame]1843
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1844 /* When we introduce PQC-ECDHE hybrids, we'll want to call this
1845 * function multiple times. */
Jerry Yu955ddd72022-04-22 22:27:33 +0800[diff] [blame]1846 ret = ssl_tls13_generate_and_write_key_share(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1847 ssl, group, server_share + 4, end, &key_exchange_length);
1848 if (ret != 0) {
1849 return ret;
1850 }
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1851 p += key_exchange_length;
Jerry Yuc1be19f2022-04-23 16:11:39 +0800[diff] [blame]1852
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1853 MBEDTLS_PUT_UINT16_BE(key_exchange_length, server_share + 2, 0);
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1854
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1855 MBEDTLS_PUT_UINT16_BE(p - server_share, buf, 2);
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1856
Jerry Yu57d48412022-04-20 21:50:42 +0800[diff] [blame]1857 *out_len = p - buf;
Jerry Yu955ddd72022-04-22 22:27:33 +0800[diff] [blame]1858
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1859 mbedtls_ssl_tls13_set_hs_sent_ext_mask(ssl, MBEDTLS_TLS_EXT_KEY_SHARE);
Jerry Yub95dd362022-11-08 21:19:34 +0800[diff] [blame]1860
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1861 return 0;
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1862}
Jerry Yud9436a12022-04-20 22:28:09 +0800[diff] [blame]1863
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1864MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1865static int ssl_tls13_write_hrr_key_share_ext(mbedtls_ssl_context *ssl,
1866 unsigned char *buf,
1867 unsigned char *end,
1868 size_t *out_len)
Jerry Yu23f7a6f2022-04-23 15:16:45 +0800[diff] [blame]1869{
1870 uint16_t selected_group = ssl->handshake->hrr_selected_group;
1871 /* key_share Extension
1872 *
1873 * struct {
1874 * select (Handshake.msg_type) {
1875 * ...
1876 * case hello_retry_request:
1877 * NamedGroup selected_group;
1878 * ...
1879 * };
1880 * } KeyShare;
1881 */
1882
1883 *out_len = 0;
1884
Jerry Yub0ac10b2022-05-05 11:10:08 +0800[diff] [blame]1885 /*
1886 * For a pure PSK key exchange, there is no group to agree upon. The purpose
1887 * of the HRR is then to transmit a cookie to force the client to demonstrate
1888 * reachability at their apparent network address (primarily useful for DTLS).
1889 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1890 if (!mbedtls_ssl_tls13_key_exchange_mode_with_ephemeral(ssl)) {
1891 return 0;
1892 }
Jerry Yu23f7a6f2022-04-23 15:16:45 +0800[diff] [blame]1893
1894 /* We should only send the key_share extension if the client's initial
1895 * key share was not acceptable. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1896 if (ssl->handshake->offered_group_id != 0) {
1897 MBEDTLS_SSL_DEBUG_MSG(4, ("Skip key_share extension in HRR"));
1898 return 0;
Jerry Yu23f7a6f2022-04-23 15:16:45 +0800[diff] [blame]1899 }
1900
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1901 if (selected_group == 0) {
1902 MBEDTLS_SSL_DEBUG_MSG(1, ("no matching named group found"));
1903 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Jerry Yu23f7a6f2022-04-23 15:16:45 +0800[diff] [blame]1904 }
1905
Jerry Yub0ac10b2022-05-05 11:10:08 +0800[diff] [blame]1906 /* Check if we have enough space:
1907 * - extension_type (2 bytes)
1908 * - extension_data_length (2 bytes)
1909 * - selected_group (2 bytes)
1910 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1911 MBEDTLS_SSL_CHK_BUF_PTR(buf, end, 6);
Jerry Yu23f7a6f2022-04-23 15:16:45 +0800[diff] [blame]1912
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1913 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_KEY_SHARE, buf, 0);
1914 MBEDTLS_PUT_UINT16_BE(2, buf, 2);
1915 MBEDTLS_PUT_UINT16_BE(selected_group, buf, 4);
Jerry Yu23f7a6f2022-04-23 15:16:45 +0800[diff] [blame]1916
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1917 MBEDTLS_SSL_DEBUG_MSG(3,
1918 ("HRR selected_group: %s (%x)",
1919 mbedtls_ssl_named_group_to_str(selected_group),
1920 selected_group));
Jerry Yu23f7a6f2022-04-23 15:16:45 +0800[diff] [blame]1921
1922 *out_len = 6;
Jerry Yu23f7a6f2022-04-23 15:16:45 +0800[diff] [blame]1923
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1924 mbedtls_ssl_tls13_set_hs_sent_ext_mask(ssl, MBEDTLS_TLS_EXT_KEY_SHARE);
Jerry Yub95dd362022-11-08 21:19:34 +0800[diff] [blame]1925
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1926 return 0;
Jerry Yu23f7a6f2022-04-23 15:16:45 +0800[diff] [blame]1927}
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1928
1929/*
1930 * Structure of ServerHello message:
1931 *
1932 * struct {
1933 * ProtocolVersion legacy_version = 0x0303; // TLS v1.2
1934 * Random random;
1935 * opaque legacy_session_id_echo<0..32>;
1936 * CipherSuite cipher_suite;
1937 * uint8 legacy_compression_method = 0;
1938 * Extension extensions<6..2^16-1>;
1939 * } ServerHello;
1940 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1941MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1942static int ssl_tls13_write_server_hello_body(mbedtls_ssl_context *ssl,
1943 unsigned char *buf,
1944 unsigned char *end,
1945 size_t *out_len,
1946 int is_hrr)
Jerry Yu56404d72022-03-30 17:36:13 +0800[diff] [blame]1947{
Jerry Yu955ddd72022-04-22 22:27:33 +0800[diff] [blame]1948 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1949 unsigned char *p = buf;
Jerry Yud9436a12022-04-20 22:28:09 +0800[diff] [blame]1950 unsigned char *p_extensions_len;
Jerry Yufbe3e642022-04-25 19:31:51 +0800[diff] [blame]1951 size_t output_len;
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1952
1953 *out_len = 0;
Jerry Yu50e00e32022-10-31 14:45:01 +0800[diff] [blame]1954 ssl->handshake->sent_extensions = MBEDTLS_SSL_EXT_MASK_NONE;
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1955
Jerry Yucfc04b32022-04-21 09:31:58 +0800[diff] [blame]1956 /* ...
1957 * ProtocolVersion legacy_version = 0x0303; // TLS 1.2
1958 * ...
1959 * with ProtocolVersion defined as:
1960 * uint16 ProtocolVersion;
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1961 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1962 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2);
1963 MBEDTLS_PUT_UINT16_BE(0x0303, p, 0);
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1964 p += 2;
1965
Jerry Yu1c3e6882022-04-20 21:23:40 +0800[diff] [blame]1966 /* ...
1967 * Random random;
1968 * ...
Jerry Yucfc04b32022-04-21 09:31:58 +0800[diff] [blame]1969 * with Random defined as:
1970 * opaque Random[MBEDTLS_SERVER_HELLO_RANDOM_LEN];
Jerry Yu1c3e6882022-04-20 21:23:40 +0800[diff] [blame]1971 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1972 MBEDTLS_SSL_CHK_BUF_PTR(p, end, MBEDTLS_SERVER_HELLO_RANDOM_LEN);
1973 if (is_hrr) {
1974 memcpy(p, mbedtls_ssl_tls13_hello_retry_request_magic,
1975 MBEDTLS_SERVER_HELLO_RANDOM_LEN);
1976 } else {
1977 memcpy(p, &ssl->handshake->randbytes[MBEDTLS_CLIENT_HELLO_RANDOM_LEN],
1978 MBEDTLS_SERVER_HELLO_RANDOM_LEN);
Jerry Yu23f7a6f2022-04-23 15:16:45 +0800[diff] [blame]1979 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1980 MBEDTLS_SSL_DEBUG_BUF(3, "server hello, random bytes",
1981 p, MBEDTLS_SERVER_HELLO_RANDOM_LEN);
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1982 p += MBEDTLS_SERVER_HELLO_RANDOM_LEN;
1983
Jerry Yucfc04b32022-04-21 09:31:58 +0800[diff] [blame]1984 /* ...
1985 * opaque legacy_session_id_echo<0..32>;
1986 * ...
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1987 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1988 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 1 + ssl->session_negotiate->id_len);
1989 *p++ = (unsigned char) ssl->session_negotiate->id_len;
1990 if (ssl->session_negotiate->id_len > 0) {
1991 memcpy(p, &ssl->session_negotiate->id[0],
1992 ssl->session_negotiate->id_len);
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1993 p += ssl->session_negotiate->id_len;
Jerry Yu955ddd72022-04-22 22:27:33 +0800[diff] [blame]1994
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1995 MBEDTLS_SSL_DEBUG_BUF(3, "session id", ssl->session_negotiate->id,
1996 ssl->session_negotiate->id_len);
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1997 }
1998
Jerry Yucfc04b32022-04-21 09:31:58 +0800[diff] [blame]1999 /* ...
2000 * CipherSuite cipher_suite;
2001 * ...
2002 * with CipherSuite defined as:
2003 * uint8 CipherSuite[2];
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]2004 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2005 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2);
2006 MBEDTLS_PUT_UINT16_BE(ssl->session_negotiate->ciphersuite, p, 0);
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]2007 p += 2;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2008 MBEDTLS_SSL_DEBUG_MSG(3,
2009 ("server hello, chosen ciphersuite: %s ( id=%d )",
2010 mbedtls_ssl_get_ciphersuite_name(
2011 ssl->session_negotiate->ciphersuite),
2012 ssl->session_negotiate->ciphersuite));
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]2013
Jerry Yucfc04b32022-04-21 09:31:58 +0800[diff] [blame]2014 /* ...
2015 * uint8 legacy_compression_method = 0;
2016 * ...
2017 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2018 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 1);
Thomas Daubney31e03a82022-07-25 15:59:25 +0100[diff] [blame]2019 *p++ = MBEDTLS_SSL_COMPRESS_NULL;
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]2020
Jerry Yucfc04b32022-04-21 09:31:58 +0800[diff] [blame]2021 /* ...
2022 * Extension extensions<6..2^16-1>;
2023 * ...
2024 * struct {
2025 * ExtensionType extension_type; (2 bytes)
2026 * opaque extension_data<0..2^16-1>;
2027 * } Extension;
2028 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2029 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2);
Jerry Yud9436a12022-04-20 22:28:09 +0800[diff] [blame]2030 p_extensions_len = p;
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]2031 p += 2;
2032
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2033 if ((ret = ssl_tls13_write_server_hello_supported_versions_ext(
2034 ssl, p, end, &output_len)) != 0) {
Jerry Yu955ddd72022-04-22 22:27:33 +0800[diff] [blame]2035 MBEDTLS_SSL_DEBUG_RET(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2036 1, "ssl_tls13_write_server_hello_supported_versions_ext", ret);
2037 return ret;
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]2038 }
2039 p += output_len;
2040
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2041 if (mbedtls_ssl_tls13_key_exchange_mode_with_ephemeral(ssl)) {
2042 if (is_hrr) {
2043 ret = ssl_tls13_write_hrr_key_share_ext(ssl, p, end, &output_len);
2044 } else {
2045 ret = ssl_tls13_write_key_share_ext(ssl, p, end, &output_len);
2046 }
2047 if (ret != 0) {
2048 return ret;
2049 }
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]2050 p += output_len;
2051 }
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]2052
Ronald Cron41a443a2022-10-04 16:38:25 +0200[diff] [blame]2053#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2054 if (!is_hrr && mbedtls_ssl_tls13_key_exchange_mode_with_psk(ssl)) {
2055 ret = ssl_tls13_write_server_pre_shared_key_ext(ssl, p, end, &output_len);
2056 if (ret != 0) {
2057 MBEDTLS_SSL_DEBUG_RET(1, "ssl_tls13_write_server_pre_shared_key_ext",
2058 ret);
2059 return ret;
Jerry Yu032b15ce2022-07-11 06:10:03 +0000[diff] [blame]2060 }
2061 p += output_len;
2062 }
Ronald Cron41a443a2022-10-04 16:38:25 +0200[diff] [blame]2063#endif
Jerry Yu032b15ce2022-07-11 06:10:03 +0000[diff] [blame]2064
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2065 MBEDTLS_PUT_UINT16_BE(p - p_extensions_len - 2, p_extensions_len, 0);
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]2066
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2067 MBEDTLS_SSL_DEBUG_BUF(4, "server hello extensions",
2068 p_extensions_len, p - p_extensions_len);
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]2069
Jerry Yud9436a12022-04-20 22:28:09 +0800[diff] [blame]2070 *out_len = p - buf;
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]2071
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2072 MBEDTLS_SSL_DEBUG_BUF(3, "server hello", buf, *out_len);
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]2073
Jerry Yu7de2ff02022-11-08 21:43:46 +0800[diff] [blame]2074 MBEDTLS_SSL_PRINT_EXTS(
Jerry Yu4b8f2f72022-10-31 13:31:22 +0800[diff] [blame]2075 3, is_hrr ? MBEDTLS_SSL_TLS1_3_HS_HELLO_RETRY_REQUEST :
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2076 MBEDTLS_SSL_HS_SERVER_HELLO,
2077 ssl->handshake->sent_extensions);
Jerry Yu4b8f2f72022-10-31 13:31:22 +0800[diff] [blame]2078
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2079 return ret;
Jerry Yu56404d72022-03-30 17:36:13 +0800[diff] [blame]2080}
2081
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2082MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2083static int ssl_tls13_finalize_write_server_hello(mbedtls_ssl_context *ssl)
Jerry Yue110d252022-05-05 10:19:22 +0800[diff] [blame]2084{
2085 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2086 ret = mbedtls_ssl_tls13_compute_handshake_transform(ssl);
2087 if (ret != 0) {
2088 MBEDTLS_SSL_DEBUG_RET(1,
2089 "mbedtls_ssl_tls13_compute_handshake_transform",
2090 ret);
2091 return ret;
Jerry Yue110d252022-05-05 10:19:22 +0800[diff] [blame]2092 }
2093
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2094 return ret;
Jerry Yue110d252022-05-05 10:19:22 +0800[diff] [blame]2095}
2096
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2097MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2098static int ssl_tls13_write_server_hello(mbedtls_ssl_context *ssl)
Jerry Yu5b64ae92022-03-30 17:15:02 +0800[diff] [blame]2099{
Jerry Yu637a3f12022-04-20 21:37:58 +0800[diff] [blame]2100 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yuf4b27e42022-03-30 17:32:21 +0800[diff] [blame]2101 unsigned char *buf;
2102 size_t buf_len, msg_len;
2103
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2104 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write server hello"));
Jerry Yuf4b27e42022-03-30 17:32:21 +0800[diff] [blame]2105
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2106 MBEDTLS_SSL_PROC_CHK(ssl_tls13_prepare_server_hello(ssl));
Jerry Yuf4b27e42022-03-30 17:32:21 +0800[diff] [blame]2107
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2108 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_start_handshake_msg(ssl,
2109 MBEDTLS_SSL_HS_SERVER_HELLO, &buf,
2110 &buf_len));
Jerry Yuf4b27e42022-03-30 17:32:21 +0800[diff] [blame]2111
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2112 MBEDTLS_SSL_PROC_CHK(ssl_tls13_write_server_hello_body(ssl, buf,
2113 buf + buf_len,
2114 &msg_len,
2115 0));
Jerry Yuf4b27e42022-03-30 17:32:21 +0800[diff] [blame]2116
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]2117 mbedtls_ssl_add_hs_msg_to_checksum(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2118 ssl, MBEDTLS_SSL_HS_SERVER_HELLO, buf, msg_len);
Jerry Yuf4b27e42022-03-30 17:32:21 +0800[diff] [blame]2119
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2120 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_finish_handshake_msg(
2121 ssl, buf_len, msg_len));
Jerry Yu637a3f12022-04-20 21:37:58 +0800[diff] [blame]2122
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2123 MBEDTLS_SSL_PROC_CHK(ssl_tls13_finalize_write_server_hello(ssl));
Jerry Yue110d252022-05-05 10:19:22 +0800[diff] [blame]2124
Gabor Mezei7b39bf12022-05-24 16:04:14 +0200[diff] [blame]2125#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
2126 /* The server sends a dummy change_cipher_spec record immediately
2127 * after its first handshake message. This may either be after
2128 * a ServerHello or a HelloRetryRequest.
2129 */
Gabor Mezei96ae9262022-06-28 11:45:18 +0200[diff] [blame]2130 mbedtls_ssl_handshake_set_state(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2131 ssl, MBEDTLS_SSL_SERVER_CCS_AFTER_SERVER_HELLO);
Gabor Mezei7b39bf12022-05-24 16:04:14 +0200[diff] [blame]2132#else
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2133 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_ENCRYPTED_EXTENSIONS);
Gabor Mezei7b39bf12022-05-24 16:04:14 +0200[diff] [blame]2134#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
Jerry Yue110d252022-05-05 10:19:22 +0800[diff] [blame]2135
Jerry Yuf4b27e42022-03-30 17:32:21 +0800[diff] [blame]2136cleanup:
2137
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2138 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write server hello"));
2139 return ret;
Jerry Yu5b64ae92022-03-30 17:15:02 +0800[diff] [blame]2140}
2141
Jerry Yu23d1a252022-05-12 18:08:59 +0800[diff] [blame]2142
2143/*
2144 * Handler for MBEDTLS_SSL_HELLO_RETRY_REQUEST
2145 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2146MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2147static int ssl_tls13_prepare_hello_retry_request(mbedtls_ssl_context *ssl)
Jerry Yu23d1a252022-05-12 18:08:59 +0800[diff] [blame]2148{
2149 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2150 if (ssl->handshake->hello_retry_request_count > 0) {
2151 MBEDTLS_SSL_DEBUG_MSG(1, ("Too many HRRs"));
2152 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
2153 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE);
2154 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Jerry Yu23d1a252022-05-12 18:08:59 +0800[diff] [blame]2155 }
2156
2157 /*
2158 * Create stateless transcript hash for HRR
2159 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2160 MBEDTLS_SSL_DEBUG_MSG(4, ("Reset transcript for HRR"));
2161 ret = mbedtls_ssl_reset_transcript_for_hrr(ssl);
2162 if (ret != 0) {
2163 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_reset_transcript_for_hrr", ret);
2164 return ret;
Jerry Yu23d1a252022-05-12 18:08:59 +0800[diff] [blame]2165 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2166 mbedtls_ssl_session_reset_msg_layer(ssl, 0);
Jerry Yu23d1a252022-05-12 18:08:59 +0800[diff] [blame]2167
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2168 return 0;
Jerry Yu23d1a252022-05-12 18:08:59 +0800[diff] [blame]2169}
2170
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2171MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2172static int ssl_tls13_write_hello_retry_request(mbedtls_ssl_context *ssl)
Jerry Yu23d1a252022-05-12 18:08:59 +0800[diff] [blame]2173{
2174 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2175 unsigned char *buf;
2176 size_t buf_len, msg_len;
2177
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2178 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write hello retry request"));
Jerry Yu23d1a252022-05-12 18:08:59 +0800[diff] [blame]2179
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2180 MBEDTLS_SSL_PROC_CHK(ssl_tls13_prepare_hello_retry_request(ssl));
Jerry Yu23d1a252022-05-12 18:08:59 +0800[diff] [blame]2181
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2182 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_start_handshake_msg(
2183 ssl, MBEDTLS_SSL_HS_SERVER_HELLO,
2184 &buf, &buf_len));
Jerry Yu23d1a252022-05-12 18:08:59 +0800[diff] [blame]2185
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2186 MBEDTLS_SSL_PROC_CHK(ssl_tls13_write_server_hello_body(ssl, buf,
2187 buf + buf_len,
2188 &msg_len,
2189 1));
Jerry Yu23d1a252022-05-12 18:08:59 +0800[diff] [blame]2190 mbedtls_ssl_add_hs_msg_to_checksum(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2191 ssl, MBEDTLS_SSL_HS_SERVER_HELLO, buf, msg_len);
Jerry Yu23d1a252022-05-12 18:08:59 +0800[diff] [blame]2192
2193
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2194 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_finish_handshake_msg(ssl, buf_len,
2195 msg_len));
Jerry Yu23d1a252022-05-12 18:08:59 +0800[diff] [blame]2196
2197 ssl->handshake->hello_retry_request_count++;
2198
Gabor Mezei7b39bf12022-05-24 16:04:14 +0200[diff] [blame]2199#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
2200 /* The server sends a dummy change_cipher_spec record immediately
2201 * after its first handshake message. This may either be after
2202 * a ServerHello or a HelloRetryRequest.
2203 */
Gabor Mezei96ae9262022-06-28 11:45:18 +0200[diff] [blame]2204 mbedtls_ssl_handshake_set_state(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2205 ssl, MBEDTLS_SSL_SERVER_CCS_AFTER_HELLO_RETRY_REQUEST);
Gabor Mezei7b39bf12022-05-24 16:04:14 +0200[diff] [blame]2206#else
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2207 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_HELLO);
Gabor Mezei7b39bf12022-05-24 16:04:14 +0200[diff] [blame]2208#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
Jerry Yu23d1a252022-05-12 18:08:59 +0800[diff] [blame]2209
2210cleanup:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2211 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write hello retry request"));
2212 return ret;
Jerry Yu23d1a252022-05-12 18:08:59 +0800[diff] [blame]2213}
2214
Jerry Yu5b64ae92022-03-30 17:15:02 +0800[diff] [blame]2215/*
Jerry Yu4d3841a2022-04-16 12:37:19 +0800[diff] [blame]2216 * Handler for MBEDTLS_SSL_ENCRYPTED_EXTENSIONS
2217 */
Jerry Yu4d3841a2022-04-16 12:37:19 +0800[diff] [blame]2218
2219/*
2220 * struct {
2221 * Extension extensions<0..2 ^ 16 - 1>;
2222 * } EncryptedExtensions;
2223 *
2224 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2225MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2226static int ssl_tls13_write_encrypted_extensions_body(mbedtls_ssl_context *ssl,
2227 unsigned char *buf,
2228 unsigned char *end,
2229 size_t *out_len)
Jerry Yu4d3841a2022-04-16 12:37:19 +0800[diff] [blame]2230{
XiaokangQianacb39922022-06-17 10:18:48 +0000[diff] [blame]2231 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yu4d3841a2022-04-16 12:37:19 +0800[diff] [blame]2232 unsigned char *p = buf;
2233 size_t extensions_len = 0;
Jerry Yu8937eb42022-05-03 12:12:14 +0800[diff] [blame]2234 unsigned char *p_extensions_len;
XiaokangQianacb39922022-06-17 10:18:48 +0000[diff] [blame]2235 size_t output_len;
Jerry Yu9da5e5a2022-05-03 15:46:09 +0800[diff] [blame]2236
Jerry Yu4d3841a2022-04-16 12:37:19 +0800[diff] [blame]2237 *out_len = 0;
2238
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2239 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2);
Jerry Yu8937eb42022-05-03 12:12:14 +0800[diff] [blame]2240 p_extensions_len = p;
Jerry Yu4d3841a2022-04-16 12:37:19 +0800[diff] [blame]2241 p += 2;
2242
Jerry Yu8937eb42022-05-03 12:12:14 +0800[diff] [blame]2243 ((void) ssl);
XiaokangQianacb39922022-06-17 10:18:48 +0000[diff] [blame]2244 ((void) ret);
2245 ((void) output_len);
2246
2247#if defined(MBEDTLS_SSL_ALPN)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2248 ret = mbedtls_ssl_write_alpn_ext(ssl, p, end, &output_len);
2249 if (ret != 0) {
2250 return ret;
2251 }
XiaokangQian95d5f542022-06-24 02:29:26 +0000[diff] [blame]2252 p += output_len;
XiaokangQianacb39922022-06-17 10:18:48 +0000[diff] [blame]2253#endif /* MBEDTLS_SSL_ALPN */
Jerry Yu4d3841a2022-04-16 12:37:19 +0800[diff] [blame]2254
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2255 extensions_len = (p - p_extensions_len) - 2;
2256 MBEDTLS_PUT_UINT16_BE(extensions_len, p_extensions_len, 0);
Jerry Yu8937eb42022-05-03 12:12:14 +0800[diff] [blame]2257
2258 *out_len = p - buf;
Jerry Yu4d3841a2022-04-16 12:37:19 +0800[diff] [blame]2259
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2260 MBEDTLS_SSL_DEBUG_BUF(4, "encrypted extensions", buf, *out_len);
Jerry Yu4d3841a2022-04-16 12:37:19 +0800[diff] [blame]2261
Jerry Yu7de2ff02022-11-08 21:43:46 +0800[diff] [blame]2262 MBEDTLS_SSL_PRINT_EXTS(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2263 3, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS, ssl->handshake->sent_extensions);
Jerry Yu4b8f2f72022-10-31 13:31:22 +0800[diff] [blame]2264
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2265 return 0;
Jerry Yu4d3841a2022-04-16 12:37:19 +0800[diff] [blame]2266}
2267
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2268MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2269static int ssl_tls13_write_encrypted_extensions(mbedtls_ssl_context *ssl)
Jerry Yu4d3841a2022-04-16 12:37:19 +0800[diff] [blame]2270{
2271 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2272 unsigned char *buf;
Jerry Yu39730a72022-05-03 12:14:04 +0800[diff] [blame]2273 size_t buf_len, msg_len;
Jerry Yu4d3841a2022-04-16 12:37:19 +0800[diff] [blame]2274
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2275 mbedtls_ssl_set_outbound_transform(ssl,
2276 ssl->handshake->transform_handshake);
Gabor Mezei54719122022-06-28 11:34:56 +0200[diff] [blame]2277 MBEDTLS_SSL_DEBUG_MSG(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2278 3, ("switching to handshake transform for outbound data"));
Gabor Mezei54719122022-06-28 11:34:56 +0200[diff] [blame]2279
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2280 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write encrypted extensions"));
Jerry Yu4d3841a2022-04-16 12:37:19 +0800[diff] [blame]2281
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2282 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_start_handshake_msg(ssl,
2283 MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS, &buf,
2284 &buf_len));
Jerry Yu4d3841a2022-04-16 12:37:19 +0800[diff] [blame]2285
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2286 MBEDTLS_SSL_PROC_CHK(ssl_tls13_write_encrypted_extensions_body(
2287 ssl, buf, buf + buf_len, &msg_len));
Jerry Yu4d3841a2022-04-16 12:37:19 +0800[diff] [blame]2288
2289 mbedtls_ssl_add_hs_msg_to_checksum(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2290 ssl, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS, buf, msg_len);
Jerry Yu4d3841a2022-04-16 12:37:19 +0800[diff] [blame]2291
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2292 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_finish_handshake_msg(
2293 ssl, buf_len, msg_len));
Jerry Yu4d3841a2022-04-16 12:37:19 +0800[diff] [blame]2294
Ronald Cron928cbd32022-10-04 16:14:26 +0200[diff] [blame]2295#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2296 if (mbedtls_ssl_tls13_key_exchange_mode_with_psk(ssl)) {
2297 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_FINISHED);
2298 } else {
2299 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CERTIFICATE_REQUEST);
2300 }
Jerry Yu8937eb42022-05-03 12:12:14 +0800[diff] [blame]2301#else
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2302 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_FINISHED);
Jerry Yu8937eb42022-05-03 12:12:14 +0800[diff] [blame]2303#endif
2304
Jerry Yu4d3841a2022-04-16 12:37:19 +0800[diff] [blame]2305cleanup:
2306
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2307 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write encrypted extensions"));
2308 return ret;
Jerry Yu4d3841a2022-04-16 12:37:19 +0800[diff] [blame]2309}
2310
Ronald Cron928cbd32022-10-04 16:14:26 +0200[diff] [blame]2311#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
XiaokangQiana987e1d2022-05-07 01:25:58 +0000[diff] [blame]2312#define SSL_CERTIFICATE_REQUEST_SEND_REQUEST 0
2313#define SSL_CERTIFICATE_REQUEST_SKIP 1
2314/* Coordination:
2315 * Check whether a CertificateRequest message should be written.
2316 * Returns a negative code on failure, or
2317 * - SSL_CERTIFICATE_REQUEST_SEND_REQUEST
2318 * - SSL_CERTIFICATE_REQUEST_SKIP
2319 * indicating if the writing of the CertificateRequest
2320 * should be skipped or not.
2321 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2322MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2323static int ssl_tls13_certificate_request_coordinate(mbedtls_ssl_context *ssl)
XiaokangQiana987e1d2022-05-07 01:25:58 +0000[diff] [blame]2324{
2325 int authmode;
2326
XiaokangQian40a35232022-05-07 09:02:40 +0000[diff] [blame]2327#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2328 if (ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET) {
XiaokangQian40a35232022-05-07 09:02:40 +0000[diff] [blame]2329 authmode = ssl->handshake->sni_authmode;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2330 } else
XiaokangQian40a35232022-05-07 09:02:40 +0000[diff] [blame]2331#endif
XiaokangQiana987e1d2022-05-07 01:25:58 +0000[diff] [blame]2332 authmode = ssl->conf->authmode;
2333
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2334 if (authmode == MBEDTLS_SSL_VERIFY_NONE) {
Ronald Croneac00ad2022-09-13 10:16:31 +0200[diff] [blame]2335 ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_SKIP_VERIFY;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2336 return SSL_CERTIFICATE_REQUEST_SKIP;
Ronald Croneac00ad2022-09-13 10:16:31 +0200[diff] [blame]2337 }
XiaokangQiana987e1d2022-05-07 01:25:58 +0000[diff] [blame]2338
XiaokangQianc3017f62022-05-13 05:55:41 +0000[diff] [blame]2339 ssl->handshake->certificate_request_sent = 1;
XiaokangQian189ded22022-05-10 08:12:17 +0000[diff] [blame]2340
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2341 return SSL_CERTIFICATE_REQUEST_SEND_REQUEST;
XiaokangQiana987e1d2022-05-07 01:25:58 +0000[diff] [blame]2342}
2343
XiaokangQiancec9ae62022-05-06 07:28:50 +0000[diff] [blame]2344/*
2345 * struct {
2346 * opaque certificate_request_context<0..2^8-1>;
2347 * Extension extensions<2..2^16-1>;
2348 * } CertificateRequest;
2349 *
2350 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2351MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2352static int ssl_tls13_write_certificate_request_body(mbedtls_ssl_context *ssl,
2353 unsigned char *buf,
2354 const unsigned char *end,
2355 size_t *out_len)
XiaokangQiancec9ae62022-05-06 07:28:50 +0000[diff] [blame]2356{
2357 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2358 unsigned char *p = buf;
XiaokangQianec6efb92022-05-06 09:53:10 +0000[diff] [blame]2359 size_t output_len = 0;
XiaokangQiancec9ae62022-05-06 07:28:50 +0000[diff] [blame]2360 unsigned char *p_extensions_len;
2361
2362 *out_len = 0;
2363
2364 /* Check if we have enough space:
2365 * - certificate_request_context (1 byte)
2366 * - extensions length (2 bytes)
2367 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2368 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 3);
XiaokangQiancec9ae62022-05-06 07:28:50 +0000[diff] [blame]2369
2370 /*
2371 * Write certificate_request_context
2372 */
2373 /*
2374 * We use a zero length context for the normal handshake
2375 * messages. For post-authentication handshake messages
2376 * this request context would be set to a non-zero value.
2377 */
2378 *p++ = 0x0;
2379
2380 /*
2381 * Write extensions
2382 */
2383 /* The extensions must contain the signature_algorithms. */
2384 p_extensions_len = p;
2385 p += 2;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2386 ret = mbedtls_ssl_write_sig_alg_ext(ssl, p, end, &output_len);
2387 if (ret != 0) {
2388 return ret;
2389 }
XiaokangQiancec9ae62022-05-06 07:28:50 +0000[diff] [blame]2390
XiaokangQianec6efb92022-05-06 09:53:10 +0000[diff] [blame]2391 p += output_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2392 MBEDTLS_PUT_UINT16_BE(p - p_extensions_len - 2, p_extensions_len, 0);
XiaokangQiancec9ae62022-05-06 07:28:50 +0000[diff] [blame]2393
2394 *out_len = p - buf;
2395
Jerry Yu7de2ff02022-11-08 21:43:46 +0800[diff] [blame]2396 MBEDTLS_SSL_PRINT_EXTS(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2397 3, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST, ssl->handshake->sent_extensions);
Jerry Yu4b8f2f72022-10-31 13:31:22 +0800[diff] [blame]2398
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2399 return 0;
XiaokangQiancec9ae62022-05-06 07:28:50 +0000[diff] [blame]2400}
2401
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2402MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2403static int ssl_tls13_write_certificate_request(mbedtls_ssl_context *ssl)
XiaokangQiancec9ae62022-05-06 07:28:50 +0000[diff] [blame]2404{
2405 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2406
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2407 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate request"));
XiaokangQiancec9ae62022-05-06 07:28:50 +0000[diff] [blame]2408
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2409 MBEDTLS_SSL_PROC_CHK_NEG(ssl_tls13_certificate_request_coordinate(ssl));
XiaokangQiancec9ae62022-05-06 07:28:50 +0000[diff] [blame]2410
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2411 if (ret == SSL_CERTIFICATE_REQUEST_SEND_REQUEST) {
XiaokangQiancec9ae62022-05-06 07:28:50 +0000[diff] [blame]2412 unsigned char *buf;
2413 size_t buf_len, msg_len;
2414
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2415 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_start_handshake_msg(ssl,
2416 MBEDTLS_SSL_HS_CERTIFICATE_REQUEST,
2417 &buf, &buf_len));
XiaokangQiancec9ae62022-05-06 07:28:50 +0000[diff] [blame]2418
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2419 MBEDTLS_SSL_PROC_CHK(ssl_tls13_write_certificate_request_body(
2420 ssl, buf, buf + buf_len, &msg_len));
XiaokangQiancec9ae62022-05-06 07:28:50 +0000[diff] [blame]2421
2422 mbedtls_ssl_add_hs_msg_to_checksum(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2423 ssl, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST, buf, msg_len);
XiaokangQiancec9ae62022-05-06 07:28:50 +0000[diff] [blame]2424
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2425 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_finish_handshake_msg(
2426 ssl, buf_len, msg_len));
2427 } else if (ret == SSL_CERTIFICATE_REQUEST_SKIP) {
2428 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate request"));
XiaokangQiancec9ae62022-05-06 07:28:50 +0000[diff] [blame]2429 ret = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2430 } else {
2431 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
XiaokangQiancec9ae62022-05-06 07:28:50 +0000[diff] [blame]2432 ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
2433 goto cleanup;
2434 }
2435
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2436 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_CERTIFICATE);
XiaokangQiancec9ae62022-05-06 07:28:50 +0000[diff] [blame]2437cleanup:
2438
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2439 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write certificate request"));
2440 return ret;
XiaokangQiancec9ae62022-05-06 07:28:50 +0000[diff] [blame]2441}
XiaokangQiancec9ae62022-05-06 07:28:50 +0000[diff] [blame]2442
Jerry Yu4d3841a2022-04-16 12:37:19 +0800[diff] [blame]2443/*
Jerry Yuc6e6dbf2022-04-16 19:42:57 +0800[diff] [blame]2444 * Handler for MBEDTLS_SSL_SERVER_CERTIFICATE
Jerry Yu83da34e2022-04-16 13:59:52 +0800[diff] [blame]2445 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2446MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2447static int ssl_tls13_write_server_certificate(mbedtls_ssl_context *ssl)
Jerry Yu83da34e2022-04-16 13:59:52 +0800[diff] [blame]2448{
Jerry Yu5a26f302022-05-10 20:46:40 +0800[diff] [blame]2449 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
XiaokangQianfb665a82022-06-15 03:57:21 +0000[diff] [blame]2450
2451#if defined(MBEDTLS_X509_CRT_PARSE_C)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2452 if ((ssl_tls13_pick_key_cert(ssl) != 0) ||
2453 mbedtls_ssl_own_cert(ssl) == NULL) {
2454 MBEDTLS_SSL_DEBUG_MSG(2, ("No certificate available."));
2455 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
2456 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE);
2457 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Jerry Yu5a26f302022-05-10 20:46:40 +0800[diff] [blame]2458 }
XiaokangQianfb665a82022-06-15 03:57:21 +0000[diff] [blame]2459#endif /* MBEDTLS_X509_CRT_PARSE_C */
Jerry Yu5a26f302022-05-10 20:46:40 +0800[diff] [blame]2460
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2461 ret = mbedtls_ssl_tls13_write_certificate(ssl);
2462 if (ret != 0) {
2463 return ret;
2464 }
2465 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CERTIFICATE_VERIFY);
2466 return 0;
Jerry Yu83da34e2022-04-16 13:59:52 +0800[diff] [blame]2467}
2468
2469/*
Jerry Yuc6e6dbf2022-04-16 19:42:57 +0800[diff] [blame]2470 * Handler for MBEDTLS_SSL_CERTIFICATE_VERIFY
Jerry Yu83da34e2022-04-16 13:59:52 +0800[diff] [blame]2471 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2472MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2473static int ssl_tls13_write_certificate_verify(mbedtls_ssl_context *ssl)
Jerry Yu83da34e2022-04-16 13:59:52 +0800[diff] [blame]2474{
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2475 int ret = mbedtls_ssl_tls13_write_certificate_verify(ssl);
2476 if (ret != 0) {
2477 return ret;
2478 }
2479 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_FINISHED);
2480 return 0;
Jerry Yu83da34e2022-04-16 13:59:52 +0800[diff] [blame]2481}
Ronald Cron928cbd32022-10-04 16:14:26 +0200[diff] [blame]2482#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
Jerry Yu83da34e2022-04-16 13:59:52 +0800[diff] [blame]2483
2484/*
Jerry Yud6e253d2022-05-18 13:59:24 +0800[diff] [blame]2485 * Handler for MBEDTLS_SSL_SERVER_FINISHED
Jerry Yu69dd8d42022-04-16 12:51:26 +0800[diff] [blame]2486 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2487MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2488static int ssl_tls13_write_server_finished(mbedtls_ssl_context *ssl)
Jerry Yu69dd8d42022-04-16 12:51:26 +0800[diff] [blame]2489{
Jerry Yud6e253d2022-05-18 13:59:24 +0800[diff] [blame]2490 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yu27bdc7c2022-04-16 13:33:27 +0800[diff] [blame]2491
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2492 ret = mbedtls_ssl_tls13_write_finished_message(ssl);
2493 if (ret != 0) {
2494 return ret;
2495 }
Jerry Yu27bdc7c2022-04-16 13:33:27 +0800[diff] [blame]2496
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2497 ret = mbedtls_ssl_tls13_compute_application_transform(ssl);
2498 if (ret != 0) {
Jerry Yue3d67cb2022-05-19 15:33:10 +0800[diff] [blame]2499 MBEDTLS_SSL_PEND_FATAL_ALERT(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2500 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
2501 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE);
2502 return ret;
Jerry Yue3d67cb2022-05-19 15:33:10 +0800[diff] [blame]2503 }
XiaokangQianc3017f62022-05-13 05:55:41 +0000[diff] [blame]2504
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2505 MBEDTLS_SSL_DEBUG_MSG(1, ("Switch to handshake keys for inbound traffic"));
2506 mbedtls_ssl_set_inbound_transform(ssl, ssl->handshake->transform_handshake);
XiaokangQian189ded22022-05-10 08:12:17 +0000[diff] [blame]2507
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2508 if (ssl->handshake->certificate_request_sent) {
2509 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE);
2510 } else {
2511 MBEDTLS_SSL_DEBUG_MSG(2, ("skip parse certificate"));
2512 MBEDTLS_SSL_DEBUG_MSG(2, ("skip parse certificate verify"));
2513 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_FINISHED);
Ronald Cron19385882022-06-15 16:26:13 +0200[diff] [blame]2514 }
Ronald Cron63dc4632022-05-31 14:41:53 +0200[diff] [blame]2515
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2516 return 0;
Jerry Yu69dd8d42022-04-16 12:51:26 +0800[diff] [blame]2517}
2518
2519/*
Jerry Yud6e253d2022-05-18 13:59:24 +0800[diff] [blame]2520 * Handler for MBEDTLS_SSL_CLIENT_FINISHED
Jerry Yu69dd8d42022-04-16 12:51:26 +0800[diff] [blame]2521 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2522MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2523static int ssl_tls13_process_client_finished(mbedtls_ssl_context *ssl)
Jerry Yu69dd8d42022-04-16 12:51:26 +0800[diff] [blame]2524{
Jerry Yud6e253d2022-05-18 13:59:24 +0800[diff] [blame]2525 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2526
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2527 ret = mbedtls_ssl_tls13_process_finished_message(ssl);
2528 if (ret != 0) {
2529 return ret;
Jerry Yue3d67cb2022-05-19 15:33:10 +0800[diff] [blame]2530 }
2531
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2532 ret = mbedtls_ssl_tls13_compute_resumption_master_secret(ssl);
2533 if (ret != 0) {
2534 MBEDTLS_SSL_DEBUG_RET(1,
2535 "mbedtls_ssl_tls13_compute_resumption_master_secret", ret);
2536 }
2537
2538 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_WRAPUP);
2539 return 0;
Jerry Yu69dd8d42022-04-16 12:51:26 +0800[diff] [blame]2540}
2541
2542/*
Jerry Yud6e253d2022-05-18 13:59:24 +0800[diff] [blame]2543 * Handler for MBEDTLS_SSL_HANDSHAKE_WRAPUP
Jerry Yu69dd8d42022-04-16 12:51:26 +0800[diff] [blame]2544 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2545MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2546static int ssl_tls13_handshake_wrapup(mbedtls_ssl_context *ssl)
Jerry Yu69dd8d42022-04-16 12:51:26 +0800[diff] [blame]2547{
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2548 MBEDTLS_SSL_DEBUG_MSG(2, ("handshake: done"));
Jerry Yu03ed50b2022-04-16 17:13:30 +0800[diff] [blame]2549
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2550 mbedtls_ssl_tls13_handshake_wrapup(ssl);
Jerry Yue67bef42022-07-07 07:29:42 +0000[diff] [blame]2551
2552#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2553 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET);
Jerry Yufca4d572022-07-21 10:37:48 +0800[diff] [blame]2554#else
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2555 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_OVER);
Jerry Yufca4d572022-07-21 10:37:48 +0800[diff] [blame]2556#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2557 return 0;
Jerry Yu69dd8d42022-04-16 12:51:26 +0800[diff] [blame]2558}
2559
2560/*
Jerry Yua8d3c502022-10-30 14:51:23 +0800[diff] [blame]2561 * Handler for MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET
Jerry Yue67bef42022-07-07 07:29:42 +0000[diff] [blame]2562 */
2563#define SSL_NEW_SESSION_TICKET_SKIP 0
2564#define SSL_NEW_SESSION_TICKET_WRITE 1
2565MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2566static int ssl_tls13_write_new_session_ticket_coordinate(mbedtls_ssl_context *ssl)
Jerry Yue67bef42022-07-07 07:29:42 +0000[diff] [blame]2567{
2568 /* Check whether the use of session tickets is enabled */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2569 if (ssl->conf->f_ticket_write == NULL) {
2570 MBEDTLS_SSL_DEBUG_MSG(2, ("NewSessionTicket: disabled,"
2571 " callback is not set"));
2572 return SSL_NEW_SESSION_TICKET_SKIP;
Jerry Yud0766ec2022-09-22 10:46:57 +0800[diff] [blame]2573 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2574 if (ssl->conf->new_session_tickets_count == 0) {
2575 MBEDTLS_SSL_DEBUG_MSG(2, ("NewSessionTicket: disabled,"
2576 " configured count is zero"));
2577 return SSL_NEW_SESSION_TICKET_SKIP;
Jerry Yud0766ec2022-09-22 10:46:57 +0800[diff] [blame]2578 }
2579
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2580 if (ssl->handshake->new_session_tickets_count == 0) {
2581 MBEDTLS_SSL_DEBUG_MSG(2, ("NewSessionTicket: all tickets have "
2582 "been sent."));
2583 return SSL_NEW_SESSION_TICKET_SKIP;
Jerry Yue67bef42022-07-07 07:29:42 +0000[diff] [blame]2584 }
2585
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2586 return SSL_NEW_SESSION_TICKET_WRITE;
Jerry Yue67bef42022-07-07 07:29:42 +0000[diff] [blame]2587}
2588
2589#if defined(MBEDTLS_SSL_SESSION_TICKETS)
2590MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2591static int ssl_tls13_prepare_new_session_ticket(mbedtls_ssl_context *ssl,
2592 unsigned char *ticket_nonce,
2593 size_t ticket_nonce_size)
Jerry Yue67bef42022-07-07 07:29:42 +0000[diff] [blame]2594{
2595 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2596 mbedtls_ssl_session *session = ssl->session;
2597 mbedtls_ssl_ciphersuite_t *ciphersuite_info;
2598 psa_algorithm_t psa_hash_alg;
2599 int hash_length;
2600
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2601 MBEDTLS_SSL_DEBUG_MSG(2, ("=> prepare NewSessionTicket msg"));
Jerry Yue67bef42022-07-07 07:29:42 +0000[diff] [blame]2602
2603#if defined(MBEDTLS_HAVE_TIME)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2604 session->start = mbedtls_time(NULL);
Jerry Yue67bef42022-07-07 07:29:42 +0000[diff] [blame]2605#endif
2606
2607 /* Generate ticket_age_add */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2608 if ((ret = ssl->conf->f_rng(ssl->conf->p_rng,
2609 (unsigned char *) &session->ticket_age_add,
2610 sizeof(session->ticket_age_add)) != 0)) {
2611 MBEDTLS_SSL_DEBUG_RET(1, "generate_ticket_age_add", ret);
2612 return ret;
Jerry Yue67bef42022-07-07 07:29:42 +0000[diff] [blame]2613 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2614 MBEDTLS_SSL_DEBUG_MSG(3, ("ticket_age_add: %u",
2615 (unsigned int) session->ticket_age_add));
Jerry Yue67bef42022-07-07 07:29:42 +0000[diff] [blame]2616
2617 /* Generate ticket_nonce */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2618 ret = ssl->conf->f_rng(ssl->conf->p_rng, ticket_nonce, ticket_nonce_size);
2619 if (ret != 0) {
2620 MBEDTLS_SSL_DEBUG_RET(1, "generate_ticket_nonce", ret);
2621 return ret;
Jerry Yue67bef42022-07-07 07:29:42 +0000[diff] [blame]2622 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2623 MBEDTLS_SSL_DEBUG_BUF(3, "ticket_nonce:",
2624 ticket_nonce, ticket_nonce_size);
Jerry Yue67bef42022-07-07 07:29:42 +0000[diff] [blame]2625
2626 ciphersuite_info =
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2627 (mbedtls_ssl_ciphersuite_t *) ssl->handshake->ciphersuite_info;
2628 psa_hash_alg = mbedtls_psa_translate_md(ciphersuite_info->mac);
2629 hash_length = PSA_HASH_LENGTH(psa_hash_alg);
2630 if (hash_length == -1 ||
2631 (size_t) hash_length > sizeof(session->resumption_key)) {
2632 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Jerry Yufca4d572022-07-21 10:37:48 +0800[diff] [blame]2633 }
2634
Jerry Yue67bef42022-07-07 07:29:42 +0000[diff] [blame]2635 /* In this code the psk key length equals the length of the hash */
2636 session->resumption_key_len = hash_length;
2637 session->ciphersuite = ciphersuite_info->id;
2638
2639 /* Compute resumption key
2640 *
2641 * HKDF-Expand-Label( resumption_master_secret,
2642 * "resumption", ticket_nonce, Hash.length )
2643 */
2644 ret = mbedtls_ssl_tls13_hkdf_expand_label(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2645 psa_hash_alg,
2646 session->app_secrets.resumption_master_secret,
2647 hash_length,
2648 MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(resumption),
2649 ticket_nonce,
2650 ticket_nonce_size,
2651 session->resumption_key,
2652 hash_length);
Jerry Yue67bef42022-07-07 07:29:42 +0000[diff] [blame]2653
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2654 if (ret != 0) {
2655 MBEDTLS_SSL_DEBUG_RET(2,
2656 "Creating the ticket-resumed PSK failed",
2657 ret);
2658 return ret;
Jerry Yue67bef42022-07-07 07:29:42 +0000[diff] [blame]2659 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2660 MBEDTLS_SSL_DEBUG_BUF(3, "Ticket-resumed PSK",
2661 session->resumption_key,
2662 session->resumption_key_len);
Jerry Yue67bef42022-07-07 07:29:42 +0000[diff] [blame]2663
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2664 MBEDTLS_SSL_DEBUG_BUF(3, "resumption_master_secret",
2665 session->app_secrets.resumption_master_secret,
2666 hash_length);
Jerry Yue67bef42022-07-07 07:29:42 +0000[diff] [blame]2667
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2668 return 0;
Jerry Yue67bef42022-07-07 07:29:42 +0000[diff] [blame]2669}
2670
2671/* This function creates a NewSessionTicket message in the following format:
2672 *
2673 * struct {
2674 * uint32 ticket_lifetime;
2675 * uint32 ticket_age_add;
2676 * opaque ticket_nonce<0..255>;
2677 * opaque ticket<1..2^16-1>;
2678 * Extension extensions<0..2^16-2>;
2679 * } NewSessionTicket;
2680 *
2681 * The ticket inside the NewSessionTicket message is an encrypted container
2682 * carrying the necessary information so that the server is later able to
2683 * re-start the communication.
2684 *
2685 * The following fields are placed inside the ticket by the
2686 * f_ticket_write() function:
2687 *
2688 * - creation time (start)
2689 * - flags (flags)
2690 * - age add (ticket_age_add)
2691 * - key (key)
2692 * - key length (key_len)
2693 * - ciphersuite (ciphersuite)
2694 */
2695MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2696static int ssl_tls13_write_new_session_ticket_body(mbedtls_ssl_context *ssl,
2697 unsigned char *buf,
2698 unsigned char *end,
2699 size_t *out_len,
2700 unsigned char *ticket_nonce,
2701 size_t ticket_nonce_size)
Jerry Yue67bef42022-07-07 07:29:42 +0000[diff] [blame]2702{
2703 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2704 unsigned char *p = buf;
2705 mbedtls_ssl_session *session = ssl->session;
2706 size_t ticket_len;
2707 uint32_t ticket_lifetime;
2708
2709 *out_len = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2710 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write NewSessionTicket msg"));
Jerry Yue67bef42022-07-07 07:29:42 +0000[diff] [blame]2711
2712 /*
2713 * ticket_lifetime 4 bytes
2714 * ticket_age_add 4 bytes
2715 * ticket_nonce 1 + ticket_nonce_size bytes
2716 * ticket >=2 bytes
2717 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2718 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 4 + 4 + 1 + ticket_nonce_size + 2);
Jerry Yue67bef42022-07-07 07:29:42 +0000[diff] [blame]2719
2720 /* Generate ticket and ticket_lifetime */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2721 ret = ssl->conf->f_ticket_write(ssl->conf->p_ticket,
2722 session,
2723 p + 9 + ticket_nonce_size + 2,
2724 end,
2725 &ticket_len,
2726 &ticket_lifetime);
2727 if (ret != 0) {
2728 MBEDTLS_SSL_DEBUG_RET(1, "write_ticket", ret);
2729 return ret;
Jerry Yue67bef42022-07-07 07:29:42 +0000[diff] [blame]2730 }
2731 /* RFC 8446 4.6.1
2732 * ticket_lifetime: Indicates the lifetime in seconds as a 32-bit
2733 * unsigned integer in network byte order from the time of ticket
2734 * issuance. Servers MUST NOT use any value greater than
2735 * 604800 seconds (7 days). The value of zero indicates that the
2736 * ticket should be discarded immediately. Clients MUST NOT cache
2737 * tickets for longer than 7 days, regardless of the ticket_lifetime,
2738 * and MAY delete tickets earlier based on local policy. A server
2739 * MAY treat a ticket as valid for a shorter period of time than what
2740 * is stated in the ticket_lifetime.
2741 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2742 if (ticket_lifetime > 604800) {
Xiaokang Qian28af5012022-10-13 08:18:19 +0000[diff] [blame]2743 ticket_lifetime = 604800;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2744 }
2745 MBEDTLS_PUT_UINT32_BE(ticket_lifetime, p, 0);
2746 MBEDTLS_SSL_DEBUG_MSG(3, ("ticket_lifetime: %u",
2747 (unsigned int) ticket_lifetime));
Jerry Yue67bef42022-07-07 07:29:42 +0000[diff] [blame]2748
2749 /* Write ticket_age_add */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2750 MBEDTLS_PUT_UINT32_BE(session->ticket_age_add, p, 4);
2751 MBEDTLS_SSL_DEBUG_MSG(3, ("ticket_age_add: %u",
2752 (unsigned int) session->ticket_age_add));
Jerry Yue67bef42022-07-07 07:29:42 +0000[diff] [blame]2753
2754 /* Write ticket_nonce */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2755 p[8] = (unsigned char) ticket_nonce_size;
2756 if (ticket_nonce_size > 0) {
2757 memcpy(p + 9, ticket_nonce, ticket_nonce_size);
Jerry Yue67bef42022-07-07 07:29:42 +0000[diff] [blame]2758 }
2759 p += 9 + ticket_nonce_size;
2760
2761 /* Write ticket */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2762 MBEDTLS_PUT_UINT16_BE(ticket_len, p, 0);
Jerry Yue67bef42022-07-07 07:29:42 +0000[diff] [blame]2763 p += 2;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2764 MBEDTLS_SSL_DEBUG_BUF(4, "ticket", p, ticket_len);
Jerry Yue67bef42022-07-07 07:29:42 +0000[diff] [blame]2765 p += ticket_len;
2766
2767 /* Ticket Extensions
2768 *
2769 * Note: We currently don't have any extensions.
2770 * Set length to zero.
2771 */
Jerry Yuedab6372022-10-31 14:37:31 +0800[diff] [blame]2772 ssl->handshake->sent_extensions = MBEDTLS_SSL_EXT_MASK_NONE;
2773
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2774 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2);
2775 MBEDTLS_PUT_UINT16_BE(0, p, 0);
Jerry Yue67bef42022-07-07 07:29:42 +0000[diff] [blame]2776 p += 2;
2777
2778 *out_len = p - buf;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2779 MBEDTLS_SSL_DEBUG_BUF(4, "ticket", buf, *out_len);
2780 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write new session ticket"));
Jerry Yue67bef42022-07-07 07:29:42 +0000[diff] [blame]2781
Jerry Yu7de2ff02022-11-08 21:43:46 +0800[diff] [blame]2782 MBEDTLS_SSL_PRINT_EXTS(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2783 3, MBEDTLS_SSL_HS_NEW_SESSION_TICKET, ssl->handshake->sent_extensions);
Jerry Yu4b8f2f72022-10-31 13:31:22 +0800[diff] [blame]2784
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2785 return 0;
Jerry Yue67bef42022-07-07 07:29:42 +0000[diff] [blame]2786}
2787
2788/*
Jerry Yua8d3c502022-10-30 14:51:23 +0800[diff] [blame]2789 * Handler for MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET
Jerry Yue67bef42022-07-07 07:29:42 +0000[diff] [blame]2790 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2791static int ssl_tls13_write_new_session_ticket(mbedtls_ssl_context *ssl)
Jerry Yue67bef42022-07-07 07:29:42 +0000[diff] [blame]2792{
2793 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2794
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2795 MBEDTLS_SSL_PROC_CHK_NEG(ssl_tls13_write_new_session_ticket_coordinate(ssl));
Jerry Yue67bef42022-07-07 07:29:42 +0000[diff] [blame]2796
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2797 if (ret == SSL_NEW_SESSION_TICKET_WRITE) {
Jerry Yue67bef42022-07-07 07:29:42 +0000[diff] [blame]2798 unsigned char ticket_nonce[MBEDTLS_SSL_TLS1_3_TICKET_NONCE_LENGTH];
2799 unsigned char *buf;
2800 size_t buf_len, msg_len;
2801
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2802 MBEDTLS_SSL_PROC_CHK(ssl_tls13_prepare_new_session_ticket(
2803 ssl, ticket_nonce, sizeof(ticket_nonce)));
Jerry Yue67bef42022-07-07 07:29:42 +0000[diff] [blame]2804
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2805 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_start_handshake_msg(ssl,
2806 MBEDTLS_SSL_HS_NEW_SESSION_TICKET,
2807 &buf, &buf_len));
Jerry Yue67bef42022-07-07 07:29:42 +0000[diff] [blame]2808
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2809 MBEDTLS_SSL_PROC_CHK(ssl_tls13_write_new_session_ticket_body(
2810 ssl, buf, buf + buf_len, &msg_len,
2811 ticket_nonce, sizeof(ticket_nonce)));
Jerry Yue67bef42022-07-07 07:29:42 +0000[diff] [blame]2812
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2813 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_finish_handshake_msg(
2814 ssl, buf_len, msg_len));
Jerry Yufca4d572022-07-21 10:37:48 +0800[diff] [blame]2815
Jerry Yu359e65f2022-09-22 23:47:43 +0800[diff] [blame]2816 /* Limit session tickets count to one when resumption connection.
2817 *
2818 * See document of mbedtls_ssl_conf_new_session_tickets.
2819 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2820 if (ssl->handshake->resume == 1) {
Jerry Yu359e65f2022-09-22 23:47:43 +0800[diff] [blame]2821 ssl->handshake->new_session_tickets_count = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2822 } else {
Jerry Yu359e65f2022-09-22 23:47:43 +0800[diff] [blame]2823 ssl->handshake->new_session_tickets_count--;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2824 }
Jerry Yub7e3fa72022-09-22 11:07:18 +0800[diff] [blame]2825
Jerry Yua8d3c502022-10-30 14:51:23 +0800[diff] [blame]2826 mbedtls_ssl_handshake_set_state(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2827 ssl, MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET_FLUSH);
2828 } else {
2829 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_OVER);
Jerry Yue67bef42022-07-07 07:29:42 +0000[diff] [blame]2830 }
2831
Jerry Yue67bef42022-07-07 07:29:42 +0000[diff] [blame]2832cleanup:
2833
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2834 return ret;
Jerry Yue67bef42022-07-07 07:29:42 +0000[diff] [blame]2835}
2836#endif /* MBEDTLS_SSL_SESSION_TICKETS */
2837
2838/*
XiaokangQiane8ff3502022-04-22 02:34:40 +0000[diff] [blame]2839 * TLS 1.3 State Machine -- server side
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]2840 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2841int mbedtls_ssl_tls13_handshake_server_step(mbedtls_ssl_context *ssl)
Jerry Yub9930e72021-08-06 17:11:51 +0800[diff] [blame]2842{
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]2843 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]2844
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2845 if (ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER || ssl->handshake == NULL) {
2846 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2847 }
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]2848
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2849 MBEDTLS_SSL_DEBUG_MSG(2, ("tls13 server state: %s(%d)",
2850 mbedtls_ssl_states_str(ssl->state),
2851 ssl->state));
Jerry Yu6e81b272021-09-27 11:16:17 +0800[diff] [blame]2852
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2853 switch (ssl->state) {
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]2854 /* start state */
2855 case MBEDTLS_SSL_HELLO_REQUEST:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2856 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_HELLO);
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]2857 ret = 0;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]2858 break;
2859
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]2860 case MBEDTLS_SSL_CLIENT_HELLO:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2861 ret = ssl_tls13_process_client_hello(ssl);
2862 if (ret != 0) {
2863 MBEDTLS_SSL_DEBUG_RET(1, "ssl_tls13_process_client_hello", ret);
2864 }
Jerry Yuf41553b2022-05-09 22:20:30 +0800[diff] [blame]2865 break;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]2866
Jerry Yuf41553b2022-05-09 22:20:30 +0800[diff] [blame]2867 case MBEDTLS_SSL_HELLO_RETRY_REQUEST:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2868 ret = ssl_tls13_write_hello_retry_request(ssl);
2869 if (ret != 0) {
2870 MBEDTLS_SSL_DEBUG_RET(1, "ssl_tls13_write_hello_retry_request", ret);
2871 return ret;
Jerry Yuf41553b2022-05-09 22:20:30 +0800[diff] [blame]2872 }
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]2873 break;
2874
Jerry Yu5b64ae92022-03-30 17:15:02 +0800[diff] [blame]2875 case MBEDTLS_SSL_SERVER_HELLO:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2876 ret = ssl_tls13_write_server_hello(ssl);
Jerry Yu5b64ae92022-03-30 17:15:02 +0800[diff] [blame]2877 break;
2878
Xiaofei Baicba64af2022-02-15 10:00:56 +0000[diff] [blame]2879 case MBEDTLS_SSL_ENCRYPTED_EXTENSIONS:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2880 ret = ssl_tls13_write_encrypted_extensions(ssl);
2881 if (ret != 0) {
2882 MBEDTLS_SSL_DEBUG_RET(1, "ssl_tls13_write_encrypted_extensions", ret);
2883 return ret;
Xiaofei Baicba64af2022-02-15 10:00:56 +0000[diff] [blame]2884 }
Jerry Yu48330562022-05-06 21:35:44 +0800[diff] [blame]2885 break;
Jerry Yu6a2cd9e2022-05-05 11:14:19 +0800[diff] [blame]2886
Ronald Cron928cbd32022-10-04 16:14:26 +0200[diff] [blame]2887#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
Xiaofei Bai9ca09d42022-02-14 12:57:18 +0000[diff] [blame]2888 case MBEDTLS_SSL_CERTIFICATE_REQUEST:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2889 ret = ssl_tls13_write_certificate_request(ssl);
Xiaofei Bai9ca09d42022-02-14 12:57:18 +0000[diff] [blame]2890 break;
Xiaofei Bai9ca09d42022-02-14 12:57:18 +0000[diff] [blame]2891
Jerry Yu83da34e2022-04-16 13:59:52 +0800[diff] [blame]2892 case MBEDTLS_SSL_SERVER_CERTIFICATE:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2893 ret = ssl_tls13_write_server_certificate(ssl);
Jerry Yu83da34e2022-04-16 13:59:52 +0800[diff] [blame]2894 break;
2895
2896 case MBEDTLS_SSL_CERTIFICATE_VERIFY:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2897 ret = ssl_tls13_write_certificate_verify(ssl);
Jerry Yu83da34e2022-04-16 13:59:52 +0800[diff] [blame]2898 break;
Ronald Cron928cbd32022-10-04 16:14:26 +0200[diff] [blame]2899#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
Jerry Yu83da34e2022-04-16 13:59:52 +0800[diff] [blame]2900
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2901 /*
2902 * Injection of dummy-CCS's for middlebox compatibility
2903 */
Gabor Mezei7b39bf12022-05-24 16:04:14 +0200[diff] [blame]2904#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
Gabor Mezeif7044ea2022-06-28 16:01:49 +0200[diff] [blame]2905 case MBEDTLS_SSL_SERVER_CCS_AFTER_HELLO_RETRY_REQUEST:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2906 ret = mbedtls_ssl_tls13_write_change_cipher_spec(ssl);
2907 if (ret == 0) {
2908 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_HELLO);
2909 }
Gabor Mezei7b39bf12022-05-24 16:04:14 +0200[diff] [blame]2910 break;
2911
2912 case MBEDTLS_SSL_SERVER_CCS_AFTER_SERVER_HELLO:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2913 ret = mbedtls_ssl_tls13_write_change_cipher_spec(ssl);
2914 if (ret == 0) {
2915 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_ENCRYPTED_EXTENSIONS);
2916 }
Gabor Mezei7b39bf12022-05-24 16:04:14 +0200[diff] [blame]2917 break;
2918#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
2919
Jerry Yu69dd8d42022-04-16 12:51:26 +0800[diff] [blame]2920 case MBEDTLS_SSL_SERVER_FINISHED:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2921 ret = ssl_tls13_write_server_finished(ssl);
Jerry Yu69dd8d42022-04-16 12:51:26 +0800[diff] [blame]2922 break;
2923
2924 case MBEDTLS_SSL_CLIENT_FINISHED:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2925 ret = ssl_tls13_process_client_finished(ssl);
Jerry Yu69dd8d42022-04-16 12:51:26 +0800[diff] [blame]2926 break;
2927
Jerry Yu69dd8d42022-04-16 12:51:26 +0800[diff] [blame]2928 case MBEDTLS_SSL_HANDSHAKE_WRAPUP:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2929 ret = ssl_tls13_handshake_wrapup(ssl);
Jerry Yu69dd8d42022-04-16 12:51:26 +0800[diff] [blame]2930 break;
2931
Ronald Cron766c0cd2022-10-18 12:17:11 +0200[diff] [blame]2932#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
XiaokangQian6b916b12022-04-25 07:29:34 +0000[diff] [blame]2933 case MBEDTLS_SSL_CLIENT_CERTIFICATE:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2934 ret = mbedtls_ssl_tls13_process_certificate(ssl);
2935 if (ret == 0) {
2936 if (ssl->session_negotiate->peer_cert != NULL) {
Ronald Cron209cae92022-06-07 10:30:19 +0200[diff] [blame]2937 mbedtls_ssl_handshake_set_state(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2938 ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY);
2939 } else {
2940 MBEDTLS_SSL_DEBUG_MSG(2, ("skip parse certificate verify"));
Ronald Cron209cae92022-06-07 10:30:19 +0200[diff] [blame]2941 mbedtls_ssl_handshake_set_state(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2942 ssl, MBEDTLS_SSL_CLIENT_FINISHED);
Ronald Cron19385882022-06-15 16:26:13 +0200[diff] [blame]2943 }
XiaokangQian6b916b12022-04-25 07:29:34 +0000[diff] [blame]2944 }
2945 break;
2946
2947 case MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2948 ret = mbedtls_ssl_tls13_process_certificate_verify(ssl);
2949 if (ret == 0) {
XiaokangQian6b916b12022-04-25 07:29:34 +0000[diff] [blame]2950 mbedtls_ssl_handshake_set_state(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2951 ssl, MBEDTLS_SSL_CLIENT_FINISHED);
XiaokangQian6b916b12022-04-25 07:29:34 +0000[diff] [blame]2952 }
2953 break;
Ronald Cron766c0cd2022-10-18 12:17:11 +0200[diff] [blame]2954#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
XiaokangQian6b916b12022-04-25 07:29:34 +0000[diff] [blame]2955
Jerry Yue67bef42022-07-07 07:29:42 +0000[diff] [blame]2956#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Jerry Yua8d3c502022-10-30 14:51:23 +0800[diff] [blame]2957 case MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2958 ret = ssl_tls13_write_new_session_ticket(ssl);
2959 if (ret != 0) {
2960 MBEDTLS_SSL_DEBUG_RET(1,
2961 "ssl_tls13_write_new_session_ticket ",
2962 ret);
Jerry Yue67bef42022-07-07 07:29:42 +0000[diff] [blame]2963 }
2964 break;
Jerry Yua8d3c502022-10-30 14:51:23 +0800[diff] [blame]2965 case MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET_FLUSH:
Jerry Yue67bef42022-07-07 07:29:42 +0000[diff] [blame]2966 /* This state is necessary to do the flush of the New Session
Jerry Yua8d3c502022-10-30 14:51:23 +0800[diff] [blame]2967 * Ticket message written in MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET
Jerry Yue67bef42022-07-07 07:29:42 +0000[diff] [blame]2968 * as part of ssl_prepare_handshake_step.
2969 */
2970 ret = 0;
Jerry Yud4e75002022-08-09 13:33:50 +0800[diff] [blame]2971
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2972 if (ssl->handshake->new_session_tickets_count == 0) {
2973 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_OVER);
2974 } else {
2975 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET);
2976 }
Jerry Yue67bef42022-07-07 07:29:42 +0000[diff] [blame]2977 break;
2978
2979#endif /* MBEDTLS_SSL_SESSION_TICKETS */
2980
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]2981 default:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2982 MBEDTLS_SSL_DEBUG_MSG(1, ("invalid state %d", ssl->state));
2983 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]2984 }
2985
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2986 return ret;
Jerry Yub9930e72021-08-06 17:11:51 +0800[diff] [blame]2987}
Jerry Yu3cc4c2a2021-08-06 16:29:08 +0800[diff] [blame]2988
Jerry Yufb4b6472022-01-27 15:03:26 +0800[diff] [blame]2989#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_PROTO_TLS1_3 */