Blame - library/ssl_tls13_client.c - mirror/mbed-tls

2021-08-24 15:59:48 +0800

[diff] [blame]

26

#include <string.h>

27

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

28

#include "mbedtls/debug.h"

29

#include "mbedtls/error.h"

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

30

#include "mbedtls/platform.h"

Jerry Yu

a13c7e7

2021-08-17 10:44:40 +0800

[diff] [blame]

31

Jerry Yu

bdc7188

2021-09-14 19:30:36 +0800

[diff] [blame]

32

#include "ssl_misc.h"

Ronald Cron

3d580bf

2022-02-18 17:24:56 +0100

[diff] [blame]

33

#include "ssl_client.h"

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

34

#include "ssl_tls13_keys.h"

Jerry Yu

2022-08-04 16:55:10 +0800

[diff] [blame]

35

#include "ssl_debug_helpers.h"

Jerry Yu

bdc7188

2021-09-14 19:30:36 +0800

[diff] [blame]

36

Andrzej Kurek

8a045ce

2022-12-23 11:00:06 -0500

[diff] [blame]

37

#define PSA_TO_MBEDTLS_ERR(status) PSA_TO_MBEDTLS_ERR_LIST(status, \

38

psa_to_ssl_errors, \

39

psa_generic_status_to_mbedtls)

40

Jerry Yu

2021-08-24 15:59:48 +0800

[diff] [blame]

41

/* Write extensions */

42

Jerry Yu

2021-08-27 16:59:09 +0800

[diff] [blame]

43

/*

44

* ssl_tls13_write_supported_versions_ext():

45

*

46

* struct {

47

* ProtocolVersion versions<2..254>;

48

* } SupportedVersions;

49

*/

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

50

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

51

static int ssl_tls13_write_supported_versions_ext(mbedtls_ssl_context *ssl,

52

unsigned char *buf,

53

unsigned char *end,

54

size_t *out_len)

Jerry Yu

2021-08-27 16:59:09 +0800

[diff] [blame]

55

{

56

unsigned char *p = buf;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

57

unsigned char versions_len = (ssl->handshake->min_tls_version <=

58

MBEDTLS_SSL_VERSION_TLS1_2) ? 4 : 2;

Jerry Yu

2021-08-27 16:59:09 +0800

[diff] [blame]

59

Xiaofei Bai

d25fab6

2021-12-02 06:36:27 +0000

[diff] [blame]

60

*out_len = 0;

Jerry Yu

2021-08-27 16:59:09 +0800

[diff] [blame]

61

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

62

MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, adding supported versions extension"));

Jerry Yu

2021-08-27 16:59:09 +0800

[diff] [blame]

63

Jerry Yu

2021-09-15 18:41:02 +0800

[diff] [blame]

64

/* Check if we have space to write the extension:

Jerry Yu

2021-09-08 16:41:02 +0800

[diff] [blame]

65

* - extension_type (2 bytes)

66

* - extension_data_length (2 bytes)

67

* - versions_length (1 byte )

Ronald Cron

a77fc27

2022-03-30 17:20:47 +0200

[diff] [blame]

68

* - versions (2 or 4 bytes)

Jerry Yu

159c5a0

2021-08-31 12:51:25 +0800

[diff] [blame]

69

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

70

MBEDTLS_SSL_CHK_BUF_PTR(p, end, 5 + versions_len);

Ronald Cron

2022-02-10 14:35:27 +0100

[diff] [blame]

71

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

72

MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS, p, 0);

73

MBEDTLS_PUT_UINT16_BE(versions_len + 1, p, 2);

Jerry Yu

eecfbf0

2021-08-30 18:32:07 +0800

[diff] [blame]

74

p += 4;

Jerry Yu

2021-08-27 16:59:09 +0800

[diff] [blame]

75

Jerry Yu

1bc2c1f

2021-09-01 12:57:29 +0800

[diff] [blame]

76

/* Length of versions */

Ronald Cron

2022-02-10 14:35:27 +0100

[diff] [blame]

77

*p++ = versions_len;

Jerry Yu

2021-08-27 16:59:09 +0800

[diff] [blame]

78

Jerry Yu

0c63af6

2021-09-02 12:59:12 +0800

[diff] [blame]

79

/* Write values of supported versions.

Jerry Yu

0c63af6

2021-09-02 12:59:12 +0800

[diff] [blame]

80

* They are defined by the configuration.

Ronald Cron

2022-02-10 14:35:27 +0100

[diff] [blame]

81

* Currently, we advertise only TLS 1.3 or both TLS 1.3 and TLS 1.2.

Jerry Yu

2021-08-27 16:59:09 +0800

[diff] [blame]

82

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

83

mbedtls_ssl_write_version(p, MBEDTLS_SSL_TRANSPORT_STREAM,

84

MBEDTLS_SSL_VERSION_TLS1_3);

85

MBEDTLS_SSL_DEBUG_MSG(3, ("supported version: [3:4]"));

Jerry Yu

2021-08-27 16:59:09 +0800

[diff] [blame]

86

Jerry Yu

2021-08-27 16:59:09 +0800

[diff] [blame]

87

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

88

if (ssl->handshake->min_tls_version <= MBEDTLS_SSL_VERSION_TLS1_2) {

89

mbedtls_ssl_write_version(p + 2, MBEDTLS_SSL_TRANSPORT_STREAM,

90

MBEDTLS_SSL_VERSION_TLS1_2);

91

MBEDTLS_SSL_DEBUG_MSG(3, ("supported version: [3:3]"));

Ronald Cron

2022-02-10 14:35:27 +0100

[diff] [blame]

92

}

93

94

*out_len = 5 + versions_len;

Jerry Yu

2022-10-31 13:31:22 +0800

[diff] [blame]

95

Jerry Yu

2022-10-29 09:08:47 +0800

[diff] [blame]

96

mbedtls_ssl_tls13_set_hs_sent_ext_mask(

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

97

ssl, MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS);

Jerry Yu

2022-10-31 13:31:22 +0800

[diff] [blame]

98

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

99

return 0;

Jerry Yu

2021-08-27 16:59:09 +0800

[diff] [blame]

100

}

Jerry Yu

2021-08-24 15:59:48 +0800

[diff] [blame]

101

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

102

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

103

static int ssl_tls13_parse_supported_versions_ext(mbedtls_ssl_context *ssl,

104

const unsigned char *buf,

105

const unsigned char *end)

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

106

{

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

107

((void) ssl);

108

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

109

MBEDTLS_SSL_CHK_BUF_READ_PTR(buf, end, 2);

110

if (mbedtls_ssl_read_version(buf, ssl->conf->transport) !=

111

MBEDTLS_SSL_VERSION_TLS1_3) {

112

MBEDTLS_SSL_DEBUG_MSG(1, ("unexpected version"));

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

113

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

114

MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,

115

MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);

116

return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

117

}

118

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

119

if (&buf[2] != end) {

Xiaokang Qian

91bb3f0

2023-04-03 09:07:03 +0000

[diff] [blame]

120

MBEDTLS_SSL_DEBUG_MSG(

121

1, ("supported_versions ext data length incorrect"));

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

122

MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,

123

MBEDTLS_ERR_SSL_DECODE_ERROR);

124

return MBEDTLS_ERR_SSL_DECODE_ERROR;

Ronald Cron

9847338

2022-03-30 20:04:10 +0200

[diff] [blame]

125

}

126

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

127

return 0;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

128

}

129

lhuang04

2022-01-21 07:34:27 -0800

[diff] [blame]

130

#if defined(MBEDTLS_SSL_ALPN)

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

131

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

132

static int ssl_tls13_parse_alpn_ext(mbedtls_ssl_context *ssl,

133

const unsigned char *buf, size_t len)

lhuang04

2022-01-21 07:34:27 -0800

[diff] [blame]

134

{

lhuang04

2022-01-21 07:34:27 -0800

[diff] [blame]

135

const unsigned char *p = buf;

136

const unsigned char *end = buf + len;

Ronald Cron

81a334f

2022-05-31 16:04:11 +0200

[diff] [blame]

137

size_t protocol_name_list_len, protocol_name_len;

138

const unsigned char *protocol_name_list_end;

lhuang04

2022-01-21 07:34:27 -0800

[diff] [blame]

139

140

/* If we didn't send it, the server shouldn't send it */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

141

if (ssl->conf->alpn_list == NULL) {

142

return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;

143

}

lhuang04

2022-01-21 07:34:27 -0800

[diff] [blame]

144

145

/*

146

* opaque ProtocolName<1..2^8-1>;

147

*

148

* struct {

149

* ProtocolName protocol_name_list<2..2^16-1>

150

* } ProtocolNameList;

151

*

152

* the "ProtocolNameList" MUST contain exactly one "ProtocolName"

153

*/

154

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

155

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);

156

protocol_name_list_len = MBEDTLS_GET_UINT16_BE(p, 0);

lhuang04

2022-01-21 07:34:27 -0800

[diff] [blame]

157

p += 2;

lhuang04

2022-01-21 07:34:27 -0800

[diff] [blame]

158

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

159

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, protocol_name_list_len);

Ronald Cron

81a334f

2022-05-31 16:04:11 +0200

[diff] [blame]

160

protocol_name_list_end = p + protocol_name_list_len;

161

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

162

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, protocol_name_list_end, 1);

Ronald Cron

81a334f

2022-05-31 16:04:11 +0200

[diff] [blame]

163

protocol_name_len = *p++;

lhuang04

2022-01-21 07:34:27 -0800

[diff] [blame]

164

165

/* Check that the server chosen protocol was in our list and save it */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

166

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, protocol_name_list_end, protocol_name_len);

167

for (const char **alpn = ssl->conf->alpn_list; *alpn != NULL; alpn++) {

168

if (protocol_name_len == strlen(*alpn) &&

169

memcmp(p, *alpn, protocol_name_len) == 0) {

lhuang04

2022-01-21 07:34:27 -0800

[diff] [blame]

170

ssl->alpn_chosen = *alpn;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

171

return 0;

lhuang04

2022-01-21 07:34:27 -0800

[diff] [blame]

}

}

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

175

return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;

lhuang04

2022-01-21 07:34:27 -0800

[diff] [blame]

176

}

177

#endif /* MBEDTLS_SSL_ALPN */

178

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

179

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

180

static int ssl_tls13_reset_key_share(mbedtls_ssl_context *ssl)

XiaokangQian

2021-12-07 09:16:29 +0000

[diff] [blame]

181

{

182

uint16_t group_id = ssl->handshake->offered_group_id;

Ronald Cron

5b98ac9

2022-03-15 10:19:18 +0100

[diff] [blame]

183

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

184

if (group_id == 0) {

185

return MBEDTLS_ERR_SSL_INTERNAL_ERROR;

186

}

XiaokangQian

2021-12-07 09:16:29 +0000

[diff] [blame]

187

Przemek Stekiel

2023-05-18 15:45:53 +0200

[diff] [blame]

188

#if defined(PSA_WANT_ALG_ECDH) || defined(PSA_WANT_ALG_FFDH)

189

if (mbedtls_ssl_tls13_named_group_is_ecdhe(group_id) ||

190

mbedtls_ssl_tls13_named_group_is_dhe(group_id)) {

Ronald Cron

5b98ac9

2022-03-15 10:19:18 +0100

[diff] [blame]

191

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

192

psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;

193

194

/* Destroy generated private key. */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

195

status = psa_destroy_key(ssl->handshake->ecdh_psa_privkey);

196

if (status != PSA_SUCCESS) {

Andrzej Kurek

8a045ce

2022-12-23 11:00:06 -0500

[diff] [blame]

197

ret = PSA_TO_MBEDTLS_ERR(status);

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

198

MBEDTLS_SSL_DEBUG_RET(1, "psa_destroy_key", ret);

199

return ret;

Ronald Cron

5b98ac9

2022-03-15 10:19:18 +0100

[diff] [blame]

200

}

201

202

ssl->handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

203

return 0;

204

} else

Przemek Stekiel

2023-05-18 15:45:53 +0200

[diff] [blame]

205

#endif /* PSA_WANT_ALG_ECDH || PSA_WANT_ALG_FFDH */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

206

if (0 /* other KEMs? */) {

XiaokangQian

2021-12-07 09:16:29 +0000

[diff] [blame]

/* Do something */

}

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

210

return MBEDTLS_ERR_SSL_INTERNAL_ERROR;

XiaokangQian

2021-12-07 09:16:29 +0000

[diff] [blame]

211

}

212

213

/*

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

214

* Functions for writing key_share extension.

215

*/

Ronald Cron

2022-10-18 12:17:11 +0200

[diff] [blame]

216

#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

217

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

218

static int ssl_tls13_get_default_group_id(mbedtls_ssl_context *ssl,

219

uint16_t *group_id)

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

220

{

221

int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;

222

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

223

Przemek Stekiel

2023-05-18 15:45:53 +0200

[diff] [blame]

224

#if defined(PSA_WANT_ALG_ECDH) || defined(PSA_WANT_ALG_FFDH)

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

225

const uint16_t *group_list = mbedtls_ssl_get_groups(ssl);

Jerry Yu

2021-09-15 18:41:02 +0800

[diff] [blame]

226

/* Pick first available ECDHE group compatible with TLS 1.3 */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

227

if (group_list == NULL) {

228

return MBEDTLS_ERR_SSL_BAD_CONFIG;

229

}

Przemek Stekiel

2023-05-18 15:45:53 +0200

[diff] [blame]

230

#if defined(PSA_WANT_ALG_FFDH)

Przemek Stekiel

29c219c

2023-05-31 15:21:04 +0200

[diff] [blame]

231

if (mbedtls_ssl_tls13_named_group_is_dhe(*group_list)) {

Przemek Stekiel

2023-05-18 15:45:53 +0200

[diff] [blame]

232

*group_id = *group_list;

233

return 0;

234

}

235

#endif /* PSA_WANT_ALG_FFDH */

236

#if defined(PSA_WANT_ALG_ECDH)

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

237

for (; *group_list != 0; group_list++) {

Xiaokang Qian

2023-03-29 10:37:35 +0000

[diff] [blame]

238

if ((mbedtls_ssl_get_psa_curve_info_from_tls_id(

239

*group_list, NULL, NULL) == PSA_SUCCESS) &&

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

240

mbedtls_ssl_tls13_named_group_is_ecdhe(*group_list)) {

Brett Warren

14efd33

2021-10-06 09:32:11 +0100

[diff] [blame]

241

*group_id = *group_list;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

242

return 0;

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

243

}

244

}

Przemek Stekiel

2023-05-18 15:45:53 +0200

[diff] [blame]

245

#endif /* PSA_WANT_ALG_ECDH */

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

246

#else

247

((void) ssl);

Jerry Yu

2021-09-08 16:41:02 +0800

[diff] [blame]

248

((void) group_id);

Przemek Stekiel

2023-05-18 15:45:53 +0200

[diff] [blame]

249

#endif /* PSA_WANT_ALG_ECDH || PSA_WANT_ALG_FFDH */

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

250

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

251

return ret;

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

}

/*

* ssl_tls13_write_key_share_ext

256

*

Jerry Yu

2021-09-15 18:41:02 +0800

[diff] [blame]

257

* Structure of key_share extension in ClientHello:

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

*

* struct {

* NamedGroup group;

* opaque key_exchange<1..2^16-1>;

262

* } KeyShareEntry;

263

* struct {

264

* KeyShareEntry client_shares<0..2^16-1>;

265

* } KeyShareClientHello;

266

*/

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

267

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

268

static int ssl_tls13_write_key_share_ext(mbedtls_ssl_context *ssl,

269

unsigned char *buf,

270

unsigned char *end,

271

size_t *out_len)

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

272

{

273

unsigned char *p = buf;

Xiaofei Bai

2021-11-18 07:29:56 +0000

[diff] [blame]

274

unsigned char *client_shares; /* Start of client_shares */

275

size_t client_shares_len; /* Length of client_shares */

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

276

uint16_t group_id;

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

277

int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;

278

Xiaofei Bai

d25fab6

2021-12-02 06:36:27 +0000

[diff] [blame]

279

*out_len = 0;

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

280

Jerry Yu

2021-09-08 16:41:02 +0800

[diff] [blame]

281

/* Check if we have space for header and length fields:

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

282

* - extension_type (2 bytes)

283

* - extension_data_length (2 bytes)

284

* - client_shares_length (2 bytes)

285

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

286

MBEDTLS_SSL_CHK_BUF_PTR(p, end, 6);

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

287

p += 6;

288

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

289

MBEDTLS_SSL_DEBUG_MSG(3, ("client hello: adding key share extension"));

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

290

291

/* HRR could already have requested something else. */

292

group_id = ssl->handshake->offered_group_id;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

293

if (!mbedtls_ssl_tls13_named_group_is_ecdhe(group_id) &&

294

!mbedtls_ssl_tls13_named_group_is_dhe(group_id)) {

295

MBEDTLS_SSL_PROC_CHK(ssl_tls13_get_default_group_id(ssl,

296

&group_id));

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

}

/*

* Dispatch to type-specific key generation function.

301

*

302

* So far, we're only supporting ECDHE. With the introduction

303

* of PQC KEMs, we'll want to have multiple branches, one per

304

* type of KEM, and dispatch to the corresponding crypto. And

305

* only one key share entry is allowed.

306

*/

Xiaofei Bai

2021-11-18 07:29:56 +0000

[diff] [blame]

307

client_shares = p;

Przemek Stekiel

2023-05-18 15:45:53 +0200

[diff] [blame]

308

#if defined(PSA_WANT_ALG_ECDH) || defined(PSA_WANT_ALG_FFDH)

309

if (mbedtls_ssl_tls13_named_group_is_ecdhe(group_id) ||

310

mbedtls_ssl_tls13_named_group_is_dhe(group_id)) {

Jerry Yu

2021-09-15 18:41:02 +0800

[diff] [blame]

311

/* Pointer to group */

Xiaofei Bai

2021-11-18 07:29:56 +0000

[diff] [blame]

312

unsigned char *group = p;

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

313

/* Length of key_exchange */

Przemyslaw Stekiel

4f419e5

2022-02-10 15:56:26 +0100

[diff] [blame]

314

size_t key_exchange_len = 0;

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

315

316

/* Check there is space for header of KeyShareEntry

317

* - group (2 bytes)

318

* - key_exchange_length (2 bytes)

319

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

320

MBEDTLS_SSL_CHK_BUF_PTR(p, end, 4);

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

321

p += 4;

Przemek Stekiel

29c219c

2023-05-31 15:21:04 +0200

[diff] [blame]

322

ret = mbedtls_ssl_tls13_generate_and_write_dh_key_exchange(

323

ssl, group_id, p, end, &key_exchange_len);

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

324

p += key_exchange_len;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

325

if (ret != 0) {

326

return ret;

327

}

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

328

329

/* Write group */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

330

MBEDTLS_PUT_UINT16_BE(group_id, group, 0);

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

331

/* Write key_exchange_length */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

332

MBEDTLS_PUT_UINT16_BE(key_exchange_len, group, 2);

333

} else

Przemek Stekiel

2023-05-18 15:45:53 +0200

[diff] [blame]

334

#endif /* PSA_WANT_ALG_ECDH || PSA_WANT_ALG_FFDH */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

335

if (0 /* other KEMs? */) {

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

336

/* Do something */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

337

} else {

338

return MBEDTLS_ERR_SSL_INTERNAL_ERROR;

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

339

}

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

340

Jerry Yu

2021-09-08 16:41:02 +0800

[diff] [blame]

341

/* Length of client_shares */

Xiaofei Bai

2021-11-18 07:29:56 +0000

[diff] [blame]

342

client_shares_len = p - client_shares;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

343

if (client_shares_len == 0) {

344

MBEDTLS_SSL_DEBUG_MSG(1, ("No key share defined."));

345

return MBEDTLS_ERR_SSL_INTERNAL_ERROR;

Jerry Yu

7c522d4

2021-09-08 17:55:09 +0800

[diff] [blame]

346

}

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

347

/* Write extension_type */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

348

MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_KEY_SHARE, buf, 0);

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

349

/* Write extension_data_length */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

350

MBEDTLS_PUT_UINT16_BE(client_shares_len + 2, buf, 2);

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

351

/* Write client_shares_length */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

352

MBEDTLS_PUT_UINT16_BE(client_shares_len, buf, 4);

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

353

354

/* Update offered_group_id field */

355

ssl->handshake->offered_group_id = group_id;

356

357

/* Output the total length of key_share extension. */

Xiaofei Bai

d25fab6

2021-12-02 06:36:27 +0000

[diff] [blame]

358

*out_len = p - buf;

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

359

Xiaokang Qian

91bb3f0

2023-04-03 09:07:03 +0000

[diff] [blame]

360

MBEDTLS_SSL_DEBUG_BUF(

361

3, "client hello, key_share extension", buf, *out_len);

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

362

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

363

mbedtls_ssl_tls13_set_hs_sent_ext_mask(ssl, MBEDTLS_TLS_EXT_KEY_SHARE);

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

cleanup:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

367

return ret;

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

368

}

Ronald Cron

2022-10-18 12:17:11 +0200

[diff] [blame]

369

#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED */

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

370

XiaokangQian

2022-01-24 10:12:51 +0000

[diff] [blame]

371

/*

372

* ssl_tls13_parse_hrr_key_share_ext()

373

* Parse key_share extension in Hello Retry Request

374

*

375

* struct {

376

* NamedGroup selected_group;

377

* } KeyShareHelloRetryRequest;

378

*/

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

379

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

380

static int ssl_tls13_parse_hrr_key_share_ext(mbedtls_ssl_context *ssl,

381

const unsigned char *buf,

382

const unsigned char *end)

XiaokangQian

2022-01-14 04:03:11 +0000

[diff] [blame]

383

{

Przemek Stekiel

2023-06-12 11:21:18 +0200

[diff] [blame]

384

#if defined(PSA_WANT_ALG_ECDH) || defined(PSA_WANT_ALG_FFDH)

XiaokangQian

2022-01-14 04:03:11 +0000

[diff] [blame]

385

const unsigned char *p = buf;

XiaokangQian

2022-01-24 10:12:51 +0000

[diff] [blame]

386

int selected_group;

XiaokangQian

2022-01-14 04:03:11 +0000

[diff] [blame]

387

int found = 0;

388

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

389

const uint16_t *group_list = mbedtls_ssl_get_groups(ssl);

390

if (group_list == NULL) {

391

return MBEDTLS_ERR_SSL_BAD_CONFIG;

392

}

XiaokangQian

2022-01-14 04:03:11 +0000

[diff] [blame]

393

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

394

MBEDTLS_SSL_DEBUG_BUF(3, "key_share extension", p, end - buf);

XiaokangQian

2022-01-14 04:03:11 +0000

[diff] [blame]

395

396

/* Read selected_group */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

397

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);

398

selected_group = MBEDTLS_GET_UINT16_BE(p, 0);

399

MBEDTLS_SSL_DEBUG_MSG(3, ("selected_group ( %d )", selected_group));

XiaokangQian

2022-01-14 04:03:11 +0000

[diff] [blame]

400

401

/* Upon receipt of this extension in a HelloRetryRequest, the client

402

* MUST first verify that the selected_group field corresponds to a

403

* group which was provided in the "supported_groups" extension in the

404

* original ClientHello.

405

* The supported_group was based on the info in ssl->conf->group_list.

406

*

407

* If the server provided a key share that was not sent in the ClientHello

408

* then the client MUST abort the handshake with an "illegal_parameter" alert.

409

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

410

for (; *group_list != 0; group_list++) {

Przemek Stekiel

2023-06-12 11:21:18 +0200

[diff] [blame]

411

#if defined(PSA_WANT_ALG_ECDH)

Przemek Stekiel

2023-05-18 15:45:53 +0200

[diff] [blame]

412

if (mbedtls_ssl_tls13_named_group_is_ecdhe(*group_list)) {

413

if ((mbedtls_ssl_get_psa_curve_info_from_tls_id(

414

*group_list, NULL, NULL) == PSA_ERROR_NOT_SUPPORTED) ||

415

*group_list != selected_group) {

416

found = 1;

417

break;

418

}

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

419

}

Przemek Stekiel

2023-06-12 11:21:18 +0200

[diff] [blame]

420

#endif /* PSA_WANT_ALG_ECDH */

421

#if defined(PSA_WANT_ALG_FFDH)

Przemek Stekiel

2023-05-18 15:45:53 +0200

[diff] [blame]

422

if (mbedtls_ssl_tls13_named_group_is_dhe(*group_list)) {

423

found = 1;

424

break;

425

}

Przemek Stekiel

2023-06-12 11:21:18 +0200

[diff] [blame]

426

#endif /* PSA_WANT_ALG_FFDH */

XiaokangQian

2022-01-14 04:03:11 +0000

[diff] [blame]

427

}

428

429

/* Client MUST verify that the selected_group field does not

430

* correspond to a group which was provided in the "key_share"

431

* extension in the original ClientHello. If the server sent an

432

* HRR message with a key share already provided in the

433

* ClientHello then the client MUST abort the handshake with

434

* an "illegal_parameter" alert.

435

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

436

if (found == 0 || selected_group == ssl->handshake->offered_group_id) {

437

MBEDTLS_SSL_DEBUG_MSG(1, ("Invalid key share in HRR"));

XiaokangQian

2022-01-14 04:03:11 +0000

[diff] [blame]

438

MBEDTLS_SSL_PEND_FATAL_ALERT(

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

439

MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,

440

MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);

441

return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;

XiaokangQian

2022-01-14 04:03:11 +0000

[diff] [blame]

442

}

443

444

/* Remember server's preference for next ClientHello */

XiaokangQian

2022-01-24 10:12:51 +0000

[diff] [blame]

445

ssl->handshake->offered_group_id = selected_group;

XiaokangQian

2022-01-14 04:03:11 +0000

[diff] [blame]

446

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

447

return 0;

Przemek Stekiel

2023-06-12 11:21:18 +0200

[diff] [blame]

448

#else /* PSA_WANT_ALG_ECDH || PSA_WANT_ALG_FFDH */

Andrzej Kurek

c19fb08

2022-10-03 10:52:24 -0400

[diff] [blame]

449

(void) ssl;

450

(void) buf;

451

(void) end;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

452

return MBEDTLS_ERR_SSL_BAD_CONFIG;

Przemek Stekiel

2023-06-12 11:21:18 +0200

[diff] [blame]

453

#endif /* PSA_WANT_ALG_ECDH || PSA_WANT_ALG_FFDH */

XiaokangQian

2022-01-14 04:03:11 +0000

[diff] [blame]

454

}

455

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

456

/*

Jerry Yu

2021-10-13 13:36:05 +0800

[diff] [blame]

457

* ssl_tls13_parse_key_share_ext()

458

* Parse key_share extension in Server Hello

459

*

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

460

* struct {

461

* KeyShareEntry server_share;

462

* } KeyShareServerHello;

463

* struct {

464

* NamedGroup group;

465

* opaque key_exchange<1..2^16-1>;

466

* } KeyShareEntry;

467

*/

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

468

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

469

static int ssl_tls13_parse_key_share_ext(mbedtls_ssl_context *ssl,

470

const unsigned char *buf,

471

const unsigned char *end)

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

472

{

Jerry Yu

2021-10-13 13:36:05 +0800

[diff] [blame]

473

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

474

const unsigned char *p = buf;

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

475

uint16_t group, offered_group;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

476

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

477

/* ...

478

* NamedGroup group; (2 bytes)

479

* ...

480

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

481

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);

482

group = MBEDTLS_GET_UINT16_BE(p, 0);

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

483

p += 2;

484

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

485

/* Check that the chosen group matches the one we offered. */

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

486

offered_group = ssl->handshake->offered_group_id;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

487

if (offered_group != group) {

Xiaokang Qian

2023-03-29 10:37:35 +0000

[diff] [blame]

488

MBEDTLS_SSL_DEBUG_MSG(

489

1, ("Invalid server key share, our group %u, their group %u",

490

(unsigned) offered_group, (unsigned) group));

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

491

MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,

492

MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE);

493

return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

494

}

495

Przemek Stekiel

2023-05-18 15:45:53 +0200

[diff] [blame]

496

#if defined(PSA_WANT_ALG_ECDH) || defined(PSA_WANT_ALG_FFDH)

497

if (mbedtls_ssl_tls13_named_group_is_ecdhe(group) ||

498

mbedtls_ssl_tls13_named_group_is_dhe(group)) {

Przemek Stekiel

2023-06-12 11:21:18 +0200

[diff] [blame]

499

MBEDTLS_SSL_DEBUG_MSG(2,

500

("DHE group name: %s", mbedtls_ssl_named_group_to_str(group)));

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

501

ret = mbedtls_ssl_tls13_read_public_ecdhe_share(ssl, p, end - p);

if (ret != 0) {

return ret;

}

} else

Przemek Stekiel

2023-05-18 15:45:53 +0200

[diff] [blame]

506

#endif /* PSA_WANT_ALG_ECDH || PSA_WANT_ALG_FFDH */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

507

if (0 /* other KEMs? */) {

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

508

/* Do something */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

509

} else {

510

return MBEDTLS_ERR_SSL_INTERNAL_ERROR;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

511

}

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

512

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

513

return ret;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

514

}

515

XiaokangQian

2022-01-24 10:12:51 +0000

[diff] [blame]

516

/*

517

* ssl_tls13_parse_cookie_ext()

518

* Parse cookie extension in Hello Retry Request

519

*

520

* struct {

521

* opaque cookie<1..2^16-1>;

522

* } Cookie;

523

*

524

* When sending a HelloRetryRequest, the server MAY provide a "cookie"

525

* extension to the client (this is an exception to the usual rule that

526

* the only extensions that may be sent are those that appear in the

527

* ClientHello). When sending the new ClientHello, the client MUST copy

528

* the contents of the extension received in the HelloRetryRequest into

529

* a "cookie" extension in the new ClientHello. Clients MUST NOT use

530

* cookies in their initial ClientHello in subsequent connections.

531

*/

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

532

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

533

static int ssl_tls13_parse_cookie_ext(mbedtls_ssl_context *ssl,

534

const unsigned char *buf,

535

const unsigned char *end)

XiaokangQian

2022-01-21 04:32:58 +0000

[diff] [blame]

536

{

XiaokangQian

25c9c90

2022-02-08 10:49:53 +0000

[diff] [blame]

537

uint16_t cookie_len;

XiaokangQian

2022-01-21 04:32:58 +0000

[diff] [blame]

538

const unsigned char *p = buf;

539

mbedtls_ssl_handshake_params *handshake = ssl->handshake;

540

541

/* Retrieve length field of cookie */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

542

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);

543

cookie_len = MBEDTLS_GET_UINT16_BE(p, 0);

XiaokangQian

2022-01-21 04:32:58 +0000

[diff] [blame]

544

p += 2;

545

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

546

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, cookie_len);

547

MBEDTLS_SSL_DEBUG_BUF(3, "cookie extension", p, cookie_len);

XiaokangQian

2022-01-21 04:32:58 +0000

[diff] [blame]

548

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

549

mbedtls_free(handshake->cookie);

Jerry Yu

ac5ca5a

2022-03-04 12:50:46 +0800

[diff] [blame]

550

handshake->cookie_len = 0;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

551

handshake->cookie = mbedtls_calloc(1, cookie_len);

552

if (handshake->cookie == NULL) {

553

MBEDTLS_SSL_DEBUG_MSG(1,

554

("alloc failed ( %ud bytes )",

555

cookie_len));

556

return MBEDTLS_ERR_SSL_ALLOC_FAILED;

XiaokangQian

2022-01-21 04:32:58 +0000

[diff] [blame]

557

}

558

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

559

memcpy(handshake->cookie, p, cookie_len);

Jerry Yu

ac5ca5a

2022-03-04 12:50:46 +0800

[diff] [blame]

560

handshake->cookie_len = cookie_len;

XiaokangQian

2022-01-21 04:32:58 +0000

[diff] [blame]

561

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

562

return 0;

XiaokangQian

2022-01-21 04:32:58 +0000

[diff] [blame]

563

}

XiaokangQian

2022-01-21 04:32:58 +0000

[diff] [blame]

564

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

565

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

566

static int ssl_tls13_write_cookie_ext(mbedtls_ssl_context *ssl,

567

unsigned char *buf,

568

unsigned char *end,

569

size_t *out_len)

XiaokangQian

2022-01-27 10:36:51 +0000

[diff] [blame]

570

{

571

unsigned char *p = buf;

XiaokangQian

9deb90f

2022-02-08 10:31:07 +0000

[diff] [blame]

572

*out_len = 0;

XiaokangQian

c02768a

2022-02-10 07:31:25 +0000

[diff] [blame]

573

mbedtls_ssl_handshake_params *handshake = ssl->handshake;

XiaokangQian

2022-01-27 10:36:51 +0000

[diff] [blame]

574

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

575

if (handshake->cookie == NULL) {

576

MBEDTLS_SSL_DEBUG_MSG(3, ("no cookie to send; skip extension"));

577

return 0;

XiaokangQian

2022-01-27 10:36:51 +0000

[diff] [blame]

578

}

579

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

580

MBEDTLS_SSL_DEBUG_BUF(3, "client hello, cookie",

581

handshake->cookie,

582

handshake->cookie_len);

XiaokangQian

2022-01-27 10:36:51 +0000

[diff] [blame]

583

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

584

MBEDTLS_SSL_CHK_BUF_PTR(p, end, handshake->cookie_len + 6);

XiaokangQian

2022-01-27 10:36:51 +0000

[diff] [blame]

585

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

586

MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, adding cookie extension"));

XiaokangQian

2022-01-27 10:36:51 +0000

[diff] [blame]

587

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

588

MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_COOKIE, p, 0);

589

MBEDTLS_PUT_UINT16_BE(handshake->cookie_len + 2, p, 2);

590

MBEDTLS_PUT_UINT16_BE(handshake->cookie_len, p, 4);

XiaokangQian

233397e

2022-02-07 08:32:16 +0000

[diff] [blame]

591

p += 6;

XiaokangQian

2022-01-27 10:36:51 +0000

[diff] [blame]

592

593

/* Cookie */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

594

memcpy(p, handshake->cookie, handshake->cookie_len);

XiaokangQian

2022-01-27 10:36:51 +0000

[diff] [blame]

595

Jerry Yu

ac5ca5a

2022-03-04 12:50:46 +0800

[diff] [blame]

596

*out_len = handshake->cookie_len + 6;

XiaokangQian

2022-01-27 10:36:51 +0000

[diff] [blame]

597

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

598

mbedtls_ssl_tls13_set_hs_sent_ext_mask(ssl, MBEDTLS_TLS_EXT_COOKIE);

Jerry Yu

2022-10-31 13:31:22 +0800

[diff] [blame]

599

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

600

return 0;

XiaokangQian

2022-01-27 10:36:51 +0000

[diff] [blame]

601

}

602

Ronald Cron

2022-10-04 16:38:25 +0200

[diff] [blame]

603

#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

604

/*

605

* ssl_tls13_write_psk_key_exchange_modes_ext() structure:

606

*

607

* enum { psk_ke( 0 ), psk_dhe_ke( 1 ), ( 255 ) } PskKeyExchangeMode;

608

*

609

* struct {

610

* PskKeyExchangeMode ke_modes<1..255>;

611

* } PskKeyExchangeModes;

612

*/

XiaokangQian

8698195

2022-07-19 09:51:50 +0000

[diff] [blame]

613

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

614

static int ssl_tls13_write_psk_key_exchange_modes_ext(mbedtls_ssl_context *ssl,

615

unsigned char *buf,

616

unsigned char *end,

617

size_t *out_len)

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

618

{

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

619

unsigned char *p = buf;

XiaokangQian

2022-07-14 07:54:01 +0000

[diff] [blame]

620

int ke_modes_len = 0;

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

621

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

622

((void) ke_modes_len);

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

623

*out_len = 0;

XiaokangQian

2022-07-14 07:54:01 +0000

[diff] [blame]

624

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

625

/* Skip writing extension if no PSK key exchange mode

XiaokangQian

7c12d31

2022-07-20 07:25:43 +0000

[diff] [blame]

626

* is enabled in the config.

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

627

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

628

if (!mbedtls_ssl_conf_tls13_some_psk_enabled(ssl)) {

629

MBEDTLS_SSL_DEBUG_MSG(3, ("skip psk_key_exchange_modes extension"));

630

return 0;

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

631

}

632

633

/* Require 7 bytes of data, otherwise fail,

634

* even if extension might be shorter.

635

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

636

MBEDTLS_SSL_CHK_BUF_PTR(p, end, 7);

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

637

MBEDTLS_SSL_DEBUG_MSG(

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

638

3, ("client hello, adding psk_key_exchange_modes extension"));

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

639

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

640

MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES, p, 0);

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

641

XiaokangQian

2022-07-14 07:54:01 +0000

[diff] [blame]

642

/* Skip extension length (2 bytes) and

643

* ke_modes length (1 byte) for now.

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

*/

p += 5;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

647

if (mbedtls_ssl_conf_tls13_psk_ephemeral_enabled(ssl)) {

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

648

*p++ = MBEDTLS_SSL_TLS1_3_PSK_MODE_ECDHE;

XiaokangQian

2022-07-14 07:54:01 +0000

[diff] [blame]

649

ke_modes_len++;

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

650

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

651

MBEDTLS_SSL_DEBUG_MSG(4, ("Adding PSK-ECDHE key exchange mode"));

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

652

}

653

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

654

if (mbedtls_ssl_conf_tls13_psk_enabled(ssl)) {

Ronald Cron

a709a0f

2022-09-27 16:46:11 +0200

[diff] [blame]

655

*p++ = MBEDTLS_SSL_TLS1_3_PSK_MODE_PURE;

656

ke_modes_len++;

657

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

658

MBEDTLS_SSL_DEBUG_MSG(4, ("Adding pure PSK key exchange mode"));

Ronald Cron

a709a0f

2022-09-27 16:46:11 +0200

[diff] [blame]

659

}

660

XiaokangQian

2022-07-14 07:54:01 +0000

[diff] [blame]

661

/* Now write the extension and ke_modes length */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

662

MBEDTLS_PUT_UINT16_BE(ke_modes_len + 1, buf, 2);

XiaokangQian

2022-07-14 07:54:01 +0000

[diff] [blame]

663

buf[4] = ke_modes_len;

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

664

665

*out_len = p - buf;

Jerry Yu

2022-08-29 15:25:36 +0800

[diff] [blame]

666

Jerry Yu

2022-10-29 09:08:47 +0800

[diff] [blame]

667

mbedtls_ssl_tls13_set_hs_sent_ext_mask(

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

668

ssl, MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES);

Jerry Yu

2022-10-31 13:31:22 +0800

[diff] [blame]

669

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

670

return 0;

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

671

}

Jerry Yu

db8c5fa

2022-08-03 12:10:13 +0800

[diff] [blame]

672

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

673

static psa_algorithm_t ssl_tls13_get_ciphersuite_hash_alg(int ciphersuite)

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

674

{

Jerry Yu

21f9095

2022-10-08 10:30:53 +0800

[diff] [blame]

675

const mbedtls_ssl_ciphersuite_t *ciphersuite_info = NULL;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

676

ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(ciphersuite);

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

677

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

678

if (ciphersuite_info != NULL) {

679

return mbedtls_psa_translate_md(ciphersuite_info->mac);

680

}

Jerry Yu

2022-10-08 11:17:14 +0800

[diff] [blame]

681

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

682

return PSA_ALG_NONE;

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

683

}

684

Jerry Yu

2022-09-30 10:30:31 +0800

[diff] [blame]

685

#if defined(MBEDTLS_SSL_SESSION_TICKETS)

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

686

static int ssl_tls13_has_configured_ticket(mbedtls_ssl_context *ssl)

Xiaokang Qian

b781a23

2022-11-01 07:39:46 +0000

[diff] [blame]

687

{

688

mbedtls_ssl_session *session = ssl->session_negotiate;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

689

return ssl->handshake->resume &&

Pengyu Lv

9356678

2022-12-07 12:10:05 +0800

[diff] [blame]

690

session != NULL && session->ticket != NULL &&

Pengyu Lv

9b84ea7

2023-01-16 14:08:23 +0800

[diff] [blame]

691

mbedtls_ssl_conf_tls13_check_kex_modes(

692

ssl, mbedtls_ssl_session_get_ticket_flags(

693

session, MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL));

Xiaokang Qian

b781a23

2022-11-01 07:39:46 +0000

[diff] [blame]

694

}

695

Xiaokang Qian

01323a4

2022-11-03 02:27:35 +0000

[diff] [blame]

696

#if defined(MBEDTLS_SSL_EARLY_DATA)

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

697

static int ssl_tls13_early_data_has_valid_ticket(mbedtls_ssl_context *ssl)

Xiaokang Qian

01323a4

2022-11-03 02:27:35 +0000

[diff] [blame]

698

{

699

mbedtls_ssl_session *session = ssl->session_negotiate;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

700

return ssl->handshake->resume &&

701

session->tls_version == MBEDTLS_SSL_VERSION_TLS1_3 &&

702

(session->ticket_flags &

703

MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_EARLY_DATA) &&

704

mbedtls_ssl_tls13_cipher_suite_is_offered(

705

ssl, session->ciphersuite);

Xiaokang Qian

01323a4

2022-11-03 02:27:35 +0000

[diff] [blame]

}

#endif

Xiaokang Qian

2022-11-01 07:39:46 +0000

[diff] [blame]

709

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

710

static int ssl_tls13_ticket_get_identity(mbedtls_ssl_context *ssl,

711

psa_algorithm_t *hash_alg,

712

const unsigned char **identity,

713

size_t *identity_len)

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

714

{

715

mbedtls_ssl_session *session = ssl->session_negotiate;

Jerry Yu

2022-09-30 10:00:20 +0800

[diff] [blame]

716

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

717

if (!ssl_tls13_has_configured_ticket(ssl)) {

718

return -1;

719

}

Jerry Yu

2022-09-30 10:00:20 +0800

[diff] [blame]

720

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

721

*hash_alg = ssl_tls13_get_ciphersuite_hash_alg(session->ciphersuite);

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

722

*identity = session->ticket;

723

*identity_len = session->ticket_len;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

724

return 0;

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

725

}

726

Jerry Yu

2022-09-28 22:11:02 +0800

[diff] [blame]

727

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

728

static int ssl_tls13_ticket_get_psk(mbedtls_ssl_context *ssl,

729

psa_algorithm_t *hash_alg,

730

const unsigned char **psk,

731

size_t *psk_len)

Jerry Yu

2022-09-28 22:11:02 +0800

[diff] [blame]

732

{

733

734

mbedtls_ssl_session *session = ssl->session_negotiate;

735

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

736

if (!ssl_tls13_has_configured_ticket(ssl)) {

737

return -1;

738

}

Jerry Yu

2022-09-30 10:00:20 +0800

[diff] [blame]

739

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

740

*hash_alg = ssl_tls13_get_ciphersuite_hash_alg(session->ciphersuite);

Jerry Yu

2022-09-28 22:11:02 +0800

[diff] [blame]

741

*psk = session->resumption_key;

742

*psk_len = session->resumption_key_len;

743

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

744

return 0;

Jerry Yu

2022-09-28 22:11:02 +0800

[diff] [blame]

745

}

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

746

#endif /* MBEDTLS_SSL_SESSION_TICKETS */

747

748

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

749

static int ssl_tls13_psk_get_identity(mbedtls_ssl_context *ssl,

750

psa_algorithm_t *hash_alg,

751

const unsigned char **identity,

752

size_t *identity_len)

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

753

{

Jerry Yu

2022-09-30 10:00:20 +0800

[diff] [blame]

754

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

755

if (!mbedtls_ssl_conf_has_static_psk(ssl->conf)) {

756

return -1;

757

}

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

758

Jerry Yu

2022-10-08 11:17:14 +0800

[diff] [blame]

759

*hash_alg = PSA_ALG_SHA_256;

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

760

*identity = ssl->conf->psk_identity;

761

*identity_len = ssl->conf->psk_identity_len;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

762

return 0;

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

763

}

764

Jerry Yu

2022-09-28 22:11:02 +0800

[diff] [blame]

765

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

766

static int ssl_tls13_psk_get_psk(mbedtls_ssl_context *ssl,

767

psa_algorithm_t *hash_alg,

768

const unsigned char **psk,

769

size_t *psk_len)

Jerry Yu

2022-09-28 22:11:02 +0800

[diff] [blame]

770

{

Jerry Yu

2022-09-30 10:00:20 +0800

[diff] [blame]

771

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

772

if (!mbedtls_ssl_conf_has_static_psk(ssl->conf)) {

773

return -1;

774

}

Jerry Yu

2022-09-30 10:00:20 +0800

[diff] [blame]

775

Jerry Yu

2022-10-08 11:17:14 +0800

[diff] [blame]

776

*hash_alg = PSA_ALG_SHA_256;

Jerry Yu

2022-09-28 22:11:02 +0800

[diff] [blame]

777

*psk = ssl->conf->psk;

778

*psk_len = ssl->conf->psk_len;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

779

return 0;

Jerry Yu

2022-09-28 22:11:02 +0800

[diff] [blame]

780

}

781

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

782

static int ssl_tls13_get_configured_psk_count(mbedtls_ssl_context *ssl)

Jerry Yu

2022-09-30 10:30:31 +0800

[diff] [blame]

783

{

784

int configured_psk_count = 0;

785

#if defined(MBEDTLS_SSL_SESSION_TICKETS)

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

786

if (ssl_tls13_has_configured_ticket(ssl)) {

787

MBEDTLS_SSL_DEBUG_MSG(3, ("Ticket is configured"));

Jerry Yu

2022-09-30 10:30:31 +0800

[diff] [blame]

788

configured_psk_count++;

789

}

790

#endif

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

791

if (mbedtls_ssl_conf_has_static_psk(ssl->conf)) {

792

MBEDTLS_SSL_DEBUG_MSG(3, ("PSK is configured"));

Jerry Yu

2022-09-30 10:30:31 +0800

[diff] [blame]

793

configured_psk_count++;

794

}

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

795

return configured_psk_count;

Jerry Yu

2022-09-30 10:30:31 +0800

[diff] [blame]

796

}

797

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

798

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

799

static int ssl_tls13_write_identity(mbedtls_ssl_context *ssl,

800

unsigned char *buf,

801

unsigned char *end,

802

const unsigned char *identity,

803

size_t identity_len,

804

uint32_t obfuscated_ticket_age,

805

size_t *out_len)

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

806

{

Jerry Yu

2022-09-30 10:30:31 +0800

[diff] [blame]

807

((void) ssl);

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

808

*out_len = 0;

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

809

810

/*

811

* - identity_len (2 bytes)

812

* - identity (psk_identity_len bytes)

813

* - obfuscated_ticket_age (4 bytes)

814

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

815

MBEDTLS_SSL_CHK_BUF_PTR(buf, end, 6 + identity_len);

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

816

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

817

MBEDTLS_PUT_UINT16_BE(identity_len, buf, 0);

818

memcpy(buf + 2, identity, identity_len);

819

MBEDTLS_PUT_UINT32_BE(obfuscated_ticket_age, buf, 2 + identity_len);

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

820

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

821

MBEDTLS_SSL_DEBUG_BUF(4, "write identity", buf, 6 + identity_len);

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

822

823

*out_len = 6 + identity_len;

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

824

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

825

return 0;

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

826

}

827

Jerry Yu

2022-09-30 10:00:20 +0800

[diff] [blame]

828

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

829

static int ssl_tls13_write_binder(mbedtls_ssl_context *ssl,

unsigned char *buf,

unsigned char *end,

int psk_type,

psa_algorithm_t hash_alg,

834

const unsigned char *psk,

835

size_t psk_len,

836

size_t *out_len)

Jerry Yu

2022-09-30 10:00:20 +0800

[diff] [blame]

837

{

838

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

Jerry Yu

2022-09-30 10:00:20 +0800

[diff] [blame]

839

unsigned char binder_len;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

840

unsigned char transcript[MBEDTLS_TLS1_3_MD_MAX_SIZE];

Jerry Yu

2022-09-30 10:00:20 +0800

[diff] [blame]

841

size_t transcript_len = 0;

*out_len = 0;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

845

binder_len = PSA_HASH_LENGTH(hash_alg);

Jerry Yu

2022-09-30 10:00:20 +0800

[diff] [blame]

846

847

/*

848

* - binder_len (1 bytes)

849

* - binder (binder_len bytes)

850

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

851

MBEDTLS_SSL_CHK_BUF_PTR(buf, end, 1 + binder_len);

Jerry Yu

2022-09-30 10:00:20 +0800

[diff] [blame]

852

Jerry Yu

2022-10-08 11:17:14 +0800

[diff] [blame]

853

buf[0] = binder_len;

Jerry Yu

2022-09-30 10:00:20 +0800

[diff] [blame]

854

855

/* Get current state of handshake transcript. */

856

ret = mbedtls_ssl_get_handshake_transcript(

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

857

ssl, mbedtls_hash_info_md_from_psa(hash_alg),

858

transcript, sizeof(transcript), &transcript_len);

859

if (ret != 0) {

860

return ret;

Jerry Yu

2022-09-30 10:00:20 +0800

[diff] [blame]

861

}

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

862

863

ret = mbedtls_ssl_tls13_create_psk_binder(ssl, hash_alg,

864

psk, psk_len, psk_type,

865

transcript, buf + 1);

866

if (ret != 0) {

867

MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_tls13_create_psk_binder", ret);

868

return ret;

869

}

870

MBEDTLS_SSL_DEBUG_BUF(4, "write binder", buf, 1 + binder_len);

Jerry Yu

2022-09-30 10:00:20 +0800

[diff] [blame]

871

872

*out_len = 1 + binder_len;

873

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

874

return 0;

Jerry Yu

2022-09-30 10:00:20 +0800

[diff] [blame]

}

/*

* mbedtls_ssl_tls13_write_identities_of_pre_shared_key_ext() structure:

879

*

880

* struct {

881

* opaque identity<1..2^16-1>;

882

* uint32 obfuscated_ticket_age;

883

* } PskIdentity;

884

*

885

* opaque PskBinderEntry<32..255>;

886

*

887

* struct {

888

* PskIdentity identities<7..2^16-1>;

889

* PskBinderEntry binders<33..2^16-1>;

* } OfferedPsks;

*

* struct {

* select (Handshake.msg_type) {

894

* case client_hello: OfferedPsks;

895

* ...

896

* };

897

* } PreSharedKeyExtension;

898

*

899

*/

XiaokangQian

3ad67bf

2022-07-21 02:26:21 +0000

[diff] [blame]

900

int mbedtls_ssl_tls13_write_identities_of_pre_shared_key_ext(

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

901

mbedtls_ssl_context *ssl, unsigned char *buf, unsigned char *end,

902

size_t *out_len, size_t *binders_len)

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

903

{

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

904

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

Jerry Yu

2022-09-30 10:30:31 +0800

[diff] [blame]

905

int configured_psk_count = 0;

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

906

unsigned char *p = buf;

Xiaokang Qian

854db28

2022-12-19 07:31:27 +0000

[diff] [blame]

907

psa_algorithm_t hash_alg = PSA_ALG_NONE;

Jerry Yu

2022-09-30 10:30:31 +0800

[diff] [blame]

908

const unsigned char *identity;

909

size_t identity_len;

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

910

size_t l_binders_len = 0;

Jerry Yu

2022-09-30 10:30:31 +0800

[diff] [blame]

911

size_t output_len;

Xiaokang Qian

7179f81

2023-02-03 03:38:44 +0000

[diff] [blame]

912

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

*out_len = 0;

*binders_len = 0;

/* Check if we have any PSKs to offer. If no, skip pre_shared_key */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

917

configured_psk_count = ssl_tls13_get_configured_psk_count(ssl);

918

if (configured_psk_count == 0) {

919

MBEDTLS_SSL_DEBUG_MSG(3, ("skip pre_shared_key extensions"));

920

return 0;

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

921

}

922

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

923

MBEDTLS_SSL_DEBUG_MSG(4, ("Pre-configured PSK number = %d",

924

configured_psk_count));

Jerry Yu

2022-09-30 10:30:31 +0800

[diff] [blame]

925

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

926

/* Check if we have space to write the extension, binders included.

927

* - extension_type (2 bytes)

928

* - extension_data_len (2 bytes)

929

* - identities_len (2 bytes)

930

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

931

MBEDTLS_SSL_CHK_BUF_PTR(p, end, 6);

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

932

p += 6;

933

Jerry Yu

2022-09-30 10:30:31 +0800

[diff] [blame]

934

#if defined(MBEDTLS_SSL_SESSION_TICKETS)

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

935

if (ssl_tls13_ticket_get_identity(

936

ssl, &hash_alg, &identity, &identity_len) == 0) {

Jerry Yu

2022-09-30 10:30:31 +0800

[diff] [blame]

937

#if defined(MBEDTLS_HAVE_TIME)

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

938

mbedtls_time_t now = mbedtls_time(NULL);

Jerry Yu

2022-09-30 10:30:31 +0800

[diff] [blame]

939

mbedtls_ssl_session *session = ssl->session_negotiate;

Jerry Yu

6916e70

2022-10-10 21:33:51 +0800

[diff] [blame]

940

uint32_t obfuscated_ticket_age =

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

941

(uint32_t) (now - session->ticket_received);

Jerry Yu

2022-10-08 11:17:14 +0800

[diff] [blame]

942

Jerry Yu

3e60cad

2023-01-10 14:58:08 +0800

[diff] [blame]

943

/*

944

* The ticket timestamp is in seconds but the ticket age is in

945

* milliseconds. If the ticket was received at the end of a second and

946

* re-used here just at the beginning of the next second, the computed

947

* age `now - session->ticket_received` is equal to 1s thus 1000 ms

948

* while the actual age could be just a few milliseconds or tens of

949

* milliseconds. If the server has more accurate ticket timestamps

950

* (typically timestamps in milliseconds), as part of the processing of

951

* the ClientHello, it may compute a ticket lifetime smaller than the

952

* one computed here and potentially reject the ticket. To avoid that,

953

* remove one second to the ticket age if possible.

Jerry Yu

bdb936b

2023-01-07 16:07:46 +0800

[diff] [blame]

954

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

955

if (obfuscated_ticket_age > 0) {

Jerry Yu

bdb936b

2023-01-07 16:07:46 +0800

[diff] [blame]

956

obfuscated_ticket_age -= 1;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

957

}

Jerry Yu

bdb936b

2023-01-07 16:07:46 +0800

[diff] [blame]

958

Jerry Yu

2022-09-30 10:30:31 +0800

[diff] [blame]

959

obfuscated_ticket_age *= 1000;

960

obfuscated_ticket_age += session->ticket_age_add;

Jerry Yu

2022-10-08 11:17:14 +0800

[diff] [blame]

961

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

962

ret = ssl_tls13_write_identity(ssl, p, end,

963

identity, identity_len,

964

obfuscated_ticket_age,

965

&output_len);

Jerry Yu

2022-10-08 11:17:14 +0800

[diff] [blame]

966

#else

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

967

ret = ssl_tls13_write_identity(ssl, p, end, identity, identity_len,

968

0, &output_len);

Jerry Yu

2022-10-08 11:17:14 +0800

[diff] [blame]

969

#endif /* MBEDTLS_HAVE_TIME */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

970

if (ret != 0) {

971

return ret;

972

}

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

973

Jerry Yu

2022-09-30 10:30:31 +0800

[diff] [blame]

974

p += output_len;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

975

l_binders_len += 1 + PSA_HASH_LENGTH(hash_alg);

Jerry Yu

2022-09-30 10:30:31 +0800

[diff] [blame]

976

}

977

#endif /* MBEDTLS_SSL_SESSION_TICKETS */

978

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

979

if (ssl_tls13_psk_get_identity(

980

ssl, &hash_alg, &identity, &identity_len) == 0) {

Jerry Yu

2022-09-30 10:30:31 +0800

[diff] [blame]

981

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

982

ret = ssl_tls13_write_identity(ssl, p, end, identity, identity_len, 0,

&output_len);

if (ret != 0) {

return ret;

}

Jerry Yu

2022-09-30 10:30:31 +0800

[diff] [blame]

987

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

988

p += output_len;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

989

l_binders_len += 1 + PSA_HASH_LENGTH(hash_alg);

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

990

}

991

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

992

MBEDTLS_SSL_DEBUG_MSG(3,

993

("client hello, adding pre_shared_key extension, "

994

"omitting PSK binder list"));

Jerry Yu

2022-10-08 11:17:14 +0800

[diff] [blame]

995

996

/* Take into account the two bytes for the length of the binders. */

997

l_binders_len += 2;

Jerry Yu

6916e70

2022-10-10 21:33:51 +0800

[diff] [blame]

998

/* Check if there is enough space for binders */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

999

MBEDTLS_SSL_CHK_BUF_PTR(p, end, l_binders_len);

Jerry Yu

2022-10-08 11:17:14 +0800

[diff] [blame]

1000

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

1001

/*

1002

* - extension_type (2 bytes)

1003

* - extension_data_len (2 bytes)

1004

* - identities_len (2 bytes)

1005

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1006

MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_PRE_SHARED_KEY, buf, 0);

1007

MBEDTLS_PUT_UINT16_BE(p - buf - 4 + l_binders_len, buf, 2);

1008

MBEDTLS_PUT_UINT16_BE(p - buf - 6, buf, 4);

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

1009

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1010

*out_len = (p - buf) + l_binders_len;

Jerry Yu

2022-10-08 11:17:14 +0800

[diff] [blame]

1011

*binders_len = l_binders_len;

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

1012

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1013

MBEDTLS_SSL_DEBUG_BUF(3, "pre_shared_key identities", buf, p - buf);

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

1014

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1015

return 0;

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

1016

}

1017

XiaokangQian

8698195

2022-07-19 09:51:50 +0000

[diff] [blame]

1018

int mbedtls_ssl_tls13_write_binders_of_pre_shared_key_ext(

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1019

mbedtls_ssl_context *ssl, unsigned char *buf, unsigned char *end)

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

1020

{

Jerry Yu

2022-09-28 22:11:02 +0800

[diff] [blame]

1021

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

1022

unsigned char *p = buf;

Jerry Yu

2022-09-30 11:08:57 +0800

[diff] [blame]

1023

psa_algorithm_t hash_alg = PSA_ALG_NONE;

1024

const unsigned char *psk;

1025

size_t psk_len;

1026

size_t output_len;

Jerry Yu

2022-09-28 22:11:02 +0800

[diff] [blame]

1027

1028

/* Check if we have space to write binders_len.

1029

* - binders_len (2 bytes)

1030

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1031

MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2);

Jerry Yu

2022-09-28 22:11:02 +0800

[diff] [blame]

1032

p += 2;

1033

Jerry Yu

2022-09-30 11:08:57 +0800

[diff] [blame]

1034

#if defined(MBEDTLS_SSL_SESSION_TICKETS)

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1035

if (ssl_tls13_ticket_get_psk(ssl, &hash_alg, &psk, &psk_len) == 0) {

Jerry Yu

2022-09-30 11:08:57 +0800

[diff] [blame]

1036

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1037

ret = ssl_tls13_write_binder(ssl, p, end,

1038

MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION,

1039

hash_alg, psk, psk_len,

&output_len);

if (ret != 0) {

return ret;

}

Jerry Yu

2022-09-28 22:11:02 +0800

[diff] [blame]

1044

p += output_len;

1045

}

Jerry Yu

2022-09-30 11:08:57 +0800

[diff] [blame]

1046

#endif /* MBEDTLS_SSL_SESSION_TICKETS */

Jerry Yu

2022-09-28 22:11:02 +0800

[diff] [blame]

1047

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1048

if (ssl_tls13_psk_get_psk(ssl, &hash_alg, &psk, &psk_len) == 0) {

Jerry Yu

2022-09-30 11:08:57 +0800

[diff] [blame]

1049

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1050

ret = ssl_tls13_write_binder(ssl, p, end,

1051

MBEDTLS_SSL_TLS1_3_PSK_EXTERNAL,

1052

hash_alg, psk, psk_len,

&output_len);

if (ret != 0) {

return ret;

}

Jerry Yu

2022-09-28 22:11:02 +0800

[diff] [blame]

p += output_len;

}

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1060

MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, adding PSK binder list."));

Jerry Yu

2022-09-28 22:11:02 +0800

[diff] [blame]

1061

1062

/*

1063

* - binders_len (2 bytes)

1064

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1065

MBEDTLS_PUT_UINT16_BE(p - buf - 2, buf, 0);

Jerry Yu

2022-09-28 22:11:02 +0800

[diff] [blame]

1066

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1067

MBEDTLS_SSL_DEBUG_BUF(3, "pre_shared_key binders", buf, p - buf);

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

1068

Jerry Yu

2022-10-29 09:08:47 +0800

[diff] [blame]

1069

mbedtls_ssl_tls13_set_hs_sent_ext_mask(

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1070

ssl, MBEDTLS_TLS_EXT_PRE_SHARED_KEY);

Jerry Yu

2022-08-29 15:25:36 +0800

[diff] [blame]

1071

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1072

return 0;

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

1073

}

Jerry Yu

0c6105b

2022-08-12 17:26:40 +0800

[diff] [blame]

/*

* struct {

* opaque identity<1..2^16-1>;

1078

* uint32 obfuscated_ticket_age;

1079

* } PskIdentity;

1080

*

1081

* opaque PskBinderEntry<32..255>;

*

* struct {

*

* select (Handshake.msg_type) {

1086

* ...

1087

* case server_hello: uint16 selected_identity;

1088

* };

1089

*

1090

* } PreSharedKeyExtension;

1091

*

1092

*/

1093

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1094

static int ssl_tls13_parse_server_pre_shared_key_ext(mbedtls_ssl_context *ssl,

1095

const unsigned char *buf,

1096

const unsigned char *end)

Jerry Yu

0c6105b

2022-08-12 17:26:40 +0800

[diff] [blame]

1097

{

Jerry Yu

2022-10-08 11:17:14 +0800

[diff] [blame]

1098

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

Jerry Yu

2022-09-28 22:12:07 +0800

[diff] [blame]

1099

int selected_identity;

Jerry Yu

2022-09-28 22:12:07 +0800

[diff] [blame]

1100

const unsigned char *psk;

1101

size_t psk_len;

Jerry Yu

2022-10-08 11:17:14 +0800

[diff] [blame]

1102

psa_algorithm_t hash_alg;

Jerry Yu

2022-09-28 22:12:07 +0800

[diff] [blame]

1103

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1104

MBEDTLS_SSL_CHK_BUF_READ_PTR(buf, end, 2);

1105

selected_identity = MBEDTLS_GET_UINT16_BE(buf, 0);

Xiaokang Qian

2a67493

2023-01-04 03:15:09 +0000

[diff] [blame]

1106

ssl->handshake->selected_identity = (uint16_t) selected_identity;

Jerry Yu

2022-10-08 11:17:14 +0800

[diff] [blame]

1107

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1108

MBEDTLS_SSL_DEBUG_MSG(3, ("selected_identity = %d", selected_identity));

Jerry Yu

2022-10-08 11:17:14 +0800

[diff] [blame]

1109

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1110

if (selected_identity >= ssl_tls13_get_configured_psk_count(ssl)) {

1111

MBEDTLS_SSL_DEBUG_MSG(1, ("Invalid PSK identity."));

Jerry Yu

4a69834

2022-09-30 12:22:01 +0800

[diff] [blame]

1112

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1113

MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,

1114

MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);

1115

return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;

Jerry Yu

2022-09-28 22:12:07 +0800

[diff] [blame]

1116

}

Jerry Yu

2022-10-08 11:17:14 +0800

[diff] [blame]

1117

Jerry Yu

4a69834

2022-09-30 12:22:01 +0800

[diff] [blame]

1118

#if defined(MBEDTLS_SSL_SESSION_TICKETS)

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1119

if (selected_identity == 0 && ssl_tls13_has_configured_ticket(ssl)) {

1120

ret = ssl_tls13_ticket_get_psk(ssl, &hash_alg, &psk, &psk_len);

1121

} else

Jerry Yu

4a69834

2022-09-30 12:22:01 +0800

[diff] [blame]

1122

#endif

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1123

if (mbedtls_ssl_conf_has_static_psk(ssl->conf)) {

1124

ret = ssl_tls13_psk_get_psk(ssl, &hash_alg, &psk, &psk_len);

1125

} else {

1126

MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));

1127

return MBEDTLS_ERR_SSL_INTERNAL_ERROR;

Jerry Yu

2022-09-28 22:12:07 +0800

[diff] [blame]

1128

}

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1129

if (ret != 0) {

1130

return ret;

Jerry Yu

2022-09-28 22:12:07 +0800

[diff] [blame]

1131

}

Jerry Yu

2022-09-28 22:12:07 +0800

[diff] [blame]

1132

Xiaokang Qian

eb31cbc

2023-02-07 02:08:56 +0000

[diff] [blame]

1133

if (mbedtls_psa_translate_md(ssl->handshake->ciphersuite_info->mac)

1134

!= hash_alg) {

1135

MBEDTLS_SSL_DEBUG_MSG(

1136

1, ("Invalid ciphersuite for external psk."));

1137

1138

MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,

1139

MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);

1140

return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;

1141

}

1142

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1143

ret = mbedtls_ssl_set_hs_psk(ssl, psk, psk_len);

1144

if (ret != 0) {

1145

MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_set_hs_psk", ret);

return ret;

}

return 0;

Jerry Yu

0c6105b

2022-08-12 17:26:40 +0800

[diff] [blame]

1150

}

Ronald Cron

2022-10-04 16:38:25 +0200

[diff] [blame]

1151

#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

1152

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1153

int mbedtls_ssl_tls13_write_client_hello_exts(mbedtls_ssl_context *ssl,

1154

unsigned char *buf,

1155

unsigned char *end,

1156

size_t *out_len)

Ronald Cron

2022-02-18 12:06:07 +0100

[diff] [blame]

1157

{

1158

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

1159

unsigned char *p = buf;

size_t ext_len;

*out_len = 0;

/* Write supported_versions extension

1165

*

1166

* Supported Versions Extension is mandatory with TLS 1.3.

1167

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1168

ret = ssl_tls13_write_supported_versions_ext(ssl, p, end, &ext_len);

1169

if (ret != 0) {

1170

return ret;

1171

}

Ronald Cron

2022-02-18 12:06:07 +0100

[diff] [blame]

1172

p += ext_len;

1173

1174

/* Echo the cookie if the server provided one in its preceding

1175

* HelloRetryRequest message.

1176

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1177

ret = ssl_tls13_write_cookie_ext(ssl, p, end, &ext_len);

1178

if (ret != 0) {

1179

return ret;

1180

}

Ronald Cron

2022-02-18 12:06:07 +0100

[diff] [blame]

1181

p += ext_len;

1182

Ronald Cron

2022-10-18 12:17:11 +0200

[diff] [blame]

1183

#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1184

if (mbedtls_ssl_conf_tls13_some_ephemeral_enabled(ssl)) {

1185

ret = ssl_tls13_write_key_share_ext(ssl, p, end, &ext_len);

1186

if (ret != 0) {

1187

return ret;

1188

}

Ronald Cron

2022-02-18 12:06:07 +0100

[diff] [blame]

1189

p += ext_len;

1190

}

Ronald Cron

2022-10-18 12:17:11 +0200

[diff] [blame]

1191

#endif

Ronald Cron

2022-02-18 12:06:07 +0100

[diff] [blame]

1192

Xiaokang Qian

0e97d4d

2022-10-24 11:12:51 +0000

[diff] [blame]

1193

#if defined(MBEDTLS_SSL_EARLY_DATA)

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1194

if (mbedtls_ssl_conf_tls13_some_psk_enabled(ssl) &&

1195

ssl_tls13_early_data_has_valid_ticket(ssl) &&

1196

ssl->conf->early_data_enabled == MBEDTLS_SSL_EARLY_DATA_ENABLED) {

1197

ret = mbedtls_ssl_tls13_write_early_data_ext(ssl, p, end, &ext_len);

1198

if (ret != 0) {

1199

return ret;

1200

}

Xiaokang Qian

0e97d4d

2022-10-24 11:12:51 +0000

[diff] [blame]

1201

p += ext_len;

1202

Ronald Cron

4a8c9e2

2022-10-26 18:49:09 +0200

[diff] [blame]

1203

/* Initializes the status to `rejected`. It will be updated to

1204

* `accepted` if the EncryptedExtension message contain an early data

1205

* indication extension.

Xiaokang Qian

a042b84

2022-11-09 01:59:33 +0000

[diff] [blame]

1206

*/

Ronald Cron

4a8c9e2

2022-10-26 18:49:09 +0200

[diff] [blame]

1207

ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1208

} else {

1209

MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write early_data extension"));

Xiaokang Qian

2022-11-08 07:02:27 +0000

[diff] [blame]

1210

ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT;

Xiaokang Qian

0e97d4d

2022-10-24 11:12:51 +0000

[diff] [blame]

1211

}

1212

#endif /* MBEDTLS_SSL_EARLY_DATA */

1213

Ronald Cron

2022-10-04 16:38:25 +0200

[diff] [blame]

1214

#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

1215

/* For PSK-based key exchange we need the pre_shared_key extension

1216

* and the psk_key_exchange_modes extension.

1217

*

1218

* The pre_shared_key extension MUST be the last extension in the

1219

* ClientHello. Servers MUST check that it is the last extension and

1220

* otherwise fail the handshake with an "illegal_parameter" alert.

1221

*

1222

* Add the psk_key_exchange_modes extension.

1223

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1224

ret = ssl_tls13_write_psk_key_exchange_modes_ext(ssl, p, end, &ext_len);

1225

if (ret != 0) {

1226

return ret;

1227

}

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

1228

p += ext_len;

Ronald Cron

2022-10-04 16:38:25 +0200

[diff] [blame]

1229

#endif

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

1230

Ronald Cron

2022-02-18 12:06:07 +0100

[diff] [blame]

1231

*out_len = p - buf;

1232

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1233

return 0;

Ronald Cron

2022-02-18 12:06:07 +0100

[diff] [blame]

1234

}

1235

Xiaokang Qian

934ce6f

2023-02-06 10:23:04 +0000

[diff] [blame]

1236

int mbedtls_ssl_tls13_finalize_client_hello(mbedtls_ssl_context *ssl)

Xiaokang Qian

2023-01-03 10:29:41 +0000

[diff] [blame]

1237

{

Xiaokang Qian

9074613

2023-01-06 05:54:59 +0000

[diff] [blame]

1238

((void) ssl);

Xiaokang Qian

79f7752

2023-01-28 10:35:29 +0000

[diff] [blame]

1239

Xiaokang Qian

2023-01-03 10:29:41 +0000

[diff] [blame]

1240

#if defined(MBEDTLS_SSL_EARLY_DATA)

1241

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

1242

psa_algorithm_t hash_alg = PSA_ALG_NONE;

1243

const unsigned char *psk;

1244

size_t psk_len;

1245

const mbedtls_ssl_ciphersuite_t *ciphersuite_info;

Xiaokang Qian

2023-01-04 10:47:05 +0000

[diff] [blame]

1246

Xiaokang Qian

2023-01-03 10:29:41 +0000

[diff] [blame]

1247

if (ssl->early_data_status == MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED) {

Xiaokang Qian

6be8290

2023-02-03 06:04:43 +0000

[diff] [blame]

1248

#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)

1249

mbedtls_ssl_handshake_set_state(

1250

ssl, MBEDTLS_SSL_CLIENT_CCS_AFTER_CLIENT_HELLO);

1251

#endif

Xiaokang Qian

2023-01-03 10:29:41 +0000

[diff] [blame]

1252

MBEDTLS_SSL_DEBUG_MSG(

1253

1, ("Set hs psk for early data when writing the first psk"));

1254

1255

ret = ssl_tls13_ticket_get_psk(ssl, &hash_alg, &psk, &psk_len);

1256

if (ret != 0) {

1257

MBEDTLS_SSL_DEBUG_RET(

1258

1, "ssl_tls13_ticket_get_psk", ret);

return ret;

}

ret = mbedtls_ssl_set_hs_psk(ssl, psk, psk_len);

1263

if (ret != 0) {

1264

MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_set_hs_psk", ret);

return ret;

}

Xiaokang Qian

2023-02-07 02:32:23 +0000

[diff] [blame]

1268

/*

1269

* Early data are going to be encrypted using the ciphersuite

1270

* associated with the pre-shared key used for the handshake.

1271

* Note that if the server rejects early data, the handshake

1272

* based on the pre-shared key may complete successfully

1273

* with a selected ciphersuite different from the ciphersuite

1274

* associated with the pre-shared key. Only the hashes of the

1275

* two ciphersuites have to be the same. In that case, the

1276

* encrypted handshake data and application data are

1277

* encrypted using a different ciphersuite than the one used for

1278

* the rejected early data.

1279

*/

Xiaokang Qian

2023-01-03 10:29:41 +0000

[diff] [blame]

1280

ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(

1281

ssl->session_negotiate->ciphersuite);

1282

ssl->handshake->ciphersuite_info = ciphersuite_info;

Xiaokang Qian

8dc4ce7

2023-02-07 10:49:50 +0000

[diff] [blame]

1283

Tom Cosgrove

5c8505f

2023-03-07 11:39:52 +0000

[diff] [blame]

1284

/* Enable psk and psk_ephemeral to make stage early happy */

Xiaokang Qian

2023-01-03 10:29:41 +0000

[diff] [blame]

1285

ssl->handshake->key_exchange_mode =

1286

MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL;

1287

1288

/* Start the TLS 1.3 key schedule:

Xiaokang Qian

8dc4ce7

2023-02-07 10:49:50 +0000

[diff] [blame]

1289

* Set the PSK and derive early secret.

Xiaokang Qian

2023-01-03 10:29:41 +0000

[diff] [blame]

1290

*/

1291

ret = mbedtls_ssl_tls13_key_schedule_stage_early(ssl);

1292

if (ret != 0) {

Xiaokang Qian

2023-02-08 06:04:50 +0000

[diff] [blame]

1293

MBEDTLS_SSL_DEBUG_RET(

1294

1, "mbedtls_ssl_tls13_key_schedule_stage_early", ret);

Xiaokang Qian

2023-01-03 10:29:41 +0000

[diff] [blame]

return ret;

}

/* Derive early data key material */

1299

ret = mbedtls_ssl_tls13_compute_early_transform(ssl);

1300

if (ret != 0) {

Xiaokang Qian

2023-02-08 06:04:50 +0000

[diff] [blame]

1301

MBEDTLS_SSL_DEBUG_RET(

1302

1, "mbedtls_ssl_tls13_compute_early_transform", ret);

Xiaokang Qian

2023-01-03 10:29:41 +0000

[diff] [blame]

return ret;

}

Xiaokang Qian

2023-01-03 10:29:41 +0000

[diff] [blame]

1306

}

1307

#endif /* MBEDTLS_SSL_EARLY_DATA */

1308

return 0;

1309

}

Jerry Yu

1bc2c1f

2021-09-01 12:57:29 +0800

[diff] [blame]

1310

/*

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1311

* Functions for parsing and processing Server Hello

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1312

*/

Ronald Cron

2022-04-05 11:04:20 +0200

[diff] [blame]

1313

Ronald Cron

da41b38

2022-03-30 09:57:11 +0200

[diff] [blame]

1314

/**

1315

* \brief Detect if the ServerHello contains a supported_versions extension

1316

* or not.

1317

*

1318

* \param[in] ssl SSL context

1319

* \param[in] buf Buffer containing the ServerHello message

1320

* \param[in] end End of the buffer containing the ServerHello message

1321

*

1322

* \return 0 if the ServerHello does not contain a supported_versions extension

1323

* \return 1 if the ServerHello contains a supported_versions extension

1324

* \return A negative value if an error occurred while parsing the ServerHello.

1325

*/

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

1326

MBEDTLS_CHECK_RETURN_CRITICAL

Ronald Cron

2022-02-10 16:45:15 +0100

[diff] [blame]

1327

static int ssl_tls13_is_supported_versions_ext_present(

1328

mbedtls_ssl_context *ssl,

1329

const unsigned char *buf,

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1330

const unsigned char *end)

Ronald Cron

2022-02-10 16:45:15 +0100

[diff] [blame]

1331

{

1332

const unsigned char *p = buf;

1333

size_t legacy_session_id_echo_len;

Ronald Cron

eff5673

2023-04-03 17:36:31 +0200

[diff] [blame]

1334

const unsigned char *supported_versions_data;

1335

const unsigned char *supported_versions_data_end;

Ronald Cron

2022-02-10 16:45:15 +0100

[diff] [blame]

1336

1337

/*

1338

* Check there is enough data to access the legacy_session_id_echo vector

Ronald Cron

da41b38

2022-03-30 09:57:11 +0200

[diff] [blame]

1339

* length:

1340

* - legacy_version 2 bytes

1341

* - random MBEDTLS_SERVER_HELLO_RANDOM_LEN bytes

1342

* - legacy_session_id_echo length 1 byte

Ronald Cron

2022-02-10 16:45:15 +0100

[diff] [blame]

1343

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1344

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, MBEDTLS_SERVER_HELLO_RANDOM_LEN + 3);

Ronald Cron

2022-02-10 16:45:15 +0100

[diff] [blame]

1345

p += MBEDTLS_SERVER_HELLO_RANDOM_LEN + 2;

1346

legacy_session_id_echo_len = *p;

1347

1348

/*

1349

* Jump to the extensions, jumping over:

1350

* - legacy_session_id_echo (legacy_session_id_echo_len + 1) bytes

1351

* - cipher_suite 2 bytes

1352

* - legacy_compression_method 1 byte

1353

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1354

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, legacy_session_id_echo_len + 4);

1355

p += legacy_session_id_echo_len + 4;

Ronald Cron

2022-02-10 16:45:15 +0100

[diff] [blame]

1356

Ronald Cron

47dce63

2023-02-08 17:38:29 +0100

[diff] [blame]

1357

return mbedtls_ssl_tls13_is_supported_versions_ext_present_in_exts(

1358

ssl, p, end,

Ronald Cron

eff5673

2023-04-03 17:36:31 +0200

[diff] [blame]

1359

&supported_versions_data, &supported_versions_data_end);

Ronald Cron

2022-02-10 16:45:15 +0100

[diff] [blame]

1360

}

1361

Jerry Yu

7a186a0

2021-10-15 18:46:14 +0800

[diff] [blame]

1362

/* Returns a negative value on failure, and otherwise

Ronald Cron

2022-04-05 11:04:20 +0200

[diff] [blame]

1363

* - 1 if the last eight bytes of the ServerHello random bytes indicate that

1364

* the server is TLS 1.3 capable but negotiating TLS 1.2 or below.

1365

* - 0 otherwise

1366

*/

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

1367

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1368

static int ssl_tls13_is_downgrade_negotiation(mbedtls_ssl_context *ssl,

1369

const unsigned char *buf,

1370

const unsigned char *end)

Ronald Cron

2022-04-05 11:04:20 +0200

[diff] [blame]

1371

{

1372

/* First seven bytes of the magic downgrade strings, see RFC 8446 4.1.3 */

1373

static const unsigned char magic_downgrade_string[] =

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1374

{ 0x44, 0x4F, 0x57, 0x4E, 0x47, 0x52, 0x44 };

Ronald Cron

2022-04-05 11:04:20 +0200

[diff] [blame]

1375

const unsigned char *last_eight_bytes_of_random;

1376

unsigned char last_byte_of_random;

1377

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1378

MBEDTLS_SSL_CHK_BUF_READ_PTR(buf, end, MBEDTLS_SERVER_HELLO_RANDOM_LEN + 2);

Ronald Cron

2022-04-05 11:04:20 +0200

[diff] [blame]

1379

last_eight_bytes_of_random = buf + 2 + MBEDTLS_SERVER_HELLO_RANDOM_LEN - 8;

1380

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1381

if (memcmp(last_eight_bytes_of_random,

1382

magic_downgrade_string,

1383

sizeof(magic_downgrade_string)) == 0) {

Ronald Cron

2022-04-05 11:04:20 +0200

[diff] [blame]

1384

last_byte_of_random = last_eight_bytes_of_random[7];

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1385

return last_byte_of_random == 0 ||

1386

last_byte_of_random == 1;

Ronald Cron

2022-04-05 11:04:20 +0200

[diff] [blame]

1387

}

1388

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1389

return 0;

Ronald Cron

2022-04-05 11:04:20 +0200

[diff] [blame]

1390

}

1391

1392

/* Returns a negative value on failure, and otherwise

Ronald Cron

2022-05-31 12:04:31 +0200

[diff] [blame]

1393

* - SSL_SERVER_HELLO or

1394

* - SSL_SERVER_HELLO_HRR

XiaokangQian

51eff22

2021-12-10 10:33:56 +0000

[diff] [blame]

1395

* to indicate which message is expected and to be parsed next.

1396

*/

Ronald Cron

2022-05-31 12:04:31 +0200

[diff] [blame]

1397

#define SSL_SERVER_HELLO 0

1398

#define SSL_SERVER_HELLO_HRR 1

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

1399

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1400

static int ssl_server_hello_is_hrr(mbedtls_ssl_context *ssl,

1401

const unsigned char *buf,

1402

const unsigned char *end)

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1403

{

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1404

1405

/* Check whether this message is a HelloRetryRequest ( HRR ) message.

1406

*

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1407

* Server Hello and HRR are only distinguished by Random set to the

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1408

* special value of the SHA-256 of "HelloRetryRequest".

1409

*

1410

* struct {

1411

* ProtocolVersion legacy_version = 0x0303;

1412

* Random random;

1413

* opaque legacy_session_id_echo<0..32>;

1414

* CipherSuite cipher_suite;

1415

* uint8 legacy_compression_method = 0;

Jerry Yu

2021-10-13 13:36:05 +0800

[diff] [blame]

1416

* Extension extensions<6..2^16-1>;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1417

* } ServerHello;

1418

*

1419

*/

Xiaokang Qian

2023-03-29 10:37:35 +0000

[diff] [blame]

1420

MBEDTLS_SSL_CHK_BUF_READ_PTR(

1421

buf, end, 2 + sizeof(mbedtls_ssl_tls13_hello_retry_request_magic));

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1422

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1423

if (memcmp(buf + 2, mbedtls_ssl_tls13_hello_retry_request_magic,

1424

sizeof(mbedtls_ssl_tls13_hello_retry_request_magic)) == 0) {

1425

return SSL_SERVER_HELLO_HRR;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1426

}

1427

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1428

return SSL_SERVER_HELLO;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1429

}

1430

Ronald Cron

2022-05-31 12:04:31 +0200

[diff] [blame]

1431

/*

Jerry Yu

2021-10-13 22:01:04 +0800

[diff] [blame]

1432

* Returns a negative value on failure, and otherwise

Ronald Cron

2022-05-31 12:04:31 +0200

[diff] [blame]

1433

* - SSL_SERVER_HELLO or

1434

* - SSL_SERVER_HELLO_HRR or

1435

* - SSL_SERVER_HELLO_TLS1_2

Jerry Yu

2021-10-13 22:01:04 +0800

[diff] [blame]

1436

*/

Ronald Cron

2022-05-31 12:04:31 +0200

[diff] [blame]

1437

#define SSL_SERVER_HELLO_TLS1_2 2

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

1438

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1439

static int ssl_tls13_preprocess_server_hello(mbedtls_ssl_context *ssl,

1440

const unsigned char *buf,

1441

const unsigned char *end)

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1442

{

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1443

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

Ronald Cron

5afb904

2022-05-31 12:11:39 +0200

[diff] [blame]

1444

mbedtls_ssl_handshake_params *handshake = ssl->handshake;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1445

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1446

MBEDTLS_SSL_PROC_CHK_NEG(ssl_tls13_is_supported_versions_ext_present(

1447

ssl, buf, end));

Jerry Yu

a66fece

2022-07-13 14:30:29 +0800

[diff] [blame]

1448

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1449

if (ret == 0) {

Ronald Cron

2022-04-05 11:04:20 +0200

[diff] [blame]

1450

MBEDTLS_SSL_PROC_CHK_NEG(

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1451

ssl_tls13_is_downgrade_negotiation(ssl, buf, end));

Ronald Cron

2022-04-05 11:04:20 +0200

[diff] [blame]

1452

1453

/* If the server is negotiating TLS 1.2 or below and:

1454

* . we did not propose TLS 1.2 or

1455

* . the server responded it is TLS 1.3 capable but negotiating a lower

1456

* version of the protocol and thus we are under downgrade attack

1457

* abort the handshake with an "illegal parameter" alert.

Ronald Cron

2022-02-10 16:45:15 +0100

[diff] [blame]

1458

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1459

if (handshake->min_tls_version > MBEDTLS_SSL_VERSION_TLS1_2 || ret) {

1460

MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,

1461

MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);

1462

return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;

Ronald Cron

2022-02-10 16:45:15 +0100

[diff] [blame]

1463

}

1464

Ronald Cron

b828c7d

2023-04-03 16:37:22 +0200

[diff] [blame]

1465

/*

1466

* Version 1.2 of the protocol has been negotiated, set the

1467

* ssl->keep_current_message flag for the ServerHello to be kept and

1468

* parsed as a TLS 1.2 ServerHello. We also change ssl->tls_version to

1469

* MBEDTLS_SSL_VERSION_TLS1_2 thus from now on mbedtls_ssl_handshake_step()

1470

* will dispatch to the TLS 1.2 state machine.

1471

*/

Ronald Cron

2022-02-10 16:45:15 +0100

[diff] [blame]

1472

ssl->keep_current_message = 1;

Glenn Strauss

60bfe60

2022-03-14 19:04:24 -0400

[diff] [blame]

1473

ssl->tls_version = MBEDTLS_SSL_VERSION_TLS1_2;

Xiaokang Qian

2023-03-29 10:37:35 +0000

[diff] [blame]

1474

MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(

1475

ssl, MBEDTLS_SSL_HS_SERVER_HELLO,

1476

buf, (size_t) (end - buf)));

Ronald Cron

2022-02-10 16:45:15 +0100

[diff] [blame]

1477

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1478

if (mbedtls_ssl_conf_tls13_some_ephemeral_enabled(ssl)) {

1479

ret = ssl_tls13_reset_key_share(ssl);

1480

if (ret != 0) {

1481

return ret;

1482

}

Ronald Cron

2022-02-10 16:45:15 +0100

[diff] [blame]

1483

}

1484

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1485

return SSL_SERVER_HELLO_TLS1_2;

Ronald Cron

2022-02-10 16:45:15 +0100

[diff] [blame]

1486

}

1487

Jerry Yu

a66fece

2022-07-13 14:30:29 +0800

[diff] [blame]

1488

#if defined(MBEDTLS_SSL_SESSION_TICKETS)

1489

ssl->session_negotiate->endpoint = ssl->conf->endpoint;

1490

ssl->session_negotiate->tls_version = ssl->tls_version;

1491

#endif /* MBEDTLS_SSL_SESSION_TICKETS */

1492

Jerry Yu

50e00e3

2022-10-31 14:45:01 +0800

[diff] [blame]

1493

handshake->received_extensions = MBEDTLS_SSL_EXT_MASK_NONE;

Ronald Cron

5afb904

2022-05-31 12:11:39 +0200

[diff] [blame]

1494

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1495

ret = ssl_server_hello_is_hrr(ssl, buf, end);

1496

switch (ret) {

Ronald Cron

2022-05-31 12:04:31 +0200

[diff] [blame]

1497

case SSL_SERVER_HELLO:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1498

MBEDTLS_SSL_DEBUG_MSG(2, ("received ServerHello message"));

Jerry Yu

2021-10-13 22:01:04 +0800

[diff] [blame]

1499

break;

Ronald Cron

2022-05-31 12:04:31 +0200

[diff] [blame]

1500

case SSL_SERVER_HELLO_HRR:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1501

MBEDTLS_SSL_DEBUG_MSG(2, ("received HelloRetryRequest message"));

Xiaokang Qian

2023-03-29 10:37:35 +0000

[diff] [blame]

1502

/* If a client receives a second HelloRetryRequest in the same

1503

* connection (i.e., where the ClientHello was itself in response

1504

* to a HelloRetryRequest), it MUST abort the handshake with an

1505

* "unexpected_message" alert.

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1506

*/

1507

if (handshake->hello_retry_request_count > 0) {

1508

MBEDTLS_SSL_DEBUG_MSG(1, ("Multiple HRRs received"));

Xiaokang Qian

2023-03-29 10:37:35 +0000

[diff] [blame]

1509

MBEDTLS_SSL_PEND_FATAL_ALERT(

1510

MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE,

1511

MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE);

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1512

return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;

XiaokangQian

2022-01-14 07:35:47 +0000

[diff] [blame]

1513

}

XiaokangQian

2b01dc3

2022-01-21 02:53:13 +0000

[diff] [blame]

1514

/*

1515

* Clients must abort the handshake with an "illegal_parameter"

1516

* alert if the HelloRetryRequest would not result in any change

1517

* in the ClientHello.

1518

* In a PSK only key exchange that what we expect.

1519

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1520

if (!mbedtls_ssl_conf_tls13_some_ephemeral_enabled(ssl)) {

1521

MBEDTLS_SSL_DEBUG_MSG(1,

1522

("Unexpected HRR in pure PSK key exchange."));

XiaokangQian

2b01dc3

2022-01-21 02:53:13 +0000

[diff] [blame]

1523

MBEDTLS_SSL_PEND_FATAL_ALERT(

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1524

MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,

1525

MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);

1526

return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;

XiaokangQian

2b01dc3

2022-01-21 02:53:13 +0000

[diff] [blame]

1527

}

XiaokangQian

2022-01-14 07:35:47 +0000

[diff] [blame]

1528

Ronald Cron

5afb904

2022-05-31 12:11:39 +0200

[diff] [blame]

1529

handshake->hello_retry_request_count++;

XiaokangQian

2022-01-14 07:35:47 +0000

[diff] [blame]

1530

Jerry Yu

2021-10-13 22:01:04 +0800

[diff] [blame]

1531

break;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

}

cleanup:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1536

return ret;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1537

}

1538

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

1539

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1540

static int ssl_tls13_check_server_hello_session_id_echo(mbedtls_ssl_context *ssl,

1541

const unsigned char **buf,

1542

const unsigned char *end)

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1543

{

1544

const unsigned char *p = *buf;

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1545

size_t legacy_session_id_echo_len;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1546

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1547

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 1);

1548

legacy_session_id_echo_len = *p++;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1549

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1550

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, legacy_session_id_echo_len);

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1551

1552

/* legacy_session_id_echo */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1553

if (ssl->session_negotiate->id_len != legacy_session_id_echo_len ||

1554

memcmp(ssl->session_negotiate->id, p, legacy_session_id_echo_len) != 0) {

1555

MBEDTLS_SSL_DEBUG_BUF(3, "Expected Session ID",

1556

ssl->session_negotiate->id,

1557

ssl->session_negotiate->id_len);

1558

MBEDTLS_SSL_DEBUG_BUF(3, "Received Session ID", p,

1559

legacy_session_id_echo_len);

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1560

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1561

MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,

1562

MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1563

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1564

return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1565

}

1566

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1567

p += legacy_session_id_echo_len;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1568

*buf = p;

1569

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1570

MBEDTLS_SSL_DEBUG_BUF(3, "Session ID", ssl->session_negotiate->id,

1571

ssl->session_negotiate->id_len);

1572

return 0;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1573

}

1574

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1575

/* Parse ServerHello message and configure context

1576

*

1577

* struct {

1578

* ProtocolVersion legacy_version = 0x0303; // TLS 1.2

1579

* Random random;

1580

* opaque legacy_session_id_echo<0..32>;

1581

* CipherSuite cipher_suite;

1582

* uint8 legacy_compression_method = 0;

Jerry Yu

2021-10-13 13:36:05 +0800

[diff] [blame]

1583

* Extension extensions<6..2^16-1>;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1584

* } ServerHello;

1585

*/

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

1586

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1587

static int ssl_tls13_parse_server_hello(mbedtls_ssl_context *ssl,

1588

const unsigned char *buf,

1589

const unsigned char *end,

1590

int is_hrr)

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1591

{

Jerry Yu

2021-10-13 13:36:05 +0800

[diff] [blame]

1592

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1593

const unsigned char *p = buf;

XiaokangQian

2022-01-20 11:14:50 +0000

[diff] [blame]

1594

mbedtls_ssl_handshake_params *handshake = ssl->handshake;

Jerry Yu

2021-10-13 13:36:05 +0800

[diff] [blame]

1595

size_t extensions_len;

1596

const unsigned char *extensions_end;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1597

uint16_t cipher_suite;

Jerry Yu

de4fb2c

2021-09-19 18:05:08 +0800

[diff] [blame]

1598

const mbedtls_ssl_ciphersuite_t *ciphersuite_info;

XiaokangQian

b119a35

2022-01-26 03:29:10 +0000

[diff] [blame]

1599

int fatal_alert = 0;

Jerry Yu

2022-08-29 15:25:36 +0800

[diff] [blame]

1600

uint32_t allowed_extensions_mask;

Jerry Yu

50e00e3

2022-10-31 14:45:01 +0800

[diff] [blame]

1601

int hs_msg_type = is_hrr ? MBEDTLS_SSL_TLS1_3_HS_HELLO_RETRY_REQUEST :

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1602

MBEDTLS_SSL_HS_SERVER_HELLO;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1603

1604

/*

1605

* Check there is space for minimal fields

1606

*

1607

* - legacy_version ( 2 bytes)

Jerry Yu

2021-10-26 10:44:32 +0800

[diff] [blame]

1608

* - random (MBEDTLS_SERVER_HELLO_RANDOM_LEN bytes)

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1609

* - legacy_session_id_echo ( 1 byte ), minimum size

1610

* - cipher_suite ( 2 bytes)

1611

* - legacy_compression_method ( 1 byte )

1612

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1613

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, MBEDTLS_SERVER_HELLO_RANDOM_LEN + 6);

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1614

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1615

MBEDTLS_SSL_DEBUG_BUF(4, "server hello", p, end - p);

1616

MBEDTLS_SSL_DEBUG_BUF(3, "server hello, version", p, 2);

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1617

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1618

/* ...

Jerry Yu

2021-10-13 13:36:05 +0800

[diff] [blame]

1619

* ProtocolVersion legacy_version = 0x0303; // TLS 1.2

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1620

* ...

1621

* with ProtocolVersion defined as:

1622

* uint16 ProtocolVersion;

1623

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1624

if (mbedtls_ssl_read_version(p, ssl->conf->transport) !=

1625

MBEDTLS_SSL_VERSION_TLS1_2) {

1626

MBEDTLS_SSL_DEBUG_MSG(1, ("Unsupported version of TLS."));

1627

MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION,

1628

MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION);

XiaokangQian

2022-01-24 10:12:51 +0000

[diff] [blame]

1629

ret = MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION;

1630

goto cleanup;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1631

}

1632

p += 2;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1633

Jerry Yu

2021-10-26 10:44:32 +0800

[diff] [blame]

1634

/* ...

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1635

* Random random;

1636

* ...

1637

* with Random defined as:

Jerry Yu

2021-10-26 10:44:32 +0800

[diff] [blame]

1638

* opaque Random[MBEDTLS_SERVER_HELLO_RANDOM_LEN];

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1639

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1640

if (!is_hrr) {

1641

memcpy(&handshake->randbytes[MBEDTLS_CLIENT_HELLO_RANDOM_LEN], p,

1642

MBEDTLS_SERVER_HELLO_RANDOM_LEN);

1643

MBEDTLS_SSL_DEBUG_BUF(3, "server hello, random bytes",

1644

p, MBEDTLS_SERVER_HELLO_RANDOM_LEN);

XiaokangQian

2022-01-18 10:47:33 +0000

[diff] [blame]

1645

}

Jerry Yu

2021-10-26 10:44:32 +0800

[diff] [blame]

1646

p += MBEDTLS_SERVER_HELLO_RANDOM_LEN;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1647

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1648

/* ...

1649

* opaque legacy_session_id_echo<0..32>;

1650

* ...

1651

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1652

if (ssl_tls13_check_server_hello_session_id_echo(ssl, &p, end) != 0) {

XiaokangQian

2022-01-26 09:49:29 +0000

[diff] [blame]

1653

fatal_alert = MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER;

XiaokangQian

2022-01-24 10:12:51 +0000

[diff] [blame]

1654

goto cleanup;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1655

}

1656

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1657

/* ...

1658

* CipherSuite cipher_suite;

1659

* ...

1660

* with CipherSuite defined as:

1661

* uint8 CipherSuite[2];

1662

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1663

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);

1664

cipher_suite = MBEDTLS_GET_UINT16_BE(p, 0);

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1665

p += 2;

1666

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1667

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1668

ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(cipher_suite);

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1669

/*

Ronald Cron

ba120bb

2022-03-30 22:09:48 +0200

[diff] [blame]

1670

* Check whether this ciphersuite is valid and offered.

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1671

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1672

if ((mbedtls_ssl_validate_ciphersuite(ssl, ciphersuite_info,

1673

ssl->tls_version,

1674

ssl->tls_version) != 0) ||

1675

!mbedtls_ssl_tls13_cipher_suite_is_offered(ssl, cipher_suite)) {

XiaokangQian

2022-01-26 09:49:29 +0000

[diff] [blame]

1676

fatal_alert = MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1677

}

XiaokangQian

2022-01-18 10:47:33 +0000

[diff] [blame]

1678

/*

XiaokangQian

2022-01-20 11:14:50 +0000

[diff] [blame]

1679

* If we received an HRR before and that the proposed selected

1680

* ciphersuite in this server hello is not the same as the one

1681

* proposed in the HRR, we abort the handshake and send an

1682

* "illegal_parameter" alert.

XiaokangQian

2022-01-18 10:47:33 +0000

[diff] [blame]

1683

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1684

else if ((!is_hrr) && (handshake->hello_retry_request_count > 0) &&

1685

(cipher_suite != ssl->session_negotiate->ciphersuite)) {

XiaokangQian

2022-01-26 09:49:29 +0000

[diff] [blame]

1686

fatal_alert = MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER;

XiaokangQian

2022-01-20 11:14:50 +0000

[diff] [blame]

1687

}

XiaokangQian

2022-01-18 10:47:33 +0000

[diff] [blame]

1688

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1689

if (fatal_alert == MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER) {

1690

MBEDTLS_SSL_DEBUG_MSG(1, ("invalid ciphersuite(%04x) parameter",

1691

cipher_suite));

XiaokangQian

2022-01-24 10:12:51 +0000

[diff] [blame]

1692

goto cleanup;

XiaokangQian

2022-01-18 10:47:33 +0000

[diff] [blame]

1693

}

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1694

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1695

/* Configure ciphersuites */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1696

mbedtls_ssl_optimize_checksum(ssl, ciphersuite_info);

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1697

XiaokangQian

2022-01-20 11:14:50 +0000

[diff] [blame]

1698

handshake->ciphersuite_info = ciphersuite_info;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1699

MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, chosen ciphersuite: ( %04x ) - %s",

1700

cipher_suite, ciphersuite_info->name));

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1701

1702

#if defined(MBEDTLS_HAVE_TIME)

YxC

da60913

2023-05-22 12:08:12 -0700

[diff] [blame]

1703

ssl->session_negotiate->start = mbedtls_time(NULL);

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1704

#endif /* MBEDTLS_HAVE_TIME */

1705

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1706

/* ...

1707

* uint8 legacy_compression_method = 0;

1708

* ...

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1709

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1710

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 1);

1711

if (p[0] != MBEDTLS_SSL_COMPRESS_NULL) {

1712

MBEDTLS_SSL_DEBUG_MSG(1, ("bad legacy compression method"));

XiaokangQian

2022-01-26 09:49:29 +0000

[diff] [blame]

1713

fatal_alert = MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER;

XiaokangQian

2022-01-24 10:12:51 +0000

[diff] [blame]

1714

goto cleanup;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

}

p++;

Jerry Yu

2021-10-13 13:36:05 +0800

[diff] [blame]

1718

/* ...

1719

* Extension extensions<6..2^16-1>;

1720

* ...

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1721

* struct {

1722

* ExtensionType extension_type; (2 bytes)

1723

* opaque extension_data<0..2^16-1>;

1724

* } Extension;

1725

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1726

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);

1727

extensions_len = MBEDTLS_GET_UINT16_BE(p, 0);

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1728

p += 2;

Jerry Yu

de4fb2c

2021-09-19 18:05:08 +0800

[diff] [blame]

1729

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1730

/* Check extensions do not go beyond the buffer of data. */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1731

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, extensions_len);

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1732

extensions_end = p + extensions_len;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1733

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1734

MBEDTLS_SSL_DEBUG_BUF(3, "server hello extensions", p, extensions_len);

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1735

Jerry Yu

50e00e3

2022-10-31 14:45:01 +0800

[diff] [blame]

1736

handshake->received_extensions = MBEDTLS_SSL_EXT_MASK_NONE;

Jerry Yu

2022-08-29 15:25:36 +0800

[diff] [blame]

1737

allowed_extensions_mask = is_hrr ?

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1738

MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_HRR :

1739

MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_SH;

Jerry Yu

2c5363e

2022-08-04 17:42:49 +0800

[diff] [blame]

1740

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1741

while (p < extensions_end) {

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1742

unsigned int extension_type;

1743

size_t extension_data_len;

XiaokangQian

2022-01-21 04:32:58 +0000

[diff] [blame]

1744

const unsigned char *extension_data_end;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1745

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1746

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, extensions_end, 4);

1747

extension_type = MBEDTLS_GET_UINT16_BE(p, 0);

1748

extension_data_len = MBEDTLS_GET_UINT16_BE(p, 2);

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1749

p += 4;

1750

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1751

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, extensions_end, extension_data_len);

XiaokangQian

2022-01-21 04:32:58 +0000

[diff] [blame]

1752

extension_data_end = p + extension_data_len;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1753

Jerry Yu

2022-10-29 09:08:47 +0800

[diff] [blame]

1754

ret = mbedtls_ssl_tls13_check_received_extension(

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1755

ssl, hs_msg_type, extension_type, allowed_extensions_mask);

1756

if (ret != 0) {

1757

return ret;

1758

}

Jerry Yu

2c5363e

2022-08-04 17:42:49 +0800

[diff] [blame]

1759

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1760

switch (extension_type) {

XiaokangQian

2022-01-14 04:03:11 +0000

[diff] [blame]

1761

case MBEDTLS_TLS_EXT_COOKIE:

1762

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1763

ret = ssl_tls13_parse_cookie_ext(ssl,

1764

p, extension_data_end);

1765

if (ret != 0) {

1766

MBEDTLS_SSL_DEBUG_RET(1,

1767

"ssl_tls13_parse_cookie_ext",

1768

ret);

XiaokangQian

2022-01-24 10:12:51 +0000

[diff] [blame]

1769

goto cleanup;

XiaokangQian

2022-01-14 04:03:11 +0000

[diff] [blame]

1770

}

XiaokangQian

2022-01-14 04:03:11 +0000

[diff] [blame]

1771

break;

XiaokangQian

2022-01-14 04:03:11 +0000

[diff] [blame]

1772

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1773

case MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1774

ret = ssl_tls13_parse_supported_versions_ext(ssl,

1775

p,

1776

extension_data_end);

1777

if (ret != 0) {

XiaokangQian

2022-01-24 10:12:51 +0000

[diff] [blame]

1778

goto cleanup;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1779

}

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1780

break;

1781

Ronald Cron

2022-10-04 16:38:25 +0200

[diff] [blame]

1782

#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1783

case MBEDTLS_TLS_EXT_PRE_SHARED_KEY:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1784

MBEDTLS_SSL_DEBUG_MSG(3, ("found pre_shared_key extension"));

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1785

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1786

if ((ret = ssl_tls13_parse_server_pre_shared_key_ext(

1787

ssl, p, extension_data_end)) != 0) {

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

1788

MBEDTLS_SSL_DEBUG_RET(

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1789

1, ("ssl_tls13_parse_server_pre_shared_key_ext"), ret);

1790

return ret;

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

1791

}

1792

break;

Ronald Cron

2022-10-04 16:38:25 +0200

[diff] [blame]

1793

#endif

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1794

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1795

case MBEDTLS_TLS_EXT_KEY_SHARE:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1796

MBEDTLS_SSL_DEBUG_MSG(3, ("found key_shares extension"));

1797

if (!mbedtls_ssl_conf_tls13_some_ephemeral_enabled(ssl)) {

XiaokangQian

2022-01-26 09:49:29 +0000

[diff] [blame]

1798

fatal_alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT;

XiaokangQian

2022-01-24 10:12:51 +0000

[diff] [blame]

goto cleanup;

}

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1802

if (is_hrr) {

1803

ret = ssl_tls13_parse_hrr_key_share_ext(ssl,

1804

p, extension_data_end);

1805

} else {

1806

ret = ssl_tls13_parse_key_share_ext(ssl,

1807

p, extension_data_end);

1808

}

1809

if (ret != 0) {

1810

MBEDTLS_SSL_DEBUG_RET(1,

1811

"ssl_tls13_parse_key_share_ext",

1812

ret);

XiaokangQian

2022-01-24 10:12:51 +0000

[diff] [blame]

1813

goto cleanup;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1814

}

1815

break;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1816

1817

default:

Jerry Yu

9872eb2

2022-08-29 13:42:01 +0800

[diff] [blame]

1818

ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;

1819

goto cleanup;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1820

}

1821

1822

p += extension_data_len;

1823

}

1824

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1825

MBEDTLS_SSL_PRINT_EXTS(3, hs_msg_type, handshake->received_extensions);

Jerry Yu

2c5363e

2022-08-04 17:42:49 +0800

[diff] [blame]

1826

XiaokangQian

2022-01-24 10:12:51 +0000

[diff] [blame]

1827

cleanup:

1828

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1829

if (fatal_alert == MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT) {

1830

MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT,

1831

MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION);

XiaokangQian

2022-01-24 10:12:51 +0000

[diff] [blame]

1832

ret = MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1833

} else if (fatal_alert == MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER) {

1834

MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,

1835

MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);

XiaokangQian

2022-01-24 10:12:51 +0000

[diff] [blame]

1836

ret = MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;

1837

}

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1838

return ret;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1839

}

1840

Xiaokang Qian

cb6e963

2022-09-26 11:59:32 +0000

[diff] [blame]

1841

#if defined(MBEDTLS_DEBUG_C)

1842

static const char *ssl_tls13_get_kex_mode_str(int mode)

Xiaokang Qian

2022-09-26 08:23:45 +0000

[diff] [blame]

1843

{

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1844

switch (mode) {

Xiaokang Qian

2022-09-26 08:23:45 +0000

[diff] [blame]

1845

case MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK:

1846

return "psk";

1847

case MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL:

1848

return "ephemeral";

1849

case MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL:

1850

return "psk_ephemeral";

1851

default:

1852

return "unknown mode";

1853

}

1854

}

Xiaokang Qian

cb6e963

2022-09-26 11:59:32 +0000

[diff] [blame]

1855

#endif /* MBEDTLS_DEBUG_C */

Xiaokang Qian

2022-09-26 08:23:45 +0000

[diff] [blame]

1856

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

1857

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1858

static int ssl_tls13_postprocess_server_hello(mbedtls_ssl_context *ssl)

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1859

{

Jerry Yu

2021-10-13 13:36:05 +0800

[diff] [blame]

1860

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

Jerry Yu

2021-10-13 13:36:05 +0800

[diff] [blame]

1861

mbedtls_ssl_handshake_params *handshake = ssl->handshake;

Jerry Yu

2021-09-05 19:41:30 +0800

[diff] [blame]

1862

Jerry Yu

2021-10-13 13:36:05 +0800

[diff] [blame]

1863

/* Determine the key exchange mode:

1864

* 1) If both the pre_shared_key and key_share extensions were received

1865

* then the key exchange mode is PSK with EPHEMERAL.

1866

* 2) If only the pre_shared_key extension was received then the key

1867

* exchange mode is PSK-only.

1868

* 3) If only the key_share extension was received then the key

1869

* exchange mode is EPHEMERAL-only.

Jerry Yu

2021-09-05 19:41:30 +0800

[diff] [blame]

1870

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1871

switch (handshake->received_extensions &

Xiaokang Qian

2023-03-29 10:37:35 +0000

[diff] [blame]

1872

(MBEDTLS_SSL_EXT_MASK(PRE_SHARED_KEY) |

1873

MBEDTLS_SSL_EXT_MASK(KEY_SHARE))) {

Jerry Yu

2021-10-13 22:01:04 +0800

[diff] [blame]

1874

/* Only the pre_shared_key extension was received */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1875

case MBEDTLS_SSL_EXT_MASK(PRE_SHARED_KEY):

Xiaokang Qian

2023-03-29 10:37:35 +0000

[diff] [blame]

1876

handshake->key_exchange_mode =

1877

MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK;

Jerry Yu

2021-10-13 22:01:04 +0800

[diff] [blame]

1878

break;

Jerry Yu

2021-10-13 13:36:05 +0800

[diff] [blame]

1879

Jerry Yu

2021-10-13 22:01:04 +0800

[diff] [blame]

1880

/* Only the key_share extension was received */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1881

case MBEDTLS_SSL_EXT_MASK(KEY_SHARE):

Xiaokang Qian

2023-03-29 10:37:35 +0000

[diff] [blame]

1882

handshake->key_exchange_mode =

1883

MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL;

Jerry Yu

2021-10-13 22:01:04 +0800

[diff] [blame]

1884

break;

Jerry Yu

2021-10-13 13:36:05 +0800

[diff] [blame]

1885

Jerry Yu

2021-10-13 22:01:04 +0800

[diff] [blame]

1886

/* Both the pre_shared_key and key_share extensions were received */

Xiaokang Qian

2023-03-29 10:37:35 +0000

[diff] [blame]

1887

case (MBEDTLS_SSL_EXT_MASK(PRE_SHARED_KEY) |

1888

MBEDTLS_SSL_EXT_MASK(KEY_SHARE)):

1889

handshake->key_exchange_mode =

1890

MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL;

Jerry Yu

2021-10-13 22:01:04 +0800

[diff] [blame]

1891

break;

Jerry Yu

2021-10-13 13:36:05 +0800

[diff] [blame]

1892

Jerry Yu

2021-10-13 22:01:04 +0800

[diff] [blame]

1893

/* Neither pre_shared_key nor key_share extension was received */

1894

default:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1895

MBEDTLS_SSL_DEBUG_MSG(1, ("Unknown key exchange."));

Jerry Yu

2021-10-13 22:01:04 +0800

[diff] [blame]

1896

ret = MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;

1897

goto cleanup;

Jerry Yu

2021-09-05 19:41:30 +0800

[diff] [blame]

1898

}

Xiaokang Qian

3f616c2

2023-01-12 03:36:31 +0000

[diff] [blame]

1899

#if defined(MBEDTLS_SSL_EARLY_DATA)

Xiaokang Qian

02f5e14

2023-02-06 10:44:17 +0000

[diff] [blame]

1900

if (handshake->received_extensions & MBEDTLS_SSL_EXT_MASK(EARLY_DATA) &&

1901

(handshake->selected_identity != 0 ||

1902

handshake->ciphersuite_info->id !=

1903

ssl->session_negotiate->ciphersuite)) {

Xiaokang Qian

3f616c2

2023-01-12 03:36:31 +0000

[diff] [blame]

1904

/* RFC8446 4.2.11

1905

* If the server supplies an "early_data" extension, the

1906

* client MUST verify that the server's selected_identity

1907

* is 0. If any other value is returned, the client MUST

1908

* abort the handshake with an "illegal_parameter" alert.

Xiaokang Qian

02f5e14

2023-02-06 10:44:17 +0000

[diff] [blame]

1909

*

Xiaokang Qian

53c4c27

2023-02-07 02:42:01 +0000

[diff] [blame]

1910

* RFC 8446 4.2.10

1911

* In order to accept early data, the server MUST have accepted a PSK

1912

* cipher suite and selected the first key offered in the client's

1913

* "pre_shared_key" extension. In addition, it MUST verify that the

1914

* following values are the same as those associated with the

1915

* selected PSK:

1916

* - The TLS version number

1917

* - The selected cipher suite

Xiaokang Qian

8dc4ce7

2023-02-07 10:49:50 +0000

[diff] [blame]

1918

* - The selected ALPN [RFC7301] protocol, if any

1919

*

1920

* We check here that when early data is involved the server

1921

* selected the cipher suite associated to the pre-shared key

1922

* as it must have.

Xiaokang Qian

3f616c2

2023-01-12 03:36:31 +0000

[diff] [blame]

1923

*/

1924

MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,

1925

MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);

1926

return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;

1927

}

1928

#endif

Jerry Yu

2021-09-05 19:41:30 +0800

[diff] [blame]

1929

Xiaokang Qian

2023-02-08 06:04:50 +0000

[diff] [blame]

1930

if (!mbedtls_ssl_conf_tls13_check_kex_modes(

1931

ssl, handshake->key_exchange_mode)) {

Xiaokang Qian

ac8195f

2022-09-26 04:01:06 +0000

[diff] [blame]

1932

ret = MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;

Xiaokang Qian

2023-03-29 10:37:35 +0000

[diff] [blame]

1933

MBEDTLS_SSL_DEBUG_MSG(

1934

2, ("Key exchange mode(%s) is not supported.",

1935

ssl_tls13_get_kex_mode_str(handshake->key_exchange_mode)));

Xiaokang Qian

ac8195f

2022-09-26 04:01:06 +0000

[diff] [blame]

goto cleanup;

}

Xiaokang Qian

2023-03-29 10:37:35 +0000

[diff] [blame]

1939

MBEDTLS_SSL_DEBUG_MSG(

1940

3, ("Selected key exchange mode: %s",

1941

ssl_tls13_get_kex_mode_str(handshake->key_exchange_mode)));

Xiaokang Qian

2022-09-26 08:23:45 +0000

[diff] [blame]

1942

Xiaokang Qian

7892b6c

2023-02-02 06:05:48 +0000

[diff] [blame]

1943

/* Start the TLS 1.3 key scheduling if not already done.

Jerry Yu

2021-09-05 19:41:30 +0800

[diff] [blame]

1944

*

Xiaokang Qian

7892b6c

2023-02-02 06:05:48 +0000

[diff] [blame]

1945

* If we proposed early data then we have already derived an

1946

* early secret using the selected PSK and its associated hash.

1947

* It means that if the negotiated key exchange mode is psk or

1948

* psk_ephemeral, we have already correctly computed the

1949

* early secret and thus we do not do it again. In all other

1950

* cases we compute it here.

Xiaokang Qian

303f82c5

2023-01-04 08:43:46 +0000

[diff] [blame]

1951

*/

Xiaokang Qian

9074613

2023-01-06 05:54:59 +0000

[diff] [blame]

1952

#if defined(MBEDTLS_SSL_EARLY_DATA)

Xiaokang Qian

e04afdc

2023-02-07 02:19:42 +0000

[diff] [blame]

1953

if (ssl->early_data_status == MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT ||

1954

handshake->key_exchange_mode ==

1955

MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL)

Xiaokang Qian

9074613

2023-01-06 05:54:59 +0000

[diff] [blame]

1956

#endif

1957

{

Xiaokang Qian

303f82c5

2023-01-04 08:43:46 +0000

[diff] [blame]

1958

ret = mbedtls_ssl_tls13_key_schedule_stage_early(ssl);

1959

if (ret != 0) {

1960

MBEDTLS_SSL_DEBUG_RET(

1961

1, "mbedtls_ssl_tls13_key_schedule_stage_early", ret);

1962

goto cleanup;

1963

}

Jerry Yu

2021-09-05 19:41:30 +0800

[diff] [blame]

1964

}

1965

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1966

ret = mbedtls_ssl_tls13_compute_handshake_transform(ssl);

1967

if (ret != 0) {

1968

MBEDTLS_SSL_DEBUG_RET(1,

1969

"mbedtls_ssl_tls13_compute_handshake_transform",

1970

ret);

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1971

goto cleanup;

Jerry Yu

2021-09-05 19:41:30 +0800

[diff] [blame]

1972

}

1973

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1974

mbedtls_ssl_set_inbound_transform(ssl, handshake->transform_handshake);

1975

MBEDTLS_SSL_DEBUG_MSG(1, ("Switch to handshake keys for inbound traffic"));

Xiaokang Qian

4ef8ba2

2023-02-06 11:06:16 +0000

[diff] [blame]

1976

ssl->session_negotiate->ciphersuite = handshake->ciphersuite_info->id;

Jerry Yu

2021-09-05 19:41:30 +0800

[diff] [blame]

1977

ssl->session_in = ssl->session_negotiate;

1978

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1979

cleanup:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1980

if (ret != 0) {

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1981

MBEDTLS_SSL_PEND_FATAL_ALERT(

1982

MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1983

MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE);

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1984

}

Jerry Yu

e110d25

2022-05-05 10:19:22 +0800

[diff] [blame]

1985

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1986

return ret;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1987

}

1988

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

1989

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1990

static int ssl_tls13_postprocess_hrr(mbedtls_ssl_context *ssl)

XiaokangQian

2021-12-07 09:16:29 +0000

[diff] [blame]

1991

{

1992

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

1993

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1994

mbedtls_ssl_session_reset_msg_layer(ssl, 0);

XiaokangQian

2021-12-07 09:16:29 +0000

[diff] [blame]

1995

XiaokangQian

78b1fa7

2022-01-19 06:56:30 +0000

[diff] [blame]

1996

/*

XiaokangQian

2022-01-20 11:14:50 +0000

[diff] [blame]

1997

* We are going to re-generate a shared secret corresponding to the group

1998

* selected by the server, which is different from the group for which we

1999

* generated a shared secret in the first client hello.

2000

* Thus, reset the shared secret.

XiaokangQian

51eff22

2021-12-10 10:33:56 +0000

[diff] [blame]

2001

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2002

ret = ssl_tls13_reset_key_share(ssl);

2003

if (ret != 0) {

2004

return ret;

2005

}

XiaokangQian

2021-12-07 09:16:29 +0000

[diff] [blame]

2006

Xiaokang Qian

4ef8ba2

2023-02-06 11:06:16 +0000

[diff] [blame]

2007

ssl->session_negotiate->ciphersuite = ssl->handshake->ciphersuite_info->id;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2008

return 0;

XiaokangQian

2021-12-07 09:16:29 +0000

[diff] [blame]

2009

}

2010

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

2011

/*

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

2012

* Wait and parse ServerHello handshake message.

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

2013

* Handler for MBEDTLS_SSL_SERVER_HELLO

2014

*/

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

2015

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2016

static int ssl_tls13_process_server_hello(mbedtls_ssl_context *ssl)

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

2017

{

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

2018

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

XiaokangQian

2021-12-07 09:16:29 +0000

[diff] [blame]

2019

unsigned char *buf = NULL;

2020

size_t buf_len = 0;

XiaokangQian

78b1fa7

2022-01-19 06:56:30 +0000

[diff] [blame]

2021

int is_hrr = 0;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

2022

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2023

MBEDTLS_SSL_DEBUG_MSG(2, ("=> %s", __func__));

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

2024

Xiaokang Qian

2023-03-29 10:37:35 +0000

[diff] [blame]

2025

MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_tls13_fetch_handshake_msg(

2026

ssl, MBEDTLS_SSL_HS_SERVER_HELLO, &buf, &buf_len));

Ronald Cron

db5dfa1

2022-05-31 11:44:38 +0200

[diff] [blame]

2027

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2028

ret = ssl_tls13_preprocess_server_hello(ssl, buf, buf + buf_len);

2029

if (ret < 0) {

XiaokangQian

2022-01-14 07:35:47 +0000

[diff] [blame]

2030

goto cleanup;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2031

} else {

2032

is_hrr = (ret == SSL_SERVER_HELLO_HRR);

2033

}

XiaokangQian

2022-01-24 10:12:51 +0000

[diff] [blame]

2034

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2035

if (ret == SSL_SERVER_HELLO_TLS1_2) {

Ronald Cron

2022-02-10 16:45:15 +0100

[diff] [blame]

ret = 0;

goto cleanup;

}

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2040

MBEDTLS_SSL_PROC_CHK(ssl_tls13_parse_server_hello(ssl, buf,

buf + buf_len,

is_hrr));

if (is_hrr) {

MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_reset_transcript_for_hrr(ssl));

Ronald Cron

2022-05-31 14:49:55 +0200

[diff] [blame]

2045

}

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2046

Xiaokang Qian

2023-03-29 10:37:35 +0000

[diff] [blame]

2047

MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(

2048

ssl, MBEDTLS_SSL_HS_SERVER_HELLO, buf, buf_len));

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2049

2050

if (is_hrr) {

2051

MBEDTLS_SSL_PROC_CHK(ssl_tls13_postprocess_hrr(ssl));

2052

#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)

2053

/* If not offering early data, the client sends a dummy CCS record

2054

* immediately before its second flight. This may either be before

2055

* its second ClientHello or before its encrypted handshake flight.

2056

*/

Xiaokang Qian

2023-03-29 10:37:35 +0000

[diff] [blame]

2057

mbedtls_ssl_handshake_set_state(

2058

ssl, MBEDTLS_SSL_CLIENT_CCS_BEFORE_2ND_CLIENT_HELLO);

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2059

#else

2060

mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_HELLO);

2061

#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */

2062

} else {

2063

MBEDTLS_SSL_PROC_CHK(ssl_tls13_postprocess_server_hello(ssl));

2064

mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_ENCRYPTED_EXTENSIONS);

Ronald Cron

2022-05-31 14:49:55 +0200

[diff] [blame]

2065

}

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

2066

2067

cleanup:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2068

MBEDTLS_SSL_DEBUG_MSG(2, ("<= %s ( %s )", __func__,

2069

is_hrr ? "HelloRetryRequest" : "ServerHello"));

2070

return ret;

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

2071

}

2072

2073

/*

XiaokangQian

2021-09-13 07:30:09 +0000

[diff] [blame]

2074

*

Ronald Cron

2022-05-30 16:05:38 +0200

[diff] [blame]

2075

* Handler for MBEDTLS_SSL_ENCRYPTED_EXTENSIONS

XiaokangQian

2021-09-13 07:30:09 +0000

[diff] [blame]

2076

*

2077

* The EncryptedExtensions message contains any extensions which

2078

* should be protected, i.e., any which are not needed to establish

2079

* the cryptographic context.

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

2080

*/

XiaokangQian

2021-09-13 07:30:09 +0000

[diff] [blame]

2081

XiaokangQian

2021-10-09 10:12:11 +0000

[diff] [blame]

2082

/* Parse EncryptedExtensions message

2083

* struct {

XiaokangQian

2021-10-11 10:05:54 +0000

[diff] [blame]

2084

* Extension extensions<0..2^16-1>;

XiaokangQian

2021-10-09 10:12:11 +0000

[diff] [blame]

2085

* } EncryptedExtensions;

2086

*/

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

2087

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2088

static int ssl_tls13_parse_encrypted_extensions(mbedtls_ssl_context *ssl,

2089

const unsigned char *buf,

2090

const unsigned char *end)

XiaokangQian

2021-09-13 07:30:09 +0000

[diff] [blame]

2091

{

2092

int ret = 0;

XiaokangQian

2021-10-09 10:12:11 +0000

[diff] [blame]

2093

size_t extensions_len;

XiaokangQian

140f045

2021-10-08 08:05:53 +0000

[diff] [blame]

2094

const unsigned char *p = buf;

XiaokangQian

8db25ff

2021-10-13 05:56:18 +0000

[diff] [blame]

2095

const unsigned char *extensions_end;

Jerry Yu

2022-10-29 09:08:47 +0800

[diff] [blame]

2096

mbedtls_ssl_handshake_params *handshake = ssl->handshake;

XiaokangQian

2021-09-13 07:30:09 +0000

[diff] [blame]

2097

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2098

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);

2099

extensions_len = MBEDTLS_GET_UINT16_BE(p, 0);

XiaokangQian

2021-10-09 10:12:11 +0000

[diff] [blame]

2100

p += 2;

XiaokangQian

2021-09-13 07:30:09 +0000

[diff] [blame]

2101

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2102

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, extensions_len);

Ronald Cron

c808359

2022-05-31 16:24:05 +0200

[diff] [blame]

2103

extensions_end = p + extensions_len;

XiaokangQian

2021-09-13 07:30:09 +0000

[diff] [blame]

2104

Jan Bruckner

5a3629b

2023-02-23 12:08:09 +0100

[diff] [blame]

2105

MBEDTLS_SSL_DEBUG_BUF(3, "encrypted extensions", p, extensions_len);

2106

Jerry Yu

9eba750

2022-10-31 13:46:16 +0800

[diff] [blame]

2107

handshake->received_extensions = MBEDTLS_SSL_EXT_MASK_NONE;

Jerry Yu

2022-08-04 16:55:10 +0800

[diff] [blame]

2108

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2109

while (p < extensions_end) {

XiaokangQian

2021-10-09 10:12:11 +0000

[diff] [blame]

2110

unsigned int extension_type;

2111

size_t extension_data_len;

XiaokangQian

2021-09-13 07:30:09 +0000

[diff] [blame]

2112

XiaokangQian

2021-10-09 10:12:11 +0000

[diff] [blame]

2113

/*

2114

* struct {

XiaokangQian

2021-10-11 10:05:54 +0000

[diff] [blame]

2115

* ExtensionType extension_type; (2 bytes)

2116

* opaque extension_data<0..2^16-1>;

XiaokangQian

2021-10-09 10:12:11 +0000

[diff] [blame]

2117

* } Extension;

2118

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2119

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, extensions_end, 4);

2120

extension_type = MBEDTLS_GET_UINT16_BE(p, 0);

2121

extension_data_len = MBEDTLS_GET_UINT16_BE(p, 2);

XiaokangQian

2021-10-09 10:12:11 +0000

[diff] [blame]

2122

p += 4;

2123

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2124

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, extensions_end, extension_data_len);

XiaokangQian

2021-09-13 07:30:09 +0000

[diff] [blame]

2125

Jerry Yu

2022-10-29 09:08:47 +0800

[diff] [blame]

2126

ret = mbedtls_ssl_tls13_check_received_extension(

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2127

ssl, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS, extension_type,

2128

MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_EE);

2129

if (ret != 0) {

2130

return ret;

2131

}

Jerry Yu

2022-08-04 16:55:10 +0800

[diff] [blame]

2132

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2133

switch (extension_type) {

lhuang04

2022-01-21 07:34:27 -0800

[diff] [blame]

2134

#if defined(MBEDTLS_SSL_ALPN)

2135

case MBEDTLS_TLS_EXT_ALPN:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2136

MBEDTLS_SSL_DEBUG_MSG(3, ("found alpn extension"));

lhuang04

2022-01-21 07:34:27 -0800

[diff] [blame]

2137

Xiaokang Qian

2023-03-29 10:37:35 +0000

[diff] [blame]

2138

if ((ret = ssl_tls13_parse_alpn_ext(

2139

ssl, p, (size_t) extension_data_len)) != 0) {

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2140

return ret;

lhuang04

2022-01-21 07:34:27 -0800

[diff] [blame]

}

break;

#endif /* MBEDTLS_SSL_ALPN */

Xiaokang Qian

8bee899

2022-10-27 10:21:05 +0000

[diff] [blame]

2145

2146

#if defined(MBEDTLS_SSL_EARLY_DATA)

2147

case MBEDTLS_TLS_EXT_EARLY_DATA:

Xiaokang Qian

ca09afc

2022-11-22 10:05:19 +0000

[diff] [blame]

2148

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2149

if (extension_data_len != 0) {

Xiaokang Qian

ca09afc

2022-11-22 10:05:19 +0000

[diff] [blame]

2150

/* The message must be empty. */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2151

MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,

2152

MBEDTLS_ERR_SSL_DECODE_ERROR);

2153

return MBEDTLS_ERR_SSL_DECODE_ERROR;

Xiaokang Qian

ca09afc

2022-11-22 10:05:19 +0000

[diff] [blame]

2154

}

2155

Xiaokang Qian

8bee899

2022-10-27 10:21:05 +0000

[diff] [blame]

2156

break;

2157

#endif /* MBEDTLS_SSL_EARLY_DATA */

2158

Jan Bruckner

151f642

2023-02-10 12:45:19 +0100

[diff] [blame]

2159

#if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)

2160

case MBEDTLS_TLS_EXT_RECORD_SIZE_LIMIT:

2161

MBEDTLS_SSL_DEBUG_MSG(3, ("found record_size_limit extension"));

2162

Xiaokang Qian

2023-03-29 10:37:35 +0000

[diff] [blame]

2163

ret = mbedtls_ssl_tls13_parse_record_size_limit_ext(

2164

ssl, p, p + extension_data_len);

Jan Bruckner

151f642

2023-02-10 12:45:19 +0100

[diff] [blame]

2165

Xiaokang Qian

2023-03-29 10:37:35 +0000

[diff] [blame]

2166

/* TODO: Return unconditionally here until we handle the record

2167

* size limit correctly. Once handled correctly, only return in

2168

* case of errors. */

Jan Bruckner

151f642

2023-02-10 12:45:19 +0100

[diff] [blame]

return ret;

break;

#endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */

2173

XiaokangQian

2021-10-09 10:12:11 +0000

[diff] [blame]

2174

default:

Jerry Yu

79aa721

2022-11-08 21:30:21 +0800

[diff] [blame]

2175

MBEDTLS_SSL_PRINT_EXT(

Jerry Yu

9eba750

2022-10-31 13:46:16 +0800

[diff] [blame]

2176

3, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS,

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2177

extension_type, "( ignored )");

Jerry Yu

2022-08-04 16:55:10 +0800

[diff] [blame]

2178

break;

XiaokangQian

2021-10-09 10:12:11 +0000

[diff] [blame]

2179

}

2180

XiaokangQian

2021-10-09 10:12:11 +0000

[diff] [blame]

2181

p += extension_data_len;

XiaokangQian

2021-10-11 10:05:54 +0000

[diff] [blame]

2182

}

XiaokangQian

2021-10-09 10:12:11 +0000

[diff] [blame]

2183

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2184

MBEDTLS_SSL_PRINT_EXTS(3, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS,

2185

handshake->received_extensions);

Jerry Yu

2022-08-04 16:55:10 +0800

[diff] [blame]

2186

XiaokangQian

2021-10-11 10:05:54 +0000

[diff] [blame]

2187

/* Check that we consumed all the message. */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2188

if (p != end) {

2189

MBEDTLS_SSL_DEBUG_MSG(1, ("EncryptedExtension lengths misaligned"));

2190

MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,

2191

MBEDTLS_ERR_SSL_DECODE_ERROR);

2192

return MBEDTLS_ERR_SSL_DECODE_ERROR;

XiaokangQian

2021-09-13 07:30:09 +0000

[diff] [blame]

2193

}

2194

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2195

return ret;

XiaokangQian

2021-09-13 07:30:09 +0000

[diff] [blame]

2196

}

2197

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

2198

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2199

static int ssl_tls13_process_encrypted_extensions(mbedtls_ssl_context *ssl)

Ronald Cron

2022-05-30 16:05:38 +0200

[diff] [blame]

{

int ret;

unsigned char *buf;

size_t buf_len;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2205

MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse encrypted extensions"));

Ronald Cron

2022-05-30 16:05:38 +0200

[diff] [blame]

2206

Xiaokang Qian

2023-03-29 10:37:35 +0000

[diff] [blame]

2207

MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_tls13_fetch_handshake_msg(

2208

ssl, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS,

2209

&buf, &buf_len));

Ronald Cron

2022-05-30 16:05:38 +0200

[diff] [blame]

2210

2211

/* Process the message contents */

2212

MBEDTLS_SSL_PROC_CHK(

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2213

ssl_tls13_parse_encrypted_extensions(ssl, buf, buf + buf_len));

Ronald Cron

2022-05-30 16:05:38 +0200

[diff] [blame]

2214

Xiaokang Qian

b157e91

2022-11-23 08:12:26 +0000

[diff] [blame]

2215

#if defined(MBEDTLS_SSL_EARLY_DATA)

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2216

if (ssl->handshake->received_extensions &

2217

MBEDTLS_SSL_EXT_MASK(EARLY_DATA)) {

Xiaokang Qian

b157e91

2022-11-23 08:12:26 +0000

[diff] [blame]

2218

ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED;

}

#endif

Xiaokang Qian

2023-03-29 10:37:35 +0000

[diff] [blame]

2222

MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(

2223

ssl, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS,

2224

buf, buf_len));

Ronald Cron

2022-05-30 16:05:38 +0200

[diff] [blame]

2225

Ronald Cron

2022-10-04 16:14:26 +0200

[diff] [blame]

2226

#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2227

if (mbedtls_ssl_tls13_key_exchange_mode_with_psk(ssl)) {

2228

mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_FINISHED);

2229

} else {

2230

mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CERTIFICATE_REQUEST);

2231

}

Ronald Cron

2022-05-31 14:49:55 +0200

[diff] [blame]

2232

#else

2233

((void) ssl);

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2234

mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_FINISHED);

Ronald Cron

2022-05-31 14:49:55 +0200

[diff] [blame]

2235

#endif

Ronald Cron

2022-05-30 16:05:38 +0200

[diff] [blame]

cleanup:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2239

MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse encrypted extensions"));

2240

return ret;

Ronald Cron

2022-05-30 16:05:38 +0200

[diff] [blame]

}

Xiaokang Qian

2022-10-28 06:04:06 +0000

[diff] [blame]

2244

/*

2245

* Handler for MBEDTLS_SSL_END_OF_EARLY_DATA

2246

*

Xiaokang Qian

c81a15a

2022-12-19 02:43:33 +0000

[diff] [blame]

2247

* RFC 8446 section 4.5

Xiaokang Qian

2022-10-28 06:04:06 +0000

[diff] [blame]

2248

*

Xiaokang Qian

2022-10-28 06:04:06 +0000

[diff] [blame]

2249

* struct {} EndOfEarlyData;

Xiaokang Qian

c81a15a

2022-12-19 02:43:33 +0000

[diff] [blame]

2250

*

2251

* If the server sent an "early_data" extension in EncryptedExtensions, the

2252

* client MUST send an EndOfEarlyData message after receiving the server

2253

* Finished. Otherwise, the client MUST NOT send an EndOfEarlyData message.

Xiaokang Qian

2022-10-28 06:04:06 +0000

[diff] [blame]

2254

*/

2255

Xiaokang Qian

2022-10-28 06:04:06 +0000

[diff] [blame]

2256

MBEDTLS_CHECK_RETURN_CRITICAL

Xiaokang Qian

2022-10-28 06:04:06 +0000

[diff] [blame]

2257

static int ssl_tls13_write_end_of_early_data(mbedtls_ssl_context *ssl)

2258

{

2259

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

Xiaokang Qian

742578c

2022-12-19 06:34:44 +0000

[diff] [blame]

2260

unsigned char *buf = NULL;

2261

size_t buf_len;

Xiaokang Qian

57a138d

2022-12-19 06:40:47 +0000

[diff] [blame]

2262

MBEDTLS_SSL_DEBUG_MSG(2, ("=> write EndOfEarlyData"));

Xiaokang Qian

2022-10-28 06:04:06 +0000

[diff] [blame]

2263

Xiaokang Qian

742578c

2022-12-19 06:34:44 +0000

[diff] [blame]

2264

MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_start_handshake_msg(

Xiaokang Qian

2023-02-08 06:04:50 +0000

[diff] [blame]

2265

ssl, MBEDTLS_SSL_HS_END_OF_EARLY_DATA,

2266

&buf, &buf_len));

Xiaokang Qian

2022-10-28 06:04:06 +0000

[diff] [blame]

2267

Manuel Pégourié-Gonnard

63e33dd

2023-02-21 15:45:15 +0100

[diff] [blame]

2268

MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_hdr_to_checksum(

2269

ssl, MBEDTLS_SSL_HS_END_OF_EARLY_DATA, 0));

Xiaokang Qian

2022-10-28 06:04:06 +0000

[diff] [blame]

2270

Xiaokang Qian

742578c

2022-12-19 06:34:44 +0000

[diff] [blame]

2271

MBEDTLS_SSL_PROC_CHK(

2272

mbedtls_ssl_finish_handshake_msg(ssl, buf_len, 0));

Xiaokang Qian

da8402d

2022-12-15 14:55:35 +0000

[diff] [blame]

2273

Xiaokang Qian

19d4416

2023-01-03 03:39:50 +0000

[diff] [blame]

2274

mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE);

Xiaokang Qian

2022-10-28 06:04:06 +0000

[diff] [blame]

cleanup:

MBEDTLS_SSL_DEBUG_MSG(2, ("<= write EndOfEarlyData"));

return ret;

}

Ronald Cron

2022-10-04 16:14:26 +0200

[diff] [blame]

2282

#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

2283

/*

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2284

* STATE HANDLING: CertificateRequest

2285

*

Jerry Yu

2021-10-29 10:08:19 +0800

[diff] [blame]

2286

*/

Xiaofei Bai

2022-01-20 08:25:00 +0000

[diff] [blame]

2287

#define SSL_CERTIFICATE_REQUEST_EXPECT_REQUEST 0

2288

#define SSL_CERTIFICATE_REQUEST_SKIP 1

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2289

/* Coordination:

2290

* Deals with the ambiguity of not knowing if a CertificateRequest

2291

* will be sent. Returns a negative code on failure, or

2292

* - SSL_CERTIFICATE_REQUEST_EXPECT_REQUEST

2293

* - SSL_CERTIFICATE_REQUEST_SKIP

2294

* indicating if a Certificate Request is expected or not.

2295

*/

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

2296

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2297

static int ssl_tls13_certificate_request_coordinate(mbedtls_ssl_context *ssl)

Jerry Yu

2021-10-29 10:08:19 +0800

[diff] [blame]

2298

{

Xiaofei Bai

de3f13e

2022-01-18 05:47:05 +0000

[diff] [blame]

2299

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

Jerry Yu

2021-10-29 10:08:19 +0800

[diff] [blame]

2300

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2301

if ((ret = mbedtls_ssl_read_record(ssl, 0)) != 0) {

2302

MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);

2303

return ret;

Jerry Yu

2021-10-29 10:08:19 +0800

[diff] [blame]

2304

}

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2305

ssl->keep_current_message = 1;

Jerry Yu

2021-10-29 10:08:19 +0800

[diff] [blame]

2306

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2307

if ((ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE) &&

2308

(ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE_REQUEST)) {

2309

MBEDTLS_SSL_DEBUG_MSG(3, ("got a certificate request"));

2310

return SSL_CERTIFICATE_REQUEST_EXPECT_REQUEST;

Jerry Yu

2021-10-29 10:08:19 +0800

[diff] [blame]

2311

}

2312

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2313

MBEDTLS_SSL_DEBUG_MSG(3, ("got no certificate request"));

Ronald Cron

1938588

2022-06-15 16:26:13 +0200

[diff] [blame]

2314

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2315

return SSL_CERTIFICATE_REQUEST_SKIP;

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2316

}

2317

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2318

/*

2319

* ssl_tls13_parse_certificate_request()

2320

* Parse certificate request

2321

* struct {

2322

* opaque certificate_request_context<0..2^8-1>;

2323

* Extension extensions<2..2^16-1>;

2324

* } CertificateRequest;

2325

*/

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

2326

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2327

static int ssl_tls13_parse_certificate_request(mbedtls_ssl_context *ssl,

2328

const unsigned char *buf,

2329

const unsigned char *end)

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2330

{

2331

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

2332

const unsigned char *p = buf;

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2333

size_t certificate_request_context_len = 0;

Xiaofei Bai

2022-01-26 09:21:54 +0000

[diff] [blame]

2334

size_t extensions_len = 0;

2335

const unsigned char *extensions_end;

Jerry Yu

2022-10-29 09:08:47 +0800

[diff] [blame]

2336

mbedtls_ssl_handshake_params *handshake = ssl->handshake;

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2337

Xiaofei Bai

2022-01-26 09:21:54 +0000

[diff] [blame]

2338

/* ...

2339

* opaque certificate_request_context<0..2^8-1>

2340

* ...

2341

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2342

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 1);

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2343

certificate_request_context_len = (size_t) p[0];

Xiaofei Bai

2022-01-20 08:25:00 +0000

[diff] [blame]

2344

p += 1;

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2345

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2346

if (certificate_request_context_len > 0) {

2347

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, certificate_request_context_len);

2348

MBEDTLS_SSL_DEBUG_BUF(3, "Certificate Request Context",

2349

p, certificate_request_context_len);

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2350

Xiaofei Bai

2022-01-20 08:25:00 +0000

[diff] [blame]

2351

handshake->certificate_request_context =

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2352

mbedtls_calloc(1, certificate_request_context_len);

2353

if (handshake->certificate_request_context == NULL) {

2354

MBEDTLS_SSL_DEBUG_MSG(1, ("buffer too small"));

2355

return MBEDTLS_ERR_SSL_ALLOC_FAILED;

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2356

}

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2357

memcpy(handshake->certificate_request_context, p,

2358

certificate_request_context_len);

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2359

p += certificate_request_context_len;

2360

}

2361

Xiaofei Bai

2022-01-26 09:21:54 +0000

[diff] [blame]

2362

/* ...

2363

* Extension extensions<2..2^16-1>;

2364

* ...

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2365

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2366

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);

2367

extensions_len = MBEDTLS_GET_UINT16_BE(p, 0);

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2368

p += 2;

2369

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2370

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, extensions_len);

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2371

extensions_end = p + extensions_len;

2372

Jerry Yu

6d0e78b

2022-10-31 14:13:25 +0800

[diff] [blame]

2373

handshake->received_extensions = MBEDTLS_SSL_EXT_MASK_NONE;

Jerry Yu

2022-08-04 17:01:21 +0800

[diff] [blame]

2374

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2375

while (p < extensions_end) {

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2376

unsigned int extension_type;

2377

size_t extension_data_len;

2378

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2379

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, extensions_end, 4);

2380

extension_type = MBEDTLS_GET_UINT16_BE(p, 0);

2381

extension_data_len = MBEDTLS_GET_UINT16_BE(p, 2);

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2382

p += 4;

2383

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2384

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, extensions_end, extension_data_len);

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2385

Jerry Yu

2022-10-29 09:08:47 +0800

[diff] [blame]

2386

ret = mbedtls_ssl_tls13_check_received_extension(

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2387

ssl, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST, extension_type,

2388

MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CR);

2389

if (ret != 0) {

2390

return ret;

2391

}

Jerry Yu

2022-08-04 17:01:21 +0800

[diff] [blame]

2392

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2393

switch (extension_type) {

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2394

case MBEDTLS_TLS_EXT_SIG_ALG:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2395

MBEDTLS_SSL_DEBUG_MSG(3,

2396

("found signature algorithms extension"));

2397

ret = mbedtls_ssl_parse_sig_alg_ext(ssl, p,

2398

p + extension_data_len);

2399

if (ret != 0) {

2400

return ret;

2401

}

Jerry Yu

2022-08-04 17:01:21 +0800

[diff] [blame]

2402

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2403

break;

2404

2405

default:

Jerry Yu

79aa721

2022-11-08 21:30:21 +0800

[diff] [blame]

2406

MBEDTLS_SSL_PRINT_EXT(

Jerry Yu

6d0e78b

2022-10-31 14:13:25 +0800

[diff] [blame]

2407

3, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST,

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2408

extension_type, "( ignored )");

Xiaofei Bai

2022-01-26 09:21:54 +0000

[diff] [blame]

2409

break;

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2410

}

Jerry Yu

2022-08-04 17:01:21 +0800

[diff] [blame]

2411

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2412

p += extension_data_len;

2413

}

Jerry Yu

2022-08-04 17:01:21 +0800

[diff] [blame]

2414

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2415

MBEDTLS_SSL_PRINT_EXTS(3, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST,

2416

handshake->received_extensions);

Jerry Yu

2022-08-04 17:01:21 +0800

[diff] [blame]

2417

Xiaofei Bai

2022-01-20 08:25:00 +0000

[diff] [blame]

2418

/* Check that we consumed all the message. */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2419

if (p != end) {

2420

MBEDTLS_SSL_DEBUG_MSG(1,

2421

("CertificateRequest misaligned"));

Xiaofei Bai

c234ecf

2022-02-08 09:59:23 +0000

[diff] [blame]

2422

goto decode_error;

Xiaofei Bai

2022-01-20 08:25:00 +0000

[diff] [blame]

2423

}

Jerry Yu

2022-08-04 17:01:21 +0800

[diff] [blame]

2424

Jerry Yu

2022-08-29 15:25:36 +0800

[diff] [blame]

2425

/* RFC 8446 section 4.3.2

Jerry Yu

2022-08-04 17:01:21 +0800

[diff] [blame]

2426

*

2427

* The "signature_algorithms" extension MUST be specified

2428

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2429

if ((handshake->received_extensions & MBEDTLS_SSL_EXT_MASK(SIG_ALG)) == 0) {

2430

MBEDTLS_SSL_DEBUG_MSG(3,

2431

("no signature algorithms extension found"));

Xiaofei Bai

c234ecf

2022-02-08 09:59:23 +0000

[diff] [blame]

2432

goto decode_error;

Xiaofei Bai

2022-01-20 08:25:00 +0000

[diff] [blame]

2433

}

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2434

Jerry Yu

7840f81

2022-01-29 10:26:51 +0800

[diff] [blame]

2435

ssl->handshake->client_auth = 1;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2436

return 0;

Xiaofei Bai

51f515a

2022-02-08 07:28:04 +0000

[diff] [blame]

2437

Xiaofei Bai

c234ecf

2022-02-08 09:59:23 +0000

[diff] [blame]

2438

decode_error:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2439

MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,

2440

MBEDTLS_ERR_SSL_DECODE_ERROR);

2441

return MBEDTLS_ERR_SSL_DECODE_ERROR;

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2442

}

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2443

Xiaofei Bai

de3f13e

2022-01-18 05:47:05 +0000

[diff] [blame]

2444

/*

2445

* Handler for MBEDTLS_SSL_CERTIFICATE_REQUEST

2446

*/

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

2447

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2448

static int ssl_tls13_process_certificate_request(mbedtls_ssl_context *ssl)

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2449

{

Xiaofei Bai

de3f13e

2022-01-18 05:47:05 +0000

[diff] [blame]

2450

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2451

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2452

MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate request"));

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2453

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2454

MBEDTLS_SSL_PROC_CHK_NEG(ssl_tls13_certificate_request_coordinate(ssl));

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2455

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2456

if (ret == SSL_CERTIFICATE_REQUEST_EXPECT_REQUEST) {

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

unsigned char *buf;

size_t buf_len;

Xiaokang Qian

2023-03-29 10:37:35 +0000

[diff] [blame]

2460

MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_tls13_fetch_handshake_msg(

2461

ssl, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST,

2462

&buf, &buf_len));

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2463

Xiaokang Qian

2023-03-29 10:37:35 +0000

[diff] [blame]

2464

MBEDTLS_SSL_PROC_CHK(ssl_tls13_parse_certificate_request(

2465

ssl, buf, buf + buf_len));

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2466

Xiaokang Qian

2023-03-29 10:37:35 +0000

[diff] [blame]

2467

MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(

2468

ssl, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST,

2469

buf, buf_len));

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2470

} else if (ret == SSL_CERTIFICATE_REQUEST_SKIP) {

Xiaofei Bai

f6d3696

2022-01-16 14:54:35 +0000

[diff] [blame]

2471

ret = 0;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2472

} else {

2473

MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));

Xiaofei Bai

51f515a

2022-02-08 07:28:04 +0000

[diff] [blame]

2474

ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;

2475

goto cleanup;

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2476

}

2477

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2478

mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_CERTIFICATE);

Jerry Yu

2021-10-29 10:08:19 +0800

[diff] [blame]

2479

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2480

cleanup:

2481

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2482

MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse certificate request"));

2483

return ret;

Jerry Yu

2021-10-29 10:08:19 +0800

[diff] [blame]

2484

}

2485

2486

/*

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

2487

* Handler for MBEDTLS_SSL_SERVER_CERTIFICATE

2488

*/

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

2489

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2490

static int ssl_tls13_process_server_certificate(mbedtls_ssl_context *ssl)

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

2491

{

Xiaofei Bai

947571e

2021-09-29 09:12:03 +0000

[diff] [blame]

2492

int ret;

2493

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2494

ret = mbedtls_ssl_tls13_process_certificate(ssl);

2495

if (ret != 0) {

2496

return ret;

2497

}

Xiaofei Bai

947571e

2021-09-29 09:12:03 +0000

[diff] [blame]

2498

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2499

mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CERTIFICATE_VERIFY);

2500

return 0;

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

}

/*

* Handler for MBEDTLS_SSL_CERTIFICATE_VERIFY

2505

*/

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

2506

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2507

static int ssl_tls13_process_certificate_verify(mbedtls_ssl_context *ssl)

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

2508

{

Jerry Yu

30b071c

2021-09-12 20:16:03 +0800

[diff] [blame]

2509

int ret;

2510

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2511

ret = mbedtls_ssl_tls13_process_certificate_verify(ssl);

2512

if (ret != 0) {

2513

return ret;

2514

}

Jerry Yu

30b071c

2021-09-12 20:16:03 +0800

[diff] [blame]

2515

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2516

mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_FINISHED);

2517

return 0;

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

2518

}

Ronald Cron

2022-10-04 16:14:26 +0200

[diff] [blame]

2519

#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */

Ronald Cron

d4c6402

2021-12-06 09:06:46 +0100

[diff] [blame]

2520

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

2521

/*

2522

* Handler for MBEDTLS_SSL_SERVER_FINISHED

2523

*/

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

2524

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2525

static int ssl_tls13_process_server_finished(mbedtls_ssl_context *ssl)

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

2526

{

XiaokangQian

ac0385c

2021-11-03 06:40:11 +0000

[diff] [blame]

2527

int ret;

2528

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2529

ret = mbedtls_ssl_tls13_process_finished_message(ssl);

2530

if (ret != 0) {

2531

return ret;

2532

}

XiaokangQian

ac0385c

2021-11-03 06:40:11 +0000

[diff] [blame]

2533

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2534

ret = mbedtls_ssl_tls13_compute_application_transform(ssl);

2535

if (ret != 0) {

Jerry Yu

e3d67cb

2022-05-19 15:33:10 +0800

[diff] [blame]

2536

MBEDTLS_SSL_PEND_FATAL_ALERT(

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2537

MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,

2538

MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE);

2539

return ret;

Jerry Yu

e3d67cb

2022-05-19 15:33:10 +0800

[diff] [blame]

2540

}

2541

Xiaokang Qian

bc75bc0

2022-12-19 06:16:42 +0000

[diff] [blame]

2542

#if defined(MBEDTLS_SSL_EARLY_DATA)

2543

if (ssl->early_data_status == MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED) {

2544

mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_END_OF_EARLY_DATA);

Xiaokang Qian

bd0ab06

2023-02-02 05:56:30 +0000

[diff] [blame]

2545

} else if (ssl->early_data_status == MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED) {

2546

mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE);

Xiaokang Qian

bc75bc0

2022-12-19 06:16:42 +0000

[diff] [blame]

2547

} else

2548

#endif /* MBEDTLS_SSL_EARLY_DATA */

2549

{

2550

#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)

2551

mbedtls_ssl_handshake_set_state(

2552

ssl, MBEDTLS_SSL_CLIENT_CCS_AFTER_SERVER_FINISHED);

2553

#else

2554

mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE);

2555

#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */

2556

}

Ronald Cron

2021-11-24 16:25:31 +0100

[diff] [blame]

2557

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2558

return 0;

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

2559

}

2560

2561

/*

Jerry Yu

2022-01-26 15:41:22 +0800

[diff] [blame]

2562

* Handler for MBEDTLS_SSL_CLIENT_CERTIFICATE

2563

*/

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

2564

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2565

static int ssl_tls13_write_client_certificate(mbedtls_ssl_context *ssl)

Jerry Yu

2022-01-26 15:41:22 +0800

[diff] [blame]

2566

{

Ronald Cron

2022-03-09 07:44:27 +0100

[diff] [blame]

2567

int non_empty_certificate_msg = 0;

2568

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2569

MBEDTLS_SSL_DEBUG_MSG(1,

2570

("Switch to handshake traffic keys for outbound traffic"));

2571

mbedtls_ssl_set_outbound_transform(ssl, ssl->handshake->transform_handshake);

Jerry Yu

5cc3506

2022-01-28 16:16:08 +0800

[diff] [blame]

2572

Ronald Cron

2022-10-04 16:14:26 +0200

[diff] [blame]

2573

#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2574

if (ssl->handshake->client_auth) {

2575

int ret = mbedtls_ssl_tls13_write_certificate(ssl);

2576

if (ret != 0) {

2577

return ret;

2578

}

Ronald Cron

5bb8fc8

2022-03-09 07:00:13 +0100

[diff] [blame]

2579

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2580

if (mbedtls_ssl_own_cert(ssl) != NULL) {

Ronald Cron

2022-03-09 07:44:27 +0100

[diff] [blame]

2581

non_empty_certificate_msg = 1;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2582

}

2583

} else {

2584

MBEDTLS_SSL_DEBUG_MSG(2, ("skip write certificate"));

Ronald Cron

2022-03-09 07:44:27 +0100

[diff] [blame]

2585

}

Ronald Cron

9df7c80

2022-03-08 18:38:54 +0100

[diff] [blame]

2586

#endif

Ronald Cron

5bb8fc8

2022-03-09 07:00:13 +0100

[diff] [blame]

2587

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2588

if (non_empty_certificate_msg) {

2589

mbedtls_ssl_handshake_set_state(ssl,

2590

MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY);

2591

} else {

2592

MBEDTLS_SSL_DEBUG_MSG(2, ("skip write certificate verify"));

2593

mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_FINISHED);

2594

}

Ronald Cron

2022-03-09 07:44:27 +0100

[diff] [blame]

2595

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2596

return 0;

Jerry Yu

2022-01-26 15:41:22 +0800

[diff] [blame]

2597

}

2598

Ronald Cron

2022-10-04 16:14:26 +0200

[diff] [blame]

2599

#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)

Jerry Yu

2022-01-26 15:41:22 +0800

[diff] [blame]

2600

/*

2601

* Handler for MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY

2602

*/

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

2603

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2604

static int ssl_tls13_write_client_certificate_verify(mbedtls_ssl_context *ssl)

Jerry Yu

2022-01-26 15:41:22 +0800

[diff] [blame]

2605

{

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2606

int ret = mbedtls_ssl_tls13_write_certificate_verify(ssl);

Ronald Cron

a8b3887

2022-03-09 07:59:25 +0100

[diff] [blame]

2607

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2608

if (ret == 0) {

2609

mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_FINISHED);

2610

}

Ronald Cron

a8b3887

2022-03-09 07:59:25 +0100

[diff] [blame]

2611

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2612

return ret;

Jerry Yu

2022-01-26 15:41:22 +0800

[diff] [blame]

2613

}

Ronald Cron

2022-10-04 16:14:26 +0200

[diff] [blame]

2614

#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */

Jerry Yu

2022-01-26 15:41:22 +0800

[diff] [blame]

2615

2616

/*

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

2617

* Handler for MBEDTLS_SSL_CLIENT_FINISHED

2618

*/

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

2619

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2620

static int ssl_tls13_write_client_finished(mbedtls_ssl_context *ssl)

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

2621

{

XiaokangQian

0fa6643

2021-11-15 03:33:57 +0000

[diff] [blame]

2622

int ret;

2623

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2624

ret = mbedtls_ssl_tls13_write_finished_message(ssl);

2625

if (ret != 0) {

2626

return ret;

Jerry Yu

e3d67cb

2022-05-19 15:33:10 +0800

[diff] [blame]

2627

}

2628

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2629

ret = mbedtls_ssl_tls13_compute_resumption_master_secret(ssl);

2630

if (ret != 0) {

Xiaokang Qian

2023-03-29 10:37:35 +0000

[diff] [blame]

2631

MBEDTLS_SSL_DEBUG_RET(

2632

1, "mbedtls_ssl_tls13_compute_resumption_master_secret ", ret);

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

return ret;

}

mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_FLUSH_BUFFERS);

2637

return 0;

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

}

/*

* Handler for MBEDTLS_SSL_FLUSH_BUFFERS

2642

*/

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

2643

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2644

static int ssl_tls13_flush_buffers(mbedtls_ssl_context *ssl)

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

2645

{

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2646

MBEDTLS_SSL_DEBUG_MSG(2, ("handshake: done"));

2647

mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_WRAPUP);

2648

return 0;

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

}

/*

* Handler for MBEDTLS_SSL_HANDSHAKE_WRAPUP

2653

*/

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

2654

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2655

static int ssl_tls13_handshake_wrapup(mbedtls_ssl_context *ssl)

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

2656

{

Jerry Yu

378254d

2021-10-30 21:44:47 +0800

[diff] [blame]

2657

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2658

mbedtls_ssl_tls13_handshake_wrapup(ssl);

Jerry Yu

378254d

2021-10-30 21:44:47 +0800

[diff] [blame]

2659

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2660

mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_OVER);

2661

return 0;

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

2662

}

2663

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2664

#if defined(MBEDTLS_SSL_SESSION_TICKETS)

2665

Jerry Yu

2022-07-13 11:22:55 +0800

[diff] [blame]

2666

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2667

static int ssl_tls13_parse_new_session_ticket_exts(mbedtls_ssl_context *ssl,

2668

const unsigned char *buf,

2669

const unsigned char *end)

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2670

{

Jerry Yu

2022-10-29 09:08:47 +0800

[diff] [blame]

2671

mbedtls_ssl_handshake_params *handshake = ssl->handshake;

Jerry Yu

af2c0c8

2022-07-12 05:47:21 +0000

[diff] [blame]

2672

const unsigned char *p = buf;

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2673

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2674

Jerry Yu

edab637

2022-10-31 14:37:31 +0800

[diff] [blame]

2675

handshake->received_extensions = MBEDTLS_SSL_EXT_MASK_NONE;

Jerry Yu

2022-08-04 17:53:25 +0800

[diff] [blame]

2676

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2677

while (p < end) {

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2678

unsigned int extension_type;

2679

size_t extension_data_len;

Jerry Yu

2022-08-29 15:25:36 +0800

[diff] [blame]

2680

int ret;

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2681

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2682

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 4);

2683

extension_type = MBEDTLS_GET_UINT16_BE(p, 0);

2684

extension_data_len = MBEDTLS_GET_UINT16_BE(p, 2);

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2685

p += 4;

2686

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2687

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, extension_data_len);

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2688

Jerry Yu

2022-10-29 09:08:47 +0800

[diff] [blame]

2689

ret = mbedtls_ssl_tls13_check_received_extension(

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2690

ssl, MBEDTLS_SSL_HS_NEW_SESSION_TICKET, extension_type,

2691

MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_NST);

2692

if (ret != 0) {

2693

return ret;

2694

}

Jerry Yu

2022-08-04 17:53:25 +0800

[diff] [blame]

2695

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2696

switch (extension_type) {

Xiaokang Qian

0cc4320

2022-11-16 08:43:50 +0000

[diff] [blame]

2697

#if defined(MBEDTLS_SSL_EARLY_DATA)

Xiaokang Qian

2022-11-08 07:02:27 +0000

[diff] [blame]

2698

case MBEDTLS_TLS_EXT_EARLY_DATA:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2699

if (extension_data_len != 4) {

Xiaokang Qian

2d87a9e

2022-11-09 07:55:48 +0000

[diff] [blame]

2700

MBEDTLS_SSL_PEND_FATAL_ALERT(

2701

MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2702

MBEDTLS_ERR_SSL_DECODE_ERROR);

2703

return MBEDTLS_ERR_SSL_DECODE_ERROR;

Xiaokang Qian

2d87a9e

2022-11-09 07:55:48 +0000

[diff] [blame]

2704

}

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2705

if (ssl->session != NULL) {

Xiaokang Qian

2022-11-08 07:02:27 +0000

[diff] [blame]

2706

ssl->session->ticket_flags |=

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2707

MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_EARLY_DATA;

Xiaokang Qian

2d87a9e

2022-11-09 07:55:48 +0000

[diff] [blame]

2708

}

Xiaokang Qian

2022-11-08 07:02:27 +0000

[diff] [blame]

2709

break;

Xiaokang Qian

0cc4320

2022-11-16 08:43:50 +0000

[diff] [blame]

2710

#endif /* MBEDTLS_SSL_EARLY_DATA */

Xiaokang Qian

2022-11-08 07:02:27 +0000

[diff] [blame]

2711

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2712

default:

Jerry Yu

79aa721

2022-11-08 21:30:21 +0800

[diff] [blame]

2713

MBEDTLS_SSL_PRINT_EXT(

Jerry Yu

edab637

2022-10-31 14:37:31 +0800

[diff] [blame]

2714

3, MBEDTLS_SSL_HS_NEW_SESSION_TICKET,

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2715

extension_type, "( ignored )");

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2716

break;

2717

}

Jerry Yu

2022-08-04 17:53:25 +0800

[diff] [blame]

2718

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2719

p += extension_data_len;

2720

}

2721

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2722

MBEDTLS_SSL_PRINT_EXTS(3, MBEDTLS_SSL_HS_NEW_SESSION_TICKET,

2723

handshake->received_extensions);

Jerry Yu

2022-08-04 17:53:25 +0800

[diff] [blame]

2724

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2725

return 0;

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2726

}

2727

2728

/*

Jerry Yu

08aed4d

2022-07-20 10:36:12 +0800

[diff] [blame]

2729

* From RFC8446, page 74

2730

*

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2731

* struct {

2732

* uint32 ticket_lifetime;

2733

* uint32 ticket_age_add;

2734

* opaque ticket_nonce<0..255>;

2735

* opaque ticket<1..2^16-1>;

2736

* Extension extensions<0..2^16-2>;

2737

* } NewSessionTicket;

2738

*

2739

*/

Jerry Yu

2022-07-13 11:22:55 +0800

[diff] [blame]

2740

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2741

static int ssl_tls13_parse_new_session_ticket(mbedtls_ssl_context *ssl,

2742

unsigned char *buf,

2743

unsigned char *end,

2744

unsigned char **ticket_nonce,

2745

size_t *ticket_nonce_len)

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2746

{

2747

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

2748

unsigned char *p = buf;

2749

mbedtls_ssl_session *session = ssl->session;

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2750

size_t ticket_len;

2751

unsigned char *ticket;

2752

size_t extensions_len;

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2753

Jerry Yu

2022-07-12 06:09:38 +0000

[diff] [blame]

2754

*ticket_nonce = NULL;

2755

*ticket_nonce_len = 0;

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2756

/*

2757

* ticket_lifetime 4 bytes

2758

* ticket_age_add 4 bytes

Jerry Yu

08aed4d

2022-07-20 10:36:12 +0800

[diff] [blame]

2759

* ticket_nonce_len 1 byte

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2760

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2761

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 9);

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2762

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2763

session->ticket_lifetime = MBEDTLS_GET_UINT32_BE(p, 0);

2764

MBEDTLS_SSL_DEBUG_MSG(3,

2765

("ticket_lifetime: %u",

2766

(unsigned int) session->ticket_lifetime));

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2767

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2768

session->ticket_age_add = MBEDTLS_GET_UINT32_BE(p, 4);

2769

MBEDTLS_SSL_DEBUG_MSG(3,

2770

("ticket_age_add: %u",

2771

(unsigned int) session->ticket_age_add));

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2772

Jerry Yu

2022-07-12 06:09:38 +0000

[diff] [blame]

2773

*ticket_nonce_len = p[8];

2774

p += 9;

2775

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2776

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, *ticket_nonce_len);

Jerry Yu

2022-07-12 06:09:38 +0000

[diff] [blame]

2777

*ticket_nonce = p;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2778

MBEDTLS_SSL_DEBUG_BUF(3, "ticket_nonce:", *ticket_nonce, *ticket_nonce_len);

Jerry Yu

2022-07-12 06:09:38 +0000

[diff] [blame]

2779

p += *ticket_nonce_len;

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2780

2781

/* Ticket */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2782

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);

2783

ticket_len = MBEDTLS_GET_UINT16_BE(p, 0);

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2784

p += 2;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2785

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, ticket_len);

2786

MBEDTLS_SSL_DEBUG_BUF(3, "received ticket", p, ticket_len);

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2787

2788

/* Check if we previously received a ticket already. */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2789

if (session->ticket != NULL || session->ticket_len > 0) {

2790

mbedtls_free(session->ticket);

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2791

session->ticket = NULL;

2792

session->ticket_len = 0;

2793

}

2794

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2795

if ((ticket = mbedtls_calloc(1, ticket_len)) == NULL) {

2796

MBEDTLS_SSL_DEBUG_MSG(1, ("ticket alloc failed"));

2797

return MBEDTLS_ERR_SSL_ALLOC_FAILED;

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2798

}

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2799

memcpy(ticket, p, ticket_len);

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2800

p += ticket_len;

2801

session->ticket = ticket;

2802

session->ticket_len = ticket_len;

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2803

Pengyu Lv

2022-11-17 15:22:33 +0800

[diff] [blame]

2804

/* Clear all flags in ticket_flags */

Pengyu Lv

80270b2

2023-01-12 11:54:04 +0800

[diff] [blame]

2805

mbedtls_ssl_session_clear_ticket_flags(

Pengyu Lv

9eacb44

2022-12-09 14:39:19 +0800

[diff] [blame]

2806

session, MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK);

Pengyu Lv

2022-11-17 15:22:33 +0800

[diff] [blame]

2807

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2808

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);

2809

extensions_len = MBEDTLS_GET_UINT16_BE(p, 0);

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2810

p += 2;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2811

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, extensions_len);

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2812

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2813

MBEDTLS_SSL_DEBUG_BUF(3, "ticket extension", p, extensions_len);

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2814

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2815

ret = ssl_tls13_parse_new_session_ticket_exts(ssl, p, p + extensions_len);

2816

if (ret != 0) {

2817

MBEDTLS_SSL_DEBUG_RET(1,

2818

"ssl_tls13_parse_new_session_ticket_exts",

2819

ret);

2820

return ret;

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2821

}

Jerry Yu

2022-07-12 06:09:38 +0000

[diff] [blame]

2822

Jerry Yu

db8c5fa

2022-08-03 12:10:13 +0800

[diff] [blame]

2823

/* session has been updated, allow export */

2824

session->exported = 0;

2825

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2826

return 0;

Jerry Yu

2022-07-12 06:09:38 +0000

[diff] [blame]

2827

}

2828

Jerry Yu

2022-07-13 11:22:55 +0800

[diff] [blame]

2829

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2830

static int ssl_tls13_postprocess_new_session_ticket(mbedtls_ssl_context *ssl,

2831

unsigned char *ticket_nonce,

2832

size_t ticket_nonce_len)

Jerry Yu

2022-07-12 06:09:38 +0000

[diff] [blame]

2833

{

2834

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

2835

mbedtls_ssl_session *session = ssl->session;

2836

const mbedtls_ssl_ciphersuite_t *ciphersuite_info;

2837

psa_algorithm_t psa_hash_alg;

2838

int hash_length;

2839

Jerry Yu

2022-07-13 11:16:51 +0800

[diff] [blame]

2840

#if defined(MBEDTLS_HAVE_TIME)

2841

/* Store ticket creation time */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2842

session->ticket_received = mbedtls_time(NULL);

Jerry Yu

2022-07-13 11:16:51 +0800

[diff] [blame]

2843

#endif

2844

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2845

ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(session->ciphersuite);

2846

if (ciphersuite_info == NULL) {

2847

MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));

2848

return MBEDTLS_ERR_SSL_INTERNAL_ERROR;

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2849

}

2850

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2851

psa_hash_alg = mbedtls_psa_translate_md(ciphersuite_info->mac);

2852

hash_length = PSA_HASH_LENGTH(psa_hash_alg);

2853

if (hash_length == -1 ||

2854

(size_t) hash_length > sizeof(session->resumption_key)) {

2855

return MBEDTLS_ERR_SSL_INTERNAL_ERROR;

Jerry Yu

3afdf36

2022-07-20 17:34:14 +0800

[diff] [blame]

2856

}

2857

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2858

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2859

MBEDTLS_SSL_DEBUG_BUF(3, "resumption_master_secret",

2860

session->app_secrets.resumption_master_secret,

2861

hash_length);

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2862

Jerry Yu

2022-07-13 11:16:51 +0800

[diff] [blame]

2863

/* Compute resumption key

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2864

*

2865

* HKDF-Expand-Label( resumption_master_secret,

2866

* "resumption", ticket_nonce, Hash.length )

2867

*/

2868

ret = mbedtls_ssl_tls13_hkdf_expand_label(

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2869

psa_hash_alg,

2870

session->app_secrets.resumption_master_secret,

2871

hash_length,

2872

MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(resumption),

2873

ticket_nonce,

2874

ticket_nonce_len,

2875

session->resumption_key,

2876

hash_length);

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2877

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2878

if (ret != 0) {

2879

MBEDTLS_SSL_DEBUG_RET(2,

2880

"Creating the ticket-resumed PSK failed",

2881

ret);

2882

return ret;

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2883

}

2884

Jerry Yu

0a430c8

2022-07-20 11:02:48 +0800

[diff] [blame]

2885

session->resumption_key_len = hash_length;

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2886

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2887

MBEDTLS_SSL_DEBUG_BUF(3, "Ticket-resumed PSK",

2888

session->resumption_key,

2889

session->resumption_key_len);

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2890

Pengyu Lv

2022-11-17 15:22:33 +0800

[diff] [blame]

2891

/* Set ticket_flags depends on the selected key exchange modes */

Pengyu Lv

80270b2

2023-01-12 11:54:04 +0800

[diff] [blame]

2892

mbedtls_ssl_session_set_ticket_flags(

Pengyu Lv

9eacb44

2022-12-09 14:39:19 +0800

[diff] [blame]

2893

session, ssl->conf->tls13_kex_modes);

Pengyu Lv

4938a56

2023-01-16 11:28:49 +0800

[diff] [blame]

2894

MBEDTLS_SSL_PRINT_TICKET_FLAGS(4, session->ticket_flags);

Pengyu Lv

2022-11-17 15:22:33 +0800

[diff] [blame]

2895

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2896

return 0;

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2897

}

2898

2899

/*

Jerry Yu

a8d3c50

2022-10-30 14:51:23 +0800

[diff] [blame]

2900

* Handler for MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2901

*/

Jerry Yu

2022-07-13 11:22:55 +0800

[diff] [blame]

2902

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2903

static int ssl_tls13_process_new_session_ticket(mbedtls_ssl_context *ssl)

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2904

{

2905

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

2906

unsigned char *buf;

2907

size_t buf_len;

Jerry Yu

2022-07-12 06:09:38 +0000

[diff] [blame]

2908

unsigned char *ticket_nonce;

2909

size_t ticket_nonce_len;

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2910

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2911

MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse new session ticket"));

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2912

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2913

MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_tls13_fetch_handshake_msg(

2914

ssl, MBEDTLS_SSL_HS_NEW_SESSION_TICKET,

2915

&buf, &buf_len));

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2916

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2917

MBEDTLS_SSL_PROC_CHK(ssl_tls13_parse_new_session_ticket(

2918

ssl, buf, buf + buf_len,

2919

&ticket_nonce, &ticket_nonce_len));

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2920

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2921

MBEDTLS_SSL_PROC_CHK(ssl_tls13_postprocess_new_session_ticket(

2922

ssl, ticket_nonce, ticket_nonce_len));

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2923

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2924

mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_OVER);

Jerry Yu

2022-07-13 11:16:51 +0800

[diff] [blame]

2925

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2926

cleanup:

2927

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2928

MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse new session ticket"));

2929

return ret;

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2930

}

2931

#endif /* MBEDTLS_SSL_SESSION_TICKETS */

2932

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2933

int mbedtls_ssl_tls13_handshake_client_step(mbedtls_ssl_context *ssl)

Jerry Yu

2021-08-24 15:59:48 +0800

[diff] [blame]

2934

{

Jerry Yu

2021-08-27 16:59:09 +0800

[diff] [blame]

2935

int ret = 0;

Jerry Yu

c8a392c

2021-08-18 16:46:28 +0800

[diff] [blame]

2936

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2937

switch (ssl->state) {

Jerry Yu

2021-08-27 16:59:09 +0800

[diff] [blame]

2938

case MBEDTLS_SSL_HELLO_REQUEST:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2939

mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_HELLO);

Jerry Yu

ddda050

2022-12-01 19:43:12 +0800

[diff] [blame]

2940

break;

2941

Jerry Yu

2021-08-27 16:59:09 +0800

[diff] [blame]

2942

case MBEDTLS_SSL_CLIENT_HELLO:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2943

ret = mbedtls_ssl_write_client_hello(ssl);

Jerry Yu

2021-08-27 16:59:09 +0800

[diff] [blame]

2944

break;

2945

2946

case MBEDTLS_SSL_SERVER_HELLO:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2947

ret = ssl_tls13_process_server_hello(ssl);

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

2948

break;

2949

2950

case MBEDTLS_SSL_ENCRYPTED_EXTENSIONS:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2951

ret = ssl_tls13_process_encrypted_extensions(ssl);

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

2952

break;

2953

Ronald Cron

2022-10-04 16:14:26 +0200

[diff] [blame]

2954

#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)

Jerry Yu

2021-10-29 10:08:19 +0800

[diff] [blame]

2955

case MBEDTLS_SSL_CERTIFICATE_REQUEST:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2956

ret = ssl_tls13_process_certificate_request(ssl);

Jerry Yu

2021-10-29 10:08:19 +0800

[diff] [blame]

2957

break;

2958

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

2959

case MBEDTLS_SSL_SERVER_CERTIFICATE:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2960

ret = ssl_tls13_process_server_certificate(ssl);

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

2961

break;

2962

2963

case MBEDTLS_SSL_CERTIFICATE_VERIFY:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2964

ret = ssl_tls13_process_certificate_verify(ssl);

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

2965

break;

Ronald Cron

2022-10-04 16:14:26 +0200

[diff] [blame]

2966

#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

2967

2968

case MBEDTLS_SSL_SERVER_FINISHED:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2969

ret = ssl_tls13_process_server_finished(ssl);

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

2970

break;

2971

Xiaokang Qian

2022-10-28 06:04:06 +0000

[diff] [blame]

2972

case MBEDTLS_SSL_END_OF_EARLY_DATA:

2973

ret = ssl_tls13_write_end_of_early_data(ssl);

2974

break;

2975

Jerry Yu

2022-01-26 15:41:22 +0800

[diff] [blame]

2976

case MBEDTLS_SSL_CLIENT_CERTIFICATE:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2977

ret = ssl_tls13_write_client_certificate(ssl);

Jerry Yu

2022-01-26 15:41:22 +0800

[diff] [blame]

2978

break;

2979

Ronald Cron

2022-10-04 16:14:26 +0200

[diff] [blame]

2980

#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)

Jerry Yu

2022-01-26 15:41:22 +0800

[diff] [blame]

2981

case MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2982

ret = ssl_tls13_write_client_certificate_verify(ssl);

Jerry Yu

2022-01-26 15:41:22 +0800

[diff] [blame]

2983

break;

Ronald Cron

2022-10-04 16:14:26 +0200

[diff] [blame]

2984

#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */

Jerry Yu

2022-01-26 15:41:22 +0800

[diff] [blame]

2985

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

2986

case MBEDTLS_SSL_CLIENT_FINISHED:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2987

ret = ssl_tls13_write_client_finished(ssl);

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

2988

break;

2989

2990

case MBEDTLS_SSL_FLUSH_BUFFERS:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2991

ret = ssl_tls13_flush_buffers(ssl);

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

2992

break;

2993

2994

case MBEDTLS_SSL_HANDSHAKE_WRAPUP:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2995

ret = ssl_tls13_handshake_wrapup(ssl);

Jerry Yu

2021-08-27 16:59:09 +0800

[diff] [blame]

2996

break;

2997

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2998

/*

2999

* Injection of dummy-CCS's for middlebox compatibility

3000

*/

Ronald Cron

2021-11-24 16:25:31 +0100

[diff] [blame]

3001

#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)

XiaokangQian

0b56a8f

2021-12-22 02:39:32 +0000

[diff] [blame]

3002

case MBEDTLS_SSL_CLIENT_CCS_BEFORE_2ND_CLIENT_HELLO:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

3003

ret = mbedtls_ssl_tls13_write_change_cipher_spec(ssl);

3004

if (ret == 0) {

3005

mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_HELLO);

3006

}

Ronald Cron

9f55f63

2022-02-02 16:02:47 +0100

[diff] [blame]

3007

break;

3008

3009

case MBEDTLS_SSL_CLIENT_CCS_AFTER_SERVER_FINISHED:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

3010

ret = mbedtls_ssl_tls13_write_change_cipher_spec(ssl);

3011

if (ret == 0) {

Xiaokang Qian

2023-03-29 10:37:35 +0000

[diff] [blame]

3012

mbedtls_ssl_handshake_set_state(

3013

ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE);

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

3014

}

Ronald Cron

2021-11-24 16:25:31 +0100

[diff] [blame]

3015

break;

Xiaokang Qian

f6d8fd3

2023-02-02 02:46:26 +0000

[diff] [blame]

3016

Xiaokang Qian

2023-01-04 10:47:05 +0000

[diff] [blame]

3017

case MBEDTLS_SSL_CLIENT_CCS_AFTER_CLIENT_HELLO:

3018

ret = mbedtls_ssl_tls13_write_change_cipher_spec(ssl);

3019

if (ret == 0) {

3020

mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_HELLO);

3021

Xiaokang Qian

33ff868

2023-01-10 06:32:12 +0000

[diff] [blame]

3022

#if defined(MBEDTLS_SSL_EARLY_DATA)

Xiaokang Qian

2023-01-04 10:47:05 +0000

[diff] [blame]

3023

MBEDTLS_SSL_DEBUG_MSG(

3024

1, ("Switch to early data keys for outbound traffic"));

3025

mbedtls_ssl_set_outbound_transform(

3026

ssl, ssl->handshake->transform_earlydata);

Xiaokang Qian

33ff868

2023-01-10 06:32:12 +0000

[diff] [blame]

3027

#endif

Xiaokang Qian

2023-01-04 10:47:05 +0000

[diff] [blame]

3028

}

3029

break;

Ronald Cron

2021-11-24 16:25:31 +0100

[diff] [blame]

3030

#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */

3031

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

3032

#if defined(MBEDTLS_SSL_SESSION_TICKETS)

Jerry Yu

a8d3c50

2022-10-30 14:51:23 +0800

[diff] [blame]

3033

case MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

3034

ret = ssl_tls13_process_new_session_ticket(ssl);

3035

if (ret != 0) {

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

3036

break;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

3037

}

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

3038

ret = MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET;

3039

break;

3040

#endif /* MBEDTLS_SSL_SESSION_TICKETS */

3041

Jerry Yu

2021-08-27 16:59:09 +0800

[diff] [blame]

3042

default:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

3043

MBEDTLS_SSL_DEBUG_MSG(1, ("invalid state %d", ssl->state));

3044

return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;

Jerry Yu

2021-08-27 16:59:09 +0800

[diff] [blame]

3045

}

3046

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

3047

return ret;

Jerry Yu