| Jerry Yu | 3cc4c2a | 2021-08-06 16:29:08 +0800 | [diff] [blame] | 1 | /* |
| 2 | * TLS 1.3 client-side functions |
| 3 | * |
| 4 | * Copyright The Mbed TLS Contributors |
| 5 | * SPDX-License-Identifier: Apache-2.0 |
| 6 | * |
| 7 | * Licensed under the Apache License, Version 2.0 (the "License"); you may |
| 8 | * not use this file except in compliance with the License. |
| 9 | * You may obtain a copy of the License at |
| 10 | * |
| 11 | * http://www.apache.org/licenses/LICENSE-2.0 |
| 12 | * |
| 13 | * Unless required by applicable law or agreed to in writing, software |
| 14 | * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT |
| 15 | * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 16 | * See the License for the specific language governing permissions and |
| 17 | * limitations under the License. |
| 18 | * |
| 19 | * This file is part of mbed TLS ( https://tls.mbed.org ) |
| 20 | */ |
| 21 | |
| 22 | #include "common.h" |
| 23 | |
| Jerry Yu | cc43c6b | 2022-01-28 10:24:45 +0800 | [diff] [blame] | 24 | #if defined(MBEDTLS_SSL_CLI_C) && defined(MBEDTLS_SSL_PROTO_TLS1_3) |
| Jerry Yu | 3cc4c2a | 2021-08-06 16:29:08 +0800 | [diff] [blame] | 25 | |
| Jerry Yu | bc20bdd | 2021-08-24 15:59:48 +0800 | [diff] [blame] | 26 | #include <string.h> |
| 27 | |
| Jerry Yu | 56fc07f | 2021-09-01 17:48:49 +0800 | [diff] [blame] | 28 | #include "mbedtls/debug.h" |
| 29 | #include "mbedtls/error.h" |
| Jerry Yu | e1b9c29 | 2021-09-10 10:08:31 +0800 | [diff] [blame] | 30 | #include "mbedtls/platform.h" |
| Jerry Yu | a13c7e7 | 2021-08-17 10:44:40 +0800 | [diff] [blame] | 31 | |
| Jerry Yu | bdc7188 | 2021-09-14 19:30:36 +0800 | [diff] [blame] | 32 | #include "ssl_misc.h" |
| Ronald Cron | 3d580bf | 2022-02-18 17:24:56 +0100 | [diff] [blame] | 33 | #include "ssl_client.h" |
| Jerry Yu | e1b9c29 | 2021-09-10 10:08:31 +0800 | [diff] [blame] | 34 | #include "ssl_tls13_keys.h" |
| Jerry Yu | cbd082f | 2022-08-04 16:55:10 +0800 | [diff] [blame] | 35 | #include "ssl_debug_helpers.h" |
| Jerry Yu | bdc7188 | 2021-09-14 19:30:36 +0800 | [diff] [blame] | 36 | |
| Andrzej Kurek | 8a045ce | 2022-12-23 11:00:06 -0500 | [diff] [blame] | 37 | #define PSA_TO_MBEDTLS_ERR(status) PSA_TO_MBEDTLS_ERR_LIST(status, \ |
| 38 | psa_to_ssl_errors, \ |
| 39 | psa_generic_status_to_mbedtls) |
| 40 | |
| Jerry Yu | bc20bdd | 2021-08-24 15:59:48 +0800 | [diff] [blame] | 41 | /* Write extensions */ |
| 42 | |
| Jerry Yu | 92c6b40 | 2021-08-27 16:59:09 +0800 | [diff] [blame] | 43 | /* |
| 44 | * ssl_tls13_write_supported_versions_ext(): |
| 45 | * |
| 46 | * struct { |
| 47 | * ProtocolVersion versions<2..254>; |
| 48 | * } SupportedVersions; |
| 49 | */ |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 50 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 51 | static int ssl_tls13_write_supported_versions_ext(mbedtls_ssl_context *ssl, |
| 52 | unsigned char *buf, |
| 53 | unsigned char *end, |
| 54 | size_t *out_len) |
| Jerry Yu | 92c6b40 | 2021-08-27 16:59:09 +0800 | [diff] [blame] | 55 | { |
| 56 | unsigned char *p = buf; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 57 | unsigned char versions_len = (ssl->handshake->min_tls_version <= |
| 58 | MBEDTLS_SSL_VERSION_TLS1_2) ? 4 : 2; |
| Jerry Yu | 92c6b40 | 2021-08-27 16:59:09 +0800 | [diff] [blame] | 59 | |
| Xiaofei Bai | d25fab6 | 2021-12-02 06:36:27 +0000 | [diff] [blame] | 60 | *out_len = 0; |
| Jerry Yu | 92c6b40 | 2021-08-27 16:59:09 +0800 | [diff] [blame] | 61 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 62 | MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, adding supported versions extension")); |
| Jerry Yu | 92c6b40 | 2021-08-27 16:59:09 +0800 | [diff] [blame] | 63 | |
| Jerry Yu | 388bd0d | 2021-09-15 18:41:02 +0800 | [diff] [blame] | 64 | /* Check if we have space to write the extension: |
| Jerry Yu | b60e3cf | 2021-09-08 16:41:02 +0800 | [diff] [blame] | 65 | * - extension_type (2 bytes) |
| 66 | * - extension_data_length (2 bytes) |
| 67 | * - versions_length (1 byte ) |
| Ronald Cron | a77fc27 | 2022-03-30 17:20:47 +0200 | [diff] [blame] | 68 | * - versions (2 or 4 bytes) |
| Jerry Yu | 159c5a0 | 2021-08-31 12:51:25 +0800 | [diff] [blame] | 69 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 70 | MBEDTLS_SSL_CHK_BUF_PTR(p, end, 5 + versions_len); |
| Ronald Cron | dbe87f0 | 2022-02-10 14:35:27 +0100 | [diff] [blame] | 71 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 72 | MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS, p, 0); |
| 73 | MBEDTLS_PUT_UINT16_BE(versions_len + 1, p, 2); |
| Jerry Yu | eecfbf0 | 2021-08-30 18:32:07 +0800 | [diff] [blame] | 74 | p += 4; |
| Jerry Yu | 92c6b40 | 2021-08-27 16:59:09 +0800 | [diff] [blame] | 75 | |
| Jerry Yu | 1bc2c1f | 2021-09-01 12:57:29 +0800 | [diff] [blame] | 76 | /* Length of versions */ |
| Ronald Cron | dbe87f0 | 2022-02-10 14:35:27 +0100 | [diff] [blame] | 77 | *p++ = versions_len; |
| Jerry Yu | 92c6b40 | 2021-08-27 16:59:09 +0800 | [diff] [blame] | 78 | |
| Jerry Yu | 0c63af6 | 2021-09-02 12:59:12 +0800 | [diff] [blame] | 79 | /* Write values of supported versions. |
| Jerry Yu | 0c63af6 | 2021-09-02 12:59:12 +0800 | [diff] [blame] | 80 | * They are defined by the configuration. |
| Ronald Cron | dbe87f0 | 2022-02-10 14:35:27 +0100 | [diff] [blame] | 81 | * Currently, we advertise only TLS 1.3 or both TLS 1.3 and TLS 1.2. |
| Jerry Yu | 92c6b40 | 2021-08-27 16:59:09 +0800 | [diff] [blame] | 82 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 83 | mbedtls_ssl_write_version(p, MBEDTLS_SSL_TRANSPORT_STREAM, |
| 84 | MBEDTLS_SSL_VERSION_TLS1_3); |
| 85 | MBEDTLS_SSL_DEBUG_MSG(3, ("supported version: [3:4]")); |
| Jerry Yu | 92c6b40 | 2021-08-27 16:59:09 +0800 | [diff] [blame] | 86 | |
| Jerry Yu | 92c6b40 | 2021-08-27 16:59:09 +0800 | [diff] [blame] | 87 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 88 | if (ssl->handshake->min_tls_version <= MBEDTLS_SSL_VERSION_TLS1_2) { |
| 89 | mbedtls_ssl_write_version(p + 2, MBEDTLS_SSL_TRANSPORT_STREAM, |
| 90 | MBEDTLS_SSL_VERSION_TLS1_2); |
| 91 | MBEDTLS_SSL_DEBUG_MSG(3, ("supported version: [3:3]")); |
| Ronald Cron | dbe87f0 | 2022-02-10 14:35:27 +0100 | [diff] [blame] | 92 | } |
| 93 | |
| 94 | *out_len = 5 + versions_len; |
| Jerry Yu | 4b8f2f7 | 2022-10-31 13:31:22 +0800 | [diff] [blame] | 95 | |
| Jerry Yu | c4bf5d6 | 2022-10-29 09:08:47 +0800 | [diff] [blame] | 96 | mbedtls_ssl_tls13_set_hs_sent_ext_mask( |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 97 | ssl, MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS); |
| Jerry Yu | 4b8f2f7 | 2022-10-31 13:31:22 +0800 | [diff] [blame] | 98 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 99 | return 0; |
| Jerry Yu | 92c6b40 | 2021-08-27 16:59:09 +0800 | [diff] [blame] | 100 | } |
| Jerry Yu | bc20bdd | 2021-08-24 15:59:48 +0800 | [diff] [blame] | 101 | |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 102 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 103 | static int ssl_tls13_parse_supported_versions_ext(mbedtls_ssl_context *ssl, |
| 104 | const unsigned char *buf, |
| 105 | const unsigned char *end) |
| Jerry Yu | e1b9c29 | 2021-09-10 10:08:31 +0800 | [diff] [blame] | 106 | { |
| Jerry Yu | e1b9c29 | 2021-09-10 10:08:31 +0800 | [diff] [blame] | 107 | ((void) ssl); |
| 108 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 109 | MBEDTLS_SSL_CHK_BUF_READ_PTR(buf, end, 2); |
| 110 | if (mbedtls_ssl_read_version(buf, ssl->conf->transport) != |
| 111 | MBEDTLS_SSL_VERSION_TLS1_3) { |
| 112 | MBEDTLS_SSL_DEBUG_MSG(1, ("unexpected version")); |
| Jerry Yu | 4a17338 | 2021-10-11 21:45:31 +0800 | [diff] [blame] | 113 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 114 | MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER, |
| 115 | MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER); |
| 116 | return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; |
| Jerry Yu | e1b9c29 | 2021-09-10 10:08:31 +0800 | [diff] [blame] | 117 | } |
| 118 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 119 | if (&buf[2] != end) { |
| Xiaokang Qian | 91bb3f0 | 2023-04-03 09:07:03 +0000 | [diff] [blame] | 120 | MBEDTLS_SSL_DEBUG_MSG( |
| 121 | 1, ("supported_versions ext data length incorrect")); |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 122 | MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR, |
| 123 | MBEDTLS_ERR_SSL_DECODE_ERROR); |
| 124 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Ronald Cron | 9847338 | 2022-03-30 20:04:10 +0200 | [diff] [blame] | 125 | } |
| 126 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 127 | return 0; |
| Jerry Yu | e1b9c29 | 2021-09-10 10:08:31 +0800 | [diff] [blame] | 128 | } |
| 129 | |
| lhuang04 | 86cacac | 2022-01-21 07:34:27 -0800 | [diff] [blame] | 130 | #if defined(MBEDTLS_SSL_ALPN) |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 131 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 132 | static int ssl_tls13_parse_alpn_ext(mbedtls_ssl_context *ssl, |
| 133 | const unsigned char *buf, size_t len) |
| lhuang04 | 86cacac | 2022-01-21 07:34:27 -0800 | [diff] [blame] | 134 | { |
| lhuang04 | 86cacac | 2022-01-21 07:34:27 -0800 | [diff] [blame] | 135 | const unsigned char *p = buf; |
| 136 | const unsigned char *end = buf + len; |
| Ronald Cron | 81a334f | 2022-05-31 16:04:11 +0200 | [diff] [blame] | 137 | size_t protocol_name_list_len, protocol_name_len; |
| 138 | const unsigned char *protocol_name_list_end; |
| lhuang04 | 86cacac | 2022-01-21 07:34:27 -0800 | [diff] [blame] | 139 | |
| 140 | /* If we didn't send it, the server shouldn't send it */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 141 | if (ssl->conf->alpn_list == NULL) { |
| 142 | return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; |
| 143 | } |
| lhuang04 | 86cacac | 2022-01-21 07:34:27 -0800 | [diff] [blame] | 144 | |
| 145 | /* |
| 146 | * opaque ProtocolName<1..2^8-1>; |
| 147 | * |
| 148 | * struct { |
| 149 | * ProtocolName protocol_name_list<2..2^16-1> |
| 150 | * } ProtocolNameList; |
| 151 | * |
| 152 | * the "ProtocolNameList" MUST contain exactly one "ProtocolName" |
| 153 | */ |
| 154 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 155 | MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2); |
| 156 | protocol_name_list_len = MBEDTLS_GET_UINT16_BE(p, 0); |
| lhuang04 | 86cacac | 2022-01-21 07:34:27 -0800 | [diff] [blame] | 157 | p += 2; |
| lhuang04 | 86cacac | 2022-01-21 07:34:27 -0800 | [diff] [blame] | 158 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 159 | MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, protocol_name_list_len); |
| Ronald Cron | 81a334f | 2022-05-31 16:04:11 +0200 | [diff] [blame] | 160 | protocol_name_list_end = p + protocol_name_list_len; |
| 161 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 162 | MBEDTLS_SSL_CHK_BUF_READ_PTR(p, protocol_name_list_end, 1); |
| Ronald Cron | 81a334f | 2022-05-31 16:04:11 +0200 | [diff] [blame] | 163 | protocol_name_len = *p++; |
| lhuang04 | 86cacac | 2022-01-21 07:34:27 -0800 | [diff] [blame] | 164 | |
| 165 | /* Check that the server chosen protocol was in our list and save it */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 166 | MBEDTLS_SSL_CHK_BUF_READ_PTR(p, protocol_name_list_end, protocol_name_len); |
| 167 | for (const char **alpn = ssl->conf->alpn_list; *alpn != NULL; alpn++) { |
| 168 | if (protocol_name_len == strlen(*alpn) && |
| 169 | memcmp(p, *alpn, protocol_name_len) == 0) { |
| lhuang04 | 86cacac | 2022-01-21 07:34:27 -0800 | [diff] [blame] | 170 | ssl->alpn_chosen = *alpn; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 171 | return 0; |
| lhuang04 | 86cacac | 2022-01-21 07:34:27 -0800 | [diff] [blame] | 172 | } |
| 173 | } |
| 174 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 175 | return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; |
| lhuang04 | 86cacac | 2022-01-21 07:34:27 -0800 | [diff] [blame] | 176 | } |
| 177 | #endif /* MBEDTLS_SSL_ALPN */ |
| 178 | |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 179 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 180 | static int ssl_tls13_reset_key_share(mbedtls_ssl_context *ssl) |
| XiaokangQian | 647719a | 2021-12-07 09:16:29 +0000 | [diff] [blame] | 181 | { |
| 182 | uint16_t group_id = ssl->handshake->offered_group_id; |
| Ronald Cron | 5b98ac9 | 2022-03-15 10:19:18 +0100 | [diff] [blame] | 183 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 184 | if (group_id == 0) { |
| 185 | return MBEDTLS_ERR_SSL_INTERNAL_ERROR; |
| 186 | } |
| XiaokangQian | 647719a | 2021-12-07 09:16:29 +0000 | [diff] [blame] | 187 | |
| Przemek Stekiel | c89f3ea | 2023-05-18 15:45:53 +0200 | [diff] [blame] | 188 | #if defined(PSA_WANT_ALG_ECDH) || defined(PSA_WANT_ALG_FFDH) |
| 189 | if (mbedtls_ssl_tls13_named_group_is_ecdhe(group_id) || |
| 190 | mbedtls_ssl_tls13_named_group_is_dhe(group_id)) { |
| Ronald Cron | 5b98ac9 | 2022-03-15 10:19:18 +0100 | [diff] [blame] | 191 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| 192 | psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; |
| 193 | |
| 194 | /* Destroy generated private key. */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 195 | status = psa_destroy_key(ssl->handshake->ecdh_psa_privkey); |
| 196 | if (status != PSA_SUCCESS) { |
| Andrzej Kurek | 8a045ce | 2022-12-23 11:00:06 -0500 | [diff] [blame] | 197 | ret = PSA_TO_MBEDTLS_ERR(status); |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 198 | MBEDTLS_SSL_DEBUG_RET(1, "psa_destroy_key", ret); |
| 199 | return ret; |
| Ronald Cron | 5b98ac9 | 2022-03-15 10:19:18 +0100 | [diff] [blame] | 200 | } |
| 201 | |
| 202 | ssl->handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 203 | return 0; |
| 204 | } else |
| Przemek Stekiel | c89f3ea | 2023-05-18 15:45:53 +0200 | [diff] [blame] | 205 | #endif /* PSA_WANT_ALG_ECDH || PSA_WANT_ALG_FFDH */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 206 | if (0 /* other KEMs? */) { |
| XiaokangQian | 647719a | 2021-12-07 09:16:29 +0000 | [diff] [blame] | 207 | /* Do something */ |
| 208 | } |
| 209 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 210 | return MBEDTLS_ERR_SSL_INTERNAL_ERROR; |
| XiaokangQian | 647719a | 2021-12-07 09:16:29 +0000 | [diff] [blame] | 211 | } |
| 212 | |
| 213 | /* |
| Jerry Yu | 56fc07f | 2021-09-01 17:48:49 +0800 | [diff] [blame] | 214 | * Functions for writing key_share extension. |
| 215 | */ |
| Ronald Cron | 766c0cd | 2022-10-18 12:17:11 +0200 | [diff] [blame] | 216 | #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED) |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 217 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 218 | static int ssl_tls13_get_default_group_id(mbedtls_ssl_context *ssl, |
| 219 | uint16_t *group_id) |
| Jerry Yu | 56fc07f | 2021-09-01 17:48:49 +0800 | [diff] [blame] | 220 | { |
| 221 | int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; |
| 222 | |
| Jerry Yu | 56fc07f | 2021-09-01 17:48:49 +0800 | [diff] [blame] | 223 | |
| Przemek Stekiel | c89f3ea | 2023-05-18 15:45:53 +0200 | [diff] [blame] | 224 | #if defined(PSA_WANT_ALG_ECDH) || defined(PSA_WANT_ALG_FFDH) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 225 | const uint16_t *group_list = mbedtls_ssl_get_groups(ssl); |
| Jerry Yu | 388bd0d | 2021-09-15 18:41:02 +0800 | [diff] [blame] | 226 | /* Pick first available ECDHE group compatible with TLS 1.3 */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 227 | if (group_list == NULL) { |
| 228 | return MBEDTLS_ERR_SSL_BAD_CONFIG; |
| 229 | } |
| Przemek Stekiel | a05e9c1 | 2023-06-15 16:58:51 +0200 | [diff] [blame^] | 230 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 231 | for (; *group_list != 0; group_list++) { |
| Przemek Stekiel | a05e9c1 | 2023-06-15 16:58:51 +0200 | [diff] [blame^] | 232 | #if defined(PSA_WANT_ALG_ECDH) |
| Xiaokang Qian | 958b6ff | 2023-03-29 10:37:35 +0000 | [diff] [blame] | 233 | if ((mbedtls_ssl_get_psa_curve_info_from_tls_id( |
| 234 | *group_list, NULL, NULL) == PSA_SUCCESS) && |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 235 | mbedtls_ssl_tls13_named_group_is_ecdhe(*group_list)) { |
| Brett Warren | 14efd33 | 2021-10-06 09:32:11 +0100 | [diff] [blame] | 236 | *group_id = *group_list; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 237 | return 0; |
| Jerry Yu | 56fc07f | 2021-09-01 17:48:49 +0800 | [diff] [blame] | 238 | } |
| Przemek Stekiel | a05e9c1 | 2023-06-15 16:58:51 +0200 | [diff] [blame^] | 239 | #endif |
| 240 | #if defined(PSA_WANT_ALG_FFDH) |
| 241 | if (mbedtls_ssl_tls13_named_group_is_dhe(*group_list)) { |
| 242 | *group_id = *group_list; |
| 243 | return 0; |
| 244 | } |
| 245 | #endif |
| Jerry Yu | 56fc07f | 2021-09-01 17:48:49 +0800 | [diff] [blame] | 246 | } |
| 247 | #else |
| 248 | ((void) ssl); |
| Jerry Yu | b60e3cf | 2021-09-08 16:41:02 +0800 | [diff] [blame] | 249 | ((void) group_id); |
| Przemek Stekiel | c89f3ea | 2023-05-18 15:45:53 +0200 | [diff] [blame] | 250 | #endif /* PSA_WANT_ALG_ECDH || PSA_WANT_ALG_FFDH */ |
| Jerry Yu | 56fc07f | 2021-09-01 17:48:49 +0800 | [diff] [blame] | 251 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 252 | return ret; |
| Jerry Yu | 56fc07f | 2021-09-01 17:48:49 +0800 | [diff] [blame] | 253 | } |
| 254 | |
| 255 | /* |
| 256 | * ssl_tls13_write_key_share_ext |
| 257 | * |
| Jerry Yu | 388bd0d | 2021-09-15 18:41:02 +0800 | [diff] [blame] | 258 | * Structure of key_share extension in ClientHello: |
| Jerry Yu | 56fc07f | 2021-09-01 17:48:49 +0800 | [diff] [blame] | 259 | * |
| 260 | * struct { |
| 261 | * NamedGroup group; |
| 262 | * opaque key_exchange<1..2^16-1>; |
| 263 | * } KeyShareEntry; |
| 264 | * struct { |
| 265 | * KeyShareEntry client_shares<0..2^16-1>; |
| 266 | * } KeyShareClientHello; |
| 267 | */ |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 268 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 269 | static int ssl_tls13_write_key_share_ext(mbedtls_ssl_context *ssl, |
| 270 | unsigned char *buf, |
| 271 | unsigned char *end, |
| 272 | size_t *out_len) |
| Jerry Yu | 56fc07f | 2021-09-01 17:48:49 +0800 | [diff] [blame] | 273 | { |
| 274 | unsigned char *p = buf; |
| Xiaofei Bai | eef1504 | 2021-11-18 07:29:56 +0000 | [diff] [blame] | 275 | unsigned char *client_shares; /* Start of client_shares */ |
| 276 | size_t client_shares_len; /* Length of client_shares */ |
| Jerry Yu | 56fc07f | 2021-09-01 17:48:49 +0800 | [diff] [blame] | 277 | uint16_t group_id; |
| Jerry Yu | 56fc07f | 2021-09-01 17:48:49 +0800 | [diff] [blame] | 278 | int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; |
| 279 | |
| Xiaofei Bai | d25fab6 | 2021-12-02 06:36:27 +0000 | [diff] [blame] | 280 | *out_len = 0; |
| Jerry Yu | 56fc07f | 2021-09-01 17:48:49 +0800 | [diff] [blame] | 281 | |
| Jerry Yu | b60e3cf | 2021-09-08 16:41:02 +0800 | [diff] [blame] | 282 | /* Check if we have space for header and length fields: |
| Jerry Yu | 56fc07f | 2021-09-01 17:48:49 +0800 | [diff] [blame] | 283 | * - extension_type (2 bytes) |
| 284 | * - extension_data_length (2 bytes) |
| 285 | * - client_shares_length (2 bytes) |
| 286 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 287 | MBEDTLS_SSL_CHK_BUF_PTR(p, end, 6); |
| Jerry Yu | 56fc07f | 2021-09-01 17:48:49 +0800 | [diff] [blame] | 288 | p += 6; |
| 289 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 290 | MBEDTLS_SSL_DEBUG_MSG(3, ("client hello: adding key share extension")); |
| Jerry Yu | 56fc07f | 2021-09-01 17:48:49 +0800 | [diff] [blame] | 291 | |
| 292 | /* HRR could already have requested something else. */ |
| 293 | group_id = ssl->handshake->offered_group_id; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 294 | if (!mbedtls_ssl_tls13_named_group_is_ecdhe(group_id) && |
| 295 | !mbedtls_ssl_tls13_named_group_is_dhe(group_id)) { |
| 296 | MBEDTLS_SSL_PROC_CHK(ssl_tls13_get_default_group_id(ssl, |
| 297 | &group_id)); |
| Jerry Yu | 56fc07f | 2021-09-01 17:48:49 +0800 | [diff] [blame] | 298 | } |
| 299 | |
| 300 | /* |
| 301 | * Dispatch to type-specific key generation function. |
| 302 | * |
| 303 | * So far, we're only supporting ECDHE. With the introduction |
| 304 | * of PQC KEMs, we'll want to have multiple branches, one per |
| 305 | * type of KEM, and dispatch to the corresponding crypto. And |
| 306 | * only one key share entry is allowed. |
| 307 | */ |
| Xiaofei Bai | eef1504 | 2021-11-18 07:29:56 +0000 | [diff] [blame] | 308 | client_shares = p; |
| Przemek Stekiel | c89f3ea | 2023-05-18 15:45:53 +0200 | [diff] [blame] | 309 | #if defined(PSA_WANT_ALG_ECDH) || defined(PSA_WANT_ALG_FFDH) |
| 310 | if (mbedtls_ssl_tls13_named_group_is_ecdhe(group_id) || |
| 311 | mbedtls_ssl_tls13_named_group_is_dhe(group_id)) { |
| Jerry Yu | 388bd0d | 2021-09-15 18:41:02 +0800 | [diff] [blame] | 312 | /* Pointer to group */ |
| Xiaofei Bai | eef1504 | 2021-11-18 07:29:56 +0000 | [diff] [blame] | 313 | unsigned char *group = p; |
| Jerry Yu | 56fc07f | 2021-09-01 17:48:49 +0800 | [diff] [blame] | 314 | /* Length of key_exchange */ |
| Przemyslaw Stekiel | 4f419e5 | 2022-02-10 15:56:26 +0100 | [diff] [blame] | 315 | size_t key_exchange_len = 0; |
| Jerry Yu | 56fc07f | 2021-09-01 17:48:49 +0800 | [diff] [blame] | 316 | |
| 317 | /* Check there is space for header of KeyShareEntry |
| 318 | * - group (2 bytes) |
| 319 | * - key_exchange_length (2 bytes) |
| 320 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 321 | MBEDTLS_SSL_CHK_BUF_PTR(p, end, 4); |
| Jerry Yu | 56fc07f | 2021-09-01 17:48:49 +0800 | [diff] [blame] | 322 | p += 4; |
| Przemek Stekiel | 29c219c | 2023-05-31 15:21:04 +0200 | [diff] [blame] | 323 | ret = mbedtls_ssl_tls13_generate_and_write_dh_key_exchange( |
| 324 | ssl, group_id, p, end, &key_exchange_len); |
| Jerry Yu | 56fc07f | 2021-09-01 17:48:49 +0800 | [diff] [blame] | 325 | p += key_exchange_len; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 326 | if (ret != 0) { |
| 327 | return ret; |
| 328 | } |
| Jerry Yu | 56fc07f | 2021-09-01 17:48:49 +0800 | [diff] [blame] | 329 | |
| 330 | /* Write group */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 331 | MBEDTLS_PUT_UINT16_BE(group_id, group, 0); |
| Jerry Yu | 56fc07f | 2021-09-01 17:48:49 +0800 | [diff] [blame] | 332 | /* Write key_exchange_length */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 333 | MBEDTLS_PUT_UINT16_BE(key_exchange_len, group, 2); |
| 334 | } else |
| Przemek Stekiel | c89f3ea | 2023-05-18 15:45:53 +0200 | [diff] [blame] | 335 | #endif /* PSA_WANT_ALG_ECDH || PSA_WANT_ALG_FFDH */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 336 | if (0 /* other KEMs? */) { |
| Jerry Yu | 56fc07f | 2021-09-01 17:48:49 +0800 | [diff] [blame] | 337 | /* Do something */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 338 | } else { |
| 339 | return MBEDTLS_ERR_SSL_INTERNAL_ERROR; |
| Jerry Yu | 56fc07f | 2021-09-01 17:48:49 +0800 | [diff] [blame] | 340 | } |
| Jerry Yu | 56fc07f | 2021-09-01 17:48:49 +0800 | [diff] [blame] | 341 | |
| Jerry Yu | b60e3cf | 2021-09-08 16:41:02 +0800 | [diff] [blame] | 342 | /* Length of client_shares */ |
| Xiaofei Bai | eef1504 | 2021-11-18 07:29:56 +0000 | [diff] [blame] | 343 | client_shares_len = p - client_shares; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 344 | if (client_shares_len == 0) { |
| 345 | MBEDTLS_SSL_DEBUG_MSG(1, ("No key share defined.")); |
| 346 | return MBEDTLS_ERR_SSL_INTERNAL_ERROR; |
| Jerry Yu | 7c522d4 | 2021-09-08 17:55:09 +0800 | [diff] [blame] | 347 | } |
| Jerry Yu | 56fc07f | 2021-09-01 17:48:49 +0800 | [diff] [blame] | 348 | /* Write extension_type */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 349 | MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_KEY_SHARE, buf, 0); |
| Jerry Yu | 56fc07f | 2021-09-01 17:48:49 +0800 | [diff] [blame] | 350 | /* Write extension_data_length */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 351 | MBEDTLS_PUT_UINT16_BE(client_shares_len + 2, buf, 2); |
| Jerry Yu | 56fc07f | 2021-09-01 17:48:49 +0800 | [diff] [blame] | 352 | /* Write client_shares_length */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 353 | MBEDTLS_PUT_UINT16_BE(client_shares_len, buf, 4); |
| Jerry Yu | 56fc07f | 2021-09-01 17:48:49 +0800 | [diff] [blame] | 354 | |
| 355 | /* Update offered_group_id field */ |
| 356 | ssl->handshake->offered_group_id = group_id; |
| 357 | |
| 358 | /* Output the total length of key_share extension. */ |
| Xiaofei Bai | d25fab6 | 2021-12-02 06:36:27 +0000 | [diff] [blame] | 359 | *out_len = p - buf; |
| Jerry Yu | 56fc07f | 2021-09-01 17:48:49 +0800 | [diff] [blame] | 360 | |
| Xiaokang Qian | 91bb3f0 | 2023-04-03 09:07:03 +0000 | [diff] [blame] | 361 | MBEDTLS_SSL_DEBUG_BUF( |
| 362 | 3, "client hello, key_share extension", buf, *out_len); |
| Jerry Yu | 56fc07f | 2021-09-01 17:48:49 +0800 | [diff] [blame] | 363 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 364 | mbedtls_ssl_tls13_set_hs_sent_ext_mask(ssl, MBEDTLS_TLS_EXT_KEY_SHARE); |
| Jerry Yu | 56fc07f | 2021-09-01 17:48:49 +0800 | [diff] [blame] | 365 | |
| 366 | cleanup: |
| 367 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 368 | return ret; |
| Jerry Yu | 56fc07f | 2021-09-01 17:48:49 +0800 | [diff] [blame] | 369 | } |
| Ronald Cron | 766c0cd | 2022-10-18 12:17:11 +0200 | [diff] [blame] | 370 | #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED */ |
| Jerry Yu | e1b9c29 | 2021-09-10 10:08:31 +0800 | [diff] [blame] | 371 | |
| XiaokangQian | d59be77 | 2022-01-24 10:12:51 +0000 | [diff] [blame] | 372 | /* |
| 373 | * ssl_tls13_parse_hrr_key_share_ext() |
| 374 | * Parse key_share extension in Hello Retry Request |
| 375 | * |
| 376 | * struct { |
| 377 | * NamedGroup selected_group; |
| 378 | * } KeyShareHelloRetryRequest; |
| 379 | */ |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 380 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 381 | static int ssl_tls13_parse_hrr_key_share_ext(mbedtls_ssl_context *ssl, |
| 382 | const unsigned char *buf, |
| 383 | const unsigned char *end) |
| XiaokangQian | b851da8 | 2022-01-14 04:03:11 +0000 | [diff] [blame] | 384 | { |
| Przemek Stekiel | 75a5a9c | 2023-06-12 11:21:18 +0200 | [diff] [blame] | 385 | #if defined(PSA_WANT_ALG_ECDH) || defined(PSA_WANT_ALG_FFDH) |
| XiaokangQian | b851da8 | 2022-01-14 04:03:11 +0000 | [diff] [blame] | 386 | const unsigned char *p = buf; |
| XiaokangQian | d59be77 | 2022-01-24 10:12:51 +0000 | [diff] [blame] | 387 | int selected_group; |
| XiaokangQian | b851da8 | 2022-01-14 04:03:11 +0000 | [diff] [blame] | 388 | int found = 0; |
| 389 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 390 | const uint16_t *group_list = mbedtls_ssl_get_groups(ssl); |
| 391 | if (group_list == NULL) { |
| 392 | return MBEDTLS_ERR_SSL_BAD_CONFIG; |
| 393 | } |
| XiaokangQian | b851da8 | 2022-01-14 04:03:11 +0000 | [diff] [blame] | 394 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 395 | MBEDTLS_SSL_DEBUG_BUF(3, "key_share extension", p, end - buf); |
| XiaokangQian | b851da8 | 2022-01-14 04:03:11 +0000 | [diff] [blame] | 396 | |
| 397 | /* Read selected_group */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 398 | MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2); |
| 399 | selected_group = MBEDTLS_GET_UINT16_BE(p, 0); |
| 400 | MBEDTLS_SSL_DEBUG_MSG(3, ("selected_group ( %d )", selected_group)); |
| XiaokangQian | b851da8 | 2022-01-14 04:03:11 +0000 | [diff] [blame] | 401 | |
| 402 | /* Upon receipt of this extension in a HelloRetryRequest, the client |
| 403 | * MUST first verify that the selected_group field corresponds to a |
| 404 | * group which was provided in the "supported_groups" extension in the |
| 405 | * original ClientHello. |
| 406 | * The supported_group was based on the info in ssl->conf->group_list. |
| 407 | * |
| 408 | * If the server provided a key share that was not sent in the ClientHello |
| 409 | * then the client MUST abort the handshake with an "illegal_parameter" alert. |
| 410 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 411 | for (; *group_list != 0; group_list++) { |
| Przemek Stekiel | 75a5a9c | 2023-06-12 11:21:18 +0200 | [diff] [blame] | 412 | #if defined(PSA_WANT_ALG_ECDH) |
| Przemek Stekiel | c89f3ea | 2023-05-18 15:45:53 +0200 | [diff] [blame] | 413 | if (mbedtls_ssl_tls13_named_group_is_ecdhe(*group_list)) { |
| 414 | if ((mbedtls_ssl_get_psa_curve_info_from_tls_id( |
| 415 | *group_list, NULL, NULL) == PSA_ERROR_NOT_SUPPORTED) || |
| 416 | *group_list != selected_group) { |
| 417 | found = 1; |
| 418 | break; |
| 419 | } |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 420 | } |
| Przemek Stekiel | 75a5a9c | 2023-06-12 11:21:18 +0200 | [diff] [blame] | 421 | #endif /* PSA_WANT_ALG_ECDH */ |
| 422 | #if defined(PSA_WANT_ALG_FFDH) |
| Przemek Stekiel | c89f3ea | 2023-05-18 15:45:53 +0200 | [diff] [blame] | 423 | if (mbedtls_ssl_tls13_named_group_is_dhe(*group_list)) { |
| 424 | found = 1; |
| 425 | break; |
| 426 | } |
| Przemek Stekiel | 75a5a9c | 2023-06-12 11:21:18 +0200 | [diff] [blame] | 427 | #endif /* PSA_WANT_ALG_FFDH */ |
| XiaokangQian | b851da8 | 2022-01-14 04:03:11 +0000 | [diff] [blame] | 428 | } |
| 429 | |
| 430 | /* Client MUST verify that the selected_group field does not |
| 431 | * correspond to a group which was provided in the "key_share" |
| 432 | * extension in the original ClientHello. If the server sent an |
| 433 | * HRR message with a key share already provided in the |
| 434 | * ClientHello then the client MUST abort the handshake with |
| 435 | * an "illegal_parameter" alert. |
| 436 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 437 | if (found == 0 || selected_group == ssl->handshake->offered_group_id) { |
| 438 | MBEDTLS_SSL_DEBUG_MSG(1, ("Invalid key share in HRR")); |
| XiaokangQian | b851da8 | 2022-01-14 04:03:11 +0000 | [diff] [blame] | 439 | MBEDTLS_SSL_PEND_FATAL_ALERT( |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 440 | MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER, |
| 441 | MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER); |
| 442 | return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; |
| XiaokangQian | b851da8 | 2022-01-14 04:03:11 +0000 | [diff] [blame] | 443 | } |
| 444 | |
| 445 | /* Remember server's preference for next ClientHello */ |
| XiaokangQian | d59be77 | 2022-01-24 10:12:51 +0000 | [diff] [blame] | 446 | ssl->handshake->offered_group_id = selected_group; |
| XiaokangQian | b851da8 | 2022-01-14 04:03:11 +0000 | [diff] [blame] | 447 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 448 | return 0; |
| Przemek Stekiel | 75a5a9c | 2023-06-12 11:21:18 +0200 | [diff] [blame] | 449 | #else /* PSA_WANT_ALG_ECDH || PSA_WANT_ALG_FFDH */ |
| Andrzej Kurek | c19fb08 | 2022-10-03 10:52:24 -0400 | [diff] [blame] | 450 | (void) ssl; |
| 451 | (void) buf; |
| 452 | (void) end; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 453 | return MBEDTLS_ERR_SSL_BAD_CONFIG; |
| Przemek Stekiel | 75a5a9c | 2023-06-12 11:21:18 +0200 | [diff] [blame] | 454 | #endif /* PSA_WANT_ALG_ECDH || PSA_WANT_ALG_FFDH */ |
| XiaokangQian | b851da8 | 2022-01-14 04:03:11 +0000 | [diff] [blame] | 455 | } |
| 456 | |
| Jerry Yu | e1b9c29 | 2021-09-10 10:08:31 +0800 | [diff] [blame] | 457 | /* |
| Jerry Yu | b85277e | 2021-10-13 13:36:05 +0800 | [diff] [blame] | 458 | * ssl_tls13_parse_key_share_ext() |
| 459 | * Parse key_share extension in Server Hello |
| 460 | * |
| Jerry Yu | e1b9c29 | 2021-09-10 10:08:31 +0800 | [diff] [blame] | 461 | * struct { |
| 462 | * KeyShareEntry server_share; |
| 463 | * } KeyShareServerHello; |
| 464 | * struct { |
| 465 | * NamedGroup group; |
| 466 | * opaque key_exchange<1..2^16-1>; |
| 467 | * } KeyShareEntry; |
| 468 | */ |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 469 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 470 | static int ssl_tls13_parse_key_share_ext(mbedtls_ssl_context *ssl, |
| 471 | const unsigned char *buf, |
| 472 | const unsigned char *end) |
| Jerry Yu | e1b9c29 | 2021-09-10 10:08:31 +0800 | [diff] [blame] | 473 | { |
| Jerry Yu | b85277e | 2021-10-13 13:36:05 +0800 | [diff] [blame] | 474 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| Jerry Yu | e1b9c29 | 2021-09-10 10:08:31 +0800 | [diff] [blame] | 475 | const unsigned char *p = buf; |
| Jerry Yu | 4a17338 | 2021-10-11 21:45:31 +0800 | [diff] [blame] | 476 | uint16_t group, offered_group; |
| Jerry Yu | e1b9c29 | 2021-09-10 10:08:31 +0800 | [diff] [blame] | 477 | |
| Jerry Yu | 4a17338 | 2021-10-11 21:45:31 +0800 | [diff] [blame] | 478 | /* ... |
| 479 | * NamedGroup group; (2 bytes) |
| 480 | * ... |
| 481 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 482 | MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2); |
| 483 | group = MBEDTLS_GET_UINT16_BE(p, 0); |
| Jerry Yu | e1b9c29 | 2021-09-10 10:08:31 +0800 | [diff] [blame] | 484 | p += 2; |
| 485 | |
| Jerry Yu | 4a17338 | 2021-10-11 21:45:31 +0800 | [diff] [blame] | 486 | /* Check that the chosen group matches the one we offered. */ |
| Jerry Yu | e1b9c29 | 2021-09-10 10:08:31 +0800 | [diff] [blame] | 487 | offered_group = ssl->handshake->offered_group_id; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 488 | if (offered_group != group) { |
| Xiaokang Qian | 958b6ff | 2023-03-29 10:37:35 +0000 | [diff] [blame] | 489 | MBEDTLS_SSL_DEBUG_MSG( |
| 490 | 1, ("Invalid server key share, our group %u, their group %u", |
| 491 | (unsigned) offered_group, (unsigned) group)); |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 492 | MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE, |
| 493 | MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE); |
| 494 | return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; |
| Jerry Yu | e1b9c29 | 2021-09-10 10:08:31 +0800 | [diff] [blame] | 495 | } |
| 496 | |
| Przemek Stekiel | c89f3ea | 2023-05-18 15:45:53 +0200 | [diff] [blame] | 497 | #if defined(PSA_WANT_ALG_ECDH) || defined(PSA_WANT_ALG_FFDH) |
| 498 | if (mbedtls_ssl_tls13_named_group_is_ecdhe(group) || |
| 499 | mbedtls_ssl_tls13_named_group_is_dhe(group)) { |
| Przemek Stekiel | 75a5a9c | 2023-06-12 11:21:18 +0200 | [diff] [blame] | 500 | MBEDTLS_SSL_DEBUG_MSG(2, |
| 501 | ("DHE group name: %s", mbedtls_ssl_named_group_to_str(group))); |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 502 | ret = mbedtls_ssl_tls13_read_public_ecdhe_share(ssl, p, end - p); |
| 503 | if (ret != 0) { |
| 504 | return ret; |
| 505 | } |
| 506 | } else |
| Przemek Stekiel | c89f3ea | 2023-05-18 15:45:53 +0200 | [diff] [blame] | 507 | #endif /* PSA_WANT_ALG_ECDH || PSA_WANT_ALG_FFDH */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 508 | if (0 /* other KEMs? */) { |
| Jerry Yu | e1b9c29 | 2021-09-10 10:08:31 +0800 | [diff] [blame] | 509 | /* Do something */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 510 | } else { |
| 511 | return MBEDTLS_ERR_SSL_INTERNAL_ERROR; |
| Jerry Yu | e1b9c29 | 2021-09-10 10:08:31 +0800 | [diff] [blame] | 512 | } |
| Jerry Yu | e1b9c29 | 2021-09-10 10:08:31 +0800 | [diff] [blame] | 513 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 514 | return ret; |
| Jerry Yu | e1b9c29 | 2021-09-10 10:08:31 +0800 | [diff] [blame] | 515 | } |
| 516 | |
| XiaokangQian | d59be77 | 2022-01-24 10:12:51 +0000 | [diff] [blame] | 517 | /* |
| 518 | * ssl_tls13_parse_cookie_ext() |
| 519 | * Parse cookie extension in Hello Retry Request |
| 520 | * |
| 521 | * struct { |
| 522 | * opaque cookie<1..2^16-1>; |
| 523 | * } Cookie; |
| 524 | * |
| 525 | * When sending a HelloRetryRequest, the server MAY provide a "cookie" |
| 526 | * extension to the client (this is an exception to the usual rule that |
| 527 | * the only extensions that may be sent are those that appear in the |
| 528 | * ClientHello). When sending the new ClientHello, the client MUST copy |
| 529 | * the contents of the extension received in the HelloRetryRequest into |
| 530 | * a "cookie" extension in the new ClientHello. Clients MUST NOT use |
| 531 | * cookies in their initial ClientHello in subsequent connections. |
| 532 | */ |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 533 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 534 | static int ssl_tls13_parse_cookie_ext(mbedtls_ssl_context *ssl, |
| 535 | const unsigned char *buf, |
| 536 | const unsigned char *end) |
| XiaokangQian | 43550bd | 2022-01-21 04:32:58 +0000 | [diff] [blame] | 537 | { |
| XiaokangQian | 25c9c90 | 2022-02-08 10:49:53 +0000 | [diff] [blame] | 538 | uint16_t cookie_len; |
| XiaokangQian | 43550bd | 2022-01-21 04:32:58 +0000 | [diff] [blame] | 539 | const unsigned char *p = buf; |
| 540 | mbedtls_ssl_handshake_params *handshake = ssl->handshake; |
| 541 | |
| 542 | /* Retrieve length field of cookie */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 543 | MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2); |
| 544 | cookie_len = MBEDTLS_GET_UINT16_BE(p, 0); |
| XiaokangQian | 43550bd | 2022-01-21 04:32:58 +0000 | [diff] [blame] | 545 | p += 2; |
| 546 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 547 | MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, cookie_len); |
| 548 | MBEDTLS_SSL_DEBUG_BUF(3, "cookie extension", p, cookie_len); |
| XiaokangQian | 43550bd | 2022-01-21 04:32:58 +0000 | [diff] [blame] | 549 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 550 | mbedtls_free(handshake->cookie); |
| Jerry Yu | ac5ca5a | 2022-03-04 12:50:46 +0800 | [diff] [blame] | 551 | handshake->cookie_len = 0; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 552 | handshake->cookie = mbedtls_calloc(1, cookie_len); |
| 553 | if (handshake->cookie == NULL) { |
| 554 | MBEDTLS_SSL_DEBUG_MSG(1, |
| 555 | ("alloc failed ( %ud bytes )", |
| 556 | cookie_len)); |
| 557 | return MBEDTLS_ERR_SSL_ALLOC_FAILED; |
| XiaokangQian | 43550bd | 2022-01-21 04:32:58 +0000 | [diff] [blame] | 558 | } |
| 559 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 560 | memcpy(handshake->cookie, p, cookie_len); |
| Jerry Yu | ac5ca5a | 2022-03-04 12:50:46 +0800 | [diff] [blame] | 561 | handshake->cookie_len = cookie_len; |
| XiaokangQian | 43550bd | 2022-01-21 04:32:58 +0000 | [diff] [blame] | 562 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 563 | return 0; |
| XiaokangQian | 43550bd | 2022-01-21 04:32:58 +0000 | [diff] [blame] | 564 | } |
| XiaokangQian | 43550bd | 2022-01-21 04:32:58 +0000 | [diff] [blame] | 565 | |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 566 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 567 | static int ssl_tls13_write_cookie_ext(mbedtls_ssl_context *ssl, |
| 568 | unsigned char *buf, |
| 569 | unsigned char *end, |
| 570 | size_t *out_len) |
| XiaokangQian | 0b64eed | 2022-01-27 10:36:51 +0000 | [diff] [blame] | 571 | { |
| 572 | unsigned char *p = buf; |
| XiaokangQian | 9deb90f | 2022-02-08 10:31:07 +0000 | [diff] [blame] | 573 | *out_len = 0; |
| XiaokangQian | c02768a | 2022-02-10 07:31:25 +0000 | [diff] [blame] | 574 | mbedtls_ssl_handshake_params *handshake = ssl->handshake; |
| XiaokangQian | 0b64eed | 2022-01-27 10:36:51 +0000 | [diff] [blame] | 575 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 576 | if (handshake->cookie == NULL) { |
| 577 | MBEDTLS_SSL_DEBUG_MSG(3, ("no cookie to send; skip extension")); |
| 578 | return 0; |
| XiaokangQian | 0b64eed | 2022-01-27 10:36:51 +0000 | [diff] [blame] | 579 | } |
| 580 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 581 | MBEDTLS_SSL_DEBUG_BUF(3, "client hello, cookie", |
| 582 | handshake->cookie, |
| 583 | handshake->cookie_len); |
| XiaokangQian | 0b64eed | 2022-01-27 10:36:51 +0000 | [diff] [blame] | 584 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 585 | MBEDTLS_SSL_CHK_BUF_PTR(p, end, handshake->cookie_len + 6); |
| XiaokangQian | 0b64eed | 2022-01-27 10:36:51 +0000 | [diff] [blame] | 586 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 587 | MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, adding cookie extension")); |
| XiaokangQian | 0b64eed | 2022-01-27 10:36:51 +0000 | [diff] [blame] | 588 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 589 | MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_COOKIE, p, 0); |
| 590 | MBEDTLS_PUT_UINT16_BE(handshake->cookie_len + 2, p, 2); |
| 591 | MBEDTLS_PUT_UINT16_BE(handshake->cookie_len, p, 4); |
| XiaokangQian | 233397e | 2022-02-07 08:32:16 +0000 | [diff] [blame] | 592 | p += 6; |
| XiaokangQian | 0b64eed | 2022-01-27 10:36:51 +0000 | [diff] [blame] | 593 | |
| 594 | /* Cookie */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 595 | memcpy(p, handshake->cookie, handshake->cookie_len); |
| XiaokangQian | 0b64eed | 2022-01-27 10:36:51 +0000 | [diff] [blame] | 596 | |
| Jerry Yu | ac5ca5a | 2022-03-04 12:50:46 +0800 | [diff] [blame] | 597 | *out_len = handshake->cookie_len + 6; |
| XiaokangQian | 0b64eed | 2022-01-27 10:36:51 +0000 | [diff] [blame] | 598 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 599 | mbedtls_ssl_tls13_set_hs_sent_ext_mask(ssl, MBEDTLS_TLS_EXT_COOKIE); |
| Jerry Yu | 4b8f2f7 | 2022-10-31 13:31:22 +0800 | [diff] [blame] | 600 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 601 | return 0; |
| XiaokangQian | 0b64eed | 2022-01-27 10:36:51 +0000 | [diff] [blame] | 602 | } |
| 603 | |
| Ronald Cron | 41a443a | 2022-10-04 16:38:25 +0200 | [diff] [blame] | 604 | #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED) |
| XiaokangQian | eb69aee | 2022-07-05 08:21:43 +0000 | [diff] [blame] | 605 | /* |
| 606 | * ssl_tls13_write_psk_key_exchange_modes_ext() structure: |
| 607 | * |
| 608 | * enum { psk_ke( 0 ), psk_dhe_ke( 1 ), ( 255 ) } PskKeyExchangeMode; |
| 609 | * |
| 610 | * struct { |
| 611 | * PskKeyExchangeMode ke_modes<1..255>; |
| 612 | * } PskKeyExchangeModes; |
| 613 | */ |
| XiaokangQian | 8698195 | 2022-07-19 09:51:50 +0000 | [diff] [blame] | 614 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 615 | static int ssl_tls13_write_psk_key_exchange_modes_ext(mbedtls_ssl_context *ssl, |
| 616 | unsigned char *buf, |
| 617 | unsigned char *end, |
| 618 | size_t *out_len) |
| XiaokangQian | eb69aee | 2022-07-05 08:21:43 +0000 | [diff] [blame] | 619 | { |
| XiaokangQian | eb69aee | 2022-07-05 08:21:43 +0000 | [diff] [blame] | 620 | unsigned char *p = buf; |
| XiaokangQian | 008d2bf | 2022-07-14 07:54:01 +0000 | [diff] [blame] | 621 | int ke_modes_len = 0; |
| XiaokangQian | eb69aee | 2022-07-05 08:21:43 +0000 | [diff] [blame] | 622 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 623 | ((void) ke_modes_len); |
| XiaokangQian | eb69aee | 2022-07-05 08:21:43 +0000 | [diff] [blame] | 624 | *out_len = 0; |
| XiaokangQian | 008d2bf | 2022-07-14 07:54:01 +0000 | [diff] [blame] | 625 | |
| XiaokangQian | eb69aee | 2022-07-05 08:21:43 +0000 | [diff] [blame] | 626 | /* Skip writing extension if no PSK key exchange mode |
| XiaokangQian | 7c12d31 | 2022-07-20 07:25:43 +0000 | [diff] [blame] | 627 | * is enabled in the config. |
| XiaokangQian | eb69aee | 2022-07-05 08:21:43 +0000 | [diff] [blame] | 628 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 629 | if (!mbedtls_ssl_conf_tls13_some_psk_enabled(ssl)) { |
| 630 | MBEDTLS_SSL_DEBUG_MSG(3, ("skip psk_key_exchange_modes extension")); |
| 631 | return 0; |
| XiaokangQian | eb69aee | 2022-07-05 08:21:43 +0000 | [diff] [blame] | 632 | } |
| 633 | |
| 634 | /* Require 7 bytes of data, otherwise fail, |
| 635 | * even if extension might be shorter. |
| 636 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 637 | MBEDTLS_SSL_CHK_BUF_PTR(p, end, 7); |
| XiaokangQian | eb69aee | 2022-07-05 08:21:43 +0000 | [diff] [blame] | 638 | MBEDTLS_SSL_DEBUG_MSG( |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 639 | 3, ("client hello, adding psk_key_exchange_modes extension")); |
| XiaokangQian | eb69aee | 2022-07-05 08:21:43 +0000 | [diff] [blame] | 640 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 641 | MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES, p, 0); |
| XiaokangQian | eb69aee | 2022-07-05 08:21:43 +0000 | [diff] [blame] | 642 | |
| XiaokangQian | 008d2bf | 2022-07-14 07:54:01 +0000 | [diff] [blame] | 643 | /* Skip extension length (2 bytes) and |
| 644 | * ke_modes length (1 byte) for now. |
| XiaokangQian | eb69aee | 2022-07-05 08:21:43 +0000 | [diff] [blame] | 645 | */ |
| 646 | p += 5; |
| 647 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 648 | if (mbedtls_ssl_conf_tls13_psk_ephemeral_enabled(ssl)) { |
| XiaokangQian | eb69aee | 2022-07-05 08:21:43 +0000 | [diff] [blame] | 649 | *p++ = MBEDTLS_SSL_TLS1_3_PSK_MODE_ECDHE; |
| XiaokangQian | 008d2bf | 2022-07-14 07:54:01 +0000 | [diff] [blame] | 650 | ke_modes_len++; |
| XiaokangQian | eb69aee | 2022-07-05 08:21:43 +0000 | [diff] [blame] | 651 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 652 | MBEDTLS_SSL_DEBUG_MSG(4, ("Adding PSK-ECDHE key exchange mode")); |
| XiaokangQian | eb69aee | 2022-07-05 08:21:43 +0000 | [diff] [blame] | 653 | } |
| 654 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 655 | if (mbedtls_ssl_conf_tls13_psk_enabled(ssl)) { |
| Ronald Cron | a709a0f | 2022-09-27 16:46:11 +0200 | [diff] [blame] | 656 | *p++ = MBEDTLS_SSL_TLS1_3_PSK_MODE_PURE; |
| 657 | ke_modes_len++; |
| 658 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 659 | MBEDTLS_SSL_DEBUG_MSG(4, ("Adding pure PSK key exchange mode")); |
| Ronald Cron | a709a0f | 2022-09-27 16:46:11 +0200 | [diff] [blame] | 660 | } |
| 661 | |
| XiaokangQian | 008d2bf | 2022-07-14 07:54:01 +0000 | [diff] [blame] | 662 | /* Now write the extension and ke_modes length */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 663 | MBEDTLS_PUT_UINT16_BE(ke_modes_len + 1, buf, 2); |
| XiaokangQian | 008d2bf | 2022-07-14 07:54:01 +0000 | [diff] [blame] | 664 | buf[4] = ke_modes_len; |
| XiaokangQian | eb69aee | 2022-07-05 08:21:43 +0000 | [diff] [blame] | 665 | |
| 666 | *out_len = p - buf; |
| Jerry Yu | 0c354a2 | 2022-08-29 15:25:36 +0800 | [diff] [blame] | 667 | |
| Jerry Yu | c4bf5d6 | 2022-10-29 09:08:47 +0800 | [diff] [blame] | 668 | mbedtls_ssl_tls13_set_hs_sent_ext_mask( |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 669 | ssl, MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES); |
| Jerry Yu | 4b8f2f7 | 2022-10-31 13:31:22 +0800 | [diff] [blame] | 670 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 671 | return 0; |
| XiaokangQian | eb69aee | 2022-07-05 08:21:43 +0000 | [diff] [blame] | 672 | } |
| Jerry Yu | db8c5fa | 2022-08-03 12:10:13 +0800 | [diff] [blame] | 673 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 674 | static psa_algorithm_t ssl_tls13_get_ciphersuite_hash_alg(int ciphersuite) |
| Jerry Yu | f7c1259 | 2022-09-28 22:09:38 +0800 | [diff] [blame] | 675 | { |
| Jerry Yu | 21f9095 | 2022-10-08 10:30:53 +0800 | [diff] [blame] | 676 | const mbedtls_ssl_ciphersuite_t *ciphersuite_info = NULL; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 677 | ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(ciphersuite); |
| Jerry Yu | f7c1259 | 2022-09-28 22:09:38 +0800 | [diff] [blame] | 678 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 679 | if (ciphersuite_info != NULL) { |
| 680 | return mbedtls_psa_translate_md(ciphersuite_info->mac); |
| 681 | } |
| Jerry Yu | a99cbfa | 2022-10-08 11:17:14 +0800 | [diff] [blame] | 682 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 683 | return PSA_ALG_NONE; |
| Jerry Yu | f7c1259 | 2022-09-28 22:09:38 +0800 | [diff] [blame] | 684 | } |
| 685 | |
| Jerry Yu | f75364b | 2022-09-30 10:30:31 +0800 | [diff] [blame] | 686 | #if defined(MBEDTLS_SSL_SESSION_TICKETS) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 687 | static int ssl_tls13_has_configured_ticket(mbedtls_ssl_context *ssl) |
| Xiaokang Qian | b781a23 | 2022-11-01 07:39:46 +0000 | [diff] [blame] | 688 | { |
| 689 | mbedtls_ssl_session *session = ssl->session_negotiate; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 690 | return ssl->handshake->resume && |
| Pengyu Lv | 9356678 | 2022-12-07 12:10:05 +0800 | [diff] [blame] | 691 | session != NULL && session->ticket != NULL && |
| Pengyu Lv | 9b84ea7 | 2023-01-16 14:08:23 +0800 | [diff] [blame] | 692 | mbedtls_ssl_conf_tls13_check_kex_modes( |
| 693 | ssl, mbedtls_ssl_session_get_ticket_flags( |
| 694 | session, MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL)); |
| Xiaokang Qian | b781a23 | 2022-11-01 07:39:46 +0000 | [diff] [blame] | 695 | } |
| 696 | |
| Xiaokang Qian | 01323a4 | 2022-11-03 02:27:35 +0000 | [diff] [blame] | 697 | #if defined(MBEDTLS_SSL_EARLY_DATA) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 698 | static int ssl_tls13_early_data_has_valid_ticket(mbedtls_ssl_context *ssl) |
| Xiaokang Qian | 01323a4 | 2022-11-03 02:27:35 +0000 | [diff] [blame] | 699 | { |
| 700 | mbedtls_ssl_session *session = ssl->session_negotiate; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 701 | return ssl->handshake->resume && |
| 702 | session->tls_version == MBEDTLS_SSL_VERSION_TLS1_3 && |
| 703 | (session->ticket_flags & |
| 704 | MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_EARLY_DATA) && |
| 705 | mbedtls_ssl_tls13_cipher_suite_is_offered( |
| 706 | ssl, session->ciphersuite); |
| Xiaokang Qian | 01323a4 | 2022-11-03 02:27:35 +0000 | [diff] [blame] | 707 | } |
| 708 | #endif |
| 709 | |
| Xiaokang Qian | b781a23 | 2022-11-01 07:39:46 +0000 | [diff] [blame] | 710 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 711 | static int ssl_tls13_ticket_get_identity(mbedtls_ssl_context *ssl, |
| 712 | psa_algorithm_t *hash_alg, |
| 713 | const unsigned char **identity, |
| 714 | size_t *identity_len) |
| Jerry Yu | f7c1259 | 2022-09-28 22:09:38 +0800 | [diff] [blame] | 715 | { |
| 716 | mbedtls_ssl_session *session = ssl->session_negotiate; |
| Jerry Yu | 8b41e89 | 2022-09-30 10:00:20 +0800 | [diff] [blame] | 717 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 718 | if (!ssl_tls13_has_configured_ticket(ssl)) { |
| 719 | return -1; |
| 720 | } |
| Jerry Yu | 8b41e89 | 2022-09-30 10:00:20 +0800 | [diff] [blame] | 721 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 722 | *hash_alg = ssl_tls13_get_ciphersuite_hash_alg(session->ciphersuite); |
| Jerry Yu | f7c1259 | 2022-09-28 22:09:38 +0800 | [diff] [blame] | 723 | *identity = session->ticket; |
| 724 | *identity_len = session->ticket_len; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 725 | return 0; |
| Jerry Yu | f7c1259 | 2022-09-28 22:09:38 +0800 | [diff] [blame] | 726 | } |
| 727 | |
| Jerry Yu | 1a0a0f4 | 2022-09-28 22:11:02 +0800 | [diff] [blame] | 728 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 729 | static int ssl_tls13_ticket_get_psk(mbedtls_ssl_context *ssl, |
| 730 | psa_algorithm_t *hash_alg, |
| 731 | const unsigned char **psk, |
| 732 | size_t *psk_len) |
| Jerry Yu | 1a0a0f4 | 2022-09-28 22:11:02 +0800 | [diff] [blame] | 733 | { |
| 734 | |
| 735 | mbedtls_ssl_session *session = ssl->session_negotiate; |
| 736 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 737 | if (!ssl_tls13_has_configured_ticket(ssl)) { |
| 738 | return -1; |
| 739 | } |
| Jerry Yu | 8b41e89 | 2022-09-30 10:00:20 +0800 | [diff] [blame] | 740 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 741 | *hash_alg = ssl_tls13_get_ciphersuite_hash_alg(session->ciphersuite); |
| Jerry Yu | 1a0a0f4 | 2022-09-28 22:11:02 +0800 | [diff] [blame] | 742 | *psk = session->resumption_key; |
| 743 | *psk_len = session->resumption_key_len; |
| 744 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 745 | return 0; |
| Jerry Yu | 1a0a0f4 | 2022-09-28 22:11:02 +0800 | [diff] [blame] | 746 | } |
| Jerry Yu | f7c1259 | 2022-09-28 22:09:38 +0800 | [diff] [blame] | 747 | #endif /* MBEDTLS_SSL_SESSION_TICKETS */ |
| 748 | |
| 749 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 750 | static int ssl_tls13_psk_get_identity(mbedtls_ssl_context *ssl, |
| 751 | psa_algorithm_t *hash_alg, |
| 752 | const unsigned char **identity, |
| 753 | size_t *identity_len) |
| Jerry Yu | f7c1259 | 2022-09-28 22:09:38 +0800 | [diff] [blame] | 754 | { |
| Jerry Yu | 8b41e89 | 2022-09-30 10:00:20 +0800 | [diff] [blame] | 755 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 756 | if (!mbedtls_ssl_conf_has_static_psk(ssl->conf)) { |
| 757 | return -1; |
| 758 | } |
| Jerry Yu | f7c1259 | 2022-09-28 22:09:38 +0800 | [diff] [blame] | 759 | |
| Jerry Yu | a99cbfa | 2022-10-08 11:17:14 +0800 | [diff] [blame] | 760 | *hash_alg = PSA_ALG_SHA_256; |
| Jerry Yu | f7c1259 | 2022-09-28 22:09:38 +0800 | [diff] [blame] | 761 | *identity = ssl->conf->psk_identity; |
| 762 | *identity_len = ssl->conf->psk_identity_len; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 763 | return 0; |
| Jerry Yu | f7c1259 | 2022-09-28 22:09:38 +0800 | [diff] [blame] | 764 | } |
| 765 | |
| Jerry Yu | 1a0a0f4 | 2022-09-28 22:11:02 +0800 | [diff] [blame] | 766 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 767 | static int ssl_tls13_psk_get_psk(mbedtls_ssl_context *ssl, |
| 768 | psa_algorithm_t *hash_alg, |
| 769 | const unsigned char **psk, |
| 770 | size_t *psk_len) |
| Jerry Yu | 1a0a0f4 | 2022-09-28 22:11:02 +0800 | [diff] [blame] | 771 | { |
| Jerry Yu | 8b41e89 | 2022-09-30 10:00:20 +0800 | [diff] [blame] | 772 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 773 | if (!mbedtls_ssl_conf_has_static_psk(ssl->conf)) { |
| 774 | return -1; |
| 775 | } |
| Jerry Yu | 8b41e89 | 2022-09-30 10:00:20 +0800 | [diff] [blame] | 776 | |
| Jerry Yu | a99cbfa | 2022-10-08 11:17:14 +0800 | [diff] [blame] | 777 | *hash_alg = PSA_ALG_SHA_256; |
| Jerry Yu | 1a0a0f4 | 2022-09-28 22:11:02 +0800 | [diff] [blame] | 778 | *psk = ssl->conf->psk; |
| 779 | *psk_len = ssl->conf->psk_len; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 780 | return 0; |
| Jerry Yu | 1a0a0f4 | 2022-09-28 22:11:02 +0800 | [diff] [blame] | 781 | } |
| 782 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 783 | static int ssl_tls13_get_configured_psk_count(mbedtls_ssl_context *ssl) |
| Jerry Yu | f75364b | 2022-09-30 10:30:31 +0800 | [diff] [blame] | 784 | { |
| 785 | int configured_psk_count = 0; |
| 786 | #if defined(MBEDTLS_SSL_SESSION_TICKETS) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 787 | if (ssl_tls13_has_configured_ticket(ssl)) { |
| 788 | MBEDTLS_SSL_DEBUG_MSG(3, ("Ticket is configured")); |
| Jerry Yu | f75364b | 2022-09-30 10:30:31 +0800 | [diff] [blame] | 789 | configured_psk_count++; |
| 790 | } |
| 791 | #endif |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 792 | if (mbedtls_ssl_conf_has_static_psk(ssl->conf)) { |
| 793 | MBEDTLS_SSL_DEBUG_MSG(3, ("PSK is configured")); |
| Jerry Yu | f75364b | 2022-09-30 10:30:31 +0800 | [diff] [blame] | 794 | configured_psk_count++; |
| 795 | } |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 796 | return configured_psk_count; |
| Jerry Yu | f75364b | 2022-09-30 10:30:31 +0800 | [diff] [blame] | 797 | } |
| 798 | |
| Jerry Yu | f7c1259 | 2022-09-28 22:09:38 +0800 | [diff] [blame] | 799 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 800 | static int ssl_tls13_write_identity(mbedtls_ssl_context *ssl, |
| 801 | unsigned char *buf, |
| 802 | unsigned char *end, |
| 803 | const unsigned char *identity, |
| 804 | size_t identity_len, |
| 805 | uint32_t obfuscated_ticket_age, |
| 806 | size_t *out_len) |
| Jerry Yu | f7c1259 | 2022-09-28 22:09:38 +0800 | [diff] [blame] | 807 | { |
| Jerry Yu | f75364b | 2022-09-30 10:30:31 +0800 | [diff] [blame] | 808 | ((void) ssl); |
| Jerry Yu | f7c1259 | 2022-09-28 22:09:38 +0800 | [diff] [blame] | 809 | *out_len = 0; |
| Jerry Yu | f7c1259 | 2022-09-28 22:09:38 +0800 | [diff] [blame] | 810 | |
| 811 | /* |
| 812 | * - identity_len (2 bytes) |
| 813 | * - identity (psk_identity_len bytes) |
| 814 | * - obfuscated_ticket_age (4 bytes) |
| 815 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 816 | MBEDTLS_SSL_CHK_BUF_PTR(buf, end, 6 + identity_len); |
| Jerry Yu | f7c1259 | 2022-09-28 22:09:38 +0800 | [diff] [blame] | 817 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 818 | MBEDTLS_PUT_UINT16_BE(identity_len, buf, 0); |
| 819 | memcpy(buf + 2, identity, identity_len); |
| 820 | MBEDTLS_PUT_UINT32_BE(obfuscated_ticket_age, buf, 2 + identity_len); |
| Jerry Yu | f7c1259 | 2022-09-28 22:09:38 +0800 | [diff] [blame] | 821 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 822 | MBEDTLS_SSL_DEBUG_BUF(4, "write identity", buf, 6 + identity_len); |
| Jerry Yu | f7c1259 | 2022-09-28 22:09:38 +0800 | [diff] [blame] | 823 | |
| 824 | *out_len = 6 + identity_len; |
| Jerry Yu | f7c1259 | 2022-09-28 22:09:38 +0800 | [diff] [blame] | 825 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 826 | return 0; |
| Jerry Yu | f7c1259 | 2022-09-28 22:09:38 +0800 | [diff] [blame] | 827 | } |
| 828 | |
| Jerry Yu | 8b41e89 | 2022-09-30 10:00:20 +0800 | [diff] [blame] | 829 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 830 | static int ssl_tls13_write_binder(mbedtls_ssl_context *ssl, |
| 831 | unsigned char *buf, |
| 832 | unsigned char *end, |
| 833 | int psk_type, |
| 834 | psa_algorithm_t hash_alg, |
| 835 | const unsigned char *psk, |
| 836 | size_t psk_len, |
| 837 | size_t *out_len) |
| Jerry Yu | 8b41e89 | 2022-09-30 10:00:20 +0800 | [diff] [blame] | 838 | { |
| 839 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| Jerry Yu | 8b41e89 | 2022-09-30 10:00:20 +0800 | [diff] [blame] | 840 | unsigned char binder_len; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 841 | unsigned char transcript[MBEDTLS_TLS1_3_MD_MAX_SIZE]; |
| Jerry Yu | 8b41e89 | 2022-09-30 10:00:20 +0800 | [diff] [blame] | 842 | size_t transcript_len = 0; |
| 843 | |
| 844 | *out_len = 0; |
| 845 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 846 | binder_len = PSA_HASH_LENGTH(hash_alg); |
| Jerry Yu | 8b41e89 | 2022-09-30 10:00:20 +0800 | [diff] [blame] | 847 | |
| 848 | /* |
| 849 | * - binder_len (1 bytes) |
| 850 | * - binder (binder_len bytes) |
| 851 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 852 | MBEDTLS_SSL_CHK_BUF_PTR(buf, end, 1 + binder_len); |
| Jerry Yu | 8b41e89 | 2022-09-30 10:00:20 +0800 | [diff] [blame] | 853 | |
| Jerry Yu | a99cbfa | 2022-10-08 11:17:14 +0800 | [diff] [blame] | 854 | buf[0] = binder_len; |
| Jerry Yu | 8b41e89 | 2022-09-30 10:00:20 +0800 | [diff] [blame] | 855 | |
| 856 | /* Get current state of handshake transcript. */ |
| 857 | ret = mbedtls_ssl_get_handshake_transcript( |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 858 | ssl, mbedtls_hash_info_md_from_psa(hash_alg), |
| 859 | transcript, sizeof(transcript), &transcript_len); |
| 860 | if (ret != 0) { |
| 861 | return ret; |
| Jerry Yu | 8b41e89 | 2022-09-30 10:00:20 +0800 | [diff] [blame] | 862 | } |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 863 | |
| 864 | ret = mbedtls_ssl_tls13_create_psk_binder(ssl, hash_alg, |
| 865 | psk, psk_len, psk_type, |
| 866 | transcript, buf + 1); |
| 867 | if (ret != 0) { |
| 868 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_tls13_create_psk_binder", ret); |
| 869 | return ret; |
| 870 | } |
| 871 | MBEDTLS_SSL_DEBUG_BUF(4, "write binder", buf, 1 + binder_len); |
| Jerry Yu | 8b41e89 | 2022-09-30 10:00:20 +0800 | [diff] [blame] | 872 | |
| 873 | *out_len = 1 + binder_len; |
| 874 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 875 | return 0; |
| Jerry Yu | 8b41e89 | 2022-09-30 10:00:20 +0800 | [diff] [blame] | 876 | } |
| 877 | |
| 878 | /* |
| 879 | * mbedtls_ssl_tls13_write_identities_of_pre_shared_key_ext() structure: |
| 880 | * |
| 881 | * struct { |
| 882 | * opaque identity<1..2^16-1>; |
| 883 | * uint32 obfuscated_ticket_age; |
| 884 | * } PskIdentity; |
| 885 | * |
| 886 | * opaque PskBinderEntry<32..255>; |
| 887 | * |
| 888 | * struct { |
| 889 | * PskIdentity identities<7..2^16-1>; |
| 890 | * PskBinderEntry binders<33..2^16-1>; |
| 891 | * } OfferedPsks; |
| 892 | * |
| 893 | * struct { |
| 894 | * select (Handshake.msg_type) { |
| 895 | * case client_hello: OfferedPsks; |
| 896 | * ... |
| 897 | * }; |
| 898 | * } PreSharedKeyExtension; |
| 899 | * |
| 900 | */ |
| XiaokangQian | 3ad67bf | 2022-07-21 02:26:21 +0000 | [diff] [blame] | 901 | int mbedtls_ssl_tls13_write_identities_of_pre_shared_key_ext( |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 902 | mbedtls_ssl_context *ssl, unsigned char *buf, unsigned char *end, |
| 903 | size_t *out_len, size_t *binders_len) |
| XiaokangQian | eb69aee | 2022-07-05 08:21:43 +0000 | [diff] [blame] | 904 | { |
| Jerry Yu | f7c1259 | 2022-09-28 22:09:38 +0800 | [diff] [blame] | 905 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| Jerry Yu | f75364b | 2022-09-30 10:30:31 +0800 | [diff] [blame] | 906 | int configured_psk_count = 0; |
| Jerry Yu | f7c1259 | 2022-09-28 22:09:38 +0800 | [diff] [blame] | 907 | unsigned char *p = buf; |
| Xiaokang Qian | 854db28 | 2022-12-19 07:31:27 +0000 | [diff] [blame] | 908 | psa_algorithm_t hash_alg = PSA_ALG_NONE; |
| Jerry Yu | f75364b | 2022-09-30 10:30:31 +0800 | [diff] [blame] | 909 | const unsigned char *identity; |
| 910 | size_t identity_len; |
| Jerry Yu | f7c1259 | 2022-09-28 22:09:38 +0800 | [diff] [blame] | 911 | size_t l_binders_len = 0; |
| Jerry Yu | f75364b | 2022-09-30 10:30:31 +0800 | [diff] [blame] | 912 | size_t output_len; |
| Xiaokang Qian | 7179f81 | 2023-02-03 03:38:44 +0000 | [diff] [blame] | 913 | |
| Jerry Yu | f7c1259 | 2022-09-28 22:09:38 +0800 | [diff] [blame] | 914 | *out_len = 0; |
| 915 | *binders_len = 0; |
| 916 | |
| 917 | /* Check if we have any PSKs to offer. If no, skip pre_shared_key */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 918 | configured_psk_count = ssl_tls13_get_configured_psk_count(ssl); |
| 919 | if (configured_psk_count == 0) { |
| 920 | MBEDTLS_SSL_DEBUG_MSG(3, ("skip pre_shared_key extensions")); |
| 921 | return 0; |
| Jerry Yu | f7c1259 | 2022-09-28 22:09:38 +0800 | [diff] [blame] | 922 | } |
| 923 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 924 | MBEDTLS_SSL_DEBUG_MSG(4, ("Pre-configured PSK number = %d", |
| 925 | configured_psk_count)); |
| Jerry Yu | f75364b | 2022-09-30 10:30:31 +0800 | [diff] [blame] | 926 | |
| Jerry Yu | f7c1259 | 2022-09-28 22:09:38 +0800 | [diff] [blame] | 927 | /* Check if we have space to write the extension, binders included. |
| 928 | * - extension_type (2 bytes) |
| 929 | * - extension_data_len (2 bytes) |
| 930 | * - identities_len (2 bytes) |
| 931 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 932 | MBEDTLS_SSL_CHK_BUF_PTR(p, end, 6); |
| Jerry Yu | f7c1259 | 2022-09-28 22:09:38 +0800 | [diff] [blame] | 933 | p += 6; |
| 934 | |
| Jerry Yu | f75364b | 2022-09-30 10:30:31 +0800 | [diff] [blame] | 935 | #if defined(MBEDTLS_SSL_SESSION_TICKETS) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 936 | if (ssl_tls13_ticket_get_identity( |
| 937 | ssl, &hash_alg, &identity, &identity_len) == 0) { |
| Jerry Yu | f75364b | 2022-09-30 10:30:31 +0800 | [diff] [blame] | 938 | #if defined(MBEDTLS_HAVE_TIME) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 939 | mbedtls_time_t now = mbedtls_time(NULL); |
| Jerry Yu | f75364b | 2022-09-30 10:30:31 +0800 | [diff] [blame] | 940 | mbedtls_ssl_session *session = ssl->session_negotiate; |
| Jerry Yu | 6916e70 | 2022-10-10 21:33:51 +0800 | [diff] [blame] | 941 | uint32_t obfuscated_ticket_age = |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 942 | (uint32_t) (now - session->ticket_received); |
| Jerry Yu | a99cbfa | 2022-10-08 11:17:14 +0800 | [diff] [blame] | 943 | |
| Jerry Yu | 3e60cad | 2023-01-10 14:58:08 +0800 | [diff] [blame] | 944 | /* |
| 945 | * The ticket timestamp is in seconds but the ticket age is in |
| 946 | * milliseconds. If the ticket was received at the end of a second and |
| 947 | * re-used here just at the beginning of the next second, the computed |
| 948 | * age `now - session->ticket_received` is equal to 1s thus 1000 ms |
| 949 | * while the actual age could be just a few milliseconds or tens of |
| 950 | * milliseconds. If the server has more accurate ticket timestamps |
| 951 | * (typically timestamps in milliseconds), as part of the processing of |
| 952 | * the ClientHello, it may compute a ticket lifetime smaller than the |
| 953 | * one computed here and potentially reject the ticket. To avoid that, |
| 954 | * remove one second to the ticket age if possible. |
| Jerry Yu | bdb936b | 2023-01-07 16:07:46 +0800 | [diff] [blame] | 955 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 956 | if (obfuscated_ticket_age > 0) { |
| Jerry Yu | bdb936b | 2023-01-07 16:07:46 +0800 | [diff] [blame] | 957 | obfuscated_ticket_age -= 1; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 958 | } |
| Jerry Yu | bdb936b | 2023-01-07 16:07:46 +0800 | [diff] [blame] | 959 | |
| Jerry Yu | f75364b | 2022-09-30 10:30:31 +0800 | [diff] [blame] | 960 | obfuscated_ticket_age *= 1000; |
| 961 | obfuscated_ticket_age += session->ticket_age_add; |
| Jerry Yu | a99cbfa | 2022-10-08 11:17:14 +0800 | [diff] [blame] | 962 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 963 | ret = ssl_tls13_write_identity(ssl, p, end, |
| 964 | identity, identity_len, |
| 965 | obfuscated_ticket_age, |
| 966 | &output_len); |
| Jerry Yu | a99cbfa | 2022-10-08 11:17:14 +0800 | [diff] [blame] | 967 | #else |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 968 | ret = ssl_tls13_write_identity(ssl, p, end, identity, identity_len, |
| 969 | 0, &output_len); |
| Jerry Yu | a99cbfa | 2022-10-08 11:17:14 +0800 | [diff] [blame] | 970 | #endif /* MBEDTLS_HAVE_TIME */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 971 | if (ret != 0) { |
| 972 | return ret; |
| 973 | } |
| Jerry Yu | f7c1259 | 2022-09-28 22:09:38 +0800 | [diff] [blame] | 974 | |
| Jerry Yu | f75364b | 2022-09-30 10:30:31 +0800 | [diff] [blame] | 975 | p += output_len; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 976 | l_binders_len += 1 + PSA_HASH_LENGTH(hash_alg); |
| Jerry Yu | f75364b | 2022-09-30 10:30:31 +0800 | [diff] [blame] | 977 | } |
| 978 | #endif /* MBEDTLS_SSL_SESSION_TICKETS */ |
| 979 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 980 | if (ssl_tls13_psk_get_identity( |
| 981 | ssl, &hash_alg, &identity, &identity_len) == 0) { |
| Jerry Yu | f75364b | 2022-09-30 10:30:31 +0800 | [diff] [blame] | 982 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 983 | ret = ssl_tls13_write_identity(ssl, p, end, identity, identity_len, 0, |
| 984 | &output_len); |
| 985 | if (ret != 0) { |
| 986 | return ret; |
| 987 | } |
| Jerry Yu | f75364b | 2022-09-30 10:30:31 +0800 | [diff] [blame] | 988 | |
| Jerry Yu | f7c1259 | 2022-09-28 22:09:38 +0800 | [diff] [blame] | 989 | p += output_len; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 990 | l_binders_len += 1 + PSA_HASH_LENGTH(hash_alg); |
| Jerry Yu | f7c1259 | 2022-09-28 22:09:38 +0800 | [diff] [blame] | 991 | } |
| 992 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 993 | MBEDTLS_SSL_DEBUG_MSG(3, |
| 994 | ("client hello, adding pre_shared_key extension, " |
| 995 | "omitting PSK binder list")); |
| Jerry Yu | a99cbfa | 2022-10-08 11:17:14 +0800 | [diff] [blame] | 996 | |
| 997 | /* Take into account the two bytes for the length of the binders. */ |
| 998 | l_binders_len += 2; |
| Jerry Yu | 6916e70 | 2022-10-10 21:33:51 +0800 | [diff] [blame] | 999 | /* Check if there is enough space for binders */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1000 | MBEDTLS_SSL_CHK_BUF_PTR(p, end, l_binders_len); |
| Jerry Yu | a99cbfa | 2022-10-08 11:17:14 +0800 | [diff] [blame] | 1001 | |
| Jerry Yu | f7c1259 | 2022-09-28 22:09:38 +0800 | [diff] [blame] | 1002 | /* |
| 1003 | * - extension_type (2 bytes) |
| 1004 | * - extension_data_len (2 bytes) |
| 1005 | * - identities_len (2 bytes) |
| 1006 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1007 | MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_PRE_SHARED_KEY, buf, 0); |
| 1008 | MBEDTLS_PUT_UINT16_BE(p - buf - 4 + l_binders_len, buf, 2); |
| 1009 | MBEDTLS_PUT_UINT16_BE(p - buf - 6, buf, 4); |
| Jerry Yu | f7c1259 | 2022-09-28 22:09:38 +0800 | [diff] [blame] | 1010 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1011 | *out_len = (p - buf) + l_binders_len; |
| Jerry Yu | a99cbfa | 2022-10-08 11:17:14 +0800 | [diff] [blame] | 1012 | *binders_len = l_binders_len; |
| Jerry Yu | f7c1259 | 2022-09-28 22:09:38 +0800 | [diff] [blame] | 1013 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1014 | MBEDTLS_SSL_DEBUG_BUF(3, "pre_shared_key identities", buf, p - buf); |
| Jerry Yu | f7c1259 | 2022-09-28 22:09:38 +0800 | [diff] [blame] | 1015 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1016 | return 0; |
| XiaokangQian | eb69aee | 2022-07-05 08:21:43 +0000 | [diff] [blame] | 1017 | } |
| 1018 | |
| XiaokangQian | 8698195 | 2022-07-19 09:51:50 +0000 | [diff] [blame] | 1019 | int mbedtls_ssl_tls13_write_binders_of_pre_shared_key_ext( |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1020 | mbedtls_ssl_context *ssl, unsigned char *buf, unsigned char *end) |
| XiaokangQian | eb69aee | 2022-07-05 08:21:43 +0000 | [diff] [blame] | 1021 | { |
| Jerry Yu | 1a0a0f4 | 2022-09-28 22:11:02 +0800 | [diff] [blame] | 1022 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| 1023 | unsigned char *p = buf; |
| Jerry Yu | 6183cc7 | 2022-09-30 11:08:57 +0800 | [diff] [blame] | 1024 | psa_algorithm_t hash_alg = PSA_ALG_NONE; |
| 1025 | const unsigned char *psk; |
| 1026 | size_t psk_len; |
| 1027 | size_t output_len; |
| Jerry Yu | 1a0a0f4 | 2022-09-28 22:11:02 +0800 | [diff] [blame] | 1028 | |
| 1029 | /* Check if we have space to write binders_len. |
| 1030 | * - binders_len (2 bytes) |
| 1031 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1032 | MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2); |
| Jerry Yu | 1a0a0f4 | 2022-09-28 22:11:02 +0800 | [diff] [blame] | 1033 | p += 2; |
| 1034 | |
| Jerry Yu | 6183cc7 | 2022-09-30 11:08:57 +0800 | [diff] [blame] | 1035 | #if defined(MBEDTLS_SSL_SESSION_TICKETS) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1036 | if (ssl_tls13_ticket_get_psk(ssl, &hash_alg, &psk, &psk_len) == 0) { |
| Jerry Yu | 6183cc7 | 2022-09-30 11:08:57 +0800 | [diff] [blame] | 1037 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1038 | ret = ssl_tls13_write_binder(ssl, p, end, |
| 1039 | MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION, |
| 1040 | hash_alg, psk, psk_len, |
| 1041 | &output_len); |
| 1042 | if (ret != 0) { |
| 1043 | return ret; |
| 1044 | } |
| Jerry Yu | 1a0a0f4 | 2022-09-28 22:11:02 +0800 | [diff] [blame] | 1045 | p += output_len; |
| 1046 | } |
| Jerry Yu | 6183cc7 | 2022-09-30 11:08:57 +0800 | [diff] [blame] | 1047 | #endif /* MBEDTLS_SSL_SESSION_TICKETS */ |
| Jerry Yu | 1a0a0f4 | 2022-09-28 22:11:02 +0800 | [diff] [blame] | 1048 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1049 | if (ssl_tls13_psk_get_psk(ssl, &hash_alg, &psk, &psk_len) == 0) { |
| Jerry Yu | 6183cc7 | 2022-09-30 11:08:57 +0800 | [diff] [blame] | 1050 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1051 | ret = ssl_tls13_write_binder(ssl, p, end, |
| 1052 | MBEDTLS_SSL_TLS1_3_PSK_EXTERNAL, |
| 1053 | hash_alg, psk, psk_len, |
| 1054 | &output_len); |
| 1055 | if (ret != 0) { |
| 1056 | return ret; |
| 1057 | } |
| Jerry Yu | 1a0a0f4 | 2022-09-28 22:11:02 +0800 | [diff] [blame] | 1058 | p += output_len; |
| 1059 | } |
| 1060 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1061 | MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, adding PSK binder list.")); |
| Jerry Yu | 1a0a0f4 | 2022-09-28 22:11:02 +0800 | [diff] [blame] | 1062 | |
| 1063 | /* |
| 1064 | * - binders_len (2 bytes) |
| 1065 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1066 | MBEDTLS_PUT_UINT16_BE(p - buf - 2, buf, 0); |
| Jerry Yu | 1a0a0f4 | 2022-09-28 22:11:02 +0800 | [diff] [blame] | 1067 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1068 | MBEDTLS_SSL_DEBUG_BUF(3, "pre_shared_key binders", buf, p - buf); |
| XiaokangQian | eb69aee | 2022-07-05 08:21:43 +0000 | [diff] [blame] | 1069 | |
| Jerry Yu | c4bf5d6 | 2022-10-29 09:08:47 +0800 | [diff] [blame] | 1070 | mbedtls_ssl_tls13_set_hs_sent_ext_mask( |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1071 | ssl, MBEDTLS_TLS_EXT_PRE_SHARED_KEY); |
| Jerry Yu | 0c354a2 | 2022-08-29 15:25:36 +0800 | [diff] [blame] | 1072 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1073 | return 0; |
| XiaokangQian | eb69aee | 2022-07-05 08:21:43 +0000 | [diff] [blame] | 1074 | } |
| Jerry Yu | 0c6105b | 2022-08-12 17:26:40 +0800 | [diff] [blame] | 1075 | |
| 1076 | /* |
| 1077 | * struct { |
| 1078 | * opaque identity<1..2^16-1>; |
| 1079 | * uint32 obfuscated_ticket_age; |
| 1080 | * } PskIdentity; |
| 1081 | * |
| 1082 | * opaque PskBinderEntry<32..255>; |
| 1083 | * |
| 1084 | * struct { |
| 1085 | * |
| 1086 | * select (Handshake.msg_type) { |
| 1087 | * ... |
| 1088 | * case server_hello: uint16 selected_identity; |
| 1089 | * }; |
| 1090 | * |
| 1091 | * } PreSharedKeyExtension; |
| 1092 | * |
| 1093 | */ |
| 1094 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1095 | static int ssl_tls13_parse_server_pre_shared_key_ext(mbedtls_ssl_context *ssl, |
| 1096 | const unsigned char *buf, |
| 1097 | const unsigned char *end) |
| Jerry Yu | 0c6105b | 2022-08-12 17:26:40 +0800 | [diff] [blame] | 1098 | { |
| Jerry Yu | a99cbfa | 2022-10-08 11:17:14 +0800 | [diff] [blame] | 1099 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| Jerry Yu | b300e3c | 2022-09-28 22:12:07 +0800 | [diff] [blame] | 1100 | int selected_identity; |
| Jerry Yu | b300e3c | 2022-09-28 22:12:07 +0800 | [diff] [blame] | 1101 | const unsigned char *psk; |
| 1102 | size_t psk_len; |
| Jerry Yu | a99cbfa | 2022-10-08 11:17:14 +0800 | [diff] [blame] | 1103 | psa_algorithm_t hash_alg; |
| Jerry Yu | b300e3c | 2022-09-28 22:12:07 +0800 | [diff] [blame] | 1104 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1105 | MBEDTLS_SSL_CHK_BUF_READ_PTR(buf, end, 2); |
| 1106 | selected_identity = MBEDTLS_GET_UINT16_BE(buf, 0); |
| Xiaokang Qian | 2a67493 | 2023-01-04 03:15:09 +0000 | [diff] [blame] | 1107 | ssl->handshake->selected_identity = (uint16_t) selected_identity; |
| Jerry Yu | a99cbfa | 2022-10-08 11:17:14 +0800 | [diff] [blame] | 1108 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1109 | MBEDTLS_SSL_DEBUG_MSG(3, ("selected_identity = %d", selected_identity)); |
| Jerry Yu | a99cbfa | 2022-10-08 11:17:14 +0800 | [diff] [blame] | 1110 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1111 | if (selected_identity >= ssl_tls13_get_configured_psk_count(ssl)) { |
| 1112 | MBEDTLS_SSL_DEBUG_MSG(1, ("Invalid PSK identity.")); |
| Jerry Yu | 4a69834 | 2022-09-30 12:22:01 +0800 | [diff] [blame] | 1113 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1114 | MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER, |
| 1115 | MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER); |
| 1116 | return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; |
| Jerry Yu | b300e3c | 2022-09-28 22:12:07 +0800 | [diff] [blame] | 1117 | } |
| Jerry Yu | a99cbfa | 2022-10-08 11:17:14 +0800 | [diff] [blame] | 1118 | |
| Jerry Yu | 4a69834 | 2022-09-30 12:22:01 +0800 | [diff] [blame] | 1119 | #if defined(MBEDTLS_SSL_SESSION_TICKETS) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1120 | if (selected_identity == 0 && ssl_tls13_has_configured_ticket(ssl)) { |
| 1121 | ret = ssl_tls13_ticket_get_psk(ssl, &hash_alg, &psk, &psk_len); |
| 1122 | } else |
| Jerry Yu | 4a69834 | 2022-09-30 12:22:01 +0800 | [diff] [blame] | 1123 | #endif |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1124 | if (mbedtls_ssl_conf_has_static_psk(ssl->conf)) { |
| 1125 | ret = ssl_tls13_psk_get_psk(ssl, &hash_alg, &psk, &psk_len); |
| 1126 | } else { |
| 1127 | MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); |
| 1128 | return MBEDTLS_ERR_SSL_INTERNAL_ERROR; |
| Jerry Yu | b300e3c | 2022-09-28 22:12:07 +0800 | [diff] [blame] | 1129 | } |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1130 | if (ret != 0) { |
| 1131 | return ret; |
| Jerry Yu | b300e3c | 2022-09-28 22:12:07 +0800 | [diff] [blame] | 1132 | } |
| Jerry Yu | b300e3c | 2022-09-28 22:12:07 +0800 | [diff] [blame] | 1133 | |
| Xiaokang Qian | eb31cbc | 2023-02-07 02:08:56 +0000 | [diff] [blame] | 1134 | if (mbedtls_psa_translate_md(ssl->handshake->ciphersuite_info->mac) |
| 1135 | != hash_alg) { |
| 1136 | MBEDTLS_SSL_DEBUG_MSG( |
| 1137 | 1, ("Invalid ciphersuite for external psk.")); |
| 1138 | |
| 1139 | MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER, |
| 1140 | MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER); |
| 1141 | return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; |
| 1142 | } |
| 1143 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1144 | ret = mbedtls_ssl_set_hs_psk(ssl, psk, psk_len); |
| 1145 | if (ret != 0) { |
| 1146 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_set_hs_psk", ret); |
| 1147 | return ret; |
| 1148 | } |
| 1149 | |
| 1150 | return 0; |
| Jerry Yu | 0c6105b | 2022-08-12 17:26:40 +0800 | [diff] [blame] | 1151 | } |
| Ronald Cron | 41a443a | 2022-10-04 16:38:25 +0200 | [diff] [blame] | 1152 | #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */ |
| XiaokangQian | eb69aee | 2022-07-05 08:21:43 +0000 | [diff] [blame] | 1153 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1154 | int mbedtls_ssl_tls13_write_client_hello_exts(mbedtls_ssl_context *ssl, |
| 1155 | unsigned char *buf, |
| 1156 | unsigned char *end, |
| 1157 | size_t *out_len) |
| Ronald Cron | 04fbd2b | 2022-02-18 12:06:07 +0100 | [diff] [blame] | 1158 | { |
| 1159 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| 1160 | unsigned char *p = buf; |
| 1161 | size_t ext_len; |
| 1162 | |
| 1163 | *out_len = 0; |
| 1164 | |
| 1165 | /* Write supported_versions extension |
| 1166 | * |
| 1167 | * Supported Versions Extension is mandatory with TLS 1.3. |
| 1168 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1169 | ret = ssl_tls13_write_supported_versions_ext(ssl, p, end, &ext_len); |
| 1170 | if (ret != 0) { |
| 1171 | return ret; |
| 1172 | } |
| Ronald Cron | 04fbd2b | 2022-02-18 12:06:07 +0100 | [diff] [blame] | 1173 | p += ext_len; |
| 1174 | |
| 1175 | /* Echo the cookie if the server provided one in its preceding |
| 1176 | * HelloRetryRequest message. |
| 1177 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1178 | ret = ssl_tls13_write_cookie_ext(ssl, p, end, &ext_len); |
| 1179 | if (ret != 0) { |
| 1180 | return ret; |
| 1181 | } |
| Ronald Cron | 04fbd2b | 2022-02-18 12:06:07 +0100 | [diff] [blame] | 1182 | p += ext_len; |
| 1183 | |
| Ronald Cron | 766c0cd | 2022-10-18 12:17:11 +0200 | [diff] [blame] | 1184 | #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1185 | if (mbedtls_ssl_conf_tls13_some_ephemeral_enabled(ssl)) { |
| 1186 | ret = ssl_tls13_write_key_share_ext(ssl, p, end, &ext_len); |
| 1187 | if (ret != 0) { |
| 1188 | return ret; |
| 1189 | } |
| Ronald Cron | 04fbd2b | 2022-02-18 12:06:07 +0100 | [diff] [blame] | 1190 | p += ext_len; |
| 1191 | } |
| Ronald Cron | 766c0cd | 2022-10-18 12:17:11 +0200 | [diff] [blame] | 1192 | #endif |
| Ronald Cron | 04fbd2b | 2022-02-18 12:06:07 +0100 | [diff] [blame] | 1193 | |
| Xiaokang Qian | 0e97d4d | 2022-10-24 11:12:51 +0000 | [diff] [blame] | 1194 | #if defined(MBEDTLS_SSL_EARLY_DATA) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1195 | if (mbedtls_ssl_conf_tls13_some_psk_enabled(ssl) && |
| 1196 | ssl_tls13_early_data_has_valid_ticket(ssl) && |
| 1197 | ssl->conf->early_data_enabled == MBEDTLS_SSL_EARLY_DATA_ENABLED) { |
| 1198 | ret = mbedtls_ssl_tls13_write_early_data_ext(ssl, p, end, &ext_len); |
| 1199 | if (ret != 0) { |
| 1200 | return ret; |
| 1201 | } |
| Xiaokang Qian | 0e97d4d | 2022-10-24 11:12:51 +0000 | [diff] [blame] | 1202 | p += ext_len; |
| 1203 | |
| Ronald Cron | 4a8c9e2 | 2022-10-26 18:49:09 +0200 | [diff] [blame] | 1204 | /* Initializes the status to `rejected`. It will be updated to |
| 1205 | * `accepted` if the EncryptedExtension message contain an early data |
| 1206 | * indication extension. |
| Xiaokang Qian | a042b84 | 2022-11-09 01:59:33 +0000 | [diff] [blame] | 1207 | */ |
| Ronald Cron | 4a8c9e2 | 2022-10-26 18:49:09 +0200 | [diff] [blame] | 1208 | ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1209 | } else { |
| 1210 | MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write early_data extension")); |
| Xiaokang Qian | f447e8a | 2022-11-08 07:02:27 +0000 | [diff] [blame] | 1211 | ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT; |
| Xiaokang Qian | 0e97d4d | 2022-10-24 11:12:51 +0000 | [diff] [blame] | 1212 | } |
| 1213 | #endif /* MBEDTLS_SSL_EARLY_DATA */ |
| 1214 | |
| Ronald Cron | 41a443a | 2022-10-04 16:38:25 +0200 | [diff] [blame] | 1215 | #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED) |
| XiaokangQian | eb69aee | 2022-07-05 08:21:43 +0000 | [diff] [blame] | 1216 | /* For PSK-based key exchange we need the pre_shared_key extension |
| 1217 | * and the psk_key_exchange_modes extension. |
| 1218 | * |
| 1219 | * The pre_shared_key extension MUST be the last extension in the |
| 1220 | * ClientHello. Servers MUST check that it is the last extension and |
| 1221 | * otherwise fail the handshake with an "illegal_parameter" alert. |
| 1222 | * |
| 1223 | * Add the psk_key_exchange_modes extension. |
| 1224 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1225 | ret = ssl_tls13_write_psk_key_exchange_modes_ext(ssl, p, end, &ext_len); |
| 1226 | if (ret != 0) { |
| 1227 | return ret; |
| 1228 | } |
| XiaokangQian | eb69aee | 2022-07-05 08:21:43 +0000 | [diff] [blame] | 1229 | p += ext_len; |
| Ronald Cron | 41a443a | 2022-10-04 16:38:25 +0200 | [diff] [blame] | 1230 | #endif |
| XiaokangQian | eb69aee | 2022-07-05 08:21:43 +0000 | [diff] [blame] | 1231 | |
| Ronald Cron | 04fbd2b | 2022-02-18 12:06:07 +0100 | [diff] [blame] | 1232 | *out_len = p - buf; |
| 1233 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1234 | return 0; |
| Ronald Cron | 04fbd2b | 2022-02-18 12:06:07 +0100 | [diff] [blame] | 1235 | } |
| 1236 | |
| Xiaokang Qian | 934ce6f | 2023-02-06 10:23:04 +0000 | [diff] [blame] | 1237 | int mbedtls_ssl_tls13_finalize_client_hello(mbedtls_ssl_context *ssl) |
| Xiaokang Qian | 126929f | 2023-01-03 10:29:41 +0000 | [diff] [blame] | 1238 | { |
| Xiaokang Qian | 9074613 | 2023-01-06 05:54:59 +0000 | [diff] [blame] | 1239 | ((void) ssl); |
| Xiaokang Qian | 79f7752 | 2023-01-28 10:35:29 +0000 | [diff] [blame] | 1240 | |
| Xiaokang Qian | 126929f | 2023-01-03 10:29:41 +0000 | [diff] [blame] | 1241 | #if defined(MBEDTLS_SSL_EARLY_DATA) |
| 1242 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| 1243 | psa_algorithm_t hash_alg = PSA_ALG_NONE; |
| 1244 | const unsigned char *psk; |
| 1245 | size_t psk_len; |
| 1246 | const mbedtls_ssl_ciphersuite_t *ciphersuite_info; |
| Xiaokang Qian | 592021a | 2023-01-04 10:47:05 +0000 | [diff] [blame] | 1247 | |
| Xiaokang Qian | 126929f | 2023-01-03 10:29:41 +0000 | [diff] [blame] | 1248 | if (ssl->early_data_status == MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED) { |
| Xiaokang Qian | 6be8290 | 2023-02-03 06:04:43 +0000 | [diff] [blame] | 1249 | #if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE) |
| 1250 | mbedtls_ssl_handshake_set_state( |
| 1251 | ssl, MBEDTLS_SSL_CLIENT_CCS_AFTER_CLIENT_HELLO); |
| 1252 | #endif |
| Xiaokang Qian | 126929f | 2023-01-03 10:29:41 +0000 | [diff] [blame] | 1253 | MBEDTLS_SSL_DEBUG_MSG( |
| 1254 | 1, ("Set hs psk for early data when writing the first psk")); |
| 1255 | |
| 1256 | ret = ssl_tls13_ticket_get_psk(ssl, &hash_alg, &psk, &psk_len); |
| 1257 | if (ret != 0) { |
| 1258 | MBEDTLS_SSL_DEBUG_RET( |
| 1259 | 1, "ssl_tls13_ticket_get_psk", ret); |
| 1260 | return ret; |
| 1261 | } |
| 1262 | |
| 1263 | ret = mbedtls_ssl_set_hs_psk(ssl, psk, psk_len); |
| 1264 | if (ret != 0) { |
| 1265 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_set_hs_psk", ret); |
| 1266 | return ret; |
| 1267 | } |
| 1268 | |
| Xiaokang Qian | 64bc9bc | 2023-02-07 02:32:23 +0000 | [diff] [blame] | 1269 | /* |
| 1270 | * Early data are going to be encrypted using the ciphersuite |
| 1271 | * associated with the pre-shared key used for the handshake. |
| 1272 | * Note that if the server rejects early data, the handshake |
| 1273 | * based on the pre-shared key may complete successfully |
| 1274 | * with a selected ciphersuite different from the ciphersuite |
| 1275 | * associated with the pre-shared key. Only the hashes of the |
| 1276 | * two ciphersuites have to be the same. In that case, the |
| 1277 | * encrypted handshake data and application data are |
| 1278 | * encrypted using a different ciphersuite than the one used for |
| 1279 | * the rejected early data. |
| 1280 | */ |
| Xiaokang Qian | 126929f | 2023-01-03 10:29:41 +0000 | [diff] [blame] | 1281 | ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( |
| 1282 | ssl->session_negotiate->ciphersuite); |
| 1283 | ssl->handshake->ciphersuite_info = ciphersuite_info; |
| Xiaokang Qian | 8dc4ce7 | 2023-02-07 10:49:50 +0000 | [diff] [blame] | 1284 | |
| Tom Cosgrove | 5c8505f | 2023-03-07 11:39:52 +0000 | [diff] [blame] | 1285 | /* Enable psk and psk_ephemeral to make stage early happy */ |
| Xiaokang Qian | 126929f | 2023-01-03 10:29:41 +0000 | [diff] [blame] | 1286 | ssl->handshake->key_exchange_mode = |
| 1287 | MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL; |
| 1288 | |
| 1289 | /* Start the TLS 1.3 key schedule: |
| Xiaokang Qian | 8dc4ce7 | 2023-02-07 10:49:50 +0000 | [diff] [blame] | 1290 | * Set the PSK and derive early secret. |
| Xiaokang Qian | 126929f | 2023-01-03 10:29:41 +0000 | [diff] [blame] | 1291 | */ |
| 1292 | ret = mbedtls_ssl_tls13_key_schedule_stage_early(ssl); |
| 1293 | if (ret != 0) { |
| Xiaokang Qian | 0de0d86 | 2023-02-08 06:04:50 +0000 | [diff] [blame] | 1294 | MBEDTLS_SSL_DEBUG_RET( |
| 1295 | 1, "mbedtls_ssl_tls13_key_schedule_stage_early", ret); |
| Xiaokang Qian | 126929f | 2023-01-03 10:29:41 +0000 | [diff] [blame] | 1296 | return ret; |
| 1297 | } |
| 1298 | |
| 1299 | /* Derive early data key material */ |
| 1300 | ret = mbedtls_ssl_tls13_compute_early_transform(ssl); |
| 1301 | if (ret != 0) { |
| Xiaokang Qian | 0de0d86 | 2023-02-08 06:04:50 +0000 | [diff] [blame] | 1302 | MBEDTLS_SSL_DEBUG_RET( |
| 1303 | 1, "mbedtls_ssl_tls13_compute_early_transform", ret); |
| Xiaokang Qian | 126929f | 2023-01-03 10:29:41 +0000 | [diff] [blame] | 1304 | return ret; |
| 1305 | } |
| 1306 | |
| Xiaokang Qian | 126929f | 2023-01-03 10:29:41 +0000 | [diff] [blame] | 1307 | } |
| 1308 | #endif /* MBEDTLS_SSL_EARLY_DATA */ |
| 1309 | return 0; |
| 1310 | } |
| Jerry Yu | 1bc2c1f | 2021-09-01 12:57:29 +0800 | [diff] [blame] | 1311 | /* |
| Jerry Yu | 4a17338 | 2021-10-11 21:45:31 +0800 | [diff] [blame] | 1312 | * Functions for parsing and processing Server Hello |
| Jerry Yu | e1b9c29 | 2021-09-10 10:08:31 +0800 | [diff] [blame] | 1313 | */ |
| Ronald Cron | fd6193c | 2022-04-05 11:04:20 +0200 | [diff] [blame] | 1314 | |
| Ronald Cron | da41b38 | 2022-03-30 09:57:11 +0200 | [diff] [blame] | 1315 | /** |
| 1316 | * \brief Detect if the ServerHello contains a supported_versions extension |
| 1317 | * or not. |
| 1318 | * |
| 1319 | * \param[in] ssl SSL context |
| 1320 | * \param[in] buf Buffer containing the ServerHello message |
| 1321 | * \param[in] end End of the buffer containing the ServerHello message |
| 1322 | * |
| 1323 | * \return 0 if the ServerHello does not contain a supported_versions extension |
| 1324 | * \return 1 if the ServerHello contains a supported_versions extension |
| 1325 | * \return A negative value if an error occurred while parsing the ServerHello. |
| 1326 | */ |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 1327 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Ronald Cron | 9f0fba3 | 2022-02-10 16:45:15 +0100 | [diff] [blame] | 1328 | static int ssl_tls13_is_supported_versions_ext_present( |
| 1329 | mbedtls_ssl_context *ssl, |
| 1330 | const unsigned char *buf, |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1331 | const unsigned char *end) |
| Ronald Cron | 9f0fba3 | 2022-02-10 16:45:15 +0100 | [diff] [blame] | 1332 | { |
| 1333 | const unsigned char *p = buf; |
| 1334 | size_t legacy_session_id_echo_len; |
| Ronald Cron | eff5673 | 2023-04-03 17:36:31 +0200 | [diff] [blame] | 1335 | const unsigned char *supported_versions_data; |
| 1336 | const unsigned char *supported_versions_data_end; |
| Ronald Cron | 9f0fba3 | 2022-02-10 16:45:15 +0100 | [diff] [blame] | 1337 | |
| 1338 | /* |
| 1339 | * Check there is enough data to access the legacy_session_id_echo vector |
| Ronald Cron | da41b38 | 2022-03-30 09:57:11 +0200 | [diff] [blame] | 1340 | * length: |
| 1341 | * - legacy_version 2 bytes |
| 1342 | * - random MBEDTLS_SERVER_HELLO_RANDOM_LEN bytes |
| 1343 | * - legacy_session_id_echo length 1 byte |
| Ronald Cron | 9f0fba3 | 2022-02-10 16:45:15 +0100 | [diff] [blame] | 1344 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1345 | MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, MBEDTLS_SERVER_HELLO_RANDOM_LEN + 3); |
| Ronald Cron | 9f0fba3 | 2022-02-10 16:45:15 +0100 | [diff] [blame] | 1346 | p += MBEDTLS_SERVER_HELLO_RANDOM_LEN + 2; |
| 1347 | legacy_session_id_echo_len = *p; |
| 1348 | |
| 1349 | /* |
| 1350 | * Jump to the extensions, jumping over: |
| 1351 | * - legacy_session_id_echo (legacy_session_id_echo_len + 1) bytes |
| 1352 | * - cipher_suite 2 bytes |
| 1353 | * - legacy_compression_method 1 byte |
| 1354 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1355 | MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, legacy_session_id_echo_len + 4); |
| 1356 | p += legacy_session_id_echo_len + 4; |
| Ronald Cron | 9f0fba3 | 2022-02-10 16:45:15 +0100 | [diff] [blame] | 1357 | |
| Ronald Cron | 47dce63 | 2023-02-08 17:38:29 +0100 | [diff] [blame] | 1358 | return mbedtls_ssl_tls13_is_supported_versions_ext_present_in_exts( |
| 1359 | ssl, p, end, |
| Ronald Cron | eff5673 | 2023-04-03 17:36:31 +0200 | [diff] [blame] | 1360 | &supported_versions_data, &supported_versions_data_end); |
| Ronald Cron | 9f0fba3 | 2022-02-10 16:45:15 +0100 | [diff] [blame] | 1361 | } |
| 1362 | |
| Jerry Yu | 7a186a0 | 2021-10-15 18:46:14 +0800 | [diff] [blame] | 1363 | /* Returns a negative value on failure, and otherwise |
| Ronald Cron | fd6193c | 2022-04-05 11:04:20 +0200 | [diff] [blame] | 1364 | * - 1 if the last eight bytes of the ServerHello random bytes indicate that |
| 1365 | * the server is TLS 1.3 capable but negotiating TLS 1.2 or below. |
| 1366 | * - 0 otherwise |
| 1367 | */ |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 1368 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1369 | static int ssl_tls13_is_downgrade_negotiation(mbedtls_ssl_context *ssl, |
| 1370 | const unsigned char *buf, |
| 1371 | const unsigned char *end) |
| Ronald Cron | fd6193c | 2022-04-05 11:04:20 +0200 | [diff] [blame] | 1372 | { |
| 1373 | /* First seven bytes of the magic downgrade strings, see RFC 8446 4.1.3 */ |
| 1374 | static const unsigned char magic_downgrade_string[] = |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1375 | { 0x44, 0x4F, 0x57, 0x4E, 0x47, 0x52, 0x44 }; |
| Ronald Cron | fd6193c | 2022-04-05 11:04:20 +0200 | [diff] [blame] | 1376 | const unsigned char *last_eight_bytes_of_random; |
| 1377 | unsigned char last_byte_of_random; |
| 1378 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1379 | MBEDTLS_SSL_CHK_BUF_READ_PTR(buf, end, MBEDTLS_SERVER_HELLO_RANDOM_LEN + 2); |
| Ronald Cron | fd6193c | 2022-04-05 11:04:20 +0200 | [diff] [blame] | 1380 | last_eight_bytes_of_random = buf + 2 + MBEDTLS_SERVER_HELLO_RANDOM_LEN - 8; |
| 1381 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1382 | if (memcmp(last_eight_bytes_of_random, |
| 1383 | magic_downgrade_string, |
| 1384 | sizeof(magic_downgrade_string)) == 0) { |
| Ronald Cron | fd6193c | 2022-04-05 11:04:20 +0200 | [diff] [blame] | 1385 | last_byte_of_random = last_eight_bytes_of_random[7]; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1386 | return last_byte_of_random == 0 || |
| 1387 | last_byte_of_random == 1; |
| Ronald Cron | fd6193c | 2022-04-05 11:04:20 +0200 | [diff] [blame] | 1388 | } |
| 1389 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1390 | return 0; |
| Ronald Cron | fd6193c | 2022-04-05 11:04:20 +0200 | [diff] [blame] | 1391 | } |
| 1392 | |
| 1393 | /* Returns a negative value on failure, and otherwise |
| Ronald Cron | 828aff6 | 2022-05-31 12:04:31 +0200 | [diff] [blame] | 1394 | * - SSL_SERVER_HELLO or |
| 1395 | * - SSL_SERVER_HELLO_HRR |
| XiaokangQian | 51eff22 | 2021-12-10 10:33:56 +0000 | [diff] [blame] | 1396 | * to indicate which message is expected and to be parsed next. |
| 1397 | */ |
| Ronald Cron | 828aff6 | 2022-05-31 12:04:31 +0200 | [diff] [blame] | 1398 | #define SSL_SERVER_HELLO 0 |
| 1399 | #define SSL_SERVER_HELLO_HRR 1 |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 1400 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1401 | static int ssl_server_hello_is_hrr(mbedtls_ssl_context *ssl, |
| 1402 | const unsigned char *buf, |
| 1403 | const unsigned char *end) |
| Jerry Yu | e1b9c29 | 2021-09-10 10:08:31 +0800 | [diff] [blame] | 1404 | { |
| Jerry Yu | e1b9c29 | 2021-09-10 10:08:31 +0800 | [diff] [blame] | 1405 | |
| 1406 | /* Check whether this message is a HelloRetryRequest ( HRR ) message. |
| 1407 | * |
| Jerry Yu | 4a17338 | 2021-10-11 21:45:31 +0800 | [diff] [blame] | 1408 | * Server Hello and HRR are only distinguished by Random set to the |
| Jerry Yu | e1b9c29 | 2021-09-10 10:08:31 +0800 | [diff] [blame] | 1409 | * special value of the SHA-256 of "HelloRetryRequest". |
| 1410 | * |
| 1411 | * struct { |
| 1412 | * ProtocolVersion legacy_version = 0x0303; |
| 1413 | * Random random; |
| 1414 | * opaque legacy_session_id_echo<0..32>; |
| 1415 | * CipherSuite cipher_suite; |
| 1416 | * uint8 legacy_compression_method = 0; |
| Jerry Yu | b85277e | 2021-10-13 13:36:05 +0800 | [diff] [blame] | 1417 | * Extension extensions<6..2^16-1>; |
| Jerry Yu | e1b9c29 | 2021-09-10 10:08:31 +0800 | [diff] [blame] | 1418 | * } ServerHello; |
| 1419 | * |
| 1420 | */ |
| Xiaokang Qian | 958b6ff | 2023-03-29 10:37:35 +0000 | [diff] [blame] | 1421 | MBEDTLS_SSL_CHK_BUF_READ_PTR( |
| 1422 | buf, end, 2 + sizeof(mbedtls_ssl_tls13_hello_retry_request_magic)); |
| Jerry Yu | 4a17338 | 2021-10-11 21:45:31 +0800 | [diff] [blame] | 1423 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1424 | if (memcmp(buf + 2, mbedtls_ssl_tls13_hello_retry_request_magic, |
| 1425 | sizeof(mbedtls_ssl_tls13_hello_retry_request_magic)) == 0) { |
| 1426 | return SSL_SERVER_HELLO_HRR; |
| Jerry Yu | e1b9c29 | 2021-09-10 10:08:31 +0800 | [diff] [blame] | 1427 | } |
| 1428 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1429 | return SSL_SERVER_HELLO; |
| Jerry Yu | e1b9c29 | 2021-09-10 10:08:31 +0800 | [diff] [blame] | 1430 | } |
| 1431 | |
| Ronald Cron | 828aff6 | 2022-05-31 12:04:31 +0200 | [diff] [blame] | 1432 | /* |
| Jerry Yu | 745bb61 | 2021-10-13 22:01:04 +0800 | [diff] [blame] | 1433 | * Returns a negative value on failure, and otherwise |
| Ronald Cron | 828aff6 | 2022-05-31 12:04:31 +0200 | [diff] [blame] | 1434 | * - SSL_SERVER_HELLO or |
| 1435 | * - SSL_SERVER_HELLO_HRR or |
| 1436 | * - SSL_SERVER_HELLO_TLS1_2 |
| Jerry Yu | 745bb61 | 2021-10-13 22:01:04 +0800 | [diff] [blame] | 1437 | */ |
| Ronald Cron | 828aff6 | 2022-05-31 12:04:31 +0200 | [diff] [blame] | 1438 | #define SSL_SERVER_HELLO_TLS1_2 2 |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 1439 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1440 | static int ssl_tls13_preprocess_server_hello(mbedtls_ssl_context *ssl, |
| 1441 | const unsigned char *buf, |
| 1442 | const unsigned char *end) |
| Jerry Yu | e1b9c29 | 2021-09-10 10:08:31 +0800 | [diff] [blame] | 1443 | { |
| Jerry Yu | 4a17338 | 2021-10-11 21:45:31 +0800 | [diff] [blame] | 1444 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| Ronald Cron | 5afb904 | 2022-05-31 12:11:39 +0200 | [diff] [blame] | 1445 | mbedtls_ssl_handshake_params *handshake = ssl->handshake; |
| Jerry Yu | e1b9c29 | 2021-09-10 10:08:31 +0800 | [diff] [blame] | 1446 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1447 | MBEDTLS_SSL_PROC_CHK_NEG(ssl_tls13_is_supported_versions_ext_present( |
| 1448 | ssl, buf, end)); |
| Jerry Yu | a66fece | 2022-07-13 14:30:29 +0800 | [diff] [blame] | 1449 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1450 | if (ret == 0) { |
| Ronald Cron | fd6193c | 2022-04-05 11:04:20 +0200 | [diff] [blame] | 1451 | MBEDTLS_SSL_PROC_CHK_NEG( |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1452 | ssl_tls13_is_downgrade_negotiation(ssl, buf, end)); |
| Ronald Cron | fd6193c | 2022-04-05 11:04:20 +0200 | [diff] [blame] | 1453 | |
| 1454 | /* If the server is negotiating TLS 1.2 or below and: |
| 1455 | * . we did not propose TLS 1.2 or |
| 1456 | * . the server responded it is TLS 1.3 capable but negotiating a lower |
| 1457 | * version of the protocol and thus we are under downgrade attack |
| 1458 | * abort the handshake with an "illegal parameter" alert. |
| Ronald Cron | 9f0fba3 | 2022-02-10 16:45:15 +0100 | [diff] [blame] | 1459 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1460 | if (handshake->min_tls_version > MBEDTLS_SSL_VERSION_TLS1_2 || ret) { |
| 1461 | MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER, |
| 1462 | MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER); |
| 1463 | return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; |
| Ronald Cron | 9f0fba3 | 2022-02-10 16:45:15 +0100 | [diff] [blame] | 1464 | } |
| 1465 | |
| Ronald Cron | b828c7d | 2023-04-03 16:37:22 +0200 | [diff] [blame] | 1466 | /* |
| 1467 | * Version 1.2 of the protocol has been negotiated, set the |
| 1468 | * ssl->keep_current_message flag for the ServerHello to be kept and |
| 1469 | * parsed as a TLS 1.2 ServerHello. We also change ssl->tls_version to |
| 1470 | * MBEDTLS_SSL_VERSION_TLS1_2 thus from now on mbedtls_ssl_handshake_step() |
| 1471 | * will dispatch to the TLS 1.2 state machine. |
| 1472 | */ |
| Ronald Cron | 9f0fba3 | 2022-02-10 16:45:15 +0100 | [diff] [blame] | 1473 | ssl->keep_current_message = 1; |
| Glenn Strauss | 60bfe60 | 2022-03-14 19:04:24 -0400 | [diff] [blame] | 1474 | ssl->tls_version = MBEDTLS_SSL_VERSION_TLS1_2; |
| Xiaokang Qian | 958b6ff | 2023-03-29 10:37:35 +0000 | [diff] [blame] | 1475 | MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum( |
| 1476 | ssl, MBEDTLS_SSL_HS_SERVER_HELLO, |
| 1477 | buf, (size_t) (end - buf))); |
| Ronald Cron | 9f0fba3 | 2022-02-10 16:45:15 +0100 | [diff] [blame] | 1478 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1479 | if (mbedtls_ssl_conf_tls13_some_ephemeral_enabled(ssl)) { |
| 1480 | ret = ssl_tls13_reset_key_share(ssl); |
| 1481 | if (ret != 0) { |
| 1482 | return ret; |
| 1483 | } |
| Ronald Cron | 9f0fba3 | 2022-02-10 16:45:15 +0100 | [diff] [blame] | 1484 | } |
| 1485 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1486 | return SSL_SERVER_HELLO_TLS1_2; |
| Ronald Cron | 9f0fba3 | 2022-02-10 16:45:15 +0100 | [diff] [blame] | 1487 | } |
| 1488 | |
| Jerry Yu | a66fece | 2022-07-13 14:30:29 +0800 | [diff] [blame] | 1489 | #if defined(MBEDTLS_SSL_SESSION_TICKETS) |
| 1490 | ssl->session_negotiate->endpoint = ssl->conf->endpoint; |
| 1491 | ssl->session_negotiate->tls_version = ssl->tls_version; |
| 1492 | #endif /* MBEDTLS_SSL_SESSION_TICKETS */ |
| 1493 | |
| Jerry Yu | 50e00e3 | 2022-10-31 14:45:01 +0800 | [diff] [blame] | 1494 | handshake->received_extensions = MBEDTLS_SSL_EXT_MASK_NONE; |
| Ronald Cron | 5afb904 | 2022-05-31 12:11:39 +0200 | [diff] [blame] | 1495 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1496 | ret = ssl_server_hello_is_hrr(ssl, buf, end); |
| 1497 | switch (ret) { |
| Ronald Cron | 828aff6 | 2022-05-31 12:04:31 +0200 | [diff] [blame] | 1498 | case SSL_SERVER_HELLO: |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1499 | MBEDTLS_SSL_DEBUG_MSG(2, ("received ServerHello message")); |
| Jerry Yu | 745bb61 | 2021-10-13 22:01:04 +0800 | [diff] [blame] | 1500 | break; |
| Ronald Cron | 828aff6 | 2022-05-31 12:04:31 +0200 | [diff] [blame] | 1501 | case SSL_SERVER_HELLO_HRR: |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1502 | MBEDTLS_SSL_DEBUG_MSG(2, ("received HelloRetryRequest message")); |
| Xiaokang Qian | 958b6ff | 2023-03-29 10:37:35 +0000 | [diff] [blame] | 1503 | /* If a client receives a second HelloRetryRequest in the same |
| 1504 | * connection (i.e., where the ClientHello was itself in response |
| 1505 | * to a HelloRetryRequest), it MUST abort the handshake with an |
| 1506 | * "unexpected_message" alert. |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1507 | */ |
| 1508 | if (handshake->hello_retry_request_count > 0) { |
| 1509 | MBEDTLS_SSL_DEBUG_MSG(1, ("Multiple HRRs received")); |
| Xiaokang Qian | 958b6ff | 2023-03-29 10:37:35 +0000 | [diff] [blame] | 1510 | MBEDTLS_SSL_PEND_FATAL_ALERT( |
| 1511 | MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE, |
| 1512 | MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE); |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1513 | return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE; |
| XiaokangQian | 16acd4b | 2022-01-14 07:35:47 +0000 | [diff] [blame] | 1514 | } |
| XiaokangQian | 2b01dc3 | 2022-01-21 02:53:13 +0000 | [diff] [blame] | 1515 | /* |
| 1516 | * Clients must abort the handshake with an "illegal_parameter" |
| 1517 | * alert if the HelloRetryRequest would not result in any change |
| 1518 | * in the ClientHello. |
| 1519 | * In a PSK only key exchange that what we expect. |
| 1520 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1521 | if (!mbedtls_ssl_conf_tls13_some_ephemeral_enabled(ssl)) { |
| 1522 | MBEDTLS_SSL_DEBUG_MSG(1, |
| 1523 | ("Unexpected HRR in pure PSK key exchange.")); |
| XiaokangQian | 2b01dc3 | 2022-01-21 02:53:13 +0000 | [diff] [blame] | 1524 | MBEDTLS_SSL_PEND_FATAL_ALERT( |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1525 | MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER, |
| 1526 | MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER); |
| 1527 | return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; |
| XiaokangQian | 2b01dc3 | 2022-01-21 02:53:13 +0000 | [diff] [blame] | 1528 | } |
| XiaokangQian | 16acd4b | 2022-01-14 07:35:47 +0000 | [diff] [blame] | 1529 | |
| Ronald Cron | 5afb904 | 2022-05-31 12:11:39 +0200 | [diff] [blame] | 1530 | handshake->hello_retry_request_count++; |
| XiaokangQian | 16acd4b | 2022-01-14 07:35:47 +0000 | [diff] [blame] | 1531 | |
| Jerry Yu | 745bb61 | 2021-10-13 22:01:04 +0800 | [diff] [blame] | 1532 | break; |
| Jerry Yu | e1b9c29 | 2021-09-10 10:08:31 +0800 | [diff] [blame] | 1533 | } |
| 1534 | |
| 1535 | cleanup: |
| 1536 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1537 | return ret; |
| Jerry Yu | e1b9c29 | 2021-09-10 10:08:31 +0800 | [diff] [blame] | 1538 | } |
| 1539 | |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 1540 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1541 | static int ssl_tls13_check_server_hello_session_id_echo(mbedtls_ssl_context *ssl, |
| 1542 | const unsigned char **buf, |
| 1543 | const unsigned char *end) |
| Jerry Yu | e1b9c29 | 2021-09-10 10:08:31 +0800 | [diff] [blame] | 1544 | { |
| 1545 | const unsigned char *p = *buf; |
| Jerry Yu | 4a17338 | 2021-10-11 21:45:31 +0800 | [diff] [blame] | 1546 | size_t legacy_session_id_echo_len; |
| Jerry Yu | e1b9c29 | 2021-09-10 10:08:31 +0800 | [diff] [blame] | 1547 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1548 | MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 1); |
| 1549 | legacy_session_id_echo_len = *p++; |
| Jerry Yu | e1b9c29 | 2021-09-10 10:08:31 +0800 | [diff] [blame] | 1550 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1551 | MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, legacy_session_id_echo_len); |
| Jerry Yu | e1b9c29 | 2021-09-10 10:08:31 +0800 | [diff] [blame] | 1552 | |
| 1553 | /* legacy_session_id_echo */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1554 | if (ssl->session_negotiate->id_len != legacy_session_id_echo_len || |
| 1555 | memcmp(ssl->session_negotiate->id, p, legacy_session_id_echo_len) != 0) { |
| 1556 | MBEDTLS_SSL_DEBUG_BUF(3, "Expected Session ID", |
| 1557 | ssl->session_negotiate->id, |
| 1558 | ssl->session_negotiate->id_len); |
| 1559 | MBEDTLS_SSL_DEBUG_BUF(3, "Received Session ID", p, |
| 1560 | legacy_session_id_echo_len); |
| Jerry Yu | 4a17338 | 2021-10-11 21:45:31 +0800 | [diff] [blame] | 1561 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1562 | MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER, |
| 1563 | MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER); |
| Jerry Yu | 4a17338 | 2021-10-11 21:45:31 +0800 | [diff] [blame] | 1564 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1565 | return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; |
| Jerry Yu | e1b9c29 | 2021-09-10 10:08:31 +0800 | [diff] [blame] | 1566 | } |
| 1567 | |
| Jerry Yu | 4a17338 | 2021-10-11 21:45:31 +0800 | [diff] [blame] | 1568 | p += legacy_session_id_echo_len; |
| Jerry Yu | e1b9c29 | 2021-09-10 10:08:31 +0800 | [diff] [blame] | 1569 | *buf = p; |
| 1570 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1571 | MBEDTLS_SSL_DEBUG_BUF(3, "Session ID", ssl->session_negotiate->id, |
| 1572 | ssl->session_negotiate->id_len); |
| 1573 | return 0; |
| Jerry Yu | e1b9c29 | 2021-09-10 10:08:31 +0800 | [diff] [blame] | 1574 | } |
| 1575 | |
| Jerry Yu | e1b9c29 | 2021-09-10 10:08:31 +0800 | [diff] [blame] | 1576 | /* Parse ServerHello message and configure context |
| 1577 | * |
| 1578 | * struct { |
| 1579 | * ProtocolVersion legacy_version = 0x0303; // TLS 1.2 |
| 1580 | * Random random; |
| 1581 | * opaque legacy_session_id_echo<0..32>; |
| 1582 | * CipherSuite cipher_suite; |
| 1583 | * uint8 legacy_compression_method = 0; |
| Jerry Yu | b85277e | 2021-10-13 13:36:05 +0800 | [diff] [blame] | 1584 | * Extension extensions<6..2^16-1>; |
| Jerry Yu | e1b9c29 | 2021-09-10 10:08:31 +0800 | [diff] [blame] | 1585 | * } ServerHello; |
| 1586 | */ |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 1587 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1588 | static int ssl_tls13_parse_server_hello(mbedtls_ssl_context *ssl, |
| 1589 | const unsigned char *buf, |
| 1590 | const unsigned char *end, |
| 1591 | int is_hrr) |
| Jerry Yu | e1b9c29 | 2021-09-10 10:08:31 +0800 | [diff] [blame] | 1592 | { |
| Jerry Yu | b85277e | 2021-10-13 13:36:05 +0800 | [diff] [blame] | 1593 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| Jerry Yu | e1b9c29 | 2021-09-10 10:08:31 +0800 | [diff] [blame] | 1594 | const unsigned char *p = buf; |
| XiaokangQian | 355e09a | 2022-01-20 11:14:50 +0000 | [diff] [blame] | 1595 | mbedtls_ssl_handshake_params *handshake = ssl->handshake; |
| Jerry Yu | b85277e | 2021-10-13 13:36:05 +0800 | [diff] [blame] | 1596 | size_t extensions_len; |
| 1597 | const unsigned char *extensions_end; |
| Jerry Yu | e1b9c29 | 2021-09-10 10:08:31 +0800 | [diff] [blame] | 1598 | uint16_t cipher_suite; |
| Jerry Yu | de4fb2c | 2021-09-19 18:05:08 +0800 | [diff] [blame] | 1599 | const mbedtls_ssl_ciphersuite_t *ciphersuite_info; |
| XiaokangQian | b119a35 | 2022-01-26 03:29:10 +0000 | [diff] [blame] | 1600 | int fatal_alert = 0; |
| Jerry Yu | 0c354a2 | 2022-08-29 15:25:36 +0800 | [diff] [blame] | 1601 | uint32_t allowed_extensions_mask; |
| Jerry Yu | 50e00e3 | 2022-10-31 14:45:01 +0800 | [diff] [blame] | 1602 | int hs_msg_type = is_hrr ? MBEDTLS_SSL_TLS1_3_HS_HELLO_RETRY_REQUEST : |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1603 | MBEDTLS_SSL_HS_SERVER_HELLO; |
| Jerry Yu | e1b9c29 | 2021-09-10 10:08:31 +0800 | [diff] [blame] | 1604 | |
| 1605 | /* |
| 1606 | * Check there is space for minimal fields |
| 1607 | * |
| 1608 | * - legacy_version ( 2 bytes) |
| Jerry Yu | e6d7e5c | 2021-10-26 10:44:32 +0800 | [diff] [blame] | 1609 | * - random (MBEDTLS_SERVER_HELLO_RANDOM_LEN bytes) |
| Jerry Yu | e1b9c29 | 2021-09-10 10:08:31 +0800 | [diff] [blame] | 1610 | * - legacy_session_id_echo ( 1 byte ), minimum size |
| 1611 | * - cipher_suite ( 2 bytes) |
| 1612 | * - legacy_compression_method ( 1 byte ) |
| 1613 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1614 | MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, MBEDTLS_SERVER_HELLO_RANDOM_LEN + 6); |
| Jerry Yu | e1b9c29 | 2021-09-10 10:08:31 +0800 | [diff] [blame] | 1615 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1616 | MBEDTLS_SSL_DEBUG_BUF(4, "server hello", p, end - p); |
| 1617 | MBEDTLS_SSL_DEBUG_BUF(3, "server hello, version", p, 2); |
| Jerry Yu | e1b9c29 | 2021-09-10 10:08:31 +0800 | [diff] [blame] | 1618 | |
| Jerry Yu | 4a17338 | 2021-10-11 21:45:31 +0800 | [diff] [blame] | 1619 | /* ... |
| Jerry Yu | b85277e | 2021-10-13 13:36:05 +0800 | [diff] [blame] | 1620 | * ProtocolVersion legacy_version = 0x0303; // TLS 1.2 |
| Jerry Yu | 4a17338 | 2021-10-11 21:45:31 +0800 | [diff] [blame] | 1621 | * ... |
| 1622 | * with ProtocolVersion defined as: |
| 1623 | * uint16 ProtocolVersion; |
| 1624 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1625 | if (mbedtls_ssl_read_version(p, ssl->conf->transport) != |
| 1626 | MBEDTLS_SSL_VERSION_TLS1_2) { |
| 1627 | MBEDTLS_SSL_DEBUG_MSG(1, ("Unsupported version of TLS.")); |
| 1628 | MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION, |
| 1629 | MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION); |
| XiaokangQian | d59be77 | 2022-01-24 10:12:51 +0000 | [diff] [blame] | 1630 | ret = MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION; |
| 1631 | goto cleanup; |
| Jerry Yu | e1b9c29 | 2021-09-10 10:08:31 +0800 | [diff] [blame] | 1632 | } |
| 1633 | p += 2; |
| Jerry Yu | e1b9c29 | 2021-09-10 10:08:31 +0800 | [diff] [blame] | 1634 | |
| Jerry Yu | e6d7e5c | 2021-10-26 10:44:32 +0800 | [diff] [blame] | 1635 | /* ... |
| Jerry Yu | 4a17338 | 2021-10-11 21:45:31 +0800 | [diff] [blame] | 1636 | * Random random; |
| 1637 | * ... |
| 1638 | * with Random defined as: |
| Jerry Yu | e6d7e5c | 2021-10-26 10:44:32 +0800 | [diff] [blame] | 1639 | * opaque Random[MBEDTLS_SERVER_HELLO_RANDOM_LEN]; |
| Jerry Yu | 4a17338 | 2021-10-11 21:45:31 +0800 | [diff] [blame] | 1640 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1641 | if (!is_hrr) { |
| 1642 | memcpy(&handshake->randbytes[MBEDTLS_CLIENT_HELLO_RANDOM_LEN], p, |
| 1643 | MBEDTLS_SERVER_HELLO_RANDOM_LEN); |
| 1644 | MBEDTLS_SSL_DEBUG_BUF(3, "server hello, random bytes", |
| 1645 | p, MBEDTLS_SERVER_HELLO_RANDOM_LEN); |
| XiaokangQian | 53f20b7 | 2022-01-18 10:47:33 +0000 | [diff] [blame] | 1646 | } |
| Jerry Yu | e6d7e5c | 2021-10-26 10:44:32 +0800 | [diff] [blame] | 1647 | p += MBEDTLS_SERVER_HELLO_RANDOM_LEN; |
| Jerry Yu | e1b9c29 | 2021-09-10 10:08:31 +0800 | [diff] [blame] | 1648 | |
| Jerry Yu | 4a17338 | 2021-10-11 21:45:31 +0800 | [diff] [blame] | 1649 | /* ... |
| 1650 | * opaque legacy_session_id_echo<0..32>; |
| 1651 | * ... |
| 1652 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1653 | if (ssl_tls13_check_server_hello_session_id_echo(ssl, &p, end) != 0) { |
| XiaokangQian | 52da558 | 2022-01-26 09:49:29 +0000 | [diff] [blame] | 1654 | fatal_alert = MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER; |
| XiaokangQian | d59be77 | 2022-01-24 10:12:51 +0000 | [diff] [blame] | 1655 | goto cleanup; |
| Jerry Yu | e1b9c29 | 2021-09-10 10:08:31 +0800 | [diff] [blame] | 1656 | } |
| 1657 | |
| Jerry Yu | 4a17338 | 2021-10-11 21:45:31 +0800 | [diff] [blame] | 1658 | /* ... |
| 1659 | * CipherSuite cipher_suite; |
| 1660 | * ... |
| 1661 | * with CipherSuite defined as: |
| 1662 | * uint8 CipherSuite[2]; |
| 1663 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1664 | MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2); |
| 1665 | cipher_suite = MBEDTLS_GET_UINT16_BE(p, 0); |
| Jerry Yu | e1b9c29 | 2021-09-10 10:08:31 +0800 | [diff] [blame] | 1666 | p += 2; |
| 1667 | |
| Jerry Yu | 4a17338 | 2021-10-11 21:45:31 +0800 | [diff] [blame] | 1668 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1669 | ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(cipher_suite); |
| Jerry Yu | 4a17338 | 2021-10-11 21:45:31 +0800 | [diff] [blame] | 1670 | /* |
| Ronald Cron | ba120bb | 2022-03-30 22:09:48 +0200 | [diff] [blame] | 1671 | * Check whether this ciphersuite is valid and offered. |
| Jerry Yu | 4a17338 | 2021-10-11 21:45:31 +0800 | [diff] [blame] | 1672 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1673 | if ((mbedtls_ssl_validate_ciphersuite(ssl, ciphersuite_info, |
| 1674 | ssl->tls_version, |
| 1675 | ssl->tls_version) != 0) || |
| 1676 | !mbedtls_ssl_tls13_cipher_suite_is_offered(ssl, cipher_suite)) { |
| XiaokangQian | 52da558 | 2022-01-26 09:49:29 +0000 | [diff] [blame] | 1677 | fatal_alert = MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER; |
| Jerry Yu | e1b9c29 | 2021-09-10 10:08:31 +0800 | [diff] [blame] | 1678 | } |
| XiaokangQian | 53f20b7 | 2022-01-18 10:47:33 +0000 | [diff] [blame] | 1679 | /* |
| XiaokangQian | 355e09a | 2022-01-20 11:14:50 +0000 | [diff] [blame] | 1680 | * If we received an HRR before and that the proposed selected |
| 1681 | * ciphersuite in this server hello is not the same as the one |
| 1682 | * proposed in the HRR, we abort the handshake and send an |
| 1683 | * "illegal_parameter" alert. |
| XiaokangQian | 53f20b7 | 2022-01-18 10:47:33 +0000 | [diff] [blame] | 1684 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1685 | else if ((!is_hrr) && (handshake->hello_retry_request_count > 0) && |
| 1686 | (cipher_suite != ssl->session_negotiate->ciphersuite)) { |
| XiaokangQian | 52da558 | 2022-01-26 09:49:29 +0000 | [diff] [blame] | 1687 | fatal_alert = MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER; |
| XiaokangQian | 355e09a | 2022-01-20 11:14:50 +0000 | [diff] [blame] | 1688 | } |
| XiaokangQian | 53f20b7 | 2022-01-18 10:47:33 +0000 | [diff] [blame] | 1689 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1690 | if (fatal_alert == MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER) { |
| 1691 | MBEDTLS_SSL_DEBUG_MSG(1, ("invalid ciphersuite(%04x) parameter", |
| 1692 | cipher_suite)); |
| XiaokangQian | d59be77 | 2022-01-24 10:12:51 +0000 | [diff] [blame] | 1693 | goto cleanup; |
| XiaokangQian | 53f20b7 | 2022-01-18 10:47:33 +0000 | [diff] [blame] | 1694 | } |
| Jerry Yu | e1b9c29 | 2021-09-10 10:08:31 +0800 | [diff] [blame] | 1695 | |
| Jerry Yu | 4a17338 | 2021-10-11 21:45:31 +0800 | [diff] [blame] | 1696 | /* Configure ciphersuites */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1697 | mbedtls_ssl_optimize_checksum(ssl, ciphersuite_info); |
| Jerry Yu | 4a17338 | 2021-10-11 21:45:31 +0800 | [diff] [blame] | 1698 | |
| XiaokangQian | 355e09a | 2022-01-20 11:14:50 +0000 | [diff] [blame] | 1699 | handshake->ciphersuite_info = ciphersuite_info; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1700 | MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, chosen ciphersuite: ( %04x ) - %s", |
| 1701 | cipher_suite, ciphersuite_info->name)); |
| Jerry Yu | e1b9c29 | 2021-09-10 10:08:31 +0800 | [diff] [blame] | 1702 | |
| 1703 | #if defined(MBEDTLS_HAVE_TIME) |
| YxC | da60913 | 2023-05-22 12:08:12 -0700 | [diff] [blame] | 1704 | ssl->session_negotiate->start = mbedtls_time(NULL); |
| Jerry Yu | e1b9c29 | 2021-09-10 10:08:31 +0800 | [diff] [blame] | 1705 | #endif /* MBEDTLS_HAVE_TIME */ |
| 1706 | |
| Jerry Yu | 4a17338 | 2021-10-11 21:45:31 +0800 | [diff] [blame] | 1707 | /* ... |
| 1708 | * uint8 legacy_compression_method = 0; |
| 1709 | * ... |
| Jerry Yu | e1b9c29 | 2021-09-10 10:08:31 +0800 | [diff] [blame] | 1710 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1711 | MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 1); |
| 1712 | if (p[0] != MBEDTLS_SSL_COMPRESS_NULL) { |
| 1713 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad legacy compression method")); |
| XiaokangQian | 52da558 | 2022-01-26 09:49:29 +0000 | [diff] [blame] | 1714 | fatal_alert = MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER; |
| XiaokangQian | d59be77 | 2022-01-24 10:12:51 +0000 | [diff] [blame] | 1715 | goto cleanup; |
| Jerry Yu | e1b9c29 | 2021-09-10 10:08:31 +0800 | [diff] [blame] | 1716 | } |
| 1717 | p++; |
| 1718 | |
| Jerry Yu | b85277e | 2021-10-13 13:36:05 +0800 | [diff] [blame] | 1719 | /* ... |
| 1720 | * Extension extensions<6..2^16-1>; |
| 1721 | * ... |
| Jerry Yu | 4a17338 | 2021-10-11 21:45:31 +0800 | [diff] [blame] | 1722 | * struct { |
| 1723 | * ExtensionType extension_type; (2 bytes) |
| 1724 | * opaque extension_data<0..2^16-1>; |
| 1725 | * } Extension; |
| 1726 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1727 | MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2); |
| 1728 | extensions_len = MBEDTLS_GET_UINT16_BE(p, 0); |
| Jerry Yu | e1b9c29 | 2021-09-10 10:08:31 +0800 | [diff] [blame] | 1729 | p += 2; |
| Jerry Yu | de4fb2c | 2021-09-19 18:05:08 +0800 | [diff] [blame] | 1730 | |
| Jerry Yu | 4a17338 | 2021-10-11 21:45:31 +0800 | [diff] [blame] | 1731 | /* Check extensions do not go beyond the buffer of data. */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1732 | MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, extensions_len); |
| Jerry Yu | 4a17338 | 2021-10-11 21:45:31 +0800 | [diff] [blame] | 1733 | extensions_end = p + extensions_len; |
| Jerry Yu | e1b9c29 | 2021-09-10 10:08:31 +0800 | [diff] [blame] | 1734 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1735 | MBEDTLS_SSL_DEBUG_BUF(3, "server hello extensions", p, extensions_len); |
| Jerry Yu | e1b9c29 | 2021-09-10 10:08:31 +0800 | [diff] [blame] | 1736 | |
| Jerry Yu | 50e00e3 | 2022-10-31 14:45:01 +0800 | [diff] [blame] | 1737 | handshake->received_extensions = MBEDTLS_SSL_EXT_MASK_NONE; |
| Jerry Yu | 0c354a2 | 2022-08-29 15:25:36 +0800 | [diff] [blame] | 1738 | allowed_extensions_mask = is_hrr ? |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1739 | MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_HRR : |
| 1740 | MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_SH; |
| Jerry Yu | 2c5363e | 2022-08-04 17:42:49 +0800 | [diff] [blame] | 1741 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1742 | while (p < extensions_end) { |
| Jerry Yu | e1b9c29 | 2021-09-10 10:08:31 +0800 | [diff] [blame] | 1743 | unsigned int extension_type; |
| 1744 | size_t extension_data_len; |
| XiaokangQian | 43550bd | 2022-01-21 04:32:58 +0000 | [diff] [blame] | 1745 | const unsigned char *extension_data_end; |
| Jerry Yu | e1b9c29 | 2021-09-10 10:08:31 +0800 | [diff] [blame] | 1746 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1747 | MBEDTLS_SSL_CHK_BUF_READ_PTR(p, extensions_end, 4); |
| 1748 | extension_type = MBEDTLS_GET_UINT16_BE(p, 0); |
| 1749 | extension_data_len = MBEDTLS_GET_UINT16_BE(p, 2); |
| Jerry Yu | e1b9c29 | 2021-09-10 10:08:31 +0800 | [diff] [blame] | 1750 | p += 4; |
| 1751 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1752 | MBEDTLS_SSL_CHK_BUF_READ_PTR(p, extensions_end, extension_data_len); |
| XiaokangQian | 43550bd | 2022-01-21 04:32:58 +0000 | [diff] [blame] | 1753 | extension_data_end = p + extension_data_len; |
| Jerry Yu | e1b9c29 | 2021-09-10 10:08:31 +0800 | [diff] [blame] | 1754 | |
| Jerry Yu | c4bf5d6 | 2022-10-29 09:08:47 +0800 | [diff] [blame] | 1755 | ret = mbedtls_ssl_tls13_check_received_extension( |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1756 | ssl, hs_msg_type, extension_type, allowed_extensions_mask); |
| 1757 | if (ret != 0) { |
| 1758 | return ret; |
| 1759 | } |
| Jerry Yu | 2c5363e | 2022-08-04 17:42:49 +0800 | [diff] [blame] | 1760 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1761 | switch (extension_type) { |
| XiaokangQian | b851da8 | 2022-01-14 04:03:11 +0000 | [diff] [blame] | 1762 | case MBEDTLS_TLS_EXT_COOKIE: |
| 1763 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1764 | ret = ssl_tls13_parse_cookie_ext(ssl, |
| 1765 | p, extension_data_end); |
| 1766 | if (ret != 0) { |
| 1767 | MBEDTLS_SSL_DEBUG_RET(1, |
| 1768 | "ssl_tls13_parse_cookie_ext", |
| 1769 | ret); |
| XiaokangQian | d59be77 | 2022-01-24 10:12:51 +0000 | [diff] [blame] | 1770 | goto cleanup; |
| XiaokangQian | b851da8 | 2022-01-14 04:03:11 +0000 | [diff] [blame] | 1771 | } |
| XiaokangQian | b851da8 | 2022-01-14 04:03:11 +0000 | [diff] [blame] | 1772 | break; |
| XiaokangQian | b851da8 | 2022-01-14 04:03:11 +0000 | [diff] [blame] | 1773 | |
| Jerry Yu | e1b9c29 | 2021-09-10 10:08:31 +0800 | [diff] [blame] | 1774 | case MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS: |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1775 | ret = ssl_tls13_parse_supported_versions_ext(ssl, |
| 1776 | p, |
| 1777 | extension_data_end); |
| 1778 | if (ret != 0) { |
| XiaokangQian | d59be77 | 2022-01-24 10:12:51 +0000 | [diff] [blame] | 1779 | goto cleanup; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1780 | } |
| Jerry Yu | e1b9c29 | 2021-09-10 10:08:31 +0800 | [diff] [blame] | 1781 | break; |
| 1782 | |
| Ronald Cron | 41a443a | 2022-10-04 16:38:25 +0200 | [diff] [blame] | 1783 | #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED) |
| Jerry Yu | e1b9c29 | 2021-09-10 10:08:31 +0800 | [diff] [blame] | 1784 | case MBEDTLS_TLS_EXT_PRE_SHARED_KEY: |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1785 | MBEDTLS_SSL_DEBUG_MSG(3, ("found pre_shared_key extension")); |
| Jerry Yu | 4a17338 | 2021-10-11 21:45:31 +0800 | [diff] [blame] | 1786 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1787 | if ((ret = ssl_tls13_parse_server_pre_shared_key_ext( |
| 1788 | ssl, p, extension_data_end)) != 0) { |
| XiaokangQian | eb69aee | 2022-07-05 08:21:43 +0000 | [diff] [blame] | 1789 | MBEDTLS_SSL_DEBUG_RET( |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1790 | 1, ("ssl_tls13_parse_server_pre_shared_key_ext"), ret); |
| 1791 | return ret; |
| XiaokangQian | eb69aee | 2022-07-05 08:21:43 +0000 | [diff] [blame] | 1792 | } |
| 1793 | break; |
| Ronald Cron | 41a443a | 2022-10-04 16:38:25 +0200 | [diff] [blame] | 1794 | #endif |
| Jerry Yu | e1b9c29 | 2021-09-10 10:08:31 +0800 | [diff] [blame] | 1795 | |
| Jerry Yu | e1b9c29 | 2021-09-10 10:08:31 +0800 | [diff] [blame] | 1796 | case MBEDTLS_TLS_EXT_KEY_SHARE: |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1797 | MBEDTLS_SSL_DEBUG_MSG(3, ("found key_shares extension")); |
| 1798 | if (!mbedtls_ssl_conf_tls13_some_ephemeral_enabled(ssl)) { |
| XiaokangQian | 52da558 | 2022-01-26 09:49:29 +0000 | [diff] [blame] | 1799 | fatal_alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT; |
| XiaokangQian | d59be77 | 2022-01-24 10:12:51 +0000 | [diff] [blame] | 1800 | goto cleanup; |
| 1801 | } |
| 1802 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1803 | if (is_hrr) { |
| 1804 | ret = ssl_tls13_parse_hrr_key_share_ext(ssl, |
| 1805 | p, extension_data_end); |
| 1806 | } else { |
| 1807 | ret = ssl_tls13_parse_key_share_ext(ssl, |
| 1808 | p, extension_data_end); |
| 1809 | } |
| 1810 | if (ret != 0) { |
| 1811 | MBEDTLS_SSL_DEBUG_RET(1, |
| 1812 | "ssl_tls13_parse_key_share_ext", |
| 1813 | ret); |
| XiaokangQian | d59be77 | 2022-01-24 10:12:51 +0000 | [diff] [blame] | 1814 | goto cleanup; |
| Jerry Yu | e1b9c29 | 2021-09-10 10:08:31 +0800 | [diff] [blame] | 1815 | } |
| 1816 | break; |
| Jerry Yu | e1b9c29 | 2021-09-10 10:08:31 +0800 | [diff] [blame] | 1817 | |
| 1818 | default: |
| Jerry Yu | 9872eb2 | 2022-08-29 13:42:01 +0800 | [diff] [blame] | 1819 | ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR; |
| 1820 | goto cleanup; |
| Jerry Yu | e1b9c29 | 2021-09-10 10:08:31 +0800 | [diff] [blame] | 1821 | } |
| 1822 | |
| 1823 | p += extension_data_len; |
| 1824 | } |
| 1825 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1826 | MBEDTLS_SSL_PRINT_EXTS(3, hs_msg_type, handshake->received_extensions); |
| Jerry Yu | 2c5363e | 2022-08-04 17:42:49 +0800 | [diff] [blame] | 1827 | |
| XiaokangQian | d59be77 | 2022-01-24 10:12:51 +0000 | [diff] [blame] | 1828 | cleanup: |
| 1829 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1830 | if (fatal_alert == MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT) { |
| 1831 | MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT, |
| 1832 | MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION); |
| XiaokangQian | d59be77 | 2022-01-24 10:12:51 +0000 | [diff] [blame] | 1833 | ret = MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1834 | } else if (fatal_alert == MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER) { |
| 1835 | MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER, |
| 1836 | MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER); |
| XiaokangQian | d59be77 | 2022-01-24 10:12:51 +0000 | [diff] [blame] | 1837 | ret = MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; |
| 1838 | } |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1839 | return ret; |
| Jerry Yu | e1b9c29 | 2021-09-10 10:08:31 +0800 | [diff] [blame] | 1840 | } |
| 1841 | |
| Xiaokang Qian | cb6e963 | 2022-09-26 11:59:32 +0000 | [diff] [blame] | 1842 | #if defined(MBEDTLS_DEBUG_C) |
| 1843 | static const char *ssl_tls13_get_kex_mode_str(int mode) |
| Xiaokang Qian | 5beec4b | 2022-09-26 08:23:45 +0000 | [diff] [blame] | 1844 | { |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1845 | switch (mode) { |
| Xiaokang Qian | 5beec4b | 2022-09-26 08:23:45 +0000 | [diff] [blame] | 1846 | case MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK: |
| 1847 | return "psk"; |
| 1848 | case MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL: |
| 1849 | return "ephemeral"; |
| 1850 | case MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL: |
| 1851 | return "psk_ephemeral"; |
| 1852 | default: |
| 1853 | return "unknown mode"; |
| 1854 | } |
| 1855 | } |
| Xiaokang Qian | cb6e963 | 2022-09-26 11:59:32 +0000 | [diff] [blame] | 1856 | #endif /* MBEDTLS_DEBUG_C */ |
| Xiaokang Qian | 5beec4b | 2022-09-26 08:23:45 +0000 | [diff] [blame] | 1857 | |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 1858 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1859 | static int ssl_tls13_postprocess_server_hello(mbedtls_ssl_context *ssl) |
| Jerry Yu | e1b9c29 | 2021-09-10 10:08:31 +0800 | [diff] [blame] | 1860 | { |
| Jerry Yu | b85277e | 2021-10-13 13:36:05 +0800 | [diff] [blame] | 1861 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| Jerry Yu | b85277e | 2021-10-13 13:36:05 +0800 | [diff] [blame] | 1862 | mbedtls_ssl_handshake_params *handshake = ssl->handshake; |
| Jerry Yu | 0b17784 | 2021-09-05 19:41:30 +0800 | [diff] [blame] | 1863 | |
| Jerry Yu | b85277e | 2021-10-13 13:36:05 +0800 | [diff] [blame] | 1864 | /* Determine the key exchange mode: |
| 1865 | * 1) If both the pre_shared_key and key_share extensions were received |
| 1866 | * then the key exchange mode is PSK with EPHEMERAL. |
| 1867 | * 2) If only the pre_shared_key extension was received then the key |
| 1868 | * exchange mode is PSK-only. |
| 1869 | * 3) If only the key_share extension was received then the key |
| 1870 | * exchange mode is EPHEMERAL-only. |
| Jerry Yu | 0b17784 | 2021-09-05 19:41:30 +0800 | [diff] [blame] | 1871 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1872 | switch (handshake->received_extensions & |
| Xiaokang Qian | 958b6ff | 2023-03-29 10:37:35 +0000 | [diff] [blame] | 1873 | (MBEDTLS_SSL_EXT_MASK(PRE_SHARED_KEY) | |
| 1874 | MBEDTLS_SSL_EXT_MASK(KEY_SHARE))) { |
| Jerry Yu | 745bb61 | 2021-10-13 22:01:04 +0800 | [diff] [blame] | 1875 | /* Only the pre_shared_key extension was received */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1876 | case MBEDTLS_SSL_EXT_MASK(PRE_SHARED_KEY): |
| Xiaokang Qian | 958b6ff | 2023-03-29 10:37:35 +0000 | [diff] [blame] | 1877 | handshake->key_exchange_mode = |
| 1878 | MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK; |
| Jerry Yu | 745bb61 | 2021-10-13 22:01:04 +0800 | [diff] [blame] | 1879 | break; |
| Jerry Yu | b85277e | 2021-10-13 13:36:05 +0800 | [diff] [blame] | 1880 | |
| Jerry Yu | 745bb61 | 2021-10-13 22:01:04 +0800 | [diff] [blame] | 1881 | /* Only the key_share extension was received */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1882 | case MBEDTLS_SSL_EXT_MASK(KEY_SHARE): |
| Xiaokang Qian | 958b6ff | 2023-03-29 10:37:35 +0000 | [diff] [blame] | 1883 | handshake->key_exchange_mode = |
| 1884 | MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL; |
| Jerry Yu | 745bb61 | 2021-10-13 22:01:04 +0800 | [diff] [blame] | 1885 | break; |
| Jerry Yu | b85277e | 2021-10-13 13:36:05 +0800 | [diff] [blame] | 1886 | |
| Jerry Yu | 745bb61 | 2021-10-13 22:01:04 +0800 | [diff] [blame] | 1887 | /* Both the pre_shared_key and key_share extensions were received */ |
| Xiaokang Qian | 958b6ff | 2023-03-29 10:37:35 +0000 | [diff] [blame] | 1888 | case (MBEDTLS_SSL_EXT_MASK(PRE_SHARED_KEY) | |
| 1889 | MBEDTLS_SSL_EXT_MASK(KEY_SHARE)): |
| 1890 | handshake->key_exchange_mode = |
| 1891 | MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL; |
| Jerry Yu | 745bb61 | 2021-10-13 22:01:04 +0800 | [diff] [blame] | 1892 | break; |
| Jerry Yu | b85277e | 2021-10-13 13:36:05 +0800 | [diff] [blame] | 1893 | |
| Jerry Yu | 745bb61 | 2021-10-13 22:01:04 +0800 | [diff] [blame] | 1894 | /* Neither pre_shared_key nor key_share extension was received */ |
| 1895 | default: |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1896 | MBEDTLS_SSL_DEBUG_MSG(1, ("Unknown key exchange.")); |
| Jerry Yu | 745bb61 | 2021-10-13 22:01:04 +0800 | [diff] [blame] | 1897 | ret = MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; |
| 1898 | goto cleanup; |
| Jerry Yu | 0b17784 | 2021-09-05 19:41:30 +0800 | [diff] [blame] | 1899 | } |
| Xiaokang Qian | 3f616c2 | 2023-01-12 03:36:31 +0000 | [diff] [blame] | 1900 | #if defined(MBEDTLS_SSL_EARLY_DATA) |
| Xiaokang Qian | 02f5e14 | 2023-02-06 10:44:17 +0000 | [diff] [blame] | 1901 | if (handshake->received_extensions & MBEDTLS_SSL_EXT_MASK(EARLY_DATA) && |
| 1902 | (handshake->selected_identity != 0 || |
| 1903 | handshake->ciphersuite_info->id != |
| 1904 | ssl->session_negotiate->ciphersuite)) { |
| Xiaokang Qian | 3f616c2 | 2023-01-12 03:36:31 +0000 | [diff] [blame] | 1905 | /* RFC8446 4.2.11 |
| 1906 | * If the server supplies an "early_data" extension, the |
| 1907 | * client MUST verify that the server's selected_identity |
| 1908 | * is 0. If any other value is returned, the client MUST |
| 1909 | * abort the handshake with an "illegal_parameter" alert. |
| Xiaokang Qian | 02f5e14 | 2023-02-06 10:44:17 +0000 | [diff] [blame] | 1910 | * |
| Xiaokang Qian | 53c4c27 | 2023-02-07 02:42:01 +0000 | [diff] [blame] | 1911 | * RFC 8446 4.2.10 |
| 1912 | * In order to accept early data, the server MUST have accepted a PSK |
| 1913 | * cipher suite and selected the first key offered in the client's |
| 1914 | * "pre_shared_key" extension. In addition, it MUST verify that the |
| 1915 | * following values are the same as those associated with the |
| 1916 | * selected PSK: |
| 1917 | * - The TLS version number |
| 1918 | * - The selected cipher suite |
| Xiaokang Qian | 8dc4ce7 | 2023-02-07 10:49:50 +0000 | [diff] [blame] | 1919 | * - The selected ALPN [RFC7301] protocol, if any |
| 1920 | * |
| 1921 | * We check here that when early data is involved the server |
| 1922 | * selected the cipher suite associated to the pre-shared key |
| 1923 | * as it must have. |
| Xiaokang Qian | 3f616c2 | 2023-01-12 03:36:31 +0000 | [diff] [blame] | 1924 | */ |
| 1925 | MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER, |
| 1926 | MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER); |
| 1927 | return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; |
| 1928 | } |
| 1929 | #endif |
| Jerry Yu | 0b17784 | 2021-09-05 19:41:30 +0800 | [diff] [blame] | 1930 | |
| Xiaokang Qian | 0de0d86 | 2023-02-08 06:04:50 +0000 | [diff] [blame] | 1931 | if (!mbedtls_ssl_conf_tls13_check_kex_modes( |
| 1932 | ssl, handshake->key_exchange_mode)) { |
| Xiaokang Qian | ac8195f | 2022-09-26 04:01:06 +0000 | [diff] [blame] | 1933 | ret = MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; |
| Xiaokang Qian | 958b6ff | 2023-03-29 10:37:35 +0000 | [diff] [blame] | 1934 | MBEDTLS_SSL_DEBUG_MSG( |
| 1935 | 2, ("Key exchange mode(%s) is not supported.", |
| 1936 | ssl_tls13_get_kex_mode_str(handshake->key_exchange_mode))); |
| Xiaokang Qian | ac8195f | 2022-09-26 04:01:06 +0000 | [diff] [blame] | 1937 | goto cleanup; |
| 1938 | } |
| 1939 | |
| Xiaokang Qian | 958b6ff | 2023-03-29 10:37:35 +0000 | [diff] [blame] | 1940 | MBEDTLS_SSL_DEBUG_MSG( |
| 1941 | 3, ("Selected key exchange mode: %s", |
| 1942 | ssl_tls13_get_kex_mode_str(handshake->key_exchange_mode))); |
| Xiaokang Qian | 5beec4b | 2022-09-26 08:23:45 +0000 | [diff] [blame] | 1943 | |
| Xiaokang Qian | 7892b6c | 2023-02-02 06:05:48 +0000 | [diff] [blame] | 1944 | /* Start the TLS 1.3 key scheduling if not already done. |
| Jerry Yu | 0b17784 | 2021-09-05 19:41:30 +0800 | [diff] [blame] | 1945 | * |
| Xiaokang Qian | 7892b6c | 2023-02-02 06:05:48 +0000 | [diff] [blame] | 1946 | * If we proposed early data then we have already derived an |
| 1947 | * early secret using the selected PSK and its associated hash. |
| 1948 | * It means that if the negotiated key exchange mode is psk or |
| 1949 | * psk_ephemeral, we have already correctly computed the |
| 1950 | * early secret and thus we do not do it again. In all other |
| 1951 | * cases we compute it here. |
| Xiaokang Qian | 303f82c5 | 2023-01-04 08:43:46 +0000 | [diff] [blame] | 1952 | */ |
| Xiaokang Qian | 9074613 | 2023-01-06 05:54:59 +0000 | [diff] [blame] | 1953 | #if defined(MBEDTLS_SSL_EARLY_DATA) |
| Xiaokang Qian | e04afdc | 2023-02-07 02:19:42 +0000 | [diff] [blame] | 1954 | if (ssl->early_data_status == MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT || |
| 1955 | handshake->key_exchange_mode == |
| 1956 | MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL) |
| Xiaokang Qian | 9074613 | 2023-01-06 05:54:59 +0000 | [diff] [blame] | 1957 | #endif |
| 1958 | { |
| Xiaokang Qian | 303f82c5 | 2023-01-04 08:43:46 +0000 | [diff] [blame] | 1959 | ret = mbedtls_ssl_tls13_key_schedule_stage_early(ssl); |
| 1960 | if (ret != 0) { |
| 1961 | MBEDTLS_SSL_DEBUG_RET( |
| 1962 | 1, "mbedtls_ssl_tls13_key_schedule_stage_early", ret); |
| 1963 | goto cleanup; |
| 1964 | } |
| Jerry Yu | 0b17784 | 2021-09-05 19:41:30 +0800 | [diff] [blame] | 1965 | } |
| 1966 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1967 | ret = mbedtls_ssl_tls13_compute_handshake_transform(ssl); |
| 1968 | if (ret != 0) { |
| 1969 | MBEDTLS_SSL_DEBUG_RET(1, |
| 1970 | "mbedtls_ssl_tls13_compute_handshake_transform", |
| 1971 | ret); |
| Jerry Yu | 4a17338 | 2021-10-11 21:45:31 +0800 | [diff] [blame] | 1972 | goto cleanup; |
| Jerry Yu | 0b17784 | 2021-09-05 19:41:30 +0800 | [diff] [blame] | 1973 | } |
| 1974 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1975 | mbedtls_ssl_set_inbound_transform(ssl, handshake->transform_handshake); |
| 1976 | MBEDTLS_SSL_DEBUG_MSG(1, ("Switch to handshake keys for inbound traffic")); |
| Xiaokang Qian | 4ef8ba2 | 2023-02-06 11:06:16 +0000 | [diff] [blame] | 1977 | ssl->session_negotiate->ciphersuite = handshake->ciphersuite_info->id; |
| Jerry Yu | 0b17784 | 2021-09-05 19:41:30 +0800 | [diff] [blame] | 1978 | ssl->session_in = ssl->session_negotiate; |
| 1979 | |
| Jerry Yu | 4a17338 | 2021-10-11 21:45:31 +0800 | [diff] [blame] | 1980 | cleanup: |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1981 | if (ret != 0) { |
| Jerry Yu | 4a17338 | 2021-10-11 21:45:31 +0800 | [diff] [blame] | 1982 | MBEDTLS_SSL_PEND_FATAL_ALERT( |
| 1983 | MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE, |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1984 | MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE); |
| Jerry Yu | 4a17338 | 2021-10-11 21:45:31 +0800 | [diff] [blame] | 1985 | } |
| Jerry Yu | e110d25 | 2022-05-05 10:19:22 +0800 | [diff] [blame] | 1986 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1987 | return ret; |
| Jerry Yu | e1b9c29 | 2021-09-10 10:08:31 +0800 | [diff] [blame] | 1988 | } |
| 1989 | |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 1990 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1991 | static int ssl_tls13_postprocess_hrr(mbedtls_ssl_context *ssl) |
| XiaokangQian | 647719a | 2021-12-07 09:16:29 +0000 | [diff] [blame] | 1992 | { |
| 1993 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| 1994 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 1995 | mbedtls_ssl_session_reset_msg_layer(ssl, 0); |
| XiaokangQian | 647719a | 2021-12-07 09:16:29 +0000 | [diff] [blame] | 1996 | |
| XiaokangQian | 78b1fa7 | 2022-01-19 06:56:30 +0000 | [diff] [blame] | 1997 | /* |
| XiaokangQian | 355e09a | 2022-01-20 11:14:50 +0000 | [diff] [blame] | 1998 | * We are going to re-generate a shared secret corresponding to the group |
| 1999 | * selected by the server, which is different from the group for which we |
| 2000 | * generated a shared secret in the first client hello. |
| 2001 | * Thus, reset the shared secret. |
| XiaokangQian | 51eff22 | 2021-12-10 10:33:56 +0000 | [diff] [blame] | 2002 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2003 | ret = ssl_tls13_reset_key_share(ssl); |
| 2004 | if (ret != 0) { |
| 2005 | return ret; |
| 2006 | } |
| XiaokangQian | 647719a | 2021-12-07 09:16:29 +0000 | [diff] [blame] | 2007 | |
| Xiaokang Qian | 4ef8ba2 | 2023-02-06 11:06:16 +0000 | [diff] [blame] | 2008 | ssl->session_negotiate->ciphersuite = ssl->handshake->ciphersuite_info->id; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2009 | return 0; |
| XiaokangQian | 647719a | 2021-12-07 09:16:29 +0000 | [diff] [blame] | 2010 | } |
| 2011 | |
| Jerry Yu | e1b9c29 | 2021-09-10 10:08:31 +0800 | [diff] [blame] | 2012 | /* |
| Jerry Yu | 4a17338 | 2021-10-11 21:45:31 +0800 | [diff] [blame] | 2013 | * Wait and parse ServerHello handshake message. |
| Jerry Yu | 687101b | 2021-09-14 16:03:56 +0800 | [diff] [blame] | 2014 | * Handler for MBEDTLS_SSL_SERVER_HELLO |
| 2015 | */ |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 2016 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2017 | static int ssl_tls13_process_server_hello(mbedtls_ssl_context *ssl) |
| Jerry Yu | 687101b | 2021-09-14 16:03:56 +0800 | [diff] [blame] | 2018 | { |
| Jerry Yu | 4a17338 | 2021-10-11 21:45:31 +0800 | [diff] [blame] | 2019 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| XiaokangQian | 647719a | 2021-12-07 09:16:29 +0000 | [diff] [blame] | 2020 | unsigned char *buf = NULL; |
| 2021 | size_t buf_len = 0; |
| XiaokangQian | 78b1fa7 | 2022-01-19 06:56:30 +0000 | [diff] [blame] | 2022 | int is_hrr = 0; |
| Jerry Yu | e1b9c29 | 2021-09-10 10:08:31 +0800 | [diff] [blame] | 2023 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2024 | MBEDTLS_SSL_DEBUG_MSG(2, ("=> %s", __func__)); |
| Jerry Yu | e1b9c29 | 2021-09-10 10:08:31 +0800 | [diff] [blame] | 2025 | |
| Xiaokang Qian | 958b6ff | 2023-03-29 10:37:35 +0000 | [diff] [blame] | 2026 | MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_tls13_fetch_handshake_msg( |
| 2027 | ssl, MBEDTLS_SSL_HS_SERVER_HELLO, &buf, &buf_len)); |
| Ronald Cron | db5dfa1 | 2022-05-31 11:44:38 +0200 | [diff] [blame] | 2028 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2029 | ret = ssl_tls13_preprocess_server_hello(ssl, buf, buf + buf_len); |
| 2030 | if (ret < 0) { |
| XiaokangQian | 16acd4b | 2022-01-14 07:35:47 +0000 | [diff] [blame] | 2031 | goto cleanup; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2032 | } else { |
| 2033 | is_hrr = (ret == SSL_SERVER_HELLO_HRR); |
| 2034 | } |
| XiaokangQian | d59be77 | 2022-01-24 10:12:51 +0000 | [diff] [blame] | 2035 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2036 | if (ret == SSL_SERVER_HELLO_TLS1_2) { |
| Ronald Cron | 9f0fba3 | 2022-02-10 16:45:15 +0100 | [diff] [blame] | 2037 | ret = 0; |
| 2038 | goto cleanup; |
| 2039 | } |
| 2040 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2041 | MBEDTLS_SSL_PROC_CHK(ssl_tls13_parse_server_hello(ssl, buf, |
| 2042 | buf + buf_len, |
| 2043 | is_hrr)); |
| 2044 | if (is_hrr) { |
| 2045 | MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_reset_transcript_for_hrr(ssl)); |
| Ronald Cron | fb508b8 | 2022-05-31 14:49:55 +0200 | [diff] [blame] | 2046 | } |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2047 | |
| Xiaokang Qian | 958b6ff | 2023-03-29 10:37:35 +0000 | [diff] [blame] | 2048 | MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum( |
| 2049 | ssl, MBEDTLS_SSL_HS_SERVER_HELLO, buf, buf_len)); |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2050 | |
| 2051 | if (is_hrr) { |
| 2052 | MBEDTLS_SSL_PROC_CHK(ssl_tls13_postprocess_hrr(ssl)); |
| 2053 | #if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE) |
| 2054 | /* If not offering early data, the client sends a dummy CCS record |
| 2055 | * immediately before its second flight. This may either be before |
| 2056 | * its second ClientHello or before its encrypted handshake flight. |
| 2057 | */ |
| Xiaokang Qian | 958b6ff | 2023-03-29 10:37:35 +0000 | [diff] [blame] | 2058 | mbedtls_ssl_handshake_set_state( |
| 2059 | ssl, MBEDTLS_SSL_CLIENT_CCS_BEFORE_2ND_CLIENT_HELLO); |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2060 | #else |
| 2061 | mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_HELLO); |
| 2062 | #endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */ |
| 2063 | } else { |
| 2064 | MBEDTLS_SSL_PROC_CHK(ssl_tls13_postprocess_server_hello(ssl)); |
| 2065 | mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_ENCRYPTED_EXTENSIONS); |
| Ronald Cron | fb508b8 | 2022-05-31 14:49:55 +0200 | [diff] [blame] | 2066 | } |
| Jerry Yu | e1b9c29 | 2021-09-10 10:08:31 +0800 | [diff] [blame] | 2067 | |
| 2068 | cleanup: |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2069 | MBEDTLS_SSL_DEBUG_MSG(2, ("<= %s ( %s )", __func__, |
| 2070 | is_hrr ? "HelloRetryRequest" : "ServerHello")); |
| 2071 | return ret; |
| Jerry Yu | 687101b | 2021-09-14 16:03:56 +0800 | [diff] [blame] | 2072 | } |
| 2073 | |
| 2074 | /* |
| XiaokangQian | 2d5c72b | 2021-09-13 07:30:09 +0000 | [diff] [blame] | 2075 | * |
| Ronald Cron | 9d6a545 | 2022-05-30 16:05:38 +0200 | [diff] [blame] | 2076 | * Handler for MBEDTLS_SSL_ENCRYPTED_EXTENSIONS |
| XiaokangQian | 2d5c72b | 2021-09-13 07:30:09 +0000 | [diff] [blame] | 2077 | * |
| 2078 | * The EncryptedExtensions message contains any extensions which |
| 2079 | * should be protected, i.e., any which are not needed to establish |
| 2080 | * the cryptographic context. |
| Jerry Yu | 687101b | 2021-09-14 16:03:56 +0800 | [diff] [blame] | 2081 | */ |
| XiaokangQian | 2d5c72b | 2021-09-13 07:30:09 +0000 | [diff] [blame] | 2082 | |
| XiaokangQian | 08da26c | 2021-10-09 10:12:11 +0000 | [diff] [blame] | 2083 | /* Parse EncryptedExtensions message |
| 2084 | * struct { |
| XiaokangQian | 97799ac | 2021-10-11 10:05:54 +0000 | [diff] [blame] | 2085 | * Extension extensions<0..2^16-1>; |
| XiaokangQian | 08da26c | 2021-10-09 10:12:11 +0000 | [diff] [blame] | 2086 | * } EncryptedExtensions; |
| 2087 | */ |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 2088 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2089 | static int ssl_tls13_parse_encrypted_extensions(mbedtls_ssl_context *ssl, |
| 2090 | const unsigned char *buf, |
| 2091 | const unsigned char *end) |
| XiaokangQian | 2d5c72b | 2021-09-13 07:30:09 +0000 | [diff] [blame] | 2092 | { |
| 2093 | int ret = 0; |
| XiaokangQian | 08da26c | 2021-10-09 10:12:11 +0000 | [diff] [blame] | 2094 | size_t extensions_len; |
| XiaokangQian | 140f045 | 2021-10-08 08:05:53 +0000 | [diff] [blame] | 2095 | const unsigned char *p = buf; |
| XiaokangQian | 8db25ff | 2021-10-13 05:56:18 +0000 | [diff] [blame] | 2096 | const unsigned char *extensions_end; |
| Jerry Yu | c4bf5d6 | 2022-10-29 09:08:47 +0800 | [diff] [blame] | 2097 | mbedtls_ssl_handshake_params *handshake = ssl->handshake; |
| XiaokangQian | 2d5c72b | 2021-09-13 07:30:09 +0000 | [diff] [blame] | 2098 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2099 | MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2); |
| 2100 | extensions_len = MBEDTLS_GET_UINT16_BE(p, 0); |
| XiaokangQian | 08da26c | 2021-10-09 10:12:11 +0000 | [diff] [blame] | 2101 | p += 2; |
| XiaokangQian | 2d5c72b | 2021-09-13 07:30:09 +0000 | [diff] [blame] | 2102 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2103 | MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, extensions_len); |
| Ronald Cron | c808359 | 2022-05-31 16:24:05 +0200 | [diff] [blame] | 2104 | extensions_end = p + extensions_len; |
| XiaokangQian | 2d5c72b | 2021-09-13 07:30:09 +0000 | [diff] [blame] | 2105 | |
| Jan Bruckner | 5a3629b | 2023-02-23 12:08:09 +0100 | [diff] [blame] | 2106 | MBEDTLS_SSL_DEBUG_BUF(3, "encrypted extensions", p, extensions_len); |
| 2107 | |
| Jerry Yu | 9eba750 | 2022-10-31 13:46:16 +0800 | [diff] [blame] | 2108 | handshake->received_extensions = MBEDTLS_SSL_EXT_MASK_NONE; |
| Jerry Yu | cbd082f | 2022-08-04 16:55:10 +0800 | [diff] [blame] | 2109 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2110 | while (p < extensions_end) { |
| XiaokangQian | 08da26c | 2021-10-09 10:12:11 +0000 | [diff] [blame] | 2111 | unsigned int extension_type; |
| 2112 | size_t extension_data_len; |
| XiaokangQian | 2d5c72b | 2021-09-13 07:30:09 +0000 | [diff] [blame] | 2113 | |
| XiaokangQian | 08da26c | 2021-10-09 10:12:11 +0000 | [diff] [blame] | 2114 | /* |
| 2115 | * struct { |
| XiaokangQian | 97799ac | 2021-10-11 10:05:54 +0000 | [diff] [blame] | 2116 | * ExtensionType extension_type; (2 bytes) |
| 2117 | * opaque extension_data<0..2^16-1>; |
| XiaokangQian | 08da26c | 2021-10-09 10:12:11 +0000 | [diff] [blame] | 2118 | * } Extension; |
| 2119 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2120 | MBEDTLS_SSL_CHK_BUF_READ_PTR(p, extensions_end, 4); |
| 2121 | extension_type = MBEDTLS_GET_UINT16_BE(p, 0); |
| 2122 | extension_data_len = MBEDTLS_GET_UINT16_BE(p, 2); |
| XiaokangQian | 08da26c | 2021-10-09 10:12:11 +0000 | [diff] [blame] | 2123 | p += 4; |
| 2124 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2125 | MBEDTLS_SSL_CHK_BUF_READ_PTR(p, extensions_end, extension_data_len); |
| XiaokangQian | 2d5c72b | 2021-09-13 07:30:09 +0000 | [diff] [blame] | 2126 | |
| Jerry Yu | c4bf5d6 | 2022-10-29 09:08:47 +0800 | [diff] [blame] | 2127 | ret = mbedtls_ssl_tls13_check_received_extension( |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2128 | ssl, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS, extension_type, |
| 2129 | MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_EE); |
| 2130 | if (ret != 0) { |
| 2131 | return ret; |
| 2132 | } |
| Jerry Yu | cbd082f | 2022-08-04 16:55:10 +0800 | [diff] [blame] | 2133 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2134 | switch (extension_type) { |
| lhuang04 | 86cacac | 2022-01-21 07:34:27 -0800 | [diff] [blame] | 2135 | #if defined(MBEDTLS_SSL_ALPN) |
| 2136 | case MBEDTLS_TLS_EXT_ALPN: |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2137 | MBEDTLS_SSL_DEBUG_MSG(3, ("found alpn extension")); |
| lhuang04 | 86cacac | 2022-01-21 07:34:27 -0800 | [diff] [blame] | 2138 | |
| Xiaokang Qian | 958b6ff | 2023-03-29 10:37:35 +0000 | [diff] [blame] | 2139 | if ((ret = ssl_tls13_parse_alpn_ext( |
| 2140 | ssl, p, (size_t) extension_data_len)) != 0) { |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2141 | return ret; |
| lhuang04 | 86cacac | 2022-01-21 07:34:27 -0800 | [diff] [blame] | 2142 | } |
| 2143 | |
| 2144 | break; |
| 2145 | #endif /* MBEDTLS_SSL_ALPN */ |
| Xiaokang Qian | 8bee899 | 2022-10-27 10:21:05 +0000 | [diff] [blame] | 2146 | |
| 2147 | #if defined(MBEDTLS_SSL_EARLY_DATA) |
| 2148 | case MBEDTLS_TLS_EXT_EARLY_DATA: |
| Xiaokang Qian | ca09afc | 2022-11-22 10:05:19 +0000 | [diff] [blame] | 2149 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2150 | if (extension_data_len != 0) { |
| Xiaokang Qian | ca09afc | 2022-11-22 10:05:19 +0000 | [diff] [blame] | 2151 | /* The message must be empty. */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2152 | MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR, |
| 2153 | MBEDTLS_ERR_SSL_DECODE_ERROR); |
| 2154 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Xiaokang Qian | ca09afc | 2022-11-22 10:05:19 +0000 | [diff] [blame] | 2155 | } |
| 2156 | |
| Xiaokang Qian | 8bee899 | 2022-10-27 10:21:05 +0000 | [diff] [blame] | 2157 | break; |
| 2158 | #endif /* MBEDTLS_SSL_EARLY_DATA */ |
| 2159 | |
| Jan Bruckner | 151f642 | 2023-02-10 12:45:19 +0100 | [diff] [blame] | 2160 | #if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT) |
| 2161 | case MBEDTLS_TLS_EXT_RECORD_SIZE_LIMIT: |
| 2162 | MBEDTLS_SSL_DEBUG_MSG(3, ("found record_size_limit extension")); |
| 2163 | |
| Xiaokang Qian | 958b6ff | 2023-03-29 10:37:35 +0000 | [diff] [blame] | 2164 | ret = mbedtls_ssl_tls13_parse_record_size_limit_ext( |
| 2165 | ssl, p, p + extension_data_len); |
| Jan Bruckner | 151f642 | 2023-02-10 12:45:19 +0100 | [diff] [blame] | 2166 | |
| Xiaokang Qian | 958b6ff | 2023-03-29 10:37:35 +0000 | [diff] [blame] | 2167 | /* TODO: Return unconditionally here until we handle the record |
| 2168 | * size limit correctly. Once handled correctly, only return in |
| 2169 | * case of errors. */ |
| Jan Bruckner | 151f642 | 2023-02-10 12:45:19 +0100 | [diff] [blame] | 2170 | return ret; |
| 2171 | |
| 2172 | break; |
| 2173 | #endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */ |
| 2174 | |
| XiaokangQian | 08da26c | 2021-10-09 10:12:11 +0000 | [diff] [blame] | 2175 | default: |
| Jerry Yu | 79aa721 | 2022-11-08 21:30:21 +0800 | [diff] [blame] | 2176 | MBEDTLS_SSL_PRINT_EXT( |
| Jerry Yu | 9eba750 | 2022-10-31 13:46:16 +0800 | [diff] [blame] | 2177 | 3, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS, |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2178 | extension_type, "( ignored )"); |
| Jerry Yu | cbd082f | 2022-08-04 16:55:10 +0800 | [diff] [blame] | 2179 | break; |
| XiaokangQian | 08da26c | 2021-10-09 10:12:11 +0000 | [diff] [blame] | 2180 | } |
| 2181 | |
| XiaokangQian | 08da26c | 2021-10-09 10:12:11 +0000 | [diff] [blame] | 2182 | p += extension_data_len; |
| XiaokangQian | 97799ac | 2021-10-11 10:05:54 +0000 | [diff] [blame] | 2183 | } |
| XiaokangQian | 08da26c | 2021-10-09 10:12:11 +0000 | [diff] [blame] | 2184 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2185 | MBEDTLS_SSL_PRINT_EXTS(3, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS, |
| 2186 | handshake->received_extensions); |
| Jerry Yu | cbd082f | 2022-08-04 16:55:10 +0800 | [diff] [blame] | 2187 | |
| XiaokangQian | 97799ac | 2021-10-11 10:05:54 +0000 | [diff] [blame] | 2188 | /* Check that we consumed all the message. */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2189 | if (p != end) { |
| 2190 | MBEDTLS_SSL_DEBUG_MSG(1, ("EncryptedExtension lengths misaligned")); |
| 2191 | MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR, |
| 2192 | MBEDTLS_ERR_SSL_DECODE_ERROR); |
| 2193 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| XiaokangQian | 2d5c72b | 2021-09-13 07:30:09 +0000 | [diff] [blame] | 2194 | } |
| 2195 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2196 | return ret; |
| XiaokangQian | 2d5c72b | 2021-09-13 07:30:09 +0000 | [diff] [blame] | 2197 | } |
| 2198 | |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 2199 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2200 | static int ssl_tls13_process_encrypted_extensions(mbedtls_ssl_context *ssl) |
| Ronald Cron | 9d6a545 | 2022-05-30 16:05:38 +0200 | [diff] [blame] | 2201 | { |
| 2202 | int ret; |
| 2203 | unsigned char *buf; |
| 2204 | size_t buf_len; |
| 2205 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2206 | MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse encrypted extensions")); |
| Ronald Cron | 9d6a545 | 2022-05-30 16:05:38 +0200 | [diff] [blame] | 2207 | |
| Xiaokang Qian | 958b6ff | 2023-03-29 10:37:35 +0000 | [diff] [blame] | 2208 | MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_tls13_fetch_handshake_msg( |
| 2209 | ssl, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS, |
| 2210 | &buf, &buf_len)); |
| Ronald Cron | 9d6a545 | 2022-05-30 16:05:38 +0200 | [diff] [blame] | 2211 | |
| 2212 | /* Process the message contents */ |
| 2213 | MBEDTLS_SSL_PROC_CHK( |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2214 | ssl_tls13_parse_encrypted_extensions(ssl, buf, buf + buf_len)); |
| Ronald Cron | 9d6a545 | 2022-05-30 16:05:38 +0200 | [diff] [blame] | 2215 | |
| Xiaokang Qian | b157e91 | 2022-11-23 08:12:26 +0000 | [diff] [blame] | 2216 | #if defined(MBEDTLS_SSL_EARLY_DATA) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2217 | if (ssl->handshake->received_extensions & |
| 2218 | MBEDTLS_SSL_EXT_MASK(EARLY_DATA)) { |
| Xiaokang Qian | b157e91 | 2022-11-23 08:12:26 +0000 | [diff] [blame] | 2219 | ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED; |
| 2220 | } |
| 2221 | #endif |
| 2222 | |
| Xiaokang Qian | 958b6ff | 2023-03-29 10:37:35 +0000 | [diff] [blame] | 2223 | MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum( |
| 2224 | ssl, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS, |
| 2225 | buf, buf_len)); |
| Ronald Cron | 9d6a545 | 2022-05-30 16:05:38 +0200 | [diff] [blame] | 2226 | |
| Ronald Cron | 928cbd3 | 2022-10-04 16:14:26 +0200 | [diff] [blame] | 2227 | #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2228 | if (mbedtls_ssl_tls13_key_exchange_mode_with_psk(ssl)) { |
| 2229 | mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_FINISHED); |
| 2230 | } else { |
| 2231 | mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CERTIFICATE_REQUEST); |
| 2232 | } |
| Ronald Cron | fb508b8 | 2022-05-31 14:49:55 +0200 | [diff] [blame] | 2233 | #else |
| 2234 | ((void) ssl); |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2235 | mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_FINISHED); |
| Ronald Cron | fb508b8 | 2022-05-31 14:49:55 +0200 | [diff] [blame] | 2236 | #endif |
| Ronald Cron | 9d6a545 | 2022-05-30 16:05:38 +0200 | [diff] [blame] | 2237 | |
| 2238 | cleanup: |
| 2239 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2240 | MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse encrypted extensions")); |
| 2241 | return ret; |
| Ronald Cron | 9d6a545 | 2022-05-30 16:05:38 +0200 | [diff] [blame] | 2242 | |
| 2243 | } |
| 2244 | |
| Xiaokang Qian | 125afcb | 2022-10-28 06:04:06 +0000 | [diff] [blame] | 2245 | /* |
| 2246 | * Handler for MBEDTLS_SSL_END_OF_EARLY_DATA |
| 2247 | * |
| Xiaokang Qian | c81a15a | 2022-12-19 02:43:33 +0000 | [diff] [blame] | 2248 | * RFC 8446 section 4.5 |
| Xiaokang Qian | 125afcb | 2022-10-28 06:04:06 +0000 | [diff] [blame] | 2249 | * |
| Xiaokang Qian | 125afcb | 2022-10-28 06:04:06 +0000 | [diff] [blame] | 2250 | * struct {} EndOfEarlyData; |
| Xiaokang Qian | c81a15a | 2022-12-19 02:43:33 +0000 | [diff] [blame] | 2251 | * |
| 2252 | * If the server sent an "early_data" extension in EncryptedExtensions, the |
| 2253 | * client MUST send an EndOfEarlyData message after receiving the server |
| 2254 | * Finished. Otherwise, the client MUST NOT send an EndOfEarlyData message. |
| Xiaokang Qian | 125afcb | 2022-10-28 06:04:06 +0000 | [diff] [blame] | 2255 | */ |
| 2256 | |
| Xiaokang Qian | 125afcb | 2022-10-28 06:04:06 +0000 | [diff] [blame] | 2257 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Xiaokang Qian | 125afcb | 2022-10-28 06:04:06 +0000 | [diff] [blame] | 2258 | static int ssl_tls13_write_end_of_early_data(mbedtls_ssl_context *ssl) |
| 2259 | { |
| 2260 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| Xiaokang Qian | 742578c | 2022-12-19 06:34:44 +0000 | [diff] [blame] | 2261 | unsigned char *buf = NULL; |
| 2262 | size_t buf_len; |
| Xiaokang Qian | 57a138d | 2022-12-19 06:40:47 +0000 | [diff] [blame] | 2263 | MBEDTLS_SSL_DEBUG_MSG(2, ("=> write EndOfEarlyData")); |
| Xiaokang Qian | 125afcb | 2022-10-28 06:04:06 +0000 | [diff] [blame] | 2264 | |
| Xiaokang Qian | 742578c | 2022-12-19 06:34:44 +0000 | [diff] [blame] | 2265 | MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_start_handshake_msg( |
| Xiaokang Qian | 0de0d86 | 2023-02-08 06:04:50 +0000 | [diff] [blame] | 2266 | ssl, MBEDTLS_SSL_HS_END_OF_EARLY_DATA, |
| 2267 | &buf, &buf_len)); |
| Xiaokang Qian | 125afcb | 2022-10-28 06:04:06 +0000 | [diff] [blame] | 2268 | |
| Manuel Pégourié-Gonnard | 63e33dd | 2023-02-21 15:45:15 +0100 | [diff] [blame] | 2269 | MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_hdr_to_checksum( |
| 2270 | ssl, MBEDTLS_SSL_HS_END_OF_EARLY_DATA, 0)); |
| Xiaokang Qian | 125afcb | 2022-10-28 06:04:06 +0000 | [diff] [blame] | 2271 | |
| Xiaokang Qian | 742578c | 2022-12-19 06:34:44 +0000 | [diff] [blame] | 2272 | MBEDTLS_SSL_PROC_CHK( |
| 2273 | mbedtls_ssl_finish_handshake_msg(ssl, buf_len, 0)); |
| Xiaokang Qian | da8402d | 2022-12-15 14:55:35 +0000 | [diff] [blame] | 2274 | |
| Xiaokang Qian | 19d4416 | 2023-01-03 03:39:50 +0000 | [diff] [blame] | 2275 | mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE); |
| Xiaokang Qian | 125afcb | 2022-10-28 06:04:06 +0000 | [diff] [blame] | 2276 | |
| 2277 | cleanup: |
| 2278 | |
| 2279 | MBEDTLS_SSL_DEBUG_MSG(2, ("<= write EndOfEarlyData")); |
| 2280 | return ret; |
| 2281 | } |
| 2282 | |
| Ronald Cron | 928cbd3 | 2022-10-04 16:14:26 +0200 | [diff] [blame] | 2283 | #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED) |
| Jerry Yu | 687101b | 2021-09-14 16:03:56 +0800 | [diff] [blame] | 2284 | /* |
| Xiaofei Bai | a0ab777 | 2022-01-16 12:14:45 +0000 | [diff] [blame] | 2285 | * STATE HANDLING: CertificateRequest |
| 2286 | * |
| Jerry Yu | d267431 | 2021-10-29 10:08:19 +0800 | [diff] [blame] | 2287 | */ |
| Xiaofei Bai | 69fcd39 | 2022-01-20 08:25:00 +0000 | [diff] [blame] | 2288 | #define SSL_CERTIFICATE_REQUEST_EXPECT_REQUEST 0 |
| 2289 | #define SSL_CERTIFICATE_REQUEST_SKIP 1 |
| Xiaofei Bai | a0ab777 | 2022-01-16 12:14:45 +0000 | [diff] [blame] | 2290 | /* Coordination: |
| 2291 | * Deals with the ambiguity of not knowing if a CertificateRequest |
| 2292 | * will be sent. Returns a negative code on failure, or |
| 2293 | * - SSL_CERTIFICATE_REQUEST_EXPECT_REQUEST |
| 2294 | * - SSL_CERTIFICATE_REQUEST_SKIP |
| 2295 | * indicating if a Certificate Request is expected or not. |
| 2296 | */ |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 2297 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2298 | static int ssl_tls13_certificate_request_coordinate(mbedtls_ssl_context *ssl) |
| Jerry Yu | d267431 | 2021-10-29 10:08:19 +0800 | [diff] [blame] | 2299 | { |
| Xiaofei Bai | de3f13e | 2022-01-18 05:47:05 +0000 | [diff] [blame] | 2300 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| Jerry Yu | d267431 | 2021-10-29 10:08:19 +0800 | [diff] [blame] | 2301 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2302 | if ((ret = mbedtls_ssl_read_record(ssl, 0)) != 0) { |
| 2303 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret); |
| 2304 | return ret; |
| Jerry Yu | d267431 | 2021-10-29 10:08:19 +0800 | [diff] [blame] | 2305 | } |
| Xiaofei Bai | a0ab777 | 2022-01-16 12:14:45 +0000 | [diff] [blame] | 2306 | ssl->keep_current_message = 1; |
| Jerry Yu | d267431 | 2021-10-29 10:08:19 +0800 | [diff] [blame] | 2307 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2308 | if ((ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE) && |
| 2309 | (ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE_REQUEST)) { |
| 2310 | MBEDTLS_SSL_DEBUG_MSG(3, ("got a certificate request")); |
| 2311 | return SSL_CERTIFICATE_REQUEST_EXPECT_REQUEST; |
| Jerry Yu | d267431 | 2021-10-29 10:08:19 +0800 | [diff] [blame] | 2312 | } |
| 2313 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2314 | MBEDTLS_SSL_DEBUG_MSG(3, ("got no certificate request")); |
| Ronald Cron | 1938588 | 2022-06-15 16:26:13 +0200 | [diff] [blame] | 2315 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2316 | return SSL_CERTIFICATE_REQUEST_SKIP; |
| Xiaofei Bai | a0ab777 | 2022-01-16 12:14:45 +0000 | [diff] [blame] | 2317 | } |
| 2318 | |
| Xiaofei Bai | a0ab777 | 2022-01-16 12:14:45 +0000 | [diff] [blame] | 2319 | /* |
| 2320 | * ssl_tls13_parse_certificate_request() |
| 2321 | * Parse certificate request |
| 2322 | * struct { |
| 2323 | * opaque certificate_request_context<0..2^8-1>; |
| 2324 | * Extension extensions<2..2^16-1>; |
| 2325 | * } CertificateRequest; |
| 2326 | */ |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 2327 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2328 | static int ssl_tls13_parse_certificate_request(mbedtls_ssl_context *ssl, |
| 2329 | const unsigned char *buf, |
| 2330 | const unsigned char *end) |
| Xiaofei Bai | a0ab777 | 2022-01-16 12:14:45 +0000 | [diff] [blame] | 2331 | { |
| 2332 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| 2333 | const unsigned char *p = buf; |
| Xiaofei Bai | a0ab777 | 2022-01-16 12:14:45 +0000 | [diff] [blame] | 2334 | size_t certificate_request_context_len = 0; |
| Xiaofei Bai | 82f0a9a | 2022-01-26 09:21:54 +0000 | [diff] [blame] | 2335 | size_t extensions_len = 0; |
| 2336 | const unsigned char *extensions_end; |
| Jerry Yu | c4bf5d6 | 2022-10-29 09:08:47 +0800 | [diff] [blame] | 2337 | mbedtls_ssl_handshake_params *handshake = ssl->handshake; |
| Xiaofei Bai | a0ab777 | 2022-01-16 12:14:45 +0000 | [diff] [blame] | 2338 | |
| Xiaofei Bai | 82f0a9a | 2022-01-26 09:21:54 +0000 | [diff] [blame] | 2339 | /* ... |
| 2340 | * opaque certificate_request_context<0..2^8-1> |
| 2341 | * ... |
| 2342 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2343 | MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 1); |
| Xiaofei Bai | a0ab777 | 2022-01-16 12:14:45 +0000 | [diff] [blame] | 2344 | certificate_request_context_len = (size_t) p[0]; |
| Xiaofei Bai | 69fcd39 | 2022-01-20 08:25:00 +0000 | [diff] [blame] | 2345 | p += 1; |
| Xiaofei Bai | a0ab777 | 2022-01-16 12:14:45 +0000 | [diff] [blame] | 2346 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2347 | if (certificate_request_context_len > 0) { |
| 2348 | MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, certificate_request_context_len); |
| 2349 | MBEDTLS_SSL_DEBUG_BUF(3, "Certificate Request Context", |
| 2350 | p, certificate_request_context_len); |
| Xiaofei Bai | a0ab777 | 2022-01-16 12:14:45 +0000 | [diff] [blame] | 2351 | |
| Xiaofei Bai | 69fcd39 | 2022-01-20 08:25:00 +0000 | [diff] [blame] | 2352 | handshake->certificate_request_context = |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2353 | mbedtls_calloc(1, certificate_request_context_len); |
| 2354 | if (handshake->certificate_request_context == NULL) { |
| 2355 | MBEDTLS_SSL_DEBUG_MSG(1, ("buffer too small")); |
| 2356 | return MBEDTLS_ERR_SSL_ALLOC_FAILED; |
| Xiaofei Bai | a0ab777 | 2022-01-16 12:14:45 +0000 | [diff] [blame] | 2357 | } |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2358 | memcpy(handshake->certificate_request_context, p, |
| 2359 | certificate_request_context_len); |
| Xiaofei Bai | a0ab777 | 2022-01-16 12:14:45 +0000 | [diff] [blame] | 2360 | p += certificate_request_context_len; |
| 2361 | } |
| 2362 | |
| Xiaofei Bai | 82f0a9a | 2022-01-26 09:21:54 +0000 | [diff] [blame] | 2363 | /* ... |
| 2364 | * Extension extensions<2..2^16-1>; |
| 2365 | * ... |
| Xiaofei Bai | a0ab777 | 2022-01-16 12:14:45 +0000 | [diff] [blame] | 2366 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2367 | MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2); |
| 2368 | extensions_len = MBEDTLS_GET_UINT16_BE(p, 0); |
| Xiaofei Bai | a0ab777 | 2022-01-16 12:14:45 +0000 | [diff] [blame] | 2369 | p += 2; |
| 2370 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2371 | MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, extensions_len); |
| Xiaofei Bai | a0ab777 | 2022-01-16 12:14:45 +0000 | [diff] [blame] | 2372 | extensions_end = p + extensions_len; |
| 2373 | |
| Jerry Yu | 6d0e78b | 2022-10-31 14:13:25 +0800 | [diff] [blame] | 2374 | handshake->received_extensions = MBEDTLS_SSL_EXT_MASK_NONE; |
| Jerry Yu | c55a6af | 2022-08-04 17:01:21 +0800 | [diff] [blame] | 2375 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2376 | while (p < extensions_end) { |
| Xiaofei Bai | a0ab777 | 2022-01-16 12:14:45 +0000 | [diff] [blame] | 2377 | unsigned int extension_type; |
| 2378 | size_t extension_data_len; |
| 2379 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2380 | MBEDTLS_SSL_CHK_BUF_READ_PTR(p, extensions_end, 4); |
| 2381 | extension_type = MBEDTLS_GET_UINT16_BE(p, 0); |
| 2382 | extension_data_len = MBEDTLS_GET_UINT16_BE(p, 2); |
| Xiaofei Bai | a0ab777 | 2022-01-16 12:14:45 +0000 | [diff] [blame] | 2383 | p += 4; |
| 2384 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2385 | MBEDTLS_SSL_CHK_BUF_READ_PTR(p, extensions_end, extension_data_len); |
| Xiaofei Bai | a0ab777 | 2022-01-16 12:14:45 +0000 | [diff] [blame] | 2386 | |
| Jerry Yu | c4bf5d6 | 2022-10-29 09:08:47 +0800 | [diff] [blame] | 2387 | ret = mbedtls_ssl_tls13_check_received_extension( |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2388 | ssl, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST, extension_type, |
| 2389 | MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CR); |
| 2390 | if (ret != 0) { |
| 2391 | return ret; |
| 2392 | } |
| Jerry Yu | c55a6af | 2022-08-04 17:01:21 +0800 | [diff] [blame] | 2393 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2394 | switch (extension_type) { |
| Xiaofei Bai | a0ab777 | 2022-01-16 12:14:45 +0000 | [diff] [blame] | 2395 | case MBEDTLS_TLS_EXT_SIG_ALG: |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2396 | MBEDTLS_SSL_DEBUG_MSG(3, |
| 2397 | ("found signature algorithms extension")); |
| 2398 | ret = mbedtls_ssl_parse_sig_alg_ext(ssl, p, |
| 2399 | p + extension_data_len); |
| 2400 | if (ret != 0) { |
| 2401 | return ret; |
| 2402 | } |
| Jerry Yu | c55a6af | 2022-08-04 17:01:21 +0800 | [diff] [blame] | 2403 | |
| Xiaofei Bai | a0ab777 | 2022-01-16 12:14:45 +0000 | [diff] [blame] | 2404 | break; |
| 2405 | |
| 2406 | default: |
| Jerry Yu | 79aa721 | 2022-11-08 21:30:21 +0800 | [diff] [blame] | 2407 | MBEDTLS_SSL_PRINT_EXT( |
| Jerry Yu | 6d0e78b | 2022-10-31 14:13:25 +0800 | [diff] [blame] | 2408 | 3, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST, |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2409 | extension_type, "( ignored )"); |
| Xiaofei Bai | 82f0a9a | 2022-01-26 09:21:54 +0000 | [diff] [blame] | 2410 | break; |
| Xiaofei Bai | a0ab777 | 2022-01-16 12:14:45 +0000 | [diff] [blame] | 2411 | } |
| Jerry Yu | c55a6af | 2022-08-04 17:01:21 +0800 | [diff] [blame] | 2412 | |
| Xiaofei Bai | a0ab777 | 2022-01-16 12:14:45 +0000 | [diff] [blame] | 2413 | p += extension_data_len; |
| 2414 | } |
| Jerry Yu | c55a6af | 2022-08-04 17:01:21 +0800 | [diff] [blame] | 2415 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2416 | MBEDTLS_SSL_PRINT_EXTS(3, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST, |
| 2417 | handshake->received_extensions); |
| Jerry Yu | c55a6af | 2022-08-04 17:01:21 +0800 | [diff] [blame] | 2418 | |
| Xiaofei Bai | 69fcd39 | 2022-01-20 08:25:00 +0000 | [diff] [blame] | 2419 | /* Check that we consumed all the message. */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2420 | if (p != end) { |
| 2421 | MBEDTLS_SSL_DEBUG_MSG(1, |
| 2422 | ("CertificateRequest misaligned")); |
| Xiaofei Bai | c234ecf | 2022-02-08 09:59:23 +0000 | [diff] [blame] | 2423 | goto decode_error; |
| Xiaofei Bai | 69fcd39 | 2022-01-20 08:25:00 +0000 | [diff] [blame] | 2424 | } |
| Jerry Yu | c55a6af | 2022-08-04 17:01:21 +0800 | [diff] [blame] | 2425 | |
| Jerry Yu | 0c354a2 | 2022-08-29 15:25:36 +0800 | [diff] [blame] | 2426 | /* RFC 8446 section 4.3.2 |
| Jerry Yu | c55a6af | 2022-08-04 17:01:21 +0800 | [diff] [blame] | 2427 | * |
| 2428 | * The "signature_algorithms" extension MUST be specified |
| 2429 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2430 | if ((handshake->received_extensions & MBEDTLS_SSL_EXT_MASK(SIG_ALG)) == 0) { |
| 2431 | MBEDTLS_SSL_DEBUG_MSG(3, |
| 2432 | ("no signature algorithms extension found")); |
| Xiaofei Bai | c234ecf | 2022-02-08 09:59:23 +0000 | [diff] [blame] | 2433 | goto decode_error; |
| Xiaofei Bai | 69fcd39 | 2022-01-20 08:25:00 +0000 | [diff] [blame] | 2434 | } |
| Xiaofei Bai | a0ab777 | 2022-01-16 12:14:45 +0000 | [diff] [blame] | 2435 | |
| Jerry Yu | 7840f81 | 2022-01-29 10:26:51 +0800 | [diff] [blame] | 2436 | ssl->handshake->client_auth = 1; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2437 | return 0; |
| Xiaofei Bai | 51f515a | 2022-02-08 07:28:04 +0000 | [diff] [blame] | 2438 | |
| Xiaofei Bai | c234ecf | 2022-02-08 09:59:23 +0000 | [diff] [blame] | 2439 | decode_error: |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2440 | MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR, |
| 2441 | MBEDTLS_ERR_SSL_DECODE_ERROR); |
| 2442 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Xiaofei Bai | a0ab777 | 2022-01-16 12:14:45 +0000 | [diff] [blame] | 2443 | } |
| Xiaofei Bai | a0ab777 | 2022-01-16 12:14:45 +0000 | [diff] [blame] | 2444 | |
| Xiaofei Bai | de3f13e | 2022-01-18 05:47:05 +0000 | [diff] [blame] | 2445 | /* |
| 2446 | * Handler for MBEDTLS_SSL_CERTIFICATE_REQUEST |
| 2447 | */ |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 2448 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2449 | static int ssl_tls13_process_certificate_request(mbedtls_ssl_context *ssl) |
| Xiaofei Bai | a0ab777 | 2022-01-16 12:14:45 +0000 | [diff] [blame] | 2450 | { |
| Xiaofei Bai | de3f13e | 2022-01-18 05:47:05 +0000 | [diff] [blame] | 2451 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| Xiaofei Bai | a0ab777 | 2022-01-16 12:14:45 +0000 | [diff] [blame] | 2452 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2453 | MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate request")); |
| Xiaofei Bai | a0ab777 | 2022-01-16 12:14:45 +0000 | [diff] [blame] | 2454 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2455 | MBEDTLS_SSL_PROC_CHK_NEG(ssl_tls13_certificate_request_coordinate(ssl)); |
| Xiaofei Bai | a0ab777 | 2022-01-16 12:14:45 +0000 | [diff] [blame] | 2456 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2457 | if (ret == SSL_CERTIFICATE_REQUEST_EXPECT_REQUEST) { |
| Xiaofei Bai | a0ab777 | 2022-01-16 12:14:45 +0000 | [diff] [blame] | 2458 | unsigned char *buf; |
| 2459 | size_t buf_len; |
| 2460 | |
| Xiaokang Qian | 958b6ff | 2023-03-29 10:37:35 +0000 | [diff] [blame] | 2461 | MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_tls13_fetch_handshake_msg( |
| 2462 | ssl, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST, |
| 2463 | &buf, &buf_len)); |
| Xiaofei Bai | a0ab777 | 2022-01-16 12:14:45 +0000 | [diff] [blame] | 2464 | |
| Xiaokang Qian | 958b6ff | 2023-03-29 10:37:35 +0000 | [diff] [blame] | 2465 | MBEDTLS_SSL_PROC_CHK(ssl_tls13_parse_certificate_request( |
| 2466 | ssl, buf, buf + buf_len)); |
| Xiaofei Bai | a0ab777 | 2022-01-16 12:14:45 +0000 | [diff] [blame] | 2467 | |
| Xiaokang Qian | 958b6ff | 2023-03-29 10:37:35 +0000 | [diff] [blame] | 2468 | MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum( |
| 2469 | ssl, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST, |
| 2470 | buf, buf_len)); |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2471 | } else if (ret == SSL_CERTIFICATE_REQUEST_SKIP) { |
| Xiaofei Bai | f6d3696 | 2022-01-16 14:54:35 +0000 | [diff] [blame] | 2472 | ret = 0; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2473 | } else { |
| 2474 | MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); |
| Xiaofei Bai | 51f515a | 2022-02-08 07:28:04 +0000 | [diff] [blame] | 2475 | ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR; |
| 2476 | goto cleanup; |
| Xiaofei Bai | a0ab777 | 2022-01-16 12:14:45 +0000 | [diff] [blame] | 2477 | } |
| 2478 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2479 | mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_CERTIFICATE); |
| Jerry Yu | d267431 | 2021-10-29 10:08:19 +0800 | [diff] [blame] | 2480 | |
| Xiaofei Bai | a0ab777 | 2022-01-16 12:14:45 +0000 | [diff] [blame] | 2481 | cleanup: |
| 2482 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2483 | MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse certificate request")); |
| 2484 | return ret; |
| Jerry Yu | d267431 | 2021-10-29 10:08:19 +0800 | [diff] [blame] | 2485 | } |
| 2486 | |
| 2487 | /* |
| Jerry Yu | 687101b | 2021-09-14 16:03:56 +0800 | [diff] [blame] | 2488 | * Handler for MBEDTLS_SSL_SERVER_CERTIFICATE |
| 2489 | */ |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 2490 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2491 | static int ssl_tls13_process_server_certificate(mbedtls_ssl_context *ssl) |
| Jerry Yu | 687101b | 2021-09-14 16:03:56 +0800 | [diff] [blame] | 2492 | { |
| Xiaofei Bai | 947571e | 2021-09-29 09:12:03 +0000 | [diff] [blame] | 2493 | int ret; |
| 2494 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2495 | ret = mbedtls_ssl_tls13_process_certificate(ssl); |
| 2496 | if (ret != 0) { |
| 2497 | return ret; |
| 2498 | } |
| Xiaofei Bai | 947571e | 2021-09-29 09:12:03 +0000 | [diff] [blame] | 2499 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2500 | mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CERTIFICATE_VERIFY); |
| 2501 | return 0; |
| Jerry Yu | 687101b | 2021-09-14 16:03:56 +0800 | [diff] [blame] | 2502 | } |
| 2503 | |
| 2504 | /* |
| 2505 | * Handler for MBEDTLS_SSL_CERTIFICATE_VERIFY |
| 2506 | */ |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 2507 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2508 | static int ssl_tls13_process_certificate_verify(mbedtls_ssl_context *ssl) |
| Jerry Yu | 687101b | 2021-09-14 16:03:56 +0800 | [diff] [blame] | 2509 | { |
| Jerry Yu | 30b071c | 2021-09-12 20:16:03 +0800 | [diff] [blame] | 2510 | int ret; |
| 2511 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2512 | ret = mbedtls_ssl_tls13_process_certificate_verify(ssl); |
| 2513 | if (ret != 0) { |
| 2514 | return ret; |
| 2515 | } |
| Jerry Yu | 30b071c | 2021-09-12 20:16:03 +0800 | [diff] [blame] | 2516 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2517 | mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_FINISHED); |
| 2518 | return 0; |
| Jerry Yu | 687101b | 2021-09-14 16:03:56 +0800 | [diff] [blame] | 2519 | } |
| Ronald Cron | 928cbd3 | 2022-10-04 16:14:26 +0200 | [diff] [blame] | 2520 | #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */ |
| Ronald Cron | d4c6402 | 2021-12-06 09:06:46 +0100 | [diff] [blame] | 2521 | |
| Jerry Yu | 687101b | 2021-09-14 16:03:56 +0800 | [diff] [blame] | 2522 | /* |
| 2523 | * Handler for MBEDTLS_SSL_SERVER_FINISHED |
| 2524 | */ |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 2525 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2526 | static int ssl_tls13_process_server_finished(mbedtls_ssl_context *ssl) |
| Jerry Yu | 687101b | 2021-09-14 16:03:56 +0800 | [diff] [blame] | 2527 | { |
| XiaokangQian | ac0385c | 2021-11-03 06:40:11 +0000 | [diff] [blame] | 2528 | int ret; |
| 2529 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2530 | ret = mbedtls_ssl_tls13_process_finished_message(ssl); |
| 2531 | if (ret != 0) { |
| 2532 | return ret; |
| 2533 | } |
| XiaokangQian | ac0385c | 2021-11-03 06:40:11 +0000 | [diff] [blame] | 2534 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2535 | ret = mbedtls_ssl_tls13_compute_application_transform(ssl); |
| 2536 | if (ret != 0) { |
| Jerry Yu | e3d67cb | 2022-05-19 15:33:10 +0800 | [diff] [blame] | 2537 | MBEDTLS_SSL_PEND_FATAL_ALERT( |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2538 | MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE, |
| 2539 | MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE); |
| 2540 | return ret; |
| Jerry Yu | e3d67cb | 2022-05-19 15:33:10 +0800 | [diff] [blame] | 2541 | } |
| 2542 | |
| Xiaokang Qian | bc75bc0 | 2022-12-19 06:16:42 +0000 | [diff] [blame] | 2543 | #if defined(MBEDTLS_SSL_EARLY_DATA) |
| 2544 | if (ssl->early_data_status == MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED) { |
| 2545 | mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_END_OF_EARLY_DATA); |
| Xiaokang Qian | bd0ab06 | 2023-02-02 05:56:30 +0000 | [diff] [blame] | 2546 | } else if (ssl->early_data_status == MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED) { |
| 2547 | mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE); |
| Xiaokang Qian | bc75bc0 | 2022-12-19 06:16:42 +0000 | [diff] [blame] | 2548 | } else |
| 2549 | #endif /* MBEDTLS_SSL_EARLY_DATA */ |
| 2550 | { |
| 2551 | #if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE) |
| 2552 | mbedtls_ssl_handshake_set_state( |
| 2553 | ssl, MBEDTLS_SSL_CLIENT_CCS_AFTER_SERVER_FINISHED); |
| 2554 | #else |
| 2555 | mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE); |
| 2556 | #endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */ |
| 2557 | } |
| Ronald Cron | 49ad619 | 2021-11-24 16:25:31 +0100 | [diff] [blame] | 2558 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2559 | return 0; |
| Jerry Yu | 687101b | 2021-09-14 16:03:56 +0800 | [diff] [blame] | 2560 | } |
| 2561 | |
| 2562 | /* |
| Jerry Yu | 566c781 | 2022-01-26 15:41:22 +0800 | [diff] [blame] | 2563 | * Handler for MBEDTLS_SSL_CLIENT_CERTIFICATE |
| 2564 | */ |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 2565 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2566 | static int ssl_tls13_write_client_certificate(mbedtls_ssl_context *ssl) |
| Jerry Yu | 566c781 | 2022-01-26 15:41:22 +0800 | [diff] [blame] | 2567 | { |
| Ronald Cron | 7a94aca | 2022-03-09 07:44:27 +0100 | [diff] [blame] | 2568 | int non_empty_certificate_msg = 0; |
| 2569 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2570 | MBEDTLS_SSL_DEBUG_MSG(1, |
| 2571 | ("Switch to handshake traffic keys for outbound traffic")); |
| 2572 | mbedtls_ssl_set_outbound_transform(ssl, ssl->handshake->transform_handshake); |
| Jerry Yu | 5cc3506 | 2022-01-28 16:16:08 +0800 | [diff] [blame] | 2573 | |
| Ronald Cron | 928cbd3 | 2022-10-04 16:14:26 +0200 | [diff] [blame] | 2574 | #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED) |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2575 | if (ssl->handshake->client_auth) { |
| 2576 | int ret = mbedtls_ssl_tls13_write_certificate(ssl); |
| 2577 | if (ret != 0) { |
| 2578 | return ret; |
| 2579 | } |
| Ronald Cron | 5bb8fc8 | 2022-03-09 07:00:13 +0100 | [diff] [blame] | 2580 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2581 | if (mbedtls_ssl_own_cert(ssl) != NULL) { |
| Ronald Cron | 7a94aca | 2022-03-09 07:44:27 +0100 | [diff] [blame] | 2582 | non_empty_certificate_msg = 1; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2583 | } |
| 2584 | } else { |
| 2585 | MBEDTLS_SSL_DEBUG_MSG(2, ("skip write certificate")); |
| Ronald Cron | 7a94aca | 2022-03-09 07:44:27 +0100 | [diff] [blame] | 2586 | } |
| Ronald Cron | 9df7c80 | 2022-03-08 18:38:54 +0100 | [diff] [blame] | 2587 | #endif |
| Ronald Cron | 5bb8fc8 | 2022-03-09 07:00:13 +0100 | [diff] [blame] | 2588 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2589 | if (non_empty_certificate_msg) { |
| 2590 | mbedtls_ssl_handshake_set_state(ssl, |
| 2591 | MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY); |
| 2592 | } else { |
| 2593 | MBEDTLS_SSL_DEBUG_MSG(2, ("skip write certificate verify")); |
| 2594 | mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_FINISHED); |
| 2595 | } |
| Ronald Cron | 7a94aca | 2022-03-09 07:44:27 +0100 | [diff] [blame] | 2596 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2597 | return 0; |
| Jerry Yu | 566c781 | 2022-01-26 15:41:22 +0800 | [diff] [blame] | 2598 | } |
| 2599 | |
| Ronald Cron | 928cbd3 | 2022-10-04 16:14:26 +0200 | [diff] [blame] | 2600 | #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED) |
| Jerry Yu | 566c781 | 2022-01-26 15:41:22 +0800 | [diff] [blame] | 2601 | /* |
| 2602 | * Handler for MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY |
| 2603 | */ |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 2604 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2605 | static int ssl_tls13_write_client_certificate_verify(mbedtls_ssl_context *ssl) |
| Jerry Yu | 566c781 | 2022-01-26 15:41:22 +0800 | [diff] [blame] | 2606 | { |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2607 | int ret = mbedtls_ssl_tls13_write_certificate_verify(ssl); |
| Ronald Cron | a8b3887 | 2022-03-09 07:59:25 +0100 | [diff] [blame] | 2608 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2609 | if (ret == 0) { |
| 2610 | mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_FINISHED); |
| 2611 | } |
| Ronald Cron | a8b3887 | 2022-03-09 07:59:25 +0100 | [diff] [blame] | 2612 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2613 | return ret; |
| Jerry Yu | 566c781 | 2022-01-26 15:41:22 +0800 | [diff] [blame] | 2614 | } |
| Ronald Cron | 928cbd3 | 2022-10-04 16:14:26 +0200 | [diff] [blame] | 2615 | #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */ |
| Jerry Yu | 566c781 | 2022-01-26 15:41:22 +0800 | [diff] [blame] | 2616 | |
| 2617 | /* |
| Jerry Yu | 687101b | 2021-09-14 16:03:56 +0800 | [diff] [blame] | 2618 | * Handler for MBEDTLS_SSL_CLIENT_FINISHED |
| 2619 | */ |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 2620 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2621 | static int ssl_tls13_write_client_finished(mbedtls_ssl_context *ssl) |
| Jerry Yu | 687101b | 2021-09-14 16:03:56 +0800 | [diff] [blame] | 2622 | { |
| XiaokangQian | 0fa6643 | 2021-11-15 03:33:57 +0000 | [diff] [blame] | 2623 | int ret; |
| 2624 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2625 | ret = mbedtls_ssl_tls13_write_finished_message(ssl); |
| 2626 | if (ret != 0) { |
| 2627 | return ret; |
| Jerry Yu | e3d67cb | 2022-05-19 15:33:10 +0800 | [diff] [blame] | 2628 | } |
| 2629 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2630 | ret = mbedtls_ssl_tls13_compute_resumption_master_secret(ssl); |
| 2631 | if (ret != 0) { |
| Xiaokang Qian | 958b6ff | 2023-03-29 10:37:35 +0000 | [diff] [blame] | 2632 | MBEDTLS_SSL_DEBUG_RET( |
| 2633 | 1, "mbedtls_ssl_tls13_compute_resumption_master_secret ", ret); |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2634 | return ret; |
| 2635 | } |
| 2636 | |
| 2637 | mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_FLUSH_BUFFERS); |
| 2638 | return 0; |
| Jerry Yu | 687101b | 2021-09-14 16:03:56 +0800 | [diff] [blame] | 2639 | } |
| 2640 | |
| 2641 | /* |
| 2642 | * Handler for MBEDTLS_SSL_FLUSH_BUFFERS |
| 2643 | */ |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 2644 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2645 | static int ssl_tls13_flush_buffers(mbedtls_ssl_context *ssl) |
| Jerry Yu | 687101b | 2021-09-14 16:03:56 +0800 | [diff] [blame] | 2646 | { |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2647 | MBEDTLS_SSL_DEBUG_MSG(2, ("handshake: done")); |
| 2648 | mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_WRAPUP); |
| 2649 | return 0; |
| Jerry Yu | 687101b | 2021-09-14 16:03:56 +0800 | [diff] [blame] | 2650 | } |
| 2651 | |
| 2652 | /* |
| 2653 | * Handler for MBEDTLS_SSL_HANDSHAKE_WRAPUP |
| 2654 | */ |
| Manuel Pégourié-Gonnard | a3115dc | 2022-06-17 10:52:54 +0200 | [diff] [blame] | 2655 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2656 | static int ssl_tls13_handshake_wrapup(mbedtls_ssl_context *ssl) |
| Jerry Yu | 687101b | 2021-09-14 16:03:56 +0800 | [diff] [blame] | 2657 | { |
| Jerry Yu | 378254d | 2021-10-30 21:44:47 +0800 | [diff] [blame] | 2658 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2659 | mbedtls_ssl_tls13_handshake_wrapup(ssl); |
| Jerry Yu | 378254d | 2021-10-30 21:44:47 +0800 | [diff] [blame] | 2660 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2661 | mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_OVER); |
| 2662 | return 0; |
| Jerry Yu | 687101b | 2021-09-14 16:03:56 +0800 | [diff] [blame] | 2663 | } |
| 2664 | |
| Jerry Yu | f8a4994 | 2022-07-07 11:32:32 +0000 | [diff] [blame] | 2665 | #if defined(MBEDTLS_SSL_SESSION_TICKETS) |
| 2666 | |
| Jerry Yu | a0446a0 | 2022-07-13 11:22:55 +0800 | [diff] [blame] | 2667 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2668 | static int ssl_tls13_parse_new_session_ticket_exts(mbedtls_ssl_context *ssl, |
| 2669 | const unsigned char *buf, |
| 2670 | const unsigned char *end) |
| Jerry Yu | f8a4994 | 2022-07-07 11:32:32 +0000 | [diff] [blame] | 2671 | { |
| Jerry Yu | c4bf5d6 | 2022-10-29 09:08:47 +0800 | [diff] [blame] | 2672 | mbedtls_ssl_handshake_params *handshake = ssl->handshake; |
| Jerry Yu | af2c0c8 | 2022-07-12 05:47:21 +0000 | [diff] [blame] | 2673 | const unsigned char *p = buf; |
| Jerry Yu | f8a4994 | 2022-07-07 11:32:32 +0000 | [diff] [blame] | 2674 | |
| Jerry Yu | f8a4994 | 2022-07-07 11:32:32 +0000 | [diff] [blame] | 2675 | |
| Jerry Yu | edab637 | 2022-10-31 14:37:31 +0800 | [diff] [blame] | 2676 | handshake->received_extensions = MBEDTLS_SSL_EXT_MASK_NONE; |
| Jerry Yu | 6ba9f1c | 2022-08-04 17:53:25 +0800 | [diff] [blame] | 2677 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2678 | while (p < end) { |
| Jerry Yu | f8a4994 | 2022-07-07 11:32:32 +0000 | [diff] [blame] | 2679 | unsigned int extension_type; |
| 2680 | size_t extension_data_len; |
| Jerry Yu | 0c354a2 | 2022-08-29 15:25:36 +0800 | [diff] [blame] | 2681 | int ret; |
| Jerry Yu | f8a4994 | 2022-07-07 11:32:32 +0000 | [diff] [blame] | 2682 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2683 | MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 4); |
| 2684 | extension_type = MBEDTLS_GET_UINT16_BE(p, 0); |
| 2685 | extension_data_len = MBEDTLS_GET_UINT16_BE(p, 2); |
| Jerry Yu | f8a4994 | 2022-07-07 11:32:32 +0000 | [diff] [blame] | 2686 | p += 4; |
| 2687 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2688 | MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, extension_data_len); |
| Jerry Yu | f8a4994 | 2022-07-07 11:32:32 +0000 | [diff] [blame] | 2689 | |
| Jerry Yu | c4bf5d6 | 2022-10-29 09:08:47 +0800 | [diff] [blame] | 2690 | ret = mbedtls_ssl_tls13_check_received_extension( |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2691 | ssl, MBEDTLS_SSL_HS_NEW_SESSION_TICKET, extension_type, |
| 2692 | MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_NST); |
| 2693 | if (ret != 0) { |
| 2694 | return ret; |
| 2695 | } |
| Jerry Yu | 6ba9f1c | 2022-08-04 17:53:25 +0800 | [diff] [blame] | 2696 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2697 | switch (extension_type) { |
| Xiaokang Qian | 0cc4320 | 2022-11-16 08:43:50 +0000 | [diff] [blame] | 2698 | #if defined(MBEDTLS_SSL_EARLY_DATA) |
| Xiaokang Qian | f447e8a | 2022-11-08 07:02:27 +0000 | [diff] [blame] | 2699 | case MBEDTLS_TLS_EXT_EARLY_DATA: |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2700 | if (extension_data_len != 4) { |
| Xiaokang Qian | 2d87a9e | 2022-11-09 07:55:48 +0000 | [diff] [blame] | 2701 | MBEDTLS_SSL_PEND_FATAL_ALERT( |
| 2702 | MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR, |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2703 | MBEDTLS_ERR_SSL_DECODE_ERROR); |
| 2704 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
| Xiaokang Qian | 2d87a9e | 2022-11-09 07:55:48 +0000 | [diff] [blame] | 2705 | } |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2706 | if (ssl->session != NULL) { |
| Xiaokang Qian | f447e8a | 2022-11-08 07:02:27 +0000 | [diff] [blame] | 2707 | ssl->session->ticket_flags |= |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2708 | MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_EARLY_DATA; |
| Xiaokang Qian | 2d87a9e | 2022-11-09 07:55:48 +0000 | [diff] [blame] | 2709 | } |
| Xiaokang Qian | f447e8a | 2022-11-08 07:02:27 +0000 | [diff] [blame] | 2710 | break; |
| Xiaokang Qian | 0cc4320 | 2022-11-16 08:43:50 +0000 | [diff] [blame] | 2711 | #endif /* MBEDTLS_SSL_EARLY_DATA */ |
| Xiaokang Qian | f447e8a | 2022-11-08 07:02:27 +0000 | [diff] [blame] | 2712 | |
| Jerry Yu | f8a4994 | 2022-07-07 11:32:32 +0000 | [diff] [blame] | 2713 | default: |
| Jerry Yu | 79aa721 | 2022-11-08 21:30:21 +0800 | [diff] [blame] | 2714 | MBEDTLS_SSL_PRINT_EXT( |
| Jerry Yu | edab637 | 2022-10-31 14:37:31 +0800 | [diff] [blame] | 2715 | 3, MBEDTLS_SSL_HS_NEW_SESSION_TICKET, |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2716 | extension_type, "( ignored )"); |
| Jerry Yu | f8a4994 | 2022-07-07 11:32:32 +0000 | [diff] [blame] | 2717 | break; |
| 2718 | } |
| Jerry Yu | 6ba9f1c | 2022-08-04 17:53:25 +0800 | [diff] [blame] | 2719 | |
| Jerry Yu | f8a4994 | 2022-07-07 11:32:32 +0000 | [diff] [blame] | 2720 | p += extension_data_len; |
| 2721 | } |
| 2722 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2723 | MBEDTLS_SSL_PRINT_EXTS(3, MBEDTLS_SSL_HS_NEW_SESSION_TICKET, |
| 2724 | handshake->received_extensions); |
| Jerry Yu | 6ba9f1c | 2022-08-04 17:53:25 +0800 | [diff] [blame] | 2725 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2726 | return 0; |
| Jerry Yu | f8a4994 | 2022-07-07 11:32:32 +0000 | [diff] [blame] | 2727 | } |
| 2728 | |
| 2729 | /* |
| Jerry Yu | 08aed4d | 2022-07-20 10:36:12 +0800 | [diff] [blame] | 2730 | * From RFC8446, page 74 |
| 2731 | * |
| Jerry Yu | f8a4994 | 2022-07-07 11:32:32 +0000 | [diff] [blame] | 2732 | * struct { |
| 2733 | * uint32 ticket_lifetime; |
| 2734 | * uint32 ticket_age_add; |
| 2735 | * opaque ticket_nonce<0..255>; |
| 2736 | * opaque ticket<1..2^16-1>; |
| 2737 | * Extension extensions<0..2^16-2>; |
| 2738 | * } NewSessionTicket; |
| 2739 | * |
| 2740 | */ |
| Jerry Yu | a0446a0 | 2022-07-13 11:22:55 +0800 | [diff] [blame] | 2741 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2742 | static int ssl_tls13_parse_new_session_ticket(mbedtls_ssl_context *ssl, |
| 2743 | unsigned char *buf, |
| 2744 | unsigned char *end, |
| 2745 | unsigned char **ticket_nonce, |
| 2746 | size_t *ticket_nonce_len) |
| Jerry Yu | f8a4994 | 2022-07-07 11:32:32 +0000 | [diff] [blame] | 2747 | { |
| 2748 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| 2749 | unsigned char *p = buf; |
| 2750 | mbedtls_ssl_session *session = ssl->session; |
| Jerry Yu | f8a4994 | 2022-07-07 11:32:32 +0000 | [diff] [blame] | 2751 | size_t ticket_len; |
| 2752 | unsigned char *ticket; |
| 2753 | size_t extensions_len; |
| Jerry Yu | f8a4994 | 2022-07-07 11:32:32 +0000 | [diff] [blame] | 2754 | |
| Jerry Yu | cb3b139 | 2022-07-12 06:09:38 +0000 | [diff] [blame] | 2755 | *ticket_nonce = NULL; |
| 2756 | *ticket_nonce_len = 0; |
| Jerry Yu | f8a4994 | 2022-07-07 11:32:32 +0000 | [diff] [blame] | 2757 | /* |
| 2758 | * ticket_lifetime 4 bytes |
| 2759 | * ticket_age_add 4 bytes |
| Jerry Yu | 08aed4d | 2022-07-20 10:36:12 +0800 | [diff] [blame] | 2760 | * ticket_nonce_len 1 byte |
| Jerry Yu | f8a4994 | 2022-07-07 11:32:32 +0000 | [diff] [blame] | 2761 | */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2762 | MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 9); |
| Jerry Yu | f8a4994 | 2022-07-07 11:32:32 +0000 | [diff] [blame] | 2763 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2764 | session->ticket_lifetime = MBEDTLS_GET_UINT32_BE(p, 0); |
| 2765 | MBEDTLS_SSL_DEBUG_MSG(3, |
| 2766 | ("ticket_lifetime: %u", |
| 2767 | (unsigned int) session->ticket_lifetime)); |
| Jerry Yu | f8a4994 | 2022-07-07 11:32:32 +0000 | [diff] [blame] | 2768 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2769 | session->ticket_age_add = MBEDTLS_GET_UINT32_BE(p, 4); |
| 2770 | MBEDTLS_SSL_DEBUG_MSG(3, |
| 2771 | ("ticket_age_add: %u", |
| 2772 | (unsigned int) session->ticket_age_add)); |
| Jerry Yu | f8a4994 | 2022-07-07 11:32:32 +0000 | [diff] [blame] | 2773 | |
| Jerry Yu | cb3b139 | 2022-07-12 06:09:38 +0000 | [diff] [blame] | 2774 | *ticket_nonce_len = p[8]; |
| 2775 | p += 9; |
| 2776 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2777 | MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, *ticket_nonce_len); |
| Jerry Yu | cb3b139 | 2022-07-12 06:09:38 +0000 | [diff] [blame] | 2778 | *ticket_nonce = p; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2779 | MBEDTLS_SSL_DEBUG_BUF(3, "ticket_nonce:", *ticket_nonce, *ticket_nonce_len); |
| Jerry Yu | cb3b139 | 2022-07-12 06:09:38 +0000 | [diff] [blame] | 2780 | p += *ticket_nonce_len; |
| Jerry Yu | f8a4994 | 2022-07-07 11:32:32 +0000 | [diff] [blame] | 2781 | |
| 2782 | /* Ticket */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2783 | MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2); |
| 2784 | ticket_len = MBEDTLS_GET_UINT16_BE(p, 0); |
| Jerry Yu | f8a4994 | 2022-07-07 11:32:32 +0000 | [diff] [blame] | 2785 | p += 2; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2786 | MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, ticket_len); |
| 2787 | MBEDTLS_SSL_DEBUG_BUF(3, "received ticket", p, ticket_len); |
| Jerry Yu | f8a4994 | 2022-07-07 11:32:32 +0000 | [diff] [blame] | 2788 | |
| 2789 | /* Check if we previously received a ticket already. */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2790 | if (session->ticket != NULL || session->ticket_len > 0) { |
| 2791 | mbedtls_free(session->ticket); |
| Jerry Yu | f8a4994 | 2022-07-07 11:32:32 +0000 | [diff] [blame] | 2792 | session->ticket = NULL; |
| 2793 | session->ticket_len = 0; |
| 2794 | } |
| 2795 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2796 | if ((ticket = mbedtls_calloc(1, ticket_len)) == NULL) { |
| 2797 | MBEDTLS_SSL_DEBUG_MSG(1, ("ticket alloc failed")); |
| 2798 | return MBEDTLS_ERR_SSL_ALLOC_FAILED; |
| Jerry Yu | f8a4994 | 2022-07-07 11:32:32 +0000 | [diff] [blame] | 2799 | } |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2800 | memcpy(ticket, p, ticket_len); |
| Jerry Yu | f8a4994 | 2022-07-07 11:32:32 +0000 | [diff] [blame] | 2801 | p += ticket_len; |
| 2802 | session->ticket = ticket; |
| 2803 | session->ticket_len = ticket_len; |
| Jerry Yu | f8a4994 | 2022-07-07 11:32:32 +0000 | [diff] [blame] | 2804 | |
| Pengyu Lv | 9f92695 | 2022-11-17 15:22:33 +0800 | [diff] [blame] | 2805 | /* Clear all flags in ticket_flags */ |
| Pengyu Lv | 80270b2 | 2023-01-12 11:54:04 +0800 | [diff] [blame] | 2806 | mbedtls_ssl_session_clear_ticket_flags( |
| Pengyu Lv | 9eacb44 | 2022-12-09 14:39:19 +0800 | [diff] [blame] | 2807 | session, MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK); |
| Pengyu Lv | 9f92695 | 2022-11-17 15:22:33 +0800 | [diff] [blame] | 2808 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2809 | MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2); |
| 2810 | extensions_len = MBEDTLS_GET_UINT16_BE(p, 0); |
| Jerry Yu | f8a4994 | 2022-07-07 11:32:32 +0000 | [diff] [blame] | 2811 | p += 2; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2812 | MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, extensions_len); |
| Jerry Yu | f8a4994 | 2022-07-07 11:32:32 +0000 | [diff] [blame] | 2813 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2814 | MBEDTLS_SSL_DEBUG_BUF(3, "ticket extension", p, extensions_len); |
| Jerry Yu | f8a4994 | 2022-07-07 11:32:32 +0000 | [diff] [blame] | 2815 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2816 | ret = ssl_tls13_parse_new_session_ticket_exts(ssl, p, p + extensions_len); |
| 2817 | if (ret != 0) { |
| 2818 | MBEDTLS_SSL_DEBUG_RET(1, |
| 2819 | "ssl_tls13_parse_new_session_ticket_exts", |
| 2820 | ret); |
| 2821 | return ret; |
| Jerry Yu | f8a4994 | 2022-07-07 11:32:32 +0000 | [diff] [blame] | 2822 | } |
| Jerry Yu | cb3b139 | 2022-07-12 06:09:38 +0000 | [diff] [blame] | 2823 | |
| Jerry Yu | db8c5fa | 2022-08-03 12:10:13 +0800 | [diff] [blame] | 2824 | /* session has been updated, allow export */ |
| 2825 | session->exported = 0; |
| 2826 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2827 | return 0; |
| Jerry Yu | cb3b139 | 2022-07-12 06:09:38 +0000 | [diff] [blame] | 2828 | } |
| 2829 | |
| Jerry Yu | a0446a0 | 2022-07-13 11:22:55 +0800 | [diff] [blame] | 2830 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2831 | static int ssl_tls13_postprocess_new_session_ticket(mbedtls_ssl_context *ssl, |
| 2832 | unsigned char *ticket_nonce, |
| 2833 | size_t ticket_nonce_len) |
| Jerry Yu | cb3b139 | 2022-07-12 06:09:38 +0000 | [diff] [blame] | 2834 | { |
| 2835 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| 2836 | mbedtls_ssl_session *session = ssl->session; |
| 2837 | const mbedtls_ssl_ciphersuite_t *ciphersuite_info; |
| 2838 | psa_algorithm_t psa_hash_alg; |
| 2839 | int hash_length; |
| 2840 | |
| Jerry Yu | 4e6c42a | 2022-07-13 11:16:51 +0800 | [diff] [blame] | 2841 | #if defined(MBEDTLS_HAVE_TIME) |
| 2842 | /* Store ticket creation time */ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2843 | session->ticket_received = mbedtls_time(NULL); |
| Jerry Yu | 4e6c42a | 2022-07-13 11:16:51 +0800 | [diff] [blame] | 2844 | #endif |
| 2845 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2846 | ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(session->ciphersuite); |
| 2847 | if (ciphersuite_info == NULL) { |
| 2848 | MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); |
| 2849 | return MBEDTLS_ERR_SSL_INTERNAL_ERROR; |
| Jerry Yu | f8a4994 | 2022-07-07 11:32:32 +0000 | [diff] [blame] | 2850 | } |
| 2851 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2852 | psa_hash_alg = mbedtls_psa_translate_md(ciphersuite_info->mac); |
| 2853 | hash_length = PSA_HASH_LENGTH(psa_hash_alg); |
| 2854 | if (hash_length == -1 || |
| 2855 | (size_t) hash_length > sizeof(session->resumption_key)) { |
| 2856 | return MBEDTLS_ERR_SSL_INTERNAL_ERROR; |
| Jerry Yu | 3afdf36 | 2022-07-20 17:34:14 +0800 | [diff] [blame] | 2857 | } |
| 2858 | |
| Jerry Yu | f8a4994 | 2022-07-07 11:32:32 +0000 | [diff] [blame] | 2859 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2860 | MBEDTLS_SSL_DEBUG_BUF(3, "resumption_master_secret", |
| 2861 | session->app_secrets.resumption_master_secret, |
| 2862 | hash_length); |
| Jerry Yu | f8a4994 | 2022-07-07 11:32:32 +0000 | [diff] [blame] | 2863 | |
| Jerry Yu | 4e6c42a | 2022-07-13 11:16:51 +0800 | [diff] [blame] | 2864 | /* Compute resumption key |
| Jerry Yu | f8a4994 | 2022-07-07 11:32:32 +0000 | [diff] [blame] | 2865 | * |
| 2866 | * HKDF-Expand-Label( resumption_master_secret, |
| 2867 | * "resumption", ticket_nonce, Hash.length ) |
| 2868 | */ |
| 2869 | ret = mbedtls_ssl_tls13_hkdf_expand_label( |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2870 | psa_hash_alg, |
| 2871 | session->app_secrets.resumption_master_secret, |
| 2872 | hash_length, |
| 2873 | MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(resumption), |
| 2874 | ticket_nonce, |
| 2875 | ticket_nonce_len, |
| 2876 | session->resumption_key, |
| 2877 | hash_length); |
| Jerry Yu | f8a4994 | 2022-07-07 11:32:32 +0000 | [diff] [blame] | 2878 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2879 | if (ret != 0) { |
| 2880 | MBEDTLS_SSL_DEBUG_RET(2, |
| 2881 | "Creating the ticket-resumed PSK failed", |
| 2882 | ret); |
| 2883 | return ret; |
| Jerry Yu | f8a4994 | 2022-07-07 11:32:32 +0000 | [diff] [blame] | 2884 | } |
| 2885 | |
| Jerry Yu | 0a430c8 | 2022-07-20 11:02:48 +0800 | [diff] [blame] | 2886 | session->resumption_key_len = hash_length; |
| Jerry Yu | f8a4994 | 2022-07-07 11:32:32 +0000 | [diff] [blame] | 2887 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2888 | MBEDTLS_SSL_DEBUG_BUF(3, "Ticket-resumed PSK", |
| 2889 | session->resumption_key, |
| 2890 | session->resumption_key_len); |
| Jerry Yu | f8a4994 | 2022-07-07 11:32:32 +0000 | [diff] [blame] | 2891 | |
| Pengyu Lv | 9f92695 | 2022-11-17 15:22:33 +0800 | [diff] [blame] | 2892 | /* Set ticket_flags depends on the selected key exchange modes */ |
| Pengyu Lv | 80270b2 | 2023-01-12 11:54:04 +0800 | [diff] [blame] | 2893 | mbedtls_ssl_session_set_ticket_flags( |
| Pengyu Lv | 9eacb44 | 2022-12-09 14:39:19 +0800 | [diff] [blame] | 2894 | session, ssl->conf->tls13_kex_modes); |
| Pengyu Lv | 4938a56 | 2023-01-16 11:28:49 +0800 | [diff] [blame] | 2895 | MBEDTLS_SSL_PRINT_TICKET_FLAGS(4, session->ticket_flags); |
| Pengyu Lv | 9f92695 | 2022-11-17 15:22:33 +0800 | [diff] [blame] | 2896 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2897 | return 0; |
| Jerry Yu | f8a4994 | 2022-07-07 11:32:32 +0000 | [diff] [blame] | 2898 | } |
| 2899 | |
| 2900 | /* |
| Jerry Yu | a8d3c50 | 2022-10-30 14:51:23 +0800 | [diff] [blame] | 2901 | * Handler for MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET |
| Jerry Yu | f8a4994 | 2022-07-07 11:32:32 +0000 | [diff] [blame] | 2902 | */ |
| Jerry Yu | a0446a0 | 2022-07-13 11:22:55 +0800 | [diff] [blame] | 2903 | MBEDTLS_CHECK_RETURN_CRITICAL |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2904 | static int ssl_tls13_process_new_session_ticket(mbedtls_ssl_context *ssl) |
| Jerry Yu | f8a4994 | 2022-07-07 11:32:32 +0000 | [diff] [blame] | 2905 | { |
| 2906 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| 2907 | unsigned char *buf; |
| 2908 | size_t buf_len; |
| Jerry Yu | cb3b139 | 2022-07-12 06:09:38 +0000 | [diff] [blame] | 2909 | unsigned char *ticket_nonce; |
| 2910 | size_t ticket_nonce_len; |
| Jerry Yu | f8a4994 | 2022-07-07 11:32:32 +0000 | [diff] [blame] | 2911 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2912 | MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse new session ticket")); |
| Jerry Yu | f8a4994 | 2022-07-07 11:32:32 +0000 | [diff] [blame] | 2913 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2914 | MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_tls13_fetch_handshake_msg( |
| 2915 | ssl, MBEDTLS_SSL_HS_NEW_SESSION_TICKET, |
| 2916 | &buf, &buf_len)); |
| Jerry Yu | f8a4994 | 2022-07-07 11:32:32 +0000 | [diff] [blame] | 2917 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2918 | MBEDTLS_SSL_PROC_CHK(ssl_tls13_parse_new_session_ticket( |
| 2919 | ssl, buf, buf + buf_len, |
| 2920 | &ticket_nonce, &ticket_nonce_len)); |
| Jerry Yu | f8a4994 | 2022-07-07 11:32:32 +0000 | [diff] [blame] | 2921 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2922 | MBEDTLS_SSL_PROC_CHK(ssl_tls13_postprocess_new_session_ticket( |
| 2923 | ssl, ticket_nonce, ticket_nonce_len)); |
| Jerry Yu | f8a4994 | 2022-07-07 11:32:32 +0000 | [diff] [blame] | 2924 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2925 | mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_OVER); |
| Jerry Yu | 4e6c42a | 2022-07-13 11:16:51 +0800 | [diff] [blame] | 2926 | |
| Jerry Yu | f8a4994 | 2022-07-07 11:32:32 +0000 | [diff] [blame] | 2927 | cleanup: |
| 2928 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2929 | MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse new session ticket")); |
| 2930 | return ret; |
| Jerry Yu | f8a4994 | 2022-07-07 11:32:32 +0000 | [diff] [blame] | 2931 | } |
| 2932 | #endif /* MBEDTLS_SSL_SESSION_TICKETS */ |
| 2933 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2934 | int mbedtls_ssl_tls13_handshake_client_step(mbedtls_ssl_context *ssl) |
| Jerry Yu | bc20bdd | 2021-08-24 15:59:48 +0800 | [diff] [blame] | 2935 | { |
| Jerry Yu | 92c6b40 | 2021-08-27 16:59:09 +0800 | [diff] [blame] | 2936 | int ret = 0; |
| Jerry Yu | c8a392c | 2021-08-18 16:46:28 +0800 | [diff] [blame] | 2937 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2938 | switch (ssl->state) { |
| Jerry Yu | 92c6b40 | 2021-08-27 16:59:09 +0800 | [diff] [blame] | 2939 | case MBEDTLS_SSL_HELLO_REQUEST: |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2940 | mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_HELLO); |
| Jerry Yu | ddda050 | 2022-12-01 19:43:12 +0800 | [diff] [blame] | 2941 | break; |
| 2942 | |
| Jerry Yu | 92c6b40 | 2021-08-27 16:59:09 +0800 | [diff] [blame] | 2943 | case MBEDTLS_SSL_CLIENT_HELLO: |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2944 | ret = mbedtls_ssl_write_client_hello(ssl); |
| Jerry Yu | 92c6b40 | 2021-08-27 16:59:09 +0800 | [diff] [blame] | 2945 | break; |
| 2946 | |
| 2947 | case MBEDTLS_SSL_SERVER_HELLO: |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2948 | ret = ssl_tls13_process_server_hello(ssl); |
| Jerry Yu | 687101b | 2021-09-14 16:03:56 +0800 | [diff] [blame] | 2949 | break; |
| 2950 | |
| 2951 | case MBEDTLS_SSL_ENCRYPTED_EXTENSIONS: |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2952 | ret = ssl_tls13_process_encrypted_extensions(ssl); |
| Jerry Yu | 687101b | 2021-09-14 16:03:56 +0800 | [diff] [blame] | 2953 | break; |
| 2954 | |
| Ronald Cron | 928cbd3 | 2022-10-04 16:14:26 +0200 | [diff] [blame] | 2955 | #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED) |
| Jerry Yu | d267431 | 2021-10-29 10:08:19 +0800 | [diff] [blame] | 2956 | case MBEDTLS_SSL_CERTIFICATE_REQUEST: |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2957 | ret = ssl_tls13_process_certificate_request(ssl); |
| Jerry Yu | d267431 | 2021-10-29 10:08:19 +0800 | [diff] [blame] | 2958 | break; |
| 2959 | |
| Jerry Yu | 687101b | 2021-09-14 16:03:56 +0800 | [diff] [blame] | 2960 | case MBEDTLS_SSL_SERVER_CERTIFICATE: |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2961 | ret = ssl_tls13_process_server_certificate(ssl); |
| Jerry Yu | 687101b | 2021-09-14 16:03:56 +0800 | [diff] [blame] | 2962 | break; |
| 2963 | |
| 2964 | case MBEDTLS_SSL_CERTIFICATE_VERIFY: |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2965 | ret = ssl_tls13_process_certificate_verify(ssl); |
| Jerry Yu | 687101b | 2021-09-14 16:03:56 +0800 | [diff] [blame] | 2966 | break; |
| Ronald Cron | 928cbd3 | 2022-10-04 16:14:26 +0200 | [diff] [blame] | 2967 | #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */ |
| Jerry Yu | 687101b | 2021-09-14 16:03:56 +0800 | [diff] [blame] | 2968 | |
| 2969 | case MBEDTLS_SSL_SERVER_FINISHED: |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2970 | ret = ssl_tls13_process_server_finished(ssl); |
| Jerry Yu | 687101b | 2021-09-14 16:03:56 +0800 | [diff] [blame] | 2971 | break; |
| 2972 | |
| Xiaokang Qian | 125afcb | 2022-10-28 06:04:06 +0000 | [diff] [blame] | 2973 | case MBEDTLS_SSL_END_OF_EARLY_DATA: |
| 2974 | ret = ssl_tls13_write_end_of_early_data(ssl); |
| 2975 | break; |
| 2976 | |
| Jerry Yu | 566c781 | 2022-01-26 15:41:22 +0800 | [diff] [blame] | 2977 | case MBEDTLS_SSL_CLIENT_CERTIFICATE: |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2978 | ret = ssl_tls13_write_client_certificate(ssl); |
| Jerry Yu | 566c781 | 2022-01-26 15:41:22 +0800 | [diff] [blame] | 2979 | break; |
| 2980 | |
| Ronald Cron | 928cbd3 | 2022-10-04 16:14:26 +0200 | [diff] [blame] | 2981 | #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED) |
| Jerry Yu | 566c781 | 2022-01-26 15:41:22 +0800 | [diff] [blame] | 2982 | case MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY: |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2983 | ret = ssl_tls13_write_client_certificate_verify(ssl); |
| Jerry Yu | 566c781 | 2022-01-26 15:41:22 +0800 | [diff] [blame] | 2984 | break; |
| Ronald Cron | 928cbd3 | 2022-10-04 16:14:26 +0200 | [diff] [blame] | 2985 | #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */ |
| Jerry Yu | 566c781 | 2022-01-26 15:41:22 +0800 | [diff] [blame] | 2986 | |
| Jerry Yu | 687101b | 2021-09-14 16:03:56 +0800 | [diff] [blame] | 2987 | case MBEDTLS_SSL_CLIENT_FINISHED: |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2988 | ret = ssl_tls13_write_client_finished(ssl); |
| Jerry Yu | 687101b | 2021-09-14 16:03:56 +0800 | [diff] [blame] | 2989 | break; |
| 2990 | |
| 2991 | case MBEDTLS_SSL_FLUSH_BUFFERS: |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2992 | ret = ssl_tls13_flush_buffers(ssl); |
| Jerry Yu | 687101b | 2021-09-14 16:03:56 +0800 | [diff] [blame] | 2993 | break; |
| 2994 | |
| 2995 | case MBEDTLS_SSL_HANDSHAKE_WRAPUP: |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2996 | ret = ssl_tls13_handshake_wrapup(ssl); |
| Jerry Yu | 92c6b40 | 2021-08-27 16:59:09 +0800 | [diff] [blame] | 2997 | break; |
| 2998 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 2999 | /* |
| 3000 | * Injection of dummy-CCS's for middlebox compatibility |
| 3001 | */ |
| Ronald Cron | 49ad619 | 2021-11-24 16:25:31 +0100 | [diff] [blame] | 3002 | #if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE) |
| XiaokangQian | 0b56a8f | 2021-12-22 02:39:32 +0000 | [diff] [blame] | 3003 | case MBEDTLS_SSL_CLIENT_CCS_BEFORE_2ND_CLIENT_HELLO: |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3004 | ret = mbedtls_ssl_tls13_write_change_cipher_spec(ssl); |
| 3005 | if (ret == 0) { |
| 3006 | mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_HELLO); |
| 3007 | } |
| Ronald Cron | 9f55f63 | 2022-02-02 16:02:47 +0100 | [diff] [blame] | 3008 | break; |
| 3009 | |
| 3010 | case MBEDTLS_SSL_CLIENT_CCS_AFTER_SERVER_FINISHED: |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3011 | ret = mbedtls_ssl_tls13_write_change_cipher_spec(ssl); |
| 3012 | if (ret == 0) { |
| Xiaokang Qian | 958b6ff | 2023-03-29 10:37:35 +0000 | [diff] [blame] | 3013 | mbedtls_ssl_handshake_set_state( |
| 3014 | ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE); |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3015 | } |
| Ronald Cron | 49ad619 | 2021-11-24 16:25:31 +0100 | [diff] [blame] | 3016 | break; |
| Xiaokang Qian | f6d8fd3 | 2023-02-02 02:46:26 +0000 | [diff] [blame] | 3017 | |
| Xiaokang Qian | 592021a | 2023-01-04 10:47:05 +0000 | [diff] [blame] | 3018 | case MBEDTLS_SSL_CLIENT_CCS_AFTER_CLIENT_HELLO: |
| 3019 | ret = mbedtls_ssl_tls13_write_change_cipher_spec(ssl); |
| 3020 | if (ret == 0) { |
| 3021 | mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_HELLO); |
| 3022 | |
| Xiaokang Qian | 33ff868 | 2023-01-10 06:32:12 +0000 | [diff] [blame] | 3023 | #if defined(MBEDTLS_SSL_EARLY_DATA) |
| Xiaokang Qian | 592021a | 2023-01-04 10:47:05 +0000 | [diff] [blame] | 3024 | MBEDTLS_SSL_DEBUG_MSG( |
| 3025 | 1, ("Switch to early data keys for outbound traffic")); |
| 3026 | mbedtls_ssl_set_outbound_transform( |
| 3027 | ssl, ssl->handshake->transform_earlydata); |
| Xiaokang Qian | 33ff868 | 2023-01-10 06:32:12 +0000 | [diff] [blame] | 3028 | #endif |
| Xiaokang Qian | 592021a | 2023-01-04 10:47:05 +0000 | [diff] [blame] | 3029 | } |
| 3030 | break; |
| Ronald Cron | 49ad619 | 2021-11-24 16:25:31 +0100 | [diff] [blame] | 3031 | #endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */ |
| 3032 | |
| Jerry Yu | f8a4994 | 2022-07-07 11:32:32 +0000 | [diff] [blame] | 3033 | #if defined(MBEDTLS_SSL_SESSION_TICKETS) |
| Jerry Yu | a8d3c50 | 2022-10-30 14:51:23 +0800 | [diff] [blame] | 3034 | case MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET: |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3035 | ret = ssl_tls13_process_new_session_ticket(ssl); |
| 3036 | if (ret != 0) { |
| Jerry Yu | f8a4994 | 2022-07-07 11:32:32 +0000 | [diff] [blame] | 3037 | break; |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3038 | } |
| Jerry Yu | f8a4994 | 2022-07-07 11:32:32 +0000 | [diff] [blame] | 3039 | ret = MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET; |
| 3040 | break; |
| 3041 | #endif /* MBEDTLS_SSL_SESSION_TICKETS */ |
| 3042 | |
| Jerry Yu | 92c6b40 | 2021-08-27 16:59:09 +0800 | [diff] [blame] | 3043 | default: |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3044 | MBEDTLS_SSL_DEBUG_MSG(1, ("invalid state %d", ssl->state)); |
| 3045 | return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; |
| Jerry Yu | 92c6b40 | 2021-08-27 16:59:09 +0800 | [diff] [blame] | 3046 | } |
| 3047 | |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 3048 | return ret; |
| Jerry Yu | 92c6b40 | 2021-08-27 16:59:09 +0800 | [diff] [blame] | 3049 | } |
| Jerry Yu | 65dd2cc | 2021-08-18 16:38:40 +0800 | [diff] [blame] | 3050 | |
| Jerry Yu | fb4b647 | 2022-01-27 15:03:26 +0800 | [diff] [blame] | 3051 | #endif /* MBEDTLS_SSL_CLI_C && MBEDTLS_SSL_PROTO_TLS1_3 */ |