TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / ba120bb22882f3dd08ae34c8c8fac9535c42a67a / . / library / ssl_tls13_client.c
blob: 34805021e98ed3861ce21755e5c186b7487295e5 [file] [log] [blame]
Jerry Yu3cc4c2a2021-08-06 16:29:08 +0800[diff] [blame]1/*
2 * TLS 1.3 client-side functions
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 *
19 * This file is part of mbed TLS ( https://tls.mbed.org )
20 */
21
22#include "common.h"
23
Jerry Yucc43c6b2022-01-28 10:24:45 +0800[diff] [blame]24#if defined(MBEDTLS_SSL_CLI_C) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
Jerry Yu3cc4c2a2021-08-06 16:29:08 +0800[diff] [blame]25
Jerry Yubc20bdd2021-08-24 15:59:48 +0800[diff] [blame]26#include <string.h>
27
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]28#include "mbedtls/debug.h"
29#include "mbedtls/error.h"
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]30#include "mbedtls/platform.h"
Jerry Yua13c7e72021-08-17 10:44:40 +0800[diff] [blame]31
Jerry Yubdc71882021-09-14 19:30:36 +0800[diff] [blame]32#include "ssl_misc.h"
33#include "ecdh_misc.h"
Ronald Cron3d580bf2022-02-18 17:24:56 +0100[diff] [blame]34#include "ssl_client.h"
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]35#include "ssl_tls13_keys.h"
Jerry Yubdc71882021-09-14 19:30:36 +0800[diff] [blame]36
Jerry Yubc20bdd2021-08-24 15:59:48 +0800[diff] [blame]37/* Write extensions */
38
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]39/*
40 * ssl_tls13_write_supported_versions_ext():
41 *
42 * struct {
43 * ProtocolVersion versions<2..254>;
44 * } SupportedVersions;
45 */
Jerry Yuf4436812021-08-26 22:59:56 +0800[diff] [blame]46static int ssl_tls13_write_supported_versions_ext( mbedtls_ssl_context *ssl,
Jerry Yueecfbf02021-08-30 18:32:07 +0800[diff] [blame]47 unsigned char *buf,
48 unsigned char *end,
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]49 size_t *out_len )
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]50{
51 unsigned char *p = buf;
Ronald Crondbe87f02022-02-10 14:35:27 +0100[diff] [blame]52 unsigned char versions_len = ( ssl->handshake->min_minor_ver <=
53 MBEDTLS_SSL_MINOR_VERSION_3 ) ? 4 : 2;
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]54
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]55 *out_len = 0;
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]56
Jerry Yu159c5a02021-08-31 12:51:25 +0800[diff] [blame]57 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding supported versions extension" ) );
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]58
Jerry Yu388bd0d2021-09-15 18:41:02 +0800[diff] [blame]59 /* Check if we have space to write the extension:
Jerry Yub60e3cf2021-09-08 16:41:02 +0800[diff] [blame]60 * - extension_type (2 bytes)
61 * - extension_data_length (2 bytes)
62 * - versions_length (1 byte )
Ronald Crona77fc272022-03-30 17:20:47 +0200[diff] [blame]63 * - versions (2 or 4 bytes)
Jerry Yu159c5a02021-08-31 12:51:25 +0800[diff] [blame]64 */
Ronald Crona77fc272022-03-30 17:20:47 +0200[diff] [blame]65 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 5 + versions_len );
Ronald Crondbe87f02022-02-10 14:35:27 +0100[diff] [blame]66
Jerry Yueecfbf02021-08-30 18:32:07 +0800[diff] [blame]67 MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS, p, 0 );
Ronald Crondbe87f02022-02-10 14:35:27 +0100[diff] [blame]68 MBEDTLS_PUT_UINT16_BE( versions_len + 1, p, 2 );
Jerry Yueecfbf02021-08-30 18:32:07 +0800[diff] [blame]69 p += 4;
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]70
Jerry Yu1bc2c1f2021-09-01 12:57:29 +0800[diff] [blame]71 /* Length of versions */
Ronald Crondbe87f02022-02-10 14:35:27 +0100[diff] [blame]72 *p++ = versions_len;
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]73
Jerry Yu0c63af62021-09-02 12:59:12 +0800[diff] [blame]74 /* Write values of supported versions.
Jerry Yu0c63af62021-09-02 12:59:12 +0800[diff] [blame]75 * They are defined by the configuration.
Ronald Crondbe87f02022-02-10 14:35:27 +0100[diff] [blame]76 * Currently, we advertise only TLS 1.3 or both TLS 1.3 and TLS 1.2.
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]77 */
Ronald Crondbe87f02022-02-10 14:35:27 +0100[diff] [blame]78 mbedtls_ssl_write_version( MBEDTLS_SSL_MAJOR_VERSION_3,
79 MBEDTLS_SSL_MINOR_VERSION_4,
80 MBEDTLS_SSL_TRANSPORT_STREAM, p );
81 MBEDTLS_SSL_DEBUG_MSG( 3, ( "supported version: [3:4]" ) );
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]82
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]83
Ronald Crondbe87f02022-02-10 14:35:27 +0100[diff] [blame]84 if( ssl->handshake->min_minor_ver <= MBEDTLS_SSL_MINOR_VERSION_3 )
85 {
86 mbedtls_ssl_write_version( MBEDTLS_SSL_MAJOR_VERSION_3,
87 MBEDTLS_SSL_MINOR_VERSION_3,
88 MBEDTLS_SSL_TRANSPORT_STREAM, p + 2 );
89 MBEDTLS_SSL_DEBUG_MSG( 3, ( "supported version: [3:3]" ) );
90 }
91
92 *out_len = 5 + versions_len;
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]93
94 return( 0 );
95}
Jerry Yubc20bdd2021-08-24 15:59:48 +0800[diff] [blame]96
Jerry Yuc068b662021-10-11 22:30:19 +0800[diff] [blame]97static int ssl_tls13_parse_supported_versions_ext( mbedtls_ssl_context *ssl,
98 const unsigned char *buf,
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]99 const unsigned char *end )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]100{
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]101 ((void) ssl);
102
Ronald Cron98473382022-03-30 20:04:10 +0200[diff] [blame]103 MBEDTLS_SSL_CHK_BUF_READ_PTR( buf, end, 2 );
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]104 if( buf[0] != MBEDTLS_SSL_MAJOR_VERSION_3 ||
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]105 buf[1] != MBEDTLS_SSL_MINOR_VERSION_4 )
106 {
107 MBEDTLS_SSL_DEBUG_MSG( 1, ( "unexpected version" ) );
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]108
109 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
110 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
111 return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]112 }
113
Ronald Cron98473382022-03-30 20:04:10 +0200[diff] [blame]114 if( &buf[2] != end )
115 {
116 MBEDTLS_SSL_DEBUG_MSG( 1, ( "supported_versions ext data length incorrect" ) );
117 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
118 MBEDTLS_ERR_SSL_DECODE_ERROR );
119 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
120 }
121
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]122 return( 0 );
123}
124
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]125#if defined(MBEDTLS_SSL_ALPN)
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]126static int ssl_tls13_parse_alpn_ext( mbedtls_ssl_context *ssl,
127 const unsigned char *buf, size_t len )
128{
129 size_t list_len, name_len;
130 const unsigned char *p = buf;
131 const unsigned char *end = buf + len;
132
133 /* If we didn't send it, the server shouldn't send it */
134 if( ssl->conf->alpn_list == NULL )
135 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
136
137 /*
138 * opaque ProtocolName<1..2^8-1>;
139 *
140 * struct {
141 * ProtocolName protocol_name_list<2..2^16-1>
142 * } ProtocolNameList;
143 *
144 * the "ProtocolNameList" MUST contain exactly one "ProtocolName"
145 */
146
147 /* Min length is 2 ( list_len ) + 1 ( name_len ) + 1 ( name ) */
148 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 4 );
149
150 list_len = MBEDTLS_GET_UINT16_BE( p, 0 );
151 p += 2;
152 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, list_len );
153
154 name_len = *p++;
155 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, list_len - 1 );
156
157 /* Check that the server chosen protocol was in our list and save it */
158 for ( const char **alpn = ssl->conf->alpn_list; *alpn != NULL; alpn++ )
159 {
160 if( name_len == strlen( *alpn ) &&
161 memcmp( buf + 3, *alpn, name_len ) == 0 )
162 {
163 ssl->alpn_chosen = *alpn;
164 return( 0 );
165 }
166 }
167
168 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
169}
170#endif /* MBEDTLS_SSL_ALPN */
171
XiaokangQian16acd4b2022-01-14 07:35:47 +0000[diff] [blame]172static int ssl_tls13_reset_key_share( mbedtls_ssl_context *ssl )
XiaokangQian647719a2021-12-07 09:16:29 +0000[diff] [blame]173{
174 uint16_t group_id = ssl->handshake->offered_group_id;
Ronald Cron5b98ac92022-03-15 10:19:18 +0100[diff] [blame]175
XiaokangQian647719a2021-12-07 09:16:29 +0000[diff] [blame]176 if( group_id == 0 )
177 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
178
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]179#if defined(MBEDTLS_ECDH_C)
XiaokangQian647719a2021-12-07 09:16:29 +0000[diff] [blame]180 if( mbedtls_ssl_tls13_named_group_is_ecdhe( group_id ) )
XiaokangQian78b1fa72022-01-19 06:56:30 +0000[diff] [blame]181 {
Ronald Cron5b98ac92022-03-15 10:19:18 +0100[diff] [blame]182 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
183 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
184
185 /* Destroy generated private key. */
186 status = psa_destroy_key( ssl->handshake->ecdh_psa_privkey );
187 if( status != PSA_SUCCESS )
188 {
189 ret = psa_ssl_status_to_mbedtls( status );
190 MBEDTLS_SSL_DEBUG_RET( 1, "psa_destroy_key", ret );
191 return( ret );
192 }
193
194 ssl->handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
XiaokangQian78b1fa72022-01-19 06:56:30 +0000[diff] [blame]195 return( 0 );
196 }
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]197 else
198#endif /* MBEDTLS_ECDH_C */
199 if( 0 /* other KEMs? */ )
XiaokangQian647719a2021-12-07 09:16:29 +0000[diff] [blame]200 {
201 /* Do something */
202 }
203
204 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
205}
206
207/*
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]208 * Functions for writing key_share extension.
209 */
210#if defined(MBEDTLS_ECDH_C)
Jerry Yu7c522d42021-09-08 17:55:09 +0800[diff] [blame]211static int ssl_tls13_generate_and_write_ecdh_key_exchange(
Jerry Yub60e3cf2021-09-08 16:41:02 +0800[diff] [blame]212 mbedtls_ssl_context *ssl,
213 uint16_t named_group,
214 unsigned char *buf,
215 unsigned char *end,
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]216 size_t *out_len )
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]217{
Przemek Stekiele894c5c2022-03-02 08:45:56 +0100[diff] [blame]218 psa_status_t status = PSA_ERROR_GENERIC_ERROR;
219 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
220 psa_key_attributes_t key_attributes;
221 size_t own_pubkey_len;
222 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
223 size_t ecdh_bits = 0;
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]224
Przemek Stekiele894c5c2022-03-02 08:45:56 +0100[diff] [blame]225 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Perform PSA-based ECDH computation." ) );
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]226
Przemek Stekiele894c5c2022-03-02 08:45:56 +0100[diff] [blame]227 /* Convert EC group to PSA key type. */
228 if( ( handshake->ecdh_psa_type =
229 mbedtls_psa_parse_tls_ecc_group( named_group, &ecdh_bits ) ) == 0 )
230 return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]231
Przemek Stekiele894c5c2022-03-02 08:45:56 +0100[diff] [blame]232 if( ecdh_bits > 0xffff )
233 return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
234 ssl->handshake->ecdh_bits = (uint16_t) ecdh_bits;
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]235
Przemek Stekiele894c5c2022-03-02 08:45:56 +0100[diff] [blame]236 key_attributes = psa_key_attributes_init();
237 psa_set_key_usage_flags( &key_attributes, PSA_KEY_USAGE_DERIVE );
238 psa_set_key_algorithm( &key_attributes, PSA_ALG_ECDH );
239 psa_set_key_type( &key_attributes, handshake->ecdh_psa_type );
240 psa_set_key_bits( &key_attributes, handshake->ecdh_bits );
Przemyslaw Stekielea859c22022-02-10 10:19:46 +0100[diff] [blame]241
Przemek Stekiele894c5c2022-03-02 08:45:56 +0100[diff] [blame]242 /* Generate ECDH private key. */
243 status = psa_generate_key( &key_attributes,
244 &handshake->ecdh_psa_privkey );
245 if( status != PSA_SUCCESS )
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]246 {
Przemek Stekiele894c5c2022-03-02 08:45:56 +0100[diff] [blame]247 ret = psa_ssl_status_to_mbedtls( status );
248 MBEDTLS_SSL_DEBUG_RET( 1, "psa_generate_key", ret );
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]249 return( ret );
Przemyslaw Stekielea859c22022-02-10 10:19:46 +0100[diff] [blame]250
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]251 }
252
Przemek Stekiele894c5c2022-03-02 08:45:56 +0100[diff] [blame]253 /* Export the public part of the ECDH private key from PSA. */
254 status = psa_export_public_key( handshake->ecdh_psa_privkey,
255 buf, (size_t)( end - buf ),
256 &own_pubkey_len );
257 if( status != PSA_SUCCESS )
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]258 {
Przemek Stekiele894c5c2022-03-02 08:45:56 +0100[diff] [blame]259 ret = psa_ssl_status_to_mbedtls( status );
260 MBEDTLS_SSL_DEBUG_RET( 1, "psa_export_public_key", ret );
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]261 return( ret );
Przemyslaw Stekielea859c22022-02-10 10:19:46 +0100[diff] [blame]262
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]263 }
264
Przemek Stekiele894c5c2022-03-02 08:45:56 +0100[diff] [blame]265 if( own_pubkey_len > (size_t)( end - buf ) )
266 {
267 MBEDTLS_SSL_DEBUG_MSG( 1, ( "No space in the buffer for ECDH public key." ) );
268 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
269 }
Przemyslaw Stekielea859c22022-02-10 10:19:46 +0100[diff] [blame]270
Przemek Stekiele894c5c2022-03-02 08:45:56 +0100[diff] [blame]271 *out_len = own_pubkey_len;
Przemyslaw Stekielea859c22022-02-10 10:19:46 +0100[diff] [blame]272
Jerry Yu75336352021-09-01 15:59:36 +0800[diff] [blame]273 return( 0 );
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]274}
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]275#endif /* MBEDTLS_ECDH_C */
276
Jerry Yub60e3cf2021-09-08 16:41:02 +0800[diff] [blame]277static int ssl_tls13_get_default_group_id( mbedtls_ssl_context *ssl,
278 uint16_t *group_id )
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]279{
280 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
281
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]282
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]283#if defined(MBEDTLS_ECDH_C)
Brett Warren14efd332021-10-06 09:32:11 +0100[diff] [blame]284 const uint16_t *group_list = mbedtls_ssl_get_groups( ssl );
Jerry Yu388bd0d2021-09-15 18:41:02 +0800[diff] [blame]285 /* Pick first available ECDHE group compatible with TLS 1.3 */
Brett Warren14efd332021-10-06 09:32:11 +0100[diff] [blame]286 if( group_list == NULL )
Jerry Yu388bd0d2021-09-15 18:41:02 +0800[diff] [blame]287 return( MBEDTLS_ERR_SSL_BAD_CONFIG );
288
Brett Warren14efd332021-10-06 09:32:11 +0100[diff] [blame]289 for ( ; *group_list != 0; group_list++ )
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]290 {
Xiaofei Baieef15042021-11-18 07:29:56 +0000[diff] [blame]291 const mbedtls_ecp_curve_info *curve_info;
292 curve_info = mbedtls_ecp_curve_info_from_tls_id( *group_list );
293 if( curve_info != NULL &&
Brett Warren14efd332021-10-06 09:32:11 +0100[diff] [blame]294 mbedtls_ssl_tls13_named_group_is_ecdhe( *group_list ) )
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]295 {
Brett Warren14efd332021-10-06 09:32:11 +0100[diff] [blame]296 *group_id = *group_list;
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]297 return( 0 );
298 }
299 }
300#else
301 ((void) ssl);
Jerry Yub60e3cf2021-09-08 16:41:02 +0800[diff] [blame]302 ((void) group_id);
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]303#endif /* MBEDTLS_ECDH_C */
304
305 /*
306 * Add DHE named groups here.
Jerry Yu388bd0d2021-09-15 18:41:02 +0800[diff] [blame]307 * Pick first available DHE group compatible with TLS 1.3
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]308 */
309
310 return( ret );
311}
312
313/*
314 * ssl_tls13_write_key_share_ext
315 *
Jerry Yu388bd0d2021-09-15 18:41:02 +0800[diff] [blame]316 * Structure of key_share extension in ClientHello:
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]317 *
318 * struct {
319 * NamedGroup group;
320 * opaque key_exchange<1..2^16-1>;
321 * } KeyShareEntry;
322 * struct {
323 * KeyShareEntry client_shares<0..2^16-1>;
324 * } KeyShareClientHello;
325 */
326static int ssl_tls13_write_key_share_ext( mbedtls_ssl_context *ssl,
327 unsigned char *buf,
328 unsigned char *end,
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]329 size_t *out_len )
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]330{
331 unsigned char *p = buf;
Xiaofei Baieef15042021-11-18 07:29:56 +0000[diff] [blame]332 unsigned char *client_shares; /* Start of client_shares */
333 size_t client_shares_len; /* Length of client_shares */
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]334 uint16_t group_id;
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]335 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
336
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]337 *out_len = 0;
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]338
Jerry Yub60e3cf2021-09-08 16:41:02 +0800[diff] [blame]339 /* Check if we have space for header and length fields:
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]340 * - extension_type (2 bytes)
341 * - extension_data_length (2 bytes)
342 * - client_shares_length (2 bytes)
343 */
344 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 6 );
345 p += 6;
346
347 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello: adding key share extension" ) );
348
349 /* HRR could already have requested something else. */
350 group_id = ssl->handshake->offered_group_id;
Jerry Yub60e3cf2021-09-08 16:41:02 +0800[diff] [blame]351 if( !mbedtls_ssl_tls13_named_group_is_ecdhe( group_id ) &&
352 !mbedtls_ssl_tls13_named_group_is_dhe( group_id ) )
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]353 {
Jerry Yub60e3cf2021-09-08 16:41:02 +0800[diff] [blame]354 MBEDTLS_SSL_PROC_CHK( ssl_tls13_get_default_group_id( ssl,
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]355 &group_id ) );
356 }
357
358 /*
359 * Dispatch to type-specific key generation function.
360 *
361 * So far, we're only supporting ECDHE. With the introduction
362 * of PQC KEMs, we'll want to have multiple branches, one per
363 * type of KEM, and dispatch to the corresponding crypto. And
364 * only one key share entry is allowed.
365 */
Xiaofei Baieef15042021-11-18 07:29:56 +0000[diff] [blame]366 client_shares = p;
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]367#if defined(MBEDTLS_ECDH_C)
Jerry Yub60e3cf2021-09-08 16:41:02 +0800[diff] [blame]368 if( mbedtls_ssl_tls13_named_group_is_ecdhe( group_id ) )
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]369 {
Jerry Yu388bd0d2021-09-15 18:41:02 +0800[diff] [blame]370 /* Pointer to group */
Xiaofei Baieef15042021-11-18 07:29:56 +0000[diff] [blame]371 unsigned char *group = p;
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]372 /* Length of key_exchange */
Przemyslaw Stekiel4f419e52022-02-10 15:56:26 +0100[diff] [blame]373 size_t key_exchange_len = 0;
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]374
375 /* Check there is space for header of KeyShareEntry
376 * - group (2 bytes)
377 * - key_exchange_length (2 bytes)
378 */
379 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 4 );
380 p += 4;
Przemyslaw Stekielea859c22022-02-10 10:19:46 +0100[diff] [blame]381 ret = ssl_tls13_generate_and_write_ecdh_key_exchange( ssl, group_id, p, end,
Jerry Yub60e3cf2021-09-08 16:41:02 +0800[diff] [blame]382 &key_exchange_len );
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]383 p += key_exchange_len;
384 if( ret != 0 )
385 return( ret );
386
387 /* Write group */
Xiaofei Baieef15042021-11-18 07:29:56 +0000[diff] [blame]388 MBEDTLS_PUT_UINT16_BE( group_id, group, 0 );
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]389 /* Write key_exchange_length */
Xiaofei Baieef15042021-11-18 07:29:56 +0000[diff] [blame]390 MBEDTLS_PUT_UINT16_BE( key_exchange_len, group, 2 );
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]391 }
392 else
393#endif /* MBEDTLS_ECDH_C */
394 if( 0 /* other KEMs? */ )
395 {
396 /* Do something */
397 }
398 else
399 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
400
Jerry Yub60e3cf2021-09-08 16:41:02 +0800[diff] [blame]401 /* Length of client_shares */
Xiaofei Baieef15042021-11-18 07:29:56 +0000[diff] [blame]402 client_shares_len = p - client_shares;
Jerry Yub60e3cf2021-09-08 16:41:02 +0800[diff] [blame]403 if( client_shares_len == 0)
404 {
405 MBEDTLS_SSL_DEBUG_MSG( 1, ( "No key share defined." ) );
406 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Jerry Yu7c522d42021-09-08 17:55:09 +0800[diff] [blame]407 }
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]408 /* Write extension_type */
409 MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_KEY_SHARE, buf, 0 );
410 /* Write extension_data_length */
Jerry Yub60e3cf2021-09-08 16:41:02 +0800[diff] [blame]411 MBEDTLS_PUT_UINT16_BE( client_shares_len + 2, buf, 2 );
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]412 /* Write client_shares_length */
Jerry Yub60e3cf2021-09-08 16:41:02 +0800[diff] [blame]413 MBEDTLS_PUT_UINT16_BE( client_shares_len, buf, 4 );
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]414
415 /* Update offered_group_id field */
416 ssl->handshake->offered_group_id = group_id;
417
418 /* Output the total length of key_share extension. */
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]419 *out_len = p - buf;
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]420
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]421 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, key_share extension", buf, *out_len );
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]422
423 ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_KEY_SHARE;
424
425cleanup:
426
427 return( ret );
428}
Jerry Yubc20bdd2021-08-24 15:59:48 +0800[diff] [blame]429
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]430#if defined(MBEDTLS_ECDH_C)
431
Jerry Yuc068b662021-10-11 22:30:19 +0800[diff] [blame]432static int ssl_tls13_read_public_ecdhe_share( mbedtls_ssl_context *ssl,
433 const unsigned char *buf,
434 size_t buf_len )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]435{
Przemyslaw Stekiel9e23ddb2022-02-10 10:32:02 +0100[diff] [blame]436 uint8_t *p = (uint8_t*)buf;
437 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]438
Przemyslaw Stekiel9e23ddb2022-02-10 10:32:02 +0100[diff] [blame]439 /* Get size of the TLS opaque key_exchange field of the KeyShareEntry struct. */
440 uint16_t peerkey_len = MBEDTLS_GET_UINT16_BE( p, 0 );
441 p += 2;
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]442
Przemyslaw Stekiel9e23ddb2022-02-10 10:32:02 +0100[diff] [blame]443 /* Check if key size is consistent with given buffer length. */
444 if ( peerkey_len > ( buf_len - 2 ) )
445 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]446
Przemyslaw Stekiel9e23ddb2022-02-10 10:32:02 +0100[diff] [blame]447 /* Store peer's ECDH public key. */
Przemyslaw Stekiel0f5ecef2022-02-14 17:10:05 +0100[diff] [blame]448 memcpy( handshake->ecdh_psa_peerkey, p, peerkey_len );
Przemyslaw Stekiel9e23ddb2022-02-10 10:32:02 +0100[diff] [blame]449 handshake->ecdh_psa_peerkey_len = peerkey_len;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]450
451 return( 0 );
452}
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]453#endif /* MBEDTLS_ECDH_C */
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]454
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]455/*
456 * ssl_tls13_parse_hrr_key_share_ext()
457 * Parse key_share extension in Hello Retry Request
458 *
459 * struct {
460 * NamedGroup selected_group;
461 * } KeyShareHelloRetryRequest;
462 */
XiaokangQiand9e068e2022-01-18 06:23:32 +0000[diff] [blame]463static int ssl_tls13_parse_hrr_key_share_ext( mbedtls_ssl_context *ssl,
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]464 const unsigned char *buf,
465 const unsigned char *end )
466{
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]467 const mbedtls_ecp_curve_info *curve_info = NULL;
468 const unsigned char *p = buf;
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]469 int selected_group;
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]470 int found = 0;
471
472 const uint16_t *group_list = mbedtls_ssl_get_groups( ssl );
473 if( group_list == NULL )
474 return( MBEDTLS_ERR_SSL_BAD_CONFIG );
475
476 MBEDTLS_SSL_DEBUG_BUF( 3, "key_share extension", p, end - buf );
477
478 /* Read selected_group */
XiaokangQianb48894e2022-01-17 02:05:52 +0000[diff] [blame]479 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]480 selected_group = MBEDTLS_GET_UINT16_BE( p, 0 );
481 MBEDTLS_SSL_DEBUG_MSG( 3, ( "selected_group ( %d )", selected_group ) );
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]482
483 /* Upon receipt of this extension in a HelloRetryRequest, the client
484 * MUST first verify that the selected_group field corresponds to a
485 * group which was provided in the "supported_groups" extension in the
486 * original ClientHello.
487 * The supported_group was based on the info in ssl->conf->group_list.
488 *
489 * If the server provided a key share that was not sent in the ClientHello
490 * then the client MUST abort the handshake with an "illegal_parameter" alert.
491 */
XiaokangQiand9e068e2022-01-18 06:23:32 +0000[diff] [blame]492 for( ; *group_list != 0; group_list++ )
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]493 {
494 curve_info = mbedtls_ecp_curve_info_from_tls_id( *group_list );
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]495 if( curve_info == NULL || curve_info->tls_id != selected_group )
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]496 continue;
497
498 /* We found a match */
499 found = 1;
500 break;
501 }
502
503 /* Client MUST verify that the selected_group field does not
504 * correspond to a group which was provided in the "key_share"
505 * extension in the original ClientHello. If the server sent an
506 * HRR message with a key share already provided in the
507 * ClientHello then the client MUST abort the handshake with
508 * an "illegal_parameter" alert.
509 */
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]510 if( found == 0 || selected_group == ssl->handshake->offered_group_id )
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]511 {
512 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Invalid key share in HRR" ) );
513 MBEDTLS_SSL_PEND_FATAL_ALERT(
514 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
515 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
516 return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
517 }
518
519 /* Remember server's preference for next ClientHello */
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]520 ssl->handshake->offered_group_id = selected_group;
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]521
522 return( 0 );
523}
524
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]525/*
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]526 * ssl_tls13_parse_key_share_ext()
527 * Parse key_share extension in Server Hello
528 *
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]529 * struct {
530 * KeyShareEntry server_share;
531 * } KeyShareServerHello;
532 * struct {
533 * NamedGroup group;
534 * opaque key_exchange<1..2^16-1>;
535 * } KeyShareEntry;
536 */
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]537static int ssl_tls13_parse_key_share_ext( mbedtls_ssl_context *ssl,
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]538 const unsigned char *buf,
539 const unsigned char *end )
540{
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]541 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]542 const unsigned char *p = buf;
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]543 uint16_t group, offered_group;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]544
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]545 /* ...
546 * NamedGroup group; (2 bytes)
547 * ...
548 */
549 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
550 group = MBEDTLS_GET_UINT16_BE( p, 0 );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]551 p += 2;
552
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]553 /* Check that the chosen group matches the one we offered. */
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]554 offered_group = ssl->handshake->offered_group_id;
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]555 if( offered_group != group )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]556 {
557 MBEDTLS_SSL_DEBUG_MSG( 1,
558 ( "Invalid server key share, our group %u, their group %u",
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]559 (unsigned) offered_group, (unsigned) group ) );
560 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
561 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
562 return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]563 }
564
565#if defined(MBEDTLS_ECDH_C)
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]566 if( mbedtls_ssl_tls13_named_group_is_ecdhe( group ) )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]567 {
Przemyslaw Stekiel9e23ddb2022-02-10 10:32:02 +0100[diff] [blame]568 const mbedtls_ecp_curve_info *curve_info =
569 mbedtls_ecp_curve_info_from_tls_id( group );
570 if( curve_info == NULL )
571 {
572 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Invalid TLS curve group id" ) );
573 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
574 }
575
576 MBEDTLS_SSL_DEBUG_MSG( 2, ( "ECDH curve: %s", curve_info->name ) );
577
Jerry Yuc068b662021-10-11 22:30:19 +0800[diff] [blame]578 ret = ssl_tls13_read_public_ecdhe_share( ssl, p, end - p );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]579 if( ret != 0 )
580 return( ret );
581 }
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]582 else
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]583#endif /* MBEDTLS_ECDH_C */
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]584 if( 0 /* other KEMs? */ )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]585 {
586 /* Do something */
587 }
588 else
589 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
590
591 ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_KEY_SHARE;
592 return( ret );
593}
594
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]595/*
596 * ssl_tls13_parse_cookie_ext()
597 * Parse cookie extension in Hello Retry Request
598 *
599 * struct {
600 * opaque cookie<1..2^16-1>;
601 * } Cookie;
602 *
603 * When sending a HelloRetryRequest, the server MAY provide a "cookie"
604 * extension to the client (this is an exception to the usual rule that
605 * the only extensions that may be sent are those that appear in the
606 * ClientHello). When sending the new ClientHello, the client MUST copy
607 * the contents of the extension received in the HelloRetryRequest into
608 * a "cookie" extension in the new ClientHello. Clients MUST NOT use
609 * cookies in their initial ClientHello in subsequent connections.
610 */
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]611static int ssl_tls13_parse_cookie_ext( mbedtls_ssl_context *ssl,
612 const unsigned char *buf,
613 const unsigned char *end )
614{
XiaokangQian25c9c902022-02-08 10:49:53 +0000[diff] [blame]615 uint16_t cookie_len;
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]616 const unsigned char *p = buf;
617 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
618
619 /* Retrieve length field of cookie */
620 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
621 cookie_len = MBEDTLS_GET_UINT16_BE( p, 0 );
622 p += 2;
623
624 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, cookie_len );
625 MBEDTLS_SSL_DEBUG_BUF( 3, "cookie extension", p, cookie_len );
626
XiaokangQian9b93c0d2022-02-09 06:02:25 +0000[diff] [blame]627 mbedtls_free( handshake->cookie );
XiaokangQian25c9c902022-02-08 10:49:53 +0000[diff] [blame]628 handshake->hrr_cookie_len = 0;
XiaokangQian9b93c0d2022-02-09 06:02:25 +0000[diff] [blame]629 handshake->cookie = mbedtls_calloc( 1, cookie_len );
630 if( handshake->cookie == NULL )
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]631 {
632 MBEDTLS_SSL_DEBUG_MSG( 1,
XiaokangQian25c9c902022-02-08 10:49:53 +0000[diff] [blame]633 ( "alloc failed ( %ud bytes )",
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]634 cookie_len ) );
635 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
636 }
637
XiaokangQian9b93c0d2022-02-09 06:02:25 +0000[diff] [blame]638 memcpy( handshake->cookie, p, cookie_len );
XiaokangQian25c9c902022-02-08 10:49:53 +0000[diff] [blame]639 handshake->hrr_cookie_len = cookie_len;
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]640
641 return( 0 );
642}
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]643
XiaokangQian0b64eed2022-01-27 10:36:51 +0000[diff] [blame]644static int ssl_tls13_write_cookie_ext( mbedtls_ssl_context *ssl,
XiaokangQian233397e2022-02-07 08:32:16 +0000[diff] [blame]645 unsigned char *buf,
646 unsigned char *end,
XiaokangQian9deb90f2022-02-08 10:31:07 +0000[diff] [blame]647 size_t *out_len )
XiaokangQian0b64eed2022-01-27 10:36:51 +0000[diff] [blame]648{
649 unsigned char *p = buf;
XiaokangQian9deb90f2022-02-08 10:31:07 +0000[diff] [blame]650 *out_len = 0;
XiaokangQianc02768a2022-02-10 07:31:25 +0000[diff] [blame]651 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
XiaokangQian0b64eed2022-01-27 10:36:51 +0000[diff] [blame]652
XiaokangQianc02768a2022-02-10 07:31:25 +0000[diff] [blame]653 if( handshake->cookie == NULL )
XiaokangQian0b64eed2022-01-27 10:36:51 +0000[diff] [blame]654 {
655 MBEDTLS_SSL_DEBUG_MSG( 3, ( "no cookie to send; skip extension" ) );
656 return( 0 );
657 }
658
659 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, cookie",
XiaokangQianc02768a2022-02-10 07:31:25 +0000[diff] [blame]660 handshake->cookie,
661 handshake->hrr_cookie_len );
XiaokangQian0b64eed2022-01-27 10:36:51 +0000[diff] [blame]662
XiaokangQianc02768a2022-02-10 07:31:25 +0000[diff] [blame]663 MBEDTLS_SSL_CHK_BUF_PTR( p, end, handshake->hrr_cookie_len + 6 );
XiaokangQian0b64eed2022-01-27 10:36:51 +0000[diff] [blame]664
665 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding cookie extension" ) );
666
XiaokangQian0b64eed2022-01-27 10:36:51 +0000[diff] [blame]667 MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_COOKIE, p, 0 );
XiaokangQianc02768a2022-02-10 07:31:25 +0000[diff] [blame]668 MBEDTLS_PUT_UINT16_BE( handshake->hrr_cookie_len + 2, p, 2 );
669 MBEDTLS_PUT_UINT16_BE( handshake->hrr_cookie_len, p, 4 );
XiaokangQian233397e2022-02-07 08:32:16 +0000[diff] [blame]670 p += 6;
XiaokangQian0b64eed2022-01-27 10:36:51 +0000[diff] [blame]671
672 /* Cookie */
XiaokangQianc02768a2022-02-10 07:31:25 +0000[diff] [blame]673 memcpy( p, handshake->cookie, handshake->hrr_cookie_len );
XiaokangQian0b64eed2022-01-27 10:36:51 +0000[diff] [blame]674
XiaokangQianc02768a2022-02-10 07:31:25 +0000[diff] [blame]675 *out_len = handshake->hrr_cookie_len + 6;
XiaokangQian0b64eed2022-01-27 10:36:51 +0000[diff] [blame]676
677 return( 0 );
678}
679
Ronald Cron3d580bf2022-02-18 17:24:56 +0100[diff] [blame]680int mbedtls_ssl_tls13_write_client_hello_exts( mbedtls_ssl_context *ssl,
681 unsigned char *buf,
682 unsigned char *end,
683 size_t *out_len )
Ronald Cron04fbd2b2022-02-18 12:06:07 +0100[diff] [blame]684{
685 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
686 unsigned char *p = buf;
687 size_t ext_len;
688
689 *out_len = 0;
690
691 /* Write supported_versions extension
692 *
693 * Supported Versions Extension is mandatory with TLS 1.3.
694 */
695 ret = ssl_tls13_write_supported_versions_ext( ssl, p, end, &ext_len );
696 if( ret != 0 )
697 return( ret );
698 p += ext_len;
699
700 /* Echo the cookie if the server provided one in its preceding
701 * HelloRetryRequest message.
702 */
703 ret = ssl_tls13_write_cookie_ext( ssl, p, end, &ext_len );
704 if( ret != 0 )
705 return( ret );
706 p += ext_len;
707
Ronald Cron04fbd2b2022-02-18 12:06:07 +0100[diff] [blame]708 if( mbedtls_ssl_conf_tls13_some_ephemeral_enabled( ssl ) )
709 {
710 ret = ssl_tls13_write_key_share_ext( ssl, p, end, &ext_len );
711 if( ret != 0 )
712 return( ret );
713 p += ext_len;
714 }
Ronald Cron04fbd2b2022-02-18 12:06:07 +0100[diff] [blame]715
716 *out_len = p - buf;
717
718 return( 0 );
719}
720
Jerry Yu1bc2c1f2021-09-01 12:57:29 +0800[diff] [blame]721/*
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]722 * Functions for parsing and processing Server Hello
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]723 */
Ronald Cronda41b382022-03-30 09:57:11 +0200[diff] [blame]724/**
725 * \brief Detect if the ServerHello contains a supported_versions extension
726 * or not.
727 *
728 * \param[in] ssl SSL context
729 * \param[in] buf Buffer containing the ServerHello message
730 * \param[in] end End of the buffer containing the ServerHello message
731 *
732 * \return 0 if the ServerHello does not contain a supported_versions extension
733 * \return 1 if the ServerHello contains a supported_versions extension
734 * \return A negative value if an error occurred while parsing the ServerHello.
735 */
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]736static int ssl_tls13_is_supported_versions_ext_present(
737 mbedtls_ssl_context *ssl,
738 const unsigned char *buf,
739 const unsigned char *end )
740{
741 const unsigned char *p = buf;
742 size_t legacy_session_id_echo_len;
743 size_t extensions_len;
744 const unsigned char *extensions_end;
745
746 /*
747 * Check there is enough data to access the legacy_session_id_echo vector
Ronald Cronda41b382022-03-30 09:57:11 +0200[diff] [blame]748 * length:
749 * - legacy_version 2 bytes
750 * - random MBEDTLS_SERVER_HELLO_RANDOM_LEN bytes
751 * - legacy_session_id_echo length 1 byte
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]752 */
753 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, MBEDTLS_SERVER_HELLO_RANDOM_LEN + 3 );
754 p += MBEDTLS_SERVER_HELLO_RANDOM_LEN + 2;
755 legacy_session_id_echo_len = *p;
756
757 /*
758 * Jump to the extensions, jumping over:
759 * - legacy_session_id_echo (legacy_session_id_echo_len + 1) bytes
760 * - cipher_suite 2 bytes
761 * - legacy_compression_method 1 byte
762 */
763 p += legacy_session_id_echo_len + 4;
764
765 /* Case of no extension */
766 if( p == end )
767 return( 0 );
768
769 /* ...
770 * Extension extensions<6..2^16-1>;
771 * ...
772 * struct {
773 * ExtensionType extension_type; (2 bytes)
774 * opaque extension_data<0..2^16-1>;
775 * } Extension;
776 */
777 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
778 extensions_len = MBEDTLS_GET_UINT16_BE( p, 0 );
779 p += 2;
780
781 /* Check extensions do not go beyond the buffer of data. */
782 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, extensions_len );
783 extensions_end = p + extensions_len;
784
785 while( p < extensions_end )
786 {
787 unsigned int extension_type;
788 size_t extension_data_len;
789
790 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, 4 );
791 extension_type = MBEDTLS_GET_UINT16_BE( p, 0 );
792 extension_data_len = MBEDTLS_GET_UINT16_BE( p, 2 );
793 p += 4;
794
795 if( extension_type == MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS )
796 return( 1 );
797
798 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, extension_data_len );
799 p += extension_data_len;
800 }
801
802 return( 0 );
803}
804
Jerry Yu7a186a02021-10-15 18:46:14 +0800[diff] [blame]805/* Returns a negative value on failure, and otherwise
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]806 * - SSL_SERVER_HELLO_COORDINATE_HELLO or
807 * - SSL_SERVER_HELLO_COORDINATE_HRR
XiaokangQian51eff222021-12-10 10:33:56 +0000[diff] [blame]808 * to indicate which message is expected and to be parsed next.
809 */
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]810#define SSL_SERVER_HELLO_COORDINATE_HELLO 0
811#define SSL_SERVER_HELLO_COORDINATE_HRR 1
812static int ssl_server_hello_is_hrr( mbedtls_ssl_context *ssl,
813 const unsigned char *buf,
814 const unsigned char *end )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]815{
Jerry Yue6d7e5c2021-10-26 10:44:32 +0800[diff] [blame]816 static const unsigned char magic_hrr_string[MBEDTLS_SERVER_HELLO_RANDOM_LEN] =
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]817 { 0xCF, 0x21, 0xAD, 0x74, 0xE5, 0x9A, 0x61, 0x11,
818 0xBE, 0x1D, 0x8C, 0x02, 0x1E, 0x65, 0xB8, 0x91,
819 0xC2, 0xA2, 0x11, 0x16, 0x7A, 0xBB, 0x8C, 0x5E,
820 0x07, 0x9E, 0x09, 0xE2, 0xC8, 0xA8, 0x33 ,0x9C };
821
822 /* Check whether this message is a HelloRetryRequest ( HRR ) message.
823 *
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]824 * Server Hello and HRR are only distinguished by Random set to the
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]825 * special value of the SHA-256 of "HelloRetryRequest".
826 *
827 * struct {
828 * ProtocolVersion legacy_version = 0x0303;
829 * Random random;
830 * opaque legacy_session_id_echo<0..32>;
831 * CipherSuite cipher_suite;
832 * uint8 legacy_compression_method = 0;
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]833 * Extension extensions<6..2^16-1>;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]834 * } ServerHello;
835 *
836 */
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]837 MBEDTLS_SSL_CHK_BUF_READ_PTR( buf, end, 2 + sizeof( magic_hrr_string ) );
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]838
839 if( memcmp( buf + 2, magic_hrr_string, sizeof( magic_hrr_string ) ) == 0 )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]840 {
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]841 return( SSL_SERVER_HELLO_COORDINATE_HRR );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]842 }
843
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]844 return( SSL_SERVER_HELLO_COORDINATE_HELLO );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]845}
846
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]847/* Fetch and preprocess
848 * Returns a negative value on failure, and otherwise
849 * - SSL_SERVER_HELLO_COORDINATE_HELLO or
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]850 * - SSL_SERVER_HELLO_COORDINATE_HRR or
851 * - SSL_SERVER_HELLO_COORDINATE_TLS1_2
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]852 */
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]853#define SSL_SERVER_HELLO_COORDINATE_TLS1_2 2
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]854static int ssl_tls13_server_hello_coordinate( mbedtls_ssl_context *ssl,
855 unsigned char **buf,
856 size_t *buf_len )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]857{
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]858 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]859
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]860 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_fetch_handshake_msg( ssl,
861 MBEDTLS_SSL_HS_SERVER_HELLO,
862 buf, buf_len ) );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]863
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]864 MBEDTLS_SSL_PROC_CHK_NEG( ssl_tls13_is_supported_versions_ext_present(
865 ssl, *buf, *buf + *buf_len ) );
866 if( ret == 0 )
867 {
868 /* If the supported versions extension is not present but we were
869 * expecting it, abort the handshake. Otherwise, switch to TLS 1.2
870 * handshake.
871 */
872 if( ssl->handshake->min_minor_ver > MBEDTLS_SSL_MINOR_VERSION_3 )
873 {
874 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
875 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
876 return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
877 }
878
879 ssl->keep_current_message = 1;
880 ssl->minor_ver = MBEDTLS_SSL_MINOR_VERSION_3;
881 mbedtls_ssl_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_SERVER_HELLO,
882 *buf, *buf_len );
883
884 if( mbedtls_ssl_conf_tls13_some_ephemeral_enabled( ssl ) )
885 {
886 ret = ssl_tls13_reset_key_share( ssl );
887 if( ret != 0 )
888 return( ret );
889 }
890
891 return( SSL_SERVER_HELLO_COORDINATE_TLS1_2 );
892 }
893
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]894 ret = ssl_server_hello_is_hrr( ssl, *buf, *buf + *buf_len );
895 switch( ret )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]896 {
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]897 case SSL_SERVER_HELLO_COORDINATE_HELLO:
898 MBEDTLS_SSL_DEBUG_MSG( 2, ( "received ServerHello message" ) );
899 break;
900 case SSL_SERVER_HELLO_COORDINATE_HRR:
901 MBEDTLS_SSL_DEBUG_MSG( 2, ( "received HelloRetryRequest message" ) );
XiaokangQian16acd4b2022-01-14 07:35:47 +0000[diff] [blame]902 /* If a client receives a second
903 * HelloRetryRequest in the same connection (i.e., where the ClientHello
904 * was itself in response to a HelloRetryRequest), it MUST abort the
905 * handshake with an "unexpected_message" alert.
906 */
XiaokangQiand9e068e2022-01-18 06:23:32 +0000[diff] [blame]907 if( ssl->handshake->hello_retry_request_count > 0 )
XiaokangQian16acd4b2022-01-14 07:35:47 +0000[diff] [blame]908 {
909 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Multiple HRRs received" ) );
910 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE,
911 MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
912 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
913 }
XiaokangQian2b01dc32022-01-21 02:53:13 +0000[diff] [blame]914 /*
915 * Clients must abort the handshake with an "illegal_parameter"
916 * alert if the HelloRetryRequest would not result in any change
917 * in the ClientHello.
918 * In a PSK only key exchange that what we expect.
919 */
920 if( ! mbedtls_ssl_conf_tls13_some_ephemeral_enabled( ssl ) )
921 {
922 MBEDTLS_SSL_DEBUG_MSG( 1,
923 ( "Unexpected HRR in pure PSK key exchange." ) );
924 MBEDTLS_SSL_PEND_FATAL_ALERT(
925 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
926 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
927 return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
928 }
XiaokangQian16acd4b2022-01-14 07:35:47 +0000[diff] [blame]929
XiaokangQiand9e068e2022-01-18 06:23:32 +0000[diff] [blame]930 ssl->handshake->hello_retry_request_count++;
XiaokangQian16acd4b2022-01-14 07:35:47 +0000[diff] [blame]931
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]932 break;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]933 }
934
935cleanup:
936
937 return( ret );
938}
939
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]940static int ssl_tls13_check_server_hello_session_id_echo( mbedtls_ssl_context *ssl,
941 const unsigned char **buf,
942 const unsigned char *end )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]943{
944 const unsigned char *p = *buf;
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]945 size_t legacy_session_id_echo_len;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]946
Jerry Yude4fb2c2021-09-19 18:05:08 +0800[diff] [blame]947 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 1 );
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]948 legacy_session_id_echo_len = *p++ ;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]949
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]950 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, legacy_session_id_echo_len );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]951
952 /* legacy_session_id_echo */
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]953 if( ssl->session_negotiate->id_len != legacy_session_id_echo_len ||
954 memcmp( ssl->session_negotiate->id, p , legacy_session_id_echo_len ) != 0 )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]955 {
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]956 MBEDTLS_SSL_DEBUG_BUF( 3, "Expected Session ID",
957 ssl->session_negotiate->id,
958 ssl->session_negotiate->id_len );
959 MBEDTLS_SSL_DEBUG_BUF( 3, "Received Session ID", p,
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]960 legacy_session_id_echo_len );
961
962 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
963 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
964
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]965 return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
966 }
967
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]968 p += legacy_session_id_echo_len;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]969 *buf = p;
970
971 MBEDTLS_SSL_DEBUG_BUF( 3, "Session ID", ssl->session_negotiate->id,
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]972 ssl->session_negotiate->id_len );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]973 return( 0 );
974}
975
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]976static int ssl_tls13_cipher_suite_is_offered( mbedtls_ssl_context *ssl,
977 int cipher_suite )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]978{
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]979 const int *ciphersuite_list = ssl->conf->ciphersuite_list;
980
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]981 /* Check whether we have offered this ciphersuite */
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]982 for ( size_t i = 0; ciphersuite_list[i] != 0; i++ )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]983 {
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]984 if( ciphersuite_list[i] == cipher_suite )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]985 {
986 return( 1 );
987 }
988 }
989 return( 0 );
990}
991
992/* Parse ServerHello message and configure context
993 *
994 * struct {
995 * ProtocolVersion legacy_version = 0x0303; // TLS 1.2
996 * Random random;
997 * opaque legacy_session_id_echo<0..32>;
998 * CipherSuite cipher_suite;
999 * uint8 legacy_compression_method = 0;
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1000 * Extension extensions<6..2^16-1>;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1001 * } ServerHello;
1002 */
Jerry Yuc068b662021-10-11 22:30:19 +0800[diff] [blame]1003static int ssl_tls13_parse_server_hello( mbedtls_ssl_context *ssl,
1004 const unsigned char *buf,
XiaokangQiand9e068e2022-01-18 06:23:32 +0000[diff] [blame]1005 const unsigned char *end,
1006 int is_hrr )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1007{
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1008 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1009 const unsigned char *p = buf;
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]1010 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1011 size_t extensions_len;
1012 const unsigned char *extensions_end;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1013 uint16_t cipher_suite;
Jerry Yude4fb2c2021-09-19 18:05:08 +0800[diff] [blame]1014 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
XiaokangQianb119a352022-01-26 03:29:10 +0000[diff] [blame]1015 int fatal_alert = 0;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1016
1017 /*
1018 * Check there is space for minimal fields
1019 *
1020 * - legacy_version ( 2 bytes)
Jerry Yue6d7e5c2021-10-26 10:44:32 +0800[diff] [blame]1021 * - random (MBEDTLS_SERVER_HELLO_RANDOM_LEN bytes)
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1022 * - legacy_session_id_echo ( 1 byte ), minimum size
1023 * - cipher_suite ( 2 bytes)
1024 * - legacy_compression_method ( 1 byte )
1025 */
Jerry Yue6d7e5c2021-10-26 10:44:32 +0800[diff] [blame]1026 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, MBEDTLS_SERVER_HELLO_RANDOM_LEN + 6 );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1027
1028 MBEDTLS_SSL_DEBUG_BUF( 4, "server hello", p, end - p );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1029 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, version", p, 2 );
1030
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1031 /* ...
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1032 * ProtocolVersion legacy_version = 0x0303; // TLS 1.2
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1033 * ...
1034 * with ProtocolVersion defined as:
1035 * uint16 ProtocolVersion;
1036 */
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1037 if( !( p[0] == MBEDTLS_SSL_MAJOR_VERSION_3 &&
1038 p[1] == MBEDTLS_SSL_MINOR_VERSION_3 ) )
1039 {
1040 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Unsupported version of TLS." ) );
1041 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION,
1042 MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION );
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1043 ret = MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION;
1044 goto cleanup;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1045 }
1046 p += 2;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1047
Jerry Yue6d7e5c2021-10-26 10:44:32 +0800[diff] [blame]1048 /* ...
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1049 * Random random;
1050 * ...
1051 * with Random defined as:
Jerry Yue6d7e5c2021-10-26 10:44:32 +0800[diff] [blame]1052 * opaque Random[MBEDTLS_SERVER_HELLO_RANDOM_LEN];
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1053 */
XiaokangQian53f20b72022-01-18 10:47:33 +0000[diff] [blame]1054 if( !is_hrr )
1055 {
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]1056 memcpy( &handshake->randbytes[MBEDTLS_CLIENT_HELLO_RANDOM_LEN], p,
XiaokangQian53f20b72022-01-18 10:47:33 +0000[diff] [blame]1057 MBEDTLS_SERVER_HELLO_RANDOM_LEN );
1058 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, random bytes",
1059 p, MBEDTLS_SERVER_HELLO_RANDOM_LEN );
1060 }
Jerry Yue6d7e5c2021-10-26 10:44:32 +0800[diff] [blame]1061 p += MBEDTLS_SERVER_HELLO_RANDOM_LEN;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1062
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1063 /* ...
1064 * opaque legacy_session_id_echo<0..32>;
1065 * ...
1066 */
1067 if( ssl_tls13_check_server_hello_session_id_echo( ssl, &p, end ) != 0 )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1068 {
XiaokangQian52da5582022-01-26 09:49:29 +0000[diff] [blame]1069 fatal_alert = MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER;
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1070 goto cleanup;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1071 }
1072
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1073 /* ...
1074 * CipherSuite cipher_suite;
1075 * ...
1076 * with CipherSuite defined as:
1077 * uint8 CipherSuite[2];
1078 */
1079 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1080 cipher_suite = MBEDTLS_GET_UINT16_BE( p, 0 );
1081 p += 2;
1082
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1083
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]1084 ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( cipher_suite );
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1085 /*
Ronald Cronba120bb2022-03-30 22:09:48 +0200[diff] [blame^]1086 * Check whether this ciphersuite is valid and offered.
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1087 * Via the force_ciphersuite version we may have instructed the client
1088 * to use a different ciphersuite.
1089 */
Ronald Cronba120bb2022-03-30 22:09:48 +0200[diff] [blame^]1090 if( ( mbedtls_ssl_validate_ciphersuite(
1091 ssl, ciphersuite_info, ssl->minor_ver, ssl->minor_ver ) != 0 ) ||
1092 !ssl_tls13_cipher_suite_is_offered( ssl, cipher_suite ) )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1093 {
XiaokangQian52da5582022-01-26 09:49:29 +0000[diff] [blame]1094 fatal_alert = MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1095 }
XiaokangQian53f20b72022-01-18 10:47:33 +0000[diff] [blame]1096 /*
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]1097 * If we received an HRR before and that the proposed selected
1098 * ciphersuite in this server hello is not the same as the one
1099 * proposed in the HRR, we abort the handshake and send an
1100 * "illegal_parameter" alert.
XiaokangQian53f20b72022-01-18 10:47:33 +0000[diff] [blame]1101 */
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]1102 else if( ( !is_hrr ) && ( handshake->hello_retry_request_count > 0 ) &&
1103 ( cipher_suite != ssl->session_negotiate->ciphersuite ) )
XiaokangQian53f20b72022-01-18 10:47:33 +0000[diff] [blame]1104 {
XiaokangQian52da5582022-01-26 09:49:29 +0000[diff] [blame]1105 fatal_alert = MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER;
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]1106 }
XiaokangQian53f20b72022-01-18 10:47:33 +0000[diff] [blame]1107
XiaokangQian52da5582022-01-26 09:49:29 +0000[diff] [blame]1108 if( fatal_alert == MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER )
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]1109 {
1110 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid ciphersuite(%04x) parameter",
1111 cipher_suite ) );
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1112 goto cleanup;
XiaokangQian53f20b72022-01-18 10:47:33 +0000[diff] [blame]1113 }
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1114
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1115 /* Configure ciphersuites */
1116 mbedtls_ssl_optimize_checksum( ssl, ciphersuite_info );
1117
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]1118 handshake->ciphersuite_info = ciphersuite_info;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1119 ssl->session_negotiate->ciphersuite = cipher_suite;
1120
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1121 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: ( %04x ) - %s",
1122 cipher_suite, ciphersuite_info->name ) );
1123
1124#if defined(MBEDTLS_HAVE_TIME)
1125 ssl->session_negotiate->start = time( NULL );
1126#endif /* MBEDTLS_HAVE_TIME */
1127
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1128 /* ...
1129 * uint8 legacy_compression_method = 0;
1130 * ...
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1131 */
Jerry Yude4fb2c2021-09-19 18:05:08 +0800[diff] [blame]1132 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 1 );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1133 if( p[0] != 0 )
1134 {
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1135 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad legacy compression method" ) );
XiaokangQian52da5582022-01-26 09:49:29 +0000[diff] [blame]1136 fatal_alert = MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER;
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1137 goto cleanup;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1138 }
1139 p++;
1140
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1141 /* ...
1142 * Extension extensions<6..2^16-1>;
1143 * ...
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1144 * struct {
1145 * ExtensionType extension_type; (2 bytes)
1146 * opaque extension_data<0..2^16-1>;
1147 * } Extension;
1148 */
Jerry Yude4fb2c2021-09-19 18:05:08 +0800[diff] [blame]1149 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1150 extensions_len = MBEDTLS_GET_UINT16_BE( p, 0 );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1151 p += 2;
Jerry Yude4fb2c2021-09-19 18:05:08 +0800[diff] [blame]1152
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1153 /* Check extensions do not go beyond the buffer of data. */
1154 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, extensions_len );
1155 extensions_end = p + extensions_len;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1156
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1157 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello extensions", p, extensions_len );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1158
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1159 while( p < extensions_end )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1160 {
1161 unsigned int extension_type;
1162 size_t extension_data_len;
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]1163 const unsigned char *extension_data_end;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1164
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1165 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, 4 );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1166 extension_type = MBEDTLS_GET_UINT16_BE( p, 0 );
1167 extension_data_len = MBEDTLS_GET_UINT16_BE( p, 2 );
1168 p += 4;
1169
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1170 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, extension_data_len );
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]1171 extension_data_end = p + extension_data_len;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1172
1173 switch( extension_type )
1174 {
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]1175 case MBEDTLS_TLS_EXT_COOKIE:
1176
XiaokangQiand9e068e2022-01-18 06:23:32 +0000[diff] [blame]1177 if( !is_hrr )
1178 {
XiaokangQian52da5582022-01-26 09:49:29 +0000[diff] [blame]1179 fatal_alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT;
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1180 goto cleanup;
XiaokangQiand9e068e2022-01-18 06:23:32 +0000[diff] [blame]1181 }
1182
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]1183 ret = ssl_tls13_parse_cookie_ext( ssl,
1184 p, extension_data_end );
1185 if( ret != 0 )
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]1186 {
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]1187 MBEDTLS_SSL_DEBUG_RET( 1,
1188 "ssl_tls13_parse_cookie_ext",
1189 ret );
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1190 goto cleanup;
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]1191 }
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]1192 break;
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]1193
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1194 case MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS:
Jerry Yuc068b662021-10-11 22:30:19 +0800[diff] [blame]1195 ret = ssl_tls13_parse_supported_versions_ext( ssl,
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1196 p,
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]1197 extension_data_end );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1198 if( ret != 0 )
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1199 goto cleanup;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1200 break;
1201
1202 case MBEDTLS_TLS_EXT_PRE_SHARED_KEY:
1203 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found pre_shared_key extension." ) );
1204 MBEDTLS_SSL_DEBUG_MSG( 3, ( "pre_shared_key:Not supported yet" ) );
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1205
XiaokangQian52da5582022-01-26 09:49:29 +0000[diff] [blame]1206 fatal_alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT;
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1207 goto cleanup;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1208
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1209 case MBEDTLS_TLS_EXT_KEY_SHARE:
1210 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found key_shares extension" ) );
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1211 if( ! mbedtls_ssl_conf_tls13_some_ephemeral_enabled( ssl ) )
1212 {
XiaokangQian52da5582022-01-26 09:49:29 +0000[diff] [blame]1213 fatal_alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT;
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1214 goto cleanup;
1215 }
1216
XiaokangQian53f20b72022-01-18 10:47:33 +0000[diff] [blame]1217 if( is_hrr )
XiaokangQiand9e068e2022-01-18 06:23:32 +0000[diff] [blame]1218 ret = ssl_tls13_parse_hrr_key_share_ext( ssl,
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]1219 p, extension_data_end );
XiaokangQian53f20b72022-01-18 10:47:33 +0000[diff] [blame]1220 else
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]1221 ret = ssl_tls13_parse_key_share_ext( ssl,
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]1222 p, extension_data_end );
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]1223 if( ret != 0 )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1224 {
1225 MBEDTLS_SSL_DEBUG_RET( 1,
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1226 "ssl_tls13_parse_key_share_ext",
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1227 ret );
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1228 goto cleanup;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1229 }
1230 break;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1231
1232 default:
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1233 MBEDTLS_SSL_DEBUG_MSG(
1234 3,
1235 ( "unknown extension found: %u ( ignoring )",
1236 extension_type ) );
1237
XiaokangQian52da5582022-01-26 09:49:29 +0000[diff] [blame]1238 fatal_alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT;
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1239 goto cleanup;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1240 }
1241
1242 p += extension_data_len;
1243 }
1244
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1245cleanup:
1246
XiaokangQian52da5582022-01-26 09:49:29 +0000[diff] [blame]1247 if( fatal_alert == MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT )
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1248 {
1249 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT,
1250 MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION );
1251 ret = MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION;
1252 }
XiaokangQian52da5582022-01-26 09:49:29 +0000[diff] [blame]1253 else if ( fatal_alert == MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER )
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1254 {
1255 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
1256 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
1257 ret = MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
1258 }
1259 return( ret );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1260}
1261
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]1262static int ssl_tls13_postprocess_server_hello( mbedtls_ssl_context *ssl )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1263{
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1264 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yu0b177842021-09-05 19:41:30 +0800[diff] [blame]1265 mbedtls_ssl_key_set traffic_keys;
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1266 mbedtls_ssl_transform *transform_handshake = NULL;
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1267 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
Jerry Yu0b177842021-09-05 19:41:30 +0800[diff] [blame]1268
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1269 /* Determine the key exchange mode:
1270 * 1) If both the pre_shared_key and key_share extensions were received
1271 * then the key exchange mode is PSK with EPHEMERAL.
1272 * 2) If only the pre_shared_key extension was received then the key
1273 * exchange mode is PSK-only.
1274 * 3) If only the key_share extension was received then the key
1275 * exchange mode is EPHEMERAL-only.
Jerry Yu0b177842021-09-05 19:41:30 +0800[diff] [blame]1276 */
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1277 switch( handshake->extensions_present &
1278 ( MBEDTLS_SSL_EXT_PRE_SHARED_KEY | MBEDTLS_SSL_EXT_KEY_SHARE ) )
Jerry Yu0b177842021-09-05 19:41:30 +0800[diff] [blame]1279 {
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1280 /* Only the pre_shared_key extension was received */
1281 case MBEDTLS_SSL_EXT_PRE_SHARED_KEY:
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]1282 handshake->tls13_kex_modes = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK;
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1283 break;
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1284
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1285 /* Only the key_share extension was received */
1286 case MBEDTLS_SSL_EXT_KEY_SHARE:
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]1287 handshake->tls13_kex_modes = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL;
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1288 break;
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1289
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1290 /* Both the pre_shared_key and key_share extensions were received */
1291 case ( MBEDTLS_SSL_EXT_PRE_SHARED_KEY | MBEDTLS_SSL_EXT_KEY_SHARE ):
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]1292 handshake->tls13_kex_modes = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL;
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1293 break;
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1294
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1295 /* Neither pre_shared_key nor key_share extension was received */
1296 default:
1297 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Unknown key exchange." ) );
1298 ret = MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
1299 goto cleanup;
Jerry Yu0b177842021-09-05 19:41:30 +0800[diff] [blame]1300 }
1301
1302 /* Start the TLS 1.3 key schedule: Set the PSK and derive early secret.
1303 *
1304 * TODO: We don't have to do this in case we offered 0-RTT and the
1305 * server accepted it. In this case, we could skip generating
1306 * the early secret. */
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]1307 ret = mbedtls_ssl_tls13_key_schedule_stage_early( ssl );
Jerry Yu0b177842021-09-05 19:41:30 +0800[diff] [blame]1308 if( ret != 0 )
1309 {
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]1310 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_key_schedule_stage_early_data",
Jerry Yu0b177842021-09-05 19:41:30 +0800[diff] [blame]1311 ret );
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1312 goto cleanup;
Jerry Yu0b177842021-09-05 19:41:30 +0800[diff] [blame]1313 }
1314
1315 /* Compute handshake secret */
Jerry Yuf0ac2352021-10-11 17:47:07 +0800[diff] [blame]1316 ret = mbedtls_ssl_tls13_key_schedule_stage_handshake( ssl );
Jerry Yu0b177842021-09-05 19:41:30 +0800[diff] [blame]1317 if( ret != 0 )
1318 {
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]1319 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_derive_master_secret", ret );
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1320 goto cleanup;
Jerry Yu0b177842021-09-05 19:41:30 +0800[diff] [blame]1321 }
1322
1323 /* Next evolution in key schedule: Establish handshake secret and
1324 * key material. */
Jerry Yuc068b662021-10-11 22:30:19 +0800[diff] [blame]1325 ret = mbedtls_ssl_tls13_generate_handshake_keys( ssl, &traffic_keys );
Jerry Yu0b177842021-09-05 19:41:30 +0800[diff] [blame]1326 if( ret != 0 )
1327 {
Jerry Yuc068b662021-10-11 22:30:19 +0800[diff] [blame]1328 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_generate_handshake_keys",
1329 ret );
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1330 goto cleanup;
Jerry Yu0b177842021-09-05 19:41:30 +0800[diff] [blame]1331 }
1332
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1333 transform_handshake = mbedtls_calloc( 1, sizeof( mbedtls_ssl_transform ) );
Jerry Yu0b177842021-09-05 19:41:30 +0800[diff] [blame]1334 if( transform_handshake == NULL )
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1335 {
1336 ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
1337 goto cleanup;
1338 }
Jerry Yu0b177842021-09-05 19:41:30 +0800[diff] [blame]1339
1340 ret = mbedtls_ssl_tls13_populate_transform( transform_handshake,
1341 ssl->conf->endpoint,
1342 ssl->session_negotiate->ciphersuite,
1343 &traffic_keys,
1344 ssl );
1345 if( ret != 0 )
1346 {
1347 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_populate_transform", ret );
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1348 goto cleanup;
Jerry Yu0b177842021-09-05 19:41:30 +0800[diff] [blame]1349 }
1350
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1351 handshake->transform_handshake = transform_handshake;
1352 mbedtls_ssl_set_inbound_transform( ssl, transform_handshake );
Jerry Yu0b177842021-09-05 19:41:30 +0800[diff] [blame]1353
1354 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Switch to handshake keys for inbound traffic" ) );
1355 ssl->session_in = ssl->session_negotiate;
1356
1357 /*
1358 * State machine update
1359 */
1360 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_ENCRYPTED_EXTENSIONS );
1361
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1362cleanup:
1363
Jerry Yu0b177842021-09-05 19:41:30 +0800[diff] [blame]1364 mbedtls_platform_zeroize( &traffic_keys, sizeof( traffic_keys ) );
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1365 if( ret != 0 )
1366 {
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1367 mbedtls_free( transform_handshake );
Jerry Yuc068b662021-10-11 22:30:19 +0800[diff] [blame]1368
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1369 MBEDTLS_SSL_PEND_FATAL_ALERT(
1370 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
1371 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
1372 }
1373 return( ret );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1374}
1375
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]1376static int ssl_tls13_postprocess_hrr( mbedtls_ssl_context *ssl )
XiaokangQian647719a2021-12-07 09:16:29 +0000[diff] [blame]1377{
1378 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1379
XiaokangQian647719a2021-12-07 09:16:29 +0000[diff] [blame]1380#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
1381 /* If not offering early data, the client sends a dummy CCS record
1382 * immediately before its second flight. This may either be before
XiaokangQian51eff222021-12-10 10:33:56 +0000[diff] [blame]1383 * its second ClientHello or before its encrypted handshake flight.
1384 */
XiaokangQian647719a2021-12-07 09:16:29 +0000[diff] [blame]1385 mbedtls_ssl_handshake_set_state( ssl,
1386 MBEDTLS_SSL_CLIENT_CCS_BEFORE_2ND_CLIENT_HELLO );
1387#else
1388 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_HELLO );
1389#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
1390
XiaokangQian78b1fa72022-01-19 06:56:30 +0000[diff] [blame]1391 mbedtls_ssl_session_reset_msg_layer( ssl, 0 );
XiaokangQian647719a2021-12-07 09:16:29 +0000[diff] [blame]1392
XiaokangQian78b1fa72022-01-19 06:56:30 +0000[diff] [blame]1393 /*
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]1394 * We are going to re-generate a shared secret corresponding to the group
1395 * selected by the server, which is different from the group for which we
1396 * generated a shared secret in the first client hello.
1397 * Thus, reset the shared secret.
XiaokangQian51eff222021-12-10 10:33:56 +0000[diff] [blame]1398 */
XiaokangQian16acd4b2022-01-14 07:35:47 +0000[diff] [blame]1399 ret = ssl_tls13_reset_key_share( ssl );
XiaokangQian647719a2021-12-07 09:16:29 +0000[diff] [blame]1400 if( ret != 0 )
1401 return( ret );
1402
1403 return( 0 );
1404}
1405
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1406/*
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1407 * Wait and parse ServerHello handshake message.
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]1408 * Handler for MBEDTLS_SSL_SERVER_HELLO
1409 */
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]1410static int ssl_tls13_process_server_hello( mbedtls_ssl_context *ssl )
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]1411{
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1412 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
XiaokangQian647719a2021-12-07 09:16:29 +0000[diff] [blame]1413 unsigned char *buf = NULL;
1414 size_t buf_len = 0;
XiaokangQian78b1fa72022-01-19 06:56:30 +0000[diff] [blame]1415 int is_hrr = 0;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1416
1417 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> %s", __func__ ) );
1418
1419 /* Coordination step
1420 * - Fetch record
1421 * - Make sure it's either a ServerHello or a HRR.
1422 * - Switch processing routine in case of HRR
1423 */
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1424 ssl->major_ver = MBEDTLS_SSL_MAJOR_VERSION_3;
1425 ssl->handshake->extensions_present = MBEDTLS_SSL_EXT_NONE;
1426
XiaokangQian16acd4b2022-01-14 07:35:47 +0000[diff] [blame]1427 ret = ssl_tls13_server_hello_coordinate( ssl, &buf, &buf_len );
XiaokangQiand9e068e2022-01-18 06:23:32 +0000[diff] [blame]1428 if( ret < 0 )
XiaokangQian16acd4b2022-01-14 07:35:47 +0000[diff] [blame]1429 goto cleanup;
1430 else
XiaokangQiand9e068e2022-01-18 06:23:32 +0000[diff] [blame]1431 is_hrr = ( ret == SSL_SERVER_HELLO_COORDINATE_HRR );
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1432
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]1433 if( ret == SSL_SERVER_HELLO_COORDINATE_TLS1_2 )
1434 {
1435 ret = 0;
1436 goto cleanup;
1437 }
1438
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]1439 MBEDTLS_SSL_PROC_CHK( ssl_tls13_parse_server_hello( ssl, buf,
XiaokangQiand9e068e2022-01-18 06:23:32 +0000[diff] [blame]1440 buf + buf_len,
1441 is_hrr ) );
1442 if( is_hrr )
XiaokangQian647719a2021-12-07 09:16:29 +0000[diff] [blame]1443 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_reset_transcript_for_hrr( ssl ) );
1444
Ronald Cron8f6d39a2022-03-10 18:56:50 +0100[diff] [blame]1445 mbedtls_ssl_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_SERVER_HELLO,
1446 buf, buf_len );
XiaokangQian647719a2021-12-07 09:16:29 +0000[diff] [blame]1447
XiaokangQiand9e068e2022-01-18 06:23:32 +0000[diff] [blame]1448 if( is_hrr )
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]1449 MBEDTLS_SSL_PROC_CHK( ssl_tls13_postprocess_hrr( ssl ) );
XiaokangQiand9e068e2022-01-18 06:23:32 +0000[diff] [blame]1450 else
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]1451 MBEDTLS_SSL_PROC_CHK( ssl_tls13_postprocess_server_hello( ssl ) );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1452
1453cleanup:
XiaokangQiana9090612022-01-27 03:48:27 +0000[diff] [blame]1454 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= %s ( %s )", __func__,
1455 is_hrr?"HelloRetryRequest":"ServerHello" ) );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1456 return( ret );
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]1457}
1458
1459/*
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]1460 *
1461 * EncryptedExtensions message
1462 *
1463 * The EncryptedExtensions message contains any extensions which
1464 * should be protected, i.e., any which are not needed to establish
1465 * the cryptographic context.
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]1466 */
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]1467
1468/*
1469 * Overview
1470 */
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]1471
1472/* Main entry point; orchestrates the other functions */
XiaokangQian97799ac2021-10-11 10:05:54 +0000[diff] [blame]1473static int ssl_tls13_process_encrypted_extensions( mbedtls_ssl_context *ssl );
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]1474
XiaokangQian97799ac2021-10-11 10:05:54 +0000[diff] [blame]1475static int ssl_tls13_parse_encrypted_extensions( mbedtls_ssl_context *ssl,
1476 const unsigned char *buf,
1477 const unsigned char *end );
1478static int ssl_tls13_postprocess_encrypted_extensions( mbedtls_ssl_context *ssl );
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]1479
1480/*
XiaokangQianc1fe0002021-09-16 03:02:14 +0000[diff] [blame]1481 * Handler for MBEDTLS_SSL_ENCRYPTED_EXTENSIONS
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]1482 */
XiaokangQian97799ac2021-10-11 10:05:54 +0000[diff] [blame]1483static int ssl_tls13_process_encrypted_extensions( mbedtls_ssl_context *ssl )
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]1484{
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]1485 int ret;
1486 unsigned char *buf;
1487 size_t buf_len;
1488
1489 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse encrypted extensions" ) );
1490
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]1491 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_fetch_handshake_msg( ssl,
XiaokangQianab7f50d2021-10-21 06:23:29 +0000[diff] [blame]1492 MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS,
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]1493 &buf, &buf_len ) );
1494
1495 /* Process the message contents */
XiaokangQian97799ac2021-10-11 10:05:54 +0000[diff] [blame]1496 MBEDTLS_SSL_PROC_CHK(
XiaokangQian8db25ff2021-10-13 05:56:18 +0000[diff] [blame]1497 ssl_tls13_parse_encrypted_extensions( ssl, buf, buf + buf_len ) );
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]1498
Ronald Cron8f6d39a2022-03-10 18:56:50 +0100[diff] [blame]1499 mbedtls_ssl_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS,
1500 buf, buf_len );
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]1501
XiaokangQian97799ac2021-10-11 10:05:54 +0000[diff] [blame]1502 MBEDTLS_SSL_PROC_CHK( ssl_tls13_postprocess_encrypted_extensions( ssl ) );
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]1503
1504cleanup:
1505
1506 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse encrypted extensions" ) );
1507 return( ret );
1508
1509}
1510
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]1511/* Parse EncryptedExtensions message
1512 * struct {
XiaokangQian97799ac2021-10-11 10:05:54 +0000[diff] [blame]1513 * Extension extensions<0..2^16-1>;
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]1514 * } EncryptedExtensions;
1515 */
XiaokangQian97799ac2021-10-11 10:05:54 +0000[diff] [blame]1516static int ssl_tls13_parse_encrypted_extensions( mbedtls_ssl_context *ssl,
1517 const unsigned char *buf,
1518 const unsigned char *end )
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]1519{
1520 int ret = 0;
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]1521 size_t extensions_len;
XiaokangQian140f0452021-10-08 08:05:53 +0000[diff] [blame]1522 const unsigned char *p = buf;
XiaokangQian8db25ff2021-10-13 05:56:18 +0000[diff] [blame]1523 const unsigned char *extensions_end;
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]1524
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]1525 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
XiaokangQian97799ac2021-10-11 10:05:54 +0000[diff] [blame]1526 extensions_len = MBEDTLS_GET_UINT16_BE( p, 0 );
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]1527 p += 2;
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]1528
XiaokangQian97799ac2021-10-11 10:05:54 +0000[diff] [blame]1529 MBEDTLS_SSL_DEBUG_BUF( 3, "encrypted extensions", p, extensions_len );
XiaokangQian8db25ff2021-10-13 05:56:18 +0000[diff] [blame]1530 extensions_end = p + extensions_len;
1531 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, extensions_len );
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]1532
XiaokangQian8db25ff2021-10-13 05:56:18 +0000[diff] [blame]1533 while( p < extensions_end )
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]1534 {
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]1535 unsigned int extension_type;
1536 size_t extension_data_len;
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]1537
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]1538 /*
1539 * struct {
XiaokangQian97799ac2021-10-11 10:05:54 +0000[diff] [blame]1540 * ExtensionType extension_type; (2 bytes)
1541 * opaque extension_data<0..2^16-1>;
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]1542 * } Extension;
1543 */
XiaokangQian8db25ff2021-10-13 05:56:18 +0000[diff] [blame]1544 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, 4 );
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]1545 extension_type = MBEDTLS_GET_UINT16_BE( p, 0 );
1546 extension_data_len = MBEDTLS_GET_UINT16_BE( p, 2 );
1547 p += 4;
1548
XiaokangQian8db25ff2021-10-13 05:56:18 +0000[diff] [blame]1549 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, extension_data_len );
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]1550
XiaokangQian97799ac2021-10-11 10:05:54 +0000[diff] [blame]1551 /* The client MUST check EncryptedExtensions for the
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]1552 * presence of any forbidden extensions and if any are found MUST abort
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]1553 * the handshake with an "unsupported_extension" alert.
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]1554 */
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]1555 switch( extension_type )
1556 {
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]1557
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]1558 case MBEDTLS_TLS_EXT_SUPPORTED_GROUPS:
1559 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found extensions supported groups" ) );
1560 break;
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]1561
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]1562#if defined(MBEDTLS_SSL_ALPN)
1563 case MBEDTLS_TLS_EXT_ALPN:
1564 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found alpn extension" ) );
1565
1566 if( ( ret = ssl_tls13_parse_alpn_ext( ssl, p, (size_t)extension_data_len ) ) != 0 )
1567 {
1568 return( ret );
1569 }
1570
1571 break;
1572#endif /* MBEDTLS_SSL_ALPN */
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]1573 default:
XiaokangQian97799ac2021-10-11 10:05:54 +0000[diff] [blame]1574 MBEDTLS_SSL_DEBUG_MSG(
1575 3, ( "unsupported extension found: %u ", extension_type) );
1576 MBEDTLS_SSL_PEND_FATAL_ALERT(
Jerry Yu7aa71862021-10-28 21:41:30 +0800[diff] [blame]1577 MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT,
XiaokangQian97799ac2021-10-11 10:05:54 +0000[diff] [blame]1578 MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION );
1579 return ( MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION );
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]1580 }
1581
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]1582 p += extension_data_len;
XiaokangQian97799ac2021-10-11 10:05:54 +0000[diff] [blame]1583 }
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]1584
XiaokangQian97799ac2021-10-11 10:05:54 +0000[diff] [blame]1585 /* Check that we consumed all the message. */
XiaokangQian7b2d4ef2021-10-13 10:19:02 +0000[diff] [blame]1586 if( p != end )
XiaokangQian97799ac2021-10-11 10:05:54 +0000[diff] [blame]1587 {
1588 MBEDTLS_SSL_DEBUG_MSG( 1, ( "EncryptedExtension lengths misaligned" ) );
Jerry Yu7aa71862021-10-28 21:41:30 +0800[diff] [blame]1589 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
XiaokangQian7b2d4ef2021-10-13 10:19:02 +0000[diff] [blame]1590 MBEDTLS_ERR_SSL_DECODE_ERROR );
XiaokangQian97799ac2021-10-11 10:05:54 +0000[diff] [blame]1591 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]1592 }
1593
1594 return( ret );
1595}
1596
XiaokangQian97799ac2021-10-11 10:05:54 +0000[diff] [blame]1597static int ssl_tls13_postprocess_encrypted_extensions( mbedtls_ssl_context *ssl )
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]1598{
Jerry Yua93ac112021-10-27 16:31:48 +0800[diff] [blame]1599#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]1600 if( mbedtls_ssl_tls13_some_psk_enabled( ssl ) )
Jerry Yua93ac112021-10-27 16:31:48 +0800[diff] [blame]1601 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_FINISHED );
1602 else
Jerry Yud2674312021-10-29 10:08:19 +0800[diff] [blame]1603 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CERTIFICATE_REQUEST );
Jerry Yua93ac112021-10-27 16:31:48 +0800[diff] [blame]1604#else
1605 ((void) ssl);
1606 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_FINISHED );
1607#endif
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]1608 return( 0 );
1609}
1610
Jerry Yua93ac112021-10-27 16:31:48 +0800[diff] [blame]1611#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]1612/*
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]1613 *
1614 * STATE HANDLING: CertificateRequest
1615 *
Jerry Yud2674312021-10-29 10:08:19 +0800[diff] [blame]1616 */
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]1617#define SSL_CERTIFICATE_REQUEST_EXPECT_REQUEST 0
1618#define SSL_CERTIFICATE_REQUEST_SKIP 1
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]1619/* Coordination:
1620 * Deals with the ambiguity of not knowing if a CertificateRequest
1621 * will be sent. Returns a negative code on failure, or
1622 * - SSL_CERTIFICATE_REQUEST_EXPECT_REQUEST
1623 * - SSL_CERTIFICATE_REQUEST_SKIP
1624 * indicating if a Certificate Request is expected or not.
1625 */
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]1626static int ssl_tls13_certificate_request_coordinate( mbedtls_ssl_context *ssl )
Jerry Yud2674312021-10-29 10:08:19 +0800[diff] [blame]1627{
Xiaofei Baide3f13e2022-01-18 05:47:05 +0000[diff] [blame]1628 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yud2674312021-10-29 10:08:19 +0800[diff] [blame]1629
Xiaofei Bai7c8b6a92022-02-08 15:21:13 +0000[diff] [blame]1630 if( mbedtls_ssl_tls13_some_psk_enabled( ssl ) )
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]1631 {
1632 MBEDTLS_SSL_DEBUG_MSG( 3, ( "<= skip parse certificate request" ) );
1633 return( SSL_CERTIFICATE_REQUEST_SKIP );
1634 }
1635
1636 if( ( ret = mbedtls_ssl_read_record( ssl, 0 ) ) != 0 )
Jerry Yud2674312021-10-29 10:08:19 +0800[diff] [blame]1637 {
1638 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
1639 return( ret );
1640 }
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]1641 ssl->keep_current_message = 1;
Jerry Yud2674312021-10-29 10:08:19 +0800[diff] [blame]1642
1643 if( ( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE ) &&
1644 ( ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE_REQUEST ) )
1645 {
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]1646 return( SSL_CERTIFICATE_REQUEST_EXPECT_REQUEST );
Jerry Yud2674312021-10-29 10:08:19 +0800[diff] [blame]1647 }
1648
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]1649 return( SSL_CERTIFICATE_REQUEST_SKIP );
1650}
1651
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]1652/*
1653 * ssl_tls13_parse_certificate_request()
1654 * Parse certificate request
1655 * struct {
1656 * opaque certificate_request_context<0..2^8-1>;
1657 * Extension extensions<2..2^16-1>;
1658 * } CertificateRequest;
1659 */
1660static int ssl_tls13_parse_certificate_request( mbedtls_ssl_context *ssl,
1661 const unsigned char *buf,
1662 const unsigned char *end )
1663{
1664 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1665 const unsigned char *p = buf;
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]1666 size_t certificate_request_context_len = 0;
Xiaofei Bai82f0a9a2022-01-26 09:21:54 +0000[diff] [blame]1667 size_t extensions_len = 0;
1668 const unsigned char *extensions_end;
1669 unsigned char sig_alg_ext_found = 0;
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]1670
Xiaofei Bai82f0a9a2022-01-26 09:21:54 +0000[diff] [blame]1671 /* ...
1672 * opaque certificate_request_context<0..2^8-1>
1673 * ...
1674 */
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]1675 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 1 );
1676 certificate_request_context_len = (size_t) p[0];
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]1677 p += 1;
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]1678
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]1679 if( certificate_request_context_len > 0 )
1680 {
Xiaofei Baic234ecf2022-02-08 09:59:23 +0000[diff] [blame]1681 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, certificate_request_context_len );
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]1682 MBEDTLS_SSL_DEBUG_BUF( 3, "Certificate Request Context",
1683 p, certificate_request_context_len );
1684
Xiaofei Bai82f0a9a2022-01-26 09:21:54 +0000[diff] [blame]1685 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]1686 handshake->certificate_request_context =
Xiaofei Bai6d42bb42022-01-28 08:52:13 +0000[diff] [blame]1687 mbedtls_calloc( 1, certificate_request_context_len );
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]1688 if( handshake->certificate_request_context == NULL )
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]1689 {
1690 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
1691 return ( MBEDTLS_ERR_SSL_ALLOC_FAILED );
1692 }
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]1693 memcpy( handshake->certificate_request_context, p,
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]1694 certificate_request_context_len );
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]1695 p += certificate_request_context_len;
1696 }
1697
Xiaofei Bai82f0a9a2022-01-26 09:21:54 +0000[diff] [blame]1698 /* ...
1699 * Extension extensions<2..2^16-1>;
1700 * ...
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]1701 */
1702 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
1703 extensions_len = MBEDTLS_GET_UINT16_BE( p, 0 );
1704 p += 2;
1705
1706 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, extensions_len );
1707 extensions_end = p + extensions_len;
1708
1709 while( p < extensions_end )
1710 {
1711 unsigned int extension_type;
1712 size_t extension_data_len;
1713
1714 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, 4 );
1715 extension_type = MBEDTLS_GET_UINT16_BE( p, 0 );
1716 extension_data_len = MBEDTLS_GET_UINT16_BE( p, 2 );
1717 p += 4;
1718
1719 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, extension_data_len );
1720
1721 switch( extension_type )
1722 {
1723 case MBEDTLS_TLS_EXT_SIG_ALG:
1724 MBEDTLS_SSL_DEBUG_MSG( 3,
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]1725 ( "found signature algorithms extension" ) );
1726 ret = mbedtls_ssl_tls13_parse_sig_alg_ext( ssl, p,
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]1727 p + extension_data_len );
1728 if( ret != 0 )
1729 return( ret );
Xiaofei Bai82f0a9a2022-01-26 09:21:54 +0000[diff] [blame]1730 if( ! sig_alg_ext_found )
1731 sig_alg_ext_found = 1;
1732 else
1733 {
1734 MBEDTLS_SSL_DEBUG_MSG( 3,
1735 ( "Duplicate signature algorithms extensions found" ) );
Xiaofei Baic234ecf2022-02-08 09:59:23 +0000[diff] [blame]1736 goto decode_error;
Xiaofei Bai82f0a9a2022-01-26 09:21:54 +0000[diff] [blame]1737 }
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]1738 break;
1739
1740 default:
1741 MBEDTLS_SSL_DEBUG_MSG(
1742 3,
1743 ( "unknown extension found: %u ( ignoring )",
1744 extension_type ) );
Xiaofei Bai82f0a9a2022-01-26 09:21:54 +0000[diff] [blame]1745 break;
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]1746 }
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]1747 p += extension_data_len;
1748 }
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]1749 /* Check that we consumed all the message. */
1750 if( p != end )
1751 {
1752 MBEDTLS_SSL_DEBUG_MSG( 1,
Xiaofei Baic234ecf2022-02-08 09:59:23 +0000[diff] [blame]1753 ( "CertificateRequest misaligned" ) );
1754 goto decode_error;
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]1755 }
1756 /* Check that we found signature algorithms extension */
Xiaofei Bai82f0a9a2022-01-26 09:21:54 +0000[diff] [blame]1757 if( ! sig_alg_ext_found )
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]1758 {
Xiaofei Bai6d42bb42022-01-28 08:52:13 +0000[diff] [blame]1759 MBEDTLS_SSL_DEBUG_MSG( 3,
1760 ( "no signature algorithms extension found" ) );
Xiaofei Baic234ecf2022-02-08 09:59:23 +0000[diff] [blame]1761 goto decode_error;
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]1762 }
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]1763
Jerry Yu7840f812022-01-29 10:26:51 +0800[diff] [blame]1764 ssl->handshake->client_auth = 1;
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]1765 return( 0 );
Xiaofei Bai51f515a2022-02-08 07:28:04 +0000[diff] [blame]1766
Xiaofei Baic234ecf2022-02-08 09:59:23 +0000[diff] [blame]1767decode_error:
Xiaofei Bai51f515a2022-02-08 07:28:04 +0000[diff] [blame]1768 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
1769 MBEDTLS_ERR_SSL_DECODE_ERROR );
1770 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]1771}
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]1772
Xiaofei Baide3f13e2022-01-18 05:47:05 +0000[diff] [blame]1773/*
1774 * Handler for MBEDTLS_SSL_CERTIFICATE_REQUEST
1775 */
1776static int ssl_tls13_process_certificate_request( mbedtls_ssl_context *ssl )
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]1777{
Xiaofei Baide3f13e2022-01-18 05:47:05 +0000[diff] [blame]1778 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]1779
1780 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) );
1781
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]1782 MBEDTLS_SSL_PROC_CHK_NEG( ssl_tls13_certificate_request_coordinate( ssl ) );
1783
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]1784 if( ret == SSL_CERTIFICATE_REQUEST_EXPECT_REQUEST )
1785 {
1786 unsigned char *buf;
1787 size_t buf_len;
1788
1789 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_fetch_handshake_msg( ssl,
1790 MBEDTLS_SSL_HS_CERTIFICATE_REQUEST,
1791 &buf, &buf_len ) );
1792
1793 MBEDTLS_SSL_PROC_CHK( ssl_tls13_parse_certificate_request( ssl,
1794 buf, buf + buf_len ) );
1795
Ronald Cron8f6d39a2022-03-10 18:56:50 +0100[diff] [blame]1796 mbedtls_ssl_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST,
1797 buf, buf_len );
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]1798 }
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]1799 else if( ret == SSL_CERTIFICATE_REQUEST_SKIP )
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]1800 {
1801 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate request" ) );
Xiaofei Baif6d36962022-01-16 14:54:35 +0000[diff] [blame]1802 ret = 0;
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]1803 }
1804 else
1805 {
1806 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
Xiaofei Bai51f515a2022-02-08 07:28:04 +0000[diff] [blame]1807 ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
1808 goto cleanup;
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]1809 }
1810
1811 MBEDTLS_SSL_DEBUG_MSG( 3, ( "got %s certificate request",
Jerry Yu7840f812022-01-29 10:26:51 +0800[diff] [blame]1812 ssl->handshake->client_auth ? "a" : "no" ) );
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]1813
Jerry Yud2674312021-10-29 10:08:19 +0800[diff] [blame]1814 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_CERTIFICATE );
1815
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]1816cleanup:
1817
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]1818 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate request" ) );
1819 return( ret );
Jerry Yud2674312021-10-29 10:08:19 +0800[diff] [blame]1820}
1821
1822/*
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]1823 * Handler for MBEDTLS_SSL_SERVER_CERTIFICATE
1824 */
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]1825static int ssl_tls13_process_server_certificate( mbedtls_ssl_context *ssl )
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]1826{
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]1827 int ret;
1828
1829 ret = mbedtls_ssl_tls13_process_certificate( ssl );
Xiaofei Baif93cbd22021-10-29 02:39:30 +0000[diff] [blame]1830 if( ret != 0 )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]1831 return( ret );
1832
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]1833 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CERTIFICATE_VERIFY );
1834 return( 0 );
1835}
1836
1837/*
1838 * Handler for MBEDTLS_SSL_CERTIFICATE_VERIFY
1839 */
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]1840static int ssl_tls13_process_certificate_verify( mbedtls_ssl_context *ssl )
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]1841{
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]1842 int ret;
1843
1844 ret = mbedtls_ssl_tls13_process_certificate_verify( ssl );
1845 if( ret != 0 )
1846 return( ret );
1847
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]1848 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_FINISHED );
1849 return( 0 );
1850}
Jerry Yua93ac112021-10-27 16:31:48 +0800[diff] [blame]1851#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
Ronald Crond4c64022021-12-06 09:06:46 +0100[diff] [blame]1852
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]1853/*
1854 * Handler for MBEDTLS_SSL_SERVER_FINISHED
1855 */
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]1856static int ssl_tls13_process_server_finished( mbedtls_ssl_context *ssl )
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]1857{
XiaokangQianac0385c2021-11-03 06:40:11 +0000[diff] [blame]1858 int ret;
1859
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]1860 ret = mbedtls_ssl_tls13_process_finished_message( ssl );
XiaokangQianac0385c2021-11-03 06:40:11 +0000[diff] [blame]1861 if( ret != 0 )
1862 return( ret );
1863
Ronald Cron49ad6192021-11-24 16:25:31 +0100[diff] [blame]1864#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
1865 mbedtls_ssl_handshake_set_state(
1866 ssl,
1867 MBEDTLS_SSL_CLIENT_CCS_AFTER_SERVER_FINISHED );
1868#else
Jerry Yuca133a32022-02-15 14:22:05 +0800[diff] [blame]1869 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE );
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]1870#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
Ronald Cron49ad6192021-11-24 16:25:31 +0100[diff] [blame]1871
XiaokangQianac0385c2021-11-03 06:40:11 +0000[diff] [blame]1872 return( 0 );
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]1873}
1874
1875/*
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]1876 * Handler for MBEDTLS_SSL_CLIENT_CERTIFICATE
1877 */
1878static int ssl_tls13_write_client_certificate( mbedtls_ssl_context *ssl )
1879{
Ronald Cron7a94aca2022-03-09 07:44:27 +0100[diff] [blame]1880 int non_empty_certificate_msg = 0;
1881
Jerry Yu5cc35062022-01-28 16:16:08 +0800[diff] [blame]1882 MBEDTLS_SSL_DEBUG_MSG( 1,
1883 ( "Switch to handshake traffic keys for outbound traffic" ) );
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]1884 mbedtls_ssl_set_outbound_transform( ssl, ssl->handshake->transform_handshake );
Jerry Yu5cc35062022-01-28 16:16:08 +0800[diff] [blame]1885
Ronald Cron9df7c802022-03-08 18:38:54 +0100[diff] [blame]1886#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Ronald Cron5bb8fc82022-03-09 07:00:13 +0100[diff] [blame]1887 if( ssl->handshake->client_auth )
Ronald Cron7a94aca2022-03-09 07:44:27 +0100[diff] [blame]1888 {
1889 int ret = mbedtls_ssl_tls13_write_certificate( ssl );
1890 if( ret != 0 )
1891 return( ret );
Ronald Cron5bb8fc82022-03-09 07:00:13 +0100[diff] [blame]1892
Ronald Cron7a94aca2022-03-09 07:44:27 +0100[diff] [blame]1893 if( mbedtls_ssl_own_cert( ssl ) != NULL )
1894 non_empty_certificate_msg = 1;
1895 }
1896 else
1897 {
1898 MBEDTLS_SSL_DEBUG_MSG( 2, ( "No certificate message to send." ) );
1899 }
Ronald Cron9df7c802022-03-08 18:38:54 +0100[diff] [blame]1900#endif
Ronald Cron5bb8fc82022-03-09 07:00:13 +0100[diff] [blame]1901
Ronald Cron7a94aca2022-03-09 07:44:27 +0100[diff] [blame]1902 if( non_empty_certificate_msg )
1903 {
1904 mbedtls_ssl_handshake_set_state( ssl,
1905 MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY );
1906 }
1907 else
1908 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_FINISHED );
1909
Ronald Cron5bb8fc82022-03-09 07:00:13 +0100[diff] [blame]1910 return( 0 );
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]1911}
1912
Ronald Cron9df7c802022-03-08 18:38:54 +0100[diff] [blame]1913#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]1914/*
1915 * Handler for MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY
1916 */
1917static int ssl_tls13_write_client_certificate_verify( mbedtls_ssl_context *ssl )
1918{
Ronald Crona8b38872022-03-09 07:59:25 +0100[diff] [blame]1919 int ret = mbedtls_ssl_tls13_write_certificate_verify( ssl );
1920
1921 if( ret == 0 )
1922 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_FINISHED );
1923
1924 return( ret );
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]1925}
Jerry Yu90f152d2022-01-29 22:12:42 +0800[diff] [blame]1926#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]1927
1928/*
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]1929 * Handler for MBEDTLS_SSL_CLIENT_FINISHED
1930 */
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]1931static int ssl_tls13_write_client_finished( mbedtls_ssl_context *ssl )
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]1932{
XiaokangQian0fa66432021-11-15 03:33:57 +0000[diff] [blame]1933 int ret;
1934
1935 ret = mbedtls_ssl_tls13_write_finished_message( ssl );
1936 if( ret != 0 )
1937 return( ret );
1938
1939 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_FLUSH_BUFFERS );
1940 return( 0 );
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]1941}
1942
1943/*
1944 * Handler for MBEDTLS_SSL_FLUSH_BUFFERS
1945 */
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]1946static int ssl_tls13_flush_buffers( mbedtls_ssl_context *ssl )
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]1947{
Jerry Yu378254d2021-10-30 21:44:47 +0800[diff] [blame]1948 MBEDTLS_SSL_DEBUG_MSG( 2, ( "handshake: done" ) );
Jerry Yuad8d0ba2021-09-28 17:58:26 +0800[diff] [blame]1949 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_HANDSHAKE_WRAPUP );
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]1950 return( 0 );
1951}
1952
1953/*
1954 * Handler for MBEDTLS_SSL_HANDSHAKE_WRAPUP
1955 */
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]1956static int ssl_tls13_handshake_wrapup( mbedtls_ssl_context *ssl )
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]1957{
Jerry Yu378254d2021-10-30 21:44:47 +0800[diff] [blame]1958 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Switch to application keys for inbound traffic" ) );
1959 mbedtls_ssl_set_inbound_transform ( ssl, ssl->transform_application );
1960
1961 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Switch to application keys for outbound traffic" ) );
1962 mbedtls_ssl_set_outbound_transform( ssl, ssl->transform_application );
1963
1964 mbedtls_ssl_tls13_handshake_wrapup( ssl );
1965
1966 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_HANDSHAKE_OVER );
1967 return( 0 );
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]1968}
1969
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]1970int mbedtls_ssl_tls13_handshake_client_step( mbedtls_ssl_context *ssl )
Jerry Yubc20bdd2021-08-24 15:59:48 +0800[diff] [blame]1971{
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]1972 int ret = 0;
Jerry Yuc8a392c2021-08-18 16:46:28 +0800[diff] [blame]1973
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]1974 switch( ssl->state )
1975 {
1976 /*
Jerry Yu0c63af62021-09-02 12:59:12 +0800[diff] [blame]1977 * ssl->state is initialized as HELLO_REQUEST. It is the same
1978 * as CLIENT_HELLO state.
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]1979 */
1980 case MBEDTLS_SSL_HELLO_REQUEST:
1981 case MBEDTLS_SSL_CLIENT_HELLO:
Ronald Cron3d580bf2022-02-18 17:24:56 +0100[diff] [blame]1982 ret = mbedtls_ssl_write_client_hello( ssl );
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]1983 break;
1984
1985 case MBEDTLS_SSL_SERVER_HELLO:
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]1986 ret = ssl_tls13_process_server_hello( ssl );
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]1987 break;
1988
1989 case MBEDTLS_SSL_ENCRYPTED_EXTENSIONS:
XiaokangQian97799ac2021-10-11 10:05:54 +0000[diff] [blame]1990 ret = ssl_tls13_process_encrypted_extensions( ssl );
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]1991 break;
1992
Jerry Yua93ac112021-10-27 16:31:48 +0800[diff] [blame]1993#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Jerry Yud2674312021-10-29 10:08:19 +0800[diff] [blame]1994 case MBEDTLS_SSL_CERTIFICATE_REQUEST:
1995 ret = ssl_tls13_process_certificate_request( ssl );
1996 break;
1997
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]1998 case MBEDTLS_SSL_SERVER_CERTIFICATE:
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]1999 ret = ssl_tls13_process_server_certificate( ssl );
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2000 break;
2001
2002 case MBEDTLS_SSL_CERTIFICATE_VERIFY:
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]2003 ret = ssl_tls13_process_certificate_verify( ssl );
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2004 break;
Jerry Yua93ac112021-10-27 16:31:48 +0800[diff] [blame]2005#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2006
2007 case MBEDTLS_SSL_SERVER_FINISHED:
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]2008 ret = ssl_tls13_process_server_finished( ssl );
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2009 break;
2010
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]2011 case MBEDTLS_SSL_CLIENT_CERTIFICATE:
2012 ret = ssl_tls13_write_client_certificate( ssl );
2013 break;
2014
Ronald Cron9df7c802022-03-08 18:38:54 +0100[diff] [blame]2015#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]2016 case MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY:
2017 ret = ssl_tls13_write_client_certificate_verify( ssl );
2018 break;
Jerry Yu90f152d2022-01-29 22:12:42 +0800[diff] [blame]2019#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]2020
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2021 case MBEDTLS_SSL_CLIENT_FINISHED:
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]2022 ret = ssl_tls13_write_client_finished( ssl );
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2023 break;
2024
2025 case MBEDTLS_SSL_FLUSH_BUFFERS:
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]2026 ret = ssl_tls13_flush_buffers( ssl );
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2027 break;
2028
2029 case MBEDTLS_SSL_HANDSHAKE_WRAPUP:
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]2030 ret = ssl_tls13_handshake_wrapup( ssl );
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]2031 break;
2032
Ronald Cron49ad6192021-11-24 16:25:31 +0100[diff] [blame]2033 /*
2034 * Injection of dummy-CCS's for middlebox compatibility
2035 */
2036#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
XiaokangQian0b56a8f2021-12-22 02:39:32 +0000[diff] [blame]2037 case MBEDTLS_SSL_CLIENT_CCS_BEFORE_2ND_CLIENT_HELLO:
Ronald Cron9f55f632022-02-02 16:02:47 +0100[diff] [blame]2038 ret = mbedtls_ssl_tls13_write_change_cipher_spec( ssl );
2039 if( ret == 0 )
2040 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_HELLO );
2041 break;
2042
2043 case MBEDTLS_SSL_CLIENT_CCS_AFTER_SERVER_FINISHED:
2044 ret = mbedtls_ssl_tls13_write_change_cipher_spec( ssl );
2045 if( ret == 0 )
2046 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE );
Ronald Cron49ad6192021-11-24 16:25:31 +0100[diff] [blame]2047 break;
2048#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
2049
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]2050 default:
2051 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) );
2052 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
2053 }
2054
2055 return( ret );
2056}
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800[diff] [blame]2057
Jerry Yufb4b6472022-01-27 15:03:26 +0800[diff] [blame]2058#endif /* MBEDTLS_SSL_CLI_C && MBEDTLS_SSL_PROTO_TLS1_3 */
Jerry Yu3cc4c2a2021-08-06 16:29:08 +0800[diff] [blame]2059
Jerry Yufb4b6472022-01-27 15:03:26 +0800[diff] [blame]2060