TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / dd1bef788e4be1f3de968d6b79be462026674e24 / . / library / ssl_tls13_server.c
blob: f1fc1e5d228e851caacf8add75724920014471d6 [file] [log] [blame]
Jerry Yu3cc4c2a2021-08-06 16:29:08 +0800[diff] [blame]1/*
Jerry Yub9930e72021-08-06 17:11:51 +0800[diff] [blame]2 * TLS 1.3 server-side functions
Jerry Yu3cc4c2a2021-08-06 16:29:08 +0800[diff] [blame]3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18*/
19
20#include "common.h"
21
Jerry Yufb4b6472022-01-27 15:03:26 +0800[diff] [blame]22#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
Jerry Yu3cc4c2a2021-08-06 16:29:08 +0800[diff] [blame]23
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]24#include "mbedtls/debug.h"
Xiaofei Baicba64af2022-02-15 10:00:56 +0000[diff] [blame]25#include "mbedtls/error.h"
26#include "mbedtls/platform.h"
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]27#include "mbedtls/constant_time.h"
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]28
Xiaofei Bai9ca09d42022-02-14 12:57:18 +0000[diff] [blame]29#include "ssl_misc.h"
30#include "ssl_tls13_keys.h"
31#include "ssl_debug_helpers.h"
32
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]33#if defined(MBEDTLS_ECP_C)
34#include "mbedtls/ecp.h"
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]35#endif /* MBEDTLS_ECP_C */
Jerry Yu3cc4c2a2021-08-06 16:29:08 +0800[diff] [blame]36
XiaokangQiana9c58412022-02-17 09:41:26 +0000[diff] [blame]37#if defined(MBEDTLS_PLATFORM_C)
38#include "mbedtls/platform.h"
39#else
40#include <stdlib.h>
41#define mbedtls_calloc calloc
42#define mbedtls_free free
43#endif /* MBEDTLS_PLATFORM_C */
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]44
Jerry Yu4d3841a2022-04-16 12:37:19 +0800[diff] [blame]45#include "ssl_misc.h"
46#include "ssl_tls13_keys.h"
47#include "ssl_debug_helpers.h"
48
Jerry Yue19e3b92022-07-08 12:04:51 +0000[diff] [blame]49#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
50/* From RFC 8446:
51 *
52 * enum { psk_ke(0), psk_dhe_ke(1), (255) } PskKeyExchangeMode;
53 * struct {
54 * PskKeyExchangeMode ke_modes<1..255>;
55 * } PskKeyExchangeModes;
56 */
Jerry Yu6e74a7e2022-07-20 20:49:32 +0800[diff] [blame]57MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yue19e3b92022-07-08 12:04:51 +0000[diff] [blame]58static int ssl_tls13_parse_key_exchange_modes_ext( mbedtls_ssl_context *ssl,
59 const unsigned char *buf,
Jerry Yu299e31f2022-07-13 23:06:36 +0800[diff] [blame]60 const unsigned char *end )
Jerry Yue19e3b92022-07-08 12:04:51 +0000[diff] [blame]61{
Jerry Yu299e31f2022-07-13 23:06:36 +0800[diff] [blame]62 const unsigned char *p = buf;
Jerry Yue19e3b92022-07-08 12:04:51 +0000[diff] [blame]63 size_t ke_modes_len;
64 int ke_modes = 0;
65
Jerry Yu854dd9e2022-07-15 14:28:27 +0800[diff] [blame]66 /* Read ke_modes length (1 Byte) */
Jerry Yu299e31f2022-07-13 23:06:36 +0800[diff] [blame]67 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 1 );
68 ke_modes_len = *p++;
Jerry Yue19e3b92022-07-08 12:04:51 +0000[diff] [blame]69 /* Currently, there are only two PSK modes, so even without looking
70 * at the content, something's wrong if the list has more than 2 items. */
71 if( ke_modes_len > 2 )
Jerry Yu299e31f2022-07-13 23:06:36 +0800[diff] [blame]72 {
73 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
74 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
Jerry Yue19e3b92022-07-08 12:04:51 +0000[diff] [blame]75 return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
Jerry Yu299e31f2022-07-13 23:06:36 +0800[diff] [blame]76 }
Jerry Yue19e3b92022-07-08 12:04:51 +0000[diff] [blame]77
Jerry Yu299e31f2022-07-13 23:06:36 +0800[diff] [blame]78 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, ke_modes_len );
Jerry Yue19e3b92022-07-08 12:04:51 +0000[diff] [blame]79
80 while( ke_modes_len-- != 0 )
81 {
Jerry Yu299e31f2022-07-13 23:06:36 +0800[diff] [blame]82 switch( *p++ )
Jerry Yue19e3b92022-07-08 12:04:51 +0000[diff] [blame]83 {
84 case MBEDTLS_SSL_TLS1_3_PSK_MODE_PURE:
85 ke_modes |= MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK;
86 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Found PSK KEX MODE" ) );
87 break;
88 case MBEDTLS_SSL_TLS1_3_PSK_MODE_ECDHE:
89 ke_modes |= MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL;
90 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Found PSK_EPHEMERAL KEX MODE" ) );
91 break;
92 default:
Jerry Yu299e31f2022-07-13 23:06:36 +0800[diff] [blame]93 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
94 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
Jerry Yue19e3b92022-07-08 12:04:51 +0000[diff] [blame]95 return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
96 }
97 }
98
99 ssl->handshake->tls13_kex_modes = ke_modes;
100 return( 0 );
101}
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]102
Jerry Yue9d4fc02022-08-20 19:21:15 +0800[diff] [blame]103#define SSL_TLS1_3_OFFERED_PSK_NOT_MATCH 1
104#define SSL_TLS1_3_OFFERED_PSK_MATCH 0
Jerry Yu6e74a7e2022-07-20 20:49:32 +0800[diff] [blame]105MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]106static int ssl_tls13_offered_psks_check_identity_match(
107 mbedtls_ssl_context *ssl,
108 const unsigned char *identity,
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]109 size_t identity_len,
110 int *psk_type )
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]111{
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]112 *psk_type = MBEDTLS_SSL_TLS1_3_PSK_EXTERNAL;
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]113 /* Check identity with external configured function */
114 if( ssl->conf->f_psk != NULL )
115 {
116 if( ssl->conf->f_psk(
117 ssl->conf->p_psk, ssl, identity, identity_len ) == 0 )
118 {
119 return( SSL_TLS1_3_OFFERED_PSK_MATCH );
120 }
121 return( SSL_TLS1_3_OFFERED_PSK_NOT_MATCH );
122 }
123
Jerry Yu96a2e362022-07-21 15:11:34 +0800[diff] [blame]124 MBEDTLS_SSL_DEBUG_BUF( 5, "identity", identity, identity_len );
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]125 /* Check identity with pre-configured psk */
Jerry Yu2f0abc92022-07-22 19:34:48 +0800[diff] [blame]126 if( ssl->conf->psk_identity != NULL &&
127 identity_len == ssl->conf->psk_identity_len &&
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]128 mbedtls_ct_memcmp( ssl->conf->psk_identity,
129 identity, identity_len ) == 0 )
130 {
131 mbedtls_ssl_set_hs_psk( ssl, ssl->conf->psk, ssl->conf->psk_len );
132 return( SSL_TLS1_3_OFFERED_PSK_MATCH );
133 }
134
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]135 return( SSL_TLS1_3_OFFERED_PSK_NOT_MATCH );
136}
137
Jerry Yu6e74a7e2022-07-20 20:49:32 +0800[diff] [blame]138MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yu96a2e362022-07-21 15:11:34 +0800[diff] [blame]139static int ssl_tls13_offered_psks_check_binder_match( mbedtls_ssl_context *ssl,
140 const unsigned char *binder,
Jerry Yue95c8af2022-07-26 15:48:20 +0800[diff] [blame]141 size_t binder_len,
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]142 int psk_type,
Jerry Yu29d9faa2022-08-23 17:52:45 +0800[diff] [blame]143 psa_algorithm_t psk_hash_alg )
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]144{
145 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yu96a2e362022-07-21 15:11:34 +0800[diff] [blame]146
Jerry Yudaf375a2022-07-20 21:31:43 +0800[diff] [blame]147 unsigned char transcript[PSA_HASH_MAX_SIZE];
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]148 size_t transcript_len;
Jerry Yu2f0abc92022-07-22 19:34:48 +0800[diff] [blame]149 unsigned char *psk;
Jerry Yu96a2e362022-07-21 15:11:34 +0800[diff] [blame]150 size_t psk_len;
Jerry Yudaf375a2022-07-20 21:31:43 +0800[diff] [blame]151 unsigned char server_computed_binder[PSA_HASH_MAX_SIZE];
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]152
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]153 /* Get current state of handshake transcript. */
Jerry Yu29d9faa2022-08-23 17:52:45 +0800[diff] [blame]154 ret = mbedtls_ssl_get_handshake_transcript(
155 ssl, mbedtls_hash_info_md_from_psa( psk_hash_alg ),
156 transcript, sizeof( transcript ), &transcript_len );
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]157 if( ret != 0 )
158 return( ret );
159
Jerry Yu40f37712022-07-26 16:58:57 +0800[diff] [blame]160 ret = mbedtls_ssl_tls13_export_handshake_psk( ssl, &psk, &psk_len );
Jerry Yu96a2e362022-07-21 15:11:34 +0800[diff] [blame]161 if( ret != 0 )
162 return( ret );
163
Jerry Yu29d9faa2022-08-23 17:52:45 +0800[diff] [blame]164 ret = mbedtls_ssl_tls13_create_psk_binder( ssl, psk_hash_alg,
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]165 psk, psk_len, psk_type,
166 transcript,
167 server_computed_binder );
Jerry Yu96a2e362022-07-21 15:11:34 +0800[diff] [blame]168#if defined(MBEDTLS_USE_PSA_CRYPTO)
169 mbedtls_free( (void*)psk );
170#endif
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]171 if( ret != 0 )
172 {
173 MBEDTLS_SSL_DEBUG_MSG( 1, ( "PSK binder calculation failed." ) );
174 return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
175 }
176
177 MBEDTLS_SSL_DEBUG_BUF( 3, "psk binder ( computed ): ",
Jerry Yu2f0abc92022-07-22 19:34:48 +0800[diff] [blame]178 server_computed_binder, transcript_len );
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]179 MBEDTLS_SSL_DEBUG_BUF( 3, "psk binder ( received ): ", binder, binder_len );
180
181 if( mbedtls_ct_memcmp( server_computed_binder, binder, binder_len ) == 0 )
182 {
183 return( SSL_TLS1_3_OFFERED_PSK_MATCH );
184 }
185
Jerry Yudaf375a2022-07-20 21:31:43 +0800[diff] [blame]186 mbedtls_platform_zeroize( server_computed_binder,
187 sizeof( server_computed_binder ) );
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]188 return( SSL_TLS1_3_OFFERED_PSK_NOT_MATCH );
189}
Jerry Yu96a2e362022-07-21 15:11:34 +0800[diff] [blame]190
Jerry Yudd1bef72022-08-23 17:57:02 +0800[diff] [blame^]191static const mbedtls_ssl_ciphersuite_t *ssl_tls13_get_ciphersuite_info_by_id(
192 mbedtls_ssl_context *ssl,
193 uint16_t cipher_suite )
194{
195 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
196 if( ! mbedtls_ssl_tls13_cipher_suite_is_offered( ssl, cipher_suite ) )
197 return( NULL );
198
199 ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( cipher_suite );
200 if( ( mbedtls_ssl_validate_ciphersuite( ssl, ciphersuite_info,
201 ssl->tls_version,
202 ssl->tls_version ) != 0 ) )
203 {
204 return( NULL );
205 }
206 return( ciphersuite_info );
207}
208
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]209MBEDTLS_CHECK_RETURN_CRITICAL
210static int ssl_tls13_psk_external_check_ciphersuites( mbedtls_ssl_context *ssl,
211 const unsigned char *buf,
212 const unsigned char *end,
213 size_t binder_len,
214 uint16_t *selected_cipher_suite )
215{
216 mbedtls_md_type_t psk_alg;
217
218 *selected_cipher_suite = 0;
219
220 switch( binder_len )
221 {
222#if defined(MBEDTLS_SHA256_C)
223 case 32:
224 psk_alg = MBEDTLS_MD_SHA256;
225 break;
226#endif
227#if defined(MBEDTLS_SHA384_C)
228 case 48:
229 psk_alg = MBEDTLS_MD_SHA384;
230 break;
231#endif
232 default:
233 return( MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR );
234 }
235 /*
236 * Search for a matching ciphersuite
237 */
238 for ( const unsigned char *p = buf ; p < end ; p += 2 )
239 {
240 uint16_t cipher_suite;
241 const mbedtls_ssl_ciphersuite_t* ciphersuite_info;
242
243 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
244
245 cipher_suite = MBEDTLS_GET_UINT16_BE( p, 0 );
246 if( ! mbedtls_ssl_tls13_cipher_suite_is_offered( ssl, cipher_suite ) )
247 continue;
248
249 ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( cipher_suite );
250 if( ( mbedtls_ssl_validate_ciphersuite(
251 ssl, ciphersuite_info, ssl->tls_version,
252 ssl->tls_version ) != 0 ) )
253 {
254 continue;
255 }
256
257 /* MAC of selected ciphersuite MUST be same with PSK binder if exist.
258 * Otherwise, client should reject.
259 */
260 if( psk_alg != MBEDTLS_MD_NONE && psk_alg != ciphersuite_info->mac )
261 continue;
262
263 *selected_cipher_suite = cipher_suite;
264
265 MBEDTLS_SSL_DEBUG_MSG( 5, ( "PSK matched ciphersuite: %04x - %s",
266 cipher_suite,
267 ciphersuite_info->name ) );
268 return( 0 );
269 }
270
271 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
272}
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]273/* Parser for pre_shared_key extension in client hello
274 * struct {
275 * opaque identity<1..2^16-1>;
276 * uint32 obfuscated_ticket_age;
277 * } PskIdentity;
278 *
279 * opaque PskBinderEntry<32..255>;
280 *
281 * struct {
282 * PskIdentity identities<7..2^16-1>;
283 * PskBinderEntry binders<33..2^16-1>;
284 * } OfferedPsks;
285 *
286 * struct {
287 * select (Handshake.msg_type) {
288 * case client_hello: OfferedPsks;
289 * ....
290 * };
291 * } PreSharedKeyExtension;
292 */
Jerry Yu6e74a7e2022-07-20 20:49:32 +0800[diff] [blame]293MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yubb852022022-07-20 21:10:44 +0800[diff] [blame]294static int ssl_tls13_parse_pre_shared_key_ext( mbedtls_ssl_context *ssl,
Jerry Yu29d9faa2022-08-23 17:52:45 +0800[diff] [blame]295 const unsigned char *pre_shared_key_ext,
296 const unsigned char *pre_shared_key_ext_end,
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]297 const unsigned char *ciphersuites,
298 const unsigned char *ciphersuites_end )
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]299{
Jerry Yu29d9faa2022-08-23 17:52:45 +0800[diff] [blame]300 const unsigned char *identities = pre_shared_key_ext;
Jerry Yu568ec252022-07-22 21:27:34 +0800[diff] [blame]301 const unsigned char *p_identity_len;
302 size_t identities_len;
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]303 const unsigned char *identities_end;
Jerry Yu568ec252022-07-22 21:27:34 +0800[diff] [blame]304 const unsigned char *binders;
305 const unsigned char *p_binder_len;
306 size_t binders_len;
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]307 const unsigned char *binders_end;
Jerry Yu96a2e362022-07-21 15:11:34 +0800[diff] [blame]308 int matched_identity = -1;
309 int identity_id = -1;
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]310
Jerry Yu29d9faa2022-08-23 17:52:45 +0800[diff] [blame]311 MBEDTLS_SSL_DEBUG_BUF( 3, "pre_shared_key extension",
312 pre_shared_key_ext,
313 pre_shared_key_ext_end - pre_shared_key_ext );
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]314
Jerry Yu96a2e362022-07-21 15:11:34 +0800[diff] [blame]315 /* identities_len 2 bytes
316 * identities_data >= 7 bytes
317 */
Jerry Yu29d9faa2022-08-23 17:52:45 +0800[diff] [blame]318 MBEDTLS_SSL_CHK_BUF_READ_PTR( identities, pre_shared_key_ext_end, 7 + 2 );
Jerry Yu568ec252022-07-22 21:27:34 +0800[diff] [blame]319 identities_len = MBEDTLS_GET_UINT16_BE( identities, 0 );
320 p_identity_len = identities + 2;
Jerry Yu29d9faa2022-08-23 17:52:45 +0800[diff] [blame]321 MBEDTLS_SSL_CHK_BUF_READ_PTR( p_identity_len, pre_shared_key_ext_end,
322 identities_len );
Jerry Yu568ec252022-07-22 21:27:34 +0800[diff] [blame]323 identities_end = p_identity_len + identities_len;
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]324
Jerry Yu96a2e362022-07-21 15:11:34 +0800[diff] [blame]325 /* binders_len 2 bytes
326 * binders >= 33 bytes
327 */
Jerry Yu568ec252022-07-22 21:27:34 +0800[diff] [blame]328 binders = identities_end;
Jerry Yu29d9faa2022-08-23 17:52:45 +0800[diff] [blame]329 MBEDTLS_SSL_CHK_BUF_READ_PTR( binders, pre_shared_key_ext_end, 33 + 2 );
Jerry Yu568ec252022-07-22 21:27:34 +0800[diff] [blame]330 binders_len = MBEDTLS_GET_UINT16_BE( binders, 0 );
331 p_binder_len = binders + 2;
Jerry Yu29d9faa2022-08-23 17:52:45 +0800[diff] [blame]332 MBEDTLS_SSL_CHK_BUF_READ_PTR( p_binder_len, pre_shared_key_ext_end, binders_len );
Jerry Yu568ec252022-07-22 21:27:34 +0800[diff] [blame]333 binders_end = p_binder_len + binders_len;
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]334
Jerry Yu29d9faa2022-08-23 17:52:45 +0800[diff] [blame]335 ssl->handshake->update_checksum( ssl, pre_shared_key_ext,
336 identities_end - pre_shared_key_ext );
Jerry Yu96a2e362022-07-21 15:11:34 +0800[diff] [blame]337
Jerry Yu568ec252022-07-22 21:27:34 +0800[diff] [blame]338 while( p_identity_len < identities_end && p_binder_len < binders_end )
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]339 {
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]340 const unsigned char *identity;
Jerry Yu568ec252022-07-22 21:27:34 +0800[diff] [blame]341 size_t identity_len;
Jerry Yu96a2e362022-07-21 15:11:34 +0800[diff] [blame]342 const unsigned char *binder;
Jerry Yu568ec252022-07-22 21:27:34 +0800[diff] [blame]343 size_t binder_len;
Jerry Yu96a2e362022-07-21 15:11:34 +0800[diff] [blame]344 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]345 int psk_type;
346 uint16_t cipher_suite;
Jerry Yu29d9faa2022-08-23 17:52:45 +0800[diff] [blame]347 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
Jerry Yubb852022022-07-20 21:10:44 +0800[diff] [blame]348
Jerry Yu568ec252022-07-22 21:27:34 +0800[diff] [blame]349 MBEDTLS_SSL_CHK_BUF_READ_PTR( p_identity_len, identities_end, 2 + 1 + 4 );
350 identity_len = MBEDTLS_GET_UINT16_BE( p_identity_len, 0 );
351 identity = p_identity_len + 2;
352 MBEDTLS_SSL_CHK_BUF_READ_PTR( identity, identities_end, identity_len + 4 );
353 p_identity_len += identity_len + 6;
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]354
Jerry Yu568ec252022-07-22 21:27:34 +0800[diff] [blame]355 MBEDTLS_SSL_CHK_BUF_READ_PTR( p_binder_len, binders_end, 1 + 32 );
356 binder_len = *p_binder_len;
357 binder = p_binder_len + 1;
358 MBEDTLS_SSL_CHK_BUF_READ_PTR( binder, binders_end, binder_len );
359 p_binder_len += binder_len + 1;
Jerry Yu96a2e362022-07-21 15:11:34 +0800[diff] [blame]360
Jerry Yu96a2e362022-07-21 15:11:34 +0800[diff] [blame]361 identity_id++;
362 if( matched_identity != -1 )
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]363 continue;
364
Jerry Yu96a2e362022-07-21 15:11:34 +0800[diff] [blame]365 ret = ssl_tls13_offered_psks_check_identity_match(
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]366 ssl, identity, identity_len, &psk_type );
Jerry Yue95c8af2022-07-26 15:48:20 +0800[diff] [blame]367 if( ret != SSL_TLS1_3_OFFERED_PSK_MATCH )
Jerry Yu96a2e362022-07-21 15:11:34 +0800[diff] [blame]368 continue;
369
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]370 if( psk_type == MBEDTLS_SSL_TLS1_3_PSK_EXTERNAL )
371 {
372 ret = ssl_tls13_psk_external_check_ciphersuites(
373 ssl, ciphersuites, ciphersuites_end,
374 binder_len, &cipher_suite );
375 if( ret < 0 )
376 {
377 /* See below, no cipher_suite available, abort handshake */
378 MBEDTLS_SSL_PEND_FATAL_ALERT(
379 MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR,
380 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
381 return( ret );
382 }
383 ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( cipher_suite );
384 }
385 else
386 {
387 MBEDTLS_SSL_DEBUG_MSG( 4, ( "`psk_type = %d` not support yet",
388 psk_type ) );
389 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
390 }
391
Jerry Yu96a2e362022-07-21 15:11:34 +0800[diff] [blame]392 ret = ssl_tls13_offered_psks_check_binder_match(
Jerry Yu29d9faa2022-08-23 17:52:45 +0800[diff] [blame]393 ssl, binder, binder_len, psk_type,
394 mbedtls_psa_translate_md( ciphersuite_info->mac ) );
Jerry Yue9d4fc02022-08-20 19:21:15 +0800[diff] [blame]395 if( ret != SSL_TLS1_3_OFFERED_PSK_MATCH )
Jerry Yu96a2e362022-07-21 15:11:34 +0800[diff] [blame]396 {
Jerry Yu29d9faa2022-08-23 17:52:45 +0800[diff] [blame]397 /* For the security rationale, handshake should be abort when binder
398 * value mismatch. See RFC 8446 section 4.2.11.2 and appendix E.6. */
Jerry Yue9d4fc02022-08-20 19:21:15 +0800[diff] [blame]399 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Binder is not matched." ) );
Jerry Yu96a2e362022-07-21 15:11:34 +0800[diff] [blame]400 MBEDTLS_SSL_DEBUG_RET( 1,
401 "ssl_tls13_offered_psks_check_binder_match" , ret );
402 MBEDTLS_SSL_PEND_FATAL_ALERT(
403 MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR,
404 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
405 return( ret );
406 }
Jerry Yu96a2e362022-07-21 15:11:34 +0800[diff] [blame]407
408 matched_identity = identity_id;
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]409
410 /* Update handshake parameters */
411 if( psk_type == MBEDTLS_SSL_TLS1_3_PSK_EXTERNAL )
412 {
413 ssl->session_negotiate->ciphersuite = cipher_suite;
414 ssl->handshake->ciphersuite_info = ciphersuite_info;
415 MBEDTLS_SSL_DEBUG_MSG( 2, ( "overwrite ciphersuite: %04x - %s",
416 cipher_suite,
417 ciphersuite_info->name ) );
418 }
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]419 }
420
Jerry Yu568ec252022-07-22 21:27:34 +0800[diff] [blame]421 if( p_identity_len != identities_end || p_binder_len != binders_end )
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]422 {
423 MBEDTLS_SSL_DEBUG_MSG( 3, ( "pre_shared_key extesion decode error" ) );
424 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
425 MBEDTLS_ERR_SSL_DECODE_ERROR );
426 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
427 }
428
Jerry Yu6f1db3f2022-07-22 23:05:59 +0800[diff] [blame]429 /* Update the handshake transcript with the binder list. */
430 ssl->handshake->update_checksum( ssl,
431 identities_end,
432 (size_t)( binders_end - identities_end ) );
Jerry Yu96a2e362022-07-21 15:11:34 +0800[diff] [blame]433 if( matched_identity == -1 )
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]434 {
Jerry Yue9d4fc02022-08-20 19:21:15 +0800[diff] [blame]435 MBEDTLS_SSL_DEBUG_MSG( 3, ( "No matched PSK or ticket." ) );
Jerry Yu96a2e362022-07-21 15:11:34 +0800[diff] [blame]436 return( MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY );
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]437 }
438
Jerry Yu96a2e362022-07-21 15:11:34 +0800[diff] [blame]439 ssl->handshake->selected_identity = (uint16_t)matched_identity;
440 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Pre shared key found" ) );
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]441
Jerry Yu96a2e362022-07-21 15:11:34 +0800[diff] [blame]442 return( 0 );
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]443}
Jerry Yu032b15ce2022-07-11 06:10:03 +0000[diff] [blame]444
445/*
446 * struct {
447 * select ( Handshake.msg_type ) {
448 * ....
449 * case server_hello:
450 * uint16 selected_identity;
451 * }
452 * } PreSharedKeyExtension;
453 */
Jerry Yubb852022022-07-20 21:10:44 +0800[diff] [blame]454static int ssl_tls13_write_server_pre_shared_key_ext( mbedtls_ssl_context *ssl,
455 unsigned char *buf,
456 unsigned char *end,
457 size_t *olen )
Jerry Yu032b15ce2022-07-11 06:10:03 +0000[diff] [blame]458{
459 unsigned char *p = (unsigned char*)buf;
Jerry Yu032b15ce2022-07-11 06:10:03 +0000[diff] [blame]460
461 *olen = 0;
462
463#if defined(MBEDTLS_USE_PSA_CRYPTO)
464 if( mbedtls_svc_key_id_is_null( ssl->handshake->psk_opaque ) )
465#else
466 if( ssl->handshake->psk == NULL )
467#endif
468 {
469 /* We shouldn't have called this extension writer unless we've
470 * chosen to use a PSK. */
471 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
472 }
473
474 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding pre_shared_key extension" ) );
475 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 6 );
476
Jerry Yu032b15ce2022-07-11 06:10:03 +0000[diff] [blame]477 MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_PRE_SHARED_KEY, p, 0 );
Jerry Yu032b15ce2022-07-11 06:10:03 +0000[diff] [blame]478 MBEDTLS_PUT_UINT16_BE( 2, p, 2 );
479
Jerry Yu96a2e362022-07-21 15:11:34 +0800[diff] [blame]480 MBEDTLS_PUT_UINT16_BE( ssl->handshake->selected_identity, p, 4 );
Jerry Yu032b15ce2022-07-11 06:10:03 +0000[diff] [blame]481
482 *olen = 6;
483
Jerry Yu96a2e362022-07-21 15:11:34 +0800[diff] [blame]484 MBEDTLS_SSL_DEBUG_MSG( 4, ( "sent selected_identity: %u",
485 ssl->handshake->selected_identity ) );
Jerry Yu032b15ce2022-07-11 06:10:03 +0000[diff] [blame]486
487 return( 0 );
488}
489
Jerry Yue19e3b92022-07-08 12:04:51 +0000[diff] [blame]490#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
491
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]492/* From RFC 8446:
493 * struct {
XiaokangQiancfd925f2022-04-14 07:10:37 +0000[diff] [blame]494 * ProtocolVersion versions<2..254>;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]495 * } SupportedVersions;
496 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]497MBEDTLS_CHECK_RETURN_CRITICAL
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]498static int ssl_tls13_parse_supported_versions_ext( mbedtls_ssl_context *ssl,
499 const unsigned char *buf,
500 const unsigned char *end )
501{
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]502 const unsigned char *p = buf;
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]503 size_t versions_len;
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]504 const unsigned char *versions_end;
XiaokangQian0a1b54e2022-04-21 03:01:38 +0000[diff] [blame]505 uint16_t tls_version;
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]506 int tls13_supported = 0;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]507
508 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 1 );
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]509 versions_len = p[0];
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]510 p += 1;
511
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]512 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, versions_len );
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]513 versions_end = p + versions_len;
514 while( p < versions_end )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]515 {
XiaokangQiancfd925f2022-04-14 07:10:37 +0000[diff] [blame]516 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, versions_end, 2 );
XiaokangQiande333912022-04-20 08:49:42 +0000[diff] [blame]517 tls_version = mbedtls_ssl_read_version( p, ssl->conf->transport );
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]518 p += 2;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]519
520 /* In this implementation we only support TLS 1.3 and DTLS 1.3. */
XiaokangQiande333912022-04-20 08:49:42 +0000[diff] [blame]521 if( tls_version == MBEDTLS_SSL_VERSION_TLS1_3 )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]522 {
523 tls13_supported = 1;
524 break;
525 }
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]526 }
527
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]528 if( !tls13_supported )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]529 {
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]530 MBEDTLS_SSL_DEBUG_MSG( 1, ( "TLS 1.3 is not supported by the client" ) );
531
532 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION,
533 MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION );
534 return( MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION );
535 }
536
XiaokangQiande333912022-04-20 08:49:42 +0000[diff] [blame]537 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Negotiated version. Supported is [%04x]",
XiaokangQian0a1b54e2022-04-21 03:01:38 +0000[diff] [blame]538 (unsigned int)tls_version ) );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]539
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]540 return( 0 );
541}
542
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]543#if defined(MBEDTLS_ECDH_C)
XiaokangQiane8ff3502022-04-22 02:34:40 +0000[diff] [blame]544/*
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]545 *
546 * From RFC 8446:
547 * enum {
548 * ... (0xFFFF)
549 * } NamedGroup;
550 * struct {
551 * NamedGroup named_group_list<2..2^16-1>;
552 * } NamedGroupList;
553 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]554MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yuc1be19f2022-04-23 16:11:39 +0800[diff] [blame]555static int ssl_tls13_parse_supported_groups_ext( mbedtls_ssl_context *ssl,
556 const unsigned char *buf,
557 const unsigned char *end )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]558{
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]559 const unsigned char *p = buf;
XiaokangQian84823772022-04-19 07:57:30 +0000[diff] [blame]560 size_t named_group_list_len;
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]561 const unsigned char *named_group_list_end;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]562
563 MBEDTLS_SSL_DEBUG_BUF( 3, "supported_groups extension", p, end - buf );
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]564 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]565 named_group_list_len = MBEDTLS_GET_UINT16_BE( p, 0 );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]566 p += 2;
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]567 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, named_group_list_len );
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]568 named_group_list_end = p + named_group_list_len;
XiaokangQian4e8cd7b2022-04-21 09:48:09 +0000[diff] [blame]569 ssl->handshake->hrr_selected_group = 0;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]570
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]571 while( p < named_group_list_end )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]572 {
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]573 uint16_t named_group;
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]574 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, named_group_list_end, 2 );
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]575 named_group = MBEDTLS_GET_UINT16_BE( p, 0 );
576 p += 2;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]577
Jerry Yuc1be19f2022-04-23 16:11:39 +0800[diff] [blame]578 MBEDTLS_SSL_DEBUG_MSG( 2,
579 ( "got named group: %s(%04x)",
580 mbedtls_ssl_named_group_to_str( named_group ),
581 named_group ) );
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]582
583 if( ! mbedtls_ssl_named_group_is_offered( ssl, named_group ) ||
584 ! mbedtls_ssl_named_group_is_supported( named_group ) ||
XiaokangQian4e8cd7b2022-04-21 09:48:09 +0000[diff] [blame]585 ssl->handshake->hrr_selected_group != 0 )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]586 {
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]587 continue;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]588 }
589
Jerry Yuc1be19f2022-04-23 16:11:39 +0800[diff] [blame]590 MBEDTLS_SSL_DEBUG_MSG( 2,
591 ( "add named group %s(%04x) into received list.",
592 mbedtls_ssl_named_group_to_str( named_group ),
593 named_group ) );
594
XiaokangQian4e8cd7b2022-04-21 09:48:09 +0000[diff] [blame]595 ssl->handshake->hrr_selected_group = named_group;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]596 }
597
598 return( 0 );
599
600}
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]601#endif /* MBEDTLS_ECDH_C */
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]602
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]603#define SSL_TLS1_3_PARSE_KEY_SHARES_EXT_NO_MATCH 1
604
XiaokangQian88408882022-04-02 10:15:03 +0000[diff] [blame]605#if defined(MBEDTLS_ECDH_C)
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]606/*
607 * ssl_tls13_parse_key_shares_ext() verifies whether the information in the
XiaokangQiane8ff3502022-04-22 02:34:40 +0000[diff] [blame]608 * extension is correct and stores the first acceptable key share and its associated group.
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]609 *
610 * Possible return values are:
611 * - 0: Successful processing of the client provided key share extension.
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]612 * - SSL_TLS1_3_PARSE_KEY_SHARES_EXT_NO_MATCH: The key shares provided by the client
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]613 * does not match a group supported by the server. A HelloRetryRequest will
614 * be needed.
XiaokangQiane8ff3502022-04-22 02:34:40 +0000[diff] [blame]615 * - A negative value for fatal errors.
Jerry Yuc1be19f2022-04-23 16:11:39 +0800[diff] [blame]616 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]617MBEDTLS_CHECK_RETURN_CRITICAL
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]618static int ssl_tls13_parse_key_shares_ext( mbedtls_ssl_context *ssl,
619 const unsigned char *buf,
620 const unsigned char *end )
621{
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]622 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]623 unsigned char const *p = buf;
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]624 unsigned char const *client_shares_end;
Jerry Yuc1be19f2022-04-23 16:11:39 +0800[diff] [blame]625 size_t client_shares_len;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]626
627 /* From RFC 8446:
628 *
629 * struct {
630 * KeyShareEntry client_shares<0..2^16-1>;
631 * } KeyShareClientHello;
632 *
633 */
634
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]635 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]636 client_shares_len = MBEDTLS_GET_UINT16_BE( p, 0 );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]637 p += 2;
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]638 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, client_shares_len );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]639
640 ssl->handshake->offered_group_id = 0;
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]641 client_shares_end = p + client_shares_len;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]642
643 /* We try to find a suitable key share entry and copy it to the
644 * handshake context. Later, we have to find out whether we can do
645 * something with the provided key share or whether we have to
XiaokangQianc5763b52022-04-02 03:34:37 +0000[diff] [blame]646 * dismiss it and send a HelloRetryRequest message.
647 */
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]648
Jerry Yuc1be19f2022-04-23 16:11:39 +0800[diff] [blame]649 while( p < client_shares_end )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]650 {
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000[diff] [blame]651 uint16_t group;
Jerry Yuc1be19f2022-04-23 16:11:39 +0800[diff] [blame]652 size_t key_exchange_len;
Jerry Yu086edc22022-05-05 10:50:38 +0800[diff] [blame]653 const unsigned char *key_exchange;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]654
655 /*
656 * struct {
657 * NamedGroup group;
658 * opaque key_exchange<1..2^16-1>;
659 * } KeyShareEntry;
660 */
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]661 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, client_shares_end, 4 );
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000[diff] [blame]662 group = MBEDTLS_GET_UINT16_BE( p, 0 );
Jerry Yuc1be19f2022-04-23 16:11:39 +0800[diff] [blame]663 key_exchange_len = MBEDTLS_GET_UINT16_BE( p, 2 );
664 p += 4;
Jerry Yu086edc22022-05-05 10:50:38 +0800[diff] [blame]665 key_exchange = p;
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]666 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, client_shares_end, key_exchange_len );
Jerry Yu086edc22022-05-05 10:50:38 +0800[diff] [blame]667 p += key_exchange_len;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]668
669 /* Continue parsing even if we have already found a match,
XiaokangQianc5763b52022-04-02 03:34:37 +0000[diff] [blame]670 * for input validation purposes.
671 */
XiaokangQian060d8672022-04-21 09:24:56 +0000[diff] [blame]672 if( ! mbedtls_ssl_named_group_is_offered( ssl, group ) ||
Jerry Yuc1be19f2022-04-23 16:11:39 +0800[diff] [blame]673 ! mbedtls_ssl_named_group_is_supported( group ) ||
674 ssl->handshake->offered_group_id != 0 )
XiaokangQian060d8672022-04-21 09:24:56 +0000[diff] [blame]675 {
676 continue;
677 }
XiaokangQian060d8672022-04-21 09:24:56 +0000[diff] [blame]678
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]679 /*
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]680 * For now, we only support ECDHE groups.
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]681 */
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000[diff] [blame]682 if( mbedtls_ssl_tls13_named_group_is_ecdhe( group ) )
683 {
Jerry Yuc1be19f2022-04-23 16:11:39 +0800[diff] [blame]684 MBEDTLS_SSL_DEBUG_MSG( 2, ( "ECDH group: %s (%04x)",
685 mbedtls_ssl_named_group_to_str( group ),
686 group ) );
XiaokangQian318dc762022-04-20 09:43:51 +0000[diff] [blame]687 ret = mbedtls_ssl_tls13_read_public_ecdhe_share(
Jerry Yu086edc22022-05-05 10:50:38 +0800[diff] [blame]688 ssl, key_exchange - 2, key_exchange_len + 2 );
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000[diff] [blame]689 if( ret != 0 )
690 return( ret );
XiaokangQian4e8cd7b2022-04-21 09:48:09 +0000[diff] [blame]691
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000[diff] [blame]692 }
693 else
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]694 {
695 MBEDTLS_SSL_DEBUG_MSG( 4, ( "Unrecognized NamedGroup %u",
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000[diff] [blame]696 (unsigned) group ) );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]697 continue;
698 }
699
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000[diff] [blame]700 ssl->handshake->offered_group_id = group;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]701 }
702
Jerry Yuc1be19f2022-04-23 16:11:39 +0800[diff] [blame]703
704 if( ssl->handshake->offered_group_id == 0 )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]705 {
706 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no matching key share" ) );
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]707 return( SSL_TLS1_3_PARSE_KEY_SHARES_EXT_NO_MATCH );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]708 }
709 return( 0 );
710}
XiaokangQian88408882022-04-02 10:15:03 +0000[diff] [blame]711#endif /* MBEDTLS_ECDH_C */
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]712
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]713#if defined(MBEDTLS_DEBUG_C)
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]714static void ssl_tls13_debug_print_client_hello_exts( mbedtls_ssl_context *ssl )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]715{
XiaokangQian3207a322022-02-23 03:15:27 +0000[diff] [blame]716 ((void) ssl);
717
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]718 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Supported Extensions:" ) );
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]719 MBEDTLS_SSL_DEBUG_MSG( 3,
720 ( "- KEY_SHARE_EXTENSION ( %s )",
721 ( ( ssl->handshake->extensions_present
722 & MBEDTLS_SSL_EXT_KEY_SHARE ) > 0 ) ? "TRUE" : "FALSE" ) );
723 MBEDTLS_SSL_DEBUG_MSG( 3,
724 ( "- PSK_KEY_EXCHANGE_MODES_EXTENSION ( %s )",
725 ( ( ssl->handshake->extensions_present
726 & MBEDTLS_SSL_EXT_PSK_KEY_EXCHANGE_MODES ) > 0 ) ?
727 "TRUE" : "FALSE" ) );
728 MBEDTLS_SSL_DEBUG_MSG( 3,
729 ( "- PRE_SHARED_KEY_EXTENSION ( %s )",
730 ( ( ssl->handshake->extensions_present
731 & MBEDTLS_SSL_EXT_PRE_SHARED_KEY ) > 0 ) ? "TRUE" : "FALSE" ) );
732 MBEDTLS_SSL_DEBUG_MSG( 3,
733 ( "- SIGNATURE_ALGORITHM_EXTENSION ( %s )",
734 ( ( ssl->handshake->extensions_present
735 & MBEDTLS_SSL_EXT_SIG_ALG ) > 0 ) ? "TRUE" : "FALSE" ) );
736 MBEDTLS_SSL_DEBUG_MSG( 3,
737 ( "- SUPPORTED_GROUPS_EXTENSION ( %s )",
738 ( ( ssl->handshake->extensions_present
739 & MBEDTLS_SSL_EXT_SUPPORTED_GROUPS ) >0 ) ?
740 "TRUE" : "FALSE" ) );
741 MBEDTLS_SSL_DEBUG_MSG( 3,
742 ( "- SUPPORTED_VERSION_EXTENSION ( %s )",
743 ( ( ssl->handshake->extensions_present
744 & MBEDTLS_SSL_EXT_SUPPORTED_VERSIONS ) > 0 ) ?
745 "TRUE" : "FALSE" ) );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]746#if defined ( MBEDTLS_SSL_SERVER_NAME_INDICATION )
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]747 MBEDTLS_SSL_DEBUG_MSG( 3,
748 ( "- SERVERNAME_EXTENSION ( %s )",
749 ( ( ssl->handshake->extensions_present
750 & MBEDTLS_SSL_EXT_SERVERNAME ) > 0 ) ?
751 "TRUE" : "FALSE" ) );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]752#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
XiaokangQianacb39922022-06-17 10:18:48 +0000[diff] [blame]753#if defined ( MBEDTLS_SSL_ALPN )
754 MBEDTLS_SSL_DEBUG_MSG( 3,
755 ( "- ALPN_EXTENSION ( %s )",
756 ( ( ssl->handshake->extensions_present
757 & MBEDTLS_SSL_EXT_ALPN ) > 0 ) ?
758 "TRUE" : "FALSE" ) );
759#endif /* MBEDTLS_SSL_ALPN */
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]760}
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]761#endif /* MBEDTLS_DEBUG_C */
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]762
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]763MBEDTLS_CHECK_RETURN_CRITICAL
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]764static int ssl_tls13_client_hello_has_exts( mbedtls_ssl_context *ssl,
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]765 int exts_mask )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]766{
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]767 int masked = ssl->handshake->extensions_present & exts_mask;
768 return( masked == exts_mask );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]769}
770
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]771MBEDTLS_CHECK_RETURN_CRITICAL
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]772static int ssl_tls13_client_hello_has_exts_for_ephemeral_key_exchange(
773 mbedtls_ssl_context *ssl )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]774{
Jerry Yu77f01482022-07-11 07:03:24 +0000[diff] [blame]775 return( ssl_tls13_client_hello_has_exts(
776 ssl,
777 MBEDTLS_SSL_EXT_SUPPORTED_GROUPS |
778 MBEDTLS_SSL_EXT_KEY_SHARE |
779 MBEDTLS_SSL_EXT_SIG_ALG ) );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]780}
781
Jerry Yu77f01482022-07-11 07:03:24 +0000[diff] [blame]782#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
783MBEDTLS_CHECK_RETURN_CRITICAL
784static int ssl_tls13_client_hello_has_exts_for_psk_key_exchange(
785 mbedtls_ssl_context *ssl )
786{
787 return( ssl_tls13_client_hello_has_exts(
788 ssl,
789 MBEDTLS_SSL_EXT_PRE_SHARED_KEY |
790 MBEDTLS_SSL_EXT_PSK_KEY_EXCHANGE_MODES ) );
791}
792
793MBEDTLS_CHECK_RETURN_CRITICAL
794static int ssl_tls13_client_hello_has_exts_for_psk_ephemeral_key_exchange(
795 mbedtls_ssl_context *ssl )
796{
797 return( ssl_tls13_client_hello_has_exts(
798 ssl,
799 MBEDTLS_SSL_EXT_SUPPORTED_GROUPS |
800 MBEDTLS_SSL_EXT_KEY_SHARE |
801 MBEDTLS_SSL_EXT_PRE_SHARED_KEY |
802 MBEDTLS_SSL_EXT_PSK_KEY_EXCHANGE_MODES ) );
803}
804#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
805
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]806MBEDTLS_CHECK_RETURN_CRITICAL
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]807static int ssl_tls13_check_ephemeral_key_exchange( mbedtls_ssl_context *ssl )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]808{
Jerry Yu77f01482022-07-11 07:03:24 +0000[diff] [blame]809 return( mbedtls_ssl_conf_tls13_ephemeral_enabled( ssl ) &&
810 ssl_tls13_client_hello_has_exts_for_ephemeral_key_exchange( ssl ) );
811}
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]812
Jerry Yu77f01482022-07-11 07:03:24 +0000[diff] [blame]813MBEDTLS_CHECK_RETURN_CRITICAL
814static int ssl_tls13_check_psk_key_exchange( mbedtls_ssl_context *ssl )
815{
816#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
817 return( mbedtls_ssl_conf_tls13_psk_enabled( ssl ) &&
818 mbedtls_ssl_tls13_psk_enabled( ssl ) &&
819 ssl_tls13_client_hello_has_exts_for_psk_key_exchange( ssl ) );
820#else
821 ((void) ssl);
822 return( 0 );
823#endif
824}
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]825
Jerry Yu77f01482022-07-11 07:03:24 +0000[diff] [blame]826MBEDTLS_CHECK_RETURN_CRITICAL
827static int ssl_tls13_check_psk_ephemeral_key_exchange( mbedtls_ssl_context *ssl )
828{
829#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
830 return( mbedtls_ssl_conf_tls13_psk_ephemeral_enabled( ssl ) &&
831 mbedtls_ssl_tls13_psk_ephemeral_enabled( ssl ) &&
832 ssl_tls13_client_hello_has_exts_for_psk_ephemeral_key_exchange( ssl ) );
833#else
834 ((void) ssl);
835 return( 0 );
836#endif
837}
838
839static int ssl_tls13_determine_key_exchange_mode( mbedtls_ssl_context *ssl )
840{
841 /*
842 * Determine the key exchange algorithm to use.
843 * There are three types of key exchanges supported in TLS 1.3:
844 * - (EC)DH with ECDSA,
845 * - (EC)DH with PSK,
846 * - plain PSK.
847 *
848 * The PSK-based key exchanges may additionally be used with 0-RTT.
849 *
850 * Our built-in order of preference is
Jerry Yuce6ed702022-07-22 21:49:53 +0800[diff] [blame]851 * 1 ) (EC)DHE-PSK Mode ( psk_ephemeral )
852 * 2 ) Certificate Mode ( ephemeral )
853 * 3 ) Plain PSK Mode ( psk )
Jerry Yu77f01482022-07-11 07:03:24 +0000[diff] [blame]854 */
855
856 ssl->handshake->key_exchange_mode = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_NONE;
857
Jerry Yu77f01482022-07-11 07:03:24 +0000[diff] [blame]858 if( ssl_tls13_check_psk_ephemeral_key_exchange( ssl ) )
859 {
860 ssl->handshake->key_exchange_mode =
861 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL;
862 MBEDTLS_SSL_DEBUG_MSG( 2, ( "key exchange mode: psk_ephemeral" ) );
863 }
864 else
865 if( ssl_tls13_check_ephemeral_key_exchange( ssl ) )
866 {
867 ssl->handshake->key_exchange_mode =
868 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL;
869 MBEDTLS_SSL_DEBUG_MSG( 2, ( "key exchange mode: ephemeral" ) );
870 }
871 else
Jerry Yuce6ed702022-07-22 21:49:53 +0800[diff] [blame]872 if( ssl_tls13_check_psk_key_exchange( ssl ) )
873 {
874 ssl->handshake->key_exchange_mode =
875 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK;
876 MBEDTLS_SSL_DEBUG_MSG( 2, ( "key exchange mode: psk" ) );
877 }
878 else
Jerry Yu77f01482022-07-11 07:03:24 +0000[diff] [blame]879 {
880 MBEDTLS_SSL_DEBUG_MSG(
881 1,
882 ( "ClientHello message misses mandatory extensions." ) );
883 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_MISSING_EXTENSION ,
884 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
885 return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
886 }
887
888 return( 0 );
889
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]890}
891
XiaokangQian81802f42022-06-10 13:25:22 +0000[diff] [blame]892#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
893 defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
XiaokangQian23c5be62022-06-07 02:04:34 +0000[diff] [blame]894/*
XiaokangQianfb665a82022-06-15 03:57:21 +0000[diff] [blame]895 * Pick best ( private key, certificate chain ) pair based on the signature
896 * algorithms supported by the client.
XiaokangQian23c5be62022-06-07 02:04:34 +0000[diff] [blame]897 */
Ronald Cronce7d76e2022-07-08 18:56:49 +0200[diff] [blame]898MBEDTLS_CHECK_RETURN_CRITICAL
XiaokangQian07aad072022-06-14 05:35:09 +0000[diff] [blame]899static int ssl_tls13_pick_key_cert( mbedtls_ssl_context *ssl )
XiaokangQian23c5be62022-06-07 02:04:34 +0000[diff] [blame]900{
XiaokangQianfb665a82022-06-15 03:57:21 +0000[diff] [blame]901 mbedtls_ssl_key_cert *key_cert, *key_cert_list;
XiaokangQian81802f42022-06-10 13:25:22 +0000[diff] [blame]902 const uint16_t *sig_alg = ssl->handshake->received_sig_algs;
XiaokangQian23c5be62022-06-07 02:04:34 +0000[diff] [blame]903
904#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
905 if( ssl->handshake->sni_key_cert != NULL )
XiaokangQianfb665a82022-06-15 03:57:21 +0000[diff] [blame]906 key_cert_list = ssl->handshake->sni_key_cert;
XiaokangQian23c5be62022-06-07 02:04:34 +0000[diff] [blame]907 else
908#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
XiaokangQianfb665a82022-06-15 03:57:21 +0000[diff] [blame]909 key_cert_list = ssl->conf->key_cert;
XiaokangQian23c5be62022-06-07 02:04:34 +0000[diff] [blame]910
XiaokangQianfb665a82022-06-15 03:57:21 +0000[diff] [blame]911 if( key_cert_list == NULL )
XiaokangQian23c5be62022-06-07 02:04:34 +0000[diff] [blame]912 {
913 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server has no certificate" ) );
914 return( -1 );
915 }
916
XiaokangQian81802f42022-06-10 13:25:22 +0000[diff] [blame]917 for( ; *sig_alg != MBEDTLS_TLS1_3_SIG_NONE; sig_alg++ )
XiaokangQian23c5be62022-06-07 02:04:34 +0000[diff] [blame]918 {
XiaokangQianfb665a82022-06-15 03:57:21 +0000[diff] [blame]919 for( key_cert = key_cert_list; key_cert != NULL;
920 key_cert = key_cert->next )
XiaokangQian23c5be62022-06-07 02:04:34 +0000[diff] [blame]921 {
XiaokangQianfb665a82022-06-15 03:57:21 +0000[diff] [blame]922 MBEDTLS_SSL_DEBUG_CRT( 3, "certificate (chain) candidate",
923 key_cert->cert );
XiaokangQian81802f42022-06-10 13:25:22 +0000[diff] [blame]924
925 /*
926 * This avoids sending the client a cert it'll reject based on
927 * keyUsage or other extensions.
928 */
929 if( mbedtls_x509_crt_check_key_usage(
XiaokangQianfb665a82022-06-15 03:57:21 +0000[diff] [blame]930 key_cert->cert, MBEDTLS_X509_KU_DIGITAL_SIGNATURE ) != 0 ||
XiaokangQian81802f42022-06-10 13:25:22 +0000[diff] [blame]931 mbedtls_x509_crt_check_extended_key_usage(
XiaokangQianfb665a82022-06-15 03:57:21 +0000[diff] [blame]932 key_cert->cert, MBEDTLS_OID_SERVER_AUTH,
933 MBEDTLS_OID_SIZE( MBEDTLS_OID_SERVER_AUTH ) ) != 0 )
XiaokangQian81802f42022-06-10 13:25:22 +0000[diff] [blame]934 {
935 MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate mismatch: "
XiaokangQianfb665a82022-06-15 03:57:21 +0000[diff] [blame]936 "(extended) key usage extension" ) );
XiaokangQian81802f42022-06-10 13:25:22 +0000[diff] [blame]937 continue;
938 }
XiaokangQian23c5be62022-06-07 02:04:34 +0000[diff] [blame]939
Jerry Yucc539102022-06-27 16:27:35 +0800[diff] [blame]940 MBEDTLS_SSL_DEBUG_MSG( 3,
941 ( "ssl_tls13_pick_key_cert:"
942 "check signature algorithm %s [%04x]",
943 mbedtls_ssl_sig_alg_to_str( *sig_alg ),
944 *sig_alg ) );
Jerry Yufb526692022-06-19 11:22:49 +0800[diff] [blame]945 if( mbedtls_ssl_tls13_check_sig_alg_cert_key_match(
Jerry Yud099cf02022-06-19 13:47:00 +0800[diff] [blame]946 *sig_alg, &key_cert->cert->pk ) )
XiaokangQian81802f42022-06-10 13:25:22 +0000[diff] [blame]947 {
XiaokangQianfb665a82022-06-15 03:57:21 +0000[diff] [blame]948 ssl->handshake->key_cert = key_cert;
Jerry Yucc539102022-06-27 16:27:35 +0800[diff] [blame]949 MBEDTLS_SSL_DEBUG_MSG( 3,
950 ( "ssl_tls13_pick_key_cert:"
951 "selected signature algorithm"
952 " %s [%04x]",
953 mbedtls_ssl_sig_alg_to_str( *sig_alg ),
954 *sig_alg ) );
XiaokangQianfb665a82022-06-15 03:57:21 +0000[diff] [blame]955 MBEDTLS_SSL_DEBUG_CRT(
XiaokangQian75fe8c72022-06-15 09:42:45 +0000[diff] [blame]956 3, "selected certificate (chain)",
XiaokangQianfb665a82022-06-15 03:57:21 +0000[diff] [blame]957 ssl->handshake->key_cert->cert );
XiaokangQian81802f42022-06-10 13:25:22 +0000[diff] [blame]958 return( 0 );
959 }
XiaokangQian81802f42022-06-10 13:25:22 +0000[diff] [blame]960 }
XiaokangQian23c5be62022-06-07 02:04:34 +0000[diff] [blame]961 }
962
Jerry Yu9d3e2fa2022-06-27 22:14:01 +0800[diff] [blame]963 MBEDTLS_SSL_DEBUG_MSG( 2, ( "ssl_tls13_pick_key_cert:"
964 "no suitable certificate found" ) );
XiaokangQian23c5be62022-06-07 02:04:34 +0000[diff] [blame]965 return( -1 );
966}
XiaokangQian81802f42022-06-10 13:25:22 +0000[diff] [blame]967#endif /* MBEDTLS_X509_CRT_PARSE_C &&
968 MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
XiaokangQian23c5be62022-06-07 02:04:34 +0000[diff] [blame]969
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]970/*
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]971 *
972 * STATE HANDLING: ClientHello
973 *
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]974 * There are three possible classes of outcomes when parsing the ClientHello:
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]975 *
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]976 * 1) The ClientHello was well-formed and matched the server's configuration.
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]977 *
978 * In this case, the server progresses to sending its ServerHello.
979 *
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]980 * 2) The ClientHello was well-formed but didn't match the server's
981 * configuration.
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]982 *
983 * For example, the client might not have offered a key share which
984 * the server supports, or the server might require a cookie.
985 *
986 * In this case, the server sends a HelloRetryRequest.
987 *
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]988 * 3) The ClientHello was ill-formed
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]989 *
990 * In this case, we abort the handshake.
991 *
992 */
993
994/*
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]995 * Structure of this message:
996 *
XiaokangQiane8ff3502022-04-22 02:34:40 +0000[diff] [blame]997 * uint16 ProtocolVersion;
998 * opaque Random[32];
999 * uint8 CipherSuite[2]; // Cryptographic suite selector
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]1000 *
XiaokangQiane8ff3502022-04-22 02:34:40 +0000[diff] [blame]1001 * struct {
1002 * ProtocolVersion legacy_version = 0x0303; // TLS v1.2
1003 * Random random;
1004 * opaque legacy_session_id<0..32>;
1005 * CipherSuite cipher_suites<2..2^16-2>;
1006 * opaque legacy_compression_methods<1..2^8-1>;
1007 * Extension extensions<8..2^16-1>;
1008 * } ClientHello;
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]1009 */
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]1010
1011#define SSL_CLIENT_HELLO_OK 0
1012#define SSL_CLIENT_HELLO_HRR_REQUIRED 1
1013
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1014MBEDTLS_CHECK_RETURN_CRITICAL
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]1015static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl,
1016 const unsigned char *buf,
1017 const unsigned char *end )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1018{
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]1019 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1020 const unsigned char *p = buf;
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]1021 size_t legacy_session_id_len;
XiaokangQian318dc762022-04-20 09:43:51 +0000[diff] [blame]1022 size_t cipher_suites_len;
XiaokangQian060d8672022-04-21 09:24:56 +0000[diff] [blame]1023 const unsigned char *cipher_suites_end;
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]1024 size_t extensions_len;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1025 const unsigned char *extensions_end;
Jerry Yu49ca9282022-05-05 11:05:22 +0800[diff] [blame]1026 int hrr_required = 0;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1027
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]1028#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]1029 const unsigned char *cipher_suites;
Jerry Yu29d9faa2022-08-23 17:52:45 +0800[diff] [blame]1030 const unsigned char *pre_shared_key_ext = NULL;
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]1031 const unsigned char *pre_shared_key_ext_end = NULL;
1032#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1033
1034 ssl->handshake->extensions_present = MBEDTLS_SSL_EXT_NONE;
1035
1036 /*
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]1037 * ClientHello layout:
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1038 * 0 . 1 protocol version
XiaokangQiane8ff3502022-04-22 02:34:40 +0000[diff] [blame]1039 * 2 . 33 random bytes
XiaokangQianc5763b52022-04-02 03:34:37 +0000[diff] [blame]1040 * 34 . 34 session id length ( 1 byte )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1041 * 35 . 34+x session id
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1042 * .. . .. ciphersuite list length ( 2 bytes )
1043 * .. . .. ciphersuite list
1044 * .. . .. compression alg. list length ( 1 byte )
1045 * .. . .. compression alg. list
1046 * .. . .. extensions length ( 2 bytes, optional )
1047 * .. . .. extensions ( optional )
1048 */
1049
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]1050 /*
bootstrap-prime6dbbf442022-05-17 19:30:44 -0400[diff] [blame]1051 * Minimal length ( with everything empty and extensions omitted ) is
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1052 * 2 + 32 + 1 + 2 + 1 = 38 bytes. Check that first, so that we can
1053 * read at least up to session id length without worrying.
1054 */
1055 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 38 );
1056
1057 /* ...
1058 * ProtocolVersion legacy_version = 0x0303; // TLS 1.2
1059 * ...
1060 * with ProtocolVersion defined as:
1061 * uint16 ProtocolVersion;
1062 */
XiaokangQiande333912022-04-20 08:49:42 +0000[diff] [blame]1063 if( mbedtls_ssl_read_version( p, ssl->conf->transport ) !=
1064 MBEDTLS_SSL_VERSION_TLS1_2 )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1065 {
1066 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Unsupported version of TLS." ) );
1067 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION,
1068 MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION );
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]1069 return ( MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1070 }
1071 p += 2;
1072
1073 /*
XiaokangQianf8ceb942022-04-15 11:43:27 +0000[diff] [blame]1074 * Only support TLS 1.3 currently, temporarily set the version.
1075 */
XiaokangQiande333912022-04-20 08:49:42 +0000[diff] [blame]1076 ssl->tls_version = MBEDTLS_SSL_VERSION_TLS1_3;
XiaokangQianf8ceb942022-04-15 11:43:27 +0000[diff] [blame]1077
Jerry Yue67bef42022-07-07 07:29:42 +0000[diff] [blame]1078#if defined(MBEDTLS_SSL_SESSION_TICKETS)
1079 /* Store minor version for later use with ticket serialization. */
1080 ssl->session_negotiate->tls_version = MBEDTLS_SSL_VERSION_TLS1_3;
Jerry Yua66fece2022-07-13 14:30:29 +0800[diff] [blame]1081 ssl->session_negotiate->endpoint = ssl->conf->endpoint;
Jerry Yufca4d572022-07-21 10:37:48 +0800[diff] [blame]1082#endif
Jerry Yue67bef42022-07-07 07:29:42 +0000[diff] [blame]1083
Jerry Yuc1be19f2022-04-23 16:11:39 +0800[diff] [blame]1084 /* ...
1085 * Random random;
1086 * ...
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]1087 * with Random defined as:
1088 * opaque Random[32];
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1089 */
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]1090 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, random bytes",
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]1091 p, MBEDTLS_CLIENT_HELLO_RANDOM_LEN );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1092
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]1093 memcpy( &ssl->handshake->randbytes[0], p, MBEDTLS_CLIENT_HELLO_RANDOM_LEN );
1094 p += MBEDTLS_CLIENT_HELLO_RANDOM_LEN;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1095
Jerry Yuc1be19f2022-04-23 16:11:39 +0800[diff] [blame]1096 /* ...
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]1097 * opaque legacy_session_id<0..32>;
Jerry Yuc1be19f2022-04-23 16:11:39 +0800[diff] [blame]1098 * ...
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1099 */
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]1100 legacy_session_id_len = p[0];
XiaokangQianc5763b52022-04-02 03:34:37 +0000[diff] [blame]1101 p++;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1102
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]1103 if( legacy_session_id_len > sizeof( ssl->session_negotiate->id ) )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1104 {
1105 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1106 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
1107 }
1108
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]1109 ssl->session_negotiate->id_len = legacy_session_id_len;
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]1110 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, session id",
XiaokangQiane8ff3502022-04-22 02:34:40 +0000[diff] [blame]1111 p, legacy_session_id_len );
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]1112 /*
1113 * Check we have enough data for the legacy session identifier
Jerry Yue95c8af2022-07-26 15:48:20 +0800[diff] [blame]1114 * and the ciphersuite list length.
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]1115 */
1116 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, legacy_session_id_len + 2 );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1117
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]1118 memcpy( &ssl->session_negotiate->id[0], p, legacy_session_id_len );
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]1119 p += legacy_session_id_len;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1120
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1121 cipher_suites_len = MBEDTLS_GET_UINT16_BE( p, 0 );
1122 p += 2;
1123
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]1124 /* Check we have enough data for the ciphersuite list, the legacy
1125 * compression methods and the length of the extensions.
Jerry Yue95c8af2022-07-26 15:48:20 +0800[diff] [blame]1126 *
1127 * cipher_suites cipher_suites_len bytes
1128 * legacy_compression_methods 2 bytes
1129 * extensions_len 2 bytes
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]1130 */
1131 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, cipher_suites_len + 2 + 2 );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1132
Jerry Yu24b8c812022-08-20 19:06:56 +0800[diff] [blame]1133 /* ...
1134 * CipherSuite cipher_suites<2..2^16-2>;
1135 * ...
1136 * with CipherSuite defined as:
1137 * uint8 CipherSuite[2];
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]1138 */
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]1139#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
XiaokangQian060d8672022-04-21 09:24:56 +0000[diff] [blame]1140 cipher_suites = p;
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]1141#endif
XiaokangQian060d8672022-04-21 09:24:56 +0000[diff] [blame]1142 cipher_suites_end = p + cipher_suites_len;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1143 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist",
1144 p, cipher_suites_len );
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]1145
1146 /*
1147 * Search for a matching ciphersuite
1148 */
XiaokangQian060d8672022-04-21 09:24:56 +0000[diff] [blame]1149 for ( ; p < cipher_suites_end; p += 2 )
XiaokangQian17f974c2022-04-19 09:57:41 +0000[diff] [blame]1150 {
XiaokangQiane8ff3502022-04-22 02:34:40 +0000[diff] [blame]1151 uint16_t cipher_suite;
Jerry Yue95c8af2022-07-26 15:48:20 +0800[diff] [blame]1152 const mbedtls_ssl_ciphersuite_t* ciphersuite_info;
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]1153
XiaokangQiane8ff3502022-04-22 02:34:40 +0000[diff] [blame]1154 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, cipher_suites_end, 2 );
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]1155
XiaokangQiane8ff3502022-04-22 02:34:40 +0000[diff] [blame]1156 cipher_suite = MBEDTLS_GET_UINT16_BE( p, 0 );
Jerry Yudd1bef72022-08-23 17:57:02 +0800[diff] [blame^]1157 ciphersuite_info = ssl_tls13_get_ciphersuite_info_by_id(
1158 ssl,cipher_suite );
1159 if( ciphersuite_info == NULL )
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]1160 continue;
1161
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]1162 ssl->session_negotiate->ciphersuite = cipher_suite;
1163 ssl->handshake->ciphersuite_info = ciphersuite_info;
1164 MBEDTLS_SSL_DEBUG_MSG( 2, ( "selected ciphersuite: %04x - %s",
Jerry Yue95c8af2022-07-26 15:48:20 +0800[diff] [blame]1165 cipher_suite,
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]1166 ciphersuite_info->name ) );
XiaokangQian17f974c2022-04-19 09:57:41 +0000[diff] [blame]1167 }
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]1168
1169 if( ssl->handshake->ciphersuite_info == NULL )
1170 {
1171 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
1172 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
1173 return ( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
1174 }
Jerry Yuc1be19f2022-04-23 16:11:39 +0800[diff] [blame]1175
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]1176 /* ...
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]1177 * opaque legacy_compression_methods<1..2^8-1>;
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]1178 * ...
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1179 */
XiaokangQian0a1b54e2022-04-21 03:01:38 +0000[diff] [blame]1180 if( p[0] != 1 || p[1] != MBEDTLS_SSL_COMPRESS_NULL )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1181 {
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]1182 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad legacy compression method" ) );
1183 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
1184 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
1185 return ( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1186 }
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]1187 p += 2;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1188
Jerry Yuc1be19f2022-04-23 16:11:39 +0800[diff] [blame]1189 /* ...
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]1190 * Extension extensions<8..2^16-1>;
Jerry Yuc1be19f2022-04-23 16:11:39 +0800[diff] [blame]1191 * ...
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]1192 * with Extension defined as:
1193 * struct {
1194 * ExtensionType extension_type;
1195 * opaque extension_data<0..2^16-1>;
1196 * } Extension;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1197 */
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]1198 extensions_len = MBEDTLS_GET_UINT16_BE( p, 0 );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1199 p += 2;
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]1200 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, extensions_len );
XiaokangQiane8ff3502022-04-22 02:34:40 +0000[diff] [blame]1201 extensions_end = p + extensions_len;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1202
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]1203 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello extensions", p, extensions_len );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1204
1205 while( p < extensions_end )
1206 {
1207 unsigned int extension_type;
1208 size_t extension_data_len;
1209 const unsigned char *extension_data_end;
1210
Jerry Yu1c9247c2022-07-21 12:37:39 +0800[diff] [blame]1211 /* RFC 8446, page 57
1212 *
1213 * The "pre_shared_key" extension MUST be the last extension in the
1214 * ClientHello (this facilitates implementation as described below).
1215 * Servers MUST check that it is the last extension and otherwise fail
1216 * the handshake with an "illegal_parameter" alert.
1217 */
1218 if( ssl->handshake->extensions_present & MBEDTLS_SSL_EXT_PRE_SHARED_KEY )
1219 {
1220 MBEDTLS_SSL_DEBUG_MSG(
1221 3, ( "pre_shared_key is not last extension." ) );
1222 MBEDTLS_SSL_PEND_FATAL_ALERT(
1223 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
1224 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
1225 return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
1226 }
1227
XiaokangQian318dc762022-04-20 09:43:51 +0000[diff] [blame]1228 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, 4 );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1229 extension_type = MBEDTLS_GET_UINT16_BE( p, 0 );
1230 extension_data_len = MBEDTLS_GET_UINT16_BE( p, 2 );
1231 p += 4;
1232
1233 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, extension_data_len );
1234 extension_data_end = p + extension_data_len;
1235
1236 switch( extension_type )
1237 {
XiaokangQian40a35232022-05-07 09:02:40 +0000[diff] [blame]1238#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
1239 case MBEDTLS_TLS_EXT_SERVERNAME:
1240 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found ServerName extension" ) );
XiaokangQian9b2b7712022-05-17 02:57:00 +0000[diff] [blame]1241 ret = mbedtls_ssl_parse_server_name_ext( ssl, p,
1242 extension_data_end );
XiaokangQian40a35232022-05-07 09:02:40 +0000[diff] [blame]1243 if( ret != 0 )
1244 {
1245 MBEDTLS_SSL_DEBUG_RET(
1246 1, "mbedtls_ssl_parse_servername_ext", ret );
1247 return( ret );
1248 }
1249 ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_SERVERNAME;
1250 break;
1251#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
1252
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]1253#if defined(MBEDTLS_ECDH_C)
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1254 case MBEDTLS_TLS_EXT_SUPPORTED_GROUPS:
1255 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported group extension" ) );
1256
1257 /* Supported Groups Extension
1258 *
1259 * When sent by the client, the "supported_groups" extension
1260 * indicates the named groups which the client supports,
1261 * ordered from most preferred to least preferred.
1262 */
Jerry Yuc1be19f2022-04-23 16:11:39 +0800[diff] [blame]1263 ret = ssl_tls13_parse_supported_groups_ext(
1264 ssl, p, extension_data_end );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1265 if( ret != 0 )
1266 {
1267 MBEDTLS_SSL_DEBUG_RET( 1,
1268 "mbedtls_ssl_parse_supported_groups_ext", ret );
1269 return( ret );
1270 }
1271
1272 ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_SUPPORTED_GROUPS;
1273 break;
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]1274#endif /* MBEDTLS_ECDH_C */
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1275
XiaokangQian88408882022-04-02 10:15:03 +0000[diff] [blame]1276#if defined(MBEDTLS_ECDH_C)
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1277 case MBEDTLS_TLS_EXT_KEY_SHARE:
1278 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found key share extension" ) );
1279
1280 /*
1281 * Key Share Extension
1282 *
1283 * When sent by the client, the "key_share" extension
1284 * contains the endpoint's cryptographic parameters for
1285 * ECDHE/DHE key establishment methods.
1286 */
Jerry Yuc1be19f2022-04-23 16:11:39 +0800[diff] [blame]1287 ret = ssl_tls13_parse_key_shares_ext(
1288 ssl, p, extension_data_end );
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]1289 if( ret == SSL_TLS1_3_PARSE_KEY_SHARES_EXT_NO_MATCH )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1290 {
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]1291 MBEDTLS_SSL_DEBUG_MSG( 2, ( "HRR needed " ) );
Jerry Yu49ca9282022-05-05 11:05:22 +0800[diff] [blame]1292 hrr_required = 1;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1293 }
1294
Jerry Yu582dd062022-04-22 21:59:01 +0800[diff] [blame]1295 if( ret < 0 )
1296 {
1297 MBEDTLS_SSL_DEBUG_RET(
1298 1, "ssl_tls13_parse_key_shares_ext", ret );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1299 return( ret );
Jerry Yu582dd062022-04-22 21:59:01 +0800[diff] [blame]1300 }
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1301
1302 ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_KEY_SHARE;
1303 break;
XiaokangQian88408882022-04-02 10:15:03 +0000[diff] [blame]1304#endif /* MBEDTLS_ECDH_C */
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1305
1306 case MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS:
1307 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported versions extension" ) );
1308
1309 ret = ssl_tls13_parse_supported_versions_ext(
Jerry Yuc1be19f2022-04-23 16:11:39 +0800[diff] [blame]1310 ssl, p, extension_data_end );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1311 if( ret != 0 )
1312 {
1313 MBEDTLS_SSL_DEBUG_RET( 1,
1314 ( "ssl_tls13_parse_supported_versions_ext" ), ret );
1315 return( ret );
1316 }
1317 ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_SUPPORTED_VERSIONS;
1318 break;
1319
Jerry Yue19e3b92022-07-08 12:04:51 +0000[diff] [blame]1320#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
1321 case MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES:
1322 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found psk key exchange modes extension" ) );
1323
1324 ret = ssl_tls13_parse_key_exchange_modes_ext(
1325 ssl, p, extension_data_end );
1326 if( ret != 0 )
1327 {
1328 MBEDTLS_SSL_DEBUG_RET(
1329 1, "ssl_tls13_parse_key_exchange_modes_ext", ret );
1330 return( ret );
1331 }
1332
1333 ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_PSK_KEY_EXCHANGE_MODES;
1334 break;
1335#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
1336
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]1337 case MBEDTLS_TLS_EXT_PRE_SHARED_KEY:
1338 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found pre_shared_key extension" ) );
Jerry Yu13ab81d2022-07-22 23:17:11 +0800[diff] [blame]1339 if( ( ssl->handshake->extensions_present &
1340 MBEDTLS_SSL_EXT_PSK_KEY_EXCHANGE_MODES ) == 0 )
1341 {
1342 MBEDTLS_SSL_PEND_FATAL_ALERT(
1343 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
1344 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
1345 return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
1346 }
Jerry Yu1c9247c2022-07-21 12:37:39 +0800[diff] [blame]1347#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]1348 /* Delay processing of the PSK identity once we have
1349 * found out which algorithms to use. We keep a pointer
1350 * to the buffer and the size for later processing.
1351 */
Jerry Yu29d9faa2022-08-23 17:52:45 +0800[diff] [blame]1352 pre_shared_key_ext = p;
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]1353 pre_shared_key_ext_end = extension_data_end;
Jerry Yu1c9247c2022-07-21 12:37:39 +0800[diff] [blame]1354#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]1355 ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_PRE_SHARED_KEY;
1356 break;
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]1357
XiaokangQianacb39922022-06-17 10:18:48 +0000[diff] [blame]1358#if defined(MBEDTLS_SSL_ALPN)
1359 case MBEDTLS_TLS_EXT_ALPN:
1360 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found alpn extension" ) );
1361
1362 ret = mbedtls_ssl_parse_alpn_ext( ssl, p, extension_data_end );
1363 if( ret != 0 )
1364 {
1365 MBEDTLS_SSL_DEBUG_RET(
1366 1, ( "mbedtls_ssl_parse_alpn_ext" ), ret );
1367 return( ret );
1368 }
1369 ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_ALPN;
1370 break;
1371#endif /* MBEDTLS_SSL_ALPN */
1372
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1373#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
1374 case MBEDTLS_TLS_EXT_SIG_ALG:
1375 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found signature_algorithms extension" ) );
1376
Gabor Mezei078e8032022-04-27 21:17:56 +0200[diff] [blame]1377 ret = mbedtls_ssl_parse_sig_alg_ext(
Jerry Yuc1be19f2022-04-23 16:11:39 +0800[diff] [blame]1378 ssl, p, extension_data_end );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1379 if( ret != 0 )
1380 {
1381 MBEDTLS_SSL_DEBUG_MSG( 1,
1382 ( "ssl_parse_supported_signature_algorithms_server_ext ( %d )",
1383 ret ) );
1384 return( ret );
1385 }
1386 ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_SIG_ALG;
1387 break;
1388#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
1389
1390 default:
1391 MBEDTLS_SSL_DEBUG_MSG( 3,
1392 ( "unknown extension found: %ud ( ignoring )",
1393 extension_type ) );
1394 }
1395
1396 p += extension_data_len;
1397 }
1398
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]1399#if defined(MBEDTLS_DEBUG_C)
1400 /* List all the extensions we have received */
1401 ssl_tls13_debug_print_client_hello_exts( ssl );
1402#endif /* MBEDTLS_DEBUG_C */
1403
1404 mbedtls_ssl_add_hs_hdr_to_checksum( ssl,
1405 MBEDTLS_SSL_HS_CLIENT_HELLO,
1406 p - buf );
Jerry Yu032b15ce2022-07-11 06:10:03 +0000[diff] [blame]1407
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]1408#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1409 /* Update checksum with either
1410 * - The entire content of the CH message, if no PSK extension is present
1411 * - The content up to but excluding the PSK extension, if present.
1412 */
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]1413 /* If we've settled on a PSK-based exchange, parse PSK identity ext */
Jerry Yuba9b6e92022-07-22 21:35:18 +0800[diff] [blame]1414 if( mbedtls_ssl_tls13_some_psk_enabled( ssl ) &&
Jerry Yu32e13702022-07-29 13:04:08 +0800[diff] [blame]1415 mbedtls_ssl_conf_tls13_some_psk_enabled( ssl ) &&
Jerry Yuba9b6e92022-07-22 21:35:18 +0800[diff] [blame]1416 ( ssl->handshake->extensions_present & MBEDTLS_SSL_EXT_PRE_SHARED_KEY ) )
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]1417 {
1418 ssl->handshake->update_checksum( ssl, buf,
Jerry Yu29d9faa2022-08-23 17:52:45 +0800[diff] [blame]1419 pre_shared_key_ext - buf );
Jerry Yubb852022022-07-20 21:10:44 +0800[diff] [blame]1420 ret = ssl_tls13_parse_pre_shared_key_ext( ssl,
Jerry Yu29d9faa2022-08-23 17:52:45 +0800[diff] [blame]1421 pre_shared_key_ext,
Jerry Yue95c8af2022-07-26 15:48:20 +0800[diff] [blame]1422 pre_shared_key_ext_end,
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]1423 cipher_suites,
1424 cipher_suites_end );
Jerry Yue9d4fc02022-08-20 19:21:15 +0800[diff] [blame]1425 if( ret == MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY )
Jerry Yuba9b6e92022-07-22 21:35:18 +0800[diff] [blame]1426 {
1427 ssl->handshake->extensions_present &= ~MBEDTLS_SSL_EXT_PRE_SHARED_KEY;
Jerry Yu6f1db3f2022-07-22 23:05:59 +0800[diff] [blame]1428 }
1429 else if( ret != 0 )
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]1430 {
Jerry Yubb852022022-07-20 21:10:44 +0800[diff] [blame]1431 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_tls13_parse_pre_shared_key_ext" ),
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]1432 ret );
1433 return( ret );
1434 }
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]1435 }
1436 else
1437#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
1438 {
1439 ssl->handshake->update_checksum( ssl, buf, p - buf );
1440 }
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1441
Jerry Yuba9b6e92022-07-22 21:35:18 +0800[diff] [blame]1442 ret = ssl_tls13_determine_key_exchange_mode( ssl );
1443 if( ret < 0 )
1444 return( ret );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1445
XiaokangQian75fe8c72022-06-15 09:42:45 +0000[diff] [blame]1446 return( hrr_required ? SSL_CLIENT_HELLO_HRR_REQUIRED : SSL_CLIENT_HELLO_OK );
1447}
1448
1449/* Update the handshake state machine */
1450
Ronald Cronce7d76e2022-07-08 18:56:49 +0200[diff] [blame]1451MBEDTLS_CHECK_RETURN_CRITICAL
XiaokangQian75fe8c72022-06-15 09:42:45 +0000[diff] [blame]1452static int ssl_tls13_postprocess_client_hello( mbedtls_ssl_context* ssl )
1453{
1454 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1455
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1456 /*
XiaokangQianfb665a82022-06-15 03:57:21 +0000[diff] [blame]1457 * Server certificate selection
1458 */
1459 if( ssl->conf->f_cert_cb && ( ret = ssl->conf->f_cert_cb( ssl ) ) != 0 )
1460 {
1461 MBEDTLS_SSL_DEBUG_RET( 1, "f_cert_cb", ret );
1462 return( ret );
1463 }
1464#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
1465 ssl->handshake->sni_name = NULL;
1466 ssl->handshake->sni_name_len = 0;
1467#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1468
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1469 ret = mbedtls_ssl_tls13_key_schedule_stage_early( ssl );
1470 if( ret != 0 )
1471 {
1472 MBEDTLS_SSL_DEBUG_RET( 1,
1473 "mbedtls_ssl_tls1_3_key_schedule_stage_early", ret );
1474 return( ret );
1475 }
1476
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1477 return( 0 );
1478
1479}
1480
1481/*
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]1482 * Main entry point from the state machine; orchestrates the otherfunctions.
1483 */
1484
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1485MBEDTLS_CHECK_RETURN_CRITICAL
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]1486static int ssl_tls13_process_client_hello( mbedtls_ssl_context *ssl )
1487{
1488
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]1489 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]1490 unsigned char* buf = NULL;
1491 size_t buflen = 0;
Jerry Yu4ca91402022-05-09 15:50:57 +0800[diff] [blame]1492 int parse_client_hello_ret;
1493
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]1494 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse client hello" ) );
1495
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]1496 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_fetch_handshake_msg(
1497 ssl, MBEDTLS_SSL_HS_CLIENT_HELLO,
1498 &buf, &buflen ) );
1499
1500 MBEDTLS_SSL_PROC_CHK_NEG( ssl_tls13_parse_client_hello( ssl, buf,
1501 buf + buflen ) );
Jerry Yuf41553b2022-05-09 22:20:30 +0800[diff] [blame]1502 parse_client_hello_ret = ret; /* Store return value of parse_client_hello,
1503 * only SSL_CLIENT_HELLO_OK or
1504 * SSL_CLIENT_HELLO_HRR_REQUIRED at this
1505 * stage as negative error codes are handled
1506 * by MBEDTLS_SSL_PROC_CHK_NEG. */
Jerry Yu4ca91402022-05-09 15:50:57 +0800[diff] [blame]1507
XiaokangQiancfd925f2022-04-14 07:10:37 +0000[diff] [blame]1508 MBEDTLS_SSL_PROC_CHK( ssl_tls13_postprocess_client_hello( ssl ) );
Jerry Yu582dd062022-04-22 21:59:01 +0800[diff] [blame]1509
Jerry Yu4ca91402022-05-09 15:50:57 +0800[diff] [blame]1510 if( parse_client_hello_ret == SSL_CLIENT_HELLO_OK )
1511 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_HELLO );
1512 else
1513 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_HELLO_RETRY_REQUEST );
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]1514
1515cleanup:
1516
1517 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse client hello" ) );
1518 return( ret );
1519}
1520
1521/*
Jerry Yu1c3e6882022-04-20 21:23:40 +0800[diff] [blame]1522 * Handler for MBEDTLS_SSL_SERVER_HELLO
Jerry Yu5b64ae92022-03-30 17:15:02 +0800[diff] [blame]1523 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1524MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yuf4b27e42022-03-30 17:32:21 +0800[diff] [blame]1525static int ssl_tls13_prepare_server_hello( mbedtls_ssl_context *ssl )
1526{
Jerry Yu637a3f12022-04-20 21:37:58 +0800[diff] [blame]1527 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1528 unsigned char *server_randbytes =
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1529 ssl->handshake->randbytes + MBEDTLS_CLIENT_HELLO_RANDOM_LEN;
Jerry Yuf4b27e42022-03-30 17:32:21 +0800[diff] [blame]1530 if( ssl->conf->f_rng == NULL )
1531 {
1532 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no RNG provided" ) );
1533 return( MBEDTLS_ERR_SSL_NO_RNG );
1534 }
1535
Jerry Yu637a3f12022-04-20 21:37:58 +0800[diff] [blame]1536 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, server_randbytes,
Jerry Yuf4b27e42022-03-30 17:32:21 +0800[diff] [blame]1537 MBEDTLS_SERVER_HELLO_RANDOM_LEN ) ) != 0 )
1538 {
1539 MBEDTLS_SSL_DEBUG_RET( 1, "f_rng", ret );
1540 return( ret );
1541 }
1542
Jerry Yu637a3f12022-04-20 21:37:58 +0800[diff] [blame]1543 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, random bytes", server_randbytes,
Jerry Yuf4b27e42022-03-30 17:32:21 +0800[diff] [blame]1544 MBEDTLS_SERVER_HELLO_RANDOM_LEN );
1545
1546#if defined(MBEDTLS_HAVE_TIME)
1547 ssl->session_negotiate->start = time( NULL );
1548#endif /* MBEDTLS_HAVE_TIME */
1549
1550 return( ret );
1551}
1552
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1553/*
Jerry Yue74e04a2022-04-21 09:23:16 +0800[diff] [blame]1554 * ssl_tls13_write_server_hello_supported_versions_ext ():
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1555 *
1556 * struct {
Jerry Yufb9f54d2022-04-06 10:08:34 +0800[diff] [blame]1557 * ProtocolVersion selected_version;
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1558 * } SupportedVersions;
1559 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1560MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yue74e04a2022-04-21 09:23:16 +0800[diff] [blame]1561static int ssl_tls13_write_server_hello_supported_versions_ext(
1562 mbedtls_ssl_context *ssl,
1563 unsigned char *buf,
1564 unsigned char *end,
1565 size_t *out_len )
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1566{
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1567 *out_len = 0;
1568
Jerry Yu955ddd72022-04-22 22:27:33 +0800[diff] [blame]1569 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, write selected version" ) );
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1570
1571 /* Check if we have space to write the extension:
1572 * - extension_type (2 bytes)
1573 * - extension_data_length (2 bytes)
Jerry Yu349a6132022-04-14 20:52:56 +0800[diff] [blame]1574 * - selected_version (2 bytes)
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1575 */
Jerry Yu349a6132022-04-14 20:52:56 +0800[diff] [blame]1576 MBEDTLS_SSL_CHK_BUF_PTR( buf, end, 6 );
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1577
Jerry Yu349a6132022-04-14 20:52:56 +0800[diff] [blame]1578 MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS, buf, 0 );
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1579
Jerry Yu349a6132022-04-14 20:52:56 +0800[diff] [blame]1580 MBEDTLS_PUT_UINT16_BE( 2, buf, 2 );
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1581
Jerry Yu349a6132022-04-14 20:52:56 +0800[diff] [blame]1582 mbedtls_ssl_write_version( buf + 4,
1583 ssl->conf->transport,
1584 ssl->tls_version );
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1585
1586 MBEDTLS_SSL_DEBUG_MSG( 3, ( "supported version: [%04x]",
1587 ssl->tls_version ) );
1588
Jerry Yu349a6132022-04-14 20:52:56 +0800[diff] [blame]1589 *out_len = 6;
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1590
1591 return( 0 );
1592}
1593
Jerry Yud9436a12022-04-20 22:28:09 +0800[diff] [blame]1594
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1595
1596/* Generate and export a single key share. For hybrid KEMs, this can
1597 * be called multiple times with the different components of the hybrid. */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1598MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yu955ddd72022-04-22 22:27:33 +0800[diff] [blame]1599static int ssl_tls13_generate_and_write_key_share( mbedtls_ssl_context *ssl,
1600 uint16_t named_group,
1601 unsigned char *buf,
1602 unsigned char *end,
1603 size_t *out_len )
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1604{
1605 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yu955ddd72022-04-22 22:27:33 +0800[diff] [blame]1606
1607 *out_len = 0;
1608
Jerry Yu89e103c2022-03-30 22:43:29 +0800[diff] [blame]1609#if defined(MBEDTLS_ECDH_C)
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1610 if( mbedtls_ssl_tls13_named_group_is_ecdhe( named_group ) )
1611 {
Jerry Yu89e103c2022-03-30 22:43:29 +0800[diff] [blame]1612 ret = mbedtls_ssl_tls13_generate_and_write_ecdh_key_exchange(
1613 ssl, named_group, buf, end, out_len );
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1614 if( ret != 0 )
1615 {
Jerry Yu89e103c2022-03-30 22:43:29 +0800[diff] [blame]1616 MBEDTLS_SSL_DEBUG_RET(
1617 1, "mbedtls_ssl_tls13_generate_and_write_ecdh_key_exchange",
1618 ret );
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1619 return( ret );
1620 }
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1621 }
Jerry Yu89e103c2022-03-30 22:43:29 +0800[diff] [blame]1622 else
1623#endif /* MBEDTLS_ECDH_C */
1624 if( 0 /* Other kinds of KEMs */ )
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1625 {
1626 }
1627 else
1628 {
Jerry Yu955ddd72022-04-22 22:27:33 +0800[diff] [blame]1629 ((void) ssl);
1630 ((void) named_group);
1631 ((void) buf);
1632 ((void) end);
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1633 ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
1634 }
1635
1636 return( ret );
1637}
1638
1639/*
1640 * ssl_tls13_write_key_share_ext
1641 *
1642 * Structure of key_share extension in ServerHello:
1643 *
Jerry Yu1c3e6882022-04-20 21:23:40 +0800[diff] [blame]1644 * struct {
1645 * NamedGroup group;
1646 * opaque key_exchange<1..2^16-1>;
1647 * } KeyShareEntry;
1648 * struct {
1649 * KeyShareEntry server_share;
1650 * } KeyShareServerHello;
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1651 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1652MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1653static int ssl_tls13_write_key_share_ext( mbedtls_ssl_context *ssl,
1654 unsigned char *buf,
1655 unsigned char *end,
1656 size_t *out_len )
1657{
Jerry Yu955ddd72022-04-22 22:27:33 +0800[diff] [blame]1658 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1659 unsigned char *p = buf;
Jerry Yu57d48412022-04-20 21:50:42 +0800[diff] [blame]1660 uint16_t group = ssl->handshake->offered_group_id;
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1661 unsigned char *server_share = buf + 4;
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1662 size_t key_exchange_length;
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1663
1664 *out_len = 0;
1665
1666 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding key share extension" ) );
1667
1668 /* Check if we have space for header and length fields:
1669 * - extension_type (2 bytes)
1670 * - extension_data_length (2 bytes)
1671 * - group (2 bytes)
1672 * - key_exchange_length (2 bytes)
1673 */
1674 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 8 );
Jerry Yu57d48412022-04-20 21:50:42 +0800[diff] [blame]1675 MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_KEY_SHARE, p, 0 );
1676 MBEDTLS_PUT_UINT16_BE( group, server_share, 0 );
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1677 p += 8;
Jerry Yu57d48412022-04-20 21:50:42 +0800[diff] [blame]1678
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1679 /* When we introduce PQC-ECDHE hybrids, we'll want to call this
1680 * function multiple times. */
Jerry Yu955ddd72022-04-22 22:27:33 +0800[diff] [blame]1681 ret = ssl_tls13_generate_and_write_key_share(
Jerry Yue65d8012022-04-23 10:34:35 +0800[diff] [blame]1682 ssl, group, server_share + 4, end, &key_exchange_length );
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1683 if( ret != 0 )
1684 return( ret );
1685 p += key_exchange_length;
Jerry Yuc1be19f2022-04-23 16:11:39 +0800[diff] [blame]1686
Jerry Yu955ddd72022-04-22 22:27:33 +0800[diff] [blame]1687 MBEDTLS_PUT_UINT16_BE( key_exchange_length, server_share + 2, 0 );
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1688
Jerry Yu57d48412022-04-20 21:50:42 +0800[diff] [blame]1689 MBEDTLS_PUT_UINT16_BE( p - server_share, buf, 2 );
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1690
Jerry Yu57d48412022-04-20 21:50:42 +0800[diff] [blame]1691 *out_len = p - buf;
Jerry Yu955ddd72022-04-22 22:27:33 +0800[diff] [blame]1692
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1693 return( 0 );
1694}
Jerry Yud9436a12022-04-20 22:28:09 +0800[diff] [blame]1695
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1696MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yu23f7a6f2022-04-23 15:16:45 +0800[diff] [blame]1697static int ssl_tls13_write_hrr_key_share_ext( mbedtls_ssl_context *ssl,
1698 unsigned char *buf,
1699 unsigned char *end,
1700 size_t *out_len )
1701{
1702 uint16_t selected_group = ssl->handshake->hrr_selected_group;
1703 /* key_share Extension
1704 *
1705 * struct {
1706 * select (Handshake.msg_type) {
1707 * ...
1708 * case hello_retry_request:
1709 * NamedGroup selected_group;
1710 * ...
1711 * };
1712 * } KeyShare;
1713 */
1714
1715 *out_len = 0;
1716
Jerry Yub0ac10b2022-05-05 11:10:08 +0800[diff] [blame]1717 /*
1718 * For a pure PSK key exchange, there is no group to agree upon. The purpose
1719 * of the HRR is then to transmit a cookie to force the client to demonstrate
1720 * reachability at their apparent network address (primarily useful for DTLS).
1721 */
Ronald Cron79907712022-07-20 17:05:29 +0200[diff] [blame]1722 if( ! mbedtls_ssl_tls13_key_exchange_mode_with_ephemeral( ssl ) )
Jerry Yu23f7a6f2022-04-23 15:16:45 +0800[diff] [blame]1723 return( 0 );
1724
1725 /* We should only send the key_share extension if the client's initial
1726 * key share was not acceptable. */
1727 if( ssl->handshake->offered_group_id != 0 )
1728 {
1729 MBEDTLS_SSL_DEBUG_MSG( 4, ( "Skip key_share extension in HRR" ) );
1730 return( 0 );
1731 }
1732
1733 if( selected_group == 0 )
1734 {
1735 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no matching named group found" ) );
1736 return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
1737 }
1738
Jerry Yub0ac10b2022-05-05 11:10:08 +0800[diff] [blame]1739 /* Check if we have enough space:
1740 * - extension_type (2 bytes)
1741 * - extension_data_length (2 bytes)
1742 * - selected_group (2 bytes)
1743 */
Ronald Cron154d1b62022-06-01 15:33:26 +0200[diff] [blame]1744 MBEDTLS_SSL_CHK_BUF_PTR( buf, end, 6 );
Jerry Yu23f7a6f2022-04-23 15:16:45 +0800[diff] [blame]1745
Jerry Yu23f7a6f2022-04-23 15:16:45 +0800[diff] [blame]1746 MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_KEY_SHARE, buf, 0 );
Jerry Yu23f7a6f2022-04-23 15:16:45 +0800[diff] [blame]1747 MBEDTLS_PUT_UINT16_BE( 2, buf, 2 );
Jerry Yu23f7a6f2022-04-23 15:16:45 +0800[diff] [blame]1748 MBEDTLS_PUT_UINT16_BE( selected_group, buf, 4 );
1749
1750 MBEDTLS_SSL_DEBUG_MSG( 3,
1751 ( "HRR selected_group: %s (%x)",
1752 mbedtls_ssl_named_group_to_str( selected_group ),
1753 selected_group ) );
1754
1755 *out_len = 6;
Jerry Yu23f7a6f2022-04-23 15:16:45 +0800[diff] [blame]1756
Jerry Yub0ac10b2022-05-05 11:10:08 +0800[diff] [blame]1757 return( 0 );
Jerry Yu23f7a6f2022-04-23 15:16:45 +0800[diff] [blame]1758}
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1759
1760/*
1761 * Structure of ServerHello message:
1762 *
1763 * struct {
1764 * ProtocolVersion legacy_version = 0x0303; // TLS v1.2
1765 * Random random;
1766 * opaque legacy_session_id_echo<0..32>;
1767 * CipherSuite cipher_suite;
1768 * uint8 legacy_compression_method = 0;
1769 * Extension extensions<6..2^16-1>;
1770 * } ServerHello;
1771 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1772MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1773static int ssl_tls13_write_server_hello_body( mbedtls_ssl_context *ssl,
Jerry Yu56404d72022-03-30 17:36:13 +0800[diff] [blame]1774 unsigned char *buf,
1775 unsigned char *end,
Jerry Yu23f7a6f2022-04-23 15:16:45 +0800[diff] [blame]1776 size_t *out_len,
1777 int is_hrr )
Jerry Yu56404d72022-03-30 17:36:13 +0800[diff] [blame]1778{
Jerry Yu955ddd72022-04-22 22:27:33 +0800[diff] [blame]1779 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1780 unsigned char *p = buf;
Jerry Yud9436a12022-04-20 22:28:09 +0800[diff] [blame]1781 unsigned char *p_extensions_len;
Jerry Yufbe3e642022-04-25 19:31:51 +0800[diff] [blame]1782 size_t output_len;
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1783
1784 *out_len = 0;
1785
Jerry Yucfc04b32022-04-21 09:31:58 +0800[diff] [blame]1786 /* ...
1787 * ProtocolVersion legacy_version = 0x0303; // TLS 1.2
1788 * ...
1789 * with ProtocolVersion defined as:
1790 * uint16 ProtocolVersion;
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1791 */
1792 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 );
1793 MBEDTLS_PUT_UINT16_BE( 0x0303, p, 0 );
1794 p += 2;
1795
Jerry Yu1c3e6882022-04-20 21:23:40 +0800[diff] [blame]1796 /* ...
1797 * Random random;
1798 * ...
Jerry Yucfc04b32022-04-21 09:31:58 +0800[diff] [blame]1799 * with Random defined as:
1800 * opaque Random[MBEDTLS_SERVER_HELLO_RANDOM_LEN];
Jerry Yu1c3e6882022-04-20 21:23:40 +0800[diff] [blame]1801 */
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1802 MBEDTLS_SSL_CHK_BUF_PTR( p, end, MBEDTLS_SERVER_HELLO_RANDOM_LEN );
Jerry Yu23f7a6f2022-04-23 15:16:45 +0800[diff] [blame]1803 if( is_hrr )
1804 {
1805 memcpy( p, mbedtls_ssl_tls13_hello_retry_request_magic,
Jerry Yufbe3e642022-04-25 19:31:51 +0800[diff] [blame]1806 MBEDTLS_SERVER_HELLO_RANDOM_LEN );
Jerry Yu23f7a6f2022-04-23 15:16:45 +0800[diff] [blame]1807 }
1808 else
1809 {
1810 memcpy( p, &ssl->handshake->randbytes[MBEDTLS_CLIENT_HELLO_RANDOM_LEN],
Jerry Yufbe3e642022-04-25 19:31:51 +0800[diff] [blame]1811 MBEDTLS_SERVER_HELLO_RANDOM_LEN );
Jerry Yu23f7a6f2022-04-23 15:16:45 +0800[diff] [blame]1812 }
Jerry Yu955ddd72022-04-22 22:27:33 +0800[diff] [blame]1813 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, random bytes",
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1814 p, MBEDTLS_SERVER_HELLO_RANDOM_LEN );
1815 p += MBEDTLS_SERVER_HELLO_RANDOM_LEN;
1816
Jerry Yucfc04b32022-04-21 09:31:58 +0800[diff] [blame]1817 /* ...
1818 * opaque legacy_session_id_echo<0..32>;
1819 * ...
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1820 */
1821 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 1 + ssl->session_negotiate->id_len );
1822 *p++ = (unsigned char)ssl->session_negotiate->id_len;
1823 if( ssl->session_negotiate->id_len > 0 )
1824 {
1825 memcpy( p, &ssl->session_negotiate->id[0],
1826 ssl->session_negotiate->id_len );
1827 p += ssl->session_negotiate->id_len;
Jerry Yu955ddd72022-04-22 22:27:33 +0800[diff] [blame]1828
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1829 MBEDTLS_SSL_DEBUG_BUF( 3, "session id", ssl->session_negotiate->id,
1830 ssl->session_negotiate->id_len );
1831 }
1832
Jerry Yucfc04b32022-04-21 09:31:58 +0800[diff] [blame]1833 /* ...
1834 * CipherSuite cipher_suite;
1835 * ...
1836 * with CipherSuite defined as:
1837 * uint8 CipherSuite[2];
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1838 */
1839 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 );
1840 MBEDTLS_PUT_UINT16_BE( ssl->session_negotiate->ciphersuite, p, 0 );
1841 p += 2;
1842 MBEDTLS_SSL_DEBUG_MSG( 3,
1843 ( "server hello, chosen ciphersuite: %s ( id=%d )",
1844 mbedtls_ssl_get_ciphersuite_name(
1845 ssl->session_negotiate->ciphersuite ),
1846 ssl->session_negotiate->ciphersuite ) );
1847
Jerry Yucfc04b32022-04-21 09:31:58 +0800[diff] [blame]1848 /* ...
1849 * uint8 legacy_compression_method = 0;
1850 * ...
1851 */
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1852 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 1 );
Thomas Daubney31e03a82022-07-25 15:59:25 +0100[diff] [blame]1853 *p++ = MBEDTLS_SSL_COMPRESS_NULL;
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1854
Jerry Yucfc04b32022-04-21 09:31:58 +0800[diff] [blame]1855 /* ...
1856 * Extension extensions<6..2^16-1>;
1857 * ...
1858 * struct {
1859 * ExtensionType extension_type; (2 bytes)
1860 * opaque extension_data<0..2^16-1>;
1861 * } Extension;
1862 */
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1863 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 );
Jerry Yud9436a12022-04-20 22:28:09 +0800[diff] [blame]1864 p_extensions_len = p;
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1865 p += 2;
1866
Jerry Yue74e04a2022-04-21 09:23:16 +0800[diff] [blame]1867 if( ( ret = ssl_tls13_write_server_hello_supported_versions_ext(
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1868 ssl, p, end, &output_len ) ) != 0 )
1869 {
Jerry Yu955ddd72022-04-22 22:27:33 +0800[diff] [blame]1870 MBEDTLS_SSL_DEBUG_RET(
1871 1, "ssl_tls13_write_server_hello_supported_versions_ext", ret );
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1872 return( ret );
1873 }
1874 p += output_len;
1875
Jerry Yu56acc942022-07-30 23:02:36 +0800[diff] [blame]1876 if( mbedtls_ssl_tls13_key_exchange_mode_with_ephemeral( ssl ) )
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1877 {
Jerry Yu23f7a6f2022-04-23 15:16:45 +0800[diff] [blame]1878 if( is_hrr )
1879 ret = ssl_tls13_write_hrr_key_share_ext( ssl, p, end, &output_len );
1880 else
1881 ret = ssl_tls13_write_key_share_ext( ssl, p, end, &output_len );
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1882 if( ret != 0 )
1883 return( ret );
1884 p += output_len;
1885 }
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1886
Jerry Yu032b15ce2022-07-11 06:10:03 +0000[diff] [blame]1887#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
Jerry Yu96a2e362022-07-21 15:11:34 +0800[diff] [blame]1888 if( mbedtls_ssl_tls13_key_exchange_mode_with_psk( ssl ) )
Jerry Yu032b15ce2022-07-11 06:10:03 +0000[diff] [blame]1889 {
Jerry Yubb852022022-07-20 21:10:44 +0800[diff] [blame]1890 ret = ssl_tls13_write_server_pre_shared_key_ext( ssl, p, end, &output_len );
Jerry Yu032b15ce2022-07-11 06:10:03 +0000[diff] [blame]1891 if( ret != 0 )
1892 {
Jerry Yubb852022022-07-20 21:10:44 +0800[diff] [blame]1893 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_tls13_write_server_pre_shared_key_ext",
Jerry Yu032b15ce2022-07-11 06:10:03 +0000[diff] [blame]1894 ret );
1895 return( ret );
1896 }
1897 p += output_len;
1898 }
1899#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
1900
Jerry Yud9436a12022-04-20 22:28:09 +0800[diff] [blame]1901 MBEDTLS_PUT_UINT16_BE( p - p_extensions_len - 2, p_extensions_len, 0 );
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1902
Jerry Yud9436a12022-04-20 22:28:09 +0800[diff] [blame]1903 MBEDTLS_SSL_DEBUG_BUF( 4, "server hello extensions",
1904 p_extensions_len, p - p_extensions_len );
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1905
Jerry Yud9436a12022-04-20 22:28:09 +0800[diff] [blame]1906 *out_len = p - buf;
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1907
Jerry Yud9436a12022-04-20 22:28:09 +0800[diff] [blame]1908 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello", buf, *out_len );
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1909
1910 return( ret );
Jerry Yu56404d72022-03-30 17:36:13 +0800[diff] [blame]1911}
1912
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1913MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yue110d252022-05-05 10:19:22 +0800[diff] [blame]1914static int ssl_tls13_finalize_write_server_hello( mbedtls_ssl_context *ssl )
1915{
1916 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yuf86eb752022-05-06 11:16:55 +0800[diff] [blame]1917 ret = mbedtls_ssl_tls13_compute_handshake_transform( ssl );
Jerry Yue110d252022-05-05 10:19:22 +0800[diff] [blame]1918 if( ret != 0 )
1919 {
Jerry Yuf86eb752022-05-06 11:16:55 +0800[diff] [blame]1920 MBEDTLS_SSL_DEBUG_RET( 1,
1921 "mbedtls_ssl_tls13_compute_handshake_transform",
Jerry Yue110d252022-05-05 10:19:22 +0800[diff] [blame]1922 ret );
1923 return( ret );
1924 }
1925
Jerry Yue110d252022-05-05 10:19:22 +0800[diff] [blame]1926 return( ret );
1927}
1928
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1929MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yu5b64ae92022-03-30 17:15:02 +0800[diff] [blame]1930static int ssl_tls13_write_server_hello( mbedtls_ssl_context *ssl )
1931{
Jerry Yu637a3f12022-04-20 21:37:58 +0800[diff] [blame]1932 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yuf4b27e42022-03-30 17:32:21 +0800[diff] [blame]1933 unsigned char *buf;
1934 size_t buf_len, msg_len;
1935
1936 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write server hello" ) );
1937
Jerry Yuf4b27e42022-03-30 17:32:21 +0800[diff] [blame]1938 MBEDTLS_SSL_PROC_CHK( ssl_tls13_prepare_server_hello( ssl ) );
1939
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1940 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_start_handshake_msg( ssl,
Jerry Yuf4b27e42022-03-30 17:32:21 +0800[diff] [blame]1941 MBEDTLS_SSL_HS_SERVER_HELLO, &buf, &buf_len ) );
1942
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1943 MBEDTLS_SSL_PROC_CHK( ssl_tls13_write_server_hello_body( ssl, buf,
1944 buf + buf_len,
Jerry Yu23f7a6f2022-04-23 15:16:45 +0800[diff] [blame]1945 &msg_len,
1946 0 ) );
Jerry Yuf4b27e42022-03-30 17:32:21 +0800[diff] [blame]1947
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1948 mbedtls_ssl_add_hs_msg_to_checksum(
Jerry Yuf4b27e42022-03-30 17:32:21 +0800[diff] [blame]1949 ssl, MBEDTLS_SSL_HS_SERVER_HELLO, buf, msg_len );
1950
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1951 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_finish_handshake_msg(
Jerry Yuf4b27e42022-03-30 17:32:21 +0800[diff] [blame]1952 ssl, buf_len, msg_len ) );
Jerry Yu637a3f12022-04-20 21:37:58 +0800[diff] [blame]1953
Jerry Yue110d252022-05-05 10:19:22 +0800[diff] [blame]1954 MBEDTLS_SSL_PROC_CHK( ssl_tls13_finalize_write_server_hello( ssl ) );
1955
Gabor Mezei7b39bf12022-05-24 16:04:14 +0200[diff] [blame]1956#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
1957 /* The server sends a dummy change_cipher_spec record immediately
1958 * after its first handshake message. This may either be after
1959 * a ServerHello or a HelloRetryRequest.
1960 */
Gabor Mezei96ae9262022-06-28 11:45:18 +0200[diff] [blame]1961 mbedtls_ssl_handshake_set_state(
1962 ssl, MBEDTLS_SSL_SERVER_CCS_AFTER_SERVER_HELLO );
Gabor Mezei7b39bf12022-05-24 16:04:14 +0200[diff] [blame]1963#else
Jerry Yu637a3f12022-04-20 21:37:58 +0800[diff] [blame]1964 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_ENCRYPTED_EXTENSIONS );
Gabor Mezei7b39bf12022-05-24 16:04:14 +0200[diff] [blame]1965#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
Jerry Yue110d252022-05-05 10:19:22 +0800[diff] [blame]1966
Jerry Yuf4b27e42022-03-30 17:32:21 +0800[diff] [blame]1967cleanup:
1968
1969 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server hello" ) );
1970 return( ret );
Jerry Yu5b64ae92022-03-30 17:15:02 +0800[diff] [blame]1971}
1972
Jerry Yu23d1a252022-05-12 18:08:59 +0800[diff] [blame]1973
1974/*
1975 * Handler for MBEDTLS_SSL_HELLO_RETRY_REQUEST
1976 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1977MBEDTLS_CHECK_RETURN_CRITICAL
Ronald Cron7b840462022-06-01 17:05:53 +0200[diff] [blame]1978static int ssl_tls13_prepare_hello_retry_request( mbedtls_ssl_context *ssl )
Jerry Yu23d1a252022-05-12 18:08:59 +0800[diff] [blame]1979{
1980 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1981 if( ssl->handshake->hello_retry_request_count > 0 )
1982 {
1983 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Too many HRRs" ) );
1984 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
1985 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
1986 return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
1987 }
1988
1989 /*
1990 * Create stateless transcript hash for HRR
1991 */
1992 MBEDTLS_SSL_DEBUG_MSG( 4, ( "Reset transcript for HRR" ) );
1993 ret = mbedtls_ssl_reset_transcript_for_hrr( ssl );
1994 if( ret != 0 )
1995 {
1996 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_reset_transcript_for_hrr", ret );
1997 return( ret );
1998 }
1999 mbedtls_ssl_session_reset_msg_layer( ssl, 0 );
2000
2001 return( 0 );
2002}
2003
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2004MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yu23d1a252022-05-12 18:08:59 +0800[diff] [blame]2005static int ssl_tls13_write_hello_retry_request( mbedtls_ssl_context *ssl )
2006{
2007 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2008 unsigned char *buf;
2009 size_t buf_len, msg_len;
2010
2011 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write hello retry request" ) );
2012
Ronald Cron7b840462022-06-01 17:05:53 +0200[diff] [blame]2013 MBEDTLS_SSL_PROC_CHK( ssl_tls13_prepare_hello_retry_request( ssl ) );
Jerry Yu23d1a252022-05-12 18:08:59 +0800[diff] [blame]2014
2015 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_start_handshake_msg(
2016 ssl, MBEDTLS_SSL_HS_SERVER_HELLO,
2017 &buf, &buf_len ) );
2018
2019 MBEDTLS_SSL_PROC_CHK( ssl_tls13_write_server_hello_body( ssl, buf,
2020 buf + buf_len,
2021 &msg_len,
2022 1 ) );
2023 mbedtls_ssl_add_hs_msg_to_checksum(
2024 ssl, MBEDTLS_SSL_HS_SERVER_HELLO, buf, msg_len );
2025
2026
2027 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_finish_handshake_msg( ssl, buf_len,
2028 msg_len ) );
2029
2030 ssl->handshake->hello_retry_request_count++;
2031
Gabor Mezei7b39bf12022-05-24 16:04:14 +0200[diff] [blame]2032#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
2033 /* The server sends a dummy change_cipher_spec record immediately
2034 * after its first handshake message. This may either be after
2035 * a ServerHello or a HelloRetryRequest.
2036 */
Gabor Mezei96ae9262022-06-28 11:45:18 +0200[diff] [blame]2037 mbedtls_ssl_handshake_set_state(
Gabor Mezeif7044ea2022-06-28 16:01:49 +0200[diff] [blame]2038 ssl, MBEDTLS_SSL_SERVER_CCS_AFTER_HELLO_RETRY_REQUEST );
Gabor Mezei7b39bf12022-05-24 16:04:14 +0200[diff] [blame]2039#else
Jerry Yu23d1a252022-05-12 18:08:59 +0800[diff] [blame]2040 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_HELLO );
Gabor Mezei7b39bf12022-05-24 16:04:14 +0200[diff] [blame]2041#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
Jerry Yu23d1a252022-05-12 18:08:59 +0800[diff] [blame]2042
2043cleanup:
2044 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write hello retry request" ) );
2045 return( ret );
2046}
2047
Jerry Yu5b64ae92022-03-30 17:15:02 +0800[diff] [blame]2048/*
Jerry Yu4d3841a2022-04-16 12:37:19 +0800[diff] [blame]2049 * Handler for MBEDTLS_SSL_ENCRYPTED_EXTENSIONS
2050 */
Jerry Yu4d3841a2022-04-16 12:37:19 +0800[diff] [blame]2051
2052/*
2053 * struct {
2054 * Extension extensions<0..2 ^ 16 - 1>;
2055 * } EncryptedExtensions;
2056 *
2057 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2058MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yu4d3841a2022-04-16 12:37:19 +0800[diff] [blame]2059static int ssl_tls13_write_encrypted_extensions_body( mbedtls_ssl_context *ssl,
2060 unsigned char *buf,
2061 unsigned char *end,
2062 size_t *out_len )
2063{
XiaokangQianacb39922022-06-17 10:18:48 +0000[diff] [blame]2064 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yu4d3841a2022-04-16 12:37:19 +0800[diff] [blame]2065 unsigned char *p = buf;
2066 size_t extensions_len = 0;
Jerry Yu8937eb42022-05-03 12:12:14 +0800[diff] [blame]2067 unsigned char *p_extensions_len;
XiaokangQianacb39922022-06-17 10:18:48 +0000[diff] [blame]2068 size_t output_len;
Jerry Yu9da5e5a2022-05-03 15:46:09 +0800[diff] [blame]2069
Jerry Yu4d3841a2022-04-16 12:37:19 +0800[diff] [blame]2070 *out_len = 0;
2071
2072 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 );
Jerry Yu8937eb42022-05-03 12:12:14 +0800[diff] [blame]2073 p_extensions_len = p;
Jerry Yu4d3841a2022-04-16 12:37:19 +0800[diff] [blame]2074 p += 2;
2075
Jerry Yu8937eb42022-05-03 12:12:14 +0800[diff] [blame]2076 ((void) ssl);
XiaokangQianacb39922022-06-17 10:18:48 +0000[diff] [blame]2077 ((void) ret);
2078 ((void) output_len);
2079
2080#if defined(MBEDTLS_SSL_ALPN)
2081 ret = mbedtls_ssl_write_alpn_ext( ssl, p, end, &output_len );
2082 if( ret != 0 )
2083 return( ret );
XiaokangQian95d5f542022-06-24 02:29:26 +0000[diff] [blame]2084 p += output_len;
XiaokangQianacb39922022-06-17 10:18:48 +0000[diff] [blame]2085#endif /* MBEDTLS_SSL_ALPN */
Jerry Yu4d3841a2022-04-16 12:37:19 +0800[diff] [blame]2086
Jerry Yu8937eb42022-05-03 12:12:14 +0800[diff] [blame]2087 extensions_len = ( p - p_extensions_len ) - 2;
2088 MBEDTLS_PUT_UINT16_BE( extensions_len, p_extensions_len, 0 );
2089
2090 *out_len = p - buf;
Jerry Yu4d3841a2022-04-16 12:37:19 +0800[diff] [blame]2091
2092 MBEDTLS_SSL_DEBUG_BUF( 4, "encrypted extensions", buf, *out_len );
2093
2094 return( 0 );
2095}
2096
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2097MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yu4d3841a2022-04-16 12:37:19 +0800[diff] [blame]2098static int ssl_tls13_write_encrypted_extensions( mbedtls_ssl_context *ssl )
2099{
2100 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2101 unsigned char *buf;
Jerry Yu39730a72022-05-03 12:14:04 +0800[diff] [blame]2102 size_t buf_len, msg_len;
Jerry Yu4d3841a2022-04-16 12:37:19 +0800[diff] [blame]2103
Gabor Mezei54719122022-06-28 11:34:56 +0200[diff] [blame]2104 mbedtls_ssl_set_outbound_transform( ssl,
2105 ssl->handshake->transform_handshake );
2106 MBEDTLS_SSL_DEBUG_MSG(
2107 3, ( "switching to handshake transform for outbound data" ) );
2108
Jerry Yuab452cc2022-04-28 15:27:08 +0800[diff] [blame]2109 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write encrypted extensions" ) );
Jerry Yu4d3841a2022-04-16 12:37:19 +0800[diff] [blame]2110
Jerry Yu4d3841a2022-04-16 12:37:19 +0800[diff] [blame]2111 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_start_handshake_msg( ssl,
2112 MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS, &buf, &buf_len ) );
2113
2114 MBEDTLS_SSL_PROC_CHK( ssl_tls13_write_encrypted_extensions_body(
2115 ssl, buf, buf + buf_len, &msg_len ) );
2116
2117 mbedtls_ssl_add_hs_msg_to_checksum(
2118 ssl, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS, buf, msg_len );
2119
Jerry Yu4d3841a2022-04-16 12:37:19 +0800[diff] [blame]2120 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_finish_handshake_msg(
2121 ssl, buf_len, msg_len ) );
2122
Jerry Yu8937eb42022-05-03 12:12:14 +0800[diff] [blame]2123#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Ronald Cron79907712022-07-20 17:05:29 +0200[diff] [blame]2124 if( mbedtls_ssl_tls13_key_exchange_mode_with_psk( ssl ) )
Jerry Yu8937eb42022-05-03 12:12:14 +0800[diff] [blame]2125 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_FINISHED );
2126 else
XiaokangQiana987e1d2022-05-07 01:25:58 +0000[diff] [blame]2127 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CERTIFICATE_REQUEST );
Jerry Yu8937eb42022-05-03 12:12:14 +0800[diff] [blame]2128#else
2129 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_FINISHED );
2130#endif
2131
Jerry Yu4d3841a2022-04-16 12:37:19 +0800[diff] [blame]2132cleanup:
2133
Jerry Yuab452cc2022-04-28 15:27:08 +0800[diff] [blame]2134 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write encrypted extensions" ) );
Jerry Yu4d3841a2022-04-16 12:37:19 +0800[diff] [blame]2135 return( ret );
2136}
2137
XiaokangQiancec9ae62022-05-06 07:28:50 +0000[diff] [blame]2138#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
XiaokangQiana987e1d2022-05-07 01:25:58 +0000[diff] [blame]2139#define SSL_CERTIFICATE_REQUEST_SEND_REQUEST 0
2140#define SSL_CERTIFICATE_REQUEST_SKIP 1
2141/* Coordination:
2142 * Check whether a CertificateRequest message should be written.
2143 * Returns a negative code on failure, or
2144 * - SSL_CERTIFICATE_REQUEST_SEND_REQUEST
2145 * - SSL_CERTIFICATE_REQUEST_SKIP
2146 * indicating if the writing of the CertificateRequest
2147 * should be skipped or not.
2148 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2149MBEDTLS_CHECK_RETURN_CRITICAL
XiaokangQiana987e1d2022-05-07 01:25:58 +0000[diff] [blame]2150static int ssl_tls13_certificate_request_coordinate( mbedtls_ssl_context *ssl )
2151{
2152 int authmode;
2153
XiaokangQian40a35232022-05-07 09:02:40 +0000[diff] [blame]2154#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
2155 if( ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET )
2156 authmode = ssl->handshake->sni_authmode;
2157 else
2158#endif
XiaokangQiana987e1d2022-05-07 01:25:58 +0000[diff] [blame]2159 authmode = ssl->conf->authmode;
2160
2161 if( authmode == MBEDTLS_SSL_VERIFY_NONE )
2162 return( SSL_CERTIFICATE_REQUEST_SKIP );
2163
XiaokangQianc3017f62022-05-13 05:55:41 +0000[diff] [blame]2164 ssl->handshake->certificate_request_sent = 1;
XiaokangQian189ded22022-05-10 08:12:17 +0000[diff] [blame]2165
XiaokangQiana987e1d2022-05-07 01:25:58 +0000[diff] [blame]2166 return( SSL_CERTIFICATE_REQUEST_SEND_REQUEST );
2167}
2168
XiaokangQiancec9ae62022-05-06 07:28:50 +0000[diff] [blame]2169/*
2170 * struct {
2171 * opaque certificate_request_context<0..2^8-1>;
2172 * Extension extensions<2..2^16-1>;
2173 * } CertificateRequest;
2174 *
2175 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2176MBEDTLS_CHECK_RETURN_CRITICAL
XiaokangQiancec9ae62022-05-06 07:28:50 +0000[diff] [blame]2177static int ssl_tls13_write_certificate_request_body( mbedtls_ssl_context *ssl,
2178 unsigned char *buf,
2179 const unsigned char *end,
2180 size_t *out_len )
2181{
2182 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2183 unsigned char *p = buf;
XiaokangQianec6efb92022-05-06 09:53:10 +0000[diff] [blame]2184 size_t output_len = 0;
XiaokangQiancec9ae62022-05-06 07:28:50 +0000[diff] [blame]2185 unsigned char *p_extensions_len;
2186
2187 *out_len = 0;
2188
2189 /* Check if we have enough space:
2190 * - certificate_request_context (1 byte)
2191 * - extensions length (2 bytes)
2192 */
2193 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 3 );
2194
2195 /*
2196 * Write certificate_request_context
2197 */
2198 /*
2199 * We use a zero length context for the normal handshake
2200 * messages. For post-authentication handshake messages
2201 * this request context would be set to a non-zero value.
2202 */
2203 *p++ = 0x0;
2204
2205 /*
2206 * Write extensions
2207 */
2208 /* The extensions must contain the signature_algorithms. */
2209 p_extensions_len = p;
2210 p += 2;
XiaokangQianec6efb92022-05-06 09:53:10 +0000[diff] [blame]2211 ret = mbedtls_ssl_write_sig_alg_ext( ssl, p, end, &output_len );
XiaokangQiancec9ae62022-05-06 07:28:50 +0000[diff] [blame]2212 if( ret != 0 )
2213 return( ret );
2214
XiaokangQianec6efb92022-05-06 09:53:10 +0000[diff] [blame]2215 p += output_len;
XiaokangQianaad9b0a2022-05-09 01:11:21 +0000[diff] [blame]2216 MBEDTLS_PUT_UINT16_BE( p - p_extensions_len - 2, p_extensions_len, 0 );
XiaokangQiancec9ae62022-05-06 07:28:50 +0000[diff] [blame]2217
2218 *out_len = p - buf;
2219
2220 return( 0 );
2221}
2222
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2223MBEDTLS_CHECK_RETURN_CRITICAL
XiaokangQiancec9ae62022-05-06 07:28:50 +0000[diff] [blame]2224static int ssl_tls13_write_certificate_request( mbedtls_ssl_context *ssl )
2225{
2226 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2227
2228 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) );
2229
2230 MBEDTLS_SSL_PROC_CHK_NEG( ssl_tls13_certificate_request_coordinate( ssl ) );
2231
2232 if( ret == SSL_CERTIFICATE_REQUEST_SEND_REQUEST )
2233 {
2234 unsigned char *buf;
2235 size_t buf_len, msg_len;
2236
2237 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_start_handshake_msg( ssl,
2238 MBEDTLS_SSL_HS_CERTIFICATE_REQUEST, &buf, &buf_len ) );
2239
2240 MBEDTLS_SSL_PROC_CHK( ssl_tls13_write_certificate_request_body(
2241 ssl, buf, buf + buf_len, &msg_len ) );
2242
2243 mbedtls_ssl_add_hs_msg_to_checksum(
2244 ssl, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST, buf, msg_len );
2245
2246 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_finish_handshake_msg(
2247 ssl, buf_len, msg_len ) );
2248 }
2249 else if( ret == SSL_CERTIFICATE_REQUEST_SKIP )
2250 {
2251 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) );
2252 ret = 0;
2253 }
2254 else
2255 {
2256 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2257 ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
2258 goto cleanup;
2259 }
2260
2261 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_CERTIFICATE );
2262cleanup:
2263
2264 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate request" ) );
2265 return( ret );
2266}
XiaokangQiancec9ae62022-05-06 07:28:50 +0000[diff] [blame]2267
Jerry Yu4d3841a2022-04-16 12:37:19 +0800[diff] [blame]2268/*
Jerry Yuc6e6dbf2022-04-16 19:42:57 +0800[diff] [blame]2269 * Handler for MBEDTLS_SSL_SERVER_CERTIFICATE
Jerry Yu83da34e2022-04-16 13:59:52 +0800[diff] [blame]2270 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2271MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yuc6e6dbf2022-04-16 19:42:57 +0800[diff] [blame]2272static int ssl_tls13_write_server_certificate( mbedtls_ssl_context *ssl )
Jerry Yu83da34e2022-04-16 13:59:52 +0800[diff] [blame]2273{
Jerry Yu5a26f302022-05-10 20:46:40 +0800[diff] [blame]2274 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
XiaokangQianfb665a82022-06-15 03:57:21 +0000[diff] [blame]2275
2276#if defined(MBEDTLS_X509_CRT_PARSE_C)
2277 if( ( ssl_tls13_pick_key_cert( ssl ) != 0 ) ||
2278 mbedtls_ssl_own_cert( ssl ) == NULL )
Jerry Yu5a26f302022-05-10 20:46:40 +0800[diff] [blame]2279 {
Jerry Yub89125b2022-05-13 15:45:49 +0800[diff] [blame]2280 MBEDTLS_SSL_DEBUG_MSG( 2, ( "No certificate available." ) );
Jerry Yu5a26f302022-05-10 20:46:40 +0800[diff] [blame]2281 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
2282 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE);
Jerry Yuf1c3c4e2022-05-10 11:36:35 +0800[diff] [blame]2283 return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
Jerry Yu5a26f302022-05-10 20:46:40 +0800[diff] [blame]2284 }
XiaokangQianfb665a82022-06-15 03:57:21 +0000[diff] [blame]2285#endif /* MBEDTLS_X509_CRT_PARSE_C */
Jerry Yu5a26f302022-05-10 20:46:40 +0800[diff] [blame]2286
Jerry Yuf1c3c4e2022-05-10 11:36:35 +0800[diff] [blame]2287 ret = mbedtls_ssl_tls13_write_certificate( ssl );
2288 if( ret != 0 )
Jerry Yu1bff7112022-04-16 14:29:11 +0800[diff] [blame]2289 return( ret );
Jerry Yu1bff7112022-04-16 14:29:11 +0800[diff] [blame]2290 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CERTIFICATE_VERIFY );
2291 return( 0 );
Jerry Yu83da34e2022-04-16 13:59:52 +0800[diff] [blame]2292}
2293
2294/*
Jerry Yuc6e6dbf2022-04-16 19:42:57 +0800[diff] [blame]2295 * Handler for MBEDTLS_SSL_CERTIFICATE_VERIFY
Jerry Yu83da34e2022-04-16 13:59:52 +0800[diff] [blame]2296 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2297MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yuc6e6dbf2022-04-16 19:42:57 +0800[diff] [blame]2298static int ssl_tls13_write_certificate_verify( mbedtls_ssl_context *ssl )
Jerry Yu83da34e2022-04-16 13:59:52 +0800[diff] [blame]2299{
Jerry Yu4ff9e142022-04-16 14:57:49 +0800[diff] [blame]2300 int ret = mbedtls_ssl_tls13_write_certificate_verify( ssl );
Jerry Yuf1c3c4e2022-05-10 11:36:35 +0800[diff] [blame]2301 if( ret != 0 )
Jerry Yu4ff9e142022-04-16 14:57:49 +0800[diff] [blame]2302 return( ret );
Jerry Yu4ff9e142022-04-16 14:57:49 +0800[diff] [blame]2303 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_FINISHED );
2304 return( 0 );
Jerry Yu83da34e2022-04-16 13:59:52 +0800[diff] [blame]2305}
Jerry Yu5a26f302022-05-10 20:46:40 +0800[diff] [blame]2306#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
Jerry Yu83da34e2022-04-16 13:59:52 +0800[diff] [blame]2307
2308/*
Jerry Yud6e253d2022-05-18 13:59:24 +0800[diff] [blame]2309 * Handler for MBEDTLS_SSL_SERVER_FINISHED
Jerry Yu69dd8d42022-04-16 12:51:26 +0800[diff] [blame]2310 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2311MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yu4d8567f2022-04-17 10:57:57 +0800[diff] [blame]2312static int ssl_tls13_write_server_finished( mbedtls_ssl_context *ssl )
Jerry Yu69dd8d42022-04-16 12:51:26 +0800[diff] [blame]2313{
Jerry Yud6e253d2022-05-18 13:59:24 +0800[diff] [blame]2314 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yu27bdc7c2022-04-16 13:33:27 +0800[diff] [blame]2315
2316 ret = mbedtls_ssl_tls13_write_finished_message( ssl );
2317 if( ret != 0 )
2318 return( ret );
2319
Jerry Yue3d67cb2022-05-19 15:33:10 +0800[diff] [blame]2320 ret = mbedtls_ssl_tls13_compute_application_transform( ssl );
2321 if( ret != 0 )
2322 {
2323 MBEDTLS_SSL_PEND_FATAL_ALERT(
2324 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
2325 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
2326 return( ret );
2327 }
XiaokangQianc3017f62022-05-13 05:55:41 +0000[diff] [blame]2328
Ronald Cron63dc4632022-05-31 14:41:53 +0200[diff] [blame]2329 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Switch to handshake keys for inbound traffic" ) );
2330 mbedtls_ssl_set_inbound_transform( ssl, ssl->handshake->transform_handshake );
XiaokangQian189ded22022-05-10 08:12:17 +0000[diff] [blame]2331
Ronald Cron63dc4632022-05-31 14:41:53 +0200[diff] [blame]2332 if( ssl->handshake->certificate_request_sent )
2333 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE );
XiaokangQian189ded22022-05-10 08:12:17 +0000[diff] [blame]2334 else
Ronald Cron19385882022-06-15 16:26:13 +0200[diff] [blame]2335 {
2336 MBEDTLS_SSL_DEBUG_MSG( 2, ( "skip parse certificate" ) );
2337 MBEDTLS_SSL_DEBUG_MSG( 2, ( "skip parse certificate verify" ) );
XiaokangQian189ded22022-05-10 08:12:17 +0000[diff] [blame]2338 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_FINISHED );
Ronald Cron19385882022-06-15 16:26:13 +0200[diff] [blame]2339 }
Ronald Cron63dc4632022-05-31 14:41:53 +0200[diff] [blame]2340
Jerry Yu27bdc7c2022-04-16 13:33:27 +0800[diff] [blame]2341 return( 0 );
Jerry Yu69dd8d42022-04-16 12:51:26 +0800[diff] [blame]2342}
2343
2344/*
Jerry Yud6e253d2022-05-18 13:59:24 +0800[diff] [blame]2345 * Handler for MBEDTLS_SSL_CLIENT_FINISHED
Jerry Yu69dd8d42022-04-16 12:51:26 +0800[diff] [blame]2346 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2347MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yu4d8567f2022-04-17 10:57:57 +0800[diff] [blame]2348static int ssl_tls13_process_client_finished( mbedtls_ssl_context *ssl )
Jerry Yu69dd8d42022-04-16 12:51:26 +0800[diff] [blame]2349{
Jerry Yud6e253d2022-05-18 13:59:24 +0800[diff] [blame]2350 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2351
Jerry Yuff226982022-04-16 16:52:57 +0800[diff] [blame]2352 ret = mbedtls_ssl_tls13_process_finished_message( ssl );
2353 if( ret != 0 )
2354 return( ret );
2355
Jerry Yue3d67cb2022-05-19 15:33:10 +0800[diff] [blame]2356 ret = mbedtls_ssl_tls13_generate_resumption_master_secret( ssl );
2357 if( ret != 0 )
2358 {
2359 MBEDTLS_SSL_DEBUG_RET( 1,
2360 "mbedtls_ssl_tls13_generate_resumption_master_secret ", ret );
2361 }
2362
Jerry Yu03ed50b2022-04-16 17:13:30 +0800[diff] [blame]2363 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_HANDSHAKE_WRAPUP );
Jerry Yuff226982022-04-16 16:52:57 +0800[diff] [blame]2364 return( 0 );
Jerry Yu69dd8d42022-04-16 12:51:26 +0800[diff] [blame]2365}
2366
2367/*
Jerry Yud6e253d2022-05-18 13:59:24 +0800[diff] [blame]2368 * Handler for MBEDTLS_SSL_HANDSHAKE_WRAPUP
Jerry Yu69dd8d42022-04-16 12:51:26 +0800[diff] [blame]2369 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2370MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yu4d8567f2022-04-17 10:57:57 +0800[diff] [blame]2371static int ssl_tls13_handshake_wrapup( mbedtls_ssl_context *ssl )
Jerry Yu69dd8d42022-04-16 12:51:26 +0800[diff] [blame]2372{
Jerry Yu03ed50b2022-04-16 17:13:30 +0800[diff] [blame]2373 MBEDTLS_SSL_DEBUG_MSG( 2, ( "handshake: done" ) );
2374
Jerry Yu03ed50b2022-04-16 17:13:30 +0800[diff] [blame]2375 mbedtls_ssl_tls13_handshake_wrapup( ssl );
Jerry Yue67bef42022-07-07 07:29:42 +0000[diff] [blame]2376
2377#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Jerry Yufca4d572022-07-21 10:37:48 +0800[diff] [blame]2378 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_NEW_SESSION_TICKET );
2379#else
Jerry Yu03ed50b2022-04-16 17:13:30 +0800[diff] [blame]2380 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_HANDSHAKE_OVER );
Jerry Yufca4d572022-07-21 10:37:48 +0800[diff] [blame]2381#endif
Jerry Yu03ed50b2022-04-16 17:13:30 +0800[diff] [blame]2382 return( 0 );
Jerry Yu69dd8d42022-04-16 12:51:26 +0800[diff] [blame]2383}
2384
2385/*
Jerry Yue67bef42022-07-07 07:29:42 +0000[diff] [blame]2386 * Handler for MBEDTLS_SSL_NEW_SESSION_TICKET
2387 */
2388#define SSL_NEW_SESSION_TICKET_SKIP 0
2389#define SSL_NEW_SESSION_TICKET_WRITE 1
2390MBEDTLS_CHECK_RETURN_CRITICAL
2391static int ssl_tls13_write_new_session_ticket_coordinate( mbedtls_ssl_context *ssl )
2392{
2393 /* Check whether the use of session tickets is enabled */
2394 if( ssl->conf->f_ticket_write == NULL )
2395 {
2396 MBEDTLS_SSL_DEBUG_MSG( 2, ( "new session ticket is not enabled" ) );
2397 return( SSL_NEW_SESSION_TICKET_SKIP );
2398 }
2399
Jerry Yue67bef42022-07-07 07:29:42 +0000[diff] [blame]2400 return( SSL_NEW_SESSION_TICKET_WRITE );
2401}
2402
2403#if defined(MBEDTLS_SSL_SESSION_TICKETS)
2404MBEDTLS_CHECK_RETURN_CRITICAL
2405static int ssl_tls13_prepare_new_session_ticket( mbedtls_ssl_context *ssl,
2406 unsigned char *ticket_nonce,
2407 size_t ticket_nonce_size )
2408{
2409 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2410 mbedtls_ssl_session *session = ssl->session;
2411 mbedtls_ssl_ciphersuite_t *ciphersuite_info;
2412 psa_algorithm_t psa_hash_alg;
2413 int hash_length;
2414
2415 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> prepare NewSessionTicket msg" ) );
2416
2417#if defined(MBEDTLS_HAVE_TIME)
2418 session->start = mbedtls_time( NULL );
2419#endif
2420
2421 /* Generate ticket_age_add */
2422 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng,
Jerry Yufca4d572022-07-21 10:37:48 +0800[diff] [blame]2423 (unsigned char *) &session->ticket_age_add,
Jerry Yue67bef42022-07-07 07:29:42 +0000[diff] [blame]2424 sizeof( session->ticket_age_add ) ) != 0 ) )
2425 {
2426 MBEDTLS_SSL_DEBUG_RET( 1, "generate_ticket_age_add", ret );
2427 return( ret );
2428 }
2429 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket_age_add: %u",
Jerry Yufca4d572022-07-21 10:37:48 +0800[diff] [blame]2430 (unsigned int)session->ticket_age_add ) );
Jerry Yue67bef42022-07-07 07:29:42 +0000[diff] [blame]2431
2432 /* Generate ticket_nonce */
2433 ret = ssl->conf->f_rng( ssl->conf->p_rng, ticket_nonce, ticket_nonce_size );
2434 if( ret != 0 )
2435 {
2436 MBEDTLS_SSL_DEBUG_RET( 1, "generate_ticket_nonce", ret );
2437 return( ret );
2438 }
2439 MBEDTLS_SSL_DEBUG_BUF( 3, "ticket_nonce:",
2440 ticket_nonce, ticket_nonce_size );
2441
2442 ciphersuite_info =
2443 (mbedtls_ssl_ciphersuite_t *) ssl->handshake->ciphersuite_info;
2444 psa_hash_alg = mbedtls_psa_translate_md( ciphersuite_info->mac );
2445 hash_length = PSA_HASH_LENGTH( psa_hash_alg );
Jerry Yufca4d572022-07-21 10:37:48 +0800[diff] [blame]2446 if( hash_length == -1 ||
Jerry Yu61197152022-07-21 16:28:02 +0800[diff] [blame]2447 (size_t)hash_length > sizeof( session->resumption_key ) )
Jerry Yufca4d572022-07-21 10:37:48 +0800[diff] [blame]2448 {
Jerry Yue67bef42022-07-07 07:29:42 +0000[diff] [blame]2449 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Jerry Yufca4d572022-07-21 10:37:48 +0800[diff] [blame]2450 }
2451
Jerry Yue67bef42022-07-07 07:29:42 +0000[diff] [blame]2452 /* In this code the psk key length equals the length of the hash */
2453 session->resumption_key_len = hash_length;
2454 session->ciphersuite = ciphersuite_info->id;
2455
2456 /* Compute resumption key
2457 *
2458 * HKDF-Expand-Label( resumption_master_secret,
2459 * "resumption", ticket_nonce, Hash.length )
2460 */
2461 ret = mbedtls_ssl_tls13_hkdf_expand_label(
2462 psa_hash_alg,
2463 session->app_secrets.resumption_master_secret,
2464 hash_length,
2465 MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( resumption ),
2466 ticket_nonce,
2467 ticket_nonce_size,
2468 session->resumption_key,
2469 hash_length );
2470
2471 if( ret != 0 )
2472 {
2473 MBEDTLS_SSL_DEBUG_RET( 2,
2474 "Creating the ticket-resumed PSK failed",
2475 ret );
2476 return ( ret );
2477 }
2478 MBEDTLS_SSL_DEBUG_BUF( 3, "Ticket-resumed PSK",
2479 session->resumption_key,
2480 session->resumption_key_len );
2481
2482 MBEDTLS_SSL_DEBUG_BUF( 3, "resumption_master_secret",
2483 session->app_secrets.resumption_master_secret,
2484 hash_length );
2485
2486 return( 0 );
2487}
2488
2489/* This function creates a NewSessionTicket message in the following format:
2490 *
2491 * struct {
2492 * uint32 ticket_lifetime;
2493 * uint32 ticket_age_add;
2494 * opaque ticket_nonce<0..255>;
2495 * opaque ticket<1..2^16-1>;
2496 * Extension extensions<0..2^16-2>;
2497 * } NewSessionTicket;
2498 *
2499 * The ticket inside the NewSessionTicket message is an encrypted container
2500 * carrying the necessary information so that the server is later able to
2501 * re-start the communication.
2502 *
2503 * The following fields are placed inside the ticket by the
2504 * f_ticket_write() function:
2505 *
2506 * - creation time (start)
2507 * - flags (flags)
2508 * - age add (ticket_age_add)
2509 * - key (key)
2510 * - key length (key_len)
2511 * - ciphersuite (ciphersuite)
2512 */
2513MBEDTLS_CHECK_RETURN_CRITICAL
2514static int ssl_tls13_write_new_session_ticket_body( mbedtls_ssl_context *ssl,
2515 unsigned char *buf,
2516 unsigned char *end,
2517 size_t *out_len,
2518 unsigned char *ticket_nonce,
2519 size_t ticket_nonce_size )
2520{
2521 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2522 unsigned char *p = buf;
2523 mbedtls_ssl_session *session = ssl->session;
2524 size_t ticket_len;
2525 uint32_t ticket_lifetime;
2526
2527 *out_len = 0;
2528 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write NewSessionTicket msg" ) );
2529
2530 /*
2531 * ticket_lifetime 4 bytes
2532 * ticket_age_add 4 bytes
2533 * ticket_nonce 1 + ticket_nonce_size bytes
2534 * ticket >=2 bytes
2535 */
2536 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 4 + 4 + 1 + ticket_nonce_size + 2 );
2537
2538 /* Generate ticket and ticket_lifetime */
2539 ret = ssl->conf->f_ticket_write( ssl->conf->p_ticket,
2540 session,
2541 p + 9 + ticket_nonce_size + 2,
2542 end,
2543 &ticket_len,
2544 &ticket_lifetime);
2545 if( ret != 0 )
2546 {
2547 MBEDTLS_SSL_DEBUG_RET( 1, "write_ticket", ret );
2548 return( ret );
2549 }
2550 /* RFC 8446 4.6.1
2551 * ticket_lifetime: Indicates the lifetime in seconds as a 32-bit
2552 * unsigned integer in network byte order from the time of ticket
2553 * issuance. Servers MUST NOT use any value greater than
2554 * 604800 seconds (7 days). The value of zero indicates that the
2555 * ticket should be discarded immediately. Clients MUST NOT cache
2556 * tickets for longer than 7 days, regardless of the ticket_lifetime,
2557 * and MAY delete tickets earlier based on local policy. A server
2558 * MAY treat a ticket as valid for a shorter period of time than what
2559 * is stated in the ticket_lifetime.
2560 */
2561 ticket_lifetime %= 604800;
2562 MBEDTLS_PUT_UINT32_BE( ticket_lifetime, p, 0 );
2563 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket_lifetime: %u",
2564 ( unsigned int )ticket_lifetime ) );
2565
2566 /* Write ticket_age_add */
2567 MBEDTLS_PUT_UINT32_BE( session->ticket_age_add, p, 4 );
2568 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket_age_add: %u",
2569 ( unsigned int )session->ticket_age_add ) );
2570
2571 /* Write ticket_nonce */
2572 p[8] = ( unsigned char )ticket_nonce_size;
2573 if( ticket_nonce_size > 0 )
2574 {
2575 memcpy( p + 9, ticket_nonce, ticket_nonce_size );
2576 }
2577 p += 9 + ticket_nonce_size;
2578
2579 /* Write ticket */
2580 MBEDTLS_PUT_UINT16_BE( ticket_len, p, 0 );
2581 p += 2;
2582 MBEDTLS_SSL_DEBUG_BUF( 4, "ticket", p, ticket_len);
2583 p += ticket_len;
2584
2585 /* Ticket Extensions
2586 *
2587 * Note: We currently don't have any extensions.
2588 * Set length to zero.
2589 */
2590 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 );
2591 MBEDTLS_PUT_UINT16_BE( 0, p, 0 );
2592 p += 2;
2593
2594 *out_len = p - buf;
2595 MBEDTLS_SSL_DEBUG_BUF( 4, "ticket", buf, *out_len );
2596 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write new session ticket" ) );
2597
2598 return( 0 );
2599}
2600
2601/*
2602 * Handler for MBEDTLS_SSL_NEW_SESSION_TICKET
2603 */
2604static int ssl_tls13_write_new_session_ticket( mbedtls_ssl_context *ssl )
2605{
2606 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2607
2608 MBEDTLS_SSL_PROC_CHK_NEG( ssl_tls13_write_new_session_ticket_coordinate( ssl ) );
2609
2610 if( ret == SSL_NEW_SESSION_TICKET_WRITE )
2611 {
2612 unsigned char ticket_nonce[MBEDTLS_SSL_TLS1_3_TICKET_NONCE_LENGTH];
2613 unsigned char *buf;
2614 size_t buf_len, msg_len;
2615
2616 MBEDTLS_SSL_PROC_CHK( ssl_tls13_prepare_new_session_ticket(
2617 ssl, ticket_nonce, sizeof( ticket_nonce ) ) );
2618
2619 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_start_handshake_msg( ssl,
2620 MBEDTLS_SSL_HS_NEW_SESSION_TICKET, &buf, &buf_len ) );
2621
2622 MBEDTLS_SSL_PROC_CHK( ssl_tls13_write_new_session_ticket_body(
2623 ssl, buf, buf + buf_len, &msg_len,
2624 ticket_nonce, sizeof( ticket_nonce ) ) );
2625
Jerry Yue67bef42022-07-07 07:29:42 +0000[diff] [blame]2626 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_finish_handshake_msg(
2627 ssl, buf_len, msg_len ) );
Jerry Yufca4d572022-07-21 10:37:48 +0800[diff] [blame]2628
2629 mbedtls_ssl_handshake_set_state( ssl,
2630 MBEDTLS_SSL_NEW_SESSION_TICKET_FLUSH );
Jerry Yue67bef42022-07-07 07:29:42 +0000[diff] [blame]2631 }
2632 else
2633 {
2634 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_HANDSHAKE_OVER );
2635 }
2636
Jerry Yue67bef42022-07-07 07:29:42 +0000[diff] [blame]2637cleanup:
2638
2639 return( ret );
2640}
2641#endif /* MBEDTLS_SSL_SESSION_TICKETS */
2642
2643/*
XiaokangQiane8ff3502022-04-22 02:34:40 +0000[diff] [blame]2644 * TLS 1.3 State Machine -- server side
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]2645 */
Jerry Yu27561932021-08-27 17:07:38 +0800[diff] [blame]2646int mbedtls_ssl_tls13_handshake_server_step( mbedtls_ssl_context *ssl )
Jerry Yub9930e72021-08-06 17:11:51 +0800[diff] [blame]2647{
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]2648 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]2649
2650 if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER || ssl->handshake == NULL )
2651 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
2652
Jerry Yue3b34122021-09-28 17:53:35 +0800[diff] [blame]2653 MBEDTLS_SSL_DEBUG_MSG( 2, ( "tls13 server state: %s(%d)",
2654 mbedtls_ssl_states_str( ssl->state ),
2655 ssl->state ) );
Jerry Yu6e81b272021-09-27 11:16:17 +0800[diff] [blame]2656
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]2657 switch( ssl->state )
2658 {
2659 /* start state */
2660 case MBEDTLS_SSL_HELLO_REQUEST:
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]2661 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_HELLO );
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]2662 ret = 0;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]2663 break;
2664
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]2665 case MBEDTLS_SSL_CLIENT_HELLO:
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]2666 ret = ssl_tls13_process_client_hello( ssl );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]2667 if( ret != 0 )
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]2668 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_tls13_process_client_hello", ret );
Jerry Yuf41553b2022-05-09 22:20:30 +0800[diff] [blame]2669 break;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]2670
Jerry Yuf41553b2022-05-09 22:20:30 +0800[diff] [blame]2671 case MBEDTLS_SSL_HELLO_RETRY_REQUEST:
2672 ret = ssl_tls13_write_hello_retry_request( ssl );
2673 if( ret != 0 )
2674 {
2675 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_tls13_write_hello_retry_request", ret );
2676 return( ret );
2677 }
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]2678 break;
2679
Jerry Yu5b64ae92022-03-30 17:15:02 +0800[diff] [blame]2680 case MBEDTLS_SSL_SERVER_HELLO:
2681 ret = ssl_tls13_write_server_hello( ssl );
2682 break;
2683
Xiaofei Baicba64af2022-02-15 10:00:56 +0000[diff] [blame]2684 case MBEDTLS_SSL_ENCRYPTED_EXTENSIONS:
Jerry Yu4d3841a2022-04-16 12:37:19 +0800[diff] [blame]2685 ret = ssl_tls13_write_encrypted_extensions( ssl );
Xiaofei Baicba64af2022-02-15 10:00:56 +0000[diff] [blame]2686 if( ret != 0 )
2687 {
Jerry Yu4d3841a2022-04-16 12:37:19 +0800[diff] [blame]2688 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_tls13_write_encrypted_extensions", ret );
2689 return( ret );
Xiaofei Baicba64af2022-02-15 10:00:56 +0000[diff] [blame]2690 }
Jerry Yu48330562022-05-06 21:35:44 +0800[diff] [blame]2691 break;
Jerry Yu6a2cd9e2022-05-05 11:14:19 +0800[diff] [blame]2692
Xiaofei Bai9ca09d42022-02-14 12:57:18 +0000[diff] [blame]2693#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
2694 case MBEDTLS_SSL_CERTIFICATE_REQUEST:
Xiaofei Bai5ee73d82022-03-14 02:48:30 +0000[diff] [blame]2695 ret = ssl_tls13_write_certificate_request( ssl );
Xiaofei Bai9ca09d42022-02-14 12:57:18 +0000[diff] [blame]2696 break;
Xiaofei Bai9ca09d42022-02-14 12:57:18 +0000[diff] [blame]2697
Jerry Yu83da34e2022-04-16 13:59:52 +0800[diff] [blame]2698 case MBEDTLS_SSL_SERVER_CERTIFICATE:
2699 ret = ssl_tls13_write_server_certificate( ssl );
2700 break;
2701
2702 case MBEDTLS_SSL_CERTIFICATE_VERIFY:
2703 ret = ssl_tls13_write_certificate_verify( ssl );
2704 break;
Jerry Yu5a26f302022-05-10 20:46:40 +0800[diff] [blame]2705#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
Jerry Yu83da34e2022-04-16 13:59:52 +0800[diff] [blame]2706
Gabor Mezei7b39bf12022-05-24 16:04:14 +0200[diff] [blame]2707 /*
2708 * Injection of dummy-CCS's for middlebox compatibility
2709 */
2710#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
Gabor Mezeif7044ea2022-06-28 16:01:49 +0200[diff] [blame]2711 case MBEDTLS_SSL_SERVER_CCS_AFTER_HELLO_RETRY_REQUEST:
Gabor Mezei7b39bf12022-05-24 16:04:14 +0200[diff] [blame]2712 ret = mbedtls_ssl_tls13_write_change_cipher_spec( ssl );
2713 if( ret == 0 )
2714 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_HELLO );
2715 break;
2716
2717 case MBEDTLS_SSL_SERVER_CCS_AFTER_SERVER_HELLO:
2718 ret = mbedtls_ssl_tls13_write_change_cipher_spec( ssl );
2719 if( ret == 0 )
2720 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_ENCRYPTED_EXTENSIONS );
2721 break;
2722#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
2723
Jerry Yu69dd8d42022-04-16 12:51:26 +0800[diff] [blame]2724 case MBEDTLS_SSL_SERVER_FINISHED:
2725 ret = ssl_tls13_write_server_finished( ssl );
2726 break;
2727
2728 case MBEDTLS_SSL_CLIENT_FINISHED:
2729 ret = ssl_tls13_process_client_finished( ssl );
2730 break;
2731
Jerry Yu69dd8d42022-04-16 12:51:26 +0800[diff] [blame]2732 case MBEDTLS_SSL_HANDSHAKE_WRAPUP:
2733 ret = ssl_tls13_handshake_wrapup( ssl );
2734 break;
2735
XiaokangQian6b916b12022-04-25 07:29:34 +0000[diff] [blame]2736 case MBEDTLS_SSL_CLIENT_CERTIFICATE:
2737 ret = mbedtls_ssl_tls13_process_certificate( ssl );
Ronald Cron209cae92022-06-07 10:30:19 +0200[diff] [blame]2738 if( ret == 0 )
XiaokangQian6b916b12022-04-25 07:29:34 +0000[diff] [blame]2739 {
Ronald Cron209cae92022-06-07 10:30:19 +0200[diff] [blame]2740 if( ssl->session_negotiate->peer_cert != NULL )
2741 {
2742 mbedtls_ssl_handshake_set_state(
2743 ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY );
2744 }
2745 else
Ronald Cron19385882022-06-15 16:26:13 +0200[diff] [blame]2746 {
2747 MBEDTLS_SSL_DEBUG_MSG( 2, ( "skip parse certificate verify" ) );
Ronald Cron209cae92022-06-07 10:30:19 +0200[diff] [blame]2748 mbedtls_ssl_handshake_set_state(
2749 ssl, MBEDTLS_SSL_CLIENT_FINISHED );
Ronald Cron19385882022-06-15 16:26:13 +0200[diff] [blame]2750 }
XiaokangQian6b916b12022-04-25 07:29:34 +0000[diff] [blame]2751 }
2752 break;
2753
2754 case MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY:
2755 ret = mbedtls_ssl_tls13_process_certificate_verify( ssl );
2756 if( ret == 0 )
2757 {
2758 mbedtls_ssl_handshake_set_state(
2759 ssl, MBEDTLS_SSL_CLIENT_FINISHED );
2760 }
2761 break;
2762
Jerry Yue67bef42022-07-07 07:29:42 +0000[diff] [blame]2763#if defined(MBEDTLS_SSL_SESSION_TICKETS)
2764 case MBEDTLS_SSL_NEW_SESSION_TICKET:
2765 ret = ssl_tls13_write_new_session_ticket( ssl );
2766 if( ret != 0 )
2767 {
2768 MBEDTLS_SSL_DEBUG_RET( 1,
2769 "ssl_tls13_write_new_session_ticket ",
2770 ret );
2771 }
2772 break;
2773 case MBEDTLS_SSL_NEW_SESSION_TICKET_FLUSH:
2774 /* This state is necessary to do the flush of the New Session
2775 * Ticket message written in MBEDTLS_SSL_NEW_SESSION_TICKET
2776 * as part of ssl_prepare_handshake_step.
2777 */
2778 ret = 0;
2779 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_HANDSHAKE_OVER );
2780 break;
2781
2782#endif /* MBEDTLS_SSL_SESSION_TICKETS */
2783
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]2784 default:
2785 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) );
XiaokangQian060d8672022-04-21 09:24:56 +0000[diff] [blame]2786 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]2787 }
2788
2789 return( ret );
Jerry Yub9930e72021-08-06 17:11:51 +0800[diff] [blame]2790}
Jerry Yu3cc4c2a2021-08-06 16:29:08 +0800[diff] [blame]2791
Jerry Yufb4b6472022-01-27 15:03:26 +0800[diff] [blame]2792#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_PROTO_TLS1_3 */