TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / eb69aee6af8cd0901fb34d3088fd99b78e9658ed / . / library / ssl_tls13_client.c
blob: 62f00fac8c023de0816691e440bc24f34bb9c71f [file] [log] [blame]
Jerry Yu3cc4c2a2021-08-06 16:29:08 +0800[diff] [blame]1/*
2 * TLS 1.3 client-side functions
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 *
19 * This file is part of mbed TLS ( https://tls.mbed.org )
20 */
21
22#include "common.h"
23
Jerry Yucc43c6b2022-01-28 10:24:45 +0800[diff] [blame]24#if defined(MBEDTLS_SSL_CLI_C) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
Jerry Yu3cc4c2a2021-08-06 16:29:08 +0800[diff] [blame]25
Jerry Yubc20bdd2021-08-24 15:59:48 +0800[diff] [blame]26#include <string.h>
27
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]28#include "mbedtls/debug.h"
29#include "mbedtls/error.h"
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]30#include "mbedtls/platform.h"
Jerry Yua13c7e72021-08-17 10:44:40 +0800[diff] [blame]31
Jerry Yubdc71882021-09-14 19:30:36 +0800[diff] [blame]32#include "ssl_misc.h"
Ronald Cron3d580bf2022-02-18 17:24:56 +0100[diff] [blame]33#include "ssl_client.h"
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]34#include "ssl_tls13_keys.h"
Jerry Yubdc71882021-09-14 19:30:36 +0800[diff] [blame]35
Jerry Yubc20bdd2021-08-24 15:59:48 +0800[diff] [blame]36/* Write extensions */
37
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]38/*
39 * ssl_tls13_write_supported_versions_ext():
40 *
41 * struct {
42 * ProtocolVersion versions<2..254>;
43 * } SupportedVersions;
44 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]45MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yuf4436812021-08-26 22:59:56 +0800[diff] [blame]46static int ssl_tls13_write_supported_versions_ext( mbedtls_ssl_context *ssl,
Jerry Yueecfbf02021-08-30 18:32:07 +0800[diff] [blame]47 unsigned char *buf,
48 unsigned char *end,
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]49 size_t *out_len )
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]50{
51 unsigned char *p = buf;
Glenn Strausscd78df62022-04-07 19:07:11 -0400[diff] [blame]52 unsigned char versions_len = ( ssl->handshake->min_tls_version <=
53 MBEDTLS_SSL_VERSION_TLS1_2 ) ? 4 : 2;
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]54
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]55 *out_len = 0;
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]56
Jerry Yu159c5a02021-08-31 12:51:25 +0800[diff] [blame]57 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding supported versions extension" ) );
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]58
Jerry Yu388bd0d2021-09-15 18:41:02 +0800[diff] [blame]59 /* Check if we have space to write the extension:
Jerry Yub60e3cf2021-09-08 16:41:02 +0800[diff] [blame]60 * - extension_type (2 bytes)
61 * - extension_data_length (2 bytes)
62 * - versions_length (1 byte )
Ronald Crona77fc272022-03-30 17:20:47 +0200[diff] [blame]63 * - versions (2 or 4 bytes)
Jerry Yu159c5a02021-08-31 12:51:25 +0800[diff] [blame]64 */
Ronald Crona77fc272022-03-30 17:20:47 +0200[diff] [blame]65 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 5 + versions_len );
Ronald Crondbe87f02022-02-10 14:35:27 +0100[diff] [blame]66
Jerry Yueecfbf02021-08-30 18:32:07 +0800[diff] [blame]67 MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS, p, 0 );
Ronald Crondbe87f02022-02-10 14:35:27 +0100[diff] [blame]68 MBEDTLS_PUT_UINT16_BE( versions_len + 1, p, 2 );
Jerry Yueecfbf02021-08-30 18:32:07 +0800[diff] [blame]69 p += 4;
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]70
Jerry Yu1bc2c1f2021-09-01 12:57:29 +0800[diff] [blame]71 /* Length of versions */
Ronald Crondbe87f02022-02-10 14:35:27 +0100[diff] [blame]72 *p++ = versions_len;
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]73
Jerry Yu0c63af62021-09-02 12:59:12 +0800[diff] [blame]74 /* Write values of supported versions.
Jerry Yu0c63af62021-09-02 12:59:12 +0800[diff] [blame]75 * They are defined by the configuration.
Ronald Crondbe87f02022-02-10 14:35:27 +0100[diff] [blame]76 * Currently, we advertise only TLS 1.3 or both TLS 1.3 and TLS 1.2.
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]77 */
Glenn Strausse3af4cb2022-03-15 03:23:42 -0400[diff] [blame]78 mbedtls_ssl_write_version( p, MBEDTLS_SSL_TRANSPORT_STREAM,
79 MBEDTLS_SSL_VERSION_TLS1_3 );
Ronald Crondbe87f02022-02-10 14:35:27 +0100[diff] [blame]80 MBEDTLS_SSL_DEBUG_MSG( 3, ( "supported version: [3:4]" ) );
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]81
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]82
Glenn Strausscd78df62022-04-07 19:07:11 -0400[diff] [blame]83 if( ssl->handshake->min_tls_version <= MBEDTLS_SSL_VERSION_TLS1_2 )
Ronald Crondbe87f02022-02-10 14:35:27 +0100[diff] [blame]84 {
Glenn Strausse3af4cb2022-03-15 03:23:42 -0400[diff] [blame]85 mbedtls_ssl_write_version( p + 2, MBEDTLS_SSL_TRANSPORT_STREAM,
86 MBEDTLS_SSL_VERSION_TLS1_2 );
Ronald Crondbe87f02022-02-10 14:35:27 +0100[diff] [blame]87 MBEDTLS_SSL_DEBUG_MSG( 3, ( "supported version: [3:3]" ) );
88 }
89
90 *out_len = 5 + versions_len;
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]91
92 return( 0 );
93}
Jerry Yubc20bdd2021-08-24 15:59:48 +0800[diff] [blame]94
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]95MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yuc068b662021-10-11 22:30:19 +0800[diff] [blame]96static int ssl_tls13_parse_supported_versions_ext( mbedtls_ssl_context *ssl,
97 const unsigned char *buf,
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]98 const unsigned char *end )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]99{
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]100 ((void) ssl);
101
Ronald Cron98473382022-03-30 20:04:10 +0200[diff] [blame]102 MBEDTLS_SSL_CHK_BUF_READ_PTR( buf, end, 2 );
Glenn Strausse3af4cb2022-03-15 03:23:42 -0400[diff] [blame]103 if( mbedtls_ssl_read_version( buf, ssl->conf->transport ) !=
104 MBEDTLS_SSL_VERSION_TLS1_3 )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]105 {
106 MBEDTLS_SSL_DEBUG_MSG( 1, ( "unexpected version" ) );
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]107
108 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
109 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
110 return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]111 }
112
Ronald Cron98473382022-03-30 20:04:10 +0200[diff] [blame]113 if( &buf[2] != end )
114 {
115 MBEDTLS_SSL_DEBUG_MSG( 1, ( "supported_versions ext data length incorrect" ) );
116 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
117 MBEDTLS_ERR_SSL_DECODE_ERROR );
118 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
119 }
120
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]121 return( 0 );
122}
123
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]124#if defined(MBEDTLS_SSL_ALPN)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]125MBEDTLS_CHECK_RETURN_CRITICAL
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]126static int ssl_tls13_parse_alpn_ext( mbedtls_ssl_context *ssl,
Ronald Cron81a334f2022-05-31 16:04:11 +0200[diff] [blame]127 const unsigned char *buf, size_t len )
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]128{
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]129 const unsigned char *p = buf;
130 const unsigned char *end = buf + len;
Ronald Cron81a334f2022-05-31 16:04:11 +0200[diff] [blame]131 size_t protocol_name_list_len, protocol_name_len;
132 const unsigned char *protocol_name_list_end;
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]133
134 /* If we didn't send it, the server shouldn't send it */
135 if( ssl->conf->alpn_list == NULL )
136 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
137
138 /*
139 * opaque ProtocolName<1..2^8-1>;
140 *
141 * struct {
142 * ProtocolName protocol_name_list<2..2^16-1>
143 * } ProtocolNameList;
144 *
145 * the "ProtocolNameList" MUST contain exactly one "ProtocolName"
146 */
147
Ronald Cron81a334f2022-05-31 16:04:11 +0200[diff] [blame]148 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
149 protocol_name_list_len = MBEDTLS_GET_UINT16_BE( p, 0 );
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]150 p += 2;
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]151
Ronald Cron81a334f2022-05-31 16:04:11 +0200[diff] [blame]152 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, protocol_name_list_len );
153 protocol_name_list_end = p + protocol_name_list_len;
154
155 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, protocol_name_list_end, 1 );
156 protocol_name_len = *p++;
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]157
158 /* Check that the server chosen protocol was in our list and save it */
Ronald Cron81a334f2022-05-31 16:04:11 +0200[diff] [blame]159 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, protocol_name_list_end, protocol_name_len );
160 for( const char **alpn = ssl->conf->alpn_list; *alpn != NULL; alpn++ )
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]161 {
Ronald Cron81a334f2022-05-31 16:04:11 +0200[diff] [blame]162 if( protocol_name_len == strlen( *alpn ) &&
163 memcmp( p, *alpn, protocol_name_len ) == 0 )
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]164 {
165 ssl->alpn_chosen = *alpn;
166 return( 0 );
167 }
168 }
169
170 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
171}
172#endif /* MBEDTLS_SSL_ALPN */
173
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]174MBEDTLS_CHECK_RETURN_CRITICAL
XiaokangQian16acd4b2022-01-14 07:35:47 +0000[diff] [blame]175static int ssl_tls13_reset_key_share( mbedtls_ssl_context *ssl )
XiaokangQian647719a2021-12-07 09:16:29 +0000[diff] [blame]176{
177 uint16_t group_id = ssl->handshake->offered_group_id;
Ronald Cron5b98ac92022-03-15 10:19:18 +0100[diff] [blame]178
XiaokangQian647719a2021-12-07 09:16:29 +0000[diff] [blame]179 if( group_id == 0 )
180 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
181
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]182#if defined(MBEDTLS_ECDH_C)
XiaokangQian647719a2021-12-07 09:16:29 +0000[diff] [blame]183 if( mbedtls_ssl_tls13_named_group_is_ecdhe( group_id ) )
XiaokangQian78b1fa72022-01-19 06:56:30 +0000[diff] [blame]184 {
Ronald Cron5b98ac92022-03-15 10:19:18 +0100[diff] [blame]185 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
186 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
187
188 /* Destroy generated private key. */
189 status = psa_destroy_key( ssl->handshake->ecdh_psa_privkey );
190 if( status != PSA_SUCCESS )
191 {
192 ret = psa_ssl_status_to_mbedtls( status );
193 MBEDTLS_SSL_DEBUG_RET( 1, "psa_destroy_key", ret );
194 return( ret );
195 }
196
197 ssl->handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
XiaokangQian78b1fa72022-01-19 06:56:30 +0000[diff] [blame]198 return( 0 );
199 }
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]200 else
201#endif /* MBEDTLS_ECDH_C */
202 if( 0 /* other KEMs? */ )
XiaokangQian647719a2021-12-07 09:16:29 +0000[diff] [blame]203 {
204 /* Do something */
205 }
206
207 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
208}
209
210/*
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]211 * Functions for writing key_share extension.
212 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]213MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yub60e3cf2021-09-08 16:41:02 +0800[diff] [blame]214static int ssl_tls13_get_default_group_id( mbedtls_ssl_context *ssl,
215 uint16_t *group_id )
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]216{
217 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
218
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]219
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]220#if defined(MBEDTLS_ECDH_C)
Brett Warren14efd332021-10-06 09:32:11 +0100[diff] [blame]221 const uint16_t *group_list = mbedtls_ssl_get_groups( ssl );
Jerry Yu388bd0d2021-09-15 18:41:02 +0800[diff] [blame]222 /* Pick first available ECDHE group compatible with TLS 1.3 */
Brett Warren14efd332021-10-06 09:32:11 +0100[diff] [blame]223 if( group_list == NULL )
Jerry Yu388bd0d2021-09-15 18:41:02 +0800[diff] [blame]224 return( MBEDTLS_ERR_SSL_BAD_CONFIG );
225
Brett Warren14efd332021-10-06 09:32:11 +0100[diff] [blame]226 for ( ; *group_list != 0; group_list++ )
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]227 {
Xiaofei Baieef15042021-11-18 07:29:56 +0000[diff] [blame]228 const mbedtls_ecp_curve_info *curve_info;
229 curve_info = mbedtls_ecp_curve_info_from_tls_id( *group_list );
230 if( curve_info != NULL &&
Brett Warren14efd332021-10-06 09:32:11 +0100[diff] [blame]231 mbedtls_ssl_tls13_named_group_is_ecdhe( *group_list ) )
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]232 {
Brett Warren14efd332021-10-06 09:32:11 +0100[diff] [blame]233 *group_id = *group_list;
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]234 return( 0 );
235 }
236 }
237#else
238 ((void) ssl);
Jerry Yub60e3cf2021-09-08 16:41:02 +0800[diff] [blame]239 ((void) group_id);
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]240#endif /* MBEDTLS_ECDH_C */
241
242 /*
243 * Add DHE named groups here.
Jerry Yu388bd0d2021-09-15 18:41:02 +0800[diff] [blame]244 * Pick first available DHE group compatible with TLS 1.3
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]245 */
246
247 return( ret );
248}
249
250/*
251 * ssl_tls13_write_key_share_ext
252 *
Jerry Yu388bd0d2021-09-15 18:41:02 +0800[diff] [blame]253 * Structure of key_share extension in ClientHello:
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]254 *
255 * struct {
256 * NamedGroup group;
257 * opaque key_exchange<1..2^16-1>;
258 * } KeyShareEntry;
259 * struct {
260 * KeyShareEntry client_shares<0..2^16-1>;
261 * } KeyShareClientHello;
262 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]263MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]264static int ssl_tls13_write_key_share_ext( mbedtls_ssl_context *ssl,
265 unsigned char *buf,
266 unsigned char *end,
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]267 size_t *out_len )
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]268{
269 unsigned char *p = buf;
Xiaofei Baieef15042021-11-18 07:29:56 +0000[diff] [blame]270 unsigned char *client_shares; /* Start of client_shares */
271 size_t client_shares_len; /* Length of client_shares */
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]272 uint16_t group_id;
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]273 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
274
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]275 *out_len = 0;
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]276
Jerry Yub60e3cf2021-09-08 16:41:02 +0800[diff] [blame]277 /* Check if we have space for header and length fields:
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]278 * - extension_type (2 bytes)
279 * - extension_data_length (2 bytes)
280 * - client_shares_length (2 bytes)
281 */
282 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 6 );
283 p += 6;
284
285 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello: adding key share extension" ) );
286
287 /* HRR could already have requested something else. */
288 group_id = ssl->handshake->offered_group_id;
Jerry Yub60e3cf2021-09-08 16:41:02 +0800[diff] [blame]289 if( !mbedtls_ssl_tls13_named_group_is_ecdhe( group_id ) &&
290 !mbedtls_ssl_tls13_named_group_is_dhe( group_id ) )
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]291 {
Jerry Yub60e3cf2021-09-08 16:41:02 +0800[diff] [blame]292 MBEDTLS_SSL_PROC_CHK( ssl_tls13_get_default_group_id( ssl,
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]293 &group_id ) );
294 }
295
296 /*
297 * Dispatch to type-specific key generation function.
298 *
299 * So far, we're only supporting ECDHE. With the introduction
300 * of PQC KEMs, we'll want to have multiple branches, one per
301 * type of KEM, and dispatch to the corresponding crypto. And
302 * only one key share entry is allowed.
303 */
Xiaofei Baieef15042021-11-18 07:29:56 +0000[diff] [blame]304 client_shares = p;
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]305#if defined(MBEDTLS_ECDH_C)
Jerry Yub60e3cf2021-09-08 16:41:02 +0800[diff] [blame]306 if( mbedtls_ssl_tls13_named_group_is_ecdhe( group_id ) )
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]307 {
Jerry Yu388bd0d2021-09-15 18:41:02 +0800[diff] [blame]308 /* Pointer to group */
Xiaofei Baieef15042021-11-18 07:29:56 +0000[diff] [blame]309 unsigned char *group = p;
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]310 /* Length of key_exchange */
Przemyslaw Stekiel4f419e52022-02-10 15:56:26 +0100[diff] [blame]311 size_t key_exchange_len = 0;
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]312
313 /* Check there is space for header of KeyShareEntry
314 * - group (2 bytes)
315 * - key_exchange_length (2 bytes)
316 */
317 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 4 );
318 p += 4;
Jerry Yu89e103c2022-03-30 22:43:29 +0800[diff] [blame]319 ret = mbedtls_ssl_tls13_generate_and_write_ecdh_key_exchange(
320 ssl, group_id, p, end, &key_exchange_len );
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]321 p += key_exchange_len;
322 if( ret != 0 )
323 return( ret );
324
325 /* Write group */
Xiaofei Baieef15042021-11-18 07:29:56 +0000[diff] [blame]326 MBEDTLS_PUT_UINT16_BE( group_id, group, 0 );
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]327 /* Write key_exchange_length */
Xiaofei Baieef15042021-11-18 07:29:56 +0000[diff] [blame]328 MBEDTLS_PUT_UINT16_BE( key_exchange_len, group, 2 );
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]329 }
330 else
331#endif /* MBEDTLS_ECDH_C */
332 if( 0 /* other KEMs? */ )
333 {
334 /* Do something */
335 }
336 else
337 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
338
Jerry Yub60e3cf2021-09-08 16:41:02 +0800[diff] [blame]339 /* Length of client_shares */
Xiaofei Baieef15042021-11-18 07:29:56 +0000[diff] [blame]340 client_shares_len = p - client_shares;
Jerry Yub60e3cf2021-09-08 16:41:02 +0800[diff] [blame]341 if( client_shares_len == 0)
342 {
343 MBEDTLS_SSL_DEBUG_MSG( 1, ( "No key share defined." ) );
344 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Jerry Yu7c522d42021-09-08 17:55:09 +0800[diff] [blame]345 }
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]346 /* Write extension_type */
347 MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_KEY_SHARE, buf, 0 );
348 /* Write extension_data_length */
Jerry Yub60e3cf2021-09-08 16:41:02 +0800[diff] [blame]349 MBEDTLS_PUT_UINT16_BE( client_shares_len + 2, buf, 2 );
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]350 /* Write client_shares_length */
Jerry Yub60e3cf2021-09-08 16:41:02 +0800[diff] [blame]351 MBEDTLS_PUT_UINT16_BE( client_shares_len, buf, 4 );
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]352
353 /* Update offered_group_id field */
354 ssl->handshake->offered_group_id = group_id;
355
356 /* Output the total length of key_share extension. */
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]357 *out_len = p - buf;
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]358
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]359 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, key_share extension", buf, *out_len );
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]360
361 ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_KEY_SHARE;
362
363cleanup:
364
365 return( ret );
366}
Jerry Yubc20bdd2021-08-24 15:59:48 +0800[diff] [blame]367
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]368
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]369/*
370 * ssl_tls13_parse_hrr_key_share_ext()
371 * Parse key_share extension in Hello Retry Request
372 *
373 * struct {
374 * NamedGroup selected_group;
375 * } KeyShareHelloRetryRequest;
376 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]377MBEDTLS_CHECK_RETURN_CRITICAL
XiaokangQiand9e068e2022-01-18 06:23:32 +0000[diff] [blame]378static int ssl_tls13_parse_hrr_key_share_ext( mbedtls_ssl_context *ssl,
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]379 const unsigned char *buf,
380 const unsigned char *end )
381{
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]382 const mbedtls_ecp_curve_info *curve_info = NULL;
383 const unsigned char *p = buf;
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]384 int selected_group;
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]385 int found = 0;
386
387 const uint16_t *group_list = mbedtls_ssl_get_groups( ssl );
388 if( group_list == NULL )
389 return( MBEDTLS_ERR_SSL_BAD_CONFIG );
390
391 MBEDTLS_SSL_DEBUG_BUF( 3, "key_share extension", p, end - buf );
392
393 /* Read selected_group */
XiaokangQianb48894e2022-01-17 02:05:52 +0000[diff] [blame]394 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]395 selected_group = MBEDTLS_GET_UINT16_BE( p, 0 );
396 MBEDTLS_SSL_DEBUG_MSG( 3, ( "selected_group ( %d )", selected_group ) );
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]397
398 /* Upon receipt of this extension in a HelloRetryRequest, the client
399 * MUST first verify that the selected_group field corresponds to a
400 * group which was provided in the "supported_groups" extension in the
401 * original ClientHello.
402 * The supported_group was based on the info in ssl->conf->group_list.
403 *
404 * If the server provided a key share that was not sent in the ClientHello
405 * then the client MUST abort the handshake with an "illegal_parameter" alert.
406 */
XiaokangQiand9e068e2022-01-18 06:23:32 +0000[diff] [blame]407 for( ; *group_list != 0; group_list++ )
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]408 {
409 curve_info = mbedtls_ecp_curve_info_from_tls_id( *group_list );
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]410 if( curve_info == NULL || curve_info->tls_id != selected_group )
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]411 continue;
412
413 /* We found a match */
414 found = 1;
415 break;
416 }
417
418 /* Client MUST verify that the selected_group field does not
419 * correspond to a group which was provided in the "key_share"
420 * extension in the original ClientHello. If the server sent an
421 * HRR message with a key share already provided in the
422 * ClientHello then the client MUST abort the handshake with
423 * an "illegal_parameter" alert.
424 */
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]425 if( found == 0 || selected_group == ssl->handshake->offered_group_id )
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]426 {
427 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Invalid key share in HRR" ) );
428 MBEDTLS_SSL_PEND_FATAL_ALERT(
429 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
430 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
431 return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
432 }
433
434 /* Remember server's preference for next ClientHello */
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]435 ssl->handshake->offered_group_id = selected_group;
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]436
437 return( 0 );
438}
439
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]440/*
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]441 * ssl_tls13_parse_key_share_ext()
442 * Parse key_share extension in Server Hello
443 *
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]444 * struct {
445 * KeyShareEntry server_share;
446 * } KeyShareServerHello;
447 * struct {
448 * NamedGroup group;
449 * opaque key_exchange<1..2^16-1>;
450 * } KeyShareEntry;
451 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]452MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]453static int ssl_tls13_parse_key_share_ext( mbedtls_ssl_context *ssl,
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]454 const unsigned char *buf,
455 const unsigned char *end )
456{
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]457 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]458 const unsigned char *p = buf;
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]459 uint16_t group, offered_group;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]460
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]461 /* ...
462 * NamedGroup group; (2 bytes)
463 * ...
464 */
465 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
466 group = MBEDTLS_GET_UINT16_BE( p, 0 );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]467 p += 2;
468
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]469 /* Check that the chosen group matches the one we offered. */
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]470 offered_group = ssl->handshake->offered_group_id;
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]471 if( offered_group != group )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]472 {
473 MBEDTLS_SSL_DEBUG_MSG( 1,
474 ( "Invalid server key share, our group %u, their group %u",
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]475 (unsigned) offered_group, (unsigned) group ) );
476 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
477 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
478 return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]479 }
480
481#if defined(MBEDTLS_ECDH_C)
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]482 if( mbedtls_ssl_tls13_named_group_is_ecdhe( group ) )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]483 {
Przemyslaw Stekiel9e23ddb2022-02-10 10:32:02 +0100[diff] [blame]484 const mbedtls_ecp_curve_info *curve_info =
485 mbedtls_ecp_curve_info_from_tls_id( group );
486 if( curve_info == NULL )
487 {
488 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Invalid TLS curve group id" ) );
489 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
490 }
491
492 MBEDTLS_SSL_DEBUG_MSG( 2, ( "ECDH curve: %s", curve_info->name ) );
493
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000[diff] [blame]494 ret = mbedtls_ssl_tls13_read_public_ecdhe_share( ssl, p, end - p );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]495 if( ret != 0 )
496 return( ret );
497 }
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]498 else
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]499#endif /* MBEDTLS_ECDH_C */
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]500 if( 0 /* other KEMs? */ )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]501 {
502 /* Do something */
503 }
504 else
505 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
506
507 ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_KEY_SHARE;
508 return( ret );
509}
510
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]511/*
512 * ssl_tls13_parse_cookie_ext()
513 * Parse cookie extension in Hello Retry Request
514 *
515 * struct {
516 * opaque cookie<1..2^16-1>;
517 * } Cookie;
518 *
519 * When sending a HelloRetryRequest, the server MAY provide a "cookie"
520 * extension to the client (this is an exception to the usual rule that
521 * the only extensions that may be sent are those that appear in the
522 * ClientHello). When sending the new ClientHello, the client MUST copy
523 * the contents of the extension received in the HelloRetryRequest into
524 * a "cookie" extension in the new ClientHello. Clients MUST NOT use
525 * cookies in their initial ClientHello in subsequent connections.
526 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]527MBEDTLS_CHECK_RETURN_CRITICAL
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]528static int ssl_tls13_parse_cookie_ext( mbedtls_ssl_context *ssl,
529 const unsigned char *buf,
530 const unsigned char *end )
531{
XiaokangQian25c9c902022-02-08 10:49:53 +0000[diff] [blame]532 uint16_t cookie_len;
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]533 const unsigned char *p = buf;
534 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
535
536 /* Retrieve length field of cookie */
537 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
538 cookie_len = MBEDTLS_GET_UINT16_BE( p, 0 );
539 p += 2;
540
541 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, cookie_len );
542 MBEDTLS_SSL_DEBUG_BUF( 3, "cookie extension", p, cookie_len );
543
XiaokangQian9b93c0d2022-02-09 06:02:25 +0000[diff] [blame]544 mbedtls_free( handshake->cookie );
XiaokangQian25c9c902022-02-08 10:49:53 +0000[diff] [blame]545 handshake->hrr_cookie_len = 0;
XiaokangQian9b93c0d2022-02-09 06:02:25 +0000[diff] [blame]546 handshake->cookie = mbedtls_calloc( 1, cookie_len );
547 if( handshake->cookie == NULL )
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]548 {
549 MBEDTLS_SSL_DEBUG_MSG( 1,
XiaokangQian25c9c902022-02-08 10:49:53 +0000[diff] [blame]550 ( "alloc failed ( %ud bytes )",
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]551 cookie_len ) );
552 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
553 }
554
XiaokangQian9b93c0d2022-02-09 06:02:25 +0000[diff] [blame]555 memcpy( handshake->cookie, p, cookie_len );
XiaokangQian25c9c902022-02-08 10:49:53 +0000[diff] [blame]556 handshake->hrr_cookie_len = cookie_len;
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]557
558 return( 0 );
559}
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]560
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]561MBEDTLS_CHECK_RETURN_CRITICAL
XiaokangQian0b64eed2022-01-27 10:36:51 +0000[diff] [blame]562static int ssl_tls13_write_cookie_ext( mbedtls_ssl_context *ssl,
XiaokangQian233397e2022-02-07 08:32:16 +0000[diff] [blame]563 unsigned char *buf,
564 unsigned char *end,
XiaokangQian9deb90f2022-02-08 10:31:07 +0000[diff] [blame]565 size_t *out_len )
XiaokangQian0b64eed2022-01-27 10:36:51 +0000[diff] [blame]566{
567 unsigned char *p = buf;
XiaokangQian9deb90f2022-02-08 10:31:07 +0000[diff] [blame]568 *out_len = 0;
XiaokangQianc02768a2022-02-10 07:31:25 +0000[diff] [blame]569 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
XiaokangQian0b64eed2022-01-27 10:36:51 +0000[diff] [blame]570
XiaokangQianc02768a2022-02-10 07:31:25 +0000[diff] [blame]571 if( handshake->cookie == NULL )
XiaokangQian0b64eed2022-01-27 10:36:51 +0000[diff] [blame]572 {
573 MBEDTLS_SSL_DEBUG_MSG( 3, ( "no cookie to send; skip extension" ) );
574 return( 0 );
575 }
576
577 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, cookie",
XiaokangQianc02768a2022-02-10 07:31:25 +0000[diff] [blame]578 handshake->cookie,
579 handshake->hrr_cookie_len );
XiaokangQian0b64eed2022-01-27 10:36:51 +0000[diff] [blame]580
XiaokangQianc02768a2022-02-10 07:31:25 +0000[diff] [blame]581 MBEDTLS_SSL_CHK_BUF_PTR( p, end, handshake->hrr_cookie_len + 6 );
XiaokangQian0b64eed2022-01-27 10:36:51 +0000[diff] [blame]582
583 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding cookie extension" ) );
584
XiaokangQian0b64eed2022-01-27 10:36:51 +0000[diff] [blame]585 MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_COOKIE, p, 0 );
XiaokangQianc02768a2022-02-10 07:31:25 +0000[diff] [blame]586 MBEDTLS_PUT_UINT16_BE( handshake->hrr_cookie_len + 2, p, 2 );
587 MBEDTLS_PUT_UINT16_BE( handshake->hrr_cookie_len, p, 4 );
XiaokangQian233397e2022-02-07 08:32:16 +0000[diff] [blame]588 p += 6;
XiaokangQian0b64eed2022-01-27 10:36:51 +0000[diff] [blame]589
590 /* Cookie */
XiaokangQianc02768a2022-02-10 07:31:25 +0000[diff] [blame]591 memcpy( p, handshake->cookie, handshake->hrr_cookie_len );
XiaokangQian0b64eed2022-01-27 10:36:51 +0000[diff] [blame]592
XiaokangQianc02768a2022-02-10 07:31:25 +0000[diff] [blame]593 *out_len = handshake->hrr_cookie_len + 6;
XiaokangQian0b64eed2022-01-27 10:36:51 +0000[diff] [blame]594
595 return( 0 );
596}
597
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame^]598#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
599/*
600 * ssl_tls13_write_psk_key_exchange_modes_ext() structure:
601 *
602 * enum { psk_ke( 0 ), psk_dhe_ke( 1 ), ( 255 ) } PskKeyExchangeMode;
603 *
604 * struct {
605 * PskKeyExchangeMode ke_modes<1..255>;
606 * } PskKeyExchangeModes;
607 */
608static int ssl_tls13_write_psk_key_exchange_modes_ext( mbedtls_ssl_context *ssl,
609 unsigned char *buf,
610 unsigned char *end,
611 size_t *out_len )
612{
613 const unsigned char *psk;
614 size_t psk_len;
615 const unsigned char *psk_identity;
616 size_t psk_identity_len;
617 unsigned char *p = buf;
618 int num_modes = 0;
619
620 ((void) num_modes );
621 *out_len = 0;
622 /* Skip writing extension if no PSK key exchange mode
623 * is enabled in the config.
624 */
625 if( !mbedtls_ssl_conf_tls13_some_psk_enabled( ssl ) ||
626 mbedtls_ssl_get_psk_to_offer( ssl, &psk, &psk_len,
627 &psk_identity, &psk_identity_len ) != 0 )
628 {
629 MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip psk_key_exchange_modes extension" ) );
630 return( 0 );
631 }
632
633 /* Require 7 bytes of data, otherwise fail,
634 * even if extension might be shorter.
635 */
636 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 7 );
637 MBEDTLS_SSL_DEBUG_MSG(
638 3, ( "client hello, adding psk_key_exchange_modes extension" ) );
639
640 /* Extension Type */
641 MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES, p, 0 );
642
643 /* Skip extension length (2 byte) and
644 * PSK mode list length (1 byte) for now.
645 */
646 p += 5;
647
648 if( mbedtls_ssl_conf_tls13_psk_enabled( ssl ) )
649 {
650 *p++ = MBEDTLS_SSL_TLS1_3_PSK_MODE_PURE;
651 num_modes++;
652
653 MBEDTLS_SSL_DEBUG_MSG( 4, ( "Adding pure PSK key exchange mode" ) );
654 }
655
656 if( mbedtls_ssl_conf_tls13_psk_ephemeral_enabled( ssl ) )
657 {
658 *p++ = MBEDTLS_SSL_TLS1_3_PSK_MODE_ECDHE;
659 num_modes++;
660
661 MBEDTLS_SSL_DEBUG_MSG( 4, ( "Adding PSK-ECDHE key exchange mode" ) );
662 }
663
664 /* Add extension length: PSK mode list length byte + actual
665 * PSK mode list length
666 */
667 MBEDTLS_PUT_UINT16_BE( num_modes + 1, buf, 2 );
668 /* Add PSK mode list length */
669 buf[4] = num_modes;
670
671 *out_len = p - buf;
672 ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_PSK_KEY_EXCHANGE_MODES;
673 return ( 0 );
674}
675#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
676
677/*
678 * mbedtls_ssl_tls13_write_pre_shared_key_ext() structure:
679 *
680 * struct {
681 * opaque identity<1..2^16-1>;
682 * uint32 obfuscated_ticket_age;
683 * } PskIdentity;
684 *
685 * opaque PskBinderEntry<32..255>;
686 *
687 * struct {
688 * select ( Handshake.msg_type ) {
689 *
690 * case client_hello:
691 * PskIdentity identities<7..2^16-1>;
692 * PskBinderEntry binders<33..2^16-1>;
693 *
694 * case server_hello:
695 * uint16 selected_identity;
696 * };
697 *
698 * } PreSharedKeyExtension;
699 *
700 *
701 * part = 0 ==> everything up to the PSK binder list,
702 * returning the binder list length in `binder_list_length`.
703 * part = 1 ==> the PSK binder list
704 */
705
706#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
707
708int mbedtls_ssl_tls13_write_pre_shared_key_ext_without_binders(
709 mbedtls_ssl_context *ssl,
710 unsigned char *buf, unsigned char *end,
711 size_t *out_len, size_t *binders_len )
712{
713 unsigned char *p = buf;
714 const unsigned char *psk;
715 size_t psk_len;
716 const unsigned char *psk_identity;
717 size_t psk_identity_len;
718 const mbedtls_ssl_ciphersuite_t *suite_info = NULL;
719 const int *ciphersuites;
720 int hash_len = 0;
721 size_t identities_len, l_binders_len;
722 uint32_t obfuscated_ticket_age = 0;
723 psa_algorithm_t psa_hash_alg;
724
725 *out_len = 0;
726 *binders_len = 0;
727
728 /* Check if we have any PSKs to offer. If so, return the first.
729 *
730 * NOTE: Ultimately, we want to be able to offer multiple PSKs,
731 * in which case we want to iterate over them here.
732 *
733 * As it stands, however, we only ever offer one, chosen
734 * by the following heuristic:
735 * - If a ticket has been configured, offer the corresponding PSK.
736 * - If no ticket has been configured by an external PSK has been
737 * configured, offer that.
738 * - Otherwise, skip the PSK extension.
739 */
740
741 if( mbedtls_ssl_get_psk_to_offer( ssl, &psk, &psk_len,
742 &psk_identity, &psk_identity_len ) != 0 )
743 {
744 MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip pre_shared_key extensions" ) );
745 return( 0 );
746 }
747
748 /*
749 * Ciphersuite list
750 */
751 ciphersuites = ssl->conf->ciphersuite_list;
752 for ( int i = 0; ciphersuites[i] != 0; i++ )
753 {
754 suite_info = mbedtls_ssl_ciphersuite_from_id( ciphersuites[i] );
755
756 if( suite_info == NULL )
757 continue;
758
759 /* In this implementation we only add one pre-shared-key extension. */
760 ssl->session_negotiate->ciphersuite = ciphersuites[i];
761 ssl->handshake->ciphersuite_info = suite_info;
762 break;
763 }
764
765 if( suite_info != NULL )
766 {
767 psa_hash_alg = mbedtls_psa_translate_md( suite_info->mac );
768 hash_len = PSA_HASH_LENGTH( psa_hash_alg );
769 }
770 if( hash_len == -1 )
771 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
772
773 /* Check if we have space to write the extension, binder included.
774 * - extension_type (2 bytes)
775 * - extension_data_len (2 bytes)
776 * - identities_len (2 bytes)
777 * - identity_len (2 bytes)
778 * - identity (psk_identity_len bytes)
779 * - obfuscated_ticket_age (4 bytes)
780 * - binders_len (2 bytes)
781 * - binder_len (1 byte)
782 * - binder (hash_len bytes)
783 */
784
785 identities_len = 6 + psk_identity_len;
786 l_binders_len = 1 + hash_len;
787 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 4 + 2 + identities_len + 2 + l_binders_len );
788
789 MBEDTLS_SSL_DEBUG_MSG( 3,
790 ( "client hello, adding pre_shared_key extension, "
791 "omitting PSK binder list" ) );
792
793 /* Extension header */
794 MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_PRE_SHARED_KEY, p, 0 );
795 MBEDTLS_PUT_UINT16_BE( 2 + identities_len + 2 + l_binders_len , p, 2 );
796
797 MBEDTLS_PUT_UINT16_BE( identities_len, p, 4 );
798 MBEDTLS_PUT_UINT16_BE( psk_identity_len, p, 6 );
799 p += 8;
800 memcpy( p, psk_identity, psk_identity_len );
801 p += psk_identity_len;
802
803 /* add obfuscated ticket age */
804 MBEDTLS_PUT_UINT32_BE( obfuscated_ticket_age, p, 0 );
805 p += 4;
806
807 *out_len = ( p - buf ) + l_binders_len + 2;
808 *binders_len = l_binders_len + 2;
809
810 ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_PRE_SHARED_KEY;
811
812 return( 0 );
813}
814
815int mbedtls_ssl_tls13_write_pre_shared_key_ext_binders(
816 mbedtls_ssl_context *ssl,
817 unsigned char *buf, unsigned char *end )
818{
819 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
820 unsigned char *p = buf;
821 const mbedtls_ssl_ciphersuite_t *suite_info = NULL;
822 const int *ciphersuites;
823 int hash_len = 0;
824 const unsigned char *psk;
825 size_t psk_len;
826 const unsigned char *psk_identity;
827 size_t psk_identity_len;
828 int psk_type;
829 unsigned char transcript[MBEDTLS_MD_MAX_SIZE];
830 size_t transcript_len;
831 psa_algorithm_t psa_hash_alg;
832
833 /* Check if we have any PSKs to offer. If so, return the first.
834 *
835 * NOTE: Ultimately, we want to be able to offer multiple PSKs,
836 * in which case we want to iterate over them here.
837 *
838 * As it stands, however, we only ever offer one, chosen
839 * by the following heuristic:
840 * - If a ticket has been configured, offer the corresponding PSK.
841 * - If no ticket has been configured by an external PSK has been
842 * configured, offer that.
843 * - Otherwise, skip the PSK extension.
844 */
845
846 if( mbedtls_ssl_get_psk_to_offer( ssl, &psk, &psk_len,
847 &psk_identity, &psk_identity_len ) != 0 )
848 {
849 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
850 }
851
852 /*
853 * Ciphersuite list
854 */
855 ciphersuites = ssl->conf->ciphersuite_list;
856 for ( int i = 0; ciphersuites[i] != 0; i++ )
857 {
858 suite_info = mbedtls_ssl_ciphersuite_from_id( ciphersuites[i] );
859
860 if( suite_info == NULL )
861 continue;
862
863 /* In this implementation we only add one pre-shared-key extension. */
864 ssl->session_negotiate->ciphersuite = ciphersuites[i];
865 ssl->handshake->ciphersuite_info = suite_info;
866 break;
867 }
868
869 if( suite_info != NULL )
870 {
871 psa_hash_alg = mbedtls_psa_translate_md( suite_info->mac );
872 hash_len = PSA_HASH_LENGTH( psa_hash_alg );
873 }
874 if( ( hash_len == -1 ) || ( ( end - buf ) != 3 + hash_len ) )
875 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
876
877 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding PSK binder list" ) );
878
879 /* 2 bytes length field for array of psk binders */
880 MBEDTLS_PUT_UINT16_BE( hash_len + 1, p, 0 );
881 p += 2;
882
883 /* 1 bytes length field for next psk binder */
884 *p++ = MBEDTLS_BYTE_0( hash_len );
885
886 if( ssl->handshake->resume == 1 )
887 psk_type = MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION;
888 else
889 psk_type = MBEDTLS_SSL_TLS1_3_PSK_EXTERNAL;
890
891 /* Get current state of handshake transcript. */
892 ret = mbedtls_ssl_get_handshake_transcript( ssl, suite_info->mac,
893 transcript, sizeof( transcript ),
894 &transcript_len );
895 if( ret != 0 )
896 return( ret );
897
898 ret = mbedtls_ssl_tls13_create_psk_binder( ssl,
899 mbedtls_psa_translate_md( suite_info->mac ),
900 psk, psk_len, psk_type,
901 transcript, p );
902 if( ret != 0 )
903 {
904 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_create_psk_binder", ret );
905 return( ret );
906 }
907
908 return( 0 );
909}
910#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
911
Ronald Cron3d580bf2022-02-18 17:24:56 +0100[diff] [blame]912int mbedtls_ssl_tls13_write_client_hello_exts( mbedtls_ssl_context *ssl,
913 unsigned char *buf,
914 unsigned char *end,
915 size_t *out_len )
Ronald Cron04fbd2b2022-02-18 12:06:07 +0100[diff] [blame]916{
917 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
918 unsigned char *p = buf;
919 size_t ext_len;
920
921 *out_len = 0;
922
923 /* Write supported_versions extension
924 *
925 * Supported Versions Extension is mandatory with TLS 1.3.
926 */
927 ret = ssl_tls13_write_supported_versions_ext( ssl, p, end, &ext_len );
928 if( ret != 0 )
929 return( ret );
930 p += ext_len;
931
932 /* Echo the cookie if the server provided one in its preceding
933 * HelloRetryRequest message.
934 */
935 ret = ssl_tls13_write_cookie_ext( ssl, p, end, &ext_len );
936 if( ret != 0 )
937 return( ret );
938 p += ext_len;
939
Ronald Cron04fbd2b2022-02-18 12:06:07 +0100[diff] [blame]940 if( mbedtls_ssl_conf_tls13_some_ephemeral_enabled( ssl ) )
941 {
942 ret = ssl_tls13_write_key_share_ext( ssl, p, end, &ext_len );
943 if( ret != 0 )
944 return( ret );
945 p += ext_len;
946 }
Ronald Cron04fbd2b2022-02-18 12:06:07 +0100[diff] [blame]947
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame^]948#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
949 /* For PSK-based key exchange we need the pre_shared_key extension
950 * and the psk_key_exchange_modes extension.
951 *
952 * The pre_shared_key extension MUST be the last extension in the
953 * ClientHello. Servers MUST check that it is the last extension and
954 * otherwise fail the handshake with an "illegal_parameter" alert.
955 *
956 * Add the psk_key_exchange_modes extension.
957 */
958 ret = ssl_tls13_write_psk_key_exchange_modes_ext( ssl, p, end, &ext_len );
959 if( ret != 0 )
960 return( ret );
961 p += ext_len;
962#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
963
Ronald Cron04fbd2b2022-02-18 12:06:07 +0100[diff] [blame]964 *out_len = p - buf;
965
966 return( 0 );
967}
968
Jerry Yu1bc2c1f2021-09-01 12:57:29 +0800[diff] [blame]969/*
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]970 * Functions for parsing and processing Server Hello
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]971 */
Ronald Cronfd6193c2022-04-05 11:04:20 +0200[diff] [blame]972
Ronald Cronda41b382022-03-30 09:57:11 +0200[diff] [blame]973/**
974 * \brief Detect if the ServerHello contains a supported_versions extension
975 * or not.
976 *
977 * \param[in] ssl SSL context
978 * \param[in] buf Buffer containing the ServerHello message
979 * \param[in] end End of the buffer containing the ServerHello message
980 *
981 * \return 0 if the ServerHello does not contain a supported_versions extension
982 * \return 1 if the ServerHello contains a supported_versions extension
983 * \return A negative value if an error occurred while parsing the ServerHello.
984 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]985MBEDTLS_CHECK_RETURN_CRITICAL
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]986static int ssl_tls13_is_supported_versions_ext_present(
987 mbedtls_ssl_context *ssl,
988 const unsigned char *buf,
989 const unsigned char *end )
990{
991 const unsigned char *p = buf;
992 size_t legacy_session_id_echo_len;
993 size_t extensions_len;
994 const unsigned char *extensions_end;
995
996 /*
997 * Check there is enough data to access the legacy_session_id_echo vector
Ronald Cronda41b382022-03-30 09:57:11 +0200[diff] [blame]998 * length:
999 * - legacy_version 2 bytes
1000 * - random MBEDTLS_SERVER_HELLO_RANDOM_LEN bytes
1001 * - legacy_session_id_echo length 1 byte
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]1002 */
1003 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, MBEDTLS_SERVER_HELLO_RANDOM_LEN + 3 );
1004 p += MBEDTLS_SERVER_HELLO_RANDOM_LEN + 2;
1005 legacy_session_id_echo_len = *p;
1006
1007 /*
1008 * Jump to the extensions, jumping over:
1009 * - legacy_session_id_echo (legacy_session_id_echo_len + 1) bytes
1010 * - cipher_suite 2 bytes
1011 * - legacy_compression_method 1 byte
1012 */
Ronald Cron28271062022-06-10 14:43:55 +0200[diff] [blame]1013 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, legacy_session_id_echo_len + 4 );
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]1014 p += legacy_session_id_echo_len + 4;
1015
1016 /* Case of no extension */
1017 if( p == end )
1018 return( 0 );
1019
1020 /* ...
1021 * Extension extensions<6..2^16-1>;
1022 * ...
1023 * struct {
1024 * ExtensionType extension_type; (2 bytes)
1025 * opaque extension_data<0..2^16-1>;
1026 * } Extension;
1027 */
1028 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
1029 extensions_len = MBEDTLS_GET_UINT16_BE( p, 0 );
1030 p += 2;
1031
1032 /* Check extensions do not go beyond the buffer of data. */
1033 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, extensions_len );
1034 extensions_end = p + extensions_len;
1035
1036 while( p < extensions_end )
1037 {
1038 unsigned int extension_type;
1039 size_t extension_data_len;
1040
1041 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, 4 );
1042 extension_type = MBEDTLS_GET_UINT16_BE( p, 0 );
1043 extension_data_len = MBEDTLS_GET_UINT16_BE( p, 2 );
1044 p += 4;
1045
1046 if( extension_type == MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS )
1047 return( 1 );
1048
1049 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, extension_data_len );
1050 p += extension_data_len;
1051 }
1052
1053 return( 0 );
1054}
1055
Jerry Yu7a186a02021-10-15 18:46:14 +0800[diff] [blame]1056/* Returns a negative value on failure, and otherwise
Ronald Cronfd6193c2022-04-05 11:04:20 +0200[diff] [blame]1057 * - 1 if the last eight bytes of the ServerHello random bytes indicate that
1058 * the server is TLS 1.3 capable but negotiating TLS 1.2 or below.
1059 * - 0 otherwise
1060 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1061MBEDTLS_CHECK_RETURN_CRITICAL
Ronald Cronfd6193c2022-04-05 11:04:20 +0200[diff] [blame]1062static int ssl_tls13_is_downgrade_negotiation( mbedtls_ssl_context *ssl,
1063 const unsigned char *buf,
1064 const unsigned char *end )
1065{
1066 /* First seven bytes of the magic downgrade strings, see RFC 8446 4.1.3 */
1067 static const unsigned char magic_downgrade_string[] =
1068 { 0x44, 0x4F, 0x57, 0x4E, 0x47, 0x52, 0x44 };
1069 const unsigned char *last_eight_bytes_of_random;
1070 unsigned char last_byte_of_random;
1071
1072 MBEDTLS_SSL_CHK_BUF_READ_PTR( buf, end, MBEDTLS_SERVER_HELLO_RANDOM_LEN + 2 );
1073 last_eight_bytes_of_random = buf + 2 + MBEDTLS_SERVER_HELLO_RANDOM_LEN - 8;
1074
1075 if( memcmp( last_eight_bytes_of_random,
1076 magic_downgrade_string,
1077 sizeof( magic_downgrade_string ) ) == 0 )
1078 {
1079 last_byte_of_random = last_eight_bytes_of_random[7];
1080 return( last_byte_of_random == 0 ||
1081 last_byte_of_random == 1 );
1082 }
1083
1084 return( 0 );
1085}
1086
1087/* Returns a negative value on failure, and otherwise
Ronald Cron828aff62022-05-31 12:04:31 +0200[diff] [blame]1088 * - SSL_SERVER_HELLO or
1089 * - SSL_SERVER_HELLO_HRR
XiaokangQian51eff222021-12-10 10:33:56 +0000[diff] [blame]1090 * to indicate which message is expected and to be parsed next.
1091 */
Ronald Cron828aff62022-05-31 12:04:31 +0200[diff] [blame]1092#define SSL_SERVER_HELLO 0
1093#define SSL_SERVER_HELLO_HRR 1
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1094MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1095static int ssl_server_hello_is_hrr( mbedtls_ssl_context *ssl,
1096 const unsigned char *buf,
1097 const unsigned char *end )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1098{
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1099
1100 /* Check whether this message is a HelloRetryRequest ( HRR ) message.
1101 *
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1102 * Server Hello and HRR are only distinguished by Random set to the
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1103 * special value of the SHA-256 of "HelloRetryRequest".
1104 *
1105 * struct {
1106 * ProtocolVersion legacy_version = 0x0303;
1107 * Random random;
1108 * opaque legacy_session_id_echo<0..32>;
1109 * CipherSuite cipher_suite;
1110 * uint8 legacy_compression_method = 0;
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1111 * Extension extensions<6..2^16-1>;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1112 * } ServerHello;
1113 *
1114 */
Jerry Yu93a13f22022-04-11 23:00:01 +0800[diff] [blame]1115 MBEDTLS_SSL_CHK_BUF_READ_PTR( buf, end,
1116 2 + sizeof( mbedtls_ssl_tls13_hello_retry_request_magic ) );
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1117
Jerry Yu93a13f22022-04-11 23:00:01 +0800[diff] [blame]1118 if( memcmp( buf + 2, mbedtls_ssl_tls13_hello_retry_request_magic,
1119 sizeof( mbedtls_ssl_tls13_hello_retry_request_magic ) ) == 0 )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1120 {
Ronald Cron828aff62022-05-31 12:04:31 +0200[diff] [blame]1121 return( SSL_SERVER_HELLO_HRR );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1122 }
1123
Ronald Cron828aff62022-05-31 12:04:31 +0200[diff] [blame]1124 return( SSL_SERVER_HELLO );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1125}
1126
Ronald Cron828aff62022-05-31 12:04:31 +0200[diff] [blame]1127/*
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1128 * Returns a negative value on failure, and otherwise
Ronald Cron828aff62022-05-31 12:04:31 +0200[diff] [blame]1129 * - SSL_SERVER_HELLO or
1130 * - SSL_SERVER_HELLO_HRR or
1131 * - SSL_SERVER_HELLO_TLS1_2
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1132 */
Ronald Cron828aff62022-05-31 12:04:31 +0200[diff] [blame]1133#define SSL_SERVER_HELLO_TLS1_2 2
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1134MBEDTLS_CHECK_RETURN_CRITICAL
Ronald Cron828aff62022-05-31 12:04:31 +0200[diff] [blame]1135static int ssl_tls13_preprocess_server_hello( mbedtls_ssl_context *ssl,
Ronald Crondb5dfa12022-05-31 11:44:38 +0200[diff] [blame]1136 const unsigned char *buf,
1137 const unsigned char *end )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1138{
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1139 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Ronald Cron5afb9042022-05-31 12:11:39 +0200[diff] [blame]1140 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1141
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]1142 MBEDTLS_SSL_PROC_CHK_NEG( ssl_tls13_is_supported_versions_ext_present(
Ronald Crondb5dfa12022-05-31 11:44:38 +0200[diff] [blame]1143 ssl, buf, end ) );
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]1144 if( ret == 0 )
1145 {
Ronald Cronfd6193c2022-04-05 11:04:20 +0200[diff] [blame]1146 MBEDTLS_SSL_PROC_CHK_NEG(
Ronald Crondb5dfa12022-05-31 11:44:38 +0200[diff] [blame]1147 ssl_tls13_is_downgrade_negotiation( ssl, buf, end ) );
Ronald Cronfd6193c2022-04-05 11:04:20 +0200[diff] [blame]1148
1149 /* If the server is negotiating TLS 1.2 or below and:
1150 * . we did not propose TLS 1.2 or
1151 * . the server responded it is TLS 1.3 capable but negotiating a lower
1152 * version of the protocol and thus we are under downgrade attack
1153 * abort the handshake with an "illegal parameter" alert.
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]1154 */
Ronald Cron5afb9042022-05-31 12:11:39 +0200[diff] [blame]1155 if( handshake->min_tls_version > MBEDTLS_SSL_VERSION_TLS1_2 || ret )
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]1156 {
1157 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
1158 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
1159 return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
1160 }
1161
1162 ssl->keep_current_message = 1;
Glenn Strauss60bfe602022-03-14 19:04:24 -0400[diff] [blame]1163 ssl->tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]1164 mbedtls_ssl_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_SERVER_HELLO,
Ronald Crondb5dfa12022-05-31 11:44:38 +0200[diff] [blame]1165 buf, (size_t)(end - buf) );
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]1166
1167 if( mbedtls_ssl_conf_tls13_some_ephemeral_enabled( ssl ) )
1168 {
1169 ret = ssl_tls13_reset_key_share( ssl );
1170 if( ret != 0 )
1171 return( ret );
1172 }
1173
Ronald Cron828aff62022-05-31 12:04:31 +0200[diff] [blame]1174 return( SSL_SERVER_HELLO_TLS1_2 );
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]1175 }
1176
Ronald Cron5afb9042022-05-31 12:11:39 +0200[diff] [blame]1177 handshake->extensions_present = MBEDTLS_SSL_EXT_NONE;
1178
Ronald Crondb5dfa12022-05-31 11:44:38 +0200[diff] [blame]1179 ret = ssl_server_hello_is_hrr( ssl, buf, end );
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1180 switch( ret )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1181 {
Ronald Cron828aff62022-05-31 12:04:31 +0200[diff] [blame]1182 case SSL_SERVER_HELLO:
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1183 MBEDTLS_SSL_DEBUG_MSG( 2, ( "received ServerHello message" ) );
1184 break;
Ronald Cron828aff62022-05-31 12:04:31 +0200[diff] [blame]1185 case SSL_SERVER_HELLO_HRR:
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1186 MBEDTLS_SSL_DEBUG_MSG( 2, ( "received HelloRetryRequest message" ) );
XiaokangQian16acd4b2022-01-14 07:35:47 +0000[diff] [blame]1187 /* If a client receives a second
1188 * HelloRetryRequest in the same connection (i.e., where the ClientHello
1189 * was itself in response to a HelloRetryRequest), it MUST abort the
1190 * handshake with an "unexpected_message" alert.
1191 */
Ronald Cron5afb9042022-05-31 12:11:39 +0200[diff] [blame]1192 if( handshake->hello_retry_request_count > 0 )
XiaokangQian16acd4b2022-01-14 07:35:47 +0000[diff] [blame]1193 {
1194 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Multiple HRRs received" ) );
1195 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE,
1196 MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
1197 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
1198 }
XiaokangQian2b01dc32022-01-21 02:53:13 +0000[diff] [blame]1199 /*
1200 * Clients must abort the handshake with an "illegal_parameter"
1201 * alert if the HelloRetryRequest would not result in any change
1202 * in the ClientHello.
1203 * In a PSK only key exchange that what we expect.
1204 */
1205 if( ! mbedtls_ssl_conf_tls13_some_ephemeral_enabled( ssl ) )
1206 {
1207 MBEDTLS_SSL_DEBUG_MSG( 1,
1208 ( "Unexpected HRR in pure PSK key exchange." ) );
1209 MBEDTLS_SSL_PEND_FATAL_ALERT(
1210 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
1211 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
1212 return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
1213 }
XiaokangQian16acd4b2022-01-14 07:35:47 +0000[diff] [blame]1214
Ronald Cron5afb9042022-05-31 12:11:39 +0200[diff] [blame]1215 handshake->hello_retry_request_count++;
XiaokangQian16acd4b2022-01-14 07:35:47 +0000[diff] [blame]1216
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1217 break;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1218 }
1219
1220cleanup:
1221
1222 return( ret );
1223}
1224
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1225MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1226static int ssl_tls13_check_server_hello_session_id_echo( mbedtls_ssl_context *ssl,
1227 const unsigned char **buf,
1228 const unsigned char *end )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1229{
1230 const unsigned char *p = *buf;
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1231 size_t legacy_session_id_echo_len;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1232
Jerry Yude4fb2c2021-09-19 18:05:08 +0800[diff] [blame]1233 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 1 );
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1234 legacy_session_id_echo_len = *p++ ;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1235
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1236 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, legacy_session_id_echo_len );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1237
1238 /* legacy_session_id_echo */
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1239 if( ssl->session_negotiate->id_len != legacy_session_id_echo_len ||
1240 memcmp( ssl->session_negotiate->id, p , legacy_session_id_echo_len ) != 0 )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1241 {
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1242 MBEDTLS_SSL_DEBUG_BUF( 3, "Expected Session ID",
1243 ssl->session_negotiate->id,
1244 ssl->session_negotiate->id_len );
1245 MBEDTLS_SSL_DEBUG_BUF( 3, "Received Session ID", p,
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1246 legacy_session_id_echo_len );
1247
1248 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
1249 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
1250
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1251 return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
1252 }
1253
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1254 p += legacy_session_id_echo_len;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1255 *buf = p;
1256
1257 MBEDTLS_SSL_DEBUG_BUF( 3, "Session ID", ssl->session_negotiate->id,
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1258 ssl->session_negotiate->id_len );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1259 return( 0 );
1260}
1261
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame^]1262#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
1263/*
1264 * struct {
1265 * opaque identity<1..2^16-1>;
1266 * uint32 obfuscated_ticket_age;
1267 * } PskIdentity;
1268 *
1269 * opaque PskBinderEntry<32..255>;
1270 *
1271 * struct {
1272 * select ( Handshake.msg_type ) {
1273 * case client_hello:
1274 * PskIdentity identities<7..2^16-1>;
1275 * PskBinderEntry binders<33..2^16-1>;
1276 * case server_hello:
1277 * uint16 selected_identity;
1278 * };
1279 *
1280 * } PreSharedKeyExtension;
1281 *
1282 */
1283
1284static int ssl_tls13_parse_server_psk_identity_ext( mbedtls_ssl_context *ssl,
1285 const unsigned char *buf,
1286 size_t len )
1287{
1288 int ret = 0;
1289 size_t selected_identity;
1290
1291 const unsigned char *psk;
1292 size_t psk_len;
1293 const unsigned char *psk_identity;
1294 size_t psk_identity_len;
1295
1296
1297 /* Check which PSK we've offered.
1298 *
1299 * NOTE: Ultimately, we want to offer multiple PSKs, and in this
1300 * case, we need to iterate over them here.
1301 */
1302 if( mbedtls_ssl_get_psk_to_offer( ssl, &psk, &psk_len,
1303 &psk_identity, &psk_identity_len ) != 0 )
1304 {
1305 /* If we haven't offered a PSK, the server must not send
1306 * a PSK identity extension. */
1307 return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
1308 }
1309
1310 if( len != (size_t) 2 )
1311 {
1312 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad psk_identity extension in server hello message" ) );
1313 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
1314 }
1315
1316 selected_identity = MBEDTLS_GET_UINT16_BE( buf, 0 );
1317
1318 /* We have offered only one PSK, so the only valid choice
1319 * for the server is PSK index 0.
1320 *
1321 * This will change once we support multiple PSKs. */
1322 if( selected_identity > 0 )
1323 {
1324 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Server's chosen PSK identity out of range" ) );
1325
1326 if( ( ret = mbedtls_ssl_send_alert_message( ssl,
1327 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1328 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ) ) != 0 )
1329 {
1330 return( ret );
1331 }
1332
1333 return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
1334 }
1335
1336 /* Set the chosen PSK
1337 *
1338 * TODO: We don't have to do this in case we offered 0-RTT and the
1339 * server accepted it, because in this case we've already
1340 * set the handshake PSK. */
1341 ret = mbedtls_ssl_set_hs_psk( ssl, psk, psk_len );
1342 if( ret != 0 )
1343 {
1344 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_set_hs_psk", ret );
1345 return( ret );
1346 }
1347
1348 ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_PRE_SHARED_KEY;
1349 return( 0 );
1350}
1351
1352#endif
1353
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1354/* Parse ServerHello message and configure context
1355 *
1356 * struct {
1357 * ProtocolVersion legacy_version = 0x0303; // TLS 1.2
1358 * Random random;
1359 * opaque legacy_session_id_echo<0..32>;
1360 * CipherSuite cipher_suite;
1361 * uint8 legacy_compression_method = 0;
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1362 * Extension extensions<6..2^16-1>;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1363 * } ServerHello;
1364 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1365MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yuc068b662021-10-11 22:30:19 +0800[diff] [blame]1366static int ssl_tls13_parse_server_hello( mbedtls_ssl_context *ssl,
1367 const unsigned char *buf,
XiaokangQiand9e068e2022-01-18 06:23:32 +0000[diff] [blame]1368 const unsigned char *end,
1369 int is_hrr )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1370{
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1371 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1372 const unsigned char *p = buf;
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]1373 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1374 size_t extensions_len;
1375 const unsigned char *extensions_end;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1376 uint16_t cipher_suite;
Jerry Yude4fb2c2021-09-19 18:05:08 +0800[diff] [blame]1377 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
XiaokangQianb119a352022-01-26 03:29:10 +0000[diff] [blame]1378 int fatal_alert = 0;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1379
1380 /*
1381 * Check there is space for minimal fields
1382 *
1383 * - legacy_version ( 2 bytes)
Jerry Yue6d7e5c2021-10-26 10:44:32 +0800[diff] [blame]1384 * - random (MBEDTLS_SERVER_HELLO_RANDOM_LEN bytes)
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1385 * - legacy_session_id_echo ( 1 byte ), minimum size
1386 * - cipher_suite ( 2 bytes)
1387 * - legacy_compression_method ( 1 byte )
1388 */
Jerry Yue6d7e5c2021-10-26 10:44:32 +0800[diff] [blame]1389 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, MBEDTLS_SERVER_HELLO_RANDOM_LEN + 6 );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1390
1391 MBEDTLS_SSL_DEBUG_BUF( 4, "server hello", p, end - p );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1392 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, version", p, 2 );
1393
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1394 /* ...
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1395 * ProtocolVersion legacy_version = 0x0303; // TLS 1.2
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1396 * ...
1397 * with ProtocolVersion defined as:
1398 * uint16 ProtocolVersion;
1399 */
Glenn Strausse3af4cb2022-03-15 03:23:42 -0400[diff] [blame]1400 if( mbedtls_ssl_read_version( p, ssl->conf->transport ) !=
1401 MBEDTLS_SSL_VERSION_TLS1_2 )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1402 {
1403 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Unsupported version of TLS." ) );
1404 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION,
1405 MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION );
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1406 ret = MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION;
1407 goto cleanup;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1408 }
1409 p += 2;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1410
Jerry Yue6d7e5c2021-10-26 10:44:32 +0800[diff] [blame]1411 /* ...
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1412 * Random random;
1413 * ...
1414 * with Random defined as:
Jerry Yue6d7e5c2021-10-26 10:44:32 +0800[diff] [blame]1415 * opaque Random[MBEDTLS_SERVER_HELLO_RANDOM_LEN];
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1416 */
XiaokangQian53f20b72022-01-18 10:47:33 +0000[diff] [blame]1417 if( !is_hrr )
1418 {
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]1419 memcpy( &handshake->randbytes[MBEDTLS_CLIENT_HELLO_RANDOM_LEN], p,
XiaokangQian53f20b72022-01-18 10:47:33 +0000[diff] [blame]1420 MBEDTLS_SERVER_HELLO_RANDOM_LEN );
1421 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, random bytes",
1422 p, MBEDTLS_SERVER_HELLO_RANDOM_LEN );
1423 }
Jerry Yue6d7e5c2021-10-26 10:44:32 +0800[diff] [blame]1424 p += MBEDTLS_SERVER_HELLO_RANDOM_LEN;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1425
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1426 /* ...
1427 * opaque legacy_session_id_echo<0..32>;
1428 * ...
1429 */
1430 if( ssl_tls13_check_server_hello_session_id_echo( ssl, &p, end ) != 0 )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1431 {
XiaokangQian52da5582022-01-26 09:49:29 +0000[diff] [blame]1432 fatal_alert = MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER;
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1433 goto cleanup;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1434 }
1435
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1436 /* ...
1437 * CipherSuite cipher_suite;
1438 * ...
1439 * with CipherSuite defined as:
1440 * uint8 CipherSuite[2];
1441 */
1442 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1443 cipher_suite = MBEDTLS_GET_UINT16_BE( p, 0 );
1444 p += 2;
1445
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1446
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]1447 ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( cipher_suite );
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1448 /*
Ronald Cronba120bb2022-03-30 22:09:48 +0200[diff] [blame]1449 * Check whether this ciphersuite is valid and offered.
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1450 */
Glenn Strauss60bfe602022-03-14 19:04:24 -0400[diff] [blame]1451 if( ( mbedtls_ssl_validate_ciphersuite( ssl, ciphersuite_info,
1452 ssl->tls_version,
1453 ssl->tls_version ) != 0 ) ||
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]1454 !mbedtls_ssl_tls13_cipher_suite_is_offered( ssl, cipher_suite ) )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1455 {
XiaokangQian52da5582022-01-26 09:49:29 +0000[diff] [blame]1456 fatal_alert = MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1457 }
XiaokangQian53f20b72022-01-18 10:47:33 +0000[diff] [blame]1458 /*
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]1459 * If we received an HRR before and that the proposed selected
1460 * ciphersuite in this server hello is not the same as the one
1461 * proposed in the HRR, we abort the handshake and send an
1462 * "illegal_parameter" alert.
XiaokangQian53f20b72022-01-18 10:47:33 +0000[diff] [blame]1463 */
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]1464 else if( ( !is_hrr ) && ( handshake->hello_retry_request_count > 0 ) &&
1465 ( cipher_suite != ssl->session_negotiate->ciphersuite ) )
XiaokangQian53f20b72022-01-18 10:47:33 +0000[diff] [blame]1466 {
XiaokangQian52da5582022-01-26 09:49:29 +0000[diff] [blame]1467 fatal_alert = MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER;
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]1468 }
XiaokangQian53f20b72022-01-18 10:47:33 +0000[diff] [blame]1469
XiaokangQian52da5582022-01-26 09:49:29 +0000[diff] [blame]1470 if( fatal_alert == MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER )
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]1471 {
1472 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid ciphersuite(%04x) parameter",
1473 cipher_suite ) );
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1474 goto cleanup;
XiaokangQian53f20b72022-01-18 10:47:33 +0000[diff] [blame]1475 }
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1476
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1477 /* Configure ciphersuites */
1478 mbedtls_ssl_optimize_checksum( ssl, ciphersuite_info );
1479
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]1480 handshake->ciphersuite_info = ciphersuite_info;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1481 ssl->session_negotiate->ciphersuite = cipher_suite;
1482
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1483 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: ( %04x ) - %s",
1484 cipher_suite, ciphersuite_info->name ) );
1485
1486#if defined(MBEDTLS_HAVE_TIME)
1487 ssl->session_negotiate->start = time( NULL );
1488#endif /* MBEDTLS_HAVE_TIME */
1489
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1490 /* ...
1491 * uint8 legacy_compression_method = 0;
1492 * ...
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1493 */
Jerry Yude4fb2c2021-09-19 18:05:08 +0800[diff] [blame]1494 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 1 );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1495 if( p[0] != 0 )
1496 {
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1497 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad legacy compression method" ) );
XiaokangQian52da5582022-01-26 09:49:29 +0000[diff] [blame]1498 fatal_alert = MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER;
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1499 goto cleanup;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1500 }
1501 p++;
1502
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1503 /* ...
1504 * Extension extensions<6..2^16-1>;
1505 * ...
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1506 * struct {
1507 * ExtensionType extension_type; (2 bytes)
1508 * opaque extension_data<0..2^16-1>;
1509 * } Extension;
1510 */
Jerry Yude4fb2c2021-09-19 18:05:08 +0800[diff] [blame]1511 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1512 extensions_len = MBEDTLS_GET_UINT16_BE( p, 0 );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1513 p += 2;
Jerry Yude4fb2c2021-09-19 18:05:08 +0800[diff] [blame]1514
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1515 /* Check extensions do not go beyond the buffer of data. */
1516 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, extensions_len );
1517 extensions_end = p + extensions_len;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1518
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1519 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello extensions", p, extensions_len );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1520
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1521 while( p < extensions_end )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1522 {
1523 unsigned int extension_type;
1524 size_t extension_data_len;
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]1525 const unsigned char *extension_data_end;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1526
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1527 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, 4 );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1528 extension_type = MBEDTLS_GET_UINT16_BE( p, 0 );
1529 extension_data_len = MBEDTLS_GET_UINT16_BE( p, 2 );
1530 p += 4;
1531
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1532 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, extension_data_len );
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]1533 extension_data_end = p + extension_data_len;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1534
1535 switch( extension_type )
1536 {
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]1537 case MBEDTLS_TLS_EXT_COOKIE:
1538
XiaokangQiand9e068e2022-01-18 06:23:32 +0000[diff] [blame]1539 if( !is_hrr )
1540 {
XiaokangQian52da5582022-01-26 09:49:29 +0000[diff] [blame]1541 fatal_alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT;
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1542 goto cleanup;
XiaokangQiand9e068e2022-01-18 06:23:32 +0000[diff] [blame]1543 }
1544
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]1545 ret = ssl_tls13_parse_cookie_ext( ssl,
1546 p, extension_data_end );
1547 if( ret != 0 )
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]1548 {
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]1549 MBEDTLS_SSL_DEBUG_RET( 1,
1550 "ssl_tls13_parse_cookie_ext",
1551 ret );
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1552 goto cleanup;
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]1553 }
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]1554 break;
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]1555
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1556 case MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS:
Jerry Yuc068b662021-10-11 22:30:19 +0800[diff] [blame]1557 ret = ssl_tls13_parse_supported_versions_ext( ssl,
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1558 p,
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]1559 extension_data_end );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1560 if( ret != 0 )
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1561 goto cleanup;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1562 break;
1563
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame^]1564#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1565 case MBEDTLS_TLS_EXT_PRE_SHARED_KEY:
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame^]1566 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found pre_shared_key extension" ) );
1567 if( is_hrr )
1568 {
1569 fatal_alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT;
1570 goto cleanup;
1571 }
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1572
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame^]1573 if( ( ret = ssl_tls13_parse_server_psk_identity_ext(
1574 ssl, p, extension_data_len ) ) != 0 )
1575 {
1576 MBEDTLS_SSL_DEBUG_RET(
1577 1, ( "ssl_tls13_parse_server_psk_identity_ext" ), ret );
1578 return( ret );
1579 }
1580 break;
1581#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1582
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1583 case MBEDTLS_TLS_EXT_KEY_SHARE:
1584 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found key_shares extension" ) );
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1585 if( ! mbedtls_ssl_conf_tls13_some_ephemeral_enabled( ssl ) )
1586 {
XiaokangQian52da5582022-01-26 09:49:29 +0000[diff] [blame]1587 fatal_alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT;
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1588 goto cleanup;
1589 }
1590
XiaokangQian53f20b72022-01-18 10:47:33 +0000[diff] [blame]1591 if( is_hrr )
XiaokangQiand9e068e2022-01-18 06:23:32 +0000[diff] [blame]1592 ret = ssl_tls13_parse_hrr_key_share_ext( ssl,
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]1593 p, extension_data_end );
XiaokangQian53f20b72022-01-18 10:47:33 +0000[diff] [blame]1594 else
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]1595 ret = ssl_tls13_parse_key_share_ext( ssl,
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]1596 p, extension_data_end );
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]1597 if( ret != 0 )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1598 {
1599 MBEDTLS_SSL_DEBUG_RET( 1,
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1600 "ssl_tls13_parse_key_share_ext",
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1601 ret );
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1602 goto cleanup;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1603 }
1604 break;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1605
1606 default:
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1607 MBEDTLS_SSL_DEBUG_MSG(
1608 3,
1609 ( "unknown extension found: %u ( ignoring )",
1610 extension_type ) );
1611
XiaokangQian52da5582022-01-26 09:49:29 +0000[diff] [blame]1612 fatal_alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT;
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1613 goto cleanup;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1614 }
1615
1616 p += extension_data_len;
1617 }
1618
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1619cleanup:
1620
XiaokangQian52da5582022-01-26 09:49:29 +0000[diff] [blame]1621 if( fatal_alert == MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT )
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1622 {
1623 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT,
1624 MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION );
1625 ret = MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION;
1626 }
XiaokangQian52da5582022-01-26 09:49:29 +0000[diff] [blame]1627 else if ( fatal_alert == MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER )
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1628 {
1629 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
1630 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
1631 ret = MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
1632 }
1633 return( ret );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1634}
1635
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1636MBEDTLS_CHECK_RETURN_CRITICAL
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]1637static int ssl_tls13_postprocess_server_hello( mbedtls_ssl_context *ssl )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1638{
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1639 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1640 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
Jerry Yu0b177842021-09-05 19:41:30 +0800[diff] [blame]1641
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1642 /* Determine the key exchange mode:
1643 * 1) If both the pre_shared_key and key_share extensions were received
1644 * then the key exchange mode is PSK with EPHEMERAL.
1645 * 2) If only the pre_shared_key extension was received then the key
1646 * exchange mode is PSK-only.
1647 * 3) If only the key_share extension was received then the key
1648 * exchange mode is EPHEMERAL-only.
Jerry Yu0b177842021-09-05 19:41:30 +0800[diff] [blame]1649 */
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1650 switch( handshake->extensions_present &
1651 ( MBEDTLS_SSL_EXT_PRE_SHARED_KEY | MBEDTLS_SSL_EXT_KEY_SHARE ) )
Jerry Yu0b177842021-09-05 19:41:30 +0800[diff] [blame]1652 {
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1653 /* Only the pre_shared_key extension was received */
1654 case MBEDTLS_SSL_EXT_PRE_SHARED_KEY:
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]1655 handshake->tls13_kex_modes = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK;
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1656 break;
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1657
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1658 /* Only the key_share extension was received */
1659 case MBEDTLS_SSL_EXT_KEY_SHARE:
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]1660 handshake->tls13_kex_modes = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL;
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1661 break;
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1662
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1663 /* Both the pre_shared_key and key_share extensions were received */
1664 case ( MBEDTLS_SSL_EXT_PRE_SHARED_KEY | MBEDTLS_SSL_EXT_KEY_SHARE ):
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]1665 handshake->tls13_kex_modes = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL;
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1666 break;
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1667
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1668 /* Neither pre_shared_key nor key_share extension was received */
1669 default:
1670 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Unknown key exchange." ) );
1671 ret = MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
1672 goto cleanup;
Jerry Yu0b177842021-09-05 19:41:30 +0800[diff] [blame]1673 }
1674
1675 /* Start the TLS 1.3 key schedule: Set the PSK and derive early secret.
1676 *
1677 * TODO: We don't have to do this in case we offered 0-RTT and the
1678 * server accepted it. In this case, we could skip generating
1679 * the early secret. */
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]1680 ret = mbedtls_ssl_tls13_key_schedule_stage_early( ssl );
Jerry Yu0b177842021-09-05 19:41:30 +0800[diff] [blame]1681 if( ret != 0 )
1682 {
Jerry Yue110d252022-05-05 10:19:22 +0800[diff] [blame]1683 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_key_schedule_stage_early",
Jerry Yu0b177842021-09-05 19:41:30 +0800[diff] [blame]1684 ret );
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1685 goto cleanup;
Jerry Yu0b177842021-09-05 19:41:30 +0800[diff] [blame]1686 }
1687
Jerry Yuf86eb752022-05-06 11:16:55 +0800[diff] [blame]1688 ret = mbedtls_ssl_tls13_compute_handshake_transform( ssl );
Jerry Yu0b177842021-09-05 19:41:30 +0800[diff] [blame]1689 if( ret != 0 )
1690 {
Jerry Yuf86eb752022-05-06 11:16:55 +0800[diff] [blame]1691 MBEDTLS_SSL_DEBUG_RET( 1,
1692 "mbedtls_ssl_tls13_compute_handshake_transform",
Jerry Yuc068b662021-10-11 22:30:19 +0800[diff] [blame]1693 ret );
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1694 goto cleanup;
Jerry Yu0b177842021-09-05 19:41:30 +0800[diff] [blame]1695 }
1696
Jerry Yue110d252022-05-05 10:19:22 +0800[diff] [blame]1697 mbedtls_ssl_set_inbound_transform( ssl, handshake->transform_handshake );
Jerry Yu0b177842021-09-05 19:41:30 +0800[diff] [blame]1698 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Switch to handshake keys for inbound traffic" ) );
1699 ssl->session_in = ssl->session_negotiate;
1700
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1701cleanup:
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1702 if( ret != 0 )
1703 {
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1704 MBEDTLS_SSL_PEND_FATAL_ALERT(
1705 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
1706 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
1707 }
Jerry Yue110d252022-05-05 10:19:22 +0800[diff] [blame]1708
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1709 return( ret );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1710}
1711
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1712MBEDTLS_CHECK_RETURN_CRITICAL
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]1713static int ssl_tls13_postprocess_hrr( mbedtls_ssl_context *ssl )
XiaokangQian647719a2021-12-07 09:16:29 +0000[diff] [blame]1714{
1715 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1716
XiaokangQian78b1fa72022-01-19 06:56:30 +0000[diff] [blame]1717 mbedtls_ssl_session_reset_msg_layer( ssl, 0 );
XiaokangQian647719a2021-12-07 09:16:29 +0000[diff] [blame]1718
XiaokangQian78b1fa72022-01-19 06:56:30 +0000[diff] [blame]1719 /*
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]1720 * We are going to re-generate a shared secret corresponding to the group
1721 * selected by the server, which is different from the group for which we
1722 * generated a shared secret in the first client hello.
1723 * Thus, reset the shared secret.
XiaokangQian51eff222021-12-10 10:33:56 +0000[diff] [blame]1724 */
XiaokangQian16acd4b2022-01-14 07:35:47 +0000[diff] [blame]1725 ret = ssl_tls13_reset_key_share( ssl );
XiaokangQian647719a2021-12-07 09:16:29 +0000[diff] [blame]1726 if( ret != 0 )
1727 return( ret );
1728
1729 return( 0 );
1730}
1731
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1732/*
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1733 * Wait and parse ServerHello handshake message.
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]1734 * Handler for MBEDTLS_SSL_SERVER_HELLO
1735 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1736MBEDTLS_CHECK_RETURN_CRITICAL
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]1737static int ssl_tls13_process_server_hello( mbedtls_ssl_context *ssl )
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]1738{
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1739 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
XiaokangQian647719a2021-12-07 09:16:29 +0000[diff] [blame]1740 unsigned char *buf = NULL;
1741 size_t buf_len = 0;
XiaokangQian78b1fa72022-01-19 06:56:30 +0000[diff] [blame]1742 int is_hrr = 0;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1743
1744 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> %s", __func__ ) );
1745
Ronald Crondb5dfa12022-05-31 11:44:38 +0200[diff] [blame]1746 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_fetch_handshake_msg( ssl,
1747 MBEDTLS_SSL_HS_SERVER_HELLO,
1748 &buf, &buf_len ) );
1749
Ronald Cron828aff62022-05-31 12:04:31 +0200[diff] [blame]1750 ret = ssl_tls13_preprocess_server_hello( ssl, buf, buf + buf_len );
XiaokangQiand9e068e2022-01-18 06:23:32 +0000[diff] [blame]1751 if( ret < 0 )
XiaokangQian16acd4b2022-01-14 07:35:47 +0000[diff] [blame]1752 goto cleanup;
1753 else
Ronald Cron828aff62022-05-31 12:04:31 +0200[diff] [blame]1754 is_hrr = ( ret == SSL_SERVER_HELLO_HRR );
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1755
Ronald Cron828aff62022-05-31 12:04:31 +0200[diff] [blame]1756 if( ret == SSL_SERVER_HELLO_TLS1_2 )
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]1757 {
1758 ret = 0;
1759 goto cleanup;
1760 }
1761
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]1762 MBEDTLS_SSL_PROC_CHK( ssl_tls13_parse_server_hello( ssl, buf,
XiaokangQiand9e068e2022-01-18 06:23:32 +0000[diff] [blame]1763 buf + buf_len,
1764 is_hrr ) );
1765 if( is_hrr )
XiaokangQian647719a2021-12-07 09:16:29 +0000[diff] [blame]1766 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_reset_transcript_for_hrr( ssl ) );
1767
Ronald Cron8f6d39a2022-03-10 18:56:50 +0100[diff] [blame]1768 mbedtls_ssl_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_SERVER_HELLO,
1769 buf, buf_len );
XiaokangQian647719a2021-12-07 09:16:29 +0000[diff] [blame]1770
XiaokangQiand9e068e2022-01-18 06:23:32 +0000[diff] [blame]1771 if( is_hrr )
Ronald Cronfb508b82022-05-31 14:49:55 +0200[diff] [blame]1772 {
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]1773 MBEDTLS_SSL_PROC_CHK( ssl_tls13_postprocess_hrr( ssl ) );
Ronald Cronfb508b82022-05-31 14:49:55 +0200[diff] [blame]1774#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
1775 /* If not offering early data, the client sends a dummy CCS record
1776 * immediately before its second flight. This may either be before
1777 * its second ClientHello or before its encrypted handshake flight.
1778 */
1779 mbedtls_ssl_handshake_set_state( ssl,
1780 MBEDTLS_SSL_CLIENT_CCS_BEFORE_2ND_CLIENT_HELLO );
1781#else
1782 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_HELLO );
1783#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
1784 }
XiaokangQiand9e068e2022-01-18 06:23:32 +0000[diff] [blame]1785 else
Ronald Cronfb508b82022-05-31 14:49:55 +0200[diff] [blame]1786 {
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]1787 MBEDTLS_SSL_PROC_CHK( ssl_tls13_postprocess_server_hello( ssl ) );
Ronald Cronfb508b82022-05-31 14:49:55 +0200[diff] [blame]1788 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_ENCRYPTED_EXTENSIONS );
1789 }
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1790
1791cleanup:
XiaokangQiana9090612022-01-27 03:48:27 +0000[diff] [blame]1792 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= %s ( %s )", __func__,
1793 is_hrr?"HelloRetryRequest":"ServerHello" ) );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1794 return( ret );
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]1795}
1796
1797/*
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]1798 *
Ronald Cron9d6a5452022-05-30 16:05:38 +0200[diff] [blame]1799 * Handler for MBEDTLS_SSL_ENCRYPTED_EXTENSIONS
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]1800 *
1801 * The EncryptedExtensions message contains any extensions which
1802 * should be protected, i.e., any which are not needed to establish
1803 * the cryptographic context.
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]1804 */
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]1805
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]1806/* Parse EncryptedExtensions message
1807 * struct {
XiaokangQian97799ac2021-10-11 10:05:54 +0000[diff] [blame]1808 * Extension extensions<0..2^16-1>;
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]1809 * } EncryptedExtensions;
1810 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1811MBEDTLS_CHECK_RETURN_CRITICAL
XiaokangQian97799ac2021-10-11 10:05:54 +0000[diff] [blame]1812static int ssl_tls13_parse_encrypted_extensions( mbedtls_ssl_context *ssl,
1813 const unsigned char *buf,
1814 const unsigned char *end )
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]1815{
1816 int ret = 0;
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]1817 size_t extensions_len;
XiaokangQian140f0452021-10-08 08:05:53 +0000[diff] [blame]1818 const unsigned char *p = buf;
XiaokangQian8db25ff2021-10-13 05:56:18 +0000[diff] [blame]1819 const unsigned char *extensions_end;
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]1820
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]1821 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
XiaokangQian97799ac2021-10-11 10:05:54 +0000[diff] [blame]1822 extensions_len = MBEDTLS_GET_UINT16_BE( p, 0 );
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]1823 p += 2;
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]1824
XiaokangQian97799ac2021-10-11 10:05:54 +0000[diff] [blame]1825 MBEDTLS_SSL_DEBUG_BUF( 3, "encrypted extensions", p, extensions_len );
XiaokangQian8db25ff2021-10-13 05:56:18 +0000[diff] [blame]1826 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, extensions_len );
Ronald Cronc8083592022-05-31 16:24:05 +0200[diff] [blame]1827 extensions_end = p + extensions_len;
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]1828
XiaokangQian8db25ff2021-10-13 05:56:18 +0000[diff] [blame]1829 while( p < extensions_end )
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]1830 {
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]1831 unsigned int extension_type;
1832 size_t extension_data_len;
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]1833
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]1834 /*
1835 * struct {
XiaokangQian97799ac2021-10-11 10:05:54 +0000[diff] [blame]1836 * ExtensionType extension_type; (2 bytes)
1837 * opaque extension_data<0..2^16-1>;
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]1838 * } Extension;
1839 */
XiaokangQian8db25ff2021-10-13 05:56:18 +0000[diff] [blame]1840 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, 4 );
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]1841 extension_type = MBEDTLS_GET_UINT16_BE( p, 0 );
1842 extension_data_len = MBEDTLS_GET_UINT16_BE( p, 2 );
1843 p += 4;
1844
XiaokangQian8db25ff2021-10-13 05:56:18 +0000[diff] [blame]1845 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, extension_data_len );
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]1846
XiaokangQian97799ac2021-10-11 10:05:54 +0000[diff] [blame]1847 /* The client MUST check EncryptedExtensions for the
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]1848 * presence of any forbidden extensions and if any are found MUST abort
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]1849 * the handshake with an "unsupported_extension" alert.
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]1850 */
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]1851 switch( extension_type )
1852 {
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]1853
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]1854 case MBEDTLS_TLS_EXT_SUPPORTED_GROUPS:
1855 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found extensions supported groups" ) );
1856 break;
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]1857
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]1858#if defined(MBEDTLS_SSL_ALPN)
1859 case MBEDTLS_TLS_EXT_ALPN:
1860 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found alpn extension" ) );
1861
1862 if( ( ret = ssl_tls13_parse_alpn_ext( ssl, p, (size_t)extension_data_len ) ) != 0 )
1863 {
1864 return( ret );
1865 }
1866
1867 break;
1868#endif /* MBEDTLS_SSL_ALPN */
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]1869 default:
XiaokangQian97799ac2021-10-11 10:05:54 +0000[diff] [blame]1870 MBEDTLS_SSL_DEBUG_MSG(
1871 3, ( "unsupported extension found: %u ", extension_type) );
1872 MBEDTLS_SSL_PEND_FATAL_ALERT(
Jerry Yu7aa71862021-10-28 21:41:30 +0800[diff] [blame]1873 MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT,
XiaokangQian97799ac2021-10-11 10:05:54 +0000[diff] [blame]1874 MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION );
1875 return ( MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION );
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]1876 }
1877
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]1878 p += extension_data_len;
XiaokangQian97799ac2021-10-11 10:05:54 +0000[diff] [blame]1879 }
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]1880
XiaokangQian97799ac2021-10-11 10:05:54 +0000[diff] [blame]1881 /* Check that we consumed all the message. */
XiaokangQian7b2d4ef2021-10-13 10:19:02 +0000[diff] [blame]1882 if( p != end )
XiaokangQian97799ac2021-10-11 10:05:54 +0000[diff] [blame]1883 {
1884 MBEDTLS_SSL_DEBUG_MSG( 1, ( "EncryptedExtension lengths misaligned" ) );
Jerry Yu7aa71862021-10-28 21:41:30 +0800[diff] [blame]1885 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
XiaokangQian7b2d4ef2021-10-13 10:19:02 +0000[diff] [blame]1886 MBEDTLS_ERR_SSL_DECODE_ERROR );
XiaokangQian97799ac2021-10-11 10:05:54 +0000[diff] [blame]1887 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]1888 }
1889
1890 return( ret );
1891}
1892
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1893MBEDTLS_CHECK_RETURN_CRITICAL
Ronald Cron9d6a5452022-05-30 16:05:38 +0200[diff] [blame]1894static int ssl_tls13_process_encrypted_extensions( mbedtls_ssl_context *ssl )
1895{
1896 int ret;
1897 unsigned char *buf;
1898 size_t buf_len;
1899
1900 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse encrypted extensions" ) );
1901
1902 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_fetch_handshake_msg( ssl,
1903 MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS,
1904 &buf, &buf_len ) );
1905
1906 /* Process the message contents */
1907 MBEDTLS_SSL_PROC_CHK(
1908 ssl_tls13_parse_encrypted_extensions( ssl, buf, buf + buf_len ) );
1909
1910 mbedtls_ssl_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS,
1911 buf, buf_len );
1912
Ronald Cronfb508b82022-05-31 14:49:55 +0200[diff] [blame]1913#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
1914 if( mbedtls_ssl_tls13_some_psk_enabled( ssl ) )
1915 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_FINISHED );
1916 else
1917 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CERTIFICATE_REQUEST );
1918#else
1919 ((void) ssl);
1920 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_FINISHED );
1921#endif
Ronald Cron9d6a5452022-05-30 16:05:38 +0200[diff] [blame]1922
1923cleanup:
1924
1925 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse encrypted extensions" ) );
1926 return( ret );
1927
1928}
1929
Jerry Yua93ac112021-10-27 16:31:48 +0800[diff] [blame]1930#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]1931/*
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]1932 * STATE HANDLING: CertificateRequest
1933 *
Jerry Yud2674312021-10-29 10:08:19 +0800[diff] [blame]1934 */
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]1935#define SSL_CERTIFICATE_REQUEST_EXPECT_REQUEST 0
1936#define SSL_CERTIFICATE_REQUEST_SKIP 1
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]1937/* Coordination:
1938 * Deals with the ambiguity of not knowing if a CertificateRequest
1939 * will be sent. Returns a negative code on failure, or
1940 * - SSL_CERTIFICATE_REQUEST_EXPECT_REQUEST
1941 * - SSL_CERTIFICATE_REQUEST_SKIP
1942 * indicating if a Certificate Request is expected or not.
1943 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1944MBEDTLS_CHECK_RETURN_CRITICAL
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]1945static int ssl_tls13_certificate_request_coordinate( mbedtls_ssl_context *ssl )
Jerry Yud2674312021-10-29 10:08:19 +0800[diff] [blame]1946{
Xiaofei Baide3f13e2022-01-18 05:47:05 +0000[diff] [blame]1947 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yud2674312021-10-29 10:08:19 +0800[diff] [blame]1948
Xiaofei Bai7c8b6a92022-02-08 15:21:13 +0000[diff] [blame]1949 if( mbedtls_ssl_tls13_some_psk_enabled( ssl ) )
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]1950 {
1951 MBEDTLS_SSL_DEBUG_MSG( 3, ( "<= skip parse certificate request" ) );
1952 return( SSL_CERTIFICATE_REQUEST_SKIP );
1953 }
1954
1955 if( ( ret = mbedtls_ssl_read_record( ssl, 0 ) ) != 0 )
Jerry Yud2674312021-10-29 10:08:19 +0800[diff] [blame]1956 {
1957 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
1958 return( ret );
1959 }
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]1960 ssl->keep_current_message = 1;
Jerry Yud2674312021-10-29 10:08:19 +0800[diff] [blame]1961
1962 if( ( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE ) &&
1963 ( ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE_REQUEST ) )
1964 {
Ronald Cron19385882022-06-15 16:26:13 +0200[diff] [blame]1965 MBEDTLS_SSL_DEBUG_MSG( 3, ( "got a certificate request" ) );
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]1966 return( SSL_CERTIFICATE_REQUEST_EXPECT_REQUEST );
Jerry Yud2674312021-10-29 10:08:19 +0800[diff] [blame]1967 }
1968
Ronald Cron19385882022-06-15 16:26:13 +0200[diff] [blame]1969 MBEDTLS_SSL_DEBUG_MSG( 3, ( "got no certificate request" ) );
1970
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]1971 return( SSL_CERTIFICATE_REQUEST_SKIP );
1972}
1973
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]1974/*
1975 * ssl_tls13_parse_certificate_request()
1976 * Parse certificate request
1977 * struct {
1978 * opaque certificate_request_context<0..2^8-1>;
1979 * Extension extensions<2..2^16-1>;
1980 * } CertificateRequest;
1981 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1982MBEDTLS_CHECK_RETURN_CRITICAL
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]1983static int ssl_tls13_parse_certificate_request( mbedtls_ssl_context *ssl,
1984 const unsigned char *buf,
1985 const unsigned char *end )
1986{
1987 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1988 const unsigned char *p = buf;
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]1989 size_t certificate_request_context_len = 0;
Xiaofei Bai82f0a9a2022-01-26 09:21:54 +0000[diff] [blame]1990 size_t extensions_len = 0;
1991 const unsigned char *extensions_end;
1992 unsigned char sig_alg_ext_found = 0;
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]1993
Xiaofei Bai82f0a9a2022-01-26 09:21:54 +0000[diff] [blame]1994 /* ...
1995 * opaque certificate_request_context<0..2^8-1>
1996 * ...
1997 */
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]1998 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 1 );
1999 certificate_request_context_len = (size_t) p[0];
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]2000 p += 1;
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2001
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2002 if( certificate_request_context_len > 0 )
2003 {
Xiaofei Baic234ecf2022-02-08 09:59:23 +0000[diff] [blame]2004 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, certificate_request_context_len );
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2005 MBEDTLS_SSL_DEBUG_BUF( 3, "Certificate Request Context",
2006 p, certificate_request_context_len );
2007
Xiaofei Bai82f0a9a2022-01-26 09:21:54 +0000[diff] [blame]2008 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]2009 handshake->certificate_request_context =
Xiaofei Bai6d42bb42022-01-28 08:52:13 +0000[diff] [blame]2010 mbedtls_calloc( 1, certificate_request_context_len );
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]2011 if( handshake->certificate_request_context == NULL )
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2012 {
2013 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
2014 return ( MBEDTLS_ERR_SSL_ALLOC_FAILED );
2015 }
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]2016 memcpy( handshake->certificate_request_context, p,
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2017 certificate_request_context_len );
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2018 p += certificate_request_context_len;
2019 }
2020
Xiaofei Bai82f0a9a2022-01-26 09:21:54 +0000[diff] [blame]2021 /* ...
2022 * Extension extensions<2..2^16-1>;
2023 * ...
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2024 */
2025 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
2026 extensions_len = MBEDTLS_GET_UINT16_BE( p, 0 );
2027 p += 2;
2028
2029 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, extensions_len );
2030 extensions_end = p + extensions_len;
2031
2032 while( p < extensions_end )
2033 {
2034 unsigned int extension_type;
2035 size_t extension_data_len;
2036
2037 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, 4 );
2038 extension_type = MBEDTLS_GET_UINT16_BE( p, 0 );
2039 extension_data_len = MBEDTLS_GET_UINT16_BE( p, 2 );
2040 p += 4;
2041
2042 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, extension_data_len );
2043
2044 switch( extension_type )
2045 {
2046 case MBEDTLS_TLS_EXT_SIG_ALG:
2047 MBEDTLS_SSL_DEBUG_MSG( 3,
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]2048 ( "found signature algorithms extension" ) );
Gabor Mezei078e8032022-04-27 21:17:56 +0200[diff] [blame]2049 ret = mbedtls_ssl_parse_sig_alg_ext( ssl, p,
Gabor Mezei696956d2022-05-13 16:27:29 +0200[diff] [blame]2050 p + extension_data_len );
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2051 if( ret != 0 )
2052 return( ret );
Xiaofei Bai82f0a9a2022-01-26 09:21:54 +0000[diff] [blame]2053 if( ! sig_alg_ext_found )
2054 sig_alg_ext_found = 1;
2055 else
2056 {
2057 MBEDTLS_SSL_DEBUG_MSG( 3,
2058 ( "Duplicate signature algorithms extensions found" ) );
Xiaofei Baic234ecf2022-02-08 09:59:23 +0000[diff] [blame]2059 goto decode_error;
Xiaofei Bai82f0a9a2022-01-26 09:21:54 +0000[diff] [blame]2060 }
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2061 break;
2062
2063 default:
2064 MBEDTLS_SSL_DEBUG_MSG(
2065 3,
2066 ( "unknown extension found: %u ( ignoring )",
2067 extension_type ) );
Xiaofei Bai82f0a9a2022-01-26 09:21:54 +0000[diff] [blame]2068 break;
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2069 }
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2070 p += extension_data_len;
2071 }
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]2072 /* Check that we consumed all the message. */
2073 if( p != end )
2074 {
2075 MBEDTLS_SSL_DEBUG_MSG( 1,
Xiaofei Baic234ecf2022-02-08 09:59:23 +0000[diff] [blame]2076 ( "CertificateRequest misaligned" ) );
2077 goto decode_error;
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]2078 }
2079 /* Check that we found signature algorithms extension */
Xiaofei Bai82f0a9a2022-01-26 09:21:54 +0000[diff] [blame]2080 if( ! sig_alg_ext_found )
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]2081 {
Xiaofei Bai6d42bb42022-01-28 08:52:13 +0000[diff] [blame]2082 MBEDTLS_SSL_DEBUG_MSG( 3,
2083 ( "no signature algorithms extension found" ) );
Xiaofei Baic234ecf2022-02-08 09:59:23 +0000[diff] [blame]2084 goto decode_error;
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]2085 }
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2086
Jerry Yu7840f812022-01-29 10:26:51 +0800[diff] [blame]2087 ssl->handshake->client_auth = 1;
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2088 return( 0 );
Xiaofei Bai51f515a2022-02-08 07:28:04 +0000[diff] [blame]2089
Xiaofei Baic234ecf2022-02-08 09:59:23 +0000[diff] [blame]2090decode_error:
Xiaofei Bai51f515a2022-02-08 07:28:04 +0000[diff] [blame]2091 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
2092 MBEDTLS_ERR_SSL_DECODE_ERROR );
2093 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2094}
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2095
Xiaofei Baide3f13e2022-01-18 05:47:05 +0000[diff] [blame]2096/*
2097 * Handler for MBEDTLS_SSL_CERTIFICATE_REQUEST
2098 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2099MBEDTLS_CHECK_RETURN_CRITICAL
Xiaofei Baide3f13e2022-01-18 05:47:05 +0000[diff] [blame]2100static int ssl_tls13_process_certificate_request( mbedtls_ssl_context *ssl )
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2101{
Xiaofei Baide3f13e2022-01-18 05:47:05 +0000[diff] [blame]2102 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2103
2104 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) );
2105
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2106 MBEDTLS_SSL_PROC_CHK_NEG( ssl_tls13_certificate_request_coordinate( ssl ) );
2107
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2108 if( ret == SSL_CERTIFICATE_REQUEST_EXPECT_REQUEST )
2109 {
2110 unsigned char *buf;
2111 size_t buf_len;
2112
2113 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_fetch_handshake_msg( ssl,
2114 MBEDTLS_SSL_HS_CERTIFICATE_REQUEST,
2115 &buf, &buf_len ) );
2116
2117 MBEDTLS_SSL_PROC_CHK( ssl_tls13_parse_certificate_request( ssl,
2118 buf, buf + buf_len ) );
2119
Ronald Cron8f6d39a2022-03-10 18:56:50 +0100[diff] [blame]2120 mbedtls_ssl_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST,
2121 buf, buf_len );
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2122 }
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]2123 else if( ret == SSL_CERTIFICATE_REQUEST_SKIP )
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2124 {
Xiaofei Baif6d36962022-01-16 14:54:35 +0000[diff] [blame]2125 ret = 0;
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2126 }
2127 else
2128 {
2129 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
Xiaofei Bai51f515a2022-02-08 07:28:04 +0000[diff] [blame]2130 ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
2131 goto cleanup;
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2132 }
2133
Jerry Yud2674312021-10-29 10:08:19 +0800[diff] [blame]2134 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_CERTIFICATE );
2135
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2136cleanup:
2137
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2138 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate request" ) );
2139 return( ret );
Jerry Yud2674312021-10-29 10:08:19 +0800[diff] [blame]2140}
2141
2142/*
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2143 * Handler for MBEDTLS_SSL_SERVER_CERTIFICATE
2144 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2145MBEDTLS_CHECK_RETURN_CRITICAL
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]2146static int ssl_tls13_process_server_certificate( mbedtls_ssl_context *ssl )
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2147{
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]2148 int ret;
2149
2150 ret = mbedtls_ssl_tls13_process_certificate( ssl );
Xiaofei Baif93cbd22021-10-29 02:39:30 +0000[diff] [blame]2151 if( ret != 0 )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]2152 return( ret );
2153
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2154 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CERTIFICATE_VERIFY );
2155 return( 0 );
2156}
2157
2158/*
2159 * Handler for MBEDTLS_SSL_CERTIFICATE_VERIFY
2160 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2161MBEDTLS_CHECK_RETURN_CRITICAL
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]2162static int ssl_tls13_process_certificate_verify( mbedtls_ssl_context *ssl )
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2163{
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]2164 int ret;
2165
2166 ret = mbedtls_ssl_tls13_process_certificate_verify( ssl );
2167 if( ret != 0 )
2168 return( ret );
2169
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2170 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_FINISHED );
2171 return( 0 );
2172}
Jerry Yua93ac112021-10-27 16:31:48 +0800[diff] [blame]2173#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
Ronald Crond4c64022021-12-06 09:06:46 +0100[diff] [blame]2174
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2175/*
2176 * Handler for MBEDTLS_SSL_SERVER_FINISHED
2177 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2178MBEDTLS_CHECK_RETURN_CRITICAL
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]2179static int ssl_tls13_process_server_finished( mbedtls_ssl_context *ssl )
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2180{
XiaokangQianac0385c2021-11-03 06:40:11 +0000[diff] [blame]2181 int ret;
2182
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]2183 ret = mbedtls_ssl_tls13_process_finished_message( ssl );
XiaokangQianac0385c2021-11-03 06:40:11 +0000[diff] [blame]2184 if( ret != 0 )
2185 return( ret );
2186
Jerry Yue3d67cb2022-05-19 15:33:10 +0800[diff] [blame]2187 ret = mbedtls_ssl_tls13_compute_application_transform( ssl );
2188 if( ret != 0 )
2189 {
2190 MBEDTLS_SSL_PEND_FATAL_ALERT(
2191 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
2192 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
2193 return( ret );
2194 }
2195
Ronald Cron49ad6192021-11-24 16:25:31 +0100[diff] [blame]2196#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
2197 mbedtls_ssl_handshake_set_state(
2198 ssl,
2199 MBEDTLS_SSL_CLIENT_CCS_AFTER_SERVER_FINISHED );
2200#else
Jerry Yuca133a32022-02-15 14:22:05 +0800[diff] [blame]2201 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE );
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]2202#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
Ronald Cron49ad6192021-11-24 16:25:31 +0100[diff] [blame]2203
XiaokangQianac0385c2021-11-03 06:40:11 +0000[diff] [blame]2204 return( 0 );
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2205}
2206
2207/*
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]2208 * Handler for MBEDTLS_SSL_CLIENT_CERTIFICATE
2209 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2210MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]2211static int ssl_tls13_write_client_certificate( mbedtls_ssl_context *ssl )
2212{
Ronald Cron7a94aca2022-03-09 07:44:27 +0100[diff] [blame]2213 int non_empty_certificate_msg = 0;
2214
Jerry Yu5cc35062022-01-28 16:16:08 +0800[diff] [blame]2215 MBEDTLS_SSL_DEBUG_MSG( 1,
2216 ( "Switch to handshake traffic keys for outbound traffic" ) );
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]2217 mbedtls_ssl_set_outbound_transform( ssl, ssl->handshake->transform_handshake );
Jerry Yu5cc35062022-01-28 16:16:08 +0800[diff] [blame]2218
Ronald Cron9df7c802022-03-08 18:38:54 +0100[diff] [blame]2219#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Ronald Cron5bb8fc82022-03-09 07:00:13 +0100[diff] [blame]2220 if( ssl->handshake->client_auth )
Ronald Cron7a94aca2022-03-09 07:44:27 +0100[diff] [blame]2221 {
2222 int ret = mbedtls_ssl_tls13_write_certificate( ssl );
2223 if( ret != 0 )
2224 return( ret );
Ronald Cron5bb8fc82022-03-09 07:00:13 +0100[diff] [blame]2225
Ronald Cron7a94aca2022-03-09 07:44:27 +0100[diff] [blame]2226 if( mbedtls_ssl_own_cert( ssl ) != NULL )
2227 non_empty_certificate_msg = 1;
2228 }
2229 else
2230 {
XiaokangQian23c5be62022-06-07 02:04:34 +0000[diff] [blame]2231 MBEDTLS_SSL_DEBUG_MSG( 2, ( "skip write certificate" ) );
Ronald Cron7a94aca2022-03-09 07:44:27 +0100[diff] [blame]2232 }
Ronald Cron9df7c802022-03-08 18:38:54 +0100[diff] [blame]2233#endif
Ronald Cron5bb8fc82022-03-09 07:00:13 +0100[diff] [blame]2234
Ronald Cron7a94aca2022-03-09 07:44:27 +0100[diff] [blame]2235 if( non_empty_certificate_msg )
2236 {
2237 mbedtls_ssl_handshake_set_state( ssl,
2238 MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY );
2239 }
2240 else
Ronald Cron19385882022-06-15 16:26:13 +0200[diff] [blame]2241 {
2242 MBEDTLS_SSL_DEBUG_MSG( 2, ( "skip write certificate verify" ) );
Ronald Cron7a94aca2022-03-09 07:44:27 +0100[diff] [blame]2243 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_FINISHED );
Ronald Cron19385882022-06-15 16:26:13 +0200[diff] [blame]2244 }
Ronald Cron7a94aca2022-03-09 07:44:27 +0100[diff] [blame]2245
Ronald Cron5bb8fc82022-03-09 07:00:13 +0100[diff] [blame]2246 return( 0 );
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]2247}
2248
Ronald Cron9df7c802022-03-08 18:38:54 +0100[diff] [blame]2249#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]2250/*
2251 * Handler for MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY
2252 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2253MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]2254static int ssl_tls13_write_client_certificate_verify( mbedtls_ssl_context *ssl )
2255{
Ronald Crona8b38872022-03-09 07:59:25 +0100[diff] [blame]2256 int ret = mbedtls_ssl_tls13_write_certificate_verify( ssl );
2257
2258 if( ret == 0 )
2259 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_FINISHED );
2260
2261 return( ret );
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]2262}
Jerry Yu90f152d2022-01-29 22:12:42 +0800[diff] [blame]2263#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]2264
2265/*
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2266 * Handler for MBEDTLS_SSL_CLIENT_FINISHED
2267 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2268MBEDTLS_CHECK_RETURN_CRITICAL
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]2269static int ssl_tls13_write_client_finished( mbedtls_ssl_context *ssl )
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2270{
XiaokangQian0fa66432021-11-15 03:33:57 +0000[diff] [blame]2271 int ret;
2272
2273 ret = mbedtls_ssl_tls13_write_finished_message( ssl );
2274 if( ret != 0 )
2275 return( ret );
2276
Jerry Yue3d67cb2022-05-19 15:33:10 +0800[diff] [blame]2277 ret = mbedtls_ssl_tls13_generate_resumption_master_secret( ssl );
2278 if( ret != 0 )
2279 {
2280 MBEDTLS_SSL_DEBUG_RET( 1,
2281 "mbedtls_ssl_tls13_generate_resumption_master_secret ", ret );
2282 return ( ret );
2283 }
2284
XiaokangQian0fa66432021-11-15 03:33:57 +0000[diff] [blame]2285 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_FLUSH_BUFFERS );
2286 return( 0 );
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2287}
2288
2289/*
2290 * Handler for MBEDTLS_SSL_FLUSH_BUFFERS
2291 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2292MBEDTLS_CHECK_RETURN_CRITICAL
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]2293static int ssl_tls13_flush_buffers( mbedtls_ssl_context *ssl )
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2294{
Jerry Yu378254d2021-10-30 21:44:47 +0800[diff] [blame]2295 MBEDTLS_SSL_DEBUG_MSG( 2, ( "handshake: done" ) );
Jerry Yuad8d0ba2021-09-28 17:58:26 +0800[diff] [blame]2296 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_HANDSHAKE_WRAPUP );
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2297 return( 0 );
2298}
2299
2300/*
2301 * Handler for MBEDTLS_SSL_HANDSHAKE_WRAPUP
2302 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2303MBEDTLS_CHECK_RETURN_CRITICAL
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]2304static int ssl_tls13_handshake_wrapup( mbedtls_ssl_context *ssl )
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2305{
Jerry Yu378254d2021-10-30 21:44:47 +0800[diff] [blame]2306
2307 mbedtls_ssl_tls13_handshake_wrapup( ssl );
2308
2309 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_HANDSHAKE_OVER );
2310 return( 0 );
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2311}
2312
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2313#if defined(MBEDTLS_SSL_SESSION_TICKETS)
2314
Jerry Yua0446a02022-07-13 11:22:55 +0800[diff] [blame]2315MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yuaf2c0c82022-07-12 05:47:21 +0000[diff] [blame]2316static int ssl_tls13_parse_new_session_ticket_exts( mbedtls_ssl_context *ssl,
2317 const unsigned char *buf,
2318 const unsigned char *end )
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2319{
Jerry Yuaf2c0c82022-07-12 05:47:21 +0000[diff] [blame]2320 const unsigned char *p = buf;
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2321
2322 ((void) ssl);
2323
2324 while( p < end )
2325 {
2326 unsigned int extension_type;
2327 size_t extension_data_len;
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2328
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2329 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 4 );
2330 extension_type = MBEDTLS_GET_UINT16_BE( p, 0 );
2331 extension_data_len = MBEDTLS_GET_UINT16_BE( p, 2 );
2332 p += 4;
2333
2334 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, extension_data_len );
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2335
2336 switch( extension_type )
2337 {
2338 case MBEDTLS_TLS_EXT_EARLY_DATA:
2339 MBEDTLS_SSL_DEBUG_MSG( 4, ( "early_data extension received" ) );
2340 break;
Jerry Yuaf2c0c82022-07-12 05:47:21 +0000[diff] [blame]2341
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2342 default:
2343 break;
2344 }
2345 p += extension_data_len;
2346 }
2347
2348 return( 0 );
2349}
2350
2351/*
Jerry Yu08aed4d2022-07-20 10:36:12 +0800[diff] [blame]2352 * From RFC8446, page 74
2353 *
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2354 * struct {
2355 * uint32 ticket_lifetime;
2356 * uint32 ticket_age_add;
2357 * opaque ticket_nonce<0..255>;
2358 * opaque ticket<1..2^16-1>;
2359 * Extension extensions<0..2^16-2>;
2360 * } NewSessionTicket;
2361 *
2362 */
Jerry Yua0446a02022-07-13 11:22:55 +0800[diff] [blame]2363MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2364static int ssl_tls13_parse_new_session_ticket( mbedtls_ssl_context *ssl,
2365 unsigned char *buf,
Jerry Yucb3b1392022-07-12 06:09:38 +0000[diff] [blame]2366 unsigned char *end,
2367 unsigned char **ticket_nonce,
2368 size_t *ticket_nonce_len )
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2369{
2370 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2371 unsigned char *p = buf;
2372 mbedtls_ssl_session *session = ssl->session;
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2373 size_t ticket_len;
2374 unsigned char *ticket;
2375 size_t extensions_len;
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2376
Jerry Yucb3b1392022-07-12 06:09:38 +0000[diff] [blame]2377 *ticket_nonce = NULL;
2378 *ticket_nonce_len = 0;
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2379 /*
2380 * ticket_lifetime 4 bytes
2381 * ticket_age_add 4 bytes
Jerry Yu08aed4d2022-07-20 10:36:12 +0800[diff] [blame]2382 * ticket_nonce_len 1 byte
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2383 */
Jerry Yucb3b1392022-07-12 06:09:38 +0000[diff] [blame]2384 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 9 );
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2385
2386 session->ticket_lifetime = MBEDTLS_GET_UINT32_BE( p, 0 );
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2387 MBEDTLS_SSL_DEBUG_MSG( 3,
Jerry Yu4e6c42a2022-07-13 11:16:51 +0800[diff] [blame]2388 ( "ticket_lifetime: %u",
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2389 ( unsigned int )session->ticket_lifetime ) );
2390
Jerry Yucb3b1392022-07-12 06:09:38 +0000[diff] [blame]2391 session->ticket_age_add = MBEDTLS_GET_UINT32_BE( p, 4 );
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2392 MBEDTLS_SSL_DEBUG_MSG( 3,
Jerry Yu4e6c42a2022-07-13 11:16:51 +0800[diff] [blame]2393 ( "ticket_age_add: %u",
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2394 ( unsigned int )session->ticket_age_add ) );
2395
Jerry Yucb3b1392022-07-12 06:09:38 +0000[diff] [blame]2396 *ticket_nonce_len = p[8];
2397 p += 9;
2398
2399 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, *ticket_nonce_len );
2400 *ticket_nonce = p;
2401 MBEDTLS_SSL_DEBUG_BUF( 3, "ticket_nonce:", *ticket_nonce, *ticket_nonce_len );
2402 p += *ticket_nonce_len;
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2403
2404 /* Ticket */
Jerry Yucb3b1392022-07-12 06:09:38 +0000[diff] [blame]2405 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2406 ticket_len = MBEDTLS_GET_UINT16_BE( p, 0 );
2407 p += 2;
2408 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, ticket_len );
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2409 MBEDTLS_SSL_DEBUG_BUF( 3, "received ticket", p, ticket_len ) ;
2410
2411 /* Check if we previously received a ticket already. */
2412 if( session->ticket != NULL || session->ticket_len > 0 )
2413 {
2414 mbedtls_free( session->ticket );
2415 session->ticket = NULL;
2416 session->ticket_len = 0;
2417 }
2418
2419 if( ( ticket = mbedtls_calloc( 1, ticket_len ) ) == NULL )
2420 {
2421 MBEDTLS_SSL_DEBUG_MSG( 1, ( "ticket alloc failed" ) );
2422 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
2423 }
2424 memcpy( ticket, p, ticket_len );
2425 p += ticket_len;
2426 session->ticket = ticket;
2427 session->ticket_len = ticket_len;
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2428
Jerry Yucb3b1392022-07-12 06:09:38 +0000[diff] [blame]2429 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2430 extensions_len = MBEDTLS_GET_UINT16_BE( p, 0 );
2431 p += 2;
2432 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, extensions_len );
2433
Jerry Yu4e6c42a2022-07-13 11:16:51 +0800[diff] [blame]2434 MBEDTLS_SSL_DEBUG_BUF( 3, "ticket extension", p, extensions_len );
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2435
Jerry Yu4e6c42a2022-07-13 11:16:51 +0800[diff] [blame]2436 ret = ssl_tls13_parse_new_session_ticket_exts( ssl, p, p + extensions_len );
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2437 if( ret != 0 )
2438 {
2439 MBEDTLS_SSL_DEBUG_RET( 1,
Jerry Yuaf2c0c82022-07-12 05:47:21 +0000[diff] [blame]2440 "ssl_tls13_parse_new_session_ticket_exts",
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2441 ret );
2442 return( ret );
2443 }
Jerry Yucb3b1392022-07-12 06:09:38 +0000[diff] [blame]2444
2445 return( 0 );
2446}
2447
Jerry Yua0446a02022-07-13 11:22:55 +0800[diff] [blame]2448MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yucb3b1392022-07-12 06:09:38 +0000[diff] [blame]2449static int ssl_tls13_postprocess_new_session_ticket( mbedtls_ssl_context *ssl,
2450 unsigned char *ticket_nonce,
2451 size_t ticket_nonce_len )
2452{
2453 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2454 mbedtls_ssl_session *session = ssl->session;
2455 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
2456 psa_algorithm_t psa_hash_alg;
2457 int hash_length;
2458
Jerry Yu4e6c42a2022-07-13 11:16:51 +0800[diff] [blame]2459#if defined(MBEDTLS_HAVE_TIME)
2460 /* Store ticket creation time */
Jerry Yu08aed4d2022-07-20 10:36:12 +0800[diff] [blame]2461 session->ticket_received = mbedtls_time( NULL );
Jerry Yu4e6c42a2022-07-13 11:16:51 +0800[diff] [blame]2462#endif
2463
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2464 ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( session->ciphersuite );
2465 if( ciphersuite_info == NULL )
2466 {
2467 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2468 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2469 }
2470
2471 psa_hash_alg = mbedtls_psa_translate_md( ciphersuite_info->mac );
2472 hash_length = PSA_HASH_LENGTH( psa_hash_alg );
Jerry Yu3afdf362022-07-20 17:34:14 +0800[diff] [blame]2473 if( hash_length == -1 ||
2474 ( size_t )hash_length > sizeof( session->resumption_key ) )
2475 {
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2476 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Jerry Yu3afdf362022-07-20 17:34:14 +0800[diff] [blame]2477 }
2478
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2479
2480 MBEDTLS_SSL_DEBUG_BUF( 3, "resumption_master_secret",
2481 session->app_secrets.resumption_master_secret,
2482 hash_length );
2483
Jerry Yu4e6c42a2022-07-13 11:16:51 +0800[diff] [blame]2484 /* Compute resumption key
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2485 *
2486 * HKDF-Expand-Label( resumption_master_secret,
2487 * "resumption", ticket_nonce, Hash.length )
2488 */
2489 ret = mbedtls_ssl_tls13_hkdf_expand_label(
2490 psa_hash_alg,
2491 session->app_secrets.resumption_master_secret,
2492 hash_length,
2493 MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( resumption ),
2494 ticket_nonce,
2495 ticket_nonce_len,
Jerry Yu0a430c82022-07-20 11:02:48 +0800[diff] [blame]2496 session->resumption_key,
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2497 hash_length );
2498
2499 if( ret != 0 )
2500 {
2501 MBEDTLS_SSL_DEBUG_RET( 2,
2502 "Creating the ticket-resumed PSK failed",
2503 ret );
2504 return( ret );
2505 }
2506
Jerry Yu0a430c82022-07-20 11:02:48 +0800[diff] [blame]2507 session->resumption_key_len = hash_length;
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2508
2509 MBEDTLS_SSL_DEBUG_BUF( 3, "Ticket-resumed PSK",
Jerry Yu0a430c82022-07-20 11:02:48 +0800[diff] [blame]2510 session->resumption_key,
2511 session->resumption_key_len );
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2512
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2513 return( 0 );
2514}
2515
2516/*
Jerry Yua357cf42022-07-12 05:36:45 +0000[diff] [blame]2517 * Handler for MBEDTLS_SSL_NEW_SESSION_TICKET
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2518 */
Jerry Yua0446a02022-07-13 11:22:55 +0800[diff] [blame]2519MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2520static int ssl_tls13_process_new_session_ticket( mbedtls_ssl_context *ssl )
2521{
2522 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2523 unsigned char *buf;
2524 size_t buf_len;
Jerry Yucb3b1392022-07-12 06:09:38 +0000[diff] [blame]2525 unsigned char *ticket_nonce;
2526 size_t ticket_nonce_len;
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2527
2528 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse new session ticket" ) );
2529
2530 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_fetch_handshake_msg(
2531 ssl, MBEDTLS_SSL_HS_NEW_SESSION_TICKET,
2532 &buf, &buf_len ) );
2533
Jerry Yucb3b1392022-07-12 06:09:38 +0000[diff] [blame]2534 MBEDTLS_SSL_PROC_CHK( ssl_tls13_parse_new_session_ticket(
2535 ssl, buf, buf + buf_len,
2536 &ticket_nonce, &ticket_nonce_len ) );
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2537
Jerry Yucb3b1392022-07-12 06:09:38 +0000[diff] [blame]2538 MBEDTLS_SSL_PROC_CHK( ssl_tls13_postprocess_new_session_ticket(
2539 ssl, ticket_nonce, ticket_nonce_len ) );
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2540
Jerry Yu4e6c42a2022-07-13 11:16:51 +0800[diff] [blame]2541 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_HANDSHAKE_OVER );
2542
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2543cleanup:
2544
2545 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse new session ticket" ) );
2546 return( ret );
2547}
2548#endif /* MBEDTLS_SSL_SESSION_TICKETS */
2549
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]2550int mbedtls_ssl_tls13_handshake_client_step( mbedtls_ssl_context *ssl )
Jerry Yubc20bdd2021-08-24 15:59:48 +0800[diff] [blame]2551{
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]2552 int ret = 0;
Jerry Yuc8a392c2021-08-18 16:46:28 +0800[diff] [blame]2553
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]2554 switch( ssl->state )
2555 {
2556 /*
Jerry Yu0c63af62021-09-02 12:59:12 +0800[diff] [blame]2557 * ssl->state is initialized as HELLO_REQUEST. It is the same
2558 * as CLIENT_HELLO state.
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]2559 */
2560 case MBEDTLS_SSL_HELLO_REQUEST:
2561 case MBEDTLS_SSL_CLIENT_HELLO:
Ronald Cron3d580bf2022-02-18 17:24:56 +0100[diff] [blame]2562 ret = mbedtls_ssl_write_client_hello( ssl );
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]2563 break;
2564
2565 case MBEDTLS_SSL_SERVER_HELLO:
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]2566 ret = ssl_tls13_process_server_hello( ssl );
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2567 break;
2568
2569 case MBEDTLS_SSL_ENCRYPTED_EXTENSIONS:
XiaokangQian97799ac2021-10-11 10:05:54 +0000[diff] [blame]2570 ret = ssl_tls13_process_encrypted_extensions( ssl );
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2571 break;
2572
Jerry Yua93ac112021-10-27 16:31:48 +0800[diff] [blame]2573#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Jerry Yud2674312021-10-29 10:08:19 +0800[diff] [blame]2574 case MBEDTLS_SSL_CERTIFICATE_REQUEST:
2575 ret = ssl_tls13_process_certificate_request( ssl );
2576 break;
2577
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2578 case MBEDTLS_SSL_SERVER_CERTIFICATE:
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]2579 ret = ssl_tls13_process_server_certificate( ssl );
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2580 break;
2581
2582 case MBEDTLS_SSL_CERTIFICATE_VERIFY:
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]2583 ret = ssl_tls13_process_certificate_verify( ssl );
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2584 break;
Jerry Yua93ac112021-10-27 16:31:48 +0800[diff] [blame]2585#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2586
2587 case MBEDTLS_SSL_SERVER_FINISHED:
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]2588 ret = ssl_tls13_process_server_finished( ssl );
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2589 break;
2590
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]2591 case MBEDTLS_SSL_CLIENT_CERTIFICATE:
2592 ret = ssl_tls13_write_client_certificate( ssl );
2593 break;
2594
Ronald Cron9df7c802022-03-08 18:38:54 +0100[diff] [blame]2595#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]2596 case MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY:
2597 ret = ssl_tls13_write_client_certificate_verify( ssl );
2598 break;
Jerry Yu90f152d2022-01-29 22:12:42 +0800[diff] [blame]2599#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]2600
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2601 case MBEDTLS_SSL_CLIENT_FINISHED:
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]2602 ret = ssl_tls13_write_client_finished( ssl );
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2603 break;
2604
2605 case MBEDTLS_SSL_FLUSH_BUFFERS:
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]2606 ret = ssl_tls13_flush_buffers( ssl );
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2607 break;
2608
2609 case MBEDTLS_SSL_HANDSHAKE_WRAPUP:
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]2610 ret = ssl_tls13_handshake_wrapup( ssl );
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]2611 break;
2612
Ronald Cron49ad6192021-11-24 16:25:31 +0100[diff] [blame]2613 /*
2614 * Injection of dummy-CCS's for middlebox compatibility
2615 */
2616#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
XiaokangQian0b56a8f2021-12-22 02:39:32 +0000[diff] [blame]2617 case MBEDTLS_SSL_CLIENT_CCS_BEFORE_2ND_CLIENT_HELLO:
Ronald Cron9f55f632022-02-02 16:02:47 +0100[diff] [blame]2618 ret = mbedtls_ssl_tls13_write_change_cipher_spec( ssl );
2619 if( ret == 0 )
2620 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_HELLO );
2621 break;
2622
2623 case MBEDTLS_SSL_CLIENT_CCS_AFTER_SERVER_FINISHED:
2624 ret = mbedtls_ssl_tls13_write_change_cipher_spec( ssl );
2625 if( ret == 0 )
2626 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE );
Ronald Cron49ad6192021-11-24 16:25:31 +0100[diff] [blame]2627 break;
2628#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
2629
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2630#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Jerry Yua357cf42022-07-12 05:36:45 +0000[diff] [blame]2631 case MBEDTLS_SSL_NEW_SESSION_TICKET:
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2632 ret = ssl_tls13_process_new_session_ticket( ssl );
2633 if( ret != 0 )
2634 break;
2635 ret = MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET;
2636 break;
2637#endif /* MBEDTLS_SSL_SESSION_TICKETS */
2638
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]2639 default:
2640 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) );
2641 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
2642 }
2643
2644 return( ret );
2645}
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800[diff] [blame]2646
Jerry Yufb4b6472022-01-27 15:03:26 +0800[diff] [blame]2647#endif /* MBEDTLS_SSL_CLI_C && MBEDTLS_SSL_PROTO_TLS1_3 */
Jerry Yu3cc4c2a2021-08-06 16:29:08 +0800[diff] [blame]2648
Jerry Yufb4b6472022-01-27 15:03:26 +0800[diff] [blame]2649