TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / fff641a273a2c7596a88a6f525dfbf29cbd6a2d8 / . / library / ssl_tls13_client.c
blob: a9b9b03c10c1f062ca52973dede008be37cf3636 [file] [log] [blame]
Jerry Yu3cc4c2a2021-08-06 16:29:08 +0800[diff] [blame]1/*
2 * TLS 1.3 client-side functions
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 *
19 * This file is part of mbed TLS ( https://tls.mbed.org )
20 */
21
22#include "common.h"
23
Jerry Yucc43c6b2022-01-28 10:24:45 +0800[diff] [blame]24#if defined(MBEDTLS_SSL_CLI_C) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
Jerry Yu3cc4c2a2021-08-06 16:29:08 +0800[diff] [blame]25
Jerry Yubc20bdd2021-08-24 15:59:48 +0800[diff] [blame]26#include <string.h>
27
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]28#include "mbedtls/debug.h"
29#include "mbedtls/error.h"
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]30#include "mbedtls/platform.h"
Jerry Yua13c7e72021-08-17 10:44:40 +0800[diff] [blame]31
Jerry Yubdc71882021-09-14 19:30:36 +0800[diff] [blame]32#include "ssl_misc.h"
33#include "ecdh_misc.h"
Ronald Cron3d580bf2022-02-18 17:24:56 +0100[diff] [blame]34#include "ssl_client.h"
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]35#include "ssl_tls13_keys.h"
Jerry Yubdc71882021-09-14 19:30:36 +0800[diff] [blame]36
Jerry Yubc20bdd2021-08-24 15:59:48 +0800[diff] [blame]37/* Write extensions */
38
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]39/*
40 * ssl_tls13_write_supported_versions_ext():
41 *
42 * struct {
43 * ProtocolVersion versions<2..254>;
44 * } SupportedVersions;
45 */
Jerry Yuf4436812021-08-26 22:59:56 +0800[diff] [blame]46static int ssl_tls13_write_supported_versions_ext( mbedtls_ssl_context *ssl,
Jerry Yueecfbf02021-08-30 18:32:07 +0800[diff] [blame]47 unsigned char *buf,
48 unsigned char *end,
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]49 size_t *out_len )
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]50{
51 unsigned char *p = buf;
Ronald Crondbe87f02022-02-10 14:35:27 +0100[diff] [blame]52 unsigned char versions_len = ( ssl->handshake->min_minor_ver <=
53 MBEDTLS_SSL_MINOR_VERSION_3 ) ? 4 : 2;
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]54
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]55 *out_len = 0;
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]56
Jerry Yu159c5a02021-08-31 12:51:25 +0800[diff] [blame]57 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding supported versions extension" ) );
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]58
Jerry Yu388bd0d2021-09-15 18:41:02 +0800[diff] [blame]59 /* Check if we have space to write the extension:
Jerry Yub60e3cf2021-09-08 16:41:02 +0800[diff] [blame]60 * - extension_type (2 bytes)
61 * - extension_data_length (2 bytes)
62 * - versions_length (1 byte )
Ronald Crona77fc272022-03-30 17:20:47 +0200[diff] [blame]63 * - versions (2 or 4 bytes)
Jerry Yu159c5a02021-08-31 12:51:25 +0800[diff] [blame]64 */
Ronald Crona77fc272022-03-30 17:20:47 +0200[diff] [blame]65 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 5 + versions_len );
Ronald Crondbe87f02022-02-10 14:35:27 +0100[diff] [blame]66
Jerry Yueecfbf02021-08-30 18:32:07 +0800[diff] [blame]67 MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS, p, 0 );
Ronald Crondbe87f02022-02-10 14:35:27 +0100[diff] [blame]68 MBEDTLS_PUT_UINT16_BE( versions_len + 1, p, 2 );
Jerry Yueecfbf02021-08-30 18:32:07 +0800[diff] [blame]69 p += 4;
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]70
Jerry Yu1bc2c1f2021-09-01 12:57:29 +0800[diff] [blame]71 /* Length of versions */
Ronald Crondbe87f02022-02-10 14:35:27 +0100[diff] [blame]72 *p++ = versions_len;
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]73
Jerry Yu0c63af62021-09-02 12:59:12 +0800[diff] [blame]74 /* Write values of supported versions.
Jerry Yu0c63af62021-09-02 12:59:12 +0800[diff] [blame]75 * They are defined by the configuration.
Ronald Crondbe87f02022-02-10 14:35:27 +0100[diff] [blame]76 * Currently, we advertise only TLS 1.3 or both TLS 1.3 and TLS 1.2.
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]77 */
Ronald Crondbe87f02022-02-10 14:35:27 +0100[diff] [blame]78 mbedtls_ssl_write_version( MBEDTLS_SSL_MAJOR_VERSION_3,
79 MBEDTLS_SSL_MINOR_VERSION_4,
80 MBEDTLS_SSL_TRANSPORT_STREAM, p );
81 MBEDTLS_SSL_DEBUG_MSG( 3, ( "supported version: [3:4]" ) );
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]82
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]83
Ronald Crondbe87f02022-02-10 14:35:27 +0100[diff] [blame]84 if( ssl->handshake->min_minor_ver <= MBEDTLS_SSL_MINOR_VERSION_3 )
85 {
86 mbedtls_ssl_write_version( MBEDTLS_SSL_MAJOR_VERSION_3,
87 MBEDTLS_SSL_MINOR_VERSION_3,
88 MBEDTLS_SSL_TRANSPORT_STREAM, p + 2 );
89 MBEDTLS_SSL_DEBUG_MSG( 3, ( "supported version: [3:3]" ) );
90 }
91
92 *out_len = 5 + versions_len;
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]93
94 return( 0 );
95}
Jerry Yubc20bdd2021-08-24 15:59:48 +0800[diff] [blame]96
Jerry Yuc068b662021-10-11 22:30:19 +0800[diff] [blame]97static int ssl_tls13_parse_supported_versions_ext( mbedtls_ssl_context *ssl,
98 const unsigned char *buf,
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]99 const unsigned char *end )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]100{
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]101 ((void) ssl);
102
Ronald Cron98473382022-03-30 20:04:10 +0200[diff] [blame]103 MBEDTLS_SSL_CHK_BUF_READ_PTR( buf, end, 2 );
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]104 if( buf[0] != MBEDTLS_SSL_MAJOR_VERSION_3 ||
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]105 buf[1] != MBEDTLS_SSL_MINOR_VERSION_4 )
106 {
107 MBEDTLS_SSL_DEBUG_MSG( 1, ( "unexpected version" ) );
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]108
109 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
110 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
111 return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]112 }
113
Ronald Cron98473382022-03-30 20:04:10 +0200[diff] [blame]114 if( &buf[2] != end )
115 {
116 MBEDTLS_SSL_DEBUG_MSG( 1, ( "supported_versions ext data length incorrect" ) );
117 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
118 MBEDTLS_ERR_SSL_DECODE_ERROR );
119 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
120 }
121
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]122 return( 0 );
123}
124
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]125#if defined(MBEDTLS_SSL_ALPN)
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]126static int ssl_tls13_parse_alpn_ext( mbedtls_ssl_context *ssl,
127 const unsigned char *buf, size_t len )
128{
129 size_t list_len, name_len;
130 const unsigned char *p = buf;
131 const unsigned char *end = buf + len;
132
133 /* If we didn't send it, the server shouldn't send it */
134 if( ssl->conf->alpn_list == NULL )
135 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
136
137 /*
138 * opaque ProtocolName<1..2^8-1>;
139 *
140 * struct {
141 * ProtocolName protocol_name_list<2..2^16-1>
142 * } ProtocolNameList;
143 *
144 * the "ProtocolNameList" MUST contain exactly one "ProtocolName"
145 */
146
147 /* Min length is 2 ( list_len ) + 1 ( name_len ) + 1 ( name ) */
148 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 4 );
149
150 list_len = MBEDTLS_GET_UINT16_BE( p, 0 );
151 p += 2;
152 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, list_len );
153
154 name_len = *p++;
155 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, list_len - 1 );
156
157 /* Check that the server chosen protocol was in our list and save it */
158 for ( const char **alpn = ssl->conf->alpn_list; *alpn != NULL; alpn++ )
159 {
160 if( name_len == strlen( *alpn ) &&
161 memcmp( buf + 3, *alpn, name_len ) == 0 )
162 {
163 ssl->alpn_chosen = *alpn;
164 return( 0 );
165 }
166 }
167
168 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
169}
170#endif /* MBEDTLS_SSL_ALPN */
171
XiaokangQian16acd4b2022-01-14 07:35:47 +0000[diff] [blame]172static int ssl_tls13_reset_key_share( mbedtls_ssl_context *ssl )
XiaokangQian647719a2021-12-07 09:16:29 +0000[diff] [blame]173{
174 uint16_t group_id = ssl->handshake->offered_group_id;
Ronald Cron5b98ac92022-03-15 10:19:18 +0100[diff] [blame]175
XiaokangQian647719a2021-12-07 09:16:29 +0000[diff] [blame]176 if( group_id == 0 )
177 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
178
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]179#if defined(MBEDTLS_ECDH_C)
XiaokangQian647719a2021-12-07 09:16:29 +0000[diff] [blame]180 if( mbedtls_ssl_tls13_named_group_is_ecdhe( group_id ) )
XiaokangQian78b1fa72022-01-19 06:56:30 +0000[diff] [blame]181 {
Ronald Cron5b98ac92022-03-15 10:19:18 +0100[diff] [blame]182 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
183 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
184
185 /* Destroy generated private key. */
186 status = psa_destroy_key( ssl->handshake->ecdh_psa_privkey );
187 if( status != PSA_SUCCESS )
188 {
189 ret = psa_ssl_status_to_mbedtls( status );
190 MBEDTLS_SSL_DEBUG_RET( 1, "psa_destroy_key", ret );
191 return( ret );
192 }
193
194 ssl->handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
XiaokangQian78b1fa72022-01-19 06:56:30 +0000[diff] [blame]195 return( 0 );
196 }
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]197 else
198#endif /* MBEDTLS_ECDH_C */
199 if( 0 /* other KEMs? */ )
XiaokangQian647719a2021-12-07 09:16:29 +0000[diff] [blame]200 {
201 /* Do something */
202 }
203
204 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
205}
206
207/*
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]208 * Functions for writing key_share extension.
209 */
210#if defined(MBEDTLS_ECDH_C)
Jerry Yu7c522d42021-09-08 17:55:09 +0800[diff] [blame]211static int ssl_tls13_generate_and_write_ecdh_key_exchange(
Jerry Yub60e3cf2021-09-08 16:41:02 +0800[diff] [blame]212 mbedtls_ssl_context *ssl,
213 uint16_t named_group,
214 unsigned char *buf,
215 unsigned char *end,
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]216 size_t *out_len )
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]217{
Przemek Stekiele894c5c2022-03-02 08:45:56 +0100[diff] [blame]218 psa_status_t status = PSA_ERROR_GENERIC_ERROR;
219 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
220 psa_key_attributes_t key_attributes;
221 size_t own_pubkey_len;
222 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
223 size_t ecdh_bits = 0;
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]224
Przemek Stekiele894c5c2022-03-02 08:45:56 +0100[diff] [blame]225 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Perform PSA-based ECDH computation." ) );
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]226
Przemek Stekiele894c5c2022-03-02 08:45:56 +0100[diff] [blame]227 /* Convert EC group to PSA key type. */
228 if( ( handshake->ecdh_psa_type =
229 mbedtls_psa_parse_tls_ecc_group( named_group, &ecdh_bits ) ) == 0 )
230 return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]231
Przemek Stekiele894c5c2022-03-02 08:45:56 +0100[diff] [blame]232 if( ecdh_bits > 0xffff )
233 return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
234 ssl->handshake->ecdh_bits = (uint16_t) ecdh_bits;
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]235
Przemek Stekiele894c5c2022-03-02 08:45:56 +0100[diff] [blame]236 key_attributes = psa_key_attributes_init();
237 psa_set_key_usage_flags( &key_attributes, PSA_KEY_USAGE_DERIVE );
238 psa_set_key_algorithm( &key_attributes, PSA_ALG_ECDH );
239 psa_set_key_type( &key_attributes, handshake->ecdh_psa_type );
240 psa_set_key_bits( &key_attributes, handshake->ecdh_bits );
Przemyslaw Stekielea859c22022-02-10 10:19:46 +0100[diff] [blame]241
Przemek Stekiele894c5c2022-03-02 08:45:56 +0100[diff] [blame]242 /* Generate ECDH private key. */
243 status = psa_generate_key( &key_attributes,
244 &handshake->ecdh_psa_privkey );
245 if( status != PSA_SUCCESS )
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]246 {
Przemek Stekiele894c5c2022-03-02 08:45:56 +0100[diff] [blame]247 ret = psa_ssl_status_to_mbedtls( status );
248 MBEDTLS_SSL_DEBUG_RET( 1, "psa_generate_key", ret );
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]249 return( ret );
Przemyslaw Stekielea859c22022-02-10 10:19:46 +0100[diff] [blame]250
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]251 }
252
Przemek Stekiele894c5c2022-03-02 08:45:56 +0100[diff] [blame]253 /* Export the public part of the ECDH private key from PSA. */
254 status = psa_export_public_key( handshake->ecdh_psa_privkey,
255 buf, (size_t)( end - buf ),
256 &own_pubkey_len );
257 if( status != PSA_SUCCESS )
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]258 {
Przemek Stekiele894c5c2022-03-02 08:45:56 +0100[diff] [blame]259 ret = psa_ssl_status_to_mbedtls( status );
260 MBEDTLS_SSL_DEBUG_RET( 1, "psa_export_public_key", ret );
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]261 return( ret );
Przemyslaw Stekielea859c22022-02-10 10:19:46 +0100[diff] [blame]262
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]263 }
264
Przemek Stekiele894c5c2022-03-02 08:45:56 +0100[diff] [blame]265 *out_len = own_pubkey_len;
Przemyslaw Stekielea859c22022-02-10 10:19:46 +0100[diff] [blame]266
Jerry Yu75336352021-09-01 15:59:36 +0800[diff] [blame]267 return( 0 );
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]268}
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]269#endif /* MBEDTLS_ECDH_C */
270
Jerry Yub60e3cf2021-09-08 16:41:02 +0800[diff] [blame]271static int ssl_tls13_get_default_group_id( mbedtls_ssl_context *ssl,
272 uint16_t *group_id )
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]273{
274 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
275
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]276
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]277#if defined(MBEDTLS_ECDH_C)
Brett Warren14efd332021-10-06 09:32:11 +0100[diff] [blame]278 const uint16_t *group_list = mbedtls_ssl_get_groups( ssl );
Jerry Yu388bd0d2021-09-15 18:41:02 +0800[diff] [blame]279 /* Pick first available ECDHE group compatible with TLS 1.3 */
Brett Warren14efd332021-10-06 09:32:11 +0100[diff] [blame]280 if( group_list == NULL )
Jerry Yu388bd0d2021-09-15 18:41:02 +0800[diff] [blame]281 return( MBEDTLS_ERR_SSL_BAD_CONFIG );
282
Brett Warren14efd332021-10-06 09:32:11 +0100[diff] [blame]283 for ( ; *group_list != 0; group_list++ )
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]284 {
Xiaofei Baieef15042021-11-18 07:29:56 +0000[diff] [blame]285 const mbedtls_ecp_curve_info *curve_info;
286 curve_info = mbedtls_ecp_curve_info_from_tls_id( *group_list );
287 if( curve_info != NULL &&
Brett Warren14efd332021-10-06 09:32:11 +0100[diff] [blame]288 mbedtls_ssl_tls13_named_group_is_ecdhe( *group_list ) )
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]289 {
Brett Warren14efd332021-10-06 09:32:11 +0100[diff] [blame]290 *group_id = *group_list;
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]291 return( 0 );
292 }
293 }
294#else
295 ((void) ssl);
Jerry Yub60e3cf2021-09-08 16:41:02 +0800[diff] [blame]296 ((void) group_id);
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]297#endif /* MBEDTLS_ECDH_C */
298
299 /*
300 * Add DHE named groups here.
Jerry Yu388bd0d2021-09-15 18:41:02 +0800[diff] [blame]301 * Pick first available DHE group compatible with TLS 1.3
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]302 */
303
304 return( ret );
305}
306
307/*
308 * ssl_tls13_write_key_share_ext
309 *
Jerry Yu388bd0d2021-09-15 18:41:02 +0800[diff] [blame]310 * Structure of key_share extension in ClientHello:
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]311 *
312 * struct {
313 * NamedGroup group;
314 * opaque key_exchange<1..2^16-1>;
315 * } KeyShareEntry;
316 * struct {
317 * KeyShareEntry client_shares<0..2^16-1>;
318 * } KeyShareClientHello;
319 */
320static int ssl_tls13_write_key_share_ext( mbedtls_ssl_context *ssl,
321 unsigned char *buf,
322 unsigned char *end,
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]323 size_t *out_len )
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]324{
325 unsigned char *p = buf;
Xiaofei Baieef15042021-11-18 07:29:56 +0000[diff] [blame]326 unsigned char *client_shares; /* Start of client_shares */
327 size_t client_shares_len; /* Length of client_shares */
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]328 uint16_t group_id;
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]329 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
330
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]331 *out_len = 0;
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]332
Jerry Yub60e3cf2021-09-08 16:41:02 +0800[diff] [blame]333 /* Check if we have space for header and length fields:
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]334 * - extension_type (2 bytes)
335 * - extension_data_length (2 bytes)
336 * - client_shares_length (2 bytes)
337 */
338 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 6 );
339 p += 6;
340
341 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello: adding key share extension" ) );
342
343 /* HRR could already have requested something else. */
344 group_id = ssl->handshake->offered_group_id;
Jerry Yub60e3cf2021-09-08 16:41:02 +0800[diff] [blame]345 if( !mbedtls_ssl_tls13_named_group_is_ecdhe( group_id ) &&
346 !mbedtls_ssl_tls13_named_group_is_dhe( group_id ) )
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]347 {
Jerry Yub60e3cf2021-09-08 16:41:02 +0800[diff] [blame]348 MBEDTLS_SSL_PROC_CHK( ssl_tls13_get_default_group_id( ssl,
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]349 &group_id ) );
350 }
351
352 /*
353 * Dispatch to type-specific key generation function.
354 *
355 * So far, we're only supporting ECDHE. With the introduction
356 * of PQC KEMs, we'll want to have multiple branches, one per
357 * type of KEM, and dispatch to the corresponding crypto. And
358 * only one key share entry is allowed.
359 */
Xiaofei Baieef15042021-11-18 07:29:56 +0000[diff] [blame]360 client_shares = p;
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]361#if defined(MBEDTLS_ECDH_C)
Jerry Yub60e3cf2021-09-08 16:41:02 +0800[diff] [blame]362 if( mbedtls_ssl_tls13_named_group_is_ecdhe( group_id ) )
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]363 {
Jerry Yu388bd0d2021-09-15 18:41:02 +0800[diff] [blame]364 /* Pointer to group */
Xiaofei Baieef15042021-11-18 07:29:56 +0000[diff] [blame]365 unsigned char *group = p;
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]366 /* Length of key_exchange */
Przemyslaw Stekiel4f419e52022-02-10 15:56:26 +0100[diff] [blame]367 size_t key_exchange_len = 0;
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]368
369 /* Check there is space for header of KeyShareEntry
370 * - group (2 bytes)
371 * - key_exchange_length (2 bytes)
372 */
373 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 4 );
374 p += 4;
Przemyslaw Stekielea859c22022-02-10 10:19:46 +0100[diff] [blame]375 ret = ssl_tls13_generate_and_write_ecdh_key_exchange( ssl, group_id, p, end,
Jerry Yub60e3cf2021-09-08 16:41:02 +0800[diff] [blame]376 &key_exchange_len );
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]377 p += key_exchange_len;
378 if( ret != 0 )
379 return( ret );
380
381 /* Write group */
Xiaofei Baieef15042021-11-18 07:29:56 +0000[diff] [blame]382 MBEDTLS_PUT_UINT16_BE( group_id, group, 0 );
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]383 /* Write key_exchange_length */
Xiaofei Baieef15042021-11-18 07:29:56 +0000[diff] [blame]384 MBEDTLS_PUT_UINT16_BE( key_exchange_len, group, 2 );
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]385 }
386 else
387#endif /* MBEDTLS_ECDH_C */
388 if( 0 /* other KEMs? */ )
389 {
390 /* Do something */
391 }
392 else
393 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
394
Jerry Yub60e3cf2021-09-08 16:41:02 +0800[diff] [blame]395 /* Length of client_shares */
Xiaofei Baieef15042021-11-18 07:29:56 +0000[diff] [blame]396 client_shares_len = p - client_shares;
Jerry Yub60e3cf2021-09-08 16:41:02 +0800[diff] [blame]397 if( client_shares_len == 0)
398 {
399 MBEDTLS_SSL_DEBUG_MSG( 1, ( "No key share defined." ) );
400 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Jerry Yu7c522d42021-09-08 17:55:09 +0800[diff] [blame]401 }
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]402 /* Write extension_type */
403 MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_KEY_SHARE, buf, 0 );
404 /* Write extension_data_length */
Jerry Yub60e3cf2021-09-08 16:41:02 +0800[diff] [blame]405 MBEDTLS_PUT_UINT16_BE( client_shares_len + 2, buf, 2 );
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]406 /* Write client_shares_length */
Jerry Yub60e3cf2021-09-08 16:41:02 +0800[diff] [blame]407 MBEDTLS_PUT_UINT16_BE( client_shares_len, buf, 4 );
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]408
409 /* Update offered_group_id field */
410 ssl->handshake->offered_group_id = group_id;
411
412 /* Output the total length of key_share extension. */
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]413 *out_len = p - buf;
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]414
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]415 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, key_share extension", buf, *out_len );
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]416
417 ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_KEY_SHARE;
418
419cleanup:
420
421 return( ret );
422}
Jerry Yubc20bdd2021-08-24 15:59:48 +0800[diff] [blame]423
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]424#if defined(MBEDTLS_ECDH_C)
425
Jerry Yuc068b662021-10-11 22:30:19 +0800[diff] [blame]426static int ssl_tls13_read_public_ecdhe_share( mbedtls_ssl_context *ssl,
427 const unsigned char *buf,
428 size_t buf_len )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]429{
Przemyslaw Stekiel9e23ddb2022-02-10 10:32:02 +0100[diff] [blame]430 uint8_t *p = (uint8_t*)buf;
431 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]432
Przemyslaw Stekiel9e23ddb2022-02-10 10:32:02 +0100[diff] [blame]433 /* Get size of the TLS opaque key_exchange field of the KeyShareEntry struct. */
434 uint16_t peerkey_len = MBEDTLS_GET_UINT16_BE( p, 0 );
435 p += 2;
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]436
Przemyslaw Stekiel9e23ddb2022-02-10 10:32:02 +0100[diff] [blame]437 /* Check if key size is consistent with given buffer length. */
438 if ( peerkey_len > ( buf_len - 2 ) )
439 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]440
Przemyslaw Stekiel9e23ddb2022-02-10 10:32:02 +0100[diff] [blame]441 /* Store peer's ECDH public key. */
Przemyslaw Stekiel0f5ecef2022-02-14 17:10:05 +0100[diff] [blame]442 memcpy( handshake->ecdh_psa_peerkey, p, peerkey_len );
Przemyslaw Stekiel9e23ddb2022-02-10 10:32:02 +0100[diff] [blame]443 handshake->ecdh_psa_peerkey_len = peerkey_len;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]444
445 return( 0 );
446}
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]447#endif /* MBEDTLS_ECDH_C */
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]448
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]449/*
450 * ssl_tls13_parse_hrr_key_share_ext()
451 * Parse key_share extension in Hello Retry Request
452 *
453 * struct {
454 * NamedGroup selected_group;
455 * } KeyShareHelloRetryRequest;
456 */
XiaokangQiand9e068e2022-01-18 06:23:32 +0000[diff] [blame]457static int ssl_tls13_parse_hrr_key_share_ext( mbedtls_ssl_context *ssl,
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]458 const unsigned char *buf,
459 const unsigned char *end )
460{
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]461 const mbedtls_ecp_curve_info *curve_info = NULL;
462 const unsigned char *p = buf;
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]463 int selected_group;
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]464 int found = 0;
465
466 const uint16_t *group_list = mbedtls_ssl_get_groups( ssl );
467 if( group_list == NULL )
468 return( MBEDTLS_ERR_SSL_BAD_CONFIG );
469
470 MBEDTLS_SSL_DEBUG_BUF( 3, "key_share extension", p, end - buf );
471
472 /* Read selected_group */
XiaokangQianb48894e2022-01-17 02:05:52 +0000[diff] [blame]473 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]474 selected_group = MBEDTLS_GET_UINT16_BE( p, 0 );
475 MBEDTLS_SSL_DEBUG_MSG( 3, ( "selected_group ( %d )", selected_group ) );
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]476
477 /* Upon receipt of this extension in a HelloRetryRequest, the client
478 * MUST first verify that the selected_group field corresponds to a
479 * group which was provided in the "supported_groups" extension in the
480 * original ClientHello.
481 * The supported_group was based on the info in ssl->conf->group_list.
482 *
483 * If the server provided a key share that was not sent in the ClientHello
484 * then the client MUST abort the handshake with an "illegal_parameter" alert.
485 */
XiaokangQiand9e068e2022-01-18 06:23:32 +0000[diff] [blame]486 for( ; *group_list != 0; group_list++ )
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]487 {
488 curve_info = mbedtls_ecp_curve_info_from_tls_id( *group_list );
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]489 if( curve_info == NULL || curve_info->tls_id != selected_group )
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]490 continue;
491
492 /* We found a match */
493 found = 1;
494 break;
495 }
496
497 /* Client MUST verify that the selected_group field does not
498 * correspond to a group which was provided in the "key_share"
499 * extension in the original ClientHello. If the server sent an
500 * HRR message with a key share already provided in the
501 * ClientHello then the client MUST abort the handshake with
502 * an "illegal_parameter" alert.
503 */
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]504 if( found == 0 || selected_group == ssl->handshake->offered_group_id )
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]505 {
506 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Invalid key share in HRR" ) );
507 MBEDTLS_SSL_PEND_FATAL_ALERT(
508 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
509 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
510 return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
511 }
512
513 /* Remember server's preference for next ClientHello */
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]514 ssl->handshake->offered_group_id = selected_group;
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]515
516 return( 0 );
517}
518
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]519/*
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]520 * ssl_tls13_parse_key_share_ext()
521 * Parse key_share extension in Server Hello
522 *
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]523 * struct {
524 * KeyShareEntry server_share;
525 * } KeyShareServerHello;
526 * struct {
527 * NamedGroup group;
528 * opaque key_exchange<1..2^16-1>;
529 * } KeyShareEntry;
530 */
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]531static int ssl_tls13_parse_key_share_ext( mbedtls_ssl_context *ssl,
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]532 const unsigned char *buf,
533 const unsigned char *end )
534{
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]535 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]536 const unsigned char *p = buf;
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]537 uint16_t group, offered_group;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]538
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]539 /* ...
540 * NamedGroup group; (2 bytes)
541 * ...
542 */
543 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
544 group = MBEDTLS_GET_UINT16_BE( p, 0 );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]545 p += 2;
546
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]547 /* Check that the chosen group matches the one we offered. */
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]548 offered_group = ssl->handshake->offered_group_id;
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]549 if( offered_group != group )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]550 {
551 MBEDTLS_SSL_DEBUG_MSG( 1,
552 ( "Invalid server key share, our group %u, their group %u",
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]553 (unsigned) offered_group, (unsigned) group ) );
554 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
555 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
556 return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]557 }
558
559#if defined(MBEDTLS_ECDH_C)
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]560 if( mbedtls_ssl_tls13_named_group_is_ecdhe( group ) )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]561 {
Przemyslaw Stekiel9e23ddb2022-02-10 10:32:02 +0100[diff] [blame]562 const mbedtls_ecp_curve_info *curve_info =
563 mbedtls_ecp_curve_info_from_tls_id( group );
564 if( curve_info == NULL )
565 {
566 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Invalid TLS curve group id" ) );
567 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
568 }
569
570 MBEDTLS_SSL_DEBUG_MSG( 2, ( "ECDH curve: %s", curve_info->name ) );
571
Jerry Yuc068b662021-10-11 22:30:19 +0800[diff] [blame]572 ret = ssl_tls13_read_public_ecdhe_share( ssl, p, end - p );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]573 if( ret != 0 )
574 return( ret );
575 }
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]576 else
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]577#endif /* MBEDTLS_ECDH_C */
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]578 if( 0 /* other KEMs? */ )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]579 {
580 /* Do something */
581 }
582 else
583 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
584
585 ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_KEY_SHARE;
586 return( ret );
587}
588
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]589/*
590 * ssl_tls13_parse_cookie_ext()
591 * Parse cookie extension in Hello Retry Request
592 *
593 * struct {
594 * opaque cookie<1..2^16-1>;
595 * } Cookie;
596 *
597 * When sending a HelloRetryRequest, the server MAY provide a "cookie"
598 * extension to the client (this is an exception to the usual rule that
599 * the only extensions that may be sent are those that appear in the
600 * ClientHello). When sending the new ClientHello, the client MUST copy
601 * the contents of the extension received in the HelloRetryRequest into
602 * a "cookie" extension in the new ClientHello. Clients MUST NOT use
603 * cookies in their initial ClientHello in subsequent connections.
604 */
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]605static int ssl_tls13_parse_cookie_ext( mbedtls_ssl_context *ssl,
606 const unsigned char *buf,
607 const unsigned char *end )
608{
XiaokangQian25c9c902022-02-08 10:49:53 +0000[diff] [blame]609 uint16_t cookie_len;
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]610 const unsigned char *p = buf;
611 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
612
613 /* Retrieve length field of cookie */
614 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
615 cookie_len = MBEDTLS_GET_UINT16_BE( p, 0 );
616 p += 2;
617
618 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, cookie_len );
619 MBEDTLS_SSL_DEBUG_BUF( 3, "cookie extension", p, cookie_len );
620
XiaokangQian9b93c0d2022-02-09 06:02:25 +0000[diff] [blame]621 mbedtls_free( handshake->cookie );
XiaokangQian25c9c902022-02-08 10:49:53 +0000[diff] [blame]622 handshake->hrr_cookie_len = 0;
XiaokangQian9b93c0d2022-02-09 06:02:25 +0000[diff] [blame]623 handshake->cookie = mbedtls_calloc( 1, cookie_len );
624 if( handshake->cookie == NULL )
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]625 {
626 MBEDTLS_SSL_DEBUG_MSG( 1,
XiaokangQian25c9c902022-02-08 10:49:53 +0000[diff] [blame]627 ( "alloc failed ( %ud bytes )",
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]628 cookie_len ) );
629 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
630 }
631
XiaokangQian9b93c0d2022-02-09 06:02:25 +0000[diff] [blame]632 memcpy( handshake->cookie, p, cookie_len );
XiaokangQian25c9c902022-02-08 10:49:53 +0000[diff] [blame]633 handshake->hrr_cookie_len = cookie_len;
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]634
635 return( 0 );
636}
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]637
XiaokangQian0b64eed2022-01-27 10:36:51 +0000[diff] [blame]638static int ssl_tls13_write_cookie_ext( mbedtls_ssl_context *ssl,
XiaokangQian233397e2022-02-07 08:32:16 +0000[diff] [blame]639 unsigned char *buf,
640 unsigned char *end,
XiaokangQian9deb90f2022-02-08 10:31:07 +0000[diff] [blame]641 size_t *out_len )
XiaokangQian0b64eed2022-01-27 10:36:51 +0000[diff] [blame]642{
643 unsigned char *p = buf;
XiaokangQian9deb90f2022-02-08 10:31:07 +0000[diff] [blame]644 *out_len = 0;
XiaokangQianc02768a2022-02-10 07:31:25 +0000[diff] [blame]645 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
XiaokangQian0b64eed2022-01-27 10:36:51 +0000[diff] [blame]646
XiaokangQianc02768a2022-02-10 07:31:25 +0000[diff] [blame]647 if( handshake->cookie == NULL )
XiaokangQian0b64eed2022-01-27 10:36:51 +0000[diff] [blame]648 {
649 MBEDTLS_SSL_DEBUG_MSG( 3, ( "no cookie to send; skip extension" ) );
650 return( 0 );
651 }
652
653 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, cookie",
XiaokangQianc02768a2022-02-10 07:31:25 +0000[diff] [blame]654 handshake->cookie,
655 handshake->hrr_cookie_len );
XiaokangQian0b64eed2022-01-27 10:36:51 +0000[diff] [blame]656
XiaokangQianc02768a2022-02-10 07:31:25 +0000[diff] [blame]657 MBEDTLS_SSL_CHK_BUF_PTR( p, end, handshake->hrr_cookie_len + 6 );
XiaokangQian0b64eed2022-01-27 10:36:51 +0000[diff] [blame]658
659 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding cookie extension" ) );
660
XiaokangQian0b64eed2022-01-27 10:36:51 +0000[diff] [blame]661 MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_COOKIE, p, 0 );
XiaokangQianc02768a2022-02-10 07:31:25 +0000[diff] [blame]662 MBEDTLS_PUT_UINT16_BE( handshake->hrr_cookie_len + 2, p, 2 );
663 MBEDTLS_PUT_UINT16_BE( handshake->hrr_cookie_len, p, 4 );
XiaokangQian233397e2022-02-07 08:32:16 +0000[diff] [blame]664 p += 6;
XiaokangQian0b64eed2022-01-27 10:36:51 +0000[diff] [blame]665
666 /* Cookie */
XiaokangQianc02768a2022-02-10 07:31:25 +0000[diff] [blame]667 memcpy( p, handshake->cookie, handshake->hrr_cookie_len );
XiaokangQian0b64eed2022-01-27 10:36:51 +0000[diff] [blame]668
XiaokangQianc02768a2022-02-10 07:31:25 +0000[diff] [blame]669 *out_len = handshake->hrr_cookie_len + 6;
XiaokangQian0b64eed2022-01-27 10:36:51 +0000[diff] [blame]670
671 return( 0 );
672}
673
Ronald Cron3d580bf2022-02-18 17:24:56 +0100[diff] [blame]674int mbedtls_ssl_tls13_write_client_hello_exts( mbedtls_ssl_context *ssl,
675 unsigned char *buf,
676 unsigned char *end,
677 size_t *out_len )
Ronald Cron04fbd2b2022-02-18 12:06:07 +0100[diff] [blame]678{
679 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
680 unsigned char *p = buf;
681 size_t ext_len;
682
683 *out_len = 0;
684
685 /* Write supported_versions extension
686 *
687 * Supported Versions Extension is mandatory with TLS 1.3.
688 */
689 ret = ssl_tls13_write_supported_versions_ext( ssl, p, end, &ext_len );
690 if( ret != 0 )
691 return( ret );
692 p += ext_len;
693
694 /* Echo the cookie if the server provided one in its preceding
695 * HelloRetryRequest message.
696 */
697 ret = ssl_tls13_write_cookie_ext( ssl, p, end, &ext_len );
698 if( ret != 0 )
699 return( ret );
700 p += ext_len;
701
Ronald Cron04fbd2b2022-02-18 12:06:07 +0100[diff] [blame]702 if( mbedtls_ssl_conf_tls13_some_ephemeral_enabled( ssl ) )
703 {
704 ret = ssl_tls13_write_key_share_ext( ssl, p, end, &ext_len );
705 if( ret != 0 )
706 return( ret );
707 p += ext_len;
708 }
Ronald Cron04fbd2b2022-02-18 12:06:07 +0100[diff] [blame]709
710 *out_len = p - buf;
711
712 return( 0 );
713}
714
Jerry Yu1bc2c1f2021-09-01 12:57:29 +0800[diff] [blame]715/*
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]716 * Functions for parsing and processing Server Hello
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]717 */
Ronald Cronda41b382022-03-30 09:57:11 +0200[diff] [blame]718/**
719 * \brief Detect if the ServerHello contains a supported_versions extension
720 * or not.
721 *
722 * \param[in] ssl SSL context
723 * \param[in] buf Buffer containing the ServerHello message
724 * \param[in] end End of the buffer containing the ServerHello message
725 *
726 * \return 0 if the ServerHello does not contain a supported_versions extension
727 * \return 1 if the ServerHello contains a supported_versions extension
728 * \return A negative value if an error occurred while parsing the ServerHello.
729 */
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]730static int ssl_tls13_is_supported_versions_ext_present(
731 mbedtls_ssl_context *ssl,
732 const unsigned char *buf,
733 const unsigned char *end )
734{
735 const unsigned char *p = buf;
736 size_t legacy_session_id_echo_len;
737 size_t extensions_len;
738 const unsigned char *extensions_end;
739
740 /*
741 * Check there is enough data to access the legacy_session_id_echo vector
Ronald Cronda41b382022-03-30 09:57:11 +0200[diff] [blame]742 * length:
743 * - legacy_version 2 bytes
744 * - random MBEDTLS_SERVER_HELLO_RANDOM_LEN bytes
745 * - legacy_session_id_echo length 1 byte
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]746 */
747 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, MBEDTLS_SERVER_HELLO_RANDOM_LEN + 3 );
748 p += MBEDTLS_SERVER_HELLO_RANDOM_LEN + 2;
749 legacy_session_id_echo_len = *p;
750
751 /*
752 * Jump to the extensions, jumping over:
753 * - legacy_session_id_echo (legacy_session_id_echo_len + 1) bytes
754 * - cipher_suite 2 bytes
755 * - legacy_compression_method 1 byte
756 */
757 p += legacy_session_id_echo_len + 4;
758
759 /* Case of no extension */
760 if( p == end )
761 return( 0 );
762
763 /* ...
764 * Extension extensions<6..2^16-1>;
765 * ...
766 * struct {
767 * ExtensionType extension_type; (2 bytes)
768 * opaque extension_data<0..2^16-1>;
769 * } Extension;
770 */
771 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
772 extensions_len = MBEDTLS_GET_UINT16_BE( p, 0 );
773 p += 2;
774
775 /* Check extensions do not go beyond the buffer of data. */
776 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, extensions_len );
777 extensions_end = p + extensions_len;
778
779 while( p < extensions_end )
780 {
781 unsigned int extension_type;
782 size_t extension_data_len;
783
784 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, 4 );
785 extension_type = MBEDTLS_GET_UINT16_BE( p, 0 );
786 extension_data_len = MBEDTLS_GET_UINT16_BE( p, 2 );
787 p += 4;
788
789 if( extension_type == MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS )
790 return( 1 );
791
792 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, extension_data_len );
793 p += extension_data_len;
794 }
795
796 return( 0 );
797}
798
Jerry Yu7a186a02021-10-15 18:46:14 +0800[diff] [blame]799/* Returns a negative value on failure, and otherwise
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]800 * - SSL_SERVER_HELLO_COORDINATE_HELLO or
801 * - SSL_SERVER_HELLO_COORDINATE_HRR
XiaokangQian51eff222021-12-10 10:33:56 +0000[diff] [blame]802 * to indicate which message is expected and to be parsed next.
803 */
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]804#define SSL_SERVER_HELLO_COORDINATE_HELLO 0
805#define SSL_SERVER_HELLO_COORDINATE_HRR 1
806static int ssl_server_hello_is_hrr( mbedtls_ssl_context *ssl,
807 const unsigned char *buf,
808 const unsigned char *end )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]809{
Jerry Yue6d7e5c2021-10-26 10:44:32 +0800[diff] [blame]810 static const unsigned char magic_hrr_string[MBEDTLS_SERVER_HELLO_RANDOM_LEN] =
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]811 { 0xCF, 0x21, 0xAD, 0x74, 0xE5, 0x9A, 0x61, 0x11,
812 0xBE, 0x1D, 0x8C, 0x02, 0x1E, 0x65, 0xB8, 0x91,
813 0xC2, 0xA2, 0x11, 0x16, 0x7A, 0xBB, 0x8C, 0x5E,
814 0x07, 0x9E, 0x09, 0xE2, 0xC8, 0xA8, 0x33 ,0x9C };
815
816 /* Check whether this message is a HelloRetryRequest ( HRR ) message.
817 *
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]818 * Server Hello and HRR are only distinguished by Random set to the
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]819 * special value of the SHA-256 of "HelloRetryRequest".
820 *
821 * struct {
822 * ProtocolVersion legacy_version = 0x0303;
823 * Random random;
824 * opaque legacy_session_id_echo<0..32>;
825 * CipherSuite cipher_suite;
826 * uint8 legacy_compression_method = 0;
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]827 * Extension extensions<6..2^16-1>;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]828 * } ServerHello;
829 *
830 */
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]831 MBEDTLS_SSL_CHK_BUF_READ_PTR( buf, end, 2 + sizeof( magic_hrr_string ) );
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]832
833 if( memcmp( buf + 2, magic_hrr_string, sizeof( magic_hrr_string ) ) == 0 )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]834 {
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]835 return( SSL_SERVER_HELLO_COORDINATE_HRR );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]836 }
837
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]838 return( SSL_SERVER_HELLO_COORDINATE_HELLO );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]839}
840
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]841/* Fetch and preprocess
842 * Returns a negative value on failure, and otherwise
843 * - SSL_SERVER_HELLO_COORDINATE_HELLO or
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]844 * - SSL_SERVER_HELLO_COORDINATE_HRR or
845 * - SSL_SERVER_HELLO_COORDINATE_TLS1_2
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]846 */
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]847#define SSL_SERVER_HELLO_COORDINATE_TLS1_2 2
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]848static int ssl_tls13_server_hello_coordinate( mbedtls_ssl_context *ssl,
849 unsigned char **buf,
850 size_t *buf_len )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]851{
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]852 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]853
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]854 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_fetch_handshake_msg( ssl,
855 MBEDTLS_SSL_HS_SERVER_HELLO,
856 buf, buf_len ) );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]857
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]858 MBEDTLS_SSL_PROC_CHK_NEG( ssl_tls13_is_supported_versions_ext_present(
859 ssl, *buf, *buf + *buf_len ) );
860 if( ret == 0 )
861 {
862 /* If the supported versions extension is not present but we were
863 * expecting it, abort the handshake. Otherwise, switch to TLS 1.2
864 * handshake.
865 */
866 if( ssl->handshake->min_minor_ver > MBEDTLS_SSL_MINOR_VERSION_3 )
867 {
868 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
869 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
870 return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
871 }
872
873 ssl->keep_current_message = 1;
874 ssl->minor_ver = MBEDTLS_SSL_MINOR_VERSION_3;
875 mbedtls_ssl_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_SERVER_HELLO,
876 *buf, *buf_len );
877
878 if( mbedtls_ssl_conf_tls13_some_ephemeral_enabled( ssl ) )
879 {
880 ret = ssl_tls13_reset_key_share( ssl );
881 if( ret != 0 )
882 return( ret );
883 }
884
885 return( SSL_SERVER_HELLO_COORDINATE_TLS1_2 );
886 }
887
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]888 ret = ssl_server_hello_is_hrr( ssl, *buf, *buf + *buf_len );
889 switch( ret )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]890 {
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]891 case SSL_SERVER_HELLO_COORDINATE_HELLO:
892 MBEDTLS_SSL_DEBUG_MSG( 2, ( "received ServerHello message" ) );
893 break;
894 case SSL_SERVER_HELLO_COORDINATE_HRR:
895 MBEDTLS_SSL_DEBUG_MSG( 2, ( "received HelloRetryRequest message" ) );
XiaokangQian16acd4b2022-01-14 07:35:47 +0000[diff] [blame]896 /* If a client receives a second
897 * HelloRetryRequest in the same connection (i.e., where the ClientHello
898 * was itself in response to a HelloRetryRequest), it MUST abort the
899 * handshake with an "unexpected_message" alert.
900 */
XiaokangQiand9e068e2022-01-18 06:23:32 +0000[diff] [blame]901 if( ssl->handshake->hello_retry_request_count > 0 )
XiaokangQian16acd4b2022-01-14 07:35:47 +0000[diff] [blame]902 {
903 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Multiple HRRs received" ) );
904 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE,
905 MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
906 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
907 }
XiaokangQian2b01dc32022-01-21 02:53:13 +0000[diff] [blame]908 /*
909 * Clients must abort the handshake with an "illegal_parameter"
910 * alert if the HelloRetryRequest would not result in any change
911 * in the ClientHello.
912 * In a PSK only key exchange that what we expect.
913 */
914 if( ! mbedtls_ssl_conf_tls13_some_ephemeral_enabled( ssl ) )
915 {
916 MBEDTLS_SSL_DEBUG_MSG( 1,
917 ( "Unexpected HRR in pure PSK key exchange." ) );
918 MBEDTLS_SSL_PEND_FATAL_ALERT(
919 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
920 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
921 return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
922 }
XiaokangQian16acd4b2022-01-14 07:35:47 +0000[diff] [blame]923
XiaokangQiand9e068e2022-01-18 06:23:32 +0000[diff] [blame]924 ssl->handshake->hello_retry_request_count++;
XiaokangQian16acd4b2022-01-14 07:35:47 +0000[diff] [blame]925
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]926 break;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]927 }
928
929cleanup:
930
931 return( ret );
932}
933
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]934static int ssl_tls13_check_server_hello_session_id_echo( mbedtls_ssl_context *ssl,
935 const unsigned char **buf,
936 const unsigned char *end )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]937{
938 const unsigned char *p = *buf;
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]939 size_t legacy_session_id_echo_len;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]940
Jerry Yude4fb2c2021-09-19 18:05:08 +0800[diff] [blame]941 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 1 );
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]942 legacy_session_id_echo_len = *p++ ;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]943
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]944 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, legacy_session_id_echo_len );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]945
946 /* legacy_session_id_echo */
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]947 if( ssl->session_negotiate->id_len != legacy_session_id_echo_len ||
948 memcmp( ssl->session_negotiate->id, p , legacy_session_id_echo_len ) != 0 )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]949 {
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]950 MBEDTLS_SSL_DEBUG_BUF( 3, "Expected Session ID",
951 ssl->session_negotiate->id,
952 ssl->session_negotiate->id_len );
953 MBEDTLS_SSL_DEBUG_BUF( 3, "Received Session ID", p,
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]954 legacy_session_id_echo_len );
955
956 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
957 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
958
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]959 return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
960 }
961
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]962 p += legacy_session_id_echo_len;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]963 *buf = p;
964
965 MBEDTLS_SSL_DEBUG_BUF( 3, "Session ID", ssl->session_negotiate->id,
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]966 ssl->session_negotiate->id_len );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]967 return( 0 );
968}
969
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]970static int ssl_tls13_cipher_suite_is_offered( mbedtls_ssl_context *ssl,
971 int cipher_suite )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]972{
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]973 const int *ciphersuite_list = ssl->conf->ciphersuite_list;
974
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]975 /* Check whether we have offered this ciphersuite */
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]976 for ( size_t i = 0; ciphersuite_list[i] != 0; i++ )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]977 {
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]978 if( ciphersuite_list[i] == cipher_suite )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]979 {
980 return( 1 );
981 }
982 }
983 return( 0 );
984}
985
986/* Parse ServerHello message and configure context
987 *
988 * struct {
989 * ProtocolVersion legacy_version = 0x0303; // TLS 1.2
990 * Random random;
991 * opaque legacy_session_id_echo<0..32>;
992 * CipherSuite cipher_suite;
993 * uint8 legacy_compression_method = 0;
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]994 * Extension extensions<6..2^16-1>;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]995 * } ServerHello;
996 */
Jerry Yuc068b662021-10-11 22:30:19 +0800[diff] [blame]997static int ssl_tls13_parse_server_hello( mbedtls_ssl_context *ssl,
998 const unsigned char *buf,
XiaokangQiand9e068e2022-01-18 06:23:32 +0000[diff] [blame]999 const unsigned char *end,
1000 int is_hrr )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1001{
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1002 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1003 const unsigned char *p = buf;
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]1004 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1005 size_t extensions_len;
1006 const unsigned char *extensions_end;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1007 uint16_t cipher_suite;
Jerry Yude4fb2c2021-09-19 18:05:08 +0800[diff] [blame]1008 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
XiaokangQianb119a352022-01-26 03:29:10 +0000[diff] [blame]1009 int fatal_alert = 0;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1010
1011 /*
1012 * Check there is space for minimal fields
1013 *
1014 * - legacy_version ( 2 bytes)
Jerry Yue6d7e5c2021-10-26 10:44:32 +0800[diff] [blame]1015 * - random (MBEDTLS_SERVER_HELLO_RANDOM_LEN bytes)
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1016 * - legacy_session_id_echo ( 1 byte ), minimum size
1017 * - cipher_suite ( 2 bytes)
1018 * - legacy_compression_method ( 1 byte )
1019 */
Jerry Yue6d7e5c2021-10-26 10:44:32 +0800[diff] [blame]1020 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, MBEDTLS_SERVER_HELLO_RANDOM_LEN + 6 );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1021
1022 MBEDTLS_SSL_DEBUG_BUF( 4, "server hello", p, end - p );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1023 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, version", p, 2 );
1024
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1025 /* ...
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1026 * ProtocolVersion legacy_version = 0x0303; // TLS 1.2
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1027 * ...
1028 * with ProtocolVersion defined as:
1029 * uint16 ProtocolVersion;
1030 */
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1031 if( !( p[0] == MBEDTLS_SSL_MAJOR_VERSION_3 &&
1032 p[1] == MBEDTLS_SSL_MINOR_VERSION_3 ) )
1033 {
1034 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Unsupported version of TLS." ) );
1035 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION,
1036 MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION );
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1037 ret = MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION;
1038 goto cleanup;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1039 }
1040 p += 2;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1041
Jerry Yue6d7e5c2021-10-26 10:44:32 +0800[diff] [blame]1042 /* ...
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1043 * Random random;
1044 * ...
1045 * with Random defined as:
Jerry Yue6d7e5c2021-10-26 10:44:32 +0800[diff] [blame]1046 * opaque Random[MBEDTLS_SERVER_HELLO_RANDOM_LEN];
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1047 */
XiaokangQian53f20b72022-01-18 10:47:33 +0000[diff] [blame]1048 if( !is_hrr )
1049 {
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]1050 memcpy( &handshake->randbytes[MBEDTLS_CLIENT_HELLO_RANDOM_LEN], p,
XiaokangQian53f20b72022-01-18 10:47:33 +0000[diff] [blame]1051 MBEDTLS_SERVER_HELLO_RANDOM_LEN );
1052 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, random bytes",
1053 p, MBEDTLS_SERVER_HELLO_RANDOM_LEN );
1054 }
Jerry Yue6d7e5c2021-10-26 10:44:32 +0800[diff] [blame]1055 p += MBEDTLS_SERVER_HELLO_RANDOM_LEN;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1056
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1057 /* ...
1058 * opaque legacy_session_id_echo<0..32>;
1059 * ...
1060 */
1061 if( ssl_tls13_check_server_hello_session_id_echo( ssl, &p, end ) != 0 )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1062 {
XiaokangQian52da5582022-01-26 09:49:29 +0000[diff] [blame]1063 fatal_alert = MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER;
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1064 goto cleanup;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1065 }
1066
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1067 /* ...
1068 * CipherSuite cipher_suite;
1069 * ...
1070 * with CipherSuite defined as:
1071 * uint8 CipherSuite[2];
1072 */
1073 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1074 cipher_suite = MBEDTLS_GET_UINT16_BE( p, 0 );
1075 p += 2;
1076
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1077
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]1078 ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( cipher_suite );
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1079 /*
Ronald Cronba120bb2022-03-30 22:09:48 +0200[diff] [blame]1080 * Check whether this ciphersuite is valid and offered.
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1081 */
Ronald Cronba120bb2022-03-30 22:09:48 +0200[diff] [blame]1082 if( ( mbedtls_ssl_validate_ciphersuite(
1083 ssl, ciphersuite_info, ssl->minor_ver, ssl->minor_ver ) != 0 ) ||
1084 !ssl_tls13_cipher_suite_is_offered( ssl, cipher_suite ) )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1085 {
XiaokangQian52da5582022-01-26 09:49:29 +0000[diff] [blame]1086 fatal_alert = MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1087 }
XiaokangQian53f20b72022-01-18 10:47:33 +0000[diff] [blame]1088 /*
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]1089 * If we received an HRR before and that the proposed selected
1090 * ciphersuite in this server hello is not the same as the one
1091 * proposed in the HRR, we abort the handshake and send an
1092 * "illegal_parameter" alert.
XiaokangQian53f20b72022-01-18 10:47:33 +0000[diff] [blame]1093 */
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]1094 else if( ( !is_hrr ) && ( handshake->hello_retry_request_count > 0 ) &&
1095 ( cipher_suite != ssl->session_negotiate->ciphersuite ) )
XiaokangQian53f20b72022-01-18 10:47:33 +0000[diff] [blame]1096 {
XiaokangQian52da5582022-01-26 09:49:29 +0000[diff] [blame]1097 fatal_alert = MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER;
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]1098 }
XiaokangQian53f20b72022-01-18 10:47:33 +0000[diff] [blame]1099
XiaokangQian52da5582022-01-26 09:49:29 +0000[diff] [blame]1100 if( fatal_alert == MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER )
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]1101 {
1102 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid ciphersuite(%04x) parameter",
1103 cipher_suite ) );
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1104 goto cleanup;
XiaokangQian53f20b72022-01-18 10:47:33 +0000[diff] [blame]1105 }
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1106
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1107 /* Configure ciphersuites */
1108 mbedtls_ssl_optimize_checksum( ssl, ciphersuite_info );
1109
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]1110 handshake->ciphersuite_info = ciphersuite_info;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1111 ssl->session_negotiate->ciphersuite = cipher_suite;
1112
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1113 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: ( %04x ) - %s",
1114 cipher_suite, ciphersuite_info->name ) );
1115
1116#if defined(MBEDTLS_HAVE_TIME)
1117 ssl->session_negotiate->start = time( NULL );
1118#endif /* MBEDTLS_HAVE_TIME */
1119
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1120 /* ...
1121 * uint8 legacy_compression_method = 0;
1122 * ...
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1123 */
Jerry Yude4fb2c2021-09-19 18:05:08 +0800[diff] [blame]1124 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 1 );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1125 if( p[0] != 0 )
1126 {
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1127 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad legacy compression method" ) );
XiaokangQian52da5582022-01-26 09:49:29 +0000[diff] [blame]1128 fatal_alert = MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER;
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1129 goto cleanup;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1130 }
1131 p++;
1132
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1133 /* ...
1134 * Extension extensions<6..2^16-1>;
1135 * ...
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1136 * struct {
1137 * ExtensionType extension_type; (2 bytes)
1138 * opaque extension_data<0..2^16-1>;
1139 * } Extension;
1140 */
Jerry Yude4fb2c2021-09-19 18:05:08 +0800[diff] [blame]1141 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1142 extensions_len = MBEDTLS_GET_UINT16_BE( p, 0 );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1143 p += 2;
Jerry Yude4fb2c2021-09-19 18:05:08 +0800[diff] [blame]1144
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1145 /* Check extensions do not go beyond the buffer of data. */
1146 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, extensions_len );
1147 extensions_end = p + extensions_len;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1148
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1149 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello extensions", p, extensions_len );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1150
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1151 while( p < extensions_end )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1152 {
1153 unsigned int extension_type;
1154 size_t extension_data_len;
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]1155 const unsigned char *extension_data_end;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1156
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1157 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, 4 );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1158 extension_type = MBEDTLS_GET_UINT16_BE( p, 0 );
1159 extension_data_len = MBEDTLS_GET_UINT16_BE( p, 2 );
1160 p += 4;
1161
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1162 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, extension_data_len );
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]1163 extension_data_end = p + extension_data_len;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1164
1165 switch( extension_type )
1166 {
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]1167 case MBEDTLS_TLS_EXT_COOKIE:
1168
XiaokangQiand9e068e2022-01-18 06:23:32 +0000[diff] [blame]1169 if( !is_hrr )
1170 {
XiaokangQian52da5582022-01-26 09:49:29 +0000[diff] [blame]1171 fatal_alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT;
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1172 goto cleanup;
XiaokangQiand9e068e2022-01-18 06:23:32 +0000[diff] [blame]1173 }
1174
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]1175 ret = ssl_tls13_parse_cookie_ext( ssl,
1176 p, extension_data_end );
1177 if( ret != 0 )
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]1178 {
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]1179 MBEDTLS_SSL_DEBUG_RET( 1,
1180 "ssl_tls13_parse_cookie_ext",
1181 ret );
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1182 goto cleanup;
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]1183 }
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]1184 break;
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]1185
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1186 case MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS:
Jerry Yuc068b662021-10-11 22:30:19 +0800[diff] [blame]1187 ret = ssl_tls13_parse_supported_versions_ext( ssl,
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1188 p,
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]1189 extension_data_end );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1190 if( ret != 0 )
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1191 goto cleanup;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1192 break;
1193
1194 case MBEDTLS_TLS_EXT_PRE_SHARED_KEY:
1195 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found pre_shared_key extension." ) );
1196 MBEDTLS_SSL_DEBUG_MSG( 3, ( "pre_shared_key:Not supported yet" ) );
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1197
XiaokangQian52da5582022-01-26 09:49:29 +0000[diff] [blame]1198 fatal_alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT;
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1199 goto cleanup;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1200
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1201 case MBEDTLS_TLS_EXT_KEY_SHARE:
1202 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found key_shares extension" ) );
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1203 if( ! mbedtls_ssl_conf_tls13_some_ephemeral_enabled( ssl ) )
1204 {
XiaokangQian52da5582022-01-26 09:49:29 +0000[diff] [blame]1205 fatal_alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT;
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1206 goto cleanup;
1207 }
1208
XiaokangQian53f20b72022-01-18 10:47:33 +0000[diff] [blame]1209 if( is_hrr )
XiaokangQiand9e068e2022-01-18 06:23:32 +0000[diff] [blame]1210 ret = ssl_tls13_parse_hrr_key_share_ext( ssl,
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]1211 p, extension_data_end );
XiaokangQian53f20b72022-01-18 10:47:33 +0000[diff] [blame]1212 else
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]1213 ret = ssl_tls13_parse_key_share_ext( ssl,
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]1214 p, extension_data_end );
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]1215 if( ret != 0 )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1216 {
1217 MBEDTLS_SSL_DEBUG_RET( 1,
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1218 "ssl_tls13_parse_key_share_ext",
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1219 ret );
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1220 goto cleanup;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1221 }
1222 break;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1223
1224 default:
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1225 MBEDTLS_SSL_DEBUG_MSG(
1226 3,
1227 ( "unknown extension found: %u ( ignoring )",
1228 extension_type ) );
1229
XiaokangQian52da5582022-01-26 09:49:29 +0000[diff] [blame]1230 fatal_alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT;
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1231 goto cleanup;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1232 }
1233
1234 p += extension_data_len;
1235 }
1236
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1237cleanup:
1238
XiaokangQian52da5582022-01-26 09:49:29 +0000[diff] [blame]1239 if( fatal_alert == MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT )
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1240 {
1241 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT,
1242 MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION );
1243 ret = MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION;
1244 }
XiaokangQian52da5582022-01-26 09:49:29 +0000[diff] [blame]1245 else if ( fatal_alert == MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER )
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1246 {
1247 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
1248 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
1249 ret = MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
1250 }
1251 return( ret );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1252}
1253
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]1254static int ssl_tls13_postprocess_server_hello( mbedtls_ssl_context *ssl )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1255{
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1256 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yu0b177842021-09-05 19:41:30 +0800[diff] [blame]1257 mbedtls_ssl_key_set traffic_keys;
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1258 mbedtls_ssl_transform *transform_handshake = NULL;
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1259 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
Jerry Yu0b177842021-09-05 19:41:30 +0800[diff] [blame]1260
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1261 /* Determine the key exchange mode:
1262 * 1) If both the pre_shared_key and key_share extensions were received
1263 * then the key exchange mode is PSK with EPHEMERAL.
1264 * 2) If only the pre_shared_key extension was received then the key
1265 * exchange mode is PSK-only.
1266 * 3) If only the key_share extension was received then the key
1267 * exchange mode is EPHEMERAL-only.
Jerry Yu0b177842021-09-05 19:41:30 +0800[diff] [blame]1268 */
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1269 switch( handshake->extensions_present &
1270 ( MBEDTLS_SSL_EXT_PRE_SHARED_KEY | MBEDTLS_SSL_EXT_KEY_SHARE ) )
Jerry Yu0b177842021-09-05 19:41:30 +0800[diff] [blame]1271 {
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1272 /* Only the pre_shared_key extension was received */
1273 case MBEDTLS_SSL_EXT_PRE_SHARED_KEY:
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]1274 handshake->tls13_kex_modes = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK;
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1275 break;
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1276
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1277 /* Only the key_share extension was received */
1278 case MBEDTLS_SSL_EXT_KEY_SHARE:
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]1279 handshake->tls13_kex_modes = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL;
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1280 break;
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1281
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1282 /* Both the pre_shared_key and key_share extensions were received */
1283 case ( MBEDTLS_SSL_EXT_PRE_SHARED_KEY | MBEDTLS_SSL_EXT_KEY_SHARE ):
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]1284 handshake->tls13_kex_modes = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL;
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1285 break;
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1286
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1287 /* Neither pre_shared_key nor key_share extension was received */
1288 default:
1289 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Unknown key exchange." ) );
1290 ret = MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
1291 goto cleanup;
Jerry Yu0b177842021-09-05 19:41:30 +0800[diff] [blame]1292 }
1293
1294 /* Start the TLS 1.3 key schedule: Set the PSK and derive early secret.
1295 *
1296 * TODO: We don't have to do this in case we offered 0-RTT and the
1297 * server accepted it. In this case, we could skip generating
1298 * the early secret. */
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]1299 ret = mbedtls_ssl_tls13_key_schedule_stage_early( ssl );
Jerry Yu0b177842021-09-05 19:41:30 +0800[diff] [blame]1300 if( ret != 0 )
1301 {
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]1302 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_key_schedule_stage_early_data",
Jerry Yu0b177842021-09-05 19:41:30 +0800[diff] [blame]1303 ret );
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1304 goto cleanup;
Jerry Yu0b177842021-09-05 19:41:30 +0800[diff] [blame]1305 }
1306
1307 /* Compute handshake secret */
Jerry Yuf0ac2352021-10-11 17:47:07 +0800[diff] [blame]1308 ret = mbedtls_ssl_tls13_key_schedule_stage_handshake( ssl );
Jerry Yu0b177842021-09-05 19:41:30 +0800[diff] [blame]1309 if( ret != 0 )
1310 {
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]1311 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_derive_master_secret", ret );
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1312 goto cleanup;
Jerry Yu0b177842021-09-05 19:41:30 +0800[diff] [blame]1313 }
1314
1315 /* Next evolution in key schedule: Establish handshake secret and
1316 * key material. */
Jerry Yuc068b662021-10-11 22:30:19 +0800[diff] [blame]1317 ret = mbedtls_ssl_tls13_generate_handshake_keys( ssl, &traffic_keys );
Jerry Yu0b177842021-09-05 19:41:30 +0800[diff] [blame]1318 if( ret != 0 )
1319 {
Jerry Yuc068b662021-10-11 22:30:19 +0800[diff] [blame]1320 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_generate_handshake_keys",
1321 ret );
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1322 goto cleanup;
Jerry Yu0b177842021-09-05 19:41:30 +0800[diff] [blame]1323 }
1324
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1325 transform_handshake = mbedtls_calloc( 1, sizeof( mbedtls_ssl_transform ) );
Jerry Yu0b177842021-09-05 19:41:30 +0800[diff] [blame]1326 if( transform_handshake == NULL )
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1327 {
1328 ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
1329 goto cleanup;
1330 }
Jerry Yu0b177842021-09-05 19:41:30 +0800[diff] [blame]1331
1332 ret = mbedtls_ssl_tls13_populate_transform( transform_handshake,
1333 ssl->conf->endpoint,
1334 ssl->session_negotiate->ciphersuite,
1335 &traffic_keys,
1336 ssl );
1337 if( ret != 0 )
1338 {
1339 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_populate_transform", ret );
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1340 goto cleanup;
Jerry Yu0b177842021-09-05 19:41:30 +0800[diff] [blame]1341 }
1342
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1343 handshake->transform_handshake = transform_handshake;
1344 mbedtls_ssl_set_inbound_transform( ssl, transform_handshake );
Jerry Yu0b177842021-09-05 19:41:30 +0800[diff] [blame]1345
1346 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Switch to handshake keys for inbound traffic" ) );
1347 ssl->session_in = ssl->session_negotiate;
1348
1349 /*
1350 * State machine update
1351 */
1352 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_ENCRYPTED_EXTENSIONS );
1353
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1354cleanup:
1355
Jerry Yu0b177842021-09-05 19:41:30 +0800[diff] [blame]1356 mbedtls_platform_zeroize( &traffic_keys, sizeof( traffic_keys ) );
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1357 if( ret != 0 )
1358 {
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1359 mbedtls_free( transform_handshake );
Jerry Yuc068b662021-10-11 22:30:19 +0800[diff] [blame]1360
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1361 MBEDTLS_SSL_PEND_FATAL_ALERT(
1362 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
1363 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
1364 }
1365 return( ret );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1366}
1367
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]1368static int ssl_tls13_postprocess_hrr( mbedtls_ssl_context *ssl )
XiaokangQian647719a2021-12-07 09:16:29 +0000[diff] [blame]1369{
1370 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1371
XiaokangQian647719a2021-12-07 09:16:29 +0000[diff] [blame]1372#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
1373 /* If not offering early data, the client sends a dummy CCS record
1374 * immediately before its second flight. This may either be before
XiaokangQian51eff222021-12-10 10:33:56 +0000[diff] [blame]1375 * its second ClientHello or before its encrypted handshake flight.
1376 */
XiaokangQian647719a2021-12-07 09:16:29 +0000[diff] [blame]1377 mbedtls_ssl_handshake_set_state( ssl,
1378 MBEDTLS_SSL_CLIENT_CCS_BEFORE_2ND_CLIENT_HELLO );
1379#else
1380 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_HELLO );
1381#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
1382
XiaokangQian78b1fa72022-01-19 06:56:30 +0000[diff] [blame]1383 mbedtls_ssl_session_reset_msg_layer( ssl, 0 );
XiaokangQian647719a2021-12-07 09:16:29 +0000[diff] [blame]1384
XiaokangQian78b1fa72022-01-19 06:56:30 +0000[diff] [blame]1385 /*
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]1386 * We are going to re-generate a shared secret corresponding to the group
1387 * selected by the server, which is different from the group for which we
1388 * generated a shared secret in the first client hello.
1389 * Thus, reset the shared secret.
XiaokangQian51eff222021-12-10 10:33:56 +0000[diff] [blame]1390 */
XiaokangQian16acd4b2022-01-14 07:35:47 +0000[diff] [blame]1391 ret = ssl_tls13_reset_key_share( ssl );
XiaokangQian647719a2021-12-07 09:16:29 +0000[diff] [blame]1392 if( ret != 0 )
1393 return( ret );
1394
1395 return( 0 );
1396}
1397
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1398/*
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1399 * Wait and parse ServerHello handshake message.
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]1400 * Handler for MBEDTLS_SSL_SERVER_HELLO
1401 */
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]1402static int ssl_tls13_process_server_hello( mbedtls_ssl_context *ssl )
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]1403{
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1404 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
XiaokangQian647719a2021-12-07 09:16:29 +0000[diff] [blame]1405 unsigned char *buf = NULL;
1406 size_t buf_len = 0;
XiaokangQian78b1fa72022-01-19 06:56:30 +0000[diff] [blame]1407 int is_hrr = 0;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1408
1409 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> %s", __func__ ) );
1410
1411 /* Coordination step
1412 * - Fetch record
1413 * - Make sure it's either a ServerHello or a HRR.
1414 * - Switch processing routine in case of HRR
1415 */
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1416 ssl->major_ver = MBEDTLS_SSL_MAJOR_VERSION_3;
1417 ssl->handshake->extensions_present = MBEDTLS_SSL_EXT_NONE;
1418
XiaokangQian16acd4b2022-01-14 07:35:47 +0000[diff] [blame]1419 ret = ssl_tls13_server_hello_coordinate( ssl, &buf, &buf_len );
XiaokangQiand9e068e2022-01-18 06:23:32 +0000[diff] [blame]1420 if( ret < 0 )
XiaokangQian16acd4b2022-01-14 07:35:47 +0000[diff] [blame]1421 goto cleanup;
1422 else
XiaokangQiand9e068e2022-01-18 06:23:32 +0000[diff] [blame]1423 is_hrr = ( ret == SSL_SERVER_HELLO_COORDINATE_HRR );
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1424
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]1425 if( ret == SSL_SERVER_HELLO_COORDINATE_TLS1_2 )
1426 {
1427 ret = 0;
1428 goto cleanup;
1429 }
1430
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]1431 MBEDTLS_SSL_PROC_CHK( ssl_tls13_parse_server_hello( ssl, buf,
XiaokangQiand9e068e2022-01-18 06:23:32 +0000[diff] [blame]1432 buf + buf_len,
1433 is_hrr ) );
1434 if( is_hrr )
XiaokangQian647719a2021-12-07 09:16:29 +0000[diff] [blame]1435 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_reset_transcript_for_hrr( ssl ) );
1436
Ronald Cron8f6d39a2022-03-10 18:56:50 +0100[diff] [blame]1437 mbedtls_ssl_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_SERVER_HELLO,
1438 buf, buf_len );
XiaokangQian647719a2021-12-07 09:16:29 +0000[diff] [blame]1439
XiaokangQiand9e068e2022-01-18 06:23:32 +0000[diff] [blame]1440 if( is_hrr )
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]1441 MBEDTLS_SSL_PROC_CHK( ssl_tls13_postprocess_hrr( ssl ) );
XiaokangQiand9e068e2022-01-18 06:23:32 +0000[diff] [blame]1442 else
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]1443 MBEDTLS_SSL_PROC_CHK( ssl_tls13_postprocess_server_hello( ssl ) );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1444
1445cleanup:
XiaokangQiana9090612022-01-27 03:48:27 +0000[diff] [blame]1446 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= %s ( %s )", __func__,
1447 is_hrr?"HelloRetryRequest":"ServerHello" ) );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1448 return( ret );
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]1449}
1450
1451/*
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]1452 *
1453 * EncryptedExtensions message
1454 *
1455 * The EncryptedExtensions message contains any extensions which
1456 * should be protected, i.e., any which are not needed to establish
1457 * the cryptographic context.
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]1458 */
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]1459
1460/*
1461 * Overview
1462 */
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]1463
1464/* Main entry point; orchestrates the other functions */
XiaokangQian97799ac2021-10-11 10:05:54 +0000[diff] [blame]1465static int ssl_tls13_process_encrypted_extensions( mbedtls_ssl_context *ssl );
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]1466
XiaokangQian97799ac2021-10-11 10:05:54 +0000[diff] [blame]1467static int ssl_tls13_parse_encrypted_extensions( mbedtls_ssl_context *ssl,
1468 const unsigned char *buf,
1469 const unsigned char *end );
1470static int ssl_tls13_postprocess_encrypted_extensions( mbedtls_ssl_context *ssl );
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]1471
1472/*
XiaokangQianc1fe0002021-09-16 03:02:14 +0000[diff] [blame]1473 * Handler for MBEDTLS_SSL_ENCRYPTED_EXTENSIONS
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]1474 */
XiaokangQian97799ac2021-10-11 10:05:54 +0000[diff] [blame]1475static int ssl_tls13_process_encrypted_extensions( mbedtls_ssl_context *ssl )
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]1476{
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]1477 int ret;
1478 unsigned char *buf;
1479 size_t buf_len;
1480
1481 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse encrypted extensions" ) );
1482
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]1483 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_fetch_handshake_msg( ssl,
XiaokangQianab7f50d2021-10-21 06:23:29 +0000[diff] [blame]1484 MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS,
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]1485 &buf, &buf_len ) );
1486
1487 /* Process the message contents */
XiaokangQian97799ac2021-10-11 10:05:54 +0000[diff] [blame]1488 MBEDTLS_SSL_PROC_CHK(
XiaokangQian8db25ff2021-10-13 05:56:18 +0000[diff] [blame]1489 ssl_tls13_parse_encrypted_extensions( ssl, buf, buf + buf_len ) );
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]1490
Ronald Cron8f6d39a2022-03-10 18:56:50 +0100[diff] [blame]1491 mbedtls_ssl_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS,
1492 buf, buf_len );
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]1493
XiaokangQian97799ac2021-10-11 10:05:54 +0000[diff] [blame]1494 MBEDTLS_SSL_PROC_CHK( ssl_tls13_postprocess_encrypted_extensions( ssl ) );
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]1495
1496cleanup:
1497
1498 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse encrypted extensions" ) );
1499 return( ret );
1500
1501}
1502
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]1503/* Parse EncryptedExtensions message
1504 * struct {
XiaokangQian97799ac2021-10-11 10:05:54 +0000[diff] [blame]1505 * Extension extensions<0..2^16-1>;
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]1506 * } EncryptedExtensions;
1507 */
XiaokangQian97799ac2021-10-11 10:05:54 +0000[diff] [blame]1508static int ssl_tls13_parse_encrypted_extensions( mbedtls_ssl_context *ssl,
1509 const unsigned char *buf,
1510 const unsigned char *end )
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]1511{
1512 int ret = 0;
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]1513 size_t extensions_len;
XiaokangQian140f0452021-10-08 08:05:53 +0000[diff] [blame]1514 const unsigned char *p = buf;
XiaokangQian8db25ff2021-10-13 05:56:18 +0000[diff] [blame]1515 const unsigned char *extensions_end;
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]1516
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]1517 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
XiaokangQian97799ac2021-10-11 10:05:54 +0000[diff] [blame]1518 extensions_len = MBEDTLS_GET_UINT16_BE( p, 0 );
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]1519 p += 2;
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]1520
XiaokangQian97799ac2021-10-11 10:05:54 +0000[diff] [blame]1521 MBEDTLS_SSL_DEBUG_BUF( 3, "encrypted extensions", p, extensions_len );
XiaokangQian8db25ff2021-10-13 05:56:18 +0000[diff] [blame]1522 extensions_end = p + extensions_len;
1523 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, extensions_len );
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]1524
XiaokangQian8db25ff2021-10-13 05:56:18 +0000[diff] [blame]1525 while( p < extensions_end )
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]1526 {
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]1527 unsigned int extension_type;
1528 size_t extension_data_len;
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]1529
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]1530 /*
1531 * struct {
XiaokangQian97799ac2021-10-11 10:05:54 +0000[diff] [blame]1532 * ExtensionType extension_type; (2 bytes)
1533 * opaque extension_data<0..2^16-1>;
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]1534 * } Extension;
1535 */
XiaokangQian8db25ff2021-10-13 05:56:18 +0000[diff] [blame]1536 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, 4 );
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]1537 extension_type = MBEDTLS_GET_UINT16_BE( p, 0 );
1538 extension_data_len = MBEDTLS_GET_UINT16_BE( p, 2 );
1539 p += 4;
1540
XiaokangQian8db25ff2021-10-13 05:56:18 +0000[diff] [blame]1541 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, extension_data_len );
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]1542
XiaokangQian97799ac2021-10-11 10:05:54 +0000[diff] [blame]1543 /* The client MUST check EncryptedExtensions for the
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]1544 * presence of any forbidden extensions and if any are found MUST abort
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]1545 * the handshake with an "unsupported_extension" alert.
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]1546 */
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]1547 switch( extension_type )
1548 {
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]1549
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]1550 case MBEDTLS_TLS_EXT_SUPPORTED_GROUPS:
1551 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found extensions supported groups" ) );
1552 break;
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]1553
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]1554#if defined(MBEDTLS_SSL_ALPN)
1555 case MBEDTLS_TLS_EXT_ALPN:
1556 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found alpn extension" ) );
1557
1558 if( ( ret = ssl_tls13_parse_alpn_ext( ssl, p, (size_t)extension_data_len ) ) != 0 )
1559 {
1560 return( ret );
1561 }
1562
1563 break;
1564#endif /* MBEDTLS_SSL_ALPN */
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]1565 default:
XiaokangQian97799ac2021-10-11 10:05:54 +0000[diff] [blame]1566 MBEDTLS_SSL_DEBUG_MSG(
1567 3, ( "unsupported extension found: %u ", extension_type) );
1568 MBEDTLS_SSL_PEND_FATAL_ALERT(
Jerry Yu7aa71862021-10-28 21:41:30 +0800[diff] [blame]1569 MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT,
XiaokangQian97799ac2021-10-11 10:05:54 +0000[diff] [blame]1570 MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION );
1571 return ( MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION );
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]1572 }
1573
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]1574 p += extension_data_len;
XiaokangQian97799ac2021-10-11 10:05:54 +0000[diff] [blame]1575 }
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]1576
XiaokangQian97799ac2021-10-11 10:05:54 +0000[diff] [blame]1577 /* Check that we consumed all the message. */
XiaokangQian7b2d4ef2021-10-13 10:19:02 +0000[diff] [blame]1578 if( p != end )
XiaokangQian97799ac2021-10-11 10:05:54 +0000[diff] [blame]1579 {
1580 MBEDTLS_SSL_DEBUG_MSG( 1, ( "EncryptedExtension lengths misaligned" ) );
Jerry Yu7aa71862021-10-28 21:41:30 +0800[diff] [blame]1581 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
XiaokangQian7b2d4ef2021-10-13 10:19:02 +0000[diff] [blame]1582 MBEDTLS_ERR_SSL_DECODE_ERROR );
XiaokangQian97799ac2021-10-11 10:05:54 +0000[diff] [blame]1583 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]1584 }
1585
1586 return( ret );
1587}
1588
XiaokangQian97799ac2021-10-11 10:05:54 +0000[diff] [blame]1589static int ssl_tls13_postprocess_encrypted_extensions( mbedtls_ssl_context *ssl )
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]1590{
Jerry Yua93ac112021-10-27 16:31:48 +0800[diff] [blame]1591#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]1592 if( mbedtls_ssl_tls13_some_psk_enabled( ssl ) )
Jerry Yua93ac112021-10-27 16:31:48 +0800[diff] [blame]1593 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_FINISHED );
1594 else
Jerry Yud2674312021-10-29 10:08:19 +0800[diff] [blame]1595 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CERTIFICATE_REQUEST );
Jerry Yua93ac112021-10-27 16:31:48 +0800[diff] [blame]1596#else
1597 ((void) ssl);
1598 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_FINISHED );
1599#endif
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]1600 return( 0 );
1601}
1602
Jerry Yua93ac112021-10-27 16:31:48 +0800[diff] [blame]1603#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]1604/*
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]1605 *
1606 * STATE HANDLING: CertificateRequest
1607 *
Jerry Yud2674312021-10-29 10:08:19 +0800[diff] [blame]1608 */
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]1609#define SSL_CERTIFICATE_REQUEST_EXPECT_REQUEST 0
1610#define SSL_CERTIFICATE_REQUEST_SKIP 1
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]1611/* Coordination:
1612 * Deals with the ambiguity of not knowing if a CertificateRequest
1613 * will be sent. Returns a negative code on failure, or
1614 * - SSL_CERTIFICATE_REQUEST_EXPECT_REQUEST
1615 * - SSL_CERTIFICATE_REQUEST_SKIP
1616 * indicating if a Certificate Request is expected or not.
1617 */
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]1618static int ssl_tls13_certificate_request_coordinate( mbedtls_ssl_context *ssl )
Jerry Yud2674312021-10-29 10:08:19 +0800[diff] [blame]1619{
Xiaofei Baide3f13e2022-01-18 05:47:05 +0000[diff] [blame]1620 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yud2674312021-10-29 10:08:19 +0800[diff] [blame]1621
Xiaofei Bai7c8b6a92022-02-08 15:21:13 +0000[diff] [blame]1622 if( mbedtls_ssl_tls13_some_psk_enabled( ssl ) )
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]1623 {
1624 MBEDTLS_SSL_DEBUG_MSG( 3, ( "<= skip parse certificate request" ) );
1625 return( SSL_CERTIFICATE_REQUEST_SKIP );
1626 }
1627
1628 if( ( ret = mbedtls_ssl_read_record( ssl, 0 ) ) != 0 )
Jerry Yud2674312021-10-29 10:08:19 +0800[diff] [blame]1629 {
1630 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
1631 return( ret );
1632 }
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]1633 ssl->keep_current_message = 1;
Jerry Yud2674312021-10-29 10:08:19 +0800[diff] [blame]1634
1635 if( ( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE ) &&
1636 ( ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE_REQUEST ) )
1637 {
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]1638 return( SSL_CERTIFICATE_REQUEST_EXPECT_REQUEST );
Jerry Yud2674312021-10-29 10:08:19 +0800[diff] [blame]1639 }
1640
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]1641 return( SSL_CERTIFICATE_REQUEST_SKIP );
1642}
1643
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]1644/*
1645 * ssl_tls13_parse_certificate_request()
1646 * Parse certificate request
1647 * struct {
1648 * opaque certificate_request_context<0..2^8-1>;
1649 * Extension extensions<2..2^16-1>;
1650 * } CertificateRequest;
1651 */
1652static int ssl_tls13_parse_certificate_request( mbedtls_ssl_context *ssl,
1653 const unsigned char *buf,
1654 const unsigned char *end )
1655{
1656 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1657 const unsigned char *p = buf;
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]1658 size_t certificate_request_context_len = 0;
Xiaofei Bai82f0a9a2022-01-26 09:21:54 +0000[diff] [blame]1659 size_t extensions_len = 0;
1660 const unsigned char *extensions_end;
1661 unsigned char sig_alg_ext_found = 0;
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]1662
Xiaofei Bai82f0a9a2022-01-26 09:21:54 +0000[diff] [blame]1663 /* ...
1664 * opaque certificate_request_context<0..2^8-1>
1665 * ...
1666 */
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]1667 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 1 );
1668 certificate_request_context_len = (size_t) p[0];
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]1669 p += 1;
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]1670
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]1671 if( certificate_request_context_len > 0 )
1672 {
Xiaofei Baic234ecf2022-02-08 09:59:23 +0000[diff] [blame]1673 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, certificate_request_context_len );
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]1674 MBEDTLS_SSL_DEBUG_BUF( 3, "Certificate Request Context",
1675 p, certificate_request_context_len );
1676
Xiaofei Bai82f0a9a2022-01-26 09:21:54 +0000[diff] [blame]1677 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]1678 handshake->certificate_request_context =
Xiaofei Bai6d42bb42022-01-28 08:52:13 +0000[diff] [blame]1679 mbedtls_calloc( 1, certificate_request_context_len );
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]1680 if( handshake->certificate_request_context == NULL )
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]1681 {
1682 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
1683 return ( MBEDTLS_ERR_SSL_ALLOC_FAILED );
1684 }
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]1685 memcpy( handshake->certificate_request_context, p,
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]1686 certificate_request_context_len );
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]1687 p += certificate_request_context_len;
1688 }
1689
Xiaofei Bai82f0a9a2022-01-26 09:21:54 +0000[diff] [blame]1690 /* ...
1691 * Extension extensions<2..2^16-1>;
1692 * ...
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]1693 */
1694 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
1695 extensions_len = MBEDTLS_GET_UINT16_BE( p, 0 );
1696 p += 2;
1697
1698 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, extensions_len );
1699 extensions_end = p + extensions_len;
1700
1701 while( p < extensions_end )
1702 {
1703 unsigned int extension_type;
1704 size_t extension_data_len;
1705
1706 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, 4 );
1707 extension_type = MBEDTLS_GET_UINT16_BE( p, 0 );
1708 extension_data_len = MBEDTLS_GET_UINT16_BE( p, 2 );
1709 p += 4;
1710
1711 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, extension_data_len );
1712
1713 switch( extension_type )
1714 {
1715 case MBEDTLS_TLS_EXT_SIG_ALG:
1716 MBEDTLS_SSL_DEBUG_MSG( 3,
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]1717 ( "found signature algorithms extension" ) );
1718 ret = mbedtls_ssl_tls13_parse_sig_alg_ext( ssl, p,
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]1719 p + extension_data_len );
1720 if( ret != 0 )
1721 return( ret );
Xiaofei Bai82f0a9a2022-01-26 09:21:54 +0000[diff] [blame]1722 if( ! sig_alg_ext_found )
1723 sig_alg_ext_found = 1;
1724 else
1725 {
1726 MBEDTLS_SSL_DEBUG_MSG( 3,
1727 ( "Duplicate signature algorithms extensions found" ) );
Xiaofei Baic234ecf2022-02-08 09:59:23 +0000[diff] [blame]1728 goto decode_error;
Xiaofei Bai82f0a9a2022-01-26 09:21:54 +0000[diff] [blame]1729 }
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]1730 break;
1731
1732 default:
1733 MBEDTLS_SSL_DEBUG_MSG(
1734 3,
1735 ( "unknown extension found: %u ( ignoring )",
1736 extension_type ) );
Xiaofei Bai82f0a9a2022-01-26 09:21:54 +0000[diff] [blame]1737 break;
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]1738 }
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]1739 p += extension_data_len;
1740 }
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]1741 /* Check that we consumed all the message. */
1742 if( p != end )
1743 {
1744 MBEDTLS_SSL_DEBUG_MSG( 1,
Xiaofei Baic234ecf2022-02-08 09:59:23 +0000[diff] [blame]1745 ( "CertificateRequest misaligned" ) );
1746 goto decode_error;
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]1747 }
1748 /* Check that we found signature algorithms extension */
Xiaofei Bai82f0a9a2022-01-26 09:21:54 +0000[diff] [blame]1749 if( ! sig_alg_ext_found )
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]1750 {
Xiaofei Bai6d42bb42022-01-28 08:52:13 +0000[diff] [blame]1751 MBEDTLS_SSL_DEBUG_MSG( 3,
1752 ( "no signature algorithms extension found" ) );
Xiaofei Baic234ecf2022-02-08 09:59:23 +0000[diff] [blame]1753 goto decode_error;
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]1754 }
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]1755
Jerry Yu7840f812022-01-29 10:26:51 +0800[diff] [blame]1756 ssl->handshake->client_auth = 1;
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]1757 return( 0 );
Xiaofei Bai51f515a2022-02-08 07:28:04 +0000[diff] [blame]1758
Xiaofei Baic234ecf2022-02-08 09:59:23 +0000[diff] [blame]1759decode_error:
Xiaofei Bai51f515a2022-02-08 07:28:04 +0000[diff] [blame]1760 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
1761 MBEDTLS_ERR_SSL_DECODE_ERROR );
1762 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]1763}
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]1764
Xiaofei Baide3f13e2022-01-18 05:47:05 +0000[diff] [blame]1765/*
1766 * Handler for MBEDTLS_SSL_CERTIFICATE_REQUEST
1767 */
1768static int ssl_tls13_process_certificate_request( mbedtls_ssl_context *ssl )
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]1769{
Xiaofei Baide3f13e2022-01-18 05:47:05 +0000[diff] [blame]1770 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]1771
1772 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) );
1773
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]1774 MBEDTLS_SSL_PROC_CHK_NEG( ssl_tls13_certificate_request_coordinate( ssl ) );
1775
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]1776 if( ret == SSL_CERTIFICATE_REQUEST_EXPECT_REQUEST )
1777 {
1778 unsigned char *buf;
1779 size_t buf_len;
1780
1781 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_fetch_handshake_msg( ssl,
1782 MBEDTLS_SSL_HS_CERTIFICATE_REQUEST,
1783 &buf, &buf_len ) );
1784
1785 MBEDTLS_SSL_PROC_CHK( ssl_tls13_parse_certificate_request( ssl,
1786 buf, buf + buf_len ) );
1787
Ronald Cron8f6d39a2022-03-10 18:56:50 +0100[diff] [blame]1788 mbedtls_ssl_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST,
1789 buf, buf_len );
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]1790 }
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]1791 else if( ret == SSL_CERTIFICATE_REQUEST_SKIP )
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]1792 {
1793 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate request" ) );
Xiaofei Baif6d36962022-01-16 14:54:35 +0000[diff] [blame]1794 ret = 0;
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]1795 }
1796 else
1797 {
1798 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
Xiaofei Bai51f515a2022-02-08 07:28:04 +0000[diff] [blame]1799 ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
1800 goto cleanup;
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]1801 }
1802
1803 MBEDTLS_SSL_DEBUG_MSG( 3, ( "got %s certificate request",
Jerry Yu7840f812022-01-29 10:26:51 +0800[diff] [blame]1804 ssl->handshake->client_auth ? "a" : "no" ) );
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]1805
Jerry Yud2674312021-10-29 10:08:19 +0800[diff] [blame]1806 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_CERTIFICATE );
1807
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]1808cleanup:
1809
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]1810 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate request" ) );
1811 return( ret );
Jerry Yud2674312021-10-29 10:08:19 +0800[diff] [blame]1812}
1813
1814/*
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]1815 * Handler for MBEDTLS_SSL_SERVER_CERTIFICATE
1816 */
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]1817static int ssl_tls13_process_server_certificate( mbedtls_ssl_context *ssl )
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]1818{
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]1819 int ret;
1820
1821 ret = mbedtls_ssl_tls13_process_certificate( ssl );
Xiaofei Baif93cbd22021-10-29 02:39:30 +0000[diff] [blame]1822 if( ret != 0 )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]1823 return( ret );
1824
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]1825 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CERTIFICATE_VERIFY );
1826 return( 0 );
1827}
1828
1829/*
1830 * Handler for MBEDTLS_SSL_CERTIFICATE_VERIFY
1831 */
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]1832static int ssl_tls13_process_certificate_verify( mbedtls_ssl_context *ssl )
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]1833{
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]1834 int ret;
1835
1836 ret = mbedtls_ssl_tls13_process_certificate_verify( ssl );
1837 if( ret != 0 )
1838 return( ret );
1839
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]1840 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_FINISHED );
1841 return( 0 );
1842}
Jerry Yua93ac112021-10-27 16:31:48 +0800[diff] [blame]1843#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
Ronald Crond4c64022021-12-06 09:06:46 +0100[diff] [blame]1844
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]1845/*
1846 * Handler for MBEDTLS_SSL_SERVER_FINISHED
1847 */
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]1848static int ssl_tls13_process_server_finished( mbedtls_ssl_context *ssl )
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]1849{
XiaokangQianac0385c2021-11-03 06:40:11 +0000[diff] [blame]1850 int ret;
1851
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]1852 ret = mbedtls_ssl_tls13_process_finished_message( ssl );
XiaokangQianac0385c2021-11-03 06:40:11 +0000[diff] [blame]1853 if( ret != 0 )
1854 return( ret );
1855
Ronald Cron49ad6192021-11-24 16:25:31 +0100[diff] [blame]1856#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
1857 mbedtls_ssl_handshake_set_state(
1858 ssl,
1859 MBEDTLS_SSL_CLIENT_CCS_AFTER_SERVER_FINISHED );
1860#else
Jerry Yuca133a32022-02-15 14:22:05 +0800[diff] [blame]1861 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE );
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]1862#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
Ronald Cron49ad6192021-11-24 16:25:31 +0100[diff] [blame]1863
XiaokangQianac0385c2021-11-03 06:40:11 +0000[diff] [blame]1864 return( 0 );
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]1865}
1866
1867/*
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]1868 * Handler for MBEDTLS_SSL_CLIENT_CERTIFICATE
1869 */
1870static int ssl_tls13_write_client_certificate( mbedtls_ssl_context *ssl )
1871{
Ronald Cron7a94aca2022-03-09 07:44:27 +0100[diff] [blame]1872 int non_empty_certificate_msg = 0;
1873
Jerry Yu5cc35062022-01-28 16:16:08 +0800[diff] [blame]1874 MBEDTLS_SSL_DEBUG_MSG( 1,
1875 ( "Switch to handshake traffic keys for outbound traffic" ) );
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]1876 mbedtls_ssl_set_outbound_transform( ssl, ssl->handshake->transform_handshake );
Jerry Yu5cc35062022-01-28 16:16:08 +0800[diff] [blame]1877
Ronald Cron9df7c802022-03-08 18:38:54 +0100[diff] [blame]1878#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Ronald Cron5bb8fc82022-03-09 07:00:13 +0100[diff] [blame]1879 if( ssl->handshake->client_auth )
Ronald Cron7a94aca2022-03-09 07:44:27 +0100[diff] [blame]1880 {
1881 int ret = mbedtls_ssl_tls13_write_certificate( ssl );
1882 if( ret != 0 )
1883 return( ret );
Ronald Cron5bb8fc82022-03-09 07:00:13 +0100[diff] [blame]1884
Ronald Cron7a94aca2022-03-09 07:44:27 +0100[diff] [blame]1885 if( mbedtls_ssl_own_cert( ssl ) != NULL )
1886 non_empty_certificate_msg = 1;
1887 }
1888 else
1889 {
1890 MBEDTLS_SSL_DEBUG_MSG( 2, ( "No certificate message to send." ) );
1891 }
Ronald Cron9df7c802022-03-08 18:38:54 +0100[diff] [blame]1892#endif
Ronald Cron5bb8fc82022-03-09 07:00:13 +0100[diff] [blame]1893
Ronald Cron7a94aca2022-03-09 07:44:27 +0100[diff] [blame]1894 if( non_empty_certificate_msg )
1895 {
1896 mbedtls_ssl_handshake_set_state( ssl,
1897 MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY );
1898 }
1899 else
1900 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_FINISHED );
1901
Ronald Cron5bb8fc82022-03-09 07:00:13 +0100[diff] [blame]1902 return( 0 );
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]1903}
1904
Ronald Cron9df7c802022-03-08 18:38:54 +0100[diff] [blame]1905#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]1906/*
1907 * Handler for MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY
1908 */
1909static int ssl_tls13_write_client_certificate_verify( mbedtls_ssl_context *ssl )
1910{
Ronald Crona8b38872022-03-09 07:59:25 +0100[diff] [blame]1911 int ret = mbedtls_ssl_tls13_write_certificate_verify( ssl );
1912
1913 if( ret == 0 )
1914 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_FINISHED );
1915
1916 return( ret );
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]1917}
Jerry Yu90f152d2022-01-29 22:12:42 +0800[diff] [blame]1918#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]1919
1920/*
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]1921 * Handler for MBEDTLS_SSL_CLIENT_FINISHED
1922 */
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]1923static int ssl_tls13_write_client_finished( mbedtls_ssl_context *ssl )
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]1924{
XiaokangQian0fa66432021-11-15 03:33:57 +0000[diff] [blame]1925 int ret;
1926
1927 ret = mbedtls_ssl_tls13_write_finished_message( ssl );
1928 if( ret != 0 )
1929 return( ret );
1930
1931 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_FLUSH_BUFFERS );
1932 return( 0 );
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]1933}
1934
1935/*
1936 * Handler for MBEDTLS_SSL_FLUSH_BUFFERS
1937 */
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]1938static int ssl_tls13_flush_buffers( mbedtls_ssl_context *ssl )
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]1939{
Jerry Yu378254d2021-10-30 21:44:47 +0800[diff] [blame]1940 MBEDTLS_SSL_DEBUG_MSG( 2, ( "handshake: done" ) );
Jerry Yuad8d0ba2021-09-28 17:58:26 +0800[diff] [blame]1941 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_HANDSHAKE_WRAPUP );
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]1942 return( 0 );
1943}
1944
1945/*
1946 * Handler for MBEDTLS_SSL_HANDSHAKE_WRAPUP
1947 */
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]1948static int ssl_tls13_handshake_wrapup( mbedtls_ssl_context *ssl )
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]1949{
Jerry Yu378254d2021-10-30 21:44:47 +0800[diff] [blame]1950 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Switch to application keys for inbound traffic" ) );
1951 mbedtls_ssl_set_inbound_transform ( ssl, ssl->transform_application );
1952
1953 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Switch to application keys for outbound traffic" ) );
1954 mbedtls_ssl_set_outbound_transform( ssl, ssl->transform_application );
1955
1956 mbedtls_ssl_tls13_handshake_wrapup( ssl );
1957
1958 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_HANDSHAKE_OVER );
1959 return( 0 );
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]1960}
1961
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]1962int mbedtls_ssl_tls13_handshake_client_step( mbedtls_ssl_context *ssl )
Jerry Yubc20bdd2021-08-24 15:59:48 +0800[diff] [blame]1963{
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]1964 int ret = 0;
Jerry Yuc8a392c2021-08-18 16:46:28 +0800[diff] [blame]1965
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]1966 switch( ssl->state )
1967 {
1968 /*
Jerry Yu0c63af62021-09-02 12:59:12 +0800[diff] [blame]1969 * ssl->state is initialized as HELLO_REQUEST. It is the same
1970 * as CLIENT_HELLO state.
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]1971 */
1972 case MBEDTLS_SSL_HELLO_REQUEST:
1973 case MBEDTLS_SSL_CLIENT_HELLO:
Ronald Cron3d580bf2022-02-18 17:24:56 +0100[diff] [blame]1974 ret = mbedtls_ssl_write_client_hello( ssl );
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]1975 break;
1976
1977 case MBEDTLS_SSL_SERVER_HELLO:
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]1978 ret = ssl_tls13_process_server_hello( ssl );
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]1979 break;
1980
1981 case MBEDTLS_SSL_ENCRYPTED_EXTENSIONS:
XiaokangQian97799ac2021-10-11 10:05:54 +0000[diff] [blame]1982 ret = ssl_tls13_process_encrypted_extensions( ssl );
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]1983 break;
1984
Jerry Yua93ac112021-10-27 16:31:48 +0800[diff] [blame]1985#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Jerry Yud2674312021-10-29 10:08:19 +0800[diff] [blame]1986 case MBEDTLS_SSL_CERTIFICATE_REQUEST:
1987 ret = ssl_tls13_process_certificate_request( ssl );
1988 break;
1989
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]1990 case MBEDTLS_SSL_SERVER_CERTIFICATE:
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]1991 ret = ssl_tls13_process_server_certificate( ssl );
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]1992 break;
1993
1994 case MBEDTLS_SSL_CERTIFICATE_VERIFY:
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]1995 ret = ssl_tls13_process_certificate_verify( ssl );
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]1996 break;
Jerry Yua93ac112021-10-27 16:31:48 +0800[diff] [blame]1997#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]1998
1999 case MBEDTLS_SSL_SERVER_FINISHED:
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]2000 ret = ssl_tls13_process_server_finished( ssl );
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2001 break;
2002
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]2003 case MBEDTLS_SSL_CLIENT_CERTIFICATE:
2004 ret = ssl_tls13_write_client_certificate( ssl );
2005 break;
2006
Ronald Cron9df7c802022-03-08 18:38:54 +0100[diff] [blame]2007#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]2008 case MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY:
2009 ret = ssl_tls13_write_client_certificate_verify( ssl );
2010 break;
Jerry Yu90f152d2022-01-29 22:12:42 +0800[diff] [blame]2011#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]2012
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2013 case MBEDTLS_SSL_CLIENT_FINISHED:
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]2014 ret = ssl_tls13_write_client_finished( ssl );
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2015 break;
2016
2017 case MBEDTLS_SSL_FLUSH_BUFFERS:
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]2018 ret = ssl_tls13_flush_buffers( ssl );
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2019 break;
2020
2021 case MBEDTLS_SSL_HANDSHAKE_WRAPUP:
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]2022 ret = ssl_tls13_handshake_wrapup( ssl );
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]2023 break;
2024
Ronald Cron49ad6192021-11-24 16:25:31 +0100[diff] [blame]2025 /*
2026 * Injection of dummy-CCS's for middlebox compatibility
2027 */
2028#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
XiaokangQian0b56a8f2021-12-22 02:39:32 +0000[diff] [blame]2029 case MBEDTLS_SSL_CLIENT_CCS_BEFORE_2ND_CLIENT_HELLO:
Ronald Cron9f55f632022-02-02 16:02:47 +0100[diff] [blame]2030 ret = mbedtls_ssl_tls13_write_change_cipher_spec( ssl );
2031 if( ret == 0 )
2032 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_HELLO );
2033 break;
2034
2035 case MBEDTLS_SSL_CLIENT_CCS_AFTER_SERVER_FINISHED:
2036 ret = mbedtls_ssl_tls13_write_change_cipher_spec( ssl );
2037 if( ret == 0 )
2038 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE );
Ronald Cron49ad6192021-11-24 16:25:31 +0100[diff] [blame]2039 break;
2040#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
2041
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]2042 default:
2043 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) );
2044 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
2045 }
2046
2047 return( ret );
2048}
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800[diff] [blame]2049
Jerry Yufb4b6472022-01-27 15:03:26 +0800[diff] [blame]2050#endif /* MBEDTLS_SSL_CLI_C && MBEDTLS_SSL_PROTO_TLS1_3 */
Jerry Yu3cc4c2a2021-08-06 16:29:08 +0800[diff] [blame]2051
Jerry Yufb4b6472022-01-27 15:03:26 +0800[diff] [blame]2052