Blame - library/ssl_tls13_client.c - mirror/mbed-tls

2021-08-24 15:59:48 +0800

[diff] [blame]

12

#include <string.h>

13

Valerio Setti

b4f5076

2024-01-17 10:24:52 +0100

[diff] [blame]

14

#include "debug_internal.h"

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

15

#include "mbedtls/error.h"

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

16

#include "mbedtls/platform.h"

Jerry Yu

a13c7e7

2021-08-17 10:44:40 +0800

[diff] [blame]

17

Jerry Yu

bdc7188

2021-09-14 19:30:36 +0800

[diff] [blame]

18

#include "ssl_misc.h"

Ronald Cron

3d580bf

2022-02-18 17:24:56 +0100

[diff] [blame]

19

#include "ssl_client.h"

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

20

#include "ssl_tls13_keys.h"

Jerry Yu

2022-08-04 16:55:10 +0800

[diff] [blame]

21

#include "ssl_debug_helpers.h"

Valerio Setti

384fbde

2024-01-02 13:26:40 +0100

[diff] [blame]

22

#include "mbedtls/psa_util.h"

Jerry Yu

bdc7188

2021-09-14 19:30:36 +0800

[diff] [blame]

23

Valerio Setti

2023-07-25 11:23:50 +0200

[diff] [blame]

24

#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)

Andrzej Kurek

0064484

2023-05-30 05:45:00 -0400

[diff] [blame]

25

/* Define a local translating function to save code size by not using too many

26

* arguments in each translating place. */

27

static int local_err_translation(psa_status_t status)

28

{

29

return psa_status_to_mbedtls(status, psa_to_ssl_errors,

Andrzej Kurek

1e4a030

2023-05-30 09:45:17 -0400

[diff] [blame]

30

ARRAY_LENGTH(psa_to_ssl_errors),

Andrzej Kurek

0064484

2023-05-30 05:45:00 -0400

[diff] [blame]

31

psa_generic_status_to_mbedtls);

32

}

33

#define PSA_TO_MBEDTLS_ERR(status) local_err_translation(status)

Andrzej Kurek

a6033ac

2023-05-30 15:16:34 -0400

[diff] [blame]

34

#endif

35

Jerry Yu

2021-08-24 15:59:48 +0800

[diff] [blame]

36

/* Write extensions */

37

Jerry Yu

2021-08-27 16:59:09 +0800

[diff] [blame]

38

/*

39

* ssl_tls13_write_supported_versions_ext():

40

*

41

* struct {

42

* ProtocolVersion versions<2..254>;

43

* } SupportedVersions;

44

*/

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

45

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

46

static int ssl_tls13_write_supported_versions_ext(mbedtls_ssl_context *ssl,

47

unsigned char *buf,

48

unsigned char *end,

49

size_t *out_len)

Jerry Yu

2021-08-27 16:59:09 +0800

[diff] [blame]

50

{

51

unsigned char *p = buf;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

52

unsigned char versions_len = (ssl->handshake->min_tls_version <=

53

MBEDTLS_SSL_VERSION_TLS1_2) ? 4 : 2;

Jerry Yu

2021-08-27 16:59:09 +0800

[diff] [blame]

54

Xiaofei Bai

d25fab6

2021-12-02 06:36:27 +0000

[diff] [blame]

55

*out_len = 0;

Jerry Yu

2021-08-27 16:59:09 +0800

[diff] [blame]

56

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

57

MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, adding supported versions extension"));

Jerry Yu

2021-08-27 16:59:09 +0800

[diff] [blame]

58

Jerry Yu

2021-09-15 18:41:02 +0800

[diff] [blame]

59

/* Check if we have space to write the extension:

Jerry Yu

2021-09-08 16:41:02 +0800

[diff] [blame]

60

* - extension_type (2 bytes)

61

* - extension_data_length (2 bytes)

62

* - versions_length (1 byte )

Ronald Cron

a77fc27

2022-03-30 17:20:47 +0200

[diff] [blame]

63

* - versions (2 or 4 bytes)

Jerry Yu

159c5a0

2021-08-31 12:51:25 +0800

[diff] [blame]

64

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

65

MBEDTLS_SSL_CHK_BUF_PTR(p, end, 5 + versions_len);

Ronald Cron

2022-02-10 14:35:27 +0100

[diff] [blame]

66

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

67

MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS, p, 0);

68

MBEDTLS_PUT_UINT16_BE(versions_len + 1, p, 2);

Jerry Yu

eecfbf0

2021-08-30 18:32:07 +0800

[diff] [blame]

69

p += 4;

Jerry Yu

2021-08-27 16:59:09 +0800

[diff] [blame]

70

Jerry Yu

1bc2c1f

2021-09-01 12:57:29 +0800

[diff] [blame]

71

/* Length of versions */

Ronald Cron

2022-02-10 14:35:27 +0100

[diff] [blame]

72

*p++ = versions_len;

Jerry Yu

2021-08-27 16:59:09 +0800

[diff] [blame]

73

Jerry Yu

0c63af6

2021-09-02 12:59:12 +0800

[diff] [blame]

74

/* Write values of supported versions.

Jerry Yu

0c63af6

2021-09-02 12:59:12 +0800

[diff] [blame]

75

* They are defined by the configuration.

Ronald Cron

2022-02-10 14:35:27 +0100

[diff] [blame]

76

* Currently, we advertise only TLS 1.3 or both TLS 1.3 and TLS 1.2.

Jerry Yu

2021-08-27 16:59:09 +0800

[diff] [blame]

77

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

78

mbedtls_ssl_write_version(p, MBEDTLS_SSL_TRANSPORT_STREAM,

79

MBEDTLS_SSL_VERSION_TLS1_3);

80

MBEDTLS_SSL_DEBUG_MSG(3, ("supported version: [3:4]"));

Jerry Yu

2021-08-27 16:59:09 +0800

[diff] [blame]

81

Jerry Yu

2021-08-27 16:59:09 +0800

[diff] [blame]

82

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

83

if (ssl->handshake->min_tls_version <= MBEDTLS_SSL_VERSION_TLS1_2) {

84

mbedtls_ssl_write_version(p + 2, MBEDTLS_SSL_TRANSPORT_STREAM,

85

MBEDTLS_SSL_VERSION_TLS1_2);

86

MBEDTLS_SSL_DEBUG_MSG(3, ("supported version: [3:3]"));

Ronald Cron

2022-02-10 14:35:27 +0100

[diff] [blame]

87

}

88

89

*out_len = 5 + versions_len;

Jerry Yu

2022-10-31 13:31:22 +0800

[diff] [blame]

90

Jerry Yu

2022-10-29 09:08:47 +0800

[diff] [blame]

91

mbedtls_ssl_tls13_set_hs_sent_ext_mask(

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

92

ssl, MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS);

Jerry Yu

2022-10-31 13:31:22 +0800

[diff] [blame]

93

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

94

return 0;

Jerry Yu

2021-08-27 16:59:09 +0800

[diff] [blame]

95

}

Jerry Yu

2021-08-24 15:59:48 +0800

[diff] [blame]

96

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

97

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

98

static int ssl_tls13_parse_supported_versions_ext(mbedtls_ssl_context *ssl,

99

const unsigned char *buf,

100

const unsigned char *end)

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

101

{

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

102

((void) ssl);

103

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

104

MBEDTLS_SSL_CHK_BUF_READ_PTR(buf, end, 2);

105

if (mbedtls_ssl_read_version(buf, ssl->conf->transport) !=

106

MBEDTLS_SSL_VERSION_TLS1_3) {

107

MBEDTLS_SSL_DEBUG_MSG(1, ("unexpected version"));

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

108

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

109

MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,

110

MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);

111

return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

112

}

113

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

114

if (&buf[2] != end) {

Xiaokang Qian

91bb3f0

2023-04-03 09:07:03 +0000

[diff] [blame]

115

MBEDTLS_SSL_DEBUG_MSG(

116

1, ("supported_versions ext data length incorrect"));

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

117

MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,

118

MBEDTLS_ERR_SSL_DECODE_ERROR);

119

return MBEDTLS_ERR_SSL_DECODE_ERROR;

Ronald Cron

9847338

2022-03-30 20:04:10 +0200

[diff] [blame]

120

}

121

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

122

return 0;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

123

}

124

lhuang04

2022-01-21 07:34:27 -0800

[diff] [blame]

125

#if defined(MBEDTLS_SSL_ALPN)

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

126

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

127

static int ssl_tls13_parse_alpn_ext(mbedtls_ssl_context *ssl,

128

const unsigned char *buf, size_t len)

lhuang04

2022-01-21 07:34:27 -0800

[diff] [blame]

129

{

lhuang04

2022-01-21 07:34:27 -0800

[diff] [blame]

130

const unsigned char *p = buf;

131

const unsigned char *end = buf + len;

Ronald Cron

81a334f

2022-05-31 16:04:11 +0200

[diff] [blame]

132

size_t protocol_name_list_len, protocol_name_len;

133

const unsigned char *protocol_name_list_end;

lhuang04

2022-01-21 07:34:27 -0800

[diff] [blame]

134

135

/* If we didn't send it, the server shouldn't send it */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

136

if (ssl->conf->alpn_list == NULL) {

137

return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;

138

}

lhuang04

2022-01-21 07:34:27 -0800

[diff] [blame]

139

140

/*

141

* opaque ProtocolName<1..2^8-1>;

142

*

143

* struct {

144

* ProtocolName protocol_name_list<2..2^16-1>

145

* } ProtocolNameList;

146

*

147

* the "ProtocolNameList" MUST contain exactly one "ProtocolName"

148

*/

149

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

150

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);

151

protocol_name_list_len = MBEDTLS_GET_UINT16_BE(p, 0);

lhuang04

2022-01-21 07:34:27 -0800

[diff] [blame]

152

p += 2;

lhuang04

2022-01-21 07:34:27 -0800

[diff] [blame]

153

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

154

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, protocol_name_list_len);

Ronald Cron

81a334f

2022-05-31 16:04:11 +0200

[diff] [blame]

155

protocol_name_list_end = p + protocol_name_list_len;

156

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

157

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, protocol_name_list_end, 1);

Ronald Cron

81a334f

2022-05-31 16:04:11 +0200

[diff] [blame]

158

protocol_name_len = *p++;

lhuang04

2022-01-21 07:34:27 -0800

[diff] [blame]

159

160

/* Check that the server chosen protocol was in our list and save it */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

161

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, protocol_name_list_end, protocol_name_len);

162

for (const char **alpn = ssl->conf->alpn_list; *alpn != NULL; alpn++) {

163

if (protocol_name_len == strlen(*alpn) &&

164

memcmp(p, *alpn, protocol_name_len) == 0) {

lhuang04

2022-01-21 07:34:27 -0800

[diff] [blame]

165

ssl->alpn_chosen = *alpn;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

166

return 0;

lhuang04

2022-01-21 07:34:27 -0800

[diff] [blame]

}

}

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

170

return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;

lhuang04

2022-01-21 07:34:27 -0800

[diff] [blame]

171

}

172

#endif /* MBEDTLS_SSL_ALPN */

173

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

174

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

175

static int ssl_tls13_reset_key_share(mbedtls_ssl_context *ssl)

XiaokangQian

2021-12-07 09:16:29 +0000

[diff] [blame]

176

{

177

uint16_t group_id = ssl->handshake->offered_group_id;

Ronald Cron

5b98ac9

2022-03-15 10:19:18 +0100

[diff] [blame]

178

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

179

if (group_id == 0) {

180

return MBEDTLS_ERR_SSL_INTERNAL_ERROR;

181

}

XiaokangQian

2021-12-07 09:16:29 +0000

[diff] [blame]

182

Valerio Setti

2023-07-25 11:23:50 +0200

[diff] [blame]

183

#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)

Przemek Stekiel

2023-05-18 15:45:53 +0200

[diff] [blame]

184

if (mbedtls_ssl_tls13_named_group_is_ecdhe(group_id) ||

Przemek Stekiel

2023-06-29 09:08:43 +0200

[diff] [blame]

185

mbedtls_ssl_tls13_named_group_is_ffdh(group_id)) {

Ronald Cron

5b98ac9

2022-03-15 10:19:18 +0100

[diff] [blame]

186

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

187

psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;

188

189

/* Destroy generated private key. */

Przemek Stekiel

7ac93be

2023-07-04 10:02:38 +0200

[diff] [blame]

190

status = psa_destroy_key(ssl->handshake->xxdh_psa_privkey);

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

191

if (status != PSA_SUCCESS) {

Andrzej Kurek

8a045ce

2022-12-23 11:00:06 -0500

[diff] [blame]

192

ret = PSA_TO_MBEDTLS_ERR(status);

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

193

MBEDTLS_SSL_DEBUG_RET(1, "psa_destroy_key", ret);

194

return ret;

Ronald Cron

5b98ac9

2022-03-15 10:19:18 +0100

[diff] [blame]

195

}

196

Przemek Stekiel

7ac93be

2023-07-04 10:02:38 +0200

[diff] [blame]

197

ssl->handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

198

return 0;

199

} else

Valerio Setti

2023-07-25 11:23:50 +0200

[diff] [blame]

200

#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

201

if (0 /* other KEMs? */) {

XiaokangQian

2021-12-07 09:16:29 +0000

[diff] [blame]

/* Do something */

}

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

205

return MBEDTLS_ERR_SSL_INTERNAL_ERROR;

XiaokangQian

2021-12-07 09:16:29 +0000

[diff] [blame]

206

}

207

208

/*

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

209

* Functions for writing key_share extension.

210

*/

Ronald Cron

766c0cd

2022-10-18 12:17:11 +0200

[diff] [blame]

211

#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

212

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

213

static int ssl_tls13_get_default_group_id(mbedtls_ssl_context *ssl,

214

uint16_t *group_id)

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

215

{

216

int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;

217

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

218

Przemek Stekiel

2023-05-18 15:45:53 +0200

[diff] [blame]

219

#if defined(PSA_WANT_ALG_ECDH) || defined(PSA_WANT_ALG_FFDH)

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

220

const uint16_t *group_list = mbedtls_ssl_get_groups(ssl);

Jerry Yu

2021-09-15 18:41:02 +0800

[diff] [blame]

221

/* Pick first available ECDHE group compatible with TLS 1.3 */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

222

if (group_list == NULL) {

223

return MBEDTLS_ERR_SSL_BAD_CONFIG;

224

}

Jerry Yu

2021-09-15 18:41:02 +0800

[diff] [blame]

225

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

226

for (; *group_list != 0; group_list++) {

Przemek Stekiel

a05e9c1

2023-06-15 16:58:51 +0200

[diff] [blame]

227

#if defined(PSA_WANT_ALG_ECDH)

Xiaokang Qian

2023-03-29 10:37:35 +0000

[diff] [blame]

228

if ((mbedtls_ssl_get_psa_curve_info_from_tls_id(

229

*group_list, NULL, NULL) == PSA_SUCCESS) &&

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

230

mbedtls_ssl_tls13_named_group_is_ecdhe(*group_list)) {

Brett Warren

14efd33

2021-10-06 09:32:11 +0100

[diff] [blame]

231

*group_id = *group_list;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

232

return 0;

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

233

}

Przemek Stekiel

a05e9c1

2023-06-15 16:58:51 +0200

[diff] [blame]

234

#endif

235

#if defined(PSA_WANT_ALG_FFDH)

Przemek Stekiel

2023-06-29 09:08:43 +0200

[diff] [blame]

236

if (mbedtls_ssl_tls13_named_group_is_ffdh(*group_list)) {

Przemek Stekiel

a05e9c1

2023-06-15 16:58:51 +0200

[diff] [blame]

237

*group_id = *group_list;

238

return 0;

239

}

240

#endif

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

241

}

242

#else

243

((void) ssl);

Jerry Yu

2021-09-08 16:41:02 +0800

[diff] [blame]

244

((void) group_id);

Przemek Stekiel

2023-05-18 15:45:53 +0200

[diff] [blame]

245

#endif /* PSA_WANT_ALG_ECDH || PSA_WANT_ALG_FFDH */

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

246

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

247

return ret;

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

}

/*

* ssl_tls13_write_key_share_ext

252

*

Jerry Yu

2021-09-15 18:41:02 +0800

[diff] [blame]

253

* Structure of key_share extension in ClientHello:

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

*

* struct {

* NamedGroup group;

* opaque key_exchange<1..2^16-1>;

258

* } KeyShareEntry;

259

* struct {

260

* KeyShareEntry client_shares<0..2^16-1>;

261

* } KeyShareClientHello;

262

*/

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

263

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

264

static int ssl_tls13_write_key_share_ext(mbedtls_ssl_context *ssl,

265

unsigned char *buf,

266

unsigned char *end,

267

size_t *out_len)

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

268

{

269

unsigned char *p = buf;

Xiaofei Bai

2021-11-18 07:29:56 +0000

[diff] [blame]

270

unsigned char *client_shares; /* Start of client_shares */

271

size_t client_shares_len; /* Length of client_shares */

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

272

uint16_t group_id;

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

273

int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;

274

Xiaofei Bai

d25fab6

2021-12-02 06:36:27 +0000

[diff] [blame]

275

*out_len = 0;

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

276

Jerry Yu

2021-09-08 16:41:02 +0800

[diff] [blame]

277

/* Check if we have space for header and length fields:

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

278

* - extension_type (2 bytes)

279

* - extension_data_length (2 bytes)

280

* - client_shares_length (2 bytes)

281

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

282

MBEDTLS_SSL_CHK_BUF_PTR(p, end, 6);

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

283

p += 6;

284

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

285

MBEDTLS_SSL_DEBUG_MSG(3, ("client hello: adding key share extension"));

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

286

287

/* HRR could already have requested something else. */

288

group_id = ssl->handshake->offered_group_id;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

289

if (!mbedtls_ssl_tls13_named_group_is_ecdhe(group_id) &&

Przemek Stekiel

2023-06-29 09:08:43 +0200

[diff] [blame]

290

!mbedtls_ssl_tls13_named_group_is_ffdh(group_id)) {

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

291

MBEDTLS_SSL_PROC_CHK(ssl_tls13_get_default_group_id(ssl,

292

&group_id));

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

}

/*

* Dispatch to type-specific key generation function.

297

*

298

* So far, we're only supporting ECDHE. With the introduction

299

* of PQC KEMs, we'll want to have multiple branches, one per

300

* type of KEM, and dispatch to the corresponding crypto. And

301

* only one key share entry is allowed.

302

*/

Xiaofei Bai

2021-11-18 07:29:56 +0000

[diff] [blame]

303

client_shares = p;

Przemek Stekiel

2023-05-18 15:45:53 +0200

[diff] [blame]

304

#if defined(PSA_WANT_ALG_ECDH) || defined(PSA_WANT_ALG_FFDH)

305

if (mbedtls_ssl_tls13_named_group_is_ecdhe(group_id) ||

Przemek Stekiel

2023-06-29 09:08:43 +0200

[diff] [blame]

306

mbedtls_ssl_tls13_named_group_is_ffdh(group_id)) {

Jerry Yu

2021-09-15 18:41:02 +0800

[diff] [blame]

307

/* Pointer to group */

Xiaofei Bai

2021-11-18 07:29:56 +0000

[diff] [blame]

308

unsigned char *group = p;

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

309

/* Length of key_exchange */

Przemyslaw Stekiel

4f419e5

2022-02-10 15:56:26 +0100

[diff] [blame]

310

size_t key_exchange_len = 0;

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

311

312

/* Check there is space for header of KeyShareEntry

313

* - group (2 bytes)

314

* - key_exchange_length (2 bytes)

315

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

316

MBEDTLS_SSL_CHK_BUF_PTR(p, end, 4);

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

317

p += 4;

Przemek Stekiel

408569f

2023-07-06 11:26:44 +0200

[diff] [blame]

318

ret = mbedtls_ssl_tls13_generate_and_write_xxdh_key_exchange(

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

319

ssl, group_id, p, end, &key_exchange_len);

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

320

p += key_exchange_len;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

321

if (ret != 0) {

Nadav Tasher

aebe857

2024-11-23 17:57:58 +0200

[diff] [blame]

322

MBEDTLS_SSL_DEBUG_MSG(1, ("client hello: failed generating xxdh key exchange"));

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

323

return ret;

324

}

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

325

326

/* Write group */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

327

MBEDTLS_PUT_UINT16_BE(group_id, group, 0);

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

328

/* Write key_exchange_length */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

329

MBEDTLS_PUT_UINT16_BE(key_exchange_len, group, 2);

330

} else

Przemek Stekiel

2023-05-18 15:45:53 +0200

[diff] [blame]

331

#endif /* PSA_WANT_ALG_ECDH || PSA_WANT_ALG_FFDH */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

332

if (0 /* other KEMs? */) {

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

333

/* Do something */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

334

} else {

335

return MBEDTLS_ERR_SSL_INTERNAL_ERROR;

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

336

}

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

337

Jerry Yu

2021-09-08 16:41:02 +0800

[diff] [blame]

338

/* Length of client_shares */

Xiaofei Bai

2021-11-18 07:29:56 +0000

[diff] [blame]

339

client_shares_len = p - client_shares;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

340

if (client_shares_len == 0) {

341

MBEDTLS_SSL_DEBUG_MSG(1, ("No key share defined."));

342

return MBEDTLS_ERR_SSL_INTERNAL_ERROR;

Jerry Yu

7c522d4

2021-09-08 17:55:09 +0800

[diff] [blame]

343

}

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

344

/* Write extension_type */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

345

MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_KEY_SHARE, buf, 0);

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

346

/* Write extension_data_length */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

347

MBEDTLS_PUT_UINT16_BE(client_shares_len + 2, buf, 2);

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

348

/* Write client_shares_length */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

349

MBEDTLS_PUT_UINT16_BE(client_shares_len, buf, 4);

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

350

351

/* Update offered_group_id field */

352

ssl->handshake->offered_group_id = group_id;

353

354

/* Output the total length of key_share extension. */

Xiaofei Bai

d25fab6

2021-12-02 06:36:27 +0000

[diff] [blame]

355

*out_len = p - buf;

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

356

Xiaokang Qian

91bb3f0

2023-04-03 09:07:03 +0000

[diff] [blame]

357

MBEDTLS_SSL_DEBUG_BUF(

358

3, "client hello, key_share extension", buf, *out_len);

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

359

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

360

mbedtls_ssl_tls13_set_hs_sent_ext_mask(ssl, MBEDTLS_TLS_EXT_KEY_SHARE);

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

cleanup:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

364

return ret;

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

365

}

Ronald Cron

766c0cd

2022-10-18 12:17:11 +0200

[diff] [blame]

366

#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED */

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

367

XiaokangQian

2022-01-24 10:12:51 +0000

[diff] [blame]

368

/*

369

* ssl_tls13_parse_hrr_key_share_ext()

370

* Parse key_share extension in Hello Retry Request

371

*

372

* struct {

373

* NamedGroup selected_group;

374

* } KeyShareHelloRetryRequest;

375

*/

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

376

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

377

static int ssl_tls13_parse_hrr_key_share_ext(mbedtls_ssl_context *ssl,

378

const unsigned char *buf,

379

const unsigned char *end)

XiaokangQian

2022-01-14 04:03:11 +0000

[diff] [blame]

380

{

Przemek Stekiel

2023-06-12 11:21:18 +0200

[diff] [blame]

381

#if defined(PSA_WANT_ALG_ECDH) || defined(PSA_WANT_ALG_FFDH)

XiaokangQian

2022-01-14 04:03:11 +0000

[diff] [blame]

382

const unsigned char *p = buf;

XiaokangQian

2022-01-24 10:12:51 +0000

[diff] [blame]

383

int selected_group;

XiaokangQian

2022-01-14 04:03:11 +0000

[diff] [blame]

384

int found = 0;

385

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

386

const uint16_t *group_list = mbedtls_ssl_get_groups(ssl);

387

if (group_list == NULL) {

388

return MBEDTLS_ERR_SSL_BAD_CONFIG;

389

}

XiaokangQian

2022-01-14 04:03:11 +0000

[diff] [blame]

390

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

391

MBEDTLS_SSL_DEBUG_BUF(3, "key_share extension", p, end - buf);

XiaokangQian

2022-01-14 04:03:11 +0000

[diff] [blame]

392

393

/* Read selected_group */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

394

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);

395

selected_group = MBEDTLS_GET_UINT16_BE(p, 0);

396

MBEDTLS_SSL_DEBUG_MSG(3, ("selected_group ( %d )", selected_group));

XiaokangQian

2022-01-14 04:03:11 +0000

[diff] [blame]

397

398

/* Upon receipt of this extension in a HelloRetryRequest, the client

399

* MUST first verify that the selected_group field corresponds to a

400

* group which was provided in the "supported_groups" extension in the

401

* original ClientHello.

402

* The supported_group was based on the info in ssl->conf->group_list.

403

*

404

* If the server provided a key share that was not sent in the ClientHello

405

* then the client MUST abort the handshake with an "illegal_parameter" alert.

406

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

407

for (; *group_list != 0; group_list++) {

Przemek Stekiel

2023-06-12 11:21:18 +0200

[diff] [blame]

408

#if defined(PSA_WANT_ALG_ECDH)

Przemek Stekiel

2023-05-18 15:45:53 +0200

[diff] [blame]

409

if (mbedtls_ssl_tls13_named_group_is_ecdhe(*group_list)) {

410

if ((mbedtls_ssl_get_psa_curve_info_from_tls_id(

411

*group_list, NULL, NULL) == PSA_ERROR_NOT_SUPPORTED) ||

412

*group_list != selected_group) {

413

found = 1;

414

break;

415

}

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

416

}

Przemek Stekiel

2023-06-12 11:21:18 +0200

[diff] [blame]

417

#endif /* PSA_WANT_ALG_ECDH */

418

#if defined(PSA_WANT_ALG_FFDH)

Przemek Stekiel

2023-06-29 09:08:43 +0200

[diff] [blame]

419

if (mbedtls_ssl_tls13_named_group_is_ffdh(*group_list)) {

Przemek Stekiel

2023-05-18 15:45:53 +0200

[diff] [blame]

420

found = 1;

421

break;

422

}

Przemek Stekiel

2023-06-12 11:21:18 +0200

[diff] [blame]

423

#endif /* PSA_WANT_ALG_FFDH */

XiaokangQian

2022-01-14 04:03:11 +0000

[diff] [blame]

424

}

425

426

/* Client MUST verify that the selected_group field does not

427

* correspond to a group which was provided in the "key_share"

428

* extension in the original ClientHello. If the server sent an

429

* HRR message with a key share already provided in the

430

* ClientHello then the client MUST abort the handshake with

431

* an "illegal_parameter" alert.

432

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

433

if (found == 0 || selected_group == ssl->handshake->offered_group_id) {

434

MBEDTLS_SSL_DEBUG_MSG(1, ("Invalid key share in HRR"));

XiaokangQian

2022-01-14 04:03:11 +0000

[diff] [blame]

435

MBEDTLS_SSL_PEND_FATAL_ALERT(

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

436

MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,

437

MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);

438

return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;

XiaokangQian

2022-01-14 04:03:11 +0000

[diff] [blame]

439

}

440

441

/* Remember server's preference for next ClientHello */

XiaokangQian

2022-01-24 10:12:51 +0000

[diff] [blame]

442

ssl->handshake->offered_group_id = selected_group;

XiaokangQian

2022-01-14 04:03:11 +0000

[diff] [blame]

443

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

444

return 0;

Przemek Stekiel

2023-06-12 11:21:18 +0200

[diff] [blame]

445

#else /* PSA_WANT_ALG_ECDH || PSA_WANT_ALG_FFDH */

Andrzej Kurek

c19fb08

2022-10-03 10:52:24 -0400

[diff] [blame]

446

(void) ssl;

447

(void) buf;

448

(void) end;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

449

return MBEDTLS_ERR_SSL_BAD_CONFIG;

Przemek Stekiel

2023-06-12 11:21:18 +0200

[diff] [blame]

450

#endif /* PSA_WANT_ALG_ECDH || PSA_WANT_ALG_FFDH */

XiaokangQian

2022-01-14 04:03:11 +0000

[diff] [blame]

451

}

452

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

453

/*

Jerry Yu

2021-10-13 13:36:05 +0800

[diff] [blame]

454

* ssl_tls13_parse_key_share_ext()

455

* Parse key_share extension in Server Hello

456

*

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

457

* struct {

458

* KeyShareEntry server_share;

459

* } KeyShareServerHello;

460

* struct {

461

* NamedGroup group;

462

* opaque key_exchange<1..2^16-1>;

463

* } KeyShareEntry;

464

*/

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

465

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

466

static int ssl_tls13_parse_key_share_ext(mbedtls_ssl_context *ssl,

467

const unsigned char *buf,

468

const unsigned char *end)

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

469

{

Jerry Yu

2021-10-13 13:36:05 +0800

[diff] [blame]

470

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

471

const unsigned char *p = buf;

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

472

uint16_t group, offered_group;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

473

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

474

/* ...

475

* NamedGroup group; (2 bytes)

476

* ...

477

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

478

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);

479

group = MBEDTLS_GET_UINT16_BE(p, 0);

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

480

p += 2;

481

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

482

/* Check that the chosen group matches the one we offered. */

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

483

offered_group = ssl->handshake->offered_group_id;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

484

if (offered_group != group) {

Xiaokang Qian

2023-03-29 10:37:35 +0000

[diff] [blame]

485

MBEDTLS_SSL_DEBUG_MSG(

486

1, ("Invalid server key share, our group %u, their group %u",

487

(unsigned) offered_group, (unsigned) group));

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

488

MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,

489

MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE);

490

return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

491

}

492

Valerio Setti

2023-07-25 11:23:50 +0200

[diff] [blame]

493

#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)

Przemek Stekiel

2023-05-18 15:45:53 +0200

[diff] [blame]

494

if (mbedtls_ssl_tls13_named_group_is_ecdhe(group) ||

Przemek Stekiel

2023-06-29 09:08:43 +0200

[diff] [blame]

495

mbedtls_ssl_tls13_named_group_is_ffdh(group)) {

Przemek Stekiel

2023-06-12 11:21:18 +0200

[diff] [blame]

496

MBEDTLS_SSL_DEBUG_MSG(2,

497

("DHE group name: %s", mbedtls_ssl_named_group_to_str(group)));

Przemek Stekiel

7ac93be

2023-07-04 10:02:38 +0200

[diff] [blame]

498

ret = mbedtls_ssl_tls13_read_public_xxdhe_share(ssl, p, end - p);

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

if (ret != 0) {

return ret;

}

} else

Valerio Setti

2023-07-25 11:23:50 +0200

[diff] [blame]

503

#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

504

if (0 /* other KEMs? */) {

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

505

/* Do something */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

506

} else {

507

return MBEDTLS_ERR_SSL_INTERNAL_ERROR;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

508

}

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

509

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

510

return ret;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

511

}

512

XiaokangQian

2022-01-24 10:12:51 +0000

[diff] [blame]

513

/*

514

* ssl_tls13_parse_cookie_ext()

515

* Parse cookie extension in Hello Retry Request

516

*

517

* struct {

518

* opaque cookie<1..2^16-1>;

519

* } Cookie;

520

*

521

* When sending a HelloRetryRequest, the server MAY provide a "cookie"

522

* extension to the client (this is an exception to the usual rule that

523

* the only extensions that may be sent are those that appear in the

524

* ClientHello). When sending the new ClientHello, the client MUST copy

525

* the contents of the extension received in the HelloRetryRequest into

526

* a "cookie" extension in the new ClientHello. Clients MUST NOT use

527

* cookies in their initial ClientHello in subsequent connections.

528

*/

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

529

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

530

static int ssl_tls13_parse_cookie_ext(mbedtls_ssl_context *ssl,

531

const unsigned char *buf,

532

const unsigned char *end)

XiaokangQian

2022-01-21 04:32:58 +0000

[diff] [blame]

533

{

XiaokangQian

25c9c90

2022-02-08 10:49:53 +0000

[diff] [blame]

534

uint16_t cookie_len;

XiaokangQian

2022-01-21 04:32:58 +0000

[diff] [blame]

535

const unsigned char *p = buf;

536

mbedtls_ssl_handshake_params *handshake = ssl->handshake;

537

538

/* Retrieve length field of cookie */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

539

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);

540

cookie_len = MBEDTLS_GET_UINT16_BE(p, 0);

XiaokangQian

2022-01-21 04:32:58 +0000

[diff] [blame]

541

p += 2;

542

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

543

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, cookie_len);

544

MBEDTLS_SSL_DEBUG_BUF(3, "cookie extension", p, cookie_len);

XiaokangQian

2022-01-21 04:32:58 +0000

[diff] [blame]

545

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

546

mbedtls_free(handshake->cookie);

Jerry Yu

ac5ca5a

2022-03-04 12:50:46 +0800

[diff] [blame]

547

handshake->cookie_len = 0;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

548

handshake->cookie = mbedtls_calloc(1, cookie_len);

549

if (handshake->cookie == NULL) {

550

MBEDTLS_SSL_DEBUG_MSG(1,

551

("alloc failed ( %ud bytes )",

552

cookie_len));

553

return MBEDTLS_ERR_SSL_ALLOC_FAILED;

XiaokangQian

2022-01-21 04:32:58 +0000

[diff] [blame]

554

}

555

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

556

memcpy(handshake->cookie, p, cookie_len);

Jerry Yu

ac5ca5a

2022-03-04 12:50:46 +0800

[diff] [blame]

557

handshake->cookie_len = cookie_len;

XiaokangQian

2022-01-21 04:32:58 +0000

[diff] [blame]

558

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

559

return 0;

XiaokangQian

2022-01-21 04:32:58 +0000

[diff] [blame]

560

}

XiaokangQian

2022-01-21 04:32:58 +0000

[diff] [blame]

561

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

562

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

563

static int ssl_tls13_write_cookie_ext(mbedtls_ssl_context *ssl,

564

unsigned char *buf,

565

unsigned char *end,

566

size_t *out_len)

XiaokangQian

2022-01-27 10:36:51 +0000

[diff] [blame]

567

{

568

unsigned char *p = buf;

XiaokangQian

9deb90f

2022-02-08 10:31:07 +0000

[diff] [blame]

569

*out_len = 0;

XiaokangQian

c02768a

2022-02-10 07:31:25 +0000

[diff] [blame]

570

mbedtls_ssl_handshake_params *handshake = ssl->handshake;

XiaokangQian

2022-01-27 10:36:51 +0000

[diff] [blame]

571

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

572

if (handshake->cookie == NULL) {

573

MBEDTLS_SSL_DEBUG_MSG(3, ("no cookie to send; skip extension"));

574

return 0;

XiaokangQian

2022-01-27 10:36:51 +0000

[diff] [blame]

575

}

576

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

577

MBEDTLS_SSL_DEBUG_BUF(3, "client hello, cookie",

578

handshake->cookie,

579

handshake->cookie_len);

XiaokangQian

2022-01-27 10:36:51 +0000

[diff] [blame]

580

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

581

MBEDTLS_SSL_CHK_BUF_PTR(p, end, handshake->cookie_len + 6);

XiaokangQian

2022-01-27 10:36:51 +0000

[diff] [blame]

582

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

583

MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, adding cookie extension"));

XiaokangQian

2022-01-27 10:36:51 +0000

[diff] [blame]

584

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

585

MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_COOKIE, p, 0);

586

MBEDTLS_PUT_UINT16_BE(handshake->cookie_len + 2, p, 2);

587

MBEDTLS_PUT_UINT16_BE(handshake->cookie_len, p, 4);

XiaokangQian

233397e

2022-02-07 08:32:16 +0000

[diff] [blame]

588

p += 6;

XiaokangQian

2022-01-27 10:36:51 +0000

[diff] [blame]

589

590

/* Cookie */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

591

memcpy(p, handshake->cookie, handshake->cookie_len);

XiaokangQian

2022-01-27 10:36:51 +0000

[diff] [blame]

592

Jerry Yu

ac5ca5a

2022-03-04 12:50:46 +0800

[diff] [blame]

593

*out_len = handshake->cookie_len + 6;

XiaokangQian

2022-01-27 10:36:51 +0000

[diff] [blame]

594

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

595

mbedtls_ssl_tls13_set_hs_sent_ext_mask(ssl, MBEDTLS_TLS_EXT_COOKIE);

Jerry Yu

2022-10-31 13:31:22 +0800

[diff] [blame]

596

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

597

return 0;

XiaokangQian

2022-01-27 10:36:51 +0000

[diff] [blame]

598

}

599

Ronald Cron

2022-10-04 16:38:25 +0200

[diff] [blame]

600

#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

601

/*

602

* ssl_tls13_write_psk_key_exchange_modes_ext() structure:

603

*

604

* enum { psk_ke( 0 ), psk_dhe_ke( 1 ), ( 255 ) } PskKeyExchangeMode;

605

*

606

* struct {

607

* PskKeyExchangeMode ke_modes<1..255>;

608

* } PskKeyExchangeModes;

609

*/

XiaokangQian

8698195

2022-07-19 09:51:50 +0000

[diff] [blame]

610

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

611

static int ssl_tls13_write_psk_key_exchange_modes_ext(mbedtls_ssl_context *ssl,

612

unsigned char *buf,

613

unsigned char *end,

614

size_t *out_len)

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

615

{

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

616

unsigned char *p = buf;

XiaokangQian

2022-07-14 07:54:01 +0000

[diff] [blame]

617

int ke_modes_len = 0;

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

618

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

619

((void) ke_modes_len);

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

620

*out_len = 0;

XiaokangQian

2022-07-14 07:54:01 +0000

[diff] [blame]

621

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

622

/* Skip writing extension if no PSK key exchange mode

XiaokangQian

7c12d31

2022-07-20 07:25:43 +0000

[diff] [blame]

623

* is enabled in the config.

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

624

*/

Pengyu Lv

2023-11-14 11:03:32 +0800

[diff] [blame]

625

if (!mbedtls_ssl_conf_tls13_is_some_psk_enabled(ssl)) {

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

626

MBEDTLS_SSL_DEBUG_MSG(3, ("skip psk_key_exchange_modes extension"));

627

return 0;

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

628

}

629

630

/* Require 7 bytes of data, otherwise fail,

631

* even if extension might be shorter.

632

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

633

MBEDTLS_SSL_CHK_BUF_PTR(p, end, 7);

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

634

MBEDTLS_SSL_DEBUG_MSG(

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

635

3, ("client hello, adding psk_key_exchange_modes extension"));

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

636

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

637

MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES, p, 0);

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

638

XiaokangQian

2022-07-14 07:54:01 +0000

[diff] [blame]

639

/* Skip extension length (2 bytes) and

640

* ke_modes length (1 byte) for now.

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

*/

p += 5;

Pengyu Lv

2023-11-14 11:03:32 +0800

[diff] [blame]

644

if (mbedtls_ssl_conf_tls13_is_psk_ephemeral_enabled(ssl)) {

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

645

*p++ = MBEDTLS_SSL_TLS1_3_PSK_MODE_ECDHE;

XiaokangQian

2022-07-14 07:54:01 +0000

[diff] [blame]

646

ke_modes_len++;

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

647

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

648

MBEDTLS_SSL_DEBUG_MSG(4, ("Adding PSK-ECDHE key exchange mode"));

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

649

}

650

Pengyu Lv

2023-11-14 11:03:32 +0800

[diff] [blame]

651

if (mbedtls_ssl_conf_tls13_is_psk_enabled(ssl)) {

Ronald Cron

a709a0f

2022-09-27 16:46:11 +0200

[diff] [blame]

652

*p++ = MBEDTLS_SSL_TLS1_3_PSK_MODE_PURE;

653

ke_modes_len++;

654

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

655

MBEDTLS_SSL_DEBUG_MSG(4, ("Adding pure PSK key exchange mode"));

Ronald Cron

a709a0f

2022-09-27 16:46:11 +0200

[diff] [blame]

656

}

657

XiaokangQian

2022-07-14 07:54:01 +0000

[diff] [blame]

658

/* Now write the extension and ke_modes length */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

659

MBEDTLS_PUT_UINT16_BE(ke_modes_len + 1, buf, 2);

XiaokangQian

2022-07-14 07:54:01 +0000

[diff] [blame]

660

buf[4] = ke_modes_len;

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

661

662

*out_len = p - buf;

Jerry Yu

2022-08-29 15:25:36 +0800

[diff] [blame]

663

Jerry Yu

2022-10-29 09:08:47 +0800

[diff] [blame]

664

mbedtls_ssl_tls13_set_hs_sent_ext_mask(

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

665

ssl, MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES);

Jerry Yu

2022-10-31 13:31:22 +0800

[diff] [blame]

666

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

667

return 0;

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

668

}

Jerry Yu

db8c5fa

2022-08-03 12:10:13 +0800

[diff] [blame]

669

Norbert Fabritius

ba1de9f

2023-01-24 17:58:13 +0100

[diff] [blame]

670

#if defined(MBEDTLS_SSL_SESSION_TICKETS)

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

671

static psa_algorithm_t ssl_tls13_get_ciphersuite_hash_alg(int ciphersuite)

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

672

{

Jerry Yu

21f9095

2022-10-08 10:30:53 +0800

[diff] [blame]

673

const mbedtls_ssl_ciphersuite_t *ciphersuite_info = NULL;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

674

ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(ciphersuite);

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

675

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

676

if (ciphersuite_info != NULL) {

Dave Rodgman

2eab462

2023-10-05 13:30:37 +0100

[diff] [blame]

677

return mbedtls_md_psa_alg_from_type((mbedtls_md_type_t) ciphersuite_info->mac);

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

678

}

Jerry Yu

2022-10-08 11:17:14 +0800

[diff] [blame]

679

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

680

return PSA_ALG_NONE;

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

681

}

682

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

683

static int ssl_tls13_has_configured_ticket(mbedtls_ssl_context *ssl)

Xiaokang Qian

b781a23

2022-11-01 07:39:46 +0000

[diff] [blame]

684

{

685

mbedtls_ssl_session *session = ssl->session_negotiate;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

686

return ssl->handshake->resume &&

Pengyu Lv

9356678

2022-12-07 12:10:05 +0800

[diff] [blame]

687

session != NULL && session->ticket != NULL &&

Pengyu Lv

fc2cb96

2023-11-10 10:22:36 +0800

[diff] [blame]

688

mbedtls_ssl_conf_tls13_is_kex_mode_enabled(

Pengyu Lv

2023-12-06 10:04:17 +0800

[diff] [blame]

689

ssl, mbedtls_ssl_tls13_session_get_ticket_flags(

Pengyu Lv

9b84ea7

2023-01-16 14:08:23 +0800

[diff] [blame]

690

session, MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL));

Xiaokang Qian

b781a23

2022-11-01 07:39:46 +0000

[diff] [blame]

691

}

692

Xiaokang Qian

01323a4

2022-11-03 02:27:35 +0000

[diff] [blame]

693

#if defined(MBEDTLS_SSL_EARLY_DATA)

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

694

static int ssl_tls13_early_data_has_valid_ticket(mbedtls_ssl_context *ssl)

Xiaokang Qian

01323a4

2022-11-03 02:27:35 +0000

[diff] [blame]

695

{

696

mbedtls_ssl_session *session = ssl->session_negotiate;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

697

return ssl->handshake->resume &&

698

session->tls_version == MBEDTLS_SSL_VERSION_TLS1_3 &&

Pengyu Lv

2023-12-06 10:04:17 +0800

[diff] [blame]

699

mbedtls_ssl_tls13_session_ticket_allow_early_data(session) &&

Jerry Yu

c2b1bc4

2023-11-22 10:08:13 +0800

[diff] [blame]

700

mbedtls_ssl_tls13_cipher_suite_is_offered(ssl, session->ciphersuite);

Xiaokang Qian

01323a4

2022-11-03 02:27:35 +0000

[diff] [blame]

}

#endif

Xiaokang Qian

2022-11-01 07:39:46 +0000

[diff] [blame]

704

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

705

static int ssl_tls13_ticket_get_identity(mbedtls_ssl_context *ssl,

706

psa_algorithm_t *hash_alg,

707

const unsigned char **identity,

708

size_t *identity_len)

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

709

{

710

mbedtls_ssl_session *session = ssl->session_negotiate;

Jerry Yu

2022-09-30 10:00:20 +0800

[diff] [blame]

711

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

712

if (!ssl_tls13_has_configured_ticket(ssl)) {

713

return -1;

714

}

Jerry Yu

2022-09-30 10:00:20 +0800

[diff] [blame]

715

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

716

*hash_alg = ssl_tls13_get_ciphersuite_hash_alg(session->ciphersuite);

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

717

*identity = session->ticket;

718

*identity_len = session->ticket_len;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

719

return 0;

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

720

}

721

Jerry Yu

2022-09-28 22:11:02 +0800

[diff] [blame]

722

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

723

static int ssl_tls13_ticket_get_psk(mbedtls_ssl_context *ssl,

724

psa_algorithm_t *hash_alg,

725

const unsigned char **psk,

726

size_t *psk_len)

Jerry Yu

2022-09-28 22:11:02 +0800

[diff] [blame]

727

{

728

729

mbedtls_ssl_session *session = ssl->session_negotiate;

730

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

731

if (!ssl_tls13_has_configured_ticket(ssl)) {

732

return -1;

733

}

Jerry Yu

2022-09-30 10:00:20 +0800

[diff] [blame]

734

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

735

*hash_alg = ssl_tls13_get_ciphersuite_hash_alg(session->ciphersuite);

Jerry Yu

2022-09-28 22:11:02 +0800

[diff] [blame]

736

*psk = session->resumption_key;

737

*psk_len = session->resumption_key_len;

738

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

739

return 0;

Jerry Yu

2022-09-28 22:11:02 +0800

[diff] [blame]

740

}

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

741

#endif /* MBEDTLS_SSL_SESSION_TICKETS */

742

743

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

744

static int ssl_tls13_psk_get_identity(mbedtls_ssl_context *ssl,

745

psa_algorithm_t *hash_alg,

746

const unsigned char **identity,

747

size_t *identity_len)

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

748

{

Jerry Yu

2022-09-30 10:00:20 +0800

[diff] [blame]

749

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

750

if (!mbedtls_ssl_conf_has_static_psk(ssl->conf)) {

751

return -1;

752

}

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

753

Jerry Yu

2022-10-08 11:17:14 +0800

[diff] [blame]

754

*hash_alg = PSA_ALG_SHA_256;

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

755

*identity = ssl->conf->psk_identity;

756

*identity_len = ssl->conf->psk_identity_len;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

757

return 0;

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

758

}

759

Jerry Yu

2022-09-28 22:11:02 +0800

[diff] [blame]

760

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

761

static int ssl_tls13_psk_get_psk(mbedtls_ssl_context *ssl,

762

psa_algorithm_t *hash_alg,

763

const unsigned char **psk,

764

size_t *psk_len)

Jerry Yu

2022-09-28 22:11:02 +0800

[diff] [blame]

765

{

Jerry Yu

2022-09-30 10:00:20 +0800

[diff] [blame]

766

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

767

if (!mbedtls_ssl_conf_has_static_psk(ssl->conf)) {

768

return -1;

769

}

Jerry Yu

2022-09-30 10:00:20 +0800

[diff] [blame]

770

Jerry Yu

2022-10-08 11:17:14 +0800

[diff] [blame]

771

*hash_alg = PSA_ALG_SHA_256;

Jerry Yu

2022-09-28 22:11:02 +0800

[diff] [blame]

772

*psk = ssl->conf->psk;

773

*psk_len = ssl->conf->psk_len;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

774

return 0;

Jerry Yu

2022-09-28 22:11:02 +0800

[diff] [blame]

775

}

776

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

777

static int ssl_tls13_get_configured_psk_count(mbedtls_ssl_context *ssl)

Jerry Yu

2022-09-30 10:30:31 +0800

[diff] [blame]

778

{

779

int configured_psk_count = 0;

780

#if defined(MBEDTLS_SSL_SESSION_TICKETS)

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

781

if (ssl_tls13_has_configured_ticket(ssl)) {

782

MBEDTLS_SSL_DEBUG_MSG(3, ("Ticket is configured"));

Jerry Yu

2022-09-30 10:30:31 +0800

[diff] [blame]

783

configured_psk_count++;

784

}

785

#endif

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

786

if (mbedtls_ssl_conf_has_static_psk(ssl->conf)) {

787

MBEDTLS_SSL_DEBUG_MSG(3, ("PSK is configured"));

Jerry Yu

2022-09-30 10:30:31 +0800

[diff] [blame]

788

configured_psk_count++;

789

}

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

790

return configured_psk_count;

Jerry Yu

2022-09-30 10:30:31 +0800

[diff] [blame]

791

}

792

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

793

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

794

static int ssl_tls13_write_identity(mbedtls_ssl_context *ssl,

795

unsigned char *buf,

796

unsigned char *end,

797

const unsigned char *identity,

798

size_t identity_len,

799

uint32_t obfuscated_ticket_age,

800

size_t *out_len)

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

801

{

Jerry Yu

2022-09-30 10:30:31 +0800

[diff] [blame]

802

((void) ssl);

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

803

*out_len = 0;

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

804

805

/*

806

* - identity_len (2 bytes)

807

* - identity (psk_identity_len bytes)

808

* - obfuscated_ticket_age (4 bytes)

809

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

810

MBEDTLS_SSL_CHK_BUF_PTR(buf, end, 6 + identity_len);

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

811

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

812

MBEDTLS_PUT_UINT16_BE(identity_len, buf, 0);

813

memcpy(buf + 2, identity, identity_len);

814

MBEDTLS_PUT_UINT32_BE(obfuscated_ticket_age, buf, 2 + identity_len);

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

815

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

816

MBEDTLS_SSL_DEBUG_BUF(4, "write identity", buf, 6 + identity_len);

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

817

818

*out_len = 6 + identity_len;

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

819

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

820

return 0;

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

821

}

822

Jerry Yu

2022-09-30 10:00:20 +0800

[diff] [blame]

823

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

824

static int ssl_tls13_write_binder(mbedtls_ssl_context *ssl,

unsigned char *buf,

unsigned char *end,

int psk_type,

psa_algorithm_t hash_alg,

829

const unsigned char *psk,

830

size_t psk_len,

831

size_t *out_len)

Jerry Yu

2022-09-30 10:00:20 +0800

[diff] [blame]

832

{

833

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

Jerry Yu

2022-09-30 10:00:20 +0800

[diff] [blame]

834

unsigned char binder_len;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

835

unsigned char transcript[MBEDTLS_TLS1_3_MD_MAX_SIZE];

Jerry Yu

2022-09-30 10:00:20 +0800

[diff] [blame]

836

size_t transcript_len = 0;

*out_len = 0;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

840

binder_len = PSA_HASH_LENGTH(hash_alg);

Jerry Yu

2022-09-30 10:00:20 +0800

[diff] [blame]

841

842

/*

843

* - binder_len (1 bytes)

844

* - binder (binder_len bytes)

845

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

846

MBEDTLS_SSL_CHK_BUF_PTR(buf, end, 1 + binder_len);

Jerry Yu

2022-09-30 10:00:20 +0800

[diff] [blame]

847

Jerry Yu

2022-10-08 11:17:14 +0800

[diff] [blame]

848

buf[0] = binder_len;

Jerry Yu

2022-09-30 10:00:20 +0800

[diff] [blame]

849

850

/* Get current state of handshake transcript. */

851

ret = mbedtls_ssl_get_handshake_transcript(

Manuel Pégourié-Gonnard

2d6d993

2023-03-28 11:38:08 +0200

[diff] [blame]

852

ssl, mbedtls_md_type_from_psa_alg(hash_alg),

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

853

transcript, sizeof(transcript), &transcript_len);

854

if (ret != 0) {

855

return ret;

Jerry Yu

2022-09-30 10:00:20 +0800

[diff] [blame]

856

}

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

857

858

ret = mbedtls_ssl_tls13_create_psk_binder(ssl, hash_alg,

859

psk, psk_len, psk_type,

860

transcript, buf + 1);

861

if (ret != 0) {

862

MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_tls13_create_psk_binder", ret);

863

return ret;

864

}

865

MBEDTLS_SSL_DEBUG_BUF(4, "write binder", buf, 1 + binder_len);

Jerry Yu

2022-09-30 10:00:20 +0800

[diff] [blame]

866

867

*out_len = 1 + binder_len;

868

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

869

return 0;

Jerry Yu

2022-09-30 10:00:20 +0800

[diff] [blame]

}

/*

* mbedtls_ssl_tls13_write_identities_of_pre_shared_key_ext() structure:

874

*

875

* struct {

876

* opaque identity<1..2^16-1>;

877

* uint32 obfuscated_ticket_age;

878

* } PskIdentity;

879

*

880

* opaque PskBinderEntry<32..255>;

881

*

882

* struct {

883

* PskIdentity identities<7..2^16-1>;

884

* PskBinderEntry binders<33..2^16-1>;

* } OfferedPsks;

*

* struct {

* select (Handshake.msg_type) {

889

* case client_hello: OfferedPsks;

890

* ...

891

* };

892

* } PreSharedKeyExtension;

893

*

894

*/

XiaokangQian

3ad67bf

2022-07-21 02:26:21 +0000

[diff] [blame]

895

int mbedtls_ssl_tls13_write_identities_of_pre_shared_key_ext(

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

896

mbedtls_ssl_context *ssl, unsigned char *buf, unsigned char *end,

897

size_t *out_len, size_t *binders_len)

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

898

{

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

899

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

Jerry Yu

2022-09-30 10:30:31 +0800

[diff] [blame]

900

int configured_psk_count = 0;

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

901

unsigned char *p = buf;

Xiaokang Qian

854db28

2022-12-19 07:31:27 +0000

[diff] [blame]

902

psa_algorithm_t hash_alg = PSA_ALG_NONE;

Jerry Yu

2022-09-30 10:30:31 +0800

[diff] [blame]

903

const unsigned char *identity;

904

size_t identity_len;

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

905

size_t l_binders_len = 0;

Jerry Yu

2022-09-30 10:30:31 +0800

[diff] [blame]

906

size_t output_len;

Xiaokang Qian

7179f81

2023-02-03 03:38:44 +0000

[diff] [blame]

907

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

*out_len = 0;

*binders_len = 0;

/* Check if we have any PSKs to offer. If no, skip pre_shared_key */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

912

configured_psk_count = ssl_tls13_get_configured_psk_count(ssl);

913

if (configured_psk_count == 0) {

914

MBEDTLS_SSL_DEBUG_MSG(3, ("skip pre_shared_key extensions"));

915

return 0;

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

916

}

917

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

918

MBEDTLS_SSL_DEBUG_MSG(4, ("Pre-configured PSK number = %d",

919

configured_psk_count));

Jerry Yu

2022-09-30 10:30:31 +0800

[diff] [blame]

920

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

921

/* Check if we have space to write the extension, binders included.

922

* - extension_type (2 bytes)

923

* - extension_data_len (2 bytes)

924

* - identities_len (2 bytes)

925

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

926

MBEDTLS_SSL_CHK_BUF_PTR(p, end, 6);

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

927

p += 6;

928

Jerry Yu

2022-09-30 10:30:31 +0800

[diff] [blame]

929

#if defined(MBEDTLS_SSL_SESSION_TICKETS)

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

930

if (ssl_tls13_ticket_get_identity(

931

ssl, &hash_alg, &identity, &identity_len) == 0) {

Jerry Yu

2022-09-30 10:30:31 +0800

[diff] [blame]

932

#if defined(MBEDTLS_HAVE_TIME)

Jerry Yu

cebffc3

2022-12-15 18:00:05 +0800

[diff] [blame]

933

mbedtls_ms_time_t now = mbedtls_ms_time();

Jerry Yu

2022-09-30 10:30:31 +0800

[diff] [blame]

934

mbedtls_ssl_session *session = ssl->session_negotiate;

Jerry Yu

cf91351

2023-11-14 11:06:52 +0800

[diff] [blame]

935

/* The ticket age has been checked to be smaller than the

Jerry Yu

46c7926

2023-11-10 13:58:16 +0800

[diff] [blame]

936

* `ticket_lifetime` in ssl_prepare_client_hello() which is smaller than

937

* 7 days (enforced in ssl_tls13_parse_new_session_ticket()) . Thus the

938

* cast to `uint32_t` of the ticket age is safe. */

Jerry Yu

6916e70

2022-10-10 21:33:51 +0800

[diff] [blame]

939

uint32_t obfuscated_ticket_age =

Jerry Yu

342a555

2023-11-10 14:23:39 +0800

[diff] [blame]

940

(uint32_t) (now - session->ticket_reception_time);

Jerry Yu

2022-09-30 10:30:31 +0800

[diff] [blame]

941

obfuscated_ticket_age += session->ticket_age_add;

Jerry Yu

2022-10-08 11:17:14 +0800

[diff] [blame]

942

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

943

ret = ssl_tls13_write_identity(ssl, p, end,

944

identity, identity_len,

945

obfuscated_ticket_age,

946

&output_len);

Jerry Yu

2022-10-08 11:17:14 +0800

[diff] [blame]

947

#else

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

948

ret = ssl_tls13_write_identity(ssl, p, end, identity, identity_len,

949

0, &output_len);

Jerry Yu

2022-10-08 11:17:14 +0800

[diff] [blame]

950

#endif /* MBEDTLS_HAVE_TIME */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

951

if (ret != 0) {

952

return ret;

953

}

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

954

Jerry Yu

2022-09-30 10:30:31 +0800

[diff] [blame]

955

p += output_len;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

956

l_binders_len += 1 + PSA_HASH_LENGTH(hash_alg);

Jerry Yu

2022-09-30 10:30:31 +0800

[diff] [blame]

957

}

958

#endif /* MBEDTLS_SSL_SESSION_TICKETS */

959

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

960

if (ssl_tls13_psk_get_identity(

961

ssl, &hash_alg, &identity, &identity_len) == 0) {

Jerry Yu

2022-09-30 10:30:31 +0800

[diff] [blame]

962

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

963

ret = ssl_tls13_write_identity(ssl, p, end, identity, identity_len, 0,

&output_len);

if (ret != 0) {

return ret;

}

Jerry Yu

2022-09-30 10:30:31 +0800

[diff] [blame]

968

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

969

p += output_len;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

970

l_binders_len += 1 + PSA_HASH_LENGTH(hash_alg);

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

971

}

972

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

973

MBEDTLS_SSL_DEBUG_MSG(3,

974

("client hello, adding pre_shared_key extension, "

975

"omitting PSK binder list"));

Jerry Yu

2022-10-08 11:17:14 +0800

[diff] [blame]

976

977

/* Take into account the two bytes for the length of the binders. */

978

l_binders_len += 2;

Jerry Yu

6916e70

2022-10-10 21:33:51 +0800

[diff] [blame]

979

/* Check if there is enough space for binders */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

980

MBEDTLS_SSL_CHK_BUF_PTR(p, end, l_binders_len);

Jerry Yu

2022-10-08 11:17:14 +0800

[diff] [blame]

981

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

982

/*

983

* - extension_type (2 bytes)

984

* - extension_data_len (2 bytes)

985

* - identities_len (2 bytes)

986

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

987

MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_PRE_SHARED_KEY, buf, 0);

988

MBEDTLS_PUT_UINT16_BE(p - buf - 4 + l_binders_len, buf, 2);

989

MBEDTLS_PUT_UINT16_BE(p - buf - 6, buf, 4);

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

990

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

991

*out_len = (p - buf) + l_binders_len;

Jerry Yu

2022-10-08 11:17:14 +0800

[diff] [blame]

992

*binders_len = l_binders_len;

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

993

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

994

MBEDTLS_SSL_DEBUG_BUF(3, "pre_shared_key identities", buf, p - buf);

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

995

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

996

return 0;

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

997

}

998

XiaokangQian

8698195

2022-07-19 09:51:50 +0000

[diff] [blame]

999

int mbedtls_ssl_tls13_write_binders_of_pre_shared_key_ext(

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1000

mbedtls_ssl_context *ssl, unsigned char *buf, unsigned char *end)

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

1001

{

Jerry Yu

2022-09-28 22:11:02 +0800

[diff] [blame]

1002

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

1003

unsigned char *p = buf;

Jerry Yu

2022-09-30 11:08:57 +0800

[diff] [blame]

1004

psa_algorithm_t hash_alg = PSA_ALG_NONE;

1005

const unsigned char *psk;

1006

size_t psk_len;

1007

size_t output_len;

Jerry Yu

2022-09-28 22:11:02 +0800

[diff] [blame]

1008

1009

/* Check if we have space to write binders_len.

1010

* - binders_len (2 bytes)

1011

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1012

MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2);

Jerry Yu

2022-09-28 22:11:02 +0800

[diff] [blame]

1013

p += 2;

1014

Jerry Yu

2022-09-30 11:08:57 +0800

[diff] [blame]

1015

#if defined(MBEDTLS_SSL_SESSION_TICKETS)

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1016

if (ssl_tls13_ticket_get_psk(ssl, &hash_alg, &psk, &psk_len) == 0) {

Jerry Yu

2022-09-30 11:08:57 +0800

[diff] [blame]

1017

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1018

ret = ssl_tls13_write_binder(ssl, p, end,

1019

MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION,

1020

hash_alg, psk, psk_len,

&output_len);

if (ret != 0) {

return ret;

}

Jerry Yu

2022-09-28 22:11:02 +0800

[diff] [blame]

1025

p += output_len;

1026

}

Jerry Yu

2022-09-30 11:08:57 +0800

[diff] [blame]

1027

#endif /* MBEDTLS_SSL_SESSION_TICKETS */

Jerry Yu

2022-09-28 22:11:02 +0800

[diff] [blame]

1028

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1029

if (ssl_tls13_psk_get_psk(ssl, &hash_alg, &psk, &psk_len) == 0) {

Jerry Yu

2022-09-30 11:08:57 +0800

[diff] [blame]

1030

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1031

ret = ssl_tls13_write_binder(ssl, p, end,

1032

MBEDTLS_SSL_TLS1_3_PSK_EXTERNAL,

1033

hash_alg, psk, psk_len,

&output_len);

if (ret != 0) {

return ret;

}

Jerry Yu

2022-09-28 22:11:02 +0800

[diff] [blame]

p += output_len;

}

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1041

MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, adding PSK binder list."));

Jerry Yu

2022-09-28 22:11:02 +0800

[diff] [blame]

1042

1043

/*

1044

* - binders_len (2 bytes)

1045

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1046

MBEDTLS_PUT_UINT16_BE(p - buf - 2, buf, 0);

Jerry Yu

2022-09-28 22:11:02 +0800

[diff] [blame]

1047

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1048

MBEDTLS_SSL_DEBUG_BUF(3, "pre_shared_key binders", buf, p - buf);

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

1049

Jerry Yu

2022-10-29 09:08:47 +0800

[diff] [blame]

1050

mbedtls_ssl_tls13_set_hs_sent_ext_mask(

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1051

ssl, MBEDTLS_TLS_EXT_PRE_SHARED_KEY);

Jerry Yu

2022-08-29 15:25:36 +0800

[diff] [blame]

1052

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1053

return 0;

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

1054

}

Jerry Yu

0c6105b

2022-08-12 17:26:40 +0800

[diff] [blame]

/*

* struct {

* opaque identity<1..2^16-1>;

1059

* uint32 obfuscated_ticket_age;

1060

* } PskIdentity;

1061

*

1062

* opaque PskBinderEntry<32..255>;

*

* struct {

*

* select (Handshake.msg_type) {

1067

* ...

1068

* case server_hello: uint16 selected_identity;

1069

* };

1070

*

1071

* } PreSharedKeyExtension;

1072

*

1073

*/

1074

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1075

static int ssl_tls13_parse_server_pre_shared_key_ext(mbedtls_ssl_context *ssl,

1076

const unsigned char *buf,

1077

const unsigned char *end)

Jerry Yu

0c6105b

2022-08-12 17:26:40 +0800

[diff] [blame]

1078

{

Jerry Yu

2022-10-08 11:17:14 +0800

[diff] [blame]

1079

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

Jerry Yu

2022-09-28 22:12:07 +0800

[diff] [blame]

1080

int selected_identity;

Jerry Yu

2022-09-28 22:12:07 +0800

[diff] [blame]

1081

const unsigned char *psk;

1082

size_t psk_len;

Jerry Yu

2022-10-08 11:17:14 +0800

[diff] [blame]

1083

psa_algorithm_t hash_alg;

Jerry Yu

2022-09-28 22:12:07 +0800

[diff] [blame]

1084

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1085

MBEDTLS_SSL_CHK_BUF_READ_PTR(buf, end, 2);

1086

selected_identity = MBEDTLS_GET_UINT16_BE(buf, 0);

Xiaokang Qian

2a67493

2023-01-04 03:15:09 +0000

[diff] [blame]

1087

ssl->handshake->selected_identity = (uint16_t) selected_identity;

Jerry Yu

2022-10-08 11:17:14 +0800

[diff] [blame]

1088

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1089

MBEDTLS_SSL_DEBUG_MSG(3, ("selected_identity = %d", selected_identity));

Jerry Yu

2022-10-08 11:17:14 +0800

[diff] [blame]

1090

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1091

if (selected_identity >= ssl_tls13_get_configured_psk_count(ssl)) {

1092

MBEDTLS_SSL_DEBUG_MSG(1, ("Invalid PSK identity."));

Jerry Yu

4a69834

2022-09-30 12:22:01 +0800

[diff] [blame]

1093

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1094

MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,

1095

MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);

1096

return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;

Jerry Yu

2022-09-28 22:12:07 +0800

[diff] [blame]

1097

}

Jerry Yu

2022-10-08 11:17:14 +0800

[diff] [blame]

1098

Jerry Yu

4a69834

2022-09-30 12:22:01 +0800

[diff] [blame]

1099

#if defined(MBEDTLS_SSL_SESSION_TICKETS)

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1100

if (selected_identity == 0 && ssl_tls13_has_configured_ticket(ssl)) {

1101

ret = ssl_tls13_ticket_get_psk(ssl, &hash_alg, &psk, &psk_len);

1102

} else

Jerry Yu

4a69834

2022-09-30 12:22:01 +0800

[diff] [blame]

1103

#endif

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1104

if (mbedtls_ssl_conf_has_static_psk(ssl->conf)) {

1105

ret = ssl_tls13_psk_get_psk(ssl, &hash_alg, &psk, &psk_len);

1106

} else {

1107

MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));

1108

return MBEDTLS_ERR_SSL_INTERNAL_ERROR;

Jerry Yu

2022-09-28 22:12:07 +0800

[diff] [blame]

1109

}

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1110

if (ret != 0) {

1111

return ret;

Jerry Yu

2022-09-28 22:12:07 +0800

[diff] [blame]

1112

}

Jerry Yu

2022-09-28 22:12:07 +0800

[diff] [blame]

1113

Dave Rodgman

2eab462

2023-10-05 13:30:37 +0100

[diff] [blame]

1114

if (mbedtls_md_psa_alg_from_type((mbedtls_md_type_t) ssl->handshake->ciphersuite_info->mac)

Xiaokang Qian

eb31cbc

2023-02-07 02:08:56 +0000

[diff] [blame]

1115

!= hash_alg) {

1116

MBEDTLS_SSL_DEBUG_MSG(

1117

1, ("Invalid ciphersuite for external psk."));

1118

1119

MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,

1120

MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);

1121

return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;

1122

}

1123

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1124

ret = mbedtls_ssl_set_hs_psk(ssl, psk, psk_len);

1125

if (ret != 0) {

1126

MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_set_hs_psk", ret);

return ret;

}

return 0;

Jerry Yu

0c6105b

2022-08-12 17:26:40 +0800

[diff] [blame]

1131

}

Ronald Cron

2022-10-04 16:38:25 +0200

[diff] [blame]

1132

#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

1133

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1134

int mbedtls_ssl_tls13_write_client_hello_exts(mbedtls_ssl_context *ssl,

1135

unsigned char *buf,

1136

unsigned char *end,

1137

size_t *out_len)

Ronald Cron

2022-02-18 12:06:07 +0100

[diff] [blame]

1138

{

1139

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

1140

unsigned char *p = buf;

size_t ext_len;

*out_len = 0;

Gilles Peskine

2024-08-23 21:55:24 +0200

[diff] [blame]

1145

ret = mbedtls_ssl_tls13_crypto_init(ssl);

if (ret != 0) {

return ret;

}

Ronald Cron

2022-02-18 12:06:07 +0100

[diff] [blame]

1150

/* Write supported_versions extension

1151

*

1152

* Supported Versions Extension is mandatory with TLS 1.3.

1153

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1154

ret = ssl_tls13_write_supported_versions_ext(ssl, p, end, &ext_len);

1155

if (ret != 0) {

1156

return ret;

1157

}

Ronald Cron

2022-02-18 12:06:07 +0100

[diff] [blame]

1158

p += ext_len;

1159

1160

/* Echo the cookie if the server provided one in its preceding

1161

* HelloRetryRequest message.

1162

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1163

ret = ssl_tls13_write_cookie_ext(ssl, p, end, &ext_len);

1164

if (ret != 0) {

1165

return ret;

1166

}

Ronald Cron

2022-02-18 12:06:07 +0100

[diff] [blame]

1167

p += ext_len;

1168

Yanray Wang

42017cd

2023-11-08 11:15:23 +0800

[diff] [blame]

1169

#if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)

1170

ret = mbedtls_ssl_tls13_write_record_size_limit_ext(

Waleed Elmelegy

148dfb6

2024-01-04 18:02:35 +0000

[diff] [blame]

1171

ssl, p, end, &ext_len);

Yanray Wang

42017cd

2023-11-08 11:15:23 +0800

[diff] [blame]

if (ret != 0) {

return ret;

}

p += ext_len;

#endif

Ronald Cron

2022-10-18 12:17:11 +0200

[diff] [blame]

1178

#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)

Pengyu Lv

2023-11-14 11:03:32 +0800

[diff] [blame]

1179

if (mbedtls_ssl_conf_tls13_is_some_ephemeral_enabled(ssl)) {

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1180

ret = ssl_tls13_write_key_share_ext(ssl, p, end, &ext_len);

1181

if (ret != 0) {

1182

return ret;

1183

}

Ronald Cron

2022-02-18 12:06:07 +0100

[diff] [blame]

1184

p += ext_len;

1185

}

Ronald Cron

766c0cd

2022-10-18 12:17:11 +0200

[diff] [blame]

1186

#endif

Ronald Cron

2022-02-18 12:06:07 +0100

[diff] [blame]

1187

Xiaokang Qian

0e97d4d

2022-10-24 11:12:51 +0000

[diff] [blame]

1188

#if defined(MBEDTLS_SSL_EARLY_DATA)

Ronald Cron

84dfbf4

2024-02-14 10:38:09 +0100

[diff] [blame]

1189

/* In the first ClientHello, write the early data indication extension if

Ronald Cron

2024-03-03 15:03:22 +0100

[diff] [blame]

1190

* necessary and update the early data state.

Ronald Cron

84dfbf4

2024-02-14 10:38:09 +0100

[diff] [blame]

1191

* If an HRR has been received and thus we are currently writing the

1192

* second ClientHello, the second ClientHello must not contain an early

Ronald Cron

2024-03-03 15:03:22 +0100

[diff] [blame]

1193

* data extension and the early data state must stay as it is:

Ronald Cron

2024-03-03 15:46:57 +0100

[diff] [blame]

1194

* MBEDTLS_SSL_EARLY_DATA_STATE_NO_IND_SENT or

Ronald Cron

2024-03-03 15:03:22 +0100

[diff] [blame]

1195

* MBEDTLS_SSL_EARLY_DATA_STATE_REJECTED.

Ronald Cron

84dfbf4

2024-02-14 10:38:09 +0100

[diff] [blame]

1196

*/

Ronald Cron

2024-02-14 10:03:36 +0100

[diff] [blame]

1197

if (!ssl->handshake->hello_retry_request_flag) {

Ronald Cron

2024-01-22 15:24:21 +0100

[diff] [blame]

1198

if (mbedtls_ssl_conf_tls13_is_some_psk_enabled(ssl) &&

1199

ssl_tls13_early_data_has_valid_ticket(ssl) &&

1200

ssl->conf->early_data_enabled == MBEDTLS_SSL_EARLY_DATA_ENABLED) {

1201

ret = mbedtls_ssl_tls13_write_early_data_ext(

1202

ssl, 0, p, end, &ext_len);

if (ret != 0) {

return ret;

}

p += ext_len;

Jerry Yu

5233539

2023-11-23 18:06:06 +0800

[diff] [blame]

1207

Ronald Cron

3641df2

2024-03-03 16:10:58 +0100

[diff] [blame]

1208

ssl->early_data_state = MBEDTLS_SSL_EARLY_DATA_STATE_IND_SENT;

Ronald Cron

2024-01-22 15:24:21 +0100

[diff] [blame]

1209

} else {

Ronald Cron

2024-03-03 15:46:57 +0100

[diff] [blame]

1210

ssl->early_data_state = MBEDTLS_SSL_EARLY_DATA_STATE_NO_IND_SENT;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1211

}

Xiaokang Qian

0e97d4d

2022-10-24 11:12:51 +0000

[diff] [blame]

1212

}

1213

#endif /* MBEDTLS_SSL_EARLY_DATA */

1214

Ronald Cron

2022-10-04 16:38:25 +0200

[diff] [blame]

1215

#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

1216

/* For PSK-based key exchange we need the pre_shared_key extension

1217

* and the psk_key_exchange_modes extension.

1218

*

1219

* The pre_shared_key extension MUST be the last extension in the

1220

* ClientHello. Servers MUST check that it is the last extension and

1221

* otherwise fail the handshake with an "illegal_parameter" alert.

1222

*

1223

* Add the psk_key_exchange_modes extension.

1224

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1225

ret = ssl_tls13_write_psk_key_exchange_modes_ext(ssl, p, end, &ext_len);

1226

if (ret != 0) {

1227

return ret;

1228

}

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

1229

p += ext_len;

Ronald Cron

2022-10-04 16:38:25 +0200

[diff] [blame]

1230

#endif

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

1231

Ronald Cron

2022-02-18 12:06:07 +0100

[diff] [blame]

1232

*out_len = p - buf;

1233

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1234

return 0;

Ronald Cron

2022-02-18 12:06:07 +0100

[diff] [blame]

1235

}

1236

Xiaokang Qian

934ce6f

2023-02-06 10:23:04 +0000

[diff] [blame]

1237

int mbedtls_ssl_tls13_finalize_client_hello(mbedtls_ssl_context *ssl)

Xiaokang Qian

2023-01-03 10:29:41 +0000

[diff] [blame]

1238

{

Xiaokang Qian

9074613

2023-01-06 05:54:59 +0000

[diff] [blame]

1239

((void) ssl);

Xiaokang Qian

79f7752

2023-01-28 10:35:29 +0000

[diff] [blame]

1240

Xiaokang Qian

2023-01-03 10:29:41 +0000

[diff] [blame]

1241

#if defined(MBEDTLS_SSL_EARLY_DATA)

1242

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

1243

psa_algorithm_t hash_alg = PSA_ALG_NONE;

1244

const unsigned char *psk;

1245

size_t psk_len;

1246

const mbedtls_ssl_ciphersuite_t *ciphersuite_info;

Xiaokang Qian

592021a

2023-01-04 10:47:05 +0000

[diff] [blame]

1247

Ronald Cron

3641df2

2024-03-03 16:10:58 +0100

[diff] [blame]

1248

if (ssl->early_data_state == MBEDTLS_SSL_EARLY_DATA_STATE_IND_SENT) {

Xiaokang Qian

2023-01-03 10:29:41 +0000

[diff] [blame]

1249

MBEDTLS_SSL_DEBUG_MSG(

1250

1, ("Set hs psk for early data when writing the first psk"));

1251

1252

ret = ssl_tls13_ticket_get_psk(ssl, &hash_alg, &psk, &psk_len);

1253

if (ret != 0) {

1254

MBEDTLS_SSL_DEBUG_RET(

1255

1, "ssl_tls13_ticket_get_psk", ret);

return ret;

}

ret = mbedtls_ssl_set_hs_psk(ssl, psk, psk_len);

1260

if (ret != 0) {

1261

MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_set_hs_psk", ret);

return ret;

}

Xiaokang Qian

2023-02-07 02:32:23 +0000

[diff] [blame]

1265

/*

1266

* Early data are going to be encrypted using the ciphersuite

1267

* associated with the pre-shared key used for the handshake.

1268

* Note that if the server rejects early data, the handshake

1269

* based on the pre-shared key may complete successfully

1270

* with a selected ciphersuite different from the ciphersuite

1271

* associated with the pre-shared key. Only the hashes of the

1272

* two ciphersuites have to be the same. In that case, the

1273

* encrypted handshake data and application data are

1274

* encrypted using a different ciphersuite than the one used for

1275

* the rejected early data.

1276

*/

Xiaokang Qian

2023-01-03 10:29:41 +0000

[diff] [blame]

1277

ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(

1278

ssl->session_negotiate->ciphersuite);

1279

ssl->handshake->ciphersuite_info = ciphersuite_info;

Xiaokang Qian

8dc4ce7

2023-02-07 10:49:50 +0000

[diff] [blame]

1280

Tom Cosgrove

5c8505f

2023-03-07 11:39:52 +0000

[diff] [blame]

1281

/* Enable psk and psk_ephemeral to make stage early happy */

Xiaokang Qian

2023-01-03 10:29:41 +0000

[diff] [blame]

1282

ssl->handshake->key_exchange_mode =

1283

MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL;

1284

1285

/* Start the TLS 1.3 key schedule:

Xiaokang Qian

8dc4ce7

2023-02-07 10:49:50 +0000

[diff] [blame]

1286

* Set the PSK and derive early secret.

Xiaokang Qian

2023-01-03 10:29:41 +0000

[diff] [blame]

1287

*/

1288

ret = mbedtls_ssl_tls13_key_schedule_stage_early(ssl);

1289

if (ret != 0) {

Xiaokang Qian

2023-02-08 06:04:50 +0000

[diff] [blame]

1290

MBEDTLS_SSL_DEBUG_RET(

1291

1, "mbedtls_ssl_tls13_key_schedule_stage_early", ret);

Xiaokang Qian

2023-01-03 10:29:41 +0000

[diff] [blame]

return ret;

}

/* Derive early data key material */

1296

ret = mbedtls_ssl_tls13_compute_early_transform(ssl);

1297

if (ret != 0) {

Xiaokang Qian

2023-02-08 06:04:50 +0000

[diff] [blame]

1298

MBEDTLS_SSL_DEBUG_RET(

1299

1, "mbedtls_ssl_tls13_compute_early_transform", ret);

Xiaokang Qian

2023-01-03 10:29:41 +0000

[diff] [blame]

return ret;

}

Ronald Cron

2024-01-19 08:15:33 +0100

[diff] [blame]

1303

#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)

1304

mbedtls_ssl_handshake_set_state(

1305

ssl, MBEDTLS_SSL_CLIENT_CCS_AFTER_CLIENT_HELLO);

1306

#else

1307

MBEDTLS_SSL_DEBUG_MSG(

1308

1, ("Switch to early data keys for outbound traffic"));

1309

mbedtls_ssl_set_outbound_transform(

1310

ssl, ssl->handshake->transform_earlydata);

Ronald Cron

2024-03-03 15:03:22 +0100

[diff] [blame]

1311

ssl->early_data_state = MBEDTLS_SSL_EARLY_DATA_STATE_CAN_WRITE;

Ronald Cron

297c608

2024-01-19 08:15:33 +0100

[diff] [blame]

1312

#endif

Xiaokang Qian

2023-01-03 10:29:41 +0000

[diff] [blame]

1313

}

1314

#endif /* MBEDTLS_SSL_EARLY_DATA */

1315

return 0;

1316

}

Jerry Yu

1bc2c1f

2021-09-01 12:57:29 +0800

[diff] [blame]

1317

/*

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1318

* Functions for parsing and processing Server Hello

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1319

*/

Ronald Cron

2022-04-05 11:04:20 +0200

[diff] [blame]

1320

Ronald Cron

da41b38

2022-03-30 09:57:11 +0200

[diff] [blame]

1321

/**

1322

* \brief Detect if the ServerHello contains a supported_versions extension

1323

* or not.

1324

*

1325

* \param[in] ssl SSL context

1326

* \param[in] buf Buffer containing the ServerHello message

1327

* \param[in] end End of the buffer containing the ServerHello message

1328

*

1329

* \return 0 if the ServerHello does not contain a supported_versions extension

1330

* \return 1 if the ServerHello contains a supported_versions extension

1331

* \return A negative value if an error occurred while parsing the ServerHello.

1332

*/

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

1333

MBEDTLS_CHECK_RETURN_CRITICAL

Ronald Cron

2022-02-10 16:45:15 +0100

[diff] [blame]

1334

static int ssl_tls13_is_supported_versions_ext_present(

1335

mbedtls_ssl_context *ssl,

1336

const unsigned char *buf,

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1337

const unsigned char *end)

Ronald Cron

2022-02-10 16:45:15 +0100

[diff] [blame]

1338

{

1339

const unsigned char *p = buf;

1340

size_t legacy_session_id_echo_len;

Ronald Cron

eff5673

2023-04-03 17:36:31 +0200

[diff] [blame]

1341

const unsigned char *supported_versions_data;

1342

const unsigned char *supported_versions_data_end;

Ronald Cron

2022-02-10 16:45:15 +0100

[diff] [blame]

1343

1344

/*

1345

* Check there is enough data to access the legacy_session_id_echo vector

Ronald Cron

da41b38

2022-03-30 09:57:11 +0200

[diff] [blame]

1346

* length:

1347

* - legacy_version 2 bytes

1348

* - random MBEDTLS_SERVER_HELLO_RANDOM_LEN bytes

1349

* - legacy_session_id_echo length 1 byte

Ronald Cron

2022-02-10 16:45:15 +0100

[diff] [blame]

1350

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1351

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, MBEDTLS_SERVER_HELLO_RANDOM_LEN + 3);

Ronald Cron

2022-02-10 16:45:15 +0100

[diff] [blame]

1352

p += MBEDTLS_SERVER_HELLO_RANDOM_LEN + 2;

1353

legacy_session_id_echo_len = *p;

1354

1355

/*

1356

* Jump to the extensions, jumping over:

1357

* - legacy_session_id_echo (legacy_session_id_echo_len + 1) bytes

1358

* - cipher_suite 2 bytes

1359

* - legacy_compression_method 1 byte

1360

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1361

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, legacy_session_id_echo_len + 4);

1362

p += legacy_session_id_echo_len + 4;

Ronald Cron

2022-02-10 16:45:15 +0100

[diff] [blame]

1363

Ronald Cron

47dce63

2023-02-08 17:38:29 +0100

[diff] [blame]

1364

return mbedtls_ssl_tls13_is_supported_versions_ext_present_in_exts(

1365

ssl, p, end,

Ronald Cron

eff5673

2023-04-03 17:36:31 +0200

[diff] [blame]

1366

&supported_versions_data, &supported_versions_data_end);

Ronald Cron

2022-02-10 16:45:15 +0100

[diff] [blame]

1367

}

1368

Jerry Yu

7a186a0

2021-10-15 18:46:14 +0800

[diff] [blame]

1369

/* Returns a negative value on failure, and otherwise

Ronald Cron

2022-04-05 11:04:20 +0200

[diff] [blame]

1370

* - 1 if the last eight bytes of the ServerHello random bytes indicate that

1371

* the server is TLS 1.3 capable but negotiating TLS 1.2 or below.

1372

* - 0 otherwise

1373

*/

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

1374

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1375

static int ssl_tls13_is_downgrade_negotiation(mbedtls_ssl_context *ssl,

1376

const unsigned char *buf,

1377

const unsigned char *end)

Ronald Cron

2022-04-05 11:04:20 +0200

[diff] [blame]

1378

{

1379

/* First seven bytes of the magic downgrade strings, see RFC 8446 4.1.3 */

1380

static const unsigned char magic_downgrade_string[] =

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1381

{ 0x44, 0x4F, 0x57, 0x4E, 0x47, 0x52, 0x44 };

Ronald Cron

2022-04-05 11:04:20 +0200

[diff] [blame]

1382

const unsigned char *last_eight_bytes_of_random;

1383

unsigned char last_byte_of_random;

1384

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1385

MBEDTLS_SSL_CHK_BUF_READ_PTR(buf, end, MBEDTLS_SERVER_HELLO_RANDOM_LEN + 2);

Ronald Cron

2022-04-05 11:04:20 +0200

[diff] [blame]

1386

last_eight_bytes_of_random = buf + 2 + MBEDTLS_SERVER_HELLO_RANDOM_LEN - 8;

1387

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1388

if (memcmp(last_eight_bytes_of_random,

1389

magic_downgrade_string,

1390

sizeof(magic_downgrade_string)) == 0) {

Ronald Cron

2022-04-05 11:04:20 +0200

[diff] [blame]

1391

last_byte_of_random = last_eight_bytes_of_random[7];

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1392

return last_byte_of_random == 0 ||

1393

last_byte_of_random == 1;

Ronald Cron

2022-04-05 11:04:20 +0200

[diff] [blame]

1394

}

1395

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1396

return 0;

Ronald Cron

2022-04-05 11:04:20 +0200

[diff] [blame]

1397

}

1398

1399

/* Returns a negative value on failure, and otherwise

Ronald Cron

2022-05-31 12:04:31 +0200

[diff] [blame]

1400

* - SSL_SERVER_HELLO or

1401

* - SSL_SERVER_HELLO_HRR

XiaokangQian

51eff22

2021-12-10 10:33:56 +0000

[diff] [blame]

1402

* to indicate which message is expected and to be parsed next.

1403

*/

Ronald Cron

2022-05-31 12:04:31 +0200

[diff] [blame]

1404

#define SSL_SERVER_HELLO 0

1405

#define SSL_SERVER_HELLO_HRR 1

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

1406

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1407

static int ssl_server_hello_is_hrr(mbedtls_ssl_context *ssl,

1408

const unsigned char *buf,

1409

const unsigned char *end)

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1410

{

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1411

1412

/* Check whether this message is a HelloRetryRequest ( HRR ) message.

1413

*

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1414

* Server Hello and HRR are only distinguished by Random set to the

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1415

* special value of the SHA-256 of "HelloRetryRequest".

1416

*

1417

* struct {

1418

* ProtocolVersion legacy_version = 0x0303;

1419

* Random random;

1420

* opaque legacy_session_id_echo<0..32>;

1421

* CipherSuite cipher_suite;

1422

* uint8 legacy_compression_method = 0;

Jerry Yu

2021-10-13 13:36:05 +0800

[diff] [blame]

1423

* Extension extensions<6..2^16-1>;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1424

* } ServerHello;

1425

*

1426

*/

Xiaokang Qian

2023-03-29 10:37:35 +0000

[diff] [blame]

1427

MBEDTLS_SSL_CHK_BUF_READ_PTR(

1428

buf, end, 2 + sizeof(mbedtls_ssl_tls13_hello_retry_request_magic));

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1429

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1430

if (memcmp(buf + 2, mbedtls_ssl_tls13_hello_retry_request_magic,

1431

sizeof(mbedtls_ssl_tls13_hello_retry_request_magic)) == 0) {

1432

return SSL_SERVER_HELLO_HRR;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1433

}

1434

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1435

return SSL_SERVER_HELLO;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1436

}

1437

Ronald Cron

2022-05-31 12:04:31 +0200

[diff] [blame]

1438

/*

Jerry Yu

2021-10-13 22:01:04 +0800

[diff] [blame]

1439

* Returns a negative value on failure, and otherwise

Ronald Cron

2022-05-31 12:04:31 +0200

[diff] [blame]

1440

* - SSL_SERVER_HELLO or

1441

* - SSL_SERVER_HELLO_HRR or

1442

* - SSL_SERVER_HELLO_TLS1_2

Jerry Yu

2021-10-13 22:01:04 +0800

[diff] [blame]

1443

*/

Ronald Cron

2022-05-31 12:04:31 +0200

[diff] [blame]

1444

#define SSL_SERVER_HELLO_TLS1_2 2

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

1445

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1446

static int ssl_tls13_preprocess_server_hello(mbedtls_ssl_context *ssl,

1447

const unsigned char *buf,

1448

const unsigned char *end)

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1449

{

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1450

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

Ronald Cron

5afb904

2022-05-31 12:11:39 +0200

[diff] [blame]

1451

mbedtls_ssl_handshake_params *handshake = ssl->handshake;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1452

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1453

MBEDTLS_SSL_PROC_CHK_NEG(ssl_tls13_is_supported_versions_ext_present(

1454

ssl, buf, end));

Jerry Yu

a66fece

2022-07-13 14:30:29 +0800

[diff] [blame]

1455

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1456

if (ret == 0) {

Ronald Cron

2022-04-05 11:04:20 +0200

[diff] [blame]

1457

MBEDTLS_SSL_PROC_CHK_NEG(

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1458

ssl_tls13_is_downgrade_negotiation(ssl, buf, end));

Ronald Cron

2022-04-05 11:04:20 +0200

[diff] [blame]

1459

1460

/* If the server is negotiating TLS 1.2 or below and:

1461

* . we did not propose TLS 1.2 or

1462

* . the server responded it is TLS 1.3 capable but negotiating a lower

1463

* version of the protocol and thus we are under downgrade attack

1464

* abort the handshake with an "illegal parameter" alert.

Ronald Cron

2022-02-10 16:45:15 +0100

[diff] [blame]

1465

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1466

if (handshake->min_tls_version > MBEDTLS_SSL_VERSION_TLS1_2 || ret) {

1467

MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,

1468

MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);

1469

return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;

Ronald Cron

2022-02-10 16:45:15 +0100

[diff] [blame]

1470

}

1471

Ronald Cron

b828c7d

2023-04-03 16:37:22 +0200

[diff] [blame]

1472

/*

1473

* Version 1.2 of the protocol has been negotiated, set the

1474

* ssl->keep_current_message flag for the ServerHello to be kept and

1475

* parsed as a TLS 1.2 ServerHello. We also change ssl->tls_version to

1476

* MBEDTLS_SSL_VERSION_TLS1_2 thus from now on mbedtls_ssl_handshake_step()

1477

* will dispatch to the TLS 1.2 state machine.

1478

*/

Ronald Cron

2022-02-10 16:45:15 +0100

[diff] [blame]

1479

ssl->keep_current_message = 1;

Glenn Strauss

60bfe60

2022-03-14 19:04:24 -0400

[diff] [blame]

1480

ssl->tls_version = MBEDTLS_SSL_VERSION_TLS1_2;

Xiaokang Qian

2023-03-29 10:37:35 +0000

[diff] [blame]

1481

MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(

1482

ssl, MBEDTLS_SSL_HS_SERVER_HELLO,

1483

buf, (size_t) (end - buf)));

Ronald Cron

2022-02-10 16:45:15 +0100

[diff] [blame]

1484

Pengyu Lv

2023-11-14 11:03:32 +0800

[diff] [blame]

1485

if (mbedtls_ssl_conf_tls13_is_some_ephemeral_enabled(ssl)) {

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1486

ret = ssl_tls13_reset_key_share(ssl);

1487

if (ret != 0) {

1488

return ret;

1489

}

Ronald Cron

2022-02-10 16:45:15 +0100

[diff] [blame]

1490

}

1491

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1492

return SSL_SERVER_HELLO_TLS1_2;

Ronald Cron

2022-02-10 16:45:15 +0100

[diff] [blame]

1493

}

1494

Jerry Yu

a66fece

2022-07-13 14:30:29 +0800

[diff] [blame]

1495

ssl->session_negotiate->tls_version = ssl->tls_version;

Ronald Cron

17ef8df

2023-11-22 10:29:42 +0100

[diff] [blame]

1496

ssl->session_negotiate->endpoint = ssl->conf->endpoint;

Jerry Yu

a66fece

2022-07-13 14:30:29 +0800

[diff] [blame]

1497

Jerry Yu

50e00e3

2022-10-31 14:45:01 +0800

[diff] [blame]

1498

handshake->received_extensions = MBEDTLS_SSL_EXT_MASK_NONE;

Ronald Cron

5afb904

2022-05-31 12:11:39 +0200

[diff] [blame]

1499

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1500

ret = ssl_server_hello_is_hrr(ssl, buf, end);

1501

switch (ret) {

Ronald Cron

2022-05-31 12:04:31 +0200

[diff] [blame]

1502

case SSL_SERVER_HELLO:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1503

MBEDTLS_SSL_DEBUG_MSG(2, ("received ServerHello message"));

Jerry Yu

2021-10-13 22:01:04 +0800

[diff] [blame]

1504

break;

Ronald Cron

2022-05-31 12:04:31 +0200

[diff] [blame]

1505

case SSL_SERVER_HELLO_HRR:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1506

MBEDTLS_SSL_DEBUG_MSG(2, ("received HelloRetryRequest message"));

Xiaokang Qian

2023-03-29 10:37:35 +0000

[diff] [blame]

1507

/* If a client receives a second HelloRetryRequest in the same

1508

* connection (i.e., where the ClientHello was itself in response

1509

* to a HelloRetryRequest), it MUST abort the handshake with an

1510

* "unexpected_message" alert.

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1511

*/

Ronald Cron

2024-02-14 10:03:36 +0100

[diff] [blame]

1512

if (handshake->hello_retry_request_flag) {

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1513

MBEDTLS_SSL_DEBUG_MSG(1, ("Multiple HRRs received"));

Xiaokang Qian

2023-03-29 10:37:35 +0000

[diff] [blame]

1514

MBEDTLS_SSL_PEND_FATAL_ALERT(

1515

MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE,

1516

MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE);

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1517

return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;

XiaokangQian

2022-01-14 07:35:47 +0000

[diff] [blame]

1518

}

XiaokangQian

2b01dc3

2022-01-21 02:53:13 +0000

[diff] [blame]

1519

/*

1520

* Clients must abort the handshake with an "illegal_parameter"

1521

* alert if the HelloRetryRequest would not result in any change

1522

* in the ClientHello.

1523

* In a PSK only key exchange that what we expect.

1524

*/

Pengyu Lv

2023-11-14 11:03:32 +0800

[diff] [blame]

1525

if (!mbedtls_ssl_conf_tls13_is_some_ephemeral_enabled(ssl)) {

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1526

MBEDTLS_SSL_DEBUG_MSG(1,

1527

("Unexpected HRR in pure PSK key exchange."));

XiaokangQian

2b01dc3

2022-01-21 02:53:13 +0000

[diff] [blame]

1528

MBEDTLS_SSL_PEND_FATAL_ALERT(

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1529

MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,

1530

MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);

1531

return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;

XiaokangQian

2b01dc3

2022-01-21 02:53:13 +0000

[diff] [blame]

1532

}

XiaokangQian

2022-01-14 07:35:47 +0000

[diff] [blame]

1533

Ronald Cron

2024-02-14 10:03:36 +0100

[diff] [blame]

1534

handshake->hello_retry_request_flag = 1;

XiaokangQian

2022-01-14 07:35:47 +0000

[diff] [blame]

1535

Jerry Yu

2021-10-13 22:01:04 +0800

[diff] [blame]

1536

break;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

}

cleanup:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1541

return ret;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1542

}

1543

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

1544

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1545

static int ssl_tls13_check_server_hello_session_id_echo(mbedtls_ssl_context *ssl,

1546

const unsigned char **buf,

1547

const unsigned char *end)

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1548

{

1549

const unsigned char *p = *buf;

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1550

size_t legacy_session_id_echo_len;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1551

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1552

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 1);

1553

legacy_session_id_echo_len = *p++;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1554

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1555

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, legacy_session_id_echo_len);

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1556

1557

/* legacy_session_id_echo */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1558

if (ssl->session_negotiate->id_len != legacy_session_id_echo_len ||

1559

memcmp(ssl->session_negotiate->id, p, legacy_session_id_echo_len) != 0) {

1560

MBEDTLS_SSL_DEBUG_BUF(3, "Expected Session ID",

1561

ssl->session_negotiate->id,

1562

ssl->session_negotiate->id_len);

1563

MBEDTLS_SSL_DEBUG_BUF(3, "Received Session ID", p,

1564

legacy_session_id_echo_len);

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1565

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1566

MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,

1567

MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1568

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1569

return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1570

}

1571

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1572

p += legacy_session_id_echo_len;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1573

*buf = p;

1574

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1575

MBEDTLS_SSL_DEBUG_BUF(3, "Session ID", ssl->session_negotiate->id,

1576

ssl->session_negotiate->id_len);

1577

return 0;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1578

}

1579

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1580

/* Parse ServerHello message and configure context

1581

*

1582

* struct {

1583

* ProtocolVersion legacy_version = 0x0303; // TLS 1.2

1584

* Random random;

1585

* opaque legacy_session_id_echo<0..32>;

1586

* CipherSuite cipher_suite;

1587

* uint8 legacy_compression_method = 0;

Jerry Yu

2021-10-13 13:36:05 +0800

[diff] [blame]

1588

* Extension extensions<6..2^16-1>;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1589

* } ServerHello;

1590

*/

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

1591

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1592

static int ssl_tls13_parse_server_hello(mbedtls_ssl_context *ssl,

1593

const unsigned char *buf,

1594

const unsigned char *end,

1595

int is_hrr)

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1596

{

Jerry Yu

2021-10-13 13:36:05 +0800

[diff] [blame]

1597

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1598

const unsigned char *p = buf;

XiaokangQian

2022-01-20 11:14:50 +0000

[diff] [blame]

1599

mbedtls_ssl_handshake_params *handshake = ssl->handshake;

Jerry Yu

2021-10-13 13:36:05 +0800

[diff] [blame]

1600

size_t extensions_len;

1601

const unsigned char *extensions_end;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1602

uint16_t cipher_suite;

Jerry Yu

de4fb2c

2021-09-19 18:05:08 +0800

[diff] [blame]

1603

const mbedtls_ssl_ciphersuite_t *ciphersuite_info;

XiaokangQian

b119a35

2022-01-26 03:29:10 +0000

[diff] [blame]

1604

int fatal_alert = 0;

Jerry Yu

2022-08-29 15:25:36 +0800

[diff] [blame]

1605

uint32_t allowed_extensions_mask;

Jerry Yu

50e00e3

2022-10-31 14:45:01 +0800

[diff] [blame]

1606

int hs_msg_type = is_hrr ? MBEDTLS_SSL_TLS1_3_HS_HELLO_RETRY_REQUEST :

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1607

MBEDTLS_SSL_HS_SERVER_HELLO;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1608

1609

/*

1610

* Check there is space for minimal fields

1611

*

1612

* - legacy_version ( 2 bytes)

Jerry Yu

2021-10-26 10:44:32 +0800

[diff] [blame]

1613

* - random (MBEDTLS_SERVER_HELLO_RANDOM_LEN bytes)

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1614

* - legacy_session_id_echo ( 1 byte ), minimum size

1615

* - cipher_suite ( 2 bytes)

1616

* - legacy_compression_method ( 1 byte )

1617

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1618

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, MBEDTLS_SERVER_HELLO_RANDOM_LEN + 6);

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1619

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1620

MBEDTLS_SSL_DEBUG_BUF(4, "server hello", p, end - p);

1621

MBEDTLS_SSL_DEBUG_BUF(3, "server hello, version", p, 2);

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1622

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1623

/* ...

Jerry Yu

2021-10-13 13:36:05 +0800

[diff] [blame]

1624

* ProtocolVersion legacy_version = 0x0303; // TLS 1.2

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1625

* ...

1626

* with ProtocolVersion defined as:

1627

* uint16 ProtocolVersion;

1628

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1629

if (mbedtls_ssl_read_version(p, ssl->conf->transport) !=

1630

MBEDTLS_SSL_VERSION_TLS1_2) {

1631

MBEDTLS_SSL_DEBUG_MSG(1, ("Unsupported version of TLS."));

1632

MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION,

1633

MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION);

XiaokangQian

2022-01-24 10:12:51 +0000

[diff] [blame]

1634

ret = MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION;

1635

goto cleanup;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1636

}

1637

p += 2;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1638

Jerry Yu

2021-10-26 10:44:32 +0800

[diff] [blame]

1639

/* ...

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1640

* Random random;

1641

* ...

1642

* with Random defined as:

Jerry Yu

2021-10-26 10:44:32 +0800

[diff] [blame]

1643

* opaque Random[MBEDTLS_SERVER_HELLO_RANDOM_LEN];

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1644

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1645

if (!is_hrr) {

1646

memcpy(&handshake->randbytes[MBEDTLS_CLIENT_HELLO_RANDOM_LEN], p,

1647

MBEDTLS_SERVER_HELLO_RANDOM_LEN);

1648

MBEDTLS_SSL_DEBUG_BUF(3, "server hello, random bytes",

1649

p, MBEDTLS_SERVER_HELLO_RANDOM_LEN);

XiaokangQian

2022-01-18 10:47:33 +0000

[diff] [blame]

1650

}

Jerry Yu

2021-10-26 10:44:32 +0800

[diff] [blame]

1651

p += MBEDTLS_SERVER_HELLO_RANDOM_LEN;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1652

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1653

/* ...

1654

* opaque legacy_session_id_echo<0..32>;

1655

* ...

1656

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1657

if (ssl_tls13_check_server_hello_session_id_echo(ssl, &p, end) != 0) {

XiaokangQian

2022-01-26 09:49:29 +0000

[diff] [blame]

1658

fatal_alert = MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER;

XiaokangQian

2022-01-24 10:12:51 +0000

[diff] [blame]

1659

goto cleanup;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1660

}

1661

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1662

/* ...

1663

* CipherSuite cipher_suite;

1664

* ...

1665

* with CipherSuite defined as:

1666

* uint8 CipherSuite[2];

1667

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1668

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);

1669

cipher_suite = MBEDTLS_GET_UINT16_BE(p, 0);

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1670

p += 2;

1671

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1672

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1673

ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(cipher_suite);

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1674

/*

Ronald Cron

ba120bb

2022-03-30 22:09:48 +0200

[diff] [blame]

1675

* Check whether this ciphersuite is valid and offered.

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1676

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1677

if ((mbedtls_ssl_validate_ciphersuite(ssl, ciphersuite_info,

1678

ssl->tls_version,

1679

ssl->tls_version) != 0) ||

1680

!mbedtls_ssl_tls13_cipher_suite_is_offered(ssl, cipher_suite)) {

XiaokangQian

2022-01-26 09:49:29 +0000

[diff] [blame]

1681

fatal_alert = MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1682

}

XiaokangQian

2022-01-18 10:47:33 +0000

[diff] [blame]

1683

/*

XiaokangQian

2022-01-20 11:14:50 +0000

[diff] [blame]

1684

* If we received an HRR before and that the proposed selected

1685

* ciphersuite in this server hello is not the same as the one

1686

* proposed in the HRR, we abort the handshake and send an

1687

* "illegal_parameter" alert.

XiaokangQian

2022-01-18 10:47:33 +0000

[diff] [blame]

1688

*/

Ronald Cron

2024-02-14 10:03:36 +0100

[diff] [blame]

1689

else if ((!is_hrr) && handshake->hello_retry_request_flag &&

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1690

(cipher_suite != ssl->session_negotiate->ciphersuite)) {

XiaokangQian

2022-01-26 09:49:29 +0000

[diff] [blame]

1691

fatal_alert = MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER;

XiaokangQian

2022-01-20 11:14:50 +0000

[diff] [blame]

1692

}

XiaokangQian

2022-01-18 10:47:33 +0000

[diff] [blame]

1693

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1694

if (fatal_alert == MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER) {

1695

MBEDTLS_SSL_DEBUG_MSG(1, ("invalid ciphersuite(%04x) parameter",

1696

cipher_suite));

XiaokangQian

2022-01-24 10:12:51 +0000

[diff] [blame]

1697

goto cleanup;

XiaokangQian

2022-01-18 10:47:33 +0000

[diff] [blame]

1698

}

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1699

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1700

/* Configure ciphersuites */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1701

mbedtls_ssl_optimize_checksum(ssl, ciphersuite_info);

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1702

XiaokangQian

2022-01-20 11:14:50 +0000

[diff] [blame]

1703

handshake->ciphersuite_info = ciphersuite_info;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1704

MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, chosen ciphersuite: ( %04x ) - %s",

1705

cipher_suite, ciphersuite_info->name));

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1706

1707

#if defined(MBEDTLS_HAVE_TIME)

YxC

da60913

2023-05-22 12:08:12 -0700

[diff] [blame]

1708

ssl->session_negotiate->start = mbedtls_time(NULL);

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1709

#endif /* MBEDTLS_HAVE_TIME */

1710

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1711

/* ...

1712

* uint8 legacy_compression_method = 0;

1713

* ...

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1714

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1715

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 1);

1716

if (p[0] != MBEDTLS_SSL_COMPRESS_NULL) {

1717

MBEDTLS_SSL_DEBUG_MSG(1, ("bad legacy compression method"));

XiaokangQian

2022-01-26 09:49:29 +0000

[diff] [blame]

1718

fatal_alert = MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER;

XiaokangQian

2022-01-24 10:12:51 +0000

[diff] [blame]

1719

goto cleanup;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

}

p++;

Jerry Yu

2021-10-13 13:36:05 +0800

[diff] [blame]

1723

/* ...

1724

* Extension extensions<6..2^16-1>;

1725

* ...

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1726

* struct {

1727

* ExtensionType extension_type; (2 bytes)

1728

* opaque extension_data<0..2^16-1>;

1729

* } Extension;

1730

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1731

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);

1732

extensions_len = MBEDTLS_GET_UINT16_BE(p, 0);

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1733

p += 2;

Jerry Yu

de4fb2c

2021-09-19 18:05:08 +0800

[diff] [blame]

1734

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1735

/* Check extensions do not go beyond the buffer of data. */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1736

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, extensions_len);

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1737

extensions_end = p + extensions_len;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1738

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1739

MBEDTLS_SSL_DEBUG_BUF(3, "server hello extensions", p, extensions_len);

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1740

Jerry Yu

50e00e3

2022-10-31 14:45:01 +0800

[diff] [blame]

1741

handshake->received_extensions = MBEDTLS_SSL_EXT_MASK_NONE;

Jerry Yu

2022-08-29 15:25:36 +0800

[diff] [blame]

1742

allowed_extensions_mask = is_hrr ?

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1743

MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_HRR :

1744

MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_SH;

Jerry Yu

2c5363e

2022-08-04 17:42:49 +0800

[diff] [blame]

1745

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1746

while (p < extensions_end) {

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1747

unsigned int extension_type;

1748

size_t extension_data_len;

XiaokangQian

2022-01-21 04:32:58 +0000

[diff] [blame]

1749

const unsigned char *extension_data_end;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1750

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1751

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, extensions_end, 4);

1752

extension_type = MBEDTLS_GET_UINT16_BE(p, 0);

1753

extension_data_len = MBEDTLS_GET_UINT16_BE(p, 2);

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1754

p += 4;

1755

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1756

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, extensions_end, extension_data_len);

XiaokangQian

2022-01-21 04:32:58 +0000

[diff] [blame]

1757

extension_data_end = p + extension_data_len;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1758

Jerry Yu

2022-10-29 09:08:47 +0800

[diff] [blame]

1759

ret = mbedtls_ssl_tls13_check_received_extension(

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1760

ssl, hs_msg_type, extension_type, allowed_extensions_mask);

1761

if (ret != 0) {

1762

return ret;

1763

}

Jerry Yu

2c5363e

2022-08-04 17:42:49 +0800

[diff] [blame]

1764

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1765

switch (extension_type) {

XiaokangQian

2022-01-14 04:03:11 +0000

[diff] [blame]

1766

case MBEDTLS_TLS_EXT_COOKIE:

1767

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1768

ret = ssl_tls13_parse_cookie_ext(ssl,

1769

p, extension_data_end);

1770

if (ret != 0) {

1771

MBEDTLS_SSL_DEBUG_RET(1,

1772

"ssl_tls13_parse_cookie_ext",

1773

ret);

XiaokangQian

2022-01-24 10:12:51 +0000

[diff] [blame]

1774

goto cleanup;

XiaokangQian

2022-01-14 04:03:11 +0000

[diff] [blame]

1775

}

XiaokangQian

2022-01-14 04:03:11 +0000

[diff] [blame]

1776

break;

XiaokangQian

2022-01-14 04:03:11 +0000

[diff] [blame]

1777

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1778

case MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1779

ret = ssl_tls13_parse_supported_versions_ext(ssl,

1780

p,

1781

extension_data_end);

1782

if (ret != 0) {

XiaokangQian

2022-01-24 10:12:51 +0000

[diff] [blame]

1783

goto cleanup;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1784

}

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1785

break;

1786

Ronald Cron

2022-10-04 16:38:25 +0200

[diff] [blame]

1787

#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1788

case MBEDTLS_TLS_EXT_PRE_SHARED_KEY:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1789

MBEDTLS_SSL_DEBUG_MSG(3, ("found pre_shared_key extension"));

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1790

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1791

if ((ret = ssl_tls13_parse_server_pre_shared_key_ext(

1792

ssl, p, extension_data_end)) != 0) {

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

1793

MBEDTLS_SSL_DEBUG_RET(

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1794

1, ("ssl_tls13_parse_server_pre_shared_key_ext"), ret);

1795

return ret;

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

1796

}

1797

break;

Ronald Cron

2022-10-04 16:38:25 +0200

[diff] [blame]

1798

#endif

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1799

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1800

case MBEDTLS_TLS_EXT_KEY_SHARE:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1801

MBEDTLS_SSL_DEBUG_MSG(3, ("found key_shares extension"));

Pengyu Lv

2023-11-14 11:03:32 +0800

[diff] [blame]

1802

if (!mbedtls_ssl_conf_tls13_is_some_ephemeral_enabled(ssl)) {

XiaokangQian

2022-01-26 09:49:29 +0000

[diff] [blame]

1803

fatal_alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT;

XiaokangQian

2022-01-24 10:12:51 +0000

[diff] [blame]

goto cleanup;

}

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1807

if (is_hrr) {

1808

ret = ssl_tls13_parse_hrr_key_share_ext(ssl,

1809

p, extension_data_end);

1810

} else {

1811

ret = ssl_tls13_parse_key_share_ext(ssl,

1812

p, extension_data_end);

1813

}

1814

if (ret != 0) {

1815

MBEDTLS_SSL_DEBUG_RET(1,

1816

"ssl_tls13_parse_key_share_ext",

1817

ret);

XiaokangQian

2022-01-24 10:12:51 +0000

[diff] [blame]

1818

goto cleanup;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1819

}

1820

break;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1821

1822

default:

Jerry Yu

9872eb2

2022-08-29 13:42:01 +0800

[diff] [blame]

1823

ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;

1824

goto cleanup;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1825

}

1826

1827

p += extension_data_len;

1828

}

1829

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1830

MBEDTLS_SSL_PRINT_EXTS(3, hs_msg_type, handshake->received_extensions);

Jerry Yu

2c5363e

2022-08-04 17:42:49 +0800

[diff] [blame]

1831

XiaokangQian

2022-01-24 10:12:51 +0000

[diff] [blame]

1832

cleanup:

1833

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1834

if (fatal_alert == MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT) {

1835

MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT,

1836

MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION);

XiaokangQian

2022-01-24 10:12:51 +0000

[diff] [blame]

1837

ret = MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1838

} else if (fatal_alert == MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER) {

1839

MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,

1840

MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);

XiaokangQian

2022-01-24 10:12:51 +0000

[diff] [blame]

1841

ret = MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;

1842

}

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1843

return ret;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1844

}

1845

Xiaokang Qian

cb6e963

2022-09-26 11:59:32 +0000

[diff] [blame]

1846

#if defined(MBEDTLS_DEBUG_C)

1847

static const char *ssl_tls13_get_kex_mode_str(int mode)

Xiaokang Qian

2022-09-26 08:23:45 +0000

[diff] [blame]

1848

{

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1849

switch (mode) {

Xiaokang Qian

2022-09-26 08:23:45 +0000

[diff] [blame]

1850

case MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK:

1851

return "psk";

1852

case MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL:

1853

return "ephemeral";

1854

case MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL:

1855

return "psk_ephemeral";

1856

default:

1857

return "unknown mode";

1858

}

1859

}

Xiaokang Qian

cb6e963

2022-09-26 11:59:32 +0000

[diff] [blame]

1860

#endif /* MBEDTLS_DEBUG_C */

Xiaokang Qian

2022-09-26 08:23:45 +0000

[diff] [blame]

1861

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

1862

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1863

static int ssl_tls13_postprocess_server_hello(mbedtls_ssl_context *ssl)

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1864

{

Jerry Yu

2021-10-13 13:36:05 +0800

[diff] [blame]

1865

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

Jerry Yu

2021-10-13 13:36:05 +0800

[diff] [blame]

1866

mbedtls_ssl_handshake_params *handshake = ssl->handshake;

Jerry Yu

2021-09-05 19:41:30 +0800

[diff] [blame]

1867

Jerry Yu

2021-10-13 13:36:05 +0800

[diff] [blame]

1868

/* Determine the key exchange mode:

1869

* 1) If both the pre_shared_key and key_share extensions were received

1870

* then the key exchange mode is PSK with EPHEMERAL.

1871

* 2) If only the pre_shared_key extension was received then the key

1872

* exchange mode is PSK-only.

1873

* 3) If only the key_share extension was received then the key

1874

* exchange mode is EPHEMERAL-only.

Jerry Yu

2021-09-05 19:41:30 +0800

[diff] [blame]

1875

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1876

switch (handshake->received_extensions &

Xiaokang Qian

2023-03-29 10:37:35 +0000

[diff] [blame]

1877

(MBEDTLS_SSL_EXT_MASK(PRE_SHARED_KEY) |

1878

MBEDTLS_SSL_EXT_MASK(KEY_SHARE))) {

Jerry Yu

2021-10-13 22:01:04 +0800

[diff] [blame]

1879

/* Only the pre_shared_key extension was received */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1880

case MBEDTLS_SSL_EXT_MASK(PRE_SHARED_KEY):

Xiaokang Qian

2023-03-29 10:37:35 +0000

[diff] [blame]

1881

handshake->key_exchange_mode =

1882

MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK;

Jerry Yu

2021-10-13 22:01:04 +0800

[diff] [blame]

1883

break;

Jerry Yu

2021-10-13 13:36:05 +0800

[diff] [blame]

1884

Jerry Yu

2021-10-13 22:01:04 +0800

[diff] [blame]

1885

/* Only the key_share extension was received */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1886

case MBEDTLS_SSL_EXT_MASK(KEY_SHARE):

Xiaokang Qian

2023-03-29 10:37:35 +0000

[diff] [blame]

1887

handshake->key_exchange_mode =

1888

MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL;

Jerry Yu

2021-10-13 22:01:04 +0800

[diff] [blame]

1889

break;

Jerry Yu

2021-10-13 13:36:05 +0800

[diff] [blame]

1890

Jerry Yu

2021-10-13 22:01:04 +0800

[diff] [blame]

1891

/* Both the pre_shared_key and key_share extensions were received */

Xiaokang Qian

2023-03-29 10:37:35 +0000

[diff] [blame]

1892

case (MBEDTLS_SSL_EXT_MASK(PRE_SHARED_KEY) |

1893

MBEDTLS_SSL_EXT_MASK(KEY_SHARE)):

1894

handshake->key_exchange_mode =

1895

MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL;

Jerry Yu

2021-10-13 22:01:04 +0800

[diff] [blame]

1896

break;

Jerry Yu

2021-10-13 13:36:05 +0800

[diff] [blame]

1897

Jerry Yu

2021-10-13 22:01:04 +0800

[diff] [blame]

1898

/* Neither pre_shared_key nor key_share extension was received */

1899

default:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1900

MBEDTLS_SSL_DEBUG_MSG(1, ("Unknown key exchange."));

Jerry Yu

2021-10-13 22:01:04 +0800

[diff] [blame]

1901

ret = MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;

1902

goto cleanup;

Jerry Yu

2021-09-05 19:41:30 +0800

[diff] [blame]

1903

}

1904

Pengyu Lv

fc2cb96

2023-11-10 10:22:36 +0800

[diff] [blame]

1905

if (!mbedtls_ssl_conf_tls13_is_kex_mode_enabled(

Xiaokang Qian

2023-02-08 06:04:50 +0000

[diff] [blame]

1906

ssl, handshake->key_exchange_mode)) {

Xiaokang Qian

ac8195f

2022-09-26 04:01:06 +0000

[diff] [blame]

1907

ret = MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;

Xiaokang Qian

2023-03-29 10:37:35 +0000

[diff] [blame]

1908

MBEDTLS_SSL_DEBUG_MSG(

1909

2, ("Key exchange mode(%s) is not supported.",

1910

ssl_tls13_get_kex_mode_str(handshake->key_exchange_mode)));

Xiaokang Qian

ac8195f

2022-09-26 04:01:06 +0000

[diff] [blame]

goto cleanup;

}

Xiaokang Qian

2023-03-29 10:37:35 +0000

[diff] [blame]

1914

MBEDTLS_SSL_DEBUG_MSG(

1915

3, ("Selected key exchange mode: %s",

1916

ssl_tls13_get_kex_mode_str(handshake->key_exchange_mode)));

Xiaokang Qian

2022-09-26 08:23:45 +0000

[diff] [blame]

1917

Xiaokang Qian

7892b6c

2023-02-02 06:05:48 +0000

[diff] [blame]

1918

/* Start the TLS 1.3 key scheduling if not already done.

Jerry Yu

2021-09-05 19:41:30 +0800

[diff] [blame]

1919

*

Xiaokang Qian

7892b6c

2023-02-02 06:05:48 +0000

[diff] [blame]

1920

* If we proposed early data then we have already derived an

1921

* early secret using the selected PSK and its associated hash.

1922

* It means that if the negotiated key exchange mode is psk or

1923

* psk_ephemeral, we have already correctly computed the

1924

* early secret and thus we do not do it again. In all other

1925

* cases we compute it here.

Xiaokang Qian

303f82c5

2023-01-04 08:43:46 +0000

[diff] [blame]

1926

*/

Xiaokang Qian

9074613

2023-01-06 05:54:59 +0000

[diff] [blame]

1927

#if defined(MBEDTLS_SSL_EARLY_DATA)

Ronald Cron

2024-03-03 15:46:57 +0100

[diff] [blame]

1928

if (ssl->early_data_state == MBEDTLS_SSL_EARLY_DATA_STATE_NO_IND_SENT ||

Xiaokang Qian

e04afdc

2023-02-07 02:19:42 +0000

[diff] [blame]

1929

handshake->key_exchange_mode ==

1930

MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL)

Xiaokang Qian

9074613

2023-01-06 05:54:59 +0000

[diff] [blame]

1931

#endif

1932

{

Xiaokang Qian

303f82c5

2023-01-04 08:43:46 +0000

[diff] [blame]

1933

ret = mbedtls_ssl_tls13_key_schedule_stage_early(ssl);

1934

if (ret != 0) {

1935

MBEDTLS_SSL_DEBUG_RET(

1936

1, "mbedtls_ssl_tls13_key_schedule_stage_early", ret);

1937

goto cleanup;

1938

}

Jerry Yu

2021-09-05 19:41:30 +0800

[diff] [blame]

1939

}

1940

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1941

ret = mbedtls_ssl_tls13_compute_handshake_transform(ssl);

1942

if (ret != 0) {

1943

MBEDTLS_SSL_DEBUG_RET(1,

1944

"mbedtls_ssl_tls13_compute_handshake_transform",

1945

ret);

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1946

goto cleanup;

Jerry Yu

2021-09-05 19:41:30 +0800

[diff] [blame]

1947

}

1948

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1949

mbedtls_ssl_set_inbound_transform(ssl, handshake->transform_handshake);

1950

MBEDTLS_SSL_DEBUG_MSG(1, ("Switch to handshake keys for inbound traffic"));

Jerry Yu

2021-09-05 19:41:30 +0800

[diff] [blame]

1951

ssl->session_in = ssl->session_negotiate;

1952

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1953

cleanup:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1954

if (ret != 0) {

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1955

MBEDTLS_SSL_PEND_FATAL_ALERT(

1956

MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1957

MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE);

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1958

}

Jerry Yu

e110d25

2022-05-05 10:19:22 +0800

[diff] [blame]

1959

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1960

return ret;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1961

}

1962

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

1963

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1964

static int ssl_tls13_postprocess_hrr(mbedtls_ssl_context *ssl)

XiaokangQian

2021-12-07 09:16:29 +0000

[diff] [blame]

1965

{

1966

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

1967

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1968

mbedtls_ssl_session_reset_msg_layer(ssl, 0);

XiaokangQian

2021-12-07 09:16:29 +0000

[diff] [blame]

1969

XiaokangQian

78b1fa7

2022-01-19 06:56:30 +0000

[diff] [blame]

1970

/*

XiaokangQian

2022-01-20 11:14:50 +0000

[diff] [blame]

1971

* We are going to re-generate a shared secret corresponding to the group

1972

* selected by the server, which is different from the group for which we

1973

* generated a shared secret in the first client hello.

1974

* Thus, reset the shared secret.

XiaokangQian

51eff22

2021-12-10 10:33:56 +0000

[diff] [blame]

1975

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1976

ret = ssl_tls13_reset_key_share(ssl);

1977

if (ret != 0) {

1978

return ret;

1979

}

XiaokangQian

2021-12-07 09:16:29 +0000

[diff] [blame]

1980

Xiaokang Qian

4ef8ba2

2023-02-06 11:06:16 +0000

[diff] [blame]

1981

ssl->session_negotiate->ciphersuite = ssl->handshake->ciphersuite_info->id;

Ronald Cron

2024-01-22 15:24:21 +0100

[diff] [blame]

1982

1983

#if defined(MBEDTLS_SSL_EARLY_DATA)

Ronald Cron

2024-03-03 15:46:57 +0100

[diff] [blame]

1984

if (ssl->early_data_state != MBEDTLS_SSL_EARLY_DATA_STATE_NO_IND_SENT) {

Ronald Cron

2024-03-03 15:03:22 +0100

[diff] [blame]

1985

ssl->early_data_state = MBEDTLS_SSL_EARLY_DATA_STATE_REJECTED;

Ronald Cron

2024-01-22 15:24:21 +0100

[diff] [blame]

}

#endif

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1989

return 0;

XiaokangQian

2021-12-07 09:16:29 +0000

[diff] [blame]

1990

}

1991

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1992

/*

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1993

* Wait and parse ServerHello handshake message.

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

1994

* Handler for MBEDTLS_SSL_SERVER_HELLO

1995

*/

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

1996

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1997

static int ssl_tls13_process_server_hello(mbedtls_ssl_context *ssl)

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

1998

{

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1999

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

XiaokangQian

2021-12-07 09:16:29 +0000

[diff] [blame]

2000

unsigned char *buf = NULL;

2001

size_t buf_len = 0;

XiaokangQian

78b1fa7

2022-01-19 06:56:30 +0000

[diff] [blame]

2002

int is_hrr = 0;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

2003

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2004

MBEDTLS_SSL_DEBUG_MSG(2, ("=> %s", __func__));

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

2005

Xiaokang Qian

2023-03-29 10:37:35 +0000

[diff] [blame]

2006

MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_tls13_fetch_handshake_msg(

2007

ssl, MBEDTLS_SSL_HS_SERVER_HELLO, &buf, &buf_len));

Ronald Cron

db5dfa1

2022-05-31 11:44:38 +0200

[diff] [blame]

2008

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2009

ret = ssl_tls13_preprocess_server_hello(ssl, buf, buf + buf_len);

2010

if (ret < 0) {

XiaokangQian

2022-01-14 07:35:47 +0000

[diff] [blame]

2011

goto cleanup;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2012

} else {

2013

is_hrr = (ret == SSL_SERVER_HELLO_HRR);

2014

}

XiaokangQian

2022-01-24 10:12:51 +0000

[diff] [blame]

2015

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2016

if (ret == SSL_SERVER_HELLO_TLS1_2) {

Ronald Cron

2022-02-10 16:45:15 +0100

[diff] [blame]

ret = 0;

goto cleanup;

}

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2021

MBEDTLS_SSL_PROC_CHK(ssl_tls13_parse_server_hello(ssl, buf,

buf + buf_len,

is_hrr));

if (is_hrr) {

MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_reset_transcript_for_hrr(ssl));

Ronald Cron

2022-05-31 14:49:55 +0200

[diff] [blame]

2026

}

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2027

Xiaokang Qian

2023-03-29 10:37:35 +0000

[diff] [blame]

2028

MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(

2029

ssl, MBEDTLS_SSL_HS_SERVER_HELLO, buf, buf_len));

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2030

2031

if (is_hrr) {

2032

MBEDTLS_SSL_PROC_CHK(ssl_tls13_postprocess_hrr(ssl));

2033

#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)

2034

/* If not offering early data, the client sends a dummy CCS record

2035

* immediately before its second flight. This may either be before

2036

* its second ClientHello or before its encrypted handshake flight.

2037

*/

Xiaokang Qian

2023-03-29 10:37:35 +0000

[diff] [blame]

2038

mbedtls_ssl_handshake_set_state(

2039

ssl, MBEDTLS_SSL_CLIENT_CCS_BEFORE_2ND_CLIENT_HELLO);

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2040

#else

2041

mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_HELLO);

2042

#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */

2043

} else {

2044

MBEDTLS_SSL_PROC_CHK(ssl_tls13_postprocess_server_hello(ssl));

2045

mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_ENCRYPTED_EXTENSIONS);

Ronald Cron

2022-05-31 14:49:55 +0200

[diff] [blame]

2046

}

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

2047

2048

cleanup:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2049

MBEDTLS_SSL_DEBUG_MSG(2, ("<= %s ( %s )", __func__,

2050

is_hrr ? "HelloRetryRequest" : "ServerHello"));

2051

return ret;

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

2052

}

2053

2054

/*

XiaokangQian

2021-09-13 07:30:09 +0000

[diff] [blame]

2055

*

Ronald Cron

2022-05-30 16:05:38 +0200

[diff] [blame]

2056

* Handler for MBEDTLS_SSL_ENCRYPTED_EXTENSIONS

XiaokangQian

2021-09-13 07:30:09 +0000

[diff] [blame]

2057

*

2058

* The EncryptedExtensions message contains any extensions which

2059

* should be protected, i.e., any which are not needed to establish

2060

* the cryptographic context.

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

2061

*/

XiaokangQian

2021-09-13 07:30:09 +0000

[diff] [blame]

2062

XiaokangQian

2021-10-09 10:12:11 +0000

[diff] [blame]

2063

/* Parse EncryptedExtensions message

2064

* struct {

XiaokangQian

2021-10-11 10:05:54 +0000

[diff] [blame]

2065

* Extension extensions<0..2^16-1>;

XiaokangQian

2021-10-09 10:12:11 +0000

[diff] [blame]

2066

* } EncryptedExtensions;

2067

*/

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

2068

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2069

static int ssl_tls13_parse_encrypted_extensions(mbedtls_ssl_context *ssl,

2070

const unsigned char *buf,

2071

const unsigned char *end)

XiaokangQian

2021-09-13 07:30:09 +0000

[diff] [blame]

2072

{

2073

int ret = 0;

XiaokangQian

2021-10-09 10:12:11 +0000

[diff] [blame]

2074

size_t extensions_len;

XiaokangQian

140f045

2021-10-08 08:05:53 +0000

[diff] [blame]

2075

const unsigned char *p = buf;

XiaokangQian

8db25ff

2021-10-13 05:56:18 +0000

[diff] [blame]

2076

const unsigned char *extensions_end;

Jerry Yu

2022-10-29 09:08:47 +0800

[diff] [blame]

2077

mbedtls_ssl_handshake_params *handshake = ssl->handshake;

XiaokangQian

2021-09-13 07:30:09 +0000

[diff] [blame]

2078

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2079

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);

2080

extensions_len = MBEDTLS_GET_UINT16_BE(p, 0);

XiaokangQian

2021-10-09 10:12:11 +0000

[diff] [blame]

2081

p += 2;

XiaokangQian

2021-09-13 07:30:09 +0000

[diff] [blame]

2082

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2083

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, extensions_len);

Ronald Cron

c808359

2022-05-31 16:24:05 +0200

[diff] [blame]

2084

extensions_end = p + extensions_len;

XiaokangQian

2021-09-13 07:30:09 +0000

[diff] [blame]

2085

Jan Bruckner

5a3629b

2023-02-23 12:08:09 +0100

[diff] [blame]

2086

MBEDTLS_SSL_DEBUG_BUF(3, "encrypted extensions", p, extensions_len);

2087

Jerry Yu

9eba750

2022-10-31 13:46:16 +0800

[diff] [blame]

2088

handshake->received_extensions = MBEDTLS_SSL_EXT_MASK_NONE;

Jerry Yu

2022-08-04 16:55:10 +0800

[diff] [blame]

2089

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2090

while (p < extensions_end) {

XiaokangQian

2021-10-09 10:12:11 +0000

[diff] [blame]

2091

unsigned int extension_type;

2092

size_t extension_data_len;

XiaokangQian

2021-09-13 07:30:09 +0000

[diff] [blame]

2093

XiaokangQian

2021-10-09 10:12:11 +0000

[diff] [blame]

2094

/*

2095

* struct {

XiaokangQian

2021-10-11 10:05:54 +0000

[diff] [blame]

2096

* ExtensionType extension_type; (2 bytes)

2097

* opaque extension_data<0..2^16-1>;

XiaokangQian

2021-10-09 10:12:11 +0000

[diff] [blame]

2098

* } Extension;

2099

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2100

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, extensions_end, 4);

2101

extension_type = MBEDTLS_GET_UINT16_BE(p, 0);

2102

extension_data_len = MBEDTLS_GET_UINT16_BE(p, 2);

XiaokangQian

2021-10-09 10:12:11 +0000

[diff] [blame]

2103

p += 4;

2104

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2105

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, extensions_end, extension_data_len);

XiaokangQian

2021-09-13 07:30:09 +0000

[diff] [blame]

2106

Jerry Yu

2022-10-29 09:08:47 +0800

[diff] [blame]

2107

ret = mbedtls_ssl_tls13_check_received_extension(

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2108

ssl, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS, extension_type,

2109

MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_EE);

2110

if (ret != 0) {

2111

return ret;

2112

}

Jerry Yu

2022-08-04 16:55:10 +0800

[diff] [blame]

2113

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2114

switch (extension_type) {

lhuang04

2022-01-21 07:34:27 -0800

[diff] [blame]

2115

#if defined(MBEDTLS_SSL_ALPN)

2116

case MBEDTLS_TLS_EXT_ALPN:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2117

MBEDTLS_SSL_DEBUG_MSG(3, ("found alpn extension"));

lhuang04

2022-01-21 07:34:27 -0800

[diff] [blame]

2118

Xiaokang Qian

2023-03-29 10:37:35 +0000

[diff] [blame]

2119

if ((ret = ssl_tls13_parse_alpn_ext(

2120

ssl, p, (size_t) extension_data_len)) != 0) {

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2121

return ret;

lhuang04

2022-01-21 07:34:27 -0800

[diff] [blame]

}

break;

#endif /* MBEDTLS_SSL_ALPN */

Xiaokang Qian

8bee899

2022-10-27 10:21:05 +0000

[diff] [blame]

2126

2127

#if defined(MBEDTLS_SSL_EARLY_DATA)

2128

case MBEDTLS_TLS_EXT_EARLY_DATA:

Xiaokang Qian

ca09afc

2022-11-22 10:05:19 +0000

[diff] [blame]

2129

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2130

if (extension_data_len != 0) {

Xiaokang Qian

ca09afc

2022-11-22 10:05:19 +0000

[diff] [blame]

2131

/* The message must be empty. */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2132

MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,

2133

MBEDTLS_ERR_SSL_DECODE_ERROR);

2134

return MBEDTLS_ERR_SSL_DECODE_ERROR;

Xiaokang Qian

ca09afc

2022-11-22 10:05:19 +0000

[diff] [blame]

2135

}

2136

Xiaokang Qian

8bee899

2022-10-27 10:21:05 +0000

[diff] [blame]

2137

break;

2138

#endif /* MBEDTLS_SSL_EARLY_DATA */

2139

Jan Bruckner

151f642

2023-02-10 12:45:19 +0100

[diff] [blame]

2140

#if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)

2141

case MBEDTLS_TLS_EXT_RECORD_SIZE_LIMIT:

2142

MBEDTLS_SSL_DEBUG_MSG(3, ("found record_size_limit extension"));

2143

Xiaokang Qian

2023-03-29 10:37:35 +0000

[diff] [blame]

2144

ret = mbedtls_ssl_tls13_parse_record_size_limit_ext(

2145

ssl, p, p + extension_data_len);

Jan Bruckner

f482dcc

2023-03-15 09:09:06 +0100

[diff] [blame]

2146

if (ret != 0) {

2147

MBEDTLS_SSL_DEBUG_RET(

2148

1, ("mbedtls_ssl_tls13_parse_record_size_limit_ext"), ret);

2149

return ret;

2150

}

Jan Bruckner

151f642

2023-02-10 12:45:19 +0100

[diff] [blame]

2151

break;

2152

#endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */

2153

XiaokangQian

2021-10-09 10:12:11 +0000

[diff] [blame]

2154

default:

Jerry Yu

79aa721

2022-11-08 21:30:21 +0800

[diff] [blame]

2155

MBEDTLS_SSL_PRINT_EXT(

Jerry Yu

9eba750

2022-10-31 13:46:16 +0800

[diff] [blame]

2156

3, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS,

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2157

extension_type, "( ignored )");

Jerry Yu

2022-08-04 16:55:10 +0800

[diff] [blame]

2158

break;

XiaokangQian

2021-10-09 10:12:11 +0000

[diff] [blame]

2159

}

2160

XiaokangQian

2021-10-09 10:12:11 +0000

[diff] [blame]

2161

p += extension_data_len;

XiaokangQian

2021-10-11 10:05:54 +0000

[diff] [blame]

2162

}

XiaokangQian

2021-10-09 10:12:11 +0000

[diff] [blame]

2163

Waleed Elmelegy

049cd30

2023-12-20 17:28:31 +0000

[diff] [blame]

2164

if ((handshake->received_extensions & MBEDTLS_SSL_EXT_MASK(RECORD_SIZE_LIMIT)) &&

2165

(handshake->received_extensions & MBEDTLS_SSL_EXT_MASK(MAX_FRAGMENT_LENGTH))) {

Waleed Elmelegy

6a971fd

2023-12-28 17:48:16 +0000

[diff] [blame]

2166

MBEDTLS_SSL_DEBUG_MSG(3,

2167

(

2168

"Record size limit extension cannot be used with max fragment length extension"));

Waleed Elmelegy

049cd30

2023-12-20 17:28:31 +0000

[diff] [blame]

2169

MBEDTLS_SSL_PEND_FATAL_ALERT(

2170

MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,

2171

MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);

2172

return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;

2173

}

2174

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2175

MBEDTLS_SSL_PRINT_EXTS(3, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS,

2176

handshake->received_extensions);

Jerry Yu

2022-08-04 16:55:10 +0800

[diff] [blame]

2177

XiaokangQian

2021-10-11 10:05:54 +0000

[diff] [blame]

2178

/* Check that we consumed all the message. */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2179

if (p != end) {

2180

MBEDTLS_SSL_DEBUG_MSG(1, ("EncryptedExtension lengths misaligned"));

2181

MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,

2182

MBEDTLS_ERR_SSL_DECODE_ERROR);

2183

return MBEDTLS_ERR_SSL_DECODE_ERROR;

XiaokangQian

2021-09-13 07:30:09 +0000

[diff] [blame]

2184

}

2185

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2186

return ret;

XiaokangQian

2021-09-13 07:30:09 +0000

[diff] [blame]

2187

}

2188

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

2189

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2190

static int ssl_tls13_process_encrypted_extensions(mbedtls_ssl_context *ssl)

Ronald Cron

2022-05-30 16:05:38 +0200

[diff] [blame]

{

int ret;

unsigned char *buf;

size_t buf_len;

Jerry Yu

2023-10-31 16:40:01 +0800

[diff] [blame]

2195

mbedtls_ssl_handshake_params *handshake = ssl->handshake;

Ronald Cron

2022-05-30 16:05:38 +0200

[diff] [blame]

2196

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2197

MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse encrypted extensions"));

Ronald Cron

2022-05-30 16:05:38 +0200

[diff] [blame]

2198

Xiaokang Qian

2023-03-29 10:37:35 +0000

[diff] [blame]

2199

MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_tls13_fetch_handshake_msg(

2200

ssl, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS,

2201

&buf, &buf_len));

Ronald Cron

2022-05-30 16:05:38 +0200

[diff] [blame]

2202

2203

/* Process the message contents */

2204

MBEDTLS_SSL_PROC_CHK(

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2205

ssl_tls13_parse_encrypted_extensions(ssl, buf, buf + buf_len));

Ronald Cron

2022-05-30 16:05:38 +0200

[diff] [blame]

2206

Xiaokang Qian

b157e91

2022-11-23 08:12:26 +0000

[diff] [blame]

2207

#if defined(MBEDTLS_SSL_EARLY_DATA)

Jerry Yu

2023-10-31 16:40:01 +0800

[diff] [blame]

2208

if (handshake->received_extensions & MBEDTLS_SSL_EXT_MASK(EARLY_DATA)) {

2209

/* RFC8446 4.2.11

2210

* If the server supplies an "early_data" extension, the

2211

* client MUST verify that the server's selected_identity

2212

* is 0. If any other value is returned, the client MUST

2213

* abort the handshake with an "illegal_parameter" alert.

2214

*

2215

* RFC 8446 4.2.10

2216

* In order to accept early data, the server MUST have accepted a PSK

2217

* cipher suite and selected the first key offered in the client's

2218

* "pre_shared_key" extension. In addition, it MUST verify that the

2219

* following values are the same as those associated with the

2220

* selected PSK:

2221

* - The TLS version number

2222

* - The selected cipher suite

2223

* - The selected ALPN [RFC7301] protocol, if any

2224

*

Yanray Wang

03a0076

2023-12-01 17:40:19 +0800

[diff] [blame]

2225

* The server has sent an early data extension in its Encrypted

2226

* Extension message thus accepted to receive early data. We

2227

* check here that the additional constraints on the handshake

2228

* parameters, when early data are exchanged, are met,

2229

* namely:

Yanray Wang

744577a

2023-12-01 22:33:59 +0800

[diff] [blame]

2230

* - a PSK has been selected for the handshake

Yanray Wang

03a0076

2023-12-01 17:40:19 +0800

[diff] [blame]

2231

* - the selected PSK for the handshake was the first one proposed

2232

* by the client.

2233

* - the selected ciphersuite for the handshake is the ciphersuite

2234

* associated with the selected PSK.

Jerry Yu

2023-10-31 16:40:01 +0800

[diff] [blame]

2235

*/

Yanray Wang

744577a

2023-12-01 22:33:59 +0800

[diff] [blame]

2236

if ((!mbedtls_ssl_tls13_key_exchange_mode_with_psk(ssl)) ||

2237

handshake->selected_identity != 0 ||

Jerry Yu

2023-10-31 16:40:01 +0800

[diff] [blame]

2238

handshake->ciphersuite_info->id !=

2239

ssl->session_negotiate->ciphersuite) {

2240

2241

MBEDTLS_SSL_PEND_FATAL_ALERT(

2242

MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,

2243

MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);

2244

return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;

2245

}

2246

Ronald Cron

2024-03-03 15:03:22 +0100

[diff] [blame]

2247

ssl->early_data_state = MBEDTLS_SSL_EARLY_DATA_STATE_ACCEPTED;

Ronald Cron

2024-03-03 15:46:57 +0100

[diff] [blame]

2248

} else if (ssl->early_data_state !=

2249

MBEDTLS_SSL_EARLY_DATA_STATE_NO_IND_SENT) {

Ronald Cron

2024-03-03 15:03:22 +0100

[diff] [blame]

2250

ssl->early_data_state = MBEDTLS_SSL_EARLY_DATA_STATE_REJECTED;

Xiaokang Qian

b157e91

2022-11-23 08:12:26 +0000

[diff] [blame]

}

#endif

Yanray Wang

2023-11-30 14:06:14 +0800

[diff] [blame]

2254

/*

Yanray Wang

9ae6534

2023-12-01 17:46:06 +0800

[diff] [blame]

2255

* In case the client has proposed a PSK associated with a ticket,

2256

* `ssl->session_negotiate->ciphersuite` still contains at this point the

2257

* identifier of the ciphersuite associated with the ticket. This is that

2258

* way because, if an exchange of early data is agreed upon, we need

2259

* it to check that the ciphersuite selected for the handshake is the

2260

* ticket ciphersuite (see above). This information is not needed

2261

* anymore thus we can now set it to the identifier of the ciphersuite

2262

* used in this session under negotiation.

Yanray Wang

a29db7d

2023-11-30 14:06:14 +0800

[diff] [blame]

2263

*/

2264

ssl->session_negotiate->ciphersuite = handshake->ciphersuite_info->id;

2265

Xiaokang Qian

2023-03-29 10:37:35 +0000

[diff] [blame]

2266

MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(

2267

ssl, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS,

2268

buf, buf_len));

Ronald Cron

2022-05-30 16:05:38 +0200

[diff] [blame]

2269

Ronald Cron

2022-10-04 16:14:26 +0200

[diff] [blame]

2270

#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2271

if (mbedtls_ssl_tls13_key_exchange_mode_with_psk(ssl)) {

2272

mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_FINISHED);

2273

} else {

2274

mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CERTIFICATE_REQUEST);

2275

}

Ronald Cron

2022-05-31 14:49:55 +0200

[diff] [blame]

2276

#else

2277

((void) ssl);

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2278

mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_FINISHED);

Ronald Cron

2022-05-31 14:49:55 +0200

[diff] [blame]

2279

#endif

Ronald Cron

2022-05-30 16:05:38 +0200

[diff] [blame]

cleanup:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2283

MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse encrypted extensions"));

2284

return ret;

Ronald Cron

2022-05-30 16:05:38 +0200

[diff] [blame]

}

Ronald Cron

2024-02-21 16:37:16 +0100

[diff] [blame]

2288

#if defined(MBEDTLS_SSL_EARLY_DATA)

Xiaokang Qian

2022-10-28 06:04:06 +0000

[diff] [blame]

2289

/*

2290

* Handler for MBEDTLS_SSL_END_OF_EARLY_DATA

2291

*

Xiaokang Qian

c81a15a

2022-12-19 02:43:33 +0000

[diff] [blame]

2292

* RFC 8446 section 4.5

Xiaokang Qian

2022-10-28 06:04:06 +0000

[diff] [blame]

2293

*

Xiaokang Qian

2022-10-28 06:04:06 +0000

[diff] [blame]

2294

* struct {} EndOfEarlyData;

Xiaokang Qian

c81a15a

2022-12-19 02:43:33 +0000

[diff] [blame]

2295

*

2296

* If the server sent an "early_data" extension in EncryptedExtensions, the

2297

* client MUST send an EndOfEarlyData message after receiving the server

2298

* Finished. Otherwise, the client MUST NOT send an EndOfEarlyData message.

Xiaokang Qian

2022-10-28 06:04:06 +0000

[diff] [blame]

2299

*/

2300

Xiaokang Qian

2022-10-28 06:04:06 +0000

[diff] [blame]

2301

MBEDTLS_CHECK_RETURN_CRITICAL

Xiaokang Qian

2022-10-28 06:04:06 +0000

[diff] [blame]

2302

static int ssl_tls13_write_end_of_early_data(mbedtls_ssl_context *ssl)

2303

{

2304

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

Xiaokang Qian

742578c

2022-12-19 06:34:44 +0000

[diff] [blame]

2305

unsigned char *buf = NULL;

2306

size_t buf_len;

Xiaokang Qian

57a138d

2022-12-19 06:40:47 +0000

[diff] [blame]

2307

MBEDTLS_SSL_DEBUG_MSG(2, ("=> write EndOfEarlyData"));

Xiaokang Qian

2022-10-28 06:04:06 +0000

[diff] [blame]

2308

Xiaokang Qian

742578c

2022-12-19 06:34:44 +0000

[diff] [blame]

2309

MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_start_handshake_msg(

Xiaokang Qian

2023-02-08 06:04:50 +0000

[diff] [blame]

2310

ssl, MBEDTLS_SSL_HS_END_OF_EARLY_DATA,

2311

&buf, &buf_len));

Xiaokang Qian

2022-10-28 06:04:06 +0000

[diff] [blame]

2312

Manuel Pégourié-Gonnard

63e33dd

2023-02-21 15:45:15 +0100

[diff] [blame]

2313

MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_hdr_to_checksum(

2314

ssl, MBEDTLS_SSL_HS_END_OF_EARLY_DATA, 0));

Xiaokang Qian

2022-10-28 06:04:06 +0000

[diff] [blame]

2315

Xiaokang Qian

742578c

2022-12-19 06:34:44 +0000

[diff] [blame]

2316

MBEDTLS_SSL_PROC_CHK(

2317

mbedtls_ssl_finish_handshake_msg(ssl, buf_len, 0));

Xiaokang Qian

da8402d

2022-12-15 14:55:35 +0000

[diff] [blame]

2318

Xiaokang Qian

19d4416

2023-01-03 03:39:50 +0000

[diff] [blame]

2319

mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE);

Xiaokang Qian

2022-10-28 06:04:06 +0000

[diff] [blame]

cleanup:

MBEDTLS_SSL_DEBUG_MSG(2, ("<= write EndOfEarlyData"));

return ret;

}

Ronald Cron

2024-02-21 17:03:22 +0100

[diff] [blame]

2327

int mbedtls_ssl_get_early_data_status(mbedtls_ssl_context *ssl)

2328

{

Ronald Cron

f19989d

2024-02-22 12:05:42 +0100

[diff] [blame]

2329

if ((ssl->conf->endpoint != MBEDTLS_SSL_IS_CLIENT) ||

Ronald Cron

2024-02-21 17:03:22 +0100

[diff] [blame]

2330

(!mbedtls_ssl_is_handshake_over(ssl))) {

2331

return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;

2332

}

2333

Ronald Cron

2024-03-03 15:03:22 +0100

[diff] [blame]

2334

switch (ssl->early_data_state) {

Ronald Cron

2024-03-03 15:46:57 +0100

[diff] [blame]

2335

case MBEDTLS_SSL_EARLY_DATA_STATE_NO_IND_SENT:

Ronald Cron

840de7f

2024-03-11 17:49:35 +0100

[diff] [blame]

2336

return MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_INDICATED;

Ronald Cron

2024-02-21 17:03:22 +0100

[diff] [blame]

2337

break;

2338

Ronald Cron

2024-03-03 15:03:22 +0100

[diff] [blame]

2339

case MBEDTLS_SSL_EARLY_DATA_STATE_REJECTED:

Ronald Cron

2024-02-21 17:03:22 +0100

[diff] [blame]

2340

return MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED;

2341

break;

2342

Ronald Cron

2024-03-03 15:03:22 +0100

[diff] [blame]

2343

case MBEDTLS_SSL_EARLY_DATA_STATE_SERVER_FINISHED_RECEIVED:

Ronald Cron

2024-02-21 17:03:22 +0100

[diff] [blame]

2344

return MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED;

break;

default:

return MBEDTLS_ERR_SSL_INTERNAL_ERROR;

2349

}

2350

}

Ronald Cron

e21c2d2

2024-02-21 16:37:16 +0100

[diff] [blame]

2351

#endif /* MBEDTLS_SSL_EARLY_DATA */

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

2352

Ronald Cron

2022-10-04 16:14:26 +0200

[diff] [blame]

2353

#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

2354

/*

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2355

* STATE HANDLING: CertificateRequest

2356

*

Jerry Yu

2021-10-29 10:08:19 +0800

[diff] [blame]

2357

*/

Xiaofei Bai

2022-01-20 08:25:00 +0000

[diff] [blame]

2358

#define SSL_CERTIFICATE_REQUEST_EXPECT_REQUEST 0

2359

#define SSL_CERTIFICATE_REQUEST_SKIP 1

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2360

/* Coordination:

2361

* Deals with the ambiguity of not knowing if a CertificateRequest

2362

* will be sent. Returns a negative code on failure, or

2363

* - SSL_CERTIFICATE_REQUEST_EXPECT_REQUEST

2364

* - SSL_CERTIFICATE_REQUEST_SKIP

2365

* indicating if a Certificate Request is expected or not.

2366

*/

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

2367

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2368

static int ssl_tls13_certificate_request_coordinate(mbedtls_ssl_context *ssl)

Jerry Yu

2021-10-29 10:08:19 +0800

[diff] [blame]

2369

{

Xiaofei Bai

de3f13e

2022-01-18 05:47:05 +0000

[diff] [blame]

2370

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

Jerry Yu

2021-10-29 10:08:19 +0800

[diff] [blame]

2371

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2372

if ((ret = mbedtls_ssl_read_record(ssl, 0)) != 0) {

2373

MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);

2374

return ret;

Jerry Yu

2021-10-29 10:08:19 +0800

[diff] [blame]

2375

}

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2376

ssl->keep_current_message = 1;

Jerry Yu

2021-10-29 10:08:19 +0800

[diff] [blame]

2377

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2378

if ((ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE) &&

2379

(ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE_REQUEST)) {

2380

MBEDTLS_SSL_DEBUG_MSG(3, ("got a certificate request"));

2381

return SSL_CERTIFICATE_REQUEST_EXPECT_REQUEST;

Jerry Yu

2021-10-29 10:08:19 +0800

[diff] [blame]

2382

}

2383

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2384

MBEDTLS_SSL_DEBUG_MSG(3, ("got no certificate request"));

Ronald Cron

1938588

2022-06-15 16:26:13 +0200

[diff] [blame]

2385

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2386

return SSL_CERTIFICATE_REQUEST_SKIP;

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2387

}

2388

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2389

/*

2390

* ssl_tls13_parse_certificate_request()

2391

* Parse certificate request

2392

* struct {

2393

* opaque certificate_request_context<0..2^8-1>;

2394

* Extension extensions<2..2^16-1>;

2395

* } CertificateRequest;

2396

*/

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

2397

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2398

static int ssl_tls13_parse_certificate_request(mbedtls_ssl_context *ssl,

2399

const unsigned char *buf,

2400

const unsigned char *end)

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2401

{

2402

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

2403

const unsigned char *p = buf;

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2404

size_t certificate_request_context_len = 0;

Xiaofei Bai

2022-01-26 09:21:54 +0000

[diff] [blame]

2405

size_t extensions_len = 0;

2406

const unsigned char *extensions_end;

Jerry Yu

2022-10-29 09:08:47 +0800

[diff] [blame]

2407

mbedtls_ssl_handshake_params *handshake = ssl->handshake;

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2408

Xiaofei Bai

2022-01-26 09:21:54 +0000

[diff] [blame]

2409

/* ...

2410

* opaque certificate_request_context<0..2^8-1>

2411

* ...

2412

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2413

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 1);

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2414

certificate_request_context_len = (size_t) p[0];

Xiaofei Bai

2022-01-20 08:25:00 +0000

[diff] [blame]

2415

p += 1;

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2416

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2417

if (certificate_request_context_len > 0) {

2418

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, certificate_request_context_len);

2419

MBEDTLS_SSL_DEBUG_BUF(3, "Certificate Request Context",

2420

p, certificate_request_context_len);

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2421

Xiaofei Bai

2022-01-20 08:25:00 +0000

[diff] [blame]

2422

handshake->certificate_request_context =

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2423

mbedtls_calloc(1, certificate_request_context_len);

2424

if (handshake->certificate_request_context == NULL) {

2425

MBEDTLS_SSL_DEBUG_MSG(1, ("buffer too small"));

2426

return MBEDTLS_ERR_SSL_ALLOC_FAILED;

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2427

}

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2428

memcpy(handshake->certificate_request_context, p,

2429

certificate_request_context_len);

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2430

p += certificate_request_context_len;

2431

}

2432

Xiaofei Bai

2022-01-26 09:21:54 +0000

[diff] [blame]

2433

/* ...

2434

* Extension extensions<2..2^16-1>;

2435

* ...

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2436

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2437

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);

2438

extensions_len = MBEDTLS_GET_UINT16_BE(p, 0);

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2439

p += 2;

2440

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2441

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, extensions_len);

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2442

extensions_end = p + extensions_len;

2443

Jerry Yu

6d0e78b

2022-10-31 14:13:25 +0800

[diff] [blame]

2444

handshake->received_extensions = MBEDTLS_SSL_EXT_MASK_NONE;

Jerry Yu

2022-08-04 17:01:21 +0800

[diff] [blame]

2445

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2446

while (p < extensions_end) {

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2447

unsigned int extension_type;

2448

size_t extension_data_len;

2449

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2450

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, extensions_end, 4);

2451

extension_type = MBEDTLS_GET_UINT16_BE(p, 0);

2452

extension_data_len = MBEDTLS_GET_UINT16_BE(p, 2);

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2453

p += 4;

2454

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2455

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, extensions_end, extension_data_len);

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2456

Jerry Yu

2022-10-29 09:08:47 +0800

[diff] [blame]

2457

ret = mbedtls_ssl_tls13_check_received_extension(

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2458

ssl, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST, extension_type,

2459

MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CR);

2460

if (ret != 0) {

2461

return ret;

2462

}

Jerry Yu

2022-08-04 17:01:21 +0800

[diff] [blame]

2463

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2464

switch (extension_type) {

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2465

case MBEDTLS_TLS_EXT_SIG_ALG:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2466

MBEDTLS_SSL_DEBUG_MSG(3,

2467

("found signature algorithms extension"));

2468

ret = mbedtls_ssl_parse_sig_alg_ext(ssl, p,

2469

p + extension_data_len);

2470

if (ret != 0) {

2471

return ret;

2472

}

Jerry Yu

2022-08-04 17:01:21 +0800

[diff] [blame]

2473

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2474

break;

2475

2476

default:

Jerry Yu

79aa721

2022-11-08 21:30:21 +0800

[diff] [blame]

2477

MBEDTLS_SSL_PRINT_EXT(

Jerry Yu

6d0e78b

2022-10-31 14:13:25 +0800

[diff] [blame]

2478

3, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST,

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2479

extension_type, "( ignored )");

Xiaofei Bai

2022-01-26 09:21:54 +0000

[diff] [blame]

2480

break;

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2481

}

Jerry Yu

2022-08-04 17:01:21 +0800

[diff] [blame]

2482

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2483

p += extension_data_len;

2484

}

Jerry Yu

2022-08-04 17:01:21 +0800

[diff] [blame]

2485

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2486

MBEDTLS_SSL_PRINT_EXTS(3, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST,

2487

handshake->received_extensions);

Jerry Yu

2022-08-04 17:01:21 +0800

[diff] [blame]

2488

Xiaofei Bai

2022-01-20 08:25:00 +0000

[diff] [blame]

2489

/* Check that we consumed all the message. */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2490

if (p != end) {

2491

MBEDTLS_SSL_DEBUG_MSG(1,

2492

("CertificateRequest misaligned"));

Xiaofei Bai

c234ecf

2022-02-08 09:59:23 +0000

[diff] [blame]

2493

goto decode_error;

Xiaofei Bai

2022-01-20 08:25:00 +0000

[diff] [blame]

2494

}

Jerry Yu

2022-08-04 17:01:21 +0800

[diff] [blame]

2495

Jerry Yu

2022-08-29 15:25:36 +0800

[diff] [blame]

2496

/* RFC 8446 section 4.3.2

Jerry Yu

2022-08-04 17:01:21 +0800

[diff] [blame]

2497

*

2498

* The "signature_algorithms" extension MUST be specified

2499

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2500

if ((handshake->received_extensions & MBEDTLS_SSL_EXT_MASK(SIG_ALG)) == 0) {

2501

MBEDTLS_SSL_DEBUG_MSG(3,

2502

("no signature algorithms extension found"));

Xiaofei Bai

c234ecf

2022-02-08 09:59:23 +0000

[diff] [blame]

2503

goto decode_error;

Xiaofei Bai

2022-01-20 08:25:00 +0000

[diff] [blame]

2504

}

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2505

Jerry Yu

7840f81

2022-01-29 10:26:51 +0800

[diff] [blame]

2506

ssl->handshake->client_auth = 1;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2507

return 0;

Xiaofei Bai

51f515a

2022-02-08 07:28:04 +0000

[diff] [blame]

2508

Xiaofei Bai

c234ecf

2022-02-08 09:59:23 +0000

[diff] [blame]

2509

decode_error:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2510

MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,

2511

MBEDTLS_ERR_SSL_DECODE_ERROR);

2512

return MBEDTLS_ERR_SSL_DECODE_ERROR;

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2513

}

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2514

Xiaofei Bai

de3f13e

2022-01-18 05:47:05 +0000

[diff] [blame]

2515

/*

2516

* Handler for MBEDTLS_SSL_CERTIFICATE_REQUEST

2517

*/

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

2518

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2519

static int ssl_tls13_process_certificate_request(mbedtls_ssl_context *ssl)

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2520

{

Xiaofei Bai

de3f13e

2022-01-18 05:47:05 +0000

[diff] [blame]

2521

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2522

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2523

MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate request"));

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2524

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2525

MBEDTLS_SSL_PROC_CHK_NEG(ssl_tls13_certificate_request_coordinate(ssl));

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2526

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2527

if (ret == SSL_CERTIFICATE_REQUEST_EXPECT_REQUEST) {

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

unsigned char *buf;

size_t buf_len;

Xiaokang Qian

2023-03-29 10:37:35 +0000

[diff] [blame]

2531

MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_tls13_fetch_handshake_msg(

2532

ssl, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST,

2533

&buf, &buf_len));

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2534

Xiaokang Qian

2023-03-29 10:37:35 +0000

[diff] [blame]

2535

MBEDTLS_SSL_PROC_CHK(ssl_tls13_parse_certificate_request(

2536

ssl, buf, buf + buf_len));

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2537

Xiaokang Qian

2023-03-29 10:37:35 +0000

[diff] [blame]

2538

MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(

2539

ssl, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST,

2540

buf, buf_len));

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2541

} else if (ret == SSL_CERTIFICATE_REQUEST_SKIP) {

Xiaofei Bai

f6d3696

2022-01-16 14:54:35 +0000

[diff] [blame]

2542

ret = 0;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2543

} else {

2544

MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));

Xiaofei Bai

51f515a

2022-02-08 07:28:04 +0000

[diff] [blame]

2545

ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;

2546

goto cleanup;

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2547

}

2548

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2549

mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_CERTIFICATE);

Jerry Yu

2021-10-29 10:08:19 +0800

[diff] [blame]

2550

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2551

cleanup:

2552

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2553

MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse certificate request"));

2554

return ret;

Jerry Yu

2021-10-29 10:08:19 +0800

[diff] [blame]

2555

}

2556

2557

/*

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

2558

* Handler for MBEDTLS_SSL_SERVER_CERTIFICATE

2559

*/

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

2560

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2561

static int ssl_tls13_process_server_certificate(mbedtls_ssl_context *ssl)

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

2562

{

Xiaofei Bai

947571e

2021-09-29 09:12:03 +0000

[diff] [blame]

2563

int ret;

2564

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2565

ret = mbedtls_ssl_tls13_process_certificate(ssl);

2566

if (ret != 0) {

2567

return ret;

2568

}

Xiaofei Bai

947571e

2021-09-29 09:12:03 +0000

[diff] [blame]

2569

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2570

mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CERTIFICATE_VERIFY);

2571

return 0;

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

}

/*

* Handler for MBEDTLS_SSL_CERTIFICATE_VERIFY

2576

*/

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

2577

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2578

static int ssl_tls13_process_certificate_verify(mbedtls_ssl_context *ssl)

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

2579

{

Jerry Yu

30b071c

2021-09-12 20:16:03 +0800

[diff] [blame]

2580

int ret;

2581

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2582

ret = mbedtls_ssl_tls13_process_certificate_verify(ssl);

2583

if (ret != 0) {

2584

return ret;

2585

}

Jerry Yu

30b071c

2021-09-12 20:16:03 +0800

[diff] [blame]

2586

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2587

mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_FINISHED);

2588

return 0;

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

2589

}

Ronald Cron

2022-10-04 16:14:26 +0200

[diff] [blame]

2590

#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */

Ronald Cron

d4c6402

2021-12-06 09:06:46 +0100

[diff] [blame]

2591

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

2592

/*

2593

* Handler for MBEDTLS_SSL_SERVER_FINISHED

2594

*/

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

2595

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2596

static int ssl_tls13_process_server_finished(mbedtls_ssl_context *ssl)

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

2597

{

XiaokangQian

ac0385c

2021-11-03 06:40:11 +0000

[diff] [blame]

2598

int ret;

2599

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2600

ret = mbedtls_ssl_tls13_process_finished_message(ssl);

2601

if (ret != 0) {

2602

return ret;

2603

}

XiaokangQian

ac0385c

2021-11-03 06:40:11 +0000

[diff] [blame]

2604

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2605

ret = mbedtls_ssl_tls13_compute_application_transform(ssl);

2606

if (ret != 0) {

Jerry Yu

e3d67cb

2022-05-19 15:33:10 +0800

[diff] [blame]

2607

MBEDTLS_SSL_PEND_FATAL_ALERT(

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2608

MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,

2609

MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE);

2610

return ret;

Jerry Yu

e3d67cb

2022-05-19 15:33:10 +0800

[diff] [blame]

2611

}

2612

Xiaokang Qian

bc75bc0

2022-12-19 06:16:42 +0000

[diff] [blame]

2613

#if defined(MBEDTLS_SSL_EARLY_DATA)

Ronald Cron

2024-03-03 15:03:22 +0100

[diff] [blame]

2614

if (ssl->early_data_state == MBEDTLS_SSL_EARLY_DATA_STATE_ACCEPTED) {

2615

ssl->early_data_state = MBEDTLS_SSL_EARLY_DATA_STATE_SERVER_FINISHED_RECEIVED;

Xiaokang Qian

bc75bc0

2022-12-19 06:16:42 +0000

[diff] [blame]

2616

mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_END_OF_EARLY_DATA);

2617

} else

2618

#endif /* MBEDTLS_SSL_EARLY_DATA */

2619

{

2620

#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)

2621

mbedtls_ssl_handshake_set_state(

2622

ssl, MBEDTLS_SSL_CLIENT_CCS_AFTER_SERVER_FINISHED);

2623

#else

2624

mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE);

2625

#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */

2626

}

Ronald Cron

2021-11-24 16:25:31 +0100

[diff] [blame]

2627

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2628

return 0;

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

2629

}

2630

2631

/*

Jerry Yu

2022-01-26 15:41:22 +0800

[diff] [blame]

2632

* Handler for MBEDTLS_SSL_CLIENT_CERTIFICATE

2633

*/

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

2634

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2635

static int ssl_tls13_write_client_certificate(mbedtls_ssl_context *ssl)

Jerry Yu

2022-01-26 15:41:22 +0800

[diff] [blame]

2636

{

Ronald Cron

2022-03-09 07:44:27 +0100

[diff] [blame]

2637

int non_empty_certificate_msg = 0;

2638

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2639

MBEDTLS_SSL_DEBUG_MSG(1,

2640

("Switch to handshake traffic keys for outbound traffic"));

2641

mbedtls_ssl_set_outbound_transform(ssl, ssl->handshake->transform_handshake);

Jerry Yu

5cc3506

2022-01-28 16:16:08 +0800

[diff] [blame]

2642

Ronald Cron

2022-10-04 16:14:26 +0200

[diff] [blame]

2643

#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2644

if (ssl->handshake->client_auth) {

2645

int ret = mbedtls_ssl_tls13_write_certificate(ssl);

2646

if (ret != 0) {

2647

return ret;

2648

}

Ronald Cron

5bb8fc8

2022-03-09 07:00:13 +0100

[diff] [blame]

2649

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2650

if (mbedtls_ssl_own_cert(ssl) != NULL) {

Ronald Cron

2022-03-09 07:44:27 +0100

[diff] [blame]

2651

non_empty_certificate_msg = 1;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2652

}

2653

} else {

2654

MBEDTLS_SSL_DEBUG_MSG(2, ("skip write certificate"));

Ronald Cron

2022-03-09 07:44:27 +0100

[diff] [blame]

2655

}

Ronald Cron

9df7c80

2022-03-08 18:38:54 +0100

[diff] [blame]

2656

#endif

Ronald Cron

5bb8fc8

2022-03-09 07:00:13 +0100

[diff] [blame]

2657

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2658

if (non_empty_certificate_msg) {

2659

mbedtls_ssl_handshake_set_state(ssl,

2660

MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY);

2661

} else {

2662

MBEDTLS_SSL_DEBUG_MSG(2, ("skip write certificate verify"));

2663

mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_FINISHED);

2664

}

Ronald Cron

2022-03-09 07:44:27 +0100

[diff] [blame]

2665

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2666

return 0;

Jerry Yu

2022-01-26 15:41:22 +0800

[diff] [blame]

2667

}

2668

Ronald Cron

2022-10-04 16:14:26 +0200

[diff] [blame]

2669

#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)

Jerry Yu

2022-01-26 15:41:22 +0800

[diff] [blame]

2670

/*

2671

* Handler for MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY

2672

*/

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

2673

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2674

static int ssl_tls13_write_client_certificate_verify(mbedtls_ssl_context *ssl)

Jerry Yu

2022-01-26 15:41:22 +0800

[diff] [blame]

2675

{

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2676

int ret = mbedtls_ssl_tls13_write_certificate_verify(ssl);

Ronald Cron

a8b3887

2022-03-09 07:59:25 +0100

[diff] [blame]

2677

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2678

if (ret == 0) {

2679

mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_FINISHED);

2680

}

Ronald Cron

a8b3887

2022-03-09 07:59:25 +0100

[diff] [blame]

2681

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2682

return ret;

Jerry Yu

2022-01-26 15:41:22 +0800

[diff] [blame]

2683

}

Ronald Cron

2022-10-04 16:14:26 +0200

[diff] [blame]

2684

#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */

Jerry Yu

2022-01-26 15:41:22 +0800

[diff] [blame]

2685

2686

/*

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

2687

* Handler for MBEDTLS_SSL_CLIENT_FINISHED

2688

*/

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

2689

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2690

static int ssl_tls13_write_client_finished(mbedtls_ssl_context *ssl)

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

2691

{

XiaokangQian

0fa6643

2021-11-15 03:33:57 +0000

[diff] [blame]

2692

int ret;

2693

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2694

ret = mbedtls_ssl_tls13_write_finished_message(ssl);

2695

if (ret != 0) {

2696

return ret;

Jerry Yu

e3d67cb

2022-05-19 15:33:10 +0800

[diff] [blame]

2697

}

2698

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2699

ret = mbedtls_ssl_tls13_compute_resumption_master_secret(ssl);

2700

if (ret != 0) {

Xiaokang Qian

2023-03-29 10:37:35 +0000

[diff] [blame]

2701

MBEDTLS_SSL_DEBUG_RET(

2702

1, "mbedtls_ssl_tls13_compute_resumption_master_secret ", ret);

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

return ret;

}

mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_FLUSH_BUFFERS);

2707

return 0;

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

}

/*

* Handler for MBEDTLS_SSL_FLUSH_BUFFERS

2712

*/

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

2713

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2714

static int ssl_tls13_flush_buffers(mbedtls_ssl_context *ssl)

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

2715

{

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2716

MBEDTLS_SSL_DEBUG_MSG(2, ("handshake: done"));

2717

mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_WRAPUP);

2718

return 0;

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

}

/*

* Handler for MBEDTLS_SSL_HANDSHAKE_WRAPUP

2723

*/

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

2724

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2725

static int ssl_tls13_handshake_wrapup(mbedtls_ssl_context *ssl)

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

2726

{

Jerry Yu

378254d

2021-10-30 21:44:47 +0800

[diff] [blame]

2727

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2728

mbedtls_ssl_tls13_handshake_wrapup(ssl);

Jerry Yu

378254d

2021-10-30 21:44:47 +0800

[diff] [blame]

2729

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2730

mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_OVER);

2731

return 0;

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

2732

}

2733

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2734

#if defined(MBEDTLS_SSL_SESSION_TICKETS)

2735

Yanray Wang

2023-11-14 17:20:16 +0800

[diff] [blame]

2736

#if defined(MBEDTLS_SSL_EARLY_DATA)

2737

/* From RFC 8446 section 4.2.10

2738

*

2739

* struct {

2740

* select (Handshake.msg_type) {

2741

* case new_session_ticket: uint32 max_early_data_size;

2742

* ...

2743

* };

2744

* } EarlyDataIndication;

2745

*/

2746

MBEDTLS_CHECK_RETURN_CRITICAL

Yanray Wang

b3e207d

2023-11-30 16:49:49 +0800

[diff] [blame]

2747

static int ssl_tls13_parse_new_session_ticket_early_data_ext(

2748

mbedtls_ssl_context *ssl,

2749

const unsigned char *buf,

2750

const unsigned char *end)

Yanray Wang

2023-11-14 17:20:16 +0800

[diff] [blame]

2751

{

Yanray Wang

2023-11-23 16:35:54 +0800

[diff] [blame]

2752

mbedtls_ssl_session *session = ssl->session;

2753

Yanray Wang

2023-11-14 17:20:16 +0800

[diff] [blame]

2754

MBEDTLS_SSL_CHK_BUF_READ_PTR(buf, end, 4);

Yanray Wang

2023-11-14 17:20:16 +0800

[diff] [blame]

2755

Yanray Wang

2023-11-23 16:35:54 +0800

[diff] [blame]

2756

session->max_early_data_size = MBEDTLS_GET_UINT32_BE(buf, 0);

Pengyu Lv

2023-12-06 10:04:17 +0800

[diff] [blame]

2757

mbedtls_ssl_tls13_session_set_ticket_flags(

Yanray Wang

2023-11-23 16:35:54 +0800

[diff] [blame]

2758

session, MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_EARLY_DATA);

2759

MBEDTLS_SSL_DEBUG_MSG(

2760

3, ("received max_early_data_size: %u",

2761

(unsigned int) session->max_early_data_size));

Yanray Wang

2023-11-14 17:20:16 +0800

[diff] [blame]

2762

Yanray Wang

2023-11-23 16:35:54 +0800

[diff] [blame]

2763

return 0;

Yanray Wang

2023-11-14 17:20:16 +0800

[diff] [blame]

2764

}

2765

#endif /* MBEDTLS_SSL_EARLY_DATA */

2766

Jerry Yu

2022-07-13 11:22:55 +0800

[diff] [blame]

2767

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2768

static int ssl_tls13_parse_new_session_ticket_exts(mbedtls_ssl_context *ssl,

2769

const unsigned char *buf,

2770

const unsigned char *end)

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2771

{

Jerry Yu

2022-10-29 09:08:47 +0800

[diff] [blame]

2772

mbedtls_ssl_handshake_params *handshake = ssl->handshake;

Jerry Yu

af2c0c8

2022-07-12 05:47:21 +0000

[diff] [blame]

2773

const unsigned char *p = buf;

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2774

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2775

Jerry Yu

edab637

2022-10-31 14:37:31 +0800

[diff] [blame]

2776

handshake->received_extensions = MBEDTLS_SSL_EXT_MASK_NONE;

Jerry Yu

2022-08-04 17:53:25 +0800

[diff] [blame]

2777

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2778

while (p < end) {

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2779

unsigned int extension_type;

2780

size_t extension_data_len;

Jerry Yu

2022-08-29 15:25:36 +0800

[diff] [blame]

2781

int ret;

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2782

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2783

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 4);

2784

extension_type = MBEDTLS_GET_UINT16_BE(p, 0);

2785

extension_data_len = MBEDTLS_GET_UINT16_BE(p, 2);

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2786

p += 4;

2787

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2788

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, extension_data_len);

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2789

Jerry Yu

2022-10-29 09:08:47 +0800

[diff] [blame]

2790

ret = mbedtls_ssl_tls13_check_received_extension(

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2791

ssl, MBEDTLS_SSL_HS_NEW_SESSION_TICKET, extension_type,

2792

MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_NST);

2793

if (ret != 0) {

2794

return ret;

2795

}

Jerry Yu

2022-08-04 17:53:25 +0800

[diff] [blame]

2796

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2797

switch (extension_type) {

Xiaokang Qian

0cc4320

2022-11-16 08:43:50 +0000

[diff] [blame]

2798

#if defined(MBEDTLS_SSL_EARLY_DATA)

Xiaokang Qian

f447e8a

2022-11-08 07:02:27 +0000

[diff] [blame]

2799

case MBEDTLS_TLS_EXT_EARLY_DATA:

Yanray Wang

b3e207d

2023-11-30 16:49:49 +0800

[diff] [blame]

2800

ret = ssl_tls13_parse_new_session_ticket_early_data_ext(

Yanray Wang

2023-11-14 17:20:16 +0800

[diff] [blame]

2801

ssl, p, p + extension_data_len);

2802

if (ret != 0) {

2803

MBEDTLS_SSL_DEBUG_RET(

Yanray Wang

b3e207d

2023-11-30 16:49:49 +0800

[diff] [blame]

2804

1, "ssl_tls13_parse_new_session_ticket_early_data_ext",

2805

ret);

Xiaokang Qian

2d87a9e

2022-11-09 07:55:48 +0000

[diff] [blame]

2806

}

Xiaokang Qian

f447e8a

2022-11-08 07:02:27 +0000

[diff] [blame]

2807

break;

Xiaokang Qian

0cc4320

2022-11-16 08:43:50 +0000

[diff] [blame]

2808

#endif /* MBEDTLS_SSL_EARLY_DATA */

Xiaokang Qian

f447e8a

2022-11-08 07:02:27 +0000

[diff] [blame]

2809

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2810

default:

Jerry Yu

79aa721

2022-11-08 21:30:21 +0800

[diff] [blame]

2811

MBEDTLS_SSL_PRINT_EXT(

Jerry Yu

edab637

2022-10-31 14:37:31 +0800

[diff] [blame]

2812

3, MBEDTLS_SSL_HS_NEW_SESSION_TICKET,

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2813

extension_type, "( ignored )");

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2814

break;

2815

}

Jerry Yu

2022-08-04 17:53:25 +0800

[diff] [blame]

2816

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2817

p += extension_data_len;

2818

}

2819

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2820

MBEDTLS_SSL_PRINT_EXTS(3, MBEDTLS_SSL_HS_NEW_SESSION_TICKET,

2821

handshake->received_extensions);

Jerry Yu

2022-08-04 17:53:25 +0800

[diff] [blame]

2822

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2823

return 0;

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2824

}

2825

2826

/*

Jerry Yu

08aed4d

2022-07-20 10:36:12 +0800

[diff] [blame]

2827

* From RFC8446, page 74

2828

*

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2829

* struct {

2830

* uint32 ticket_lifetime;

2831

* uint32 ticket_age_add;

2832

* opaque ticket_nonce<0..255>;

2833

* opaque ticket<1..2^16-1>;

2834

* Extension extensions<0..2^16-2>;

2835

* } NewSessionTicket;

2836

*

2837

*/

Jerry Yu

2022-07-13 11:22:55 +0800

[diff] [blame]

2838

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2839

static int ssl_tls13_parse_new_session_ticket(mbedtls_ssl_context *ssl,

2840

unsigned char *buf,

2841

unsigned char *end,

2842

unsigned char **ticket_nonce,

2843

size_t *ticket_nonce_len)

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2844

{

2845

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

2846

unsigned char *p = buf;

2847

mbedtls_ssl_session *session = ssl->session;

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2848

size_t ticket_len;

2849

unsigned char *ticket;

2850

size_t extensions_len;

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2851

Jerry Yu

2022-07-12 06:09:38 +0000

[diff] [blame]

2852

*ticket_nonce = NULL;

2853

*ticket_nonce_len = 0;

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2854

/*

2855

* ticket_lifetime 4 bytes

2856

* ticket_age_add 4 bytes

Jerry Yu

08aed4d

2022-07-20 10:36:12 +0800

[diff] [blame]

2857

* ticket_nonce_len 1 byte

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2858

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2859

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 9);

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2860

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2861

session->ticket_lifetime = MBEDTLS_GET_UINT32_BE(p, 0);

2862

MBEDTLS_SSL_DEBUG_MSG(3,

2863

("ticket_lifetime: %u",

2864

(unsigned int) session->ticket_lifetime));

Jerry Yu

8e0174a

2023-11-10 13:58:16 +0800

[diff] [blame]

2865

if (session->ticket_lifetime >

2866

MBEDTLS_SSL_TLS1_3_MAX_ALLOWED_TICKET_LIFETIME) {

Jerry Yu

46c7926

2023-11-10 13:58:16 +0800

[diff] [blame]

2867

MBEDTLS_SSL_DEBUG_MSG(3, ("ticket_lifetime exceeds 7 days."));

Jerry Yu

cf91351

2023-11-14 11:06:52 +0800

[diff] [blame]

2868

return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;

Jerry Yu

46c7926

2023-11-10 13:58:16 +0800

[diff] [blame]

2869

}

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2870

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2871

session->ticket_age_add = MBEDTLS_GET_UINT32_BE(p, 4);

2872

MBEDTLS_SSL_DEBUG_MSG(3,

2873

("ticket_age_add: %u",

2874

(unsigned int) session->ticket_age_add));

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2875

Jerry Yu

2022-07-12 06:09:38 +0000

[diff] [blame]

2876

*ticket_nonce_len = p[8];

2877

p += 9;

2878

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2879

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, *ticket_nonce_len);

Jerry Yu

2022-07-12 06:09:38 +0000

[diff] [blame]

2880

*ticket_nonce = p;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2881

MBEDTLS_SSL_DEBUG_BUF(3, "ticket_nonce:", *ticket_nonce, *ticket_nonce_len);

Jerry Yu

2022-07-12 06:09:38 +0000

[diff] [blame]

2882

p += *ticket_nonce_len;

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2883

2884

/* Ticket */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2885

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);

2886

ticket_len = MBEDTLS_GET_UINT16_BE(p, 0);

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2887

p += 2;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2888

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, ticket_len);

2889

MBEDTLS_SSL_DEBUG_BUF(3, "received ticket", p, ticket_len);

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2890

2891

/* Check if we previously received a ticket already. */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2892

if (session->ticket != NULL || session->ticket_len > 0) {

2893

mbedtls_free(session->ticket);

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2894

session->ticket = NULL;

2895

session->ticket_len = 0;

2896

}

2897

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2898

if ((ticket = mbedtls_calloc(1, ticket_len)) == NULL) {

2899

MBEDTLS_SSL_DEBUG_MSG(1, ("ticket alloc failed"));

2900

return MBEDTLS_ERR_SSL_ALLOC_FAILED;

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2901

}

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2902

memcpy(ticket, p, ticket_len);

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2903

p += ticket_len;

2904

session->ticket = ticket;

2905

session->ticket_len = ticket_len;

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2906

Pengyu Lv

2022-11-17 15:22:33 +0800

[diff] [blame]

2907

/* Clear all flags in ticket_flags */

Pengyu Lv

2023-12-06 10:04:17 +0800

[diff] [blame]

2908

mbedtls_ssl_tls13_session_clear_ticket_flags(

Pengyu Lv

9eacb44

2022-12-09 14:39:19 +0800

[diff] [blame]

2909

session, MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK);

Pengyu Lv

2022-11-17 15:22:33 +0800

[diff] [blame]

2910

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2911

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);

2912

extensions_len = MBEDTLS_GET_UINT16_BE(p, 0);

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2913

p += 2;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2914

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, extensions_len);

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2915

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2916

MBEDTLS_SSL_DEBUG_BUF(3, "ticket extension", p, extensions_len);

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2917

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2918

ret = ssl_tls13_parse_new_session_ticket_exts(ssl, p, p + extensions_len);

2919

if (ret != 0) {

2920

MBEDTLS_SSL_DEBUG_RET(1,

2921

"ssl_tls13_parse_new_session_ticket_exts",

2922

ret);

2923

return ret;

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2924

}

Jerry Yu

2022-07-12 06:09:38 +0000

[diff] [blame]

2925

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2926

return 0;

Jerry Yu

2022-07-12 06:09:38 +0000

[diff] [blame]

2927

}

2928

Ronald Cron

2024-03-08 17:51:23 +0100

[diff] [blame]

2929

/* Non negative return values for ssl_tls13_postprocess_new_session_ticket().

2930

* - POSTPROCESS_NEW_SESSION_TICKET_SIGNAL, all good, we have to signal the

2931

* application that a valid ticket has been received.

2932

* - POSTPROCESS_NEW_SESSION_TICKET_DISCARD, no fatal error, we keep the

2933

* connection alive but we do not signal the ticket to the application.

2934

*/

2935

#define POSTPROCESS_NEW_SESSION_TICKET_SIGNAL 0

2936

#define POSTPROCESS_NEW_SESSION_TICKET_DISCARD 1

Jerry Yu

2022-07-13 11:22:55 +0800

[diff] [blame]

2937

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2938

static int ssl_tls13_postprocess_new_session_ticket(mbedtls_ssl_context *ssl,

2939

unsigned char *ticket_nonce,

2940

size_t ticket_nonce_len)

Jerry Yu

2022-07-12 06:09:38 +0000

[diff] [blame]

2941

{

2942

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

2943

mbedtls_ssl_session *session = ssl->session;

2944

const mbedtls_ssl_ciphersuite_t *ciphersuite_info;

2945

psa_algorithm_t psa_hash_alg;

2946

int hash_length;

2947

Ronald Cron

2024-03-08 17:51:23 +0100

[diff] [blame]

2948

if (session->ticket_lifetime == 0) {

2949

return POSTPROCESS_NEW_SESSION_TICKET_DISCARD;

2950

}

2951

Jerry Yu

2022-07-13 11:16:51 +0800

[diff] [blame]

2952

#if defined(MBEDTLS_HAVE_TIME)

2953

/* Store ticket creation time */

Jerry Yu

342a555

2023-11-10 14:23:39 +0800

[diff] [blame]

2954

session->ticket_reception_time = mbedtls_ms_time();

Jerry Yu

2022-07-13 11:16:51 +0800

[diff] [blame]

2955

#endif

2956

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2957

ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(session->ciphersuite);

2958

if (ciphersuite_info == NULL) {

2959

MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));

2960

return MBEDTLS_ERR_SSL_INTERNAL_ERROR;

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2961

}

2962

Dave Rodgman

2eab462

2023-10-05 13:30:37 +0100

[diff] [blame]

2963

psa_hash_alg = mbedtls_md_psa_alg_from_type((mbedtls_md_type_t) ciphersuite_info->mac);

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2964

hash_length = PSA_HASH_LENGTH(psa_hash_alg);

2965

if (hash_length == -1 ||

2966

(size_t) hash_length > sizeof(session->resumption_key)) {

2967

return MBEDTLS_ERR_SSL_INTERNAL_ERROR;

Jerry Yu

3afdf36

2022-07-20 17:34:14 +0800

[diff] [blame]

2968

}

2969

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2970

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2971

MBEDTLS_SSL_DEBUG_BUF(3, "resumption_master_secret",

2972

session->app_secrets.resumption_master_secret,

2973

hash_length);

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2974

Jerry Yu

2022-07-13 11:16:51 +0800

[diff] [blame]

2975

/* Compute resumption key

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2976

*

2977

* HKDF-Expand-Label( resumption_master_secret,

2978

* "resumption", ticket_nonce, Hash.length )

2979

*/

2980

ret = mbedtls_ssl_tls13_hkdf_expand_label(

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2981

psa_hash_alg,

2982

session->app_secrets.resumption_master_secret,

2983

hash_length,

2984

MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(resumption),

2985

ticket_nonce,

2986

ticket_nonce_len,

2987

session->resumption_key,

2988

hash_length);

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2989

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2990

if (ret != 0) {

2991

MBEDTLS_SSL_DEBUG_RET(2,

2992

"Creating the ticket-resumed PSK failed",

2993

ret);

2994

return ret;

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2995

}

2996

Jerry Yu

0a430c8

2022-07-20 11:02:48 +0800

[diff] [blame]

2997

session->resumption_key_len = hash_length;

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2998

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2999

MBEDTLS_SSL_DEBUG_BUF(3, "Ticket-resumed PSK",

3000

session->resumption_key,

3001

session->resumption_key_len);

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

3002

Pengyu Lv

2022-11-17 15:22:33 +0800

[diff] [blame]

3003

/* Set ticket_flags depends on the selected key exchange modes */

Pengyu Lv

2023-12-06 10:04:17 +0800

[diff] [blame]

3004

mbedtls_ssl_tls13_session_set_ticket_flags(

Pengyu Lv

9eacb44

2022-12-09 14:39:19 +0800

[diff] [blame]

3005

session, ssl->conf->tls13_kex_modes);

Pengyu Lv

4938a56

2023-01-16 11:28:49 +0800

[diff] [blame]

3006

MBEDTLS_SSL_PRINT_TICKET_FLAGS(4, session->ticket_flags);

Pengyu Lv

2022-11-17 15:22:33 +0800

[diff] [blame]

3007

Ronald Cron

2024-03-08 17:51:23 +0100

[diff] [blame]

3008

return POSTPROCESS_NEW_SESSION_TICKET_SIGNAL;

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

3009

}

3010

3011

/*

Jerry Yu

a8d3c50

2022-10-30 14:51:23 +0800

[diff] [blame]

3012

* Handler for MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

3013

*/

Jerry Yu

2022-07-13 11:22:55 +0800

[diff] [blame]

3014

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

3015

static int ssl_tls13_process_new_session_ticket(mbedtls_ssl_context *ssl)

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

3016

{

3017

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

3018

unsigned char *buf;

3019

size_t buf_len;

Jerry Yu

2022-07-12 06:09:38 +0000

[diff] [blame]

3020

unsigned char *ticket_nonce;

3021

size_t ticket_nonce_len;

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

3022

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

3023

MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse new session ticket"));

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

3024

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

3025

MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_tls13_fetch_handshake_msg(

3026

ssl, MBEDTLS_SSL_HS_NEW_SESSION_TICKET,

3027

&buf, &buf_len));

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

3028

Ronald Cron

2024-03-08 17:51:23 +0100

[diff] [blame]

3029

/*

3030

* We are about to update (maybe only partially) ticket data thus block

3031

* any session export for the time being.

3032

*/

3033

ssl->session->exported = 1;

3034

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

3035

MBEDTLS_SSL_PROC_CHK(ssl_tls13_parse_new_session_ticket(

3036

ssl, buf, buf + buf_len,

3037

&ticket_nonce, &ticket_nonce_len));

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

3038

Ronald Cron

2024-03-08 17:51:23 +0100

[diff] [blame]

3039

MBEDTLS_SSL_PROC_CHK_NEG(ssl_tls13_postprocess_new_session_ticket(

3040

ssl, ticket_nonce, ticket_nonce_len));

3041

3042

switch (ret) {

3043

case POSTPROCESS_NEW_SESSION_TICKET_SIGNAL:

3044

/*

3045

* All good, we have received a new valid ticket, session data can

3046

* be exported now and we signal the ticket to the application.

3047

*/

3048

ssl->session->exported = 0;

3049

ret = MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET;

3050

break;

3051

3052

case POSTPROCESS_NEW_SESSION_TICKET_DISCARD:

3053

ret = 0;

3054

MBEDTLS_SSL_DEBUG_MSG(2, ("Discard new session ticket"));

break;

default:

ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;

3059

}

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

3060

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

3061

mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_OVER);

Jerry Yu

2022-07-13 11:16:51 +0800

[diff] [blame]

3062

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

3063

cleanup:

3064

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

3065

MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse new session ticket"));

3066

return ret;

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

3067

}

3068

#endif /* MBEDTLS_SSL_SESSION_TICKETS */

3069

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

3070

int mbedtls_ssl_tls13_handshake_client_step(mbedtls_ssl_context *ssl)

Jerry Yu

2021-08-24 15:59:48 +0800

[diff] [blame]

3071

{

Jerry Yu

2021-08-27 16:59:09 +0800

[diff] [blame]

3072

int ret = 0;

Jerry Yu

c8a392c

2021-08-18 16:46:28 +0800

[diff] [blame]

3073

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

3074

switch (ssl->state) {

Jerry Yu

2021-08-27 16:59:09 +0800

[diff] [blame]

3075

case MBEDTLS_SSL_HELLO_REQUEST:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

3076

mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_HELLO);

Jerry Yu

ddda050

2022-12-01 19:43:12 +0800

[diff] [blame]

3077

break;

3078

Jerry Yu

2021-08-27 16:59:09 +0800

[diff] [blame]

3079

case MBEDTLS_SSL_CLIENT_HELLO:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

3080

ret = mbedtls_ssl_write_client_hello(ssl);

Jerry Yu

2021-08-27 16:59:09 +0800

[diff] [blame]

3081

break;

3082

3083

case MBEDTLS_SSL_SERVER_HELLO:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

3084

ret = ssl_tls13_process_server_hello(ssl);

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

3085

break;

3086

3087

case MBEDTLS_SSL_ENCRYPTED_EXTENSIONS:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

3088

ret = ssl_tls13_process_encrypted_extensions(ssl);

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

3089

break;

3090

Ronald Cron

2022-10-04 16:14:26 +0200

[diff] [blame]

3091

#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)

Jerry Yu

2021-10-29 10:08:19 +0800

[diff] [blame]

3092

case MBEDTLS_SSL_CERTIFICATE_REQUEST:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

3093

ret = ssl_tls13_process_certificate_request(ssl);

Jerry Yu

2021-10-29 10:08:19 +0800

[diff] [blame]

3094

break;

3095

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

3096

case MBEDTLS_SSL_SERVER_CERTIFICATE:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

3097

ret = ssl_tls13_process_server_certificate(ssl);

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

3098

break;

3099

3100

case MBEDTLS_SSL_CERTIFICATE_VERIFY:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

3101

ret = ssl_tls13_process_certificate_verify(ssl);

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

3102

break;

Ronald Cron

2022-10-04 16:14:26 +0200

[diff] [blame]

3103

#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

3104

3105

case MBEDTLS_SSL_SERVER_FINISHED:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

3106

ret = ssl_tls13_process_server_finished(ssl);

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

3107

break;

3108

Ronald Cron

e21c2d2

2024-02-21 16:37:16 +0100

[diff] [blame]

3109

#if defined(MBEDTLS_SSL_EARLY_DATA)

Xiaokang Qian

2022-10-28 06:04:06 +0000

[diff] [blame]

3110

case MBEDTLS_SSL_END_OF_EARLY_DATA:

3111

ret = ssl_tls13_write_end_of_early_data(ssl);

3112

break;

Ronald Cron

e21c2d2

2024-02-21 16:37:16 +0100

[diff] [blame]

3113

#endif

Xiaokang Qian

2022-10-28 06:04:06 +0000

[diff] [blame]

3114

Jerry Yu

2022-01-26 15:41:22 +0800

[diff] [blame]

3115

case MBEDTLS_SSL_CLIENT_CERTIFICATE:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

3116

ret = ssl_tls13_write_client_certificate(ssl);

Jerry Yu

2022-01-26 15:41:22 +0800

[diff] [blame]

3117

break;

3118

Ronald Cron

2022-10-04 16:14:26 +0200

[diff] [blame]

3119

#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)

Jerry Yu

2022-01-26 15:41:22 +0800

[diff] [blame]

3120

case MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

3121

ret = ssl_tls13_write_client_certificate_verify(ssl);

Jerry Yu

2022-01-26 15:41:22 +0800

[diff] [blame]

3122

break;

Ronald Cron

2022-10-04 16:14:26 +0200

[diff] [blame]

3123

#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */

Jerry Yu

2022-01-26 15:41:22 +0800

[diff] [blame]

3124

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

3125

case MBEDTLS_SSL_CLIENT_FINISHED:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

3126

ret = ssl_tls13_write_client_finished(ssl);

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

3127

break;

3128

3129

case MBEDTLS_SSL_FLUSH_BUFFERS:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

3130

ret = ssl_tls13_flush_buffers(ssl);

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

3131

break;

3132

3133

case MBEDTLS_SSL_HANDSHAKE_WRAPUP:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

3134

ret = ssl_tls13_handshake_wrapup(ssl);

Jerry Yu

2021-08-27 16:59:09 +0800

[diff] [blame]

3135

break;

3136

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

3137

/*

3138

* Injection of dummy-CCS's for middlebox compatibility

3139

*/

Ronald Cron

2021-11-24 16:25:31 +0100

[diff] [blame]

3140

#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)

XiaokangQian

0b56a8f

2021-12-22 02:39:32 +0000

[diff] [blame]

3141

case MBEDTLS_SSL_CLIENT_CCS_BEFORE_2ND_CLIENT_HELLO:

Ronald Cron

e273f72

2024-02-13 18:22:26 +0100

[diff] [blame]

3142

ret = mbedtls_ssl_tls13_write_change_cipher_spec(ssl);

3143

if (ret != 0) {

3144

break;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

3145

}

Ronald Cron

fe59ff7

2024-01-24 14:31:50 +0100

[diff] [blame]

3146

mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_HELLO);

Ronald Cron

9f55f63

2022-02-02 16:02:47 +0100

[diff] [blame]

3147

break;

3148

3149

case MBEDTLS_SSL_CLIENT_CCS_AFTER_SERVER_FINISHED:

Ronald Cron

e273f72

2024-02-13 18:22:26 +0100

[diff] [blame]

3150

ret = mbedtls_ssl_tls13_write_change_cipher_spec(ssl);

3151

if (ret != 0) {

3152

break;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

3153

}

Ronald Cron

fe59ff7

2024-01-24 14:31:50 +0100

[diff] [blame]

3154

mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE);

Ronald Cron

2021-11-24 16:25:31 +0100

[diff] [blame]

3155

break;

Xiaokang Qian

f6d8fd3

2023-02-02 02:46:26 +0000

[diff] [blame]

3156

Ronald Cron

297c608

2024-01-19 08:15:33 +0100

[diff] [blame]

3157

#if defined(MBEDTLS_SSL_EARLY_DATA)

Xiaokang Qian

592021a

2023-01-04 10:47:05 +0000

[diff] [blame]

3158

case MBEDTLS_SSL_CLIENT_CCS_AFTER_CLIENT_HELLO:

3159

ret = mbedtls_ssl_tls13_write_change_cipher_spec(ssl);

3160

if (ret == 0) {

3161

mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_HELLO);

3162

3163

MBEDTLS_SSL_DEBUG_MSG(

3164

1, ("Switch to early data keys for outbound traffic"));

3165

mbedtls_ssl_set_outbound_transform(

3166

ssl, ssl->handshake->transform_earlydata);

Ronald Cron

2024-03-03 15:03:22 +0100

[diff] [blame]

3167

ssl->early_data_state = MBEDTLS_SSL_EARLY_DATA_STATE_CAN_WRITE;

Xiaokang Qian

592021a

2023-01-04 10:47:05 +0000

[diff] [blame]

3168

}

3169

break;

Ronald Cron

297c608

2024-01-19 08:15:33 +0100

[diff] [blame]

3170

#endif /* MBEDTLS_SSL_EARLY_DATA */

Ronald Cron

2021-11-24 16:25:31 +0100

[diff] [blame]

3171

#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */

3172

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

3173

#if defined(MBEDTLS_SSL_SESSION_TICKETS)

Jerry Yu

a8d3c50

2022-10-30 14:51:23 +0800

[diff] [blame]

3174

case MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

3175

ret = ssl_tls13_process_new_session_ticket(ssl);

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

3176

break;

3177

#endif /* MBEDTLS_SSL_SESSION_TICKETS */

3178

Jerry Yu

2021-08-27 16:59:09 +0800

[diff] [blame]

3179

default:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

3180

MBEDTLS_SSL_DEBUG_MSG(1, ("invalid state %d", ssl->state));

3181

return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;

Jerry Yu

2021-08-27 16:59:09 +0800

[diff] [blame]

3182

}

3183

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

3184

return ret;

Jerry Yu