Blame - library/ssl_tls13_client.c - mirror/mbed-tls

2021-08-24 15:59:48 +0800

[diff] [blame]

12

#include <string.h>

13

Valerio Setti

b4f5076

2024-01-17 10:24:52 +0100

[diff] [blame]

14

#include "debug_internal.h"

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

15

#include "mbedtls/error.h"

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

16

#include "mbedtls/platform.h"

Jerry Yu

a13c7e7

2021-08-17 10:44:40 +0800

[diff] [blame]

17

Jerry Yu

bdc7188

2021-09-14 19:30:36 +0800

[diff] [blame]

18

#include "ssl_misc.h"

Ronald Cron

3d580bf

2022-02-18 17:24:56 +0100

[diff] [blame]

19

#include "ssl_client.h"

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

20

#include "ssl_tls13_keys.h"

Jerry Yu

2022-08-04 16:55:10 +0800

[diff] [blame]

21

#include "ssl_debug_helpers.h"

Valerio Setti

384fbde

2024-01-02 13:26:40 +0100

[diff] [blame]

22

#include "mbedtls/psa_util.h"

Jerry Yu

bdc7188

2021-09-14 19:30:36 +0800

[diff] [blame]

23

Valerio Setti

2023-07-25 11:23:50 +0200

[diff] [blame]

24

#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)

Andrzej Kurek

0064484

2023-05-30 05:45:00 -0400

[diff] [blame]

25

/* Define a local translating function to save code size by not using too many

26

* arguments in each translating place. */

27

static int local_err_translation(psa_status_t status)

28

{

29

return psa_status_to_mbedtls(status, psa_to_ssl_errors,

Andrzej Kurek

1e4a030

2023-05-30 09:45:17 -0400

[diff] [blame]

30

ARRAY_LENGTH(psa_to_ssl_errors),

Andrzej Kurek

0064484

2023-05-30 05:45:00 -0400

[diff] [blame]

31

psa_generic_status_to_mbedtls);

32

}

33

#define PSA_TO_MBEDTLS_ERR(status) local_err_translation(status)

Andrzej Kurek

a6033ac

2023-05-30 15:16:34 -0400

[diff] [blame]

34

#endif

35

Jerry Yu

2021-08-24 15:59:48 +0800

[diff] [blame]

36

/* Write extensions */

37

Jerry Yu

2021-08-27 16:59:09 +0800

[diff] [blame]

38

/*

39

* ssl_tls13_write_supported_versions_ext():

40

*

41

* struct {

42

* ProtocolVersion versions<2..254>;

43

* } SupportedVersions;

44

*/

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

45

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

46

static int ssl_tls13_write_supported_versions_ext(mbedtls_ssl_context *ssl,

47

unsigned char *buf,

48

unsigned char *end,

49

size_t *out_len)

Jerry Yu

2021-08-27 16:59:09 +0800

[diff] [blame]

50

{

51

unsigned char *p = buf;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

52

unsigned char versions_len = (ssl->handshake->min_tls_version <=

53

MBEDTLS_SSL_VERSION_TLS1_2) ? 4 : 2;

Jerry Yu

2021-08-27 16:59:09 +0800

[diff] [blame]

54

Xiaofei Bai

d25fab6

2021-12-02 06:36:27 +0000

[diff] [blame]

55

*out_len = 0;

Jerry Yu

2021-08-27 16:59:09 +0800

[diff] [blame]

56

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

57

MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, adding supported versions extension"));

Jerry Yu

2021-08-27 16:59:09 +0800

[diff] [blame]

58

Jerry Yu

2021-09-15 18:41:02 +0800

[diff] [blame]

59

/* Check if we have space to write the extension:

Jerry Yu

2021-09-08 16:41:02 +0800

[diff] [blame]

60

* - extension_type (2 bytes)

61

* - extension_data_length (2 bytes)

62

* - versions_length (1 byte )

Ronald Cron

a77fc27

2022-03-30 17:20:47 +0200

[diff] [blame]

63

* - versions (2 or 4 bytes)

Jerry Yu

159c5a0

2021-08-31 12:51:25 +0800

[diff] [blame]

64

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

65

MBEDTLS_SSL_CHK_BUF_PTR(p, end, 5 + versions_len);

Ronald Cron

2022-02-10 14:35:27 +0100

[diff] [blame]

66

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

67

MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS, p, 0);

68

MBEDTLS_PUT_UINT16_BE(versions_len + 1, p, 2);

Jerry Yu

eecfbf0

2021-08-30 18:32:07 +0800

[diff] [blame]

69

p += 4;

Jerry Yu

2021-08-27 16:59:09 +0800

[diff] [blame]

70

Jerry Yu

1bc2c1f

2021-09-01 12:57:29 +0800

[diff] [blame]

71

/* Length of versions */

Ronald Cron

2022-02-10 14:35:27 +0100

[diff] [blame]

72

*p++ = versions_len;

Jerry Yu

2021-08-27 16:59:09 +0800

[diff] [blame]

73

Jerry Yu

0c63af6

2021-09-02 12:59:12 +0800

[diff] [blame]

74

/* Write values of supported versions.

Jerry Yu

0c63af6

2021-09-02 12:59:12 +0800

[diff] [blame]

75

* They are defined by the configuration.

Ronald Cron

2022-02-10 14:35:27 +0100

[diff] [blame]

76

* Currently, we advertise only TLS 1.3 or both TLS 1.3 and TLS 1.2.

Jerry Yu

2021-08-27 16:59:09 +0800

[diff] [blame]

77

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

78

mbedtls_ssl_write_version(p, MBEDTLS_SSL_TRANSPORT_STREAM,

79

MBEDTLS_SSL_VERSION_TLS1_3);

80

MBEDTLS_SSL_DEBUG_MSG(3, ("supported version: [3:4]"));

Jerry Yu

2021-08-27 16:59:09 +0800

[diff] [blame]

81

Jerry Yu

2021-08-27 16:59:09 +0800

[diff] [blame]

82

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

83

if (ssl->handshake->min_tls_version <= MBEDTLS_SSL_VERSION_TLS1_2) {

84

mbedtls_ssl_write_version(p + 2, MBEDTLS_SSL_TRANSPORT_STREAM,

85

MBEDTLS_SSL_VERSION_TLS1_2);

86

MBEDTLS_SSL_DEBUG_MSG(3, ("supported version: [3:3]"));

Ronald Cron

2022-02-10 14:35:27 +0100

[diff] [blame]

87

}

88

89

*out_len = 5 + versions_len;

Jerry Yu

2022-10-31 13:31:22 +0800

[diff] [blame]

90

Jerry Yu

2022-10-29 09:08:47 +0800

[diff] [blame]

91

mbedtls_ssl_tls13_set_hs_sent_ext_mask(

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

92

ssl, MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS);

Jerry Yu

2022-10-31 13:31:22 +0800

[diff] [blame]

93

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

94

return 0;

Jerry Yu

2021-08-27 16:59:09 +0800

[diff] [blame]

95

}

Jerry Yu

2021-08-24 15:59:48 +0800

[diff] [blame]

96

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

97

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

98

static int ssl_tls13_parse_supported_versions_ext(mbedtls_ssl_context *ssl,

99

const unsigned char *buf,

100

const unsigned char *end)

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

101

{

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

102

((void) ssl);

103

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

104

MBEDTLS_SSL_CHK_BUF_READ_PTR(buf, end, 2);

105

if (mbedtls_ssl_read_version(buf, ssl->conf->transport) !=

106

MBEDTLS_SSL_VERSION_TLS1_3) {

107

MBEDTLS_SSL_DEBUG_MSG(1, ("unexpected version"));

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

108

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

109

MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,

110

MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);

111

return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

112

}

113

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

114

if (&buf[2] != end) {

Xiaokang Qian

91bb3f0

2023-04-03 09:07:03 +0000

[diff] [blame]

115

MBEDTLS_SSL_DEBUG_MSG(

116

1, ("supported_versions ext data length incorrect"));

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

117

MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,

118

MBEDTLS_ERR_SSL_DECODE_ERROR);

119

return MBEDTLS_ERR_SSL_DECODE_ERROR;

Ronald Cron

9847338

2022-03-30 20:04:10 +0200

[diff] [blame]

120

}

121

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

122

return 0;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

123

}

124

lhuang04

2022-01-21 07:34:27 -0800

[diff] [blame]

125

#if defined(MBEDTLS_SSL_ALPN)

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

126

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

127

static int ssl_tls13_parse_alpn_ext(mbedtls_ssl_context *ssl,

128

const unsigned char *buf, size_t len)

lhuang04

2022-01-21 07:34:27 -0800

[diff] [blame]

129

{

lhuang04

2022-01-21 07:34:27 -0800

[diff] [blame]

130

const unsigned char *p = buf;

131

const unsigned char *end = buf + len;

Ronald Cron

81a334f

2022-05-31 16:04:11 +0200

[diff] [blame]

132

size_t protocol_name_list_len, protocol_name_len;

133

const unsigned char *protocol_name_list_end;

lhuang04

2022-01-21 07:34:27 -0800

[diff] [blame]

134

135

/* If we didn't send it, the server shouldn't send it */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

136

if (ssl->conf->alpn_list == NULL) {

137

return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;

138

}

lhuang04

2022-01-21 07:34:27 -0800

[diff] [blame]

139

140

/*

141

* opaque ProtocolName<1..2^8-1>;

142

*

143

* struct {

144

* ProtocolName protocol_name_list<2..2^16-1>

145

* } ProtocolNameList;

146

*

147

* the "ProtocolNameList" MUST contain exactly one "ProtocolName"

148

*/

149

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

150

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);

151

protocol_name_list_len = MBEDTLS_GET_UINT16_BE(p, 0);

lhuang04

2022-01-21 07:34:27 -0800

[diff] [blame]

152

p += 2;

lhuang04

2022-01-21 07:34:27 -0800

[diff] [blame]

153

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

154

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, protocol_name_list_len);

Ronald Cron

81a334f

2022-05-31 16:04:11 +0200

[diff] [blame]

155

protocol_name_list_end = p + protocol_name_list_len;

156

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

157

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, protocol_name_list_end, 1);

Ronald Cron

81a334f

2022-05-31 16:04:11 +0200

[diff] [blame]

158

protocol_name_len = *p++;

lhuang04

2022-01-21 07:34:27 -0800

[diff] [blame]

159

160

/* Check that the server chosen protocol was in our list and save it */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

161

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, protocol_name_list_end, protocol_name_len);

162

for (const char **alpn = ssl->conf->alpn_list; *alpn != NULL; alpn++) {

163

if (protocol_name_len == strlen(*alpn) &&

164

memcmp(p, *alpn, protocol_name_len) == 0) {

lhuang04

2022-01-21 07:34:27 -0800

[diff] [blame]

165

ssl->alpn_chosen = *alpn;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

166

return 0;

lhuang04

2022-01-21 07:34:27 -0800

[diff] [blame]

}

}

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

170

return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;

lhuang04

2022-01-21 07:34:27 -0800

[diff] [blame]

171

}

172

#endif /* MBEDTLS_SSL_ALPN */

173

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

174

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

175

static int ssl_tls13_reset_key_share(mbedtls_ssl_context *ssl)

XiaokangQian

2021-12-07 09:16:29 +0000

[diff] [blame]

176

{

177

uint16_t group_id = ssl->handshake->offered_group_id;

Ronald Cron

5b98ac9

2022-03-15 10:19:18 +0100

[diff] [blame]

178

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

179

if (group_id == 0) {

180

return MBEDTLS_ERR_SSL_INTERNAL_ERROR;

181

}

XiaokangQian

2021-12-07 09:16:29 +0000

[diff] [blame]

182

Valerio Setti

2023-07-25 11:23:50 +0200

[diff] [blame]

183

#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)

Przemek Stekiel

2023-05-18 15:45:53 +0200

[diff] [blame]

184

if (mbedtls_ssl_tls13_named_group_is_ecdhe(group_id) ||

Przemek Stekiel

2023-06-29 09:08:43 +0200

[diff] [blame]

185

mbedtls_ssl_tls13_named_group_is_ffdh(group_id)) {

Ronald Cron

5b98ac9

2022-03-15 10:19:18 +0100

[diff] [blame]

186

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

187

psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;

188

189

/* Destroy generated private key. */

Przemek Stekiel

7ac93be

2023-07-04 10:02:38 +0200

[diff] [blame]

190

status = psa_destroy_key(ssl->handshake->xxdh_psa_privkey);

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

191

if (status != PSA_SUCCESS) {

Andrzej Kurek

8a045ce

2022-12-23 11:00:06 -0500

[diff] [blame]

192

ret = PSA_TO_MBEDTLS_ERR(status);

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

193

MBEDTLS_SSL_DEBUG_RET(1, "psa_destroy_key", ret);

194

return ret;

Ronald Cron

5b98ac9

2022-03-15 10:19:18 +0100

[diff] [blame]

195

}

196

Przemek Stekiel

7ac93be

2023-07-04 10:02:38 +0200

[diff] [blame]

197

ssl->handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

198

return 0;

199

} else

Valerio Setti

2023-07-25 11:23:50 +0200

[diff] [blame]

200

#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

201

if (0 /* other KEMs? */) {

XiaokangQian

2021-12-07 09:16:29 +0000

[diff] [blame]

/* Do something */

}

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

205

return MBEDTLS_ERR_SSL_INTERNAL_ERROR;

XiaokangQian

2021-12-07 09:16:29 +0000

[diff] [blame]

206

}

207

208

/*

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

209

* Functions for writing key_share extension.

210

*/

Ronald Cron

766c0cd

2022-10-18 12:17:11 +0200

[diff] [blame]

211

#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

212

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

213

static int ssl_tls13_get_default_group_id(mbedtls_ssl_context *ssl,

214

uint16_t *group_id)

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

215

{

216

int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;

217

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

218

Przemek Stekiel

2023-05-18 15:45:53 +0200

[diff] [blame]

219

#if defined(PSA_WANT_ALG_ECDH) || defined(PSA_WANT_ALG_FFDH)

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

220

const uint16_t *group_list = mbedtls_ssl_get_groups(ssl);

Jerry Yu

2021-09-15 18:41:02 +0800

[diff] [blame]

221

/* Pick first available ECDHE group compatible with TLS 1.3 */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

222

if (group_list == NULL) {

223

return MBEDTLS_ERR_SSL_BAD_CONFIG;

224

}

Jerry Yu

2021-09-15 18:41:02 +0800

[diff] [blame]

225

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

226

for (; *group_list != 0; group_list++) {

Przemek Stekiel

a05e9c1

2023-06-15 16:58:51 +0200

[diff] [blame]

227

#if defined(PSA_WANT_ALG_ECDH)

Xiaokang Qian

2023-03-29 10:37:35 +0000

[diff] [blame]

228

if ((mbedtls_ssl_get_psa_curve_info_from_tls_id(

229

*group_list, NULL, NULL) == PSA_SUCCESS) &&

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

230

mbedtls_ssl_tls13_named_group_is_ecdhe(*group_list)) {

Brett Warren

14efd33

2021-10-06 09:32:11 +0100

[diff] [blame]

231

*group_id = *group_list;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

232

return 0;

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

233

}

Przemek Stekiel

a05e9c1

2023-06-15 16:58:51 +0200

[diff] [blame]

234

#endif

235

#if defined(PSA_WANT_ALG_FFDH)

Przemek Stekiel

2023-06-29 09:08:43 +0200

[diff] [blame]

236

if (mbedtls_ssl_tls13_named_group_is_ffdh(*group_list)) {

Przemek Stekiel

a05e9c1

2023-06-15 16:58:51 +0200

[diff] [blame]

237

*group_id = *group_list;

238

return 0;

239

}

240

#endif

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

241

}

242

#else

243

((void) ssl);

Jerry Yu

2021-09-08 16:41:02 +0800

[diff] [blame]

244

((void) group_id);

Przemek Stekiel

2023-05-18 15:45:53 +0200

[diff] [blame]

245

#endif /* PSA_WANT_ALG_ECDH || PSA_WANT_ALG_FFDH */

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

246

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

247

return ret;

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

}

/*

* ssl_tls13_write_key_share_ext

252

*

Jerry Yu

2021-09-15 18:41:02 +0800

[diff] [blame]

253

* Structure of key_share extension in ClientHello:

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

*

* struct {

* NamedGroup group;

* opaque key_exchange<1..2^16-1>;

258

* } KeyShareEntry;

259

* struct {

260

* KeyShareEntry client_shares<0..2^16-1>;

261

* } KeyShareClientHello;

262

*/

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

263

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

264

static int ssl_tls13_write_key_share_ext(mbedtls_ssl_context *ssl,

265

unsigned char *buf,

266

unsigned char *end,

267

size_t *out_len)

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

268

{

269

unsigned char *p = buf;

Xiaofei Bai

2021-11-18 07:29:56 +0000

[diff] [blame]

270

unsigned char *client_shares; /* Start of client_shares */

271

size_t client_shares_len; /* Length of client_shares */

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

272

uint16_t group_id;

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

273

int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;

274

Xiaofei Bai

d25fab6

2021-12-02 06:36:27 +0000

[diff] [blame]

275

*out_len = 0;

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

276

Jerry Yu

2021-09-08 16:41:02 +0800

[diff] [blame]

277

/* Check if we have space for header and length fields:

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

278

* - extension_type (2 bytes)

279

* - extension_data_length (2 bytes)

280

* - client_shares_length (2 bytes)

281

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

282

MBEDTLS_SSL_CHK_BUF_PTR(p, end, 6);

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

283

p += 6;

284

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

285

MBEDTLS_SSL_DEBUG_MSG(3, ("client hello: adding key share extension"));

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

286

287

/* HRR could already have requested something else. */

288

group_id = ssl->handshake->offered_group_id;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

289

if (!mbedtls_ssl_tls13_named_group_is_ecdhe(group_id) &&

Przemek Stekiel

2023-06-29 09:08:43 +0200

[diff] [blame]

290

!mbedtls_ssl_tls13_named_group_is_ffdh(group_id)) {

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

291

MBEDTLS_SSL_PROC_CHK(ssl_tls13_get_default_group_id(ssl,

292

&group_id));

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

}

/*

* Dispatch to type-specific key generation function.

297

*

298

* So far, we're only supporting ECDHE. With the introduction

299

* of PQC KEMs, we'll want to have multiple branches, one per

300

* type of KEM, and dispatch to the corresponding crypto. And

301

* only one key share entry is allowed.

302

*/

Xiaofei Bai

2021-11-18 07:29:56 +0000

[diff] [blame]

303

client_shares = p;

Przemek Stekiel

2023-05-18 15:45:53 +0200

[diff] [blame]

304

#if defined(PSA_WANT_ALG_ECDH) || defined(PSA_WANT_ALG_FFDH)

305

if (mbedtls_ssl_tls13_named_group_is_ecdhe(group_id) ||

Przemek Stekiel

2023-06-29 09:08:43 +0200

[diff] [blame]

306

mbedtls_ssl_tls13_named_group_is_ffdh(group_id)) {

Jerry Yu

2021-09-15 18:41:02 +0800

[diff] [blame]

307

/* Pointer to group */

Xiaofei Bai

2021-11-18 07:29:56 +0000

[diff] [blame]

308

unsigned char *group = p;

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

309

/* Length of key_exchange */

Przemyslaw Stekiel

4f419e5

2022-02-10 15:56:26 +0100

[diff] [blame]

310

size_t key_exchange_len = 0;

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

311

312

/* Check there is space for header of KeyShareEntry

313

* - group (2 bytes)

314

* - key_exchange_length (2 bytes)

315

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

316

MBEDTLS_SSL_CHK_BUF_PTR(p, end, 4);

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

317

p += 4;

Przemek Stekiel

408569f

2023-07-06 11:26:44 +0200

[diff] [blame]

318

ret = mbedtls_ssl_tls13_generate_and_write_xxdh_key_exchange(

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

319

ssl, group_id, p, end, &key_exchange_len);

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

320

p += key_exchange_len;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

321

if (ret != 0) {

322

return ret;

323

}

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

324

325

/* Write group */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

326

MBEDTLS_PUT_UINT16_BE(group_id, group, 0);

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

327

/* Write key_exchange_length */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

328

MBEDTLS_PUT_UINT16_BE(key_exchange_len, group, 2);

329

} else

Przemek Stekiel

2023-05-18 15:45:53 +0200

[diff] [blame]

330

#endif /* PSA_WANT_ALG_ECDH || PSA_WANT_ALG_FFDH */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

331

if (0 /* other KEMs? */) {

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

332

/* Do something */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

333

} else {

334

return MBEDTLS_ERR_SSL_INTERNAL_ERROR;

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

335

}

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

336

Jerry Yu

2021-09-08 16:41:02 +0800

[diff] [blame]

337

/* Length of client_shares */

Xiaofei Bai

2021-11-18 07:29:56 +0000

[diff] [blame]

338

client_shares_len = p - client_shares;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

339

if (client_shares_len == 0) {

340

MBEDTLS_SSL_DEBUG_MSG(1, ("No key share defined."));

341

return MBEDTLS_ERR_SSL_INTERNAL_ERROR;

Jerry Yu

7c522d4

2021-09-08 17:55:09 +0800

[diff] [blame]

342

}

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

343

/* Write extension_type */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

344

MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_KEY_SHARE, buf, 0);

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

345

/* Write extension_data_length */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

346

MBEDTLS_PUT_UINT16_BE(client_shares_len + 2, buf, 2);

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

347

/* Write client_shares_length */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

348

MBEDTLS_PUT_UINT16_BE(client_shares_len, buf, 4);

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

349

350

/* Update offered_group_id field */

351

ssl->handshake->offered_group_id = group_id;

352

353

/* Output the total length of key_share extension. */

Xiaofei Bai

d25fab6

2021-12-02 06:36:27 +0000

[diff] [blame]

354

*out_len = p - buf;

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

355

Xiaokang Qian

91bb3f0

2023-04-03 09:07:03 +0000

[diff] [blame]

356

MBEDTLS_SSL_DEBUG_BUF(

357

3, "client hello, key_share extension", buf, *out_len);

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

358

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

359

mbedtls_ssl_tls13_set_hs_sent_ext_mask(ssl, MBEDTLS_TLS_EXT_KEY_SHARE);

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

cleanup:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

363

return ret;

Jerry Yu

2021-09-01 17:48:49 +0800

[diff] [blame]

364

}

Ronald Cron

766c0cd

2022-10-18 12:17:11 +0200

[diff] [blame]

365

#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED */

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

366

XiaokangQian

2022-01-24 10:12:51 +0000

[diff] [blame]

367

/*

368

* ssl_tls13_parse_hrr_key_share_ext()

369

* Parse key_share extension in Hello Retry Request

370

*

371

* struct {

372

* NamedGroup selected_group;

373

* } KeyShareHelloRetryRequest;

374

*/

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

375

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

376

static int ssl_tls13_parse_hrr_key_share_ext(mbedtls_ssl_context *ssl,

377

const unsigned char *buf,

378

const unsigned char *end)

XiaokangQian

2022-01-14 04:03:11 +0000

[diff] [blame]

379

{

Przemek Stekiel

2023-06-12 11:21:18 +0200

[diff] [blame]

380

#if defined(PSA_WANT_ALG_ECDH) || defined(PSA_WANT_ALG_FFDH)

XiaokangQian

2022-01-14 04:03:11 +0000

[diff] [blame]

381

const unsigned char *p = buf;

XiaokangQian

2022-01-24 10:12:51 +0000

[diff] [blame]

382

int selected_group;

XiaokangQian

2022-01-14 04:03:11 +0000

[diff] [blame]

383

int found = 0;

384

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

385

const uint16_t *group_list = mbedtls_ssl_get_groups(ssl);

386

if (group_list == NULL) {

387

return MBEDTLS_ERR_SSL_BAD_CONFIG;

388

}

XiaokangQian

2022-01-14 04:03:11 +0000

[diff] [blame]

389

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

390

MBEDTLS_SSL_DEBUG_BUF(3, "key_share extension", p, end - buf);

XiaokangQian

2022-01-14 04:03:11 +0000

[diff] [blame]

391

392

/* Read selected_group */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

393

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);

394

selected_group = MBEDTLS_GET_UINT16_BE(p, 0);

395

MBEDTLS_SSL_DEBUG_MSG(3, ("selected_group ( %d )", selected_group));

XiaokangQian

2022-01-14 04:03:11 +0000

[diff] [blame]

396

397

/* Upon receipt of this extension in a HelloRetryRequest, the client

398

* MUST first verify that the selected_group field corresponds to a

399

* group which was provided in the "supported_groups" extension in the

400

* original ClientHello.

401

* The supported_group was based on the info in ssl->conf->group_list.

402

*

403

* If the server provided a key share that was not sent in the ClientHello

404

* then the client MUST abort the handshake with an "illegal_parameter" alert.

405

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

406

for (; *group_list != 0; group_list++) {

Przemek Stekiel

2023-06-12 11:21:18 +0200

[diff] [blame]

407

#if defined(PSA_WANT_ALG_ECDH)

Przemek Stekiel

2023-05-18 15:45:53 +0200

[diff] [blame]

408

if (mbedtls_ssl_tls13_named_group_is_ecdhe(*group_list)) {

409

if ((mbedtls_ssl_get_psa_curve_info_from_tls_id(

410

*group_list, NULL, NULL) == PSA_ERROR_NOT_SUPPORTED) ||

411

*group_list != selected_group) {

412

found = 1;

413

break;

414

}

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

415

}

Przemek Stekiel

2023-06-12 11:21:18 +0200

[diff] [blame]

416

#endif /* PSA_WANT_ALG_ECDH */

417

#if defined(PSA_WANT_ALG_FFDH)

Przemek Stekiel

2023-06-29 09:08:43 +0200

[diff] [blame]

418

if (mbedtls_ssl_tls13_named_group_is_ffdh(*group_list)) {

Przemek Stekiel

2023-05-18 15:45:53 +0200

[diff] [blame]

419

found = 1;

420

break;

421

}

Przemek Stekiel

2023-06-12 11:21:18 +0200

[diff] [blame]

422

#endif /* PSA_WANT_ALG_FFDH */

XiaokangQian

2022-01-14 04:03:11 +0000

[diff] [blame]

423

}

424

425

/* Client MUST verify that the selected_group field does not

426

* correspond to a group which was provided in the "key_share"

427

* extension in the original ClientHello. If the server sent an

428

* HRR message with a key share already provided in the

429

* ClientHello then the client MUST abort the handshake with

430

* an "illegal_parameter" alert.

431

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

432

if (found == 0 || selected_group == ssl->handshake->offered_group_id) {

433

MBEDTLS_SSL_DEBUG_MSG(1, ("Invalid key share in HRR"));

XiaokangQian

2022-01-14 04:03:11 +0000

[diff] [blame]

434

MBEDTLS_SSL_PEND_FATAL_ALERT(

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

435

MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,

436

MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);

437

return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;

XiaokangQian

2022-01-14 04:03:11 +0000

[diff] [blame]

438

}

439

440

/* Remember server's preference for next ClientHello */

XiaokangQian

2022-01-24 10:12:51 +0000

[diff] [blame]

441

ssl->handshake->offered_group_id = selected_group;

XiaokangQian

2022-01-14 04:03:11 +0000

[diff] [blame]

442

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

443

return 0;

Przemek Stekiel

2023-06-12 11:21:18 +0200

[diff] [blame]

444

#else /* PSA_WANT_ALG_ECDH || PSA_WANT_ALG_FFDH */

Andrzej Kurek

c19fb08

2022-10-03 10:52:24 -0400

[diff] [blame]

445

(void) ssl;

446

(void) buf;

447

(void) end;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

448

return MBEDTLS_ERR_SSL_BAD_CONFIG;

Przemek Stekiel

2023-06-12 11:21:18 +0200

[diff] [blame]

449

#endif /* PSA_WANT_ALG_ECDH || PSA_WANT_ALG_FFDH */

XiaokangQian

2022-01-14 04:03:11 +0000

[diff] [blame]

450

}

451

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

452

/*

Jerry Yu

2021-10-13 13:36:05 +0800

[diff] [blame]

453

* ssl_tls13_parse_key_share_ext()

454

* Parse key_share extension in Server Hello

455

*

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

456

* struct {

457

* KeyShareEntry server_share;

458

* } KeyShareServerHello;

459

* struct {

460

* NamedGroup group;

461

* opaque key_exchange<1..2^16-1>;

462

* } KeyShareEntry;

463

*/

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

464

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

465

static int ssl_tls13_parse_key_share_ext(mbedtls_ssl_context *ssl,

466

const unsigned char *buf,

467

const unsigned char *end)

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

468

{

Jerry Yu

2021-10-13 13:36:05 +0800

[diff] [blame]

469

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

470

const unsigned char *p = buf;

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

471

uint16_t group, offered_group;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

472

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

473

/* ...

474

* NamedGroup group; (2 bytes)

475

* ...

476

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

477

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);

478

group = MBEDTLS_GET_UINT16_BE(p, 0);

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

479

p += 2;

480

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

481

/* Check that the chosen group matches the one we offered. */

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

482

offered_group = ssl->handshake->offered_group_id;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

483

if (offered_group != group) {

Xiaokang Qian

2023-03-29 10:37:35 +0000

[diff] [blame]

484

MBEDTLS_SSL_DEBUG_MSG(

485

1, ("Invalid server key share, our group %u, their group %u",

486

(unsigned) offered_group, (unsigned) group));

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

487

MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,

488

MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE);

489

return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

490

}

491

Valerio Setti

2023-07-25 11:23:50 +0200

[diff] [blame]

492

#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)

Przemek Stekiel

2023-05-18 15:45:53 +0200

[diff] [blame]

493

if (mbedtls_ssl_tls13_named_group_is_ecdhe(group) ||

Przemek Stekiel

2023-06-29 09:08:43 +0200

[diff] [blame]

494

mbedtls_ssl_tls13_named_group_is_ffdh(group)) {

Przemek Stekiel

2023-06-12 11:21:18 +0200

[diff] [blame]

495

MBEDTLS_SSL_DEBUG_MSG(2,

496

("DHE group name: %s", mbedtls_ssl_named_group_to_str(group)));

Przemek Stekiel

7ac93be

2023-07-04 10:02:38 +0200

[diff] [blame]

497

ret = mbedtls_ssl_tls13_read_public_xxdhe_share(ssl, p, end - p);

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

if (ret != 0) {

return ret;

}

} else

Valerio Setti

2023-07-25 11:23:50 +0200

[diff] [blame]

502

#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

503

if (0 /* other KEMs? */) {

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

504

/* Do something */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

505

} else {

506

return MBEDTLS_ERR_SSL_INTERNAL_ERROR;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

507

}

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

508

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

509

return ret;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

510

}

511

XiaokangQian

2022-01-24 10:12:51 +0000

[diff] [blame]

512

/*

513

* ssl_tls13_parse_cookie_ext()

514

* Parse cookie extension in Hello Retry Request

515

*

516

* struct {

517

* opaque cookie<1..2^16-1>;

518

* } Cookie;

519

*

520

* When sending a HelloRetryRequest, the server MAY provide a "cookie"

521

* extension to the client (this is an exception to the usual rule that

522

* the only extensions that may be sent are those that appear in the

523

* ClientHello). When sending the new ClientHello, the client MUST copy

524

* the contents of the extension received in the HelloRetryRequest into

525

* a "cookie" extension in the new ClientHello. Clients MUST NOT use

526

* cookies in their initial ClientHello in subsequent connections.

527

*/

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

528

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

529

static int ssl_tls13_parse_cookie_ext(mbedtls_ssl_context *ssl,

530

const unsigned char *buf,

531

const unsigned char *end)

XiaokangQian

2022-01-21 04:32:58 +0000

[diff] [blame]

532

{

XiaokangQian

25c9c90

2022-02-08 10:49:53 +0000

[diff] [blame]

533

uint16_t cookie_len;

XiaokangQian

2022-01-21 04:32:58 +0000

[diff] [blame]

534

const unsigned char *p = buf;

535

mbedtls_ssl_handshake_params *handshake = ssl->handshake;

536

537

/* Retrieve length field of cookie */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

538

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);

539

cookie_len = MBEDTLS_GET_UINT16_BE(p, 0);

XiaokangQian

2022-01-21 04:32:58 +0000

[diff] [blame]

540

p += 2;

541

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

542

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, cookie_len);

543

MBEDTLS_SSL_DEBUG_BUF(3, "cookie extension", p, cookie_len);

XiaokangQian

2022-01-21 04:32:58 +0000

[diff] [blame]

544

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

545

mbedtls_free(handshake->cookie);

Jerry Yu

ac5ca5a

2022-03-04 12:50:46 +0800

[diff] [blame]

546

handshake->cookie_len = 0;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

547

handshake->cookie = mbedtls_calloc(1, cookie_len);

548

if (handshake->cookie == NULL) {

549

MBEDTLS_SSL_DEBUG_MSG(1,

550

("alloc failed ( %ud bytes )",

551

cookie_len));

552

return MBEDTLS_ERR_SSL_ALLOC_FAILED;

XiaokangQian

2022-01-21 04:32:58 +0000

[diff] [blame]

553

}

554

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

555

memcpy(handshake->cookie, p, cookie_len);

Jerry Yu

ac5ca5a

2022-03-04 12:50:46 +0800

[diff] [blame]

556

handshake->cookie_len = cookie_len;

XiaokangQian

2022-01-21 04:32:58 +0000

[diff] [blame]

557

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

558

return 0;

XiaokangQian

2022-01-21 04:32:58 +0000

[diff] [blame]

559

}

XiaokangQian

2022-01-21 04:32:58 +0000

[diff] [blame]

560

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

561

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

562

static int ssl_tls13_write_cookie_ext(mbedtls_ssl_context *ssl,

563

unsigned char *buf,

564

unsigned char *end,

565

size_t *out_len)

XiaokangQian

2022-01-27 10:36:51 +0000

[diff] [blame]

566

{

567

unsigned char *p = buf;

XiaokangQian

9deb90f

2022-02-08 10:31:07 +0000

[diff] [blame]

568

*out_len = 0;

XiaokangQian

c02768a

2022-02-10 07:31:25 +0000

[diff] [blame]

569

mbedtls_ssl_handshake_params *handshake = ssl->handshake;

XiaokangQian

2022-01-27 10:36:51 +0000

[diff] [blame]

570

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

571

if (handshake->cookie == NULL) {

572

MBEDTLS_SSL_DEBUG_MSG(3, ("no cookie to send; skip extension"));

573

return 0;

XiaokangQian

2022-01-27 10:36:51 +0000

[diff] [blame]

574

}

575

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

576

MBEDTLS_SSL_DEBUG_BUF(3, "client hello, cookie",

577

handshake->cookie,

578

handshake->cookie_len);

XiaokangQian

2022-01-27 10:36:51 +0000

[diff] [blame]

579

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

580

MBEDTLS_SSL_CHK_BUF_PTR(p, end, handshake->cookie_len + 6);

XiaokangQian

2022-01-27 10:36:51 +0000

[diff] [blame]

581

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

582

MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, adding cookie extension"));

XiaokangQian

2022-01-27 10:36:51 +0000

[diff] [blame]

583

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

584

MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_COOKIE, p, 0);

585

MBEDTLS_PUT_UINT16_BE(handshake->cookie_len + 2, p, 2);

586

MBEDTLS_PUT_UINT16_BE(handshake->cookie_len, p, 4);

XiaokangQian

233397e

2022-02-07 08:32:16 +0000

[diff] [blame]

587

p += 6;

XiaokangQian

2022-01-27 10:36:51 +0000

[diff] [blame]

588

589

/* Cookie */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

590

memcpy(p, handshake->cookie, handshake->cookie_len);

XiaokangQian

2022-01-27 10:36:51 +0000

[diff] [blame]

591

Jerry Yu

ac5ca5a

2022-03-04 12:50:46 +0800

[diff] [blame]

592

*out_len = handshake->cookie_len + 6;

XiaokangQian

2022-01-27 10:36:51 +0000

[diff] [blame]

593

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

594

mbedtls_ssl_tls13_set_hs_sent_ext_mask(ssl, MBEDTLS_TLS_EXT_COOKIE);

Jerry Yu

2022-10-31 13:31:22 +0800

[diff] [blame]

595

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

596

return 0;

XiaokangQian

2022-01-27 10:36:51 +0000

[diff] [blame]

597

}

598

Ronald Cron

2022-10-04 16:38:25 +0200

[diff] [blame]

599

#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

600

/*

601

* ssl_tls13_write_psk_key_exchange_modes_ext() structure:

602

*

603

* enum { psk_ke( 0 ), psk_dhe_ke( 1 ), ( 255 ) } PskKeyExchangeMode;

604

*

605

* struct {

606

* PskKeyExchangeMode ke_modes<1..255>;

607

* } PskKeyExchangeModes;

608

*/

XiaokangQian

8698195

2022-07-19 09:51:50 +0000

[diff] [blame]

609

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

610

static int ssl_tls13_write_psk_key_exchange_modes_ext(mbedtls_ssl_context *ssl,

611

unsigned char *buf,

612

unsigned char *end,

613

size_t *out_len)

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

614

{

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

615

unsigned char *p = buf;

XiaokangQian

2022-07-14 07:54:01 +0000

[diff] [blame]

616

int ke_modes_len = 0;

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

617

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

618

((void) ke_modes_len);

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

619

*out_len = 0;

XiaokangQian

2022-07-14 07:54:01 +0000

[diff] [blame]

620

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

621

/* Skip writing extension if no PSK key exchange mode

XiaokangQian

7c12d31

2022-07-20 07:25:43 +0000

[diff] [blame]

622

* is enabled in the config.

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

623

*/

Pengyu Lv

2023-11-14 11:03:32 +0800

[diff] [blame]

624

if (!mbedtls_ssl_conf_tls13_is_some_psk_enabled(ssl)) {

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

625

MBEDTLS_SSL_DEBUG_MSG(3, ("skip psk_key_exchange_modes extension"));

626

return 0;

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

627

}

628

629

/* Require 7 bytes of data, otherwise fail,

630

* even if extension might be shorter.

631

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

632

MBEDTLS_SSL_CHK_BUF_PTR(p, end, 7);

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

633

MBEDTLS_SSL_DEBUG_MSG(

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

634

3, ("client hello, adding psk_key_exchange_modes extension"));

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

635

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

636

MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES, p, 0);

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

637

XiaokangQian

2022-07-14 07:54:01 +0000

[diff] [blame]

638

/* Skip extension length (2 bytes) and

639

* ke_modes length (1 byte) for now.

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

*/

p += 5;

Pengyu Lv

2023-11-14 11:03:32 +0800

[diff] [blame]

643

if (mbedtls_ssl_conf_tls13_is_psk_ephemeral_enabled(ssl)) {

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

644

*p++ = MBEDTLS_SSL_TLS1_3_PSK_MODE_ECDHE;

XiaokangQian

2022-07-14 07:54:01 +0000

[diff] [blame]

645

ke_modes_len++;

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

646

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

647

MBEDTLS_SSL_DEBUG_MSG(4, ("Adding PSK-ECDHE key exchange mode"));

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

648

}

649

Pengyu Lv

2023-11-14 11:03:32 +0800

[diff] [blame]

650

if (mbedtls_ssl_conf_tls13_is_psk_enabled(ssl)) {

Ronald Cron

a709a0f

2022-09-27 16:46:11 +0200

[diff] [blame]

651

*p++ = MBEDTLS_SSL_TLS1_3_PSK_MODE_PURE;

652

ke_modes_len++;

653

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

654

MBEDTLS_SSL_DEBUG_MSG(4, ("Adding pure PSK key exchange mode"));

Ronald Cron

a709a0f

2022-09-27 16:46:11 +0200

[diff] [blame]

655

}

656

XiaokangQian

2022-07-14 07:54:01 +0000

[diff] [blame]

657

/* Now write the extension and ke_modes length */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

658

MBEDTLS_PUT_UINT16_BE(ke_modes_len + 1, buf, 2);

XiaokangQian

2022-07-14 07:54:01 +0000

[diff] [blame]

659

buf[4] = ke_modes_len;

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

660

661

*out_len = p - buf;

Jerry Yu

2022-08-29 15:25:36 +0800

[diff] [blame]

662

Jerry Yu

2022-10-29 09:08:47 +0800

[diff] [blame]

663

mbedtls_ssl_tls13_set_hs_sent_ext_mask(

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

664

ssl, MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES);

Jerry Yu

2022-10-31 13:31:22 +0800

[diff] [blame]

665

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

666

return 0;

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

667

}

Jerry Yu

db8c5fa

2022-08-03 12:10:13 +0800

[diff] [blame]

668

Norbert Fabritius

ba1de9f

2023-01-24 17:58:13 +0100

[diff] [blame]

669

#if defined(MBEDTLS_SSL_SESSION_TICKETS)

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

670

static psa_algorithm_t ssl_tls13_get_ciphersuite_hash_alg(int ciphersuite)

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

671

{

Jerry Yu

21f9095

2022-10-08 10:30:53 +0800

[diff] [blame]

672

const mbedtls_ssl_ciphersuite_t *ciphersuite_info = NULL;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

673

ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(ciphersuite);

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

674

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

675

if (ciphersuite_info != NULL) {

Dave Rodgman

2eab462

2023-10-05 13:30:37 +0100

[diff] [blame]

676

return mbedtls_md_psa_alg_from_type((mbedtls_md_type_t) ciphersuite_info->mac);

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

677

}

Jerry Yu

2022-10-08 11:17:14 +0800

[diff] [blame]

678

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

679

return PSA_ALG_NONE;

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

680

}

681

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

682

static int ssl_tls13_has_configured_ticket(mbedtls_ssl_context *ssl)

Xiaokang Qian

b781a23

2022-11-01 07:39:46 +0000

[diff] [blame]

683

{

684

mbedtls_ssl_session *session = ssl->session_negotiate;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

685

return ssl->handshake->resume &&

Pengyu Lv

9356678

2022-12-07 12:10:05 +0800

[diff] [blame]

686

session != NULL && session->ticket != NULL &&

Pengyu Lv

fc2cb96

2023-11-10 10:22:36 +0800

[diff] [blame]

687

mbedtls_ssl_conf_tls13_is_kex_mode_enabled(

Pengyu Lv

2023-12-06 10:04:17 +0800

[diff] [blame]

688

ssl, mbedtls_ssl_tls13_session_get_ticket_flags(

Pengyu Lv

9b84ea7

2023-01-16 14:08:23 +0800

[diff] [blame]

689

session, MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL));

Xiaokang Qian

b781a23

2022-11-01 07:39:46 +0000

[diff] [blame]

690

}

691

Xiaokang Qian

01323a4

2022-11-03 02:27:35 +0000

[diff] [blame]

692

#if defined(MBEDTLS_SSL_EARLY_DATA)

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

693

static int ssl_tls13_early_data_has_valid_ticket(mbedtls_ssl_context *ssl)

Xiaokang Qian

01323a4

2022-11-03 02:27:35 +0000

[diff] [blame]

694

{

695

mbedtls_ssl_session *session = ssl->session_negotiate;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

696

return ssl->handshake->resume &&

697

session->tls_version == MBEDTLS_SSL_VERSION_TLS1_3 &&

Pengyu Lv

2023-12-06 10:04:17 +0800

[diff] [blame]

698

mbedtls_ssl_tls13_session_ticket_allow_early_data(session) &&

Jerry Yu

c2b1bc4

2023-11-22 10:08:13 +0800

[diff] [blame]

699

mbedtls_ssl_tls13_cipher_suite_is_offered(ssl, session->ciphersuite);

Xiaokang Qian

01323a4

2022-11-03 02:27:35 +0000

[diff] [blame]

}

#endif

Xiaokang Qian

2022-11-01 07:39:46 +0000

[diff] [blame]

703

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

704

static int ssl_tls13_ticket_get_identity(mbedtls_ssl_context *ssl,

705

psa_algorithm_t *hash_alg,

706

const unsigned char **identity,

707

size_t *identity_len)

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

708

{

709

mbedtls_ssl_session *session = ssl->session_negotiate;

Jerry Yu

2022-09-30 10:00:20 +0800

[diff] [blame]

710

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

711

if (!ssl_tls13_has_configured_ticket(ssl)) {

712

return -1;

713

}

Jerry Yu

2022-09-30 10:00:20 +0800

[diff] [blame]

714

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

715

*hash_alg = ssl_tls13_get_ciphersuite_hash_alg(session->ciphersuite);

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

716

*identity = session->ticket;

717

*identity_len = session->ticket_len;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

718

return 0;

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

719

}

720

Jerry Yu

2022-09-28 22:11:02 +0800

[diff] [blame]

721

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

722

static int ssl_tls13_ticket_get_psk(mbedtls_ssl_context *ssl,

723

psa_algorithm_t *hash_alg,

724

const unsigned char **psk,

725

size_t *psk_len)

Jerry Yu

2022-09-28 22:11:02 +0800

[diff] [blame]

726

{

727

728

mbedtls_ssl_session *session = ssl->session_negotiate;

729

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

730

if (!ssl_tls13_has_configured_ticket(ssl)) {

731

return -1;

732

}

Jerry Yu

2022-09-30 10:00:20 +0800

[diff] [blame]

733

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

734

*hash_alg = ssl_tls13_get_ciphersuite_hash_alg(session->ciphersuite);

Jerry Yu

2022-09-28 22:11:02 +0800

[diff] [blame]

735

*psk = session->resumption_key;

736

*psk_len = session->resumption_key_len;

737

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

738

return 0;

Jerry Yu

2022-09-28 22:11:02 +0800

[diff] [blame]

739

}

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

740

#endif /* MBEDTLS_SSL_SESSION_TICKETS */

741

742

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

743

static int ssl_tls13_psk_get_identity(mbedtls_ssl_context *ssl,

744

psa_algorithm_t *hash_alg,

745

const unsigned char **identity,

746

size_t *identity_len)

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

747

{

Jerry Yu

2022-09-30 10:00:20 +0800

[diff] [blame]

748

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

749

if (!mbedtls_ssl_conf_has_static_psk(ssl->conf)) {

750

return -1;

751

}

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

752

Jerry Yu

2022-10-08 11:17:14 +0800

[diff] [blame]

753

*hash_alg = PSA_ALG_SHA_256;

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

754

*identity = ssl->conf->psk_identity;

755

*identity_len = ssl->conf->psk_identity_len;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

756

return 0;

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

757

}

758

Jerry Yu

2022-09-28 22:11:02 +0800

[diff] [blame]

759

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

760

static int ssl_tls13_psk_get_psk(mbedtls_ssl_context *ssl,

761

psa_algorithm_t *hash_alg,

762

const unsigned char **psk,

763

size_t *psk_len)

Jerry Yu

2022-09-28 22:11:02 +0800

[diff] [blame]

764

{

Jerry Yu

2022-09-30 10:00:20 +0800

[diff] [blame]

765

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

766

if (!mbedtls_ssl_conf_has_static_psk(ssl->conf)) {

767

return -1;

768

}

Jerry Yu

2022-09-30 10:00:20 +0800

[diff] [blame]

769

Jerry Yu

2022-10-08 11:17:14 +0800

[diff] [blame]

770

*hash_alg = PSA_ALG_SHA_256;

Jerry Yu

2022-09-28 22:11:02 +0800

[diff] [blame]

771

*psk = ssl->conf->psk;

772

*psk_len = ssl->conf->psk_len;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

773

return 0;

Jerry Yu

2022-09-28 22:11:02 +0800

[diff] [blame]

774

}

775

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

776

static int ssl_tls13_get_configured_psk_count(mbedtls_ssl_context *ssl)

Jerry Yu

2022-09-30 10:30:31 +0800

[diff] [blame]

777

{

778

int configured_psk_count = 0;

779

#if defined(MBEDTLS_SSL_SESSION_TICKETS)

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

780

if (ssl_tls13_has_configured_ticket(ssl)) {

781

MBEDTLS_SSL_DEBUG_MSG(3, ("Ticket is configured"));

Jerry Yu

2022-09-30 10:30:31 +0800

[diff] [blame]

782

configured_psk_count++;

783

}

784

#endif

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

785

if (mbedtls_ssl_conf_has_static_psk(ssl->conf)) {

786

MBEDTLS_SSL_DEBUG_MSG(3, ("PSK is configured"));

Jerry Yu

2022-09-30 10:30:31 +0800

[diff] [blame]

787

configured_psk_count++;

788

}

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

789

return configured_psk_count;

Jerry Yu

2022-09-30 10:30:31 +0800

[diff] [blame]

790

}

791

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

792

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

793

static int ssl_tls13_write_identity(mbedtls_ssl_context *ssl,

794

unsigned char *buf,

795

unsigned char *end,

796

const unsigned char *identity,

797

size_t identity_len,

798

uint32_t obfuscated_ticket_age,

799

size_t *out_len)

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

800

{

Jerry Yu

2022-09-30 10:30:31 +0800

[diff] [blame]

801

((void) ssl);

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

802

*out_len = 0;

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

803

804

/*

805

* - identity_len (2 bytes)

806

* - identity (psk_identity_len bytes)

807

* - obfuscated_ticket_age (4 bytes)

808

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

809

MBEDTLS_SSL_CHK_BUF_PTR(buf, end, 6 + identity_len);

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

810

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

811

MBEDTLS_PUT_UINT16_BE(identity_len, buf, 0);

812

memcpy(buf + 2, identity, identity_len);

813

MBEDTLS_PUT_UINT32_BE(obfuscated_ticket_age, buf, 2 + identity_len);

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

814

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

815

MBEDTLS_SSL_DEBUG_BUF(4, "write identity", buf, 6 + identity_len);

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

816

817

*out_len = 6 + identity_len;

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

818

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

819

return 0;

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

820

}

821

Jerry Yu

2022-09-30 10:00:20 +0800

[diff] [blame]

822

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

823

static int ssl_tls13_write_binder(mbedtls_ssl_context *ssl,

unsigned char *buf,

unsigned char *end,

int psk_type,

psa_algorithm_t hash_alg,

828

const unsigned char *psk,

829

size_t psk_len,

830

size_t *out_len)

Jerry Yu

2022-09-30 10:00:20 +0800

[diff] [blame]

831

{

832

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

Jerry Yu

2022-09-30 10:00:20 +0800

[diff] [blame]

833

unsigned char binder_len;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

834

unsigned char transcript[MBEDTLS_TLS1_3_MD_MAX_SIZE];

Jerry Yu

2022-09-30 10:00:20 +0800

[diff] [blame]

835

size_t transcript_len = 0;

*out_len = 0;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

839

binder_len = PSA_HASH_LENGTH(hash_alg);

Jerry Yu

2022-09-30 10:00:20 +0800

[diff] [blame]

840

841

/*

842

* - binder_len (1 bytes)

843

* - binder (binder_len bytes)

844

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

845

MBEDTLS_SSL_CHK_BUF_PTR(buf, end, 1 + binder_len);

Jerry Yu

2022-09-30 10:00:20 +0800

[diff] [blame]

846

Jerry Yu

2022-10-08 11:17:14 +0800

[diff] [blame]

847

buf[0] = binder_len;

Jerry Yu

2022-09-30 10:00:20 +0800

[diff] [blame]

848

849

/* Get current state of handshake transcript. */

850

ret = mbedtls_ssl_get_handshake_transcript(

Manuel Pégourié-Gonnard

2d6d993

2023-03-28 11:38:08 +0200

[diff] [blame]

851

ssl, mbedtls_md_type_from_psa_alg(hash_alg),

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

852

transcript, sizeof(transcript), &transcript_len);

853

if (ret != 0) {

854

return ret;

Jerry Yu

2022-09-30 10:00:20 +0800

[diff] [blame]

855

}

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

856

857

ret = mbedtls_ssl_tls13_create_psk_binder(ssl, hash_alg,

858

psk, psk_len, psk_type,

859

transcript, buf + 1);

860

if (ret != 0) {

861

MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_tls13_create_psk_binder", ret);

862

return ret;

863

}

864

MBEDTLS_SSL_DEBUG_BUF(4, "write binder", buf, 1 + binder_len);

Jerry Yu

2022-09-30 10:00:20 +0800

[diff] [blame]

865

866

*out_len = 1 + binder_len;

867

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

868

return 0;

Jerry Yu

2022-09-30 10:00:20 +0800

[diff] [blame]

}

/*

* mbedtls_ssl_tls13_write_identities_of_pre_shared_key_ext() structure:

873

*

874

* struct {

875

* opaque identity<1..2^16-1>;

876

* uint32 obfuscated_ticket_age;

877

* } PskIdentity;

878

*

879

* opaque PskBinderEntry<32..255>;

880

*

881

* struct {

882

* PskIdentity identities<7..2^16-1>;

883

* PskBinderEntry binders<33..2^16-1>;

* } OfferedPsks;

*

* struct {

* select (Handshake.msg_type) {

888

* case client_hello: OfferedPsks;

889

* ...

890

* };

891

* } PreSharedKeyExtension;

892

*

893

*/

XiaokangQian

3ad67bf

2022-07-21 02:26:21 +0000

[diff] [blame]

894

int mbedtls_ssl_tls13_write_identities_of_pre_shared_key_ext(

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

895

mbedtls_ssl_context *ssl, unsigned char *buf, unsigned char *end,

896

size_t *out_len, size_t *binders_len)

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

897

{

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

898

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

Jerry Yu

2022-09-30 10:30:31 +0800

[diff] [blame]

899

int configured_psk_count = 0;

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

900

unsigned char *p = buf;

Xiaokang Qian

854db28

2022-12-19 07:31:27 +0000

[diff] [blame]

901

psa_algorithm_t hash_alg = PSA_ALG_NONE;

Jerry Yu

2022-09-30 10:30:31 +0800

[diff] [blame]

902

const unsigned char *identity;

903

size_t identity_len;

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

904

size_t l_binders_len = 0;

Jerry Yu

2022-09-30 10:30:31 +0800

[diff] [blame]

905

size_t output_len;

Xiaokang Qian

7179f81

2023-02-03 03:38:44 +0000

[diff] [blame]

906

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

*out_len = 0;

*binders_len = 0;

/* Check if we have any PSKs to offer. If no, skip pre_shared_key */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

911

configured_psk_count = ssl_tls13_get_configured_psk_count(ssl);

912

if (configured_psk_count == 0) {

913

MBEDTLS_SSL_DEBUG_MSG(3, ("skip pre_shared_key extensions"));

914

return 0;

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

915

}

916

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

917

MBEDTLS_SSL_DEBUG_MSG(4, ("Pre-configured PSK number = %d",

918

configured_psk_count));

Jerry Yu

2022-09-30 10:30:31 +0800

[diff] [blame]

919

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

920

/* Check if we have space to write the extension, binders included.

921

* - extension_type (2 bytes)

922

* - extension_data_len (2 bytes)

923

* - identities_len (2 bytes)

924

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

925

MBEDTLS_SSL_CHK_BUF_PTR(p, end, 6);

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

926

p += 6;

927

Jerry Yu

2022-09-30 10:30:31 +0800

[diff] [blame]

928

#if defined(MBEDTLS_SSL_SESSION_TICKETS)

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

929

if (ssl_tls13_ticket_get_identity(

930

ssl, &hash_alg, &identity, &identity_len) == 0) {

Jerry Yu

2022-09-30 10:30:31 +0800

[diff] [blame]

931

#if defined(MBEDTLS_HAVE_TIME)

Jerry Yu

cebffc3

2022-12-15 18:00:05 +0800

[diff] [blame]

932

mbedtls_ms_time_t now = mbedtls_ms_time();

Jerry Yu

2022-09-30 10:30:31 +0800

[diff] [blame]

933

mbedtls_ssl_session *session = ssl->session_negotiate;

Jerry Yu

cf91351

2023-11-14 11:06:52 +0800

[diff] [blame]

934

/* The ticket age has been checked to be smaller than the

Jerry Yu

46c7926

2023-11-10 13:58:16 +0800

[diff] [blame]

935

* `ticket_lifetime` in ssl_prepare_client_hello() which is smaller than

936

* 7 days (enforced in ssl_tls13_parse_new_session_ticket()) . Thus the

937

* cast to `uint32_t` of the ticket age is safe. */

Jerry Yu

6916e70

2022-10-10 21:33:51 +0800

[diff] [blame]

938

uint32_t obfuscated_ticket_age =

Jerry Yu

342a555

2023-11-10 14:23:39 +0800

[diff] [blame]

939

(uint32_t) (now - session->ticket_reception_time);

Jerry Yu

2022-09-30 10:30:31 +0800

[diff] [blame]

940

obfuscated_ticket_age += session->ticket_age_add;

Jerry Yu

2022-10-08 11:17:14 +0800

[diff] [blame]

941

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

942

ret = ssl_tls13_write_identity(ssl, p, end,

943

identity, identity_len,

944

obfuscated_ticket_age,

945

&output_len);

Jerry Yu

2022-10-08 11:17:14 +0800

[diff] [blame]

946

#else

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

947

ret = ssl_tls13_write_identity(ssl, p, end, identity, identity_len,

948

0, &output_len);

Jerry Yu

2022-10-08 11:17:14 +0800

[diff] [blame]

949

#endif /* MBEDTLS_HAVE_TIME */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

950

if (ret != 0) {

951

return ret;

952

}

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

953

Jerry Yu

2022-09-30 10:30:31 +0800

[diff] [blame]

954

p += output_len;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

955

l_binders_len += 1 + PSA_HASH_LENGTH(hash_alg);

Jerry Yu

2022-09-30 10:30:31 +0800

[diff] [blame]

956

}

957

#endif /* MBEDTLS_SSL_SESSION_TICKETS */

958

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

959

if (ssl_tls13_psk_get_identity(

960

ssl, &hash_alg, &identity, &identity_len) == 0) {

Jerry Yu

2022-09-30 10:30:31 +0800

[diff] [blame]

961

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

962

ret = ssl_tls13_write_identity(ssl, p, end, identity, identity_len, 0,

&output_len);

if (ret != 0) {

return ret;

}

Jerry Yu

2022-09-30 10:30:31 +0800

[diff] [blame]

967

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

968

p += output_len;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

969

l_binders_len += 1 + PSA_HASH_LENGTH(hash_alg);

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

970

}

971

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

972

MBEDTLS_SSL_DEBUG_MSG(3,

973

("client hello, adding pre_shared_key extension, "

974

"omitting PSK binder list"));

Jerry Yu

2022-10-08 11:17:14 +0800

[diff] [blame]

975

976

/* Take into account the two bytes for the length of the binders. */

977

l_binders_len += 2;

Jerry Yu

6916e70

2022-10-10 21:33:51 +0800

[diff] [blame]

978

/* Check if there is enough space for binders */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

979

MBEDTLS_SSL_CHK_BUF_PTR(p, end, l_binders_len);

Jerry Yu

2022-10-08 11:17:14 +0800

[diff] [blame]

980

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

981

/*

982

* - extension_type (2 bytes)

983

* - extension_data_len (2 bytes)

984

* - identities_len (2 bytes)

985

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

986

MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_PRE_SHARED_KEY, buf, 0);

987

MBEDTLS_PUT_UINT16_BE(p - buf - 4 + l_binders_len, buf, 2);

988

MBEDTLS_PUT_UINT16_BE(p - buf - 6, buf, 4);

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

989

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

990

*out_len = (p - buf) + l_binders_len;

Jerry Yu

2022-10-08 11:17:14 +0800

[diff] [blame]

991

*binders_len = l_binders_len;

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

992

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

993

MBEDTLS_SSL_DEBUG_BUF(3, "pre_shared_key identities", buf, p - buf);

Jerry Yu

2022-09-28 22:09:38 +0800

[diff] [blame]

994

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

995

return 0;

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

996

}

997

XiaokangQian

8698195

2022-07-19 09:51:50 +0000

[diff] [blame]

998

int mbedtls_ssl_tls13_write_binders_of_pre_shared_key_ext(

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

999

mbedtls_ssl_context *ssl, unsigned char *buf, unsigned char *end)

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

1000

{

Jerry Yu

2022-09-28 22:11:02 +0800

[diff] [blame]

1001

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

1002

unsigned char *p = buf;

Jerry Yu

2022-09-30 11:08:57 +0800

[diff] [blame]

1003

psa_algorithm_t hash_alg = PSA_ALG_NONE;

1004

const unsigned char *psk;

1005

size_t psk_len;

1006

size_t output_len;

Jerry Yu

2022-09-28 22:11:02 +0800

[diff] [blame]

1007

1008

/* Check if we have space to write binders_len.

1009

* - binders_len (2 bytes)

1010

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1011

MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2);

Jerry Yu

2022-09-28 22:11:02 +0800

[diff] [blame]

1012

p += 2;

1013

Jerry Yu

2022-09-30 11:08:57 +0800

[diff] [blame]

1014

#if defined(MBEDTLS_SSL_SESSION_TICKETS)

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1015

if (ssl_tls13_ticket_get_psk(ssl, &hash_alg, &psk, &psk_len) == 0) {

Jerry Yu

2022-09-30 11:08:57 +0800

[diff] [blame]

1016

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1017

ret = ssl_tls13_write_binder(ssl, p, end,

1018

MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION,

1019

hash_alg, psk, psk_len,

&output_len);

if (ret != 0) {

return ret;

}

Jerry Yu

2022-09-28 22:11:02 +0800

[diff] [blame]

1024

p += output_len;

1025

}

Jerry Yu

2022-09-30 11:08:57 +0800

[diff] [blame]

1026

#endif /* MBEDTLS_SSL_SESSION_TICKETS */

Jerry Yu

2022-09-28 22:11:02 +0800

[diff] [blame]

1027

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1028

if (ssl_tls13_psk_get_psk(ssl, &hash_alg, &psk, &psk_len) == 0) {

Jerry Yu

2022-09-30 11:08:57 +0800

[diff] [blame]

1029

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1030

ret = ssl_tls13_write_binder(ssl, p, end,

1031

MBEDTLS_SSL_TLS1_3_PSK_EXTERNAL,

1032

hash_alg, psk, psk_len,

&output_len);

if (ret != 0) {

return ret;

}

Jerry Yu

2022-09-28 22:11:02 +0800

[diff] [blame]

p += output_len;

}

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1040

MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, adding PSK binder list."));

Jerry Yu

2022-09-28 22:11:02 +0800

[diff] [blame]

1041

1042

/*

1043

* - binders_len (2 bytes)

1044

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1045

MBEDTLS_PUT_UINT16_BE(p - buf - 2, buf, 0);

Jerry Yu

2022-09-28 22:11:02 +0800

[diff] [blame]

1046

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1047

MBEDTLS_SSL_DEBUG_BUF(3, "pre_shared_key binders", buf, p - buf);

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

1048

Jerry Yu

2022-10-29 09:08:47 +0800

[diff] [blame]

1049

mbedtls_ssl_tls13_set_hs_sent_ext_mask(

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1050

ssl, MBEDTLS_TLS_EXT_PRE_SHARED_KEY);

Jerry Yu

2022-08-29 15:25:36 +0800

[diff] [blame]

1051

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1052

return 0;

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

1053

}

Jerry Yu

0c6105b

2022-08-12 17:26:40 +0800

[diff] [blame]

/*

* struct {

* opaque identity<1..2^16-1>;

1058

* uint32 obfuscated_ticket_age;

1059

* } PskIdentity;

1060

*

1061

* opaque PskBinderEntry<32..255>;

*

* struct {

*

* select (Handshake.msg_type) {

1066

* ...

1067

* case server_hello: uint16 selected_identity;

1068

* };

1069

*

1070

* } PreSharedKeyExtension;

1071

*

1072

*/

1073

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1074

static int ssl_tls13_parse_server_pre_shared_key_ext(mbedtls_ssl_context *ssl,

1075

const unsigned char *buf,

1076

const unsigned char *end)

Jerry Yu

0c6105b

2022-08-12 17:26:40 +0800

[diff] [blame]

1077

{

Jerry Yu

2022-10-08 11:17:14 +0800

[diff] [blame]

1078

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

Jerry Yu

2022-09-28 22:12:07 +0800

[diff] [blame]

1079

int selected_identity;

Jerry Yu

2022-09-28 22:12:07 +0800

[diff] [blame]

1080

const unsigned char *psk;

1081

size_t psk_len;

Jerry Yu

2022-10-08 11:17:14 +0800

[diff] [blame]

1082

psa_algorithm_t hash_alg;

Jerry Yu

2022-09-28 22:12:07 +0800

[diff] [blame]

1083

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1084

MBEDTLS_SSL_CHK_BUF_READ_PTR(buf, end, 2);

1085

selected_identity = MBEDTLS_GET_UINT16_BE(buf, 0);

Xiaokang Qian

2a67493

2023-01-04 03:15:09 +0000

[diff] [blame]

1086

ssl->handshake->selected_identity = (uint16_t) selected_identity;

Jerry Yu

2022-10-08 11:17:14 +0800

[diff] [blame]

1087

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1088

MBEDTLS_SSL_DEBUG_MSG(3, ("selected_identity = %d", selected_identity));

Jerry Yu

2022-10-08 11:17:14 +0800

[diff] [blame]

1089

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1090

if (selected_identity >= ssl_tls13_get_configured_psk_count(ssl)) {

1091

MBEDTLS_SSL_DEBUG_MSG(1, ("Invalid PSK identity."));

Jerry Yu

4a69834

2022-09-30 12:22:01 +0800

[diff] [blame]

1092

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1093

MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,

1094

MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);

1095

return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;

Jerry Yu

2022-09-28 22:12:07 +0800

[diff] [blame]

1096

}

Jerry Yu

2022-10-08 11:17:14 +0800

[diff] [blame]

1097

Jerry Yu

4a69834

2022-09-30 12:22:01 +0800

[diff] [blame]

1098

#if defined(MBEDTLS_SSL_SESSION_TICKETS)

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1099

if (selected_identity == 0 && ssl_tls13_has_configured_ticket(ssl)) {

1100

ret = ssl_tls13_ticket_get_psk(ssl, &hash_alg, &psk, &psk_len);

1101

} else

Jerry Yu

4a69834

2022-09-30 12:22:01 +0800

[diff] [blame]

1102

#endif

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1103

if (mbedtls_ssl_conf_has_static_psk(ssl->conf)) {

1104

ret = ssl_tls13_psk_get_psk(ssl, &hash_alg, &psk, &psk_len);

1105

} else {

1106

MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));

1107

return MBEDTLS_ERR_SSL_INTERNAL_ERROR;

Jerry Yu

2022-09-28 22:12:07 +0800

[diff] [blame]

1108

}

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1109

if (ret != 0) {

1110

return ret;

Jerry Yu

2022-09-28 22:12:07 +0800

[diff] [blame]

1111

}

Jerry Yu

2022-09-28 22:12:07 +0800

[diff] [blame]

1112

Dave Rodgman

2eab462

2023-10-05 13:30:37 +0100

[diff] [blame]

1113

if (mbedtls_md_psa_alg_from_type((mbedtls_md_type_t) ssl->handshake->ciphersuite_info->mac)

Xiaokang Qian

eb31cbc

2023-02-07 02:08:56 +0000

[diff] [blame]

1114

!= hash_alg) {

1115

MBEDTLS_SSL_DEBUG_MSG(

1116

1, ("Invalid ciphersuite for external psk."));

1117

1118

MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,

1119

MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);

1120

return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;

1121

}

1122

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1123

ret = mbedtls_ssl_set_hs_psk(ssl, psk, psk_len);

1124

if (ret != 0) {

1125

MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_set_hs_psk", ret);

return ret;

}

return 0;

Jerry Yu

0c6105b

2022-08-12 17:26:40 +0800

[diff] [blame]

1130

}

Ronald Cron

2022-10-04 16:38:25 +0200

[diff] [blame]

1131

#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

1132

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1133

int mbedtls_ssl_tls13_write_client_hello_exts(mbedtls_ssl_context *ssl,

1134

unsigned char *buf,

1135

unsigned char *end,

1136

size_t *out_len)

Ronald Cron

2022-02-18 12:06:07 +0100

[diff] [blame]

1137

{

1138

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

1139

unsigned char *p = buf;

size_t ext_len;

*out_len = 0;

Gilles Peskine

2024-08-23 21:55:24 +0200

[diff] [blame]

1144

ret = mbedtls_ssl_tls13_crypto_init(ssl);

if (ret != 0) {

return ret;

}

Ronald Cron

2022-02-18 12:06:07 +0100

[diff] [blame]

1149

/* Write supported_versions extension

1150

*

1151

* Supported Versions Extension is mandatory with TLS 1.3.

1152

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1153

ret = ssl_tls13_write_supported_versions_ext(ssl, p, end, &ext_len);

1154

if (ret != 0) {

1155

return ret;

1156

}

Ronald Cron

2022-02-18 12:06:07 +0100

[diff] [blame]

1157

p += ext_len;

1158

1159

/* Echo the cookie if the server provided one in its preceding

1160

* HelloRetryRequest message.

1161

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1162

ret = ssl_tls13_write_cookie_ext(ssl, p, end, &ext_len);

1163

if (ret != 0) {

1164

return ret;

1165

}

Ronald Cron

2022-02-18 12:06:07 +0100

[diff] [blame]

1166

p += ext_len;

1167

Yanray Wang

42017cd

2023-11-08 11:15:23 +0800

[diff] [blame]

1168

#if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)

1169

ret = mbedtls_ssl_tls13_write_record_size_limit_ext(

Waleed Elmelegy

148dfb6

2024-01-04 18:02:35 +0000

[diff] [blame]

1170

ssl, p, end, &ext_len);

Yanray Wang

42017cd

2023-11-08 11:15:23 +0800

[diff] [blame]

if (ret != 0) {

return ret;

}

p += ext_len;

#endif

Ronald Cron

2022-10-18 12:17:11 +0200

[diff] [blame]

1177

#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)

Pengyu Lv

2023-11-14 11:03:32 +0800

[diff] [blame]

1178

if (mbedtls_ssl_conf_tls13_is_some_ephemeral_enabled(ssl)) {

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1179

ret = ssl_tls13_write_key_share_ext(ssl, p, end, &ext_len);

1180

if (ret != 0) {

1181

return ret;

1182

}

Ronald Cron

2022-02-18 12:06:07 +0100

[diff] [blame]

1183

p += ext_len;

1184

}

Ronald Cron

766c0cd

2022-10-18 12:17:11 +0200

[diff] [blame]

1185

#endif

Ronald Cron

2022-02-18 12:06:07 +0100

[diff] [blame]

1186

Xiaokang Qian

0e97d4d

2022-10-24 11:12:51 +0000

[diff] [blame]

1187

#if defined(MBEDTLS_SSL_EARLY_DATA)

Ronald Cron

84dfbf4

2024-02-14 10:38:09 +0100

[diff] [blame]

1188

/* In the first ClientHello, write the early data indication extension if

Ronald Cron

2024-03-03 15:03:22 +0100

[diff] [blame]

1189

* necessary and update the early data state.

Ronald Cron

84dfbf4

2024-02-14 10:38:09 +0100

[diff] [blame]

1190

* If an HRR has been received and thus we are currently writing the

1191

* second ClientHello, the second ClientHello must not contain an early

Ronald Cron

2024-03-03 15:03:22 +0100

[diff] [blame]

1192

* data extension and the early data state must stay as it is:

Ronald Cron

2024-03-03 15:46:57 +0100

[diff] [blame]

1193

* MBEDTLS_SSL_EARLY_DATA_STATE_NO_IND_SENT or

Ronald Cron

2024-03-03 15:03:22 +0100

[diff] [blame]

1194

* MBEDTLS_SSL_EARLY_DATA_STATE_REJECTED.

Ronald Cron

84dfbf4

2024-02-14 10:38:09 +0100

[diff] [blame]

1195

*/

Ronald Cron

2024-02-14 10:03:36 +0100

[diff] [blame]

1196

if (!ssl->handshake->hello_retry_request_flag) {

Ronald Cron

2024-01-22 15:24:21 +0100

[diff] [blame]

1197

if (mbedtls_ssl_conf_tls13_is_some_psk_enabled(ssl) &&

1198

ssl_tls13_early_data_has_valid_ticket(ssl) &&

1199

ssl->conf->early_data_enabled == MBEDTLS_SSL_EARLY_DATA_ENABLED) {

1200

ret = mbedtls_ssl_tls13_write_early_data_ext(

1201

ssl, 0, p, end, &ext_len);

if (ret != 0) {

return ret;

}

p += ext_len;

Jerry Yu

5233539

2023-11-23 18:06:06 +0800

[diff] [blame]

1206

Ronald Cron

3641df2

2024-03-03 16:10:58 +0100

[diff] [blame]

1207

ssl->early_data_state = MBEDTLS_SSL_EARLY_DATA_STATE_IND_SENT;

Ronald Cron

2024-01-22 15:24:21 +0100

[diff] [blame]

1208

} else {

Ronald Cron

2024-03-03 15:46:57 +0100

[diff] [blame]

1209

ssl->early_data_state = MBEDTLS_SSL_EARLY_DATA_STATE_NO_IND_SENT;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1210

}

Xiaokang Qian

0e97d4d

2022-10-24 11:12:51 +0000

[diff] [blame]

1211

}

1212

#endif /* MBEDTLS_SSL_EARLY_DATA */

1213

Ronald Cron

2022-10-04 16:38:25 +0200

[diff] [blame]

1214

#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

1215

/* For PSK-based key exchange we need the pre_shared_key extension

1216

* and the psk_key_exchange_modes extension.

1217

*

1218

* The pre_shared_key extension MUST be the last extension in the

1219

* ClientHello. Servers MUST check that it is the last extension and

1220

* otherwise fail the handshake with an "illegal_parameter" alert.

1221

*

1222

* Add the psk_key_exchange_modes extension.

1223

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1224

ret = ssl_tls13_write_psk_key_exchange_modes_ext(ssl, p, end, &ext_len);

1225

if (ret != 0) {

1226

return ret;

1227

}

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

1228

p += ext_len;

Ronald Cron

2022-10-04 16:38:25 +0200

[diff] [blame]

1229

#endif

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

1230

Ronald Cron

2022-02-18 12:06:07 +0100

[diff] [blame]

1231

*out_len = p - buf;

1232

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1233

return 0;

Ronald Cron

2022-02-18 12:06:07 +0100

[diff] [blame]

1234

}

1235

Xiaokang Qian

934ce6f

2023-02-06 10:23:04 +0000

[diff] [blame]

1236

int mbedtls_ssl_tls13_finalize_client_hello(mbedtls_ssl_context *ssl)

Xiaokang Qian

2023-01-03 10:29:41 +0000

[diff] [blame]

1237

{

Xiaokang Qian

9074613

2023-01-06 05:54:59 +0000

[diff] [blame]

1238

((void) ssl);

Xiaokang Qian

79f7752

2023-01-28 10:35:29 +0000

[diff] [blame]

1239

Xiaokang Qian

2023-01-03 10:29:41 +0000

[diff] [blame]

1240

#if defined(MBEDTLS_SSL_EARLY_DATA)

1241

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

1242

psa_algorithm_t hash_alg = PSA_ALG_NONE;

1243

const unsigned char *psk;

1244

size_t psk_len;

1245

const mbedtls_ssl_ciphersuite_t *ciphersuite_info;

Xiaokang Qian

592021a

2023-01-04 10:47:05 +0000

[diff] [blame]

1246

Ronald Cron

3641df2

2024-03-03 16:10:58 +0100

[diff] [blame]

1247

if (ssl->early_data_state == MBEDTLS_SSL_EARLY_DATA_STATE_IND_SENT) {

Xiaokang Qian

2023-01-03 10:29:41 +0000

[diff] [blame]

1248

MBEDTLS_SSL_DEBUG_MSG(

1249

1, ("Set hs psk for early data when writing the first psk"));

1250

1251

ret = ssl_tls13_ticket_get_psk(ssl, &hash_alg, &psk, &psk_len);

1252

if (ret != 0) {

1253

MBEDTLS_SSL_DEBUG_RET(

1254

1, "ssl_tls13_ticket_get_psk", ret);

return ret;

}

ret = mbedtls_ssl_set_hs_psk(ssl, psk, psk_len);

1259

if (ret != 0) {

1260

MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_set_hs_psk", ret);

return ret;

}

Xiaokang Qian

2023-02-07 02:32:23 +0000

[diff] [blame]

1264

/*

1265

* Early data are going to be encrypted using the ciphersuite

1266

* associated with the pre-shared key used for the handshake.

1267

* Note that if the server rejects early data, the handshake

1268

* based on the pre-shared key may complete successfully

1269

* with a selected ciphersuite different from the ciphersuite

1270

* associated with the pre-shared key. Only the hashes of the

1271

* two ciphersuites have to be the same. In that case, the

1272

* encrypted handshake data and application data are

1273

* encrypted using a different ciphersuite than the one used for

1274

* the rejected early data.

1275

*/

Xiaokang Qian

2023-01-03 10:29:41 +0000

[diff] [blame]

1276

ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(

1277

ssl->session_negotiate->ciphersuite);

1278

ssl->handshake->ciphersuite_info = ciphersuite_info;

Xiaokang Qian

8dc4ce7

2023-02-07 10:49:50 +0000

[diff] [blame]

1279

Tom Cosgrove

5c8505f

2023-03-07 11:39:52 +0000

[diff] [blame]

1280

/* Enable psk and psk_ephemeral to make stage early happy */

Xiaokang Qian

2023-01-03 10:29:41 +0000

[diff] [blame]

1281

ssl->handshake->key_exchange_mode =

1282

MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL;

1283

1284

/* Start the TLS 1.3 key schedule:

Xiaokang Qian

8dc4ce7

2023-02-07 10:49:50 +0000

[diff] [blame]

1285

* Set the PSK and derive early secret.

Xiaokang Qian

2023-01-03 10:29:41 +0000

[diff] [blame]

1286

*/

1287

ret = mbedtls_ssl_tls13_key_schedule_stage_early(ssl);

1288

if (ret != 0) {

Xiaokang Qian

2023-02-08 06:04:50 +0000

[diff] [blame]

1289

MBEDTLS_SSL_DEBUG_RET(

1290

1, "mbedtls_ssl_tls13_key_schedule_stage_early", ret);

Xiaokang Qian

2023-01-03 10:29:41 +0000

[diff] [blame]

return ret;

}

/* Derive early data key material */

1295

ret = mbedtls_ssl_tls13_compute_early_transform(ssl);

1296

if (ret != 0) {

Xiaokang Qian

2023-02-08 06:04:50 +0000

[diff] [blame]

1297

MBEDTLS_SSL_DEBUG_RET(

1298

1, "mbedtls_ssl_tls13_compute_early_transform", ret);

Xiaokang Qian

2023-01-03 10:29:41 +0000

[diff] [blame]

return ret;

}

Ronald Cron

2024-01-19 08:15:33 +0100

[diff] [blame]

1302

#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)

1303

mbedtls_ssl_handshake_set_state(

1304

ssl, MBEDTLS_SSL_CLIENT_CCS_AFTER_CLIENT_HELLO);

1305

#else

1306

MBEDTLS_SSL_DEBUG_MSG(

1307

1, ("Switch to early data keys for outbound traffic"));

1308

mbedtls_ssl_set_outbound_transform(

1309

ssl, ssl->handshake->transform_earlydata);

Ronald Cron

2024-03-03 15:03:22 +0100

[diff] [blame]

1310

ssl->early_data_state = MBEDTLS_SSL_EARLY_DATA_STATE_CAN_WRITE;

Ronald Cron

297c608

2024-01-19 08:15:33 +0100

[diff] [blame]

1311

#endif

Xiaokang Qian

2023-01-03 10:29:41 +0000

[diff] [blame]

1312

}

1313

#endif /* MBEDTLS_SSL_EARLY_DATA */

1314

return 0;

1315

}

Jerry Yu

1bc2c1f

2021-09-01 12:57:29 +0800

[diff] [blame]

1316

/*

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1317

* Functions for parsing and processing Server Hello

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1318

*/

Ronald Cron

2022-04-05 11:04:20 +0200

[diff] [blame]

1319

Ronald Cron

da41b38

2022-03-30 09:57:11 +0200

[diff] [blame]

1320

/**

1321

* \brief Detect if the ServerHello contains a supported_versions extension

1322

* or not.

1323

*

1324

* \param[in] ssl SSL context

1325

* \param[in] buf Buffer containing the ServerHello message

1326

* \param[in] end End of the buffer containing the ServerHello message

1327

*

1328

* \return 0 if the ServerHello does not contain a supported_versions extension

1329

* \return 1 if the ServerHello contains a supported_versions extension

1330

* \return A negative value if an error occurred while parsing the ServerHello.

1331

*/

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

1332

MBEDTLS_CHECK_RETURN_CRITICAL

Ronald Cron

2022-02-10 16:45:15 +0100

[diff] [blame]

1333

static int ssl_tls13_is_supported_versions_ext_present(

1334

mbedtls_ssl_context *ssl,

1335

const unsigned char *buf,

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1336

const unsigned char *end)

Ronald Cron

2022-02-10 16:45:15 +0100

[diff] [blame]

1337

{

1338

const unsigned char *p = buf;

1339

size_t legacy_session_id_echo_len;

Ronald Cron

eff5673

2023-04-03 17:36:31 +0200

[diff] [blame]

1340

const unsigned char *supported_versions_data;

1341

const unsigned char *supported_versions_data_end;

Ronald Cron

2022-02-10 16:45:15 +0100

[diff] [blame]

1342

1343

/*

1344

* Check there is enough data to access the legacy_session_id_echo vector

Ronald Cron

da41b38

2022-03-30 09:57:11 +0200

[diff] [blame]

1345

* length:

1346

* - legacy_version 2 bytes

1347

* - random MBEDTLS_SERVER_HELLO_RANDOM_LEN bytes

1348

* - legacy_session_id_echo length 1 byte

Ronald Cron

2022-02-10 16:45:15 +0100

[diff] [blame]

1349

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1350

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, MBEDTLS_SERVER_HELLO_RANDOM_LEN + 3);

Ronald Cron

2022-02-10 16:45:15 +0100

[diff] [blame]

1351

p += MBEDTLS_SERVER_HELLO_RANDOM_LEN + 2;

1352

legacy_session_id_echo_len = *p;

1353

1354

/*

1355

* Jump to the extensions, jumping over:

1356

* - legacy_session_id_echo (legacy_session_id_echo_len + 1) bytes

1357

* - cipher_suite 2 bytes

1358

* - legacy_compression_method 1 byte

1359

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1360

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, legacy_session_id_echo_len + 4);

1361

p += legacy_session_id_echo_len + 4;

Ronald Cron

2022-02-10 16:45:15 +0100

[diff] [blame]

1362

Ronald Cron

47dce63

2023-02-08 17:38:29 +0100

[diff] [blame]

1363

return mbedtls_ssl_tls13_is_supported_versions_ext_present_in_exts(

1364

ssl, p, end,

Ronald Cron

eff5673

2023-04-03 17:36:31 +0200

[diff] [blame]

1365

&supported_versions_data, &supported_versions_data_end);

Ronald Cron

2022-02-10 16:45:15 +0100

[diff] [blame]

1366

}

1367

Jerry Yu

7a186a0

2021-10-15 18:46:14 +0800

[diff] [blame]

1368

/* Returns a negative value on failure, and otherwise

Ronald Cron

2022-04-05 11:04:20 +0200

[diff] [blame]

1369

* - 1 if the last eight bytes of the ServerHello random bytes indicate that

1370

* the server is TLS 1.3 capable but negotiating TLS 1.2 or below.

1371

* - 0 otherwise

1372

*/

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

1373

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1374

static int ssl_tls13_is_downgrade_negotiation(mbedtls_ssl_context *ssl,

1375

const unsigned char *buf,

1376

const unsigned char *end)

Ronald Cron

2022-04-05 11:04:20 +0200

[diff] [blame]

1377

{

1378

/* First seven bytes of the magic downgrade strings, see RFC 8446 4.1.3 */

1379

static const unsigned char magic_downgrade_string[] =

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1380

{ 0x44, 0x4F, 0x57, 0x4E, 0x47, 0x52, 0x44 };

Ronald Cron

2022-04-05 11:04:20 +0200

[diff] [blame]

1381

const unsigned char *last_eight_bytes_of_random;

1382

unsigned char last_byte_of_random;

1383

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1384

MBEDTLS_SSL_CHK_BUF_READ_PTR(buf, end, MBEDTLS_SERVER_HELLO_RANDOM_LEN + 2);

Ronald Cron

2022-04-05 11:04:20 +0200

[diff] [blame]

1385

last_eight_bytes_of_random = buf + 2 + MBEDTLS_SERVER_HELLO_RANDOM_LEN - 8;

1386

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1387

if (memcmp(last_eight_bytes_of_random,

1388

magic_downgrade_string,

1389

sizeof(magic_downgrade_string)) == 0) {

Ronald Cron

2022-04-05 11:04:20 +0200

[diff] [blame]

1390

last_byte_of_random = last_eight_bytes_of_random[7];

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1391

return last_byte_of_random == 0 ||

1392

last_byte_of_random == 1;

Ronald Cron

2022-04-05 11:04:20 +0200

[diff] [blame]

1393

}

1394

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1395

return 0;

Ronald Cron

2022-04-05 11:04:20 +0200

[diff] [blame]

1396

}

1397

1398

/* Returns a negative value on failure, and otherwise

Ronald Cron

2022-05-31 12:04:31 +0200

[diff] [blame]

1399

* - SSL_SERVER_HELLO or

1400

* - SSL_SERVER_HELLO_HRR

XiaokangQian

51eff22

2021-12-10 10:33:56 +0000

[diff] [blame]

1401

* to indicate which message is expected and to be parsed next.

1402

*/

Ronald Cron

2022-05-31 12:04:31 +0200

[diff] [blame]

1403

#define SSL_SERVER_HELLO 0

1404

#define SSL_SERVER_HELLO_HRR 1

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

1405

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1406

static int ssl_server_hello_is_hrr(mbedtls_ssl_context *ssl,

1407

const unsigned char *buf,

1408

const unsigned char *end)

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1409

{

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1410

1411

/* Check whether this message is a HelloRetryRequest ( HRR ) message.

1412

*

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1413

* Server Hello and HRR are only distinguished by Random set to the

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1414

* special value of the SHA-256 of "HelloRetryRequest".

1415

*

1416

* struct {

1417

* ProtocolVersion legacy_version = 0x0303;

1418

* Random random;

1419

* opaque legacy_session_id_echo<0..32>;

1420

* CipherSuite cipher_suite;

1421

* uint8 legacy_compression_method = 0;

Jerry Yu

2021-10-13 13:36:05 +0800

[diff] [blame]

1422

* Extension extensions<6..2^16-1>;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1423

* } ServerHello;

1424

*

1425

*/

Xiaokang Qian

2023-03-29 10:37:35 +0000

[diff] [blame]

1426

MBEDTLS_SSL_CHK_BUF_READ_PTR(

1427

buf, end, 2 + sizeof(mbedtls_ssl_tls13_hello_retry_request_magic));

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1428

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1429

if (memcmp(buf + 2, mbedtls_ssl_tls13_hello_retry_request_magic,

1430

sizeof(mbedtls_ssl_tls13_hello_retry_request_magic)) == 0) {

1431

return SSL_SERVER_HELLO_HRR;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1432

}

1433

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1434

return SSL_SERVER_HELLO;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1435

}

1436

Ronald Cron

2022-05-31 12:04:31 +0200

[diff] [blame]

1437

/*

Jerry Yu

2021-10-13 22:01:04 +0800

[diff] [blame]

1438

* Returns a negative value on failure, and otherwise

Ronald Cron

2022-05-31 12:04:31 +0200

[diff] [blame]

1439

* - SSL_SERVER_HELLO or

1440

* - SSL_SERVER_HELLO_HRR or

1441

* - SSL_SERVER_HELLO_TLS1_2

Jerry Yu

2021-10-13 22:01:04 +0800

[diff] [blame]

1442

*/

Ronald Cron

2022-05-31 12:04:31 +0200

[diff] [blame]

1443

#define SSL_SERVER_HELLO_TLS1_2 2

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

1444

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1445

static int ssl_tls13_preprocess_server_hello(mbedtls_ssl_context *ssl,

1446

const unsigned char *buf,

1447

const unsigned char *end)

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1448

{

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1449

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

Ronald Cron

5afb904

2022-05-31 12:11:39 +0200

[diff] [blame]

1450

mbedtls_ssl_handshake_params *handshake = ssl->handshake;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1451

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1452

MBEDTLS_SSL_PROC_CHK_NEG(ssl_tls13_is_supported_versions_ext_present(

1453

ssl, buf, end));

Jerry Yu

a66fece

2022-07-13 14:30:29 +0800

[diff] [blame]

1454

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1455

if (ret == 0) {

Ronald Cron

2022-04-05 11:04:20 +0200

[diff] [blame]

1456

MBEDTLS_SSL_PROC_CHK_NEG(

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1457

ssl_tls13_is_downgrade_negotiation(ssl, buf, end));

Ronald Cron

2022-04-05 11:04:20 +0200

[diff] [blame]

1458

1459

/* If the server is negotiating TLS 1.2 or below and:

1460

* . we did not propose TLS 1.2 or

1461

* . the server responded it is TLS 1.3 capable but negotiating a lower

1462

* version of the protocol and thus we are under downgrade attack

1463

* abort the handshake with an "illegal parameter" alert.

Ronald Cron

2022-02-10 16:45:15 +0100

[diff] [blame]

1464

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1465

if (handshake->min_tls_version > MBEDTLS_SSL_VERSION_TLS1_2 || ret) {

1466

MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,

1467

MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);

1468

return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;

Ronald Cron

2022-02-10 16:45:15 +0100

[diff] [blame]

1469

}

1470

Ronald Cron

b828c7d

2023-04-03 16:37:22 +0200

[diff] [blame]

1471

/*

1472

* Version 1.2 of the protocol has been negotiated, set the

1473

* ssl->keep_current_message flag for the ServerHello to be kept and

1474

* parsed as a TLS 1.2 ServerHello. We also change ssl->tls_version to

1475

* MBEDTLS_SSL_VERSION_TLS1_2 thus from now on mbedtls_ssl_handshake_step()

1476

* will dispatch to the TLS 1.2 state machine.

1477

*/

Ronald Cron

2022-02-10 16:45:15 +0100

[diff] [blame]

1478

ssl->keep_current_message = 1;

Glenn Strauss

60bfe60

2022-03-14 19:04:24 -0400

[diff] [blame]

1479

ssl->tls_version = MBEDTLS_SSL_VERSION_TLS1_2;

Xiaokang Qian

2023-03-29 10:37:35 +0000

[diff] [blame]

1480

MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(

1481

ssl, MBEDTLS_SSL_HS_SERVER_HELLO,

1482

buf, (size_t) (end - buf)));

Ronald Cron

2022-02-10 16:45:15 +0100

[diff] [blame]

1483

Pengyu Lv

2023-11-14 11:03:32 +0800

[diff] [blame]

1484

if (mbedtls_ssl_conf_tls13_is_some_ephemeral_enabled(ssl)) {

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1485

ret = ssl_tls13_reset_key_share(ssl);

1486

if (ret != 0) {

1487

return ret;

1488

}

Ronald Cron

2022-02-10 16:45:15 +0100

[diff] [blame]

1489

}

1490

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1491

return SSL_SERVER_HELLO_TLS1_2;

Ronald Cron

2022-02-10 16:45:15 +0100

[diff] [blame]

1492

}

1493

Jerry Yu

a66fece

2022-07-13 14:30:29 +0800

[diff] [blame]

1494

ssl->session_negotiate->tls_version = ssl->tls_version;

Ronald Cron

17ef8df

2023-11-22 10:29:42 +0100

[diff] [blame]

1495

ssl->session_negotiate->endpoint = ssl->conf->endpoint;

Jerry Yu

a66fece

2022-07-13 14:30:29 +0800

[diff] [blame]

1496

Jerry Yu

50e00e3

2022-10-31 14:45:01 +0800

[diff] [blame]

1497

handshake->received_extensions = MBEDTLS_SSL_EXT_MASK_NONE;

Ronald Cron

5afb904

2022-05-31 12:11:39 +0200

[diff] [blame]

1498

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1499

ret = ssl_server_hello_is_hrr(ssl, buf, end);

1500

switch (ret) {

Ronald Cron

2022-05-31 12:04:31 +0200

[diff] [blame]

1501

case SSL_SERVER_HELLO:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1502

MBEDTLS_SSL_DEBUG_MSG(2, ("received ServerHello message"));

Jerry Yu

2021-10-13 22:01:04 +0800

[diff] [blame]

1503

break;

Ronald Cron

2022-05-31 12:04:31 +0200

[diff] [blame]

1504

case SSL_SERVER_HELLO_HRR:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1505

MBEDTLS_SSL_DEBUG_MSG(2, ("received HelloRetryRequest message"));

Xiaokang Qian

2023-03-29 10:37:35 +0000

[diff] [blame]

1506

/* If a client receives a second HelloRetryRequest in the same

1507

* connection (i.e., where the ClientHello was itself in response

1508

* to a HelloRetryRequest), it MUST abort the handshake with an

1509

* "unexpected_message" alert.

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1510

*/

Ronald Cron

2024-02-14 10:03:36 +0100

[diff] [blame]

1511

if (handshake->hello_retry_request_flag) {

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1512

MBEDTLS_SSL_DEBUG_MSG(1, ("Multiple HRRs received"));

Xiaokang Qian

2023-03-29 10:37:35 +0000

[diff] [blame]

1513

MBEDTLS_SSL_PEND_FATAL_ALERT(

1514

MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE,

1515

MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE);

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1516

return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;

XiaokangQian

2022-01-14 07:35:47 +0000

[diff] [blame]

1517

}

XiaokangQian

2b01dc3

2022-01-21 02:53:13 +0000

[diff] [blame]

1518

/*

1519

* Clients must abort the handshake with an "illegal_parameter"

1520

* alert if the HelloRetryRequest would not result in any change

1521

* in the ClientHello.

1522

* In a PSK only key exchange that what we expect.

1523

*/

Pengyu Lv

2023-11-14 11:03:32 +0800

[diff] [blame]

1524

if (!mbedtls_ssl_conf_tls13_is_some_ephemeral_enabled(ssl)) {

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1525

MBEDTLS_SSL_DEBUG_MSG(1,

1526

("Unexpected HRR in pure PSK key exchange."));

XiaokangQian

2b01dc3

2022-01-21 02:53:13 +0000

[diff] [blame]

1527

MBEDTLS_SSL_PEND_FATAL_ALERT(

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1528

MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,

1529

MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);

1530

return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;

XiaokangQian

2b01dc3

2022-01-21 02:53:13 +0000

[diff] [blame]

1531

}

XiaokangQian

2022-01-14 07:35:47 +0000

[diff] [blame]

1532

Ronald Cron

2024-02-14 10:03:36 +0100

[diff] [blame]

1533

handshake->hello_retry_request_flag = 1;

XiaokangQian

2022-01-14 07:35:47 +0000

[diff] [blame]

1534

Jerry Yu

2021-10-13 22:01:04 +0800

[diff] [blame]

1535

break;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

}

cleanup:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1540

return ret;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1541

}

1542

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

1543

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1544

static int ssl_tls13_check_server_hello_session_id_echo(mbedtls_ssl_context *ssl,

1545

const unsigned char **buf,

1546

const unsigned char *end)

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1547

{

1548

const unsigned char *p = *buf;

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1549

size_t legacy_session_id_echo_len;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1550

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1551

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 1);

1552

legacy_session_id_echo_len = *p++;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1553

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1554

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, legacy_session_id_echo_len);

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1555

1556

/* legacy_session_id_echo */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1557

if (ssl->session_negotiate->id_len != legacy_session_id_echo_len ||

1558

memcmp(ssl->session_negotiate->id, p, legacy_session_id_echo_len) != 0) {

1559

MBEDTLS_SSL_DEBUG_BUF(3, "Expected Session ID",

1560

ssl->session_negotiate->id,

1561

ssl->session_negotiate->id_len);

1562

MBEDTLS_SSL_DEBUG_BUF(3, "Received Session ID", p,

1563

legacy_session_id_echo_len);

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1564

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1565

MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,

1566

MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1567

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1568

return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1569

}

1570

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1571

p += legacy_session_id_echo_len;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1572

*buf = p;

1573

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1574

MBEDTLS_SSL_DEBUG_BUF(3, "Session ID", ssl->session_negotiate->id,

1575

ssl->session_negotiate->id_len);

1576

return 0;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1577

}

1578

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1579

/* Parse ServerHello message and configure context

1580

*

1581

* struct {

1582

* ProtocolVersion legacy_version = 0x0303; // TLS 1.2

1583

* Random random;

1584

* opaque legacy_session_id_echo<0..32>;

1585

* CipherSuite cipher_suite;

1586

* uint8 legacy_compression_method = 0;

Jerry Yu

2021-10-13 13:36:05 +0800

[diff] [blame]

1587

* Extension extensions<6..2^16-1>;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1588

* } ServerHello;

1589

*/

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

1590

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1591

static int ssl_tls13_parse_server_hello(mbedtls_ssl_context *ssl,

1592

const unsigned char *buf,

1593

const unsigned char *end,

1594

int is_hrr)

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1595

{

Jerry Yu

2021-10-13 13:36:05 +0800

[diff] [blame]

1596

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1597

const unsigned char *p = buf;

XiaokangQian

2022-01-20 11:14:50 +0000

[diff] [blame]

1598

mbedtls_ssl_handshake_params *handshake = ssl->handshake;

Jerry Yu

2021-10-13 13:36:05 +0800

[diff] [blame]

1599

size_t extensions_len;

1600

const unsigned char *extensions_end;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1601

uint16_t cipher_suite;

Jerry Yu

de4fb2c

2021-09-19 18:05:08 +0800

[diff] [blame]

1602

const mbedtls_ssl_ciphersuite_t *ciphersuite_info;

XiaokangQian

b119a35

2022-01-26 03:29:10 +0000

[diff] [blame]

1603

int fatal_alert = 0;

Jerry Yu

2022-08-29 15:25:36 +0800

[diff] [blame]

1604

uint32_t allowed_extensions_mask;

Jerry Yu

50e00e3

2022-10-31 14:45:01 +0800

[diff] [blame]

1605

int hs_msg_type = is_hrr ? MBEDTLS_SSL_TLS1_3_HS_HELLO_RETRY_REQUEST :

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1606

MBEDTLS_SSL_HS_SERVER_HELLO;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1607

1608

/*

1609

* Check there is space for minimal fields

1610

*

1611

* - legacy_version ( 2 bytes)

Jerry Yu

2021-10-26 10:44:32 +0800

[diff] [blame]

1612

* - random (MBEDTLS_SERVER_HELLO_RANDOM_LEN bytes)

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1613

* - legacy_session_id_echo ( 1 byte ), minimum size

1614

* - cipher_suite ( 2 bytes)

1615

* - legacy_compression_method ( 1 byte )

1616

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1617

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, MBEDTLS_SERVER_HELLO_RANDOM_LEN + 6);

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1618

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1619

MBEDTLS_SSL_DEBUG_BUF(4, "server hello", p, end - p);

1620

MBEDTLS_SSL_DEBUG_BUF(3, "server hello, version", p, 2);

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1621

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1622

/* ...

Jerry Yu

2021-10-13 13:36:05 +0800

[diff] [blame]

1623

* ProtocolVersion legacy_version = 0x0303; // TLS 1.2

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1624

* ...

1625

* with ProtocolVersion defined as:

1626

* uint16 ProtocolVersion;

1627

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1628

if (mbedtls_ssl_read_version(p, ssl->conf->transport) !=

1629

MBEDTLS_SSL_VERSION_TLS1_2) {

1630

MBEDTLS_SSL_DEBUG_MSG(1, ("Unsupported version of TLS."));

1631

MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION,

1632

MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION);

XiaokangQian

2022-01-24 10:12:51 +0000

[diff] [blame]

1633

ret = MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION;

1634

goto cleanup;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1635

}

1636

p += 2;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1637

Jerry Yu

2021-10-26 10:44:32 +0800

[diff] [blame]

1638

/* ...

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1639

* Random random;

1640

* ...

1641

* with Random defined as:

Jerry Yu

2021-10-26 10:44:32 +0800

[diff] [blame]

1642

* opaque Random[MBEDTLS_SERVER_HELLO_RANDOM_LEN];

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1643

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1644

if (!is_hrr) {

1645

memcpy(&handshake->randbytes[MBEDTLS_CLIENT_HELLO_RANDOM_LEN], p,

1646

MBEDTLS_SERVER_HELLO_RANDOM_LEN);

1647

MBEDTLS_SSL_DEBUG_BUF(3, "server hello, random bytes",

1648

p, MBEDTLS_SERVER_HELLO_RANDOM_LEN);

XiaokangQian

2022-01-18 10:47:33 +0000

[diff] [blame]

1649

}

Jerry Yu

2021-10-26 10:44:32 +0800

[diff] [blame]

1650

p += MBEDTLS_SERVER_HELLO_RANDOM_LEN;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1651

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1652

/* ...

1653

* opaque legacy_session_id_echo<0..32>;

1654

* ...

1655

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1656

if (ssl_tls13_check_server_hello_session_id_echo(ssl, &p, end) != 0) {

XiaokangQian

2022-01-26 09:49:29 +0000

[diff] [blame]

1657

fatal_alert = MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER;

XiaokangQian

2022-01-24 10:12:51 +0000

[diff] [blame]

1658

goto cleanup;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1659

}

1660

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1661

/* ...

1662

* CipherSuite cipher_suite;

1663

* ...

1664

* with CipherSuite defined as:

1665

* uint8 CipherSuite[2];

1666

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1667

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);

1668

cipher_suite = MBEDTLS_GET_UINT16_BE(p, 0);

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1669

p += 2;

1670

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1671

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1672

ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(cipher_suite);

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1673

/*

Ronald Cron

ba120bb

2022-03-30 22:09:48 +0200

[diff] [blame]

1674

* Check whether this ciphersuite is valid and offered.

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1675

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1676

if ((mbedtls_ssl_validate_ciphersuite(ssl, ciphersuite_info,

1677

ssl->tls_version,

1678

ssl->tls_version) != 0) ||

1679

!mbedtls_ssl_tls13_cipher_suite_is_offered(ssl, cipher_suite)) {

XiaokangQian

2022-01-26 09:49:29 +0000

[diff] [blame]

1680

fatal_alert = MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1681

}

XiaokangQian

2022-01-18 10:47:33 +0000

[diff] [blame]

1682

/*

XiaokangQian

2022-01-20 11:14:50 +0000

[diff] [blame]

1683

* If we received an HRR before and that the proposed selected

1684

* ciphersuite in this server hello is not the same as the one

1685

* proposed in the HRR, we abort the handshake and send an

1686

* "illegal_parameter" alert.

XiaokangQian

2022-01-18 10:47:33 +0000

[diff] [blame]

1687

*/

Ronald Cron

2024-02-14 10:03:36 +0100

[diff] [blame]

1688

else if ((!is_hrr) && handshake->hello_retry_request_flag &&

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1689

(cipher_suite != ssl->session_negotiate->ciphersuite)) {

XiaokangQian

2022-01-26 09:49:29 +0000

[diff] [blame]

1690

fatal_alert = MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER;

XiaokangQian

2022-01-20 11:14:50 +0000

[diff] [blame]

1691

}

XiaokangQian

2022-01-18 10:47:33 +0000

[diff] [blame]

1692

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1693

if (fatal_alert == MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER) {

1694

MBEDTLS_SSL_DEBUG_MSG(1, ("invalid ciphersuite(%04x) parameter",

1695

cipher_suite));

XiaokangQian

2022-01-24 10:12:51 +0000

[diff] [blame]

1696

goto cleanup;

XiaokangQian

2022-01-18 10:47:33 +0000

[diff] [blame]

1697

}

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1698

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1699

/* Configure ciphersuites */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1700

mbedtls_ssl_optimize_checksum(ssl, ciphersuite_info);

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1701

XiaokangQian

2022-01-20 11:14:50 +0000

[diff] [blame]

1702

handshake->ciphersuite_info = ciphersuite_info;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1703

MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, chosen ciphersuite: ( %04x ) - %s",

1704

cipher_suite, ciphersuite_info->name));

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1705

1706

#if defined(MBEDTLS_HAVE_TIME)

YxC

da60913

2023-05-22 12:08:12 -0700

[diff] [blame]

1707

ssl->session_negotiate->start = mbedtls_time(NULL);

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1708

#endif /* MBEDTLS_HAVE_TIME */

1709

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1710

/* ...

1711

* uint8 legacy_compression_method = 0;

1712

* ...

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1713

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1714

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 1);

1715

if (p[0] != MBEDTLS_SSL_COMPRESS_NULL) {

1716

MBEDTLS_SSL_DEBUG_MSG(1, ("bad legacy compression method"));

XiaokangQian

2022-01-26 09:49:29 +0000

[diff] [blame]

1717

fatal_alert = MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER;

XiaokangQian

2022-01-24 10:12:51 +0000

[diff] [blame]

1718

goto cleanup;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

}

p++;

Jerry Yu

2021-10-13 13:36:05 +0800

[diff] [blame]

1722

/* ...

1723

* Extension extensions<6..2^16-1>;

1724

* ...

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1725

* struct {

1726

* ExtensionType extension_type; (2 bytes)

1727

* opaque extension_data<0..2^16-1>;

1728

* } Extension;

1729

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1730

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);

1731

extensions_len = MBEDTLS_GET_UINT16_BE(p, 0);

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1732

p += 2;

Jerry Yu

de4fb2c

2021-09-19 18:05:08 +0800

[diff] [blame]

1733

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1734

/* Check extensions do not go beyond the buffer of data. */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1735

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, extensions_len);

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1736

extensions_end = p + extensions_len;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1737

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1738

MBEDTLS_SSL_DEBUG_BUF(3, "server hello extensions", p, extensions_len);

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1739

Jerry Yu

50e00e3

2022-10-31 14:45:01 +0800

[diff] [blame]

1740

handshake->received_extensions = MBEDTLS_SSL_EXT_MASK_NONE;

Jerry Yu

2022-08-29 15:25:36 +0800

[diff] [blame]

1741

allowed_extensions_mask = is_hrr ?

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1742

MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_HRR :

1743

MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_SH;

Jerry Yu

2c5363e

2022-08-04 17:42:49 +0800

[diff] [blame]

1744

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1745

while (p < extensions_end) {

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1746

unsigned int extension_type;

1747

size_t extension_data_len;

XiaokangQian

2022-01-21 04:32:58 +0000

[diff] [blame]

1748

const unsigned char *extension_data_end;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1749

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1750

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, extensions_end, 4);

1751

extension_type = MBEDTLS_GET_UINT16_BE(p, 0);

1752

extension_data_len = MBEDTLS_GET_UINT16_BE(p, 2);

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1753

p += 4;

1754

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1755

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, extensions_end, extension_data_len);

XiaokangQian

2022-01-21 04:32:58 +0000

[diff] [blame]

1756

extension_data_end = p + extension_data_len;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1757

Jerry Yu

2022-10-29 09:08:47 +0800

[diff] [blame]

1758

ret = mbedtls_ssl_tls13_check_received_extension(

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1759

ssl, hs_msg_type, extension_type, allowed_extensions_mask);

1760

if (ret != 0) {

1761

return ret;

1762

}

Jerry Yu

2c5363e

2022-08-04 17:42:49 +0800

[diff] [blame]

1763

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1764

switch (extension_type) {

XiaokangQian

2022-01-14 04:03:11 +0000

[diff] [blame]

1765

case MBEDTLS_TLS_EXT_COOKIE:

1766

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1767

ret = ssl_tls13_parse_cookie_ext(ssl,

1768

p, extension_data_end);

1769

if (ret != 0) {

1770

MBEDTLS_SSL_DEBUG_RET(1,

1771

"ssl_tls13_parse_cookie_ext",

1772

ret);

XiaokangQian

2022-01-24 10:12:51 +0000

[diff] [blame]

1773

goto cleanup;

XiaokangQian

2022-01-14 04:03:11 +0000

[diff] [blame]

1774

}

XiaokangQian

2022-01-14 04:03:11 +0000

[diff] [blame]

1775

break;

XiaokangQian

2022-01-14 04:03:11 +0000

[diff] [blame]

1776

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1777

case MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1778

ret = ssl_tls13_parse_supported_versions_ext(ssl,

1779

p,

1780

extension_data_end);

1781

if (ret != 0) {

XiaokangQian

2022-01-24 10:12:51 +0000

[diff] [blame]

1782

goto cleanup;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1783

}

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1784

break;

1785

Ronald Cron

2022-10-04 16:38:25 +0200

[diff] [blame]

1786

#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1787

case MBEDTLS_TLS_EXT_PRE_SHARED_KEY:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1788

MBEDTLS_SSL_DEBUG_MSG(3, ("found pre_shared_key extension"));

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1789

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1790

if ((ret = ssl_tls13_parse_server_pre_shared_key_ext(

1791

ssl, p, extension_data_end)) != 0) {

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

1792

MBEDTLS_SSL_DEBUG_RET(

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1793

1, ("ssl_tls13_parse_server_pre_shared_key_ext"), ret);

1794

return ret;

XiaokangQian

2022-07-05 08:21:43 +0000

[diff] [blame]

1795

}

1796

break;

Ronald Cron

2022-10-04 16:38:25 +0200

[diff] [blame]

1797

#endif

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1798

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1799

case MBEDTLS_TLS_EXT_KEY_SHARE:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1800

MBEDTLS_SSL_DEBUG_MSG(3, ("found key_shares extension"));

Pengyu Lv

2023-11-14 11:03:32 +0800

[diff] [blame]

1801

if (!mbedtls_ssl_conf_tls13_is_some_ephemeral_enabled(ssl)) {

XiaokangQian

2022-01-26 09:49:29 +0000

[diff] [blame]

1802

fatal_alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT;

XiaokangQian

2022-01-24 10:12:51 +0000

[diff] [blame]

goto cleanup;

}

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1806

if (is_hrr) {

1807

ret = ssl_tls13_parse_hrr_key_share_ext(ssl,

1808

p, extension_data_end);

1809

} else {

1810

ret = ssl_tls13_parse_key_share_ext(ssl,

1811

p, extension_data_end);

1812

}

1813

if (ret != 0) {

1814

MBEDTLS_SSL_DEBUG_RET(1,

1815

"ssl_tls13_parse_key_share_ext",

1816

ret);

XiaokangQian

2022-01-24 10:12:51 +0000

[diff] [blame]

1817

goto cleanup;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1818

}

1819

break;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1820

1821

default:

Jerry Yu

9872eb2

2022-08-29 13:42:01 +0800

[diff] [blame]

1822

ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;

1823

goto cleanup;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1824

}

1825

1826

p += extension_data_len;

1827

}

1828

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1829

MBEDTLS_SSL_PRINT_EXTS(3, hs_msg_type, handshake->received_extensions);

Jerry Yu

2c5363e

2022-08-04 17:42:49 +0800

[diff] [blame]

1830

XiaokangQian

2022-01-24 10:12:51 +0000

[diff] [blame]

1831

cleanup:

1832

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1833

if (fatal_alert == MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT) {

1834

MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT,

1835

MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION);

XiaokangQian

2022-01-24 10:12:51 +0000

[diff] [blame]

1836

ret = MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1837

} else if (fatal_alert == MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER) {

1838

MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,

1839

MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);

XiaokangQian

2022-01-24 10:12:51 +0000

[diff] [blame]

1840

ret = MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;

1841

}

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1842

return ret;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1843

}

1844

Xiaokang Qian

cb6e963

2022-09-26 11:59:32 +0000

[diff] [blame]

1845

#if defined(MBEDTLS_DEBUG_C)

1846

static const char *ssl_tls13_get_kex_mode_str(int mode)

Xiaokang Qian

2022-09-26 08:23:45 +0000

[diff] [blame]

1847

{

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1848

switch (mode) {

Xiaokang Qian

2022-09-26 08:23:45 +0000

[diff] [blame]

1849

case MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK:

1850

return "psk";

1851

case MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL:

1852

return "ephemeral";

1853

case MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL:

1854

return "psk_ephemeral";

1855

default:

1856

return "unknown mode";

1857

}

1858

}

Xiaokang Qian

cb6e963

2022-09-26 11:59:32 +0000

[diff] [blame]

1859

#endif /* MBEDTLS_DEBUG_C */

Xiaokang Qian

2022-09-26 08:23:45 +0000

[diff] [blame]

1860

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

1861

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1862

static int ssl_tls13_postprocess_server_hello(mbedtls_ssl_context *ssl)

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1863

{

Jerry Yu

2021-10-13 13:36:05 +0800

[diff] [blame]

1864

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

Jerry Yu

2021-10-13 13:36:05 +0800

[diff] [blame]

1865

mbedtls_ssl_handshake_params *handshake = ssl->handshake;

Jerry Yu

2021-09-05 19:41:30 +0800

[diff] [blame]

1866

Jerry Yu

2021-10-13 13:36:05 +0800

[diff] [blame]

1867

/* Determine the key exchange mode:

1868

* 1) If both the pre_shared_key and key_share extensions were received

1869

* then the key exchange mode is PSK with EPHEMERAL.

1870

* 2) If only the pre_shared_key extension was received then the key

1871

* exchange mode is PSK-only.

1872

* 3) If only the key_share extension was received then the key

1873

* exchange mode is EPHEMERAL-only.

Jerry Yu

2021-09-05 19:41:30 +0800

[diff] [blame]

1874

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1875

switch (handshake->received_extensions &

Xiaokang Qian

2023-03-29 10:37:35 +0000

[diff] [blame]

1876

(MBEDTLS_SSL_EXT_MASK(PRE_SHARED_KEY) |

1877

MBEDTLS_SSL_EXT_MASK(KEY_SHARE))) {

Jerry Yu

2021-10-13 22:01:04 +0800

[diff] [blame]

1878

/* Only the pre_shared_key extension was received */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1879

case MBEDTLS_SSL_EXT_MASK(PRE_SHARED_KEY):

Xiaokang Qian

2023-03-29 10:37:35 +0000

[diff] [blame]

1880

handshake->key_exchange_mode =

1881

MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK;

Jerry Yu

2021-10-13 22:01:04 +0800

[diff] [blame]

1882

break;

Jerry Yu

2021-10-13 13:36:05 +0800

[diff] [blame]

1883

Jerry Yu

2021-10-13 22:01:04 +0800

[diff] [blame]

1884

/* Only the key_share extension was received */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1885

case MBEDTLS_SSL_EXT_MASK(KEY_SHARE):

Xiaokang Qian

2023-03-29 10:37:35 +0000

[diff] [blame]

1886

handshake->key_exchange_mode =

1887

MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL;

Jerry Yu

2021-10-13 22:01:04 +0800

[diff] [blame]

1888

break;

Jerry Yu

2021-10-13 13:36:05 +0800

[diff] [blame]

1889

Jerry Yu

2021-10-13 22:01:04 +0800

[diff] [blame]

1890

/* Both the pre_shared_key and key_share extensions were received */

Xiaokang Qian

2023-03-29 10:37:35 +0000

[diff] [blame]

1891

case (MBEDTLS_SSL_EXT_MASK(PRE_SHARED_KEY) |

1892

MBEDTLS_SSL_EXT_MASK(KEY_SHARE)):

1893

handshake->key_exchange_mode =

1894

MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL;

Jerry Yu

2021-10-13 22:01:04 +0800

[diff] [blame]

1895

break;

Jerry Yu

2021-10-13 13:36:05 +0800

[diff] [blame]

1896

Jerry Yu

2021-10-13 22:01:04 +0800

[diff] [blame]

1897

/* Neither pre_shared_key nor key_share extension was received */

1898

default:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1899

MBEDTLS_SSL_DEBUG_MSG(1, ("Unknown key exchange."));

Jerry Yu

2021-10-13 22:01:04 +0800

[diff] [blame]

1900

ret = MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;

1901

goto cleanup;

Jerry Yu

2021-09-05 19:41:30 +0800

[diff] [blame]

1902

}

1903

Pengyu Lv

fc2cb96

2023-11-10 10:22:36 +0800

[diff] [blame]

1904

if (!mbedtls_ssl_conf_tls13_is_kex_mode_enabled(

Xiaokang Qian

2023-02-08 06:04:50 +0000

[diff] [blame]

1905

ssl, handshake->key_exchange_mode)) {

Xiaokang Qian

ac8195f

2022-09-26 04:01:06 +0000

[diff] [blame]

1906

ret = MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;

Xiaokang Qian

2023-03-29 10:37:35 +0000

[diff] [blame]

1907

MBEDTLS_SSL_DEBUG_MSG(

1908

2, ("Key exchange mode(%s) is not supported.",

1909

ssl_tls13_get_kex_mode_str(handshake->key_exchange_mode)));

Xiaokang Qian

ac8195f

2022-09-26 04:01:06 +0000

[diff] [blame]

goto cleanup;

}

Xiaokang Qian

2023-03-29 10:37:35 +0000

[diff] [blame]

1913

MBEDTLS_SSL_DEBUG_MSG(

1914

3, ("Selected key exchange mode: %s",

1915

ssl_tls13_get_kex_mode_str(handshake->key_exchange_mode)));

Xiaokang Qian

2022-09-26 08:23:45 +0000

[diff] [blame]

1916

Xiaokang Qian

7892b6c

2023-02-02 06:05:48 +0000

[diff] [blame]

1917

/* Start the TLS 1.3 key scheduling if not already done.

Jerry Yu

2021-09-05 19:41:30 +0800

[diff] [blame]

1918

*

Xiaokang Qian

7892b6c

2023-02-02 06:05:48 +0000

[diff] [blame]

1919

* If we proposed early data then we have already derived an

1920

* early secret using the selected PSK and its associated hash.

1921

* It means that if the negotiated key exchange mode is psk or

1922

* psk_ephemeral, we have already correctly computed the

1923

* early secret and thus we do not do it again. In all other

1924

* cases we compute it here.

Xiaokang Qian

303f82c5

2023-01-04 08:43:46 +0000

[diff] [blame]

1925

*/

Xiaokang Qian

9074613

2023-01-06 05:54:59 +0000

[diff] [blame]

1926

#if defined(MBEDTLS_SSL_EARLY_DATA)

Ronald Cron

2024-03-03 15:46:57 +0100

[diff] [blame]

1927

if (ssl->early_data_state == MBEDTLS_SSL_EARLY_DATA_STATE_NO_IND_SENT ||

Xiaokang Qian

e04afdc

2023-02-07 02:19:42 +0000

[diff] [blame]

1928

handshake->key_exchange_mode ==

1929

MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL)

Xiaokang Qian

9074613

2023-01-06 05:54:59 +0000

[diff] [blame]

1930

#endif

1931

{

Xiaokang Qian

303f82c5

2023-01-04 08:43:46 +0000

[diff] [blame]

1932

ret = mbedtls_ssl_tls13_key_schedule_stage_early(ssl);

1933

if (ret != 0) {

1934

MBEDTLS_SSL_DEBUG_RET(

1935

1, "mbedtls_ssl_tls13_key_schedule_stage_early", ret);

1936

goto cleanup;

1937

}

Jerry Yu

2021-09-05 19:41:30 +0800

[diff] [blame]

1938

}

1939

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1940

ret = mbedtls_ssl_tls13_compute_handshake_transform(ssl);

1941

if (ret != 0) {

1942

MBEDTLS_SSL_DEBUG_RET(1,

1943

"mbedtls_ssl_tls13_compute_handshake_transform",

1944

ret);

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1945

goto cleanup;

Jerry Yu

2021-09-05 19:41:30 +0800

[diff] [blame]

1946

}

1947

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1948

mbedtls_ssl_set_inbound_transform(ssl, handshake->transform_handshake);

1949

MBEDTLS_SSL_DEBUG_MSG(1, ("Switch to handshake keys for inbound traffic"));

Jerry Yu

2021-09-05 19:41:30 +0800

[diff] [blame]

1950

ssl->session_in = ssl->session_negotiate;

1951

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1952

cleanup:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1953

if (ret != 0) {

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1954

MBEDTLS_SSL_PEND_FATAL_ALERT(

1955

MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1956

MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE);

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1957

}

Jerry Yu

e110d25

2022-05-05 10:19:22 +0800

[diff] [blame]

1958

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1959

return ret;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1960

}

1961

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

1962

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1963

static int ssl_tls13_postprocess_hrr(mbedtls_ssl_context *ssl)

XiaokangQian

2021-12-07 09:16:29 +0000

[diff] [blame]

1964

{

1965

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

1966

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1967

mbedtls_ssl_session_reset_msg_layer(ssl, 0);

XiaokangQian

2021-12-07 09:16:29 +0000

[diff] [blame]

1968

XiaokangQian

78b1fa7

2022-01-19 06:56:30 +0000

[diff] [blame]

1969

/*

XiaokangQian

2022-01-20 11:14:50 +0000

[diff] [blame]

1970

* We are going to re-generate a shared secret corresponding to the group

1971

* selected by the server, which is different from the group for which we

1972

* generated a shared secret in the first client hello.

1973

* Thus, reset the shared secret.

XiaokangQian

51eff22

2021-12-10 10:33:56 +0000

[diff] [blame]

1974

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1975

ret = ssl_tls13_reset_key_share(ssl);

1976

if (ret != 0) {

1977

return ret;

1978

}

XiaokangQian

2021-12-07 09:16:29 +0000

[diff] [blame]

1979

Xiaokang Qian

4ef8ba2

2023-02-06 11:06:16 +0000

[diff] [blame]

1980

ssl->session_negotiate->ciphersuite = ssl->handshake->ciphersuite_info->id;

Ronald Cron

2024-01-22 15:24:21 +0100

[diff] [blame]

1981

1982

#if defined(MBEDTLS_SSL_EARLY_DATA)

Ronald Cron

2024-03-03 15:46:57 +0100

[diff] [blame]

1983

if (ssl->early_data_state != MBEDTLS_SSL_EARLY_DATA_STATE_NO_IND_SENT) {

Ronald Cron

2024-03-03 15:03:22 +0100

[diff] [blame]

1984

ssl->early_data_state = MBEDTLS_SSL_EARLY_DATA_STATE_REJECTED;

Ronald Cron

2024-01-22 15:24:21 +0100

[diff] [blame]

}

#endif

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1988

return 0;

XiaokangQian

2021-12-07 09:16:29 +0000

[diff] [blame]

1989

}

1990

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

1991

/*

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1992

* Wait and parse ServerHello handshake message.

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

1993

* Handler for MBEDTLS_SSL_SERVER_HELLO

1994

*/

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

1995

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

1996

static int ssl_tls13_process_server_hello(mbedtls_ssl_context *ssl)

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

1997

{

Jerry Yu

2021-10-11 21:45:31 +0800

[diff] [blame]

1998

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

XiaokangQian

2021-12-07 09:16:29 +0000

[diff] [blame]

1999

unsigned char *buf = NULL;

2000

size_t buf_len = 0;

XiaokangQian

78b1fa7

2022-01-19 06:56:30 +0000

[diff] [blame]

2001

int is_hrr = 0;

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

2002

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2003

MBEDTLS_SSL_DEBUG_MSG(2, ("=> %s", __func__));

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

2004

Xiaokang Qian

2023-03-29 10:37:35 +0000

[diff] [blame]

2005

MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_tls13_fetch_handshake_msg(

2006

ssl, MBEDTLS_SSL_HS_SERVER_HELLO, &buf, &buf_len));

Ronald Cron

db5dfa1

2022-05-31 11:44:38 +0200

[diff] [blame]

2007

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2008

ret = ssl_tls13_preprocess_server_hello(ssl, buf, buf + buf_len);

2009

if (ret < 0) {

XiaokangQian

2022-01-14 07:35:47 +0000

[diff] [blame]

2010

goto cleanup;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2011

} else {

2012

is_hrr = (ret == SSL_SERVER_HELLO_HRR);

2013

}

XiaokangQian

2022-01-24 10:12:51 +0000

[diff] [blame]

2014

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2015

if (ret == SSL_SERVER_HELLO_TLS1_2) {

Ronald Cron

2022-02-10 16:45:15 +0100

[diff] [blame]

ret = 0;

goto cleanup;

}

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2020

MBEDTLS_SSL_PROC_CHK(ssl_tls13_parse_server_hello(ssl, buf,

buf + buf_len,

is_hrr));

if (is_hrr) {

MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_reset_transcript_for_hrr(ssl));

Ronald Cron

2022-05-31 14:49:55 +0200

[diff] [blame]

2025

}

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2026

Xiaokang Qian

2023-03-29 10:37:35 +0000

[diff] [blame]

2027

MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(

2028

ssl, MBEDTLS_SSL_HS_SERVER_HELLO, buf, buf_len));

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2029

2030

if (is_hrr) {

2031

MBEDTLS_SSL_PROC_CHK(ssl_tls13_postprocess_hrr(ssl));

2032

#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)

2033

/* If not offering early data, the client sends a dummy CCS record

2034

* immediately before its second flight. This may either be before

2035

* its second ClientHello or before its encrypted handshake flight.

2036

*/

Xiaokang Qian

2023-03-29 10:37:35 +0000

[diff] [blame]

2037

mbedtls_ssl_handshake_set_state(

2038

ssl, MBEDTLS_SSL_CLIENT_CCS_BEFORE_2ND_CLIENT_HELLO);

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2039

#else

2040

mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_HELLO);

2041

#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */

2042

} else {

2043

MBEDTLS_SSL_PROC_CHK(ssl_tls13_postprocess_server_hello(ssl));

2044

mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_ENCRYPTED_EXTENSIONS);

Ronald Cron

2022-05-31 14:49:55 +0200

[diff] [blame]

2045

}

Jerry Yu

2021-09-10 10:08:31 +0800

[diff] [blame]

2046

2047

cleanup:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2048

MBEDTLS_SSL_DEBUG_MSG(2, ("<= %s ( %s )", __func__,

2049

is_hrr ? "HelloRetryRequest" : "ServerHello"));

2050

return ret;

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

2051

}

2052

2053

/*

XiaokangQian

2021-09-13 07:30:09 +0000

[diff] [blame]

2054

*

Ronald Cron

2022-05-30 16:05:38 +0200

[diff] [blame]

2055

* Handler for MBEDTLS_SSL_ENCRYPTED_EXTENSIONS

XiaokangQian

2021-09-13 07:30:09 +0000

[diff] [blame]

2056

*

2057

* The EncryptedExtensions message contains any extensions which

2058

* should be protected, i.e., any which are not needed to establish

2059

* the cryptographic context.

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

2060

*/

XiaokangQian

2021-09-13 07:30:09 +0000

[diff] [blame]

2061

XiaokangQian

2021-10-09 10:12:11 +0000

[diff] [blame]

2062

/* Parse EncryptedExtensions message

2063

* struct {

XiaokangQian

2021-10-11 10:05:54 +0000

[diff] [blame]

2064

* Extension extensions<0..2^16-1>;

XiaokangQian

2021-10-09 10:12:11 +0000

[diff] [blame]

2065

* } EncryptedExtensions;

2066

*/

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

2067

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2068

static int ssl_tls13_parse_encrypted_extensions(mbedtls_ssl_context *ssl,

2069

const unsigned char *buf,

2070

const unsigned char *end)

XiaokangQian

2021-09-13 07:30:09 +0000

[diff] [blame]

2071

{

2072

int ret = 0;

XiaokangQian

2021-10-09 10:12:11 +0000

[diff] [blame]

2073

size_t extensions_len;

XiaokangQian

140f045

2021-10-08 08:05:53 +0000

[diff] [blame]

2074

const unsigned char *p = buf;

XiaokangQian

8db25ff

2021-10-13 05:56:18 +0000

[diff] [blame]

2075

const unsigned char *extensions_end;

Jerry Yu

2022-10-29 09:08:47 +0800

[diff] [blame]

2076

mbedtls_ssl_handshake_params *handshake = ssl->handshake;

XiaokangQian

2021-09-13 07:30:09 +0000

[diff] [blame]

2077

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2078

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);

2079

extensions_len = MBEDTLS_GET_UINT16_BE(p, 0);

XiaokangQian

2021-10-09 10:12:11 +0000

[diff] [blame]

2080

p += 2;

XiaokangQian

2021-09-13 07:30:09 +0000

[diff] [blame]

2081

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2082

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, extensions_len);

Ronald Cron

c808359

2022-05-31 16:24:05 +0200

[diff] [blame]

2083

extensions_end = p + extensions_len;

XiaokangQian

2021-09-13 07:30:09 +0000

[diff] [blame]

2084

Jan Bruckner

5a3629b

2023-02-23 12:08:09 +0100

[diff] [blame]

2085

MBEDTLS_SSL_DEBUG_BUF(3, "encrypted extensions", p, extensions_len);

2086

Jerry Yu

9eba750

2022-10-31 13:46:16 +0800

[diff] [blame]

2087

handshake->received_extensions = MBEDTLS_SSL_EXT_MASK_NONE;

Jerry Yu

2022-08-04 16:55:10 +0800

[diff] [blame]

2088

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2089

while (p < extensions_end) {

XiaokangQian

2021-10-09 10:12:11 +0000

[diff] [blame]

2090

unsigned int extension_type;

2091

size_t extension_data_len;

XiaokangQian

2021-09-13 07:30:09 +0000

[diff] [blame]

2092

XiaokangQian

2021-10-09 10:12:11 +0000

[diff] [blame]

2093

/*

2094

* struct {

XiaokangQian

2021-10-11 10:05:54 +0000

[diff] [blame]

2095

* ExtensionType extension_type; (2 bytes)

2096

* opaque extension_data<0..2^16-1>;

XiaokangQian

2021-10-09 10:12:11 +0000

[diff] [blame]

2097

* } Extension;

2098

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2099

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, extensions_end, 4);

2100

extension_type = MBEDTLS_GET_UINT16_BE(p, 0);

2101

extension_data_len = MBEDTLS_GET_UINT16_BE(p, 2);

XiaokangQian

2021-10-09 10:12:11 +0000

[diff] [blame]

2102

p += 4;

2103

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2104

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, extensions_end, extension_data_len);

XiaokangQian

2021-09-13 07:30:09 +0000

[diff] [blame]

2105

Jerry Yu

2022-10-29 09:08:47 +0800

[diff] [blame]

2106

ret = mbedtls_ssl_tls13_check_received_extension(

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2107

ssl, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS, extension_type,

2108

MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_EE);

2109

if (ret != 0) {

2110

return ret;

2111

}

Jerry Yu

2022-08-04 16:55:10 +0800

[diff] [blame]

2112

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2113

switch (extension_type) {

lhuang04

2022-01-21 07:34:27 -0800

[diff] [blame]

2114

#if defined(MBEDTLS_SSL_ALPN)

2115

case MBEDTLS_TLS_EXT_ALPN:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2116

MBEDTLS_SSL_DEBUG_MSG(3, ("found alpn extension"));

lhuang04

2022-01-21 07:34:27 -0800

[diff] [blame]

2117

Xiaokang Qian

2023-03-29 10:37:35 +0000

[diff] [blame]

2118

if ((ret = ssl_tls13_parse_alpn_ext(

2119

ssl, p, (size_t) extension_data_len)) != 0) {

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2120

return ret;

lhuang04

2022-01-21 07:34:27 -0800

[diff] [blame]

}

break;

#endif /* MBEDTLS_SSL_ALPN */

Xiaokang Qian

8bee899

2022-10-27 10:21:05 +0000

[diff] [blame]

2125

2126

#if defined(MBEDTLS_SSL_EARLY_DATA)

2127

case MBEDTLS_TLS_EXT_EARLY_DATA:

Xiaokang Qian

ca09afc

2022-11-22 10:05:19 +0000

[diff] [blame]

2128

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2129

if (extension_data_len != 0) {

Xiaokang Qian

ca09afc

2022-11-22 10:05:19 +0000

[diff] [blame]

2130

/* The message must be empty. */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2131

MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,

2132

MBEDTLS_ERR_SSL_DECODE_ERROR);

2133

return MBEDTLS_ERR_SSL_DECODE_ERROR;

Xiaokang Qian

ca09afc

2022-11-22 10:05:19 +0000

[diff] [blame]

2134

}

2135

Xiaokang Qian

8bee899

2022-10-27 10:21:05 +0000

[diff] [blame]

2136

break;

2137

#endif /* MBEDTLS_SSL_EARLY_DATA */

2138

Jan Bruckner

151f642

2023-02-10 12:45:19 +0100

[diff] [blame]

2139

#if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)

2140

case MBEDTLS_TLS_EXT_RECORD_SIZE_LIMIT:

2141

MBEDTLS_SSL_DEBUG_MSG(3, ("found record_size_limit extension"));

2142

Xiaokang Qian

2023-03-29 10:37:35 +0000

[diff] [blame]

2143

ret = mbedtls_ssl_tls13_parse_record_size_limit_ext(

2144

ssl, p, p + extension_data_len);

Jan Bruckner

f482dcc

2023-03-15 09:09:06 +0100

[diff] [blame]

2145

if (ret != 0) {

2146

MBEDTLS_SSL_DEBUG_RET(

2147

1, ("mbedtls_ssl_tls13_parse_record_size_limit_ext"), ret);

2148

return ret;

2149

}

Jan Bruckner

151f642

2023-02-10 12:45:19 +0100

[diff] [blame]

2150

break;

2151

#endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */

2152

XiaokangQian

2021-10-09 10:12:11 +0000

[diff] [blame]

2153

default:

Jerry Yu

79aa721

2022-11-08 21:30:21 +0800

[diff] [blame]

2154

MBEDTLS_SSL_PRINT_EXT(

Jerry Yu

9eba750

2022-10-31 13:46:16 +0800

[diff] [blame]

2155

3, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS,

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2156

extension_type, "( ignored )");

Jerry Yu

2022-08-04 16:55:10 +0800

[diff] [blame]

2157

break;

XiaokangQian

2021-10-09 10:12:11 +0000

[diff] [blame]

2158

}

2159

XiaokangQian

2021-10-09 10:12:11 +0000

[diff] [blame]

2160

p += extension_data_len;

XiaokangQian

2021-10-11 10:05:54 +0000

[diff] [blame]

2161

}

XiaokangQian

2021-10-09 10:12:11 +0000

[diff] [blame]

2162

Waleed Elmelegy

049cd30

2023-12-20 17:28:31 +0000

[diff] [blame]

2163

if ((handshake->received_extensions & MBEDTLS_SSL_EXT_MASK(RECORD_SIZE_LIMIT)) &&

2164

(handshake->received_extensions & MBEDTLS_SSL_EXT_MASK(MAX_FRAGMENT_LENGTH))) {

Waleed Elmelegy

6a971fd

2023-12-28 17:48:16 +0000

[diff] [blame]

2165

MBEDTLS_SSL_DEBUG_MSG(3,

2166

(

2167

"Record size limit extension cannot be used with max fragment length extension"));

Waleed Elmelegy

049cd30

2023-12-20 17:28:31 +0000

[diff] [blame]

2168

MBEDTLS_SSL_PEND_FATAL_ALERT(

2169

MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,

2170

MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);

2171

return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;

2172

}

2173

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2174

MBEDTLS_SSL_PRINT_EXTS(3, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS,

2175

handshake->received_extensions);

Jerry Yu

2022-08-04 16:55:10 +0800

[diff] [blame]

2176

XiaokangQian

2021-10-11 10:05:54 +0000

[diff] [blame]

2177

/* Check that we consumed all the message. */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2178

if (p != end) {

2179

MBEDTLS_SSL_DEBUG_MSG(1, ("EncryptedExtension lengths misaligned"));

2180

MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,

2181

MBEDTLS_ERR_SSL_DECODE_ERROR);

2182

return MBEDTLS_ERR_SSL_DECODE_ERROR;

XiaokangQian

2021-09-13 07:30:09 +0000

[diff] [blame]

2183

}

2184

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2185

return ret;

XiaokangQian

2021-09-13 07:30:09 +0000

[diff] [blame]

2186

}

2187

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

2188

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2189

static int ssl_tls13_process_encrypted_extensions(mbedtls_ssl_context *ssl)

Ronald Cron

2022-05-30 16:05:38 +0200

[diff] [blame]

{

int ret;

unsigned char *buf;

size_t buf_len;

Jerry Yu

2023-10-31 16:40:01 +0800

[diff] [blame]

2194

mbedtls_ssl_handshake_params *handshake = ssl->handshake;

Ronald Cron

2022-05-30 16:05:38 +0200

[diff] [blame]

2195

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2196

MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse encrypted extensions"));

Ronald Cron

2022-05-30 16:05:38 +0200

[diff] [blame]

2197

Xiaokang Qian

2023-03-29 10:37:35 +0000

[diff] [blame]

2198

MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_tls13_fetch_handshake_msg(

2199

ssl, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS,

2200

&buf, &buf_len));

Ronald Cron

2022-05-30 16:05:38 +0200

[diff] [blame]

2201

2202

/* Process the message contents */

2203

MBEDTLS_SSL_PROC_CHK(

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2204

ssl_tls13_parse_encrypted_extensions(ssl, buf, buf + buf_len));

Ronald Cron

2022-05-30 16:05:38 +0200

[diff] [blame]

2205

Xiaokang Qian

b157e91

2022-11-23 08:12:26 +0000

[diff] [blame]

2206

#if defined(MBEDTLS_SSL_EARLY_DATA)

Jerry Yu

2023-10-31 16:40:01 +0800

[diff] [blame]

2207

if (handshake->received_extensions & MBEDTLS_SSL_EXT_MASK(EARLY_DATA)) {

2208

/* RFC8446 4.2.11

2209

* If the server supplies an "early_data" extension, the

2210

* client MUST verify that the server's selected_identity

2211

* is 0. If any other value is returned, the client MUST

2212

* abort the handshake with an "illegal_parameter" alert.

2213

*

2214

* RFC 8446 4.2.10

2215

* In order to accept early data, the server MUST have accepted a PSK

2216

* cipher suite and selected the first key offered in the client's

2217

* "pre_shared_key" extension. In addition, it MUST verify that the

2218

* following values are the same as those associated with the

2219

* selected PSK:

2220

* - The TLS version number

2221

* - The selected cipher suite

2222

* - The selected ALPN [RFC7301] protocol, if any

2223

*

Yanray Wang

03a0076

2023-12-01 17:40:19 +0800

[diff] [blame]

2224

* The server has sent an early data extension in its Encrypted

2225

* Extension message thus accepted to receive early data. We

2226

* check here that the additional constraints on the handshake

2227

* parameters, when early data are exchanged, are met,

2228

* namely:

Yanray Wang

744577a

2023-12-01 22:33:59 +0800

[diff] [blame]

2229

* - a PSK has been selected for the handshake

Yanray Wang

03a0076

2023-12-01 17:40:19 +0800

[diff] [blame]

2230

* - the selected PSK for the handshake was the first one proposed

2231

* by the client.

2232

* - the selected ciphersuite for the handshake is the ciphersuite

2233

* associated with the selected PSK.

Jerry Yu

2023-10-31 16:40:01 +0800

[diff] [blame]

2234

*/

Yanray Wang

744577a

2023-12-01 22:33:59 +0800

[diff] [blame]

2235

if ((!mbedtls_ssl_tls13_key_exchange_mode_with_psk(ssl)) ||

2236

handshake->selected_identity != 0 ||

Jerry Yu

2023-10-31 16:40:01 +0800

[diff] [blame]

2237

handshake->ciphersuite_info->id !=

2238

ssl->session_negotiate->ciphersuite) {

2239

2240

MBEDTLS_SSL_PEND_FATAL_ALERT(

2241

MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,

2242

MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);

2243

return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;

2244

}

2245

Ronald Cron

2024-03-03 15:03:22 +0100

[diff] [blame]

2246

ssl->early_data_state = MBEDTLS_SSL_EARLY_DATA_STATE_ACCEPTED;

Ronald Cron

2024-03-03 15:46:57 +0100

[diff] [blame]

2247

} else if (ssl->early_data_state !=

2248

MBEDTLS_SSL_EARLY_DATA_STATE_NO_IND_SENT) {

Ronald Cron

2024-03-03 15:03:22 +0100

[diff] [blame]

2249

ssl->early_data_state = MBEDTLS_SSL_EARLY_DATA_STATE_REJECTED;

Xiaokang Qian

b157e91

2022-11-23 08:12:26 +0000

[diff] [blame]

}

#endif

Yanray Wang

2023-11-30 14:06:14 +0800

[diff] [blame]

2253

/*

Yanray Wang

9ae6534

2023-12-01 17:46:06 +0800

[diff] [blame]

2254

* In case the client has proposed a PSK associated with a ticket,

2255

* `ssl->session_negotiate->ciphersuite` still contains at this point the

2256

* identifier of the ciphersuite associated with the ticket. This is that

2257

* way because, if an exchange of early data is agreed upon, we need

2258

* it to check that the ciphersuite selected for the handshake is the

2259

* ticket ciphersuite (see above). This information is not needed

2260

* anymore thus we can now set it to the identifier of the ciphersuite

2261

* used in this session under negotiation.

Yanray Wang

a29db7d

2023-11-30 14:06:14 +0800

[diff] [blame]

2262

*/

2263

ssl->session_negotiate->ciphersuite = handshake->ciphersuite_info->id;

2264

Xiaokang Qian

2023-03-29 10:37:35 +0000

[diff] [blame]

2265

MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(

2266

ssl, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS,

2267

buf, buf_len));

Ronald Cron

2022-05-30 16:05:38 +0200

[diff] [blame]

2268

Ronald Cron

2022-10-04 16:14:26 +0200

[diff] [blame]

2269

#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2270

if (mbedtls_ssl_tls13_key_exchange_mode_with_psk(ssl)) {

2271

mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_FINISHED);

2272

} else {

2273

mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CERTIFICATE_REQUEST);

2274

}

Ronald Cron

2022-05-31 14:49:55 +0200

[diff] [blame]

2275

#else

2276

((void) ssl);

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2277

mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_FINISHED);

Ronald Cron

2022-05-31 14:49:55 +0200

[diff] [blame]

2278

#endif

Ronald Cron

2022-05-30 16:05:38 +0200

[diff] [blame]

cleanup:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2282

MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse encrypted extensions"));

2283

return ret;

Ronald Cron

2022-05-30 16:05:38 +0200

[diff] [blame]

}

Ronald Cron

2024-02-21 16:37:16 +0100

[diff] [blame]

2287

#if defined(MBEDTLS_SSL_EARLY_DATA)

Xiaokang Qian

2022-10-28 06:04:06 +0000

[diff] [blame]

2288

/*

2289

* Handler for MBEDTLS_SSL_END_OF_EARLY_DATA

2290

*

Xiaokang Qian

c81a15a

2022-12-19 02:43:33 +0000

[diff] [blame]

2291

* RFC 8446 section 4.5

Xiaokang Qian

2022-10-28 06:04:06 +0000

[diff] [blame]

2292

*

Xiaokang Qian

2022-10-28 06:04:06 +0000

[diff] [blame]

2293

* struct {} EndOfEarlyData;

Xiaokang Qian

c81a15a

2022-12-19 02:43:33 +0000

[diff] [blame]

2294

*

2295

* If the server sent an "early_data" extension in EncryptedExtensions, the

2296

* client MUST send an EndOfEarlyData message after receiving the server

2297

* Finished. Otherwise, the client MUST NOT send an EndOfEarlyData message.

Xiaokang Qian

2022-10-28 06:04:06 +0000

[diff] [blame]

2298

*/

2299

Xiaokang Qian

2022-10-28 06:04:06 +0000

[diff] [blame]

2300

MBEDTLS_CHECK_RETURN_CRITICAL

Xiaokang Qian

2022-10-28 06:04:06 +0000

[diff] [blame]

2301

static int ssl_tls13_write_end_of_early_data(mbedtls_ssl_context *ssl)

2302

{

2303

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

Xiaokang Qian

742578c

2022-12-19 06:34:44 +0000

[diff] [blame]

2304

unsigned char *buf = NULL;

2305

size_t buf_len;

Xiaokang Qian

57a138d

2022-12-19 06:40:47 +0000

[diff] [blame]

2306

MBEDTLS_SSL_DEBUG_MSG(2, ("=> write EndOfEarlyData"));

Xiaokang Qian

2022-10-28 06:04:06 +0000

[diff] [blame]

2307

Xiaokang Qian

742578c

2022-12-19 06:34:44 +0000

[diff] [blame]

2308

MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_start_handshake_msg(

Xiaokang Qian

2023-02-08 06:04:50 +0000

[diff] [blame]

2309

ssl, MBEDTLS_SSL_HS_END_OF_EARLY_DATA,

2310

&buf, &buf_len));

Xiaokang Qian

2022-10-28 06:04:06 +0000

[diff] [blame]

2311

Manuel Pégourié-Gonnard

63e33dd

2023-02-21 15:45:15 +0100

[diff] [blame]

2312

MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_hdr_to_checksum(

2313

ssl, MBEDTLS_SSL_HS_END_OF_EARLY_DATA, 0));

Xiaokang Qian

2022-10-28 06:04:06 +0000

[diff] [blame]

2314

Xiaokang Qian

742578c

2022-12-19 06:34:44 +0000

[diff] [blame]

2315

MBEDTLS_SSL_PROC_CHK(

2316

mbedtls_ssl_finish_handshake_msg(ssl, buf_len, 0));

Xiaokang Qian

da8402d

2022-12-15 14:55:35 +0000

[diff] [blame]

2317

Xiaokang Qian

19d4416

2023-01-03 03:39:50 +0000

[diff] [blame]

2318

mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE);

Xiaokang Qian

2022-10-28 06:04:06 +0000

[diff] [blame]

cleanup:

MBEDTLS_SSL_DEBUG_MSG(2, ("<= write EndOfEarlyData"));

return ret;

}

Ronald Cron

2024-02-21 17:03:22 +0100

[diff] [blame]

2326

int mbedtls_ssl_get_early_data_status(mbedtls_ssl_context *ssl)

2327

{

Ronald Cron

f19989d

2024-02-22 12:05:42 +0100

[diff] [blame]

2328

if ((ssl->conf->endpoint != MBEDTLS_SSL_IS_CLIENT) ||

Ronald Cron

2024-02-21 17:03:22 +0100

[diff] [blame]

2329

(!mbedtls_ssl_is_handshake_over(ssl))) {

2330

return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;

2331

}

2332

Ronald Cron

2024-03-03 15:03:22 +0100

[diff] [blame]

2333

switch (ssl->early_data_state) {

Ronald Cron

2024-03-03 15:46:57 +0100

[diff] [blame]

2334

case MBEDTLS_SSL_EARLY_DATA_STATE_NO_IND_SENT:

Ronald Cron

840de7f

2024-03-11 17:49:35 +0100

[diff] [blame]

2335

return MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_INDICATED;

Ronald Cron

2024-02-21 17:03:22 +0100

[diff] [blame]

2336

break;

2337

Ronald Cron

2024-03-03 15:03:22 +0100

[diff] [blame]

2338

case MBEDTLS_SSL_EARLY_DATA_STATE_REJECTED:

Ronald Cron

2024-02-21 17:03:22 +0100

[diff] [blame]

2339

return MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED;

2340

break;

2341

Ronald Cron

2024-03-03 15:03:22 +0100

[diff] [blame]

2342

case MBEDTLS_SSL_EARLY_DATA_STATE_SERVER_FINISHED_RECEIVED:

Ronald Cron

2024-02-21 17:03:22 +0100

[diff] [blame]

2343

return MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED;

break;

default:

return MBEDTLS_ERR_SSL_INTERNAL_ERROR;

2348

}

2349

}

Ronald Cron

e21c2d2

2024-02-21 16:37:16 +0100

[diff] [blame]

2350

#endif /* MBEDTLS_SSL_EARLY_DATA */

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

2351

Ronald Cron

2022-10-04 16:14:26 +0200

[diff] [blame]

2352

#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

2353

/*

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2354

* STATE HANDLING: CertificateRequest

2355

*

Jerry Yu

2021-10-29 10:08:19 +0800

[diff] [blame]

2356

*/

Xiaofei Bai

2022-01-20 08:25:00 +0000

[diff] [blame]

2357

#define SSL_CERTIFICATE_REQUEST_EXPECT_REQUEST 0

2358

#define SSL_CERTIFICATE_REQUEST_SKIP 1

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2359

/* Coordination:

2360

* Deals with the ambiguity of not knowing if a CertificateRequest

2361

* will be sent. Returns a negative code on failure, or

2362

* - SSL_CERTIFICATE_REQUEST_EXPECT_REQUEST

2363

* - SSL_CERTIFICATE_REQUEST_SKIP

2364

* indicating if a Certificate Request is expected or not.

2365

*/

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

2366

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2367

static int ssl_tls13_certificate_request_coordinate(mbedtls_ssl_context *ssl)

Jerry Yu

2021-10-29 10:08:19 +0800

[diff] [blame]

2368

{

Xiaofei Bai

de3f13e

2022-01-18 05:47:05 +0000

[diff] [blame]

2369

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

Jerry Yu

2021-10-29 10:08:19 +0800

[diff] [blame]

2370

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2371

if ((ret = mbedtls_ssl_read_record(ssl, 0)) != 0) {

2372

MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);

2373

return ret;

Jerry Yu

2021-10-29 10:08:19 +0800

[diff] [blame]

2374

}

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2375

ssl->keep_current_message = 1;

Jerry Yu

2021-10-29 10:08:19 +0800

[diff] [blame]

2376

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2377

if ((ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE) &&

2378

(ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE_REQUEST)) {

2379

MBEDTLS_SSL_DEBUG_MSG(3, ("got a certificate request"));

2380

return SSL_CERTIFICATE_REQUEST_EXPECT_REQUEST;

Jerry Yu

2021-10-29 10:08:19 +0800

[diff] [blame]

2381

}

2382

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2383

MBEDTLS_SSL_DEBUG_MSG(3, ("got no certificate request"));

Ronald Cron

1938588

2022-06-15 16:26:13 +0200

[diff] [blame]

2384

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2385

return SSL_CERTIFICATE_REQUEST_SKIP;

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2386

}

2387

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2388

/*

2389

* ssl_tls13_parse_certificate_request()

2390

* Parse certificate request

2391

* struct {

2392

* opaque certificate_request_context<0..2^8-1>;

2393

* Extension extensions<2..2^16-1>;

2394

* } CertificateRequest;

2395

*/

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

2396

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2397

static int ssl_tls13_parse_certificate_request(mbedtls_ssl_context *ssl,

2398

const unsigned char *buf,

2399

const unsigned char *end)

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2400

{

2401

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

2402

const unsigned char *p = buf;

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2403

size_t certificate_request_context_len = 0;

Xiaofei Bai

2022-01-26 09:21:54 +0000

[diff] [blame]

2404

size_t extensions_len = 0;

2405

const unsigned char *extensions_end;

Jerry Yu

2022-10-29 09:08:47 +0800

[diff] [blame]

2406

mbedtls_ssl_handshake_params *handshake = ssl->handshake;

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2407

Xiaofei Bai

2022-01-26 09:21:54 +0000

[diff] [blame]

2408

/* ...

2409

* opaque certificate_request_context<0..2^8-1>

2410

* ...

2411

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2412

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 1);

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2413

certificate_request_context_len = (size_t) p[0];

Xiaofei Bai

2022-01-20 08:25:00 +0000

[diff] [blame]

2414

p += 1;

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2415

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2416

if (certificate_request_context_len > 0) {

2417

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, certificate_request_context_len);

2418

MBEDTLS_SSL_DEBUG_BUF(3, "Certificate Request Context",

2419

p, certificate_request_context_len);

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2420

Xiaofei Bai

2022-01-20 08:25:00 +0000

[diff] [blame]

2421

handshake->certificate_request_context =

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2422

mbedtls_calloc(1, certificate_request_context_len);

2423

if (handshake->certificate_request_context == NULL) {

2424

MBEDTLS_SSL_DEBUG_MSG(1, ("buffer too small"));

2425

return MBEDTLS_ERR_SSL_ALLOC_FAILED;

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2426

}

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2427

memcpy(handshake->certificate_request_context, p,

2428

certificate_request_context_len);

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2429

p += certificate_request_context_len;

2430

}

2431

Xiaofei Bai

2022-01-26 09:21:54 +0000

[diff] [blame]

2432

/* ...

2433

* Extension extensions<2..2^16-1>;

2434

* ...

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2435

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2436

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);

2437

extensions_len = MBEDTLS_GET_UINT16_BE(p, 0);

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2438

p += 2;

2439

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2440

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, extensions_len);

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2441

extensions_end = p + extensions_len;

2442

Jerry Yu

6d0e78b

2022-10-31 14:13:25 +0800

[diff] [blame]

2443

handshake->received_extensions = MBEDTLS_SSL_EXT_MASK_NONE;

Jerry Yu

2022-08-04 17:01:21 +0800

[diff] [blame]

2444

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2445

while (p < extensions_end) {

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2446

unsigned int extension_type;

2447

size_t extension_data_len;

2448

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2449

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, extensions_end, 4);

2450

extension_type = MBEDTLS_GET_UINT16_BE(p, 0);

2451

extension_data_len = MBEDTLS_GET_UINT16_BE(p, 2);

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2452

p += 4;

2453

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2454

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, extensions_end, extension_data_len);

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2455

Jerry Yu

2022-10-29 09:08:47 +0800

[diff] [blame]

2456

ret = mbedtls_ssl_tls13_check_received_extension(

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2457

ssl, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST, extension_type,

2458

MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CR);

2459

if (ret != 0) {

2460

return ret;

2461

}

Jerry Yu

2022-08-04 17:01:21 +0800

[diff] [blame]

2462

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2463

switch (extension_type) {

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2464

case MBEDTLS_TLS_EXT_SIG_ALG:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2465

MBEDTLS_SSL_DEBUG_MSG(3,

2466

("found signature algorithms extension"));

2467

ret = mbedtls_ssl_parse_sig_alg_ext(ssl, p,

2468

p + extension_data_len);

2469

if (ret != 0) {

2470

return ret;

2471

}

Jerry Yu

2022-08-04 17:01:21 +0800

[diff] [blame]

2472

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2473

break;

2474

2475

default:

Jerry Yu

79aa721

2022-11-08 21:30:21 +0800

[diff] [blame]

2476

MBEDTLS_SSL_PRINT_EXT(

Jerry Yu

6d0e78b

2022-10-31 14:13:25 +0800

[diff] [blame]

2477

3, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST,

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2478

extension_type, "( ignored )");

Xiaofei Bai

2022-01-26 09:21:54 +0000

[diff] [blame]

2479

break;

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2480

}

Jerry Yu

2022-08-04 17:01:21 +0800

[diff] [blame]

2481

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2482

p += extension_data_len;

2483

}

Jerry Yu

2022-08-04 17:01:21 +0800

[diff] [blame]

2484

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2485

MBEDTLS_SSL_PRINT_EXTS(3, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST,

2486

handshake->received_extensions);

Jerry Yu

2022-08-04 17:01:21 +0800

[diff] [blame]

2487

Xiaofei Bai

2022-01-20 08:25:00 +0000

[diff] [blame]

2488

/* Check that we consumed all the message. */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2489

if (p != end) {

2490

MBEDTLS_SSL_DEBUG_MSG(1,

2491

("CertificateRequest misaligned"));

Xiaofei Bai

c234ecf

2022-02-08 09:59:23 +0000

[diff] [blame]

2492

goto decode_error;

Xiaofei Bai

2022-01-20 08:25:00 +0000

[diff] [blame]

2493

}

Jerry Yu

2022-08-04 17:01:21 +0800

[diff] [blame]

2494

Jerry Yu

2022-08-29 15:25:36 +0800

[diff] [blame]

2495

/* RFC 8446 section 4.3.2

Jerry Yu

2022-08-04 17:01:21 +0800

[diff] [blame]

2496

*

2497

* The "signature_algorithms" extension MUST be specified

2498

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2499

if ((handshake->received_extensions & MBEDTLS_SSL_EXT_MASK(SIG_ALG)) == 0) {

2500

MBEDTLS_SSL_DEBUG_MSG(3,

2501

("no signature algorithms extension found"));

Xiaofei Bai

c234ecf

2022-02-08 09:59:23 +0000

[diff] [blame]

2502

goto decode_error;

Xiaofei Bai

2022-01-20 08:25:00 +0000

[diff] [blame]

2503

}

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2504

Jerry Yu

7840f81

2022-01-29 10:26:51 +0800

[diff] [blame]

2505

ssl->handshake->client_auth = 1;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2506

return 0;

Xiaofei Bai

51f515a

2022-02-08 07:28:04 +0000

[diff] [blame]

2507

Xiaofei Bai

c234ecf

2022-02-08 09:59:23 +0000

[diff] [blame]

2508

decode_error:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2509

MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,

2510

MBEDTLS_ERR_SSL_DECODE_ERROR);

2511

return MBEDTLS_ERR_SSL_DECODE_ERROR;

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2512

}

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2513

Xiaofei Bai

de3f13e

2022-01-18 05:47:05 +0000

[diff] [blame]

2514

/*

2515

* Handler for MBEDTLS_SSL_CERTIFICATE_REQUEST

2516

*/

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

2517

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2518

static int ssl_tls13_process_certificate_request(mbedtls_ssl_context *ssl)

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2519

{

Xiaofei Bai

de3f13e

2022-01-18 05:47:05 +0000

[diff] [blame]

2520

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2521

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2522

MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate request"));

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2523

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2524

MBEDTLS_SSL_PROC_CHK_NEG(ssl_tls13_certificate_request_coordinate(ssl));

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2525

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2526

if (ret == SSL_CERTIFICATE_REQUEST_EXPECT_REQUEST) {

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

unsigned char *buf;

size_t buf_len;

Xiaokang Qian

2023-03-29 10:37:35 +0000

[diff] [blame]

2530

MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_tls13_fetch_handshake_msg(

2531

ssl, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST,

2532

&buf, &buf_len));

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2533

Xiaokang Qian

2023-03-29 10:37:35 +0000

[diff] [blame]

2534

MBEDTLS_SSL_PROC_CHK(ssl_tls13_parse_certificate_request(

2535

ssl, buf, buf + buf_len));

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2536

Xiaokang Qian

2023-03-29 10:37:35 +0000

[diff] [blame]

2537

MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(

2538

ssl, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST,

2539

buf, buf_len));

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2540

} else if (ret == SSL_CERTIFICATE_REQUEST_SKIP) {

Xiaofei Bai

f6d3696

2022-01-16 14:54:35 +0000

[diff] [blame]

2541

ret = 0;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2542

} else {

2543

MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));

Xiaofei Bai

51f515a

2022-02-08 07:28:04 +0000

[diff] [blame]

2544

ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;

2545

goto cleanup;

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2546

}

2547

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2548

mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_CERTIFICATE);

Jerry Yu

2021-10-29 10:08:19 +0800

[diff] [blame]

2549

Xiaofei Bai

2022-01-16 12:14:45 +0000

[diff] [blame]

2550

cleanup:

2551

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2552

MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse certificate request"));

2553

return ret;

Jerry Yu

2021-10-29 10:08:19 +0800

[diff] [blame]

2554

}

2555

2556

/*

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

2557

* Handler for MBEDTLS_SSL_SERVER_CERTIFICATE

2558

*/

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

2559

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2560

static int ssl_tls13_process_server_certificate(mbedtls_ssl_context *ssl)

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

2561

{

Xiaofei Bai

947571e

2021-09-29 09:12:03 +0000

[diff] [blame]

2562

int ret;

2563

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2564

ret = mbedtls_ssl_tls13_process_certificate(ssl);

2565

if (ret != 0) {

2566

return ret;

2567

}

Xiaofei Bai

947571e

2021-09-29 09:12:03 +0000

[diff] [blame]

2568

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2569

mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CERTIFICATE_VERIFY);

2570

return 0;

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

}

/*

* Handler for MBEDTLS_SSL_CERTIFICATE_VERIFY

2575

*/

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

2576

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2577

static int ssl_tls13_process_certificate_verify(mbedtls_ssl_context *ssl)

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

2578

{

Jerry Yu

30b071c

2021-09-12 20:16:03 +0800

[diff] [blame]

2579

int ret;

2580

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2581

ret = mbedtls_ssl_tls13_process_certificate_verify(ssl);

2582

if (ret != 0) {

2583

return ret;

2584

}

Jerry Yu

30b071c

2021-09-12 20:16:03 +0800

[diff] [blame]

2585

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2586

mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_FINISHED);

2587

return 0;

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

2588

}

Ronald Cron

2022-10-04 16:14:26 +0200

[diff] [blame]

2589

#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */

Ronald Cron

d4c6402

2021-12-06 09:06:46 +0100

[diff] [blame]

2590

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

2591

/*

2592

* Handler for MBEDTLS_SSL_SERVER_FINISHED

2593

*/

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

2594

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2595

static int ssl_tls13_process_server_finished(mbedtls_ssl_context *ssl)

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

2596

{

XiaokangQian

ac0385c

2021-11-03 06:40:11 +0000

[diff] [blame]

2597

int ret;

2598

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2599

ret = mbedtls_ssl_tls13_process_finished_message(ssl);

2600

if (ret != 0) {

2601

return ret;

2602

}

XiaokangQian

ac0385c

2021-11-03 06:40:11 +0000

[diff] [blame]

2603

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2604

ret = mbedtls_ssl_tls13_compute_application_transform(ssl);

2605

if (ret != 0) {

Jerry Yu

e3d67cb

2022-05-19 15:33:10 +0800

[diff] [blame]

2606

MBEDTLS_SSL_PEND_FATAL_ALERT(

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2607

MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,

2608

MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE);

2609

return ret;

Jerry Yu

e3d67cb

2022-05-19 15:33:10 +0800

[diff] [blame]

2610

}

2611

Xiaokang Qian

bc75bc0

2022-12-19 06:16:42 +0000

[diff] [blame]

2612

#if defined(MBEDTLS_SSL_EARLY_DATA)

Ronald Cron

2024-03-03 15:03:22 +0100

[diff] [blame]

2613

if (ssl->early_data_state == MBEDTLS_SSL_EARLY_DATA_STATE_ACCEPTED) {

2614

ssl->early_data_state = MBEDTLS_SSL_EARLY_DATA_STATE_SERVER_FINISHED_RECEIVED;

Xiaokang Qian

bc75bc0

2022-12-19 06:16:42 +0000

[diff] [blame]

2615

mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_END_OF_EARLY_DATA);

2616

} else

2617

#endif /* MBEDTLS_SSL_EARLY_DATA */

2618

{

2619

#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)

2620

mbedtls_ssl_handshake_set_state(

2621

ssl, MBEDTLS_SSL_CLIENT_CCS_AFTER_SERVER_FINISHED);

2622

#else

2623

mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE);

2624

#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */

2625

}

Ronald Cron

2021-11-24 16:25:31 +0100

[diff] [blame]

2626

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2627

return 0;

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

2628

}

2629

2630

/*

Jerry Yu

2022-01-26 15:41:22 +0800

[diff] [blame]

2631

* Handler for MBEDTLS_SSL_CLIENT_CERTIFICATE

2632

*/

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

2633

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2634

static int ssl_tls13_write_client_certificate(mbedtls_ssl_context *ssl)

Jerry Yu

2022-01-26 15:41:22 +0800

[diff] [blame]

2635

{

Ronald Cron

2022-03-09 07:44:27 +0100

[diff] [blame]

2636

int non_empty_certificate_msg = 0;

2637

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2638

MBEDTLS_SSL_DEBUG_MSG(1,

2639

("Switch to handshake traffic keys for outbound traffic"));

2640

mbedtls_ssl_set_outbound_transform(ssl, ssl->handshake->transform_handshake);

Jerry Yu

5cc3506

2022-01-28 16:16:08 +0800

[diff] [blame]

2641

Ronald Cron

2022-10-04 16:14:26 +0200

[diff] [blame]

2642

#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2643

if (ssl->handshake->client_auth) {

2644

int ret = mbedtls_ssl_tls13_write_certificate(ssl);

2645

if (ret != 0) {

2646

return ret;

2647

}

Ronald Cron

5bb8fc8

2022-03-09 07:00:13 +0100

[diff] [blame]

2648

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2649

if (mbedtls_ssl_own_cert(ssl) != NULL) {

Ronald Cron

2022-03-09 07:44:27 +0100

[diff] [blame]

2650

non_empty_certificate_msg = 1;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2651

}

2652

} else {

2653

MBEDTLS_SSL_DEBUG_MSG(2, ("skip write certificate"));

Ronald Cron

2022-03-09 07:44:27 +0100

[diff] [blame]

2654

}

Ronald Cron

9df7c80

2022-03-08 18:38:54 +0100

[diff] [blame]

2655

#endif

Ronald Cron

5bb8fc8

2022-03-09 07:00:13 +0100

[diff] [blame]

2656

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2657

if (non_empty_certificate_msg) {

2658

mbedtls_ssl_handshake_set_state(ssl,

2659

MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY);

2660

} else {

2661

MBEDTLS_SSL_DEBUG_MSG(2, ("skip write certificate verify"));

2662

mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_FINISHED);

2663

}

Ronald Cron

2022-03-09 07:44:27 +0100

[diff] [blame]

2664

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2665

return 0;

Jerry Yu

2022-01-26 15:41:22 +0800

[diff] [blame]

2666

}

2667

Ronald Cron

2022-10-04 16:14:26 +0200

[diff] [blame]

2668

#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)

Jerry Yu

2022-01-26 15:41:22 +0800

[diff] [blame]

2669

/*

2670

* Handler for MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY

2671

*/

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

2672

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2673

static int ssl_tls13_write_client_certificate_verify(mbedtls_ssl_context *ssl)

Jerry Yu

2022-01-26 15:41:22 +0800

[diff] [blame]

2674

{

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2675

int ret = mbedtls_ssl_tls13_write_certificate_verify(ssl);

Ronald Cron

a8b3887

2022-03-09 07:59:25 +0100

[diff] [blame]

2676

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2677

if (ret == 0) {

2678

mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_FINISHED);

2679

}

Ronald Cron

a8b3887

2022-03-09 07:59:25 +0100

[diff] [blame]

2680

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2681

return ret;

Jerry Yu

2022-01-26 15:41:22 +0800

[diff] [blame]

2682

}

Ronald Cron

2022-10-04 16:14:26 +0200

[diff] [blame]

2683

#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */

Jerry Yu

2022-01-26 15:41:22 +0800

[diff] [blame]

2684

2685

/*

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

2686

* Handler for MBEDTLS_SSL_CLIENT_FINISHED

2687

*/

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

2688

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2689

static int ssl_tls13_write_client_finished(mbedtls_ssl_context *ssl)

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

2690

{

XiaokangQian

0fa6643

2021-11-15 03:33:57 +0000

[diff] [blame]

2691

int ret;

2692

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2693

ret = mbedtls_ssl_tls13_write_finished_message(ssl);

2694

if (ret != 0) {

2695

return ret;

Jerry Yu

e3d67cb

2022-05-19 15:33:10 +0800

[diff] [blame]

2696

}

2697

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2698

ret = mbedtls_ssl_tls13_compute_resumption_master_secret(ssl);

2699

if (ret != 0) {

Xiaokang Qian

2023-03-29 10:37:35 +0000

[diff] [blame]

2700

MBEDTLS_SSL_DEBUG_RET(

2701

1, "mbedtls_ssl_tls13_compute_resumption_master_secret ", ret);

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

return ret;

}

mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_FLUSH_BUFFERS);

2706

return 0;

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

}

/*

* Handler for MBEDTLS_SSL_FLUSH_BUFFERS

2711

*/

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

2712

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2713

static int ssl_tls13_flush_buffers(mbedtls_ssl_context *ssl)

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

2714

{

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2715

MBEDTLS_SSL_DEBUG_MSG(2, ("handshake: done"));

2716

mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_WRAPUP);

2717

return 0;

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

}

/*

* Handler for MBEDTLS_SSL_HANDSHAKE_WRAPUP

2722

*/

Manuel Pégourié-Gonnard

2022-06-17 10:52:54 +0200

[diff] [blame]

2723

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2724

static int ssl_tls13_handshake_wrapup(mbedtls_ssl_context *ssl)

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

2725

{

Jerry Yu

378254d

2021-10-30 21:44:47 +0800

[diff] [blame]

2726

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2727

mbedtls_ssl_tls13_handshake_wrapup(ssl);

Jerry Yu

378254d

2021-10-30 21:44:47 +0800

[diff] [blame]

2728

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2729

mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_OVER);

2730

return 0;

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

2731

}

2732

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2733

#if defined(MBEDTLS_SSL_SESSION_TICKETS)

2734

Yanray Wang

2023-11-14 17:20:16 +0800

[diff] [blame]

2735

#if defined(MBEDTLS_SSL_EARLY_DATA)

2736

/* From RFC 8446 section 4.2.10

2737

*

2738

* struct {

2739

* select (Handshake.msg_type) {

2740

* case new_session_ticket: uint32 max_early_data_size;

2741

* ...

2742

* };

2743

* } EarlyDataIndication;

2744

*/

2745

MBEDTLS_CHECK_RETURN_CRITICAL

Yanray Wang

b3e207d

2023-11-30 16:49:49 +0800

[diff] [blame]

2746

static int ssl_tls13_parse_new_session_ticket_early_data_ext(

2747

mbedtls_ssl_context *ssl,

2748

const unsigned char *buf,

2749

const unsigned char *end)

Yanray Wang

2023-11-14 17:20:16 +0800

[diff] [blame]

2750

{

Yanray Wang

2023-11-23 16:35:54 +0800

[diff] [blame]

2751

mbedtls_ssl_session *session = ssl->session;

2752

Yanray Wang

2023-11-14 17:20:16 +0800

[diff] [blame]

2753

MBEDTLS_SSL_CHK_BUF_READ_PTR(buf, end, 4);

Yanray Wang

2023-11-14 17:20:16 +0800

[diff] [blame]

2754

Yanray Wang

2023-11-23 16:35:54 +0800

[diff] [blame]

2755

session->max_early_data_size = MBEDTLS_GET_UINT32_BE(buf, 0);

Pengyu Lv

2023-12-06 10:04:17 +0800

[diff] [blame]

2756

mbedtls_ssl_tls13_session_set_ticket_flags(

Yanray Wang

2023-11-23 16:35:54 +0800

[diff] [blame]

2757

session, MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_EARLY_DATA);

2758

MBEDTLS_SSL_DEBUG_MSG(

2759

3, ("received max_early_data_size: %u",

2760

(unsigned int) session->max_early_data_size));

Yanray Wang

2023-11-14 17:20:16 +0800

[diff] [blame]

2761

Yanray Wang

2023-11-23 16:35:54 +0800

[diff] [blame]

2762

return 0;

Yanray Wang

2023-11-14 17:20:16 +0800

[diff] [blame]

2763

}

2764

#endif /* MBEDTLS_SSL_EARLY_DATA */

2765

Jerry Yu

2022-07-13 11:22:55 +0800

[diff] [blame]

2766

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2767

static int ssl_tls13_parse_new_session_ticket_exts(mbedtls_ssl_context *ssl,

2768

const unsigned char *buf,

2769

const unsigned char *end)

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2770

{

Jerry Yu

2022-10-29 09:08:47 +0800

[diff] [blame]

2771

mbedtls_ssl_handshake_params *handshake = ssl->handshake;

Jerry Yu

af2c0c8

2022-07-12 05:47:21 +0000

[diff] [blame]

2772

const unsigned char *p = buf;

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2773

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2774

Jerry Yu

edab637

2022-10-31 14:37:31 +0800

[diff] [blame]

2775

handshake->received_extensions = MBEDTLS_SSL_EXT_MASK_NONE;

Jerry Yu

2022-08-04 17:53:25 +0800

[diff] [blame]

2776

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2777

while (p < end) {

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2778

unsigned int extension_type;

2779

size_t extension_data_len;

Jerry Yu

2022-08-29 15:25:36 +0800

[diff] [blame]

2780

int ret;

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2781

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2782

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 4);

2783

extension_type = MBEDTLS_GET_UINT16_BE(p, 0);

2784

extension_data_len = MBEDTLS_GET_UINT16_BE(p, 2);

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2785

p += 4;

2786

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2787

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, extension_data_len);

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2788

Jerry Yu

2022-10-29 09:08:47 +0800

[diff] [blame]

2789

ret = mbedtls_ssl_tls13_check_received_extension(

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2790

ssl, MBEDTLS_SSL_HS_NEW_SESSION_TICKET, extension_type,

2791

MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_NST);

2792

if (ret != 0) {

2793

return ret;

2794

}

Jerry Yu

2022-08-04 17:53:25 +0800

[diff] [blame]

2795

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2796

switch (extension_type) {

Xiaokang Qian

0cc4320

2022-11-16 08:43:50 +0000

[diff] [blame]

2797

#if defined(MBEDTLS_SSL_EARLY_DATA)

Xiaokang Qian

f447e8a

2022-11-08 07:02:27 +0000

[diff] [blame]

2798

case MBEDTLS_TLS_EXT_EARLY_DATA:

Yanray Wang

b3e207d

2023-11-30 16:49:49 +0800

[diff] [blame]

2799

ret = ssl_tls13_parse_new_session_ticket_early_data_ext(

Yanray Wang

2023-11-14 17:20:16 +0800

[diff] [blame]

2800

ssl, p, p + extension_data_len);

2801

if (ret != 0) {

2802

MBEDTLS_SSL_DEBUG_RET(

Yanray Wang

b3e207d

2023-11-30 16:49:49 +0800

[diff] [blame]

2803

1, "ssl_tls13_parse_new_session_ticket_early_data_ext",

2804

ret);

Xiaokang Qian

2d87a9e

2022-11-09 07:55:48 +0000

[diff] [blame]

2805

}

Xiaokang Qian

f447e8a

2022-11-08 07:02:27 +0000

[diff] [blame]

2806

break;

Xiaokang Qian

0cc4320

2022-11-16 08:43:50 +0000

[diff] [blame]

2807

#endif /* MBEDTLS_SSL_EARLY_DATA */

Xiaokang Qian

f447e8a

2022-11-08 07:02:27 +0000

[diff] [blame]

2808

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2809

default:

Jerry Yu

79aa721

2022-11-08 21:30:21 +0800

[diff] [blame]

2810

MBEDTLS_SSL_PRINT_EXT(

Jerry Yu

edab637

2022-10-31 14:37:31 +0800

[diff] [blame]

2811

3, MBEDTLS_SSL_HS_NEW_SESSION_TICKET,

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2812

extension_type, "( ignored )");

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2813

break;

2814

}

Jerry Yu

2022-08-04 17:53:25 +0800

[diff] [blame]

2815

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2816

p += extension_data_len;

2817

}

2818

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2819

MBEDTLS_SSL_PRINT_EXTS(3, MBEDTLS_SSL_HS_NEW_SESSION_TICKET,

2820

handshake->received_extensions);

Jerry Yu

2022-08-04 17:53:25 +0800

[diff] [blame]

2821

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2822

return 0;

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2823

}

2824

2825

/*

Jerry Yu

08aed4d

2022-07-20 10:36:12 +0800

[diff] [blame]

2826

* From RFC8446, page 74

2827

*

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2828

* struct {

2829

* uint32 ticket_lifetime;

2830

* uint32 ticket_age_add;

2831

* opaque ticket_nonce<0..255>;

2832

* opaque ticket<1..2^16-1>;

2833

* Extension extensions<0..2^16-2>;

2834

* } NewSessionTicket;

2835

*

2836

*/

Jerry Yu

2022-07-13 11:22:55 +0800

[diff] [blame]

2837

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2838

static int ssl_tls13_parse_new_session_ticket(mbedtls_ssl_context *ssl,

2839

unsigned char *buf,

2840

unsigned char *end,

2841

unsigned char **ticket_nonce,

2842

size_t *ticket_nonce_len)

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2843

{

2844

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

2845

unsigned char *p = buf;

2846

mbedtls_ssl_session *session = ssl->session;

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2847

size_t ticket_len;

2848

unsigned char *ticket;

2849

size_t extensions_len;

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2850

Jerry Yu

2022-07-12 06:09:38 +0000

[diff] [blame]

2851

*ticket_nonce = NULL;

2852

*ticket_nonce_len = 0;

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2853

/*

2854

* ticket_lifetime 4 bytes

2855

* ticket_age_add 4 bytes

Jerry Yu

08aed4d

2022-07-20 10:36:12 +0800

[diff] [blame]

2856

* ticket_nonce_len 1 byte

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2857

*/

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2858

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 9);

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2859

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2860

session->ticket_lifetime = MBEDTLS_GET_UINT32_BE(p, 0);

2861

MBEDTLS_SSL_DEBUG_MSG(3,

2862

("ticket_lifetime: %u",

2863

(unsigned int) session->ticket_lifetime));

Jerry Yu

8e0174a

2023-11-10 13:58:16 +0800

[diff] [blame]

2864

if (session->ticket_lifetime >

2865

MBEDTLS_SSL_TLS1_3_MAX_ALLOWED_TICKET_LIFETIME) {

Jerry Yu

46c7926

2023-11-10 13:58:16 +0800

[diff] [blame]

2866

MBEDTLS_SSL_DEBUG_MSG(3, ("ticket_lifetime exceeds 7 days."));

Jerry Yu

cf91351

2023-11-14 11:06:52 +0800

[diff] [blame]

2867

return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;

Jerry Yu

46c7926

2023-11-10 13:58:16 +0800

[diff] [blame]

2868

}

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2869

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2870

session->ticket_age_add = MBEDTLS_GET_UINT32_BE(p, 4);

2871

MBEDTLS_SSL_DEBUG_MSG(3,

2872

("ticket_age_add: %u",

2873

(unsigned int) session->ticket_age_add));

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2874

Jerry Yu

2022-07-12 06:09:38 +0000

[diff] [blame]

2875

*ticket_nonce_len = p[8];

2876

p += 9;

2877

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2878

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, *ticket_nonce_len);

Jerry Yu

2022-07-12 06:09:38 +0000

[diff] [blame]

2879

*ticket_nonce = p;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2880

MBEDTLS_SSL_DEBUG_BUF(3, "ticket_nonce:", *ticket_nonce, *ticket_nonce_len);

Jerry Yu

2022-07-12 06:09:38 +0000

[diff] [blame]

2881

p += *ticket_nonce_len;

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2882

2883

/* Ticket */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2884

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);

2885

ticket_len = MBEDTLS_GET_UINT16_BE(p, 0);

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2886

p += 2;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2887

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, ticket_len);

2888

MBEDTLS_SSL_DEBUG_BUF(3, "received ticket", p, ticket_len);

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2889

2890

/* Check if we previously received a ticket already. */

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2891

if (session->ticket != NULL || session->ticket_len > 0) {

2892

mbedtls_free(session->ticket);

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2893

session->ticket = NULL;

2894

session->ticket_len = 0;

2895

}

2896

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2897

if ((ticket = mbedtls_calloc(1, ticket_len)) == NULL) {

2898

MBEDTLS_SSL_DEBUG_MSG(1, ("ticket alloc failed"));

2899

return MBEDTLS_ERR_SSL_ALLOC_FAILED;

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2900

}

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2901

memcpy(ticket, p, ticket_len);

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2902

p += ticket_len;

2903

session->ticket = ticket;

2904

session->ticket_len = ticket_len;

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2905

Pengyu Lv

2022-11-17 15:22:33 +0800

[diff] [blame]

2906

/* Clear all flags in ticket_flags */

Pengyu Lv

2023-12-06 10:04:17 +0800

[diff] [blame]

2907

mbedtls_ssl_tls13_session_clear_ticket_flags(

Pengyu Lv

9eacb44

2022-12-09 14:39:19 +0800

[diff] [blame]

2908

session, MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK);

Pengyu Lv

2022-11-17 15:22:33 +0800

[diff] [blame]

2909

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2910

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);

2911

extensions_len = MBEDTLS_GET_UINT16_BE(p, 0);

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2912

p += 2;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2913

MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, extensions_len);

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2914

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2915

MBEDTLS_SSL_DEBUG_BUF(3, "ticket extension", p, extensions_len);

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2916

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2917

ret = ssl_tls13_parse_new_session_ticket_exts(ssl, p, p + extensions_len);

2918

if (ret != 0) {

2919

MBEDTLS_SSL_DEBUG_RET(1,

2920

"ssl_tls13_parse_new_session_ticket_exts",

2921

ret);

2922

return ret;

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2923

}

Jerry Yu

2022-07-12 06:09:38 +0000

[diff] [blame]

2924

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2925

return 0;

Jerry Yu

2022-07-12 06:09:38 +0000

[diff] [blame]

2926

}

2927

Ronald Cron

2024-03-08 17:51:23 +0100

[diff] [blame]

2928

/* Non negative return values for ssl_tls13_postprocess_new_session_ticket().

2929

* - POSTPROCESS_NEW_SESSION_TICKET_SIGNAL, all good, we have to signal the

2930

* application that a valid ticket has been received.

2931

* - POSTPROCESS_NEW_SESSION_TICKET_DISCARD, no fatal error, we keep the

2932

* connection alive but we do not signal the ticket to the application.

2933

*/

2934

#define POSTPROCESS_NEW_SESSION_TICKET_SIGNAL 0

2935

#define POSTPROCESS_NEW_SESSION_TICKET_DISCARD 1

Jerry Yu

2022-07-13 11:22:55 +0800

[diff] [blame]

2936

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2937

static int ssl_tls13_postprocess_new_session_ticket(mbedtls_ssl_context *ssl,

2938

unsigned char *ticket_nonce,

2939

size_t ticket_nonce_len)

Jerry Yu

2022-07-12 06:09:38 +0000

[diff] [blame]

2940

{

2941

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

2942

mbedtls_ssl_session *session = ssl->session;

2943

const mbedtls_ssl_ciphersuite_t *ciphersuite_info;

2944

psa_algorithm_t psa_hash_alg;

2945

int hash_length;

2946

Ronald Cron

2024-03-08 17:51:23 +0100

[diff] [blame]

2947

if (session->ticket_lifetime == 0) {

2948

return POSTPROCESS_NEW_SESSION_TICKET_DISCARD;

2949

}

2950

Jerry Yu

2022-07-13 11:16:51 +0800

[diff] [blame]

2951

#if defined(MBEDTLS_HAVE_TIME)

2952

/* Store ticket creation time */

Jerry Yu

342a555

2023-11-10 14:23:39 +0800

[diff] [blame]

2953

session->ticket_reception_time = mbedtls_ms_time();

Jerry Yu

2022-07-13 11:16:51 +0800

[diff] [blame]

2954

#endif

2955

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2956

ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(session->ciphersuite);

2957

if (ciphersuite_info == NULL) {

2958

MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));

2959

return MBEDTLS_ERR_SSL_INTERNAL_ERROR;

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2960

}

2961

Dave Rodgman

2eab462

2023-10-05 13:30:37 +0100

[diff] [blame]

2962

psa_hash_alg = mbedtls_md_psa_alg_from_type((mbedtls_md_type_t) ciphersuite_info->mac);

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2963

hash_length = PSA_HASH_LENGTH(psa_hash_alg);

2964

if (hash_length == -1 ||

2965

(size_t) hash_length > sizeof(session->resumption_key)) {

2966

return MBEDTLS_ERR_SSL_INTERNAL_ERROR;

Jerry Yu

3afdf36

2022-07-20 17:34:14 +0800

[diff] [blame]

2967

}

2968

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2969

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2970

MBEDTLS_SSL_DEBUG_BUF(3, "resumption_master_secret",

2971

session->app_secrets.resumption_master_secret,

2972

hash_length);

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2973

Jerry Yu

2022-07-13 11:16:51 +0800

[diff] [blame]

2974

/* Compute resumption key

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2975

*

2976

* HKDF-Expand-Label( resumption_master_secret,

2977

* "resumption", ticket_nonce, Hash.length )

2978

*/

2979

ret = mbedtls_ssl_tls13_hkdf_expand_label(

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2980

psa_hash_alg,

2981

session->app_secrets.resumption_master_secret,

2982

hash_length,

2983

MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(resumption),

2984

ticket_nonce,

2985

ticket_nonce_len,

2986

session->resumption_key,

2987

hash_length);

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2988

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2989

if (ret != 0) {

2990

MBEDTLS_SSL_DEBUG_RET(2,

2991

"Creating the ticket-resumed PSK failed",

2992

ret);

2993

return ret;

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2994

}

2995

Jerry Yu

0a430c8

2022-07-20 11:02:48 +0800

[diff] [blame]

2996

session->resumption_key_len = hash_length;

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

2997

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

2998

MBEDTLS_SSL_DEBUG_BUF(3, "Ticket-resumed PSK",

2999

session->resumption_key,

3000

session->resumption_key_len);

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

3001

Pengyu Lv

2022-11-17 15:22:33 +0800

[diff] [blame]

3002

/* Set ticket_flags depends on the selected key exchange modes */

Pengyu Lv

2023-12-06 10:04:17 +0800

[diff] [blame]

3003

mbedtls_ssl_tls13_session_set_ticket_flags(

Pengyu Lv

9eacb44

2022-12-09 14:39:19 +0800

[diff] [blame]

3004

session, ssl->conf->tls13_kex_modes);

Pengyu Lv

4938a56

2023-01-16 11:28:49 +0800

[diff] [blame]

3005

MBEDTLS_SSL_PRINT_TICKET_FLAGS(4, session->ticket_flags);

Pengyu Lv

2022-11-17 15:22:33 +0800

[diff] [blame]

3006

Ronald Cron

2024-03-08 17:51:23 +0100

[diff] [blame]

3007

return POSTPROCESS_NEW_SESSION_TICKET_SIGNAL;

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

3008

}

3009

3010

/*

Jerry Yu

a8d3c50

2022-10-30 14:51:23 +0800

[diff] [blame]

3011

* Handler for MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

3012

*/

Jerry Yu

2022-07-13 11:22:55 +0800

[diff] [blame]

3013

MBEDTLS_CHECK_RETURN_CRITICAL

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

3014

static int ssl_tls13_process_new_session_ticket(mbedtls_ssl_context *ssl)

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

3015

{

3016

int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

3017

unsigned char *buf;

3018

size_t buf_len;

Jerry Yu

2022-07-12 06:09:38 +0000

[diff] [blame]

3019

unsigned char *ticket_nonce;

3020

size_t ticket_nonce_len;

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

3021

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

3022

MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse new session ticket"));

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

3023

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

3024

MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_tls13_fetch_handshake_msg(

3025

ssl, MBEDTLS_SSL_HS_NEW_SESSION_TICKET,

3026

&buf, &buf_len));

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

3027

Ronald Cron

2024-03-08 17:51:23 +0100

[diff] [blame]

3028

/*

3029

* We are about to update (maybe only partially) ticket data thus block

3030

* any session export for the time being.

3031

*/

3032

ssl->session->exported = 1;

3033

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

3034

MBEDTLS_SSL_PROC_CHK(ssl_tls13_parse_new_session_ticket(

3035

ssl, buf, buf + buf_len,

3036

&ticket_nonce, &ticket_nonce_len));

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

3037

Ronald Cron

2024-03-08 17:51:23 +0100

[diff] [blame]

3038

MBEDTLS_SSL_PROC_CHK_NEG(ssl_tls13_postprocess_new_session_ticket(

3039

ssl, ticket_nonce, ticket_nonce_len));

3040

3041

switch (ret) {

3042

case POSTPROCESS_NEW_SESSION_TICKET_SIGNAL:

3043

/*

3044

* All good, we have received a new valid ticket, session data can

3045

* be exported now and we signal the ticket to the application.

3046

*/

3047

ssl->session->exported = 0;

3048

ret = MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET;

3049

break;

3050

3051

case POSTPROCESS_NEW_SESSION_TICKET_DISCARD:

3052

ret = 0;

3053

MBEDTLS_SSL_DEBUG_MSG(2, ("Discard new session ticket"));

break;

default:

ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;

3058

}

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

3059

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

3060

mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_OVER);

Jerry Yu

2022-07-13 11:16:51 +0800

[diff] [blame]

3061

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

3062

cleanup:

3063

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

3064

MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse new session ticket"));

3065

return ret;

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

3066

}

3067

#endif /* MBEDTLS_SSL_SESSION_TICKETS */

3068

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

3069

int mbedtls_ssl_tls13_handshake_client_step(mbedtls_ssl_context *ssl)

Jerry Yu

2021-08-24 15:59:48 +0800

[diff] [blame]

3070

{

Jerry Yu

2021-08-27 16:59:09 +0800

[diff] [blame]

3071

int ret = 0;

Jerry Yu

c8a392c

2021-08-18 16:46:28 +0800

[diff] [blame]

3072

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

3073

switch (ssl->state) {

Jerry Yu

2021-08-27 16:59:09 +0800

[diff] [blame]

3074

case MBEDTLS_SSL_HELLO_REQUEST:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

3075

mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_HELLO);

Jerry Yu

ddda050

2022-12-01 19:43:12 +0800

[diff] [blame]

3076

break;

3077

Jerry Yu

2021-08-27 16:59:09 +0800

[diff] [blame]

3078

case MBEDTLS_SSL_CLIENT_HELLO:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

3079

ret = mbedtls_ssl_write_client_hello(ssl);

Jerry Yu

2021-08-27 16:59:09 +0800

[diff] [blame]

3080

break;

3081

3082

case MBEDTLS_SSL_SERVER_HELLO:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

3083

ret = ssl_tls13_process_server_hello(ssl);

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

3084

break;

3085

3086

case MBEDTLS_SSL_ENCRYPTED_EXTENSIONS:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

3087

ret = ssl_tls13_process_encrypted_extensions(ssl);

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

3088

break;

3089

Ronald Cron

2022-10-04 16:14:26 +0200

[diff] [blame]

3090

#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)

Jerry Yu

2021-10-29 10:08:19 +0800

[diff] [blame]

3091

case MBEDTLS_SSL_CERTIFICATE_REQUEST:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

3092

ret = ssl_tls13_process_certificate_request(ssl);

Jerry Yu

2021-10-29 10:08:19 +0800

[diff] [blame]

3093

break;

3094

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

3095

case MBEDTLS_SSL_SERVER_CERTIFICATE:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

3096

ret = ssl_tls13_process_server_certificate(ssl);

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

3097

break;

3098

3099

case MBEDTLS_SSL_CERTIFICATE_VERIFY:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

3100

ret = ssl_tls13_process_certificate_verify(ssl);

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

3101

break;

Ronald Cron

2022-10-04 16:14:26 +0200

[diff] [blame]

3102

#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

3103

3104

case MBEDTLS_SSL_SERVER_FINISHED:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

3105

ret = ssl_tls13_process_server_finished(ssl);

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

3106

break;

3107

Ronald Cron

e21c2d2

2024-02-21 16:37:16 +0100

[diff] [blame]

3108

#if defined(MBEDTLS_SSL_EARLY_DATA)

Xiaokang Qian

2022-10-28 06:04:06 +0000

[diff] [blame]

3109

case MBEDTLS_SSL_END_OF_EARLY_DATA:

3110

ret = ssl_tls13_write_end_of_early_data(ssl);

3111

break;

Ronald Cron

e21c2d2

2024-02-21 16:37:16 +0100

[diff] [blame]

3112

#endif

Xiaokang Qian

2022-10-28 06:04:06 +0000

[diff] [blame]

3113

Jerry Yu

2022-01-26 15:41:22 +0800

[diff] [blame]

3114

case MBEDTLS_SSL_CLIENT_CERTIFICATE:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

3115

ret = ssl_tls13_write_client_certificate(ssl);

Jerry Yu

2022-01-26 15:41:22 +0800

[diff] [blame]

3116

break;

3117

Ronald Cron

2022-10-04 16:14:26 +0200

[diff] [blame]

3118

#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)

Jerry Yu

2022-01-26 15:41:22 +0800

[diff] [blame]

3119

case MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

3120

ret = ssl_tls13_write_client_certificate_verify(ssl);

Jerry Yu

2022-01-26 15:41:22 +0800

[diff] [blame]

3121

break;

Ronald Cron

2022-10-04 16:14:26 +0200

[diff] [blame]

3122

#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */

Jerry Yu

2022-01-26 15:41:22 +0800

[diff] [blame]

3123

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

3124

case MBEDTLS_SSL_CLIENT_FINISHED:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

3125

ret = ssl_tls13_write_client_finished(ssl);

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

3126

break;

3127

3128

case MBEDTLS_SSL_FLUSH_BUFFERS:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

3129

ret = ssl_tls13_flush_buffers(ssl);

Jerry Yu

2021-09-14 16:03:56 +0800

[diff] [blame]

3130

break;

3131

3132

case MBEDTLS_SSL_HANDSHAKE_WRAPUP:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

3133

ret = ssl_tls13_handshake_wrapup(ssl);

Jerry Yu

2021-08-27 16:59:09 +0800

[diff] [blame]

3134

break;

3135

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

3136

/*

3137

* Injection of dummy-CCS's for middlebox compatibility

3138

*/

Ronald Cron

2021-11-24 16:25:31 +0100

[diff] [blame]

3139

#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)

XiaokangQian

0b56a8f

2021-12-22 02:39:32 +0000

[diff] [blame]

3140

case MBEDTLS_SSL_CLIENT_CCS_BEFORE_2ND_CLIENT_HELLO:

Ronald Cron

e273f72

2024-02-13 18:22:26 +0100

[diff] [blame]

3141

ret = mbedtls_ssl_tls13_write_change_cipher_spec(ssl);

3142

if (ret != 0) {

3143

break;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

3144

}

Ronald Cron

fe59ff7

2024-01-24 14:31:50 +0100

[diff] [blame]

3145

mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_HELLO);

Ronald Cron

9f55f63

2022-02-02 16:02:47 +0100

[diff] [blame]

3146

break;

3147

3148

case MBEDTLS_SSL_CLIENT_CCS_AFTER_SERVER_FINISHED:

Ronald Cron

e273f72

2024-02-13 18:22:26 +0100

[diff] [blame]

3149

ret = mbedtls_ssl_tls13_write_change_cipher_spec(ssl);

3150

if (ret != 0) {

3151

break;

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

3152

}

Ronald Cron

fe59ff7

2024-01-24 14:31:50 +0100

[diff] [blame]

3153

mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE);

Ronald Cron

2021-11-24 16:25:31 +0100

[diff] [blame]

3154

break;

Xiaokang Qian

f6d8fd3

2023-02-02 02:46:26 +0000

[diff] [blame]

3155

Ronald Cron

297c608

2024-01-19 08:15:33 +0100

[diff] [blame]

3156

#if defined(MBEDTLS_SSL_EARLY_DATA)

Xiaokang Qian

592021a

2023-01-04 10:47:05 +0000

[diff] [blame]

3157

case MBEDTLS_SSL_CLIENT_CCS_AFTER_CLIENT_HELLO:

3158

ret = mbedtls_ssl_tls13_write_change_cipher_spec(ssl);

3159

if (ret == 0) {

3160

mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_HELLO);

3161

3162

MBEDTLS_SSL_DEBUG_MSG(

3163

1, ("Switch to early data keys for outbound traffic"));

3164

mbedtls_ssl_set_outbound_transform(

3165

ssl, ssl->handshake->transform_earlydata);

Ronald Cron

2024-03-03 15:03:22 +0100

[diff] [blame]

3166

ssl->early_data_state = MBEDTLS_SSL_EARLY_DATA_STATE_CAN_WRITE;

Xiaokang Qian

592021a

2023-01-04 10:47:05 +0000

[diff] [blame]

3167

}

3168

break;

Ronald Cron

297c608

2024-01-19 08:15:33 +0100

[diff] [blame]

3169

#endif /* MBEDTLS_SSL_EARLY_DATA */

Ronald Cron

2021-11-24 16:25:31 +0100

[diff] [blame]

3170

#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */

3171

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

3172

#if defined(MBEDTLS_SSL_SESSION_TICKETS)

Jerry Yu

a8d3c50

2022-10-30 14:51:23 +0800

[diff] [blame]

3173

case MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

3174

ret = ssl_tls13_process_new_session_ticket(ssl);

Jerry Yu

2022-07-07 11:32:32 +0000

[diff] [blame]

3175

break;

3176

#endif /* MBEDTLS_SSL_SESSION_TICKETS */

3177

Jerry Yu

2021-08-27 16:59:09 +0800

[diff] [blame]

3178

default:

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

3179

MBEDTLS_SSL_DEBUG_MSG(1, ("invalid state %d", ssl->state));

3180

return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;

Jerry Yu

2021-08-27 16:59:09 +0800

[diff] [blame]

3181

}

3182

Gilles Peskine

2023-01-11 14:50:10 +0100

[diff] [blame]

3183

return ret;

Jerry Yu