TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 08037553479dff14665ec646089dcf8c8912a161 / . / library / ssl_tls13_server.c
blob: f2e7862e108d2a9cf34c6ad007bde9b3cc881e53 [file] [log] [blame]
Jerry Yu3cc4c2a2021-08-06 16:29:08 +0800[diff] [blame]1/*
Jerry Yub9930e72021-08-06 17:11:51 +0800[diff] [blame]2 * TLS 1.3 server-side functions
Jerry Yu3cc4c2a2021-08-06 16:29:08 +0800[diff] [blame]3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18*/
19
20#include "common.h"
21
Jerry Yufb4b6472022-01-27 15:03:26 +0800[diff] [blame]22#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
Jerry Yu3cc4c2a2021-08-06 16:29:08 +0800[diff] [blame]23
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]24#include "mbedtls/debug.h"
25
Jerry Yu3cc4c2a2021-08-06 16:29:08 +0800[diff] [blame]26#include "ssl_misc.h"
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame^]27#include "ssl_client.h"
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]28#include "ssl_tls13_keys.h"
Gilles Peskine923d5c92021-12-15 12:56:54 +0100[diff] [blame]29#include "ssl_debug_helpers.h"
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]30#include <string.h>
31#if defined(MBEDTLS_ECP_C)
32#include "mbedtls/ecp.h"
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]33#endif /* MBEDTLS_ECP_C */
Jerry Yu3cc4c2a2021-08-06 16:29:08 +0800[diff] [blame]34
XiaokangQiana9c58412022-02-17 09:41:26 +0000[diff] [blame]35#if defined(MBEDTLS_PLATFORM_C)
36#include "mbedtls/platform.h"
37#else
38#include <stdlib.h>
39#define mbedtls_calloc calloc
40#define mbedtls_free free
41#endif /* MBEDTLS_PLATFORM_C */
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]42
43/* From RFC 8446:
44 * struct {
XiaokangQiancfd925f2022-04-14 07:10:37 +0000[diff] [blame]45 * ProtocolVersion versions<2..254>;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]46 * } SupportedVersions;
47 */
48static int ssl_tls13_parse_supported_versions_ext( mbedtls_ssl_context *ssl,
49 const unsigned char *buf,
50 const unsigned char *end )
51{
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]52 const unsigned char *p = buf;
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]53 size_t versions_len;
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]54 const unsigned char *versions_end;
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]55 int major_ver, minor_ver;
56 int tls13_supported = 0;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]57
58 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 1 );
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]59 versions_len = p[0];
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]60 p += 1;
61
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]62 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, versions_len );
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]63 versions_end = p + versions_len;
64 while( p < versions_end )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]65 {
XiaokangQiancfd925f2022-04-14 07:10:37 +0000[diff] [blame]66 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, versions_end, 2 );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]67 mbedtls_ssl_read_version( &major_ver, &minor_ver, ssl->conf->transport, p );
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]68 p += 2;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]69
70 /* In this implementation we only support TLS 1.3 and DTLS 1.3. */
71 if( major_ver == MBEDTLS_SSL_MAJOR_VERSION_3 &&
72 minor_ver == MBEDTLS_SSL_MINOR_VERSION_4 )
73 {
74 tls13_supported = 1;
75 break;
76 }
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]77 }
78
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]79 if( !tls13_supported )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]80 {
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]81 MBEDTLS_SSL_DEBUG_MSG( 1, ( "TLS 1.3 is not supported by the client" ) );
82
83 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION,
84 MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION );
85 return( MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION );
86 }
87
88 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Negotiated version. Supported is [%d:%d]",
89 major_ver, minor_ver ) );
90
91 ssl->major_ver = major_ver;
92 ssl->minor_ver = minor_ver;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]93 return( 0 );
94}
95
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]96#if defined(MBEDTLS_ECDH_C)
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]97/* This function parses the TLS 1.3 supported_groups extension and
98 * stores the received groups in ssl->handshake->curves.
99 *
100 * From RFC 8446:
101 * enum {
102 * ... (0xFFFF)
103 * } NamedGroup;
104 * struct {
105 * NamedGroup named_group_list<2..2^16-1>;
106 * } NamedGroupList;
107 */
XiaokangQiancfd925f2022-04-14 07:10:37 +0000[diff] [blame]108static int ssl_tls13_parse_supported_groups_ext(
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]109 mbedtls_ssl_context *ssl,
110 const unsigned char *buf, const unsigned char *end )
111{
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]112 const unsigned char *p = buf;
XiaokangQian84823772022-04-19 07:57:30 +0000[diff] [blame]113 size_t named_group_list_len;
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]114 const unsigned char *named_group_list_end;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]115
116 MBEDTLS_SSL_DEBUG_BUF( 3, "supported_groups extension", p, end - buf );
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]117 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]118 named_group_list_len = MBEDTLS_GET_UINT16_BE( p, 0 );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]119 p += 2;
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]120 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, named_group_list_len );
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]121 named_group_list_end = p + named_group_list_len;
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame^]122 ssl->handshake->hrr_selected_group = 0;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]123
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame^]124 while( p < named_group_list_end )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]125 {
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame^]126 uint16_t named_group;
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]127 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, named_group_list_end, 2 );
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame^]128 named_group = MBEDTLS_GET_UINT16_BE( p, 0 );
129 p += 2;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]130
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame^]131 MBEDTLS_SSL_DEBUG_MSG(
132 2, ( "got named group: %d",
133 named_group ) );
134
135 if( ! mbedtls_ssl_named_group_is_offered( ssl, named_group ) ||
136 ! mbedtls_ssl_named_group_is_supported( named_group ) ||
137 ssl->handshake->hrr_selected_group != 0 )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]138 {
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame^]139 continue;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]140 }
141
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame^]142 MBEDTLS_SSL_DEBUG_MSG(
143 2, ( "add named group (%04x) into received list.",
144 named_group ) );
145 ssl->handshake->hrr_selected_group = named_group;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]146 }
147
148 return( 0 );
149
150}
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]151#endif /* MBEDTLS_ECDH_C */
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]152
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame^]153#define SSL_TLS1_3_PARSE_KEY_SHARES_EXT_NO_MATCH 1
154
XiaokangQian88408882022-04-02 10:15:03 +0000[diff] [blame]155#if defined(MBEDTLS_ECDH_C)
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]156/*
157 * ssl_tls13_parse_key_shares_ext() verifies whether the information in the
158 * extension is correct and stores the provided key shares. Whether this is an
159 * acceptable key share depends on the selected ciphersuite.
160 *
161 * Possible return values are:
162 * - 0: Successful processing of the client provided key share extension.
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame^]163 * - SSL_TLS1_3_PARSE_KEY_SHARES_EXT_NO_MATCH: The key shares provided by the client
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]164 * does not match a group supported by the server. A HelloRetryRequest will
165 * be needed.
166 * - Another negative return value for fatal errors.
167*/
168
169static int ssl_tls13_parse_key_shares_ext( mbedtls_ssl_context *ssl,
170 const unsigned char *buf,
171 const unsigned char *end )
172{
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]173 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]174 unsigned char const *p = buf;
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]175 unsigned char const *client_shares_end;
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]176 size_t client_shares_len, key_exchange_len;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]177 int match_found = 0;
178
179 /* From RFC 8446:
180 *
181 * struct {
182 * KeyShareEntry client_shares<0..2^16-1>;
183 * } KeyShareClientHello;
184 *
185 */
186
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]187 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]188 client_shares_len = MBEDTLS_GET_UINT16_BE( p, 0 );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]189 p += 2;
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]190 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, client_shares_len );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]191
192 ssl->handshake->offered_group_id = 0;
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]193 client_shares_end = p + client_shares_len;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]194
195 /* We try to find a suitable key share entry and copy it to the
196 * handshake context. Later, we have to find out whether we can do
197 * something with the provided key share or whether we have to
XiaokangQianc5763b52022-04-02 03:34:37 +0000[diff] [blame]198 * dismiss it and send a HelloRetryRequest message.
199 */
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]200
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]201 for( ; p < client_shares_end; p += key_exchange_len )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]202 {
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000[diff] [blame]203 uint16_t group;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]204
205 /*
206 * struct {
207 * NamedGroup group;
208 * opaque key_exchange<1..2^16-1>;
209 * } KeyShareEntry;
210 */
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]211 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, client_shares_end, 4 );
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000[diff] [blame]212 group = MBEDTLS_GET_UINT16_BE( p, 0 );
213 p += 2;
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]214 key_exchange_len = MBEDTLS_GET_UINT16_BE( p, 0 );
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000[diff] [blame]215 p += 2;
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]216 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, client_shares_end, key_exchange_len );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]217
218 /* Continue parsing even if we have already found a match,
XiaokangQianc5763b52022-04-02 03:34:37 +0000[diff] [blame]219 * for input validation purposes.
220 */
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]221 if( match_found == 1 )
222 continue;
223
224 /*
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]225 * For now, we only support ECDHE groups.
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]226 */
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000[diff] [blame]227 if( mbedtls_ssl_tls13_named_group_is_ecdhe( group ) )
228 {
229 const mbedtls_ecp_curve_info *curve_info =
230 mbedtls_ecp_curve_info_from_tls_id( group );
231 if( curve_info == NULL )
232 {
233 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Invalid TLS curve group id" ) );
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]234 continue;
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000[diff] [blame]235 }
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]236
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000[diff] [blame]237 match_found = 1;
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000[diff] [blame]238 MBEDTLS_SSL_DEBUG_MSG( 2, ( "ECDH curve: %s", curve_info->name ) );
XiaokangQian3f84d5d2022-04-19 06:36:17 +0000[diff] [blame]239 ret = psa_crypto_init();
240 if( ret != PSA_SUCCESS )
241 {
242 MBEDTLS_SSL_DEBUG_RET( 1, "psa_crypto_init()", ret );
243 return( ret );
244 }
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame^]245 ret = mbedtls_ssl_tls13_read_public_ecdhe_share( ssl, p - 2, key_exchange_len + 2 );
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000[diff] [blame]246 if( ret != 0 )
247 return( ret );
248 }
249 else
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]250 {
251 MBEDTLS_SSL_DEBUG_MSG( 4, ( "Unrecognized NamedGroup %u",
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000[diff] [blame]252 (unsigned) group ) );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]253 continue;
254 }
255
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000[diff] [blame]256 ssl->handshake->offered_group_id = group;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]257 }
258
259 if( match_found == 0 )
260 {
261 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no matching key share" ) );
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame^]262 return( SSL_TLS1_3_PARSE_KEY_SHARES_EXT_NO_MATCH );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]263 }
264 return( 0 );
265}
XiaokangQian88408882022-04-02 10:15:03 +0000[diff] [blame]266#endif /* MBEDTLS_ECDH_C */
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]267
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]268#if defined(MBEDTLS_DEBUG_C)
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]269static void ssl_tls13_debug_print_client_hello_exts( mbedtls_ssl_context *ssl )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]270{
XiaokangQian3207a322022-02-23 03:15:27 +0000[diff] [blame]271 ((void) ssl);
272
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]273 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Supported Extensions:" ) );
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]274 MBEDTLS_SSL_DEBUG_MSG( 3,
275 ( "- KEY_SHARE_EXTENSION ( %s )",
276 ( ( ssl->handshake->extensions_present
277 & MBEDTLS_SSL_EXT_KEY_SHARE ) > 0 ) ? "TRUE" : "FALSE" ) );
278 MBEDTLS_SSL_DEBUG_MSG( 3,
279 ( "- PSK_KEY_EXCHANGE_MODES_EXTENSION ( %s )",
280 ( ( ssl->handshake->extensions_present
281 & MBEDTLS_SSL_EXT_PSK_KEY_EXCHANGE_MODES ) > 0 ) ?
282 "TRUE" : "FALSE" ) );
283 MBEDTLS_SSL_DEBUG_MSG( 3,
284 ( "- PRE_SHARED_KEY_EXTENSION ( %s )",
285 ( ( ssl->handshake->extensions_present
286 & MBEDTLS_SSL_EXT_PRE_SHARED_KEY ) > 0 ) ? "TRUE" : "FALSE" ) );
287 MBEDTLS_SSL_DEBUG_MSG( 3,
288 ( "- SIGNATURE_ALGORITHM_EXTENSION ( %s )",
289 ( ( ssl->handshake->extensions_present
290 & MBEDTLS_SSL_EXT_SIG_ALG ) > 0 ) ? "TRUE" : "FALSE" ) );
291 MBEDTLS_SSL_DEBUG_MSG( 3,
292 ( "- SUPPORTED_GROUPS_EXTENSION ( %s )",
293 ( ( ssl->handshake->extensions_present
294 & MBEDTLS_SSL_EXT_SUPPORTED_GROUPS ) >0 ) ?
295 "TRUE" : "FALSE" ) );
296 MBEDTLS_SSL_DEBUG_MSG( 3,
297 ( "- SUPPORTED_VERSION_EXTENSION ( %s )",
298 ( ( ssl->handshake->extensions_present
299 & MBEDTLS_SSL_EXT_SUPPORTED_VERSIONS ) > 0 ) ?
300 "TRUE" : "FALSE" ) );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]301#if defined ( MBEDTLS_SSL_SERVER_NAME_INDICATION )
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]302 MBEDTLS_SSL_DEBUG_MSG( 3,
303 ( "- SERVERNAME_EXTENSION ( %s )",
304 ( ( ssl->handshake->extensions_present
305 & MBEDTLS_SSL_EXT_SERVERNAME ) > 0 ) ?
306 "TRUE" : "FALSE" ) );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]307#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]308}
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]309#endif /* MBEDTLS_DEBUG_C */
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]310
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]311static int ssl_tls13_client_hello_has_exts( mbedtls_ssl_context *ssl,
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]312 int exts_mask )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]313{
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]314 int masked = ssl->handshake->extensions_present & exts_mask;
315 return( masked == exts_mask );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]316}
317
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]318static int ssl_tls13_client_hello_has_exts_for_ephemeral_key_exchange(
319 mbedtls_ssl_context *ssl )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]320{
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]321 return( ssl_tls13_client_hello_has_exts( ssl,
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]322 MBEDTLS_SSL_EXT_SUPPORTED_GROUPS |
323 MBEDTLS_SSL_EXT_KEY_SHARE |
324 MBEDTLS_SSL_EXT_SIG_ALG ) );
325}
326
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]327static int ssl_tls13_check_ephemeral_key_exchange( mbedtls_ssl_context *ssl )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]328{
329 if( !mbedtls_ssl_conf_tls13_ephemeral_enabled( ssl ) )
330 return( 0 );
331
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]332 if( !ssl_tls13_client_hello_has_exts_for_ephemeral_key_exchange( ssl ) )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]333 return( 0 );
334
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]335 ssl->handshake->tls13_kex_modes =
336 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]337 return( 1 );
338}
339
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]340/*
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]341 *
342 * STATE HANDLING: ClientHello
343 *
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]344 * There are three possible classes of outcomes when parsing the ClientHello:
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]345 *
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]346 * 1) The ClientHello was well-formed and matched the server's configuration.
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]347 *
348 * In this case, the server progresses to sending its ServerHello.
349 *
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]350 * 2) The ClientHello was well-formed but didn't match the server's
351 * configuration.
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]352 *
353 * For example, the client might not have offered a key share which
354 * the server supports, or the server might require a cookie.
355 *
356 * In this case, the server sends a HelloRetryRequest.
357 *
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]358 * 3) The ClientHello was ill-formed
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]359 *
360 * In this case, we abort the handshake.
361 *
362 */
363
364/*
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]365 * Structure of this message:
366 *
367 * uint16 ProtocolVersion;
368 * opaque Random[32];
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]369 * uint8 CipherSuite[2]; // Cryptographic suite selector
370 *
371 * struct {
372 * ProtocolVersion legacy_version = 0x0303; // TLS v1.2
373 * Random random;
374 * opaque legacy_session_id<0..32>;
375 * CipherSuite cipher_suites<2..2^16-2>;
376 * opaque legacy_compression_methods<1..2^8-1>;
377 * Extension extensions<8..2^16-1>;
378 * } ClientHello;
379 */
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]380
381#define SSL_CLIENT_HELLO_OK 0
382#define SSL_CLIENT_HELLO_HRR_REQUIRED 1
383
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]384static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl,
385 const unsigned char *buf,
386 const unsigned char *end )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]387{
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]388 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
389 const unsigned char *p = buf;
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]390 size_t legacy_session_id_len;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]391 size_t cipher_suites_len;
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]392 const unsigned char *cipher_suites_start;
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]393 size_t extensions_len;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]394 const unsigned char *extensions_end;
395
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]396 const mbedtls_ssl_ciphersuite_t* ciphersuite_info;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]397 int hrr_required = 0;
398
399 ssl->handshake->extensions_present = MBEDTLS_SSL_EXT_NONE;
400
401 /*
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]402 * ClientHello layout:
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]403 * 0 . 1 protocol version
404 * 2 . 33 random bytes ( starting with 4 bytes of Unix time )
XiaokangQianc5763b52022-04-02 03:34:37 +0000[diff] [blame]405 * 34 . 34 session id length ( 1 byte )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]406 * 35 . 34+x session id
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]407 * .. . .. ciphersuite list length ( 2 bytes )
408 * .. . .. ciphersuite list
409 * .. . .. compression alg. list length ( 1 byte )
410 * .. . .. compression alg. list
411 * .. . .. extensions length ( 2 bytes, optional )
412 * .. . .. extensions ( optional )
413 */
414
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]415 /*
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]416 * Minimal length ( with everything empty and extensions ommitted ) is
417 * 2 + 32 + 1 + 2 + 1 = 38 bytes. Check that first, so that we can
418 * read at least up to session id length without worrying.
419 */
420 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 38 );
421
422 /* ...
423 * ProtocolVersion legacy_version = 0x0303; // TLS 1.2
424 * ...
425 * with ProtocolVersion defined as:
426 * uint16 ProtocolVersion;
427 */
428 if( !( p[0] == MBEDTLS_SSL_MAJOR_VERSION_3 &&
429 p[1] == MBEDTLS_SSL_MINOR_VERSION_3 ) )
430 {
431 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Unsupported version of TLS." ) );
432 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION,
433 MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION );
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]434 return ( MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]435 }
436 p += 2;
437
438 /*
XiaokangQianf8ceb942022-04-15 11:43:27 +0000[diff] [blame]439 * Only support TLS 1.3 currently, temporarily set the version.
440 */
441 ssl->major_ver = MBEDTLS_SSL_MAJOR_VERSION_3;
442 ssl->minor_ver = MBEDTLS_SSL_MINOR_VERSION_4;
443
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame^]444 /* ---
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]445 * Random random;
446 * ---
447 * with Random defined as:
448 * opaque Random[32];
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]449 */
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]450 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, random bytes",
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame^]451 p, MBEDTLS_CLIENT_HELLO_RANDOM_LEN );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]452
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame^]453 memcpy( &ssl->handshake->randbytes[0], p, MBEDTLS_CLIENT_HELLO_RANDOM_LEN );
454 p += MBEDTLS_CLIENT_HELLO_RANDOM_LEN;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]455
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]456 /* ---
457 * opaque legacy_session_id<0..32>;
458 * ---
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]459 */
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]460 legacy_session_id_len = p[0];
XiaokangQianc5763b52022-04-02 03:34:37 +0000[diff] [blame]461 p++;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]462
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]463 if( legacy_session_id_len > sizeof( ssl->session_negotiate->id ) )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]464 {
465 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
466 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
467 }
468
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]469 ssl->session_negotiate->id_len = legacy_session_id_len;
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]470 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, session id",
471 buf, legacy_session_id_len );
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]472 /*
473 * Check we have enough data for the legacy session identifier
474 * and the ciphersuite list length.
475 */
476 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, legacy_session_id_len + 2 );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]477
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]478 memcpy( &ssl->session_negotiate->id[0], p, legacy_session_id_len );
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]479 p += legacy_session_id_len;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]480
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]481 cipher_suites_len = MBEDTLS_GET_UINT16_BE( p, 0 );
482 p += 2;
483
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]484 /* Check we have enough data for the ciphersuite list, the legacy
485 * compression methods and the length of the extensions.
486 */
487 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, cipher_suites_len + 2 + 2 );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]488
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame^]489 /* ---
490 * CipherSuite cipher_suites<2..2^16-2>;
491 * ---
492 * with CipherSuite defined as:
493 * uint8 CipherSuite[2];
494 */
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]495 cipher_suites_start = p;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]496 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist",
497 p, cipher_suites_len );
XiaokangQian17f974c2022-04-19 09:57:41 +0000[diff] [blame]498 /*
499 * Search for a matching ciphersuite
500 */
501 size_t ciphersuite_exist = 0;
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame^]502 uint16_t cipher_suite;
XiaokangQian17f974c2022-04-19 09:57:41 +0000[diff] [blame]503 ciphersuite_info = NULL;
504 for ( size_t j = 0; j < cipher_suites_len;
505 j += 2, p += 2 )
506 {
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame^]507 cipher_suite = MBEDTLS_GET_UINT16_BE( p, 0 );
508 ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(
509 cipher_suite );
510 /*
511 * Check whether this ciphersuite is valid and offered.
512 */
513 if( ( mbedtls_ssl_validate_ciphersuite(
514 ssl, ciphersuite_info, ssl->minor_ver, ssl->minor_ver ) != 0 ) ||
515 !mbedtls_ssl_tls13_cipher_suite_is_offered( ssl, cipher_suite ) )
516 continue;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]517
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame^]518 ssl->session_negotiate->ciphersuite = cipher_suite;
519 ssl->handshake->ciphersuite_info = ciphersuite_info;
520 ciphersuite_exist = 1;
XiaokangQian17f974c2022-04-19 09:57:41 +0000[diff] [blame]521
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame^]522 break;
XiaokangQian17f974c2022-04-19 09:57:41 +0000[diff] [blame]523
XiaokangQian17f974c2022-04-19 09:57:41 +0000[diff] [blame]524 }
525
526 if( !ciphersuite_exist )
527 return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
528
529 MBEDTLS_SSL_DEBUG_MSG( 2, ( "selected ciphersuite: %s",
530 ciphersuite_info->name ) );
531
532 p = cipher_suites_start + cipher_suites_len;
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]533 /* ...
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]534 * opaque legacy_compression_methods<1..2^8-1>;
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]535 * ...
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]536 */
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]537 if( p[0] != 1 || p[1] != 0 )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]538 {
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]539 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad legacy compression method" ) );
540 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
541 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
542 return ( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]543 }
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]544 p += 2;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]545
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]546 /* ---
547 * Extension extensions<8..2^16-1>;
548 * ---
549 * with Extension defined as:
550 * struct {
551 * ExtensionType extension_type;
552 * opaque extension_data<0..2^16-1>;
553 * } Extension;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]554 */
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]555 extensions_len = MBEDTLS_GET_UINT16_BE( p, 0 );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]556 p += 2;
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]557 extensions_end = p + extensions_len;
558 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, extensions_len );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]559
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]560 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello extensions", p, extensions_len );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]561
562 while( p < extensions_end )
563 {
564 unsigned int extension_type;
565 size_t extension_data_len;
566 const unsigned char *extension_data_end;
567
568 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 4 );
569 extension_type = MBEDTLS_GET_UINT16_BE( p, 0 );
570 extension_data_len = MBEDTLS_GET_UINT16_BE( p, 2 );
571 p += 4;
572
573 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, extension_data_len );
574 extension_data_end = p + extension_data_len;
575
576 switch( extension_type )
577 {
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]578#if defined(MBEDTLS_ECDH_C)
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]579 case MBEDTLS_TLS_EXT_SUPPORTED_GROUPS:
580 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported group extension" ) );
581
582 /* Supported Groups Extension
583 *
584 * When sent by the client, the "supported_groups" extension
585 * indicates the named groups which the client supports,
586 * ordered from most preferred to least preferred.
587 */
XiaokangQiancfd925f2022-04-14 07:10:37 +0000[diff] [blame]588 ret = ssl_tls13_parse_supported_groups_ext( ssl, p,
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]589 extension_data_end );
590 if( ret != 0 )
591 {
592 MBEDTLS_SSL_DEBUG_RET( 1,
593 "mbedtls_ssl_parse_supported_groups_ext", ret );
594 return( ret );
595 }
596
597 ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_SUPPORTED_GROUPS;
598 break;
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]599#endif /* MBEDTLS_ECDH_C */
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]600
XiaokangQian88408882022-04-02 10:15:03 +0000[diff] [blame]601#if defined(MBEDTLS_ECDH_C)
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]602 case MBEDTLS_TLS_EXT_KEY_SHARE:
603 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found key share extension" ) );
604
605 /*
606 * Key Share Extension
607 *
608 * When sent by the client, the "key_share" extension
609 * contains the endpoint's cryptographic parameters for
610 * ECDHE/DHE key establishment methods.
611 */
612 ret = ssl_tls13_parse_key_shares_ext( ssl, p, extension_data_end );
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame^]613 if( ret == SSL_TLS1_3_PARSE_KEY_SHARES_EXT_NO_MATCH )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]614 {
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]615 MBEDTLS_SSL_DEBUG_MSG( 2, ( "HRR needed " ) );
616 ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]617 }
618
619 if( ret != 0 )
620 return( ret );
621
622 ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_KEY_SHARE;
623 break;
XiaokangQian88408882022-04-02 10:15:03 +0000[diff] [blame]624#endif /* MBEDTLS_ECDH_C */
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]625
626 case MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS:
627 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported versions extension" ) );
628
629 ret = ssl_tls13_parse_supported_versions_ext(
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]630 ssl, p, extension_data_end );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]631 if( ret != 0 )
632 {
633 MBEDTLS_SSL_DEBUG_RET( 1,
634 ( "ssl_tls13_parse_supported_versions_ext" ), ret );
635 return( ret );
636 }
637 ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_SUPPORTED_VERSIONS;
638 break;
639
640#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
641 case MBEDTLS_TLS_EXT_SIG_ALG:
642 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found signature_algorithms extension" ) );
643
644 ret = mbedtls_ssl_tls13_parse_sig_alg_ext( ssl, p,
645 extension_data_end );
646 if( ret != 0 )
647 {
648 MBEDTLS_SSL_DEBUG_MSG( 1,
649 ( "ssl_parse_supported_signature_algorithms_server_ext ( %d )",
650 ret ) );
651 return( ret );
652 }
653 ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_SIG_ALG;
654 break;
655#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
656
657 default:
658 MBEDTLS_SSL_DEBUG_MSG( 3,
659 ( "unknown extension found: %ud ( ignoring )",
660 extension_type ) );
661 }
662
663 p += extension_data_len;
664 }
665
666 /* Update checksum with either
667 * - The entire content of the CH message, if no PSK extension is present
668 * - The content up to but excluding the PSK extension, if present.
669 */
XiaokangQian3f84d5d2022-04-19 06:36:17 +0000[diff] [blame]670 mbedtls_ssl_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_CLIENT_HELLO,
XiaokangQianc4b8c992022-04-07 11:31:38 +0000[diff] [blame]671 buf, p - buf );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]672
673 /* List all the extensions we have received */
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]674#if defined(MBEDTLS_DEBUG_C)
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]675 ssl_tls13_debug_print_client_hello_exts( ssl );
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]676#endif /* MBEDTLS_DEBUG_C */
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]677
678 /*
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]679 * Here we only support the ephemeral or (EC)DHE key echange mode
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]680 */
681
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]682 if( !ssl_tls13_check_ephemeral_key_exchange( ssl ) )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]683 {
684 MBEDTLS_SSL_DEBUG_MSG(
685 1,
686 ( "ClientHello message misses mandatory extensions." ) );
687 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_MISSING_EXTENSION ,
688 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
689 return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
690 }
691
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]692 if( hrr_required == 1 )
693 return( SSL_CLIENT_HELLO_HRR_REQUIRED );
694
695 return( 0 );
696}
697
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]698/* Update the handshake state machine */
699
XiaokangQiancfd925f2022-04-14 07:10:37 +0000[diff] [blame]700static int ssl_tls13_postprocess_client_hello( mbedtls_ssl_context* ssl )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]701{
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame^]702 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]703
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]704 ret = mbedtls_ssl_tls13_key_schedule_stage_early( ssl );
705 if( ret != 0 )
706 {
707 MBEDTLS_SSL_DEBUG_RET( 1,
708 "mbedtls_ssl_tls1_3_key_schedule_stage_early", ret );
709 return( ret );
710 }
711
712 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_HELLO );
713 return( 0 );
714
715}
716
717/*
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]718 * Main entry point from the state machine; orchestrates the otherfunctions.
719 */
720
721static int ssl_tls13_process_client_hello( mbedtls_ssl_context *ssl )
722{
723
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame^]724 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]725 unsigned char* buf = NULL;
726 size_t buflen = 0;
727 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse client hello" ) );
728
729 ssl->major_ver = MBEDTLS_SSL_MAJOR_VERSION_3;
730 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_fetch_handshake_msg(
731 ssl, MBEDTLS_SSL_HS_CLIENT_HELLO,
732 &buf, &buflen ) );
733
734 MBEDTLS_SSL_PROC_CHK_NEG( ssl_tls13_parse_client_hello( ssl, buf,
735 buf + buflen ) );
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]736 MBEDTLS_SSL_DEBUG_MSG( 1, ( "postprocess" ) );
XiaokangQiancfd925f2022-04-14 07:10:37 +0000[diff] [blame]737 MBEDTLS_SSL_PROC_CHK( ssl_tls13_postprocess_client_hello( ssl ) );
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]738
739cleanup:
740
741 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse client hello" ) );
742 return( ret );
743}
744
745/*
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]746 * TLS and DTLS 1.3 State Maschine -- server side
747 */
Jerry Yu27561932021-08-27 17:07:38 +0800[diff] [blame]748int mbedtls_ssl_tls13_handshake_server_step( mbedtls_ssl_context *ssl )
Jerry Yub9930e72021-08-06 17:11:51 +0800[diff] [blame]749{
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame^]750 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]751
752 if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER || ssl->handshake == NULL )
753 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
754
Jerry Yue3b34122021-09-28 17:53:35 +0800[diff] [blame]755 MBEDTLS_SSL_DEBUG_MSG( 2, ( "tls13 server state: %s(%d)",
756 mbedtls_ssl_states_str( ssl->state ),
757 ssl->state ) );
Jerry Yu6e81b272021-09-27 11:16:17 +0800[diff] [blame]758
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]759 switch( ssl->state )
760 {
761 /* start state */
762 case MBEDTLS_SSL_HELLO_REQUEST:
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]763 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_HELLO );
764
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame^]765 ret = 0;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]766 break;
767
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]768 case MBEDTLS_SSL_CLIENT_HELLO:
769
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]770 ret = ssl_tls13_process_client_hello( ssl );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]771 if( ret != 0 )
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]772 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_tls13_process_client_hello", ret );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]773
774 break;
775
XiaokangQian3f84d5d2022-04-19 06:36:17 +0000[diff] [blame]776 case MBEDTLS_SSL_SERVER_HELLO:
777 MBEDTLS_SSL_DEBUG_MSG( 1, ( "SSL - The requested feature is not available" ) );
778 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
779
780 break;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]781 default:
782 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) );
783 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
784 }
785
786 return( ret );
Jerry Yub9930e72021-08-06 17:11:51 +0800[diff] [blame]787}
Jerry Yu3cc4c2a2021-08-06 16:29:08 +0800[diff] [blame]788
Jerry Yufb4b6472022-01-27 15:03:26 +0800[diff] [blame]789#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_PROTO_TLS1_3 */