TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / ffa15827933a9fcc5af5fb39155a4650e56bb48d / . / library / ssl_tls13_client.c
blob: 2e0599d0085f3ecdd584ac3daef863563aeafa0c [file] [log] [blame]
Jerry Yu3cc4c2a2021-08-06 16:29:08 +0800[diff] [blame]1/*
2 * TLS 1.3 client-side functions
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 *
19 * This file is part of mbed TLS ( https://tls.mbed.org )
20 */
21
22#include "common.h"
23
Jerry Yucc43c6b2022-01-28 10:24:45 +0800[diff] [blame]24#if defined(MBEDTLS_SSL_CLI_C) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
Jerry Yu3cc4c2a2021-08-06 16:29:08 +0800[diff] [blame]25
Jerry Yubc20bdd2021-08-24 15:59:48 +0800[diff] [blame]26#include <string.h>
27
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]28#include "mbedtls/debug.h"
29#include "mbedtls/error.h"
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]30#include "mbedtls/platform.h"
Jerry Yua13c7e72021-08-17 10:44:40 +0800[diff] [blame]31
Jerry Yubdc71882021-09-14 19:30:36 +0800[diff] [blame]32#include "ssl_misc.h"
Ronald Cron3d580bf2022-02-18 17:24:56 +0100[diff] [blame]33#include "ssl_client.h"
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]34#include "ssl_tls13_keys.h"
Jerry Yucbd082f2022-08-04 16:55:10 +0800[diff] [blame]35#include "ssl_debug_helpers.h"
Jerry Yubdc71882021-09-14 19:30:36 +0800[diff] [blame]36
Jerry Yubc20bdd2021-08-24 15:59:48 +0800[diff] [blame]37/* Write extensions */
38
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]39/*
40 * ssl_tls13_write_supported_versions_ext():
41 *
42 * struct {
43 * ProtocolVersion versions<2..254>;
44 * } SupportedVersions;
45 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]46MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yuf4436812021-08-26 22:59:56 +0800[diff] [blame]47static int ssl_tls13_write_supported_versions_ext( mbedtls_ssl_context *ssl,
Jerry Yueecfbf02021-08-30 18:32:07 +0800[diff] [blame]48 unsigned char *buf,
49 unsigned char *end,
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]50 size_t *out_len )
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]51{
52 unsigned char *p = buf;
Glenn Strausscd78df62022-04-07 19:07:11 -0400[diff] [blame]53 unsigned char versions_len = ( ssl->handshake->min_tls_version <=
54 MBEDTLS_SSL_VERSION_TLS1_2 ) ? 4 : 2;
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]55
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]56 *out_len = 0;
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]57
Jerry Yu159c5a02021-08-31 12:51:25 +0800[diff] [blame]58 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding supported versions extension" ) );
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]59
Jerry Yu388bd0d2021-09-15 18:41:02 +0800[diff] [blame]60 /* Check if we have space to write the extension:
Jerry Yub60e3cf2021-09-08 16:41:02 +0800[diff] [blame]61 * - extension_type (2 bytes)
62 * - extension_data_length (2 bytes)
63 * - versions_length (1 byte )
Ronald Crona77fc272022-03-30 17:20:47 +0200[diff] [blame]64 * - versions (2 or 4 bytes)
Jerry Yu159c5a02021-08-31 12:51:25 +0800[diff] [blame]65 */
Ronald Crona77fc272022-03-30 17:20:47 +0200[diff] [blame]66 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 5 + versions_len );
Ronald Crondbe87f02022-02-10 14:35:27 +0100[diff] [blame]67
Jerry Yueecfbf02021-08-30 18:32:07 +0800[diff] [blame]68 MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS, p, 0 );
Ronald Crondbe87f02022-02-10 14:35:27 +0100[diff] [blame]69 MBEDTLS_PUT_UINT16_BE( versions_len + 1, p, 2 );
Jerry Yueecfbf02021-08-30 18:32:07 +0800[diff] [blame]70 p += 4;
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]71
Jerry Yu1bc2c1f2021-09-01 12:57:29 +0800[diff] [blame]72 /* Length of versions */
Ronald Crondbe87f02022-02-10 14:35:27 +0100[diff] [blame]73 *p++ = versions_len;
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]74
Jerry Yu0c63af62021-09-02 12:59:12 +0800[diff] [blame]75 /* Write values of supported versions.
Jerry Yu0c63af62021-09-02 12:59:12 +0800[diff] [blame]76 * They are defined by the configuration.
Ronald Crondbe87f02022-02-10 14:35:27 +0100[diff] [blame]77 * Currently, we advertise only TLS 1.3 or both TLS 1.3 and TLS 1.2.
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]78 */
Glenn Strausse3af4cb2022-03-15 03:23:42 -0400[diff] [blame]79 mbedtls_ssl_write_version( p, MBEDTLS_SSL_TRANSPORT_STREAM,
80 MBEDTLS_SSL_VERSION_TLS1_3 );
Ronald Crondbe87f02022-02-10 14:35:27 +0100[diff] [blame]81 MBEDTLS_SSL_DEBUG_MSG( 3, ( "supported version: [3:4]" ) );
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]82
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]83
Glenn Strausscd78df62022-04-07 19:07:11 -0400[diff] [blame]84 if( ssl->handshake->min_tls_version <= MBEDTLS_SSL_VERSION_TLS1_2 )
Ronald Crondbe87f02022-02-10 14:35:27 +0100[diff] [blame]85 {
Glenn Strausse3af4cb2022-03-15 03:23:42 -0400[diff] [blame]86 mbedtls_ssl_write_version( p + 2, MBEDTLS_SSL_TRANSPORT_STREAM,
87 MBEDTLS_SSL_VERSION_TLS1_2 );
Ronald Crondbe87f02022-02-10 14:35:27 +0100[diff] [blame]88 MBEDTLS_SSL_DEBUG_MSG( 3, ( "supported version: [3:3]" ) );
89 }
90
91 *out_len = 5 + versions_len;
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]92
93 return( 0 );
94}
Jerry Yubc20bdd2021-08-24 15:59:48 +0800[diff] [blame]95
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]96MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yuc068b662021-10-11 22:30:19 +0800[diff] [blame]97static int ssl_tls13_parse_supported_versions_ext( mbedtls_ssl_context *ssl,
98 const unsigned char *buf,
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]99 const unsigned char *end )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]100{
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]101 ((void) ssl);
102
Ronald Cron98473382022-03-30 20:04:10 +0200[diff] [blame]103 MBEDTLS_SSL_CHK_BUF_READ_PTR( buf, end, 2 );
Glenn Strausse3af4cb2022-03-15 03:23:42 -0400[diff] [blame]104 if( mbedtls_ssl_read_version( buf, ssl->conf->transport ) !=
105 MBEDTLS_SSL_VERSION_TLS1_3 )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]106 {
107 MBEDTLS_SSL_DEBUG_MSG( 1, ( "unexpected version" ) );
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]108
109 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
110 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
111 return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]112 }
113
Ronald Cron98473382022-03-30 20:04:10 +0200[diff] [blame]114 if( &buf[2] != end )
115 {
116 MBEDTLS_SSL_DEBUG_MSG( 1, ( "supported_versions ext data length incorrect" ) );
117 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
118 MBEDTLS_ERR_SSL_DECODE_ERROR );
119 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
120 }
121
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]122 return( 0 );
123}
124
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]125#if defined(MBEDTLS_SSL_ALPN)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]126MBEDTLS_CHECK_RETURN_CRITICAL
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]127static int ssl_tls13_parse_alpn_ext( mbedtls_ssl_context *ssl,
Ronald Cron81a334f2022-05-31 16:04:11 +0200[diff] [blame]128 const unsigned char *buf, size_t len )
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]129{
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]130 const unsigned char *p = buf;
131 const unsigned char *end = buf + len;
Ronald Cron81a334f2022-05-31 16:04:11 +0200[diff] [blame]132 size_t protocol_name_list_len, protocol_name_len;
133 const unsigned char *protocol_name_list_end;
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]134
135 /* If we didn't send it, the server shouldn't send it */
136 if( ssl->conf->alpn_list == NULL )
137 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
138
139 /*
140 * opaque ProtocolName<1..2^8-1>;
141 *
142 * struct {
143 * ProtocolName protocol_name_list<2..2^16-1>
144 * } ProtocolNameList;
145 *
146 * the "ProtocolNameList" MUST contain exactly one "ProtocolName"
147 */
148
Ronald Cron81a334f2022-05-31 16:04:11 +0200[diff] [blame]149 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
150 protocol_name_list_len = MBEDTLS_GET_UINT16_BE( p, 0 );
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]151 p += 2;
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]152
Ronald Cron81a334f2022-05-31 16:04:11 +0200[diff] [blame]153 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, protocol_name_list_len );
154 protocol_name_list_end = p + protocol_name_list_len;
155
156 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, protocol_name_list_end, 1 );
157 protocol_name_len = *p++;
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]158
159 /* Check that the server chosen protocol was in our list and save it */
Ronald Cron81a334f2022-05-31 16:04:11 +0200[diff] [blame]160 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, protocol_name_list_end, protocol_name_len );
161 for( const char **alpn = ssl->conf->alpn_list; *alpn != NULL; alpn++ )
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]162 {
Ronald Cron81a334f2022-05-31 16:04:11 +0200[diff] [blame]163 if( protocol_name_len == strlen( *alpn ) &&
164 memcmp( p, *alpn, protocol_name_len ) == 0 )
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]165 {
166 ssl->alpn_chosen = *alpn;
167 return( 0 );
168 }
169 }
170
171 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
172}
173#endif /* MBEDTLS_SSL_ALPN */
174
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]175MBEDTLS_CHECK_RETURN_CRITICAL
XiaokangQian16acd4b2022-01-14 07:35:47 +0000[diff] [blame]176static int ssl_tls13_reset_key_share( mbedtls_ssl_context *ssl )
XiaokangQian647719a2021-12-07 09:16:29 +0000[diff] [blame]177{
178 uint16_t group_id = ssl->handshake->offered_group_id;
Ronald Cron5b98ac92022-03-15 10:19:18 +0100[diff] [blame]179
XiaokangQian647719a2021-12-07 09:16:29 +0000[diff] [blame]180 if( group_id == 0 )
181 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
182
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]183#if defined(MBEDTLS_ECDH_C)
XiaokangQian647719a2021-12-07 09:16:29 +0000[diff] [blame]184 if( mbedtls_ssl_tls13_named_group_is_ecdhe( group_id ) )
XiaokangQian78b1fa72022-01-19 06:56:30 +0000[diff] [blame]185 {
Ronald Cron5b98ac92022-03-15 10:19:18 +0100[diff] [blame]186 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
187 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
188
189 /* Destroy generated private key. */
190 status = psa_destroy_key( ssl->handshake->ecdh_psa_privkey );
191 if( status != PSA_SUCCESS )
192 {
193 ret = psa_ssl_status_to_mbedtls( status );
194 MBEDTLS_SSL_DEBUG_RET( 1, "psa_destroy_key", ret );
195 return( ret );
196 }
197
198 ssl->handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
XiaokangQian78b1fa72022-01-19 06:56:30 +0000[diff] [blame]199 return( 0 );
200 }
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]201 else
202#endif /* MBEDTLS_ECDH_C */
203 if( 0 /* other KEMs? */ )
XiaokangQian647719a2021-12-07 09:16:29 +0000[diff] [blame]204 {
205 /* Do something */
206 }
207
208 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
209}
210
211/*
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]212 * Functions for writing key_share extension.
213 */
Ronald Cron766c0cd2022-10-18 12:17:11 +0200[diff] [blame]214#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]215MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yub60e3cf2021-09-08 16:41:02 +0800[diff] [blame]216static int ssl_tls13_get_default_group_id( mbedtls_ssl_context *ssl,
217 uint16_t *group_id )
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]218{
219 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
220
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]221
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]222#if defined(MBEDTLS_ECDH_C)
Brett Warren14efd332021-10-06 09:32:11 +0100[diff] [blame]223 const uint16_t *group_list = mbedtls_ssl_get_groups( ssl );
Jerry Yu388bd0d2021-09-15 18:41:02 +0800[diff] [blame]224 /* Pick first available ECDHE group compatible with TLS 1.3 */
Brett Warren14efd332021-10-06 09:32:11 +0100[diff] [blame]225 if( group_list == NULL )
Jerry Yu388bd0d2021-09-15 18:41:02 +0800[diff] [blame]226 return( MBEDTLS_ERR_SSL_BAD_CONFIG );
227
Brett Warren14efd332021-10-06 09:32:11 +0100[diff] [blame]228 for ( ; *group_list != 0; group_list++ )
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]229 {
Xiaofei Baieef15042021-11-18 07:29:56 +0000[diff] [blame]230 const mbedtls_ecp_curve_info *curve_info;
231 curve_info = mbedtls_ecp_curve_info_from_tls_id( *group_list );
232 if( curve_info != NULL &&
Brett Warren14efd332021-10-06 09:32:11 +0100[diff] [blame]233 mbedtls_ssl_tls13_named_group_is_ecdhe( *group_list ) )
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]234 {
Brett Warren14efd332021-10-06 09:32:11 +0100[diff] [blame]235 *group_id = *group_list;
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]236 return( 0 );
237 }
238 }
239#else
240 ((void) ssl);
Jerry Yub60e3cf2021-09-08 16:41:02 +0800[diff] [blame]241 ((void) group_id);
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]242#endif /* MBEDTLS_ECDH_C */
243
244 /*
245 * Add DHE named groups here.
Jerry Yu388bd0d2021-09-15 18:41:02 +0800[diff] [blame]246 * Pick first available DHE group compatible with TLS 1.3
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]247 */
248
249 return( ret );
250}
251
252/*
253 * ssl_tls13_write_key_share_ext
254 *
Jerry Yu388bd0d2021-09-15 18:41:02 +0800[diff] [blame]255 * Structure of key_share extension in ClientHello:
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]256 *
257 * struct {
258 * NamedGroup group;
259 * opaque key_exchange<1..2^16-1>;
260 * } KeyShareEntry;
261 * struct {
262 * KeyShareEntry client_shares<0..2^16-1>;
263 * } KeyShareClientHello;
264 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]265MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]266static int ssl_tls13_write_key_share_ext( mbedtls_ssl_context *ssl,
267 unsigned char *buf,
268 unsigned char *end,
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]269 size_t *out_len )
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]270{
271 unsigned char *p = buf;
Xiaofei Baieef15042021-11-18 07:29:56 +0000[diff] [blame]272 unsigned char *client_shares; /* Start of client_shares */
273 size_t client_shares_len; /* Length of client_shares */
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]274 uint16_t group_id;
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]275 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
276
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]277 *out_len = 0;
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]278
Jerry Yub60e3cf2021-09-08 16:41:02 +0800[diff] [blame]279 /* Check if we have space for header and length fields:
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]280 * - extension_type (2 bytes)
281 * - extension_data_length (2 bytes)
282 * - client_shares_length (2 bytes)
283 */
284 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 6 );
285 p += 6;
286
287 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello: adding key share extension" ) );
288
289 /* HRR could already have requested something else. */
290 group_id = ssl->handshake->offered_group_id;
Jerry Yub60e3cf2021-09-08 16:41:02 +0800[diff] [blame]291 if( !mbedtls_ssl_tls13_named_group_is_ecdhe( group_id ) &&
292 !mbedtls_ssl_tls13_named_group_is_dhe( group_id ) )
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]293 {
Jerry Yub60e3cf2021-09-08 16:41:02 +0800[diff] [blame]294 MBEDTLS_SSL_PROC_CHK( ssl_tls13_get_default_group_id( ssl,
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]295 &group_id ) );
296 }
297
298 /*
299 * Dispatch to type-specific key generation function.
300 *
301 * So far, we're only supporting ECDHE. With the introduction
302 * of PQC KEMs, we'll want to have multiple branches, one per
303 * type of KEM, and dispatch to the corresponding crypto. And
304 * only one key share entry is allowed.
305 */
Xiaofei Baieef15042021-11-18 07:29:56 +0000[diff] [blame]306 client_shares = p;
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]307#if defined(MBEDTLS_ECDH_C)
Jerry Yub60e3cf2021-09-08 16:41:02 +0800[diff] [blame]308 if( mbedtls_ssl_tls13_named_group_is_ecdhe( group_id ) )
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]309 {
Jerry Yu388bd0d2021-09-15 18:41:02 +0800[diff] [blame]310 /* Pointer to group */
Xiaofei Baieef15042021-11-18 07:29:56 +0000[diff] [blame]311 unsigned char *group = p;
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]312 /* Length of key_exchange */
Przemyslaw Stekiel4f419e52022-02-10 15:56:26 +0100[diff] [blame]313 size_t key_exchange_len = 0;
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]314
315 /* Check there is space for header of KeyShareEntry
316 * - group (2 bytes)
317 * - key_exchange_length (2 bytes)
318 */
319 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 4 );
320 p += 4;
Jerry Yu89e103c2022-03-30 22:43:29 +0800[diff] [blame]321 ret = mbedtls_ssl_tls13_generate_and_write_ecdh_key_exchange(
322 ssl, group_id, p, end, &key_exchange_len );
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]323 p += key_exchange_len;
324 if( ret != 0 )
325 return( ret );
326
327 /* Write group */
Xiaofei Baieef15042021-11-18 07:29:56 +0000[diff] [blame]328 MBEDTLS_PUT_UINT16_BE( group_id, group, 0 );
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]329 /* Write key_exchange_length */
Xiaofei Baieef15042021-11-18 07:29:56 +0000[diff] [blame]330 MBEDTLS_PUT_UINT16_BE( key_exchange_len, group, 2 );
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]331 }
332 else
333#endif /* MBEDTLS_ECDH_C */
334 if( 0 /* other KEMs? */ )
335 {
336 /* Do something */
337 }
338 else
339 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
340
Jerry Yub60e3cf2021-09-08 16:41:02 +0800[diff] [blame]341 /* Length of client_shares */
Xiaofei Baieef15042021-11-18 07:29:56 +0000[diff] [blame]342 client_shares_len = p - client_shares;
Jerry Yub60e3cf2021-09-08 16:41:02 +0800[diff] [blame]343 if( client_shares_len == 0)
344 {
345 MBEDTLS_SSL_DEBUG_MSG( 1, ( "No key share defined." ) );
346 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Jerry Yu7c522d42021-09-08 17:55:09 +0800[diff] [blame]347 }
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]348 /* Write extension_type */
349 MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_KEY_SHARE, buf, 0 );
350 /* Write extension_data_length */
Jerry Yub60e3cf2021-09-08 16:41:02 +0800[diff] [blame]351 MBEDTLS_PUT_UINT16_BE( client_shares_len + 2, buf, 2 );
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]352 /* Write client_shares_length */
Jerry Yub60e3cf2021-09-08 16:41:02 +0800[diff] [blame]353 MBEDTLS_PUT_UINT16_BE( client_shares_len, buf, 4 );
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]354
355 /* Update offered_group_id field */
356 ssl->handshake->offered_group_id = group_id;
357
358 /* Output the total length of key_share extension. */
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]359 *out_len = p - buf;
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]360
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]361 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, key_share extension", buf, *out_len );
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]362
363 ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_KEY_SHARE;
364
365cleanup:
366
367 return( ret );
368}
Ronald Cron766c0cd2022-10-18 12:17:11 +0200[diff] [blame]369#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED */
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]370
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]371/*
372 * ssl_tls13_parse_hrr_key_share_ext()
373 * Parse key_share extension in Hello Retry Request
374 *
375 * struct {
376 * NamedGroup selected_group;
377 * } KeyShareHelloRetryRequest;
378 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]379MBEDTLS_CHECK_RETURN_CRITICAL
XiaokangQiand9e068e2022-01-18 06:23:32 +0000[diff] [blame]380static int ssl_tls13_parse_hrr_key_share_ext( mbedtls_ssl_context *ssl,
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]381 const unsigned char *buf,
382 const unsigned char *end )
383{
Andrzej Kurekc19fb082022-10-03 10:52:24 -0400[diff] [blame]384#if defined(MBEDTLS_ECDH_C)
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]385 const mbedtls_ecp_curve_info *curve_info = NULL;
386 const unsigned char *p = buf;
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]387 int selected_group;
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]388 int found = 0;
389
390 const uint16_t *group_list = mbedtls_ssl_get_groups( ssl );
391 if( group_list == NULL )
392 return( MBEDTLS_ERR_SSL_BAD_CONFIG );
393
394 MBEDTLS_SSL_DEBUG_BUF( 3, "key_share extension", p, end - buf );
395
396 /* Read selected_group */
XiaokangQianb48894e2022-01-17 02:05:52 +0000[diff] [blame]397 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]398 selected_group = MBEDTLS_GET_UINT16_BE( p, 0 );
399 MBEDTLS_SSL_DEBUG_MSG( 3, ( "selected_group ( %d )", selected_group ) );
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]400
401 /* Upon receipt of this extension in a HelloRetryRequest, the client
402 * MUST first verify that the selected_group field corresponds to a
403 * group which was provided in the "supported_groups" extension in the
404 * original ClientHello.
405 * The supported_group was based on the info in ssl->conf->group_list.
406 *
407 * If the server provided a key share that was not sent in the ClientHello
408 * then the client MUST abort the handshake with an "illegal_parameter" alert.
409 */
XiaokangQiand9e068e2022-01-18 06:23:32 +0000[diff] [blame]410 for( ; *group_list != 0; group_list++ )
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]411 {
412 curve_info = mbedtls_ecp_curve_info_from_tls_id( *group_list );
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]413 if( curve_info == NULL || curve_info->tls_id != selected_group )
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]414 continue;
415
416 /* We found a match */
417 found = 1;
418 break;
419 }
420
421 /* Client MUST verify that the selected_group field does not
422 * correspond to a group which was provided in the "key_share"
423 * extension in the original ClientHello. If the server sent an
424 * HRR message with a key share already provided in the
425 * ClientHello then the client MUST abort the handshake with
426 * an "illegal_parameter" alert.
427 */
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]428 if( found == 0 || selected_group == ssl->handshake->offered_group_id )
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]429 {
430 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Invalid key share in HRR" ) );
431 MBEDTLS_SSL_PEND_FATAL_ALERT(
432 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
433 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
434 return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
435 }
436
437 /* Remember server's preference for next ClientHello */
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]438 ssl->handshake->offered_group_id = selected_group;
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]439
440 return( 0 );
Andrzej Kurekc19fb082022-10-03 10:52:24 -0400[diff] [blame]441#else
442 (void) ssl;
443 (void) buf;
444 (void) end;
445 return( MBEDTLS_ERR_SSL_BAD_CONFIG );
446#endif
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]447}
448
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]449/*
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]450 * ssl_tls13_parse_key_share_ext()
451 * Parse key_share extension in Server Hello
452 *
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]453 * struct {
454 * KeyShareEntry server_share;
455 * } KeyShareServerHello;
456 * struct {
457 * NamedGroup group;
458 * opaque key_exchange<1..2^16-1>;
459 * } KeyShareEntry;
460 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]461MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]462static int ssl_tls13_parse_key_share_ext( mbedtls_ssl_context *ssl,
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]463 const unsigned char *buf,
464 const unsigned char *end )
465{
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]466 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]467 const unsigned char *p = buf;
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]468 uint16_t group, offered_group;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]469
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]470 /* ...
471 * NamedGroup group; (2 bytes)
472 * ...
473 */
474 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
475 group = MBEDTLS_GET_UINT16_BE( p, 0 );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]476 p += 2;
477
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]478 /* Check that the chosen group matches the one we offered. */
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]479 offered_group = ssl->handshake->offered_group_id;
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]480 if( offered_group != group )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]481 {
482 MBEDTLS_SSL_DEBUG_MSG( 1,
483 ( "Invalid server key share, our group %u, their group %u",
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]484 (unsigned) offered_group, (unsigned) group ) );
485 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
486 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
487 return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]488 }
489
490#if defined(MBEDTLS_ECDH_C)
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]491 if( mbedtls_ssl_tls13_named_group_is_ecdhe( group ) )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]492 {
Przemyslaw Stekiel9e23ddb2022-02-10 10:32:02 +0100[diff] [blame]493 const mbedtls_ecp_curve_info *curve_info =
494 mbedtls_ecp_curve_info_from_tls_id( group );
495 if( curve_info == NULL )
496 {
497 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Invalid TLS curve group id" ) );
498 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
499 }
500
501 MBEDTLS_SSL_DEBUG_MSG( 2, ( "ECDH curve: %s", curve_info->name ) );
502
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000[diff] [blame]503 ret = mbedtls_ssl_tls13_read_public_ecdhe_share( ssl, p, end - p );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]504 if( ret != 0 )
505 return( ret );
506 }
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]507 else
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]508#endif /* MBEDTLS_ECDH_C */
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]509 if( 0 /* other KEMs? */ )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]510 {
511 /* Do something */
512 }
513 else
514 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
515
516 ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_KEY_SHARE;
517 return( ret );
518}
519
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]520/*
521 * ssl_tls13_parse_cookie_ext()
522 * Parse cookie extension in Hello Retry Request
523 *
524 * struct {
525 * opaque cookie<1..2^16-1>;
526 * } Cookie;
527 *
528 * When sending a HelloRetryRequest, the server MAY provide a "cookie"
529 * extension to the client (this is an exception to the usual rule that
530 * the only extensions that may be sent are those that appear in the
531 * ClientHello). When sending the new ClientHello, the client MUST copy
532 * the contents of the extension received in the HelloRetryRequest into
533 * a "cookie" extension in the new ClientHello. Clients MUST NOT use
534 * cookies in their initial ClientHello in subsequent connections.
535 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]536MBEDTLS_CHECK_RETURN_CRITICAL
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]537static int ssl_tls13_parse_cookie_ext( mbedtls_ssl_context *ssl,
538 const unsigned char *buf,
539 const unsigned char *end )
540{
XiaokangQian25c9c902022-02-08 10:49:53 +0000[diff] [blame]541 uint16_t cookie_len;
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]542 const unsigned char *p = buf;
543 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
544
545 /* Retrieve length field of cookie */
546 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
547 cookie_len = MBEDTLS_GET_UINT16_BE( p, 0 );
548 p += 2;
549
550 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, cookie_len );
551 MBEDTLS_SSL_DEBUG_BUF( 3, "cookie extension", p, cookie_len );
552
XiaokangQian9b93c0d2022-02-09 06:02:25 +0000[diff] [blame]553 mbedtls_free( handshake->cookie );
XiaokangQian25c9c902022-02-08 10:49:53 +0000[diff] [blame]554 handshake->hrr_cookie_len = 0;
XiaokangQian9b93c0d2022-02-09 06:02:25 +0000[diff] [blame]555 handshake->cookie = mbedtls_calloc( 1, cookie_len );
556 if( handshake->cookie == NULL )
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]557 {
558 MBEDTLS_SSL_DEBUG_MSG( 1,
XiaokangQian25c9c902022-02-08 10:49:53 +0000[diff] [blame]559 ( "alloc failed ( %ud bytes )",
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]560 cookie_len ) );
561 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
562 }
563
XiaokangQian9b93c0d2022-02-09 06:02:25 +0000[diff] [blame]564 memcpy( handshake->cookie, p, cookie_len );
XiaokangQian25c9c902022-02-08 10:49:53 +0000[diff] [blame]565 handshake->hrr_cookie_len = cookie_len;
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]566
567 return( 0 );
568}
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]569
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]570MBEDTLS_CHECK_RETURN_CRITICAL
XiaokangQian0b64eed2022-01-27 10:36:51 +0000[diff] [blame]571static int ssl_tls13_write_cookie_ext( mbedtls_ssl_context *ssl,
XiaokangQian233397e2022-02-07 08:32:16 +0000[diff] [blame]572 unsigned char *buf,
573 unsigned char *end,
XiaokangQian9deb90f2022-02-08 10:31:07 +0000[diff] [blame]574 size_t *out_len )
XiaokangQian0b64eed2022-01-27 10:36:51 +0000[diff] [blame]575{
576 unsigned char *p = buf;
XiaokangQian9deb90f2022-02-08 10:31:07 +0000[diff] [blame]577 *out_len = 0;
XiaokangQianc02768a2022-02-10 07:31:25 +0000[diff] [blame]578 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
XiaokangQian0b64eed2022-01-27 10:36:51 +0000[diff] [blame]579
XiaokangQianc02768a2022-02-10 07:31:25 +0000[diff] [blame]580 if( handshake->cookie == NULL )
XiaokangQian0b64eed2022-01-27 10:36:51 +0000[diff] [blame]581 {
582 MBEDTLS_SSL_DEBUG_MSG( 3, ( "no cookie to send; skip extension" ) );
583 return( 0 );
584 }
585
586 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, cookie",
XiaokangQianc02768a2022-02-10 07:31:25 +0000[diff] [blame]587 handshake->cookie,
588 handshake->hrr_cookie_len );
XiaokangQian0b64eed2022-01-27 10:36:51 +0000[diff] [blame]589
XiaokangQianc02768a2022-02-10 07:31:25 +0000[diff] [blame]590 MBEDTLS_SSL_CHK_BUF_PTR( p, end, handshake->hrr_cookie_len + 6 );
XiaokangQian0b64eed2022-01-27 10:36:51 +0000[diff] [blame]591
592 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding cookie extension" ) );
593
XiaokangQian0b64eed2022-01-27 10:36:51 +0000[diff] [blame]594 MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_COOKIE, p, 0 );
XiaokangQianc02768a2022-02-10 07:31:25 +0000[diff] [blame]595 MBEDTLS_PUT_UINT16_BE( handshake->hrr_cookie_len + 2, p, 2 );
596 MBEDTLS_PUT_UINT16_BE( handshake->hrr_cookie_len, p, 4 );
XiaokangQian233397e2022-02-07 08:32:16 +0000[diff] [blame]597 p += 6;
XiaokangQian0b64eed2022-01-27 10:36:51 +0000[diff] [blame]598
599 /* Cookie */
XiaokangQianc02768a2022-02-10 07:31:25 +0000[diff] [blame]600 memcpy( p, handshake->cookie, handshake->hrr_cookie_len );
XiaokangQian0b64eed2022-01-27 10:36:51 +0000[diff] [blame]601
XiaokangQianc02768a2022-02-10 07:31:25 +0000[diff] [blame]602 *out_len = handshake->hrr_cookie_len + 6;
XiaokangQian0b64eed2022-01-27 10:36:51 +0000[diff] [blame]603
604 return( 0 );
605}
606
Ronald Cron41a443a2022-10-04 16:38:25 +0200[diff] [blame]607#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]608/*
609 * ssl_tls13_write_psk_key_exchange_modes_ext() structure:
610 *
611 * enum { psk_ke( 0 ), psk_dhe_ke( 1 ), ( 255 ) } PskKeyExchangeMode;
612 *
613 * struct {
614 * PskKeyExchangeMode ke_modes<1..255>;
615 * } PskKeyExchangeModes;
616 */
XiaokangQian86981952022-07-19 09:51:50 +0000[diff] [blame]617MBEDTLS_CHECK_RETURN_CRITICAL
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]618static int ssl_tls13_write_psk_key_exchange_modes_ext( mbedtls_ssl_context *ssl,
619 unsigned char *buf,
620 unsigned char *end,
621 size_t *out_len )
622{
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]623 unsigned char *p = buf;
XiaokangQian008d2bf2022-07-14 07:54:01 +0000[diff] [blame]624 int ke_modes_len = 0;
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]625
XiaokangQian008d2bf2022-07-14 07:54:01 +0000[diff] [blame]626 ((void) ke_modes_len );
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]627 *out_len = 0;
XiaokangQian008d2bf2022-07-14 07:54:01 +0000[diff] [blame]628
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]629 /* Skip writing extension if no PSK key exchange mode
XiaokangQian7c12d312022-07-20 07:25:43 +0000[diff] [blame]630 * is enabled in the config.
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]631 */
XiaokangQian86981952022-07-19 09:51:50 +0000[diff] [blame]632 if( !mbedtls_ssl_conf_tls13_some_psk_enabled( ssl ) )
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]633 {
634 MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip psk_key_exchange_modes extension" ) );
635 return( 0 );
636 }
637
638 /* Require 7 bytes of data, otherwise fail,
639 * even if extension might be shorter.
640 */
641 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 7 );
642 MBEDTLS_SSL_DEBUG_MSG(
643 3, ( "client hello, adding psk_key_exchange_modes extension" ) );
644
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]645 MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES, p, 0 );
646
XiaokangQian008d2bf2022-07-14 07:54:01 +0000[diff] [blame]647 /* Skip extension length (2 bytes) and
648 * ke_modes length (1 byte) for now.
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]649 */
650 p += 5;
651
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]652 if( mbedtls_ssl_conf_tls13_psk_ephemeral_enabled( ssl ) )
653 {
654 *p++ = MBEDTLS_SSL_TLS1_3_PSK_MODE_ECDHE;
XiaokangQian008d2bf2022-07-14 07:54:01 +0000[diff] [blame]655 ke_modes_len++;
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]656
657 MBEDTLS_SSL_DEBUG_MSG( 4, ( "Adding PSK-ECDHE key exchange mode" ) );
658 }
659
Ronald Crona709a0f2022-09-27 16:46:11 +0200[diff] [blame]660 if( mbedtls_ssl_conf_tls13_psk_enabled( ssl ) )
661 {
662 *p++ = MBEDTLS_SSL_TLS1_3_PSK_MODE_PURE;
663 ke_modes_len++;
664
665 MBEDTLS_SSL_DEBUG_MSG( 4, ( "Adding pure PSK key exchange mode" ) );
666 }
667
XiaokangQian008d2bf2022-07-14 07:54:01 +0000[diff] [blame]668 /* Now write the extension and ke_modes length */
669 MBEDTLS_PUT_UINT16_BE( ke_modes_len + 1, buf, 2 );
670 buf[4] = ke_modes_len;
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]671
672 *out_len = p - buf;
673 ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_PSK_KEY_EXCHANGE_MODES;
674 return ( 0 );
675}
Jerry Yudb8c5fa2022-08-03 12:10:13 +0800[diff] [blame]676
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]677static psa_algorithm_t ssl_tls13_get_ciphersuite_hash_alg( int ciphersuite )
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]678{
Jerry Yu21f90952022-10-08 10:30:53 +0800[diff] [blame]679 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = NULL;
680 ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( ciphersuite );
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]681
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]682 if( ciphersuite_info != NULL )
683 return( mbedtls_psa_translate_md( ciphersuite_info->mac ) );
684
Jerry Yu21f90952022-10-08 10:30:53 +0800[diff] [blame]685 return( PSA_ALG_NONE );
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]686}
687
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]688#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]689static int ssl_tls13_has_configured_ticket( mbedtls_ssl_context *ssl )
690{
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]691 mbedtls_ssl_session *session = ssl->session_negotiate;
Jerry Yu4f77ecf2022-10-10 22:10:08 +0800[diff] [blame]692 return( ssl->handshake->resume &&
693 session != NULL && session->ticket != NULL );
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]694}
695
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]696MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]697static int ssl_tls13_ticket_get_identity( mbedtls_ssl_context *ssl,
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]698 psa_algorithm_t *hash_alg,
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]699 const unsigned char **identity,
700 size_t *identity_len )
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]701{
702 mbedtls_ssl_session *session = ssl->session_negotiate;
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]703
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]704 if( !ssl_tls13_has_configured_ticket( ssl ) )
705 return( -1 );
706
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]707 *hash_alg = ssl_tls13_get_ciphersuite_hash_alg( session->ciphersuite );
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]708 *identity = session->ticket;
709 *identity_len = session->ticket_len;
710 return( 0 );
711}
712
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]713MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]714static int ssl_tls13_ticket_get_psk( mbedtls_ssl_context *ssl,
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]715 psa_algorithm_t *hash_alg,
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]716 const unsigned char **psk,
717 size_t *psk_len )
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]718{
719
720 mbedtls_ssl_session *session = ssl->session_negotiate;
721
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]722 if( !ssl_tls13_has_configured_ticket( ssl ) )
723 return( -1 );
724
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]725 *hash_alg = ssl_tls13_get_ciphersuite_hash_alg( session->ciphersuite );
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]726 *psk = session->resumption_key;
727 *psk_len = session->resumption_key_len;
728
729 return( 0 );
730}
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]731#endif /* MBEDTLS_SSL_SESSION_TICKETS */
732
733MBEDTLS_CHECK_RETURN_CRITICAL
734static int ssl_tls13_psk_get_identity( mbedtls_ssl_context *ssl,
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]735 psa_algorithm_t *hash_alg,
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]736 const unsigned char **identity,
737 size_t *identity_len )
738{
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]739
Ronald Cron083da8e2022-10-20 15:53:51 +0200[diff] [blame]740 if( ! mbedtls_ssl_conf_has_static_psk( ssl->conf ) )
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]741 return( -1 );
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]742
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]743 *hash_alg = PSA_ALG_SHA_256;
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]744 *identity = ssl->conf->psk_identity;
745 *identity_len = ssl->conf->psk_identity_len;
746 return( 0 );
747}
748
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]749MBEDTLS_CHECK_RETURN_CRITICAL
750static int ssl_tls13_psk_get_psk( mbedtls_ssl_context *ssl,
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]751 psa_algorithm_t *hash_alg,
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]752 const unsigned char **psk,
753 size_t *psk_len )
754{
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]755
Ronald Cron083da8e2022-10-20 15:53:51 +0200[diff] [blame]756 if( ! mbedtls_ssl_conf_has_static_psk( ssl->conf ) )
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]757 return( -1 );
758
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]759 *hash_alg = PSA_ALG_SHA_256;
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]760 *psk = ssl->conf->psk;
761 *psk_len = ssl->conf->psk_len;
762 return( 0 );
763}
764
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]765static int ssl_tls13_get_configured_psk_count( mbedtls_ssl_context *ssl )
766{
767 int configured_psk_count = 0;
768#if defined(MBEDTLS_SSL_SESSION_TICKETS)
769 if( ssl_tls13_has_configured_ticket( ssl ) )
770 {
771 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Ticket is configured" ) );
772 configured_psk_count++;
773 }
774#endif
Ronald Crond29e13e2022-10-19 10:33:48 +0200[diff] [blame]775 if( mbedtls_ssl_conf_has_static_psk( ssl->conf ) )
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]776 {
777 MBEDTLS_SSL_DEBUG_MSG( 3, ( "PSK is configured" ) );
778 configured_psk_count++;
779 }
780 return( configured_psk_count );
781}
782
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]783MBEDTLS_CHECK_RETURN_CRITICAL
784static int ssl_tls13_write_identity( mbedtls_ssl_context *ssl,
785 unsigned char *buf,
786 unsigned char *end,
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]787 const unsigned char *identity,
788 size_t identity_len,
789 uint32_t obfuscated_ticket_age,
790 size_t *out_len )
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]791{
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]792 ((void) ssl);
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]793 *out_len = 0;
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]794
795 /*
796 * - identity_len (2 bytes)
797 * - identity (psk_identity_len bytes)
798 * - obfuscated_ticket_age (4 bytes)
799 */
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]800 MBEDTLS_SSL_CHK_BUF_PTR( buf, end, 6 + identity_len );
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]801
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]802 MBEDTLS_PUT_UINT16_BE( identity_len, buf, 0 );
803 memcpy( buf + 2, identity, identity_len );
804 MBEDTLS_PUT_UINT32_BE( obfuscated_ticket_age, buf, 2 + identity_len );
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]805
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]806 MBEDTLS_SSL_DEBUG_BUF( 4, "write identity", buf, 6 + identity_len );
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]807
808 *out_len = 6 + identity_len;
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]809
810 return( 0 );
811}
812
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]813MBEDTLS_CHECK_RETURN_CRITICAL
814static int ssl_tls13_write_binder( mbedtls_ssl_context *ssl,
815 unsigned char *buf,
816 unsigned char *end,
817 int psk_type,
Jerry Yu6183cc72022-09-30 11:08:57 +0800[diff] [blame]818 psa_algorithm_t hash_alg,
819 const unsigned char *psk,
820 size_t psk_len,
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]821 size_t *out_len )
822{
823 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]824 unsigned char binder_len;
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]825 unsigned char transcript[ MBEDTLS_TLS1_3_MD_MAX_SIZE ];
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]826 size_t transcript_len = 0;
827
828 *out_len = 0;
829
Jerry Yu6183cc72022-09-30 11:08:57 +0800[diff] [blame]830 binder_len = PSA_HASH_LENGTH( hash_alg );
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]831
832 /*
833 * - binder_len (1 bytes)
834 * - binder (binder_len bytes)
835 */
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]836 MBEDTLS_SSL_CHK_BUF_PTR( buf, end, 1 + binder_len );
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]837
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]838 buf[0] = binder_len;
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]839
840 /* Get current state of handshake transcript. */
841 ret = mbedtls_ssl_get_handshake_transcript(
Jerry Yu6183cc72022-09-30 11:08:57 +0800[diff] [blame]842 ssl, mbedtls_hash_info_md_from_psa( hash_alg ),
Jerry Yu6916e702022-10-10 21:33:51 +0800[diff] [blame]843 transcript, sizeof( transcript ), &transcript_len );
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]844 if( ret != 0 )
845 return( ret );
846
Jerry Yu6183cc72022-09-30 11:08:57 +0800[diff] [blame]847 ret = mbedtls_ssl_tls13_create_psk_binder( ssl, hash_alg,
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]848 psk, psk_len, psk_type,
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]849 transcript, buf + 1 );
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]850 if( ret != 0 )
851 {
852 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_create_psk_binder", ret );
853 return( ret );
854 }
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]855 MBEDTLS_SSL_DEBUG_BUF( 4, "write binder", buf, 1 + binder_len );
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]856
857 *out_len = 1 + binder_len;
858
Jerry Yu6916e702022-10-10 21:33:51 +0800[diff] [blame]859 return( 0 );
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]860}
861
862/*
863 * mbedtls_ssl_tls13_write_identities_of_pre_shared_key_ext() structure:
864 *
865 * struct {
866 * opaque identity<1..2^16-1>;
867 * uint32 obfuscated_ticket_age;
868 * } PskIdentity;
869 *
870 * opaque PskBinderEntry<32..255>;
871 *
872 * struct {
873 * PskIdentity identities<7..2^16-1>;
874 * PskBinderEntry binders<33..2^16-1>;
875 * } OfferedPsks;
876 *
877 * struct {
878 * select (Handshake.msg_type) {
879 * case client_hello: OfferedPsks;
880 * ...
881 * };
882 * } PreSharedKeyExtension;
883 *
884 */
XiaokangQian3ad67bf2022-07-21 02:26:21 +0000[diff] [blame]885int mbedtls_ssl_tls13_write_identities_of_pre_shared_key_ext(
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]886 mbedtls_ssl_context *ssl, unsigned char *buf, unsigned char *end,
887 size_t *out_len, size_t *binders_len )
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]888{
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]889 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]890 int configured_psk_count = 0;
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]891 unsigned char *p = buf;
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]892 psa_algorithm_t hash_alg;
893 const unsigned char *identity;
894 size_t identity_len;
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]895 size_t l_binders_len = 0;
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]896 size_t output_len;
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]897
898 *out_len = 0;
899 *binders_len = 0;
900
901 /* Check if we have any PSKs to offer. If no, skip pre_shared_key */
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]902 configured_psk_count = ssl_tls13_get_configured_psk_count( ssl );
903 if( configured_psk_count == 0 )
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]904 {
905 MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip pre_shared_key extensions" ) );
906 return( 0 );
907 }
908
909 MBEDTLS_SSL_DEBUG_MSG( 4, ( "Pre-configured PSK number = %d",
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]910 configured_psk_count ) );
911
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]912 /* Check if we have space to write the extension, binders included.
913 * - extension_type (2 bytes)
914 * - extension_data_len (2 bytes)
915 * - identities_len (2 bytes)
916 */
917 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 6 );
918 p += 6;
919
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]920#if defined(MBEDTLS_SSL_SESSION_TICKETS)
921 if( ssl_tls13_ticket_get_identity(
922 ssl, &hash_alg, &identity, &identity_len ) == 0 )
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]923 {
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]924#if defined(MBEDTLS_HAVE_TIME)
925 mbedtls_time_t now = mbedtls_time( NULL );
926 mbedtls_ssl_session *session = ssl->session_negotiate;
Jerry Yu6916e702022-10-10 21:33:51 +0800[diff] [blame]927 uint32_t obfuscated_ticket_age =
928 (uint32_t)( now - session->ticket_received );
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]929
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]930 obfuscated_ticket_age *= 1000;
931 obfuscated_ticket_age += session->ticket_age_add;
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]932
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]933 ret = ssl_tls13_write_identity( ssl, p, end,
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]934 identity, identity_len,
935 obfuscated_ticket_age,
936 &output_len );
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]937#else
938 ret = ssl_tls13_write_identity( ssl, p, end, identity, identity_len,
939 0, &output_len );
940#endif /* MBEDTLS_HAVE_TIME */
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]941 if( ret != 0 )
942 return( ret );
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]943
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]944 p += output_len;
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]945 l_binders_len += 1 + PSA_HASH_LENGTH( hash_alg );
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]946 }
947#endif /* MBEDTLS_SSL_SESSION_TICKETS */
948
949 if( ssl_tls13_psk_get_identity(
950 ssl, &hash_alg, &identity, &identity_len ) == 0 )
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]951 {
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]952
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]953 ret = ssl_tls13_write_identity( ssl, p, end, identity, identity_len, 0,
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]954 &output_len );
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]955 if( ret != 0 )
956 return( ret );
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]957
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]958 p += output_len;
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]959 l_binders_len += 1 + PSA_HASH_LENGTH( hash_alg );
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]960 }
961
962 MBEDTLS_SSL_DEBUG_MSG( 3,
963 ( "client hello, adding pre_shared_key extension, "
964 "omitting PSK binder list" ) );
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]965
966 /* Take into account the two bytes for the length of the binders. */
967 l_binders_len += 2;
Jerry Yu6916e702022-10-10 21:33:51 +0800[diff] [blame]968 /* Check if there is enough space for binders */
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]969 MBEDTLS_SSL_CHK_BUF_PTR( p, end, l_binders_len );
970
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]971 /*
972 * - extension_type (2 bytes)
973 * - extension_data_len (2 bytes)
974 * - identities_len (2 bytes)
975 */
976 MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_PRE_SHARED_KEY, buf, 0 );
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]977 MBEDTLS_PUT_UINT16_BE( p - buf - 4 + l_binders_len , buf, 2 );
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]978 MBEDTLS_PUT_UINT16_BE( p - buf - 6 , buf, 4 );
979
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]980 *out_len = ( p - buf ) + l_binders_len;
981 *binders_len = l_binders_len;
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]982
983 MBEDTLS_SSL_DEBUG_BUF( 3, "pre_shared_key identities", buf, p - buf );
984
985 ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_PRE_SHARED_KEY;
986
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]987 return( 0 );
988}
989
XiaokangQian86981952022-07-19 09:51:50 +0000[diff] [blame]990int mbedtls_ssl_tls13_write_binders_of_pre_shared_key_ext(
Jerry Yu0c6105b2022-08-12 17:26:40 +0800[diff] [blame]991 mbedtls_ssl_context *ssl, unsigned char *buf, unsigned char *end )
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]992{
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]993 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
994 unsigned char *p = buf;
Jerry Yu6183cc72022-09-30 11:08:57 +0800[diff] [blame]995 psa_algorithm_t hash_alg = PSA_ALG_NONE;
996 const unsigned char *psk;
997 size_t psk_len;
998 size_t output_len;
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]999
1000 /* Check if we have space to write binders_len.
1001 * - binders_len (2 bytes)
1002 */
1003 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 );
1004 p += 2;
1005
Jerry Yu6183cc72022-09-30 11:08:57 +0800[diff] [blame]1006#if defined(MBEDTLS_SSL_SESSION_TICKETS)
1007 if( ssl_tls13_ticket_get_psk( ssl, &hash_alg, &psk, &psk_len ) == 0 )
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]1008 {
Jerry Yu6183cc72022-09-30 11:08:57 +0800[diff] [blame]1009
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]1010 ret = ssl_tls13_write_binder( ssl, p, end,
1011 MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION,
Jerry Yu6183cc72022-09-30 11:08:57 +0800[diff] [blame]1012 hash_alg, psk, psk_len,
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]1013 &output_len );
1014 if( ret != 0 )
1015 return( ret );
1016 p += output_len;
1017 }
Jerry Yu6183cc72022-09-30 11:08:57 +0800[diff] [blame]1018#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]1019
Jerry Yu6183cc72022-09-30 11:08:57 +0800[diff] [blame]1020 if( ssl_tls13_psk_get_psk( ssl, &hash_alg, &psk, &psk_len ) == 0 )
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]1021 {
Jerry Yu6183cc72022-09-30 11:08:57 +0800[diff] [blame]1022
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]1023 ret = ssl_tls13_write_binder( ssl, p, end,
1024 MBEDTLS_SSL_TLS1_3_PSK_EXTERNAL,
Jerry Yu6183cc72022-09-30 11:08:57 +0800[diff] [blame]1025 hash_alg, psk, psk_len,
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]1026 &output_len );
1027 if( ret != 0 )
1028 return( ret );
1029 p += output_len;
1030 }
1031
1032 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding PSK binder list." ) );
1033
1034 /*
1035 * - binders_len (2 bytes)
1036 */
1037 MBEDTLS_PUT_UINT16_BE( p - buf - 2, buf, 0 );
1038
1039 MBEDTLS_SSL_DEBUG_BUF( 3, "pre_shared_key binders", buf, p - buf );
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]1040
1041 return( 0 );
1042}
Jerry Yu0c6105b2022-08-12 17:26:40 +0800[diff] [blame]1043
1044/*
1045 * struct {
1046 * opaque identity<1..2^16-1>;
1047 * uint32 obfuscated_ticket_age;
1048 * } PskIdentity;
1049 *
1050 * opaque PskBinderEntry<32..255>;
1051 *
1052 * struct {
1053 *
1054 * select (Handshake.msg_type) {
1055 * ...
1056 * case server_hello: uint16 selected_identity;
1057 * };
1058 *
1059 * } PreSharedKeyExtension;
1060 *
1061 */
1062MBEDTLS_CHECK_RETURN_CRITICAL
1063static int ssl_tls13_parse_server_pre_shared_key_ext( mbedtls_ssl_context *ssl,
1064 const unsigned char *buf,
1065 const unsigned char *end )
1066{
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]1067 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yub300e3c2022-09-28 22:12:07 +0800[diff] [blame]1068 int selected_identity;
Jerry Yub300e3c2022-09-28 22:12:07 +0800[diff] [blame]1069 const unsigned char *psk;
1070 size_t psk_len;
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]1071 psa_algorithm_t hash_alg;
Jerry Yub300e3c2022-09-28 22:12:07 +0800[diff] [blame]1072
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]1073 MBEDTLS_SSL_CHK_BUF_READ_PTR( buf, end, 2 );
Jerry Yub300e3c2022-09-28 22:12:07 +0800[diff] [blame]1074 selected_identity = MBEDTLS_GET_UINT16_BE( buf, 0 );
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]1075
Jerry Yub300e3c2022-09-28 22:12:07 +0800[diff] [blame]1076 MBEDTLS_SSL_DEBUG_MSG( 3, ( "selected_identity = %d", selected_identity ) );
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]1077
Jerry Yu4a698342022-09-30 12:22:01 +0800[diff] [blame]1078 if( selected_identity >= ssl_tls13_get_configured_psk_count( ssl ) )
Jerry Yub300e3c2022-09-28 22:12:07 +0800[diff] [blame]1079 {
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]1080 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Invalid PSK identity." ) );
Jerry Yu4a698342022-09-30 12:22:01 +0800[diff] [blame]1081
1082 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
1083 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
1084 return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
Jerry Yub300e3c2022-09-28 22:12:07 +0800[diff] [blame]1085 }
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]1086
Jerry Yu4a698342022-09-30 12:22:01 +0800[diff] [blame]1087#if defined(MBEDTLS_SSL_SESSION_TICKETS)
1088 if( selected_identity == 0 && ssl_tls13_has_configured_ticket( ssl ) )
Jerry Yub300e3c2022-09-28 22:12:07 +0800[diff] [blame]1089 {
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]1090 ret = ssl_tls13_ticket_get_psk( ssl, &hash_alg, &psk, &psk_len );
Jerry Yu4a698342022-09-30 12:22:01 +0800[diff] [blame]1091 }
1092 else
1093#endif
Ronald Crond29e13e2022-10-19 10:33:48 +0200[diff] [blame]1094 if( mbedtls_ssl_conf_has_static_psk( ssl->conf ) )
Jerry Yu4a698342022-09-30 12:22:01 +0800[diff] [blame]1095 {
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]1096 ret = ssl_tls13_psk_get_psk( ssl, &hash_alg, &psk, &psk_len );
Jerry Yub300e3c2022-09-28 22:12:07 +0800[diff] [blame]1097 }
1098 else
1099 {
1100 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1101 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
1102 }
Jerry Yub300e3c2022-09-28 22:12:07 +0800[diff] [blame]1103 if( ret != 0 )
1104 return( ret );
1105
1106 ret = mbedtls_ssl_set_hs_psk( ssl, psk, psk_len );
1107 if( ret != 0 )
1108 {
1109 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_set_hs_psk", ret );
Jerry Yu6916e702022-10-10 21:33:51 +0800[diff] [blame]1110 return( ret );
Jerry Yub300e3c2022-09-28 22:12:07 +0800[diff] [blame]1111 }
Jerry Yub300e3c2022-09-28 22:12:07 +0800[diff] [blame]1112
Jerry Yu6916e702022-10-10 21:33:51 +0800[diff] [blame]1113 ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_PRE_SHARED_KEY;
1114
1115 return( 0 );
Jerry Yu0c6105b2022-08-12 17:26:40 +0800[diff] [blame]1116}
Ronald Cron41a443a2022-10-04 16:38:25 +0200[diff] [blame]1117#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]1118
Ronald Cron3d580bf2022-02-18 17:24:56 +0100[diff] [blame]1119int mbedtls_ssl_tls13_write_client_hello_exts( mbedtls_ssl_context *ssl,
1120 unsigned char *buf,
1121 unsigned char *end,
1122 size_t *out_len )
Ronald Cron04fbd2b2022-02-18 12:06:07 +0100[diff] [blame]1123{
1124 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1125 unsigned char *p = buf;
1126 size_t ext_len;
1127
1128 *out_len = 0;
1129
1130 /* Write supported_versions extension
1131 *
1132 * Supported Versions Extension is mandatory with TLS 1.3.
1133 */
1134 ret = ssl_tls13_write_supported_versions_ext( ssl, p, end, &ext_len );
1135 if( ret != 0 )
1136 return( ret );
1137 p += ext_len;
1138
1139 /* Echo the cookie if the server provided one in its preceding
1140 * HelloRetryRequest message.
1141 */
1142 ret = ssl_tls13_write_cookie_ext( ssl, p, end, &ext_len );
1143 if( ret != 0 )
1144 return( ret );
1145 p += ext_len;
1146
Ronald Cron766c0cd2022-10-18 12:17:11 +0200[diff] [blame]1147#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)
Ronald Cron04fbd2b2022-02-18 12:06:07 +0100[diff] [blame]1148 if( mbedtls_ssl_conf_tls13_some_ephemeral_enabled( ssl ) )
1149 {
1150 ret = ssl_tls13_write_key_share_ext( ssl, p, end, &ext_len );
1151 if( ret != 0 )
1152 return( ret );
1153 p += ext_len;
1154 }
Ronald Cron766c0cd2022-10-18 12:17:11 +0200[diff] [blame]1155#endif
Ronald Cron04fbd2b2022-02-18 12:06:07 +0100[diff] [blame]1156
Ronald Cron41a443a2022-10-04 16:38:25 +0200[diff] [blame]1157#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]1158 /* For PSK-based key exchange we need the pre_shared_key extension
1159 * and the psk_key_exchange_modes extension.
1160 *
1161 * The pre_shared_key extension MUST be the last extension in the
1162 * ClientHello. Servers MUST check that it is the last extension and
1163 * otherwise fail the handshake with an "illegal_parameter" alert.
1164 *
1165 * Add the psk_key_exchange_modes extension.
1166 */
1167 ret = ssl_tls13_write_psk_key_exchange_modes_ext( ssl, p, end, &ext_len );
1168 if( ret != 0 )
1169 return( ret );
1170 p += ext_len;
Ronald Cron41a443a2022-10-04 16:38:25 +0200[diff] [blame]1171#endif
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]1172
Ronald Cron04fbd2b2022-02-18 12:06:07 +0100[diff] [blame]1173 *out_len = p - buf;
1174
1175 return( 0 );
1176}
1177
Jerry Yu1bc2c1f2021-09-01 12:57:29 +0800[diff] [blame]1178/*
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1179 * Functions for parsing and processing Server Hello
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1180 */
Ronald Cronfd6193c2022-04-05 11:04:20 +0200[diff] [blame]1181
Ronald Cronda41b382022-03-30 09:57:11 +0200[diff] [blame]1182/**
1183 * \brief Detect if the ServerHello contains a supported_versions extension
1184 * or not.
1185 *
1186 * \param[in] ssl SSL context
1187 * \param[in] buf Buffer containing the ServerHello message
1188 * \param[in] end End of the buffer containing the ServerHello message
1189 *
1190 * \return 0 if the ServerHello does not contain a supported_versions extension
1191 * \return 1 if the ServerHello contains a supported_versions extension
1192 * \return A negative value if an error occurred while parsing the ServerHello.
1193 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1194MBEDTLS_CHECK_RETURN_CRITICAL
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]1195static int ssl_tls13_is_supported_versions_ext_present(
1196 mbedtls_ssl_context *ssl,
1197 const unsigned char *buf,
1198 const unsigned char *end )
1199{
1200 const unsigned char *p = buf;
1201 size_t legacy_session_id_echo_len;
1202 size_t extensions_len;
1203 const unsigned char *extensions_end;
1204
1205 /*
1206 * Check there is enough data to access the legacy_session_id_echo vector
Ronald Cronda41b382022-03-30 09:57:11 +0200[diff] [blame]1207 * length:
1208 * - legacy_version 2 bytes
1209 * - random MBEDTLS_SERVER_HELLO_RANDOM_LEN bytes
1210 * - legacy_session_id_echo length 1 byte
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]1211 */
1212 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, MBEDTLS_SERVER_HELLO_RANDOM_LEN + 3 );
1213 p += MBEDTLS_SERVER_HELLO_RANDOM_LEN + 2;
1214 legacy_session_id_echo_len = *p;
1215
1216 /*
1217 * Jump to the extensions, jumping over:
1218 * - legacy_session_id_echo (legacy_session_id_echo_len + 1) bytes
1219 * - cipher_suite 2 bytes
1220 * - legacy_compression_method 1 byte
1221 */
Ronald Cron28271062022-06-10 14:43:55 +0200[diff] [blame]1222 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, legacy_session_id_echo_len + 4 );
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]1223 p += legacy_session_id_echo_len + 4;
1224
1225 /* Case of no extension */
1226 if( p == end )
1227 return( 0 );
1228
1229 /* ...
1230 * Extension extensions<6..2^16-1>;
1231 * ...
1232 * struct {
1233 * ExtensionType extension_type; (2 bytes)
1234 * opaque extension_data<0..2^16-1>;
1235 * } Extension;
1236 */
1237 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
1238 extensions_len = MBEDTLS_GET_UINT16_BE( p, 0 );
1239 p += 2;
1240
1241 /* Check extensions do not go beyond the buffer of data. */
1242 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, extensions_len );
1243 extensions_end = p + extensions_len;
1244
1245 while( p < extensions_end )
1246 {
1247 unsigned int extension_type;
1248 size_t extension_data_len;
1249
1250 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, 4 );
1251 extension_type = MBEDTLS_GET_UINT16_BE( p, 0 );
1252 extension_data_len = MBEDTLS_GET_UINT16_BE( p, 2 );
1253 p += 4;
1254
1255 if( extension_type == MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS )
1256 return( 1 );
1257
1258 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, extension_data_len );
1259 p += extension_data_len;
1260 }
1261
1262 return( 0 );
1263}
1264
Jerry Yu7a186a02021-10-15 18:46:14 +0800[diff] [blame]1265/* Returns a negative value on failure, and otherwise
Ronald Cronfd6193c2022-04-05 11:04:20 +0200[diff] [blame]1266 * - 1 if the last eight bytes of the ServerHello random bytes indicate that
1267 * the server is TLS 1.3 capable but negotiating TLS 1.2 or below.
1268 * - 0 otherwise
1269 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1270MBEDTLS_CHECK_RETURN_CRITICAL
Ronald Cronfd6193c2022-04-05 11:04:20 +0200[diff] [blame]1271static int ssl_tls13_is_downgrade_negotiation( mbedtls_ssl_context *ssl,
1272 const unsigned char *buf,
1273 const unsigned char *end )
1274{
1275 /* First seven bytes of the magic downgrade strings, see RFC 8446 4.1.3 */
1276 static const unsigned char magic_downgrade_string[] =
1277 { 0x44, 0x4F, 0x57, 0x4E, 0x47, 0x52, 0x44 };
1278 const unsigned char *last_eight_bytes_of_random;
1279 unsigned char last_byte_of_random;
1280
1281 MBEDTLS_SSL_CHK_BUF_READ_PTR( buf, end, MBEDTLS_SERVER_HELLO_RANDOM_LEN + 2 );
1282 last_eight_bytes_of_random = buf + 2 + MBEDTLS_SERVER_HELLO_RANDOM_LEN - 8;
1283
1284 if( memcmp( last_eight_bytes_of_random,
1285 magic_downgrade_string,
1286 sizeof( magic_downgrade_string ) ) == 0 )
1287 {
1288 last_byte_of_random = last_eight_bytes_of_random[7];
1289 return( last_byte_of_random == 0 ||
1290 last_byte_of_random == 1 );
1291 }
1292
1293 return( 0 );
1294}
1295
1296/* Returns a negative value on failure, and otherwise
Ronald Cron828aff62022-05-31 12:04:31 +0200[diff] [blame]1297 * - SSL_SERVER_HELLO or
1298 * - SSL_SERVER_HELLO_HRR
XiaokangQian51eff222021-12-10 10:33:56 +0000[diff] [blame]1299 * to indicate which message is expected and to be parsed next.
1300 */
Ronald Cron828aff62022-05-31 12:04:31 +0200[diff] [blame]1301#define SSL_SERVER_HELLO 0
1302#define SSL_SERVER_HELLO_HRR 1
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1303MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1304static int ssl_server_hello_is_hrr( mbedtls_ssl_context *ssl,
1305 const unsigned char *buf,
1306 const unsigned char *end )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1307{
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1308
1309 /* Check whether this message is a HelloRetryRequest ( HRR ) message.
1310 *
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1311 * Server Hello and HRR are only distinguished by Random set to the
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1312 * special value of the SHA-256 of "HelloRetryRequest".
1313 *
1314 * struct {
1315 * ProtocolVersion legacy_version = 0x0303;
1316 * Random random;
1317 * opaque legacy_session_id_echo<0..32>;
1318 * CipherSuite cipher_suite;
1319 * uint8 legacy_compression_method = 0;
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1320 * Extension extensions<6..2^16-1>;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1321 * } ServerHello;
1322 *
1323 */
Jerry Yu93a13f22022-04-11 23:00:01 +0800[diff] [blame]1324 MBEDTLS_SSL_CHK_BUF_READ_PTR( buf, end,
1325 2 + sizeof( mbedtls_ssl_tls13_hello_retry_request_magic ) );
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1326
Jerry Yu93a13f22022-04-11 23:00:01 +0800[diff] [blame]1327 if( memcmp( buf + 2, mbedtls_ssl_tls13_hello_retry_request_magic,
1328 sizeof( mbedtls_ssl_tls13_hello_retry_request_magic ) ) == 0 )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1329 {
Ronald Cron828aff62022-05-31 12:04:31 +0200[diff] [blame]1330 return( SSL_SERVER_HELLO_HRR );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1331 }
1332
Ronald Cron828aff62022-05-31 12:04:31 +0200[diff] [blame]1333 return( SSL_SERVER_HELLO );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1334}
1335
Ronald Cron828aff62022-05-31 12:04:31 +0200[diff] [blame]1336/*
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1337 * Returns a negative value on failure, and otherwise
Ronald Cron828aff62022-05-31 12:04:31 +0200[diff] [blame]1338 * - SSL_SERVER_HELLO or
1339 * - SSL_SERVER_HELLO_HRR or
1340 * - SSL_SERVER_HELLO_TLS1_2
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1341 */
Ronald Cron828aff62022-05-31 12:04:31 +0200[diff] [blame]1342#define SSL_SERVER_HELLO_TLS1_2 2
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1343MBEDTLS_CHECK_RETURN_CRITICAL
Ronald Cron828aff62022-05-31 12:04:31 +0200[diff] [blame]1344static int ssl_tls13_preprocess_server_hello( mbedtls_ssl_context *ssl,
Ronald Crondb5dfa12022-05-31 11:44:38 +0200[diff] [blame]1345 const unsigned char *buf,
1346 const unsigned char *end )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1347{
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1348 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Ronald Cron5afb9042022-05-31 12:11:39 +0200[diff] [blame]1349 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1350
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]1351 MBEDTLS_SSL_PROC_CHK_NEG( ssl_tls13_is_supported_versions_ext_present(
Ronald Crondb5dfa12022-05-31 11:44:38 +0200[diff] [blame]1352 ssl, buf, end ) );
Jerry Yua66fece2022-07-13 14:30:29 +0800[diff] [blame]1353
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]1354 if( ret == 0 )
1355 {
Ronald Cronfd6193c2022-04-05 11:04:20 +0200[diff] [blame]1356 MBEDTLS_SSL_PROC_CHK_NEG(
Ronald Crondb5dfa12022-05-31 11:44:38 +0200[diff] [blame]1357 ssl_tls13_is_downgrade_negotiation( ssl, buf, end ) );
Ronald Cronfd6193c2022-04-05 11:04:20 +0200[diff] [blame]1358
1359 /* If the server is negotiating TLS 1.2 or below and:
1360 * . we did not propose TLS 1.2 or
1361 * . the server responded it is TLS 1.3 capable but negotiating a lower
1362 * version of the protocol and thus we are under downgrade attack
1363 * abort the handshake with an "illegal parameter" alert.
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]1364 */
Ronald Cron5afb9042022-05-31 12:11:39 +0200[diff] [blame]1365 if( handshake->min_tls_version > MBEDTLS_SSL_VERSION_TLS1_2 || ret )
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]1366 {
1367 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
1368 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
1369 return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
1370 }
1371
1372 ssl->keep_current_message = 1;
Glenn Strauss60bfe602022-03-14 19:04:24 -0400[diff] [blame]1373 ssl->tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]1374 mbedtls_ssl_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_SERVER_HELLO,
Ronald Crondb5dfa12022-05-31 11:44:38 +0200[diff] [blame]1375 buf, (size_t)(end - buf) );
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]1376
1377 if( mbedtls_ssl_conf_tls13_some_ephemeral_enabled( ssl ) )
1378 {
1379 ret = ssl_tls13_reset_key_share( ssl );
1380 if( ret != 0 )
1381 return( ret );
1382 }
1383
Ronald Cron828aff62022-05-31 12:04:31 +0200[diff] [blame]1384 return( SSL_SERVER_HELLO_TLS1_2 );
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]1385 }
1386
Jerry Yua66fece2022-07-13 14:30:29 +0800[diff] [blame]1387#if defined(MBEDTLS_SSL_SESSION_TICKETS)
1388 ssl->session_negotiate->endpoint = ssl->conf->endpoint;
1389 ssl->session_negotiate->tls_version = ssl->tls_version;
1390#endif /* MBEDTLS_SSL_SESSION_TICKETS */
1391
Ronald Cron5afb9042022-05-31 12:11:39 +0200[diff] [blame]1392 handshake->extensions_present = MBEDTLS_SSL_EXT_NONE;
1393
Ronald Crondb5dfa12022-05-31 11:44:38 +0200[diff] [blame]1394 ret = ssl_server_hello_is_hrr( ssl, buf, end );
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1395 switch( ret )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1396 {
Ronald Cron828aff62022-05-31 12:04:31 +0200[diff] [blame]1397 case SSL_SERVER_HELLO:
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1398 MBEDTLS_SSL_DEBUG_MSG( 2, ( "received ServerHello message" ) );
1399 break;
Ronald Cron828aff62022-05-31 12:04:31 +0200[diff] [blame]1400 case SSL_SERVER_HELLO_HRR:
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1401 MBEDTLS_SSL_DEBUG_MSG( 2, ( "received HelloRetryRequest message" ) );
XiaokangQian16acd4b2022-01-14 07:35:47 +0000[diff] [blame]1402 /* If a client receives a second
1403 * HelloRetryRequest in the same connection (i.e., where the ClientHello
1404 * was itself in response to a HelloRetryRequest), it MUST abort the
1405 * handshake with an "unexpected_message" alert.
1406 */
Ronald Cron5afb9042022-05-31 12:11:39 +0200[diff] [blame]1407 if( handshake->hello_retry_request_count > 0 )
XiaokangQian16acd4b2022-01-14 07:35:47 +0000[diff] [blame]1408 {
1409 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Multiple HRRs received" ) );
1410 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE,
1411 MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
1412 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
1413 }
XiaokangQian2b01dc32022-01-21 02:53:13 +0000[diff] [blame]1414 /*
1415 * Clients must abort the handshake with an "illegal_parameter"
1416 * alert if the HelloRetryRequest would not result in any change
1417 * in the ClientHello.
1418 * In a PSK only key exchange that what we expect.
1419 */
1420 if( ! mbedtls_ssl_conf_tls13_some_ephemeral_enabled( ssl ) )
1421 {
1422 MBEDTLS_SSL_DEBUG_MSG( 1,
1423 ( "Unexpected HRR in pure PSK key exchange." ) );
1424 MBEDTLS_SSL_PEND_FATAL_ALERT(
1425 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
1426 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
1427 return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
1428 }
XiaokangQian16acd4b2022-01-14 07:35:47 +0000[diff] [blame]1429
Ronald Cron5afb9042022-05-31 12:11:39 +0200[diff] [blame]1430 handshake->hello_retry_request_count++;
XiaokangQian16acd4b2022-01-14 07:35:47 +0000[diff] [blame]1431
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1432 break;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1433 }
1434
1435cleanup:
1436
1437 return( ret );
1438}
1439
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1440MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1441static int ssl_tls13_check_server_hello_session_id_echo( mbedtls_ssl_context *ssl,
1442 const unsigned char **buf,
1443 const unsigned char *end )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1444{
1445 const unsigned char *p = *buf;
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1446 size_t legacy_session_id_echo_len;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1447
Jerry Yude4fb2c2021-09-19 18:05:08 +0800[diff] [blame]1448 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 1 );
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1449 legacy_session_id_echo_len = *p++ ;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1450
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1451 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, legacy_session_id_echo_len );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1452
1453 /* legacy_session_id_echo */
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1454 if( ssl->session_negotiate->id_len != legacy_session_id_echo_len ||
1455 memcmp( ssl->session_negotiate->id, p , legacy_session_id_echo_len ) != 0 )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1456 {
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1457 MBEDTLS_SSL_DEBUG_BUF( 3, "Expected Session ID",
1458 ssl->session_negotiate->id,
1459 ssl->session_negotiate->id_len );
1460 MBEDTLS_SSL_DEBUG_BUF( 3, "Received Session ID", p,
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1461 legacy_session_id_echo_len );
1462
1463 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
1464 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
1465
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1466 return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
1467 }
1468
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1469 p += legacy_session_id_echo_len;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1470 *buf = p;
1471
1472 MBEDTLS_SSL_DEBUG_BUF( 3, "Session ID", ssl->session_negotiate->id,
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1473 ssl->session_negotiate->id_len );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1474 return( 0 );
1475}
1476
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1477/* Parse ServerHello message and configure context
1478 *
1479 * struct {
1480 * ProtocolVersion legacy_version = 0x0303; // TLS 1.2
1481 * Random random;
1482 * opaque legacy_session_id_echo<0..32>;
1483 * CipherSuite cipher_suite;
1484 * uint8 legacy_compression_method = 0;
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1485 * Extension extensions<6..2^16-1>;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1486 * } ServerHello;
1487 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1488MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yuc068b662021-10-11 22:30:19 +0800[diff] [blame]1489static int ssl_tls13_parse_server_hello( mbedtls_ssl_context *ssl,
1490 const unsigned char *buf,
XiaokangQiand9e068e2022-01-18 06:23:32 +0000[diff] [blame]1491 const unsigned char *end,
1492 int is_hrr )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1493{
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1494 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1495 const unsigned char *p = buf;
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]1496 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1497 size_t extensions_len;
1498 const unsigned char *extensions_end;
Jerry Yu2c5363e2022-08-04 17:42:49 +0800[diff] [blame]1499 uint32_t extensions_present, allowed_extension_mask;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1500 uint16_t cipher_suite;
Jerry Yude4fb2c2021-09-19 18:05:08 +0800[diff] [blame]1501 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
XiaokangQianb119a352022-01-26 03:29:10 +0000[diff] [blame]1502 int fatal_alert = 0;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1503
1504 /*
1505 * Check there is space for minimal fields
1506 *
1507 * - legacy_version ( 2 bytes)
Jerry Yue6d7e5c2021-10-26 10:44:32 +0800[diff] [blame]1508 * - random (MBEDTLS_SERVER_HELLO_RANDOM_LEN bytes)
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1509 * - legacy_session_id_echo ( 1 byte ), minimum size
1510 * - cipher_suite ( 2 bytes)
1511 * - legacy_compression_method ( 1 byte )
1512 */
Jerry Yue6d7e5c2021-10-26 10:44:32 +0800[diff] [blame]1513 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, MBEDTLS_SERVER_HELLO_RANDOM_LEN + 6 );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1514
1515 MBEDTLS_SSL_DEBUG_BUF( 4, "server hello", p, end - p );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1516 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, version", p, 2 );
1517
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1518 /* ...
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1519 * ProtocolVersion legacy_version = 0x0303; // TLS 1.2
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1520 * ...
1521 * with ProtocolVersion defined as:
1522 * uint16 ProtocolVersion;
1523 */
Glenn Strausse3af4cb2022-03-15 03:23:42 -0400[diff] [blame]1524 if( mbedtls_ssl_read_version( p, ssl->conf->transport ) !=
1525 MBEDTLS_SSL_VERSION_TLS1_2 )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1526 {
1527 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Unsupported version of TLS." ) );
1528 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION,
1529 MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION );
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1530 ret = MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION;
1531 goto cleanup;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1532 }
1533 p += 2;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1534
Jerry Yue6d7e5c2021-10-26 10:44:32 +0800[diff] [blame]1535 /* ...
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1536 * Random random;
1537 * ...
1538 * with Random defined as:
Jerry Yue6d7e5c2021-10-26 10:44:32 +0800[diff] [blame]1539 * opaque Random[MBEDTLS_SERVER_HELLO_RANDOM_LEN];
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1540 */
XiaokangQian53f20b72022-01-18 10:47:33 +0000[diff] [blame]1541 if( !is_hrr )
1542 {
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]1543 memcpy( &handshake->randbytes[MBEDTLS_CLIENT_HELLO_RANDOM_LEN], p,
XiaokangQian53f20b72022-01-18 10:47:33 +0000[diff] [blame]1544 MBEDTLS_SERVER_HELLO_RANDOM_LEN );
1545 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, random bytes",
1546 p, MBEDTLS_SERVER_HELLO_RANDOM_LEN );
1547 }
Jerry Yue6d7e5c2021-10-26 10:44:32 +0800[diff] [blame]1548 p += MBEDTLS_SERVER_HELLO_RANDOM_LEN;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1549
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1550 /* ...
1551 * opaque legacy_session_id_echo<0..32>;
1552 * ...
1553 */
1554 if( ssl_tls13_check_server_hello_session_id_echo( ssl, &p, end ) != 0 )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1555 {
XiaokangQian52da5582022-01-26 09:49:29 +0000[diff] [blame]1556 fatal_alert = MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER;
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1557 goto cleanup;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1558 }
1559
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1560 /* ...
1561 * CipherSuite cipher_suite;
1562 * ...
1563 * with CipherSuite defined as:
1564 * uint8 CipherSuite[2];
1565 */
1566 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1567 cipher_suite = MBEDTLS_GET_UINT16_BE( p, 0 );
1568 p += 2;
1569
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1570
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]1571 ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( cipher_suite );
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1572 /*
Ronald Cronba120bb2022-03-30 22:09:48 +0200[diff] [blame]1573 * Check whether this ciphersuite is valid and offered.
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1574 */
Glenn Strauss60bfe602022-03-14 19:04:24 -0400[diff] [blame]1575 if( ( mbedtls_ssl_validate_ciphersuite( ssl, ciphersuite_info,
1576 ssl->tls_version,
1577 ssl->tls_version ) != 0 ) ||
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]1578 !mbedtls_ssl_tls13_cipher_suite_is_offered( ssl, cipher_suite ) )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1579 {
XiaokangQian52da5582022-01-26 09:49:29 +0000[diff] [blame]1580 fatal_alert = MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1581 }
XiaokangQian53f20b72022-01-18 10:47:33 +0000[diff] [blame]1582 /*
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]1583 * If we received an HRR before and that the proposed selected
1584 * ciphersuite in this server hello is not the same as the one
1585 * proposed in the HRR, we abort the handshake and send an
1586 * "illegal_parameter" alert.
XiaokangQian53f20b72022-01-18 10:47:33 +0000[diff] [blame]1587 */
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]1588 else if( ( !is_hrr ) && ( handshake->hello_retry_request_count > 0 ) &&
1589 ( cipher_suite != ssl->session_negotiate->ciphersuite ) )
XiaokangQian53f20b72022-01-18 10:47:33 +0000[diff] [blame]1590 {
XiaokangQian52da5582022-01-26 09:49:29 +0000[diff] [blame]1591 fatal_alert = MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER;
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]1592 }
XiaokangQian53f20b72022-01-18 10:47:33 +0000[diff] [blame]1593
XiaokangQian52da5582022-01-26 09:49:29 +0000[diff] [blame]1594 if( fatal_alert == MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER )
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]1595 {
1596 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid ciphersuite(%04x) parameter",
1597 cipher_suite ) );
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1598 goto cleanup;
XiaokangQian53f20b72022-01-18 10:47:33 +0000[diff] [blame]1599 }
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1600
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1601 /* Configure ciphersuites */
1602 mbedtls_ssl_optimize_checksum( ssl, ciphersuite_info );
1603
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]1604 handshake->ciphersuite_info = ciphersuite_info;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1605 ssl->session_negotiate->ciphersuite = cipher_suite;
1606
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1607 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: ( %04x ) - %s",
1608 cipher_suite, ciphersuite_info->name ) );
1609
1610#if defined(MBEDTLS_HAVE_TIME)
1611 ssl->session_negotiate->start = time( NULL );
1612#endif /* MBEDTLS_HAVE_TIME */
1613
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1614 /* ...
1615 * uint8 legacy_compression_method = 0;
1616 * ...
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1617 */
Jerry Yude4fb2c2021-09-19 18:05:08 +0800[diff] [blame]1618 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 1 );
Thomas Daubney31e03a82022-07-25 15:59:25 +0100[diff] [blame]1619 if( p[0] != MBEDTLS_SSL_COMPRESS_NULL )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1620 {
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1621 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad legacy compression method" ) );
XiaokangQian52da5582022-01-26 09:49:29 +0000[diff] [blame]1622 fatal_alert = MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER;
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1623 goto cleanup;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1624 }
1625 p++;
1626
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1627 /* ...
1628 * Extension extensions<6..2^16-1>;
1629 * ...
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1630 * struct {
1631 * ExtensionType extension_type; (2 bytes)
1632 * opaque extension_data<0..2^16-1>;
1633 * } Extension;
1634 */
Jerry Yude4fb2c2021-09-19 18:05:08 +0800[diff] [blame]1635 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1636 extensions_len = MBEDTLS_GET_UINT16_BE( p, 0 );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1637 p += 2;
Jerry Yude4fb2c2021-09-19 18:05:08 +0800[diff] [blame]1638
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1639 /* Check extensions do not go beyond the buffer of data. */
1640 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, extensions_len );
1641 extensions_end = p + extensions_len;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1642
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1643 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello extensions", p, extensions_len );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1644
Jerry Yu2c5363e2022-08-04 17:42:49 +0800[diff] [blame]1645 extensions_present = MBEDTLS_SSL_EXT_NONE;
1646 allowed_extension_mask = is_hrr ?
1647 MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_HRR :
1648 MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_SH;
1649
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1650 while( p < extensions_end )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1651 {
1652 unsigned int extension_type;
1653 size_t extension_data_len;
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]1654 const unsigned char *extension_data_end;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1655
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1656 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, 4 );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1657 extension_type = MBEDTLS_GET_UINT16_BE( p, 0 );
1658 extension_data_len = MBEDTLS_GET_UINT16_BE( p, 2 );
1659 p += 4;
1660
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1661 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, extension_data_len );
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]1662 extension_data_end = p + extension_data_len;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1663
Jerry Yu2c5363e2022-08-04 17:42:49 +0800[diff] [blame]1664 /* RFC 8446 page 35
1665 *
1666 * If an implementation receives an extension which it recognizes and which
1667 * is not specified for the message in which it appears, it MUST abort the
1668 * handshake with an "illegal_parameter" alert.
1669 */
1670 extensions_present |= mbedtls_tls13_get_extension_mask( extension_type );
1671 MBEDTLS_SSL_DEBUG_MSG( 3,
1672 ( "%s: received %s(%u) extension",
1673 is_hrr ? "hello retry request" : "server hello",
1674 mbedtls_tls13_get_extension_name( extension_type ),
1675 extension_type ) );
1676 if( ( extensions_present & allowed_extension_mask ) == 0 )
1677 {
1678 fatal_alert = MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER;
1679 goto cleanup;
1680 }
1681
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1682 switch( extension_type )
1683 {
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]1684 case MBEDTLS_TLS_EXT_COOKIE:
1685
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]1686 ret = ssl_tls13_parse_cookie_ext( ssl,
1687 p, extension_data_end );
1688 if( ret != 0 )
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]1689 {
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]1690 MBEDTLS_SSL_DEBUG_RET( 1,
1691 "ssl_tls13_parse_cookie_ext",
1692 ret );
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1693 goto cleanup;
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]1694 }
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]1695 break;
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]1696
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1697 case MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS:
Jerry Yuc068b662021-10-11 22:30:19 +0800[diff] [blame]1698 ret = ssl_tls13_parse_supported_versions_ext( ssl,
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1699 p,
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]1700 extension_data_end );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1701 if( ret != 0 )
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1702 goto cleanup;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1703 break;
1704
Ronald Cron41a443a2022-10-04 16:38:25 +0200[diff] [blame]1705#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1706 case MBEDTLS_TLS_EXT_PRE_SHARED_KEY:
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]1707 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found pre_shared_key extension" ) );
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1708
XiaokangQian86981952022-07-19 09:51:50 +0000[diff] [blame]1709 if( ( ret = ssl_tls13_parse_server_pre_shared_key_ext(
XiaokangQian008d2bf2022-07-14 07:54:01 +0000[diff] [blame]1710 ssl, p, extension_data_end ) ) != 0 )
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]1711 {
1712 MBEDTLS_SSL_DEBUG_RET(
XiaokangQian86981952022-07-19 09:51:50 +0000[diff] [blame]1713 1, ( "ssl_tls13_parse_server_pre_shared_key_ext" ), ret );
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]1714 return( ret );
1715 }
1716 break;
Ronald Cron41a443a2022-10-04 16:38:25 +0200[diff] [blame]1717#endif
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1718
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1719 case MBEDTLS_TLS_EXT_KEY_SHARE:
1720 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found key_shares extension" ) );
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1721 if( ! mbedtls_ssl_conf_tls13_some_ephemeral_enabled( ssl ) )
1722 {
XiaokangQian52da5582022-01-26 09:49:29 +0000[diff] [blame]1723 fatal_alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT;
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1724 goto cleanup;
1725 }
1726
XiaokangQian53f20b72022-01-18 10:47:33 +0000[diff] [blame]1727 if( is_hrr )
XiaokangQiand9e068e2022-01-18 06:23:32 +0000[diff] [blame]1728 ret = ssl_tls13_parse_hrr_key_share_ext( ssl,
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]1729 p, extension_data_end );
XiaokangQian53f20b72022-01-18 10:47:33 +0000[diff] [blame]1730 else
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]1731 ret = ssl_tls13_parse_key_share_ext( ssl,
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]1732 p, extension_data_end );
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]1733 if( ret != 0 )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1734 {
1735 MBEDTLS_SSL_DEBUG_RET( 1,
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1736 "ssl_tls13_parse_key_share_ext",
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1737 ret );
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1738 goto cleanup;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1739 }
1740 break;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1741
1742 default:
Jerry Yu9872eb22022-08-29 13:42:01 +0800[diff] [blame]1743 MBEDTLS_SSL_DEBUG_MSG( 2,
1744 ( "%s: unexpected extension (%s(%u)) received .",
Jerry Yu2c5363e2022-08-04 17:42:49 +0800[diff] [blame]1745 is_hrr ? "hello retry request" : "server hello",
1746 mbedtls_tls13_get_extension_name( extension_type ),
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1747 extension_type ) );
Jerry Yu9872eb22022-08-29 13:42:01 +0800[diff] [blame]1748 ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
1749 goto cleanup;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1750 }
1751
1752 p += extension_data_len;
1753 }
1754
Jerry Yu2c5363e2022-08-04 17:42:49 +0800[diff] [blame]1755 MBEDTLS_SSL_TLS1_3_PRINT_EXTS(
1756 3, is_hrr ? "HelloRetryRequest" : "ServerHello", extensions_present );
1757
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1758cleanup:
1759
XiaokangQian52da5582022-01-26 09:49:29 +0000[diff] [blame]1760 if( fatal_alert == MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT )
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1761 {
1762 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT,
1763 MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION );
1764 ret = MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION;
1765 }
XiaokangQian52da5582022-01-26 09:49:29 +0000[diff] [blame]1766 else if ( fatal_alert == MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER )
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1767 {
1768 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
1769 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
1770 ret = MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
1771 }
1772 return( ret );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1773}
1774
Xiaokang Qiancb6e9632022-09-26 11:59:32 +0000[diff] [blame]1775#if defined(MBEDTLS_DEBUG_C)
1776static const char *ssl_tls13_get_kex_mode_str(int mode)
Xiaokang Qian5beec4b2022-09-26 08:23:45 +0000[diff] [blame]1777{
1778 switch( mode )
1779 {
1780 case MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK:
1781 return "psk";
1782 case MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL:
1783 return "ephemeral";
1784 case MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL:
1785 return "psk_ephemeral";
1786 default:
1787 return "unknown mode";
1788 }
1789}
Xiaokang Qiancb6e9632022-09-26 11:59:32 +0000[diff] [blame]1790#endif /* MBEDTLS_DEBUG_C */
Xiaokang Qian5beec4b2022-09-26 08:23:45 +0000[diff] [blame]1791
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1792MBEDTLS_CHECK_RETURN_CRITICAL
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]1793static int ssl_tls13_postprocess_server_hello( mbedtls_ssl_context *ssl )
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1794{
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1795 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1796 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
Jerry Yu0b177842021-09-05 19:41:30 +0800[diff] [blame]1797
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1798 /* Determine the key exchange mode:
1799 * 1) If both the pre_shared_key and key_share extensions were received
1800 * then the key exchange mode is PSK with EPHEMERAL.
1801 * 2) If only the pre_shared_key extension was received then the key
1802 * exchange mode is PSK-only.
1803 * 3) If only the key_share extension was received then the key
1804 * exchange mode is EPHEMERAL-only.
Jerry Yu0b177842021-09-05 19:41:30 +0800[diff] [blame]1805 */
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1806 switch( handshake->extensions_present &
1807 ( MBEDTLS_SSL_EXT_PRE_SHARED_KEY | MBEDTLS_SSL_EXT_KEY_SHARE ) )
Jerry Yu0b177842021-09-05 19:41:30 +0800[diff] [blame]1808 {
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1809 /* Only the pre_shared_key extension was received */
1810 case MBEDTLS_SSL_EXT_PRE_SHARED_KEY:
Ronald Cron79907712022-07-20 17:05:29 +0200[diff] [blame]1811 handshake->key_exchange_mode = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK;
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1812 break;
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1813
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1814 /* Only the key_share extension was received */
1815 case MBEDTLS_SSL_EXT_KEY_SHARE:
Ronald Cron79907712022-07-20 17:05:29 +0200[diff] [blame]1816 handshake->key_exchange_mode = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL;
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1817 break;
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1818
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1819 /* Both the pre_shared_key and key_share extensions were received */
1820 case ( MBEDTLS_SSL_EXT_PRE_SHARED_KEY | MBEDTLS_SSL_EXT_KEY_SHARE ):
Ronald Cron79907712022-07-20 17:05:29 +0200[diff] [blame]1821 handshake->key_exchange_mode = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL;
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1822 break;
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1823
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1824 /* Neither pre_shared_key nor key_share extension was received */
1825 default:
1826 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Unknown key exchange." ) );
1827 ret = MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
1828 goto cleanup;
Jerry Yu0b177842021-09-05 19:41:30 +0800[diff] [blame]1829 }
1830
Xiaokang Qianac8195f2022-09-26 04:01:06 +0000[diff] [blame]1831 if( !mbedtls_ssl_conf_tls13_check_kex_modes( ssl, handshake->key_exchange_mode ) )
1832 {
1833 ret = MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
1834 MBEDTLS_SSL_DEBUG_MSG( 2,
Xiaokang Qianca343ae2022-09-28 02:07:54 +0000[diff] [blame]1835 ( "Key exchange mode(%s) is not supported.",
Xiaokang Qiancb6e9632022-09-26 11:59:32 +0000[diff] [blame]1836 ssl_tls13_get_kex_mode_str( handshake->key_exchange_mode ) ) );
Xiaokang Qianac8195f2022-09-26 04:01:06 +0000[diff] [blame]1837 goto cleanup;
1838 }
1839
Xiaokang Qian5beec4b2022-09-26 08:23:45 +0000[diff] [blame]1840 MBEDTLS_SSL_DEBUG_MSG( 3,
Xiaokang Qianca343ae2022-09-28 02:07:54 +0000[diff] [blame]1841 ( "Selected key exchange mode: %s",
Xiaokang Qiancb6e9632022-09-26 11:59:32 +0000[diff] [blame]1842 ssl_tls13_get_kex_mode_str( handshake->key_exchange_mode ) ) );
Xiaokang Qian5beec4b2022-09-26 08:23:45 +0000[diff] [blame]1843
Jerry Yu0b177842021-09-05 19:41:30 +0800[diff] [blame]1844 /* Start the TLS 1.3 key schedule: Set the PSK and derive early secret.
1845 *
1846 * TODO: We don't have to do this in case we offered 0-RTT and the
1847 * server accepted it. In this case, we could skip generating
1848 * the early secret. */
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]1849 ret = mbedtls_ssl_tls13_key_schedule_stage_early( ssl );
Jerry Yu0b177842021-09-05 19:41:30 +0800[diff] [blame]1850 if( ret != 0 )
1851 {
Jerry Yue110d252022-05-05 10:19:22 +0800[diff] [blame]1852 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_key_schedule_stage_early",
Jerry Yu0b177842021-09-05 19:41:30 +0800[diff] [blame]1853 ret );
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1854 goto cleanup;
Jerry Yu0b177842021-09-05 19:41:30 +0800[diff] [blame]1855 }
1856
Jerry Yuf86eb752022-05-06 11:16:55 +0800[diff] [blame]1857 ret = mbedtls_ssl_tls13_compute_handshake_transform( ssl );
Jerry Yu0b177842021-09-05 19:41:30 +0800[diff] [blame]1858 if( ret != 0 )
1859 {
Jerry Yuf86eb752022-05-06 11:16:55 +0800[diff] [blame]1860 MBEDTLS_SSL_DEBUG_RET( 1,
1861 "mbedtls_ssl_tls13_compute_handshake_transform",
Jerry Yuc068b662021-10-11 22:30:19 +0800[diff] [blame]1862 ret );
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1863 goto cleanup;
Jerry Yu0b177842021-09-05 19:41:30 +0800[diff] [blame]1864 }
1865
Jerry Yue110d252022-05-05 10:19:22 +0800[diff] [blame]1866 mbedtls_ssl_set_inbound_transform( ssl, handshake->transform_handshake );
Jerry Yu0b177842021-09-05 19:41:30 +0800[diff] [blame]1867 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Switch to handshake keys for inbound traffic" ) );
1868 ssl->session_in = ssl->session_negotiate;
1869
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1870cleanup:
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1871 if( ret != 0 )
1872 {
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1873 MBEDTLS_SSL_PEND_FATAL_ALERT(
1874 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
1875 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
1876 }
Jerry Yue110d252022-05-05 10:19:22 +0800[diff] [blame]1877
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1878 return( ret );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1879}
1880
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1881MBEDTLS_CHECK_RETURN_CRITICAL
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]1882static int ssl_tls13_postprocess_hrr( mbedtls_ssl_context *ssl )
XiaokangQian647719a2021-12-07 09:16:29 +0000[diff] [blame]1883{
1884 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1885
XiaokangQian78b1fa72022-01-19 06:56:30 +0000[diff] [blame]1886 mbedtls_ssl_session_reset_msg_layer( ssl, 0 );
XiaokangQian647719a2021-12-07 09:16:29 +0000[diff] [blame]1887
XiaokangQian78b1fa72022-01-19 06:56:30 +0000[diff] [blame]1888 /*
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]1889 * We are going to re-generate a shared secret corresponding to the group
1890 * selected by the server, which is different from the group for which we
1891 * generated a shared secret in the first client hello.
1892 * Thus, reset the shared secret.
XiaokangQian51eff222021-12-10 10:33:56 +0000[diff] [blame]1893 */
XiaokangQian16acd4b2022-01-14 07:35:47 +0000[diff] [blame]1894 ret = ssl_tls13_reset_key_share( ssl );
XiaokangQian647719a2021-12-07 09:16:29 +0000[diff] [blame]1895 if( ret != 0 )
1896 return( ret );
1897
1898 return( 0 );
1899}
1900
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1901/*
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1902 * Wait and parse ServerHello handshake message.
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]1903 * Handler for MBEDTLS_SSL_SERVER_HELLO
1904 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1905MBEDTLS_CHECK_RETURN_CRITICAL
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]1906static int ssl_tls13_process_server_hello( mbedtls_ssl_context *ssl )
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]1907{
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1908 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
XiaokangQian647719a2021-12-07 09:16:29 +0000[diff] [blame]1909 unsigned char *buf = NULL;
1910 size_t buf_len = 0;
XiaokangQian78b1fa72022-01-19 06:56:30 +0000[diff] [blame]1911 int is_hrr = 0;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1912
1913 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> %s", __func__ ) );
1914
Ronald Crondb5dfa12022-05-31 11:44:38 +0200[diff] [blame]1915 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_fetch_handshake_msg( ssl,
1916 MBEDTLS_SSL_HS_SERVER_HELLO,
1917 &buf, &buf_len ) );
1918
Ronald Cron828aff62022-05-31 12:04:31 +0200[diff] [blame]1919 ret = ssl_tls13_preprocess_server_hello( ssl, buf, buf + buf_len );
XiaokangQiand9e068e2022-01-18 06:23:32 +0000[diff] [blame]1920 if( ret < 0 )
XiaokangQian16acd4b2022-01-14 07:35:47 +0000[diff] [blame]1921 goto cleanup;
1922 else
Ronald Cron828aff62022-05-31 12:04:31 +0200[diff] [blame]1923 is_hrr = ( ret == SSL_SERVER_HELLO_HRR );
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1924
Ronald Cron828aff62022-05-31 12:04:31 +0200[diff] [blame]1925 if( ret == SSL_SERVER_HELLO_TLS1_2 )
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]1926 {
1927 ret = 0;
1928 goto cleanup;
1929 }
1930
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]1931 MBEDTLS_SSL_PROC_CHK( ssl_tls13_parse_server_hello( ssl, buf,
XiaokangQiand9e068e2022-01-18 06:23:32 +0000[diff] [blame]1932 buf + buf_len,
1933 is_hrr ) );
1934 if( is_hrr )
XiaokangQian647719a2021-12-07 09:16:29 +0000[diff] [blame]1935 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_reset_transcript_for_hrr( ssl ) );
1936
Ronald Cron8f6d39a2022-03-10 18:56:50 +0100[diff] [blame]1937 mbedtls_ssl_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_SERVER_HELLO,
1938 buf, buf_len );
XiaokangQian647719a2021-12-07 09:16:29 +0000[diff] [blame]1939
XiaokangQiand9e068e2022-01-18 06:23:32 +0000[diff] [blame]1940 if( is_hrr )
Ronald Cronfb508b82022-05-31 14:49:55 +0200[diff] [blame]1941 {
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]1942 MBEDTLS_SSL_PROC_CHK( ssl_tls13_postprocess_hrr( ssl ) );
Ronald Cronfb508b82022-05-31 14:49:55 +0200[diff] [blame]1943#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
1944 /* If not offering early data, the client sends a dummy CCS record
1945 * immediately before its second flight. This may either be before
1946 * its second ClientHello or before its encrypted handshake flight.
1947 */
1948 mbedtls_ssl_handshake_set_state( ssl,
1949 MBEDTLS_SSL_CLIENT_CCS_BEFORE_2ND_CLIENT_HELLO );
1950#else
1951 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_HELLO );
1952#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
1953 }
XiaokangQiand9e068e2022-01-18 06:23:32 +0000[diff] [blame]1954 else
Ronald Cronfb508b82022-05-31 14:49:55 +0200[diff] [blame]1955 {
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]1956 MBEDTLS_SSL_PROC_CHK( ssl_tls13_postprocess_server_hello( ssl ) );
Ronald Cronfb508b82022-05-31 14:49:55 +0200[diff] [blame]1957 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_ENCRYPTED_EXTENSIONS );
1958 }
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1959
1960cleanup:
XiaokangQiana9090612022-01-27 03:48:27 +0000[diff] [blame]1961 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= %s ( %s )", __func__,
1962 is_hrr?"HelloRetryRequest":"ServerHello" ) );
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1963 return( ret );
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]1964}
1965
1966/*
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]1967 *
Ronald Cron9d6a5452022-05-30 16:05:38 +0200[diff] [blame]1968 * Handler for MBEDTLS_SSL_ENCRYPTED_EXTENSIONS
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]1969 *
1970 * The EncryptedExtensions message contains any extensions which
1971 * should be protected, i.e., any which are not needed to establish
1972 * the cryptographic context.
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]1973 */
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]1974
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]1975/* Parse EncryptedExtensions message
1976 * struct {
XiaokangQian97799ac2021-10-11 10:05:54 +0000[diff] [blame]1977 * Extension extensions<0..2^16-1>;
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]1978 * } EncryptedExtensions;
1979 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1980MBEDTLS_CHECK_RETURN_CRITICAL
XiaokangQian97799ac2021-10-11 10:05:54 +0000[diff] [blame]1981static int ssl_tls13_parse_encrypted_extensions( mbedtls_ssl_context *ssl,
1982 const unsigned char *buf,
1983 const unsigned char *end )
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]1984{
1985 int ret = 0;
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]1986 size_t extensions_len;
XiaokangQian140f0452021-10-08 08:05:53 +0000[diff] [blame]1987 const unsigned char *p = buf;
XiaokangQian8db25ff2021-10-13 05:56:18 +0000[diff] [blame]1988 const unsigned char *extensions_end;
Jerry Yucbd082f2022-08-04 16:55:10 +0800[diff] [blame]1989 uint32_t extensions_present;
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]1990
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]1991 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
XiaokangQian97799ac2021-10-11 10:05:54 +0000[diff] [blame]1992 extensions_len = MBEDTLS_GET_UINT16_BE( p, 0 );
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]1993 p += 2;
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]1994
XiaokangQian97799ac2021-10-11 10:05:54 +0000[diff] [blame]1995 MBEDTLS_SSL_DEBUG_BUF( 3, "encrypted extensions", p, extensions_len );
XiaokangQian8db25ff2021-10-13 05:56:18 +0000[diff] [blame]1996 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, extensions_len );
Ronald Cronc8083592022-05-31 16:24:05 +0200[diff] [blame]1997 extensions_end = p + extensions_len;
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]1998
Jerry Yucbd082f2022-08-04 16:55:10 +0800[diff] [blame]1999 extensions_present = MBEDTLS_SSL_EXT_NONE;
2000
XiaokangQian8db25ff2021-10-13 05:56:18 +0000[diff] [blame]2001 while( p < extensions_end )
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]2002 {
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]2003 unsigned int extension_type;
2004 size_t extension_data_len;
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]2005
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]2006 /*
2007 * struct {
XiaokangQian97799ac2021-10-11 10:05:54 +0000[diff] [blame]2008 * ExtensionType extension_type; (2 bytes)
2009 * opaque extension_data<0..2^16-1>;
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]2010 * } Extension;
2011 */
XiaokangQian8db25ff2021-10-13 05:56:18 +0000[diff] [blame]2012 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, 4 );
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]2013 extension_type = MBEDTLS_GET_UINT16_BE( p, 0 );
2014 extension_data_len = MBEDTLS_GET_UINT16_BE( p, 2 );
2015 p += 4;
2016
XiaokangQian8db25ff2021-10-13 05:56:18 +0000[diff] [blame]2017 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, extension_data_len );
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]2018
Jerry Yucbd082f2022-08-04 16:55:10 +0800[diff] [blame]2019 /* RFC 8446 page 35
2020 *
2021 * If an implementation receives an extension which it recognizes and which
2022 * is not specified for the message in which it appears, it MUST abort the
2023 * handshake with an "illegal_parameter" alert.
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]2024 */
Jerry Yucbd082f2022-08-04 16:55:10 +0800[diff] [blame]2025 extensions_present |= mbedtls_tls13_get_extension_mask( extension_type );
2026 MBEDTLS_SSL_DEBUG_MSG( 3,
2027 ( "encrypted extensions : received %s(%u) extension",
2028 mbedtls_tls13_get_extension_name( extension_type ),
2029 extension_type ) );
2030 if( ( extensions_present & MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_EE ) == 0 )
2031 {
2032 MBEDTLS_SSL_DEBUG_MSG(
2033 3, ( "forbidden extension received." ) );
2034 MBEDTLS_SSL_PEND_FATAL_ALERT(
2035 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
2036 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
2037 return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
2038 }
2039
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]2040 switch( extension_type )
2041 {
Jerry Yu661dd942022-08-03 14:50:01 +0800[diff] [blame]2042 case MBEDTLS_TLS_EXT_SERVERNAME:
2043 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found server_name extension" ) );
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]2044
Jerry Yu661dd942022-08-03 14:50:01 +0800[diff] [blame]2045 /* The server_name extension should be an empty extension */
2046
2047 break;
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]2048 case MBEDTLS_TLS_EXT_SUPPORTED_GROUPS:
2049 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found extensions supported groups" ) );
2050 break;
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]2051
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]2052#if defined(MBEDTLS_SSL_ALPN)
2053 case MBEDTLS_TLS_EXT_ALPN:
2054 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found alpn extension" ) );
2055
2056 if( ( ret = ssl_tls13_parse_alpn_ext( ssl, p, (size_t)extension_data_len ) ) != 0 )
2057 {
2058 return( ret );
2059 }
2060
2061 break;
2062#endif /* MBEDTLS_SSL_ALPN */
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]2063 default:
Jerry Yucbd082f2022-08-04 16:55:10 +0800[diff] [blame]2064 MBEDTLS_SSL_DEBUG_MSG( 3,
2065 ( "encrypted extensions: received %s(%u) extension ( ignored )",
2066 mbedtls_tls13_get_extension_name( extension_type ),
2067 extension_type ) );
2068 break;
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]2069 }
2070
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]2071 p += extension_data_len;
XiaokangQian97799ac2021-10-11 10:05:54 +0000[diff] [blame]2072 }
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]2073
Jerry Yucbd082f2022-08-04 16:55:10 +0800[diff] [blame]2074 MBEDTLS_SSL_TLS1_3_PRINT_EXTS( 3, "EncrypedExtensions", extensions_present );
2075
XiaokangQian97799ac2021-10-11 10:05:54 +0000[diff] [blame]2076 /* Check that we consumed all the message. */
XiaokangQian7b2d4ef2021-10-13 10:19:02 +0000[diff] [blame]2077 if( p != end )
XiaokangQian97799ac2021-10-11 10:05:54 +0000[diff] [blame]2078 {
2079 MBEDTLS_SSL_DEBUG_MSG( 1, ( "EncryptedExtension lengths misaligned" ) );
Jerry Yu7aa71862021-10-28 21:41:30 +0800[diff] [blame]2080 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
XiaokangQian7b2d4ef2021-10-13 10:19:02 +0000[diff] [blame]2081 MBEDTLS_ERR_SSL_DECODE_ERROR );
XiaokangQian97799ac2021-10-11 10:05:54 +0000[diff] [blame]2082 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]2083 }
2084
2085 return( ret );
2086}
2087
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2088MBEDTLS_CHECK_RETURN_CRITICAL
Ronald Cron9d6a5452022-05-30 16:05:38 +0200[diff] [blame]2089static int ssl_tls13_process_encrypted_extensions( mbedtls_ssl_context *ssl )
2090{
2091 int ret;
2092 unsigned char *buf;
2093 size_t buf_len;
2094
2095 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse encrypted extensions" ) );
2096
2097 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_fetch_handshake_msg( ssl,
2098 MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS,
2099 &buf, &buf_len ) );
2100
2101 /* Process the message contents */
2102 MBEDTLS_SSL_PROC_CHK(
2103 ssl_tls13_parse_encrypted_extensions( ssl, buf, buf + buf_len ) );
2104
2105 mbedtls_ssl_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS,
2106 buf, buf_len );
2107
Ronald Cron928cbd32022-10-04 16:14:26 +0200[diff] [blame]2108#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
Ronald Cron79907712022-07-20 17:05:29 +0200[diff] [blame]2109 if( mbedtls_ssl_tls13_key_exchange_mode_with_psk( ssl ) )
Ronald Cronfb508b82022-05-31 14:49:55 +0200[diff] [blame]2110 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_FINISHED );
2111 else
2112 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CERTIFICATE_REQUEST );
2113#else
2114 ((void) ssl);
2115 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_FINISHED );
2116#endif
Ronald Cron9d6a5452022-05-30 16:05:38 +0200[diff] [blame]2117
2118cleanup:
2119
2120 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse encrypted extensions" ) );
2121 return( ret );
2122
2123}
2124
Ronald Cron928cbd32022-10-04 16:14:26 +0200[diff] [blame]2125#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2126/*
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2127 * STATE HANDLING: CertificateRequest
2128 *
Jerry Yud2674312021-10-29 10:08:19 +0800[diff] [blame]2129 */
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]2130#define SSL_CERTIFICATE_REQUEST_EXPECT_REQUEST 0
2131#define SSL_CERTIFICATE_REQUEST_SKIP 1
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2132/* Coordination:
2133 * Deals with the ambiguity of not knowing if a CertificateRequest
2134 * will be sent. Returns a negative code on failure, or
2135 * - SSL_CERTIFICATE_REQUEST_EXPECT_REQUEST
2136 * - SSL_CERTIFICATE_REQUEST_SKIP
2137 * indicating if a Certificate Request is expected or not.
2138 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2139MBEDTLS_CHECK_RETURN_CRITICAL
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2140static int ssl_tls13_certificate_request_coordinate( mbedtls_ssl_context *ssl )
Jerry Yud2674312021-10-29 10:08:19 +0800[diff] [blame]2141{
Xiaofei Baide3f13e2022-01-18 05:47:05 +0000[diff] [blame]2142 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yud2674312021-10-29 10:08:19 +0800[diff] [blame]2143
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2144 if( ( ret = mbedtls_ssl_read_record( ssl, 0 ) ) != 0 )
Jerry Yud2674312021-10-29 10:08:19 +0800[diff] [blame]2145 {
2146 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
2147 return( ret );
2148 }
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2149 ssl->keep_current_message = 1;
Jerry Yud2674312021-10-29 10:08:19 +0800[diff] [blame]2150
2151 if( ( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE ) &&
2152 ( ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE_REQUEST ) )
2153 {
Ronald Cron19385882022-06-15 16:26:13 +0200[diff] [blame]2154 MBEDTLS_SSL_DEBUG_MSG( 3, ( "got a certificate request" ) );
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2155 return( SSL_CERTIFICATE_REQUEST_EXPECT_REQUEST );
Jerry Yud2674312021-10-29 10:08:19 +0800[diff] [blame]2156 }
2157
Ronald Cron19385882022-06-15 16:26:13 +0200[diff] [blame]2158 MBEDTLS_SSL_DEBUG_MSG( 3, ( "got no certificate request" ) );
2159
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2160 return( SSL_CERTIFICATE_REQUEST_SKIP );
2161}
2162
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2163/*
2164 * ssl_tls13_parse_certificate_request()
2165 * Parse certificate request
2166 * struct {
2167 * opaque certificate_request_context<0..2^8-1>;
2168 * Extension extensions<2..2^16-1>;
2169 * } CertificateRequest;
2170 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2171MBEDTLS_CHECK_RETURN_CRITICAL
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2172static int ssl_tls13_parse_certificate_request( mbedtls_ssl_context *ssl,
2173 const unsigned char *buf,
2174 const unsigned char *end )
2175{
2176 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2177 const unsigned char *p = buf;
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2178 size_t certificate_request_context_len = 0;
Xiaofei Bai82f0a9a2022-01-26 09:21:54 +0000[diff] [blame]2179 size_t extensions_len = 0;
2180 const unsigned char *extensions_end;
Jerry Yuc55a6af2022-08-04 17:01:21 +0800[diff] [blame]2181 uint32_t extensions_present;
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2182
Xiaofei Bai82f0a9a2022-01-26 09:21:54 +0000[diff] [blame]2183 /* ...
2184 * opaque certificate_request_context<0..2^8-1>
2185 * ...
2186 */
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2187 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 1 );
2188 certificate_request_context_len = (size_t) p[0];
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]2189 p += 1;
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2190
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2191 if( certificate_request_context_len > 0 )
2192 {
Xiaofei Baic234ecf2022-02-08 09:59:23 +0000[diff] [blame]2193 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, certificate_request_context_len );
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2194 MBEDTLS_SSL_DEBUG_BUF( 3, "Certificate Request Context",
2195 p, certificate_request_context_len );
2196
Xiaofei Bai82f0a9a2022-01-26 09:21:54 +0000[diff] [blame]2197 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]2198 handshake->certificate_request_context =
Xiaofei Bai6d42bb42022-01-28 08:52:13 +0000[diff] [blame]2199 mbedtls_calloc( 1, certificate_request_context_len );
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]2200 if( handshake->certificate_request_context == NULL )
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2201 {
2202 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
2203 return ( MBEDTLS_ERR_SSL_ALLOC_FAILED );
2204 }
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]2205 memcpy( handshake->certificate_request_context, p,
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2206 certificate_request_context_len );
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2207 p += certificate_request_context_len;
2208 }
2209
Xiaofei Bai82f0a9a2022-01-26 09:21:54 +0000[diff] [blame]2210 /* ...
2211 * Extension extensions<2..2^16-1>;
2212 * ...
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2213 */
2214 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
2215 extensions_len = MBEDTLS_GET_UINT16_BE( p, 0 );
2216 p += 2;
2217
2218 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, extensions_len );
2219 extensions_end = p + extensions_len;
2220
Jerry Yuc55a6af2022-08-04 17:01:21 +0800[diff] [blame]2221 extensions_present = MBEDTLS_SSL_EXT_NONE;
2222
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2223 while( p < extensions_end )
2224 {
2225 unsigned int extension_type;
2226 size_t extension_data_len;
Jerry Yuc55a6af2022-08-04 17:01:21 +0800[diff] [blame]2227 uint32_t extension_mask;
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2228
2229 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, 4 );
2230 extension_type = MBEDTLS_GET_UINT16_BE( p, 0 );
2231 extension_data_len = MBEDTLS_GET_UINT16_BE( p, 2 );
2232 p += 4;
2233
2234 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, extension_data_len );
2235
Jerry Yuc55a6af2022-08-04 17:01:21 +0800[diff] [blame]2236 /* RFC 8446 page 35
2237 *
2238 * If an implementation receives an extension which it recognizes and which
2239 * is not specified for the message in which it appears, it MUST abort the
2240 * handshake with an "illegal_parameter" alert.
2241 */
2242 extension_mask = mbedtls_tls13_get_extension_mask( extension_type );
2243
2244 MBEDTLS_SSL_DEBUG_MSG( 3,
2245 ( "encrypted extensions : received %s(%u) extension",
2246 mbedtls_tls13_get_extension_name( extension_type ),
2247 extension_type ) );
2248 if( ( extension_mask & MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CR ) == 0 )
2249 {
2250 MBEDTLS_SSL_DEBUG_MSG(
2251 3, ( "forbidden extension received." ) );
2252 MBEDTLS_SSL_PEND_FATAL_ALERT(
2253 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
2254 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
2255 return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
2256 }
2257
Jerry Yuc55a6af2022-08-04 17:01:21 +0800[diff] [blame]2258 extensions_present |= extension_mask;
2259
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2260 switch( extension_type )
2261 {
2262 case MBEDTLS_TLS_EXT_SIG_ALG:
2263 MBEDTLS_SSL_DEBUG_MSG( 3,
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]2264 ( "found signature algorithms extension" ) );
Gabor Mezei078e8032022-04-27 21:17:56 +0200[diff] [blame]2265 ret = mbedtls_ssl_parse_sig_alg_ext( ssl, p,
Gabor Mezei696956d2022-05-13 16:27:29 +0200[diff] [blame]2266 p + extension_data_len );
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2267 if( ret != 0 )
2268 return( ret );
Jerry Yuc55a6af2022-08-04 17:01:21 +0800[diff] [blame]2269
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2270 break;
2271
2272 default:
Jerry Yuc55a6af2022-08-04 17:01:21 +0800[diff] [blame]2273 MBEDTLS_SSL_DEBUG_MSG( 3,
2274 ( "certificate request: received %s(%u) extension ( ignored )",
2275 mbedtls_tls13_get_extension_name( extension_type ),
2276 extension_type ) );
Xiaofei Bai82f0a9a2022-01-26 09:21:54 +0000[diff] [blame]2277 break;
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2278 }
Jerry Yuc55a6af2022-08-04 17:01:21 +0800[diff] [blame]2279
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2280 p += extension_data_len;
2281 }
Jerry Yuc55a6af2022-08-04 17:01:21 +0800[diff] [blame]2282
2283 MBEDTLS_SSL_TLS1_3_PRINT_EXTS( 3, "CertificateRequest", extensions_present );
2284
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]2285 /* Check that we consumed all the message. */
2286 if( p != end )
2287 {
2288 MBEDTLS_SSL_DEBUG_MSG( 1,
Xiaofei Baic234ecf2022-02-08 09:59:23 +0000[diff] [blame]2289 ( "CertificateRequest misaligned" ) );
2290 goto decode_error;
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]2291 }
Jerry Yuc55a6af2022-08-04 17:01:21 +0800[diff] [blame]2292
2293 /* RFC 8446 page 60
2294 *
2295 * The "signature_algorithms" extension MUST be specified
2296 */
2297 if( ( extensions_present & MBEDTLS_SSL_EXT_SIG_ALG ) == 0 )
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]2298 {
Xiaofei Bai6d42bb42022-01-28 08:52:13 +0000[diff] [blame]2299 MBEDTLS_SSL_DEBUG_MSG( 3,
2300 ( "no signature algorithms extension found" ) );
Xiaofei Baic234ecf2022-02-08 09:59:23 +0000[diff] [blame]2301 goto decode_error;
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]2302 }
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2303
Jerry Yu7840f812022-01-29 10:26:51 +0800[diff] [blame]2304 ssl->handshake->client_auth = 1;
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2305 return( 0 );
Xiaofei Bai51f515a2022-02-08 07:28:04 +0000[diff] [blame]2306
Xiaofei Baic234ecf2022-02-08 09:59:23 +0000[diff] [blame]2307decode_error:
Xiaofei Bai51f515a2022-02-08 07:28:04 +0000[diff] [blame]2308 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
2309 MBEDTLS_ERR_SSL_DECODE_ERROR );
2310 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2311}
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2312
Xiaofei Baide3f13e2022-01-18 05:47:05 +0000[diff] [blame]2313/*
2314 * Handler for MBEDTLS_SSL_CERTIFICATE_REQUEST
2315 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2316MBEDTLS_CHECK_RETURN_CRITICAL
Xiaofei Baide3f13e2022-01-18 05:47:05 +0000[diff] [blame]2317static int ssl_tls13_process_certificate_request( mbedtls_ssl_context *ssl )
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2318{
Xiaofei Baide3f13e2022-01-18 05:47:05 +0000[diff] [blame]2319 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2320
2321 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) );
2322
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2323 MBEDTLS_SSL_PROC_CHK_NEG( ssl_tls13_certificate_request_coordinate( ssl ) );
2324
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2325 if( ret == SSL_CERTIFICATE_REQUEST_EXPECT_REQUEST )
2326 {
2327 unsigned char *buf;
2328 size_t buf_len;
2329
2330 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_fetch_handshake_msg( ssl,
2331 MBEDTLS_SSL_HS_CERTIFICATE_REQUEST,
2332 &buf, &buf_len ) );
2333
2334 MBEDTLS_SSL_PROC_CHK( ssl_tls13_parse_certificate_request( ssl,
2335 buf, buf + buf_len ) );
2336
Ronald Cron8f6d39a2022-03-10 18:56:50 +0100[diff] [blame]2337 mbedtls_ssl_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST,
2338 buf, buf_len );
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2339 }
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]2340 else if( ret == SSL_CERTIFICATE_REQUEST_SKIP )
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2341 {
Xiaofei Baif6d36962022-01-16 14:54:35 +0000[diff] [blame]2342 ret = 0;
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2343 }
2344 else
2345 {
2346 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
Xiaofei Bai51f515a2022-02-08 07:28:04 +0000[diff] [blame]2347 ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
2348 goto cleanup;
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2349 }
2350
Jerry Yud2674312021-10-29 10:08:19 +0800[diff] [blame]2351 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_CERTIFICATE );
2352
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2353cleanup:
2354
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2355 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate request" ) );
2356 return( ret );
Jerry Yud2674312021-10-29 10:08:19 +0800[diff] [blame]2357}
2358
2359/*
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2360 * Handler for MBEDTLS_SSL_SERVER_CERTIFICATE
2361 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2362MBEDTLS_CHECK_RETURN_CRITICAL
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]2363static int ssl_tls13_process_server_certificate( mbedtls_ssl_context *ssl )
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2364{
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]2365 int ret;
2366
2367 ret = mbedtls_ssl_tls13_process_certificate( ssl );
Xiaofei Baif93cbd22021-10-29 02:39:30 +0000[diff] [blame]2368 if( ret != 0 )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]2369 return( ret );
2370
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2371 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CERTIFICATE_VERIFY );
2372 return( 0 );
2373}
2374
2375/*
2376 * Handler for MBEDTLS_SSL_CERTIFICATE_VERIFY
2377 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2378MBEDTLS_CHECK_RETURN_CRITICAL
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]2379static int ssl_tls13_process_certificate_verify( mbedtls_ssl_context *ssl )
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2380{
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]2381 int ret;
2382
2383 ret = mbedtls_ssl_tls13_process_certificate_verify( ssl );
2384 if( ret != 0 )
2385 return( ret );
2386
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2387 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_FINISHED );
2388 return( 0 );
2389}
Ronald Cron928cbd32022-10-04 16:14:26 +0200[diff] [blame]2390#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
Ronald Crond4c64022021-12-06 09:06:46 +0100[diff] [blame]2391
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2392/*
2393 * Handler for MBEDTLS_SSL_SERVER_FINISHED
2394 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2395MBEDTLS_CHECK_RETURN_CRITICAL
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]2396static int ssl_tls13_process_server_finished( mbedtls_ssl_context *ssl )
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2397{
XiaokangQianac0385c2021-11-03 06:40:11 +0000[diff] [blame]2398 int ret;
2399
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]2400 ret = mbedtls_ssl_tls13_process_finished_message( ssl );
XiaokangQianac0385c2021-11-03 06:40:11 +0000[diff] [blame]2401 if( ret != 0 )
2402 return( ret );
2403
Jerry Yue3d67cb2022-05-19 15:33:10 +0800[diff] [blame]2404 ret = mbedtls_ssl_tls13_compute_application_transform( ssl );
2405 if( ret != 0 )
2406 {
2407 MBEDTLS_SSL_PEND_FATAL_ALERT(
2408 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
2409 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
2410 return( ret );
2411 }
2412
Ronald Cron49ad6192021-11-24 16:25:31 +0100[diff] [blame]2413#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
2414 mbedtls_ssl_handshake_set_state(
2415 ssl,
2416 MBEDTLS_SSL_CLIENT_CCS_AFTER_SERVER_FINISHED );
2417#else
Jerry Yuca133a32022-02-15 14:22:05 +0800[diff] [blame]2418 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE );
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]2419#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
Ronald Cron49ad6192021-11-24 16:25:31 +0100[diff] [blame]2420
XiaokangQianac0385c2021-11-03 06:40:11 +0000[diff] [blame]2421 return( 0 );
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2422}
2423
2424/*
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]2425 * Handler for MBEDTLS_SSL_CLIENT_CERTIFICATE
2426 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2427MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]2428static int ssl_tls13_write_client_certificate( mbedtls_ssl_context *ssl )
2429{
Ronald Cron7a94aca2022-03-09 07:44:27 +0100[diff] [blame]2430 int non_empty_certificate_msg = 0;
2431
Jerry Yu5cc35062022-01-28 16:16:08 +0800[diff] [blame]2432 MBEDTLS_SSL_DEBUG_MSG( 1,
2433 ( "Switch to handshake traffic keys for outbound traffic" ) );
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]2434 mbedtls_ssl_set_outbound_transform( ssl, ssl->handshake->transform_handshake );
Jerry Yu5cc35062022-01-28 16:16:08 +0800[diff] [blame]2435
Ronald Cron928cbd32022-10-04 16:14:26 +0200[diff] [blame]2436#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
Ronald Cron5bb8fc82022-03-09 07:00:13 +0100[diff] [blame]2437 if( ssl->handshake->client_auth )
Ronald Cron7a94aca2022-03-09 07:44:27 +0100[diff] [blame]2438 {
2439 int ret = mbedtls_ssl_tls13_write_certificate( ssl );
2440 if( ret != 0 )
2441 return( ret );
Ronald Cron5bb8fc82022-03-09 07:00:13 +0100[diff] [blame]2442
Ronald Cron7a94aca2022-03-09 07:44:27 +0100[diff] [blame]2443 if( mbedtls_ssl_own_cert( ssl ) != NULL )
2444 non_empty_certificate_msg = 1;
2445 }
2446 else
2447 {
XiaokangQian23c5be62022-06-07 02:04:34 +0000[diff] [blame]2448 MBEDTLS_SSL_DEBUG_MSG( 2, ( "skip write certificate" ) );
Ronald Cron7a94aca2022-03-09 07:44:27 +0100[diff] [blame]2449 }
Ronald Cron9df7c802022-03-08 18:38:54 +0100[diff] [blame]2450#endif
Ronald Cron5bb8fc82022-03-09 07:00:13 +0100[diff] [blame]2451
Ronald Cron7a94aca2022-03-09 07:44:27 +0100[diff] [blame]2452 if( non_empty_certificate_msg )
2453 {
2454 mbedtls_ssl_handshake_set_state( ssl,
2455 MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY );
2456 }
2457 else
Ronald Cron19385882022-06-15 16:26:13 +0200[diff] [blame]2458 {
2459 MBEDTLS_SSL_DEBUG_MSG( 2, ( "skip write certificate verify" ) );
Ronald Cron7a94aca2022-03-09 07:44:27 +0100[diff] [blame]2460 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_FINISHED );
Ronald Cron19385882022-06-15 16:26:13 +0200[diff] [blame]2461 }
Ronald Cron7a94aca2022-03-09 07:44:27 +0100[diff] [blame]2462
Ronald Cron5bb8fc82022-03-09 07:00:13 +0100[diff] [blame]2463 return( 0 );
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]2464}
2465
Ronald Cron928cbd32022-10-04 16:14:26 +0200[diff] [blame]2466#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]2467/*
2468 * Handler for MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY
2469 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2470MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]2471static int ssl_tls13_write_client_certificate_verify( mbedtls_ssl_context *ssl )
2472{
Ronald Crona8b38872022-03-09 07:59:25 +0100[diff] [blame]2473 int ret = mbedtls_ssl_tls13_write_certificate_verify( ssl );
2474
2475 if( ret == 0 )
2476 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_FINISHED );
2477
2478 return( ret );
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]2479}
Ronald Cron928cbd32022-10-04 16:14:26 +0200[diff] [blame]2480#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]2481
2482/*
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2483 * Handler for MBEDTLS_SSL_CLIENT_FINISHED
2484 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2485MBEDTLS_CHECK_RETURN_CRITICAL
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]2486static int ssl_tls13_write_client_finished( mbedtls_ssl_context *ssl )
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2487{
XiaokangQian0fa66432021-11-15 03:33:57 +0000[diff] [blame]2488 int ret;
2489
2490 ret = mbedtls_ssl_tls13_write_finished_message( ssl );
2491 if( ret != 0 )
2492 return( ret );
2493
Jerry Yu466dda82022-09-13 11:20:20 +0800[diff] [blame]2494 ret = mbedtls_ssl_tls13_compute_resumption_master_secret( ssl );
Jerry Yue3d67cb2022-05-19 15:33:10 +0800[diff] [blame]2495 if( ret != 0 )
2496 {
2497 MBEDTLS_SSL_DEBUG_RET( 1,
Jerry Yu466dda82022-09-13 11:20:20 +0800[diff] [blame]2498 "mbedtls_ssl_tls13_compute_resumption_master_secret ", ret );
Jerry Yue3d67cb2022-05-19 15:33:10 +0800[diff] [blame]2499 return ( ret );
2500 }
2501
XiaokangQian0fa66432021-11-15 03:33:57 +0000[diff] [blame]2502 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_FLUSH_BUFFERS );
2503 return( 0 );
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2504}
2505
2506/*
2507 * Handler for MBEDTLS_SSL_FLUSH_BUFFERS
2508 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2509MBEDTLS_CHECK_RETURN_CRITICAL
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]2510static int ssl_tls13_flush_buffers( mbedtls_ssl_context *ssl )
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2511{
Jerry Yu378254d2021-10-30 21:44:47 +0800[diff] [blame]2512 MBEDTLS_SSL_DEBUG_MSG( 2, ( "handshake: done" ) );
Jerry Yuad8d0ba2021-09-28 17:58:26 +0800[diff] [blame]2513 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_HANDSHAKE_WRAPUP );
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2514 return( 0 );
2515}
2516
2517/*
2518 * Handler for MBEDTLS_SSL_HANDSHAKE_WRAPUP
2519 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2520MBEDTLS_CHECK_RETURN_CRITICAL
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]2521static int ssl_tls13_handshake_wrapup( mbedtls_ssl_context *ssl )
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2522{
Jerry Yu378254d2021-10-30 21:44:47 +0800[diff] [blame]2523
2524 mbedtls_ssl_tls13_handshake_wrapup( ssl );
2525
2526 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_HANDSHAKE_OVER );
2527 return( 0 );
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2528}
2529
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2530#if defined(MBEDTLS_SSL_SESSION_TICKETS)
2531
Jerry Yua0446a02022-07-13 11:22:55 +0800[diff] [blame]2532MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yuaf2c0c82022-07-12 05:47:21 +0000[diff] [blame]2533static int ssl_tls13_parse_new_session_ticket_exts( mbedtls_ssl_context *ssl,
2534 const unsigned char *buf,
2535 const unsigned char *end )
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2536{
Jerry Yuaf2c0c82022-07-12 05:47:21 +0000[diff] [blame]2537 const unsigned char *p = buf;
Jerry Yu6ba9f1c2022-08-04 17:53:25 +0800[diff] [blame]2538 uint32_t extensions_present;
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2539
2540 ((void) ssl);
2541
Jerry Yu6ba9f1c2022-08-04 17:53:25 +0800[diff] [blame]2542 extensions_present = MBEDTLS_SSL_EXT_NONE;
2543
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2544 while( p < end )
2545 {
2546 unsigned int extension_type;
2547 size_t extension_data_len;
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2548
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2549 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 4 );
2550 extension_type = MBEDTLS_GET_UINT16_BE( p, 0 );
2551 extension_data_len = MBEDTLS_GET_UINT16_BE( p, 2 );
2552 p += 4;
2553
2554 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, extension_data_len );
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2555
Jerry Yu6ba9f1c2022-08-04 17:53:25 +0800[diff] [blame]2556 /* RFC 8446 page 35
2557 *
2558 * If an implementation receives an extension which it recognizes and which
2559 * is not specified for the message in which it appears, it MUST abort the
2560 * handshake with an "illegal_parameter" alert.
2561 */
2562 extensions_present |= mbedtls_tls13_get_extension_mask( extension_type );
2563 MBEDTLS_SSL_DEBUG_MSG( 3,
2564 ( "NewSessionTicket : received %s(%u) extension",
2565 mbedtls_tls13_get_extension_name( extension_type ),
2566 extension_type ) );
2567 if( ( extensions_present & MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_NST ) == 0 )
2568 {
2569 MBEDTLS_SSL_DEBUG_MSG(
2570 3, ( "forbidden extension received." ) );
2571 MBEDTLS_SSL_PEND_FATAL_ALERT(
2572 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
2573 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
2574 return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
2575 }
2576
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2577 switch( extension_type )
2578 {
2579 case MBEDTLS_TLS_EXT_EARLY_DATA:
2580 MBEDTLS_SSL_DEBUG_MSG( 4, ( "early_data extension received" ) );
2581 break;
Jerry Yuaf2c0c82022-07-12 05:47:21 +0000[diff] [blame]2582
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2583 default:
Jerry Yu6ba9f1c2022-08-04 17:53:25 +0800[diff] [blame]2584 MBEDTLS_SSL_DEBUG_MSG( 3,
2585 ( "NewSessionTicket : received %s(%u) extension ( ignored )",
2586 mbedtls_tls13_get_extension_name( extension_type ),
2587 extension_type ) );
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2588 break;
2589 }
Jerry Yu6ba9f1c2022-08-04 17:53:25 +0800[diff] [blame]2590
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2591 p += extension_data_len;
2592 }
2593
Jerry Yu6ba9f1c2022-08-04 17:53:25 +0800[diff] [blame]2594 MBEDTLS_SSL_TLS1_3_PRINT_EXTS( 3, "NewSessionTicket", extensions_present );
2595
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2596 return( 0 );
2597}
2598
2599/*
Jerry Yu08aed4d2022-07-20 10:36:12 +0800[diff] [blame]2600 * From RFC8446, page 74
2601 *
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2602 * struct {
2603 * uint32 ticket_lifetime;
2604 * uint32 ticket_age_add;
2605 * opaque ticket_nonce<0..255>;
2606 * opaque ticket<1..2^16-1>;
2607 * Extension extensions<0..2^16-2>;
2608 * } NewSessionTicket;
2609 *
2610 */
Jerry Yua0446a02022-07-13 11:22:55 +0800[diff] [blame]2611MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2612static int ssl_tls13_parse_new_session_ticket( mbedtls_ssl_context *ssl,
2613 unsigned char *buf,
Jerry Yucb3b1392022-07-12 06:09:38 +0000[diff] [blame]2614 unsigned char *end,
2615 unsigned char **ticket_nonce,
2616 size_t *ticket_nonce_len )
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2617{
2618 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2619 unsigned char *p = buf;
2620 mbedtls_ssl_session *session = ssl->session;
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2621 size_t ticket_len;
2622 unsigned char *ticket;
2623 size_t extensions_len;
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2624
Jerry Yucb3b1392022-07-12 06:09:38 +0000[diff] [blame]2625 *ticket_nonce = NULL;
2626 *ticket_nonce_len = 0;
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2627 /*
2628 * ticket_lifetime 4 bytes
2629 * ticket_age_add 4 bytes
Jerry Yu08aed4d2022-07-20 10:36:12 +0800[diff] [blame]2630 * ticket_nonce_len 1 byte
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2631 */
Jerry Yucb3b1392022-07-12 06:09:38 +0000[diff] [blame]2632 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 9 );
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2633
2634 session->ticket_lifetime = MBEDTLS_GET_UINT32_BE( p, 0 );
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2635 MBEDTLS_SSL_DEBUG_MSG( 3,
Jerry Yu4e6c42a2022-07-13 11:16:51 +0800[diff] [blame]2636 ( "ticket_lifetime: %u",
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2637 ( unsigned int )session->ticket_lifetime ) );
2638
Jerry Yucb3b1392022-07-12 06:09:38 +0000[diff] [blame]2639 session->ticket_age_add = MBEDTLS_GET_UINT32_BE( p, 4 );
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2640 MBEDTLS_SSL_DEBUG_MSG( 3,
Jerry Yu4e6c42a2022-07-13 11:16:51 +0800[diff] [blame]2641 ( "ticket_age_add: %u",
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2642 ( unsigned int )session->ticket_age_add ) );
2643
Jerry Yucb3b1392022-07-12 06:09:38 +0000[diff] [blame]2644 *ticket_nonce_len = p[8];
2645 p += 9;
2646
2647 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, *ticket_nonce_len );
2648 *ticket_nonce = p;
2649 MBEDTLS_SSL_DEBUG_BUF( 3, "ticket_nonce:", *ticket_nonce, *ticket_nonce_len );
2650 p += *ticket_nonce_len;
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2651
2652 /* Ticket */
Jerry Yucb3b1392022-07-12 06:09:38 +0000[diff] [blame]2653 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2654 ticket_len = MBEDTLS_GET_UINT16_BE( p, 0 );
2655 p += 2;
2656 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, ticket_len );
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2657 MBEDTLS_SSL_DEBUG_BUF( 3, "received ticket", p, ticket_len ) ;
2658
2659 /* Check if we previously received a ticket already. */
2660 if( session->ticket != NULL || session->ticket_len > 0 )
2661 {
2662 mbedtls_free( session->ticket );
2663 session->ticket = NULL;
2664 session->ticket_len = 0;
2665 }
2666
2667 if( ( ticket = mbedtls_calloc( 1, ticket_len ) ) == NULL )
2668 {
2669 MBEDTLS_SSL_DEBUG_MSG( 1, ( "ticket alloc failed" ) );
2670 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
2671 }
2672 memcpy( ticket, p, ticket_len );
2673 p += ticket_len;
2674 session->ticket = ticket;
2675 session->ticket_len = ticket_len;
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2676
Jerry Yucb3b1392022-07-12 06:09:38 +0000[diff] [blame]2677 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2678 extensions_len = MBEDTLS_GET_UINT16_BE( p, 0 );
2679 p += 2;
2680 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, extensions_len );
2681
Jerry Yu4e6c42a2022-07-13 11:16:51 +0800[diff] [blame]2682 MBEDTLS_SSL_DEBUG_BUF( 3, "ticket extension", p, extensions_len );
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2683
Jerry Yu4e6c42a2022-07-13 11:16:51 +0800[diff] [blame]2684 ret = ssl_tls13_parse_new_session_ticket_exts( ssl, p, p + extensions_len );
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2685 if( ret != 0 )
2686 {
2687 MBEDTLS_SSL_DEBUG_RET( 1,
Jerry Yuaf2c0c82022-07-12 05:47:21 +0000[diff] [blame]2688 "ssl_tls13_parse_new_session_ticket_exts",
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2689 ret );
2690 return( ret );
2691 }
Jerry Yucb3b1392022-07-12 06:09:38 +0000[diff] [blame]2692
Jerry Yudb8c5fa2022-08-03 12:10:13 +0800[diff] [blame]2693 /* session has been updated, allow export */
2694 session->exported = 0;
2695
Jerry Yucb3b1392022-07-12 06:09:38 +0000[diff] [blame]2696 return( 0 );
2697}
2698
Jerry Yua0446a02022-07-13 11:22:55 +0800[diff] [blame]2699MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yucb3b1392022-07-12 06:09:38 +0000[diff] [blame]2700static int ssl_tls13_postprocess_new_session_ticket( mbedtls_ssl_context *ssl,
2701 unsigned char *ticket_nonce,
2702 size_t ticket_nonce_len )
2703{
2704 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2705 mbedtls_ssl_session *session = ssl->session;
2706 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
2707 psa_algorithm_t psa_hash_alg;
2708 int hash_length;
2709
Jerry Yu4e6c42a2022-07-13 11:16:51 +0800[diff] [blame]2710#if defined(MBEDTLS_HAVE_TIME)
2711 /* Store ticket creation time */
Jerry Yu08aed4d2022-07-20 10:36:12 +0800[diff] [blame]2712 session->ticket_received = mbedtls_time( NULL );
Jerry Yu4e6c42a2022-07-13 11:16:51 +0800[diff] [blame]2713#endif
2714
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2715 ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( session->ciphersuite );
2716 if( ciphersuite_info == NULL )
2717 {
2718 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2719 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2720 }
2721
2722 psa_hash_alg = mbedtls_psa_translate_md( ciphersuite_info->mac );
2723 hash_length = PSA_HASH_LENGTH( psa_hash_alg );
Jerry Yu3afdf362022-07-20 17:34:14 +0800[diff] [blame]2724 if( hash_length == -1 ||
2725 ( size_t )hash_length > sizeof( session->resumption_key ) )
2726 {
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2727 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Jerry Yu3afdf362022-07-20 17:34:14 +0800[diff] [blame]2728 }
2729
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2730
2731 MBEDTLS_SSL_DEBUG_BUF( 3, "resumption_master_secret",
2732 session->app_secrets.resumption_master_secret,
2733 hash_length );
2734
Jerry Yu4e6c42a2022-07-13 11:16:51 +0800[diff] [blame]2735 /* Compute resumption key
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2736 *
2737 * HKDF-Expand-Label( resumption_master_secret,
2738 * "resumption", ticket_nonce, Hash.length )
2739 */
2740 ret = mbedtls_ssl_tls13_hkdf_expand_label(
2741 psa_hash_alg,
2742 session->app_secrets.resumption_master_secret,
2743 hash_length,
2744 MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( resumption ),
2745 ticket_nonce,
2746 ticket_nonce_len,
Jerry Yu0a430c82022-07-20 11:02:48 +0800[diff] [blame]2747 session->resumption_key,
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2748 hash_length );
2749
2750 if( ret != 0 )
2751 {
2752 MBEDTLS_SSL_DEBUG_RET( 2,
2753 "Creating the ticket-resumed PSK failed",
2754 ret );
2755 return( ret );
2756 }
2757
Jerry Yu0a430c82022-07-20 11:02:48 +0800[diff] [blame]2758 session->resumption_key_len = hash_length;
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2759
2760 MBEDTLS_SSL_DEBUG_BUF( 3, "Ticket-resumed PSK",
Jerry Yu0a430c82022-07-20 11:02:48 +0800[diff] [blame]2761 session->resumption_key,
2762 session->resumption_key_len );
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2763
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2764 return( 0 );
2765}
2766
2767/*
Jerry Yua357cf42022-07-12 05:36:45 +0000[diff] [blame]2768 * Handler for MBEDTLS_SSL_NEW_SESSION_TICKET
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2769 */
Jerry Yua0446a02022-07-13 11:22:55 +0800[diff] [blame]2770MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2771static int ssl_tls13_process_new_session_ticket( mbedtls_ssl_context *ssl )
2772{
2773 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2774 unsigned char *buf;
2775 size_t buf_len;
Jerry Yucb3b1392022-07-12 06:09:38 +0000[diff] [blame]2776 unsigned char *ticket_nonce;
2777 size_t ticket_nonce_len;
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2778
2779 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse new session ticket" ) );
2780
2781 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_fetch_handshake_msg(
2782 ssl, MBEDTLS_SSL_HS_NEW_SESSION_TICKET,
2783 &buf, &buf_len ) );
2784
Jerry Yucb3b1392022-07-12 06:09:38 +0000[diff] [blame]2785 MBEDTLS_SSL_PROC_CHK( ssl_tls13_parse_new_session_ticket(
2786 ssl, buf, buf + buf_len,
2787 &ticket_nonce, &ticket_nonce_len ) );
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2788
Jerry Yucb3b1392022-07-12 06:09:38 +0000[diff] [blame]2789 MBEDTLS_SSL_PROC_CHK( ssl_tls13_postprocess_new_session_ticket(
2790 ssl, ticket_nonce, ticket_nonce_len ) );
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2791
Jerry Yu4e6c42a2022-07-13 11:16:51 +0800[diff] [blame]2792 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_HANDSHAKE_OVER );
2793
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2794cleanup:
2795
2796 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse new session ticket" ) );
2797 return( ret );
2798}
2799#endif /* MBEDTLS_SSL_SESSION_TICKETS */
2800
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]2801int mbedtls_ssl_tls13_handshake_client_step( mbedtls_ssl_context *ssl )
Jerry Yubc20bdd2021-08-24 15:59:48 +0800[diff] [blame]2802{
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]2803 int ret = 0;
Jerry Yuc8a392c2021-08-18 16:46:28 +0800[diff] [blame]2804
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]2805 switch( ssl->state )
2806 {
2807 /*
Jerry Yu0c63af62021-09-02 12:59:12 +0800[diff] [blame]2808 * ssl->state is initialized as HELLO_REQUEST. It is the same
2809 * as CLIENT_HELLO state.
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]2810 */
2811 case MBEDTLS_SSL_HELLO_REQUEST:
2812 case MBEDTLS_SSL_CLIENT_HELLO:
Ronald Cron3d580bf2022-02-18 17:24:56 +0100[diff] [blame]2813 ret = mbedtls_ssl_write_client_hello( ssl );
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]2814 break;
2815
2816 case MBEDTLS_SSL_SERVER_HELLO:
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]2817 ret = ssl_tls13_process_server_hello( ssl );
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2818 break;
2819
2820 case MBEDTLS_SSL_ENCRYPTED_EXTENSIONS:
XiaokangQian97799ac2021-10-11 10:05:54 +0000[diff] [blame]2821 ret = ssl_tls13_process_encrypted_extensions( ssl );
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2822 break;
2823
Ronald Cron928cbd32022-10-04 16:14:26 +0200[diff] [blame]2824#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
Jerry Yud2674312021-10-29 10:08:19 +0800[diff] [blame]2825 case MBEDTLS_SSL_CERTIFICATE_REQUEST:
2826 ret = ssl_tls13_process_certificate_request( ssl );
2827 break;
2828
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2829 case MBEDTLS_SSL_SERVER_CERTIFICATE:
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]2830 ret = ssl_tls13_process_server_certificate( ssl );
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2831 break;
2832
2833 case MBEDTLS_SSL_CERTIFICATE_VERIFY:
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]2834 ret = ssl_tls13_process_certificate_verify( ssl );
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2835 break;
Ronald Cron928cbd32022-10-04 16:14:26 +0200[diff] [blame]2836#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2837
2838 case MBEDTLS_SSL_SERVER_FINISHED:
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]2839 ret = ssl_tls13_process_server_finished( ssl );
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2840 break;
2841
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]2842 case MBEDTLS_SSL_CLIENT_CERTIFICATE:
2843 ret = ssl_tls13_write_client_certificate( ssl );
2844 break;
2845
Ronald Cron928cbd32022-10-04 16:14:26 +0200[diff] [blame]2846#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]2847 case MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY:
2848 ret = ssl_tls13_write_client_certificate_verify( ssl );
2849 break;
Ronald Cron928cbd32022-10-04 16:14:26 +0200[diff] [blame]2850#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]2851
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2852 case MBEDTLS_SSL_CLIENT_FINISHED:
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]2853 ret = ssl_tls13_write_client_finished( ssl );
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2854 break;
2855
2856 case MBEDTLS_SSL_FLUSH_BUFFERS:
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]2857 ret = ssl_tls13_flush_buffers( ssl );
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2858 break;
2859
2860 case MBEDTLS_SSL_HANDSHAKE_WRAPUP:
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]2861 ret = ssl_tls13_handshake_wrapup( ssl );
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]2862 break;
2863
Ronald Cron49ad6192021-11-24 16:25:31 +0100[diff] [blame]2864 /*
2865 * Injection of dummy-CCS's for middlebox compatibility
2866 */
2867#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
XiaokangQian0b56a8f2021-12-22 02:39:32 +0000[diff] [blame]2868 case MBEDTLS_SSL_CLIENT_CCS_BEFORE_2ND_CLIENT_HELLO:
Ronald Cron9f55f632022-02-02 16:02:47 +0100[diff] [blame]2869 ret = mbedtls_ssl_tls13_write_change_cipher_spec( ssl );
2870 if( ret == 0 )
2871 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_HELLO );
2872 break;
2873
2874 case MBEDTLS_SSL_CLIENT_CCS_AFTER_SERVER_FINISHED:
2875 ret = mbedtls_ssl_tls13_write_change_cipher_spec( ssl );
2876 if( ret == 0 )
2877 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE );
Ronald Cron49ad6192021-11-24 16:25:31 +0100[diff] [blame]2878 break;
2879#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
2880
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2881#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Jerry Yua357cf42022-07-12 05:36:45 +0000[diff] [blame]2882 case MBEDTLS_SSL_NEW_SESSION_TICKET:
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2883 ret = ssl_tls13_process_new_session_ticket( ssl );
2884 if( ret != 0 )
2885 break;
2886 ret = MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET;
2887 break;
2888#endif /* MBEDTLS_SSL_SESSION_TICKETS */
2889
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]2890 default:
2891 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) );
2892 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
2893 }
2894
2895 return( ret );
2896}
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800[diff] [blame]2897
Jerry Yufb4b6472022-01-27 15:03:26 +0800[diff] [blame]2898#endif /* MBEDTLS_SSL_CLI_C && MBEDTLS_SSL_PROTO_TLS1_3 */
Jerry Yu3cc4c2a2021-08-06 16:29:08 +0800[diff] [blame]2899
Jerry Yufb4b6472022-01-27 15:03:26 +0800[diff] [blame]2900