TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 281fd1bdd8aacc3c68ea42e305a5ed2469635571 / . / library / ssl_tls13_server.c
blob: 60b1e05f4386c1b618dd24ba4abf9f638e53837d [file] [log] [blame]
Jerry Yu3cc4c2a2021-08-06 16:29:08 +0800[diff] [blame]1/*
Jerry Yub9930e72021-08-06 17:11:51 +0800[diff] [blame]2 * TLS 1.3 server-side functions
Jerry Yu3cc4c2a2021-08-06 16:29:08 +0800[diff] [blame]3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18*/
19
20#include "common.h"
21
Jerry Yufb4b6472022-01-27 15:03:26 +0800[diff] [blame]22#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
Jerry Yu3cc4c2a2021-08-06 16:29:08 +0800[diff] [blame]23
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]24#include "mbedtls/debug.h"
Xiaofei Baicba64af2022-02-15 10:00:56 +0000[diff] [blame]25#include "mbedtls/error.h"
26#include "mbedtls/platform.h"
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]27#include "mbedtls/constant_time.h"
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]28
Xiaofei Bai9ca09d42022-02-14 12:57:18 +0000[diff] [blame]29#include "ssl_misc.h"
30#include "ssl_tls13_keys.h"
31#include "ssl_debug_helpers.h"
32
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]33#if defined(MBEDTLS_ECP_C)
34#include "mbedtls/ecp.h"
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]35#endif /* MBEDTLS_ECP_C */
Jerry Yu3cc4c2a2021-08-06 16:29:08 +0800[diff] [blame]36
XiaokangQiana9c58412022-02-17 09:41:26 +0000[diff] [blame]37#if defined(MBEDTLS_PLATFORM_C)
38#include "mbedtls/platform.h"
39#else
40#include <stdlib.h>
41#define mbedtls_calloc calloc
42#define mbedtls_free free
43#endif /* MBEDTLS_PLATFORM_C */
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]44
Jerry Yu4d3841a2022-04-16 12:37:19 +0800[diff] [blame]45#include "ssl_misc.h"
46#include "ssl_tls13_keys.h"
47#include "ssl_debug_helpers.h"
48
Jerry Yuf35ba382022-08-23 17:58:26 +0800[diff] [blame]49
Jerry Yuc5a23a02022-08-25 10:51:44 +0800[diff] [blame]50static const mbedtls_ssl_ciphersuite_t *ssl_tls13_validate_peer_ciphersuite(
Jerry Yuf35ba382022-08-23 17:58:26 +0800[diff] [blame]51 mbedtls_ssl_context *ssl,
Jerry Yuc5a23a02022-08-25 10:51:44 +0800[diff] [blame]52 unsigned int cipher_suite )
Jerry Yuf35ba382022-08-23 17:58:26 +0800[diff] [blame]53{
54 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
55 if( ! mbedtls_ssl_tls13_cipher_suite_is_offered( ssl, cipher_suite ) )
56 return( NULL );
57
58 ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( cipher_suite );
59 if( ( mbedtls_ssl_validate_ciphersuite( ssl, ciphersuite_info,
60 ssl->tls_version,
61 ssl->tls_version ) != 0 ) )
62 {
63 return( NULL );
64 }
65 return( ciphersuite_info );
66}
67
Jerry Yue19e3b92022-07-08 12:04:51 +0000[diff] [blame]68#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
69/* From RFC 8446:
70 *
71 * enum { psk_ke(0), psk_dhe_ke(1), (255) } PskKeyExchangeMode;
72 * struct {
73 * PskKeyExchangeMode ke_modes<1..255>;
74 * } PskKeyExchangeModes;
75 */
Jerry Yu6e74a7e2022-07-20 20:49:32 +0800[diff] [blame]76MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yue19e3b92022-07-08 12:04:51 +0000[diff] [blame]77static int ssl_tls13_parse_key_exchange_modes_ext( mbedtls_ssl_context *ssl,
78 const unsigned char *buf,
Jerry Yu299e31f2022-07-13 23:06:36 +0800[diff] [blame]79 const unsigned char *end )
Jerry Yue19e3b92022-07-08 12:04:51 +0000[diff] [blame]80{
Jerry Yu299e31f2022-07-13 23:06:36 +0800[diff] [blame]81 const unsigned char *p = buf;
Jerry Yue19e3b92022-07-08 12:04:51 +0000[diff] [blame]82 size_t ke_modes_len;
83 int ke_modes = 0;
84
Jerry Yu854dd9e2022-07-15 14:28:27 +0800[diff] [blame]85 /* Read ke_modes length (1 Byte) */
Jerry Yu299e31f2022-07-13 23:06:36 +0800[diff] [blame]86 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 1 );
87 ke_modes_len = *p++;
Jerry Yue19e3b92022-07-08 12:04:51 +0000[diff] [blame]88 /* Currently, there are only two PSK modes, so even without looking
89 * at the content, something's wrong if the list has more than 2 items. */
90 if( ke_modes_len > 2 )
Jerry Yu299e31f2022-07-13 23:06:36 +0800[diff] [blame]91 {
92 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
93 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
Jerry Yue19e3b92022-07-08 12:04:51 +0000[diff] [blame]94 return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
Jerry Yu299e31f2022-07-13 23:06:36 +0800[diff] [blame]95 }
Jerry Yue19e3b92022-07-08 12:04:51 +0000[diff] [blame]96
Jerry Yu299e31f2022-07-13 23:06:36 +0800[diff] [blame]97 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, ke_modes_len );
Jerry Yue19e3b92022-07-08 12:04:51 +0000[diff] [blame]98
99 while( ke_modes_len-- != 0 )
100 {
Jerry Yu299e31f2022-07-13 23:06:36 +0800[diff] [blame]101 switch( *p++ )
Jerry Yue19e3b92022-07-08 12:04:51 +0000[diff] [blame]102 {
103 case MBEDTLS_SSL_TLS1_3_PSK_MODE_PURE:
104 ke_modes |= MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK;
105 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Found PSK KEX MODE" ) );
106 break;
107 case MBEDTLS_SSL_TLS1_3_PSK_MODE_ECDHE:
108 ke_modes |= MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL;
109 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Found PSK_EPHEMERAL KEX MODE" ) );
110 break;
111 default:
Jerry Yu299e31f2022-07-13 23:06:36 +0800[diff] [blame]112 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
113 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
Jerry Yue19e3b92022-07-08 12:04:51 +0000[diff] [blame]114 return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
115 }
116 }
117
118 ssl->handshake->tls13_kex_modes = ke_modes;
119 return( 0 );
120}
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]121
Jerry Yue9d4fc02022-08-20 19:21:15 +0800[diff] [blame]122#define SSL_TLS1_3_OFFERED_PSK_NOT_MATCH 1
123#define SSL_TLS1_3_OFFERED_PSK_MATCH 0
Jerry Yu95699e72022-08-21 19:22:23 +0800[diff] [blame]124
125#if defined(MBEDTLS_SSL_SESSION_TICKETS)
126
127MBEDTLS_CHECK_RETURN_CRITICAL
128static int ssl_tls13_offered_psks_check_identity_match_ticket(
129 mbedtls_ssl_context *ssl,
Jerry Yu95699e72022-08-21 19:22:23 +0800[diff] [blame]130 const unsigned char *identity,
131 size_t identity_len,
Jerry Yu8d4bbba2022-09-13 14:15:48 +0800[diff] [blame]132 uint32_t obfuscated_ticket_age,
133 mbedtls_ssl_session *session )
Jerry Yu95699e72022-08-21 19:22:23 +0800[diff] [blame]134{
Jerry Yufd310eb2022-09-06 09:16:35 +0800[diff] [blame]135 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yu95699e72022-08-21 19:22:23 +0800[diff] [blame]136 unsigned char *ticket_buffer;
Jerry Yu8d4bbba2022-09-13 14:15:48 +0800[diff] [blame]137#if defined(MBEDTLS_HAVE_TIME)
138 mbedtls_time_t now;
Jerry Yuacff8232022-09-14 14:35:11 +0800[diff] [blame]139 uint64_t age_in_s;
Jerry Yuf7dad3c2022-09-14 22:31:39 +0800[diff] [blame]140 int64_t age_diff_in_ms;
Jerry Yu8d4bbba2022-09-13 14:15:48 +0800[diff] [blame]141#endif
Jerry Yu95699e72022-08-21 19:22:23 +0800[diff] [blame]142
143 ((void) obfuscated_ticket_age);
144
145 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> check_identity_match_ticket" ) );
146
Jerry Yufd310eb2022-09-06 09:16:35 +0800[diff] [blame]147 /* Ticket parser is not configured, Skip */
148 if( ssl->conf->f_ticket_parse == NULL || identity_len == 0 )
Jerry Yu95699e72022-08-21 19:22:23 +0800[diff] [blame]149 return( 0 );
Jerry Yu95699e72022-08-21 19:22:23 +0800[diff] [blame]150
Jerry Yu4746b102022-09-13 11:11:48 +0800[diff] [blame]151 /* We create a copy of the encrypted ticket since the ticket parsing
152 * function is allowed to use its input buffer as an output buffer
153 * (in-place decryption). We do, however, need the original buffer for
154 * computing the PSK binder value.
Jerry Yu95699e72022-08-21 19:22:23 +0800[diff] [blame]155 */
156 ticket_buffer = mbedtls_calloc( 1, identity_len );
157 if( ticket_buffer == NULL )
158 {
159 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
160 return ( MBEDTLS_ERR_SSL_ALLOC_FAILED );
161 }
162 memcpy( ticket_buffer, identity, identity_len );
163
164 if( ( ret = ssl->conf->f_ticket_parse( ssl->conf->p_ticket,
165 session,
166 ticket_buffer, identity_len ) ) != 0 )
167 {
168 if( ret == MBEDTLS_ERR_SSL_INVALID_MAC )
169 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket is not authentic" ) );
170 else if( ret == MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED )
171 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket is expired" ) );
172 else
173 MBEDTLS_SSL_DEBUG_RET( 1, "ticket_parse", ret );
174 }
175
176 /* We delete the temporary buffer */
177 mbedtls_free( ticket_buffer );
178
Jerry Yu8d4bbba2022-09-13 14:15:48 +0800[diff] [blame]179 if( ret != 0 )
180 goto exit;
181
182 ret = MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED;
183#if defined(MBEDTLS_HAVE_TIME)
184 now = mbedtls_time( NULL );
185
Jerry Yu8d4bbba2022-09-13 14:15:48 +0800[diff] [blame]186 if( now < session->start )
Jerry Yu95699e72022-08-21 19:22:23 +0800[diff] [blame]187 {
Jerry Yu8d4bbba2022-09-13 14:15:48 +0800[diff] [blame]188 MBEDTLS_SSL_DEBUG_MSG(
Jerry Yu03aa1742022-10-10 21:48:37 +0800[diff] [blame]189 3, ( "Invalid ticket start time ( now=%" MBEDTLS_PRINTF_LONGLONG
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]190 ", start=%" MBEDTLS_PRINTF_LONGLONG " )",
191 (long long)now, (long long)session->start ) );
Jerry Yu8d4bbba2022-09-13 14:15:48 +0800[diff] [blame]192 goto exit;
193 }
Jerry Yu95699e72022-08-21 19:22:23 +0800[diff] [blame]194
Jerry Yu8d4bbba2022-09-13 14:15:48 +0800[diff] [blame]195 age_in_s = (uint64_t)( now - session->start );
Jerry Yu95699e72022-08-21 19:22:23 +0800[diff] [blame]196
Jerry Yu8d4bbba2022-09-13 14:15:48 +0800[diff] [blame]197 /* RFC 8446 section 4.6.1
198 *
199 * Servers MUST NOT use any value greater than 604800 seconds (7 days).
200 *
201 * RFC 8446 section 4.2.11.1
202 *
203 * Clients MUST NOT attempt to use tickets which have ages greater than
204 * the "ticket_lifetime" value which was provided with the ticket.
205 *
206 * For time being, the age MUST be less than 604800 seconds (7 days).
207 */
208 if( age_in_s > 604800 )
209 {
210 MBEDTLS_SSL_DEBUG_MSG(
Jerry Yuc2bfaf02022-10-11 15:55:52 +0800[diff] [blame]211 3, ( "Ticket age exceeds limitation ticket_age=%lu",
Jerry Yu8d4bbba2022-09-13 14:15:48 +0800[diff] [blame]212 (long unsigned int)age_in_s ) );
213 goto exit;
214 }
Jerry Yu95699e72022-08-21 19:22:23 +0800[diff] [blame]215
Jerry Yu8d4bbba2022-09-13 14:15:48 +0800[diff] [blame]216 /* RFC 8446 section 4.2.10
217 *
218 * For PSKs provisioned via NewSessionTicket, a server MUST validate that
219 * the ticket age for the selected PSK identity (computed by subtracting
220 * ticket_age_add from PskIdentity.obfuscated_ticket_age modulo 2^32) is
221 * within a small tolerance of the time since the ticket was issued.
Jerry Yuf7dad3c2022-09-14 22:31:39 +0800[diff] [blame]222 *
Jerry Yu0a55cc62022-09-15 16:15:06 +0800[diff] [blame]223 * NOTE: When `now == session->start`, `age_diff_in_ms` may be negative
224 * as the age units are different on the server (s) and in the
225 * client (ms) side. Add a -1000 ms tolerance window to take this
226 * into account.
Jerry Yu8d4bbba2022-09-13 14:15:48 +0800[diff] [blame]227 */
Jerry Yuf7dad3c2022-09-14 22:31:39 +0800[diff] [blame]228 age_diff_in_ms = age_in_s * 1000;
229 age_diff_in_ms -= ( obfuscated_ticket_age - session->ticket_age_add );
230 if( age_diff_in_ms <= -1000 ||
231 age_diff_in_ms > MBEDTLS_SSL_TLS1_3_TICKET_AGE_TOLERANCE )
Jerry Yu8d4bbba2022-09-13 14:15:48 +0800[diff] [blame]232 {
233 MBEDTLS_SSL_DEBUG_MSG(
Jerry Yu03aa1742022-10-10 21:48:37 +0800[diff] [blame]234 3, ( "Ticket age outside tolerance window ( diff=%d )",
235 (int)age_diff_in_ms ) );
Jerry Yu8d4bbba2022-09-13 14:15:48 +0800[diff] [blame]236 goto exit;
237 }
Xiaokang Qian281fd1b2022-09-20 11:35:41 +0000[diff] [blame^]238#if 0
239#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
240 if( ssl->session_negotiate->hostname != NULL &&
241 ssl->session_negotiate->hostname_len != 0 &&
242 memcmp( ssl->session_negotiate->hostname,
243 ssl->session->hostname, ssl->session->hostname_len ) != 0 )
244 {
245 MBEDTLS_SSL_DEBUG_MSG(
246 3, ( "Session hostname not matched with stored session ticket" ) );
247 goto exit;
248 }
249
250#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
251#endif
Jerry Yu8d4bbba2022-09-13 14:15:48 +0800[diff] [blame]252
253 ret = 0;
Jerry Yu95699e72022-08-21 19:22:23 +0800[diff] [blame]254
255#endif /* MBEDTLS_HAVE_TIME */
Jerry Yu8d4bbba2022-09-13 14:15:48 +0800[diff] [blame]256
257exit:
258 if( ret != 0 )
259 mbedtls_ssl_session_free( session );
Jerry Yu95699e72022-08-21 19:22:23 +0800[diff] [blame]260
261 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= check_identity_match_ticket" ) );
262 return( ret );
263}
264#endif /* MBEDTLS_SSL_SESSION_TICKETS */
265
Jerry Yu6e74a7e2022-07-20 20:49:32 +0800[diff] [blame]266MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]267static int ssl_tls13_offered_psks_check_identity_match(
268 mbedtls_ssl_context *ssl,
269 const unsigned char *identity,
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]270 size_t identity_len,
Jerry Yu95699e72022-08-21 19:22:23 +0800[diff] [blame]271 uint32_t obfuscated_ticket_age,
Jerry Yu4746b102022-09-13 11:11:48 +0800[diff] [blame]272 int *psk_type,
273 mbedtls_ssl_session *session )
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]274{
Jerry Yu95699e72022-08-21 19:22:23 +0800[diff] [blame]275 ((void) session);
276 ((void) obfuscated_ticket_age);
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]277 *psk_type = MBEDTLS_SSL_TLS1_3_PSK_EXTERNAL;
Jerry Yu95699e72022-08-21 19:22:23 +0800[diff] [blame]278
279 MBEDTLS_SSL_DEBUG_BUF( 4, "identity", identity, identity_len );
280 ssl->handshake->resume = 0;
281
Jerry Yu95699e72022-08-21 19:22:23 +0800[diff] [blame]282#if defined(MBEDTLS_SSL_SESSION_TICKETS)
283 if( ssl_tls13_offered_psks_check_identity_match_ticket(
Jerry Yu8d4bbba2022-09-13 14:15:48 +0800[diff] [blame]284 ssl, identity, identity_len, obfuscated_ticket_age,
Jerry Yuf7dad3c2022-09-14 22:31:39 +0800[diff] [blame]285 session ) == SSL_TLS1_3_OFFERED_PSK_MATCH )
Jerry Yu95699e72022-08-21 19:22:23 +0800[diff] [blame]286 {
Jerry Yu95699e72022-08-21 19:22:23 +0800[diff] [blame]287 ssl->handshake->resume = 1;
288 *psk_type = MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION;
289 mbedtls_ssl_set_hs_psk( ssl,
Jerry Yu0a55cc62022-09-15 16:15:06 +0800[diff] [blame]290 session->resumption_key,
291 session->resumption_key_len );
Jerry Yu95699e72022-08-21 19:22:23 +0800[diff] [blame]292
293 MBEDTLS_SSL_DEBUG_BUF( 4, "Ticket-resumed PSK:",
Jerry Yu0a55cc62022-09-15 16:15:06 +0800[diff] [blame]294 session->resumption_key,
295 session->resumption_key_len );
Jerry Yu95699e72022-08-21 19:22:23 +0800[diff] [blame]296 MBEDTLS_SSL_DEBUG_MSG( 4, ( "ticket: obfuscated_ticket_age: %u",
297 (unsigned)obfuscated_ticket_age ) );
298 return( SSL_TLS1_3_OFFERED_PSK_MATCH );
299 }
300#endif /* MBEDTLS_SSL_SESSION_TICKETS */
301
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]302 /* Check identity with external configured function */
303 if( ssl->conf->f_psk != NULL )
304 {
305 if( ssl->conf->f_psk(
306 ssl->conf->p_psk, ssl, identity, identity_len ) == 0 )
307 {
308 return( SSL_TLS1_3_OFFERED_PSK_MATCH );
309 }
310 return( SSL_TLS1_3_OFFERED_PSK_NOT_MATCH );
311 }
312
Jerry Yu96a2e362022-07-21 15:11:34 +0800[diff] [blame]313 MBEDTLS_SSL_DEBUG_BUF( 5, "identity", identity, identity_len );
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]314 /* Check identity with pre-configured psk */
Jerry Yu2f0abc92022-07-22 19:34:48 +0800[diff] [blame]315 if( ssl->conf->psk_identity != NULL &&
316 identity_len == ssl->conf->psk_identity_len &&
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]317 mbedtls_ct_memcmp( ssl->conf->psk_identity,
318 identity, identity_len ) == 0 )
319 {
320 mbedtls_ssl_set_hs_psk( ssl, ssl->conf->psk, ssl->conf->psk_len );
321 return( SSL_TLS1_3_OFFERED_PSK_MATCH );
322 }
323
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]324 return( SSL_TLS1_3_OFFERED_PSK_NOT_MATCH );
325}
326
Jerry Yu6e74a7e2022-07-20 20:49:32 +0800[diff] [blame]327MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yu96a2e362022-07-21 15:11:34 +0800[diff] [blame]328static int ssl_tls13_offered_psks_check_binder_match( mbedtls_ssl_context *ssl,
329 const unsigned char *binder,
Jerry Yue95c8af2022-07-26 15:48:20 +0800[diff] [blame]330 size_t binder_len,
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]331 int psk_type,
Jerry Yu29d9faa2022-08-23 17:52:45 +0800[diff] [blame]332 psa_algorithm_t psk_hash_alg )
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]333{
334 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yu96a2e362022-07-21 15:11:34 +0800[diff] [blame]335
Jerry Yudaf375a2022-07-20 21:31:43 +0800[diff] [blame]336 unsigned char transcript[PSA_HASH_MAX_SIZE];
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]337 size_t transcript_len;
Jerry Yu2f0abc92022-07-22 19:34:48 +0800[diff] [blame]338 unsigned char *psk;
Jerry Yu96a2e362022-07-21 15:11:34 +0800[diff] [blame]339 size_t psk_len;
Jerry Yudaf375a2022-07-20 21:31:43 +0800[diff] [blame]340 unsigned char server_computed_binder[PSA_HASH_MAX_SIZE];
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]341
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]342 /* Get current state of handshake transcript. */
Jerry Yu29d9faa2022-08-23 17:52:45 +0800[diff] [blame]343 ret = mbedtls_ssl_get_handshake_transcript(
344 ssl, mbedtls_hash_info_md_from_psa( psk_hash_alg ),
345 transcript, sizeof( transcript ), &transcript_len );
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]346 if( ret != 0 )
347 return( ret );
348
Jerry Yu40f37712022-07-26 16:58:57 +0800[diff] [blame]349 ret = mbedtls_ssl_tls13_export_handshake_psk( ssl, &psk, &psk_len );
Jerry Yu96a2e362022-07-21 15:11:34 +0800[diff] [blame]350 if( ret != 0 )
351 return( ret );
352
Jerry Yu29d9faa2022-08-23 17:52:45 +0800[diff] [blame]353 ret = mbedtls_ssl_tls13_create_psk_binder( ssl, psk_hash_alg,
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]354 psk, psk_len, psk_type,
355 transcript,
356 server_computed_binder );
Jerry Yu96a2e362022-07-21 15:11:34 +0800[diff] [blame]357#if defined(MBEDTLS_USE_PSA_CRYPTO)
358 mbedtls_free( (void*)psk );
359#endif
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]360 if( ret != 0 )
361 {
362 MBEDTLS_SSL_DEBUG_MSG( 1, ( "PSK binder calculation failed." ) );
363 return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
364 }
365
366 MBEDTLS_SSL_DEBUG_BUF( 3, "psk binder ( computed ): ",
Jerry Yu2f0abc92022-07-22 19:34:48 +0800[diff] [blame]367 server_computed_binder, transcript_len );
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]368 MBEDTLS_SSL_DEBUG_BUF( 3, "psk binder ( received ): ", binder, binder_len );
369
370 if( mbedtls_ct_memcmp( server_computed_binder, binder, binder_len ) == 0 )
371 {
372 return( SSL_TLS1_3_OFFERED_PSK_MATCH );
373 }
374
Jerry Yudaf375a2022-07-20 21:31:43 +0800[diff] [blame]375 mbedtls_platform_zeroize( server_computed_binder,
376 sizeof( server_computed_binder ) );
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]377 return( SSL_TLS1_3_OFFERED_PSK_NOT_MATCH );
378}
Jerry Yu96a2e362022-07-21 15:11:34 +0800[diff] [blame]379
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]380MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yuf35ba382022-08-23 17:58:26 +0800[diff] [blame]381static int ssl_tls13_select_ciphersuite_for_psk(
382 mbedtls_ssl_context *ssl,
383 const unsigned char *cipher_suites,
384 const unsigned char *cipher_suites_end,
385 uint16_t *selected_ciphersuite,
386 const mbedtls_ssl_ciphersuite_t **selected_ciphersuite_info )
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]387{
Jerry Yuf35ba382022-08-23 17:58:26 +0800[diff] [blame]388 psa_algorithm_t psk_hash_alg = PSA_ALG_SHA_256;
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]389
Jerry Yu0baf9072022-08-25 11:21:04 +0800[diff] [blame]390 *selected_ciphersuite = 0;
391 *selected_ciphersuite_info = NULL;
392
Jerry Yuf35ba382022-08-23 17:58:26 +0800[diff] [blame]393 /* RFC 8446, page 55.
394 *
395 * For externally established PSKs, the Hash algorithm MUST be set when the
396 * PSK is established or default to SHA-256 if no such algorithm is defined.
397 *
398 */
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]399
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]400 /*
401 * Search for a matching ciphersuite
402 */
Jerry Yu1e05b6d2022-08-31 10:35:52 +0800[diff] [blame]403 for ( const unsigned char *p = cipher_suites;
404 p < cipher_suites_end; p += 2 )
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]405 {
406 uint16_t cipher_suite;
Jerry Yuf35ba382022-08-23 17:58:26 +0800[diff] [blame]407 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]408
409 cipher_suite = MBEDTLS_GET_UINT16_BE( p, 0 );
Jerry Yuc5a23a02022-08-25 10:51:44 +0800[diff] [blame]410 ciphersuite_info = ssl_tls13_validate_peer_ciphersuite( ssl,
411 cipher_suite );
Jerry Yuf35ba382022-08-23 17:58:26 +0800[diff] [blame]412 if( ciphersuite_info == NULL )
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]413 continue;
414
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]415 /* MAC of selected ciphersuite MUST be same with PSK binder if exist.
416 * Otherwise, client should reject.
417 */
Jerry Yuf35ba382022-08-23 17:58:26 +0800[diff] [blame]418 if( psk_hash_alg == mbedtls_psa_translate_md( ciphersuite_info->mac ) )
419 {
420 *selected_ciphersuite = cipher_suite;
421 *selected_ciphersuite_info = ciphersuite_info;
422 return( 0 );
423 }
424 }
425 MBEDTLS_SSL_DEBUG_MSG( 2, ( "No matched ciphersuite" ) );
426 return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
427}
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]428
Jerry Yu82534862022-08-30 10:42:33 +0800[diff] [blame]429#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Jerry Yuf35ba382022-08-23 17:58:26 +0800[diff] [blame]430MBEDTLS_CHECK_RETURN_CRITICAL
431static int ssl_tls13_select_ciphersuite_for_resumption(
432 mbedtls_ssl_context *ssl,
433 const unsigned char *cipher_suites,
434 const unsigned char *cipher_suites_end,
435 mbedtls_ssl_session *session,
436 uint16_t *selected_ciphersuite,
437 const mbedtls_ssl_ciphersuite_t **selected_ciphersuite_info )
438{
Jerry Yu82534862022-08-30 10:42:33 +0800[diff] [blame]439
Jerry Yuf35ba382022-08-23 17:58:26 +0800[diff] [blame]440 *selected_ciphersuite = 0;
441 *selected_ciphersuite_info = NULL;
Jerry Yu82534862022-08-30 10:42:33 +0800[diff] [blame]442 for( const unsigned char *p = cipher_suites; p < cipher_suites_end; p += 2 )
443 {
444 uint16_t cipher_suite = MBEDTLS_GET_UINT16_BE( p, 0 );
445 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
446
447 if( cipher_suite != session->ciphersuite )
448 continue;
449
450 ciphersuite_info = ssl_tls13_validate_peer_ciphersuite( ssl,
451 cipher_suite );
452 if( ciphersuite_info == NULL )
453 continue;
454
Jerry Yu4746b102022-09-13 11:11:48 +0800[diff] [blame]455 *selected_ciphersuite = cipher_suite;
Jerry Yu82534862022-08-30 10:42:33 +0800[diff] [blame]456 *selected_ciphersuite_info = ciphersuite_info;
457
458 return( 0 );
Jerry Yu82534862022-08-30 10:42:33 +0800[diff] [blame]459 }
460
461 return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]462}
Jerry Yuf35ba382022-08-23 17:58:26 +0800[diff] [blame]463
Jerry Yu82534862022-08-30 10:42:33 +0800[diff] [blame]464MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yu4746b102022-09-13 11:11:48 +0800[diff] [blame]465static int ssl_tls13_session_copy_ticket( mbedtls_ssl_session *dst,
466 const mbedtls_ssl_session *src )
Jerry Yu82534862022-08-30 10:42:33 +0800[diff] [blame]467{
Jerry Yu82534862022-08-30 10:42:33 +0800[diff] [blame]468 dst->ticket_age_add = src->ticket_age_add;
469 dst->ticket_flags = src->ticket_flags;
470 dst->resumption_key_len = src->resumption_key_len;
471 if( src->resumption_key_len == 0 )
472 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
473 memcpy( dst->resumption_key, src->resumption_key, src->resumption_key_len );
Jerry Yu4746b102022-09-13 11:11:48 +0800[diff] [blame]474
Jerry Yu82534862022-08-30 10:42:33 +0800[diff] [blame]475 return( 0 );
476}
477#endif /* MBEDTLS_SSL_SESSION_TICKETS */
478
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]479/* Parser for pre_shared_key extension in client hello
480 * struct {
481 * opaque identity<1..2^16-1>;
482 * uint32 obfuscated_ticket_age;
483 * } PskIdentity;
484 *
485 * opaque PskBinderEntry<32..255>;
486 *
487 * struct {
488 * PskIdentity identities<7..2^16-1>;
489 * PskBinderEntry binders<33..2^16-1>;
490 * } OfferedPsks;
491 *
492 * struct {
493 * select (Handshake.msg_type) {
494 * case client_hello: OfferedPsks;
495 * ....
496 * };
497 * } PreSharedKeyExtension;
498 */
Jerry Yu6e74a7e2022-07-20 20:49:32 +0800[diff] [blame]499MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yubb852022022-07-20 21:10:44 +0800[diff] [blame]500static int ssl_tls13_parse_pre_shared_key_ext( mbedtls_ssl_context *ssl,
Jerry Yu29d9faa2022-08-23 17:52:45 +0800[diff] [blame]501 const unsigned char *pre_shared_key_ext,
502 const unsigned char *pre_shared_key_ext_end,
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]503 const unsigned char *ciphersuites,
504 const unsigned char *ciphersuites_end )
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]505{
Jerry Yu29d9faa2022-08-23 17:52:45 +0800[diff] [blame]506 const unsigned char *identities = pre_shared_key_ext;
Jerry Yu568ec252022-07-22 21:27:34 +0800[diff] [blame]507 const unsigned char *p_identity_len;
508 size_t identities_len;
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]509 const unsigned char *identities_end;
Jerry Yu568ec252022-07-22 21:27:34 +0800[diff] [blame]510 const unsigned char *binders;
511 const unsigned char *p_binder_len;
512 size_t binders_len;
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]513 const unsigned char *binders_end;
Jerry Yu96a2e362022-07-21 15:11:34 +0800[diff] [blame]514 int matched_identity = -1;
515 int identity_id = -1;
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]516
Jerry Yu29d9faa2022-08-23 17:52:45 +0800[diff] [blame]517 MBEDTLS_SSL_DEBUG_BUF( 3, "pre_shared_key extension",
518 pre_shared_key_ext,
519 pre_shared_key_ext_end - pre_shared_key_ext );
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]520
Jerry Yu96a2e362022-07-21 15:11:34 +0800[diff] [blame]521 /* identities_len 2 bytes
522 * identities_data >= 7 bytes
523 */
Jerry Yu29d9faa2022-08-23 17:52:45 +0800[diff] [blame]524 MBEDTLS_SSL_CHK_BUF_READ_PTR( identities, pre_shared_key_ext_end, 7 + 2 );
Jerry Yu568ec252022-07-22 21:27:34 +0800[diff] [blame]525 identities_len = MBEDTLS_GET_UINT16_BE( identities, 0 );
526 p_identity_len = identities + 2;
Jerry Yu29d9faa2022-08-23 17:52:45 +0800[diff] [blame]527 MBEDTLS_SSL_CHK_BUF_READ_PTR( p_identity_len, pre_shared_key_ext_end,
528 identities_len );
Jerry Yu568ec252022-07-22 21:27:34 +0800[diff] [blame]529 identities_end = p_identity_len + identities_len;
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]530
Jerry Yu96a2e362022-07-21 15:11:34 +0800[diff] [blame]531 /* binders_len 2 bytes
532 * binders >= 33 bytes
533 */
Jerry Yu568ec252022-07-22 21:27:34 +0800[diff] [blame]534 binders = identities_end;
Jerry Yu29d9faa2022-08-23 17:52:45 +0800[diff] [blame]535 MBEDTLS_SSL_CHK_BUF_READ_PTR( binders, pre_shared_key_ext_end, 33 + 2 );
Jerry Yu568ec252022-07-22 21:27:34 +0800[diff] [blame]536 binders_len = MBEDTLS_GET_UINT16_BE( binders, 0 );
537 p_binder_len = binders + 2;
Jerry Yu29d9faa2022-08-23 17:52:45 +0800[diff] [blame]538 MBEDTLS_SSL_CHK_BUF_READ_PTR( p_binder_len, pre_shared_key_ext_end, binders_len );
Jerry Yu568ec252022-07-22 21:27:34 +0800[diff] [blame]539 binders_end = p_binder_len + binders_len;
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]540
Jerry Yu29d9faa2022-08-23 17:52:45 +0800[diff] [blame]541 ssl->handshake->update_checksum( ssl, pre_shared_key_ext,
542 identities_end - pre_shared_key_ext );
Jerry Yu96a2e362022-07-21 15:11:34 +0800[diff] [blame]543
Jerry Yu568ec252022-07-22 21:27:34 +0800[diff] [blame]544 while( p_identity_len < identities_end && p_binder_len < binders_end )
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]545 {
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]546 const unsigned char *identity;
Jerry Yu568ec252022-07-22 21:27:34 +0800[diff] [blame]547 size_t identity_len;
Jerry Yu82534862022-08-30 10:42:33 +0800[diff] [blame]548 uint32_t obfuscated_ticket_age;
Jerry Yu96a2e362022-07-21 15:11:34 +0800[diff] [blame]549 const unsigned char *binder;
Jerry Yu568ec252022-07-22 21:27:34 +0800[diff] [blame]550 size_t binder_len;
Jerry Yu96a2e362022-07-21 15:11:34 +0800[diff] [blame]551 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]552 int psk_type;
553 uint16_t cipher_suite;
Jerry Yu29d9faa2022-08-23 17:52:45 +0800[diff] [blame]554 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
Jerry Yu82534862022-08-30 10:42:33 +0800[diff] [blame]555#if defined(MBEDTLS_SSL_SESSION_TICKETS)
556 mbedtls_ssl_session session;
Jerry Yu4746b102022-09-13 11:11:48 +0800[diff] [blame]557 mbedtls_ssl_session_init( &session );
Jerry Yu82534862022-08-30 10:42:33 +0800[diff] [blame]558#endif
Jerry Yubb852022022-07-20 21:10:44 +0800[diff] [blame]559
Jerry Yu568ec252022-07-22 21:27:34 +0800[diff] [blame]560 MBEDTLS_SSL_CHK_BUF_READ_PTR( p_identity_len, identities_end, 2 + 1 + 4 );
561 identity_len = MBEDTLS_GET_UINT16_BE( p_identity_len, 0 );
562 identity = p_identity_len + 2;
563 MBEDTLS_SSL_CHK_BUF_READ_PTR( identity, identities_end, identity_len + 4 );
Jerry Yu82534862022-08-30 10:42:33 +0800[diff] [blame]564 obfuscated_ticket_age = MBEDTLS_GET_UINT32_BE( identity , identity_len );
Jerry Yu568ec252022-07-22 21:27:34 +0800[diff] [blame]565 p_identity_len += identity_len + 6;
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]566
Jerry Yu568ec252022-07-22 21:27:34 +0800[diff] [blame]567 MBEDTLS_SSL_CHK_BUF_READ_PTR( p_binder_len, binders_end, 1 + 32 );
568 binder_len = *p_binder_len;
569 binder = p_binder_len + 1;
570 MBEDTLS_SSL_CHK_BUF_READ_PTR( binder, binders_end, binder_len );
571 p_binder_len += binder_len + 1;
Jerry Yu96a2e362022-07-21 15:11:34 +0800[diff] [blame]572
Jerry Yu96a2e362022-07-21 15:11:34 +0800[diff] [blame]573 identity_id++;
574 if( matched_identity != -1 )
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]575 continue;
576
Jerry Yu96a2e362022-07-21 15:11:34 +0800[diff] [blame]577 ret = ssl_tls13_offered_psks_check_identity_match(
Jerry Yu82534862022-08-30 10:42:33 +0800[diff] [blame]578 ssl, identity, identity_len, obfuscated_ticket_age,
Jerry Yu4746b102022-09-13 11:11:48 +0800[diff] [blame]579 &psk_type, &session );
Jerry Yue95c8af2022-07-26 15:48:20 +0800[diff] [blame]580 if( ret != SSL_TLS1_3_OFFERED_PSK_MATCH )
Jerry Yu96a2e362022-07-21 15:11:34 +0800[diff] [blame]581 continue;
582
Jerry Yuf35ba382022-08-23 17:58:26 +0800[diff] [blame]583 MBEDTLS_SSL_DEBUG_MSG( 4, ( "found matched identity" ) );
Jerry Yu0baf9072022-08-25 11:21:04 +0800[diff] [blame]584 switch( psk_type )
585 {
586 case MBEDTLS_SSL_TLS1_3_PSK_EXTERNAL:
587 ret = ssl_tls13_select_ciphersuite_for_psk(
588 ssl, ciphersuites, ciphersuites_end,
589 &cipher_suite, &ciphersuite_info );
590 break;
591 case MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION:
Jerry Yu82534862022-08-30 10:42:33 +0800[diff] [blame]592#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Jerry Yu0baf9072022-08-25 11:21:04 +0800[diff] [blame]593 ret = ssl_tls13_select_ciphersuite_for_resumption(
Jerry Yu82534862022-08-30 10:42:33 +0800[diff] [blame]594 ssl, ciphersuites, ciphersuites_end, &session,
Jerry Yu0baf9072022-08-25 11:21:04 +0800[diff] [blame]595 &cipher_suite, &ciphersuite_info );
Jerry Yu4746b102022-09-13 11:11:48 +0800[diff] [blame]596 if( ret != 0 )
597 mbedtls_ssl_session_free( &session );
Jerry Yu82534862022-08-30 10:42:33 +0800[diff] [blame]598#else
599 ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
600#endif
Jerry Yu0baf9072022-08-25 11:21:04 +0800[diff] [blame]601 break;
602 default:
603 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
604 }
Jerry Yuf35ba382022-08-23 17:58:26 +0800[diff] [blame]605 if( ret != 0 )
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]606 {
Jerry Yuf35ba382022-08-23 17:58:26 +0800[diff] [blame]607 /* See below, no cipher_suite available, abort handshake */
608 MBEDTLS_SSL_PEND_FATAL_ALERT(
609 MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR,
610 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
611 MBEDTLS_SSL_DEBUG_RET(
Jerry Yu0baf9072022-08-25 11:21:04 +0800[diff] [blame]612 2, "ssl_tls13_select_ciphersuite", ret );
Jerry Yuf35ba382022-08-23 17:58:26 +0800[diff] [blame]613 return( ret );
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]614 }
615
Jerry Yu96a2e362022-07-21 15:11:34 +0800[diff] [blame]616 ret = ssl_tls13_offered_psks_check_binder_match(
Jerry Yu29d9faa2022-08-23 17:52:45 +0800[diff] [blame]617 ssl, binder, binder_len, psk_type,
618 mbedtls_psa_translate_md( ciphersuite_info->mac ) );
Jerry Yue9d4fc02022-08-20 19:21:15 +0800[diff] [blame]619 if( ret != SSL_TLS1_3_OFFERED_PSK_MATCH )
Jerry Yu96a2e362022-07-21 15:11:34 +0800[diff] [blame]620 {
Jerry Yuc5a23a02022-08-25 10:51:44 +0800[diff] [blame]621 /* For security reasons, the handshake should be aborted when we
622 * fail to validate a binder value. See RFC 8446 section 4.2.11.2
623 * and appendix E.6. */
Jerry Yu82534862022-08-30 10:42:33 +0800[diff] [blame]624#if defined(MBEDTLS_SSL_SESSION_TICKETS)
625 mbedtls_ssl_session_free( &session );
626#endif
Jerry Yuc5a23a02022-08-25 10:51:44 +0800[diff] [blame]627 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Invalid binder." ) );
Jerry Yu96a2e362022-07-21 15:11:34 +0800[diff] [blame]628 MBEDTLS_SSL_DEBUG_RET( 1,
629 "ssl_tls13_offered_psks_check_binder_match" , ret );
630 MBEDTLS_SSL_PEND_FATAL_ALERT(
631 MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR,
632 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
633 return( ret );
634 }
Jerry Yu96a2e362022-07-21 15:11:34 +0800[diff] [blame]635
636 matched_identity = identity_id;
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]637
638 /* Update handshake parameters */
Jerry Yue5834fd2022-08-29 20:16:09 +0800[diff] [blame]639 ssl->handshake->ciphersuite_info = ciphersuite_info;
Jerry Yu4746b102022-09-13 11:11:48 +0800[diff] [blame]640 ssl->session_negotiate->ciphersuite = cipher_suite;
Jerry Yue5834fd2022-08-29 20:16:09 +0800[diff] [blame]641 MBEDTLS_SSL_DEBUG_MSG( 2, ( "overwrite ciphersuite: %04x - %s",
642 cipher_suite, ciphersuite_info->name ) );
Jerry Yu82534862022-08-30 10:42:33 +0800[diff] [blame]643#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Jerry Yu82534862022-08-30 10:42:33 +0800[diff] [blame]644 if( psk_type == MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION )
645 {
Jerry Yuf7dad3c2022-09-14 22:31:39 +0800[diff] [blame]646 ret = ssl_tls13_session_copy_ticket( ssl->session_negotiate,
647 &session );
Jerry Yu82534862022-08-30 10:42:33 +0800[diff] [blame]648 mbedtls_ssl_session_free( &session );
649 if( ret != 0 )
650 return( ret );
651 }
652#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]653 }
654
Jerry Yu568ec252022-07-22 21:27:34 +0800[diff] [blame]655 if( p_identity_len != identities_end || p_binder_len != binders_end )
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]656 {
657 MBEDTLS_SSL_DEBUG_MSG( 3, ( "pre_shared_key extesion decode error" ) );
658 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
659 MBEDTLS_ERR_SSL_DECODE_ERROR );
660 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
661 }
662
Jerry Yu6f1db3f2022-07-22 23:05:59 +0800[diff] [blame]663 /* Update the handshake transcript with the binder list. */
664 ssl->handshake->update_checksum( ssl,
665 identities_end,
666 (size_t)( binders_end - identities_end ) );
Jerry Yu96a2e362022-07-21 15:11:34 +0800[diff] [blame]667 if( matched_identity == -1 )
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]668 {
Jerry Yue9d4fc02022-08-20 19:21:15 +0800[diff] [blame]669 MBEDTLS_SSL_DEBUG_MSG( 3, ( "No matched PSK or ticket." ) );
Jerry Yu96a2e362022-07-21 15:11:34 +0800[diff] [blame]670 return( MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY );
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]671 }
672
Jerry Yu96a2e362022-07-21 15:11:34 +0800[diff] [blame]673 ssl->handshake->selected_identity = (uint16_t)matched_identity;
674 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Pre shared key found" ) );
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]675
Jerry Yu96a2e362022-07-21 15:11:34 +0800[diff] [blame]676 return( 0 );
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]677}
Jerry Yu032b15ce2022-07-11 06:10:03 +0000[diff] [blame]678
679/*
680 * struct {
681 * select ( Handshake.msg_type ) {
682 * ....
683 * case server_hello:
684 * uint16 selected_identity;
685 * }
686 * } PreSharedKeyExtension;
687 */
Jerry Yubb852022022-07-20 21:10:44 +0800[diff] [blame]688static int ssl_tls13_write_server_pre_shared_key_ext( mbedtls_ssl_context *ssl,
689 unsigned char *buf,
690 unsigned char *end,
691 size_t *olen )
Jerry Yu032b15ce2022-07-11 06:10:03 +0000[diff] [blame]692{
693 unsigned char *p = (unsigned char*)buf;
Jerry Yu032b15ce2022-07-11 06:10:03 +0000[diff] [blame]694
695 *olen = 0;
696
697#if defined(MBEDTLS_USE_PSA_CRYPTO)
698 if( mbedtls_svc_key_id_is_null( ssl->handshake->psk_opaque ) )
699#else
700 if( ssl->handshake->psk == NULL )
701#endif
702 {
703 /* We shouldn't have called this extension writer unless we've
704 * chosen to use a PSK. */
705 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
706 }
707
708 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding pre_shared_key extension" ) );
709 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 6 );
710
Jerry Yu032b15ce2022-07-11 06:10:03 +0000[diff] [blame]711 MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_PRE_SHARED_KEY, p, 0 );
Jerry Yu032b15ce2022-07-11 06:10:03 +0000[diff] [blame]712 MBEDTLS_PUT_UINT16_BE( 2, p, 2 );
713
Jerry Yu96a2e362022-07-21 15:11:34 +0800[diff] [blame]714 MBEDTLS_PUT_UINT16_BE( ssl->handshake->selected_identity, p, 4 );
Jerry Yu032b15ce2022-07-11 06:10:03 +0000[diff] [blame]715
716 *olen = 6;
717
Jerry Yu96a2e362022-07-21 15:11:34 +0800[diff] [blame]718 MBEDTLS_SSL_DEBUG_MSG( 4, ( "sent selected_identity: %u",
719 ssl->handshake->selected_identity ) );
Jerry Yu032b15ce2022-07-11 06:10:03 +0000[diff] [blame]720
721 return( 0 );
722}
723
Jerry Yue19e3b92022-07-08 12:04:51 +0000[diff] [blame]724#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
725
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]726/* From RFC 8446:
727 * struct {
XiaokangQiancfd925f2022-04-14 07:10:37 +0000[diff] [blame]728 * ProtocolVersion versions<2..254>;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]729 * } SupportedVersions;
730 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]731MBEDTLS_CHECK_RETURN_CRITICAL
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]732static int ssl_tls13_parse_supported_versions_ext( mbedtls_ssl_context *ssl,
733 const unsigned char *buf,
734 const unsigned char *end )
735{
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]736 const unsigned char *p = buf;
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]737 size_t versions_len;
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]738 const unsigned char *versions_end;
XiaokangQian0a1b54e2022-04-21 03:01:38 +0000[diff] [blame]739 uint16_t tls_version;
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]740 int tls13_supported = 0;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]741
742 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 1 );
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]743 versions_len = p[0];
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]744 p += 1;
745
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]746 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, versions_len );
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]747 versions_end = p + versions_len;
748 while( p < versions_end )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]749 {
XiaokangQiancfd925f2022-04-14 07:10:37 +0000[diff] [blame]750 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, versions_end, 2 );
XiaokangQiande333912022-04-20 08:49:42 +0000[diff] [blame]751 tls_version = mbedtls_ssl_read_version( p, ssl->conf->transport );
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]752 p += 2;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]753
754 /* In this implementation we only support TLS 1.3 and DTLS 1.3. */
XiaokangQiande333912022-04-20 08:49:42 +0000[diff] [blame]755 if( tls_version == MBEDTLS_SSL_VERSION_TLS1_3 )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]756 {
757 tls13_supported = 1;
758 break;
759 }
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]760 }
761
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]762 if( !tls13_supported )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]763 {
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]764 MBEDTLS_SSL_DEBUG_MSG( 1, ( "TLS 1.3 is not supported by the client" ) );
765
766 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION,
767 MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION );
768 return( MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION );
769 }
770
XiaokangQiande333912022-04-20 08:49:42 +0000[diff] [blame]771 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Negotiated version. Supported is [%04x]",
XiaokangQian0a1b54e2022-04-21 03:01:38 +0000[diff] [blame]772 (unsigned int)tls_version ) );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]773
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]774 return( 0 );
775}
776
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]777#if defined(MBEDTLS_ECDH_C)
XiaokangQiane8ff3502022-04-22 02:34:40 +0000[diff] [blame]778/*
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]779 *
780 * From RFC 8446:
781 * enum {
782 * ... (0xFFFF)
783 * } NamedGroup;
784 * struct {
785 * NamedGroup named_group_list<2..2^16-1>;
786 * } NamedGroupList;
787 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]788MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yuc1be19f2022-04-23 16:11:39 +0800[diff] [blame]789static int ssl_tls13_parse_supported_groups_ext( mbedtls_ssl_context *ssl,
790 const unsigned char *buf,
791 const unsigned char *end )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]792{
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]793 const unsigned char *p = buf;
XiaokangQian84823772022-04-19 07:57:30 +0000[diff] [blame]794 size_t named_group_list_len;
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]795 const unsigned char *named_group_list_end;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]796
797 MBEDTLS_SSL_DEBUG_BUF( 3, "supported_groups extension", p, end - buf );
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]798 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]799 named_group_list_len = MBEDTLS_GET_UINT16_BE( p, 0 );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]800 p += 2;
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]801 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, named_group_list_len );
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]802 named_group_list_end = p + named_group_list_len;
XiaokangQian4e8cd7b2022-04-21 09:48:09 +0000[diff] [blame]803 ssl->handshake->hrr_selected_group = 0;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]804
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]805 while( p < named_group_list_end )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]806 {
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]807 uint16_t named_group;
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]808 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, named_group_list_end, 2 );
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]809 named_group = MBEDTLS_GET_UINT16_BE( p, 0 );
810 p += 2;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]811
Jerry Yuc1be19f2022-04-23 16:11:39 +0800[diff] [blame]812 MBEDTLS_SSL_DEBUG_MSG( 2,
813 ( "got named group: %s(%04x)",
814 mbedtls_ssl_named_group_to_str( named_group ),
815 named_group ) );
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]816
817 if( ! mbedtls_ssl_named_group_is_offered( ssl, named_group ) ||
818 ! mbedtls_ssl_named_group_is_supported( named_group ) ||
XiaokangQian4e8cd7b2022-04-21 09:48:09 +0000[diff] [blame]819 ssl->handshake->hrr_selected_group != 0 )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]820 {
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]821 continue;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]822 }
823
Jerry Yuc1be19f2022-04-23 16:11:39 +0800[diff] [blame]824 MBEDTLS_SSL_DEBUG_MSG( 2,
825 ( "add named group %s(%04x) into received list.",
826 mbedtls_ssl_named_group_to_str( named_group ),
827 named_group ) );
828
XiaokangQian4e8cd7b2022-04-21 09:48:09 +0000[diff] [blame]829 ssl->handshake->hrr_selected_group = named_group;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]830 }
831
832 return( 0 );
833
834}
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]835#endif /* MBEDTLS_ECDH_C */
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]836
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]837#define SSL_TLS1_3_PARSE_KEY_SHARES_EXT_NO_MATCH 1
838
XiaokangQian88408882022-04-02 10:15:03 +0000[diff] [blame]839#if defined(MBEDTLS_ECDH_C)
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]840/*
841 * ssl_tls13_parse_key_shares_ext() verifies whether the information in the
XiaokangQiane8ff3502022-04-22 02:34:40 +0000[diff] [blame]842 * extension is correct and stores the first acceptable key share and its associated group.
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]843 *
844 * Possible return values are:
845 * - 0: Successful processing of the client provided key share extension.
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]846 * - SSL_TLS1_3_PARSE_KEY_SHARES_EXT_NO_MATCH: The key shares provided by the client
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]847 * does not match a group supported by the server. A HelloRetryRequest will
848 * be needed.
XiaokangQiane8ff3502022-04-22 02:34:40 +0000[diff] [blame]849 * - A negative value for fatal errors.
Jerry Yuc1be19f2022-04-23 16:11:39 +0800[diff] [blame]850 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]851MBEDTLS_CHECK_RETURN_CRITICAL
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]852static int ssl_tls13_parse_key_shares_ext( mbedtls_ssl_context *ssl,
853 const unsigned char *buf,
854 const unsigned char *end )
855{
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]856 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]857 unsigned char const *p = buf;
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]858 unsigned char const *client_shares_end;
Jerry Yuc1be19f2022-04-23 16:11:39 +0800[diff] [blame]859 size_t client_shares_len;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]860
861 /* From RFC 8446:
862 *
863 * struct {
864 * KeyShareEntry client_shares<0..2^16-1>;
865 * } KeyShareClientHello;
866 *
867 */
868
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]869 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]870 client_shares_len = MBEDTLS_GET_UINT16_BE( p, 0 );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]871 p += 2;
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]872 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, client_shares_len );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]873
874 ssl->handshake->offered_group_id = 0;
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]875 client_shares_end = p + client_shares_len;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]876
877 /* We try to find a suitable key share entry and copy it to the
878 * handshake context. Later, we have to find out whether we can do
879 * something with the provided key share or whether we have to
XiaokangQianc5763b52022-04-02 03:34:37 +0000[diff] [blame]880 * dismiss it and send a HelloRetryRequest message.
881 */
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]882
Jerry Yuc1be19f2022-04-23 16:11:39 +0800[diff] [blame]883 while( p < client_shares_end )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]884 {
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000[diff] [blame]885 uint16_t group;
Jerry Yuc1be19f2022-04-23 16:11:39 +0800[diff] [blame]886 size_t key_exchange_len;
Jerry Yu086edc22022-05-05 10:50:38 +0800[diff] [blame]887 const unsigned char *key_exchange;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]888
889 /*
890 * struct {
891 * NamedGroup group;
892 * opaque key_exchange<1..2^16-1>;
893 * } KeyShareEntry;
894 */
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]895 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, client_shares_end, 4 );
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000[diff] [blame]896 group = MBEDTLS_GET_UINT16_BE( p, 0 );
Jerry Yuc1be19f2022-04-23 16:11:39 +0800[diff] [blame]897 key_exchange_len = MBEDTLS_GET_UINT16_BE( p, 2 );
898 p += 4;
Jerry Yu086edc22022-05-05 10:50:38 +0800[diff] [blame]899 key_exchange = p;
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]900 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, client_shares_end, key_exchange_len );
Jerry Yu086edc22022-05-05 10:50:38 +0800[diff] [blame]901 p += key_exchange_len;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]902
903 /* Continue parsing even if we have already found a match,
XiaokangQianc5763b52022-04-02 03:34:37 +0000[diff] [blame]904 * for input validation purposes.
905 */
XiaokangQian060d8672022-04-21 09:24:56 +0000[diff] [blame]906 if( ! mbedtls_ssl_named_group_is_offered( ssl, group ) ||
Jerry Yuc1be19f2022-04-23 16:11:39 +0800[diff] [blame]907 ! mbedtls_ssl_named_group_is_supported( group ) ||
908 ssl->handshake->offered_group_id != 0 )
XiaokangQian060d8672022-04-21 09:24:56 +0000[diff] [blame]909 {
910 continue;
911 }
XiaokangQian060d8672022-04-21 09:24:56 +0000[diff] [blame]912
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]913 /*
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]914 * For now, we only support ECDHE groups.
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]915 */
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000[diff] [blame]916 if( mbedtls_ssl_tls13_named_group_is_ecdhe( group ) )
917 {
Jerry Yuc1be19f2022-04-23 16:11:39 +0800[diff] [blame]918 MBEDTLS_SSL_DEBUG_MSG( 2, ( "ECDH group: %s (%04x)",
919 mbedtls_ssl_named_group_to_str( group ),
920 group ) );
XiaokangQian318dc762022-04-20 09:43:51 +0000[diff] [blame]921 ret = mbedtls_ssl_tls13_read_public_ecdhe_share(
Jerry Yu086edc22022-05-05 10:50:38 +0800[diff] [blame]922 ssl, key_exchange - 2, key_exchange_len + 2 );
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000[diff] [blame]923 if( ret != 0 )
924 return( ret );
XiaokangQian4e8cd7b2022-04-21 09:48:09 +0000[diff] [blame]925
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000[diff] [blame]926 }
927 else
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]928 {
929 MBEDTLS_SSL_DEBUG_MSG( 4, ( "Unrecognized NamedGroup %u",
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000[diff] [blame]930 (unsigned) group ) );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]931 continue;
932 }
933
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000[diff] [blame]934 ssl->handshake->offered_group_id = group;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]935 }
936
Jerry Yuc1be19f2022-04-23 16:11:39 +0800[diff] [blame]937
938 if( ssl->handshake->offered_group_id == 0 )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]939 {
940 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no matching key share" ) );
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]941 return( SSL_TLS1_3_PARSE_KEY_SHARES_EXT_NO_MATCH );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]942 }
943 return( 0 );
944}
XiaokangQian88408882022-04-02 10:15:03 +0000[diff] [blame]945#endif /* MBEDTLS_ECDH_C */
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]946
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]947#if defined(MBEDTLS_DEBUG_C)
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]948static void ssl_tls13_debug_print_client_hello_exts( mbedtls_ssl_context *ssl )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]949{
XiaokangQian3207a322022-02-23 03:15:27 +0000[diff] [blame]950 ((void) ssl);
951
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]952 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Supported Extensions:" ) );
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]953 MBEDTLS_SSL_DEBUG_MSG( 3,
954 ( "- KEY_SHARE_EXTENSION ( %s )",
955 ( ( ssl->handshake->extensions_present
956 & MBEDTLS_SSL_EXT_KEY_SHARE ) > 0 ) ? "TRUE" : "FALSE" ) );
957 MBEDTLS_SSL_DEBUG_MSG( 3,
958 ( "- PSK_KEY_EXCHANGE_MODES_EXTENSION ( %s )",
959 ( ( ssl->handshake->extensions_present
960 & MBEDTLS_SSL_EXT_PSK_KEY_EXCHANGE_MODES ) > 0 ) ?
961 "TRUE" : "FALSE" ) );
962 MBEDTLS_SSL_DEBUG_MSG( 3,
963 ( "- PRE_SHARED_KEY_EXTENSION ( %s )",
964 ( ( ssl->handshake->extensions_present
965 & MBEDTLS_SSL_EXT_PRE_SHARED_KEY ) > 0 ) ? "TRUE" : "FALSE" ) );
966 MBEDTLS_SSL_DEBUG_MSG( 3,
967 ( "- SIGNATURE_ALGORITHM_EXTENSION ( %s )",
968 ( ( ssl->handshake->extensions_present
969 & MBEDTLS_SSL_EXT_SIG_ALG ) > 0 ) ? "TRUE" : "FALSE" ) );
970 MBEDTLS_SSL_DEBUG_MSG( 3,
971 ( "- SUPPORTED_GROUPS_EXTENSION ( %s )",
972 ( ( ssl->handshake->extensions_present
973 & MBEDTLS_SSL_EXT_SUPPORTED_GROUPS ) >0 ) ?
974 "TRUE" : "FALSE" ) );
975 MBEDTLS_SSL_DEBUG_MSG( 3,
976 ( "- SUPPORTED_VERSION_EXTENSION ( %s )",
977 ( ( ssl->handshake->extensions_present
978 & MBEDTLS_SSL_EXT_SUPPORTED_VERSIONS ) > 0 ) ?
979 "TRUE" : "FALSE" ) );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]980#if defined ( MBEDTLS_SSL_SERVER_NAME_INDICATION )
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]981 MBEDTLS_SSL_DEBUG_MSG( 3,
982 ( "- SERVERNAME_EXTENSION ( %s )",
983 ( ( ssl->handshake->extensions_present
984 & MBEDTLS_SSL_EXT_SERVERNAME ) > 0 ) ?
985 "TRUE" : "FALSE" ) );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]986#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
XiaokangQianacb39922022-06-17 10:18:48 +0000[diff] [blame]987#if defined ( MBEDTLS_SSL_ALPN )
988 MBEDTLS_SSL_DEBUG_MSG( 3,
989 ( "- ALPN_EXTENSION ( %s )",
990 ( ( ssl->handshake->extensions_present
991 & MBEDTLS_SSL_EXT_ALPN ) > 0 ) ?
992 "TRUE" : "FALSE" ) );
993#endif /* MBEDTLS_SSL_ALPN */
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]994}
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]995#endif /* MBEDTLS_DEBUG_C */
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]996
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]997MBEDTLS_CHECK_RETURN_CRITICAL
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]998static int ssl_tls13_client_hello_has_exts( mbedtls_ssl_context *ssl,
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]999 int exts_mask )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1000{
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]1001 int masked = ssl->handshake->extensions_present & exts_mask;
1002 return( masked == exts_mask );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1003}
1004
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1005MBEDTLS_CHECK_RETURN_CRITICAL
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]1006static int ssl_tls13_client_hello_has_exts_for_ephemeral_key_exchange(
1007 mbedtls_ssl_context *ssl )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1008{
Jerry Yu77f01482022-07-11 07:03:24 +0000[diff] [blame]1009 return( ssl_tls13_client_hello_has_exts(
1010 ssl,
1011 MBEDTLS_SSL_EXT_SUPPORTED_GROUPS |
1012 MBEDTLS_SSL_EXT_KEY_SHARE |
1013 MBEDTLS_SSL_EXT_SIG_ALG ) );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1014}
1015
Jerry Yu77f01482022-07-11 07:03:24 +0000[diff] [blame]1016#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
1017MBEDTLS_CHECK_RETURN_CRITICAL
1018static int ssl_tls13_client_hello_has_exts_for_psk_key_exchange(
1019 mbedtls_ssl_context *ssl )
1020{
1021 return( ssl_tls13_client_hello_has_exts(
1022 ssl,
1023 MBEDTLS_SSL_EXT_PRE_SHARED_KEY |
1024 MBEDTLS_SSL_EXT_PSK_KEY_EXCHANGE_MODES ) );
1025}
1026
1027MBEDTLS_CHECK_RETURN_CRITICAL
1028static int ssl_tls13_client_hello_has_exts_for_psk_ephemeral_key_exchange(
1029 mbedtls_ssl_context *ssl )
1030{
1031 return( ssl_tls13_client_hello_has_exts(
1032 ssl,
1033 MBEDTLS_SSL_EXT_SUPPORTED_GROUPS |
1034 MBEDTLS_SSL_EXT_KEY_SHARE |
1035 MBEDTLS_SSL_EXT_PRE_SHARED_KEY |
1036 MBEDTLS_SSL_EXT_PSK_KEY_EXCHANGE_MODES ) );
1037}
1038#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
1039
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1040MBEDTLS_CHECK_RETURN_CRITICAL
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]1041static int ssl_tls13_check_ephemeral_key_exchange( mbedtls_ssl_context *ssl )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1042{
Jerry Yu77f01482022-07-11 07:03:24 +0000[diff] [blame]1043 return( mbedtls_ssl_conf_tls13_ephemeral_enabled( ssl ) &&
1044 ssl_tls13_client_hello_has_exts_for_ephemeral_key_exchange( ssl ) );
1045}
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1046
Jerry Yu77f01482022-07-11 07:03:24 +0000[diff] [blame]1047MBEDTLS_CHECK_RETURN_CRITICAL
1048static int ssl_tls13_check_psk_key_exchange( mbedtls_ssl_context *ssl )
1049{
1050#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
1051 return( mbedtls_ssl_conf_tls13_psk_enabled( ssl ) &&
1052 mbedtls_ssl_tls13_psk_enabled( ssl ) &&
1053 ssl_tls13_client_hello_has_exts_for_psk_key_exchange( ssl ) );
1054#else
1055 ((void) ssl);
1056 return( 0 );
1057#endif
1058}
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1059
Jerry Yu77f01482022-07-11 07:03:24 +0000[diff] [blame]1060MBEDTLS_CHECK_RETURN_CRITICAL
1061static int ssl_tls13_check_psk_ephemeral_key_exchange( mbedtls_ssl_context *ssl )
1062{
1063#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
1064 return( mbedtls_ssl_conf_tls13_psk_ephemeral_enabled( ssl ) &&
1065 mbedtls_ssl_tls13_psk_ephemeral_enabled( ssl ) &&
1066 ssl_tls13_client_hello_has_exts_for_psk_ephemeral_key_exchange( ssl ) );
1067#else
1068 ((void) ssl);
1069 return( 0 );
1070#endif
1071}
1072
1073static int ssl_tls13_determine_key_exchange_mode( mbedtls_ssl_context *ssl )
1074{
1075 /*
1076 * Determine the key exchange algorithm to use.
1077 * There are three types of key exchanges supported in TLS 1.3:
1078 * - (EC)DH with ECDSA,
1079 * - (EC)DH with PSK,
1080 * - plain PSK.
1081 *
1082 * The PSK-based key exchanges may additionally be used with 0-RTT.
1083 *
1084 * Our built-in order of preference is
Jerry Yuce6ed702022-07-22 21:49:53 +0800[diff] [blame]1085 * 1 ) (EC)DHE-PSK Mode ( psk_ephemeral )
1086 * 2 ) Certificate Mode ( ephemeral )
1087 * 3 ) Plain PSK Mode ( psk )
Jerry Yu77f01482022-07-11 07:03:24 +0000[diff] [blame]1088 */
1089
1090 ssl->handshake->key_exchange_mode = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_NONE;
1091
Jerry Yu77f01482022-07-11 07:03:24 +0000[diff] [blame]1092 if( ssl_tls13_check_psk_ephemeral_key_exchange( ssl ) )
1093 {
1094 ssl->handshake->key_exchange_mode =
1095 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL;
1096 MBEDTLS_SSL_DEBUG_MSG( 2, ( "key exchange mode: psk_ephemeral" ) );
1097 }
1098 else
1099 if( ssl_tls13_check_ephemeral_key_exchange( ssl ) )
1100 {
1101 ssl->handshake->key_exchange_mode =
1102 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL;
1103 MBEDTLS_SSL_DEBUG_MSG( 2, ( "key exchange mode: ephemeral" ) );
1104 }
1105 else
Jerry Yuce6ed702022-07-22 21:49:53 +0800[diff] [blame]1106 if( ssl_tls13_check_psk_key_exchange( ssl ) )
1107 {
1108 ssl->handshake->key_exchange_mode =
1109 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK;
1110 MBEDTLS_SSL_DEBUG_MSG( 2, ( "key exchange mode: psk" ) );
1111 }
1112 else
Jerry Yu77f01482022-07-11 07:03:24 +0000[diff] [blame]1113 {
1114 MBEDTLS_SSL_DEBUG_MSG(
1115 1,
1116 ( "ClientHello message misses mandatory extensions." ) );
1117 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_MISSING_EXTENSION ,
1118 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
1119 return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
1120 }
1121
1122 return( 0 );
1123
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1124}
1125
XiaokangQian81802f42022-06-10 13:25:22 +0000[diff] [blame]1126#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
1127 defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Ronald Cron67ea2542022-09-15 17:34:42 +0200[diff] [blame]1128
1129#if defined(MBEDTLS_USE_PSA_CRYPTO)
1130static psa_algorithm_t ssl_tls13_iana_sig_alg_to_psa_alg( uint16_t sig_alg )
1131{
1132 switch( sig_alg )
1133 {
1134 case MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256:
1135 return( PSA_ALG_ECDSA( PSA_ALG_SHA_256 ) );
1136 case MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384:
1137 return( PSA_ALG_ECDSA( PSA_ALG_SHA_384 ) );
1138 case MBEDTLS_TLS1_3_SIG_ECDSA_SECP521R1_SHA512:
1139 return( PSA_ALG_ECDSA( PSA_ALG_SHA_512 ) );
1140 case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256:
1141 return( PSA_ALG_RSA_PSS( PSA_ALG_SHA_256 ) );
1142 case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384:
1143 return( PSA_ALG_RSA_PSS( PSA_ALG_SHA_384 ) );
1144 case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512:
1145 return( PSA_ALG_RSA_PSS( PSA_ALG_SHA_512 ) );
1146 case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256:
Ronald Cronb72dac42022-09-27 08:56:47 +0200[diff] [blame]1147 return( PSA_ALG_RSA_PKCS1V15_SIGN( PSA_ALG_SHA_256 ) );
Ronald Cron67ea2542022-09-15 17:34:42 +0200[diff] [blame]1148 case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA384:
Ronald Cronb72dac42022-09-27 08:56:47 +0200[diff] [blame]1149 return( PSA_ALG_RSA_PKCS1V15_SIGN( PSA_ALG_SHA_384 ) );
Ronald Cron67ea2542022-09-15 17:34:42 +0200[diff] [blame]1150 case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA512:
Ronald Cronb72dac42022-09-27 08:56:47 +0200[diff] [blame]1151 return( PSA_ALG_RSA_PKCS1V15_SIGN( PSA_ALG_SHA_512 ) );
Ronald Cron67ea2542022-09-15 17:34:42 +0200[diff] [blame]1152 default:
1153 return( PSA_ALG_NONE );
1154 }
1155}
1156#endif /* MBEDTLS_USE_PSA_CRYPTO */
1157
XiaokangQian23c5be62022-06-07 02:04:34 +0000[diff] [blame]1158/*
XiaokangQianfb665a82022-06-15 03:57:21 +0000[diff] [blame]1159 * Pick best ( private key, certificate chain ) pair based on the signature
1160 * algorithms supported by the client.
XiaokangQian23c5be62022-06-07 02:04:34 +0000[diff] [blame]1161 */
Ronald Cronce7d76e2022-07-08 18:56:49 +0200[diff] [blame]1162MBEDTLS_CHECK_RETURN_CRITICAL
XiaokangQian07aad072022-06-14 05:35:09 +0000[diff] [blame]1163static int ssl_tls13_pick_key_cert( mbedtls_ssl_context *ssl )
XiaokangQian23c5be62022-06-07 02:04:34 +0000[diff] [blame]1164{
XiaokangQianfb665a82022-06-15 03:57:21 +0000[diff] [blame]1165 mbedtls_ssl_key_cert *key_cert, *key_cert_list;
XiaokangQian81802f42022-06-10 13:25:22 +0000[diff] [blame]1166 const uint16_t *sig_alg = ssl->handshake->received_sig_algs;
XiaokangQian23c5be62022-06-07 02:04:34 +0000[diff] [blame]1167
1168#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
1169 if( ssl->handshake->sni_key_cert != NULL )
XiaokangQianfb665a82022-06-15 03:57:21 +0000[diff] [blame]1170 key_cert_list = ssl->handshake->sni_key_cert;
XiaokangQian23c5be62022-06-07 02:04:34 +0000[diff] [blame]1171 else
1172#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
XiaokangQianfb665a82022-06-15 03:57:21 +0000[diff] [blame]1173 key_cert_list = ssl->conf->key_cert;
XiaokangQian23c5be62022-06-07 02:04:34 +0000[diff] [blame]1174
XiaokangQianfb665a82022-06-15 03:57:21 +0000[diff] [blame]1175 if( key_cert_list == NULL )
XiaokangQian23c5be62022-06-07 02:04:34 +0000[diff] [blame]1176 {
1177 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server has no certificate" ) );
1178 return( -1 );
1179 }
1180
XiaokangQian81802f42022-06-10 13:25:22 +0000[diff] [blame]1181 for( ; *sig_alg != MBEDTLS_TLS1_3_SIG_NONE; sig_alg++ )
XiaokangQian23c5be62022-06-07 02:04:34 +0000[diff] [blame]1182 {
Ronald Cron67ea2542022-09-15 17:34:42 +0200[diff] [blame]1183 if( !mbedtls_ssl_sig_alg_is_offered( ssl, *sig_alg ) )
1184 continue;
1185
1186 if( !mbedtls_ssl_tls13_sig_alg_for_cert_verify_is_supported( *sig_alg ) )
1187 continue;
1188
XiaokangQianfb665a82022-06-15 03:57:21 +0000[diff] [blame]1189 for( key_cert = key_cert_list; key_cert != NULL;
1190 key_cert = key_cert->next )
XiaokangQian23c5be62022-06-07 02:04:34 +0000[diff] [blame]1191 {
Ronald Cron67ea2542022-09-15 17:34:42 +0200[diff] [blame]1192#if defined(MBEDTLS_USE_PSA_CRYPTO)
1193 psa_algorithm_t psa_alg = PSA_ALG_NONE;
1194#endif /* MBEDTLS_USE_PSA_CRYPTO */
1195
XiaokangQianfb665a82022-06-15 03:57:21 +0000[diff] [blame]1196 MBEDTLS_SSL_DEBUG_CRT( 3, "certificate (chain) candidate",
1197 key_cert->cert );
XiaokangQian81802f42022-06-10 13:25:22 +0000[diff] [blame]1198
1199 /*
1200 * This avoids sending the client a cert it'll reject based on
1201 * keyUsage or other extensions.
1202 */
1203 if( mbedtls_x509_crt_check_key_usage(
XiaokangQianfb665a82022-06-15 03:57:21 +0000[diff] [blame]1204 key_cert->cert, MBEDTLS_X509_KU_DIGITAL_SIGNATURE ) != 0 ||
XiaokangQian81802f42022-06-10 13:25:22 +0000[diff] [blame]1205 mbedtls_x509_crt_check_extended_key_usage(
XiaokangQianfb665a82022-06-15 03:57:21 +0000[diff] [blame]1206 key_cert->cert, MBEDTLS_OID_SERVER_AUTH,
1207 MBEDTLS_OID_SIZE( MBEDTLS_OID_SERVER_AUTH ) ) != 0 )
XiaokangQian81802f42022-06-10 13:25:22 +0000[diff] [blame]1208 {
1209 MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate mismatch: "
XiaokangQianfb665a82022-06-15 03:57:21 +0000[diff] [blame]1210 "(extended) key usage extension" ) );
XiaokangQian81802f42022-06-10 13:25:22 +0000[diff] [blame]1211 continue;
1212 }
XiaokangQian23c5be62022-06-07 02:04:34 +0000[diff] [blame]1213
Jerry Yucc539102022-06-27 16:27:35 +0800[diff] [blame]1214 MBEDTLS_SSL_DEBUG_MSG( 3,
1215 ( "ssl_tls13_pick_key_cert:"
1216 "check signature algorithm %s [%04x]",
1217 mbedtls_ssl_sig_alg_to_str( *sig_alg ),
1218 *sig_alg ) );
Ronald Cron67ea2542022-09-15 17:34:42 +0200[diff] [blame]1219#if defined(MBEDTLS_USE_PSA_CRYPTO)
1220 psa_alg = ssl_tls13_iana_sig_alg_to_psa_alg( *sig_alg );
1221#endif /* MBEDTLS_USE_PSA_CRYPTO */
1222
Jerry Yufb526692022-06-19 11:22:49 +0800[diff] [blame]1223 if( mbedtls_ssl_tls13_check_sig_alg_cert_key_match(
Ronald Cron67ea2542022-09-15 17:34:42 +0200[diff] [blame]1224 *sig_alg, &key_cert->cert->pk )
1225#if defined(MBEDTLS_USE_PSA_CRYPTO)
1226 && psa_alg != PSA_ALG_NONE &&
1227 mbedtls_pk_can_do_ext( &key_cert->cert->pk, psa_alg,
1228 PSA_KEY_USAGE_SIGN_HASH ) == 1
1229#endif /* MBEDTLS_USE_PSA_CRYPTO */
1230 )
XiaokangQian81802f42022-06-10 13:25:22 +0000[diff] [blame]1231 {
XiaokangQianfb665a82022-06-15 03:57:21 +0000[diff] [blame]1232 ssl->handshake->key_cert = key_cert;
Jerry Yucc539102022-06-27 16:27:35 +0800[diff] [blame]1233 MBEDTLS_SSL_DEBUG_MSG( 3,
1234 ( "ssl_tls13_pick_key_cert:"
1235 "selected signature algorithm"
1236 " %s [%04x]",
1237 mbedtls_ssl_sig_alg_to_str( *sig_alg ),
1238 *sig_alg ) );
XiaokangQianfb665a82022-06-15 03:57:21 +0000[diff] [blame]1239 MBEDTLS_SSL_DEBUG_CRT(
XiaokangQian75fe8c72022-06-15 09:42:45 +0000[diff] [blame]1240 3, "selected certificate (chain)",
XiaokangQianfb665a82022-06-15 03:57:21 +0000[diff] [blame]1241 ssl->handshake->key_cert->cert );
XiaokangQian81802f42022-06-10 13:25:22 +0000[diff] [blame]1242 return( 0 );
1243 }
XiaokangQian81802f42022-06-10 13:25:22 +0000[diff] [blame]1244 }
XiaokangQian23c5be62022-06-07 02:04:34 +0000[diff] [blame]1245 }
1246
Jerry Yu9d3e2fa2022-06-27 22:14:01 +0800[diff] [blame]1247 MBEDTLS_SSL_DEBUG_MSG( 2, ( "ssl_tls13_pick_key_cert:"
1248 "no suitable certificate found" ) );
XiaokangQian23c5be62022-06-07 02:04:34 +0000[diff] [blame]1249 return( -1 );
1250}
XiaokangQian81802f42022-06-10 13:25:22 +0000[diff] [blame]1251#endif /* MBEDTLS_X509_CRT_PARSE_C &&
1252 MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
XiaokangQian23c5be62022-06-07 02:04:34 +0000[diff] [blame]1253
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]1254/*
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]1255 *
1256 * STATE HANDLING: ClientHello
1257 *
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]1258 * There are three possible classes of outcomes when parsing the ClientHello:
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]1259 *
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]1260 * 1) The ClientHello was well-formed and matched the server's configuration.
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]1261 *
1262 * In this case, the server progresses to sending its ServerHello.
1263 *
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]1264 * 2) The ClientHello was well-formed but didn't match the server's
1265 * configuration.
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]1266 *
1267 * For example, the client might not have offered a key share which
1268 * the server supports, or the server might require a cookie.
1269 *
1270 * In this case, the server sends a HelloRetryRequest.
1271 *
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]1272 * 3) The ClientHello was ill-formed
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]1273 *
1274 * In this case, we abort the handshake.
1275 *
1276 */
1277
1278/*
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]1279 * Structure of this message:
1280 *
XiaokangQiane8ff3502022-04-22 02:34:40 +0000[diff] [blame]1281 * uint16 ProtocolVersion;
1282 * opaque Random[32];
1283 * uint8 CipherSuite[2]; // Cryptographic suite selector
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]1284 *
XiaokangQiane8ff3502022-04-22 02:34:40 +0000[diff] [blame]1285 * struct {
1286 * ProtocolVersion legacy_version = 0x0303; // TLS v1.2
1287 * Random random;
1288 * opaque legacy_session_id<0..32>;
1289 * CipherSuite cipher_suites<2..2^16-2>;
1290 * opaque legacy_compression_methods<1..2^8-1>;
1291 * Extension extensions<8..2^16-1>;
1292 * } ClientHello;
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]1293 */
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]1294
1295#define SSL_CLIENT_HELLO_OK 0
1296#define SSL_CLIENT_HELLO_HRR_REQUIRED 1
1297
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1298MBEDTLS_CHECK_RETURN_CRITICAL
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]1299static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl,
1300 const unsigned char *buf,
1301 const unsigned char *end )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1302{
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]1303 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1304 const unsigned char *p = buf;
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]1305 size_t legacy_session_id_len;
XiaokangQian318dc762022-04-20 09:43:51 +0000[diff] [blame]1306 size_t cipher_suites_len;
XiaokangQian060d8672022-04-21 09:24:56 +0000[diff] [blame]1307 const unsigned char *cipher_suites_end;
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]1308 size_t extensions_len;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1309 const unsigned char *extensions_end;
Jerry Yu49ca9282022-05-05 11:05:22 +0800[diff] [blame]1310 int hrr_required = 0;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1311
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]1312#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]1313 const unsigned char *cipher_suites;
Jerry Yu29d9faa2022-08-23 17:52:45 +0800[diff] [blame]1314 const unsigned char *pre_shared_key_ext = NULL;
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]1315 const unsigned char *pre_shared_key_ext_end = NULL;
1316#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1317
1318 ssl->handshake->extensions_present = MBEDTLS_SSL_EXT_NONE;
1319
1320 /*
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]1321 * ClientHello layout:
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1322 * 0 . 1 protocol version
XiaokangQiane8ff3502022-04-22 02:34:40 +0000[diff] [blame]1323 * 2 . 33 random bytes
XiaokangQianc5763b52022-04-02 03:34:37 +0000[diff] [blame]1324 * 34 . 34 session id length ( 1 byte )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1325 * 35 . 34+x session id
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1326 * .. . .. ciphersuite list length ( 2 bytes )
1327 * .. . .. ciphersuite list
1328 * .. . .. compression alg. list length ( 1 byte )
1329 * .. . .. compression alg. list
1330 * .. . .. extensions length ( 2 bytes, optional )
1331 * .. . .. extensions ( optional )
1332 */
1333
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]1334 /*
bootstrap-prime6dbbf442022-05-17 19:30:44 -0400[diff] [blame]1335 * Minimal length ( with everything empty and extensions omitted ) is
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1336 * 2 + 32 + 1 + 2 + 1 = 38 bytes. Check that first, so that we can
1337 * read at least up to session id length without worrying.
1338 */
1339 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 38 );
1340
1341 /* ...
1342 * ProtocolVersion legacy_version = 0x0303; // TLS 1.2
1343 * ...
1344 * with ProtocolVersion defined as:
1345 * uint16 ProtocolVersion;
1346 */
XiaokangQiande333912022-04-20 08:49:42 +0000[diff] [blame]1347 if( mbedtls_ssl_read_version( p, ssl->conf->transport ) !=
1348 MBEDTLS_SSL_VERSION_TLS1_2 )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1349 {
1350 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Unsupported version of TLS." ) );
1351 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION,
1352 MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION );
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]1353 return ( MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1354 }
1355 p += 2;
1356
1357 /*
XiaokangQianf8ceb942022-04-15 11:43:27 +0000[diff] [blame]1358 * Only support TLS 1.3 currently, temporarily set the version.
1359 */
XiaokangQiande333912022-04-20 08:49:42 +0000[diff] [blame]1360 ssl->tls_version = MBEDTLS_SSL_VERSION_TLS1_3;
XiaokangQianf8ceb942022-04-15 11:43:27 +0000[diff] [blame]1361
Jerry Yue67bef42022-07-07 07:29:42 +0000[diff] [blame]1362#if defined(MBEDTLS_SSL_SESSION_TICKETS)
1363 /* Store minor version for later use with ticket serialization. */
1364 ssl->session_negotiate->tls_version = MBEDTLS_SSL_VERSION_TLS1_3;
Jerry Yua66fece2022-07-13 14:30:29 +0800[diff] [blame]1365 ssl->session_negotiate->endpoint = ssl->conf->endpoint;
Jerry Yufca4d572022-07-21 10:37:48 +0800[diff] [blame]1366#endif
Jerry Yue67bef42022-07-07 07:29:42 +0000[diff] [blame]1367
Jerry Yuc1be19f2022-04-23 16:11:39 +0800[diff] [blame]1368 /* ...
1369 * Random random;
1370 * ...
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]1371 * with Random defined as:
1372 * opaque Random[32];
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1373 */
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]1374 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, random bytes",
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]1375 p, MBEDTLS_CLIENT_HELLO_RANDOM_LEN );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1376
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]1377 memcpy( &ssl->handshake->randbytes[0], p, MBEDTLS_CLIENT_HELLO_RANDOM_LEN );
1378 p += MBEDTLS_CLIENT_HELLO_RANDOM_LEN;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1379
Jerry Yuc1be19f2022-04-23 16:11:39 +0800[diff] [blame]1380 /* ...
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]1381 * opaque legacy_session_id<0..32>;
Jerry Yuc1be19f2022-04-23 16:11:39 +0800[diff] [blame]1382 * ...
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1383 */
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]1384 legacy_session_id_len = p[0];
XiaokangQianc5763b52022-04-02 03:34:37 +0000[diff] [blame]1385 p++;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1386
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]1387 if( legacy_session_id_len > sizeof( ssl->session_negotiate->id ) )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1388 {
1389 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1390 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
1391 }
1392
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]1393 ssl->session_negotiate->id_len = legacy_session_id_len;
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]1394 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, session id",
XiaokangQiane8ff3502022-04-22 02:34:40 +0000[diff] [blame]1395 p, legacy_session_id_len );
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]1396 /*
1397 * Check we have enough data for the legacy session identifier
Jerry Yue95c8af2022-07-26 15:48:20 +0800[diff] [blame]1398 * and the ciphersuite list length.
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]1399 */
1400 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, legacy_session_id_len + 2 );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1401
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]1402 memcpy( &ssl->session_negotiate->id[0], p, legacy_session_id_len );
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]1403 p += legacy_session_id_len;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1404
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1405 cipher_suites_len = MBEDTLS_GET_UINT16_BE( p, 0 );
1406 p += 2;
1407
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]1408 /* Check we have enough data for the ciphersuite list, the legacy
1409 * compression methods and the length of the extensions.
Jerry Yue95c8af2022-07-26 15:48:20 +0800[diff] [blame]1410 *
1411 * cipher_suites cipher_suites_len bytes
1412 * legacy_compression_methods 2 bytes
1413 * extensions_len 2 bytes
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]1414 */
1415 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, cipher_suites_len + 2 + 2 );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1416
Jerry Yu24b8c812022-08-20 19:06:56 +0800[diff] [blame]1417 /* ...
1418 * CipherSuite cipher_suites<2..2^16-2>;
1419 * ...
1420 * with CipherSuite defined as:
1421 * uint8 CipherSuite[2];
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]1422 */
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]1423#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
XiaokangQian060d8672022-04-21 09:24:56 +0000[diff] [blame]1424 cipher_suites = p;
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]1425#endif
XiaokangQian060d8672022-04-21 09:24:56 +0000[diff] [blame]1426 cipher_suites_end = p + cipher_suites_len;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1427 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist",
1428 p, cipher_suites_len );
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]1429
1430 /*
1431 * Search for a matching ciphersuite
1432 */
XiaokangQian060d8672022-04-21 09:24:56 +0000[diff] [blame]1433 for ( ; p < cipher_suites_end; p += 2 )
XiaokangQian17f974c2022-04-19 09:57:41 +0000[diff] [blame]1434 {
XiaokangQiane8ff3502022-04-22 02:34:40 +0000[diff] [blame]1435 uint16_t cipher_suite;
Jerry Yue95c8af2022-07-26 15:48:20 +0800[diff] [blame]1436 const mbedtls_ssl_ciphersuite_t* ciphersuite_info;
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]1437
XiaokangQiane8ff3502022-04-22 02:34:40 +0000[diff] [blame]1438 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, cipher_suites_end, 2 );
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]1439
XiaokangQiane8ff3502022-04-22 02:34:40 +0000[diff] [blame]1440 cipher_suite = MBEDTLS_GET_UINT16_BE( p, 0 );
Jerry Yuc5a23a02022-08-25 10:51:44 +0800[diff] [blame]1441 ciphersuite_info = ssl_tls13_validate_peer_ciphersuite(
Jerry Yudd1bef72022-08-23 17:57:02 +0800[diff] [blame]1442 ssl,cipher_suite );
1443 if( ciphersuite_info == NULL )
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]1444 continue;
1445
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]1446 ssl->session_negotiate->ciphersuite = cipher_suite;
1447 ssl->handshake->ciphersuite_info = ciphersuite_info;
1448 MBEDTLS_SSL_DEBUG_MSG( 2, ( "selected ciphersuite: %04x - %s",
Jerry Yue95c8af2022-07-26 15:48:20 +0800[diff] [blame]1449 cipher_suite,
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]1450 ciphersuite_info->name ) );
XiaokangQian17f974c2022-04-19 09:57:41 +0000[diff] [blame]1451 }
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]1452
1453 if( ssl->handshake->ciphersuite_info == NULL )
1454 {
1455 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
1456 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
1457 return ( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
1458 }
Jerry Yuc1be19f2022-04-23 16:11:39 +0800[diff] [blame]1459
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]1460 /* ...
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]1461 * opaque legacy_compression_methods<1..2^8-1>;
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]1462 * ...
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1463 */
XiaokangQian0a1b54e2022-04-21 03:01:38 +0000[diff] [blame]1464 if( p[0] != 1 || p[1] != MBEDTLS_SSL_COMPRESS_NULL )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1465 {
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]1466 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad legacy compression method" ) );
1467 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
1468 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
1469 return ( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1470 }
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]1471 p += 2;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1472
Jerry Yuc1be19f2022-04-23 16:11:39 +0800[diff] [blame]1473 /* ...
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]1474 * Extension extensions<8..2^16-1>;
Jerry Yuc1be19f2022-04-23 16:11:39 +0800[diff] [blame]1475 * ...
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]1476 * with Extension defined as:
1477 * struct {
1478 * ExtensionType extension_type;
1479 * opaque extension_data<0..2^16-1>;
1480 * } Extension;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1481 */
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]1482 extensions_len = MBEDTLS_GET_UINT16_BE( p, 0 );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1483 p += 2;
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]1484 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, extensions_len );
XiaokangQiane8ff3502022-04-22 02:34:40 +0000[diff] [blame]1485 extensions_end = p + extensions_len;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1486
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]1487 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello extensions", p, extensions_len );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1488
1489 while( p < extensions_end )
1490 {
1491 unsigned int extension_type;
1492 size_t extension_data_len;
1493 const unsigned char *extension_data_end;
1494
Jerry Yu1c9247c2022-07-21 12:37:39 +0800[diff] [blame]1495 /* RFC 8446, page 57
1496 *
1497 * The "pre_shared_key" extension MUST be the last extension in the
1498 * ClientHello (this facilitates implementation as described below).
1499 * Servers MUST check that it is the last extension and otherwise fail
1500 * the handshake with an "illegal_parameter" alert.
1501 */
1502 if( ssl->handshake->extensions_present & MBEDTLS_SSL_EXT_PRE_SHARED_KEY )
1503 {
1504 MBEDTLS_SSL_DEBUG_MSG(
1505 3, ( "pre_shared_key is not last extension." ) );
1506 MBEDTLS_SSL_PEND_FATAL_ALERT(
1507 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
1508 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
1509 return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
1510 }
1511
XiaokangQian318dc762022-04-20 09:43:51 +0000[diff] [blame]1512 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, 4 );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1513 extension_type = MBEDTLS_GET_UINT16_BE( p, 0 );
1514 extension_data_len = MBEDTLS_GET_UINT16_BE( p, 2 );
1515 p += 4;
1516
1517 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, extension_data_len );
1518 extension_data_end = p + extension_data_len;
1519
1520 switch( extension_type )
1521 {
XiaokangQian40a35232022-05-07 09:02:40 +0000[diff] [blame]1522#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
1523 case MBEDTLS_TLS_EXT_SERVERNAME:
1524 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found ServerName extension" ) );
XiaokangQian9b2b7712022-05-17 02:57:00 +0000[diff] [blame]1525 ret = mbedtls_ssl_parse_server_name_ext( ssl, p,
1526 extension_data_end );
XiaokangQian40a35232022-05-07 09:02:40 +0000[diff] [blame]1527 if( ret != 0 )
1528 {
1529 MBEDTLS_SSL_DEBUG_RET(
1530 1, "mbedtls_ssl_parse_servername_ext", ret );
1531 return( ret );
1532 }
1533 ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_SERVERNAME;
1534 break;
1535#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
1536
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]1537#if defined(MBEDTLS_ECDH_C)
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1538 case MBEDTLS_TLS_EXT_SUPPORTED_GROUPS:
1539 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported group extension" ) );
1540
1541 /* Supported Groups Extension
1542 *
1543 * When sent by the client, the "supported_groups" extension
1544 * indicates the named groups which the client supports,
1545 * ordered from most preferred to least preferred.
1546 */
Jerry Yuc1be19f2022-04-23 16:11:39 +0800[diff] [blame]1547 ret = ssl_tls13_parse_supported_groups_ext(
1548 ssl, p, extension_data_end );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1549 if( ret != 0 )
1550 {
1551 MBEDTLS_SSL_DEBUG_RET( 1,
1552 "mbedtls_ssl_parse_supported_groups_ext", ret );
1553 return( ret );
1554 }
1555
1556 ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_SUPPORTED_GROUPS;
1557 break;
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]1558#endif /* MBEDTLS_ECDH_C */
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1559
XiaokangQian88408882022-04-02 10:15:03 +0000[diff] [blame]1560#if defined(MBEDTLS_ECDH_C)
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1561 case MBEDTLS_TLS_EXT_KEY_SHARE:
1562 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found key share extension" ) );
1563
1564 /*
1565 * Key Share Extension
1566 *
1567 * When sent by the client, the "key_share" extension
1568 * contains the endpoint's cryptographic parameters for
1569 * ECDHE/DHE key establishment methods.
1570 */
Jerry Yuc1be19f2022-04-23 16:11:39 +0800[diff] [blame]1571 ret = ssl_tls13_parse_key_shares_ext(
1572 ssl, p, extension_data_end );
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]1573 if( ret == SSL_TLS1_3_PARSE_KEY_SHARES_EXT_NO_MATCH )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1574 {
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]1575 MBEDTLS_SSL_DEBUG_MSG( 2, ( "HRR needed " ) );
Jerry Yu49ca9282022-05-05 11:05:22 +0800[diff] [blame]1576 hrr_required = 1;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1577 }
1578
Jerry Yu582dd062022-04-22 21:59:01 +0800[diff] [blame]1579 if( ret < 0 )
1580 {
1581 MBEDTLS_SSL_DEBUG_RET(
1582 1, "ssl_tls13_parse_key_shares_ext", ret );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1583 return( ret );
Jerry Yu582dd062022-04-22 21:59:01 +0800[diff] [blame]1584 }
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1585
1586 ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_KEY_SHARE;
1587 break;
XiaokangQian88408882022-04-02 10:15:03 +0000[diff] [blame]1588#endif /* MBEDTLS_ECDH_C */
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1589
1590 case MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS:
1591 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported versions extension" ) );
1592
1593 ret = ssl_tls13_parse_supported_versions_ext(
Jerry Yuc1be19f2022-04-23 16:11:39 +0800[diff] [blame]1594 ssl, p, extension_data_end );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1595 if( ret != 0 )
1596 {
1597 MBEDTLS_SSL_DEBUG_RET( 1,
1598 ( "ssl_tls13_parse_supported_versions_ext" ), ret );
1599 return( ret );
1600 }
1601 ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_SUPPORTED_VERSIONS;
1602 break;
1603
Jerry Yue19e3b92022-07-08 12:04:51 +0000[diff] [blame]1604#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
1605 case MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES:
1606 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found psk key exchange modes extension" ) );
1607
1608 ret = ssl_tls13_parse_key_exchange_modes_ext(
1609 ssl, p, extension_data_end );
1610 if( ret != 0 )
1611 {
1612 MBEDTLS_SSL_DEBUG_RET(
1613 1, "ssl_tls13_parse_key_exchange_modes_ext", ret );
1614 return( ret );
1615 }
1616
1617 ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_PSK_KEY_EXCHANGE_MODES;
1618 break;
1619#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
1620
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]1621 case MBEDTLS_TLS_EXT_PRE_SHARED_KEY:
1622 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found pre_shared_key extension" ) );
Jerry Yu13ab81d2022-07-22 23:17:11 +0800[diff] [blame]1623 if( ( ssl->handshake->extensions_present &
1624 MBEDTLS_SSL_EXT_PSK_KEY_EXCHANGE_MODES ) == 0 )
1625 {
1626 MBEDTLS_SSL_PEND_FATAL_ALERT(
1627 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
1628 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
1629 return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
1630 }
Jerry Yu1c9247c2022-07-21 12:37:39 +0800[diff] [blame]1631#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]1632 /* Delay processing of the PSK identity once we have
1633 * found out which algorithms to use. We keep a pointer
1634 * to the buffer and the size for later processing.
1635 */
Jerry Yu29d9faa2022-08-23 17:52:45 +0800[diff] [blame]1636 pre_shared_key_ext = p;
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]1637 pre_shared_key_ext_end = extension_data_end;
Jerry Yu1c9247c2022-07-21 12:37:39 +0800[diff] [blame]1638#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]1639 ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_PRE_SHARED_KEY;
1640 break;
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]1641
XiaokangQianacb39922022-06-17 10:18:48 +0000[diff] [blame]1642#if defined(MBEDTLS_SSL_ALPN)
1643 case MBEDTLS_TLS_EXT_ALPN:
1644 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found alpn extension" ) );
1645
1646 ret = mbedtls_ssl_parse_alpn_ext( ssl, p, extension_data_end );
1647 if( ret != 0 )
1648 {
1649 MBEDTLS_SSL_DEBUG_RET(
1650 1, ( "mbedtls_ssl_parse_alpn_ext" ), ret );
1651 return( ret );
1652 }
1653 ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_ALPN;
1654 break;
1655#endif /* MBEDTLS_SSL_ALPN */
1656
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1657#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
1658 case MBEDTLS_TLS_EXT_SIG_ALG:
1659 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found signature_algorithms extension" ) );
1660
Gabor Mezei078e8032022-04-27 21:17:56 +0200[diff] [blame]1661 ret = mbedtls_ssl_parse_sig_alg_ext(
Jerry Yuc1be19f2022-04-23 16:11:39 +0800[diff] [blame]1662 ssl, p, extension_data_end );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1663 if( ret != 0 )
1664 {
1665 MBEDTLS_SSL_DEBUG_MSG( 1,
1666 ( "ssl_parse_supported_signature_algorithms_server_ext ( %d )",
1667 ret ) );
1668 return( ret );
1669 }
1670 ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_SIG_ALG;
1671 break;
1672#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
1673
1674 default:
1675 MBEDTLS_SSL_DEBUG_MSG( 3,
1676 ( "unknown extension found: %ud ( ignoring )",
1677 extension_type ) );
1678 }
1679
1680 p += extension_data_len;
1681 }
1682
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]1683#if defined(MBEDTLS_DEBUG_C)
1684 /* List all the extensions we have received */
1685 ssl_tls13_debug_print_client_hello_exts( ssl );
1686#endif /* MBEDTLS_DEBUG_C */
1687
1688 mbedtls_ssl_add_hs_hdr_to_checksum( ssl,
1689 MBEDTLS_SSL_HS_CLIENT_HELLO,
1690 p - buf );
Jerry Yu032b15ce2022-07-11 06:10:03 +0000[diff] [blame]1691
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]1692#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1693 /* Update checksum with either
1694 * - The entire content of the CH message, if no PSK extension is present
1695 * - The content up to but excluding the PSK extension, if present.
1696 */
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]1697 /* If we've settled on a PSK-based exchange, parse PSK identity ext */
Jerry Yuba9b6e92022-07-22 21:35:18 +0800[diff] [blame]1698 if( mbedtls_ssl_tls13_some_psk_enabled( ssl ) &&
Jerry Yu32e13702022-07-29 13:04:08 +0800[diff] [blame]1699 mbedtls_ssl_conf_tls13_some_psk_enabled( ssl ) &&
Jerry Yuba9b6e92022-07-22 21:35:18 +0800[diff] [blame]1700 ( ssl->handshake->extensions_present & MBEDTLS_SSL_EXT_PRE_SHARED_KEY ) )
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]1701 {
1702 ssl->handshake->update_checksum( ssl, buf,
Jerry Yu29d9faa2022-08-23 17:52:45 +0800[diff] [blame]1703 pre_shared_key_ext - buf );
Jerry Yubb852022022-07-20 21:10:44 +0800[diff] [blame]1704 ret = ssl_tls13_parse_pre_shared_key_ext( ssl,
Jerry Yu29d9faa2022-08-23 17:52:45 +0800[diff] [blame]1705 pre_shared_key_ext,
Jerry Yue95c8af2022-07-26 15:48:20 +0800[diff] [blame]1706 pre_shared_key_ext_end,
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]1707 cipher_suites,
1708 cipher_suites_end );
Jerry Yue9d4fc02022-08-20 19:21:15 +0800[diff] [blame]1709 if( ret == MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY )
Jerry Yuba9b6e92022-07-22 21:35:18 +0800[diff] [blame]1710 {
1711 ssl->handshake->extensions_present &= ~MBEDTLS_SSL_EXT_PRE_SHARED_KEY;
Jerry Yu6f1db3f2022-07-22 23:05:59 +0800[diff] [blame]1712 }
1713 else if( ret != 0 )
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]1714 {
Jerry Yubb852022022-07-20 21:10:44 +0800[diff] [blame]1715 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_tls13_parse_pre_shared_key_ext" ),
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]1716 ret );
1717 return( ret );
1718 }
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]1719 }
1720 else
1721#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
1722 {
1723 ssl->handshake->update_checksum( ssl, buf, p - buf );
1724 }
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1725
Jerry Yuba9b6e92022-07-22 21:35:18 +0800[diff] [blame]1726 ret = ssl_tls13_determine_key_exchange_mode( ssl );
1727 if( ret < 0 )
1728 return( ret );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1729
Jerry Yue5834fd2022-08-29 20:16:09 +0800[diff] [blame]1730 mbedtls_ssl_optimize_checksum( ssl, ssl->handshake->ciphersuite_info );
1731
XiaokangQian75fe8c72022-06-15 09:42:45 +0000[diff] [blame]1732 return( hrr_required ? SSL_CLIENT_HELLO_HRR_REQUIRED : SSL_CLIENT_HELLO_OK );
1733}
1734
1735/* Update the handshake state machine */
1736
Ronald Cronce7d76e2022-07-08 18:56:49 +0200[diff] [blame]1737MBEDTLS_CHECK_RETURN_CRITICAL
XiaokangQian75fe8c72022-06-15 09:42:45 +0000[diff] [blame]1738static int ssl_tls13_postprocess_client_hello( mbedtls_ssl_context* ssl )
1739{
1740 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1741
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1742 /*
XiaokangQianfb665a82022-06-15 03:57:21 +0000[diff] [blame]1743 * Server certificate selection
1744 */
1745 if( ssl->conf->f_cert_cb && ( ret = ssl->conf->f_cert_cb( ssl ) ) != 0 )
1746 {
1747 MBEDTLS_SSL_DEBUG_RET( 1, "f_cert_cb", ret );
1748 return( ret );
1749 }
1750#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
1751 ssl->handshake->sni_name = NULL;
1752 ssl->handshake->sni_name_len = 0;
1753#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1754
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1755 ret = mbedtls_ssl_tls13_key_schedule_stage_early( ssl );
1756 if( ret != 0 )
1757 {
1758 MBEDTLS_SSL_DEBUG_RET( 1,
1759 "mbedtls_ssl_tls1_3_key_schedule_stage_early", ret );
1760 return( ret );
1761 }
1762
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1763 return( 0 );
1764
1765}
1766
1767/*
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]1768 * Main entry point from the state machine; orchestrates the otherfunctions.
1769 */
1770
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1771MBEDTLS_CHECK_RETURN_CRITICAL
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]1772static int ssl_tls13_process_client_hello( mbedtls_ssl_context *ssl )
1773{
1774
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]1775 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]1776 unsigned char* buf = NULL;
1777 size_t buflen = 0;
Jerry Yu4ca91402022-05-09 15:50:57 +0800[diff] [blame]1778 int parse_client_hello_ret;
1779
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]1780 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse client hello" ) );
1781
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]1782 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_fetch_handshake_msg(
1783 ssl, MBEDTLS_SSL_HS_CLIENT_HELLO,
1784 &buf, &buflen ) );
1785
1786 MBEDTLS_SSL_PROC_CHK_NEG( ssl_tls13_parse_client_hello( ssl, buf,
1787 buf + buflen ) );
Jerry Yuf41553b2022-05-09 22:20:30 +0800[diff] [blame]1788 parse_client_hello_ret = ret; /* Store return value of parse_client_hello,
1789 * only SSL_CLIENT_HELLO_OK or
1790 * SSL_CLIENT_HELLO_HRR_REQUIRED at this
1791 * stage as negative error codes are handled
1792 * by MBEDTLS_SSL_PROC_CHK_NEG. */
Jerry Yu4ca91402022-05-09 15:50:57 +0800[diff] [blame]1793
XiaokangQiancfd925f2022-04-14 07:10:37 +0000[diff] [blame]1794 MBEDTLS_SSL_PROC_CHK( ssl_tls13_postprocess_client_hello( ssl ) );
Jerry Yu582dd062022-04-22 21:59:01 +0800[diff] [blame]1795
Jerry Yu4ca91402022-05-09 15:50:57 +0800[diff] [blame]1796 if( parse_client_hello_ret == SSL_CLIENT_HELLO_OK )
1797 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_HELLO );
1798 else
1799 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_HELLO_RETRY_REQUEST );
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]1800
1801cleanup:
1802
1803 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse client hello" ) );
1804 return( ret );
1805}
1806
1807/*
Jerry Yu1c3e6882022-04-20 21:23:40 +0800[diff] [blame]1808 * Handler for MBEDTLS_SSL_SERVER_HELLO
Jerry Yu5b64ae92022-03-30 17:15:02 +0800[diff] [blame]1809 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1810MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yuf4b27e42022-03-30 17:32:21 +0800[diff] [blame]1811static int ssl_tls13_prepare_server_hello( mbedtls_ssl_context *ssl )
1812{
Jerry Yu637a3f12022-04-20 21:37:58 +0800[diff] [blame]1813 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1814 unsigned char *server_randbytes =
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1815 ssl->handshake->randbytes + MBEDTLS_CLIENT_HELLO_RANDOM_LEN;
Jerry Yuf4b27e42022-03-30 17:32:21 +0800[diff] [blame]1816 if( ssl->conf->f_rng == NULL )
1817 {
1818 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no RNG provided" ) );
1819 return( MBEDTLS_ERR_SSL_NO_RNG );
1820 }
1821
Jerry Yu637a3f12022-04-20 21:37:58 +0800[diff] [blame]1822 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, server_randbytes,
Jerry Yuf4b27e42022-03-30 17:32:21 +0800[diff] [blame]1823 MBEDTLS_SERVER_HELLO_RANDOM_LEN ) ) != 0 )
1824 {
1825 MBEDTLS_SSL_DEBUG_RET( 1, "f_rng", ret );
1826 return( ret );
1827 }
1828
Jerry Yu637a3f12022-04-20 21:37:58 +0800[diff] [blame]1829 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, random bytes", server_randbytes,
Jerry Yuf4b27e42022-03-30 17:32:21 +0800[diff] [blame]1830 MBEDTLS_SERVER_HELLO_RANDOM_LEN );
1831
1832#if defined(MBEDTLS_HAVE_TIME)
1833 ssl->session_negotiate->start = time( NULL );
1834#endif /* MBEDTLS_HAVE_TIME */
1835
1836 return( ret );
1837}
1838
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1839/*
Jerry Yue74e04a2022-04-21 09:23:16 +0800[diff] [blame]1840 * ssl_tls13_write_server_hello_supported_versions_ext ():
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1841 *
1842 * struct {
Jerry Yufb9f54d2022-04-06 10:08:34 +0800[diff] [blame]1843 * ProtocolVersion selected_version;
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1844 * } SupportedVersions;
1845 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1846MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yue74e04a2022-04-21 09:23:16 +0800[diff] [blame]1847static int ssl_tls13_write_server_hello_supported_versions_ext(
1848 mbedtls_ssl_context *ssl,
1849 unsigned char *buf,
1850 unsigned char *end,
1851 size_t *out_len )
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1852{
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1853 *out_len = 0;
1854
Jerry Yu955ddd72022-04-22 22:27:33 +0800[diff] [blame]1855 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, write selected version" ) );
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1856
1857 /* Check if we have space to write the extension:
1858 * - extension_type (2 bytes)
1859 * - extension_data_length (2 bytes)
Jerry Yu349a6132022-04-14 20:52:56 +0800[diff] [blame]1860 * - selected_version (2 bytes)
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1861 */
Jerry Yu349a6132022-04-14 20:52:56 +0800[diff] [blame]1862 MBEDTLS_SSL_CHK_BUF_PTR( buf, end, 6 );
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1863
Jerry Yu349a6132022-04-14 20:52:56 +0800[diff] [blame]1864 MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS, buf, 0 );
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1865
Jerry Yu349a6132022-04-14 20:52:56 +0800[diff] [blame]1866 MBEDTLS_PUT_UINT16_BE( 2, buf, 2 );
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1867
Jerry Yu349a6132022-04-14 20:52:56 +0800[diff] [blame]1868 mbedtls_ssl_write_version( buf + 4,
1869 ssl->conf->transport,
1870 ssl->tls_version );
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1871
1872 MBEDTLS_SSL_DEBUG_MSG( 3, ( "supported version: [%04x]",
1873 ssl->tls_version ) );
1874
Jerry Yu349a6132022-04-14 20:52:56 +0800[diff] [blame]1875 *out_len = 6;
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1876
1877 return( 0 );
1878}
1879
Jerry Yud9436a12022-04-20 22:28:09 +0800[diff] [blame]1880
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1881
1882/* Generate and export a single key share. For hybrid KEMs, this can
1883 * be called multiple times with the different components of the hybrid. */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1884MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yu955ddd72022-04-22 22:27:33 +0800[diff] [blame]1885static int ssl_tls13_generate_and_write_key_share( mbedtls_ssl_context *ssl,
1886 uint16_t named_group,
1887 unsigned char *buf,
1888 unsigned char *end,
1889 size_t *out_len )
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1890{
1891 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yu955ddd72022-04-22 22:27:33 +0800[diff] [blame]1892
1893 *out_len = 0;
1894
Jerry Yu89e103c2022-03-30 22:43:29 +0800[diff] [blame]1895#if defined(MBEDTLS_ECDH_C)
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1896 if( mbedtls_ssl_tls13_named_group_is_ecdhe( named_group ) )
1897 {
Jerry Yu89e103c2022-03-30 22:43:29 +0800[diff] [blame]1898 ret = mbedtls_ssl_tls13_generate_and_write_ecdh_key_exchange(
1899 ssl, named_group, buf, end, out_len );
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1900 if( ret != 0 )
1901 {
Jerry Yu89e103c2022-03-30 22:43:29 +0800[diff] [blame]1902 MBEDTLS_SSL_DEBUG_RET(
1903 1, "mbedtls_ssl_tls13_generate_and_write_ecdh_key_exchange",
1904 ret );
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1905 return( ret );
1906 }
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1907 }
Jerry Yu89e103c2022-03-30 22:43:29 +0800[diff] [blame]1908 else
1909#endif /* MBEDTLS_ECDH_C */
1910 if( 0 /* Other kinds of KEMs */ )
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1911 {
1912 }
1913 else
1914 {
Jerry Yu955ddd72022-04-22 22:27:33 +0800[diff] [blame]1915 ((void) ssl);
1916 ((void) named_group);
1917 ((void) buf);
1918 ((void) end);
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1919 ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
1920 }
1921
1922 return( ret );
1923}
1924
1925/*
1926 * ssl_tls13_write_key_share_ext
1927 *
1928 * Structure of key_share extension in ServerHello:
1929 *
Jerry Yu1c3e6882022-04-20 21:23:40 +0800[diff] [blame]1930 * struct {
1931 * NamedGroup group;
1932 * opaque key_exchange<1..2^16-1>;
1933 * } KeyShareEntry;
1934 * struct {
1935 * KeyShareEntry server_share;
1936 * } KeyShareServerHello;
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1937 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1938MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1939static int ssl_tls13_write_key_share_ext( mbedtls_ssl_context *ssl,
1940 unsigned char *buf,
1941 unsigned char *end,
1942 size_t *out_len )
1943{
Jerry Yu955ddd72022-04-22 22:27:33 +0800[diff] [blame]1944 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1945 unsigned char *p = buf;
Jerry Yu57d48412022-04-20 21:50:42 +0800[diff] [blame]1946 uint16_t group = ssl->handshake->offered_group_id;
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1947 unsigned char *server_share = buf + 4;
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1948 size_t key_exchange_length;
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1949
1950 *out_len = 0;
1951
1952 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding key share extension" ) );
1953
Jerry Yu58af2332022-09-06 11:19:31 +0800[diff] [blame]1954 MBEDTLS_SSL_DEBUG_MSG( 2, ( "server hello, write selected_group: %s (%04x)",
1955 mbedtls_ssl_named_group_to_str( group ),
1956 group ) );
1957
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1958 /* Check if we have space for header and length fields:
1959 * - extension_type (2 bytes)
1960 * - extension_data_length (2 bytes)
1961 * - group (2 bytes)
1962 * - key_exchange_length (2 bytes)
1963 */
1964 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 8 );
Jerry Yu57d48412022-04-20 21:50:42 +0800[diff] [blame]1965 MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_KEY_SHARE, p, 0 );
1966 MBEDTLS_PUT_UINT16_BE( group, server_share, 0 );
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1967 p += 8;
Jerry Yu57d48412022-04-20 21:50:42 +0800[diff] [blame]1968
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1969 /* When we introduce PQC-ECDHE hybrids, we'll want to call this
1970 * function multiple times. */
Jerry Yu955ddd72022-04-22 22:27:33 +0800[diff] [blame]1971 ret = ssl_tls13_generate_and_write_key_share(
Jerry Yue65d8012022-04-23 10:34:35 +0800[diff] [blame]1972 ssl, group, server_share + 4, end, &key_exchange_length );
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1973 if( ret != 0 )
1974 return( ret );
1975 p += key_exchange_length;
Jerry Yuc1be19f2022-04-23 16:11:39 +0800[diff] [blame]1976
Jerry Yu955ddd72022-04-22 22:27:33 +0800[diff] [blame]1977 MBEDTLS_PUT_UINT16_BE( key_exchange_length, server_share + 2, 0 );
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1978
Jerry Yu57d48412022-04-20 21:50:42 +0800[diff] [blame]1979 MBEDTLS_PUT_UINT16_BE( p - server_share, buf, 2 );
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1980
Jerry Yu57d48412022-04-20 21:50:42 +0800[diff] [blame]1981 *out_len = p - buf;
Jerry Yu955ddd72022-04-22 22:27:33 +0800[diff] [blame]1982
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1983 return( 0 );
1984}
Jerry Yud9436a12022-04-20 22:28:09 +0800[diff] [blame]1985
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1986MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yu23f7a6f2022-04-23 15:16:45 +0800[diff] [blame]1987static int ssl_tls13_write_hrr_key_share_ext( mbedtls_ssl_context *ssl,
1988 unsigned char *buf,
1989 unsigned char *end,
1990 size_t *out_len )
1991{
1992 uint16_t selected_group = ssl->handshake->hrr_selected_group;
1993 /* key_share Extension
1994 *
1995 * struct {
1996 * select (Handshake.msg_type) {
1997 * ...
1998 * case hello_retry_request:
1999 * NamedGroup selected_group;
2000 * ...
2001 * };
2002 * } KeyShare;
2003 */
2004
2005 *out_len = 0;
2006
Jerry Yub0ac10b2022-05-05 11:10:08 +0800[diff] [blame]2007 /*
2008 * For a pure PSK key exchange, there is no group to agree upon. The purpose
2009 * of the HRR is then to transmit a cookie to force the client to demonstrate
2010 * reachability at their apparent network address (primarily useful for DTLS).
2011 */
Ronald Cron79907712022-07-20 17:05:29 +0200[diff] [blame]2012 if( ! mbedtls_ssl_tls13_key_exchange_mode_with_ephemeral( ssl ) )
Jerry Yu23f7a6f2022-04-23 15:16:45 +0800[diff] [blame]2013 return( 0 );
2014
2015 /* We should only send the key_share extension if the client's initial
2016 * key share was not acceptable. */
2017 if( ssl->handshake->offered_group_id != 0 )
2018 {
2019 MBEDTLS_SSL_DEBUG_MSG( 4, ( "Skip key_share extension in HRR" ) );
2020 return( 0 );
2021 }
2022
2023 if( selected_group == 0 )
2024 {
2025 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no matching named group found" ) );
2026 return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
2027 }
2028
Jerry Yub0ac10b2022-05-05 11:10:08 +0800[diff] [blame]2029 /* Check if we have enough space:
2030 * - extension_type (2 bytes)
2031 * - extension_data_length (2 bytes)
2032 * - selected_group (2 bytes)
2033 */
Ronald Cron154d1b62022-06-01 15:33:26 +0200[diff] [blame]2034 MBEDTLS_SSL_CHK_BUF_PTR( buf, end, 6 );
Jerry Yu23f7a6f2022-04-23 15:16:45 +0800[diff] [blame]2035
Jerry Yu23f7a6f2022-04-23 15:16:45 +0800[diff] [blame]2036 MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_KEY_SHARE, buf, 0 );
Jerry Yu23f7a6f2022-04-23 15:16:45 +0800[diff] [blame]2037 MBEDTLS_PUT_UINT16_BE( 2, buf, 2 );
Jerry Yu23f7a6f2022-04-23 15:16:45 +0800[diff] [blame]2038 MBEDTLS_PUT_UINT16_BE( selected_group, buf, 4 );
2039
2040 MBEDTLS_SSL_DEBUG_MSG( 3,
2041 ( "HRR selected_group: %s (%x)",
2042 mbedtls_ssl_named_group_to_str( selected_group ),
2043 selected_group ) );
2044
2045 *out_len = 6;
Jerry Yu23f7a6f2022-04-23 15:16:45 +0800[diff] [blame]2046
Jerry Yub0ac10b2022-05-05 11:10:08 +0800[diff] [blame]2047 return( 0 );
Jerry Yu23f7a6f2022-04-23 15:16:45 +0800[diff] [blame]2048}
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]2049
2050/*
2051 * Structure of ServerHello message:
2052 *
2053 * struct {
2054 * ProtocolVersion legacy_version = 0x0303; // TLS v1.2
2055 * Random random;
2056 * opaque legacy_session_id_echo<0..32>;
2057 * CipherSuite cipher_suite;
2058 * uint8 legacy_compression_method = 0;
2059 * Extension extensions<6..2^16-1>;
2060 * } ServerHello;
2061 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2062MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]2063static int ssl_tls13_write_server_hello_body( mbedtls_ssl_context *ssl,
Jerry Yu56404d72022-03-30 17:36:13 +0800[diff] [blame]2064 unsigned char *buf,
2065 unsigned char *end,
Jerry Yu23f7a6f2022-04-23 15:16:45 +0800[diff] [blame]2066 size_t *out_len,
2067 int is_hrr )
Jerry Yu56404d72022-03-30 17:36:13 +0800[diff] [blame]2068{
Jerry Yu955ddd72022-04-22 22:27:33 +0800[diff] [blame]2069 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]2070 unsigned char *p = buf;
Jerry Yud9436a12022-04-20 22:28:09 +0800[diff] [blame]2071 unsigned char *p_extensions_len;
Jerry Yufbe3e642022-04-25 19:31:51 +0800[diff] [blame]2072 size_t output_len;
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]2073
2074 *out_len = 0;
2075
Jerry Yucfc04b32022-04-21 09:31:58 +0800[diff] [blame]2076 /* ...
2077 * ProtocolVersion legacy_version = 0x0303; // TLS 1.2
2078 * ...
2079 * with ProtocolVersion defined as:
2080 * uint16 ProtocolVersion;
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]2081 */
2082 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 );
2083 MBEDTLS_PUT_UINT16_BE( 0x0303, p, 0 );
2084 p += 2;
2085
Jerry Yu1c3e6882022-04-20 21:23:40 +0800[diff] [blame]2086 /* ...
2087 * Random random;
2088 * ...
Jerry Yucfc04b32022-04-21 09:31:58 +0800[diff] [blame]2089 * with Random defined as:
2090 * opaque Random[MBEDTLS_SERVER_HELLO_RANDOM_LEN];
Jerry Yu1c3e6882022-04-20 21:23:40 +0800[diff] [blame]2091 */
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]2092 MBEDTLS_SSL_CHK_BUF_PTR( p, end, MBEDTLS_SERVER_HELLO_RANDOM_LEN );
Jerry Yu23f7a6f2022-04-23 15:16:45 +0800[diff] [blame]2093 if( is_hrr )
2094 {
2095 memcpy( p, mbedtls_ssl_tls13_hello_retry_request_magic,
Jerry Yufbe3e642022-04-25 19:31:51 +0800[diff] [blame]2096 MBEDTLS_SERVER_HELLO_RANDOM_LEN );
Jerry Yu23f7a6f2022-04-23 15:16:45 +0800[diff] [blame]2097 }
2098 else
2099 {
2100 memcpy( p, &ssl->handshake->randbytes[MBEDTLS_CLIENT_HELLO_RANDOM_LEN],
Jerry Yufbe3e642022-04-25 19:31:51 +0800[diff] [blame]2101 MBEDTLS_SERVER_HELLO_RANDOM_LEN );
Jerry Yu23f7a6f2022-04-23 15:16:45 +0800[diff] [blame]2102 }
Jerry Yu955ddd72022-04-22 22:27:33 +0800[diff] [blame]2103 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, random bytes",
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]2104 p, MBEDTLS_SERVER_HELLO_RANDOM_LEN );
2105 p += MBEDTLS_SERVER_HELLO_RANDOM_LEN;
2106
Jerry Yucfc04b32022-04-21 09:31:58 +0800[diff] [blame]2107 /* ...
2108 * opaque legacy_session_id_echo<0..32>;
2109 * ...
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]2110 */
2111 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 1 + ssl->session_negotiate->id_len );
2112 *p++ = (unsigned char)ssl->session_negotiate->id_len;
2113 if( ssl->session_negotiate->id_len > 0 )
2114 {
2115 memcpy( p, &ssl->session_negotiate->id[0],
2116 ssl->session_negotiate->id_len );
2117 p += ssl->session_negotiate->id_len;
Jerry Yu955ddd72022-04-22 22:27:33 +0800[diff] [blame]2118
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]2119 MBEDTLS_SSL_DEBUG_BUF( 3, "session id", ssl->session_negotiate->id,
2120 ssl->session_negotiate->id_len );
2121 }
2122
Jerry Yucfc04b32022-04-21 09:31:58 +0800[diff] [blame]2123 /* ...
2124 * CipherSuite cipher_suite;
2125 * ...
2126 * with CipherSuite defined as:
2127 * uint8 CipherSuite[2];
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]2128 */
2129 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 );
2130 MBEDTLS_PUT_UINT16_BE( ssl->session_negotiate->ciphersuite, p, 0 );
2131 p += 2;
2132 MBEDTLS_SSL_DEBUG_MSG( 3,
2133 ( "server hello, chosen ciphersuite: %s ( id=%d )",
2134 mbedtls_ssl_get_ciphersuite_name(
2135 ssl->session_negotiate->ciphersuite ),
2136 ssl->session_negotiate->ciphersuite ) );
2137
Jerry Yucfc04b32022-04-21 09:31:58 +0800[diff] [blame]2138 /* ...
2139 * uint8 legacy_compression_method = 0;
2140 * ...
2141 */
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]2142 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 1 );
Thomas Daubney31e03a82022-07-25 15:59:25 +0100[diff] [blame]2143 *p++ = MBEDTLS_SSL_COMPRESS_NULL;
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]2144
Jerry Yucfc04b32022-04-21 09:31:58 +0800[diff] [blame]2145 /* ...
2146 * Extension extensions<6..2^16-1>;
2147 * ...
2148 * struct {
2149 * ExtensionType extension_type; (2 bytes)
2150 * opaque extension_data<0..2^16-1>;
2151 * } Extension;
2152 */
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]2153 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 );
Jerry Yud9436a12022-04-20 22:28:09 +0800[diff] [blame]2154 p_extensions_len = p;
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]2155 p += 2;
2156
Jerry Yue74e04a2022-04-21 09:23:16 +0800[diff] [blame]2157 if( ( ret = ssl_tls13_write_server_hello_supported_versions_ext(
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]2158 ssl, p, end, &output_len ) ) != 0 )
2159 {
Jerry Yu955ddd72022-04-22 22:27:33 +0800[diff] [blame]2160 MBEDTLS_SSL_DEBUG_RET(
2161 1, "ssl_tls13_write_server_hello_supported_versions_ext", ret );
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]2162 return( ret );
2163 }
2164 p += output_len;
2165
Jerry Yu56acc942022-07-30 23:02:36 +0800[diff] [blame]2166 if( mbedtls_ssl_tls13_key_exchange_mode_with_ephemeral( ssl ) )
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]2167 {
Jerry Yu23f7a6f2022-04-23 15:16:45 +0800[diff] [blame]2168 if( is_hrr )
2169 ret = ssl_tls13_write_hrr_key_share_ext( ssl, p, end, &output_len );
2170 else
2171 ret = ssl_tls13_write_key_share_ext( ssl, p, end, &output_len );
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]2172 if( ret != 0 )
2173 return( ret );
2174 p += output_len;
2175 }
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]2176
Jerry Yu032b15ce2022-07-11 06:10:03 +0000[diff] [blame]2177#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
Jerry Yuad4d2bb2022-09-14 22:40:35 +0800[diff] [blame]2178 if( !is_hrr && mbedtls_ssl_tls13_key_exchange_mode_with_psk( ssl ) )
Jerry Yu032b15ce2022-07-11 06:10:03 +0000[diff] [blame]2179 {
Jerry Yubb852022022-07-20 21:10:44 +0800[diff] [blame]2180 ret = ssl_tls13_write_server_pre_shared_key_ext( ssl, p, end, &output_len );
Jerry Yu032b15ce2022-07-11 06:10:03 +0000[diff] [blame]2181 if( ret != 0 )
2182 {
Jerry Yubb852022022-07-20 21:10:44 +0800[diff] [blame]2183 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_tls13_write_server_pre_shared_key_ext",
Jerry Yu032b15ce2022-07-11 06:10:03 +0000[diff] [blame]2184 ret );
2185 return( ret );
2186 }
2187 p += output_len;
2188 }
2189#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
2190
Jerry Yud9436a12022-04-20 22:28:09 +0800[diff] [blame]2191 MBEDTLS_PUT_UINT16_BE( p - p_extensions_len - 2, p_extensions_len, 0 );
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]2192
Jerry Yud9436a12022-04-20 22:28:09 +0800[diff] [blame]2193 MBEDTLS_SSL_DEBUG_BUF( 4, "server hello extensions",
2194 p_extensions_len, p - p_extensions_len );
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]2195
Jerry Yud9436a12022-04-20 22:28:09 +0800[diff] [blame]2196 *out_len = p - buf;
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]2197
Jerry Yud9436a12022-04-20 22:28:09 +0800[diff] [blame]2198 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello", buf, *out_len );
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]2199
2200 return( ret );
Jerry Yu56404d72022-03-30 17:36:13 +0800[diff] [blame]2201}
2202
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2203MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yue110d252022-05-05 10:19:22 +0800[diff] [blame]2204static int ssl_tls13_finalize_write_server_hello( mbedtls_ssl_context *ssl )
2205{
2206 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yuf86eb752022-05-06 11:16:55 +0800[diff] [blame]2207 ret = mbedtls_ssl_tls13_compute_handshake_transform( ssl );
Jerry Yue110d252022-05-05 10:19:22 +0800[diff] [blame]2208 if( ret != 0 )
2209 {
Jerry Yuf86eb752022-05-06 11:16:55 +0800[diff] [blame]2210 MBEDTLS_SSL_DEBUG_RET( 1,
2211 "mbedtls_ssl_tls13_compute_handshake_transform",
Jerry Yue110d252022-05-05 10:19:22 +0800[diff] [blame]2212 ret );
2213 return( ret );
2214 }
2215
Jerry Yue110d252022-05-05 10:19:22 +0800[diff] [blame]2216 return( ret );
2217}
2218
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2219MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yu5b64ae92022-03-30 17:15:02 +0800[diff] [blame]2220static int ssl_tls13_write_server_hello( mbedtls_ssl_context *ssl )
2221{
Jerry Yu637a3f12022-04-20 21:37:58 +0800[diff] [blame]2222 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yuf4b27e42022-03-30 17:32:21 +0800[diff] [blame]2223 unsigned char *buf;
2224 size_t buf_len, msg_len;
2225
2226 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write server hello" ) );
2227
Jerry Yuf4b27e42022-03-30 17:32:21 +0800[diff] [blame]2228 MBEDTLS_SSL_PROC_CHK( ssl_tls13_prepare_server_hello( ssl ) );
2229
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]2230 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_start_handshake_msg( ssl,
Jerry Yuf4b27e42022-03-30 17:32:21 +0800[diff] [blame]2231 MBEDTLS_SSL_HS_SERVER_HELLO, &buf, &buf_len ) );
2232
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]2233 MBEDTLS_SSL_PROC_CHK( ssl_tls13_write_server_hello_body( ssl, buf,
2234 buf + buf_len,
Jerry Yu23f7a6f2022-04-23 15:16:45 +0800[diff] [blame]2235 &msg_len,
2236 0 ) );
Jerry Yuf4b27e42022-03-30 17:32:21 +0800[diff] [blame]2237
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]2238 mbedtls_ssl_add_hs_msg_to_checksum(
Jerry Yuf4b27e42022-03-30 17:32:21 +0800[diff] [blame]2239 ssl, MBEDTLS_SSL_HS_SERVER_HELLO, buf, msg_len );
2240
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]2241 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_finish_handshake_msg(
Jerry Yuf4b27e42022-03-30 17:32:21 +0800[diff] [blame]2242 ssl, buf_len, msg_len ) );
Jerry Yu637a3f12022-04-20 21:37:58 +0800[diff] [blame]2243
Jerry Yue110d252022-05-05 10:19:22 +0800[diff] [blame]2244 MBEDTLS_SSL_PROC_CHK( ssl_tls13_finalize_write_server_hello( ssl ) );
2245
Gabor Mezei7b39bf12022-05-24 16:04:14 +0200[diff] [blame]2246#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
2247 /* The server sends a dummy change_cipher_spec record immediately
2248 * after its first handshake message. This may either be after
2249 * a ServerHello or a HelloRetryRequest.
2250 */
Gabor Mezei96ae9262022-06-28 11:45:18 +0200[diff] [blame]2251 mbedtls_ssl_handshake_set_state(
2252 ssl, MBEDTLS_SSL_SERVER_CCS_AFTER_SERVER_HELLO );
Gabor Mezei7b39bf12022-05-24 16:04:14 +0200[diff] [blame]2253#else
Jerry Yu637a3f12022-04-20 21:37:58 +0800[diff] [blame]2254 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_ENCRYPTED_EXTENSIONS );
Gabor Mezei7b39bf12022-05-24 16:04:14 +0200[diff] [blame]2255#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
Jerry Yue110d252022-05-05 10:19:22 +0800[diff] [blame]2256
Jerry Yuf4b27e42022-03-30 17:32:21 +0800[diff] [blame]2257cleanup:
2258
2259 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server hello" ) );
2260 return( ret );
Jerry Yu5b64ae92022-03-30 17:15:02 +0800[diff] [blame]2261}
2262
Jerry Yu23d1a252022-05-12 18:08:59 +0800[diff] [blame]2263
2264/*
2265 * Handler for MBEDTLS_SSL_HELLO_RETRY_REQUEST
2266 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2267MBEDTLS_CHECK_RETURN_CRITICAL
Ronald Cron7b840462022-06-01 17:05:53 +0200[diff] [blame]2268static int ssl_tls13_prepare_hello_retry_request( mbedtls_ssl_context *ssl )
Jerry Yu23d1a252022-05-12 18:08:59 +0800[diff] [blame]2269{
2270 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2271 if( ssl->handshake->hello_retry_request_count > 0 )
2272 {
2273 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Too many HRRs" ) );
2274 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
2275 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
2276 return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
2277 }
2278
2279 /*
2280 * Create stateless transcript hash for HRR
2281 */
2282 MBEDTLS_SSL_DEBUG_MSG( 4, ( "Reset transcript for HRR" ) );
2283 ret = mbedtls_ssl_reset_transcript_for_hrr( ssl );
2284 if( ret != 0 )
2285 {
2286 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_reset_transcript_for_hrr", ret );
2287 return( ret );
2288 }
2289 mbedtls_ssl_session_reset_msg_layer( ssl, 0 );
2290
2291 return( 0 );
2292}
2293
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2294MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yu23d1a252022-05-12 18:08:59 +0800[diff] [blame]2295static int ssl_tls13_write_hello_retry_request( mbedtls_ssl_context *ssl )
2296{
2297 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2298 unsigned char *buf;
2299 size_t buf_len, msg_len;
2300
2301 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write hello retry request" ) );
2302
Ronald Cron7b840462022-06-01 17:05:53 +0200[diff] [blame]2303 MBEDTLS_SSL_PROC_CHK( ssl_tls13_prepare_hello_retry_request( ssl ) );
Jerry Yu23d1a252022-05-12 18:08:59 +0800[diff] [blame]2304
2305 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_start_handshake_msg(
2306 ssl, MBEDTLS_SSL_HS_SERVER_HELLO,
2307 &buf, &buf_len ) );
2308
2309 MBEDTLS_SSL_PROC_CHK( ssl_tls13_write_server_hello_body( ssl, buf,
2310 buf + buf_len,
2311 &msg_len,
2312 1 ) );
2313 mbedtls_ssl_add_hs_msg_to_checksum(
2314 ssl, MBEDTLS_SSL_HS_SERVER_HELLO, buf, msg_len );
2315
2316
2317 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_finish_handshake_msg( ssl, buf_len,
2318 msg_len ) );
2319
2320 ssl->handshake->hello_retry_request_count++;
2321
Gabor Mezei7b39bf12022-05-24 16:04:14 +0200[diff] [blame]2322#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
2323 /* The server sends a dummy change_cipher_spec record immediately
2324 * after its first handshake message. This may either be after
2325 * a ServerHello or a HelloRetryRequest.
2326 */
Gabor Mezei96ae9262022-06-28 11:45:18 +0200[diff] [blame]2327 mbedtls_ssl_handshake_set_state(
Gabor Mezeif7044ea2022-06-28 16:01:49 +0200[diff] [blame]2328 ssl, MBEDTLS_SSL_SERVER_CCS_AFTER_HELLO_RETRY_REQUEST );
Gabor Mezei7b39bf12022-05-24 16:04:14 +0200[diff] [blame]2329#else
Jerry Yu23d1a252022-05-12 18:08:59 +0800[diff] [blame]2330 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_HELLO );
Gabor Mezei7b39bf12022-05-24 16:04:14 +0200[diff] [blame]2331#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
Jerry Yu23d1a252022-05-12 18:08:59 +0800[diff] [blame]2332
2333cleanup:
2334 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write hello retry request" ) );
2335 return( ret );
2336}
2337
Jerry Yu5b64ae92022-03-30 17:15:02 +0800[diff] [blame]2338/*
Jerry Yu4d3841a2022-04-16 12:37:19 +0800[diff] [blame]2339 * Handler for MBEDTLS_SSL_ENCRYPTED_EXTENSIONS
2340 */
Jerry Yu4d3841a2022-04-16 12:37:19 +0800[diff] [blame]2341
2342/*
2343 * struct {
2344 * Extension extensions<0..2 ^ 16 - 1>;
2345 * } EncryptedExtensions;
2346 *
2347 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2348MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yu4d3841a2022-04-16 12:37:19 +0800[diff] [blame]2349static int ssl_tls13_write_encrypted_extensions_body( mbedtls_ssl_context *ssl,
2350 unsigned char *buf,
2351 unsigned char *end,
2352 size_t *out_len )
2353{
XiaokangQianacb39922022-06-17 10:18:48 +0000[diff] [blame]2354 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yu4d3841a2022-04-16 12:37:19 +0800[diff] [blame]2355 unsigned char *p = buf;
2356 size_t extensions_len = 0;
Jerry Yu8937eb42022-05-03 12:12:14 +0800[diff] [blame]2357 unsigned char *p_extensions_len;
XiaokangQianacb39922022-06-17 10:18:48 +0000[diff] [blame]2358 size_t output_len;
Jerry Yu9da5e5a2022-05-03 15:46:09 +0800[diff] [blame]2359
Jerry Yu4d3841a2022-04-16 12:37:19 +0800[diff] [blame]2360 *out_len = 0;
2361
2362 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 );
Jerry Yu8937eb42022-05-03 12:12:14 +0800[diff] [blame]2363 p_extensions_len = p;
Jerry Yu4d3841a2022-04-16 12:37:19 +0800[diff] [blame]2364 p += 2;
2365
Jerry Yu8937eb42022-05-03 12:12:14 +0800[diff] [blame]2366 ((void) ssl);
XiaokangQianacb39922022-06-17 10:18:48 +0000[diff] [blame]2367 ((void) ret);
2368 ((void) output_len);
2369
2370#if defined(MBEDTLS_SSL_ALPN)
2371 ret = mbedtls_ssl_write_alpn_ext( ssl, p, end, &output_len );
2372 if( ret != 0 )
2373 return( ret );
XiaokangQian95d5f542022-06-24 02:29:26 +0000[diff] [blame]2374 p += output_len;
XiaokangQianacb39922022-06-17 10:18:48 +0000[diff] [blame]2375#endif /* MBEDTLS_SSL_ALPN */
Jerry Yu4d3841a2022-04-16 12:37:19 +0800[diff] [blame]2376
Jerry Yu8937eb42022-05-03 12:12:14 +0800[diff] [blame]2377 extensions_len = ( p - p_extensions_len ) - 2;
2378 MBEDTLS_PUT_UINT16_BE( extensions_len, p_extensions_len, 0 );
2379
2380 *out_len = p - buf;
Jerry Yu4d3841a2022-04-16 12:37:19 +0800[diff] [blame]2381
2382 MBEDTLS_SSL_DEBUG_BUF( 4, "encrypted extensions", buf, *out_len );
2383
2384 return( 0 );
2385}
2386
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2387MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yu4d3841a2022-04-16 12:37:19 +0800[diff] [blame]2388static int ssl_tls13_write_encrypted_extensions( mbedtls_ssl_context *ssl )
2389{
2390 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2391 unsigned char *buf;
Jerry Yu39730a72022-05-03 12:14:04 +0800[diff] [blame]2392 size_t buf_len, msg_len;
Jerry Yu4d3841a2022-04-16 12:37:19 +0800[diff] [blame]2393
Gabor Mezei54719122022-06-28 11:34:56 +0200[diff] [blame]2394 mbedtls_ssl_set_outbound_transform( ssl,
2395 ssl->handshake->transform_handshake );
2396 MBEDTLS_SSL_DEBUG_MSG(
2397 3, ( "switching to handshake transform for outbound data" ) );
2398
Jerry Yuab452cc2022-04-28 15:27:08 +0800[diff] [blame]2399 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write encrypted extensions" ) );
Jerry Yu4d3841a2022-04-16 12:37:19 +0800[diff] [blame]2400
Jerry Yu4d3841a2022-04-16 12:37:19 +0800[diff] [blame]2401 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_start_handshake_msg( ssl,
2402 MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS, &buf, &buf_len ) );
2403
2404 MBEDTLS_SSL_PROC_CHK( ssl_tls13_write_encrypted_extensions_body(
2405 ssl, buf, buf + buf_len, &msg_len ) );
2406
2407 mbedtls_ssl_add_hs_msg_to_checksum(
2408 ssl, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS, buf, msg_len );
2409
Jerry Yu4d3841a2022-04-16 12:37:19 +0800[diff] [blame]2410 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_finish_handshake_msg(
2411 ssl, buf_len, msg_len ) );
2412
Jerry Yu8937eb42022-05-03 12:12:14 +0800[diff] [blame]2413#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Ronald Cron79907712022-07-20 17:05:29 +0200[diff] [blame]2414 if( mbedtls_ssl_tls13_key_exchange_mode_with_psk( ssl ) )
Jerry Yu8937eb42022-05-03 12:12:14 +0800[diff] [blame]2415 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_FINISHED );
2416 else
XiaokangQiana987e1d2022-05-07 01:25:58 +0000[diff] [blame]2417 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CERTIFICATE_REQUEST );
Jerry Yu8937eb42022-05-03 12:12:14 +0800[diff] [blame]2418#else
2419 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_FINISHED );
2420#endif
2421
Jerry Yu4d3841a2022-04-16 12:37:19 +0800[diff] [blame]2422cleanup:
2423
Jerry Yuab452cc2022-04-28 15:27:08 +0800[diff] [blame]2424 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write encrypted extensions" ) );
Jerry Yu4d3841a2022-04-16 12:37:19 +0800[diff] [blame]2425 return( ret );
2426}
2427
XiaokangQiancec9ae62022-05-06 07:28:50 +0000[diff] [blame]2428#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
XiaokangQiana987e1d2022-05-07 01:25:58 +0000[diff] [blame]2429#define SSL_CERTIFICATE_REQUEST_SEND_REQUEST 0
2430#define SSL_CERTIFICATE_REQUEST_SKIP 1
2431/* Coordination:
2432 * Check whether a CertificateRequest message should be written.
2433 * Returns a negative code on failure, or
2434 * - SSL_CERTIFICATE_REQUEST_SEND_REQUEST
2435 * - SSL_CERTIFICATE_REQUEST_SKIP
2436 * indicating if the writing of the CertificateRequest
2437 * should be skipped or not.
2438 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2439MBEDTLS_CHECK_RETURN_CRITICAL
XiaokangQiana987e1d2022-05-07 01:25:58 +0000[diff] [blame]2440static int ssl_tls13_certificate_request_coordinate( mbedtls_ssl_context *ssl )
2441{
2442 int authmode;
2443
XiaokangQian40a35232022-05-07 09:02:40 +0000[diff] [blame]2444#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
2445 if( ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET )
2446 authmode = ssl->handshake->sni_authmode;
2447 else
2448#endif
XiaokangQiana987e1d2022-05-07 01:25:58 +0000[diff] [blame]2449 authmode = ssl->conf->authmode;
2450
2451 if( authmode == MBEDTLS_SSL_VERIFY_NONE )
2452 return( SSL_CERTIFICATE_REQUEST_SKIP );
2453
XiaokangQianc3017f62022-05-13 05:55:41 +0000[diff] [blame]2454 ssl->handshake->certificate_request_sent = 1;
XiaokangQian189ded22022-05-10 08:12:17 +0000[diff] [blame]2455
XiaokangQiana987e1d2022-05-07 01:25:58 +0000[diff] [blame]2456 return( SSL_CERTIFICATE_REQUEST_SEND_REQUEST );
2457}
2458
XiaokangQiancec9ae62022-05-06 07:28:50 +0000[diff] [blame]2459/*
2460 * struct {
2461 * opaque certificate_request_context<0..2^8-1>;
2462 * Extension extensions<2..2^16-1>;
2463 * } CertificateRequest;
2464 *
2465 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2466MBEDTLS_CHECK_RETURN_CRITICAL
XiaokangQiancec9ae62022-05-06 07:28:50 +0000[diff] [blame]2467static int ssl_tls13_write_certificate_request_body( mbedtls_ssl_context *ssl,
2468 unsigned char *buf,
2469 const unsigned char *end,
2470 size_t *out_len )
2471{
2472 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2473 unsigned char *p = buf;
XiaokangQianec6efb92022-05-06 09:53:10 +0000[diff] [blame]2474 size_t output_len = 0;
XiaokangQiancec9ae62022-05-06 07:28:50 +0000[diff] [blame]2475 unsigned char *p_extensions_len;
2476
2477 *out_len = 0;
2478
2479 /* Check if we have enough space:
2480 * - certificate_request_context (1 byte)
2481 * - extensions length (2 bytes)
2482 */
2483 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 3 );
2484
2485 /*
2486 * Write certificate_request_context
2487 */
2488 /*
2489 * We use a zero length context for the normal handshake
2490 * messages. For post-authentication handshake messages
2491 * this request context would be set to a non-zero value.
2492 */
2493 *p++ = 0x0;
2494
2495 /*
2496 * Write extensions
2497 */
2498 /* The extensions must contain the signature_algorithms. */
2499 p_extensions_len = p;
2500 p += 2;
XiaokangQianec6efb92022-05-06 09:53:10 +0000[diff] [blame]2501 ret = mbedtls_ssl_write_sig_alg_ext( ssl, p, end, &output_len );
XiaokangQiancec9ae62022-05-06 07:28:50 +0000[diff] [blame]2502 if( ret != 0 )
2503 return( ret );
2504
XiaokangQianec6efb92022-05-06 09:53:10 +0000[diff] [blame]2505 p += output_len;
XiaokangQianaad9b0a2022-05-09 01:11:21 +0000[diff] [blame]2506 MBEDTLS_PUT_UINT16_BE( p - p_extensions_len - 2, p_extensions_len, 0 );
XiaokangQiancec9ae62022-05-06 07:28:50 +0000[diff] [blame]2507
2508 *out_len = p - buf;
2509
2510 return( 0 );
2511}
2512
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2513MBEDTLS_CHECK_RETURN_CRITICAL
XiaokangQiancec9ae62022-05-06 07:28:50 +0000[diff] [blame]2514static int ssl_tls13_write_certificate_request( mbedtls_ssl_context *ssl )
2515{
2516 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2517
2518 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) );
2519
2520 MBEDTLS_SSL_PROC_CHK_NEG( ssl_tls13_certificate_request_coordinate( ssl ) );
2521
2522 if( ret == SSL_CERTIFICATE_REQUEST_SEND_REQUEST )
2523 {
2524 unsigned char *buf;
2525 size_t buf_len, msg_len;
2526
2527 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_start_handshake_msg( ssl,
2528 MBEDTLS_SSL_HS_CERTIFICATE_REQUEST, &buf, &buf_len ) );
2529
2530 MBEDTLS_SSL_PROC_CHK( ssl_tls13_write_certificate_request_body(
2531 ssl, buf, buf + buf_len, &msg_len ) );
2532
2533 mbedtls_ssl_add_hs_msg_to_checksum(
2534 ssl, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST, buf, msg_len );
2535
2536 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_finish_handshake_msg(
2537 ssl, buf_len, msg_len ) );
2538 }
2539 else if( ret == SSL_CERTIFICATE_REQUEST_SKIP )
2540 {
2541 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) );
2542 ret = 0;
2543 }
2544 else
2545 {
2546 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2547 ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
2548 goto cleanup;
2549 }
2550
2551 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_CERTIFICATE );
2552cleanup:
2553
2554 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate request" ) );
2555 return( ret );
2556}
XiaokangQiancec9ae62022-05-06 07:28:50 +0000[diff] [blame]2557
Jerry Yu4d3841a2022-04-16 12:37:19 +0800[diff] [blame]2558/*
Jerry Yuc6e6dbf2022-04-16 19:42:57 +0800[diff] [blame]2559 * Handler for MBEDTLS_SSL_SERVER_CERTIFICATE
Jerry Yu83da34e2022-04-16 13:59:52 +0800[diff] [blame]2560 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2561MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yuc6e6dbf2022-04-16 19:42:57 +0800[diff] [blame]2562static int ssl_tls13_write_server_certificate( mbedtls_ssl_context *ssl )
Jerry Yu83da34e2022-04-16 13:59:52 +0800[diff] [blame]2563{
Jerry Yu5a26f302022-05-10 20:46:40 +0800[diff] [blame]2564 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
XiaokangQianfb665a82022-06-15 03:57:21 +0000[diff] [blame]2565
2566#if defined(MBEDTLS_X509_CRT_PARSE_C)
2567 if( ( ssl_tls13_pick_key_cert( ssl ) != 0 ) ||
2568 mbedtls_ssl_own_cert( ssl ) == NULL )
Jerry Yu5a26f302022-05-10 20:46:40 +0800[diff] [blame]2569 {
Jerry Yub89125b2022-05-13 15:45:49 +0800[diff] [blame]2570 MBEDTLS_SSL_DEBUG_MSG( 2, ( "No certificate available." ) );
Jerry Yu5a26f302022-05-10 20:46:40 +0800[diff] [blame]2571 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
2572 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE);
Jerry Yuf1c3c4e2022-05-10 11:36:35 +0800[diff] [blame]2573 return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
Jerry Yu5a26f302022-05-10 20:46:40 +0800[diff] [blame]2574 }
XiaokangQianfb665a82022-06-15 03:57:21 +0000[diff] [blame]2575#endif /* MBEDTLS_X509_CRT_PARSE_C */
Jerry Yu5a26f302022-05-10 20:46:40 +0800[diff] [blame]2576
Jerry Yuf1c3c4e2022-05-10 11:36:35 +0800[diff] [blame]2577 ret = mbedtls_ssl_tls13_write_certificate( ssl );
2578 if( ret != 0 )
Jerry Yu1bff7112022-04-16 14:29:11 +0800[diff] [blame]2579 return( ret );
Jerry Yu1bff7112022-04-16 14:29:11 +0800[diff] [blame]2580 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CERTIFICATE_VERIFY );
2581 return( 0 );
Jerry Yu83da34e2022-04-16 13:59:52 +0800[diff] [blame]2582}
2583
2584/*
Jerry Yuc6e6dbf2022-04-16 19:42:57 +0800[diff] [blame]2585 * Handler for MBEDTLS_SSL_CERTIFICATE_VERIFY
Jerry Yu83da34e2022-04-16 13:59:52 +0800[diff] [blame]2586 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2587MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yuc6e6dbf2022-04-16 19:42:57 +0800[diff] [blame]2588static int ssl_tls13_write_certificate_verify( mbedtls_ssl_context *ssl )
Jerry Yu83da34e2022-04-16 13:59:52 +0800[diff] [blame]2589{
Jerry Yu4ff9e142022-04-16 14:57:49 +0800[diff] [blame]2590 int ret = mbedtls_ssl_tls13_write_certificate_verify( ssl );
Jerry Yuf1c3c4e2022-05-10 11:36:35 +0800[diff] [blame]2591 if( ret != 0 )
Jerry Yu4ff9e142022-04-16 14:57:49 +0800[diff] [blame]2592 return( ret );
Jerry Yu4ff9e142022-04-16 14:57:49 +0800[diff] [blame]2593 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_FINISHED );
2594 return( 0 );
Jerry Yu83da34e2022-04-16 13:59:52 +0800[diff] [blame]2595}
Jerry Yu5a26f302022-05-10 20:46:40 +0800[diff] [blame]2596#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
Jerry Yu83da34e2022-04-16 13:59:52 +0800[diff] [blame]2597
2598/*
Jerry Yud6e253d2022-05-18 13:59:24 +0800[diff] [blame]2599 * Handler for MBEDTLS_SSL_SERVER_FINISHED
Jerry Yu69dd8d42022-04-16 12:51:26 +0800[diff] [blame]2600 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2601MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yu4d8567f2022-04-17 10:57:57 +0800[diff] [blame]2602static int ssl_tls13_write_server_finished( mbedtls_ssl_context *ssl )
Jerry Yu69dd8d42022-04-16 12:51:26 +0800[diff] [blame]2603{
Jerry Yud6e253d2022-05-18 13:59:24 +0800[diff] [blame]2604 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yu27bdc7c2022-04-16 13:33:27 +0800[diff] [blame]2605
2606 ret = mbedtls_ssl_tls13_write_finished_message( ssl );
2607 if( ret != 0 )
2608 return( ret );
2609
Jerry Yue3d67cb2022-05-19 15:33:10 +0800[diff] [blame]2610 ret = mbedtls_ssl_tls13_compute_application_transform( ssl );
2611 if( ret != 0 )
2612 {
2613 MBEDTLS_SSL_PEND_FATAL_ALERT(
2614 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
2615 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
2616 return( ret );
2617 }
XiaokangQianc3017f62022-05-13 05:55:41 +0000[diff] [blame]2618
Ronald Cron63dc4632022-05-31 14:41:53 +0200[diff] [blame]2619 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Switch to handshake keys for inbound traffic" ) );
2620 mbedtls_ssl_set_inbound_transform( ssl, ssl->handshake->transform_handshake );
XiaokangQian189ded22022-05-10 08:12:17 +0000[diff] [blame]2621
Ronald Cron63dc4632022-05-31 14:41:53 +0200[diff] [blame]2622 if( ssl->handshake->certificate_request_sent )
2623 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE );
XiaokangQian189ded22022-05-10 08:12:17 +0000[diff] [blame]2624 else
Ronald Cron19385882022-06-15 16:26:13 +0200[diff] [blame]2625 {
2626 MBEDTLS_SSL_DEBUG_MSG( 2, ( "skip parse certificate" ) );
2627 MBEDTLS_SSL_DEBUG_MSG( 2, ( "skip parse certificate verify" ) );
XiaokangQian189ded22022-05-10 08:12:17 +0000[diff] [blame]2628 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_FINISHED );
Ronald Cron19385882022-06-15 16:26:13 +0200[diff] [blame]2629 }
Ronald Cron63dc4632022-05-31 14:41:53 +0200[diff] [blame]2630
Jerry Yu27bdc7c2022-04-16 13:33:27 +0800[diff] [blame]2631 return( 0 );
Jerry Yu69dd8d42022-04-16 12:51:26 +0800[diff] [blame]2632}
2633
2634/*
Jerry Yud6e253d2022-05-18 13:59:24 +0800[diff] [blame]2635 * Handler for MBEDTLS_SSL_CLIENT_FINISHED
Jerry Yu69dd8d42022-04-16 12:51:26 +0800[diff] [blame]2636 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2637MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yu4d8567f2022-04-17 10:57:57 +0800[diff] [blame]2638static int ssl_tls13_process_client_finished( mbedtls_ssl_context *ssl )
Jerry Yu69dd8d42022-04-16 12:51:26 +0800[diff] [blame]2639{
Jerry Yud6e253d2022-05-18 13:59:24 +0800[diff] [blame]2640 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2641
Jerry Yuff226982022-04-16 16:52:57 +0800[diff] [blame]2642 ret = mbedtls_ssl_tls13_process_finished_message( ssl );
2643 if( ret != 0 )
2644 return( ret );
2645
Jerry Yu466dda82022-09-13 11:20:20 +0800[diff] [blame]2646 ret = mbedtls_ssl_tls13_compute_resumption_master_secret( ssl );
Jerry Yue3d67cb2022-05-19 15:33:10 +0800[diff] [blame]2647 if( ret != 0 )
2648 {
2649 MBEDTLS_SSL_DEBUG_RET( 1,
Jerry Yu466dda82022-09-13 11:20:20 +0800[diff] [blame]2650 "mbedtls_ssl_tls13_compute_resumption_master_secret", ret );
Jerry Yue3d67cb2022-05-19 15:33:10 +0800[diff] [blame]2651 }
2652
Jerry Yu03ed50b2022-04-16 17:13:30 +0800[diff] [blame]2653 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_HANDSHAKE_WRAPUP );
Jerry Yuff226982022-04-16 16:52:57 +0800[diff] [blame]2654 return( 0 );
Jerry Yu69dd8d42022-04-16 12:51:26 +0800[diff] [blame]2655}
2656
2657/*
Jerry Yud6e253d2022-05-18 13:59:24 +0800[diff] [blame]2658 * Handler for MBEDTLS_SSL_HANDSHAKE_WRAPUP
Jerry Yu69dd8d42022-04-16 12:51:26 +0800[diff] [blame]2659 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2660MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yu4d8567f2022-04-17 10:57:57 +0800[diff] [blame]2661static int ssl_tls13_handshake_wrapup( mbedtls_ssl_context *ssl )
Jerry Yu69dd8d42022-04-16 12:51:26 +0800[diff] [blame]2662{
Jerry Yu03ed50b2022-04-16 17:13:30 +0800[diff] [blame]2663 MBEDTLS_SSL_DEBUG_MSG( 2, ( "handshake: done" ) );
2664
Jerry Yu03ed50b2022-04-16 17:13:30 +0800[diff] [blame]2665 mbedtls_ssl_tls13_handshake_wrapup( ssl );
Jerry Yue67bef42022-07-07 07:29:42 +0000[diff] [blame]2666
2667#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Jerry Yufca4d572022-07-21 10:37:48 +0800[diff] [blame]2668 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_NEW_SESSION_TICKET );
2669#else
Jerry Yu03ed50b2022-04-16 17:13:30 +0800[diff] [blame]2670 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_HANDSHAKE_OVER );
Jerry Yufca4d572022-07-21 10:37:48 +0800[diff] [blame]2671#endif
Jerry Yu03ed50b2022-04-16 17:13:30 +0800[diff] [blame]2672 return( 0 );
Jerry Yu69dd8d42022-04-16 12:51:26 +0800[diff] [blame]2673}
2674
2675/*
Jerry Yue67bef42022-07-07 07:29:42 +0000[diff] [blame]2676 * Handler for MBEDTLS_SSL_NEW_SESSION_TICKET
2677 */
2678#define SSL_NEW_SESSION_TICKET_SKIP 0
2679#define SSL_NEW_SESSION_TICKET_WRITE 1
2680MBEDTLS_CHECK_RETURN_CRITICAL
2681static int ssl_tls13_write_new_session_ticket_coordinate( mbedtls_ssl_context *ssl )
2682{
2683 /* Check whether the use of session tickets is enabled */
2684 if( ssl->conf->f_ticket_write == NULL )
2685 {
Jerry Yud0766ec2022-09-22 10:46:57 +0800[diff] [blame]2686 MBEDTLS_SSL_DEBUG_MSG( 2, ( "NewSessionTicket: disabled,"
2687 " callback is not set" ) );
2688 return( SSL_NEW_SESSION_TICKET_SKIP );
2689 }
2690 if( ssl->conf->new_session_tickets_count == 0 )
2691 {
2692 MBEDTLS_SSL_DEBUG_MSG( 2, ( "NewSessionTicket: disabled,"
2693 " configured count is zero" ) );
2694 return( SSL_NEW_SESSION_TICKET_SKIP );
2695 }
2696
2697 if( ssl->handshake->new_session_tickets_count == 0 )
2698 {
2699 MBEDTLS_SSL_DEBUG_MSG( 2, ( "NewSessionTicket: all tickets have "
2700 "been sent." ) );
Jerry Yue67bef42022-07-07 07:29:42 +0000[diff] [blame]2701 return( SSL_NEW_SESSION_TICKET_SKIP );
2702 }
2703
Jerry Yue67bef42022-07-07 07:29:42 +0000[diff] [blame]2704 return( SSL_NEW_SESSION_TICKET_WRITE );
2705}
2706
2707#if defined(MBEDTLS_SSL_SESSION_TICKETS)
2708MBEDTLS_CHECK_RETURN_CRITICAL
2709static int ssl_tls13_prepare_new_session_ticket( mbedtls_ssl_context *ssl,
2710 unsigned char *ticket_nonce,
2711 size_t ticket_nonce_size )
2712{
2713 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2714 mbedtls_ssl_session *session = ssl->session;
2715 mbedtls_ssl_ciphersuite_t *ciphersuite_info;
2716 psa_algorithm_t psa_hash_alg;
2717 int hash_length;
2718
2719 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> prepare NewSessionTicket msg" ) );
2720
2721#if defined(MBEDTLS_HAVE_TIME)
2722 session->start = mbedtls_time( NULL );
2723#endif
2724
2725 /* Generate ticket_age_add */
2726 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng,
Jerry Yufca4d572022-07-21 10:37:48 +0800[diff] [blame]2727 (unsigned char *) &session->ticket_age_add,
Jerry Yue67bef42022-07-07 07:29:42 +0000[diff] [blame]2728 sizeof( session->ticket_age_add ) ) != 0 ) )
2729 {
2730 MBEDTLS_SSL_DEBUG_RET( 1, "generate_ticket_age_add", ret );
2731 return( ret );
2732 }
2733 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket_age_add: %u",
Jerry Yufca4d572022-07-21 10:37:48 +0800[diff] [blame]2734 (unsigned int)session->ticket_age_add ) );
Jerry Yue67bef42022-07-07 07:29:42 +0000[diff] [blame]2735
2736 /* Generate ticket_nonce */
2737 ret = ssl->conf->f_rng( ssl->conf->p_rng, ticket_nonce, ticket_nonce_size );
2738 if( ret != 0 )
2739 {
2740 MBEDTLS_SSL_DEBUG_RET( 1, "generate_ticket_nonce", ret );
2741 return( ret );
2742 }
2743 MBEDTLS_SSL_DEBUG_BUF( 3, "ticket_nonce:",
2744 ticket_nonce, ticket_nonce_size );
2745
2746 ciphersuite_info =
2747 (mbedtls_ssl_ciphersuite_t *) ssl->handshake->ciphersuite_info;
2748 psa_hash_alg = mbedtls_psa_translate_md( ciphersuite_info->mac );
2749 hash_length = PSA_HASH_LENGTH( psa_hash_alg );
Jerry Yufca4d572022-07-21 10:37:48 +0800[diff] [blame]2750 if( hash_length == -1 ||
Jerry Yu61197152022-07-21 16:28:02 +0800[diff] [blame]2751 (size_t)hash_length > sizeof( session->resumption_key ) )
Jerry Yufca4d572022-07-21 10:37:48 +0800[diff] [blame]2752 {
Jerry Yue67bef42022-07-07 07:29:42 +0000[diff] [blame]2753 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Jerry Yufca4d572022-07-21 10:37:48 +0800[diff] [blame]2754 }
2755
Jerry Yue67bef42022-07-07 07:29:42 +0000[diff] [blame]2756 /* In this code the psk key length equals the length of the hash */
2757 session->resumption_key_len = hash_length;
2758 session->ciphersuite = ciphersuite_info->id;
2759
2760 /* Compute resumption key
2761 *
2762 * HKDF-Expand-Label( resumption_master_secret,
2763 * "resumption", ticket_nonce, Hash.length )
2764 */
2765 ret = mbedtls_ssl_tls13_hkdf_expand_label(
2766 psa_hash_alg,
2767 session->app_secrets.resumption_master_secret,
2768 hash_length,
2769 MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( resumption ),
2770 ticket_nonce,
2771 ticket_nonce_size,
2772 session->resumption_key,
2773 hash_length );
2774
2775 if( ret != 0 )
2776 {
2777 MBEDTLS_SSL_DEBUG_RET( 2,
2778 "Creating the ticket-resumed PSK failed",
2779 ret );
2780 return ( ret );
2781 }
2782 MBEDTLS_SSL_DEBUG_BUF( 3, "Ticket-resumed PSK",
2783 session->resumption_key,
2784 session->resumption_key_len );
2785
2786 MBEDTLS_SSL_DEBUG_BUF( 3, "resumption_master_secret",
2787 session->app_secrets.resumption_master_secret,
2788 hash_length );
2789
2790 return( 0 );
2791}
2792
2793/* This function creates a NewSessionTicket message in the following format:
2794 *
2795 * struct {
2796 * uint32 ticket_lifetime;
2797 * uint32 ticket_age_add;
2798 * opaque ticket_nonce<0..255>;
2799 * opaque ticket<1..2^16-1>;
2800 * Extension extensions<0..2^16-2>;
2801 * } NewSessionTicket;
2802 *
2803 * The ticket inside the NewSessionTicket message is an encrypted container
2804 * carrying the necessary information so that the server is later able to
2805 * re-start the communication.
2806 *
2807 * The following fields are placed inside the ticket by the
2808 * f_ticket_write() function:
2809 *
2810 * - creation time (start)
2811 * - flags (flags)
2812 * - age add (ticket_age_add)
2813 * - key (key)
2814 * - key length (key_len)
2815 * - ciphersuite (ciphersuite)
2816 */
2817MBEDTLS_CHECK_RETURN_CRITICAL
2818static int ssl_tls13_write_new_session_ticket_body( mbedtls_ssl_context *ssl,
2819 unsigned char *buf,
2820 unsigned char *end,
2821 size_t *out_len,
2822 unsigned char *ticket_nonce,
2823 size_t ticket_nonce_size )
2824{
2825 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2826 unsigned char *p = buf;
2827 mbedtls_ssl_session *session = ssl->session;
2828 size_t ticket_len;
2829 uint32_t ticket_lifetime;
2830
2831 *out_len = 0;
2832 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write NewSessionTicket msg" ) );
2833
2834 /*
2835 * ticket_lifetime 4 bytes
2836 * ticket_age_add 4 bytes
2837 * ticket_nonce 1 + ticket_nonce_size bytes
2838 * ticket >=2 bytes
2839 */
2840 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 4 + 4 + 1 + ticket_nonce_size + 2 );
2841
2842 /* Generate ticket and ticket_lifetime */
2843 ret = ssl->conf->f_ticket_write( ssl->conf->p_ticket,
2844 session,
2845 p + 9 + ticket_nonce_size + 2,
2846 end,
2847 &ticket_len,
2848 &ticket_lifetime);
2849 if( ret != 0 )
2850 {
2851 MBEDTLS_SSL_DEBUG_RET( 1, "write_ticket", ret );
2852 return( ret );
2853 }
2854 /* RFC 8446 4.6.1
2855 * ticket_lifetime: Indicates the lifetime in seconds as a 32-bit
2856 * unsigned integer in network byte order from the time of ticket
2857 * issuance. Servers MUST NOT use any value greater than
2858 * 604800 seconds (7 days). The value of zero indicates that the
2859 * ticket should be discarded immediately. Clients MUST NOT cache
2860 * tickets for longer than 7 days, regardless of the ticket_lifetime,
2861 * and MAY delete tickets earlier based on local policy. A server
2862 * MAY treat a ticket as valid for a shorter period of time than what
2863 * is stated in the ticket_lifetime.
2864 */
2865 ticket_lifetime %= 604800;
2866 MBEDTLS_PUT_UINT32_BE( ticket_lifetime, p, 0 );
2867 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket_lifetime: %u",
2868 ( unsigned int )ticket_lifetime ) );
2869
2870 /* Write ticket_age_add */
2871 MBEDTLS_PUT_UINT32_BE( session->ticket_age_add, p, 4 );
2872 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket_age_add: %u",
2873 ( unsigned int )session->ticket_age_add ) );
2874
2875 /* Write ticket_nonce */
2876 p[8] = ( unsigned char )ticket_nonce_size;
2877 if( ticket_nonce_size > 0 )
2878 {
2879 memcpy( p + 9, ticket_nonce, ticket_nonce_size );
2880 }
2881 p += 9 + ticket_nonce_size;
2882
2883 /* Write ticket */
2884 MBEDTLS_PUT_UINT16_BE( ticket_len, p, 0 );
2885 p += 2;
2886 MBEDTLS_SSL_DEBUG_BUF( 4, "ticket", p, ticket_len);
2887 p += ticket_len;
2888
2889 /* Ticket Extensions
2890 *
2891 * Note: We currently don't have any extensions.
2892 * Set length to zero.
2893 */
2894 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 );
2895 MBEDTLS_PUT_UINT16_BE( 0, p, 0 );
2896 p += 2;
2897
2898 *out_len = p - buf;
2899 MBEDTLS_SSL_DEBUG_BUF( 4, "ticket", buf, *out_len );
2900 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write new session ticket" ) );
2901
2902 return( 0 );
2903}
2904
2905/*
2906 * Handler for MBEDTLS_SSL_NEW_SESSION_TICKET
2907 */
2908static int ssl_tls13_write_new_session_ticket( mbedtls_ssl_context *ssl )
2909{
2910 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2911
2912 MBEDTLS_SSL_PROC_CHK_NEG( ssl_tls13_write_new_session_ticket_coordinate( ssl ) );
2913
2914 if( ret == SSL_NEW_SESSION_TICKET_WRITE )
2915 {
2916 unsigned char ticket_nonce[MBEDTLS_SSL_TLS1_3_TICKET_NONCE_LENGTH];
2917 unsigned char *buf;
2918 size_t buf_len, msg_len;
2919
2920 MBEDTLS_SSL_PROC_CHK( ssl_tls13_prepare_new_session_ticket(
2921 ssl, ticket_nonce, sizeof( ticket_nonce ) ) );
2922
2923 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_start_handshake_msg( ssl,
2924 MBEDTLS_SSL_HS_NEW_SESSION_TICKET, &buf, &buf_len ) );
2925
2926 MBEDTLS_SSL_PROC_CHK( ssl_tls13_write_new_session_ticket_body(
2927 ssl, buf, buf + buf_len, &msg_len,
2928 ticket_nonce, sizeof( ticket_nonce ) ) );
2929
Jerry Yue67bef42022-07-07 07:29:42 +0000[diff] [blame]2930 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_finish_handshake_msg(
2931 ssl, buf_len, msg_len ) );
Jerry Yufca4d572022-07-21 10:37:48 +0800[diff] [blame]2932
Jerry Yu359e65f2022-09-22 23:47:43 +0800[diff] [blame]2933 /* Limit session tickets count to one when resumption connection.
2934 *
2935 * See document of mbedtls_ssl_conf_new_session_tickets.
2936 */
2937 if( ssl->handshake->resume == 1 )
2938 ssl->handshake->new_session_tickets_count = 0;
2939 else
2940 ssl->handshake->new_session_tickets_count--;
Jerry Yub7e3fa72022-09-22 11:07:18 +0800[diff] [blame]2941
Jerry Yufca4d572022-07-21 10:37:48 +0800[diff] [blame]2942 mbedtls_ssl_handshake_set_state( ssl,
2943 MBEDTLS_SSL_NEW_SESSION_TICKET_FLUSH );
Jerry Yue67bef42022-07-07 07:29:42 +0000[diff] [blame]2944 }
2945 else
2946 {
2947 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_HANDSHAKE_OVER );
2948 }
2949
Jerry Yue67bef42022-07-07 07:29:42 +0000[diff] [blame]2950cleanup:
2951
2952 return( ret );
2953}
2954#endif /* MBEDTLS_SSL_SESSION_TICKETS */
2955
2956/*
XiaokangQiane8ff3502022-04-22 02:34:40 +0000[diff] [blame]2957 * TLS 1.3 State Machine -- server side
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]2958 */
Jerry Yu27561932021-08-27 17:07:38 +0800[diff] [blame]2959int mbedtls_ssl_tls13_handshake_server_step( mbedtls_ssl_context *ssl )
Jerry Yub9930e72021-08-06 17:11:51 +0800[diff] [blame]2960{
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]2961 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]2962
2963 if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER || ssl->handshake == NULL )
2964 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
2965
Jerry Yue3b34122021-09-28 17:53:35 +0800[diff] [blame]2966 MBEDTLS_SSL_DEBUG_MSG( 2, ( "tls13 server state: %s(%d)",
2967 mbedtls_ssl_states_str( ssl->state ),
2968 ssl->state ) );
Jerry Yu6e81b272021-09-27 11:16:17 +0800[diff] [blame]2969
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]2970 switch( ssl->state )
2971 {
2972 /* start state */
2973 case MBEDTLS_SSL_HELLO_REQUEST:
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]2974 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_HELLO );
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]2975 ret = 0;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]2976 break;
2977
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]2978 case MBEDTLS_SSL_CLIENT_HELLO:
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]2979 ret = ssl_tls13_process_client_hello( ssl );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]2980 if( ret != 0 )
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]2981 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_tls13_process_client_hello", ret );
Jerry Yuf41553b2022-05-09 22:20:30 +0800[diff] [blame]2982 break;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]2983
Jerry Yuf41553b2022-05-09 22:20:30 +0800[diff] [blame]2984 case MBEDTLS_SSL_HELLO_RETRY_REQUEST:
2985 ret = ssl_tls13_write_hello_retry_request( ssl );
2986 if( ret != 0 )
2987 {
2988 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_tls13_write_hello_retry_request", ret );
2989 return( ret );
2990 }
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]2991 break;
2992
Jerry Yu5b64ae92022-03-30 17:15:02 +0800[diff] [blame]2993 case MBEDTLS_SSL_SERVER_HELLO:
2994 ret = ssl_tls13_write_server_hello( ssl );
2995 break;
2996
Xiaofei Baicba64af2022-02-15 10:00:56 +0000[diff] [blame]2997 case MBEDTLS_SSL_ENCRYPTED_EXTENSIONS:
Jerry Yu4d3841a2022-04-16 12:37:19 +0800[diff] [blame]2998 ret = ssl_tls13_write_encrypted_extensions( ssl );
Xiaofei Baicba64af2022-02-15 10:00:56 +0000[diff] [blame]2999 if( ret != 0 )
3000 {
Jerry Yu4d3841a2022-04-16 12:37:19 +0800[diff] [blame]3001 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_tls13_write_encrypted_extensions", ret );
3002 return( ret );
Xiaofei Baicba64af2022-02-15 10:00:56 +0000[diff] [blame]3003 }
Jerry Yu48330562022-05-06 21:35:44 +0800[diff] [blame]3004 break;
Jerry Yu6a2cd9e2022-05-05 11:14:19 +0800[diff] [blame]3005
Xiaofei Bai9ca09d42022-02-14 12:57:18 +0000[diff] [blame]3006#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
3007 case MBEDTLS_SSL_CERTIFICATE_REQUEST:
Xiaofei Bai5ee73d82022-03-14 02:48:30 +0000[diff] [blame]3008 ret = ssl_tls13_write_certificate_request( ssl );
Xiaofei Bai9ca09d42022-02-14 12:57:18 +0000[diff] [blame]3009 break;
Xiaofei Bai9ca09d42022-02-14 12:57:18 +0000[diff] [blame]3010
Jerry Yu83da34e2022-04-16 13:59:52 +0800[diff] [blame]3011 case MBEDTLS_SSL_SERVER_CERTIFICATE:
3012 ret = ssl_tls13_write_server_certificate( ssl );
3013 break;
3014
3015 case MBEDTLS_SSL_CERTIFICATE_VERIFY:
3016 ret = ssl_tls13_write_certificate_verify( ssl );
3017 break;
Jerry Yu5a26f302022-05-10 20:46:40 +0800[diff] [blame]3018#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
Jerry Yu83da34e2022-04-16 13:59:52 +0800[diff] [blame]3019
Gabor Mezei7b39bf12022-05-24 16:04:14 +0200[diff] [blame]3020 /*
3021 * Injection of dummy-CCS's for middlebox compatibility
3022 */
3023#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
Gabor Mezeif7044ea2022-06-28 16:01:49 +0200[diff] [blame]3024 case MBEDTLS_SSL_SERVER_CCS_AFTER_HELLO_RETRY_REQUEST:
Gabor Mezei7b39bf12022-05-24 16:04:14 +0200[diff] [blame]3025 ret = mbedtls_ssl_tls13_write_change_cipher_spec( ssl );
3026 if( ret == 0 )
3027 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_HELLO );
3028 break;
3029
3030 case MBEDTLS_SSL_SERVER_CCS_AFTER_SERVER_HELLO:
3031 ret = mbedtls_ssl_tls13_write_change_cipher_spec( ssl );
3032 if( ret == 0 )
3033 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_ENCRYPTED_EXTENSIONS );
3034 break;
3035#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
3036
Jerry Yu69dd8d42022-04-16 12:51:26 +0800[diff] [blame]3037 case MBEDTLS_SSL_SERVER_FINISHED:
3038 ret = ssl_tls13_write_server_finished( ssl );
3039 break;
3040
3041 case MBEDTLS_SSL_CLIENT_FINISHED:
3042 ret = ssl_tls13_process_client_finished( ssl );
3043 break;
3044
Jerry Yu69dd8d42022-04-16 12:51:26 +0800[diff] [blame]3045 case MBEDTLS_SSL_HANDSHAKE_WRAPUP:
3046 ret = ssl_tls13_handshake_wrapup( ssl );
3047 break;
3048
XiaokangQian6b916b12022-04-25 07:29:34 +0000[diff] [blame]3049 case MBEDTLS_SSL_CLIENT_CERTIFICATE:
3050 ret = mbedtls_ssl_tls13_process_certificate( ssl );
Ronald Cron209cae92022-06-07 10:30:19 +0200[diff] [blame]3051 if( ret == 0 )
XiaokangQian6b916b12022-04-25 07:29:34 +0000[diff] [blame]3052 {
Ronald Cron209cae92022-06-07 10:30:19 +0200[diff] [blame]3053 if( ssl->session_negotiate->peer_cert != NULL )
3054 {
3055 mbedtls_ssl_handshake_set_state(
3056 ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY );
3057 }
3058 else
Ronald Cron19385882022-06-15 16:26:13 +0200[diff] [blame]3059 {
3060 MBEDTLS_SSL_DEBUG_MSG( 2, ( "skip parse certificate verify" ) );
Ronald Cron209cae92022-06-07 10:30:19 +0200[diff] [blame]3061 mbedtls_ssl_handshake_set_state(
3062 ssl, MBEDTLS_SSL_CLIENT_FINISHED );
Ronald Cron19385882022-06-15 16:26:13 +0200[diff] [blame]3063 }
XiaokangQian6b916b12022-04-25 07:29:34 +0000[diff] [blame]3064 }
3065 break;
3066
3067 case MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY:
3068 ret = mbedtls_ssl_tls13_process_certificate_verify( ssl );
3069 if( ret == 0 )
3070 {
3071 mbedtls_ssl_handshake_set_state(
3072 ssl, MBEDTLS_SSL_CLIENT_FINISHED );
3073 }
3074 break;
3075
Jerry Yue67bef42022-07-07 07:29:42 +0000[diff] [blame]3076#if defined(MBEDTLS_SSL_SESSION_TICKETS)
3077 case MBEDTLS_SSL_NEW_SESSION_TICKET:
3078 ret = ssl_tls13_write_new_session_ticket( ssl );
3079 if( ret != 0 )
3080 {
3081 MBEDTLS_SSL_DEBUG_RET( 1,
3082 "ssl_tls13_write_new_session_ticket ",
3083 ret );
3084 }
3085 break;
3086 case MBEDTLS_SSL_NEW_SESSION_TICKET_FLUSH:
3087 /* This state is necessary to do the flush of the New Session
3088 * Ticket message written in MBEDTLS_SSL_NEW_SESSION_TICKET
3089 * as part of ssl_prepare_handshake_step.
3090 */
3091 ret = 0;
Jerry Yud4e75002022-08-09 13:33:50 +0800[diff] [blame]3092
Jerry Yud0766ec2022-09-22 10:46:57 +0800[diff] [blame]3093 if( ssl->handshake->new_session_tickets_count == 0 )
Jerry Yud4e75002022-08-09 13:33:50 +0800[diff] [blame]3094 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_HANDSHAKE_OVER );
3095 else
3096 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_NEW_SESSION_TICKET );
Jerry Yue67bef42022-07-07 07:29:42 +0000[diff] [blame]3097 break;
3098
3099#endif /* MBEDTLS_SSL_SESSION_TICKETS */
3100
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]3101 default:
3102 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) );
XiaokangQian060d8672022-04-21 09:24:56 +0000[diff] [blame]3103 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]3104 }
3105
3106 return( ret );
Jerry Yub9930e72021-08-06 17:11:51 +0800[diff] [blame]3107}
Jerry Yu3cc4c2a2021-08-06 16:29:08 +0800[diff] [blame]3108
Jerry Yufb4b6472022-01-27 15:03:26 +0800[diff] [blame]3109#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_PROTO_TLS1_3 */