TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / abf20c756462b39fc9dc1559ba99f97058c788ec / . / library / ssl_tls13_server.c
blob: acd536abee5a7c798cb27f0a41b97b828e9d45fa [file] [log] [blame]
Jerry Yu3cc4c2a2021-08-06 16:29:08 +0800[diff] [blame]1/*
Jerry Yub9930e72021-08-06 17:11:51 +0800[diff] [blame]2 * TLS 1.3 server-side functions
Jerry Yu3cc4c2a2021-08-06 16:29:08 +0800[diff] [blame]3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18*/
19
20#include "common.h"
21
Jerry Yufb4b6472022-01-27 15:03:26 +0800[diff] [blame]22#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
Jerry Yu3cc4c2a2021-08-06 16:29:08 +0800[diff] [blame]23
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]24#include "mbedtls/debug.h"
25
Jerry Yu3cc4c2a2021-08-06 16:29:08 +0800[diff] [blame]26#include "ssl_misc.h"
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]27#include "ssl_tls13_keys.h"
Gilles Peskine923d5c92021-12-15 12:56:54 +0100[diff] [blame]28#include "ssl_debug_helpers.h"
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]29#include "ecdh_misc.h"
30
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]31#if defined(MBEDTLS_ECP_C)
32#include "mbedtls/ecp.h"
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]33#endif /* MBEDTLS_ECP_C */
Jerry Yu3cc4c2a2021-08-06 16:29:08 +0800[diff] [blame]34
XiaokangQiana9c58412022-02-17 09:41:26 +0000[diff] [blame]35#if defined(MBEDTLS_PLATFORM_C)
36#include "mbedtls/platform.h"
37#else
38#include <stdlib.h>
39#define mbedtls_calloc calloc
40#define mbedtls_free free
41#endif /* MBEDTLS_PLATFORM_C */
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]42
43/* From RFC 8446:
44 * struct {
XiaokangQiancfd925f2022-04-14 07:10:37 +0000[diff] [blame]45 * ProtocolVersion versions<2..254>;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]46 * } SupportedVersions;
47 */
48static int ssl_tls13_parse_supported_versions_ext( mbedtls_ssl_context *ssl,
49 const unsigned char *buf,
50 const unsigned char *end )
51{
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]52 const unsigned char *p = buf;
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]53 size_t versions_len;
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]54 const unsigned char *versions_end;
XiaokangQian0a1b54e2022-04-21 03:01:38 +0000[diff] [blame]55 uint16_t tls_version;
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]56 int tls13_supported = 0;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]57
58 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 1 );
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]59 versions_len = p[0];
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]60 p += 1;
61
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]62 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, versions_len );
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]63 versions_end = p + versions_len;
64 while( p < versions_end )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]65 {
XiaokangQiancfd925f2022-04-14 07:10:37 +0000[diff] [blame]66 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, versions_end, 2 );
XiaokangQiande333912022-04-20 08:49:42 +0000[diff] [blame]67 tls_version = mbedtls_ssl_read_version( p, ssl->conf->transport );
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]68 p += 2;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]69
70 /* In this implementation we only support TLS 1.3 and DTLS 1.3. */
XiaokangQiande333912022-04-20 08:49:42 +0000[diff] [blame]71 if( tls_version == MBEDTLS_SSL_VERSION_TLS1_3 )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]72 {
73 tls13_supported = 1;
74 break;
75 }
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]76 }
77
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]78 if( !tls13_supported )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]79 {
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]80 MBEDTLS_SSL_DEBUG_MSG( 1, ( "TLS 1.3 is not supported by the client" ) );
81
82 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION,
83 MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION );
84 return( MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION );
85 }
86
XiaokangQiande333912022-04-20 08:49:42 +0000[diff] [blame]87 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Negotiated version. Supported is [%04x]",
XiaokangQian0a1b54e2022-04-21 03:01:38 +0000[diff] [blame]88 (unsigned int)tls_version ) );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]89
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]90 return( 0 );
91}
92
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]93#if defined(MBEDTLS_ECDH_C)
XiaokangQiane8ff3502022-04-22 02:34:40 +0000[diff] [blame]94/*
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]95 *
96 * From RFC 8446:
97 * enum {
98 * ... (0xFFFF)
99 * } NamedGroup;
100 * struct {
101 * NamedGroup named_group_list<2..2^16-1>;
102 * } NamedGroupList;
103 */
XiaokangQiancfd925f2022-04-14 07:10:37 +0000[diff] [blame]104static int ssl_tls13_parse_supported_groups_ext(
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]105 mbedtls_ssl_context *ssl,
106 const unsigned char *buf, const unsigned char *end )
107{
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]108 const unsigned char *p = buf;
XiaokangQian84823772022-04-19 07:57:30 +0000[diff] [blame]109 size_t named_group_list_len;
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]110 const unsigned char *named_group_list_end;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]111
112 MBEDTLS_SSL_DEBUG_BUF( 3, "supported_groups extension", p, end - buf );
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]113 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]114 named_group_list_len = MBEDTLS_GET_UINT16_BE( p, 0 );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]115 p += 2;
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]116 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, named_group_list_len );
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]117 named_group_list_end = p + named_group_list_len;
XiaokangQian4e8cd7b2022-04-21 09:48:09 +0000[diff] [blame]118 ssl->handshake->hrr_selected_group = 0;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]119
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]120 while( p < named_group_list_end )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]121 {
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]122 uint16_t named_group;
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]123 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, named_group_list_end, 2 );
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]124 named_group = MBEDTLS_GET_UINT16_BE( p, 0 );
125 p += 2;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]126
XiaokangQian318dc762022-04-20 09:43:51 +0000[diff] [blame]127 MBEDTLS_SSL_DEBUG_MSG( 2, ( "got named group: %d", named_group ) );
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]128
129 if( ! mbedtls_ssl_named_group_is_offered( ssl, named_group ) ||
130 ! mbedtls_ssl_named_group_is_supported( named_group ) ||
XiaokangQian4e8cd7b2022-04-21 09:48:09 +0000[diff] [blame]131 ssl->handshake->hrr_selected_group != 0 )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]132 {
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]133 continue;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]134 }
135
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]136 MBEDTLS_SSL_DEBUG_MSG(
137 2, ( "add named group (%04x) into received list.",
138 named_group ) );
XiaokangQian4e8cd7b2022-04-21 09:48:09 +0000[diff] [blame]139 ssl->handshake->hrr_selected_group = named_group;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]140 }
141
142 return( 0 );
143
144}
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]145#endif /* MBEDTLS_ECDH_C */
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]146
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]147#define SSL_TLS1_3_PARSE_KEY_SHARES_EXT_NO_MATCH 1
148
XiaokangQian88408882022-04-02 10:15:03 +0000[diff] [blame]149#if defined(MBEDTLS_ECDH_C)
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]150/*
151 * ssl_tls13_parse_key_shares_ext() verifies whether the information in the
XiaokangQiane8ff3502022-04-22 02:34:40 +0000[diff] [blame]152 * extension is correct and stores the first acceptable key share and its associated group.
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]153 *
154 * Possible return values are:
155 * - 0: Successful processing of the client provided key share extension.
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]156 * - SSL_TLS1_3_PARSE_KEY_SHARES_EXT_NO_MATCH: The key shares provided by the client
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]157 * does not match a group supported by the server. A HelloRetryRequest will
158 * be needed.
XiaokangQiane8ff3502022-04-22 02:34:40 +0000[diff] [blame]159 * - A negative value for fatal errors.
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]160*/
161
162static int ssl_tls13_parse_key_shares_ext( mbedtls_ssl_context *ssl,
163 const unsigned char *buf,
164 const unsigned char *end )
165{
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]166 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]167 unsigned char const *p = buf;
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]168 unsigned char const *client_shares_end;
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]169 size_t client_shares_len, key_exchange_len;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]170 int match_found = 0;
171
172 /* From RFC 8446:
173 *
174 * struct {
175 * KeyShareEntry client_shares<0..2^16-1>;
176 * } KeyShareClientHello;
177 *
178 */
179
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]180 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]181 client_shares_len = MBEDTLS_GET_UINT16_BE( p, 0 );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]182 p += 2;
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]183 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, client_shares_len );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]184
185 ssl->handshake->offered_group_id = 0;
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]186 client_shares_end = p + client_shares_len;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]187
188 /* We try to find a suitable key share entry and copy it to the
189 * handshake context. Later, we have to find out whether we can do
190 * something with the provided key share or whether we have to
XiaokangQianc5763b52022-04-02 03:34:37 +0000[diff] [blame]191 * dismiss it and send a HelloRetryRequest message.
192 */
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]193
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]194 for( ; p < client_shares_end; p += key_exchange_len )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]195 {
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000[diff] [blame]196 uint16_t group;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]197
198 /*
199 * struct {
200 * NamedGroup group;
201 * opaque key_exchange<1..2^16-1>;
202 * } KeyShareEntry;
203 */
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]204 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, client_shares_end, 4 );
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000[diff] [blame]205 group = MBEDTLS_GET_UINT16_BE( p, 0 );
206 p += 2;
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]207 key_exchange_len = MBEDTLS_GET_UINT16_BE( p, 0 );
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000[diff] [blame]208 p += 2;
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]209 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, client_shares_end, key_exchange_len );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]210
211 /* Continue parsing even if we have already found a match,
XiaokangQianc5763b52022-04-02 03:34:37 +0000[diff] [blame]212 * for input validation purposes.
213 */
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]214 if( match_found == 1 )
215 continue;
216
XiaokangQian060d8672022-04-21 09:24:56 +0000[diff] [blame]217 if( ! mbedtls_ssl_named_group_is_offered( ssl, group ) ||
218 ! mbedtls_ssl_named_group_is_supported( group ) )
219 {
220 continue;
221 }
XiaokangQian060d8672022-04-21 09:24:56 +0000[diff] [blame]222
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]223 /*
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]224 * For now, we only support ECDHE groups.
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]225 */
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000[diff] [blame]226 if( mbedtls_ssl_tls13_named_group_is_ecdhe( group ) )
227 {
XiaokangQian4e8cd7b2022-04-21 09:48:09 +0000[diff] [blame]228 const mbedtls_ecp_curve_info *curve_info =
229 mbedtls_ecp_curve_info_from_tls_id( group );
230 ((void) curve_info);
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000[diff] [blame]231 MBEDTLS_SSL_DEBUG_MSG( 2, ( "ECDH curve: %s", curve_info->name ) );
XiaokangQian318dc762022-04-20 09:43:51 +0000[diff] [blame]232 ret = mbedtls_ssl_tls13_read_public_ecdhe_share(
233 ssl, p - 2, key_exchange_len + 2 );
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000[diff] [blame]234 if( ret != 0 )
235 return( ret );
XiaokangQian4e8cd7b2022-04-21 09:48:09 +0000[diff] [blame]236
237 match_found = 1;
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000[diff] [blame]238 }
239 else
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]240 {
241 MBEDTLS_SSL_DEBUG_MSG( 4, ( "Unrecognized NamedGroup %u",
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000[diff] [blame]242 (unsigned) group ) );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]243 continue;
244 }
245
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000[diff] [blame]246 ssl->handshake->offered_group_id = group;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]247 }
248
249 if( match_found == 0 )
250 {
251 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no matching key share" ) );
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]252 return( SSL_TLS1_3_PARSE_KEY_SHARES_EXT_NO_MATCH );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]253 }
254 return( 0 );
255}
XiaokangQian88408882022-04-02 10:15:03 +0000[diff] [blame]256#endif /* MBEDTLS_ECDH_C */
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]257
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]258#if defined(MBEDTLS_DEBUG_C)
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]259static void ssl_tls13_debug_print_client_hello_exts( mbedtls_ssl_context *ssl )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]260{
XiaokangQian3207a322022-02-23 03:15:27 +0000[diff] [blame]261 ((void) ssl);
262
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]263 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Supported Extensions:" ) );
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]264 MBEDTLS_SSL_DEBUG_MSG( 3,
265 ( "- KEY_SHARE_EXTENSION ( %s )",
266 ( ( ssl->handshake->extensions_present
267 & MBEDTLS_SSL_EXT_KEY_SHARE ) > 0 ) ? "TRUE" : "FALSE" ) );
268 MBEDTLS_SSL_DEBUG_MSG( 3,
269 ( "- PSK_KEY_EXCHANGE_MODES_EXTENSION ( %s )",
270 ( ( ssl->handshake->extensions_present
271 & MBEDTLS_SSL_EXT_PSK_KEY_EXCHANGE_MODES ) > 0 ) ?
272 "TRUE" : "FALSE" ) );
273 MBEDTLS_SSL_DEBUG_MSG( 3,
274 ( "- PRE_SHARED_KEY_EXTENSION ( %s )",
275 ( ( ssl->handshake->extensions_present
276 & MBEDTLS_SSL_EXT_PRE_SHARED_KEY ) > 0 ) ? "TRUE" : "FALSE" ) );
277 MBEDTLS_SSL_DEBUG_MSG( 3,
278 ( "- SIGNATURE_ALGORITHM_EXTENSION ( %s )",
279 ( ( ssl->handshake->extensions_present
280 & MBEDTLS_SSL_EXT_SIG_ALG ) > 0 ) ? "TRUE" : "FALSE" ) );
281 MBEDTLS_SSL_DEBUG_MSG( 3,
282 ( "- SUPPORTED_GROUPS_EXTENSION ( %s )",
283 ( ( ssl->handshake->extensions_present
284 & MBEDTLS_SSL_EXT_SUPPORTED_GROUPS ) >0 ) ?
285 "TRUE" : "FALSE" ) );
286 MBEDTLS_SSL_DEBUG_MSG( 3,
287 ( "- SUPPORTED_VERSION_EXTENSION ( %s )",
288 ( ( ssl->handshake->extensions_present
289 & MBEDTLS_SSL_EXT_SUPPORTED_VERSIONS ) > 0 ) ?
290 "TRUE" : "FALSE" ) );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]291#if defined ( MBEDTLS_SSL_SERVER_NAME_INDICATION )
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]292 MBEDTLS_SSL_DEBUG_MSG( 3,
293 ( "- SERVERNAME_EXTENSION ( %s )",
294 ( ( ssl->handshake->extensions_present
295 & MBEDTLS_SSL_EXT_SERVERNAME ) > 0 ) ?
296 "TRUE" : "FALSE" ) );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]297#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]298}
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]299#endif /* MBEDTLS_DEBUG_C */
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]300
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]301static int ssl_tls13_client_hello_has_exts( mbedtls_ssl_context *ssl,
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]302 int exts_mask )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]303{
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]304 int masked = ssl->handshake->extensions_present & exts_mask;
305 return( masked == exts_mask );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]306}
307
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]308static int ssl_tls13_client_hello_has_exts_for_ephemeral_key_exchange(
309 mbedtls_ssl_context *ssl )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]310{
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]311 return( ssl_tls13_client_hello_has_exts( ssl,
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]312 MBEDTLS_SSL_EXT_SUPPORTED_GROUPS |
313 MBEDTLS_SSL_EXT_KEY_SHARE |
314 MBEDTLS_SSL_EXT_SIG_ALG ) );
315}
316
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]317static int ssl_tls13_check_ephemeral_key_exchange( mbedtls_ssl_context *ssl )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]318{
319 if( !mbedtls_ssl_conf_tls13_ephemeral_enabled( ssl ) )
320 return( 0 );
321
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]322 if( !ssl_tls13_client_hello_has_exts_for_ephemeral_key_exchange( ssl ) )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]323 return( 0 );
324
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]325 ssl->handshake->tls13_kex_modes =
326 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]327 return( 1 );
328}
329
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]330/*
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]331 *
332 * STATE HANDLING: ClientHello
333 *
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]334 * There are three possible classes of outcomes when parsing the ClientHello:
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]335 *
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]336 * 1) The ClientHello was well-formed and matched the server's configuration.
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]337 *
338 * In this case, the server progresses to sending its ServerHello.
339 *
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]340 * 2) The ClientHello was well-formed but didn't match the server's
341 * configuration.
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]342 *
343 * For example, the client might not have offered a key share which
344 * the server supports, or the server might require a cookie.
345 *
346 * In this case, the server sends a HelloRetryRequest.
347 *
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]348 * 3) The ClientHello was ill-formed
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]349 *
350 * In this case, we abort the handshake.
351 *
352 */
353
354/*
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]355 * Structure of this message:
356 *
XiaokangQiane8ff3502022-04-22 02:34:40 +0000[diff] [blame]357 * uint16 ProtocolVersion;
358 * opaque Random[32];
359 * uint8 CipherSuite[2]; // Cryptographic suite selector
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]360 *
XiaokangQiane8ff3502022-04-22 02:34:40 +0000[diff] [blame]361 * struct {
362 * ProtocolVersion legacy_version = 0x0303; // TLS v1.2
363 * Random random;
364 * opaque legacy_session_id<0..32>;
365 * CipherSuite cipher_suites<2..2^16-2>;
366 * opaque legacy_compression_methods<1..2^8-1>;
367 * Extension extensions<8..2^16-1>;
368 * } ClientHello;
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]369 */
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]370
371#define SSL_CLIENT_HELLO_OK 0
372#define SSL_CLIENT_HELLO_HRR_REQUIRED 1
373
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]374static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl,
375 const unsigned char *buf,
376 const unsigned char *end )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]377{
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]378 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
379 const unsigned char *p = buf;
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]380 size_t legacy_session_id_len;
XiaokangQian060d8672022-04-21 09:24:56 +0000[diff] [blame]381 const unsigned char *cipher_suites;
XiaokangQian318dc762022-04-20 09:43:51 +0000[diff] [blame]382 size_t cipher_suites_len;
XiaokangQian060d8672022-04-21 09:24:56 +0000[diff] [blame]383 const unsigned char *cipher_suites_end;
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]384 size_t extensions_len;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]385 const unsigned char *extensions_end;
386
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]387 const mbedtls_ssl_ciphersuite_t* ciphersuite_info;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]388
389 ssl->handshake->extensions_present = MBEDTLS_SSL_EXT_NONE;
390
391 /*
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]392 * ClientHello layout:
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]393 * 0 . 1 protocol version
XiaokangQiane8ff3502022-04-22 02:34:40 +0000[diff] [blame]394 * 2 . 33 random bytes
XiaokangQianc5763b52022-04-02 03:34:37 +0000[diff] [blame]395 * 34 . 34 session id length ( 1 byte )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]396 * 35 . 34+x session id
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]397 * .. . .. ciphersuite list length ( 2 bytes )
398 * .. . .. ciphersuite list
399 * .. . .. compression alg. list length ( 1 byte )
400 * .. . .. compression alg. list
401 * .. . .. extensions length ( 2 bytes, optional )
402 * .. . .. extensions ( optional )
403 */
404
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]405 /*
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]406 * Minimal length ( with everything empty and extensions ommitted ) is
407 * 2 + 32 + 1 + 2 + 1 = 38 bytes. Check that first, so that we can
408 * read at least up to session id length without worrying.
409 */
410 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 38 );
411
412 /* ...
413 * ProtocolVersion legacy_version = 0x0303; // TLS 1.2
414 * ...
415 * with ProtocolVersion defined as:
416 * uint16 ProtocolVersion;
417 */
XiaokangQiande333912022-04-20 08:49:42 +0000[diff] [blame]418 if( mbedtls_ssl_read_version( p, ssl->conf->transport ) !=
419 MBEDTLS_SSL_VERSION_TLS1_2 )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]420 {
421 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Unsupported version of TLS." ) );
422 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION,
423 MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION );
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]424 return ( MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]425 }
426 p += 2;
427
428 /*
XiaokangQianf8ceb942022-04-15 11:43:27 +0000[diff] [blame]429 * Only support TLS 1.3 currently, temporarily set the version.
430 */
XiaokangQiande333912022-04-20 08:49:42 +0000[diff] [blame]431 ssl->tls_version = MBEDTLS_SSL_VERSION_TLS1_3;
XiaokangQianf8ceb942022-04-15 11:43:27 +0000[diff] [blame]432
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]433 /* ---
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]434 * Random random;
435 * ---
436 * with Random defined as:
437 * opaque Random[32];
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]438 */
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]439 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, random bytes",
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]440 p, MBEDTLS_CLIENT_HELLO_RANDOM_LEN );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]441
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]442 memcpy( &ssl->handshake->randbytes[0], p, MBEDTLS_CLIENT_HELLO_RANDOM_LEN );
443 p += MBEDTLS_CLIENT_HELLO_RANDOM_LEN;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]444
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]445 /* ---
446 * opaque legacy_session_id<0..32>;
447 * ---
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]448 */
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]449 legacy_session_id_len = p[0];
XiaokangQianc5763b52022-04-02 03:34:37 +0000[diff] [blame]450 p++;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]451
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]452 if( legacy_session_id_len > sizeof( ssl->session_negotiate->id ) )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]453 {
454 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
455 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
456 }
457
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]458 ssl->session_negotiate->id_len = legacy_session_id_len;
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]459 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, session id",
XiaokangQiane8ff3502022-04-22 02:34:40 +0000[diff] [blame]460 p, legacy_session_id_len );
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]461 /*
462 * Check we have enough data for the legacy session identifier
463 * and the ciphersuite list length.
464 */
465 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, legacy_session_id_len + 2 );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]466
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]467 memcpy( &ssl->session_negotiate->id[0], p, legacy_session_id_len );
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]468 p += legacy_session_id_len;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]469
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]470 cipher_suites_len = MBEDTLS_GET_UINT16_BE( p, 0 );
471 p += 2;
472
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]473 /* Check we have enough data for the ciphersuite list, the legacy
474 * compression methods and the length of the extensions.
475 */
476 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, cipher_suites_len + 2 + 2 );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]477
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]478 /* ---
479 * CipherSuite cipher_suites<2..2^16-2>;
480 * ---
481 * with CipherSuite defined as:
482 * uint8 CipherSuite[2];
483 */
XiaokangQian060d8672022-04-21 09:24:56 +0000[diff] [blame]484 cipher_suites = p;
485 cipher_suites_end = p + cipher_suites_len;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]486 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist",
487 p, cipher_suites_len );
XiaokangQian17f974c2022-04-19 09:57:41 +0000[diff] [blame]488 /*
489 * Search for a matching ciphersuite
490 */
XiaokangQian318dc762022-04-20 09:43:51 +0000[diff] [blame]491 int ciphersuite_match = 0;
XiaokangQian060d8672022-04-21 09:24:56 +0000[diff] [blame]492 for ( ; p < cipher_suites_end; p += 2 )
XiaokangQian17f974c2022-04-19 09:57:41 +0000[diff] [blame]493 {
XiaokangQiane8ff3502022-04-22 02:34:40 +0000[diff] [blame]494 uint16_t cipher_suite;
495 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, cipher_suites_end, 2 );
496 cipher_suite = MBEDTLS_GET_UINT16_BE( p, 0 );
497 ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( cipher_suite );
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]498 /*
XiaokangQiane8ff3502022-04-22 02:34:40 +0000[diff] [blame]499 * Check whether this ciphersuite is valid and offered.
500 */
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]501 if( ( mbedtls_ssl_validate_ciphersuite(
XiaokangQiande333912022-04-20 08:49:42 +0000[diff] [blame]502 ssl, ciphersuite_info, ssl->tls_version,
503 ssl->tls_version ) != 0 ) ||
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]504 !mbedtls_ssl_tls13_cipher_suite_is_offered( ssl, cipher_suite ) )
505 continue;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]506
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]507 ssl->session_negotiate->ciphersuite = cipher_suite;
508 ssl->handshake->ciphersuite_info = ciphersuite_info;
XiaokangQian318dc762022-04-20 09:43:51 +0000[diff] [blame]509 ciphersuite_match = 1;
XiaokangQian17f974c2022-04-19 09:57:41 +0000[diff] [blame]510
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]511 break;
XiaokangQian17f974c2022-04-19 09:57:41 +0000[diff] [blame]512
XiaokangQian17f974c2022-04-19 09:57:41 +0000[diff] [blame]513 }
514
XiaokangQian318dc762022-04-20 09:43:51 +0000[diff] [blame]515 if( !ciphersuite_match )
516 {
XiaokangQian0a1b54e2022-04-21 03:01:38 +0000[diff] [blame]517 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
518 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
519 return ( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
XiaokangQian318dc762022-04-20 09:43:51 +0000[diff] [blame]520 }
XiaokangQian17f974c2022-04-19 09:57:41 +0000[diff] [blame]521
522 MBEDTLS_SSL_DEBUG_MSG( 2, ( "selected ciphersuite: %s",
523 ciphersuite_info->name ) );
524
XiaokangQian060d8672022-04-21 09:24:56 +0000[diff] [blame]525 p = cipher_suites + cipher_suites_len;
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]526 /* ...
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]527 * opaque legacy_compression_methods<1..2^8-1>;
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]528 * ...
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]529 */
XiaokangQian0a1b54e2022-04-21 03:01:38 +0000[diff] [blame]530 if( p[0] != 1 || p[1] != MBEDTLS_SSL_COMPRESS_NULL )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]531 {
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]532 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad legacy compression method" ) );
533 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
534 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
535 return ( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]536 }
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]537 p += 2;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]538
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]539 /* ---
540 * Extension extensions<8..2^16-1>;
541 * ---
542 * with Extension defined as:
543 * struct {
544 * ExtensionType extension_type;
545 * opaque extension_data<0..2^16-1>;
546 * } Extension;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]547 */
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]548 extensions_len = MBEDTLS_GET_UINT16_BE( p, 0 );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]549 p += 2;
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]550 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, extensions_len );
XiaokangQiane8ff3502022-04-22 02:34:40 +0000[diff] [blame]551 extensions_end = p + extensions_len;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]552
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]553 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello extensions", p, extensions_len );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]554
555 while( p < extensions_end )
556 {
557 unsigned int extension_type;
558 size_t extension_data_len;
559 const unsigned char *extension_data_end;
560
XiaokangQian318dc762022-04-20 09:43:51 +0000[diff] [blame]561 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, 4 );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]562 extension_type = MBEDTLS_GET_UINT16_BE( p, 0 );
563 extension_data_len = MBEDTLS_GET_UINT16_BE( p, 2 );
564 p += 4;
565
566 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, extension_data_len );
567 extension_data_end = p + extension_data_len;
568
569 switch( extension_type )
570 {
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]571#if defined(MBEDTLS_ECDH_C)
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]572 case MBEDTLS_TLS_EXT_SUPPORTED_GROUPS:
573 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported group extension" ) );
574
575 /* Supported Groups Extension
576 *
577 * When sent by the client, the "supported_groups" extension
578 * indicates the named groups which the client supports,
579 * ordered from most preferred to least preferred.
580 */
XiaokangQiancfd925f2022-04-14 07:10:37 +0000[diff] [blame]581 ret = ssl_tls13_parse_supported_groups_ext( ssl, p,
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]582 extension_data_end );
583 if( ret != 0 )
584 {
585 MBEDTLS_SSL_DEBUG_RET( 1,
586 "mbedtls_ssl_parse_supported_groups_ext", ret );
587 return( ret );
588 }
589
590 ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_SUPPORTED_GROUPS;
591 break;
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]592#endif /* MBEDTLS_ECDH_C */
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]593
XiaokangQian88408882022-04-02 10:15:03 +0000[diff] [blame]594#if defined(MBEDTLS_ECDH_C)
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]595 case MBEDTLS_TLS_EXT_KEY_SHARE:
596 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found key share extension" ) );
597
598 /*
599 * Key Share Extension
600 *
601 * When sent by the client, the "key_share" extension
602 * contains the endpoint's cryptographic parameters for
603 * ECDHE/DHE key establishment methods.
604 */
605 ret = ssl_tls13_parse_key_shares_ext( ssl, p, extension_data_end );
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]606 if( ret == SSL_TLS1_3_PARSE_KEY_SHARES_EXT_NO_MATCH )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]607 {
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]608 MBEDTLS_SSL_DEBUG_MSG( 2, ( "HRR needed " ) );
609 ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]610 }
611
612 if( ret != 0 )
613 return( ret );
614
615 ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_KEY_SHARE;
616 break;
XiaokangQian88408882022-04-02 10:15:03 +0000[diff] [blame]617#endif /* MBEDTLS_ECDH_C */
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]618
619 case MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS:
620 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported versions extension" ) );
621
622 ret = ssl_tls13_parse_supported_versions_ext(
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]623 ssl, p, extension_data_end );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]624 if( ret != 0 )
625 {
626 MBEDTLS_SSL_DEBUG_RET( 1,
627 ( "ssl_tls13_parse_supported_versions_ext" ), ret );
628 return( ret );
629 }
630 ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_SUPPORTED_VERSIONS;
631 break;
632
633#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
634 case MBEDTLS_TLS_EXT_SIG_ALG:
635 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found signature_algorithms extension" ) );
636
637 ret = mbedtls_ssl_tls13_parse_sig_alg_ext( ssl, p,
638 extension_data_end );
639 if( ret != 0 )
640 {
641 MBEDTLS_SSL_DEBUG_MSG( 1,
642 ( "ssl_parse_supported_signature_algorithms_server_ext ( %d )",
643 ret ) );
644 return( ret );
645 }
646 ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_SIG_ALG;
647 break;
648#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
649
650 default:
651 MBEDTLS_SSL_DEBUG_MSG( 3,
652 ( "unknown extension found: %ud ( ignoring )",
653 extension_type ) );
654 }
655
656 p += extension_data_len;
657 }
658
659 /* Update checksum with either
660 * - The entire content of the CH message, if no PSK extension is present
661 * - The content up to but excluding the PSK extension, if present.
662 */
XiaokangQian3f84d5d2022-04-19 06:36:17 +0000[diff] [blame]663 mbedtls_ssl_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_CLIENT_HELLO,
XiaokangQianc4b8c992022-04-07 11:31:38 +0000[diff] [blame]664 buf, p - buf );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]665
666 /* List all the extensions we have received */
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]667#if defined(MBEDTLS_DEBUG_C)
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]668 ssl_tls13_debug_print_client_hello_exts( ssl );
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]669#endif /* MBEDTLS_DEBUG_C */
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]670
671 /*
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]672 * Here we only support the ephemeral or (EC)DHE key echange mode
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]673 */
674
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]675 if( !ssl_tls13_check_ephemeral_key_exchange( ssl ) )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]676 {
677 MBEDTLS_SSL_DEBUG_MSG(
678 1,
679 ( "ClientHello message misses mandatory extensions." ) );
680 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_MISSING_EXTENSION ,
681 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
682 return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
683 }
684
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]685 return( 0 );
686}
687
XiaokangQiancfd925f2022-04-14 07:10:37 +0000[diff] [blame]688static int ssl_tls13_postprocess_client_hello( mbedtls_ssl_context* ssl )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]689{
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]690 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]691
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]692 ret = mbedtls_ssl_tls13_key_schedule_stage_early( ssl );
693 if( ret != 0 )
694 {
695 MBEDTLS_SSL_DEBUG_RET( 1,
696 "mbedtls_ssl_tls1_3_key_schedule_stage_early", ret );
697 return( ret );
698 }
699
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]700 return( 0 );
701
702}
703
704/*
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]705 * Main entry point from the state machine; orchestrates the otherfunctions.
706 */
707
708static int ssl_tls13_process_client_hello( mbedtls_ssl_context *ssl )
709{
710
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]711 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]712 unsigned char* buf = NULL;
713 size_t buflen = 0;
714 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse client hello" ) );
715
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]716 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_fetch_handshake_msg(
717 ssl, MBEDTLS_SSL_HS_CLIENT_HELLO,
718 &buf, &buflen ) );
719
720 MBEDTLS_SSL_PROC_CHK_NEG( ssl_tls13_parse_client_hello( ssl, buf,
721 buf + buflen ) );
XiaokangQiancfd925f2022-04-14 07:10:37 +0000[diff] [blame]722 MBEDTLS_SSL_PROC_CHK( ssl_tls13_postprocess_client_hello( ssl ) );
XiaokangQiane8ff3502022-04-22 02:34:40 +0000[diff] [blame]723 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_HELLO );
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]724
725cleanup:
726
727 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse client hello" ) );
728 return( ret );
729}
730
731/*
Jerry Yu5b64ae92022-03-30 17:15:02 +0800[diff] [blame]732 * StateHanler: MBEDTLS_SSL_SERVER_HELLO
733 */
Jerry Yuf4b27e42022-03-30 17:32:21 +0800[diff] [blame]734static int ssl_tls13_prepare_server_hello( mbedtls_ssl_context *ssl )
735{
736 int ret = 0;
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]737 unsigned char *server_randbyes =
738 ssl->handshake->randbytes + MBEDTLS_CLIENT_HELLO_RANDOM_LEN;
Jerry Yuf4b27e42022-03-30 17:32:21 +0800[diff] [blame]739 if( ssl->conf->f_rng == NULL )
740 {
741 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no RNG provided" ) );
742 return( MBEDTLS_ERR_SSL_NO_RNG );
743 }
744
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]745 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, server_randbyes,
Jerry Yuf4b27e42022-03-30 17:32:21 +0800[diff] [blame]746 MBEDTLS_SERVER_HELLO_RANDOM_LEN ) ) != 0 )
747 {
748 MBEDTLS_SSL_DEBUG_RET( 1, "f_rng", ret );
749 return( ret );
750 }
751
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]752 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, random bytes", server_randbyes,
Jerry Yuf4b27e42022-03-30 17:32:21 +0800[diff] [blame]753 MBEDTLS_SERVER_HELLO_RANDOM_LEN );
754
755#if defined(MBEDTLS_HAVE_TIME)
756 ssl->session_negotiate->start = time( NULL );
757#endif /* MBEDTLS_HAVE_TIME */
758
759 return( ret );
760}
761
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]762/*
763 * ssl_tls13_write_supported_versions_ext():
764 *
765 * struct {
Jerry Yufb9f54d2022-04-06 10:08:34 +0800[diff] [blame]766 * ProtocolVersion selected_version;
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]767 * } SupportedVersions;
768 */
769static int ssl_tls13_write_supported_versions_ext( mbedtls_ssl_context *ssl,
770 unsigned char *buf,
771 unsigned char *end,
772 size_t *out_len )
773{
774 unsigned char *p = buf;
775
776 *out_len = 0;
777
778 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, write supported versions extension" ) );
779
780 /* Check if we have space to write the extension:
781 * - extension_type (2 bytes)
782 * - extension_data_length (2 bytes)
783 * - versions_length (1 byte )
784 * - versions (2 bytes)
785 */
786 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 7 );
787
788 /* Write extension_type */
789 MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS, p, 0 );
790
791 /* Write extension_data_length */
792 MBEDTLS_PUT_UINT16_BE( 3, p, 2 );
793 p += 4;
794
795 /* Length of versions */
796 *p++ = 0x2;
797
798 /* Write values of supported versions.
799 *
800 * They are defined by the configuration.
801 *
802 * Currently, only one version is advertised.
803 */
804 mbedtls_ssl_write_version( p, ssl->tls_version, ssl->conf->transport );
805
806 MBEDTLS_SSL_DEBUG_MSG( 3, ( "supported version: [%04x]",
807 ssl->tls_version ) );
808
809 *out_len = 7;
810
811 return( 0 );
812}
813
814#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
815
816/* Generate and export a single key share. For hybrid KEMs, this can
817 * be called multiple times with the different components of the hybrid. */
818static int ssl_tls13_key_share_encapsulate( mbedtls_ssl_context *ssl,
819 uint16_t named_group,
820 unsigned char *buf,
821 unsigned char *end,
822 size_t *out_len )
823{
824 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yu89e103c2022-03-30 22:43:29 +0800[diff] [blame]825 ((void) ssl);
826 ((void) named_group);
827 ((void) buf);
828 ((void) end);
829 ((void) out_len);
830#if defined(MBEDTLS_ECDH_C)
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]831 if( mbedtls_ssl_tls13_named_group_is_ecdhe( named_group ) )
832 {
Jerry Yu89e103c2022-03-30 22:43:29 +0800[diff] [blame]833 ret = mbedtls_ssl_tls13_generate_and_write_ecdh_key_exchange(
834 ssl, named_group, buf, end, out_len );
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]835 if( ret != 0 )
836 {
Jerry Yu89e103c2022-03-30 22:43:29 +0800[diff] [blame]837 MBEDTLS_SSL_DEBUG_RET(
838 1, "mbedtls_ssl_tls13_generate_and_write_ecdh_key_exchange",
839 ret );
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]840 return( ret );
841 }
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]842 }
Jerry Yu89e103c2022-03-30 22:43:29 +0800[diff] [blame]843 else
844#endif /* MBEDTLS_ECDH_C */
845 if( 0 /* Other kinds of KEMs */ )
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]846 {
847 }
848 else
849 {
850 ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
851 }
852
853 return( ret );
854}
855
856/*
857 * ssl_tls13_write_key_share_ext
858 *
859 * Structure of key_share extension in ServerHello:
860 *
861 * struct {
862 * NamedGroup group;
863 * opaque key_exchange<1..2^16-1>;
864 * } KeyShareEntry;
865 * struct {
866 * KeyShareEntry server_share;
867 * } KeyShareServerHello;
868 */
869static int ssl_tls13_write_key_share_ext( mbedtls_ssl_context *ssl,
870 unsigned char *buf,
871 unsigned char *end,
872 size_t *out_len )
873{
874 unsigned char *p = buf;
875 unsigned char *start = buf;
876 uint16_t group = ssl->handshake->offered_group_id ;
877 unsigned char *server_share = buf + 4;
878 unsigned char *key_exchange = buf + 6;
879 size_t key_exchange_length;
880 int ret;
881
882 *out_len = 0;
883
884 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding key share extension" ) );
885
886 /* Check if we have space for header and length fields:
887 * - extension_type (2 bytes)
888 * - extension_data_length (2 bytes)
889 * - group (2 bytes)
890 * - key_exchange_length (2 bytes)
891 */
892 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 8 );
893
894 p += 8;
895 /* When we introduce PQC-ECDHE hybrids, we'll want to call this
896 * function multiple times. */
897 ret = ssl_tls13_key_share_encapsulate( ssl, group, key_exchange + 2,
898 end, &key_exchange_length );
899 if( ret != 0 )
900 return( ret );
901 p += key_exchange_length;
902 /* Write length of key_exchange */
903 MBEDTLS_PUT_UINT16_BE( key_exchange_length, key_exchange, 0 );
904
905 *out_len = p - start;
906
907 /* Write group ID */
908 MBEDTLS_PUT_UINT16_BE( group, server_share, 0 );
909
910 /* Write extension header */
911 MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_KEY_SHARE, start, 0 );
912
913 /* Write total extension length */
914 MBEDTLS_PUT_UINT16_BE( p - server_share, start, 2 );
915
916 return( 0 );
917}
918#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
919
920/*
921 * Structure of ServerHello message:
922 *
923 * struct {
924 * ProtocolVersion legacy_version = 0x0303; // TLS v1.2
925 * Random random;
926 * opaque legacy_session_id_echo<0..32>;
927 * CipherSuite cipher_suite;
928 * uint8 legacy_compression_method = 0;
929 * Extension extensions<6..2^16-1>;
930 * } ServerHello;
931 */
932static int ssl_tls13_write_server_hello_body( mbedtls_ssl_context *ssl,
Jerry Yu56404d72022-03-30 17:36:13 +0800[diff] [blame]933 unsigned char *buf,
934 unsigned char *end,
935 size_t *out_len )
936{
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]937 int ret = 0;
938 size_t output_len; /* Length of buffer used by function */
939 unsigned char *server_randbyes =
940 ssl->handshake->randbytes + MBEDTLS_CLIENT_HELLO_RANDOM_LEN;
941
942 /* Buffer management */
943 unsigned char *p = buf;
944 unsigned char *start = buf;
945 unsigned char *extension_start;
946
947 *out_len = 0;
948
949 /*
950 * Write legacy_version
951 * ProtocolVersion legacy_version = 0x0303; // TLS v1.2
952 *
953 * For TLS 1.3 we use the legacy version number {0x03, 0x03}
954 * instead of the true version number.
955 */
956 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 );
957 MBEDTLS_PUT_UINT16_BE( 0x0303, p, 0 );
958 p += 2;
959
960 /* Write the random bytes ( random ).*/
961 MBEDTLS_SSL_CHK_BUF_PTR( p, end, MBEDTLS_SERVER_HELLO_RANDOM_LEN );
962 memcpy( p, server_randbyes, MBEDTLS_SERVER_HELLO_RANDOM_LEN );
963 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, random bytes",
964 p, MBEDTLS_SERVER_HELLO_RANDOM_LEN );
965 p += MBEDTLS_SERVER_HELLO_RANDOM_LEN;
966
967#if defined(MBEDTLS_HAVE_TIME)
968 ssl->session_negotiate->start = time( NULL );
969#endif /* MBEDTLS_HAVE_TIME */
970
971 /*
972 * Write legacy_session_id_echo
973 */
974 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 1 + ssl->session_negotiate->id_len );
975 *p++ = (unsigned char)ssl->session_negotiate->id_len;
976 if( ssl->session_negotiate->id_len > 0 )
977 {
978 memcpy( p, &ssl->session_negotiate->id[0],
979 ssl->session_negotiate->id_len );
980 p += ssl->session_negotiate->id_len;
981 MBEDTLS_SSL_DEBUG_MSG( 3, ( "session id length ( %"
982 MBEDTLS_PRINTF_SIZET " )",
983 ssl->session_negotiate->id_len ) );
984 MBEDTLS_SSL_DEBUG_BUF( 3, "session id", ssl->session_negotiate->id,
985 ssl->session_negotiate->id_len );
986 }
987
988 /*
989 * Write ciphersuite
990 */
991 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 );
992 MBEDTLS_PUT_UINT16_BE( ssl->session_negotiate->ciphersuite, p, 0 );
993 p += 2;
994 MBEDTLS_SSL_DEBUG_MSG( 3,
995 ( "server hello, chosen ciphersuite: %s ( id=%d )",
996 mbedtls_ssl_get_ciphersuite_name(
997 ssl->session_negotiate->ciphersuite ),
998 ssl->session_negotiate->ciphersuite ) );
999
1000 /* write legacy_compression_method = ( 0 ) */
1001 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 1 );
1002 *p++ = 0x0;
1003
1004 /* Extensions */
1005 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 );
1006 extension_start = p;
1007 p += 2;
1008
1009 /* Add supported_version extension */
1010 if( ( ret = ssl_tls13_write_supported_versions_ext(
1011 ssl, p, end, &output_len ) ) != 0 )
1012 {
1013 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_tls13_write_supported_versions_ext",
1014 ret );
1015 return( ret );
1016 }
1017 p += output_len;
1018
1019#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
1020 if( mbedtls_ssl_conf_tls13_some_ephemeral_enabled( ssl ) )
1021 {
1022 ret = ssl_tls13_write_key_share_ext( ssl, p, end, &output_len );
1023 if( ret != 0 )
1024 return( ret );
1025 p += output_len;
1026 }
1027#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
1028
1029 /* Write length information */
1030 MBEDTLS_PUT_UINT16_BE( p - extension_start - 2, extension_start, 0 );
1031
1032 MBEDTLS_SSL_DEBUG_BUF( 4, "server hello extensions", extension_start, p - extension_start );
1033
1034 *out_len = p - start;
1035
1036 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello", start, *out_len );
1037
1038 return( ret );
Jerry Yu56404d72022-03-30 17:36:13 +0800[diff] [blame]1039}
1040
1041
1042static int ssl_tls13_finalize_server_hello( mbedtls_ssl_context *ssl )
1043{
1044 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_ENCRYPTED_EXTENSIONS );
1045 return( 0 );
1046}
1047
Jerry Yu5b64ae92022-03-30 17:15:02 +0800[diff] [blame]1048static int ssl_tls13_write_server_hello( mbedtls_ssl_context *ssl )
1049{
Jerry Yuf4b27e42022-03-30 17:32:21 +0800[diff] [blame]1050 int ret = 0;
1051 unsigned char *buf;
1052 size_t buf_len, msg_len;
1053
1054 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write server hello" ) );
1055
1056 /* Preprocessing */
1057
1058 /* This might lead to ssl_tls13_process_server_hello() being called
1059 * multiple times. The implementation of
1060 * ssl_tls13_process_server_hello_preprocess() must either be safe to be
1061 * called multiple times, or we need to add state to omit this call once
1062 * we're calling ssl_tls13_process_server_hello() multiple times.
1063 */
1064 MBEDTLS_SSL_PROC_CHK( ssl_tls13_prepare_server_hello( ssl ) );
1065
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1066 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_start_handshake_msg( ssl,
Jerry Yuf4b27e42022-03-30 17:32:21 +0800[diff] [blame]1067 MBEDTLS_SSL_HS_SERVER_HELLO, &buf, &buf_len ) );
1068
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1069 MBEDTLS_SSL_PROC_CHK( ssl_tls13_write_server_hello_body( ssl, buf,
1070 buf + buf_len,
Jerry Yuf4b27e42022-03-30 17:32:21 +0800[diff] [blame]1071 &msg_len ) );
1072
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1073 mbedtls_ssl_add_hs_msg_to_checksum(
Jerry Yuf4b27e42022-03-30 17:32:21 +0800[diff] [blame]1074 ssl, MBEDTLS_SSL_HS_SERVER_HELLO, buf, msg_len );
1075
1076 MBEDTLS_SSL_PROC_CHK( ssl_tls13_finalize_server_hello( ssl ) );
1077
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1078 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_finish_handshake_msg(
Jerry Yuf4b27e42022-03-30 17:32:21 +0800[diff] [blame]1079 ssl, buf_len, msg_len ) );
1080cleanup:
1081
1082 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server hello" ) );
1083 return( ret );
Jerry Yu5b64ae92022-03-30 17:15:02 +0800[diff] [blame]1084}
1085
1086/*
XiaokangQiane8ff3502022-04-22 02:34:40 +0000[diff] [blame]1087 * TLS 1.3 State Machine -- server side
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1088 */
Jerry Yu27561932021-08-27 17:07:38 +0800[diff] [blame]1089int mbedtls_ssl_tls13_handshake_server_step( mbedtls_ssl_context *ssl )
Jerry Yub9930e72021-08-06 17:11:51 +0800[diff] [blame]1090{
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]1091 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1092
1093 if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER || ssl->handshake == NULL )
1094 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
1095
Jerry Yue3b34122021-09-28 17:53:35 +0800[diff] [blame]1096 MBEDTLS_SSL_DEBUG_MSG( 2, ( "tls13 server state: %s(%d)",
1097 mbedtls_ssl_states_str( ssl->state ),
1098 ssl->state ) );
Jerry Yu6e81b272021-09-27 11:16:17 +0800[diff] [blame]1099
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1100 switch( ssl->state )
1101 {
1102 /* start state */
1103 case MBEDTLS_SSL_HELLO_REQUEST:
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1104 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_HELLO );
1105
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]1106 ret = 0;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1107 break;
1108
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1109 case MBEDTLS_SSL_CLIENT_HELLO:
1110
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]1111 ret = ssl_tls13_process_client_hello( ssl );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1112 if( ret != 0 )
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]1113 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_tls13_process_client_hello", ret );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1114
1115 break;
1116
Jerry Yu5b64ae92022-03-30 17:15:02 +0800[diff] [blame]1117 case MBEDTLS_SSL_SERVER_HELLO:
1118 ret = ssl_tls13_write_server_hello( ssl );
1119 break;
1120
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1121 default:
1122 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) );
XiaokangQian060d8672022-04-21 09:24:56 +0000[diff] [blame]1123 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1124 }
1125
1126 return( ret );
Jerry Yub9930e72021-08-06 17:11:51 +0800[diff] [blame]1127}
Jerry Yu3cc4c2a2021-08-06 16:29:08 +0800[diff] [blame]1128
Jerry Yufb4b6472022-01-27 15:03:26 +0800[diff] [blame]1129#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_PROTO_TLS1_3 */