TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 46bffe0e821638908f76530e1570376d5d3eb5f1 / . / library / ssl_tls13_server.c
blob: 080415202a35f22eb2450b4d07c1988e9573f18d [file] [log] [blame]
Jerry Yu3cc4c2a2021-08-06 16:29:08 +0800[diff] [blame]1/*
Jerry Yub9930e72021-08-06 17:11:51 +0800[diff] [blame]2 * TLS 1.3 server-side functions
Jerry Yu3cc4c2a2021-08-06 16:29:08 +0800[diff] [blame]3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18*/
19
20#include "common.h"
21
Jerry Yufb4b6472022-01-27 15:03:26 +0800[diff] [blame]22#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
Jerry Yu3cc4c2a2021-08-06 16:29:08 +0800[diff] [blame]23
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]24#include "mbedtls/debug.h"
Xiaofei Baicba64af2022-02-15 10:00:56 +0000[diff] [blame]25#include "mbedtls/error.h"
26#include "mbedtls/platform.h"
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]27#include "mbedtls/constant_time.h"
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]28
Xiaofei Bai9ca09d42022-02-14 12:57:18 +0000[diff] [blame]29#include "ssl_misc.h"
30#include "ssl_tls13_keys.h"
31#include "ssl_debug_helpers.h"
32
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]33#if defined(MBEDTLS_ECP_C)
34#include "mbedtls/ecp.h"
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]35#endif /* MBEDTLS_ECP_C */
Jerry Yu3cc4c2a2021-08-06 16:29:08 +0800[diff] [blame]36
XiaokangQiana9c58412022-02-17 09:41:26 +0000[diff] [blame]37#if defined(MBEDTLS_PLATFORM_C)
38#include "mbedtls/platform.h"
39#else
40#include <stdlib.h>
41#define mbedtls_calloc calloc
42#define mbedtls_free free
43#endif /* MBEDTLS_PLATFORM_C */
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]44
Jerry Yu4d3841a2022-04-16 12:37:19 +0800[diff] [blame]45#include "ssl_misc.h"
46#include "ssl_tls13_keys.h"
47#include "ssl_debug_helpers.h"
48
Jerry Yuf35ba382022-08-23 17:58:26 +0800[diff] [blame]49
Jerry Yuc5a23a02022-08-25 10:51:44 +0800[diff] [blame]50static const mbedtls_ssl_ciphersuite_t *ssl_tls13_validate_peer_ciphersuite(
Jerry Yuf35ba382022-08-23 17:58:26 +0800[diff] [blame]51 mbedtls_ssl_context *ssl,
Jerry Yuc5a23a02022-08-25 10:51:44 +0800[diff] [blame]52 unsigned int cipher_suite )
Jerry Yuf35ba382022-08-23 17:58:26 +0800[diff] [blame]53{
54 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
55 if( ! mbedtls_ssl_tls13_cipher_suite_is_offered( ssl, cipher_suite ) )
56 return( NULL );
57
58 ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( cipher_suite );
59 if( ( mbedtls_ssl_validate_ciphersuite( ssl, ciphersuite_info,
60 ssl->tls_version,
61 ssl->tls_version ) != 0 ) )
62 {
63 return( NULL );
64 }
65 return( ciphersuite_info );
66}
67
Jerry Yue19e3b92022-07-08 12:04:51 +0000[diff] [blame]68#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
69/* From RFC 8446:
70 *
71 * enum { psk_ke(0), psk_dhe_ke(1), (255) } PskKeyExchangeMode;
72 * struct {
73 * PskKeyExchangeMode ke_modes<1..255>;
74 * } PskKeyExchangeModes;
75 */
Jerry Yu6e74a7e2022-07-20 20:49:32 +0800[diff] [blame]76MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yue19e3b92022-07-08 12:04:51 +0000[diff] [blame]77static int ssl_tls13_parse_key_exchange_modes_ext( mbedtls_ssl_context *ssl,
78 const unsigned char *buf,
Jerry Yu299e31f2022-07-13 23:06:36 +0800[diff] [blame]79 const unsigned char *end )
Jerry Yue19e3b92022-07-08 12:04:51 +0000[diff] [blame]80{
Jerry Yu299e31f2022-07-13 23:06:36 +0800[diff] [blame]81 const unsigned char *p = buf;
Jerry Yue19e3b92022-07-08 12:04:51 +0000[diff] [blame]82 size_t ke_modes_len;
83 int ke_modes = 0;
84
Jerry Yu854dd9e2022-07-15 14:28:27 +0800[diff] [blame]85 /* Read ke_modes length (1 Byte) */
Jerry Yu299e31f2022-07-13 23:06:36 +0800[diff] [blame]86 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 1 );
87 ke_modes_len = *p++;
Jerry Yue19e3b92022-07-08 12:04:51 +0000[diff] [blame]88 /* Currently, there are only two PSK modes, so even without looking
89 * at the content, something's wrong if the list has more than 2 items. */
90 if( ke_modes_len > 2 )
Jerry Yu299e31f2022-07-13 23:06:36 +0800[diff] [blame]91 {
92 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
93 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
Jerry Yue19e3b92022-07-08 12:04:51 +0000[diff] [blame]94 return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
Jerry Yu299e31f2022-07-13 23:06:36 +0800[diff] [blame]95 }
Jerry Yue19e3b92022-07-08 12:04:51 +0000[diff] [blame]96
Jerry Yu299e31f2022-07-13 23:06:36 +0800[diff] [blame]97 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, ke_modes_len );
Jerry Yue19e3b92022-07-08 12:04:51 +0000[diff] [blame]98
99 while( ke_modes_len-- != 0 )
100 {
Jerry Yu299e31f2022-07-13 23:06:36 +0800[diff] [blame]101 switch( *p++ )
Jerry Yue19e3b92022-07-08 12:04:51 +0000[diff] [blame]102 {
103 case MBEDTLS_SSL_TLS1_3_PSK_MODE_PURE:
104 ke_modes |= MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK;
105 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Found PSK KEX MODE" ) );
106 break;
107 case MBEDTLS_SSL_TLS1_3_PSK_MODE_ECDHE:
108 ke_modes |= MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL;
109 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Found PSK_EPHEMERAL KEX MODE" ) );
110 break;
111 default:
Jerry Yu299e31f2022-07-13 23:06:36 +0800[diff] [blame]112 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
113 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
Jerry Yue19e3b92022-07-08 12:04:51 +0000[diff] [blame]114 return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
115 }
116 }
117
118 ssl->handshake->tls13_kex_modes = ke_modes;
119 return( 0 );
120}
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]121
Jerry Yue9d4fc02022-08-20 19:21:15 +0800[diff] [blame]122#define SSL_TLS1_3_OFFERED_PSK_NOT_MATCH 1
123#define SSL_TLS1_3_OFFERED_PSK_MATCH 0
Jerry Yu95699e72022-08-21 19:22:23 +0800[diff] [blame]124
125#if defined(MBEDTLS_SSL_SESSION_TICKETS)
126
127MBEDTLS_CHECK_RETURN_CRITICAL
128static int ssl_tls13_offered_psks_check_identity_match_ticket(
129 mbedtls_ssl_context *ssl,
130 mbedtls_ssl_session *session,
131 const unsigned char *identity,
132 size_t identity_len,
133 uint32_t obfuscated_ticket_age )
134{
Jerry Yufd310eb2022-09-06 09:16:35 +0800[diff] [blame]135 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yu95699e72022-08-21 19:22:23 +0800[diff] [blame]136 unsigned char *ticket_buffer;
137
138 ((void) obfuscated_ticket_age);
139
140 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> check_identity_match_ticket" ) );
141
142 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket length: %" MBEDTLS_PRINTF_SIZET
143 ". ticket_parse is %sconfigured. "
144 "ticket_write is %sconfigured.",
145 identity_len,
146 ssl->conf->f_ticket_parse == NULL ? "NOT " : "",
147 ssl->conf->f_ticket_write == NULL ? "NOT " : "" ) );
148
Jerry Yufd310eb2022-09-06 09:16:35 +0800[diff] [blame]149 /* Ticket parser is not configured, Skip */
150 if( ssl->conf->f_ticket_parse == NULL || identity_len == 0 )
Jerry Yu95699e72022-08-21 19:22:23 +0800[diff] [blame]151 return( 0 );
Jerry Yu95699e72022-08-21 19:22:23 +0800[diff] [blame]152
153 /* We create a copy of the encrypted ticket since decrypting
154 * it into the same buffer will wipe-out the original content.
155 * We do, however, need the original buffer for computing the
156 * psk binder value.
157 */
158 ticket_buffer = mbedtls_calloc( 1, identity_len );
159 if( ticket_buffer == NULL )
160 {
161 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
162 return ( MBEDTLS_ERR_SSL_ALLOC_FAILED );
163 }
164 memcpy( ticket_buffer, identity, identity_len );
165
166 if( ( ret = ssl->conf->f_ticket_parse( ssl->conf->p_ticket,
167 session,
168 ticket_buffer, identity_len ) ) != 0 )
169 {
170 if( ret == MBEDTLS_ERR_SSL_INVALID_MAC )
171 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket is not authentic" ) );
172 else if( ret == MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED )
173 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket is expired" ) );
174 else
175 MBEDTLS_SSL_DEBUG_RET( 1, "ticket_parse", ret );
176 }
177
178 /* We delete the temporary buffer */
179 mbedtls_free( ticket_buffer );
180
181 if( ret == 0 )
182 {
183#if defined(MBEDTLS_HAVE_TIME)
184 mbedtls_time_t now;
185 int64_t diff;
186#endif
187 ret = SSL_TLS1_3_OFFERED_PSK_MATCH;
188#if defined(MBEDTLS_HAVE_TIME)
189 now = mbedtls_time( NULL );
190
191 /* Check #1:
192 * Is the time when the ticket was issued later than now?
193 */
194 if( now < session->start )
195 {
196 MBEDTLS_SSL_DEBUG_MSG(
197 3, ( "Ticket expired: now=%" MBEDTLS_PRINTF_LONGLONG
198 ", start=%" MBEDTLS_PRINTF_LONGLONG,
199 (long long)now, (long long)session->start ) );
200 ret = MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED;
201 }
202
203 /* Check #2:
204 * Is the ticket age for the selected PSK identity
205 * (computed by subtracting ticket_age_add from
206 * PskIdentity.obfuscated_ticket_age modulo 2^32 )
207 * within a small tolerance of the time since the
208 * ticket was issued?
209 */
210 diff = ( now - session->start ) -
211 ( obfuscated_ticket_age - session->ticket_age_add );
212
213 if( diff > MBEDTLS_SSL_TLS1_3_TICKET_AGE_TOLERANCE )
214 {
215 MBEDTLS_SSL_DEBUG_MSG( 3,
216 ( "Ticket age outside tolerance window ( diff=%"
217 MBEDTLS_PRINTF_LONGLONG" )",
218 (long long)diff ) );
219 ret = MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED;
220 }
221
222#endif /* MBEDTLS_HAVE_TIME */
223 }
224
225 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= check_identity_match_ticket" ) );
226 return( ret );
227}
228#endif /* MBEDTLS_SSL_SESSION_TICKETS */
229
Jerry Yu6e74a7e2022-07-20 20:49:32 +0800[diff] [blame]230MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]231static int ssl_tls13_offered_psks_check_identity_match(
232 mbedtls_ssl_context *ssl,
233 const unsigned char *identity,
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]234 size_t identity_len,
Jerry Yu95699e72022-08-21 19:22:23 +0800[diff] [blame]235 uint32_t obfuscated_ticket_age,
236 void *session,
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]237 int *psk_type )
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]238{
Jerry Yu95699e72022-08-21 19:22:23 +0800[diff] [blame]239 ((void) session);
240 ((void) obfuscated_ticket_age);
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]241 *psk_type = MBEDTLS_SSL_TLS1_3_PSK_EXTERNAL;
Jerry Yu95699e72022-08-21 19:22:23 +0800[diff] [blame]242
243 MBEDTLS_SSL_DEBUG_BUF( 4, "identity", identity, identity_len );
244 ssl->handshake->resume = 0;
245
246
247
248#if defined(MBEDTLS_SSL_SESSION_TICKETS)
249 if( ssl_tls13_offered_psks_check_identity_match_ticket(
250 ssl, (mbedtls_ssl_session *)session,
251 identity, identity_len,
252 obfuscated_ticket_age ) == SSL_TLS1_3_OFFERED_PSK_MATCH )
253 {
254 mbedtls_ssl_session *i_session=(mbedtls_ssl_session *)session;
255 ssl->handshake->resume = 1;
256 *psk_type = MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION;
257 mbedtls_ssl_set_hs_psk( ssl,
258 i_session->resumption_key,
259 i_session->resumption_key_len );
260
261 MBEDTLS_SSL_DEBUG_BUF( 4, "Ticket-resumed PSK:",
262 i_session->resumption_key,
263 i_session->resumption_key_len );
264 MBEDTLS_SSL_DEBUG_MSG( 4, ( "ticket: obfuscated_ticket_age: %u",
265 (unsigned)obfuscated_ticket_age ) );
266 return( SSL_TLS1_3_OFFERED_PSK_MATCH );
267 }
268#endif /* MBEDTLS_SSL_SESSION_TICKETS */
269
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]270 /* Check identity with external configured function */
271 if( ssl->conf->f_psk != NULL )
272 {
273 if( ssl->conf->f_psk(
274 ssl->conf->p_psk, ssl, identity, identity_len ) == 0 )
275 {
276 return( SSL_TLS1_3_OFFERED_PSK_MATCH );
277 }
278 return( SSL_TLS1_3_OFFERED_PSK_NOT_MATCH );
279 }
280
Jerry Yu96a2e362022-07-21 15:11:34 +0800[diff] [blame]281 MBEDTLS_SSL_DEBUG_BUF( 5, "identity", identity, identity_len );
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]282 /* Check identity with pre-configured psk */
Jerry Yu2f0abc92022-07-22 19:34:48 +0800[diff] [blame]283 if( ssl->conf->psk_identity != NULL &&
284 identity_len == ssl->conf->psk_identity_len &&
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]285 mbedtls_ct_memcmp( ssl->conf->psk_identity,
286 identity, identity_len ) == 0 )
287 {
288 mbedtls_ssl_set_hs_psk( ssl, ssl->conf->psk, ssl->conf->psk_len );
289 return( SSL_TLS1_3_OFFERED_PSK_MATCH );
290 }
291
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]292 return( SSL_TLS1_3_OFFERED_PSK_NOT_MATCH );
293}
294
Jerry Yu6e74a7e2022-07-20 20:49:32 +0800[diff] [blame]295MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yu96a2e362022-07-21 15:11:34 +0800[diff] [blame]296static int ssl_tls13_offered_psks_check_binder_match( mbedtls_ssl_context *ssl,
297 const unsigned char *binder,
Jerry Yue95c8af2022-07-26 15:48:20 +0800[diff] [blame]298 size_t binder_len,
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]299 int psk_type,
Jerry Yu29d9faa2022-08-23 17:52:45 +0800[diff] [blame]300 psa_algorithm_t psk_hash_alg )
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]301{
302 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yu96a2e362022-07-21 15:11:34 +0800[diff] [blame]303
Jerry Yudaf375a2022-07-20 21:31:43 +0800[diff] [blame]304 unsigned char transcript[PSA_HASH_MAX_SIZE];
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]305 size_t transcript_len;
Jerry Yu2f0abc92022-07-22 19:34:48 +0800[diff] [blame]306 unsigned char *psk;
Jerry Yu96a2e362022-07-21 15:11:34 +0800[diff] [blame]307 size_t psk_len;
Jerry Yudaf375a2022-07-20 21:31:43 +0800[diff] [blame]308 unsigned char server_computed_binder[PSA_HASH_MAX_SIZE];
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]309
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]310 /* Get current state of handshake transcript. */
Jerry Yu29d9faa2022-08-23 17:52:45 +0800[diff] [blame]311 ret = mbedtls_ssl_get_handshake_transcript(
312 ssl, mbedtls_hash_info_md_from_psa( psk_hash_alg ),
313 transcript, sizeof( transcript ), &transcript_len );
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]314 if( ret != 0 )
315 return( ret );
316
Jerry Yu40f37712022-07-26 16:58:57 +0800[diff] [blame]317 ret = mbedtls_ssl_tls13_export_handshake_psk( ssl, &psk, &psk_len );
Jerry Yu96a2e362022-07-21 15:11:34 +0800[diff] [blame]318 if( ret != 0 )
319 return( ret );
320
Jerry Yu29d9faa2022-08-23 17:52:45 +0800[diff] [blame]321 ret = mbedtls_ssl_tls13_create_psk_binder( ssl, psk_hash_alg,
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]322 psk, psk_len, psk_type,
323 transcript,
324 server_computed_binder );
Jerry Yu96a2e362022-07-21 15:11:34 +0800[diff] [blame]325#if defined(MBEDTLS_USE_PSA_CRYPTO)
326 mbedtls_free( (void*)psk );
327#endif
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]328 if( ret != 0 )
329 {
330 MBEDTLS_SSL_DEBUG_MSG( 1, ( "PSK binder calculation failed." ) );
331 return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
332 }
333
334 MBEDTLS_SSL_DEBUG_BUF( 3, "psk binder ( computed ): ",
Jerry Yu2f0abc92022-07-22 19:34:48 +0800[diff] [blame]335 server_computed_binder, transcript_len );
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]336 MBEDTLS_SSL_DEBUG_BUF( 3, "psk binder ( received ): ", binder, binder_len );
337
338 if( mbedtls_ct_memcmp( server_computed_binder, binder, binder_len ) == 0 )
339 {
340 return( SSL_TLS1_3_OFFERED_PSK_MATCH );
341 }
342
Jerry Yudaf375a2022-07-20 21:31:43 +0800[diff] [blame]343 mbedtls_platform_zeroize( server_computed_binder,
344 sizeof( server_computed_binder ) );
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]345 return( SSL_TLS1_3_OFFERED_PSK_NOT_MATCH );
346}
Jerry Yu96a2e362022-07-21 15:11:34 +0800[diff] [blame]347
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]348MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yuf35ba382022-08-23 17:58:26 +0800[diff] [blame]349static int ssl_tls13_select_ciphersuite_for_psk(
350 mbedtls_ssl_context *ssl,
351 const unsigned char *cipher_suites,
352 const unsigned char *cipher_suites_end,
353 uint16_t *selected_ciphersuite,
354 const mbedtls_ssl_ciphersuite_t **selected_ciphersuite_info )
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]355{
Jerry Yuf35ba382022-08-23 17:58:26 +0800[diff] [blame]356 psa_algorithm_t psk_hash_alg = PSA_ALG_SHA_256;
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]357
Jerry Yu0baf9072022-08-25 11:21:04 +0800[diff] [blame]358 *selected_ciphersuite = 0;
359 *selected_ciphersuite_info = NULL;
360
Jerry Yuf35ba382022-08-23 17:58:26 +0800[diff] [blame]361 /* RFC 8446, page 55.
362 *
363 * For externally established PSKs, the Hash algorithm MUST be set when the
364 * PSK is established or default to SHA-256 if no such algorithm is defined.
365 *
366 */
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]367
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]368 /*
369 * Search for a matching ciphersuite
370 */
Jerry Yu1e05b6d2022-08-31 10:35:52 +0800[diff] [blame]371 for ( const unsigned char *p = cipher_suites;
372 p < cipher_suites_end; p += 2 )
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]373 {
374 uint16_t cipher_suite;
Jerry Yuf35ba382022-08-23 17:58:26 +0800[diff] [blame]375 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]376
377 cipher_suite = MBEDTLS_GET_UINT16_BE( p, 0 );
Jerry Yuc5a23a02022-08-25 10:51:44 +0800[diff] [blame]378 ciphersuite_info = ssl_tls13_validate_peer_ciphersuite( ssl,
379 cipher_suite );
Jerry Yuf35ba382022-08-23 17:58:26 +0800[diff] [blame]380 if( ciphersuite_info == NULL )
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]381 continue;
382
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]383 /* MAC of selected ciphersuite MUST be same with PSK binder if exist.
384 * Otherwise, client should reject.
385 */
Jerry Yuf35ba382022-08-23 17:58:26 +0800[diff] [blame]386 if( psk_hash_alg == mbedtls_psa_translate_md( ciphersuite_info->mac ) )
387 {
388 *selected_ciphersuite = cipher_suite;
389 *selected_ciphersuite_info = ciphersuite_info;
390 return( 0 );
391 }
392 }
393 MBEDTLS_SSL_DEBUG_MSG( 2, ( "No matched ciphersuite" ) );
394 return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
395}
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]396
Jerry Yu82534862022-08-30 10:42:33 +0800[diff] [blame]397#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Jerry Yuf35ba382022-08-23 17:58:26 +0800[diff] [blame]398MBEDTLS_CHECK_RETURN_CRITICAL
399static int ssl_tls13_select_ciphersuite_for_resumption(
400 mbedtls_ssl_context *ssl,
401 const unsigned char *cipher_suites,
402 const unsigned char *cipher_suites_end,
403 mbedtls_ssl_session *session,
404 uint16_t *selected_ciphersuite,
405 const mbedtls_ssl_ciphersuite_t **selected_ciphersuite_info )
406{
Jerry Yu82534862022-08-30 10:42:33 +0800[diff] [blame]407
Jerry Yuf35ba382022-08-23 17:58:26 +0800[diff] [blame]408 *selected_ciphersuite = 0;
409 *selected_ciphersuite_info = NULL;
Jerry Yu82534862022-08-30 10:42:33 +0800[diff] [blame]410 for( const unsigned char *p = cipher_suites; p < cipher_suites_end; p += 2 )
411 {
412 uint16_t cipher_suite = MBEDTLS_GET_UINT16_BE( p, 0 );
413 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
414
415 if( cipher_suite != session->ciphersuite )
416 continue;
417
418 ciphersuite_info = ssl_tls13_validate_peer_ciphersuite( ssl,
419 cipher_suite );
420 if( ciphersuite_info == NULL )
421 continue;
422
423 *selected_ciphersuite = session->ciphersuite;
424 *selected_ciphersuite_info = ciphersuite_info;
425
426 return( 0 );
427
428 }
429
430 return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]431}
Jerry Yuf35ba382022-08-23 17:58:26 +0800[diff] [blame]432
Jerry Yu82534862022-08-30 10:42:33 +0800[diff] [blame]433MBEDTLS_CHECK_RETURN_CRITICAL
434static int ssl_tls13_session_copy( mbedtls_ssl_session *dst,
435 mbedtls_ssl_session *src )
436{
437 dst->endpoint = src->endpoint;
438 dst->ciphersuite = src->ciphersuite;
439 dst->ticket_age_add = src->ticket_age_add;
440 dst->ticket_flags = src->ticket_flags;
441 dst->resumption_key_len = src->resumption_key_len;
442 if( src->resumption_key_len == 0 )
443 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
444 memcpy( dst->resumption_key, src->resumption_key, src->resumption_key_len );
445#if defined(MBEDTLS_HAVE_TIME)
446 dst->start = src->start;
447#endif
448 return( 0 );
449}
450#endif /* MBEDTLS_SSL_SESSION_TICKETS */
451
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]452/* Parser for pre_shared_key extension in client hello
453 * struct {
454 * opaque identity<1..2^16-1>;
455 * uint32 obfuscated_ticket_age;
456 * } PskIdentity;
457 *
458 * opaque PskBinderEntry<32..255>;
459 *
460 * struct {
461 * PskIdentity identities<7..2^16-1>;
462 * PskBinderEntry binders<33..2^16-1>;
463 * } OfferedPsks;
464 *
465 * struct {
466 * select (Handshake.msg_type) {
467 * case client_hello: OfferedPsks;
468 * ....
469 * };
470 * } PreSharedKeyExtension;
471 */
Jerry Yu6e74a7e2022-07-20 20:49:32 +0800[diff] [blame]472MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yubb852022022-07-20 21:10:44 +0800[diff] [blame]473static int ssl_tls13_parse_pre_shared_key_ext( mbedtls_ssl_context *ssl,
Jerry Yu29d9faa2022-08-23 17:52:45 +0800[diff] [blame]474 const unsigned char *pre_shared_key_ext,
475 const unsigned char *pre_shared_key_ext_end,
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]476 const unsigned char *ciphersuites,
477 const unsigned char *ciphersuites_end )
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]478{
Jerry Yu29d9faa2022-08-23 17:52:45 +0800[diff] [blame]479 const unsigned char *identities = pre_shared_key_ext;
Jerry Yu568ec252022-07-22 21:27:34 +0800[diff] [blame]480 const unsigned char *p_identity_len;
481 size_t identities_len;
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]482 const unsigned char *identities_end;
Jerry Yu568ec252022-07-22 21:27:34 +0800[diff] [blame]483 const unsigned char *binders;
484 const unsigned char *p_binder_len;
485 size_t binders_len;
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]486 const unsigned char *binders_end;
Jerry Yu96a2e362022-07-21 15:11:34 +0800[diff] [blame]487 int matched_identity = -1;
488 int identity_id = -1;
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]489
Jerry Yu29d9faa2022-08-23 17:52:45 +0800[diff] [blame]490 MBEDTLS_SSL_DEBUG_BUF( 3, "pre_shared_key extension",
491 pre_shared_key_ext,
492 pre_shared_key_ext_end - pre_shared_key_ext );
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]493
Jerry Yu96a2e362022-07-21 15:11:34 +0800[diff] [blame]494 /* identities_len 2 bytes
495 * identities_data >= 7 bytes
496 */
Jerry Yu29d9faa2022-08-23 17:52:45 +0800[diff] [blame]497 MBEDTLS_SSL_CHK_BUF_READ_PTR( identities, pre_shared_key_ext_end, 7 + 2 );
Jerry Yu568ec252022-07-22 21:27:34 +0800[diff] [blame]498 identities_len = MBEDTLS_GET_UINT16_BE( identities, 0 );
499 p_identity_len = identities + 2;
Jerry Yu29d9faa2022-08-23 17:52:45 +0800[diff] [blame]500 MBEDTLS_SSL_CHK_BUF_READ_PTR( p_identity_len, pre_shared_key_ext_end,
501 identities_len );
Jerry Yu568ec252022-07-22 21:27:34 +0800[diff] [blame]502 identities_end = p_identity_len + identities_len;
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]503
Jerry Yu96a2e362022-07-21 15:11:34 +0800[diff] [blame]504 /* binders_len 2 bytes
505 * binders >= 33 bytes
506 */
Jerry Yu568ec252022-07-22 21:27:34 +0800[diff] [blame]507 binders = identities_end;
Jerry Yu29d9faa2022-08-23 17:52:45 +0800[diff] [blame]508 MBEDTLS_SSL_CHK_BUF_READ_PTR( binders, pre_shared_key_ext_end, 33 + 2 );
Jerry Yu568ec252022-07-22 21:27:34 +0800[diff] [blame]509 binders_len = MBEDTLS_GET_UINT16_BE( binders, 0 );
510 p_binder_len = binders + 2;
Jerry Yu29d9faa2022-08-23 17:52:45 +0800[diff] [blame]511 MBEDTLS_SSL_CHK_BUF_READ_PTR( p_binder_len, pre_shared_key_ext_end, binders_len );
Jerry Yu568ec252022-07-22 21:27:34 +0800[diff] [blame]512 binders_end = p_binder_len + binders_len;
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]513
Jerry Yu29d9faa2022-08-23 17:52:45 +0800[diff] [blame]514 ssl->handshake->update_checksum( ssl, pre_shared_key_ext,
515 identities_end - pre_shared_key_ext );
Jerry Yu96a2e362022-07-21 15:11:34 +0800[diff] [blame]516
Jerry Yu568ec252022-07-22 21:27:34 +0800[diff] [blame]517 while( p_identity_len < identities_end && p_binder_len < binders_end )
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]518 {
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]519 const unsigned char *identity;
Jerry Yu568ec252022-07-22 21:27:34 +0800[diff] [blame]520 size_t identity_len;
Jerry Yu82534862022-08-30 10:42:33 +0800[diff] [blame]521 uint32_t obfuscated_ticket_age;
Jerry Yu96a2e362022-07-21 15:11:34 +0800[diff] [blame]522 const unsigned char *binder;
Jerry Yu568ec252022-07-22 21:27:34 +0800[diff] [blame]523 size_t binder_len;
Jerry Yu96a2e362022-07-21 15:11:34 +0800[diff] [blame]524 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]525 int psk_type;
526 uint16_t cipher_suite;
Jerry Yu29d9faa2022-08-23 17:52:45 +0800[diff] [blame]527 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
Jerry Yu82534862022-08-30 10:42:33 +0800[diff] [blame]528#if defined(MBEDTLS_SSL_SESSION_TICKETS)
529 mbedtls_ssl_session session;
530 memset( &session, 0, sizeof( session ) );
531#endif
Jerry Yubb852022022-07-20 21:10:44 +0800[diff] [blame]532
Jerry Yu568ec252022-07-22 21:27:34 +0800[diff] [blame]533 MBEDTLS_SSL_CHK_BUF_READ_PTR( p_identity_len, identities_end, 2 + 1 + 4 );
534 identity_len = MBEDTLS_GET_UINT16_BE( p_identity_len, 0 );
535 identity = p_identity_len + 2;
536 MBEDTLS_SSL_CHK_BUF_READ_PTR( identity, identities_end, identity_len + 4 );
Jerry Yu82534862022-08-30 10:42:33 +0800[diff] [blame]537 obfuscated_ticket_age = MBEDTLS_GET_UINT32_BE( identity , identity_len );
Jerry Yu568ec252022-07-22 21:27:34 +0800[diff] [blame]538 p_identity_len += identity_len + 6;
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]539
Jerry Yu568ec252022-07-22 21:27:34 +0800[diff] [blame]540 MBEDTLS_SSL_CHK_BUF_READ_PTR( p_binder_len, binders_end, 1 + 32 );
541 binder_len = *p_binder_len;
542 binder = p_binder_len + 1;
543 MBEDTLS_SSL_CHK_BUF_READ_PTR( binder, binders_end, binder_len );
544 p_binder_len += binder_len + 1;
Jerry Yu96a2e362022-07-21 15:11:34 +0800[diff] [blame]545
Jerry Yu96a2e362022-07-21 15:11:34 +0800[diff] [blame]546 identity_id++;
547 if( matched_identity != -1 )
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]548 continue;
549
Jerry Yu96a2e362022-07-21 15:11:34 +0800[diff] [blame]550 ret = ssl_tls13_offered_psks_check_identity_match(
Jerry Yu82534862022-08-30 10:42:33 +0800[diff] [blame]551 ssl, identity, identity_len, obfuscated_ticket_age,
552 &session, &psk_type );
Jerry Yue95c8af2022-07-26 15:48:20 +0800[diff] [blame]553 if( ret != SSL_TLS1_3_OFFERED_PSK_MATCH )
Jerry Yu96a2e362022-07-21 15:11:34 +0800[diff] [blame]554 continue;
555
Jerry Yuf35ba382022-08-23 17:58:26 +0800[diff] [blame]556 MBEDTLS_SSL_DEBUG_MSG( 4, ( "found matched identity" ) );
Jerry Yu0baf9072022-08-25 11:21:04 +0800[diff] [blame]557 switch( psk_type )
558 {
559 case MBEDTLS_SSL_TLS1_3_PSK_EXTERNAL:
560 ret = ssl_tls13_select_ciphersuite_for_psk(
561 ssl, ciphersuites, ciphersuites_end,
562 &cipher_suite, &ciphersuite_info );
563 break;
564 case MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION:
Jerry Yu82534862022-08-30 10:42:33 +0800[diff] [blame]565#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Jerry Yu0baf9072022-08-25 11:21:04 +0800[diff] [blame]566 ret = ssl_tls13_select_ciphersuite_for_resumption(
Jerry Yu82534862022-08-30 10:42:33 +0800[diff] [blame]567 ssl, ciphersuites, ciphersuites_end, &session,
Jerry Yu0baf9072022-08-25 11:21:04 +0800[diff] [blame]568 &cipher_suite, &ciphersuite_info );
Jerry Yu82534862022-08-30 10:42:33 +0800[diff] [blame]569#else
570 ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
571#endif
Jerry Yu0baf9072022-08-25 11:21:04 +0800[diff] [blame]572 break;
573 default:
574 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
575 }
Jerry Yuf35ba382022-08-23 17:58:26 +0800[diff] [blame]576 if( ret != 0 )
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]577 {
Jerry Yuf35ba382022-08-23 17:58:26 +0800[diff] [blame]578 /* See below, no cipher_suite available, abort handshake */
579 MBEDTLS_SSL_PEND_FATAL_ALERT(
580 MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR,
581 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
582 MBEDTLS_SSL_DEBUG_RET(
Jerry Yu0baf9072022-08-25 11:21:04 +0800[diff] [blame]583 2, "ssl_tls13_select_ciphersuite", ret );
Jerry Yuf35ba382022-08-23 17:58:26 +0800[diff] [blame]584 return( ret );
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]585 }
586
Jerry Yu96a2e362022-07-21 15:11:34 +0800[diff] [blame]587 ret = ssl_tls13_offered_psks_check_binder_match(
Jerry Yu29d9faa2022-08-23 17:52:45 +0800[diff] [blame]588 ssl, binder, binder_len, psk_type,
589 mbedtls_psa_translate_md( ciphersuite_info->mac ) );
Jerry Yue9d4fc02022-08-20 19:21:15 +0800[diff] [blame]590 if( ret != SSL_TLS1_3_OFFERED_PSK_MATCH )
Jerry Yu96a2e362022-07-21 15:11:34 +0800[diff] [blame]591 {
Jerry Yuc5a23a02022-08-25 10:51:44 +0800[diff] [blame]592 /* For security reasons, the handshake should be aborted when we
593 * fail to validate a binder value. See RFC 8446 section 4.2.11.2
594 * and appendix E.6. */
Jerry Yu82534862022-08-30 10:42:33 +0800[diff] [blame]595#if defined(MBEDTLS_SSL_SESSION_TICKETS)
596 mbedtls_ssl_session_free( &session );
597#endif
Jerry Yuc5a23a02022-08-25 10:51:44 +0800[diff] [blame]598 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Invalid binder." ) );
Jerry Yu96a2e362022-07-21 15:11:34 +0800[diff] [blame]599 MBEDTLS_SSL_DEBUG_RET( 1,
600 "ssl_tls13_offered_psks_check_binder_match" , ret );
601 MBEDTLS_SSL_PEND_FATAL_ALERT(
602 MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR,
603 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
604 return( ret );
605 }
Jerry Yu96a2e362022-07-21 15:11:34 +0800[diff] [blame]606
607 matched_identity = identity_id;
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]608
609 /* Update handshake parameters */
Jerry Yue5834fd2022-08-29 20:16:09 +0800[diff] [blame]610 ssl->handshake->ciphersuite_info = ciphersuite_info;
Jerry Yu82534862022-08-30 10:42:33 +0800[diff] [blame]611 if( psk_type == MBEDTLS_SSL_TLS1_3_PSK_EXTERNAL )
612 {
613 ssl->session_negotiate->ciphersuite = cipher_suite;
614 MBEDTLS_SSL_DEBUG_MSG( 2, ( "overwrite ciphersuite: %04x - %s",
615 cipher_suite,
616 ciphersuite_info->name ) );
617 }
618#if defined(MBEDTLS_SSL_SESSION_TICKETS)
619 else
620 if( psk_type == MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION )
621 {
622 ret = ssl_tls13_session_copy(ssl->session_negotiate, &session );
623 mbedtls_ssl_session_free( &session );
624 if( ret != 0 )
625 return( ret );
626 }
627#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]628 }
629
Jerry Yu568ec252022-07-22 21:27:34 +0800[diff] [blame]630 if( p_identity_len != identities_end || p_binder_len != binders_end )
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]631 {
632 MBEDTLS_SSL_DEBUG_MSG( 3, ( "pre_shared_key extesion decode error" ) );
633 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
634 MBEDTLS_ERR_SSL_DECODE_ERROR );
635 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
636 }
637
Jerry Yu6f1db3f2022-07-22 23:05:59 +0800[diff] [blame]638 /* Update the handshake transcript with the binder list. */
639 ssl->handshake->update_checksum( ssl,
640 identities_end,
641 (size_t)( binders_end - identities_end ) );
Jerry Yu96a2e362022-07-21 15:11:34 +0800[diff] [blame]642 if( matched_identity == -1 )
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]643 {
Jerry Yue9d4fc02022-08-20 19:21:15 +0800[diff] [blame]644 MBEDTLS_SSL_DEBUG_MSG( 3, ( "No matched PSK or ticket." ) );
Jerry Yu96a2e362022-07-21 15:11:34 +0800[diff] [blame]645 return( MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY );
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]646 }
647
Jerry Yu96a2e362022-07-21 15:11:34 +0800[diff] [blame]648 ssl->handshake->selected_identity = (uint16_t)matched_identity;
649 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Pre shared key found" ) );
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]650
Jerry Yu96a2e362022-07-21 15:11:34 +0800[diff] [blame]651 return( 0 );
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]652}
Jerry Yu032b15ce2022-07-11 06:10:03 +0000[diff] [blame]653
654/*
655 * struct {
656 * select ( Handshake.msg_type ) {
657 * ....
658 * case server_hello:
659 * uint16 selected_identity;
660 * }
661 * } PreSharedKeyExtension;
662 */
Jerry Yubb852022022-07-20 21:10:44 +0800[diff] [blame]663static int ssl_tls13_write_server_pre_shared_key_ext( mbedtls_ssl_context *ssl,
664 unsigned char *buf,
665 unsigned char *end,
666 size_t *olen )
Jerry Yu032b15ce2022-07-11 06:10:03 +0000[diff] [blame]667{
668 unsigned char *p = (unsigned char*)buf;
Jerry Yu032b15ce2022-07-11 06:10:03 +0000[diff] [blame]669
670 *olen = 0;
671
672#if defined(MBEDTLS_USE_PSA_CRYPTO)
673 if( mbedtls_svc_key_id_is_null( ssl->handshake->psk_opaque ) )
674#else
675 if( ssl->handshake->psk == NULL )
676#endif
677 {
678 /* We shouldn't have called this extension writer unless we've
679 * chosen to use a PSK. */
680 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
681 }
682
683 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding pre_shared_key extension" ) );
684 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 6 );
685
Jerry Yu032b15ce2022-07-11 06:10:03 +0000[diff] [blame]686 MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_PRE_SHARED_KEY, p, 0 );
Jerry Yu032b15ce2022-07-11 06:10:03 +0000[diff] [blame]687 MBEDTLS_PUT_UINT16_BE( 2, p, 2 );
688
Jerry Yu96a2e362022-07-21 15:11:34 +0800[diff] [blame]689 MBEDTLS_PUT_UINT16_BE( ssl->handshake->selected_identity, p, 4 );
Jerry Yu032b15ce2022-07-11 06:10:03 +0000[diff] [blame]690
691 *olen = 6;
692
Jerry Yu96a2e362022-07-21 15:11:34 +0800[diff] [blame]693 MBEDTLS_SSL_DEBUG_MSG( 4, ( "sent selected_identity: %u",
694 ssl->handshake->selected_identity ) );
Jerry Yu032b15ce2022-07-11 06:10:03 +0000[diff] [blame]695
696 return( 0 );
697}
698
Jerry Yue19e3b92022-07-08 12:04:51 +0000[diff] [blame]699#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
700
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]701/* From RFC 8446:
702 * struct {
XiaokangQiancfd925f2022-04-14 07:10:37 +0000[diff] [blame]703 * ProtocolVersion versions<2..254>;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]704 * } SupportedVersions;
705 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]706MBEDTLS_CHECK_RETURN_CRITICAL
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]707static int ssl_tls13_parse_supported_versions_ext( mbedtls_ssl_context *ssl,
708 const unsigned char *buf,
709 const unsigned char *end )
710{
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]711 const unsigned char *p = buf;
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]712 size_t versions_len;
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]713 const unsigned char *versions_end;
XiaokangQian0a1b54e2022-04-21 03:01:38 +0000[diff] [blame]714 uint16_t tls_version;
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]715 int tls13_supported = 0;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]716
717 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 1 );
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]718 versions_len = p[0];
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]719 p += 1;
720
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]721 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, versions_len );
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]722 versions_end = p + versions_len;
723 while( p < versions_end )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]724 {
XiaokangQiancfd925f2022-04-14 07:10:37 +0000[diff] [blame]725 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, versions_end, 2 );
XiaokangQiande333912022-04-20 08:49:42 +0000[diff] [blame]726 tls_version = mbedtls_ssl_read_version( p, ssl->conf->transport );
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]727 p += 2;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]728
729 /* In this implementation we only support TLS 1.3 and DTLS 1.3. */
XiaokangQiande333912022-04-20 08:49:42 +0000[diff] [blame]730 if( tls_version == MBEDTLS_SSL_VERSION_TLS1_3 )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]731 {
732 tls13_supported = 1;
733 break;
734 }
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]735 }
736
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]737 if( !tls13_supported )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]738 {
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]739 MBEDTLS_SSL_DEBUG_MSG( 1, ( "TLS 1.3 is not supported by the client" ) );
740
741 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION,
742 MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION );
743 return( MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION );
744 }
745
XiaokangQiande333912022-04-20 08:49:42 +0000[diff] [blame]746 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Negotiated version. Supported is [%04x]",
XiaokangQian0a1b54e2022-04-21 03:01:38 +0000[diff] [blame]747 (unsigned int)tls_version ) );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]748
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]749 return( 0 );
750}
751
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]752#if defined(MBEDTLS_ECDH_C)
XiaokangQiane8ff3502022-04-22 02:34:40 +0000[diff] [blame]753/*
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]754 *
755 * From RFC 8446:
756 * enum {
757 * ... (0xFFFF)
758 * } NamedGroup;
759 * struct {
760 * NamedGroup named_group_list<2..2^16-1>;
761 * } NamedGroupList;
762 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]763MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yuc1be19f2022-04-23 16:11:39 +0800[diff] [blame]764static int ssl_tls13_parse_supported_groups_ext( mbedtls_ssl_context *ssl,
765 const unsigned char *buf,
766 const unsigned char *end )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]767{
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]768 const unsigned char *p = buf;
XiaokangQian84823772022-04-19 07:57:30 +0000[diff] [blame]769 size_t named_group_list_len;
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]770 const unsigned char *named_group_list_end;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]771
772 MBEDTLS_SSL_DEBUG_BUF( 3, "supported_groups extension", p, end - buf );
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]773 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]774 named_group_list_len = MBEDTLS_GET_UINT16_BE( p, 0 );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]775 p += 2;
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]776 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, named_group_list_len );
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]777 named_group_list_end = p + named_group_list_len;
XiaokangQian4e8cd7b2022-04-21 09:48:09 +0000[diff] [blame]778 ssl->handshake->hrr_selected_group = 0;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]779
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]780 while( p < named_group_list_end )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]781 {
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]782 uint16_t named_group;
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]783 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, named_group_list_end, 2 );
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]784 named_group = MBEDTLS_GET_UINT16_BE( p, 0 );
785 p += 2;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]786
Jerry Yuc1be19f2022-04-23 16:11:39 +0800[diff] [blame]787 MBEDTLS_SSL_DEBUG_MSG( 2,
788 ( "got named group: %s(%04x)",
789 mbedtls_ssl_named_group_to_str( named_group ),
790 named_group ) );
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]791
792 if( ! mbedtls_ssl_named_group_is_offered( ssl, named_group ) ||
793 ! mbedtls_ssl_named_group_is_supported( named_group ) ||
XiaokangQian4e8cd7b2022-04-21 09:48:09 +0000[diff] [blame]794 ssl->handshake->hrr_selected_group != 0 )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]795 {
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]796 continue;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]797 }
798
Jerry Yuc1be19f2022-04-23 16:11:39 +0800[diff] [blame]799 MBEDTLS_SSL_DEBUG_MSG( 2,
800 ( "add named group %s(%04x) into received list.",
801 mbedtls_ssl_named_group_to_str( named_group ),
802 named_group ) );
803
XiaokangQian4e8cd7b2022-04-21 09:48:09 +0000[diff] [blame]804 ssl->handshake->hrr_selected_group = named_group;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]805 }
806
807 return( 0 );
808
809}
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]810#endif /* MBEDTLS_ECDH_C */
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]811
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]812#define SSL_TLS1_3_PARSE_KEY_SHARES_EXT_NO_MATCH 1
813
XiaokangQian88408882022-04-02 10:15:03 +0000[diff] [blame]814#if defined(MBEDTLS_ECDH_C)
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]815/*
816 * ssl_tls13_parse_key_shares_ext() verifies whether the information in the
XiaokangQiane8ff3502022-04-22 02:34:40 +0000[diff] [blame]817 * extension is correct and stores the first acceptable key share and its associated group.
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]818 *
819 * Possible return values are:
820 * - 0: Successful processing of the client provided key share extension.
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]821 * - SSL_TLS1_3_PARSE_KEY_SHARES_EXT_NO_MATCH: The key shares provided by the client
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]822 * does not match a group supported by the server. A HelloRetryRequest will
823 * be needed.
XiaokangQiane8ff3502022-04-22 02:34:40 +0000[diff] [blame]824 * - A negative value for fatal errors.
Jerry Yuc1be19f2022-04-23 16:11:39 +0800[diff] [blame]825 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]826MBEDTLS_CHECK_RETURN_CRITICAL
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]827static int ssl_tls13_parse_key_shares_ext( mbedtls_ssl_context *ssl,
828 const unsigned char *buf,
829 const unsigned char *end )
830{
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]831 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]832 unsigned char const *p = buf;
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]833 unsigned char const *client_shares_end;
Jerry Yuc1be19f2022-04-23 16:11:39 +0800[diff] [blame]834 size_t client_shares_len;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]835
836 /* From RFC 8446:
837 *
838 * struct {
839 * KeyShareEntry client_shares<0..2^16-1>;
840 * } KeyShareClientHello;
841 *
842 */
843
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]844 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]845 client_shares_len = MBEDTLS_GET_UINT16_BE( p, 0 );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]846 p += 2;
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]847 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, client_shares_len );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]848
849 ssl->handshake->offered_group_id = 0;
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]850 client_shares_end = p + client_shares_len;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]851
852 /* We try to find a suitable key share entry and copy it to the
853 * handshake context. Later, we have to find out whether we can do
854 * something with the provided key share or whether we have to
XiaokangQianc5763b52022-04-02 03:34:37 +0000[diff] [blame]855 * dismiss it and send a HelloRetryRequest message.
856 */
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]857
Jerry Yuc1be19f2022-04-23 16:11:39 +0800[diff] [blame]858 while( p < client_shares_end )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]859 {
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000[diff] [blame]860 uint16_t group;
Jerry Yuc1be19f2022-04-23 16:11:39 +0800[diff] [blame]861 size_t key_exchange_len;
Jerry Yu086edc22022-05-05 10:50:38 +0800[diff] [blame]862 const unsigned char *key_exchange;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]863
864 /*
865 * struct {
866 * NamedGroup group;
867 * opaque key_exchange<1..2^16-1>;
868 * } KeyShareEntry;
869 */
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]870 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, client_shares_end, 4 );
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000[diff] [blame]871 group = MBEDTLS_GET_UINT16_BE( p, 0 );
Jerry Yuc1be19f2022-04-23 16:11:39 +0800[diff] [blame]872 key_exchange_len = MBEDTLS_GET_UINT16_BE( p, 2 );
873 p += 4;
Jerry Yu086edc22022-05-05 10:50:38 +0800[diff] [blame]874 key_exchange = p;
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]875 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, client_shares_end, key_exchange_len );
Jerry Yu086edc22022-05-05 10:50:38 +0800[diff] [blame]876 p += key_exchange_len;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]877
878 /* Continue parsing even if we have already found a match,
XiaokangQianc5763b52022-04-02 03:34:37 +0000[diff] [blame]879 * for input validation purposes.
880 */
XiaokangQian060d8672022-04-21 09:24:56 +0000[diff] [blame]881 if( ! mbedtls_ssl_named_group_is_offered( ssl, group ) ||
Jerry Yuc1be19f2022-04-23 16:11:39 +0800[diff] [blame]882 ! mbedtls_ssl_named_group_is_supported( group ) ||
883 ssl->handshake->offered_group_id != 0 )
XiaokangQian060d8672022-04-21 09:24:56 +0000[diff] [blame]884 {
885 continue;
886 }
XiaokangQian060d8672022-04-21 09:24:56 +0000[diff] [blame]887
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]888 /*
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]889 * For now, we only support ECDHE groups.
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]890 */
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000[diff] [blame]891 if( mbedtls_ssl_tls13_named_group_is_ecdhe( group ) )
892 {
Jerry Yuc1be19f2022-04-23 16:11:39 +0800[diff] [blame]893 MBEDTLS_SSL_DEBUG_MSG( 2, ( "ECDH group: %s (%04x)",
894 mbedtls_ssl_named_group_to_str( group ),
895 group ) );
XiaokangQian318dc762022-04-20 09:43:51 +0000[diff] [blame]896 ret = mbedtls_ssl_tls13_read_public_ecdhe_share(
Jerry Yu086edc22022-05-05 10:50:38 +0800[diff] [blame]897 ssl, key_exchange - 2, key_exchange_len + 2 );
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000[diff] [blame]898 if( ret != 0 )
899 return( ret );
XiaokangQian4e8cd7b2022-04-21 09:48:09 +0000[diff] [blame]900
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000[diff] [blame]901 }
902 else
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]903 {
904 MBEDTLS_SSL_DEBUG_MSG( 4, ( "Unrecognized NamedGroup %u",
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000[diff] [blame]905 (unsigned) group ) );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]906 continue;
907 }
908
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000[diff] [blame]909 ssl->handshake->offered_group_id = group;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]910 }
911
Jerry Yuc1be19f2022-04-23 16:11:39 +0800[diff] [blame]912
913 if( ssl->handshake->offered_group_id == 0 )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]914 {
915 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no matching key share" ) );
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]916 return( SSL_TLS1_3_PARSE_KEY_SHARES_EXT_NO_MATCH );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]917 }
918 return( 0 );
919}
XiaokangQian88408882022-04-02 10:15:03 +0000[diff] [blame]920#endif /* MBEDTLS_ECDH_C */
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]921
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]922#if defined(MBEDTLS_DEBUG_C)
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]923static void ssl_tls13_debug_print_client_hello_exts( mbedtls_ssl_context *ssl )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]924{
XiaokangQian3207a322022-02-23 03:15:27 +0000[diff] [blame]925 ((void) ssl);
926
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]927 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Supported Extensions:" ) );
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]928 MBEDTLS_SSL_DEBUG_MSG( 3,
929 ( "- KEY_SHARE_EXTENSION ( %s )",
930 ( ( ssl->handshake->extensions_present
931 & MBEDTLS_SSL_EXT_KEY_SHARE ) > 0 ) ? "TRUE" : "FALSE" ) );
932 MBEDTLS_SSL_DEBUG_MSG( 3,
933 ( "- PSK_KEY_EXCHANGE_MODES_EXTENSION ( %s )",
934 ( ( ssl->handshake->extensions_present
935 & MBEDTLS_SSL_EXT_PSK_KEY_EXCHANGE_MODES ) > 0 ) ?
936 "TRUE" : "FALSE" ) );
937 MBEDTLS_SSL_DEBUG_MSG( 3,
938 ( "- PRE_SHARED_KEY_EXTENSION ( %s )",
939 ( ( ssl->handshake->extensions_present
940 & MBEDTLS_SSL_EXT_PRE_SHARED_KEY ) > 0 ) ? "TRUE" : "FALSE" ) );
941 MBEDTLS_SSL_DEBUG_MSG( 3,
942 ( "- SIGNATURE_ALGORITHM_EXTENSION ( %s )",
943 ( ( ssl->handshake->extensions_present
944 & MBEDTLS_SSL_EXT_SIG_ALG ) > 0 ) ? "TRUE" : "FALSE" ) );
945 MBEDTLS_SSL_DEBUG_MSG( 3,
946 ( "- SUPPORTED_GROUPS_EXTENSION ( %s )",
947 ( ( ssl->handshake->extensions_present
948 & MBEDTLS_SSL_EXT_SUPPORTED_GROUPS ) >0 ) ?
949 "TRUE" : "FALSE" ) );
950 MBEDTLS_SSL_DEBUG_MSG( 3,
951 ( "- SUPPORTED_VERSION_EXTENSION ( %s )",
952 ( ( ssl->handshake->extensions_present
953 & MBEDTLS_SSL_EXT_SUPPORTED_VERSIONS ) > 0 ) ?
954 "TRUE" : "FALSE" ) );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]955#if defined ( MBEDTLS_SSL_SERVER_NAME_INDICATION )
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]956 MBEDTLS_SSL_DEBUG_MSG( 3,
957 ( "- SERVERNAME_EXTENSION ( %s )",
958 ( ( ssl->handshake->extensions_present
959 & MBEDTLS_SSL_EXT_SERVERNAME ) > 0 ) ?
960 "TRUE" : "FALSE" ) );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]961#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
XiaokangQianacb39922022-06-17 10:18:48 +0000[diff] [blame]962#if defined ( MBEDTLS_SSL_ALPN )
963 MBEDTLS_SSL_DEBUG_MSG( 3,
964 ( "- ALPN_EXTENSION ( %s )",
965 ( ( ssl->handshake->extensions_present
966 & MBEDTLS_SSL_EXT_ALPN ) > 0 ) ?
967 "TRUE" : "FALSE" ) );
968#endif /* MBEDTLS_SSL_ALPN */
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]969}
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]970#endif /* MBEDTLS_DEBUG_C */
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]971
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]972MBEDTLS_CHECK_RETURN_CRITICAL
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]973static int ssl_tls13_client_hello_has_exts( mbedtls_ssl_context *ssl,
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]974 int exts_mask )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]975{
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]976 int masked = ssl->handshake->extensions_present & exts_mask;
977 return( masked == exts_mask );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]978}
979
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]980MBEDTLS_CHECK_RETURN_CRITICAL
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]981static int ssl_tls13_client_hello_has_exts_for_ephemeral_key_exchange(
982 mbedtls_ssl_context *ssl )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]983{
Jerry Yu77f01482022-07-11 07:03:24 +0000[diff] [blame]984 return( ssl_tls13_client_hello_has_exts(
985 ssl,
986 MBEDTLS_SSL_EXT_SUPPORTED_GROUPS |
987 MBEDTLS_SSL_EXT_KEY_SHARE |
988 MBEDTLS_SSL_EXT_SIG_ALG ) );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]989}
990
Jerry Yu77f01482022-07-11 07:03:24 +0000[diff] [blame]991#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
992MBEDTLS_CHECK_RETURN_CRITICAL
993static int ssl_tls13_client_hello_has_exts_for_psk_key_exchange(
994 mbedtls_ssl_context *ssl )
995{
996 return( ssl_tls13_client_hello_has_exts(
997 ssl,
998 MBEDTLS_SSL_EXT_PRE_SHARED_KEY |
999 MBEDTLS_SSL_EXT_PSK_KEY_EXCHANGE_MODES ) );
1000}
1001
1002MBEDTLS_CHECK_RETURN_CRITICAL
1003static int ssl_tls13_client_hello_has_exts_for_psk_ephemeral_key_exchange(
1004 mbedtls_ssl_context *ssl )
1005{
1006 return( ssl_tls13_client_hello_has_exts(
1007 ssl,
1008 MBEDTLS_SSL_EXT_SUPPORTED_GROUPS |
1009 MBEDTLS_SSL_EXT_KEY_SHARE |
1010 MBEDTLS_SSL_EXT_PRE_SHARED_KEY |
1011 MBEDTLS_SSL_EXT_PSK_KEY_EXCHANGE_MODES ) );
1012}
1013#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
1014
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1015MBEDTLS_CHECK_RETURN_CRITICAL
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]1016static int ssl_tls13_check_ephemeral_key_exchange( mbedtls_ssl_context *ssl )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1017{
Jerry Yu77f01482022-07-11 07:03:24 +0000[diff] [blame]1018 return( mbedtls_ssl_conf_tls13_ephemeral_enabled( ssl ) &&
1019 ssl_tls13_client_hello_has_exts_for_ephemeral_key_exchange( ssl ) );
1020}
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1021
Jerry Yu77f01482022-07-11 07:03:24 +0000[diff] [blame]1022MBEDTLS_CHECK_RETURN_CRITICAL
1023static int ssl_tls13_check_psk_key_exchange( mbedtls_ssl_context *ssl )
1024{
1025#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
1026 return( mbedtls_ssl_conf_tls13_psk_enabled( ssl ) &&
1027 mbedtls_ssl_tls13_psk_enabled( ssl ) &&
1028 ssl_tls13_client_hello_has_exts_for_psk_key_exchange( ssl ) );
1029#else
1030 ((void) ssl);
1031 return( 0 );
1032#endif
1033}
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1034
Jerry Yu77f01482022-07-11 07:03:24 +0000[diff] [blame]1035MBEDTLS_CHECK_RETURN_CRITICAL
1036static int ssl_tls13_check_psk_ephemeral_key_exchange( mbedtls_ssl_context *ssl )
1037{
1038#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
1039 return( mbedtls_ssl_conf_tls13_psk_ephemeral_enabled( ssl ) &&
1040 mbedtls_ssl_tls13_psk_ephemeral_enabled( ssl ) &&
1041 ssl_tls13_client_hello_has_exts_for_psk_ephemeral_key_exchange( ssl ) );
1042#else
1043 ((void) ssl);
1044 return( 0 );
1045#endif
1046}
1047
1048static int ssl_tls13_determine_key_exchange_mode( mbedtls_ssl_context *ssl )
1049{
1050 /*
1051 * Determine the key exchange algorithm to use.
1052 * There are three types of key exchanges supported in TLS 1.3:
1053 * - (EC)DH with ECDSA,
1054 * - (EC)DH with PSK,
1055 * - plain PSK.
1056 *
1057 * The PSK-based key exchanges may additionally be used with 0-RTT.
1058 *
1059 * Our built-in order of preference is
Jerry Yuce6ed702022-07-22 21:49:53 +0800[diff] [blame]1060 * 1 ) (EC)DHE-PSK Mode ( psk_ephemeral )
1061 * 2 ) Certificate Mode ( ephemeral )
1062 * 3 ) Plain PSK Mode ( psk )
Jerry Yu77f01482022-07-11 07:03:24 +0000[diff] [blame]1063 */
1064
1065 ssl->handshake->key_exchange_mode = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_NONE;
1066
Jerry Yu77f01482022-07-11 07:03:24 +0000[diff] [blame]1067 if( ssl_tls13_check_psk_ephemeral_key_exchange( ssl ) )
1068 {
1069 ssl->handshake->key_exchange_mode =
1070 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL;
1071 MBEDTLS_SSL_DEBUG_MSG( 2, ( "key exchange mode: psk_ephemeral" ) );
1072 }
1073 else
1074 if( ssl_tls13_check_ephemeral_key_exchange( ssl ) )
1075 {
1076 ssl->handshake->key_exchange_mode =
1077 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL;
1078 MBEDTLS_SSL_DEBUG_MSG( 2, ( "key exchange mode: ephemeral" ) );
1079 }
1080 else
Jerry Yuce6ed702022-07-22 21:49:53 +0800[diff] [blame]1081 if( ssl_tls13_check_psk_key_exchange( ssl ) )
1082 {
1083 ssl->handshake->key_exchange_mode =
1084 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK;
1085 MBEDTLS_SSL_DEBUG_MSG( 2, ( "key exchange mode: psk" ) );
1086 }
1087 else
Jerry Yu77f01482022-07-11 07:03:24 +0000[diff] [blame]1088 {
1089 MBEDTLS_SSL_DEBUG_MSG(
1090 1,
1091 ( "ClientHello message misses mandatory extensions." ) );
1092 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_MISSING_EXTENSION ,
1093 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
1094 return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
1095 }
1096
1097 return( 0 );
1098
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1099}
1100
XiaokangQian81802f42022-06-10 13:25:22 +0000[diff] [blame]1101#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
1102 defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
XiaokangQian23c5be62022-06-07 02:04:34 +0000[diff] [blame]1103/*
XiaokangQianfb665a82022-06-15 03:57:21 +0000[diff] [blame]1104 * Pick best ( private key, certificate chain ) pair based on the signature
1105 * algorithms supported by the client.
XiaokangQian23c5be62022-06-07 02:04:34 +0000[diff] [blame]1106 */
Ronald Cronce7d76e2022-07-08 18:56:49 +0200[diff] [blame]1107MBEDTLS_CHECK_RETURN_CRITICAL
XiaokangQian07aad072022-06-14 05:35:09 +0000[diff] [blame]1108static int ssl_tls13_pick_key_cert( mbedtls_ssl_context *ssl )
XiaokangQian23c5be62022-06-07 02:04:34 +0000[diff] [blame]1109{
XiaokangQianfb665a82022-06-15 03:57:21 +0000[diff] [blame]1110 mbedtls_ssl_key_cert *key_cert, *key_cert_list;
XiaokangQian81802f42022-06-10 13:25:22 +0000[diff] [blame]1111 const uint16_t *sig_alg = ssl->handshake->received_sig_algs;
XiaokangQian23c5be62022-06-07 02:04:34 +0000[diff] [blame]1112
1113#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
1114 if( ssl->handshake->sni_key_cert != NULL )
XiaokangQianfb665a82022-06-15 03:57:21 +0000[diff] [blame]1115 key_cert_list = ssl->handshake->sni_key_cert;
XiaokangQian23c5be62022-06-07 02:04:34 +0000[diff] [blame]1116 else
1117#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
XiaokangQianfb665a82022-06-15 03:57:21 +0000[diff] [blame]1118 key_cert_list = ssl->conf->key_cert;
XiaokangQian23c5be62022-06-07 02:04:34 +0000[diff] [blame]1119
XiaokangQianfb665a82022-06-15 03:57:21 +0000[diff] [blame]1120 if( key_cert_list == NULL )
XiaokangQian23c5be62022-06-07 02:04:34 +0000[diff] [blame]1121 {
1122 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server has no certificate" ) );
1123 return( -1 );
1124 }
1125
XiaokangQian81802f42022-06-10 13:25:22 +0000[diff] [blame]1126 for( ; *sig_alg != MBEDTLS_TLS1_3_SIG_NONE; sig_alg++ )
XiaokangQian23c5be62022-06-07 02:04:34 +0000[diff] [blame]1127 {
XiaokangQianfb665a82022-06-15 03:57:21 +0000[diff] [blame]1128 for( key_cert = key_cert_list; key_cert != NULL;
1129 key_cert = key_cert->next )
XiaokangQian23c5be62022-06-07 02:04:34 +0000[diff] [blame]1130 {
XiaokangQianfb665a82022-06-15 03:57:21 +0000[diff] [blame]1131 MBEDTLS_SSL_DEBUG_CRT( 3, "certificate (chain) candidate",
1132 key_cert->cert );
XiaokangQian81802f42022-06-10 13:25:22 +0000[diff] [blame]1133
1134 /*
1135 * This avoids sending the client a cert it'll reject based on
1136 * keyUsage or other extensions.
1137 */
1138 if( mbedtls_x509_crt_check_key_usage(
XiaokangQianfb665a82022-06-15 03:57:21 +0000[diff] [blame]1139 key_cert->cert, MBEDTLS_X509_KU_DIGITAL_SIGNATURE ) != 0 ||
XiaokangQian81802f42022-06-10 13:25:22 +0000[diff] [blame]1140 mbedtls_x509_crt_check_extended_key_usage(
XiaokangQianfb665a82022-06-15 03:57:21 +0000[diff] [blame]1141 key_cert->cert, MBEDTLS_OID_SERVER_AUTH,
1142 MBEDTLS_OID_SIZE( MBEDTLS_OID_SERVER_AUTH ) ) != 0 )
XiaokangQian81802f42022-06-10 13:25:22 +0000[diff] [blame]1143 {
1144 MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate mismatch: "
XiaokangQianfb665a82022-06-15 03:57:21 +0000[diff] [blame]1145 "(extended) key usage extension" ) );
XiaokangQian81802f42022-06-10 13:25:22 +0000[diff] [blame]1146 continue;
1147 }
XiaokangQian23c5be62022-06-07 02:04:34 +0000[diff] [blame]1148
Jerry Yucc539102022-06-27 16:27:35 +0800[diff] [blame]1149 MBEDTLS_SSL_DEBUG_MSG( 3,
1150 ( "ssl_tls13_pick_key_cert:"
1151 "check signature algorithm %s [%04x]",
1152 mbedtls_ssl_sig_alg_to_str( *sig_alg ),
1153 *sig_alg ) );
Jerry Yufb526692022-06-19 11:22:49 +0800[diff] [blame]1154 if( mbedtls_ssl_tls13_check_sig_alg_cert_key_match(
Jerry Yud099cf02022-06-19 13:47:00 +0800[diff] [blame]1155 *sig_alg, &key_cert->cert->pk ) )
XiaokangQian81802f42022-06-10 13:25:22 +0000[diff] [blame]1156 {
XiaokangQianfb665a82022-06-15 03:57:21 +0000[diff] [blame]1157 ssl->handshake->key_cert = key_cert;
Jerry Yucc539102022-06-27 16:27:35 +0800[diff] [blame]1158 MBEDTLS_SSL_DEBUG_MSG( 3,
1159 ( "ssl_tls13_pick_key_cert:"
1160 "selected signature algorithm"
1161 " %s [%04x]",
1162 mbedtls_ssl_sig_alg_to_str( *sig_alg ),
1163 *sig_alg ) );
XiaokangQianfb665a82022-06-15 03:57:21 +0000[diff] [blame]1164 MBEDTLS_SSL_DEBUG_CRT(
XiaokangQian75fe8c72022-06-15 09:42:45 +0000[diff] [blame]1165 3, "selected certificate (chain)",
XiaokangQianfb665a82022-06-15 03:57:21 +0000[diff] [blame]1166 ssl->handshake->key_cert->cert );
XiaokangQian81802f42022-06-10 13:25:22 +0000[diff] [blame]1167 return( 0 );
1168 }
XiaokangQian81802f42022-06-10 13:25:22 +0000[diff] [blame]1169 }
XiaokangQian23c5be62022-06-07 02:04:34 +0000[diff] [blame]1170 }
1171
Jerry Yu9d3e2fa2022-06-27 22:14:01 +0800[diff] [blame]1172 MBEDTLS_SSL_DEBUG_MSG( 2, ( "ssl_tls13_pick_key_cert:"
1173 "no suitable certificate found" ) );
XiaokangQian23c5be62022-06-07 02:04:34 +0000[diff] [blame]1174 return( -1 );
1175}
XiaokangQian81802f42022-06-10 13:25:22 +0000[diff] [blame]1176#endif /* MBEDTLS_X509_CRT_PARSE_C &&
1177 MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
XiaokangQian23c5be62022-06-07 02:04:34 +0000[diff] [blame]1178
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]1179/*
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]1180 *
1181 * STATE HANDLING: ClientHello
1182 *
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]1183 * There are three possible classes of outcomes when parsing the ClientHello:
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]1184 *
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]1185 * 1) The ClientHello was well-formed and matched the server's configuration.
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]1186 *
1187 * In this case, the server progresses to sending its ServerHello.
1188 *
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]1189 * 2) The ClientHello was well-formed but didn't match the server's
1190 * configuration.
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]1191 *
1192 * For example, the client might not have offered a key share which
1193 * the server supports, or the server might require a cookie.
1194 *
1195 * In this case, the server sends a HelloRetryRequest.
1196 *
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]1197 * 3) The ClientHello was ill-formed
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]1198 *
1199 * In this case, we abort the handshake.
1200 *
1201 */
1202
1203/*
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]1204 * Structure of this message:
1205 *
XiaokangQiane8ff3502022-04-22 02:34:40 +0000[diff] [blame]1206 * uint16 ProtocolVersion;
1207 * opaque Random[32];
1208 * uint8 CipherSuite[2]; // Cryptographic suite selector
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]1209 *
XiaokangQiane8ff3502022-04-22 02:34:40 +0000[diff] [blame]1210 * struct {
1211 * ProtocolVersion legacy_version = 0x0303; // TLS v1.2
1212 * Random random;
1213 * opaque legacy_session_id<0..32>;
1214 * CipherSuite cipher_suites<2..2^16-2>;
1215 * opaque legacy_compression_methods<1..2^8-1>;
1216 * Extension extensions<8..2^16-1>;
1217 * } ClientHello;
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]1218 */
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]1219
1220#define SSL_CLIENT_HELLO_OK 0
1221#define SSL_CLIENT_HELLO_HRR_REQUIRED 1
1222
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1223MBEDTLS_CHECK_RETURN_CRITICAL
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]1224static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl,
1225 const unsigned char *buf,
1226 const unsigned char *end )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1227{
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]1228 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1229 const unsigned char *p = buf;
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]1230 size_t legacy_session_id_len;
XiaokangQian318dc762022-04-20 09:43:51 +0000[diff] [blame]1231 size_t cipher_suites_len;
XiaokangQian060d8672022-04-21 09:24:56 +0000[diff] [blame]1232 const unsigned char *cipher_suites_end;
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]1233 size_t extensions_len;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1234 const unsigned char *extensions_end;
Jerry Yu49ca9282022-05-05 11:05:22 +0800[diff] [blame]1235 int hrr_required = 0;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1236
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]1237#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]1238 const unsigned char *cipher_suites;
Jerry Yu29d9faa2022-08-23 17:52:45 +0800[diff] [blame]1239 const unsigned char *pre_shared_key_ext = NULL;
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]1240 const unsigned char *pre_shared_key_ext_end = NULL;
1241#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1242
1243 ssl->handshake->extensions_present = MBEDTLS_SSL_EXT_NONE;
1244
1245 /*
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]1246 * ClientHello layout:
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1247 * 0 . 1 protocol version
XiaokangQiane8ff3502022-04-22 02:34:40 +0000[diff] [blame]1248 * 2 . 33 random bytes
XiaokangQianc5763b52022-04-02 03:34:37 +0000[diff] [blame]1249 * 34 . 34 session id length ( 1 byte )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1250 * 35 . 34+x session id
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1251 * .. . .. ciphersuite list length ( 2 bytes )
1252 * .. . .. ciphersuite list
1253 * .. . .. compression alg. list length ( 1 byte )
1254 * .. . .. compression alg. list
1255 * .. . .. extensions length ( 2 bytes, optional )
1256 * .. . .. extensions ( optional )
1257 */
1258
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]1259 /*
bootstrap-prime6dbbf442022-05-17 19:30:44 -0400[diff] [blame]1260 * Minimal length ( with everything empty and extensions omitted ) is
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1261 * 2 + 32 + 1 + 2 + 1 = 38 bytes. Check that first, so that we can
1262 * read at least up to session id length without worrying.
1263 */
1264 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 38 );
1265
1266 /* ...
1267 * ProtocolVersion legacy_version = 0x0303; // TLS 1.2
1268 * ...
1269 * with ProtocolVersion defined as:
1270 * uint16 ProtocolVersion;
1271 */
XiaokangQiande333912022-04-20 08:49:42 +0000[diff] [blame]1272 if( mbedtls_ssl_read_version( p, ssl->conf->transport ) !=
1273 MBEDTLS_SSL_VERSION_TLS1_2 )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1274 {
1275 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Unsupported version of TLS." ) );
1276 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION,
1277 MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION );
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]1278 return ( MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1279 }
1280 p += 2;
1281
1282 /*
XiaokangQianf8ceb942022-04-15 11:43:27 +0000[diff] [blame]1283 * Only support TLS 1.3 currently, temporarily set the version.
1284 */
XiaokangQiande333912022-04-20 08:49:42 +0000[diff] [blame]1285 ssl->tls_version = MBEDTLS_SSL_VERSION_TLS1_3;
XiaokangQianf8ceb942022-04-15 11:43:27 +0000[diff] [blame]1286
Jerry Yue67bef42022-07-07 07:29:42 +0000[diff] [blame]1287#if defined(MBEDTLS_SSL_SESSION_TICKETS)
1288 /* Store minor version for later use with ticket serialization. */
1289 ssl->session_negotiate->tls_version = MBEDTLS_SSL_VERSION_TLS1_3;
Jerry Yua66fece2022-07-13 14:30:29 +0800[diff] [blame]1290 ssl->session_negotiate->endpoint = ssl->conf->endpoint;
Jerry Yufca4d572022-07-21 10:37:48 +0800[diff] [blame]1291#endif
Jerry Yue67bef42022-07-07 07:29:42 +0000[diff] [blame]1292
Jerry Yuc1be19f2022-04-23 16:11:39 +0800[diff] [blame]1293 /* ...
1294 * Random random;
1295 * ...
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]1296 * with Random defined as:
1297 * opaque Random[32];
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1298 */
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]1299 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, random bytes",
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]1300 p, MBEDTLS_CLIENT_HELLO_RANDOM_LEN );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1301
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]1302 memcpy( &ssl->handshake->randbytes[0], p, MBEDTLS_CLIENT_HELLO_RANDOM_LEN );
1303 p += MBEDTLS_CLIENT_HELLO_RANDOM_LEN;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1304
Jerry Yuc1be19f2022-04-23 16:11:39 +0800[diff] [blame]1305 /* ...
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]1306 * opaque legacy_session_id<0..32>;
Jerry Yuc1be19f2022-04-23 16:11:39 +0800[diff] [blame]1307 * ...
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1308 */
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]1309 legacy_session_id_len = p[0];
XiaokangQianc5763b52022-04-02 03:34:37 +0000[diff] [blame]1310 p++;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1311
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]1312 if( legacy_session_id_len > sizeof( ssl->session_negotiate->id ) )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1313 {
1314 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1315 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
1316 }
1317
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]1318 ssl->session_negotiate->id_len = legacy_session_id_len;
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]1319 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, session id",
XiaokangQiane8ff3502022-04-22 02:34:40 +0000[diff] [blame]1320 p, legacy_session_id_len );
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]1321 /*
1322 * Check we have enough data for the legacy session identifier
Jerry Yue95c8af2022-07-26 15:48:20 +0800[diff] [blame]1323 * and the ciphersuite list length.
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]1324 */
1325 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, legacy_session_id_len + 2 );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1326
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]1327 memcpy( &ssl->session_negotiate->id[0], p, legacy_session_id_len );
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]1328 p += legacy_session_id_len;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1329
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1330 cipher_suites_len = MBEDTLS_GET_UINT16_BE( p, 0 );
1331 p += 2;
1332
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]1333 /* Check we have enough data for the ciphersuite list, the legacy
1334 * compression methods and the length of the extensions.
Jerry Yue95c8af2022-07-26 15:48:20 +0800[diff] [blame]1335 *
1336 * cipher_suites cipher_suites_len bytes
1337 * legacy_compression_methods 2 bytes
1338 * extensions_len 2 bytes
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]1339 */
1340 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, cipher_suites_len + 2 + 2 );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1341
Jerry Yu24b8c812022-08-20 19:06:56 +0800[diff] [blame]1342 /* ...
1343 * CipherSuite cipher_suites<2..2^16-2>;
1344 * ...
1345 * with CipherSuite defined as:
1346 * uint8 CipherSuite[2];
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]1347 */
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]1348#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
XiaokangQian060d8672022-04-21 09:24:56 +0000[diff] [blame]1349 cipher_suites = p;
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]1350#endif
XiaokangQian060d8672022-04-21 09:24:56 +0000[diff] [blame]1351 cipher_suites_end = p + cipher_suites_len;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1352 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist",
1353 p, cipher_suites_len );
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]1354
1355 /*
1356 * Search for a matching ciphersuite
1357 */
XiaokangQian060d8672022-04-21 09:24:56 +0000[diff] [blame]1358 for ( ; p < cipher_suites_end; p += 2 )
XiaokangQian17f974c2022-04-19 09:57:41 +0000[diff] [blame]1359 {
XiaokangQiane8ff3502022-04-22 02:34:40 +0000[diff] [blame]1360 uint16_t cipher_suite;
Jerry Yue95c8af2022-07-26 15:48:20 +0800[diff] [blame]1361 const mbedtls_ssl_ciphersuite_t* ciphersuite_info;
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]1362
XiaokangQiane8ff3502022-04-22 02:34:40 +0000[diff] [blame]1363 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, cipher_suites_end, 2 );
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]1364
XiaokangQiane8ff3502022-04-22 02:34:40 +0000[diff] [blame]1365 cipher_suite = MBEDTLS_GET_UINT16_BE( p, 0 );
Jerry Yuc5a23a02022-08-25 10:51:44 +0800[diff] [blame]1366 ciphersuite_info = ssl_tls13_validate_peer_ciphersuite(
Jerry Yudd1bef72022-08-23 17:57:02 +0800[diff] [blame]1367 ssl,cipher_suite );
1368 if( ciphersuite_info == NULL )
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]1369 continue;
1370
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]1371 ssl->session_negotiate->ciphersuite = cipher_suite;
1372 ssl->handshake->ciphersuite_info = ciphersuite_info;
1373 MBEDTLS_SSL_DEBUG_MSG( 2, ( "selected ciphersuite: %04x - %s",
Jerry Yue95c8af2022-07-26 15:48:20 +0800[diff] [blame]1374 cipher_suite,
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]1375 ciphersuite_info->name ) );
XiaokangQian17f974c2022-04-19 09:57:41 +0000[diff] [blame]1376 }
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]1377
1378 if( ssl->handshake->ciphersuite_info == NULL )
1379 {
1380 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
1381 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
1382 return ( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
1383 }
Jerry Yuc1be19f2022-04-23 16:11:39 +0800[diff] [blame]1384
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]1385 /* ...
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]1386 * opaque legacy_compression_methods<1..2^8-1>;
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]1387 * ...
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1388 */
XiaokangQian0a1b54e2022-04-21 03:01:38 +0000[diff] [blame]1389 if( p[0] != 1 || p[1] != MBEDTLS_SSL_COMPRESS_NULL )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1390 {
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]1391 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad legacy compression method" ) );
1392 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
1393 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
1394 return ( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1395 }
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]1396 p += 2;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1397
Jerry Yuc1be19f2022-04-23 16:11:39 +0800[diff] [blame]1398 /* ...
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]1399 * Extension extensions<8..2^16-1>;
Jerry Yuc1be19f2022-04-23 16:11:39 +0800[diff] [blame]1400 * ...
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]1401 * with Extension defined as:
1402 * struct {
1403 * ExtensionType extension_type;
1404 * opaque extension_data<0..2^16-1>;
1405 * } Extension;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1406 */
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]1407 extensions_len = MBEDTLS_GET_UINT16_BE( p, 0 );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1408 p += 2;
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]1409 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, extensions_len );
XiaokangQiane8ff3502022-04-22 02:34:40 +0000[diff] [blame]1410 extensions_end = p + extensions_len;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1411
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]1412 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello extensions", p, extensions_len );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1413
1414 while( p < extensions_end )
1415 {
1416 unsigned int extension_type;
1417 size_t extension_data_len;
1418 const unsigned char *extension_data_end;
1419
Jerry Yu1c9247c2022-07-21 12:37:39 +0800[diff] [blame]1420 /* RFC 8446, page 57
1421 *
1422 * The "pre_shared_key" extension MUST be the last extension in the
1423 * ClientHello (this facilitates implementation as described below).
1424 * Servers MUST check that it is the last extension and otherwise fail
1425 * the handshake with an "illegal_parameter" alert.
1426 */
1427 if( ssl->handshake->extensions_present & MBEDTLS_SSL_EXT_PRE_SHARED_KEY )
1428 {
1429 MBEDTLS_SSL_DEBUG_MSG(
1430 3, ( "pre_shared_key is not last extension." ) );
1431 MBEDTLS_SSL_PEND_FATAL_ALERT(
1432 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
1433 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
1434 return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
1435 }
1436
XiaokangQian318dc762022-04-20 09:43:51 +0000[diff] [blame]1437 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, 4 );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1438 extension_type = MBEDTLS_GET_UINT16_BE( p, 0 );
1439 extension_data_len = MBEDTLS_GET_UINT16_BE( p, 2 );
1440 p += 4;
1441
1442 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, extension_data_len );
1443 extension_data_end = p + extension_data_len;
1444
1445 switch( extension_type )
1446 {
XiaokangQian40a35232022-05-07 09:02:40 +0000[diff] [blame]1447#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
1448 case MBEDTLS_TLS_EXT_SERVERNAME:
1449 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found ServerName extension" ) );
XiaokangQian9b2b7712022-05-17 02:57:00 +0000[diff] [blame]1450 ret = mbedtls_ssl_parse_server_name_ext( ssl, p,
1451 extension_data_end );
XiaokangQian40a35232022-05-07 09:02:40 +0000[diff] [blame]1452 if( ret != 0 )
1453 {
1454 MBEDTLS_SSL_DEBUG_RET(
1455 1, "mbedtls_ssl_parse_servername_ext", ret );
1456 return( ret );
1457 }
1458 ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_SERVERNAME;
1459 break;
1460#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
1461
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]1462#if defined(MBEDTLS_ECDH_C)
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1463 case MBEDTLS_TLS_EXT_SUPPORTED_GROUPS:
1464 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported group extension" ) );
1465
1466 /* Supported Groups Extension
1467 *
1468 * When sent by the client, the "supported_groups" extension
1469 * indicates the named groups which the client supports,
1470 * ordered from most preferred to least preferred.
1471 */
Jerry Yuc1be19f2022-04-23 16:11:39 +0800[diff] [blame]1472 ret = ssl_tls13_parse_supported_groups_ext(
1473 ssl, p, extension_data_end );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1474 if( ret != 0 )
1475 {
1476 MBEDTLS_SSL_DEBUG_RET( 1,
1477 "mbedtls_ssl_parse_supported_groups_ext", ret );
1478 return( ret );
1479 }
1480
1481 ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_SUPPORTED_GROUPS;
1482 break;
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]1483#endif /* MBEDTLS_ECDH_C */
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1484
XiaokangQian88408882022-04-02 10:15:03 +0000[diff] [blame]1485#if defined(MBEDTLS_ECDH_C)
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1486 case MBEDTLS_TLS_EXT_KEY_SHARE:
1487 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found key share extension" ) );
1488
1489 /*
1490 * Key Share Extension
1491 *
1492 * When sent by the client, the "key_share" extension
1493 * contains the endpoint's cryptographic parameters for
1494 * ECDHE/DHE key establishment methods.
1495 */
Jerry Yuc1be19f2022-04-23 16:11:39 +0800[diff] [blame]1496 ret = ssl_tls13_parse_key_shares_ext(
1497 ssl, p, extension_data_end );
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]1498 if( ret == SSL_TLS1_3_PARSE_KEY_SHARES_EXT_NO_MATCH )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1499 {
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]1500 MBEDTLS_SSL_DEBUG_MSG( 2, ( "HRR needed " ) );
Jerry Yu49ca9282022-05-05 11:05:22 +0800[diff] [blame]1501 hrr_required = 1;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1502 }
1503
Jerry Yu582dd062022-04-22 21:59:01 +0800[diff] [blame]1504 if( ret < 0 )
1505 {
1506 MBEDTLS_SSL_DEBUG_RET(
1507 1, "ssl_tls13_parse_key_shares_ext", ret );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1508 return( ret );
Jerry Yu582dd062022-04-22 21:59:01 +0800[diff] [blame]1509 }
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1510
1511 ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_KEY_SHARE;
1512 break;
XiaokangQian88408882022-04-02 10:15:03 +0000[diff] [blame]1513#endif /* MBEDTLS_ECDH_C */
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1514
1515 case MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS:
1516 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported versions extension" ) );
1517
1518 ret = ssl_tls13_parse_supported_versions_ext(
Jerry Yuc1be19f2022-04-23 16:11:39 +0800[diff] [blame]1519 ssl, p, extension_data_end );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1520 if( ret != 0 )
1521 {
1522 MBEDTLS_SSL_DEBUG_RET( 1,
1523 ( "ssl_tls13_parse_supported_versions_ext" ), ret );
1524 return( ret );
1525 }
1526 ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_SUPPORTED_VERSIONS;
1527 break;
1528
Jerry Yue19e3b92022-07-08 12:04:51 +0000[diff] [blame]1529#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
1530 case MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES:
1531 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found psk key exchange modes extension" ) );
1532
1533 ret = ssl_tls13_parse_key_exchange_modes_ext(
1534 ssl, p, extension_data_end );
1535 if( ret != 0 )
1536 {
1537 MBEDTLS_SSL_DEBUG_RET(
1538 1, "ssl_tls13_parse_key_exchange_modes_ext", ret );
1539 return( ret );
1540 }
1541
1542 ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_PSK_KEY_EXCHANGE_MODES;
1543 break;
1544#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
1545
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]1546 case MBEDTLS_TLS_EXT_PRE_SHARED_KEY:
1547 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found pre_shared_key extension" ) );
Jerry Yu13ab81d2022-07-22 23:17:11 +0800[diff] [blame]1548 if( ( ssl->handshake->extensions_present &
1549 MBEDTLS_SSL_EXT_PSK_KEY_EXCHANGE_MODES ) == 0 )
1550 {
1551 MBEDTLS_SSL_PEND_FATAL_ALERT(
1552 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
1553 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
1554 return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
1555 }
Jerry Yu1c9247c2022-07-21 12:37:39 +0800[diff] [blame]1556#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]1557 /* Delay processing of the PSK identity once we have
1558 * found out which algorithms to use. We keep a pointer
1559 * to the buffer and the size for later processing.
1560 */
Jerry Yu29d9faa2022-08-23 17:52:45 +0800[diff] [blame]1561 pre_shared_key_ext = p;
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]1562 pre_shared_key_ext_end = extension_data_end;
Jerry Yu1c9247c2022-07-21 12:37:39 +0800[diff] [blame]1563#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]1564 ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_PRE_SHARED_KEY;
1565 break;
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]1566
XiaokangQianacb39922022-06-17 10:18:48 +0000[diff] [blame]1567#if defined(MBEDTLS_SSL_ALPN)
1568 case MBEDTLS_TLS_EXT_ALPN:
1569 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found alpn extension" ) );
1570
1571 ret = mbedtls_ssl_parse_alpn_ext( ssl, p, extension_data_end );
1572 if( ret != 0 )
1573 {
1574 MBEDTLS_SSL_DEBUG_RET(
1575 1, ( "mbedtls_ssl_parse_alpn_ext" ), ret );
1576 return( ret );
1577 }
1578 ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_ALPN;
1579 break;
1580#endif /* MBEDTLS_SSL_ALPN */
1581
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1582#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
1583 case MBEDTLS_TLS_EXT_SIG_ALG:
1584 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found signature_algorithms extension" ) );
1585
Gabor Mezei078e8032022-04-27 21:17:56 +0200[diff] [blame]1586 ret = mbedtls_ssl_parse_sig_alg_ext(
Jerry Yuc1be19f2022-04-23 16:11:39 +0800[diff] [blame]1587 ssl, p, extension_data_end );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1588 if( ret != 0 )
1589 {
1590 MBEDTLS_SSL_DEBUG_MSG( 1,
1591 ( "ssl_parse_supported_signature_algorithms_server_ext ( %d )",
1592 ret ) );
1593 return( ret );
1594 }
1595 ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_SIG_ALG;
1596 break;
1597#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
1598
1599 default:
1600 MBEDTLS_SSL_DEBUG_MSG( 3,
1601 ( "unknown extension found: %ud ( ignoring )",
1602 extension_type ) );
1603 }
1604
1605 p += extension_data_len;
1606 }
1607
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]1608#if defined(MBEDTLS_DEBUG_C)
1609 /* List all the extensions we have received */
1610 ssl_tls13_debug_print_client_hello_exts( ssl );
1611#endif /* MBEDTLS_DEBUG_C */
1612
1613 mbedtls_ssl_add_hs_hdr_to_checksum( ssl,
1614 MBEDTLS_SSL_HS_CLIENT_HELLO,
1615 p - buf );
Jerry Yu032b15ce2022-07-11 06:10:03 +0000[diff] [blame]1616
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]1617#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1618 /* Update checksum with either
1619 * - The entire content of the CH message, if no PSK extension is present
1620 * - The content up to but excluding the PSK extension, if present.
1621 */
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]1622 /* If we've settled on a PSK-based exchange, parse PSK identity ext */
Jerry Yuba9b6e92022-07-22 21:35:18 +0800[diff] [blame]1623 if( mbedtls_ssl_tls13_some_psk_enabled( ssl ) &&
Jerry Yu32e13702022-07-29 13:04:08 +0800[diff] [blame]1624 mbedtls_ssl_conf_tls13_some_psk_enabled( ssl ) &&
Jerry Yuba9b6e92022-07-22 21:35:18 +0800[diff] [blame]1625 ( ssl->handshake->extensions_present & MBEDTLS_SSL_EXT_PRE_SHARED_KEY ) )
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]1626 {
1627 ssl->handshake->update_checksum( ssl, buf,
Jerry Yu29d9faa2022-08-23 17:52:45 +0800[diff] [blame]1628 pre_shared_key_ext - buf );
Jerry Yubb852022022-07-20 21:10:44 +0800[diff] [blame]1629 ret = ssl_tls13_parse_pre_shared_key_ext( ssl,
Jerry Yu29d9faa2022-08-23 17:52:45 +0800[diff] [blame]1630 pre_shared_key_ext,
Jerry Yue95c8af2022-07-26 15:48:20 +0800[diff] [blame]1631 pre_shared_key_ext_end,
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]1632 cipher_suites,
1633 cipher_suites_end );
Jerry Yue9d4fc02022-08-20 19:21:15 +0800[diff] [blame]1634 if( ret == MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY )
Jerry Yuba9b6e92022-07-22 21:35:18 +0800[diff] [blame]1635 {
1636 ssl->handshake->extensions_present &= ~MBEDTLS_SSL_EXT_PRE_SHARED_KEY;
Jerry Yu6f1db3f2022-07-22 23:05:59 +0800[diff] [blame]1637 }
1638 else if( ret != 0 )
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]1639 {
Jerry Yubb852022022-07-20 21:10:44 +0800[diff] [blame]1640 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_tls13_parse_pre_shared_key_ext" ),
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]1641 ret );
1642 return( ret );
1643 }
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]1644 }
1645 else
1646#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
1647 {
1648 ssl->handshake->update_checksum( ssl, buf, p - buf );
1649 }
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1650
Jerry Yuba9b6e92022-07-22 21:35:18 +0800[diff] [blame]1651 ret = ssl_tls13_determine_key_exchange_mode( ssl );
1652 if( ret < 0 )
1653 return( ret );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1654
Jerry Yue5834fd2022-08-29 20:16:09 +0800[diff] [blame]1655 mbedtls_ssl_optimize_checksum( ssl, ssl->handshake->ciphersuite_info );
1656
XiaokangQian75fe8c72022-06-15 09:42:45 +0000[diff] [blame]1657 return( hrr_required ? SSL_CLIENT_HELLO_HRR_REQUIRED : SSL_CLIENT_HELLO_OK );
1658}
1659
1660/* Update the handshake state machine */
1661
Ronald Cronce7d76e2022-07-08 18:56:49 +0200[diff] [blame]1662MBEDTLS_CHECK_RETURN_CRITICAL
XiaokangQian75fe8c72022-06-15 09:42:45 +0000[diff] [blame]1663static int ssl_tls13_postprocess_client_hello( mbedtls_ssl_context* ssl )
1664{
1665 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1666
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1667 /*
XiaokangQianfb665a82022-06-15 03:57:21 +0000[diff] [blame]1668 * Server certificate selection
1669 */
1670 if( ssl->conf->f_cert_cb && ( ret = ssl->conf->f_cert_cb( ssl ) ) != 0 )
1671 {
1672 MBEDTLS_SSL_DEBUG_RET( 1, "f_cert_cb", ret );
1673 return( ret );
1674 }
1675#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
1676 ssl->handshake->sni_name = NULL;
1677 ssl->handshake->sni_name_len = 0;
1678#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1679
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1680 ret = mbedtls_ssl_tls13_key_schedule_stage_early( ssl );
1681 if( ret != 0 )
1682 {
1683 MBEDTLS_SSL_DEBUG_RET( 1,
1684 "mbedtls_ssl_tls1_3_key_schedule_stage_early", ret );
1685 return( ret );
1686 }
1687
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1688 return( 0 );
1689
1690}
1691
1692/*
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]1693 * Main entry point from the state machine; orchestrates the otherfunctions.
1694 */
1695
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1696MBEDTLS_CHECK_RETURN_CRITICAL
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]1697static int ssl_tls13_process_client_hello( mbedtls_ssl_context *ssl )
1698{
1699
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]1700 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]1701 unsigned char* buf = NULL;
1702 size_t buflen = 0;
Jerry Yu4ca91402022-05-09 15:50:57 +0800[diff] [blame]1703 int parse_client_hello_ret;
1704
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]1705 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse client hello" ) );
1706
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]1707 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_fetch_handshake_msg(
1708 ssl, MBEDTLS_SSL_HS_CLIENT_HELLO,
1709 &buf, &buflen ) );
1710
1711 MBEDTLS_SSL_PROC_CHK_NEG( ssl_tls13_parse_client_hello( ssl, buf,
1712 buf + buflen ) );
Jerry Yuf41553b2022-05-09 22:20:30 +0800[diff] [blame]1713 parse_client_hello_ret = ret; /* Store return value of parse_client_hello,
1714 * only SSL_CLIENT_HELLO_OK or
1715 * SSL_CLIENT_HELLO_HRR_REQUIRED at this
1716 * stage as negative error codes are handled
1717 * by MBEDTLS_SSL_PROC_CHK_NEG. */
Jerry Yu4ca91402022-05-09 15:50:57 +0800[diff] [blame]1718
XiaokangQiancfd925f2022-04-14 07:10:37 +0000[diff] [blame]1719 MBEDTLS_SSL_PROC_CHK( ssl_tls13_postprocess_client_hello( ssl ) );
Jerry Yu582dd062022-04-22 21:59:01 +0800[diff] [blame]1720
Jerry Yu4ca91402022-05-09 15:50:57 +0800[diff] [blame]1721 if( parse_client_hello_ret == SSL_CLIENT_HELLO_OK )
1722 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_HELLO );
1723 else
1724 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_HELLO_RETRY_REQUEST );
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]1725
1726cleanup:
1727
1728 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse client hello" ) );
1729 return( ret );
1730}
1731
1732/*
Jerry Yu1c3e6882022-04-20 21:23:40 +0800[diff] [blame]1733 * Handler for MBEDTLS_SSL_SERVER_HELLO
Jerry Yu5b64ae92022-03-30 17:15:02 +0800[diff] [blame]1734 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1735MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yuf4b27e42022-03-30 17:32:21 +0800[diff] [blame]1736static int ssl_tls13_prepare_server_hello( mbedtls_ssl_context *ssl )
1737{
Jerry Yu637a3f12022-04-20 21:37:58 +0800[diff] [blame]1738 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1739 unsigned char *server_randbytes =
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1740 ssl->handshake->randbytes + MBEDTLS_CLIENT_HELLO_RANDOM_LEN;
Jerry Yuf4b27e42022-03-30 17:32:21 +0800[diff] [blame]1741 if( ssl->conf->f_rng == NULL )
1742 {
1743 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no RNG provided" ) );
1744 return( MBEDTLS_ERR_SSL_NO_RNG );
1745 }
1746
Jerry Yu637a3f12022-04-20 21:37:58 +0800[diff] [blame]1747 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, server_randbytes,
Jerry Yuf4b27e42022-03-30 17:32:21 +0800[diff] [blame]1748 MBEDTLS_SERVER_HELLO_RANDOM_LEN ) ) != 0 )
1749 {
1750 MBEDTLS_SSL_DEBUG_RET( 1, "f_rng", ret );
1751 return( ret );
1752 }
1753
Jerry Yu637a3f12022-04-20 21:37:58 +0800[diff] [blame]1754 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, random bytes", server_randbytes,
Jerry Yuf4b27e42022-03-30 17:32:21 +0800[diff] [blame]1755 MBEDTLS_SERVER_HELLO_RANDOM_LEN );
1756
1757#if defined(MBEDTLS_HAVE_TIME)
1758 ssl->session_negotiate->start = time( NULL );
1759#endif /* MBEDTLS_HAVE_TIME */
1760
1761 return( ret );
1762}
1763
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1764/*
Jerry Yue74e04a2022-04-21 09:23:16 +0800[diff] [blame]1765 * ssl_tls13_write_server_hello_supported_versions_ext ():
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1766 *
1767 * struct {
Jerry Yufb9f54d2022-04-06 10:08:34 +0800[diff] [blame]1768 * ProtocolVersion selected_version;
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1769 * } SupportedVersions;
1770 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1771MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yue74e04a2022-04-21 09:23:16 +0800[diff] [blame]1772static int ssl_tls13_write_server_hello_supported_versions_ext(
1773 mbedtls_ssl_context *ssl,
1774 unsigned char *buf,
1775 unsigned char *end,
1776 size_t *out_len )
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1777{
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1778 *out_len = 0;
1779
Jerry Yu955ddd72022-04-22 22:27:33 +0800[diff] [blame]1780 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, write selected version" ) );
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1781
1782 /* Check if we have space to write the extension:
1783 * - extension_type (2 bytes)
1784 * - extension_data_length (2 bytes)
Jerry Yu349a6132022-04-14 20:52:56 +0800[diff] [blame]1785 * - selected_version (2 bytes)
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1786 */
Jerry Yu349a6132022-04-14 20:52:56 +0800[diff] [blame]1787 MBEDTLS_SSL_CHK_BUF_PTR( buf, end, 6 );
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1788
Jerry Yu349a6132022-04-14 20:52:56 +0800[diff] [blame]1789 MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS, buf, 0 );
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1790
Jerry Yu349a6132022-04-14 20:52:56 +0800[diff] [blame]1791 MBEDTLS_PUT_UINT16_BE( 2, buf, 2 );
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1792
Jerry Yu349a6132022-04-14 20:52:56 +0800[diff] [blame]1793 mbedtls_ssl_write_version( buf + 4,
1794 ssl->conf->transport,
1795 ssl->tls_version );
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1796
1797 MBEDTLS_SSL_DEBUG_MSG( 3, ( "supported version: [%04x]",
1798 ssl->tls_version ) );
1799
Jerry Yu349a6132022-04-14 20:52:56 +0800[diff] [blame]1800 *out_len = 6;
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1801
1802 return( 0 );
1803}
1804
Jerry Yud9436a12022-04-20 22:28:09 +0800[diff] [blame]1805
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1806
1807/* Generate and export a single key share. For hybrid KEMs, this can
1808 * be called multiple times with the different components of the hybrid. */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1809MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yu955ddd72022-04-22 22:27:33 +0800[diff] [blame]1810static int ssl_tls13_generate_and_write_key_share( mbedtls_ssl_context *ssl,
1811 uint16_t named_group,
1812 unsigned char *buf,
1813 unsigned char *end,
1814 size_t *out_len )
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1815{
1816 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yu955ddd72022-04-22 22:27:33 +0800[diff] [blame]1817
1818 *out_len = 0;
1819
Jerry Yu89e103c2022-03-30 22:43:29 +0800[diff] [blame]1820#if defined(MBEDTLS_ECDH_C)
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1821 if( mbedtls_ssl_tls13_named_group_is_ecdhe( named_group ) )
1822 {
Jerry Yu89e103c2022-03-30 22:43:29 +0800[diff] [blame]1823 ret = mbedtls_ssl_tls13_generate_and_write_ecdh_key_exchange(
1824 ssl, named_group, buf, end, out_len );
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1825 if( ret != 0 )
1826 {
Jerry Yu89e103c2022-03-30 22:43:29 +0800[diff] [blame]1827 MBEDTLS_SSL_DEBUG_RET(
1828 1, "mbedtls_ssl_tls13_generate_and_write_ecdh_key_exchange",
1829 ret );
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1830 return( ret );
1831 }
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1832 }
Jerry Yu89e103c2022-03-30 22:43:29 +0800[diff] [blame]1833 else
1834#endif /* MBEDTLS_ECDH_C */
1835 if( 0 /* Other kinds of KEMs */ )
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1836 {
1837 }
1838 else
1839 {
Jerry Yu955ddd72022-04-22 22:27:33 +0800[diff] [blame]1840 ((void) ssl);
1841 ((void) named_group);
1842 ((void) buf);
1843 ((void) end);
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1844 ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
1845 }
1846
1847 return( ret );
1848}
1849
1850/*
1851 * ssl_tls13_write_key_share_ext
1852 *
1853 * Structure of key_share extension in ServerHello:
1854 *
Jerry Yu1c3e6882022-04-20 21:23:40 +0800[diff] [blame]1855 * struct {
1856 * NamedGroup group;
1857 * opaque key_exchange<1..2^16-1>;
1858 * } KeyShareEntry;
1859 * struct {
1860 * KeyShareEntry server_share;
1861 * } KeyShareServerHello;
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1862 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1863MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1864static int ssl_tls13_write_key_share_ext( mbedtls_ssl_context *ssl,
1865 unsigned char *buf,
1866 unsigned char *end,
1867 size_t *out_len )
1868{
Jerry Yu955ddd72022-04-22 22:27:33 +0800[diff] [blame]1869 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1870 unsigned char *p = buf;
Jerry Yu57d48412022-04-20 21:50:42 +0800[diff] [blame]1871 uint16_t group = ssl->handshake->offered_group_id;
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1872 unsigned char *server_share = buf + 4;
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1873 size_t key_exchange_length;
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1874
1875 *out_len = 0;
1876
1877 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding key share extension" ) );
1878
1879 /* Check if we have space for header and length fields:
1880 * - extension_type (2 bytes)
1881 * - extension_data_length (2 bytes)
1882 * - group (2 bytes)
1883 * - key_exchange_length (2 bytes)
1884 */
1885 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 8 );
Jerry Yu57d48412022-04-20 21:50:42 +0800[diff] [blame]1886 MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_KEY_SHARE, p, 0 );
1887 MBEDTLS_PUT_UINT16_BE( group, server_share, 0 );
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1888 p += 8;
Jerry Yu57d48412022-04-20 21:50:42 +0800[diff] [blame]1889
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1890 /* When we introduce PQC-ECDHE hybrids, we'll want to call this
1891 * function multiple times. */
Jerry Yu955ddd72022-04-22 22:27:33 +0800[diff] [blame]1892 ret = ssl_tls13_generate_and_write_key_share(
Jerry Yue65d8012022-04-23 10:34:35 +0800[diff] [blame]1893 ssl, group, server_share + 4, end, &key_exchange_length );
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1894 if( ret != 0 )
1895 return( ret );
1896 p += key_exchange_length;
Jerry Yuc1be19f2022-04-23 16:11:39 +0800[diff] [blame]1897
Jerry Yu955ddd72022-04-22 22:27:33 +0800[diff] [blame]1898 MBEDTLS_PUT_UINT16_BE( key_exchange_length, server_share + 2, 0 );
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1899
Jerry Yu57d48412022-04-20 21:50:42 +0800[diff] [blame]1900 MBEDTLS_PUT_UINT16_BE( p - server_share, buf, 2 );
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1901
Jerry Yu57d48412022-04-20 21:50:42 +0800[diff] [blame]1902 *out_len = p - buf;
Jerry Yu955ddd72022-04-22 22:27:33 +0800[diff] [blame]1903
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1904 return( 0 );
1905}
Jerry Yud9436a12022-04-20 22:28:09 +0800[diff] [blame]1906
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1907MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yu23f7a6f2022-04-23 15:16:45 +0800[diff] [blame]1908static int ssl_tls13_write_hrr_key_share_ext( mbedtls_ssl_context *ssl,
1909 unsigned char *buf,
1910 unsigned char *end,
1911 size_t *out_len )
1912{
1913 uint16_t selected_group = ssl->handshake->hrr_selected_group;
1914 /* key_share Extension
1915 *
1916 * struct {
1917 * select (Handshake.msg_type) {
1918 * ...
1919 * case hello_retry_request:
1920 * NamedGroup selected_group;
1921 * ...
1922 * };
1923 * } KeyShare;
1924 */
1925
1926 *out_len = 0;
1927
Jerry Yub0ac10b2022-05-05 11:10:08 +0800[diff] [blame]1928 /*
1929 * For a pure PSK key exchange, there is no group to agree upon. The purpose
1930 * of the HRR is then to transmit a cookie to force the client to demonstrate
1931 * reachability at their apparent network address (primarily useful for DTLS).
1932 */
Ronald Cron79907712022-07-20 17:05:29 +0200[diff] [blame]1933 if( ! mbedtls_ssl_tls13_key_exchange_mode_with_ephemeral( ssl ) )
Jerry Yu23f7a6f2022-04-23 15:16:45 +0800[diff] [blame]1934 return( 0 );
1935
1936 /* We should only send the key_share extension if the client's initial
1937 * key share was not acceptable. */
1938 if( ssl->handshake->offered_group_id != 0 )
1939 {
1940 MBEDTLS_SSL_DEBUG_MSG( 4, ( "Skip key_share extension in HRR" ) );
1941 return( 0 );
1942 }
1943
1944 if( selected_group == 0 )
1945 {
1946 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no matching named group found" ) );
1947 return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
1948 }
1949
Jerry Yub0ac10b2022-05-05 11:10:08 +0800[diff] [blame]1950 /* Check if we have enough space:
1951 * - extension_type (2 bytes)
1952 * - extension_data_length (2 bytes)
1953 * - selected_group (2 bytes)
1954 */
Ronald Cron154d1b62022-06-01 15:33:26 +0200[diff] [blame]1955 MBEDTLS_SSL_CHK_BUF_PTR( buf, end, 6 );
Jerry Yu23f7a6f2022-04-23 15:16:45 +0800[diff] [blame]1956
Jerry Yu23f7a6f2022-04-23 15:16:45 +0800[diff] [blame]1957 MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_KEY_SHARE, buf, 0 );
Jerry Yu23f7a6f2022-04-23 15:16:45 +0800[diff] [blame]1958 MBEDTLS_PUT_UINT16_BE( 2, buf, 2 );
Jerry Yu23f7a6f2022-04-23 15:16:45 +0800[diff] [blame]1959 MBEDTLS_PUT_UINT16_BE( selected_group, buf, 4 );
1960
1961 MBEDTLS_SSL_DEBUG_MSG( 3,
1962 ( "HRR selected_group: %s (%x)",
1963 mbedtls_ssl_named_group_to_str( selected_group ),
1964 selected_group ) );
1965
1966 *out_len = 6;
Jerry Yu23f7a6f2022-04-23 15:16:45 +0800[diff] [blame]1967
Jerry Yub0ac10b2022-05-05 11:10:08 +0800[diff] [blame]1968 return( 0 );
Jerry Yu23f7a6f2022-04-23 15:16:45 +0800[diff] [blame]1969}
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1970
1971/*
1972 * Structure of ServerHello message:
1973 *
1974 * struct {
1975 * ProtocolVersion legacy_version = 0x0303; // TLS v1.2
1976 * Random random;
1977 * opaque legacy_session_id_echo<0..32>;
1978 * CipherSuite cipher_suite;
1979 * uint8 legacy_compression_method = 0;
1980 * Extension extensions<6..2^16-1>;
1981 * } ServerHello;
1982 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1983MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1984static int ssl_tls13_write_server_hello_body( mbedtls_ssl_context *ssl,
Jerry Yu56404d72022-03-30 17:36:13 +0800[diff] [blame]1985 unsigned char *buf,
1986 unsigned char *end,
Jerry Yu23f7a6f2022-04-23 15:16:45 +0800[diff] [blame]1987 size_t *out_len,
1988 int is_hrr )
Jerry Yu56404d72022-03-30 17:36:13 +0800[diff] [blame]1989{
Jerry Yu955ddd72022-04-22 22:27:33 +0800[diff] [blame]1990 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1991 unsigned char *p = buf;
Jerry Yud9436a12022-04-20 22:28:09 +0800[diff] [blame]1992 unsigned char *p_extensions_len;
Jerry Yufbe3e642022-04-25 19:31:51 +0800[diff] [blame]1993 size_t output_len;
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1994
1995 *out_len = 0;
1996
Jerry Yucfc04b32022-04-21 09:31:58 +0800[diff] [blame]1997 /* ...
1998 * ProtocolVersion legacy_version = 0x0303; // TLS 1.2
1999 * ...
2000 * with ProtocolVersion defined as:
2001 * uint16 ProtocolVersion;
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]2002 */
2003 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 );
2004 MBEDTLS_PUT_UINT16_BE( 0x0303, p, 0 );
2005 p += 2;
2006
Jerry Yu1c3e6882022-04-20 21:23:40 +0800[diff] [blame]2007 /* ...
2008 * Random random;
2009 * ...
Jerry Yucfc04b32022-04-21 09:31:58 +0800[diff] [blame]2010 * with Random defined as:
2011 * opaque Random[MBEDTLS_SERVER_HELLO_RANDOM_LEN];
Jerry Yu1c3e6882022-04-20 21:23:40 +0800[diff] [blame]2012 */
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]2013 MBEDTLS_SSL_CHK_BUF_PTR( p, end, MBEDTLS_SERVER_HELLO_RANDOM_LEN );
Jerry Yu23f7a6f2022-04-23 15:16:45 +0800[diff] [blame]2014 if( is_hrr )
2015 {
2016 memcpy( p, mbedtls_ssl_tls13_hello_retry_request_magic,
Jerry Yufbe3e642022-04-25 19:31:51 +0800[diff] [blame]2017 MBEDTLS_SERVER_HELLO_RANDOM_LEN );
Jerry Yu23f7a6f2022-04-23 15:16:45 +0800[diff] [blame]2018 }
2019 else
2020 {
2021 memcpy( p, &ssl->handshake->randbytes[MBEDTLS_CLIENT_HELLO_RANDOM_LEN],
Jerry Yufbe3e642022-04-25 19:31:51 +0800[diff] [blame]2022 MBEDTLS_SERVER_HELLO_RANDOM_LEN );
Jerry Yu23f7a6f2022-04-23 15:16:45 +0800[diff] [blame]2023 }
Jerry Yu955ddd72022-04-22 22:27:33 +0800[diff] [blame]2024 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, random bytes",
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]2025 p, MBEDTLS_SERVER_HELLO_RANDOM_LEN );
2026 p += MBEDTLS_SERVER_HELLO_RANDOM_LEN;
2027
Jerry Yucfc04b32022-04-21 09:31:58 +0800[diff] [blame]2028 /* ...
2029 * opaque legacy_session_id_echo<0..32>;
2030 * ...
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]2031 */
2032 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 1 + ssl->session_negotiate->id_len );
2033 *p++ = (unsigned char)ssl->session_negotiate->id_len;
2034 if( ssl->session_negotiate->id_len > 0 )
2035 {
2036 memcpy( p, &ssl->session_negotiate->id[0],
2037 ssl->session_negotiate->id_len );
2038 p += ssl->session_negotiate->id_len;
Jerry Yu955ddd72022-04-22 22:27:33 +0800[diff] [blame]2039
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]2040 MBEDTLS_SSL_DEBUG_BUF( 3, "session id", ssl->session_negotiate->id,
2041 ssl->session_negotiate->id_len );
2042 }
2043
Jerry Yucfc04b32022-04-21 09:31:58 +0800[diff] [blame]2044 /* ...
2045 * CipherSuite cipher_suite;
2046 * ...
2047 * with CipherSuite defined as:
2048 * uint8 CipherSuite[2];
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]2049 */
2050 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 );
2051 MBEDTLS_PUT_UINT16_BE( ssl->session_negotiate->ciphersuite, p, 0 );
2052 p += 2;
2053 MBEDTLS_SSL_DEBUG_MSG( 3,
2054 ( "server hello, chosen ciphersuite: %s ( id=%d )",
2055 mbedtls_ssl_get_ciphersuite_name(
2056 ssl->session_negotiate->ciphersuite ),
2057 ssl->session_negotiate->ciphersuite ) );
2058
Jerry Yucfc04b32022-04-21 09:31:58 +0800[diff] [blame]2059 /* ...
2060 * uint8 legacy_compression_method = 0;
2061 * ...
2062 */
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]2063 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 1 );
Thomas Daubney31e03a82022-07-25 15:59:25 +0100[diff] [blame]2064 *p++ = MBEDTLS_SSL_COMPRESS_NULL;
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]2065
Jerry Yucfc04b32022-04-21 09:31:58 +0800[diff] [blame]2066 /* ...
2067 * Extension extensions<6..2^16-1>;
2068 * ...
2069 * struct {
2070 * ExtensionType extension_type; (2 bytes)
2071 * opaque extension_data<0..2^16-1>;
2072 * } Extension;
2073 */
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]2074 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 );
Jerry Yud9436a12022-04-20 22:28:09 +0800[diff] [blame]2075 p_extensions_len = p;
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]2076 p += 2;
2077
Jerry Yue74e04a2022-04-21 09:23:16 +0800[diff] [blame]2078 if( ( ret = ssl_tls13_write_server_hello_supported_versions_ext(
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]2079 ssl, p, end, &output_len ) ) != 0 )
2080 {
Jerry Yu955ddd72022-04-22 22:27:33 +0800[diff] [blame]2081 MBEDTLS_SSL_DEBUG_RET(
2082 1, "ssl_tls13_write_server_hello_supported_versions_ext", ret );
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]2083 return( ret );
2084 }
2085 p += output_len;
2086
Jerry Yu56acc942022-07-30 23:02:36 +0800[diff] [blame]2087 if( mbedtls_ssl_tls13_key_exchange_mode_with_ephemeral( ssl ) )
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]2088 {
Jerry Yu23f7a6f2022-04-23 15:16:45 +0800[diff] [blame]2089 if( is_hrr )
2090 ret = ssl_tls13_write_hrr_key_share_ext( ssl, p, end, &output_len );
2091 else
2092 ret = ssl_tls13_write_key_share_ext( ssl, p, end, &output_len );
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]2093 if( ret != 0 )
2094 return( ret );
2095 p += output_len;
2096 }
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]2097
Jerry Yu032b15ce2022-07-11 06:10:03 +0000[diff] [blame]2098#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
Jerry Yu96a2e362022-07-21 15:11:34 +0800[diff] [blame]2099 if( mbedtls_ssl_tls13_key_exchange_mode_with_psk( ssl ) )
Jerry Yu032b15ce2022-07-11 06:10:03 +0000[diff] [blame]2100 {
Jerry Yubb852022022-07-20 21:10:44 +0800[diff] [blame]2101 ret = ssl_tls13_write_server_pre_shared_key_ext( ssl, p, end, &output_len );
Jerry Yu032b15ce2022-07-11 06:10:03 +0000[diff] [blame]2102 if( ret != 0 )
2103 {
Jerry Yubb852022022-07-20 21:10:44 +0800[diff] [blame]2104 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_tls13_write_server_pre_shared_key_ext",
Jerry Yu032b15ce2022-07-11 06:10:03 +0000[diff] [blame]2105 ret );
2106 return( ret );
2107 }
2108 p += output_len;
2109 }
2110#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
2111
Jerry Yud9436a12022-04-20 22:28:09 +0800[diff] [blame]2112 MBEDTLS_PUT_UINT16_BE( p - p_extensions_len - 2, p_extensions_len, 0 );
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]2113
Jerry Yud9436a12022-04-20 22:28:09 +0800[diff] [blame]2114 MBEDTLS_SSL_DEBUG_BUF( 4, "server hello extensions",
2115 p_extensions_len, p - p_extensions_len );
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]2116
Jerry Yud9436a12022-04-20 22:28:09 +0800[diff] [blame]2117 *out_len = p - buf;
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]2118
Jerry Yud9436a12022-04-20 22:28:09 +0800[diff] [blame]2119 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello", buf, *out_len );
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]2120
2121 return( ret );
Jerry Yu56404d72022-03-30 17:36:13 +0800[diff] [blame]2122}
2123
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2124MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yue110d252022-05-05 10:19:22 +0800[diff] [blame]2125static int ssl_tls13_finalize_write_server_hello( mbedtls_ssl_context *ssl )
2126{
2127 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yuf86eb752022-05-06 11:16:55 +0800[diff] [blame]2128 ret = mbedtls_ssl_tls13_compute_handshake_transform( ssl );
Jerry Yue110d252022-05-05 10:19:22 +0800[diff] [blame]2129 if( ret != 0 )
2130 {
Jerry Yuf86eb752022-05-06 11:16:55 +0800[diff] [blame]2131 MBEDTLS_SSL_DEBUG_RET( 1,
2132 "mbedtls_ssl_tls13_compute_handshake_transform",
Jerry Yue110d252022-05-05 10:19:22 +0800[diff] [blame]2133 ret );
2134 return( ret );
2135 }
2136
Jerry Yue110d252022-05-05 10:19:22 +0800[diff] [blame]2137 return( ret );
2138}
2139
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2140MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yu5b64ae92022-03-30 17:15:02 +0800[diff] [blame]2141static int ssl_tls13_write_server_hello( mbedtls_ssl_context *ssl )
2142{
Jerry Yu637a3f12022-04-20 21:37:58 +0800[diff] [blame]2143 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yuf4b27e42022-03-30 17:32:21 +0800[diff] [blame]2144 unsigned char *buf;
2145 size_t buf_len, msg_len;
2146
2147 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write server hello" ) );
2148
Jerry Yuf4b27e42022-03-30 17:32:21 +0800[diff] [blame]2149 MBEDTLS_SSL_PROC_CHK( ssl_tls13_prepare_server_hello( ssl ) );
2150
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]2151 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_start_handshake_msg( ssl,
Jerry Yuf4b27e42022-03-30 17:32:21 +0800[diff] [blame]2152 MBEDTLS_SSL_HS_SERVER_HELLO, &buf, &buf_len ) );
2153
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]2154 MBEDTLS_SSL_PROC_CHK( ssl_tls13_write_server_hello_body( ssl, buf,
2155 buf + buf_len,
Jerry Yu23f7a6f2022-04-23 15:16:45 +0800[diff] [blame]2156 &msg_len,
2157 0 ) );
Jerry Yuf4b27e42022-03-30 17:32:21 +0800[diff] [blame]2158
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]2159 mbedtls_ssl_add_hs_msg_to_checksum(
Jerry Yuf4b27e42022-03-30 17:32:21 +0800[diff] [blame]2160 ssl, MBEDTLS_SSL_HS_SERVER_HELLO, buf, msg_len );
2161
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]2162 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_finish_handshake_msg(
Jerry Yuf4b27e42022-03-30 17:32:21 +0800[diff] [blame]2163 ssl, buf_len, msg_len ) );
Jerry Yu637a3f12022-04-20 21:37:58 +0800[diff] [blame]2164
Jerry Yue110d252022-05-05 10:19:22 +0800[diff] [blame]2165 MBEDTLS_SSL_PROC_CHK( ssl_tls13_finalize_write_server_hello( ssl ) );
2166
Gabor Mezei7b39bf12022-05-24 16:04:14 +0200[diff] [blame]2167#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
2168 /* The server sends a dummy change_cipher_spec record immediately
2169 * after its first handshake message. This may either be after
2170 * a ServerHello or a HelloRetryRequest.
2171 */
Gabor Mezei96ae9262022-06-28 11:45:18 +0200[diff] [blame]2172 mbedtls_ssl_handshake_set_state(
2173 ssl, MBEDTLS_SSL_SERVER_CCS_AFTER_SERVER_HELLO );
Gabor Mezei7b39bf12022-05-24 16:04:14 +0200[diff] [blame]2174#else
Jerry Yu637a3f12022-04-20 21:37:58 +0800[diff] [blame]2175 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_ENCRYPTED_EXTENSIONS );
Gabor Mezei7b39bf12022-05-24 16:04:14 +0200[diff] [blame]2176#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
Jerry Yue110d252022-05-05 10:19:22 +0800[diff] [blame]2177
Jerry Yuf4b27e42022-03-30 17:32:21 +0800[diff] [blame]2178cleanup:
2179
2180 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server hello" ) );
2181 return( ret );
Jerry Yu5b64ae92022-03-30 17:15:02 +0800[diff] [blame]2182}
2183
Jerry Yu23d1a252022-05-12 18:08:59 +0800[diff] [blame]2184
2185/*
2186 * Handler for MBEDTLS_SSL_HELLO_RETRY_REQUEST
2187 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2188MBEDTLS_CHECK_RETURN_CRITICAL
Ronald Cron7b840462022-06-01 17:05:53 +0200[diff] [blame]2189static int ssl_tls13_prepare_hello_retry_request( mbedtls_ssl_context *ssl )
Jerry Yu23d1a252022-05-12 18:08:59 +0800[diff] [blame]2190{
2191 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2192 if( ssl->handshake->hello_retry_request_count > 0 )
2193 {
2194 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Too many HRRs" ) );
2195 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
2196 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
2197 return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
2198 }
2199
2200 /*
2201 * Create stateless transcript hash for HRR
2202 */
2203 MBEDTLS_SSL_DEBUG_MSG( 4, ( "Reset transcript for HRR" ) );
2204 ret = mbedtls_ssl_reset_transcript_for_hrr( ssl );
2205 if( ret != 0 )
2206 {
2207 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_reset_transcript_for_hrr", ret );
2208 return( ret );
2209 }
2210 mbedtls_ssl_session_reset_msg_layer( ssl, 0 );
2211
2212 return( 0 );
2213}
2214
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2215MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yu23d1a252022-05-12 18:08:59 +0800[diff] [blame]2216static int ssl_tls13_write_hello_retry_request( mbedtls_ssl_context *ssl )
2217{
2218 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2219 unsigned char *buf;
2220 size_t buf_len, msg_len;
2221
2222 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write hello retry request" ) );
2223
Ronald Cron7b840462022-06-01 17:05:53 +0200[diff] [blame]2224 MBEDTLS_SSL_PROC_CHK( ssl_tls13_prepare_hello_retry_request( ssl ) );
Jerry Yu23d1a252022-05-12 18:08:59 +0800[diff] [blame]2225
2226 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_start_handshake_msg(
2227 ssl, MBEDTLS_SSL_HS_SERVER_HELLO,
2228 &buf, &buf_len ) );
2229
2230 MBEDTLS_SSL_PROC_CHK( ssl_tls13_write_server_hello_body( ssl, buf,
2231 buf + buf_len,
2232 &msg_len,
2233 1 ) );
2234 mbedtls_ssl_add_hs_msg_to_checksum(
2235 ssl, MBEDTLS_SSL_HS_SERVER_HELLO, buf, msg_len );
2236
2237
2238 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_finish_handshake_msg( ssl, buf_len,
2239 msg_len ) );
2240
2241 ssl->handshake->hello_retry_request_count++;
2242
Gabor Mezei7b39bf12022-05-24 16:04:14 +0200[diff] [blame]2243#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
2244 /* The server sends a dummy change_cipher_spec record immediately
2245 * after its first handshake message. This may either be after
2246 * a ServerHello or a HelloRetryRequest.
2247 */
Gabor Mezei96ae9262022-06-28 11:45:18 +0200[diff] [blame]2248 mbedtls_ssl_handshake_set_state(
Gabor Mezeif7044ea2022-06-28 16:01:49 +0200[diff] [blame]2249 ssl, MBEDTLS_SSL_SERVER_CCS_AFTER_HELLO_RETRY_REQUEST );
Gabor Mezei7b39bf12022-05-24 16:04:14 +0200[diff] [blame]2250#else
Jerry Yu23d1a252022-05-12 18:08:59 +0800[diff] [blame]2251 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_HELLO );
Gabor Mezei7b39bf12022-05-24 16:04:14 +0200[diff] [blame]2252#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
Jerry Yu23d1a252022-05-12 18:08:59 +0800[diff] [blame]2253
2254cleanup:
2255 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write hello retry request" ) );
2256 return( ret );
2257}
2258
Jerry Yu5b64ae92022-03-30 17:15:02 +0800[diff] [blame]2259/*
Jerry Yu4d3841a2022-04-16 12:37:19 +0800[diff] [blame]2260 * Handler for MBEDTLS_SSL_ENCRYPTED_EXTENSIONS
2261 */
Jerry Yu4d3841a2022-04-16 12:37:19 +0800[diff] [blame]2262
2263/*
2264 * struct {
2265 * Extension extensions<0..2 ^ 16 - 1>;
2266 * } EncryptedExtensions;
2267 *
2268 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2269MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yu4d3841a2022-04-16 12:37:19 +0800[diff] [blame]2270static int ssl_tls13_write_encrypted_extensions_body( mbedtls_ssl_context *ssl,
2271 unsigned char *buf,
2272 unsigned char *end,
2273 size_t *out_len )
2274{
XiaokangQianacb39922022-06-17 10:18:48 +0000[diff] [blame]2275 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yu4d3841a2022-04-16 12:37:19 +0800[diff] [blame]2276 unsigned char *p = buf;
2277 size_t extensions_len = 0;
Jerry Yu8937eb42022-05-03 12:12:14 +0800[diff] [blame]2278 unsigned char *p_extensions_len;
XiaokangQianacb39922022-06-17 10:18:48 +0000[diff] [blame]2279 size_t output_len;
Jerry Yu9da5e5a2022-05-03 15:46:09 +0800[diff] [blame]2280
Jerry Yu4d3841a2022-04-16 12:37:19 +0800[diff] [blame]2281 *out_len = 0;
2282
2283 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 );
Jerry Yu8937eb42022-05-03 12:12:14 +0800[diff] [blame]2284 p_extensions_len = p;
Jerry Yu4d3841a2022-04-16 12:37:19 +0800[diff] [blame]2285 p += 2;
2286
Jerry Yu8937eb42022-05-03 12:12:14 +0800[diff] [blame]2287 ((void) ssl);
XiaokangQianacb39922022-06-17 10:18:48 +0000[diff] [blame]2288 ((void) ret);
2289 ((void) output_len);
2290
2291#if defined(MBEDTLS_SSL_ALPN)
2292 ret = mbedtls_ssl_write_alpn_ext( ssl, p, end, &output_len );
2293 if( ret != 0 )
2294 return( ret );
XiaokangQian95d5f542022-06-24 02:29:26 +0000[diff] [blame]2295 p += output_len;
XiaokangQianacb39922022-06-17 10:18:48 +0000[diff] [blame]2296#endif /* MBEDTLS_SSL_ALPN */
Jerry Yu4d3841a2022-04-16 12:37:19 +0800[diff] [blame]2297
Jerry Yu8937eb42022-05-03 12:12:14 +0800[diff] [blame]2298 extensions_len = ( p - p_extensions_len ) - 2;
2299 MBEDTLS_PUT_UINT16_BE( extensions_len, p_extensions_len, 0 );
2300
2301 *out_len = p - buf;
Jerry Yu4d3841a2022-04-16 12:37:19 +0800[diff] [blame]2302
2303 MBEDTLS_SSL_DEBUG_BUF( 4, "encrypted extensions", buf, *out_len );
2304
2305 return( 0 );
2306}
2307
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2308MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yu4d3841a2022-04-16 12:37:19 +0800[diff] [blame]2309static int ssl_tls13_write_encrypted_extensions( mbedtls_ssl_context *ssl )
2310{
2311 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2312 unsigned char *buf;
Jerry Yu39730a72022-05-03 12:14:04 +0800[diff] [blame]2313 size_t buf_len, msg_len;
Jerry Yu4d3841a2022-04-16 12:37:19 +0800[diff] [blame]2314
Gabor Mezei54719122022-06-28 11:34:56 +0200[diff] [blame]2315 mbedtls_ssl_set_outbound_transform( ssl,
2316 ssl->handshake->transform_handshake );
2317 MBEDTLS_SSL_DEBUG_MSG(
2318 3, ( "switching to handshake transform for outbound data" ) );
2319
Jerry Yuab452cc2022-04-28 15:27:08 +0800[diff] [blame]2320 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write encrypted extensions" ) );
Jerry Yu4d3841a2022-04-16 12:37:19 +0800[diff] [blame]2321
Jerry Yu4d3841a2022-04-16 12:37:19 +0800[diff] [blame]2322 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_start_handshake_msg( ssl,
2323 MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS, &buf, &buf_len ) );
2324
2325 MBEDTLS_SSL_PROC_CHK( ssl_tls13_write_encrypted_extensions_body(
2326 ssl, buf, buf + buf_len, &msg_len ) );
2327
2328 mbedtls_ssl_add_hs_msg_to_checksum(
2329 ssl, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS, buf, msg_len );
2330
Jerry Yu4d3841a2022-04-16 12:37:19 +0800[diff] [blame]2331 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_finish_handshake_msg(
2332 ssl, buf_len, msg_len ) );
2333
Jerry Yu8937eb42022-05-03 12:12:14 +0800[diff] [blame]2334#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Ronald Cron79907712022-07-20 17:05:29 +0200[diff] [blame]2335 if( mbedtls_ssl_tls13_key_exchange_mode_with_psk( ssl ) )
Jerry Yu8937eb42022-05-03 12:12:14 +0800[diff] [blame]2336 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_FINISHED );
2337 else
XiaokangQiana987e1d2022-05-07 01:25:58 +0000[diff] [blame]2338 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CERTIFICATE_REQUEST );
Jerry Yu8937eb42022-05-03 12:12:14 +0800[diff] [blame]2339#else
2340 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_FINISHED );
2341#endif
2342
Jerry Yu4d3841a2022-04-16 12:37:19 +0800[diff] [blame]2343cleanup:
2344
Jerry Yuab452cc2022-04-28 15:27:08 +0800[diff] [blame]2345 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write encrypted extensions" ) );
Jerry Yu4d3841a2022-04-16 12:37:19 +0800[diff] [blame]2346 return( ret );
2347}
2348
XiaokangQiancec9ae62022-05-06 07:28:50 +0000[diff] [blame]2349#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
XiaokangQiana987e1d2022-05-07 01:25:58 +0000[diff] [blame]2350#define SSL_CERTIFICATE_REQUEST_SEND_REQUEST 0
2351#define SSL_CERTIFICATE_REQUEST_SKIP 1
2352/* Coordination:
2353 * Check whether a CertificateRequest message should be written.
2354 * Returns a negative code on failure, or
2355 * - SSL_CERTIFICATE_REQUEST_SEND_REQUEST
2356 * - SSL_CERTIFICATE_REQUEST_SKIP
2357 * indicating if the writing of the CertificateRequest
2358 * should be skipped or not.
2359 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2360MBEDTLS_CHECK_RETURN_CRITICAL
XiaokangQiana987e1d2022-05-07 01:25:58 +0000[diff] [blame]2361static int ssl_tls13_certificate_request_coordinate( mbedtls_ssl_context *ssl )
2362{
2363 int authmode;
2364
XiaokangQian40a35232022-05-07 09:02:40 +0000[diff] [blame]2365#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
2366 if( ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET )
2367 authmode = ssl->handshake->sni_authmode;
2368 else
2369#endif
XiaokangQiana987e1d2022-05-07 01:25:58 +0000[diff] [blame]2370 authmode = ssl->conf->authmode;
2371
2372 if( authmode == MBEDTLS_SSL_VERIFY_NONE )
2373 return( SSL_CERTIFICATE_REQUEST_SKIP );
2374
XiaokangQianc3017f62022-05-13 05:55:41 +0000[diff] [blame]2375 ssl->handshake->certificate_request_sent = 1;
XiaokangQian189ded22022-05-10 08:12:17 +0000[diff] [blame]2376
XiaokangQiana987e1d2022-05-07 01:25:58 +0000[diff] [blame]2377 return( SSL_CERTIFICATE_REQUEST_SEND_REQUEST );
2378}
2379
XiaokangQiancec9ae62022-05-06 07:28:50 +0000[diff] [blame]2380/*
2381 * struct {
2382 * opaque certificate_request_context<0..2^8-1>;
2383 * Extension extensions<2..2^16-1>;
2384 * } CertificateRequest;
2385 *
2386 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2387MBEDTLS_CHECK_RETURN_CRITICAL
XiaokangQiancec9ae62022-05-06 07:28:50 +0000[diff] [blame]2388static int ssl_tls13_write_certificate_request_body( mbedtls_ssl_context *ssl,
2389 unsigned char *buf,
2390 const unsigned char *end,
2391 size_t *out_len )
2392{
2393 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2394 unsigned char *p = buf;
XiaokangQianec6efb92022-05-06 09:53:10 +0000[diff] [blame]2395 size_t output_len = 0;
XiaokangQiancec9ae62022-05-06 07:28:50 +0000[diff] [blame]2396 unsigned char *p_extensions_len;
2397
2398 *out_len = 0;
2399
2400 /* Check if we have enough space:
2401 * - certificate_request_context (1 byte)
2402 * - extensions length (2 bytes)
2403 */
2404 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 3 );
2405
2406 /*
2407 * Write certificate_request_context
2408 */
2409 /*
2410 * We use a zero length context for the normal handshake
2411 * messages. For post-authentication handshake messages
2412 * this request context would be set to a non-zero value.
2413 */
2414 *p++ = 0x0;
2415
2416 /*
2417 * Write extensions
2418 */
2419 /* The extensions must contain the signature_algorithms. */
2420 p_extensions_len = p;
2421 p += 2;
XiaokangQianec6efb92022-05-06 09:53:10 +0000[diff] [blame]2422 ret = mbedtls_ssl_write_sig_alg_ext( ssl, p, end, &output_len );
XiaokangQiancec9ae62022-05-06 07:28:50 +0000[diff] [blame]2423 if( ret != 0 )
2424 return( ret );
2425
XiaokangQianec6efb92022-05-06 09:53:10 +0000[diff] [blame]2426 p += output_len;
XiaokangQianaad9b0a2022-05-09 01:11:21 +0000[diff] [blame]2427 MBEDTLS_PUT_UINT16_BE( p - p_extensions_len - 2, p_extensions_len, 0 );
XiaokangQiancec9ae62022-05-06 07:28:50 +0000[diff] [blame]2428
2429 *out_len = p - buf;
2430
2431 return( 0 );
2432}
2433
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2434MBEDTLS_CHECK_RETURN_CRITICAL
XiaokangQiancec9ae62022-05-06 07:28:50 +0000[diff] [blame]2435static int ssl_tls13_write_certificate_request( mbedtls_ssl_context *ssl )
2436{
2437 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2438
2439 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) );
2440
2441 MBEDTLS_SSL_PROC_CHK_NEG( ssl_tls13_certificate_request_coordinate( ssl ) );
2442
2443 if( ret == SSL_CERTIFICATE_REQUEST_SEND_REQUEST )
2444 {
2445 unsigned char *buf;
2446 size_t buf_len, msg_len;
2447
2448 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_start_handshake_msg( ssl,
2449 MBEDTLS_SSL_HS_CERTIFICATE_REQUEST, &buf, &buf_len ) );
2450
2451 MBEDTLS_SSL_PROC_CHK( ssl_tls13_write_certificate_request_body(
2452 ssl, buf, buf + buf_len, &msg_len ) );
2453
2454 mbedtls_ssl_add_hs_msg_to_checksum(
2455 ssl, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST, buf, msg_len );
2456
2457 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_finish_handshake_msg(
2458 ssl, buf_len, msg_len ) );
2459 }
2460 else if( ret == SSL_CERTIFICATE_REQUEST_SKIP )
2461 {
2462 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) );
2463 ret = 0;
2464 }
2465 else
2466 {
2467 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2468 ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
2469 goto cleanup;
2470 }
2471
2472 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_CERTIFICATE );
2473cleanup:
2474
2475 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate request" ) );
2476 return( ret );
2477}
XiaokangQiancec9ae62022-05-06 07:28:50 +0000[diff] [blame]2478
Jerry Yu4d3841a2022-04-16 12:37:19 +0800[diff] [blame]2479/*
Jerry Yuc6e6dbf2022-04-16 19:42:57 +0800[diff] [blame]2480 * Handler for MBEDTLS_SSL_SERVER_CERTIFICATE
Jerry Yu83da34e2022-04-16 13:59:52 +0800[diff] [blame]2481 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2482MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yuc6e6dbf2022-04-16 19:42:57 +0800[diff] [blame]2483static int ssl_tls13_write_server_certificate( mbedtls_ssl_context *ssl )
Jerry Yu83da34e2022-04-16 13:59:52 +0800[diff] [blame]2484{
Jerry Yu5a26f302022-05-10 20:46:40 +0800[diff] [blame]2485 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
XiaokangQianfb665a82022-06-15 03:57:21 +0000[diff] [blame]2486
2487#if defined(MBEDTLS_X509_CRT_PARSE_C)
2488 if( ( ssl_tls13_pick_key_cert( ssl ) != 0 ) ||
2489 mbedtls_ssl_own_cert( ssl ) == NULL )
Jerry Yu5a26f302022-05-10 20:46:40 +0800[diff] [blame]2490 {
Jerry Yub89125b2022-05-13 15:45:49 +0800[diff] [blame]2491 MBEDTLS_SSL_DEBUG_MSG( 2, ( "No certificate available." ) );
Jerry Yu5a26f302022-05-10 20:46:40 +0800[diff] [blame]2492 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
2493 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE);
Jerry Yuf1c3c4e2022-05-10 11:36:35 +0800[diff] [blame]2494 return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
Jerry Yu5a26f302022-05-10 20:46:40 +0800[diff] [blame]2495 }
XiaokangQianfb665a82022-06-15 03:57:21 +0000[diff] [blame]2496#endif /* MBEDTLS_X509_CRT_PARSE_C */
Jerry Yu5a26f302022-05-10 20:46:40 +0800[diff] [blame]2497
Jerry Yuf1c3c4e2022-05-10 11:36:35 +0800[diff] [blame]2498 ret = mbedtls_ssl_tls13_write_certificate( ssl );
2499 if( ret != 0 )
Jerry Yu1bff7112022-04-16 14:29:11 +0800[diff] [blame]2500 return( ret );
Jerry Yu1bff7112022-04-16 14:29:11 +0800[diff] [blame]2501 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CERTIFICATE_VERIFY );
2502 return( 0 );
Jerry Yu83da34e2022-04-16 13:59:52 +0800[diff] [blame]2503}
2504
2505/*
Jerry Yuc6e6dbf2022-04-16 19:42:57 +0800[diff] [blame]2506 * Handler for MBEDTLS_SSL_CERTIFICATE_VERIFY
Jerry Yu83da34e2022-04-16 13:59:52 +0800[diff] [blame]2507 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2508MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yuc6e6dbf2022-04-16 19:42:57 +0800[diff] [blame]2509static int ssl_tls13_write_certificate_verify( mbedtls_ssl_context *ssl )
Jerry Yu83da34e2022-04-16 13:59:52 +0800[diff] [blame]2510{
Jerry Yu4ff9e142022-04-16 14:57:49 +0800[diff] [blame]2511 int ret = mbedtls_ssl_tls13_write_certificate_verify( ssl );
Jerry Yuf1c3c4e2022-05-10 11:36:35 +0800[diff] [blame]2512 if( ret != 0 )
Jerry Yu4ff9e142022-04-16 14:57:49 +0800[diff] [blame]2513 return( ret );
Jerry Yu4ff9e142022-04-16 14:57:49 +0800[diff] [blame]2514 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_FINISHED );
2515 return( 0 );
Jerry Yu83da34e2022-04-16 13:59:52 +0800[diff] [blame]2516}
Jerry Yu5a26f302022-05-10 20:46:40 +0800[diff] [blame]2517#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
Jerry Yu83da34e2022-04-16 13:59:52 +0800[diff] [blame]2518
2519/*
Jerry Yud6e253d2022-05-18 13:59:24 +0800[diff] [blame]2520 * Handler for MBEDTLS_SSL_SERVER_FINISHED
Jerry Yu69dd8d42022-04-16 12:51:26 +0800[diff] [blame]2521 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2522MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yu4d8567f2022-04-17 10:57:57 +0800[diff] [blame]2523static int ssl_tls13_write_server_finished( mbedtls_ssl_context *ssl )
Jerry Yu69dd8d42022-04-16 12:51:26 +0800[diff] [blame]2524{
Jerry Yud6e253d2022-05-18 13:59:24 +0800[diff] [blame]2525 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yu27bdc7c2022-04-16 13:33:27 +0800[diff] [blame]2526
2527 ret = mbedtls_ssl_tls13_write_finished_message( ssl );
2528 if( ret != 0 )
2529 return( ret );
2530
Jerry Yue3d67cb2022-05-19 15:33:10 +0800[diff] [blame]2531 ret = mbedtls_ssl_tls13_compute_application_transform( ssl );
2532 if( ret != 0 )
2533 {
2534 MBEDTLS_SSL_PEND_FATAL_ALERT(
2535 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
2536 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
2537 return( ret );
2538 }
XiaokangQianc3017f62022-05-13 05:55:41 +0000[diff] [blame]2539
Ronald Cron63dc4632022-05-31 14:41:53 +0200[diff] [blame]2540 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Switch to handshake keys for inbound traffic" ) );
2541 mbedtls_ssl_set_inbound_transform( ssl, ssl->handshake->transform_handshake );
XiaokangQian189ded22022-05-10 08:12:17 +0000[diff] [blame]2542
Ronald Cron63dc4632022-05-31 14:41:53 +0200[diff] [blame]2543 if( ssl->handshake->certificate_request_sent )
2544 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE );
XiaokangQian189ded22022-05-10 08:12:17 +0000[diff] [blame]2545 else
Ronald Cron19385882022-06-15 16:26:13 +0200[diff] [blame]2546 {
2547 MBEDTLS_SSL_DEBUG_MSG( 2, ( "skip parse certificate" ) );
2548 MBEDTLS_SSL_DEBUG_MSG( 2, ( "skip parse certificate verify" ) );
XiaokangQian189ded22022-05-10 08:12:17 +0000[diff] [blame]2549 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_FINISHED );
Ronald Cron19385882022-06-15 16:26:13 +0200[diff] [blame]2550 }
Ronald Cron63dc4632022-05-31 14:41:53 +0200[diff] [blame]2551
Jerry Yu27bdc7c2022-04-16 13:33:27 +0800[diff] [blame]2552 return( 0 );
Jerry Yu69dd8d42022-04-16 12:51:26 +0800[diff] [blame]2553}
2554
2555/*
Jerry Yud6e253d2022-05-18 13:59:24 +0800[diff] [blame]2556 * Handler for MBEDTLS_SSL_CLIENT_FINISHED
Jerry Yu69dd8d42022-04-16 12:51:26 +0800[diff] [blame]2557 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2558MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yu4d8567f2022-04-17 10:57:57 +0800[diff] [blame]2559static int ssl_tls13_process_client_finished( mbedtls_ssl_context *ssl )
Jerry Yu69dd8d42022-04-16 12:51:26 +0800[diff] [blame]2560{
Jerry Yud6e253d2022-05-18 13:59:24 +0800[diff] [blame]2561 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2562
Jerry Yuff226982022-04-16 16:52:57 +0800[diff] [blame]2563 ret = mbedtls_ssl_tls13_process_finished_message( ssl );
2564 if( ret != 0 )
2565 return( ret );
2566
Jerry Yu466dda82022-09-13 11:20:20 +0800[diff] [blame]2567 ret = mbedtls_ssl_tls13_compute_resumption_master_secret( ssl );
Jerry Yue3d67cb2022-05-19 15:33:10 +0800[diff] [blame]2568 if( ret != 0 )
2569 {
2570 MBEDTLS_SSL_DEBUG_RET( 1,
Jerry Yu466dda82022-09-13 11:20:20 +0800[diff] [blame]2571 "mbedtls_ssl_tls13_compute_resumption_master_secret", ret );
Jerry Yue3d67cb2022-05-19 15:33:10 +0800[diff] [blame]2572 }
2573
Jerry Yu03ed50b2022-04-16 17:13:30 +0800[diff] [blame]2574 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_HANDSHAKE_WRAPUP );
Jerry Yuff226982022-04-16 16:52:57 +0800[diff] [blame]2575 return( 0 );
Jerry Yu69dd8d42022-04-16 12:51:26 +0800[diff] [blame]2576}
2577
2578/*
Jerry Yud6e253d2022-05-18 13:59:24 +0800[diff] [blame]2579 * Handler for MBEDTLS_SSL_HANDSHAKE_WRAPUP
Jerry Yu69dd8d42022-04-16 12:51:26 +0800[diff] [blame]2580 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2581MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yu4d8567f2022-04-17 10:57:57 +0800[diff] [blame]2582static int ssl_tls13_handshake_wrapup( mbedtls_ssl_context *ssl )
Jerry Yu69dd8d42022-04-16 12:51:26 +0800[diff] [blame]2583{
Jerry Yu03ed50b2022-04-16 17:13:30 +0800[diff] [blame]2584 MBEDTLS_SSL_DEBUG_MSG( 2, ( "handshake: done" ) );
2585
Jerry Yu03ed50b2022-04-16 17:13:30 +0800[diff] [blame]2586 mbedtls_ssl_tls13_handshake_wrapup( ssl );
Jerry Yue67bef42022-07-07 07:29:42 +0000[diff] [blame]2587
2588#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Jerry Yufca4d572022-07-21 10:37:48 +0800[diff] [blame]2589 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_NEW_SESSION_TICKET );
2590#else
Jerry Yu03ed50b2022-04-16 17:13:30 +0800[diff] [blame]2591 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_HANDSHAKE_OVER );
Jerry Yufca4d572022-07-21 10:37:48 +0800[diff] [blame]2592#endif
Jerry Yu03ed50b2022-04-16 17:13:30 +0800[diff] [blame]2593 return( 0 );
Jerry Yu69dd8d42022-04-16 12:51:26 +0800[diff] [blame]2594}
2595
2596/*
Jerry Yue67bef42022-07-07 07:29:42 +0000[diff] [blame]2597 * Handler for MBEDTLS_SSL_NEW_SESSION_TICKET
2598 */
2599#define SSL_NEW_SESSION_TICKET_SKIP 0
2600#define SSL_NEW_SESSION_TICKET_WRITE 1
2601MBEDTLS_CHECK_RETURN_CRITICAL
2602static int ssl_tls13_write_new_session_ticket_coordinate( mbedtls_ssl_context *ssl )
2603{
2604 /* Check whether the use of session tickets is enabled */
2605 if( ssl->conf->f_ticket_write == NULL )
2606 {
2607 MBEDTLS_SSL_DEBUG_MSG( 2, ( "new session ticket is not enabled" ) );
2608 return( SSL_NEW_SESSION_TICKET_SKIP );
2609 }
2610
Jerry Yue67bef42022-07-07 07:29:42 +0000[diff] [blame]2611 return( SSL_NEW_SESSION_TICKET_WRITE );
2612}
2613
2614#if defined(MBEDTLS_SSL_SESSION_TICKETS)
2615MBEDTLS_CHECK_RETURN_CRITICAL
2616static int ssl_tls13_prepare_new_session_ticket( mbedtls_ssl_context *ssl,
2617 unsigned char *ticket_nonce,
2618 size_t ticket_nonce_size )
2619{
2620 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2621 mbedtls_ssl_session *session = ssl->session;
2622 mbedtls_ssl_ciphersuite_t *ciphersuite_info;
2623 psa_algorithm_t psa_hash_alg;
2624 int hash_length;
2625
2626 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> prepare NewSessionTicket msg" ) );
2627
2628#if defined(MBEDTLS_HAVE_TIME)
2629 session->start = mbedtls_time( NULL );
2630#endif
2631
2632 /* Generate ticket_age_add */
2633 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng,
Jerry Yufca4d572022-07-21 10:37:48 +0800[diff] [blame]2634 (unsigned char *) &session->ticket_age_add,
Jerry Yue67bef42022-07-07 07:29:42 +0000[diff] [blame]2635 sizeof( session->ticket_age_add ) ) != 0 ) )
2636 {
2637 MBEDTLS_SSL_DEBUG_RET( 1, "generate_ticket_age_add", ret );
2638 return( ret );
2639 }
2640 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket_age_add: %u",
Jerry Yufca4d572022-07-21 10:37:48 +0800[diff] [blame]2641 (unsigned int)session->ticket_age_add ) );
Jerry Yue67bef42022-07-07 07:29:42 +0000[diff] [blame]2642
2643 /* Generate ticket_nonce */
2644 ret = ssl->conf->f_rng( ssl->conf->p_rng, ticket_nonce, ticket_nonce_size );
2645 if( ret != 0 )
2646 {
2647 MBEDTLS_SSL_DEBUG_RET( 1, "generate_ticket_nonce", ret );
2648 return( ret );
2649 }
2650 MBEDTLS_SSL_DEBUG_BUF( 3, "ticket_nonce:",
2651 ticket_nonce, ticket_nonce_size );
2652
2653 ciphersuite_info =
2654 (mbedtls_ssl_ciphersuite_t *) ssl->handshake->ciphersuite_info;
2655 psa_hash_alg = mbedtls_psa_translate_md( ciphersuite_info->mac );
2656 hash_length = PSA_HASH_LENGTH( psa_hash_alg );
Jerry Yufca4d572022-07-21 10:37:48 +0800[diff] [blame]2657 if( hash_length == -1 ||
Jerry Yu61197152022-07-21 16:28:02 +0800[diff] [blame]2658 (size_t)hash_length > sizeof( session->resumption_key ) )
Jerry Yufca4d572022-07-21 10:37:48 +0800[diff] [blame]2659 {
Jerry Yue67bef42022-07-07 07:29:42 +0000[diff] [blame]2660 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Jerry Yufca4d572022-07-21 10:37:48 +0800[diff] [blame]2661 }
2662
Jerry Yue67bef42022-07-07 07:29:42 +0000[diff] [blame]2663 /* In this code the psk key length equals the length of the hash */
2664 session->resumption_key_len = hash_length;
2665 session->ciphersuite = ciphersuite_info->id;
2666
2667 /* Compute resumption key
2668 *
2669 * HKDF-Expand-Label( resumption_master_secret,
2670 * "resumption", ticket_nonce, Hash.length )
2671 */
2672 ret = mbedtls_ssl_tls13_hkdf_expand_label(
2673 psa_hash_alg,
2674 session->app_secrets.resumption_master_secret,
2675 hash_length,
2676 MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( resumption ),
2677 ticket_nonce,
2678 ticket_nonce_size,
2679 session->resumption_key,
2680 hash_length );
2681
2682 if( ret != 0 )
2683 {
2684 MBEDTLS_SSL_DEBUG_RET( 2,
2685 "Creating the ticket-resumed PSK failed",
2686 ret );
2687 return ( ret );
2688 }
2689 MBEDTLS_SSL_DEBUG_BUF( 3, "Ticket-resumed PSK",
2690 session->resumption_key,
2691 session->resumption_key_len );
2692
2693 MBEDTLS_SSL_DEBUG_BUF( 3, "resumption_master_secret",
2694 session->app_secrets.resumption_master_secret,
2695 hash_length );
2696
2697 return( 0 );
2698}
2699
2700/* This function creates a NewSessionTicket message in the following format:
2701 *
2702 * struct {
2703 * uint32 ticket_lifetime;
2704 * uint32 ticket_age_add;
2705 * opaque ticket_nonce<0..255>;
2706 * opaque ticket<1..2^16-1>;
2707 * Extension extensions<0..2^16-2>;
2708 * } NewSessionTicket;
2709 *
2710 * The ticket inside the NewSessionTicket message is an encrypted container
2711 * carrying the necessary information so that the server is later able to
2712 * re-start the communication.
2713 *
2714 * The following fields are placed inside the ticket by the
2715 * f_ticket_write() function:
2716 *
2717 * - creation time (start)
2718 * - flags (flags)
2719 * - age add (ticket_age_add)
2720 * - key (key)
2721 * - key length (key_len)
2722 * - ciphersuite (ciphersuite)
2723 */
2724MBEDTLS_CHECK_RETURN_CRITICAL
2725static int ssl_tls13_write_new_session_ticket_body( mbedtls_ssl_context *ssl,
2726 unsigned char *buf,
2727 unsigned char *end,
2728 size_t *out_len,
2729 unsigned char *ticket_nonce,
2730 size_t ticket_nonce_size )
2731{
2732 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2733 unsigned char *p = buf;
2734 mbedtls_ssl_session *session = ssl->session;
2735 size_t ticket_len;
2736 uint32_t ticket_lifetime;
2737
2738 *out_len = 0;
2739 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write NewSessionTicket msg" ) );
2740
2741 /*
2742 * ticket_lifetime 4 bytes
2743 * ticket_age_add 4 bytes
2744 * ticket_nonce 1 + ticket_nonce_size bytes
2745 * ticket >=2 bytes
2746 */
2747 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 4 + 4 + 1 + ticket_nonce_size + 2 );
2748
2749 /* Generate ticket and ticket_lifetime */
2750 ret = ssl->conf->f_ticket_write( ssl->conf->p_ticket,
2751 session,
2752 p + 9 + ticket_nonce_size + 2,
2753 end,
2754 &ticket_len,
2755 &ticket_lifetime);
2756 if( ret != 0 )
2757 {
2758 MBEDTLS_SSL_DEBUG_RET( 1, "write_ticket", ret );
2759 return( ret );
2760 }
2761 /* RFC 8446 4.6.1
2762 * ticket_lifetime: Indicates the lifetime in seconds as a 32-bit
2763 * unsigned integer in network byte order from the time of ticket
2764 * issuance. Servers MUST NOT use any value greater than
2765 * 604800 seconds (7 days). The value of zero indicates that the
2766 * ticket should be discarded immediately. Clients MUST NOT cache
2767 * tickets for longer than 7 days, regardless of the ticket_lifetime,
2768 * and MAY delete tickets earlier based on local policy. A server
2769 * MAY treat a ticket as valid for a shorter period of time than what
2770 * is stated in the ticket_lifetime.
2771 */
2772 ticket_lifetime %= 604800;
2773 MBEDTLS_PUT_UINT32_BE( ticket_lifetime, p, 0 );
2774 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket_lifetime: %u",
2775 ( unsigned int )ticket_lifetime ) );
2776
2777 /* Write ticket_age_add */
2778 MBEDTLS_PUT_UINT32_BE( session->ticket_age_add, p, 4 );
2779 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket_age_add: %u",
2780 ( unsigned int )session->ticket_age_add ) );
2781
2782 /* Write ticket_nonce */
2783 p[8] = ( unsigned char )ticket_nonce_size;
2784 if( ticket_nonce_size > 0 )
2785 {
2786 memcpy( p + 9, ticket_nonce, ticket_nonce_size );
2787 }
2788 p += 9 + ticket_nonce_size;
2789
2790 /* Write ticket */
2791 MBEDTLS_PUT_UINT16_BE( ticket_len, p, 0 );
2792 p += 2;
2793 MBEDTLS_SSL_DEBUG_BUF( 4, "ticket", p, ticket_len);
2794 p += ticket_len;
2795
2796 /* Ticket Extensions
2797 *
2798 * Note: We currently don't have any extensions.
2799 * Set length to zero.
2800 */
2801 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 );
2802 MBEDTLS_PUT_UINT16_BE( 0, p, 0 );
2803 p += 2;
2804
2805 *out_len = p - buf;
2806 MBEDTLS_SSL_DEBUG_BUF( 4, "ticket", buf, *out_len );
2807 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write new session ticket" ) );
2808
2809 return( 0 );
2810}
2811
2812/*
2813 * Handler for MBEDTLS_SSL_NEW_SESSION_TICKET
2814 */
2815static int ssl_tls13_write_new_session_ticket( mbedtls_ssl_context *ssl )
2816{
2817 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2818
2819 MBEDTLS_SSL_PROC_CHK_NEG( ssl_tls13_write_new_session_ticket_coordinate( ssl ) );
2820
2821 if( ret == SSL_NEW_SESSION_TICKET_WRITE )
2822 {
2823 unsigned char ticket_nonce[MBEDTLS_SSL_TLS1_3_TICKET_NONCE_LENGTH];
2824 unsigned char *buf;
2825 size_t buf_len, msg_len;
2826
2827 MBEDTLS_SSL_PROC_CHK( ssl_tls13_prepare_new_session_ticket(
2828 ssl, ticket_nonce, sizeof( ticket_nonce ) ) );
2829
2830 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_start_handshake_msg( ssl,
2831 MBEDTLS_SSL_HS_NEW_SESSION_TICKET, &buf, &buf_len ) );
2832
2833 MBEDTLS_SSL_PROC_CHK( ssl_tls13_write_new_session_ticket_body(
2834 ssl, buf, buf + buf_len, &msg_len,
2835 ticket_nonce, sizeof( ticket_nonce ) ) );
2836
Jerry Yue67bef42022-07-07 07:29:42 +0000[diff] [blame]2837 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_finish_handshake_msg(
2838 ssl, buf_len, msg_len ) );
Jerry Yufca4d572022-07-21 10:37:48 +0800[diff] [blame]2839
2840 mbedtls_ssl_handshake_set_state( ssl,
2841 MBEDTLS_SSL_NEW_SESSION_TICKET_FLUSH );
Jerry Yue67bef42022-07-07 07:29:42 +0000[diff] [blame]2842 }
2843 else
2844 {
2845 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_HANDSHAKE_OVER );
2846 }
2847
Jerry Yue67bef42022-07-07 07:29:42 +0000[diff] [blame]2848cleanup:
2849
2850 return( ret );
2851}
2852#endif /* MBEDTLS_SSL_SESSION_TICKETS */
2853
2854/*
XiaokangQiane8ff3502022-04-22 02:34:40 +0000[diff] [blame]2855 * TLS 1.3 State Machine -- server side
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]2856 */
Jerry Yu27561932021-08-27 17:07:38 +0800[diff] [blame]2857int mbedtls_ssl_tls13_handshake_server_step( mbedtls_ssl_context *ssl )
Jerry Yub9930e72021-08-06 17:11:51 +0800[diff] [blame]2858{
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]2859 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]2860
2861 if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER || ssl->handshake == NULL )
2862 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
2863
Jerry Yue3b34122021-09-28 17:53:35 +0800[diff] [blame]2864 MBEDTLS_SSL_DEBUG_MSG( 2, ( "tls13 server state: %s(%d)",
2865 mbedtls_ssl_states_str( ssl->state ),
2866 ssl->state ) );
Jerry Yu6e81b272021-09-27 11:16:17 +0800[diff] [blame]2867
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]2868 switch( ssl->state )
2869 {
2870 /* start state */
2871 case MBEDTLS_SSL_HELLO_REQUEST:
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]2872 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_HELLO );
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]2873 ret = 0;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]2874 break;
2875
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]2876 case MBEDTLS_SSL_CLIENT_HELLO:
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]2877 ret = ssl_tls13_process_client_hello( ssl );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]2878 if( ret != 0 )
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]2879 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_tls13_process_client_hello", ret );
Jerry Yuf41553b2022-05-09 22:20:30 +0800[diff] [blame]2880 break;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]2881
Jerry Yuf41553b2022-05-09 22:20:30 +0800[diff] [blame]2882 case MBEDTLS_SSL_HELLO_RETRY_REQUEST:
2883 ret = ssl_tls13_write_hello_retry_request( ssl );
2884 if( ret != 0 )
2885 {
2886 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_tls13_write_hello_retry_request", ret );
2887 return( ret );
2888 }
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]2889 break;
2890
Jerry Yu5b64ae92022-03-30 17:15:02 +0800[diff] [blame]2891 case MBEDTLS_SSL_SERVER_HELLO:
2892 ret = ssl_tls13_write_server_hello( ssl );
2893 break;
2894
Xiaofei Baicba64af2022-02-15 10:00:56 +0000[diff] [blame]2895 case MBEDTLS_SSL_ENCRYPTED_EXTENSIONS:
Jerry Yu4d3841a2022-04-16 12:37:19 +0800[diff] [blame]2896 ret = ssl_tls13_write_encrypted_extensions( ssl );
Xiaofei Baicba64af2022-02-15 10:00:56 +0000[diff] [blame]2897 if( ret != 0 )
2898 {
Jerry Yu4d3841a2022-04-16 12:37:19 +0800[diff] [blame]2899 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_tls13_write_encrypted_extensions", ret );
2900 return( ret );
Xiaofei Baicba64af2022-02-15 10:00:56 +0000[diff] [blame]2901 }
Jerry Yu48330562022-05-06 21:35:44 +0800[diff] [blame]2902 break;
Jerry Yu6a2cd9e2022-05-05 11:14:19 +0800[diff] [blame]2903
Xiaofei Bai9ca09d42022-02-14 12:57:18 +0000[diff] [blame]2904#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
2905 case MBEDTLS_SSL_CERTIFICATE_REQUEST:
Xiaofei Bai5ee73d82022-03-14 02:48:30 +0000[diff] [blame]2906 ret = ssl_tls13_write_certificate_request( ssl );
Xiaofei Bai9ca09d42022-02-14 12:57:18 +0000[diff] [blame]2907 break;
Xiaofei Bai9ca09d42022-02-14 12:57:18 +0000[diff] [blame]2908
Jerry Yu83da34e2022-04-16 13:59:52 +0800[diff] [blame]2909 case MBEDTLS_SSL_SERVER_CERTIFICATE:
2910 ret = ssl_tls13_write_server_certificate( ssl );
2911 break;
2912
2913 case MBEDTLS_SSL_CERTIFICATE_VERIFY:
2914 ret = ssl_tls13_write_certificate_verify( ssl );
2915 break;
Jerry Yu5a26f302022-05-10 20:46:40 +0800[diff] [blame]2916#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
Jerry Yu83da34e2022-04-16 13:59:52 +0800[diff] [blame]2917
Gabor Mezei7b39bf12022-05-24 16:04:14 +0200[diff] [blame]2918 /*
2919 * Injection of dummy-CCS's for middlebox compatibility
2920 */
2921#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
Gabor Mezeif7044ea2022-06-28 16:01:49 +0200[diff] [blame]2922 case MBEDTLS_SSL_SERVER_CCS_AFTER_HELLO_RETRY_REQUEST:
Gabor Mezei7b39bf12022-05-24 16:04:14 +0200[diff] [blame]2923 ret = mbedtls_ssl_tls13_write_change_cipher_spec( ssl );
2924 if( ret == 0 )
2925 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_HELLO );
2926 break;
2927
2928 case MBEDTLS_SSL_SERVER_CCS_AFTER_SERVER_HELLO:
2929 ret = mbedtls_ssl_tls13_write_change_cipher_spec( ssl );
2930 if( ret == 0 )
2931 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_ENCRYPTED_EXTENSIONS );
2932 break;
2933#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
2934
Jerry Yu69dd8d42022-04-16 12:51:26 +0800[diff] [blame]2935 case MBEDTLS_SSL_SERVER_FINISHED:
2936 ret = ssl_tls13_write_server_finished( ssl );
2937 break;
2938
2939 case MBEDTLS_SSL_CLIENT_FINISHED:
2940 ret = ssl_tls13_process_client_finished( ssl );
2941 break;
2942
Jerry Yu69dd8d42022-04-16 12:51:26 +0800[diff] [blame]2943 case MBEDTLS_SSL_HANDSHAKE_WRAPUP:
2944 ret = ssl_tls13_handshake_wrapup( ssl );
2945 break;
2946
XiaokangQian6b916b12022-04-25 07:29:34 +0000[diff] [blame]2947 case MBEDTLS_SSL_CLIENT_CERTIFICATE:
2948 ret = mbedtls_ssl_tls13_process_certificate( ssl );
Ronald Cron209cae92022-06-07 10:30:19 +0200[diff] [blame]2949 if( ret == 0 )
XiaokangQian6b916b12022-04-25 07:29:34 +0000[diff] [blame]2950 {
Ronald Cron209cae92022-06-07 10:30:19 +0200[diff] [blame]2951 if( ssl->session_negotiate->peer_cert != NULL )
2952 {
2953 mbedtls_ssl_handshake_set_state(
2954 ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY );
2955 }
2956 else
Ronald Cron19385882022-06-15 16:26:13 +0200[diff] [blame]2957 {
2958 MBEDTLS_SSL_DEBUG_MSG( 2, ( "skip parse certificate verify" ) );
Ronald Cron209cae92022-06-07 10:30:19 +0200[diff] [blame]2959 mbedtls_ssl_handshake_set_state(
2960 ssl, MBEDTLS_SSL_CLIENT_FINISHED );
Ronald Cron19385882022-06-15 16:26:13 +0200[diff] [blame]2961 }
XiaokangQian6b916b12022-04-25 07:29:34 +0000[diff] [blame]2962 }
2963 break;
2964
2965 case MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY:
2966 ret = mbedtls_ssl_tls13_process_certificate_verify( ssl );
2967 if( ret == 0 )
2968 {
2969 mbedtls_ssl_handshake_set_state(
2970 ssl, MBEDTLS_SSL_CLIENT_FINISHED );
2971 }
2972 break;
2973
Jerry Yue67bef42022-07-07 07:29:42 +0000[diff] [blame]2974#if defined(MBEDTLS_SSL_SESSION_TICKETS)
2975 case MBEDTLS_SSL_NEW_SESSION_TICKET:
2976 ret = ssl_tls13_write_new_session_ticket( ssl );
2977 if( ret != 0 )
2978 {
2979 MBEDTLS_SSL_DEBUG_RET( 1,
2980 "ssl_tls13_write_new_session_ticket ",
2981 ret );
2982 }
2983 break;
2984 case MBEDTLS_SSL_NEW_SESSION_TICKET_FLUSH:
2985 /* This state is necessary to do the flush of the New Session
2986 * Ticket message written in MBEDTLS_SSL_NEW_SESSION_TICKET
2987 * as part of ssl_prepare_handshake_step.
2988 */
2989 ret = 0;
2990 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_HANDSHAKE_OVER );
2991 break;
2992
2993#endif /* MBEDTLS_SSL_SESSION_TICKETS */
2994
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]2995 default:
2996 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) );
XiaokangQian060d8672022-04-21 09:24:56 +0000[diff] [blame]2997 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]2998 }
2999
3000 return( ret );
Jerry Yub9930e72021-08-06 17:11:51 +0800[diff] [blame]3001}
Jerry Yu3cc4c2a2021-08-06 16:29:08 +0800[diff] [blame]3002
Jerry Yufb4b6472022-01-27 15:03:26 +0800[diff] [blame]3003#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_PROTO_TLS1_3 */