TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 8d4bbbae4f0b1039ae0ed90764f79961120e7249 / . / library / ssl_tls13_server.c
blob: adedb6df5ab26763f940dd292730adf27bc372f7 [file] [log] [blame]
Jerry Yu3cc4c2a2021-08-06 16:29:08 +0800[diff] [blame]1/*
Jerry Yub9930e72021-08-06 17:11:51 +0800[diff] [blame]2 * TLS 1.3 server-side functions
Jerry Yu3cc4c2a2021-08-06 16:29:08 +0800[diff] [blame]3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18*/
19
20#include "common.h"
21
Jerry Yufb4b6472022-01-27 15:03:26 +0800[diff] [blame]22#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
Jerry Yu3cc4c2a2021-08-06 16:29:08 +0800[diff] [blame]23
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]24#include "mbedtls/debug.h"
Xiaofei Baicba64af2022-02-15 10:00:56 +0000[diff] [blame]25#include "mbedtls/error.h"
26#include "mbedtls/platform.h"
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]27#include "mbedtls/constant_time.h"
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]28
Xiaofei Bai9ca09d42022-02-14 12:57:18 +0000[diff] [blame]29#include "ssl_misc.h"
30#include "ssl_tls13_keys.h"
31#include "ssl_debug_helpers.h"
32
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]33#if defined(MBEDTLS_ECP_C)
34#include "mbedtls/ecp.h"
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]35#endif /* MBEDTLS_ECP_C */
Jerry Yu3cc4c2a2021-08-06 16:29:08 +0800[diff] [blame]36
XiaokangQiana9c58412022-02-17 09:41:26 +0000[diff] [blame]37#if defined(MBEDTLS_PLATFORM_C)
38#include "mbedtls/platform.h"
39#else
40#include <stdlib.h>
41#define mbedtls_calloc calloc
42#define mbedtls_free free
43#endif /* MBEDTLS_PLATFORM_C */
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]44
Jerry Yu4d3841a2022-04-16 12:37:19 +0800[diff] [blame]45#include "ssl_misc.h"
46#include "ssl_tls13_keys.h"
47#include "ssl_debug_helpers.h"
48
Jerry Yuf35ba382022-08-23 17:58:26 +0800[diff] [blame]49
Jerry Yuc5a23a02022-08-25 10:51:44 +0800[diff] [blame]50static const mbedtls_ssl_ciphersuite_t *ssl_tls13_validate_peer_ciphersuite(
Jerry Yuf35ba382022-08-23 17:58:26 +0800[diff] [blame]51 mbedtls_ssl_context *ssl,
Jerry Yuc5a23a02022-08-25 10:51:44 +0800[diff] [blame]52 unsigned int cipher_suite )
Jerry Yuf35ba382022-08-23 17:58:26 +0800[diff] [blame]53{
54 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
55 if( ! mbedtls_ssl_tls13_cipher_suite_is_offered( ssl, cipher_suite ) )
56 return( NULL );
57
58 ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( cipher_suite );
59 if( ( mbedtls_ssl_validate_ciphersuite( ssl, ciphersuite_info,
60 ssl->tls_version,
61 ssl->tls_version ) != 0 ) )
62 {
63 return( NULL );
64 }
65 return( ciphersuite_info );
66}
67
Jerry Yue19e3b92022-07-08 12:04:51 +0000[diff] [blame]68#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
69/* From RFC 8446:
70 *
71 * enum { psk_ke(0), psk_dhe_ke(1), (255) } PskKeyExchangeMode;
72 * struct {
73 * PskKeyExchangeMode ke_modes<1..255>;
74 * } PskKeyExchangeModes;
75 */
Jerry Yu6e74a7e2022-07-20 20:49:32 +0800[diff] [blame]76MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yue19e3b92022-07-08 12:04:51 +0000[diff] [blame]77static int ssl_tls13_parse_key_exchange_modes_ext( mbedtls_ssl_context *ssl,
78 const unsigned char *buf,
Jerry Yu299e31f2022-07-13 23:06:36 +0800[diff] [blame]79 const unsigned char *end )
Jerry Yue19e3b92022-07-08 12:04:51 +0000[diff] [blame]80{
Jerry Yu299e31f2022-07-13 23:06:36 +0800[diff] [blame]81 const unsigned char *p = buf;
Jerry Yue19e3b92022-07-08 12:04:51 +0000[diff] [blame]82 size_t ke_modes_len;
83 int ke_modes = 0;
84
Jerry Yu854dd9e2022-07-15 14:28:27 +0800[diff] [blame]85 /* Read ke_modes length (1 Byte) */
Jerry Yu299e31f2022-07-13 23:06:36 +0800[diff] [blame]86 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 1 );
87 ke_modes_len = *p++;
Jerry Yue19e3b92022-07-08 12:04:51 +0000[diff] [blame]88 /* Currently, there are only two PSK modes, so even without looking
89 * at the content, something's wrong if the list has more than 2 items. */
90 if( ke_modes_len > 2 )
Jerry Yu299e31f2022-07-13 23:06:36 +0800[diff] [blame]91 {
92 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
93 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
Jerry Yue19e3b92022-07-08 12:04:51 +0000[diff] [blame]94 return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
Jerry Yu299e31f2022-07-13 23:06:36 +0800[diff] [blame]95 }
Jerry Yue19e3b92022-07-08 12:04:51 +0000[diff] [blame]96
Jerry Yu299e31f2022-07-13 23:06:36 +0800[diff] [blame]97 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, ke_modes_len );
Jerry Yue19e3b92022-07-08 12:04:51 +0000[diff] [blame]98
99 while( ke_modes_len-- != 0 )
100 {
Jerry Yu299e31f2022-07-13 23:06:36 +0800[diff] [blame]101 switch( *p++ )
Jerry Yue19e3b92022-07-08 12:04:51 +0000[diff] [blame]102 {
103 case MBEDTLS_SSL_TLS1_3_PSK_MODE_PURE:
104 ke_modes |= MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK;
105 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Found PSK KEX MODE" ) );
106 break;
107 case MBEDTLS_SSL_TLS1_3_PSK_MODE_ECDHE:
108 ke_modes |= MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL;
109 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Found PSK_EPHEMERAL KEX MODE" ) );
110 break;
111 default:
Jerry Yu299e31f2022-07-13 23:06:36 +0800[diff] [blame]112 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
113 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
Jerry Yue19e3b92022-07-08 12:04:51 +0000[diff] [blame]114 return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
115 }
116 }
117
118 ssl->handshake->tls13_kex_modes = ke_modes;
119 return( 0 );
120}
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]121
Jerry Yue9d4fc02022-08-20 19:21:15 +0800[diff] [blame]122#define SSL_TLS1_3_OFFERED_PSK_NOT_MATCH 1
123#define SSL_TLS1_3_OFFERED_PSK_MATCH 0
Jerry Yu95699e72022-08-21 19:22:23 +0800[diff] [blame]124
125#if defined(MBEDTLS_SSL_SESSION_TICKETS)
126
127MBEDTLS_CHECK_RETURN_CRITICAL
128static int ssl_tls13_offered_psks_check_identity_match_ticket(
129 mbedtls_ssl_context *ssl,
Jerry Yu95699e72022-08-21 19:22:23 +0800[diff] [blame]130 const unsigned char *identity,
131 size_t identity_len,
Jerry Yu8d4bbba2022-09-13 14:15:48 +0800[diff] [blame^]132 uint32_t obfuscated_ticket_age,
133 mbedtls_ssl_session *session )
Jerry Yu95699e72022-08-21 19:22:23 +0800[diff] [blame]134{
Jerry Yufd310eb2022-09-06 09:16:35 +0800[diff] [blame]135 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yu95699e72022-08-21 19:22:23 +0800[diff] [blame]136 unsigned char *ticket_buffer;
Jerry Yu8d4bbba2022-09-13 14:15:48 +0800[diff] [blame^]137#if defined(MBEDTLS_HAVE_TIME)
138 mbedtls_time_t now;
139 uint64_t age_in_s, age_in_ms, client_age_in_ms;
140#endif
Jerry Yu95699e72022-08-21 19:22:23 +0800[diff] [blame]141
142 ((void) obfuscated_ticket_age);
143
144 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> check_identity_match_ticket" ) );
145
146 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket length: %" MBEDTLS_PRINTF_SIZET
147 ". ticket_parse is %sconfigured. "
148 "ticket_write is %sconfigured.",
149 identity_len,
150 ssl->conf->f_ticket_parse == NULL ? "NOT " : "",
151 ssl->conf->f_ticket_write == NULL ? "NOT " : "" ) );
152
Jerry Yufd310eb2022-09-06 09:16:35 +0800[diff] [blame]153 /* Ticket parser is not configured, Skip */
154 if( ssl->conf->f_ticket_parse == NULL || identity_len == 0 )
Jerry Yu95699e72022-08-21 19:22:23 +0800[diff] [blame]155 return( 0 );
Jerry Yu95699e72022-08-21 19:22:23 +0800[diff] [blame]156
157 /* We create a copy of the encrypted ticket since decrypting
158 * it into the same buffer will wipe-out the original content.
159 * We do, however, need the original buffer for computing the
160 * psk binder value.
161 */
162 ticket_buffer = mbedtls_calloc( 1, identity_len );
163 if( ticket_buffer == NULL )
164 {
165 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
166 return ( MBEDTLS_ERR_SSL_ALLOC_FAILED );
167 }
168 memcpy( ticket_buffer, identity, identity_len );
169
170 if( ( ret = ssl->conf->f_ticket_parse( ssl->conf->p_ticket,
171 session,
172 ticket_buffer, identity_len ) ) != 0 )
173 {
174 if( ret == MBEDTLS_ERR_SSL_INVALID_MAC )
175 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket is not authentic" ) );
176 else if( ret == MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED )
177 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket is expired" ) );
178 else
179 MBEDTLS_SSL_DEBUG_RET( 1, "ticket_parse", ret );
180 }
181
182 /* We delete the temporary buffer */
183 mbedtls_free( ticket_buffer );
184
Jerry Yu8d4bbba2022-09-13 14:15:48 +0800[diff] [blame^]185 if( ret != 0 )
186 goto exit;
187
188 ret = MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED;
189#if defined(MBEDTLS_HAVE_TIME)
190 now = mbedtls_time( NULL );
191
192 ret = MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED;
193 if( now < session->start )
Jerry Yu95699e72022-08-21 19:22:23 +0800[diff] [blame]194 {
Jerry Yu8d4bbba2022-09-13 14:15:48 +0800[diff] [blame^]195 MBEDTLS_SSL_DEBUG_MSG(
196 3, ( "Ticket expired: now=%" MBEDTLS_PRINTF_LONGLONG
197 ", start=%" MBEDTLS_PRINTF_LONGLONG,
198 (long long)now, (long long)session->start ) );
199 goto exit;
200 }
Jerry Yu95699e72022-08-21 19:22:23 +0800[diff] [blame]201
Jerry Yu8d4bbba2022-09-13 14:15:48 +0800[diff] [blame^]202 age_in_s = (uint64_t)( now - session->start );
Jerry Yu95699e72022-08-21 19:22:23 +0800[diff] [blame]203
Jerry Yu8d4bbba2022-09-13 14:15:48 +0800[diff] [blame^]204 /* RFC 8446 section 4.6.1
205 *
206 * Servers MUST NOT use any value greater than 604800 seconds (7 days).
207 *
208 * RFC 8446 section 4.2.11.1
209 *
210 * Clients MUST NOT attempt to use tickets which have ages greater than
211 * the "ticket_lifetime" value which was provided with the ticket.
212 *
213 * For time being, the age MUST be less than 604800 seconds (7 days).
214 */
215 if( age_in_s > 604800 )
216 {
217 MBEDTLS_SSL_DEBUG_MSG(
218 3, ( "Ticket expired: Ticket age exceed limitation ticket_age=%lu",
219 (long unsigned int)age_in_s ) );
220 goto exit;
221 }
Jerry Yu95699e72022-08-21 19:22:23 +0800[diff] [blame]222
Jerry Yu8d4bbba2022-09-13 14:15:48 +0800[diff] [blame^]223 /* RFC 8446 section 4.2.10
224 *
225 * For PSKs provisioned via NewSessionTicket, a server MUST validate that
226 * the ticket age for the selected PSK identity (computed by subtracting
227 * ticket_age_add from PskIdentity.obfuscated_ticket_age modulo 2^32) is
228 * within a small tolerance of the time since the ticket was issued.
229 */
230 age_in_ms = age_in_s * 1000;
231 client_age_in_ms = obfuscated_ticket_age - session->ticket_age_add;
232 if( age_in_ms < client_age_in_ms ||
233 ( age_in_ms - client_age_in_ms ) > MBEDTLS_SSL_TLS1_3_TICKET_AGE_TOLERANCE )
234 {
235 MBEDTLS_SSL_DEBUG_MSG(
236 3, ( "Ticket expired: Ticket age outside tolerance window "
237 "( diff=%d )",
238 (int)(age_in_ms - client_age_in_ms ) ) );
239 goto exit;
240 }
241
242 ret = 0;
Jerry Yu95699e72022-08-21 19:22:23 +0800[diff] [blame]243
244#endif /* MBEDTLS_HAVE_TIME */
Jerry Yu8d4bbba2022-09-13 14:15:48 +0800[diff] [blame^]245
246exit:
247 if( ret != 0 )
248 mbedtls_ssl_session_free( session );
Jerry Yu95699e72022-08-21 19:22:23 +0800[diff] [blame]249
250 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= check_identity_match_ticket" ) );
251 return( ret );
252}
253#endif /* MBEDTLS_SSL_SESSION_TICKETS */
254
Jerry Yu6e74a7e2022-07-20 20:49:32 +0800[diff] [blame]255MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]256static int ssl_tls13_offered_psks_check_identity_match(
257 mbedtls_ssl_context *ssl,
258 const unsigned char *identity,
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]259 size_t identity_len,
Jerry Yu95699e72022-08-21 19:22:23 +0800[diff] [blame]260 uint32_t obfuscated_ticket_age,
261 void *session,
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]262 int *psk_type )
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]263{
Jerry Yu95699e72022-08-21 19:22:23 +0800[diff] [blame]264 ((void) session);
265 ((void) obfuscated_ticket_age);
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]266 *psk_type = MBEDTLS_SSL_TLS1_3_PSK_EXTERNAL;
Jerry Yu95699e72022-08-21 19:22:23 +0800[diff] [blame]267
268 MBEDTLS_SSL_DEBUG_BUF( 4, "identity", identity, identity_len );
269 ssl->handshake->resume = 0;
270
271
272
273#if defined(MBEDTLS_SSL_SESSION_TICKETS)
274 if( ssl_tls13_offered_psks_check_identity_match_ticket(
Jerry Yu8d4bbba2022-09-13 14:15:48 +0800[diff] [blame^]275 ssl, identity, identity_len, obfuscated_ticket_age,
276 (mbedtls_ssl_session *)session ) == SSL_TLS1_3_OFFERED_PSK_MATCH )
Jerry Yu95699e72022-08-21 19:22:23 +0800[diff] [blame]277 {
278 mbedtls_ssl_session *i_session=(mbedtls_ssl_session *)session;
279 ssl->handshake->resume = 1;
280 *psk_type = MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION;
281 mbedtls_ssl_set_hs_psk( ssl,
282 i_session->resumption_key,
283 i_session->resumption_key_len );
284
285 MBEDTLS_SSL_DEBUG_BUF( 4, "Ticket-resumed PSK:",
286 i_session->resumption_key,
287 i_session->resumption_key_len );
288 MBEDTLS_SSL_DEBUG_MSG( 4, ( "ticket: obfuscated_ticket_age: %u",
289 (unsigned)obfuscated_ticket_age ) );
290 return( SSL_TLS1_3_OFFERED_PSK_MATCH );
291 }
292#endif /* MBEDTLS_SSL_SESSION_TICKETS */
293
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]294 /* Check identity with external configured function */
295 if( ssl->conf->f_psk != NULL )
296 {
297 if( ssl->conf->f_psk(
298 ssl->conf->p_psk, ssl, identity, identity_len ) == 0 )
299 {
300 return( SSL_TLS1_3_OFFERED_PSK_MATCH );
301 }
302 return( SSL_TLS1_3_OFFERED_PSK_NOT_MATCH );
303 }
304
Jerry Yu96a2e362022-07-21 15:11:34 +0800[diff] [blame]305 MBEDTLS_SSL_DEBUG_BUF( 5, "identity", identity, identity_len );
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]306 /* Check identity with pre-configured psk */
Jerry Yu2f0abc92022-07-22 19:34:48 +0800[diff] [blame]307 if( ssl->conf->psk_identity != NULL &&
308 identity_len == ssl->conf->psk_identity_len &&
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]309 mbedtls_ct_memcmp( ssl->conf->psk_identity,
310 identity, identity_len ) == 0 )
311 {
312 mbedtls_ssl_set_hs_psk( ssl, ssl->conf->psk, ssl->conf->psk_len );
313 return( SSL_TLS1_3_OFFERED_PSK_MATCH );
314 }
315
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]316 return( SSL_TLS1_3_OFFERED_PSK_NOT_MATCH );
317}
318
Jerry Yu6e74a7e2022-07-20 20:49:32 +0800[diff] [blame]319MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yu96a2e362022-07-21 15:11:34 +0800[diff] [blame]320static int ssl_tls13_offered_psks_check_binder_match( mbedtls_ssl_context *ssl,
321 const unsigned char *binder,
Jerry Yue95c8af2022-07-26 15:48:20 +0800[diff] [blame]322 size_t binder_len,
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]323 int psk_type,
Jerry Yu29d9faa2022-08-23 17:52:45 +0800[diff] [blame]324 psa_algorithm_t psk_hash_alg )
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]325{
326 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yu96a2e362022-07-21 15:11:34 +0800[diff] [blame]327
Jerry Yudaf375a2022-07-20 21:31:43 +0800[diff] [blame]328 unsigned char transcript[PSA_HASH_MAX_SIZE];
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]329 size_t transcript_len;
Jerry Yu2f0abc92022-07-22 19:34:48 +0800[diff] [blame]330 unsigned char *psk;
Jerry Yu96a2e362022-07-21 15:11:34 +0800[diff] [blame]331 size_t psk_len;
Jerry Yudaf375a2022-07-20 21:31:43 +0800[diff] [blame]332 unsigned char server_computed_binder[PSA_HASH_MAX_SIZE];
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]333
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]334 /* Get current state of handshake transcript. */
Jerry Yu29d9faa2022-08-23 17:52:45 +0800[diff] [blame]335 ret = mbedtls_ssl_get_handshake_transcript(
336 ssl, mbedtls_hash_info_md_from_psa( psk_hash_alg ),
337 transcript, sizeof( transcript ), &transcript_len );
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]338 if( ret != 0 )
339 return( ret );
340
Jerry Yu40f37712022-07-26 16:58:57 +0800[diff] [blame]341 ret = mbedtls_ssl_tls13_export_handshake_psk( ssl, &psk, &psk_len );
Jerry Yu96a2e362022-07-21 15:11:34 +0800[diff] [blame]342 if( ret != 0 )
343 return( ret );
344
Jerry Yu29d9faa2022-08-23 17:52:45 +0800[diff] [blame]345 ret = mbedtls_ssl_tls13_create_psk_binder( ssl, psk_hash_alg,
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]346 psk, psk_len, psk_type,
347 transcript,
348 server_computed_binder );
Jerry Yu96a2e362022-07-21 15:11:34 +0800[diff] [blame]349#if defined(MBEDTLS_USE_PSA_CRYPTO)
350 mbedtls_free( (void*)psk );
351#endif
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]352 if( ret != 0 )
353 {
354 MBEDTLS_SSL_DEBUG_MSG( 1, ( "PSK binder calculation failed." ) );
355 return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
356 }
357
358 MBEDTLS_SSL_DEBUG_BUF( 3, "psk binder ( computed ): ",
Jerry Yu2f0abc92022-07-22 19:34:48 +0800[diff] [blame]359 server_computed_binder, transcript_len );
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]360 MBEDTLS_SSL_DEBUG_BUF( 3, "psk binder ( received ): ", binder, binder_len );
361
362 if( mbedtls_ct_memcmp( server_computed_binder, binder, binder_len ) == 0 )
363 {
364 return( SSL_TLS1_3_OFFERED_PSK_MATCH );
365 }
366
Jerry Yudaf375a2022-07-20 21:31:43 +0800[diff] [blame]367 mbedtls_platform_zeroize( server_computed_binder,
368 sizeof( server_computed_binder ) );
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]369 return( SSL_TLS1_3_OFFERED_PSK_NOT_MATCH );
370}
Jerry Yu96a2e362022-07-21 15:11:34 +0800[diff] [blame]371
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]372MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yuf35ba382022-08-23 17:58:26 +0800[diff] [blame]373static int ssl_tls13_select_ciphersuite_for_psk(
374 mbedtls_ssl_context *ssl,
375 const unsigned char *cipher_suites,
376 const unsigned char *cipher_suites_end,
377 uint16_t *selected_ciphersuite,
378 const mbedtls_ssl_ciphersuite_t **selected_ciphersuite_info )
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]379{
Jerry Yuf35ba382022-08-23 17:58:26 +0800[diff] [blame]380 psa_algorithm_t psk_hash_alg = PSA_ALG_SHA_256;
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]381
Jerry Yu0baf9072022-08-25 11:21:04 +0800[diff] [blame]382 *selected_ciphersuite = 0;
383 *selected_ciphersuite_info = NULL;
384
Jerry Yuf35ba382022-08-23 17:58:26 +0800[diff] [blame]385 /* RFC 8446, page 55.
386 *
387 * For externally established PSKs, the Hash algorithm MUST be set when the
388 * PSK is established or default to SHA-256 if no such algorithm is defined.
389 *
390 */
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]391
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]392 /*
393 * Search for a matching ciphersuite
394 */
Jerry Yu1e05b6d2022-08-31 10:35:52 +0800[diff] [blame]395 for ( const unsigned char *p = cipher_suites;
396 p < cipher_suites_end; p += 2 )
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]397 {
398 uint16_t cipher_suite;
Jerry Yuf35ba382022-08-23 17:58:26 +0800[diff] [blame]399 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]400
401 cipher_suite = MBEDTLS_GET_UINT16_BE( p, 0 );
Jerry Yuc5a23a02022-08-25 10:51:44 +0800[diff] [blame]402 ciphersuite_info = ssl_tls13_validate_peer_ciphersuite( ssl,
403 cipher_suite );
Jerry Yuf35ba382022-08-23 17:58:26 +0800[diff] [blame]404 if( ciphersuite_info == NULL )
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]405 continue;
406
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]407 /* MAC of selected ciphersuite MUST be same with PSK binder if exist.
408 * Otherwise, client should reject.
409 */
Jerry Yuf35ba382022-08-23 17:58:26 +0800[diff] [blame]410 if( psk_hash_alg == mbedtls_psa_translate_md( ciphersuite_info->mac ) )
411 {
412 *selected_ciphersuite = cipher_suite;
413 *selected_ciphersuite_info = ciphersuite_info;
414 return( 0 );
415 }
416 }
417 MBEDTLS_SSL_DEBUG_MSG( 2, ( "No matched ciphersuite" ) );
418 return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
419}
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]420
Jerry Yu82534862022-08-30 10:42:33 +0800[diff] [blame]421#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Jerry Yuf35ba382022-08-23 17:58:26 +0800[diff] [blame]422MBEDTLS_CHECK_RETURN_CRITICAL
423static int ssl_tls13_select_ciphersuite_for_resumption(
424 mbedtls_ssl_context *ssl,
425 const unsigned char *cipher_suites,
426 const unsigned char *cipher_suites_end,
427 mbedtls_ssl_session *session,
428 uint16_t *selected_ciphersuite,
429 const mbedtls_ssl_ciphersuite_t **selected_ciphersuite_info )
430{
Jerry Yu82534862022-08-30 10:42:33 +0800[diff] [blame]431
Jerry Yuf35ba382022-08-23 17:58:26 +0800[diff] [blame]432 *selected_ciphersuite = 0;
433 *selected_ciphersuite_info = NULL;
Jerry Yu82534862022-08-30 10:42:33 +0800[diff] [blame]434 for( const unsigned char *p = cipher_suites; p < cipher_suites_end; p += 2 )
435 {
436 uint16_t cipher_suite = MBEDTLS_GET_UINT16_BE( p, 0 );
437 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
438
439 if( cipher_suite != session->ciphersuite )
440 continue;
441
442 ciphersuite_info = ssl_tls13_validate_peer_ciphersuite( ssl,
443 cipher_suite );
444 if( ciphersuite_info == NULL )
445 continue;
446
447 *selected_ciphersuite = session->ciphersuite;
448 *selected_ciphersuite_info = ciphersuite_info;
449
450 return( 0 );
451
452 }
453
454 return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]455}
Jerry Yuf35ba382022-08-23 17:58:26 +0800[diff] [blame]456
Jerry Yu82534862022-08-30 10:42:33 +0800[diff] [blame]457MBEDTLS_CHECK_RETURN_CRITICAL
458static int ssl_tls13_session_copy( mbedtls_ssl_session *dst,
459 mbedtls_ssl_session *src )
460{
461 dst->endpoint = src->endpoint;
462 dst->ciphersuite = src->ciphersuite;
463 dst->ticket_age_add = src->ticket_age_add;
464 dst->ticket_flags = src->ticket_flags;
465 dst->resumption_key_len = src->resumption_key_len;
466 if( src->resumption_key_len == 0 )
467 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
468 memcpy( dst->resumption_key, src->resumption_key, src->resumption_key_len );
469#if defined(MBEDTLS_HAVE_TIME)
470 dst->start = src->start;
471#endif
472 return( 0 );
473}
474#endif /* MBEDTLS_SSL_SESSION_TICKETS */
475
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]476/* Parser for pre_shared_key extension in client hello
477 * struct {
478 * opaque identity<1..2^16-1>;
479 * uint32 obfuscated_ticket_age;
480 * } PskIdentity;
481 *
482 * opaque PskBinderEntry<32..255>;
483 *
484 * struct {
485 * PskIdentity identities<7..2^16-1>;
486 * PskBinderEntry binders<33..2^16-1>;
487 * } OfferedPsks;
488 *
489 * struct {
490 * select (Handshake.msg_type) {
491 * case client_hello: OfferedPsks;
492 * ....
493 * };
494 * } PreSharedKeyExtension;
495 */
Jerry Yu6e74a7e2022-07-20 20:49:32 +0800[diff] [blame]496MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yubb852022022-07-20 21:10:44 +0800[diff] [blame]497static int ssl_tls13_parse_pre_shared_key_ext( mbedtls_ssl_context *ssl,
Jerry Yu29d9faa2022-08-23 17:52:45 +0800[diff] [blame]498 const unsigned char *pre_shared_key_ext,
499 const unsigned char *pre_shared_key_ext_end,
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]500 const unsigned char *ciphersuites,
501 const unsigned char *ciphersuites_end )
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]502{
Jerry Yu29d9faa2022-08-23 17:52:45 +0800[diff] [blame]503 const unsigned char *identities = pre_shared_key_ext;
Jerry Yu568ec252022-07-22 21:27:34 +0800[diff] [blame]504 const unsigned char *p_identity_len;
505 size_t identities_len;
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]506 const unsigned char *identities_end;
Jerry Yu568ec252022-07-22 21:27:34 +0800[diff] [blame]507 const unsigned char *binders;
508 const unsigned char *p_binder_len;
509 size_t binders_len;
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]510 const unsigned char *binders_end;
Jerry Yu96a2e362022-07-21 15:11:34 +0800[diff] [blame]511 int matched_identity = -1;
512 int identity_id = -1;
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]513
Jerry Yu29d9faa2022-08-23 17:52:45 +0800[diff] [blame]514 MBEDTLS_SSL_DEBUG_BUF( 3, "pre_shared_key extension",
515 pre_shared_key_ext,
516 pre_shared_key_ext_end - pre_shared_key_ext );
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]517
Jerry Yu96a2e362022-07-21 15:11:34 +0800[diff] [blame]518 /* identities_len 2 bytes
519 * identities_data >= 7 bytes
520 */
Jerry Yu29d9faa2022-08-23 17:52:45 +0800[diff] [blame]521 MBEDTLS_SSL_CHK_BUF_READ_PTR( identities, pre_shared_key_ext_end, 7 + 2 );
Jerry Yu568ec252022-07-22 21:27:34 +0800[diff] [blame]522 identities_len = MBEDTLS_GET_UINT16_BE( identities, 0 );
523 p_identity_len = identities + 2;
Jerry Yu29d9faa2022-08-23 17:52:45 +0800[diff] [blame]524 MBEDTLS_SSL_CHK_BUF_READ_PTR( p_identity_len, pre_shared_key_ext_end,
525 identities_len );
Jerry Yu568ec252022-07-22 21:27:34 +0800[diff] [blame]526 identities_end = p_identity_len + identities_len;
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]527
Jerry Yu96a2e362022-07-21 15:11:34 +0800[diff] [blame]528 /* binders_len 2 bytes
529 * binders >= 33 bytes
530 */
Jerry Yu568ec252022-07-22 21:27:34 +0800[diff] [blame]531 binders = identities_end;
Jerry Yu29d9faa2022-08-23 17:52:45 +0800[diff] [blame]532 MBEDTLS_SSL_CHK_BUF_READ_PTR( binders, pre_shared_key_ext_end, 33 + 2 );
Jerry Yu568ec252022-07-22 21:27:34 +0800[diff] [blame]533 binders_len = MBEDTLS_GET_UINT16_BE( binders, 0 );
534 p_binder_len = binders + 2;
Jerry Yu29d9faa2022-08-23 17:52:45 +0800[diff] [blame]535 MBEDTLS_SSL_CHK_BUF_READ_PTR( p_binder_len, pre_shared_key_ext_end, binders_len );
Jerry Yu568ec252022-07-22 21:27:34 +0800[diff] [blame]536 binders_end = p_binder_len + binders_len;
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]537
Jerry Yu29d9faa2022-08-23 17:52:45 +0800[diff] [blame]538 ssl->handshake->update_checksum( ssl, pre_shared_key_ext,
539 identities_end - pre_shared_key_ext );
Jerry Yu96a2e362022-07-21 15:11:34 +0800[diff] [blame]540
Jerry Yu568ec252022-07-22 21:27:34 +0800[diff] [blame]541 while( p_identity_len < identities_end && p_binder_len < binders_end )
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]542 {
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]543 const unsigned char *identity;
Jerry Yu568ec252022-07-22 21:27:34 +0800[diff] [blame]544 size_t identity_len;
Jerry Yu82534862022-08-30 10:42:33 +0800[diff] [blame]545 uint32_t obfuscated_ticket_age;
Jerry Yu96a2e362022-07-21 15:11:34 +0800[diff] [blame]546 const unsigned char *binder;
Jerry Yu568ec252022-07-22 21:27:34 +0800[diff] [blame]547 size_t binder_len;
Jerry Yu96a2e362022-07-21 15:11:34 +0800[diff] [blame]548 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]549 int psk_type;
550 uint16_t cipher_suite;
Jerry Yu29d9faa2022-08-23 17:52:45 +0800[diff] [blame]551 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
Jerry Yu82534862022-08-30 10:42:33 +0800[diff] [blame]552#if defined(MBEDTLS_SSL_SESSION_TICKETS)
553 mbedtls_ssl_session session;
554 memset( &session, 0, sizeof( session ) );
555#endif
Jerry Yubb852022022-07-20 21:10:44 +0800[diff] [blame]556
Jerry Yu568ec252022-07-22 21:27:34 +0800[diff] [blame]557 MBEDTLS_SSL_CHK_BUF_READ_PTR( p_identity_len, identities_end, 2 + 1 + 4 );
558 identity_len = MBEDTLS_GET_UINT16_BE( p_identity_len, 0 );
559 identity = p_identity_len + 2;
560 MBEDTLS_SSL_CHK_BUF_READ_PTR( identity, identities_end, identity_len + 4 );
Jerry Yu82534862022-08-30 10:42:33 +0800[diff] [blame]561 obfuscated_ticket_age = MBEDTLS_GET_UINT32_BE( identity , identity_len );
Jerry Yu568ec252022-07-22 21:27:34 +0800[diff] [blame]562 p_identity_len += identity_len + 6;
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]563
Jerry Yu568ec252022-07-22 21:27:34 +0800[diff] [blame]564 MBEDTLS_SSL_CHK_BUF_READ_PTR( p_binder_len, binders_end, 1 + 32 );
565 binder_len = *p_binder_len;
566 binder = p_binder_len + 1;
567 MBEDTLS_SSL_CHK_BUF_READ_PTR( binder, binders_end, binder_len );
568 p_binder_len += binder_len + 1;
Jerry Yu96a2e362022-07-21 15:11:34 +0800[diff] [blame]569
Jerry Yu96a2e362022-07-21 15:11:34 +0800[diff] [blame]570 identity_id++;
571 if( matched_identity != -1 )
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]572 continue;
573
Jerry Yu96a2e362022-07-21 15:11:34 +0800[diff] [blame]574 ret = ssl_tls13_offered_psks_check_identity_match(
Jerry Yu82534862022-08-30 10:42:33 +0800[diff] [blame]575 ssl, identity, identity_len, obfuscated_ticket_age,
576 &session, &psk_type );
Jerry Yue95c8af2022-07-26 15:48:20 +0800[diff] [blame]577 if( ret != SSL_TLS1_3_OFFERED_PSK_MATCH )
Jerry Yu96a2e362022-07-21 15:11:34 +0800[diff] [blame]578 continue;
579
Jerry Yuf35ba382022-08-23 17:58:26 +0800[diff] [blame]580 MBEDTLS_SSL_DEBUG_MSG( 4, ( "found matched identity" ) );
Jerry Yu0baf9072022-08-25 11:21:04 +0800[diff] [blame]581 switch( psk_type )
582 {
583 case MBEDTLS_SSL_TLS1_3_PSK_EXTERNAL:
584 ret = ssl_tls13_select_ciphersuite_for_psk(
585 ssl, ciphersuites, ciphersuites_end,
586 &cipher_suite, &ciphersuite_info );
587 break;
588 case MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION:
Jerry Yu82534862022-08-30 10:42:33 +0800[diff] [blame]589#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Jerry Yu0baf9072022-08-25 11:21:04 +0800[diff] [blame]590 ret = ssl_tls13_select_ciphersuite_for_resumption(
Jerry Yu82534862022-08-30 10:42:33 +0800[diff] [blame]591 ssl, ciphersuites, ciphersuites_end, &session,
Jerry Yu0baf9072022-08-25 11:21:04 +0800[diff] [blame]592 &cipher_suite, &ciphersuite_info );
Jerry Yu82534862022-08-30 10:42:33 +0800[diff] [blame]593#else
594 ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
595#endif
Jerry Yu0baf9072022-08-25 11:21:04 +0800[diff] [blame]596 break;
597 default:
598 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
599 }
Jerry Yuf35ba382022-08-23 17:58:26 +0800[diff] [blame]600 if( ret != 0 )
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]601 {
Jerry Yuf35ba382022-08-23 17:58:26 +0800[diff] [blame]602 /* See below, no cipher_suite available, abort handshake */
603 MBEDTLS_SSL_PEND_FATAL_ALERT(
604 MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR,
605 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
606 MBEDTLS_SSL_DEBUG_RET(
Jerry Yu0baf9072022-08-25 11:21:04 +0800[diff] [blame]607 2, "ssl_tls13_select_ciphersuite", ret );
Jerry Yuf35ba382022-08-23 17:58:26 +0800[diff] [blame]608 return( ret );
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]609 }
610
Jerry Yu96a2e362022-07-21 15:11:34 +0800[diff] [blame]611 ret = ssl_tls13_offered_psks_check_binder_match(
Jerry Yu29d9faa2022-08-23 17:52:45 +0800[diff] [blame]612 ssl, binder, binder_len, psk_type,
613 mbedtls_psa_translate_md( ciphersuite_info->mac ) );
Jerry Yue9d4fc02022-08-20 19:21:15 +0800[diff] [blame]614 if( ret != SSL_TLS1_3_OFFERED_PSK_MATCH )
Jerry Yu96a2e362022-07-21 15:11:34 +0800[diff] [blame]615 {
Jerry Yuc5a23a02022-08-25 10:51:44 +0800[diff] [blame]616 /* For security reasons, the handshake should be aborted when we
617 * fail to validate a binder value. See RFC 8446 section 4.2.11.2
618 * and appendix E.6. */
Jerry Yu82534862022-08-30 10:42:33 +0800[diff] [blame]619#if defined(MBEDTLS_SSL_SESSION_TICKETS)
620 mbedtls_ssl_session_free( &session );
621#endif
Jerry Yuc5a23a02022-08-25 10:51:44 +0800[diff] [blame]622 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Invalid binder." ) );
Jerry Yu96a2e362022-07-21 15:11:34 +0800[diff] [blame]623 MBEDTLS_SSL_DEBUG_RET( 1,
624 "ssl_tls13_offered_psks_check_binder_match" , ret );
625 MBEDTLS_SSL_PEND_FATAL_ALERT(
626 MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR,
627 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
628 return( ret );
629 }
Jerry Yu96a2e362022-07-21 15:11:34 +0800[diff] [blame]630
631 matched_identity = identity_id;
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]632
633 /* Update handshake parameters */
Jerry Yue5834fd2022-08-29 20:16:09 +0800[diff] [blame]634 ssl->handshake->ciphersuite_info = ciphersuite_info;
Jerry Yu82534862022-08-30 10:42:33 +0800[diff] [blame]635 if( psk_type == MBEDTLS_SSL_TLS1_3_PSK_EXTERNAL )
636 {
637 ssl->session_negotiate->ciphersuite = cipher_suite;
638 MBEDTLS_SSL_DEBUG_MSG( 2, ( "overwrite ciphersuite: %04x - %s",
639 cipher_suite,
640 ciphersuite_info->name ) );
641 }
642#if defined(MBEDTLS_SSL_SESSION_TICKETS)
643 else
644 if( psk_type == MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION )
645 {
646 ret = ssl_tls13_session_copy(ssl->session_negotiate, &session );
647 mbedtls_ssl_session_free( &session );
648 if( ret != 0 )
649 return( ret );
650 }
651#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]652 }
653
Jerry Yu568ec252022-07-22 21:27:34 +0800[diff] [blame]654 if( p_identity_len != identities_end || p_binder_len != binders_end )
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]655 {
656 MBEDTLS_SSL_DEBUG_MSG( 3, ( "pre_shared_key extesion decode error" ) );
657 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
658 MBEDTLS_ERR_SSL_DECODE_ERROR );
659 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
660 }
661
Jerry Yu6f1db3f2022-07-22 23:05:59 +0800[diff] [blame]662 /* Update the handshake transcript with the binder list. */
663 ssl->handshake->update_checksum( ssl,
664 identities_end,
665 (size_t)( binders_end - identities_end ) );
Jerry Yu96a2e362022-07-21 15:11:34 +0800[diff] [blame]666 if( matched_identity == -1 )
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]667 {
Jerry Yue9d4fc02022-08-20 19:21:15 +0800[diff] [blame]668 MBEDTLS_SSL_DEBUG_MSG( 3, ( "No matched PSK or ticket." ) );
Jerry Yu96a2e362022-07-21 15:11:34 +0800[diff] [blame]669 return( MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY );
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]670 }
671
Jerry Yu96a2e362022-07-21 15:11:34 +0800[diff] [blame]672 ssl->handshake->selected_identity = (uint16_t)matched_identity;
673 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Pre shared key found" ) );
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]674
Jerry Yu96a2e362022-07-21 15:11:34 +0800[diff] [blame]675 return( 0 );
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]676}
Jerry Yu032b15ce2022-07-11 06:10:03 +0000[diff] [blame]677
678/*
679 * struct {
680 * select ( Handshake.msg_type ) {
681 * ....
682 * case server_hello:
683 * uint16 selected_identity;
684 * }
685 * } PreSharedKeyExtension;
686 */
Jerry Yubb852022022-07-20 21:10:44 +0800[diff] [blame]687static int ssl_tls13_write_server_pre_shared_key_ext( mbedtls_ssl_context *ssl,
688 unsigned char *buf,
689 unsigned char *end,
690 size_t *olen )
Jerry Yu032b15ce2022-07-11 06:10:03 +0000[diff] [blame]691{
692 unsigned char *p = (unsigned char*)buf;
Jerry Yu032b15ce2022-07-11 06:10:03 +0000[diff] [blame]693
694 *olen = 0;
695
696#if defined(MBEDTLS_USE_PSA_CRYPTO)
697 if( mbedtls_svc_key_id_is_null( ssl->handshake->psk_opaque ) )
698#else
699 if( ssl->handshake->psk == NULL )
700#endif
701 {
702 /* We shouldn't have called this extension writer unless we've
703 * chosen to use a PSK. */
704 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
705 }
706
707 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding pre_shared_key extension" ) );
708 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 6 );
709
Jerry Yu032b15ce2022-07-11 06:10:03 +0000[diff] [blame]710 MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_PRE_SHARED_KEY, p, 0 );
Jerry Yu032b15ce2022-07-11 06:10:03 +0000[diff] [blame]711 MBEDTLS_PUT_UINT16_BE( 2, p, 2 );
712
Jerry Yu96a2e362022-07-21 15:11:34 +0800[diff] [blame]713 MBEDTLS_PUT_UINT16_BE( ssl->handshake->selected_identity, p, 4 );
Jerry Yu032b15ce2022-07-11 06:10:03 +0000[diff] [blame]714
715 *olen = 6;
716
Jerry Yu96a2e362022-07-21 15:11:34 +0800[diff] [blame]717 MBEDTLS_SSL_DEBUG_MSG( 4, ( "sent selected_identity: %u",
718 ssl->handshake->selected_identity ) );
Jerry Yu032b15ce2022-07-11 06:10:03 +0000[diff] [blame]719
720 return( 0 );
721}
722
Jerry Yue19e3b92022-07-08 12:04:51 +0000[diff] [blame]723#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
724
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]725/* From RFC 8446:
726 * struct {
XiaokangQiancfd925f2022-04-14 07:10:37 +0000[diff] [blame]727 * ProtocolVersion versions<2..254>;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]728 * } SupportedVersions;
729 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]730MBEDTLS_CHECK_RETURN_CRITICAL
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]731static int ssl_tls13_parse_supported_versions_ext( mbedtls_ssl_context *ssl,
732 const unsigned char *buf,
733 const unsigned char *end )
734{
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]735 const unsigned char *p = buf;
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]736 size_t versions_len;
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]737 const unsigned char *versions_end;
XiaokangQian0a1b54e2022-04-21 03:01:38 +0000[diff] [blame]738 uint16_t tls_version;
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]739 int tls13_supported = 0;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]740
741 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 1 );
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]742 versions_len = p[0];
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]743 p += 1;
744
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]745 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, versions_len );
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]746 versions_end = p + versions_len;
747 while( p < versions_end )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]748 {
XiaokangQiancfd925f2022-04-14 07:10:37 +0000[diff] [blame]749 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, versions_end, 2 );
XiaokangQiande333912022-04-20 08:49:42 +0000[diff] [blame]750 tls_version = mbedtls_ssl_read_version( p, ssl->conf->transport );
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]751 p += 2;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]752
753 /* In this implementation we only support TLS 1.3 and DTLS 1.3. */
XiaokangQiande333912022-04-20 08:49:42 +0000[diff] [blame]754 if( tls_version == MBEDTLS_SSL_VERSION_TLS1_3 )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]755 {
756 tls13_supported = 1;
757 break;
758 }
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]759 }
760
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]761 if( !tls13_supported )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]762 {
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]763 MBEDTLS_SSL_DEBUG_MSG( 1, ( "TLS 1.3 is not supported by the client" ) );
764
765 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION,
766 MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION );
767 return( MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION );
768 }
769
XiaokangQiande333912022-04-20 08:49:42 +0000[diff] [blame]770 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Negotiated version. Supported is [%04x]",
XiaokangQian0a1b54e2022-04-21 03:01:38 +0000[diff] [blame]771 (unsigned int)tls_version ) );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]772
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]773 return( 0 );
774}
775
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]776#if defined(MBEDTLS_ECDH_C)
XiaokangQiane8ff3502022-04-22 02:34:40 +0000[diff] [blame]777/*
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]778 *
779 * From RFC 8446:
780 * enum {
781 * ... (0xFFFF)
782 * } NamedGroup;
783 * struct {
784 * NamedGroup named_group_list<2..2^16-1>;
785 * } NamedGroupList;
786 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]787MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yuc1be19f2022-04-23 16:11:39 +0800[diff] [blame]788static int ssl_tls13_parse_supported_groups_ext( mbedtls_ssl_context *ssl,
789 const unsigned char *buf,
790 const unsigned char *end )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]791{
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]792 const unsigned char *p = buf;
XiaokangQian84823772022-04-19 07:57:30 +0000[diff] [blame]793 size_t named_group_list_len;
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]794 const unsigned char *named_group_list_end;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]795
796 MBEDTLS_SSL_DEBUG_BUF( 3, "supported_groups extension", p, end - buf );
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]797 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]798 named_group_list_len = MBEDTLS_GET_UINT16_BE( p, 0 );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]799 p += 2;
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]800 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, named_group_list_len );
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]801 named_group_list_end = p + named_group_list_len;
XiaokangQian4e8cd7b2022-04-21 09:48:09 +0000[diff] [blame]802 ssl->handshake->hrr_selected_group = 0;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]803
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]804 while( p < named_group_list_end )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]805 {
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]806 uint16_t named_group;
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]807 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, named_group_list_end, 2 );
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]808 named_group = MBEDTLS_GET_UINT16_BE( p, 0 );
809 p += 2;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]810
Jerry Yuc1be19f2022-04-23 16:11:39 +0800[diff] [blame]811 MBEDTLS_SSL_DEBUG_MSG( 2,
812 ( "got named group: %s(%04x)",
813 mbedtls_ssl_named_group_to_str( named_group ),
814 named_group ) );
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]815
816 if( ! mbedtls_ssl_named_group_is_offered( ssl, named_group ) ||
817 ! mbedtls_ssl_named_group_is_supported( named_group ) ||
XiaokangQian4e8cd7b2022-04-21 09:48:09 +0000[diff] [blame]818 ssl->handshake->hrr_selected_group != 0 )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]819 {
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]820 continue;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]821 }
822
Jerry Yuc1be19f2022-04-23 16:11:39 +0800[diff] [blame]823 MBEDTLS_SSL_DEBUG_MSG( 2,
824 ( "add named group %s(%04x) into received list.",
825 mbedtls_ssl_named_group_to_str( named_group ),
826 named_group ) );
827
XiaokangQian4e8cd7b2022-04-21 09:48:09 +0000[diff] [blame]828 ssl->handshake->hrr_selected_group = named_group;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]829 }
830
831 return( 0 );
832
833}
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]834#endif /* MBEDTLS_ECDH_C */
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]835
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]836#define SSL_TLS1_3_PARSE_KEY_SHARES_EXT_NO_MATCH 1
837
XiaokangQian88408882022-04-02 10:15:03 +0000[diff] [blame]838#if defined(MBEDTLS_ECDH_C)
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]839/*
840 * ssl_tls13_parse_key_shares_ext() verifies whether the information in the
XiaokangQiane8ff3502022-04-22 02:34:40 +0000[diff] [blame]841 * extension is correct and stores the first acceptable key share and its associated group.
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]842 *
843 * Possible return values are:
844 * - 0: Successful processing of the client provided key share extension.
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]845 * - SSL_TLS1_3_PARSE_KEY_SHARES_EXT_NO_MATCH: The key shares provided by the client
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]846 * does not match a group supported by the server. A HelloRetryRequest will
847 * be needed.
XiaokangQiane8ff3502022-04-22 02:34:40 +0000[diff] [blame]848 * - A negative value for fatal errors.
Jerry Yuc1be19f2022-04-23 16:11:39 +0800[diff] [blame]849 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]850MBEDTLS_CHECK_RETURN_CRITICAL
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]851static int ssl_tls13_parse_key_shares_ext( mbedtls_ssl_context *ssl,
852 const unsigned char *buf,
853 const unsigned char *end )
854{
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]855 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]856 unsigned char const *p = buf;
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]857 unsigned char const *client_shares_end;
Jerry Yuc1be19f2022-04-23 16:11:39 +0800[diff] [blame]858 size_t client_shares_len;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]859
860 /* From RFC 8446:
861 *
862 * struct {
863 * KeyShareEntry client_shares<0..2^16-1>;
864 * } KeyShareClientHello;
865 *
866 */
867
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]868 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]869 client_shares_len = MBEDTLS_GET_UINT16_BE( p, 0 );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]870 p += 2;
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]871 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, client_shares_len );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]872
873 ssl->handshake->offered_group_id = 0;
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]874 client_shares_end = p + client_shares_len;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]875
876 /* We try to find a suitable key share entry and copy it to the
877 * handshake context. Later, we have to find out whether we can do
878 * something with the provided key share or whether we have to
XiaokangQianc5763b52022-04-02 03:34:37 +0000[diff] [blame]879 * dismiss it and send a HelloRetryRequest message.
880 */
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]881
Jerry Yuc1be19f2022-04-23 16:11:39 +0800[diff] [blame]882 while( p < client_shares_end )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]883 {
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000[diff] [blame]884 uint16_t group;
Jerry Yuc1be19f2022-04-23 16:11:39 +0800[diff] [blame]885 size_t key_exchange_len;
Jerry Yu086edc22022-05-05 10:50:38 +0800[diff] [blame]886 const unsigned char *key_exchange;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]887
888 /*
889 * struct {
890 * NamedGroup group;
891 * opaque key_exchange<1..2^16-1>;
892 * } KeyShareEntry;
893 */
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]894 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, client_shares_end, 4 );
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000[diff] [blame]895 group = MBEDTLS_GET_UINT16_BE( p, 0 );
Jerry Yuc1be19f2022-04-23 16:11:39 +0800[diff] [blame]896 key_exchange_len = MBEDTLS_GET_UINT16_BE( p, 2 );
897 p += 4;
Jerry Yu086edc22022-05-05 10:50:38 +0800[diff] [blame]898 key_exchange = p;
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]899 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, client_shares_end, key_exchange_len );
Jerry Yu086edc22022-05-05 10:50:38 +0800[diff] [blame]900 p += key_exchange_len;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]901
902 /* Continue parsing even if we have already found a match,
XiaokangQianc5763b52022-04-02 03:34:37 +0000[diff] [blame]903 * for input validation purposes.
904 */
XiaokangQian060d8672022-04-21 09:24:56 +0000[diff] [blame]905 if( ! mbedtls_ssl_named_group_is_offered( ssl, group ) ||
Jerry Yuc1be19f2022-04-23 16:11:39 +0800[diff] [blame]906 ! mbedtls_ssl_named_group_is_supported( group ) ||
907 ssl->handshake->offered_group_id != 0 )
XiaokangQian060d8672022-04-21 09:24:56 +0000[diff] [blame]908 {
909 continue;
910 }
XiaokangQian060d8672022-04-21 09:24:56 +0000[diff] [blame]911
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]912 /*
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]913 * For now, we only support ECDHE groups.
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]914 */
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000[diff] [blame]915 if( mbedtls_ssl_tls13_named_group_is_ecdhe( group ) )
916 {
Jerry Yuc1be19f2022-04-23 16:11:39 +0800[diff] [blame]917 MBEDTLS_SSL_DEBUG_MSG( 2, ( "ECDH group: %s (%04x)",
918 mbedtls_ssl_named_group_to_str( group ),
919 group ) );
XiaokangQian318dc762022-04-20 09:43:51 +0000[diff] [blame]920 ret = mbedtls_ssl_tls13_read_public_ecdhe_share(
Jerry Yu086edc22022-05-05 10:50:38 +0800[diff] [blame]921 ssl, key_exchange - 2, key_exchange_len + 2 );
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000[diff] [blame]922 if( ret != 0 )
923 return( ret );
XiaokangQian4e8cd7b2022-04-21 09:48:09 +0000[diff] [blame]924
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000[diff] [blame]925 }
926 else
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]927 {
928 MBEDTLS_SSL_DEBUG_MSG( 4, ( "Unrecognized NamedGroup %u",
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000[diff] [blame]929 (unsigned) group ) );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]930 continue;
931 }
932
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000[diff] [blame]933 ssl->handshake->offered_group_id = group;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]934 }
935
Jerry Yuc1be19f2022-04-23 16:11:39 +0800[diff] [blame]936
937 if( ssl->handshake->offered_group_id == 0 )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]938 {
939 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no matching key share" ) );
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]940 return( SSL_TLS1_3_PARSE_KEY_SHARES_EXT_NO_MATCH );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]941 }
942 return( 0 );
943}
XiaokangQian88408882022-04-02 10:15:03 +0000[diff] [blame]944#endif /* MBEDTLS_ECDH_C */
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]945
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]946#if defined(MBEDTLS_DEBUG_C)
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]947static void ssl_tls13_debug_print_client_hello_exts( mbedtls_ssl_context *ssl )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]948{
XiaokangQian3207a322022-02-23 03:15:27 +0000[diff] [blame]949 ((void) ssl);
950
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]951 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Supported Extensions:" ) );
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]952 MBEDTLS_SSL_DEBUG_MSG( 3,
953 ( "- KEY_SHARE_EXTENSION ( %s )",
954 ( ( ssl->handshake->extensions_present
955 & MBEDTLS_SSL_EXT_KEY_SHARE ) > 0 ) ? "TRUE" : "FALSE" ) );
956 MBEDTLS_SSL_DEBUG_MSG( 3,
957 ( "- PSK_KEY_EXCHANGE_MODES_EXTENSION ( %s )",
958 ( ( ssl->handshake->extensions_present
959 & MBEDTLS_SSL_EXT_PSK_KEY_EXCHANGE_MODES ) > 0 ) ?
960 "TRUE" : "FALSE" ) );
961 MBEDTLS_SSL_DEBUG_MSG( 3,
962 ( "- PRE_SHARED_KEY_EXTENSION ( %s )",
963 ( ( ssl->handshake->extensions_present
964 & MBEDTLS_SSL_EXT_PRE_SHARED_KEY ) > 0 ) ? "TRUE" : "FALSE" ) );
965 MBEDTLS_SSL_DEBUG_MSG( 3,
966 ( "- SIGNATURE_ALGORITHM_EXTENSION ( %s )",
967 ( ( ssl->handshake->extensions_present
968 & MBEDTLS_SSL_EXT_SIG_ALG ) > 0 ) ? "TRUE" : "FALSE" ) );
969 MBEDTLS_SSL_DEBUG_MSG( 3,
970 ( "- SUPPORTED_GROUPS_EXTENSION ( %s )",
971 ( ( ssl->handshake->extensions_present
972 & MBEDTLS_SSL_EXT_SUPPORTED_GROUPS ) >0 ) ?
973 "TRUE" : "FALSE" ) );
974 MBEDTLS_SSL_DEBUG_MSG( 3,
975 ( "- SUPPORTED_VERSION_EXTENSION ( %s )",
976 ( ( ssl->handshake->extensions_present
977 & MBEDTLS_SSL_EXT_SUPPORTED_VERSIONS ) > 0 ) ?
978 "TRUE" : "FALSE" ) );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]979#if defined ( MBEDTLS_SSL_SERVER_NAME_INDICATION )
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]980 MBEDTLS_SSL_DEBUG_MSG( 3,
981 ( "- SERVERNAME_EXTENSION ( %s )",
982 ( ( ssl->handshake->extensions_present
983 & MBEDTLS_SSL_EXT_SERVERNAME ) > 0 ) ?
984 "TRUE" : "FALSE" ) );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]985#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
XiaokangQianacb39922022-06-17 10:18:48 +0000[diff] [blame]986#if defined ( MBEDTLS_SSL_ALPN )
987 MBEDTLS_SSL_DEBUG_MSG( 3,
988 ( "- ALPN_EXTENSION ( %s )",
989 ( ( ssl->handshake->extensions_present
990 & MBEDTLS_SSL_EXT_ALPN ) > 0 ) ?
991 "TRUE" : "FALSE" ) );
992#endif /* MBEDTLS_SSL_ALPN */
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]993}
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]994#endif /* MBEDTLS_DEBUG_C */
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]995
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]996MBEDTLS_CHECK_RETURN_CRITICAL
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]997static int ssl_tls13_client_hello_has_exts( mbedtls_ssl_context *ssl,
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]998 int exts_mask )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]999{
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]1000 int masked = ssl->handshake->extensions_present & exts_mask;
1001 return( masked == exts_mask );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1002}
1003
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1004MBEDTLS_CHECK_RETURN_CRITICAL
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]1005static int ssl_tls13_client_hello_has_exts_for_ephemeral_key_exchange(
1006 mbedtls_ssl_context *ssl )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1007{
Jerry Yu77f01482022-07-11 07:03:24 +0000[diff] [blame]1008 return( ssl_tls13_client_hello_has_exts(
1009 ssl,
1010 MBEDTLS_SSL_EXT_SUPPORTED_GROUPS |
1011 MBEDTLS_SSL_EXT_KEY_SHARE |
1012 MBEDTLS_SSL_EXT_SIG_ALG ) );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1013}
1014
Jerry Yu77f01482022-07-11 07:03:24 +0000[diff] [blame]1015#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
1016MBEDTLS_CHECK_RETURN_CRITICAL
1017static int ssl_tls13_client_hello_has_exts_for_psk_key_exchange(
1018 mbedtls_ssl_context *ssl )
1019{
1020 return( ssl_tls13_client_hello_has_exts(
1021 ssl,
1022 MBEDTLS_SSL_EXT_PRE_SHARED_KEY |
1023 MBEDTLS_SSL_EXT_PSK_KEY_EXCHANGE_MODES ) );
1024}
1025
1026MBEDTLS_CHECK_RETURN_CRITICAL
1027static int ssl_tls13_client_hello_has_exts_for_psk_ephemeral_key_exchange(
1028 mbedtls_ssl_context *ssl )
1029{
1030 return( ssl_tls13_client_hello_has_exts(
1031 ssl,
1032 MBEDTLS_SSL_EXT_SUPPORTED_GROUPS |
1033 MBEDTLS_SSL_EXT_KEY_SHARE |
1034 MBEDTLS_SSL_EXT_PRE_SHARED_KEY |
1035 MBEDTLS_SSL_EXT_PSK_KEY_EXCHANGE_MODES ) );
1036}
1037#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
1038
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1039MBEDTLS_CHECK_RETURN_CRITICAL
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]1040static int ssl_tls13_check_ephemeral_key_exchange( mbedtls_ssl_context *ssl )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1041{
Jerry Yu77f01482022-07-11 07:03:24 +0000[diff] [blame]1042 return( mbedtls_ssl_conf_tls13_ephemeral_enabled( ssl ) &&
1043 ssl_tls13_client_hello_has_exts_for_ephemeral_key_exchange( ssl ) );
1044}
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1045
Jerry Yu77f01482022-07-11 07:03:24 +0000[diff] [blame]1046MBEDTLS_CHECK_RETURN_CRITICAL
1047static int ssl_tls13_check_psk_key_exchange( mbedtls_ssl_context *ssl )
1048{
1049#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
1050 return( mbedtls_ssl_conf_tls13_psk_enabled( ssl ) &&
1051 mbedtls_ssl_tls13_psk_enabled( ssl ) &&
1052 ssl_tls13_client_hello_has_exts_for_psk_key_exchange( ssl ) );
1053#else
1054 ((void) ssl);
1055 return( 0 );
1056#endif
1057}
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1058
Jerry Yu77f01482022-07-11 07:03:24 +0000[diff] [blame]1059MBEDTLS_CHECK_RETURN_CRITICAL
1060static int ssl_tls13_check_psk_ephemeral_key_exchange( mbedtls_ssl_context *ssl )
1061{
1062#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
1063 return( mbedtls_ssl_conf_tls13_psk_ephemeral_enabled( ssl ) &&
1064 mbedtls_ssl_tls13_psk_ephemeral_enabled( ssl ) &&
1065 ssl_tls13_client_hello_has_exts_for_psk_ephemeral_key_exchange( ssl ) );
1066#else
1067 ((void) ssl);
1068 return( 0 );
1069#endif
1070}
1071
1072static int ssl_tls13_determine_key_exchange_mode( mbedtls_ssl_context *ssl )
1073{
1074 /*
1075 * Determine the key exchange algorithm to use.
1076 * There are three types of key exchanges supported in TLS 1.3:
1077 * - (EC)DH with ECDSA,
1078 * - (EC)DH with PSK,
1079 * - plain PSK.
1080 *
1081 * The PSK-based key exchanges may additionally be used with 0-RTT.
1082 *
1083 * Our built-in order of preference is
Jerry Yuce6ed702022-07-22 21:49:53 +0800[diff] [blame]1084 * 1 ) (EC)DHE-PSK Mode ( psk_ephemeral )
1085 * 2 ) Certificate Mode ( ephemeral )
1086 * 3 ) Plain PSK Mode ( psk )
Jerry Yu77f01482022-07-11 07:03:24 +0000[diff] [blame]1087 */
1088
1089 ssl->handshake->key_exchange_mode = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_NONE;
1090
Jerry Yu77f01482022-07-11 07:03:24 +0000[diff] [blame]1091 if( ssl_tls13_check_psk_ephemeral_key_exchange( ssl ) )
1092 {
1093 ssl->handshake->key_exchange_mode =
1094 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL;
1095 MBEDTLS_SSL_DEBUG_MSG( 2, ( "key exchange mode: psk_ephemeral" ) );
1096 }
1097 else
1098 if( ssl_tls13_check_ephemeral_key_exchange( ssl ) )
1099 {
1100 ssl->handshake->key_exchange_mode =
1101 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL;
1102 MBEDTLS_SSL_DEBUG_MSG( 2, ( "key exchange mode: ephemeral" ) );
1103 }
1104 else
Jerry Yuce6ed702022-07-22 21:49:53 +0800[diff] [blame]1105 if( ssl_tls13_check_psk_key_exchange( ssl ) )
1106 {
1107 ssl->handshake->key_exchange_mode =
1108 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK;
1109 MBEDTLS_SSL_DEBUG_MSG( 2, ( "key exchange mode: psk" ) );
1110 }
1111 else
Jerry Yu77f01482022-07-11 07:03:24 +0000[diff] [blame]1112 {
1113 MBEDTLS_SSL_DEBUG_MSG(
1114 1,
1115 ( "ClientHello message misses mandatory extensions." ) );
1116 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_MISSING_EXTENSION ,
1117 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
1118 return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
1119 }
1120
1121 return( 0 );
1122
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1123}
1124
XiaokangQian81802f42022-06-10 13:25:22 +0000[diff] [blame]1125#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
1126 defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
XiaokangQian23c5be62022-06-07 02:04:34 +0000[diff] [blame]1127/*
XiaokangQianfb665a82022-06-15 03:57:21 +0000[diff] [blame]1128 * Pick best ( private key, certificate chain ) pair based on the signature
1129 * algorithms supported by the client.
XiaokangQian23c5be62022-06-07 02:04:34 +0000[diff] [blame]1130 */
Ronald Cronce7d76e2022-07-08 18:56:49 +0200[diff] [blame]1131MBEDTLS_CHECK_RETURN_CRITICAL
XiaokangQian07aad072022-06-14 05:35:09 +0000[diff] [blame]1132static int ssl_tls13_pick_key_cert( mbedtls_ssl_context *ssl )
XiaokangQian23c5be62022-06-07 02:04:34 +0000[diff] [blame]1133{
XiaokangQianfb665a82022-06-15 03:57:21 +0000[diff] [blame]1134 mbedtls_ssl_key_cert *key_cert, *key_cert_list;
XiaokangQian81802f42022-06-10 13:25:22 +0000[diff] [blame]1135 const uint16_t *sig_alg = ssl->handshake->received_sig_algs;
XiaokangQian23c5be62022-06-07 02:04:34 +0000[diff] [blame]1136
1137#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
1138 if( ssl->handshake->sni_key_cert != NULL )
XiaokangQianfb665a82022-06-15 03:57:21 +0000[diff] [blame]1139 key_cert_list = ssl->handshake->sni_key_cert;
XiaokangQian23c5be62022-06-07 02:04:34 +0000[diff] [blame]1140 else
1141#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
XiaokangQianfb665a82022-06-15 03:57:21 +0000[diff] [blame]1142 key_cert_list = ssl->conf->key_cert;
XiaokangQian23c5be62022-06-07 02:04:34 +0000[diff] [blame]1143
XiaokangQianfb665a82022-06-15 03:57:21 +0000[diff] [blame]1144 if( key_cert_list == NULL )
XiaokangQian23c5be62022-06-07 02:04:34 +0000[diff] [blame]1145 {
1146 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server has no certificate" ) );
1147 return( -1 );
1148 }
1149
XiaokangQian81802f42022-06-10 13:25:22 +0000[diff] [blame]1150 for( ; *sig_alg != MBEDTLS_TLS1_3_SIG_NONE; sig_alg++ )
XiaokangQian23c5be62022-06-07 02:04:34 +0000[diff] [blame]1151 {
XiaokangQianfb665a82022-06-15 03:57:21 +0000[diff] [blame]1152 for( key_cert = key_cert_list; key_cert != NULL;
1153 key_cert = key_cert->next )
XiaokangQian23c5be62022-06-07 02:04:34 +0000[diff] [blame]1154 {
XiaokangQianfb665a82022-06-15 03:57:21 +0000[diff] [blame]1155 MBEDTLS_SSL_DEBUG_CRT( 3, "certificate (chain) candidate",
1156 key_cert->cert );
XiaokangQian81802f42022-06-10 13:25:22 +0000[diff] [blame]1157
1158 /*
1159 * This avoids sending the client a cert it'll reject based on
1160 * keyUsage or other extensions.
1161 */
1162 if( mbedtls_x509_crt_check_key_usage(
XiaokangQianfb665a82022-06-15 03:57:21 +0000[diff] [blame]1163 key_cert->cert, MBEDTLS_X509_KU_DIGITAL_SIGNATURE ) != 0 ||
XiaokangQian81802f42022-06-10 13:25:22 +0000[diff] [blame]1164 mbedtls_x509_crt_check_extended_key_usage(
XiaokangQianfb665a82022-06-15 03:57:21 +0000[diff] [blame]1165 key_cert->cert, MBEDTLS_OID_SERVER_AUTH,
1166 MBEDTLS_OID_SIZE( MBEDTLS_OID_SERVER_AUTH ) ) != 0 )
XiaokangQian81802f42022-06-10 13:25:22 +0000[diff] [blame]1167 {
1168 MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate mismatch: "
XiaokangQianfb665a82022-06-15 03:57:21 +0000[diff] [blame]1169 "(extended) key usage extension" ) );
XiaokangQian81802f42022-06-10 13:25:22 +0000[diff] [blame]1170 continue;
1171 }
XiaokangQian23c5be62022-06-07 02:04:34 +0000[diff] [blame]1172
Jerry Yucc539102022-06-27 16:27:35 +0800[diff] [blame]1173 MBEDTLS_SSL_DEBUG_MSG( 3,
1174 ( "ssl_tls13_pick_key_cert:"
1175 "check signature algorithm %s [%04x]",
1176 mbedtls_ssl_sig_alg_to_str( *sig_alg ),
1177 *sig_alg ) );
Jerry Yufb526692022-06-19 11:22:49 +0800[diff] [blame]1178 if( mbedtls_ssl_tls13_check_sig_alg_cert_key_match(
Jerry Yud099cf02022-06-19 13:47:00 +0800[diff] [blame]1179 *sig_alg, &key_cert->cert->pk ) )
XiaokangQian81802f42022-06-10 13:25:22 +0000[diff] [blame]1180 {
XiaokangQianfb665a82022-06-15 03:57:21 +0000[diff] [blame]1181 ssl->handshake->key_cert = key_cert;
Jerry Yucc539102022-06-27 16:27:35 +0800[diff] [blame]1182 MBEDTLS_SSL_DEBUG_MSG( 3,
1183 ( "ssl_tls13_pick_key_cert:"
1184 "selected signature algorithm"
1185 " %s [%04x]",
1186 mbedtls_ssl_sig_alg_to_str( *sig_alg ),
1187 *sig_alg ) );
XiaokangQianfb665a82022-06-15 03:57:21 +0000[diff] [blame]1188 MBEDTLS_SSL_DEBUG_CRT(
XiaokangQian75fe8c72022-06-15 09:42:45 +0000[diff] [blame]1189 3, "selected certificate (chain)",
XiaokangQianfb665a82022-06-15 03:57:21 +0000[diff] [blame]1190 ssl->handshake->key_cert->cert );
XiaokangQian81802f42022-06-10 13:25:22 +0000[diff] [blame]1191 return( 0 );
1192 }
XiaokangQian81802f42022-06-10 13:25:22 +0000[diff] [blame]1193 }
XiaokangQian23c5be62022-06-07 02:04:34 +0000[diff] [blame]1194 }
1195
Jerry Yu9d3e2fa2022-06-27 22:14:01 +0800[diff] [blame]1196 MBEDTLS_SSL_DEBUG_MSG( 2, ( "ssl_tls13_pick_key_cert:"
1197 "no suitable certificate found" ) );
XiaokangQian23c5be62022-06-07 02:04:34 +0000[diff] [blame]1198 return( -1 );
1199}
XiaokangQian81802f42022-06-10 13:25:22 +0000[diff] [blame]1200#endif /* MBEDTLS_X509_CRT_PARSE_C &&
1201 MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
XiaokangQian23c5be62022-06-07 02:04:34 +0000[diff] [blame]1202
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]1203/*
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]1204 *
1205 * STATE HANDLING: ClientHello
1206 *
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]1207 * There are three possible classes of outcomes when parsing the ClientHello:
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]1208 *
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]1209 * 1) The ClientHello was well-formed and matched the server's configuration.
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]1210 *
1211 * In this case, the server progresses to sending its ServerHello.
1212 *
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]1213 * 2) The ClientHello was well-formed but didn't match the server's
1214 * configuration.
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]1215 *
1216 * For example, the client might not have offered a key share which
1217 * the server supports, or the server might require a cookie.
1218 *
1219 * In this case, the server sends a HelloRetryRequest.
1220 *
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]1221 * 3) The ClientHello was ill-formed
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]1222 *
1223 * In this case, we abort the handshake.
1224 *
1225 */
1226
1227/*
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]1228 * Structure of this message:
1229 *
XiaokangQiane8ff3502022-04-22 02:34:40 +0000[diff] [blame]1230 * uint16 ProtocolVersion;
1231 * opaque Random[32];
1232 * uint8 CipherSuite[2]; // Cryptographic suite selector
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]1233 *
XiaokangQiane8ff3502022-04-22 02:34:40 +0000[diff] [blame]1234 * struct {
1235 * ProtocolVersion legacy_version = 0x0303; // TLS v1.2
1236 * Random random;
1237 * opaque legacy_session_id<0..32>;
1238 * CipherSuite cipher_suites<2..2^16-2>;
1239 * opaque legacy_compression_methods<1..2^8-1>;
1240 * Extension extensions<8..2^16-1>;
1241 * } ClientHello;
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]1242 */
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]1243
1244#define SSL_CLIENT_HELLO_OK 0
1245#define SSL_CLIENT_HELLO_HRR_REQUIRED 1
1246
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1247MBEDTLS_CHECK_RETURN_CRITICAL
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]1248static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl,
1249 const unsigned char *buf,
1250 const unsigned char *end )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1251{
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]1252 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1253 const unsigned char *p = buf;
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]1254 size_t legacy_session_id_len;
XiaokangQian318dc762022-04-20 09:43:51 +0000[diff] [blame]1255 size_t cipher_suites_len;
XiaokangQian060d8672022-04-21 09:24:56 +0000[diff] [blame]1256 const unsigned char *cipher_suites_end;
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]1257 size_t extensions_len;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1258 const unsigned char *extensions_end;
Jerry Yu49ca9282022-05-05 11:05:22 +0800[diff] [blame]1259 int hrr_required = 0;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1260
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]1261#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]1262 const unsigned char *cipher_suites;
Jerry Yu29d9faa2022-08-23 17:52:45 +0800[diff] [blame]1263 const unsigned char *pre_shared_key_ext = NULL;
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]1264 const unsigned char *pre_shared_key_ext_end = NULL;
1265#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1266
1267 ssl->handshake->extensions_present = MBEDTLS_SSL_EXT_NONE;
1268
1269 /*
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]1270 * ClientHello layout:
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1271 * 0 . 1 protocol version
XiaokangQiane8ff3502022-04-22 02:34:40 +0000[diff] [blame]1272 * 2 . 33 random bytes
XiaokangQianc5763b52022-04-02 03:34:37 +0000[diff] [blame]1273 * 34 . 34 session id length ( 1 byte )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1274 * 35 . 34+x session id
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1275 * .. . .. ciphersuite list length ( 2 bytes )
1276 * .. . .. ciphersuite list
1277 * .. . .. compression alg. list length ( 1 byte )
1278 * .. . .. compression alg. list
1279 * .. . .. extensions length ( 2 bytes, optional )
1280 * .. . .. extensions ( optional )
1281 */
1282
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]1283 /*
bootstrap-prime6dbbf442022-05-17 19:30:44 -0400[diff] [blame]1284 * Minimal length ( with everything empty and extensions omitted ) is
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1285 * 2 + 32 + 1 + 2 + 1 = 38 bytes. Check that first, so that we can
1286 * read at least up to session id length without worrying.
1287 */
1288 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 38 );
1289
1290 /* ...
1291 * ProtocolVersion legacy_version = 0x0303; // TLS 1.2
1292 * ...
1293 * with ProtocolVersion defined as:
1294 * uint16 ProtocolVersion;
1295 */
XiaokangQiande333912022-04-20 08:49:42 +0000[diff] [blame]1296 if( mbedtls_ssl_read_version( p, ssl->conf->transport ) !=
1297 MBEDTLS_SSL_VERSION_TLS1_2 )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1298 {
1299 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Unsupported version of TLS." ) );
1300 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION,
1301 MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION );
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]1302 return ( MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1303 }
1304 p += 2;
1305
1306 /*
XiaokangQianf8ceb942022-04-15 11:43:27 +0000[diff] [blame]1307 * Only support TLS 1.3 currently, temporarily set the version.
1308 */
XiaokangQiande333912022-04-20 08:49:42 +0000[diff] [blame]1309 ssl->tls_version = MBEDTLS_SSL_VERSION_TLS1_3;
XiaokangQianf8ceb942022-04-15 11:43:27 +0000[diff] [blame]1310
Jerry Yue67bef42022-07-07 07:29:42 +0000[diff] [blame]1311#if defined(MBEDTLS_SSL_SESSION_TICKETS)
1312 /* Store minor version for later use with ticket serialization. */
1313 ssl->session_negotiate->tls_version = MBEDTLS_SSL_VERSION_TLS1_3;
Jerry Yua66fece2022-07-13 14:30:29 +0800[diff] [blame]1314 ssl->session_negotiate->endpoint = ssl->conf->endpoint;
Jerry Yufca4d572022-07-21 10:37:48 +0800[diff] [blame]1315#endif
Jerry Yue67bef42022-07-07 07:29:42 +0000[diff] [blame]1316
Jerry Yuc1be19f2022-04-23 16:11:39 +0800[diff] [blame]1317 /* ...
1318 * Random random;
1319 * ...
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]1320 * with Random defined as:
1321 * opaque Random[32];
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1322 */
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]1323 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, random bytes",
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]1324 p, MBEDTLS_CLIENT_HELLO_RANDOM_LEN );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1325
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]1326 memcpy( &ssl->handshake->randbytes[0], p, MBEDTLS_CLIENT_HELLO_RANDOM_LEN );
1327 p += MBEDTLS_CLIENT_HELLO_RANDOM_LEN;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1328
Jerry Yuc1be19f2022-04-23 16:11:39 +0800[diff] [blame]1329 /* ...
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]1330 * opaque legacy_session_id<0..32>;
Jerry Yuc1be19f2022-04-23 16:11:39 +0800[diff] [blame]1331 * ...
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1332 */
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]1333 legacy_session_id_len = p[0];
XiaokangQianc5763b52022-04-02 03:34:37 +0000[diff] [blame]1334 p++;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1335
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]1336 if( legacy_session_id_len > sizeof( ssl->session_negotiate->id ) )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1337 {
1338 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1339 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
1340 }
1341
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]1342 ssl->session_negotiate->id_len = legacy_session_id_len;
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]1343 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, session id",
XiaokangQiane8ff3502022-04-22 02:34:40 +0000[diff] [blame]1344 p, legacy_session_id_len );
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]1345 /*
1346 * Check we have enough data for the legacy session identifier
Jerry Yue95c8af2022-07-26 15:48:20 +0800[diff] [blame]1347 * and the ciphersuite list length.
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]1348 */
1349 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, legacy_session_id_len + 2 );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1350
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]1351 memcpy( &ssl->session_negotiate->id[0], p, legacy_session_id_len );
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]1352 p += legacy_session_id_len;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1353
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1354 cipher_suites_len = MBEDTLS_GET_UINT16_BE( p, 0 );
1355 p += 2;
1356
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]1357 /* Check we have enough data for the ciphersuite list, the legacy
1358 * compression methods and the length of the extensions.
Jerry Yue95c8af2022-07-26 15:48:20 +0800[diff] [blame]1359 *
1360 * cipher_suites cipher_suites_len bytes
1361 * legacy_compression_methods 2 bytes
1362 * extensions_len 2 bytes
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]1363 */
1364 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, cipher_suites_len + 2 + 2 );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1365
Jerry Yu24b8c812022-08-20 19:06:56 +0800[diff] [blame]1366 /* ...
1367 * CipherSuite cipher_suites<2..2^16-2>;
1368 * ...
1369 * with CipherSuite defined as:
1370 * uint8 CipherSuite[2];
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]1371 */
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]1372#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
XiaokangQian060d8672022-04-21 09:24:56 +0000[diff] [blame]1373 cipher_suites = p;
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]1374#endif
XiaokangQian060d8672022-04-21 09:24:56 +0000[diff] [blame]1375 cipher_suites_end = p + cipher_suites_len;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1376 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist",
1377 p, cipher_suites_len );
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]1378
1379 /*
1380 * Search for a matching ciphersuite
1381 */
XiaokangQian060d8672022-04-21 09:24:56 +0000[diff] [blame]1382 for ( ; p < cipher_suites_end; p += 2 )
XiaokangQian17f974c2022-04-19 09:57:41 +0000[diff] [blame]1383 {
XiaokangQiane8ff3502022-04-22 02:34:40 +0000[diff] [blame]1384 uint16_t cipher_suite;
Jerry Yue95c8af2022-07-26 15:48:20 +0800[diff] [blame]1385 const mbedtls_ssl_ciphersuite_t* ciphersuite_info;
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]1386
XiaokangQiane8ff3502022-04-22 02:34:40 +0000[diff] [blame]1387 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, cipher_suites_end, 2 );
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]1388
XiaokangQiane8ff3502022-04-22 02:34:40 +0000[diff] [blame]1389 cipher_suite = MBEDTLS_GET_UINT16_BE( p, 0 );
Jerry Yuc5a23a02022-08-25 10:51:44 +0800[diff] [blame]1390 ciphersuite_info = ssl_tls13_validate_peer_ciphersuite(
Jerry Yudd1bef72022-08-23 17:57:02 +0800[diff] [blame]1391 ssl,cipher_suite );
1392 if( ciphersuite_info == NULL )
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]1393 continue;
1394
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]1395 ssl->session_negotiate->ciphersuite = cipher_suite;
1396 ssl->handshake->ciphersuite_info = ciphersuite_info;
1397 MBEDTLS_SSL_DEBUG_MSG( 2, ( "selected ciphersuite: %04x - %s",
Jerry Yue95c8af2022-07-26 15:48:20 +0800[diff] [blame]1398 cipher_suite,
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]1399 ciphersuite_info->name ) );
XiaokangQian17f974c2022-04-19 09:57:41 +0000[diff] [blame]1400 }
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]1401
1402 if( ssl->handshake->ciphersuite_info == NULL )
1403 {
1404 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
1405 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
1406 return ( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
1407 }
Jerry Yuc1be19f2022-04-23 16:11:39 +0800[diff] [blame]1408
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]1409 /* ...
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]1410 * opaque legacy_compression_methods<1..2^8-1>;
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]1411 * ...
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1412 */
XiaokangQian0a1b54e2022-04-21 03:01:38 +0000[diff] [blame]1413 if( p[0] != 1 || p[1] != MBEDTLS_SSL_COMPRESS_NULL )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1414 {
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]1415 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad legacy compression method" ) );
1416 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
1417 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
1418 return ( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1419 }
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]1420 p += 2;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1421
Jerry Yuc1be19f2022-04-23 16:11:39 +0800[diff] [blame]1422 /* ...
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]1423 * Extension extensions<8..2^16-1>;
Jerry Yuc1be19f2022-04-23 16:11:39 +0800[diff] [blame]1424 * ...
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]1425 * with Extension defined as:
1426 * struct {
1427 * ExtensionType extension_type;
1428 * opaque extension_data<0..2^16-1>;
1429 * } Extension;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1430 */
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]1431 extensions_len = MBEDTLS_GET_UINT16_BE( p, 0 );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1432 p += 2;
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]1433 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, extensions_len );
XiaokangQiane8ff3502022-04-22 02:34:40 +0000[diff] [blame]1434 extensions_end = p + extensions_len;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1435
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]1436 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello extensions", p, extensions_len );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1437
1438 while( p < extensions_end )
1439 {
1440 unsigned int extension_type;
1441 size_t extension_data_len;
1442 const unsigned char *extension_data_end;
1443
Jerry Yu1c9247c2022-07-21 12:37:39 +0800[diff] [blame]1444 /* RFC 8446, page 57
1445 *
1446 * The "pre_shared_key" extension MUST be the last extension in the
1447 * ClientHello (this facilitates implementation as described below).
1448 * Servers MUST check that it is the last extension and otherwise fail
1449 * the handshake with an "illegal_parameter" alert.
1450 */
1451 if( ssl->handshake->extensions_present & MBEDTLS_SSL_EXT_PRE_SHARED_KEY )
1452 {
1453 MBEDTLS_SSL_DEBUG_MSG(
1454 3, ( "pre_shared_key is not last extension." ) );
1455 MBEDTLS_SSL_PEND_FATAL_ALERT(
1456 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
1457 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
1458 return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
1459 }
1460
XiaokangQian318dc762022-04-20 09:43:51 +0000[diff] [blame]1461 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, 4 );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1462 extension_type = MBEDTLS_GET_UINT16_BE( p, 0 );
1463 extension_data_len = MBEDTLS_GET_UINT16_BE( p, 2 );
1464 p += 4;
1465
1466 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, extension_data_len );
1467 extension_data_end = p + extension_data_len;
1468
1469 switch( extension_type )
1470 {
XiaokangQian40a35232022-05-07 09:02:40 +0000[diff] [blame]1471#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
1472 case MBEDTLS_TLS_EXT_SERVERNAME:
1473 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found ServerName extension" ) );
XiaokangQian9b2b7712022-05-17 02:57:00 +0000[diff] [blame]1474 ret = mbedtls_ssl_parse_server_name_ext( ssl, p,
1475 extension_data_end );
XiaokangQian40a35232022-05-07 09:02:40 +0000[diff] [blame]1476 if( ret != 0 )
1477 {
1478 MBEDTLS_SSL_DEBUG_RET(
1479 1, "mbedtls_ssl_parse_servername_ext", ret );
1480 return( ret );
1481 }
1482 ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_SERVERNAME;
1483 break;
1484#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
1485
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]1486#if defined(MBEDTLS_ECDH_C)
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1487 case MBEDTLS_TLS_EXT_SUPPORTED_GROUPS:
1488 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported group extension" ) );
1489
1490 /* Supported Groups Extension
1491 *
1492 * When sent by the client, the "supported_groups" extension
1493 * indicates the named groups which the client supports,
1494 * ordered from most preferred to least preferred.
1495 */
Jerry Yuc1be19f2022-04-23 16:11:39 +0800[diff] [blame]1496 ret = ssl_tls13_parse_supported_groups_ext(
1497 ssl, p, extension_data_end );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1498 if( ret != 0 )
1499 {
1500 MBEDTLS_SSL_DEBUG_RET( 1,
1501 "mbedtls_ssl_parse_supported_groups_ext", ret );
1502 return( ret );
1503 }
1504
1505 ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_SUPPORTED_GROUPS;
1506 break;
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]1507#endif /* MBEDTLS_ECDH_C */
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1508
XiaokangQian88408882022-04-02 10:15:03 +0000[diff] [blame]1509#if defined(MBEDTLS_ECDH_C)
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1510 case MBEDTLS_TLS_EXT_KEY_SHARE:
1511 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found key share extension" ) );
1512
1513 /*
1514 * Key Share Extension
1515 *
1516 * When sent by the client, the "key_share" extension
1517 * contains the endpoint's cryptographic parameters for
1518 * ECDHE/DHE key establishment methods.
1519 */
Jerry Yuc1be19f2022-04-23 16:11:39 +0800[diff] [blame]1520 ret = ssl_tls13_parse_key_shares_ext(
1521 ssl, p, extension_data_end );
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]1522 if( ret == SSL_TLS1_3_PARSE_KEY_SHARES_EXT_NO_MATCH )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1523 {
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]1524 MBEDTLS_SSL_DEBUG_MSG( 2, ( "HRR needed " ) );
Jerry Yu49ca9282022-05-05 11:05:22 +0800[diff] [blame]1525 hrr_required = 1;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1526 }
1527
Jerry Yu582dd062022-04-22 21:59:01 +0800[diff] [blame]1528 if( ret < 0 )
1529 {
1530 MBEDTLS_SSL_DEBUG_RET(
1531 1, "ssl_tls13_parse_key_shares_ext", ret );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1532 return( ret );
Jerry Yu582dd062022-04-22 21:59:01 +0800[diff] [blame]1533 }
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1534
1535 ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_KEY_SHARE;
1536 break;
XiaokangQian88408882022-04-02 10:15:03 +0000[diff] [blame]1537#endif /* MBEDTLS_ECDH_C */
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1538
1539 case MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS:
1540 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported versions extension" ) );
1541
1542 ret = ssl_tls13_parse_supported_versions_ext(
Jerry Yuc1be19f2022-04-23 16:11:39 +0800[diff] [blame]1543 ssl, p, extension_data_end );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1544 if( ret != 0 )
1545 {
1546 MBEDTLS_SSL_DEBUG_RET( 1,
1547 ( "ssl_tls13_parse_supported_versions_ext" ), ret );
1548 return( ret );
1549 }
1550 ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_SUPPORTED_VERSIONS;
1551 break;
1552
Jerry Yue19e3b92022-07-08 12:04:51 +0000[diff] [blame]1553#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
1554 case MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES:
1555 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found psk key exchange modes extension" ) );
1556
1557 ret = ssl_tls13_parse_key_exchange_modes_ext(
1558 ssl, p, extension_data_end );
1559 if( ret != 0 )
1560 {
1561 MBEDTLS_SSL_DEBUG_RET(
1562 1, "ssl_tls13_parse_key_exchange_modes_ext", ret );
1563 return( ret );
1564 }
1565
1566 ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_PSK_KEY_EXCHANGE_MODES;
1567 break;
1568#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
1569
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]1570 case MBEDTLS_TLS_EXT_PRE_SHARED_KEY:
1571 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found pre_shared_key extension" ) );
Jerry Yu13ab81d2022-07-22 23:17:11 +0800[diff] [blame]1572 if( ( ssl->handshake->extensions_present &
1573 MBEDTLS_SSL_EXT_PSK_KEY_EXCHANGE_MODES ) == 0 )
1574 {
1575 MBEDTLS_SSL_PEND_FATAL_ALERT(
1576 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
1577 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
1578 return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
1579 }
Jerry Yu1c9247c2022-07-21 12:37:39 +0800[diff] [blame]1580#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]1581 /* Delay processing of the PSK identity once we have
1582 * found out which algorithms to use. We keep a pointer
1583 * to the buffer and the size for later processing.
1584 */
Jerry Yu29d9faa2022-08-23 17:52:45 +0800[diff] [blame]1585 pre_shared_key_ext = p;
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]1586 pre_shared_key_ext_end = extension_data_end;
Jerry Yu1c9247c2022-07-21 12:37:39 +0800[diff] [blame]1587#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]1588 ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_PRE_SHARED_KEY;
1589 break;
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]1590
XiaokangQianacb39922022-06-17 10:18:48 +0000[diff] [blame]1591#if defined(MBEDTLS_SSL_ALPN)
1592 case MBEDTLS_TLS_EXT_ALPN:
1593 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found alpn extension" ) );
1594
1595 ret = mbedtls_ssl_parse_alpn_ext( ssl, p, extension_data_end );
1596 if( ret != 0 )
1597 {
1598 MBEDTLS_SSL_DEBUG_RET(
1599 1, ( "mbedtls_ssl_parse_alpn_ext" ), ret );
1600 return( ret );
1601 }
1602 ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_ALPN;
1603 break;
1604#endif /* MBEDTLS_SSL_ALPN */
1605
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1606#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
1607 case MBEDTLS_TLS_EXT_SIG_ALG:
1608 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found signature_algorithms extension" ) );
1609
Gabor Mezei078e8032022-04-27 21:17:56 +0200[diff] [blame]1610 ret = mbedtls_ssl_parse_sig_alg_ext(
Jerry Yuc1be19f2022-04-23 16:11:39 +0800[diff] [blame]1611 ssl, p, extension_data_end );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1612 if( ret != 0 )
1613 {
1614 MBEDTLS_SSL_DEBUG_MSG( 1,
1615 ( "ssl_parse_supported_signature_algorithms_server_ext ( %d )",
1616 ret ) );
1617 return( ret );
1618 }
1619 ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_SIG_ALG;
1620 break;
1621#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
1622
1623 default:
1624 MBEDTLS_SSL_DEBUG_MSG( 3,
1625 ( "unknown extension found: %ud ( ignoring )",
1626 extension_type ) );
1627 }
1628
1629 p += extension_data_len;
1630 }
1631
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]1632#if defined(MBEDTLS_DEBUG_C)
1633 /* List all the extensions we have received */
1634 ssl_tls13_debug_print_client_hello_exts( ssl );
1635#endif /* MBEDTLS_DEBUG_C */
1636
1637 mbedtls_ssl_add_hs_hdr_to_checksum( ssl,
1638 MBEDTLS_SSL_HS_CLIENT_HELLO,
1639 p - buf );
Jerry Yu032b15ce2022-07-11 06:10:03 +0000[diff] [blame]1640
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]1641#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1642 /* Update checksum with either
1643 * - The entire content of the CH message, if no PSK extension is present
1644 * - The content up to but excluding the PSK extension, if present.
1645 */
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]1646 /* If we've settled on a PSK-based exchange, parse PSK identity ext */
Jerry Yuba9b6e92022-07-22 21:35:18 +0800[diff] [blame]1647 if( mbedtls_ssl_tls13_some_psk_enabled( ssl ) &&
Jerry Yu32e13702022-07-29 13:04:08 +0800[diff] [blame]1648 mbedtls_ssl_conf_tls13_some_psk_enabled( ssl ) &&
Jerry Yuba9b6e92022-07-22 21:35:18 +0800[diff] [blame]1649 ( ssl->handshake->extensions_present & MBEDTLS_SSL_EXT_PRE_SHARED_KEY ) )
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]1650 {
1651 ssl->handshake->update_checksum( ssl, buf,
Jerry Yu29d9faa2022-08-23 17:52:45 +0800[diff] [blame]1652 pre_shared_key_ext - buf );
Jerry Yubb852022022-07-20 21:10:44 +0800[diff] [blame]1653 ret = ssl_tls13_parse_pre_shared_key_ext( ssl,
Jerry Yu29d9faa2022-08-23 17:52:45 +0800[diff] [blame]1654 pre_shared_key_ext,
Jerry Yue95c8af2022-07-26 15:48:20 +0800[diff] [blame]1655 pre_shared_key_ext_end,
Jerry Yu5725f1c2022-08-21 17:27:16 +0800[diff] [blame]1656 cipher_suites,
1657 cipher_suites_end );
Jerry Yue9d4fc02022-08-20 19:21:15 +0800[diff] [blame]1658 if( ret == MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY )
Jerry Yuba9b6e92022-07-22 21:35:18 +0800[diff] [blame]1659 {
1660 ssl->handshake->extensions_present &= ~MBEDTLS_SSL_EXT_PRE_SHARED_KEY;
Jerry Yu6f1db3f2022-07-22 23:05:59 +0800[diff] [blame]1661 }
1662 else if( ret != 0 )
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]1663 {
Jerry Yubb852022022-07-20 21:10:44 +0800[diff] [blame]1664 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_tls13_parse_pre_shared_key_ext" ),
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]1665 ret );
1666 return( ret );
1667 }
Jerry Yu1c105562022-07-10 06:32:38 +0000[diff] [blame]1668 }
1669 else
1670#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
1671 {
1672 ssl->handshake->update_checksum( ssl, buf, p - buf );
1673 }
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1674
Jerry Yuba9b6e92022-07-22 21:35:18 +0800[diff] [blame]1675 ret = ssl_tls13_determine_key_exchange_mode( ssl );
1676 if( ret < 0 )
1677 return( ret );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1678
Jerry Yue5834fd2022-08-29 20:16:09 +0800[diff] [blame]1679 mbedtls_ssl_optimize_checksum( ssl, ssl->handshake->ciphersuite_info );
1680
XiaokangQian75fe8c72022-06-15 09:42:45 +0000[diff] [blame]1681 return( hrr_required ? SSL_CLIENT_HELLO_HRR_REQUIRED : SSL_CLIENT_HELLO_OK );
1682}
1683
1684/* Update the handshake state machine */
1685
Ronald Cronce7d76e2022-07-08 18:56:49 +0200[diff] [blame]1686MBEDTLS_CHECK_RETURN_CRITICAL
XiaokangQian75fe8c72022-06-15 09:42:45 +0000[diff] [blame]1687static int ssl_tls13_postprocess_client_hello( mbedtls_ssl_context* ssl )
1688{
1689 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1690
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1691 /*
XiaokangQianfb665a82022-06-15 03:57:21 +0000[diff] [blame]1692 * Server certificate selection
1693 */
1694 if( ssl->conf->f_cert_cb && ( ret = ssl->conf->f_cert_cb( ssl ) ) != 0 )
1695 {
1696 MBEDTLS_SSL_DEBUG_RET( 1, "f_cert_cb", ret );
1697 return( ret );
1698 }
1699#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
1700 ssl->handshake->sni_name = NULL;
1701 ssl->handshake->sni_name_len = 0;
1702#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1703
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1704 ret = mbedtls_ssl_tls13_key_schedule_stage_early( ssl );
1705 if( ret != 0 )
1706 {
1707 MBEDTLS_SSL_DEBUG_RET( 1,
1708 "mbedtls_ssl_tls1_3_key_schedule_stage_early", ret );
1709 return( ret );
1710 }
1711
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]1712 return( 0 );
1713
1714}
1715
1716/*
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]1717 * Main entry point from the state machine; orchestrates the otherfunctions.
1718 */
1719
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1720MBEDTLS_CHECK_RETURN_CRITICAL
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]1721static int ssl_tls13_process_client_hello( mbedtls_ssl_context *ssl )
1722{
1723
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]1724 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]1725 unsigned char* buf = NULL;
1726 size_t buflen = 0;
Jerry Yu4ca91402022-05-09 15:50:57 +0800[diff] [blame]1727 int parse_client_hello_ret;
1728
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]1729 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse client hello" ) );
1730
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]1731 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_fetch_handshake_msg(
1732 ssl, MBEDTLS_SSL_HS_CLIENT_HELLO,
1733 &buf, &buflen ) );
1734
1735 MBEDTLS_SSL_PROC_CHK_NEG( ssl_tls13_parse_client_hello( ssl, buf,
1736 buf + buflen ) );
Jerry Yuf41553b2022-05-09 22:20:30 +0800[diff] [blame]1737 parse_client_hello_ret = ret; /* Store return value of parse_client_hello,
1738 * only SSL_CLIENT_HELLO_OK or
1739 * SSL_CLIENT_HELLO_HRR_REQUIRED at this
1740 * stage as negative error codes are handled
1741 * by MBEDTLS_SSL_PROC_CHK_NEG. */
Jerry Yu4ca91402022-05-09 15:50:57 +0800[diff] [blame]1742
XiaokangQiancfd925f2022-04-14 07:10:37 +0000[diff] [blame]1743 MBEDTLS_SSL_PROC_CHK( ssl_tls13_postprocess_client_hello( ssl ) );
Jerry Yu582dd062022-04-22 21:59:01 +0800[diff] [blame]1744
Jerry Yu4ca91402022-05-09 15:50:57 +0800[diff] [blame]1745 if( parse_client_hello_ret == SSL_CLIENT_HELLO_OK )
1746 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_HELLO );
1747 else
1748 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_HELLO_RETRY_REQUEST );
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]1749
1750cleanup:
1751
1752 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse client hello" ) );
1753 return( ret );
1754}
1755
1756/*
Jerry Yu1c3e6882022-04-20 21:23:40 +0800[diff] [blame]1757 * Handler for MBEDTLS_SSL_SERVER_HELLO
Jerry Yu5b64ae92022-03-30 17:15:02 +0800[diff] [blame]1758 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1759MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yuf4b27e42022-03-30 17:32:21 +0800[diff] [blame]1760static int ssl_tls13_prepare_server_hello( mbedtls_ssl_context *ssl )
1761{
Jerry Yu637a3f12022-04-20 21:37:58 +0800[diff] [blame]1762 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1763 unsigned char *server_randbytes =
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1764 ssl->handshake->randbytes + MBEDTLS_CLIENT_HELLO_RANDOM_LEN;
Jerry Yuf4b27e42022-03-30 17:32:21 +0800[diff] [blame]1765 if( ssl->conf->f_rng == NULL )
1766 {
1767 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no RNG provided" ) );
1768 return( MBEDTLS_ERR_SSL_NO_RNG );
1769 }
1770
Jerry Yu637a3f12022-04-20 21:37:58 +0800[diff] [blame]1771 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, server_randbytes,
Jerry Yuf4b27e42022-03-30 17:32:21 +0800[diff] [blame]1772 MBEDTLS_SERVER_HELLO_RANDOM_LEN ) ) != 0 )
1773 {
1774 MBEDTLS_SSL_DEBUG_RET( 1, "f_rng", ret );
1775 return( ret );
1776 }
1777
Jerry Yu637a3f12022-04-20 21:37:58 +0800[diff] [blame]1778 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, random bytes", server_randbytes,
Jerry Yuf4b27e42022-03-30 17:32:21 +0800[diff] [blame]1779 MBEDTLS_SERVER_HELLO_RANDOM_LEN );
1780
1781#if defined(MBEDTLS_HAVE_TIME)
1782 ssl->session_negotiate->start = time( NULL );
1783#endif /* MBEDTLS_HAVE_TIME */
1784
1785 return( ret );
1786}
1787
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1788/*
Jerry Yue74e04a2022-04-21 09:23:16 +0800[diff] [blame]1789 * ssl_tls13_write_server_hello_supported_versions_ext ():
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1790 *
1791 * struct {
Jerry Yufb9f54d2022-04-06 10:08:34 +0800[diff] [blame]1792 * ProtocolVersion selected_version;
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1793 * } SupportedVersions;
1794 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1795MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yue74e04a2022-04-21 09:23:16 +0800[diff] [blame]1796static int ssl_tls13_write_server_hello_supported_versions_ext(
1797 mbedtls_ssl_context *ssl,
1798 unsigned char *buf,
1799 unsigned char *end,
1800 size_t *out_len )
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1801{
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1802 *out_len = 0;
1803
Jerry Yu955ddd72022-04-22 22:27:33 +0800[diff] [blame]1804 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, write selected version" ) );
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1805
1806 /* Check if we have space to write the extension:
1807 * - extension_type (2 bytes)
1808 * - extension_data_length (2 bytes)
Jerry Yu349a6132022-04-14 20:52:56 +0800[diff] [blame]1809 * - selected_version (2 bytes)
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1810 */
Jerry Yu349a6132022-04-14 20:52:56 +0800[diff] [blame]1811 MBEDTLS_SSL_CHK_BUF_PTR( buf, end, 6 );
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1812
Jerry Yu349a6132022-04-14 20:52:56 +0800[diff] [blame]1813 MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS, buf, 0 );
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1814
Jerry Yu349a6132022-04-14 20:52:56 +0800[diff] [blame]1815 MBEDTLS_PUT_UINT16_BE( 2, buf, 2 );
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1816
Jerry Yu349a6132022-04-14 20:52:56 +0800[diff] [blame]1817 mbedtls_ssl_write_version( buf + 4,
1818 ssl->conf->transport,
1819 ssl->tls_version );
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1820
1821 MBEDTLS_SSL_DEBUG_MSG( 3, ( "supported version: [%04x]",
1822 ssl->tls_version ) );
1823
Jerry Yu349a6132022-04-14 20:52:56 +0800[diff] [blame]1824 *out_len = 6;
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1825
1826 return( 0 );
1827}
1828
Jerry Yud9436a12022-04-20 22:28:09 +0800[diff] [blame]1829
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1830
1831/* Generate and export a single key share. For hybrid KEMs, this can
1832 * be called multiple times with the different components of the hybrid. */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1833MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yu955ddd72022-04-22 22:27:33 +0800[diff] [blame]1834static int ssl_tls13_generate_and_write_key_share( mbedtls_ssl_context *ssl,
1835 uint16_t named_group,
1836 unsigned char *buf,
1837 unsigned char *end,
1838 size_t *out_len )
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1839{
1840 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yu955ddd72022-04-22 22:27:33 +0800[diff] [blame]1841
1842 *out_len = 0;
1843
Jerry Yu89e103c2022-03-30 22:43:29 +0800[diff] [blame]1844#if defined(MBEDTLS_ECDH_C)
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1845 if( mbedtls_ssl_tls13_named_group_is_ecdhe( named_group ) )
1846 {
Jerry Yu89e103c2022-03-30 22:43:29 +0800[diff] [blame]1847 ret = mbedtls_ssl_tls13_generate_and_write_ecdh_key_exchange(
1848 ssl, named_group, buf, end, out_len );
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1849 if( ret != 0 )
1850 {
Jerry Yu89e103c2022-03-30 22:43:29 +0800[diff] [blame]1851 MBEDTLS_SSL_DEBUG_RET(
1852 1, "mbedtls_ssl_tls13_generate_and_write_ecdh_key_exchange",
1853 ret );
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1854 return( ret );
1855 }
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1856 }
Jerry Yu89e103c2022-03-30 22:43:29 +0800[diff] [blame]1857 else
1858#endif /* MBEDTLS_ECDH_C */
1859 if( 0 /* Other kinds of KEMs */ )
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1860 {
1861 }
1862 else
1863 {
Jerry Yu955ddd72022-04-22 22:27:33 +0800[diff] [blame]1864 ((void) ssl);
1865 ((void) named_group);
1866 ((void) buf);
1867 ((void) end);
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1868 ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
1869 }
1870
1871 return( ret );
1872}
1873
1874/*
1875 * ssl_tls13_write_key_share_ext
1876 *
1877 * Structure of key_share extension in ServerHello:
1878 *
Jerry Yu1c3e6882022-04-20 21:23:40 +0800[diff] [blame]1879 * struct {
1880 * NamedGroup group;
1881 * opaque key_exchange<1..2^16-1>;
1882 * } KeyShareEntry;
1883 * struct {
1884 * KeyShareEntry server_share;
1885 * } KeyShareServerHello;
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1886 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1887MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1888static int ssl_tls13_write_key_share_ext( mbedtls_ssl_context *ssl,
1889 unsigned char *buf,
1890 unsigned char *end,
1891 size_t *out_len )
1892{
Jerry Yu955ddd72022-04-22 22:27:33 +0800[diff] [blame]1893 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1894 unsigned char *p = buf;
Jerry Yu57d48412022-04-20 21:50:42 +0800[diff] [blame]1895 uint16_t group = ssl->handshake->offered_group_id;
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1896 unsigned char *server_share = buf + 4;
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1897 size_t key_exchange_length;
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1898
1899 *out_len = 0;
1900
1901 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding key share extension" ) );
1902
1903 /* Check if we have space for header and length fields:
1904 * - extension_type (2 bytes)
1905 * - extension_data_length (2 bytes)
1906 * - group (2 bytes)
1907 * - key_exchange_length (2 bytes)
1908 */
1909 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 8 );
Jerry Yu57d48412022-04-20 21:50:42 +0800[diff] [blame]1910 MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_KEY_SHARE, p, 0 );
1911 MBEDTLS_PUT_UINT16_BE( group, server_share, 0 );
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1912 p += 8;
Jerry Yu57d48412022-04-20 21:50:42 +0800[diff] [blame]1913
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1914 /* When we introduce PQC-ECDHE hybrids, we'll want to call this
1915 * function multiple times. */
Jerry Yu955ddd72022-04-22 22:27:33 +0800[diff] [blame]1916 ret = ssl_tls13_generate_and_write_key_share(
Jerry Yue65d8012022-04-23 10:34:35 +0800[diff] [blame]1917 ssl, group, server_share + 4, end, &key_exchange_length );
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1918 if( ret != 0 )
1919 return( ret );
1920 p += key_exchange_length;
Jerry Yuc1be19f2022-04-23 16:11:39 +0800[diff] [blame]1921
Jerry Yu955ddd72022-04-22 22:27:33 +0800[diff] [blame]1922 MBEDTLS_PUT_UINT16_BE( key_exchange_length, server_share + 2, 0 );
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1923
Jerry Yu57d48412022-04-20 21:50:42 +0800[diff] [blame]1924 MBEDTLS_PUT_UINT16_BE( p - server_share, buf, 2 );
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1925
Jerry Yu57d48412022-04-20 21:50:42 +0800[diff] [blame]1926 *out_len = p - buf;
Jerry Yu955ddd72022-04-22 22:27:33 +0800[diff] [blame]1927
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1928 return( 0 );
1929}
Jerry Yud9436a12022-04-20 22:28:09 +0800[diff] [blame]1930
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1931MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yu23f7a6f2022-04-23 15:16:45 +0800[diff] [blame]1932static int ssl_tls13_write_hrr_key_share_ext( mbedtls_ssl_context *ssl,
1933 unsigned char *buf,
1934 unsigned char *end,
1935 size_t *out_len )
1936{
1937 uint16_t selected_group = ssl->handshake->hrr_selected_group;
1938 /* key_share Extension
1939 *
1940 * struct {
1941 * select (Handshake.msg_type) {
1942 * ...
1943 * case hello_retry_request:
1944 * NamedGroup selected_group;
1945 * ...
1946 * };
1947 * } KeyShare;
1948 */
1949
1950 *out_len = 0;
1951
Jerry Yub0ac10b2022-05-05 11:10:08 +0800[diff] [blame]1952 /*
1953 * For a pure PSK key exchange, there is no group to agree upon. The purpose
1954 * of the HRR is then to transmit a cookie to force the client to demonstrate
1955 * reachability at their apparent network address (primarily useful for DTLS).
1956 */
Ronald Cron79907712022-07-20 17:05:29 +0200[diff] [blame]1957 if( ! mbedtls_ssl_tls13_key_exchange_mode_with_ephemeral( ssl ) )
Jerry Yu23f7a6f2022-04-23 15:16:45 +0800[diff] [blame]1958 return( 0 );
1959
1960 /* We should only send the key_share extension if the client's initial
1961 * key share was not acceptable. */
1962 if( ssl->handshake->offered_group_id != 0 )
1963 {
1964 MBEDTLS_SSL_DEBUG_MSG( 4, ( "Skip key_share extension in HRR" ) );
1965 return( 0 );
1966 }
1967
1968 if( selected_group == 0 )
1969 {
1970 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no matching named group found" ) );
1971 return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
1972 }
1973
Jerry Yub0ac10b2022-05-05 11:10:08 +0800[diff] [blame]1974 /* Check if we have enough space:
1975 * - extension_type (2 bytes)
1976 * - extension_data_length (2 bytes)
1977 * - selected_group (2 bytes)
1978 */
Ronald Cron154d1b62022-06-01 15:33:26 +0200[diff] [blame]1979 MBEDTLS_SSL_CHK_BUF_PTR( buf, end, 6 );
Jerry Yu23f7a6f2022-04-23 15:16:45 +0800[diff] [blame]1980
Jerry Yu23f7a6f2022-04-23 15:16:45 +0800[diff] [blame]1981 MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_KEY_SHARE, buf, 0 );
Jerry Yu23f7a6f2022-04-23 15:16:45 +0800[diff] [blame]1982 MBEDTLS_PUT_UINT16_BE( 2, buf, 2 );
Jerry Yu23f7a6f2022-04-23 15:16:45 +0800[diff] [blame]1983 MBEDTLS_PUT_UINT16_BE( selected_group, buf, 4 );
1984
1985 MBEDTLS_SSL_DEBUG_MSG( 3,
1986 ( "HRR selected_group: %s (%x)",
1987 mbedtls_ssl_named_group_to_str( selected_group ),
1988 selected_group ) );
1989
1990 *out_len = 6;
Jerry Yu23f7a6f2022-04-23 15:16:45 +0800[diff] [blame]1991
Jerry Yub0ac10b2022-05-05 11:10:08 +0800[diff] [blame]1992 return( 0 );
Jerry Yu23f7a6f2022-04-23 15:16:45 +0800[diff] [blame]1993}
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]1994
1995/*
1996 * Structure of ServerHello message:
1997 *
1998 * struct {
1999 * ProtocolVersion legacy_version = 0x0303; // TLS v1.2
2000 * Random random;
2001 * opaque legacy_session_id_echo<0..32>;
2002 * CipherSuite cipher_suite;
2003 * uint8 legacy_compression_method = 0;
2004 * Extension extensions<6..2^16-1>;
2005 * } ServerHello;
2006 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2007MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]2008static int ssl_tls13_write_server_hello_body( mbedtls_ssl_context *ssl,
Jerry Yu56404d72022-03-30 17:36:13 +0800[diff] [blame]2009 unsigned char *buf,
2010 unsigned char *end,
Jerry Yu23f7a6f2022-04-23 15:16:45 +0800[diff] [blame]2011 size_t *out_len,
2012 int is_hrr )
Jerry Yu56404d72022-03-30 17:36:13 +0800[diff] [blame]2013{
Jerry Yu955ddd72022-04-22 22:27:33 +0800[diff] [blame]2014 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]2015 unsigned char *p = buf;
Jerry Yud9436a12022-04-20 22:28:09 +0800[diff] [blame]2016 unsigned char *p_extensions_len;
Jerry Yufbe3e642022-04-25 19:31:51 +0800[diff] [blame]2017 size_t output_len;
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]2018
2019 *out_len = 0;
2020
Jerry Yucfc04b32022-04-21 09:31:58 +0800[diff] [blame]2021 /* ...
2022 * ProtocolVersion legacy_version = 0x0303; // TLS 1.2
2023 * ...
2024 * with ProtocolVersion defined as:
2025 * uint16 ProtocolVersion;
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]2026 */
2027 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 );
2028 MBEDTLS_PUT_UINT16_BE( 0x0303, p, 0 );
2029 p += 2;
2030
Jerry Yu1c3e6882022-04-20 21:23:40 +0800[diff] [blame]2031 /* ...
2032 * Random random;
2033 * ...
Jerry Yucfc04b32022-04-21 09:31:58 +0800[diff] [blame]2034 * with Random defined as:
2035 * opaque Random[MBEDTLS_SERVER_HELLO_RANDOM_LEN];
Jerry Yu1c3e6882022-04-20 21:23:40 +0800[diff] [blame]2036 */
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]2037 MBEDTLS_SSL_CHK_BUF_PTR( p, end, MBEDTLS_SERVER_HELLO_RANDOM_LEN );
Jerry Yu23f7a6f2022-04-23 15:16:45 +0800[diff] [blame]2038 if( is_hrr )
2039 {
2040 memcpy( p, mbedtls_ssl_tls13_hello_retry_request_magic,
Jerry Yufbe3e642022-04-25 19:31:51 +0800[diff] [blame]2041 MBEDTLS_SERVER_HELLO_RANDOM_LEN );
Jerry Yu23f7a6f2022-04-23 15:16:45 +0800[diff] [blame]2042 }
2043 else
2044 {
2045 memcpy( p, &ssl->handshake->randbytes[MBEDTLS_CLIENT_HELLO_RANDOM_LEN],
Jerry Yufbe3e642022-04-25 19:31:51 +0800[diff] [blame]2046 MBEDTLS_SERVER_HELLO_RANDOM_LEN );
Jerry Yu23f7a6f2022-04-23 15:16:45 +0800[diff] [blame]2047 }
Jerry Yu955ddd72022-04-22 22:27:33 +0800[diff] [blame]2048 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, random bytes",
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]2049 p, MBEDTLS_SERVER_HELLO_RANDOM_LEN );
2050 p += MBEDTLS_SERVER_HELLO_RANDOM_LEN;
2051
Jerry Yucfc04b32022-04-21 09:31:58 +0800[diff] [blame]2052 /* ...
2053 * opaque legacy_session_id_echo<0..32>;
2054 * ...
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]2055 */
2056 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 1 + ssl->session_negotiate->id_len );
2057 *p++ = (unsigned char)ssl->session_negotiate->id_len;
2058 if( ssl->session_negotiate->id_len > 0 )
2059 {
2060 memcpy( p, &ssl->session_negotiate->id[0],
2061 ssl->session_negotiate->id_len );
2062 p += ssl->session_negotiate->id_len;
Jerry Yu955ddd72022-04-22 22:27:33 +0800[diff] [blame]2063
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]2064 MBEDTLS_SSL_DEBUG_BUF( 3, "session id", ssl->session_negotiate->id,
2065 ssl->session_negotiate->id_len );
2066 }
2067
Jerry Yucfc04b32022-04-21 09:31:58 +0800[diff] [blame]2068 /* ...
2069 * CipherSuite cipher_suite;
2070 * ...
2071 * with CipherSuite defined as:
2072 * uint8 CipherSuite[2];
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]2073 */
2074 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 );
2075 MBEDTLS_PUT_UINT16_BE( ssl->session_negotiate->ciphersuite, p, 0 );
2076 p += 2;
2077 MBEDTLS_SSL_DEBUG_MSG( 3,
2078 ( "server hello, chosen ciphersuite: %s ( id=%d )",
2079 mbedtls_ssl_get_ciphersuite_name(
2080 ssl->session_negotiate->ciphersuite ),
2081 ssl->session_negotiate->ciphersuite ) );
2082
Jerry Yucfc04b32022-04-21 09:31:58 +0800[diff] [blame]2083 /* ...
2084 * uint8 legacy_compression_method = 0;
2085 * ...
2086 */
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]2087 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 1 );
Thomas Daubney31e03a82022-07-25 15:59:25 +0100[diff] [blame]2088 *p++ = MBEDTLS_SSL_COMPRESS_NULL;
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]2089
Jerry Yucfc04b32022-04-21 09:31:58 +0800[diff] [blame]2090 /* ...
2091 * Extension extensions<6..2^16-1>;
2092 * ...
2093 * struct {
2094 * ExtensionType extension_type; (2 bytes)
2095 * opaque extension_data<0..2^16-1>;
2096 * } Extension;
2097 */
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]2098 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 );
Jerry Yud9436a12022-04-20 22:28:09 +0800[diff] [blame]2099 p_extensions_len = p;
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]2100 p += 2;
2101
Jerry Yue74e04a2022-04-21 09:23:16 +0800[diff] [blame]2102 if( ( ret = ssl_tls13_write_server_hello_supported_versions_ext(
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]2103 ssl, p, end, &output_len ) ) != 0 )
2104 {
Jerry Yu955ddd72022-04-22 22:27:33 +0800[diff] [blame]2105 MBEDTLS_SSL_DEBUG_RET(
2106 1, "ssl_tls13_write_server_hello_supported_versions_ext", ret );
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]2107 return( ret );
2108 }
2109 p += output_len;
2110
Jerry Yu56acc942022-07-30 23:02:36 +0800[diff] [blame]2111 if( mbedtls_ssl_tls13_key_exchange_mode_with_ephemeral( ssl ) )
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]2112 {
Jerry Yu23f7a6f2022-04-23 15:16:45 +0800[diff] [blame]2113 if( is_hrr )
2114 ret = ssl_tls13_write_hrr_key_share_ext( ssl, p, end, &output_len );
2115 else
2116 ret = ssl_tls13_write_key_share_ext( ssl, p, end, &output_len );
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]2117 if( ret != 0 )
2118 return( ret );
2119 p += output_len;
2120 }
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]2121
Jerry Yu032b15ce2022-07-11 06:10:03 +0000[diff] [blame]2122#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
Jerry Yu96a2e362022-07-21 15:11:34 +0800[diff] [blame]2123 if( mbedtls_ssl_tls13_key_exchange_mode_with_psk( ssl ) )
Jerry Yu032b15ce2022-07-11 06:10:03 +0000[diff] [blame]2124 {
Jerry Yubb852022022-07-20 21:10:44 +0800[diff] [blame]2125 ret = ssl_tls13_write_server_pre_shared_key_ext( ssl, p, end, &output_len );
Jerry Yu032b15ce2022-07-11 06:10:03 +0000[diff] [blame]2126 if( ret != 0 )
2127 {
Jerry Yubb852022022-07-20 21:10:44 +0800[diff] [blame]2128 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_tls13_write_server_pre_shared_key_ext",
Jerry Yu032b15ce2022-07-11 06:10:03 +0000[diff] [blame]2129 ret );
2130 return( ret );
2131 }
2132 p += output_len;
2133 }
2134#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
2135
Jerry Yud9436a12022-04-20 22:28:09 +0800[diff] [blame]2136 MBEDTLS_PUT_UINT16_BE( p - p_extensions_len - 2, p_extensions_len, 0 );
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]2137
Jerry Yud9436a12022-04-20 22:28:09 +0800[diff] [blame]2138 MBEDTLS_SSL_DEBUG_BUF( 4, "server hello extensions",
2139 p_extensions_len, p - p_extensions_len );
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]2140
Jerry Yud9436a12022-04-20 22:28:09 +0800[diff] [blame]2141 *out_len = p - buf;
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]2142
Jerry Yud9436a12022-04-20 22:28:09 +0800[diff] [blame]2143 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello", buf, *out_len );
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]2144
2145 return( ret );
Jerry Yu56404d72022-03-30 17:36:13 +0800[diff] [blame]2146}
2147
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2148MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yue110d252022-05-05 10:19:22 +0800[diff] [blame]2149static int ssl_tls13_finalize_write_server_hello( mbedtls_ssl_context *ssl )
2150{
2151 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yuf86eb752022-05-06 11:16:55 +0800[diff] [blame]2152 ret = mbedtls_ssl_tls13_compute_handshake_transform( ssl );
Jerry Yue110d252022-05-05 10:19:22 +0800[diff] [blame]2153 if( ret != 0 )
2154 {
Jerry Yuf86eb752022-05-06 11:16:55 +0800[diff] [blame]2155 MBEDTLS_SSL_DEBUG_RET( 1,
2156 "mbedtls_ssl_tls13_compute_handshake_transform",
Jerry Yue110d252022-05-05 10:19:22 +0800[diff] [blame]2157 ret );
2158 return( ret );
2159 }
2160
Jerry Yue110d252022-05-05 10:19:22 +0800[diff] [blame]2161 return( ret );
2162}
2163
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2164MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yu5b64ae92022-03-30 17:15:02 +0800[diff] [blame]2165static int ssl_tls13_write_server_hello( mbedtls_ssl_context *ssl )
2166{
Jerry Yu637a3f12022-04-20 21:37:58 +0800[diff] [blame]2167 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yuf4b27e42022-03-30 17:32:21 +0800[diff] [blame]2168 unsigned char *buf;
2169 size_t buf_len, msg_len;
2170
2171 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write server hello" ) );
2172
Jerry Yuf4b27e42022-03-30 17:32:21 +0800[diff] [blame]2173 MBEDTLS_SSL_PROC_CHK( ssl_tls13_prepare_server_hello( ssl ) );
2174
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]2175 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_start_handshake_msg( ssl,
Jerry Yuf4b27e42022-03-30 17:32:21 +0800[diff] [blame]2176 MBEDTLS_SSL_HS_SERVER_HELLO, &buf, &buf_len ) );
2177
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]2178 MBEDTLS_SSL_PROC_CHK( ssl_tls13_write_server_hello_body( ssl, buf,
2179 buf + buf_len,
Jerry Yu23f7a6f2022-04-23 15:16:45 +0800[diff] [blame]2180 &msg_len,
2181 0 ) );
Jerry Yuf4b27e42022-03-30 17:32:21 +0800[diff] [blame]2182
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]2183 mbedtls_ssl_add_hs_msg_to_checksum(
Jerry Yuf4b27e42022-03-30 17:32:21 +0800[diff] [blame]2184 ssl, MBEDTLS_SSL_HS_SERVER_HELLO, buf, msg_len );
2185
Jerry Yu3bf2c642022-03-30 22:02:12 +0800[diff] [blame]2186 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_finish_handshake_msg(
Jerry Yuf4b27e42022-03-30 17:32:21 +0800[diff] [blame]2187 ssl, buf_len, msg_len ) );
Jerry Yu637a3f12022-04-20 21:37:58 +0800[diff] [blame]2188
Jerry Yue110d252022-05-05 10:19:22 +0800[diff] [blame]2189 MBEDTLS_SSL_PROC_CHK( ssl_tls13_finalize_write_server_hello( ssl ) );
2190
Gabor Mezei7b39bf12022-05-24 16:04:14 +0200[diff] [blame]2191#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
2192 /* The server sends a dummy change_cipher_spec record immediately
2193 * after its first handshake message. This may either be after
2194 * a ServerHello or a HelloRetryRequest.
2195 */
Gabor Mezei96ae9262022-06-28 11:45:18 +0200[diff] [blame]2196 mbedtls_ssl_handshake_set_state(
2197 ssl, MBEDTLS_SSL_SERVER_CCS_AFTER_SERVER_HELLO );
Gabor Mezei7b39bf12022-05-24 16:04:14 +0200[diff] [blame]2198#else
Jerry Yu637a3f12022-04-20 21:37:58 +0800[diff] [blame]2199 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_ENCRYPTED_EXTENSIONS );
Gabor Mezei7b39bf12022-05-24 16:04:14 +0200[diff] [blame]2200#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
Jerry Yue110d252022-05-05 10:19:22 +0800[diff] [blame]2201
Jerry Yuf4b27e42022-03-30 17:32:21 +0800[diff] [blame]2202cleanup:
2203
2204 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server hello" ) );
2205 return( ret );
Jerry Yu5b64ae92022-03-30 17:15:02 +0800[diff] [blame]2206}
2207
Jerry Yu23d1a252022-05-12 18:08:59 +0800[diff] [blame]2208
2209/*
2210 * Handler for MBEDTLS_SSL_HELLO_RETRY_REQUEST
2211 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2212MBEDTLS_CHECK_RETURN_CRITICAL
Ronald Cron7b840462022-06-01 17:05:53 +0200[diff] [blame]2213static int ssl_tls13_prepare_hello_retry_request( mbedtls_ssl_context *ssl )
Jerry Yu23d1a252022-05-12 18:08:59 +0800[diff] [blame]2214{
2215 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2216 if( ssl->handshake->hello_retry_request_count > 0 )
2217 {
2218 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Too many HRRs" ) );
2219 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
2220 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
2221 return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
2222 }
2223
2224 /*
2225 * Create stateless transcript hash for HRR
2226 */
2227 MBEDTLS_SSL_DEBUG_MSG( 4, ( "Reset transcript for HRR" ) );
2228 ret = mbedtls_ssl_reset_transcript_for_hrr( ssl );
2229 if( ret != 0 )
2230 {
2231 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_reset_transcript_for_hrr", ret );
2232 return( ret );
2233 }
2234 mbedtls_ssl_session_reset_msg_layer( ssl, 0 );
2235
2236 return( 0 );
2237}
2238
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2239MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yu23d1a252022-05-12 18:08:59 +0800[diff] [blame]2240static int ssl_tls13_write_hello_retry_request( mbedtls_ssl_context *ssl )
2241{
2242 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2243 unsigned char *buf;
2244 size_t buf_len, msg_len;
2245
2246 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write hello retry request" ) );
2247
Ronald Cron7b840462022-06-01 17:05:53 +0200[diff] [blame]2248 MBEDTLS_SSL_PROC_CHK( ssl_tls13_prepare_hello_retry_request( ssl ) );
Jerry Yu23d1a252022-05-12 18:08:59 +0800[diff] [blame]2249
2250 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_start_handshake_msg(
2251 ssl, MBEDTLS_SSL_HS_SERVER_HELLO,
2252 &buf, &buf_len ) );
2253
2254 MBEDTLS_SSL_PROC_CHK( ssl_tls13_write_server_hello_body( ssl, buf,
2255 buf + buf_len,
2256 &msg_len,
2257 1 ) );
2258 mbedtls_ssl_add_hs_msg_to_checksum(
2259 ssl, MBEDTLS_SSL_HS_SERVER_HELLO, buf, msg_len );
2260
2261
2262 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_finish_handshake_msg( ssl, buf_len,
2263 msg_len ) );
2264
2265 ssl->handshake->hello_retry_request_count++;
2266
Gabor Mezei7b39bf12022-05-24 16:04:14 +0200[diff] [blame]2267#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
2268 /* The server sends a dummy change_cipher_spec record immediately
2269 * after its first handshake message. This may either be after
2270 * a ServerHello or a HelloRetryRequest.
2271 */
Gabor Mezei96ae9262022-06-28 11:45:18 +0200[diff] [blame]2272 mbedtls_ssl_handshake_set_state(
Gabor Mezeif7044ea2022-06-28 16:01:49 +0200[diff] [blame]2273 ssl, MBEDTLS_SSL_SERVER_CCS_AFTER_HELLO_RETRY_REQUEST );
Gabor Mezei7b39bf12022-05-24 16:04:14 +0200[diff] [blame]2274#else
Jerry Yu23d1a252022-05-12 18:08:59 +0800[diff] [blame]2275 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_HELLO );
Gabor Mezei7b39bf12022-05-24 16:04:14 +0200[diff] [blame]2276#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
Jerry Yu23d1a252022-05-12 18:08:59 +0800[diff] [blame]2277
2278cleanup:
2279 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write hello retry request" ) );
2280 return( ret );
2281}
2282
Jerry Yu5b64ae92022-03-30 17:15:02 +0800[diff] [blame]2283/*
Jerry Yu4d3841a2022-04-16 12:37:19 +0800[diff] [blame]2284 * Handler for MBEDTLS_SSL_ENCRYPTED_EXTENSIONS
2285 */
Jerry Yu4d3841a2022-04-16 12:37:19 +0800[diff] [blame]2286
2287/*
2288 * struct {
2289 * Extension extensions<0..2 ^ 16 - 1>;
2290 * } EncryptedExtensions;
2291 *
2292 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2293MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yu4d3841a2022-04-16 12:37:19 +0800[diff] [blame]2294static int ssl_tls13_write_encrypted_extensions_body( mbedtls_ssl_context *ssl,
2295 unsigned char *buf,
2296 unsigned char *end,
2297 size_t *out_len )
2298{
XiaokangQianacb39922022-06-17 10:18:48 +0000[diff] [blame]2299 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yu4d3841a2022-04-16 12:37:19 +0800[diff] [blame]2300 unsigned char *p = buf;
2301 size_t extensions_len = 0;
Jerry Yu8937eb42022-05-03 12:12:14 +0800[diff] [blame]2302 unsigned char *p_extensions_len;
XiaokangQianacb39922022-06-17 10:18:48 +0000[diff] [blame]2303 size_t output_len;
Jerry Yu9da5e5a2022-05-03 15:46:09 +0800[diff] [blame]2304
Jerry Yu4d3841a2022-04-16 12:37:19 +0800[diff] [blame]2305 *out_len = 0;
2306
2307 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 );
Jerry Yu8937eb42022-05-03 12:12:14 +0800[diff] [blame]2308 p_extensions_len = p;
Jerry Yu4d3841a2022-04-16 12:37:19 +0800[diff] [blame]2309 p += 2;
2310
Jerry Yu8937eb42022-05-03 12:12:14 +0800[diff] [blame]2311 ((void) ssl);
XiaokangQianacb39922022-06-17 10:18:48 +0000[diff] [blame]2312 ((void) ret);
2313 ((void) output_len);
2314
2315#if defined(MBEDTLS_SSL_ALPN)
2316 ret = mbedtls_ssl_write_alpn_ext( ssl, p, end, &output_len );
2317 if( ret != 0 )
2318 return( ret );
XiaokangQian95d5f542022-06-24 02:29:26 +0000[diff] [blame]2319 p += output_len;
XiaokangQianacb39922022-06-17 10:18:48 +0000[diff] [blame]2320#endif /* MBEDTLS_SSL_ALPN */
Jerry Yu4d3841a2022-04-16 12:37:19 +0800[diff] [blame]2321
Jerry Yu8937eb42022-05-03 12:12:14 +0800[diff] [blame]2322 extensions_len = ( p - p_extensions_len ) - 2;
2323 MBEDTLS_PUT_UINT16_BE( extensions_len, p_extensions_len, 0 );
2324
2325 *out_len = p - buf;
Jerry Yu4d3841a2022-04-16 12:37:19 +0800[diff] [blame]2326
2327 MBEDTLS_SSL_DEBUG_BUF( 4, "encrypted extensions", buf, *out_len );
2328
2329 return( 0 );
2330}
2331
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2332MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yu4d3841a2022-04-16 12:37:19 +0800[diff] [blame]2333static int ssl_tls13_write_encrypted_extensions( mbedtls_ssl_context *ssl )
2334{
2335 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2336 unsigned char *buf;
Jerry Yu39730a72022-05-03 12:14:04 +0800[diff] [blame]2337 size_t buf_len, msg_len;
Jerry Yu4d3841a2022-04-16 12:37:19 +0800[diff] [blame]2338
Gabor Mezei54719122022-06-28 11:34:56 +0200[diff] [blame]2339 mbedtls_ssl_set_outbound_transform( ssl,
2340 ssl->handshake->transform_handshake );
2341 MBEDTLS_SSL_DEBUG_MSG(
2342 3, ( "switching to handshake transform for outbound data" ) );
2343
Jerry Yuab452cc2022-04-28 15:27:08 +0800[diff] [blame]2344 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write encrypted extensions" ) );
Jerry Yu4d3841a2022-04-16 12:37:19 +0800[diff] [blame]2345
Jerry Yu4d3841a2022-04-16 12:37:19 +0800[diff] [blame]2346 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_start_handshake_msg( ssl,
2347 MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS, &buf, &buf_len ) );
2348
2349 MBEDTLS_SSL_PROC_CHK( ssl_tls13_write_encrypted_extensions_body(
2350 ssl, buf, buf + buf_len, &msg_len ) );
2351
2352 mbedtls_ssl_add_hs_msg_to_checksum(
2353 ssl, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS, buf, msg_len );
2354
Jerry Yu4d3841a2022-04-16 12:37:19 +0800[diff] [blame]2355 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_finish_handshake_msg(
2356 ssl, buf_len, msg_len ) );
2357
Jerry Yu8937eb42022-05-03 12:12:14 +0800[diff] [blame]2358#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
Ronald Cron79907712022-07-20 17:05:29 +0200[diff] [blame]2359 if( mbedtls_ssl_tls13_key_exchange_mode_with_psk( ssl ) )
Jerry Yu8937eb42022-05-03 12:12:14 +0800[diff] [blame]2360 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_FINISHED );
2361 else
XiaokangQiana987e1d2022-05-07 01:25:58 +0000[diff] [blame]2362 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CERTIFICATE_REQUEST );
Jerry Yu8937eb42022-05-03 12:12:14 +0800[diff] [blame]2363#else
2364 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_FINISHED );
2365#endif
2366
Jerry Yu4d3841a2022-04-16 12:37:19 +0800[diff] [blame]2367cleanup:
2368
Jerry Yuab452cc2022-04-28 15:27:08 +0800[diff] [blame]2369 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write encrypted extensions" ) );
Jerry Yu4d3841a2022-04-16 12:37:19 +0800[diff] [blame]2370 return( ret );
2371}
2372
XiaokangQiancec9ae62022-05-06 07:28:50 +0000[diff] [blame]2373#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
XiaokangQiana987e1d2022-05-07 01:25:58 +0000[diff] [blame]2374#define SSL_CERTIFICATE_REQUEST_SEND_REQUEST 0
2375#define SSL_CERTIFICATE_REQUEST_SKIP 1
2376/* Coordination:
2377 * Check whether a CertificateRequest message should be written.
2378 * Returns a negative code on failure, or
2379 * - SSL_CERTIFICATE_REQUEST_SEND_REQUEST
2380 * - SSL_CERTIFICATE_REQUEST_SKIP
2381 * indicating if the writing of the CertificateRequest
2382 * should be skipped or not.
2383 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2384MBEDTLS_CHECK_RETURN_CRITICAL
XiaokangQiana987e1d2022-05-07 01:25:58 +0000[diff] [blame]2385static int ssl_tls13_certificate_request_coordinate( mbedtls_ssl_context *ssl )
2386{
2387 int authmode;
2388
XiaokangQian40a35232022-05-07 09:02:40 +0000[diff] [blame]2389#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
2390 if( ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET )
2391 authmode = ssl->handshake->sni_authmode;
2392 else
2393#endif
XiaokangQiana987e1d2022-05-07 01:25:58 +0000[diff] [blame]2394 authmode = ssl->conf->authmode;
2395
2396 if( authmode == MBEDTLS_SSL_VERIFY_NONE )
2397 return( SSL_CERTIFICATE_REQUEST_SKIP );
2398
XiaokangQianc3017f62022-05-13 05:55:41 +0000[diff] [blame]2399 ssl->handshake->certificate_request_sent = 1;
XiaokangQian189ded22022-05-10 08:12:17 +0000[diff] [blame]2400
XiaokangQiana987e1d2022-05-07 01:25:58 +0000[diff] [blame]2401 return( SSL_CERTIFICATE_REQUEST_SEND_REQUEST );
2402}
2403
XiaokangQiancec9ae62022-05-06 07:28:50 +0000[diff] [blame]2404/*
2405 * struct {
2406 * opaque certificate_request_context<0..2^8-1>;
2407 * Extension extensions<2..2^16-1>;
2408 * } CertificateRequest;
2409 *
2410 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2411MBEDTLS_CHECK_RETURN_CRITICAL
XiaokangQiancec9ae62022-05-06 07:28:50 +0000[diff] [blame]2412static int ssl_tls13_write_certificate_request_body( mbedtls_ssl_context *ssl,
2413 unsigned char *buf,
2414 const unsigned char *end,
2415 size_t *out_len )
2416{
2417 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2418 unsigned char *p = buf;
XiaokangQianec6efb92022-05-06 09:53:10 +0000[diff] [blame]2419 size_t output_len = 0;
XiaokangQiancec9ae62022-05-06 07:28:50 +0000[diff] [blame]2420 unsigned char *p_extensions_len;
2421
2422 *out_len = 0;
2423
2424 /* Check if we have enough space:
2425 * - certificate_request_context (1 byte)
2426 * - extensions length (2 bytes)
2427 */
2428 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 3 );
2429
2430 /*
2431 * Write certificate_request_context
2432 */
2433 /*
2434 * We use a zero length context for the normal handshake
2435 * messages. For post-authentication handshake messages
2436 * this request context would be set to a non-zero value.
2437 */
2438 *p++ = 0x0;
2439
2440 /*
2441 * Write extensions
2442 */
2443 /* The extensions must contain the signature_algorithms. */
2444 p_extensions_len = p;
2445 p += 2;
XiaokangQianec6efb92022-05-06 09:53:10 +0000[diff] [blame]2446 ret = mbedtls_ssl_write_sig_alg_ext( ssl, p, end, &output_len );
XiaokangQiancec9ae62022-05-06 07:28:50 +0000[diff] [blame]2447 if( ret != 0 )
2448 return( ret );
2449
XiaokangQianec6efb92022-05-06 09:53:10 +0000[diff] [blame]2450 p += output_len;
XiaokangQianaad9b0a2022-05-09 01:11:21 +0000[diff] [blame]2451 MBEDTLS_PUT_UINT16_BE( p - p_extensions_len - 2, p_extensions_len, 0 );
XiaokangQiancec9ae62022-05-06 07:28:50 +0000[diff] [blame]2452
2453 *out_len = p - buf;
2454
2455 return( 0 );
2456}
2457
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2458MBEDTLS_CHECK_RETURN_CRITICAL
XiaokangQiancec9ae62022-05-06 07:28:50 +0000[diff] [blame]2459static int ssl_tls13_write_certificate_request( mbedtls_ssl_context *ssl )
2460{
2461 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2462
2463 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) );
2464
2465 MBEDTLS_SSL_PROC_CHK_NEG( ssl_tls13_certificate_request_coordinate( ssl ) );
2466
2467 if( ret == SSL_CERTIFICATE_REQUEST_SEND_REQUEST )
2468 {
2469 unsigned char *buf;
2470 size_t buf_len, msg_len;
2471
2472 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_start_handshake_msg( ssl,
2473 MBEDTLS_SSL_HS_CERTIFICATE_REQUEST, &buf, &buf_len ) );
2474
2475 MBEDTLS_SSL_PROC_CHK( ssl_tls13_write_certificate_request_body(
2476 ssl, buf, buf + buf_len, &msg_len ) );
2477
2478 mbedtls_ssl_add_hs_msg_to_checksum(
2479 ssl, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST, buf, msg_len );
2480
2481 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_finish_handshake_msg(
2482 ssl, buf_len, msg_len ) );
2483 }
2484 else if( ret == SSL_CERTIFICATE_REQUEST_SKIP )
2485 {
2486 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) );
2487 ret = 0;
2488 }
2489 else
2490 {
2491 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2492 ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
2493 goto cleanup;
2494 }
2495
2496 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_CERTIFICATE );
2497cleanup:
2498
2499 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate request" ) );
2500 return( ret );
2501}
XiaokangQiancec9ae62022-05-06 07:28:50 +0000[diff] [blame]2502
Jerry Yu4d3841a2022-04-16 12:37:19 +0800[diff] [blame]2503/*
Jerry Yuc6e6dbf2022-04-16 19:42:57 +0800[diff] [blame]2504 * Handler for MBEDTLS_SSL_SERVER_CERTIFICATE
Jerry Yu83da34e2022-04-16 13:59:52 +0800[diff] [blame]2505 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2506MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yuc6e6dbf2022-04-16 19:42:57 +0800[diff] [blame]2507static int ssl_tls13_write_server_certificate( mbedtls_ssl_context *ssl )
Jerry Yu83da34e2022-04-16 13:59:52 +0800[diff] [blame]2508{
Jerry Yu5a26f302022-05-10 20:46:40 +0800[diff] [blame]2509 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
XiaokangQianfb665a82022-06-15 03:57:21 +0000[diff] [blame]2510
2511#if defined(MBEDTLS_X509_CRT_PARSE_C)
2512 if( ( ssl_tls13_pick_key_cert( ssl ) != 0 ) ||
2513 mbedtls_ssl_own_cert( ssl ) == NULL )
Jerry Yu5a26f302022-05-10 20:46:40 +0800[diff] [blame]2514 {
Jerry Yub89125b2022-05-13 15:45:49 +0800[diff] [blame]2515 MBEDTLS_SSL_DEBUG_MSG( 2, ( "No certificate available." ) );
Jerry Yu5a26f302022-05-10 20:46:40 +0800[diff] [blame]2516 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
2517 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE);
Jerry Yuf1c3c4e2022-05-10 11:36:35 +0800[diff] [blame]2518 return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
Jerry Yu5a26f302022-05-10 20:46:40 +0800[diff] [blame]2519 }
XiaokangQianfb665a82022-06-15 03:57:21 +0000[diff] [blame]2520#endif /* MBEDTLS_X509_CRT_PARSE_C */
Jerry Yu5a26f302022-05-10 20:46:40 +0800[diff] [blame]2521
Jerry Yuf1c3c4e2022-05-10 11:36:35 +0800[diff] [blame]2522 ret = mbedtls_ssl_tls13_write_certificate( ssl );
2523 if( ret != 0 )
Jerry Yu1bff7112022-04-16 14:29:11 +0800[diff] [blame]2524 return( ret );
Jerry Yu1bff7112022-04-16 14:29:11 +0800[diff] [blame]2525 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CERTIFICATE_VERIFY );
2526 return( 0 );
Jerry Yu83da34e2022-04-16 13:59:52 +0800[diff] [blame]2527}
2528
2529/*
Jerry Yuc6e6dbf2022-04-16 19:42:57 +0800[diff] [blame]2530 * Handler for MBEDTLS_SSL_CERTIFICATE_VERIFY
Jerry Yu83da34e2022-04-16 13:59:52 +0800[diff] [blame]2531 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2532MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yuc6e6dbf2022-04-16 19:42:57 +0800[diff] [blame]2533static int ssl_tls13_write_certificate_verify( mbedtls_ssl_context *ssl )
Jerry Yu83da34e2022-04-16 13:59:52 +0800[diff] [blame]2534{
Jerry Yu4ff9e142022-04-16 14:57:49 +0800[diff] [blame]2535 int ret = mbedtls_ssl_tls13_write_certificate_verify( ssl );
Jerry Yuf1c3c4e2022-05-10 11:36:35 +0800[diff] [blame]2536 if( ret != 0 )
Jerry Yu4ff9e142022-04-16 14:57:49 +0800[diff] [blame]2537 return( ret );
Jerry Yu4ff9e142022-04-16 14:57:49 +0800[diff] [blame]2538 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_FINISHED );
2539 return( 0 );
Jerry Yu83da34e2022-04-16 13:59:52 +0800[diff] [blame]2540}
Jerry Yu5a26f302022-05-10 20:46:40 +0800[diff] [blame]2541#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
Jerry Yu83da34e2022-04-16 13:59:52 +0800[diff] [blame]2542
2543/*
Jerry Yud6e253d2022-05-18 13:59:24 +0800[diff] [blame]2544 * Handler for MBEDTLS_SSL_SERVER_FINISHED
Jerry Yu69dd8d42022-04-16 12:51:26 +0800[diff] [blame]2545 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2546MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yu4d8567f2022-04-17 10:57:57 +0800[diff] [blame]2547static int ssl_tls13_write_server_finished( mbedtls_ssl_context *ssl )
Jerry Yu69dd8d42022-04-16 12:51:26 +0800[diff] [blame]2548{
Jerry Yud6e253d2022-05-18 13:59:24 +0800[diff] [blame]2549 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yu27bdc7c2022-04-16 13:33:27 +0800[diff] [blame]2550
2551 ret = mbedtls_ssl_tls13_write_finished_message( ssl );
2552 if( ret != 0 )
2553 return( ret );
2554
Jerry Yue3d67cb2022-05-19 15:33:10 +0800[diff] [blame]2555 ret = mbedtls_ssl_tls13_compute_application_transform( ssl );
2556 if( ret != 0 )
2557 {
2558 MBEDTLS_SSL_PEND_FATAL_ALERT(
2559 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
2560 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
2561 return( ret );
2562 }
XiaokangQianc3017f62022-05-13 05:55:41 +0000[diff] [blame]2563
Ronald Cron63dc4632022-05-31 14:41:53 +0200[diff] [blame]2564 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Switch to handshake keys for inbound traffic" ) );
2565 mbedtls_ssl_set_inbound_transform( ssl, ssl->handshake->transform_handshake );
XiaokangQian189ded22022-05-10 08:12:17 +0000[diff] [blame]2566
Ronald Cron63dc4632022-05-31 14:41:53 +0200[diff] [blame]2567 if( ssl->handshake->certificate_request_sent )
2568 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE );
XiaokangQian189ded22022-05-10 08:12:17 +0000[diff] [blame]2569 else
Ronald Cron19385882022-06-15 16:26:13 +0200[diff] [blame]2570 {
2571 MBEDTLS_SSL_DEBUG_MSG( 2, ( "skip parse certificate" ) );
2572 MBEDTLS_SSL_DEBUG_MSG( 2, ( "skip parse certificate verify" ) );
XiaokangQian189ded22022-05-10 08:12:17 +0000[diff] [blame]2573 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_FINISHED );
Ronald Cron19385882022-06-15 16:26:13 +0200[diff] [blame]2574 }
Ronald Cron63dc4632022-05-31 14:41:53 +0200[diff] [blame]2575
Jerry Yu27bdc7c2022-04-16 13:33:27 +0800[diff] [blame]2576 return( 0 );
Jerry Yu69dd8d42022-04-16 12:51:26 +0800[diff] [blame]2577}
2578
2579/*
Jerry Yud6e253d2022-05-18 13:59:24 +0800[diff] [blame]2580 * Handler for MBEDTLS_SSL_CLIENT_FINISHED
Jerry Yu69dd8d42022-04-16 12:51:26 +0800[diff] [blame]2581 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2582MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yu4d8567f2022-04-17 10:57:57 +0800[diff] [blame]2583static int ssl_tls13_process_client_finished( mbedtls_ssl_context *ssl )
Jerry Yu69dd8d42022-04-16 12:51:26 +0800[diff] [blame]2584{
Jerry Yud6e253d2022-05-18 13:59:24 +0800[diff] [blame]2585 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2586
Jerry Yuff226982022-04-16 16:52:57 +0800[diff] [blame]2587 ret = mbedtls_ssl_tls13_process_finished_message( ssl );
2588 if( ret != 0 )
2589 return( ret );
2590
Jerry Yu466dda82022-09-13 11:20:20 +0800[diff] [blame]2591 ret = mbedtls_ssl_tls13_compute_resumption_master_secret( ssl );
Jerry Yue3d67cb2022-05-19 15:33:10 +0800[diff] [blame]2592 if( ret != 0 )
2593 {
2594 MBEDTLS_SSL_DEBUG_RET( 1,
Jerry Yu466dda82022-09-13 11:20:20 +0800[diff] [blame]2595 "mbedtls_ssl_tls13_compute_resumption_master_secret", ret );
Jerry Yue3d67cb2022-05-19 15:33:10 +0800[diff] [blame]2596 }
2597
Jerry Yu03ed50b2022-04-16 17:13:30 +0800[diff] [blame]2598 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_HANDSHAKE_WRAPUP );
Jerry Yuff226982022-04-16 16:52:57 +0800[diff] [blame]2599 return( 0 );
Jerry Yu69dd8d42022-04-16 12:51:26 +0800[diff] [blame]2600}
2601
2602/*
Jerry Yud6e253d2022-05-18 13:59:24 +0800[diff] [blame]2603 * Handler for MBEDTLS_SSL_HANDSHAKE_WRAPUP
Jerry Yu69dd8d42022-04-16 12:51:26 +0800[diff] [blame]2604 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2605MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yu4d8567f2022-04-17 10:57:57 +0800[diff] [blame]2606static int ssl_tls13_handshake_wrapup( mbedtls_ssl_context *ssl )
Jerry Yu69dd8d42022-04-16 12:51:26 +0800[diff] [blame]2607{
Jerry Yu03ed50b2022-04-16 17:13:30 +0800[diff] [blame]2608 MBEDTLS_SSL_DEBUG_MSG( 2, ( "handshake: done" ) );
2609
Jerry Yu03ed50b2022-04-16 17:13:30 +0800[diff] [blame]2610 mbedtls_ssl_tls13_handshake_wrapup( ssl );
Jerry Yue67bef42022-07-07 07:29:42 +0000[diff] [blame]2611
2612#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Jerry Yufca4d572022-07-21 10:37:48 +0800[diff] [blame]2613 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_NEW_SESSION_TICKET );
2614#else
Jerry Yu03ed50b2022-04-16 17:13:30 +0800[diff] [blame]2615 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_HANDSHAKE_OVER );
Jerry Yufca4d572022-07-21 10:37:48 +0800[diff] [blame]2616#endif
Jerry Yu03ed50b2022-04-16 17:13:30 +0800[diff] [blame]2617 return( 0 );
Jerry Yu69dd8d42022-04-16 12:51:26 +0800[diff] [blame]2618}
2619
2620/*
Jerry Yue67bef42022-07-07 07:29:42 +0000[diff] [blame]2621 * Handler for MBEDTLS_SSL_NEW_SESSION_TICKET
2622 */
2623#define SSL_NEW_SESSION_TICKET_SKIP 0
2624#define SSL_NEW_SESSION_TICKET_WRITE 1
2625MBEDTLS_CHECK_RETURN_CRITICAL
2626static int ssl_tls13_write_new_session_ticket_coordinate( mbedtls_ssl_context *ssl )
2627{
2628 /* Check whether the use of session tickets is enabled */
2629 if( ssl->conf->f_ticket_write == NULL )
2630 {
2631 MBEDTLS_SSL_DEBUG_MSG( 2, ( "new session ticket is not enabled" ) );
2632 return( SSL_NEW_SESSION_TICKET_SKIP );
2633 }
2634
Jerry Yue67bef42022-07-07 07:29:42 +0000[diff] [blame]2635 return( SSL_NEW_SESSION_TICKET_WRITE );
2636}
2637
2638#if defined(MBEDTLS_SSL_SESSION_TICKETS)
2639MBEDTLS_CHECK_RETURN_CRITICAL
2640static int ssl_tls13_prepare_new_session_ticket( mbedtls_ssl_context *ssl,
2641 unsigned char *ticket_nonce,
2642 size_t ticket_nonce_size )
2643{
2644 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2645 mbedtls_ssl_session *session = ssl->session;
2646 mbedtls_ssl_ciphersuite_t *ciphersuite_info;
2647 psa_algorithm_t psa_hash_alg;
2648 int hash_length;
2649
2650 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> prepare NewSessionTicket msg" ) );
2651
2652#if defined(MBEDTLS_HAVE_TIME)
2653 session->start = mbedtls_time( NULL );
2654#endif
2655
2656 /* Generate ticket_age_add */
2657 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng,
Jerry Yufca4d572022-07-21 10:37:48 +0800[diff] [blame]2658 (unsigned char *) &session->ticket_age_add,
Jerry Yue67bef42022-07-07 07:29:42 +0000[diff] [blame]2659 sizeof( session->ticket_age_add ) ) != 0 ) )
2660 {
2661 MBEDTLS_SSL_DEBUG_RET( 1, "generate_ticket_age_add", ret );
2662 return( ret );
2663 }
2664 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket_age_add: %u",
Jerry Yufca4d572022-07-21 10:37:48 +0800[diff] [blame]2665 (unsigned int)session->ticket_age_add ) );
Jerry Yue67bef42022-07-07 07:29:42 +0000[diff] [blame]2666
2667 /* Generate ticket_nonce */
2668 ret = ssl->conf->f_rng( ssl->conf->p_rng, ticket_nonce, ticket_nonce_size );
2669 if( ret != 0 )
2670 {
2671 MBEDTLS_SSL_DEBUG_RET( 1, "generate_ticket_nonce", ret );
2672 return( ret );
2673 }
2674 MBEDTLS_SSL_DEBUG_BUF( 3, "ticket_nonce:",
2675 ticket_nonce, ticket_nonce_size );
2676
2677 ciphersuite_info =
2678 (mbedtls_ssl_ciphersuite_t *) ssl->handshake->ciphersuite_info;
2679 psa_hash_alg = mbedtls_psa_translate_md( ciphersuite_info->mac );
2680 hash_length = PSA_HASH_LENGTH( psa_hash_alg );
Jerry Yufca4d572022-07-21 10:37:48 +0800[diff] [blame]2681 if( hash_length == -1 ||
Jerry Yu61197152022-07-21 16:28:02 +0800[diff] [blame]2682 (size_t)hash_length > sizeof( session->resumption_key ) )
Jerry Yufca4d572022-07-21 10:37:48 +0800[diff] [blame]2683 {
Jerry Yue67bef42022-07-07 07:29:42 +0000[diff] [blame]2684 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Jerry Yufca4d572022-07-21 10:37:48 +0800[diff] [blame]2685 }
2686
Jerry Yue67bef42022-07-07 07:29:42 +0000[diff] [blame]2687 /* In this code the psk key length equals the length of the hash */
2688 session->resumption_key_len = hash_length;
2689 session->ciphersuite = ciphersuite_info->id;
2690
2691 /* Compute resumption key
2692 *
2693 * HKDF-Expand-Label( resumption_master_secret,
2694 * "resumption", ticket_nonce, Hash.length )
2695 */
2696 ret = mbedtls_ssl_tls13_hkdf_expand_label(
2697 psa_hash_alg,
2698 session->app_secrets.resumption_master_secret,
2699 hash_length,
2700 MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( resumption ),
2701 ticket_nonce,
2702 ticket_nonce_size,
2703 session->resumption_key,
2704 hash_length );
2705
2706 if( ret != 0 )
2707 {
2708 MBEDTLS_SSL_DEBUG_RET( 2,
2709 "Creating the ticket-resumed PSK failed",
2710 ret );
2711 return ( ret );
2712 }
2713 MBEDTLS_SSL_DEBUG_BUF( 3, "Ticket-resumed PSK",
2714 session->resumption_key,
2715 session->resumption_key_len );
2716
2717 MBEDTLS_SSL_DEBUG_BUF( 3, "resumption_master_secret",
2718 session->app_secrets.resumption_master_secret,
2719 hash_length );
2720
2721 return( 0 );
2722}
2723
2724/* This function creates a NewSessionTicket message in the following format:
2725 *
2726 * struct {
2727 * uint32 ticket_lifetime;
2728 * uint32 ticket_age_add;
2729 * opaque ticket_nonce<0..255>;
2730 * opaque ticket<1..2^16-1>;
2731 * Extension extensions<0..2^16-2>;
2732 * } NewSessionTicket;
2733 *
2734 * The ticket inside the NewSessionTicket message is an encrypted container
2735 * carrying the necessary information so that the server is later able to
2736 * re-start the communication.
2737 *
2738 * The following fields are placed inside the ticket by the
2739 * f_ticket_write() function:
2740 *
2741 * - creation time (start)
2742 * - flags (flags)
2743 * - age add (ticket_age_add)
2744 * - key (key)
2745 * - key length (key_len)
2746 * - ciphersuite (ciphersuite)
2747 */
2748MBEDTLS_CHECK_RETURN_CRITICAL
2749static int ssl_tls13_write_new_session_ticket_body( mbedtls_ssl_context *ssl,
2750 unsigned char *buf,
2751 unsigned char *end,
2752 size_t *out_len,
2753 unsigned char *ticket_nonce,
2754 size_t ticket_nonce_size )
2755{
2756 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2757 unsigned char *p = buf;
2758 mbedtls_ssl_session *session = ssl->session;
2759 size_t ticket_len;
2760 uint32_t ticket_lifetime;
2761
2762 *out_len = 0;
2763 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write NewSessionTicket msg" ) );
2764
2765 /*
2766 * ticket_lifetime 4 bytes
2767 * ticket_age_add 4 bytes
2768 * ticket_nonce 1 + ticket_nonce_size bytes
2769 * ticket >=2 bytes
2770 */
2771 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 4 + 4 + 1 + ticket_nonce_size + 2 );
2772
2773 /* Generate ticket and ticket_lifetime */
2774 ret = ssl->conf->f_ticket_write( ssl->conf->p_ticket,
2775 session,
2776 p + 9 + ticket_nonce_size + 2,
2777 end,
2778 &ticket_len,
2779 &ticket_lifetime);
2780 if( ret != 0 )
2781 {
2782 MBEDTLS_SSL_DEBUG_RET( 1, "write_ticket", ret );
2783 return( ret );
2784 }
2785 /* RFC 8446 4.6.1
2786 * ticket_lifetime: Indicates the lifetime in seconds as a 32-bit
2787 * unsigned integer in network byte order from the time of ticket
2788 * issuance. Servers MUST NOT use any value greater than
2789 * 604800 seconds (7 days). The value of zero indicates that the
2790 * ticket should be discarded immediately. Clients MUST NOT cache
2791 * tickets for longer than 7 days, regardless of the ticket_lifetime,
2792 * and MAY delete tickets earlier based on local policy. A server
2793 * MAY treat a ticket as valid for a shorter period of time than what
2794 * is stated in the ticket_lifetime.
2795 */
2796 ticket_lifetime %= 604800;
2797 MBEDTLS_PUT_UINT32_BE( ticket_lifetime, p, 0 );
2798 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket_lifetime: %u",
2799 ( unsigned int )ticket_lifetime ) );
2800
2801 /* Write ticket_age_add */
2802 MBEDTLS_PUT_UINT32_BE( session->ticket_age_add, p, 4 );
2803 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket_age_add: %u",
2804 ( unsigned int )session->ticket_age_add ) );
2805
2806 /* Write ticket_nonce */
2807 p[8] = ( unsigned char )ticket_nonce_size;
2808 if( ticket_nonce_size > 0 )
2809 {
2810 memcpy( p + 9, ticket_nonce, ticket_nonce_size );
2811 }
2812 p += 9 + ticket_nonce_size;
2813
2814 /* Write ticket */
2815 MBEDTLS_PUT_UINT16_BE( ticket_len, p, 0 );
2816 p += 2;
2817 MBEDTLS_SSL_DEBUG_BUF( 4, "ticket", p, ticket_len);
2818 p += ticket_len;
2819
2820 /* Ticket Extensions
2821 *
2822 * Note: We currently don't have any extensions.
2823 * Set length to zero.
2824 */
2825 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 );
2826 MBEDTLS_PUT_UINT16_BE( 0, p, 0 );
2827 p += 2;
2828
2829 *out_len = p - buf;
2830 MBEDTLS_SSL_DEBUG_BUF( 4, "ticket", buf, *out_len );
2831 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write new session ticket" ) );
2832
2833 return( 0 );
2834}
2835
2836/*
2837 * Handler for MBEDTLS_SSL_NEW_SESSION_TICKET
2838 */
2839static int ssl_tls13_write_new_session_ticket( mbedtls_ssl_context *ssl )
2840{
2841 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2842
2843 MBEDTLS_SSL_PROC_CHK_NEG( ssl_tls13_write_new_session_ticket_coordinate( ssl ) );
2844
2845 if( ret == SSL_NEW_SESSION_TICKET_WRITE )
2846 {
2847 unsigned char ticket_nonce[MBEDTLS_SSL_TLS1_3_TICKET_NONCE_LENGTH];
2848 unsigned char *buf;
2849 size_t buf_len, msg_len;
2850
2851 MBEDTLS_SSL_PROC_CHK( ssl_tls13_prepare_new_session_ticket(
2852 ssl, ticket_nonce, sizeof( ticket_nonce ) ) );
2853
2854 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_start_handshake_msg( ssl,
2855 MBEDTLS_SSL_HS_NEW_SESSION_TICKET, &buf, &buf_len ) );
2856
2857 MBEDTLS_SSL_PROC_CHK( ssl_tls13_write_new_session_ticket_body(
2858 ssl, buf, buf + buf_len, &msg_len,
2859 ticket_nonce, sizeof( ticket_nonce ) ) );
2860
Jerry Yue67bef42022-07-07 07:29:42 +0000[diff] [blame]2861 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_finish_handshake_msg(
2862 ssl, buf_len, msg_len ) );
Jerry Yufca4d572022-07-21 10:37:48 +0800[diff] [blame]2863
2864 mbedtls_ssl_handshake_set_state( ssl,
2865 MBEDTLS_SSL_NEW_SESSION_TICKET_FLUSH );
Jerry Yue67bef42022-07-07 07:29:42 +0000[diff] [blame]2866 }
2867 else
2868 {
2869 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_HANDSHAKE_OVER );
2870 }
2871
Jerry Yue67bef42022-07-07 07:29:42 +0000[diff] [blame]2872cleanup:
2873
2874 return( ret );
2875}
2876#endif /* MBEDTLS_SSL_SESSION_TICKETS */
2877
2878/*
XiaokangQiane8ff3502022-04-22 02:34:40 +0000[diff] [blame]2879 * TLS 1.3 State Machine -- server side
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]2880 */
Jerry Yu27561932021-08-27 17:07:38 +0800[diff] [blame]2881int mbedtls_ssl_tls13_handshake_server_step( mbedtls_ssl_context *ssl )
Jerry Yub9930e72021-08-06 17:11:51 +0800[diff] [blame]2882{
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]2883 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]2884
2885 if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER || ssl->handshake == NULL )
2886 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
2887
Jerry Yue3b34122021-09-28 17:53:35 +0800[diff] [blame]2888 MBEDTLS_SSL_DEBUG_MSG( 2, ( "tls13 server state: %s(%d)",
2889 mbedtls_ssl_states_str( ssl->state ),
2890 ssl->state ) );
Jerry Yu6e81b272021-09-27 11:16:17 +0800[diff] [blame]2891
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]2892 switch( ssl->state )
2893 {
2894 /* start state */
2895 case MBEDTLS_SSL_HELLO_REQUEST:
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]2896 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_HELLO );
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]2897 ret = 0;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]2898 break;
2899
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]2900 case MBEDTLS_SSL_CLIENT_HELLO:
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]2901 ret = ssl_tls13_process_client_hello( ssl );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]2902 if( ret != 0 )
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]2903 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_tls13_process_client_hello", ret );
Jerry Yuf41553b2022-05-09 22:20:30 +0800[diff] [blame]2904 break;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]2905
Jerry Yuf41553b2022-05-09 22:20:30 +0800[diff] [blame]2906 case MBEDTLS_SSL_HELLO_RETRY_REQUEST:
2907 ret = ssl_tls13_write_hello_retry_request( ssl );
2908 if( ret != 0 )
2909 {
2910 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_tls13_write_hello_retry_request", ret );
2911 return( ret );
2912 }
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]2913 break;
2914
Jerry Yu5b64ae92022-03-30 17:15:02 +0800[diff] [blame]2915 case MBEDTLS_SSL_SERVER_HELLO:
2916 ret = ssl_tls13_write_server_hello( ssl );
2917 break;
2918
Xiaofei Baicba64af2022-02-15 10:00:56 +0000[diff] [blame]2919 case MBEDTLS_SSL_ENCRYPTED_EXTENSIONS:
Jerry Yu4d3841a2022-04-16 12:37:19 +0800[diff] [blame]2920 ret = ssl_tls13_write_encrypted_extensions( ssl );
Xiaofei Baicba64af2022-02-15 10:00:56 +0000[diff] [blame]2921 if( ret != 0 )
2922 {
Jerry Yu4d3841a2022-04-16 12:37:19 +0800[diff] [blame]2923 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_tls13_write_encrypted_extensions", ret );
2924 return( ret );
Xiaofei Baicba64af2022-02-15 10:00:56 +0000[diff] [blame]2925 }
Jerry Yu48330562022-05-06 21:35:44 +0800[diff] [blame]2926 break;
Jerry Yu6a2cd9e2022-05-05 11:14:19 +0800[diff] [blame]2927
Xiaofei Bai9ca09d42022-02-14 12:57:18 +0000[diff] [blame]2928#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
2929 case MBEDTLS_SSL_CERTIFICATE_REQUEST:
Xiaofei Bai5ee73d82022-03-14 02:48:30 +0000[diff] [blame]2930 ret = ssl_tls13_write_certificate_request( ssl );
Xiaofei Bai9ca09d42022-02-14 12:57:18 +0000[diff] [blame]2931 break;
Xiaofei Bai9ca09d42022-02-14 12:57:18 +0000[diff] [blame]2932
Jerry Yu83da34e2022-04-16 13:59:52 +0800[diff] [blame]2933 case MBEDTLS_SSL_SERVER_CERTIFICATE:
2934 ret = ssl_tls13_write_server_certificate( ssl );
2935 break;
2936
2937 case MBEDTLS_SSL_CERTIFICATE_VERIFY:
2938 ret = ssl_tls13_write_certificate_verify( ssl );
2939 break;
Jerry Yu5a26f302022-05-10 20:46:40 +0800[diff] [blame]2940#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
Jerry Yu83da34e2022-04-16 13:59:52 +0800[diff] [blame]2941
Gabor Mezei7b39bf12022-05-24 16:04:14 +0200[diff] [blame]2942 /*
2943 * Injection of dummy-CCS's for middlebox compatibility
2944 */
2945#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
Gabor Mezeif7044ea2022-06-28 16:01:49 +0200[diff] [blame]2946 case MBEDTLS_SSL_SERVER_CCS_AFTER_HELLO_RETRY_REQUEST:
Gabor Mezei7b39bf12022-05-24 16:04:14 +0200[diff] [blame]2947 ret = mbedtls_ssl_tls13_write_change_cipher_spec( ssl );
2948 if( ret == 0 )
2949 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_HELLO );
2950 break;
2951
2952 case MBEDTLS_SSL_SERVER_CCS_AFTER_SERVER_HELLO:
2953 ret = mbedtls_ssl_tls13_write_change_cipher_spec( ssl );
2954 if( ret == 0 )
2955 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_ENCRYPTED_EXTENSIONS );
2956 break;
2957#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
2958
Jerry Yu69dd8d42022-04-16 12:51:26 +0800[diff] [blame]2959 case MBEDTLS_SSL_SERVER_FINISHED:
2960 ret = ssl_tls13_write_server_finished( ssl );
2961 break;
2962
2963 case MBEDTLS_SSL_CLIENT_FINISHED:
2964 ret = ssl_tls13_process_client_finished( ssl );
2965 break;
2966
Jerry Yu69dd8d42022-04-16 12:51:26 +0800[diff] [blame]2967 case MBEDTLS_SSL_HANDSHAKE_WRAPUP:
2968 ret = ssl_tls13_handshake_wrapup( ssl );
2969 break;
2970
XiaokangQian6b916b12022-04-25 07:29:34 +0000[diff] [blame]2971 case MBEDTLS_SSL_CLIENT_CERTIFICATE:
2972 ret = mbedtls_ssl_tls13_process_certificate( ssl );
Ronald Cron209cae92022-06-07 10:30:19 +0200[diff] [blame]2973 if( ret == 0 )
XiaokangQian6b916b12022-04-25 07:29:34 +0000[diff] [blame]2974 {
Ronald Cron209cae92022-06-07 10:30:19 +0200[diff] [blame]2975 if( ssl->session_negotiate->peer_cert != NULL )
2976 {
2977 mbedtls_ssl_handshake_set_state(
2978 ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY );
2979 }
2980 else
Ronald Cron19385882022-06-15 16:26:13 +0200[diff] [blame]2981 {
2982 MBEDTLS_SSL_DEBUG_MSG( 2, ( "skip parse certificate verify" ) );
Ronald Cron209cae92022-06-07 10:30:19 +0200[diff] [blame]2983 mbedtls_ssl_handshake_set_state(
2984 ssl, MBEDTLS_SSL_CLIENT_FINISHED );
Ronald Cron19385882022-06-15 16:26:13 +0200[diff] [blame]2985 }
XiaokangQian6b916b12022-04-25 07:29:34 +0000[diff] [blame]2986 }
2987 break;
2988
2989 case MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY:
2990 ret = mbedtls_ssl_tls13_process_certificate_verify( ssl );
2991 if( ret == 0 )
2992 {
2993 mbedtls_ssl_handshake_set_state(
2994 ssl, MBEDTLS_SSL_CLIENT_FINISHED );
2995 }
2996 break;
2997
Jerry Yue67bef42022-07-07 07:29:42 +0000[diff] [blame]2998#if defined(MBEDTLS_SSL_SESSION_TICKETS)
2999 case MBEDTLS_SSL_NEW_SESSION_TICKET:
3000 ret = ssl_tls13_write_new_session_ticket( ssl );
3001 if( ret != 0 )
3002 {
3003 MBEDTLS_SSL_DEBUG_RET( 1,
3004 "ssl_tls13_write_new_session_ticket ",
3005 ret );
3006 }
3007 break;
3008 case MBEDTLS_SSL_NEW_SESSION_TICKET_FLUSH:
3009 /* This state is necessary to do the flush of the New Session
3010 * Ticket message written in MBEDTLS_SSL_NEW_SESSION_TICKET
3011 * as part of ssl_prepare_handshake_step.
3012 */
3013 ret = 0;
3014 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_HANDSHAKE_OVER );
3015 break;
3016
3017#endif /* MBEDTLS_SSL_SESSION_TICKETS */
3018
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]3019 default:
3020 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) );
XiaokangQian060d8672022-04-21 09:24:56 +0000[diff] [blame]3021 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]3022 }
3023
3024 return( ret );
Jerry Yub9930e72021-08-06 17:11:51 +0800[diff] [blame]3025}
Jerry Yu3cc4c2a2021-08-06 16:29:08 +0800[diff] [blame]3026
Jerry Yufb4b6472022-01-27 15:03:26 +0800[diff] [blame]3027#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_PROTO_TLS1_3 */