TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 318dc763a6c165413c0b0a971015df402f2b8a1d / . / library / ssl_tls13_server.c
blob: 447bc0e3dcba2ad6e4d4596f0daf988bffdf5cd3 [file] [log] [blame]
Jerry Yu3cc4c2a2021-08-06 16:29:08 +0800[diff] [blame]1/*
Jerry Yub9930e72021-08-06 17:11:51 +0800[diff] [blame]2 * TLS 1.3 server-side functions
Jerry Yu3cc4c2a2021-08-06 16:29:08 +0800[diff] [blame]3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18*/
19
20#include "common.h"
21
Jerry Yufb4b6472022-01-27 15:03:26 +0800[diff] [blame]22#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
Jerry Yu3cc4c2a2021-08-06 16:29:08 +0800[diff] [blame]23
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]24#include "mbedtls/debug.h"
25
Jerry Yu3cc4c2a2021-08-06 16:29:08 +0800[diff] [blame]26#include "ssl_misc.h"
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]27#include "ssl_client.h"
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]28#include "ssl_tls13_keys.h"
Gilles Peskine923d5c92021-12-15 12:56:54 +0100[diff] [blame]29#include "ssl_debug_helpers.h"
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]30#include <string.h>
31#if defined(MBEDTLS_ECP_C)
32#include "mbedtls/ecp.h"
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]33#endif /* MBEDTLS_ECP_C */
Jerry Yu3cc4c2a2021-08-06 16:29:08 +0800[diff] [blame]34
XiaokangQiana9c58412022-02-17 09:41:26 +0000[diff] [blame]35#if defined(MBEDTLS_PLATFORM_C)
36#include "mbedtls/platform.h"
37#else
38#include <stdlib.h>
39#define mbedtls_calloc calloc
40#define mbedtls_free free
41#endif /* MBEDTLS_PLATFORM_C */
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]42
43/* From RFC 8446:
44 * struct {
XiaokangQiancfd925f2022-04-14 07:10:37 +0000[diff] [blame]45 * ProtocolVersion versions<2..254>;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]46 * } SupportedVersions;
47 */
48static int ssl_tls13_parse_supported_versions_ext( mbedtls_ssl_context *ssl,
49 const unsigned char *buf,
50 const unsigned char *end )
51{
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]52 const unsigned char *p = buf;
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]53 size_t versions_len;
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]54 const unsigned char *versions_end;
XiaokangQiande333912022-04-20 08:49:42 +0000[diff] [blame]55 int tls_version;
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]56 int tls13_supported = 0;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]57
58 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 1 );
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]59 versions_len = p[0];
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]60 p += 1;
61
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]62 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, versions_len );
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]63 versions_end = p + versions_len;
64 while( p < versions_end )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]65 {
XiaokangQiancfd925f2022-04-14 07:10:37 +0000[diff] [blame]66 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, versions_end, 2 );
XiaokangQiande333912022-04-20 08:49:42 +0000[diff] [blame]67 tls_version = mbedtls_ssl_read_version( p, ssl->conf->transport );
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]68 p += 2;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]69
70 /* In this implementation we only support TLS 1.3 and DTLS 1.3. */
XiaokangQiande333912022-04-20 08:49:42 +0000[diff] [blame]71 if( tls_version == MBEDTLS_SSL_VERSION_TLS1_3 )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]72 {
73 tls13_supported = 1;
74 break;
75 }
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]76 }
77
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]78 if( !tls13_supported )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]79 {
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]80 MBEDTLS_SSL_DEBUG_MSG( 1, ( "TLS 1.3 is not supported by the client" ) );
81
82 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION,
83 MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION );
84 return( MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION );
85 }
86
XiaokangQiande333912022-04-20 08:49:42 +0000[diff] [blame]87 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Negotiated version. Supported is [%04x]",
88 tls_version ) );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]89
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]90 return( 0 );
91}
92
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]93#if defined(MBEDTLS_ECDH_C)
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]94/* This function parses the TLS 1.3 supported_groups extension and
95 * stores the received groups in ssl->handshake->curves.
96 *
97 * From RFC 8446:
98 * enum {
99 * ... (0xFFFF)
100 * } NamedGroup;
101 * struct {
102 * NamedGroup named_group_list<2..2^16-1>;
103 * } NamedGroupList;
104 */
XiaokangQiancfd925f2022-04-14 07:10:37 +0000[diff] [blame]105static int ssl_tls13_parse_supported_groups_ext(
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]106 mbedtls_ssl_context *ssl,
107 const unsigned char *buf, const unsigned char *end )
108{
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]109 const unsigned char *p = buf;
XiaokangQian84823772022-04-19 07:57:30 +0000[diff] [blame]110 size_t named_group_list_len;
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]111 const unsigned char *named_group_list_end;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]112
113 MBEDTLS_SSL_DEBUG_BUF( 3, "supported_groups extension", p, end - buf );
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]114 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]115 named_group_list_len = MBEDTLS_GET_UINT16_BE( p, 0 );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]116 p += 2;
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]117 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, named_group_list_len );
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]118 named_group_list_end = p + named_group_list_len;
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]119 ssl->handshake->hrr_selected_group = 0;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]120
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]121 while( p < named_group_list_end )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]122 {
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]123 uint16_t named_group;
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]124 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, named_group_list_end, 2 );
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]125 named_group = MBEDTLS_GET_UINT16_BE( p, 0 );
126 p += 2;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]127
XiaokangQian318dc762022-04-20 09:43:51 +0000[diff] [blame^]128 MBEDTLS_SSL_DEBUG_MSG( 2, ( "got named group: %d", named_group ) );
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]129
130 if( ! mbedtls_ssl_named_group_is_offered( ssl, named_group ) ||
131 ! mbedtls_ssl_named_group_is_supported( named_group ) ||
132 ssl->handshake->hrr_selected_group != 0 )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]133 {
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]134 continue;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]135 }
136
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]137 MBEDTLS_SSL_DEBUG_MSG(
138 2, ( "add named group (%04x) into received list.",
139 named_group ) );
140 ssl->handshake->hrr_selected_group = named_group;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]141 }
142
143 return( 0 );
144
145}
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]146#endif /* MBEDTLS_ECDH_C */
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]147
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]148#define SSL_TLS1_3_PARSE_KEY_SHARES_EXT_NO_MATCH 1
149
XiaokangQian88408882022-04-02 10:15:03 +0000[diff] [blame]150#if defined(MBEDTLS_ECDH_C)
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]151/*
152 * ssl_tls13_parse_key_shares_ext() verifies whether the information in the
153 * extension is correct and stores the provided key shares. Whether this is an
154 * acceptable key share depends on the selected ciphersuite.
155 *
156 * Possible return values are:
157 * - 0: Successful processing of the client provided key share extension.
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]158 * - SSL_TLS1_3_PARSE_KEY_SHARES_EXT_NO_MATCH: The key shares provided by the client
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]159 * does not match a group supported by the server. A HelloRetryRequest will
160 * be needed.
161 * - Another negative return value for fatal errors.
162*/
163
164static int ssl_tls13_parse_key_shares_ext( mbedtls_ssl_context *ssl,
165 const unsigned char *buf,
166 const unsigned char *end )
167{
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]168 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]169 unsigned char const *p = buf;
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]170 unsigned char const *client_shares_end;
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]171 size_t client_shares_len, key_exchange_len;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]172 int match_found = 0;
173
174 /* From RFC 8446:
175 *
176 * struct {
177 * KeyShareEntry client_shares<0..2^16-1>;
178 * } KeyShareClientHello;
179 *
180 */
181
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]182 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]183 client_shares_len = MBEDTLS_GET_UINT16_BE( p, 0 );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]184 p += 2;
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]185 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, client_shares_len );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]186
187 ssl->handshake->offered_group_id = 0;
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]188 client_shares_end = p + client_shares_len;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]189
190 /* We try to find a suitable key share entry and copy it to the
191 * handshake context. Later, we have to find out whether we can do
192 * something with the provided key share or whether we have to
XiaokangQianc5763b52022-04-02 03:34:37 +0000[diff] [blame]193 * dismiss it and send a HelloRetryRequest message.
194 */
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]195
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]196 for( ; p < client_shares_end; p += key_exchange_len )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]197 {
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000[diff] [blame]198 uint16_t group;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]199
200 /*
201 * struct {
202 * NamedGroup group;
203 * opaque key_exchange<1..2^16-1>;
204 * } KeyShareEntry;
205 */
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]206 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, client_shares_end, 4 );
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000[diff] [blame]207 group = MBEDTLS_GET_UINT16_BE( p, 0 );
208 p += 2;
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]209 key_exchange_len = MBEDTLS_GET_UINT16_BE( p, 0 );
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000[diff] [blame]210 p += 2;
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]211 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, client_shares_end, key_exchange_len );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]212
213 /* Continue parsing even if we have already found a match,
XiaokangQianc5763b52022-04-02 03:34:37 +0000[diff] [blame]214 * for input validation purposes.
215 */
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]216 if( match_found == 1 )
217 continue;
218
219 /*
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]220 * For now, we only support ECDHE groups.
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]221 */
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000[diff] [blame]222 if( mbedtls_ssl_tls13_named_group_is_ecdhe( group ) )
223 {
224 const mbedtls_ecp_curve_info *curve_info =
225 mbedtls_ecp_curve_info_from_tls_id( group );
226 if( curve_info == NULL )
227 {
228 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Invalid TLS curve group id" ) );
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]229 continue;
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000[diff] [blame]230 }
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]231
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000[diff] [blame]232 match_found = 1;
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000[diff] [blame]233 MBEDTLS_SSL_DEBUG_MSG( 2, ( "ECDH curve: %s", curve_info->name ) );
XiaokangQian318dc762022-04-20 09:43:51 +0000[diff] [blame^]234 ret = mbedtls_ssl_tls13_read_public_ecdhe_share(
235 ssl, p - 2, key_exchange_len + 2 );
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000[diff] [blame]236 if( ret != 0 )
237 return( ret );
238 }
239 else
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]240 {
241 MBEDTLS_SSL_DEBUG_MSG( 4, ( "Unrecognized NamedGroup %u",
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000[diff] [blame]242 (unsigned) group ) );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]243 continue;
244 }
245
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000[diff] [blame]246 ssl->handshake->offered_group_id = group;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]247 }
248
249 if( match_found == 0 )
250 {
251 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no matching key share" ) );
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]252 return( SSL_TLS1_3_PARSE_KEY_SHARES_EXT_NO_MATCH );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]253 }
254 return( 0 );
255}
XiaokangQian88408882022-04-02 10:15:03 +0000[diff] [blame]256#endif /* MBEDTLS_ECDH_C */
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]257
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]258#if defined(MBEDTLS_DEBUG_C)
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]259static void ssl_tls13_debug_print_client_hello_exts( mbedtls_ssl_context *ssl )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]260{
XiaokangQian3207a322022-02-23 03:15:27 +0000[diff] [blame]261 ((void) ssl);
262
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]263 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Supported Extensions:" ) );
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]264 MBEDTLS_SSL_DEBUG_MSG( 3,
265 ( "- KEY_SHARE_EXTENSION ( %s )",
266 ( ( ssl->handshake->extensions_present
267 & MBEDTLS_SSL_EXT_KEY_SHARE ) > 0 ) ? "TRUE" : "FALSE" ) );
268 MBEDTLS_SSL_DEBUG_MSG( 3,
269 ( "- PSK_KEY_EXCHANGE_MODES_EXTENSION ( %s )",
270 ( ( ssl->handshake->extensions_present
271 & MBEDTLS_SSL_EXT_PSK_KEY_EXCHANGE_MODES ) > 0 ) ?
272 "TRUE" : "FALSE" ) );
273 MBEDTLS_SSL_DEBUG_MSG( 3,
274 ( "- PRE_SHARED_KEY_EXTENSION ( %s )",
275 ( ( ssl->handshake->extensions_present
276 & MBEDTLS_SSL_EXT_PRE_SHARED_KEY ) > 0 ) ? "TRUE" : "FALSE" ) );
277 MBEDTLS_SSL_DEBUG_MSG( 3,
278 ( "- SIGNATURE_ALGORITHM_EXTENSION ( %s )",
279 ( ( ssl->handshake->extensions_present
280 & MBEDTLS_SSL_EXT_SIG_ALG ) > 0 ) ? "TRUE" : "FALSE" ) );
281 MBEDTLS_SSL_DEBUG_MSG( 3,
282 ( "- SUPPORTED_GROUPS_EXTENSION ( %s )",
283 ( ( ssl->handshake->extensions_present
284 & MBEDTLS_SSL_EXT_SUPPORTED_GROUPS ) >0 ) ?
285 "TRUE" : "FALSE" ) );
286 MBEDTLS_SSL_DEBUG_MSG( 3,
287 ( "- SUPPORTED_VERSION_EXTENSION ( %s )",
288 ( ( ssl->handshake->extensions_present
289 & MBEDTLS_SSL_EXT_SUPPORTED_VERSIONS ) > 0 ) ?
290 "TRUE" : "FALSE" ) );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]291#if defined ( MBEDTLS_SSL_SERVER_NAME_INDICATION )
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]292 MBEDTLS_SSL_DEBUG_MSG( 3,
293 ( "- SERVERNAME_EXTENSION ( %s )",
294 ( ( ssl->handshake->extensions_present
295 & MBEDTLS_SSL_EXT_SERVERNAME ) > 0 ) ?
296 "TRUE" : "FALSE" ) );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]297#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]298}
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]299#endif /* MBEDTLS_DEBUG_C */
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]300
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]301static int ssl_tls13_client_hello_has_exts( mbedtls_ssl_context *ssl,
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]302 int exts_mask )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]303{
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]304 int masked = ssl->handshake->extensions_present & exts_mask;
305 return( masked == exts_mask );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]306}
307
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]308static int ssl_tls13_client_hello_has_exts_for_ephemeral_key_exchange(
309 mbedtls_ssl_context *ssl )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]310{
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]311 return( ssl_tls13_client_hello_has_exts( ssl,
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]312 MBEDTLS_SSL_EXT_SUPPORTED_GROUPS |
313 MBEDTLS_SSL_EXT_KEY_SHARE |
314 MBEDTLS_SSL_EXT_SIG_ALG ) );
315}
316
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]317static int ssl_tls13_check_ephemeral_key_exchange( mbedtls_ssl_context *ssl )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]318{
319 if( !mbedtls_ssl_conf_tls13_ephemeral_enabled( ssl ) )
320 return( 0 );
321
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]322 if( !ssl_tls13_client_hello_has_exts_for_ephemeral_key_exchange( ssl ) )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]323 return( 0 );
324
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]325 ssl->handshake->tls13_kex_modes =
326 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]327 return( 1 );
328}
329
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]330/*
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]331 *
332 * STATE HANDLING: ClientHello
333 *
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]334 * There are three possible classes of outcomes when parsing the ClientHello:
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]335 *
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]336 * 1) The ClientHello was well-formed and matched the server's configuration.
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]337 *
338 * In this case, the server progresses to sending its ServerHello.
339 *
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]340 * 2) The ClientHello was well-formed but didn't match the server's
341 * configuration.
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]342 *
343 * For example, the client might not have offered a key share which
344 * the server supports, or the server might require a cookie.
345 *
346 * In this case, the server sends a HelloRetryRequest.
347 *
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]348 * 3) The ClientHello was ill-formed
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]349 *
350 * In this case, we abort the handshake.
351 *
352 */
353
354/*
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]355 * Structure of this message:
356 *
357 * uint16 ProtocolVersion;
358 * opaque Random[32];
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]359 * uint8 CipherSuite[2]; // Cryptographic suite selector
360 *
361 * struct {
362 * ProtocolVersion legacy_version = 0x0303; // TLS v1.2
363 * Random random;
364 * opaque legacy_session_id<0..32>;
365 * CipherSuite cipher_suites<2..2^16-2>;
366 * opaque legacy_compression_methods<1..2^8-1>;
367 * Extension extensions<8..2^16-1>;
368 * } ClientHello;
369 */
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]370
371#define SSL_CLIENT_HELLO_OK 0
372#define SSL_CLIENT_HELLO_HRR_REQUIRED 1
373
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]374static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl,
375 const unsigned char *buf,
376 const unsigned char *end )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]377{
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]378 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
379 const unsigned char *p = buf;
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]380 size_t legacy_session_id_len;
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]381 const unsigned char *cipher_suites_start;
XiaokangQian318dc762022-04-20 09:43:51 +0000[diff] [blame^]382 size_t cipher_suites_len;
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]383 size_t extensions_len;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]384 const unsigned char *extensions_end;
385
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]386 const mbedtls_ssl_ciphersuite_t* ciphersuite_info;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]387 int hrr_required = 0;
388
389 ssl->handshake->extensions_present = MBEDTLS_SSL_EXT_NONE;
390
391 /*
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]392 * ClientHello layout:
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]393 * 0 . 1 protocol version
394 * 2 . 33 random bytes ( starting with 4 bytes of Unix time )
XiaokangQianc5763b52022-04-02 03:34:37 +0000[diff] [blame]395 * 34 . 34 session id length ( 1 byte )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]396 * 35 . 34+x session id
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]397 * .. . .. ciphersuite list length ( 2 bytes )
398 * .. . .. ciphersuite list
399 * .. . .. compression alg. list length ( 1 byte )
400 * .. . .. compression alg. list
401 * .. . .. extensions length ( 2 bytes, optional )
402 * .. . .. extensions ( optional )
403 */
404
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]405 /*
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]406 * Minimal length ( with everything empty and extensions ommitted ) is
407 * 2 + 32 + 1 + 2 + 1 = 38 bytes. Check that first, so that we can
408 * read at least up to session id length without worrying.
409 */
410 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 38 );
411
412 /* ...
413 * ProtocolVersion legacy_version = 0x0303; // TLS 1.2
414 * ...
415 * with ProtocolVersion defined as:
416 * uint16 ProtocolVersion;
417 */
XiaokangQiande333912022-04-20 08:49:42 +0000[diff] [blame]418 if( mbedtls_ssl_read_version( p, ssl->conf->transport ) !=
419 MBEDTLS_SSL_VERSION_TLS1_2 )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]420 {
421 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Unsupported version of TLS." ) );
422 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION,
423 MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION );
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]424 return ( MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]425 }
426 p += 2;
427
428 /*
XiaokangQianf8ceb942022-04-15 11:43:27 +0000[diff] [blame]429 * Only support TLS 1.3 currently, temporarily set the version.
430 */
XiaokangQiande333912022-04-20 08:49:42 +0000[diff] [blame]431 ssl->tls_version = MBEDTLS_SSL_VERSION_TLS1_3;
XiaokangQianf8ceb942022-04-15 11:43:27 +0000[diff] [blame]432
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]433 /* ---
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]434 * Random random;
435 * ---
436 * with Random defined as:
437 * opaque Random[32];
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]438 */
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]439 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, random bytes",
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]440 p, MBEDTLS_CLIENT_HELLO_RANDOM_LEN );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]441
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]442 memcpy( &ssl->handshake->randbytes[0], p, MBEDTLS_CLIENT_HELLO_RANDOM_LEN );
443 p += MBEDTLS_CLIENT_HELLO_RANDOM_LEN;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]444
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]445 /* ---
446 * opaque legacy_session_id<0..32>;
447 * ---
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]448 */
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]449 legacy_session_id_len = p[0];
XiaokangQianc5763b52022-04-02 03:34:37 +0000[diff] [blame]450 p++;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]451
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]452 if( legacy_session_id_len > sizeof( ssl->session_negotiate->id ) )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]453 {
454 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
455 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
456 }
457
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]458 ssl->session_negotiate->id_len = legacy_session_id_len;
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]459 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, session id",
460 buf, legacy_session_id_len );
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]461 /*
462 * Check we have enough data for the legacy session identifier
463 * and the ciphersuite list length.
464 */
465 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, legacy_session_id_len + 2 );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]466
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]467 memcpy( &ssl->session_negotiate->id[0], p, legacy_session_id_len );
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]468 p += legacy_session_id_len;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]469
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]470 cipher_suites_len = MBEDTLS_GET_UINT16_BE( p, 0 );
471 p += 2;
472
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]473 /* Check we have enough data for the ciphersuite list, the legacy
474 * compression methods and the length of the extensions.
475 */
476 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, cipher_suites_len + 2 + 2 );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]477
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]478 /* ---
479 * CipherSuite cipher_suites<2..2^16-2>;
480 * ---
481 * with CipherSuite defined as:
482 * uint8 CipherSuite[2];
483 */
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]484 cipher_suites_start = p;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]485 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist",
486 p, cipher_suites_len );
XiaokangQian17f974c2022-04-19 09:57:41 +0000[diff] [blame]487 /*
488 * Search for a matching ciphersuite
489 */
XiaokangQian318dc762022-04-20 09:43:51 +0000[diff] [blame^]490 int ciphersuite_match = 0;
XiaokangQian17f974c2022-04-19 09:57:41 +0000[diff] [blame]491 ciphersuite_info = NULL;
492 for ( size_t j = 0; j < cipher_suites_len;
493 j += 2, p += 2 )
494 {
XiaokangQian318dc762022-04-20 09:43:51 +0000[diff] [blame^]495 uint16_t cipher_suite = MBEDTLS_GET_UINT16_BE( p, 0 );
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]496 ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(
497 cipher_suite );
498 /*
499 * Check whether this ciphersuite is valid and offered.
500 */
501 if( ( mbedtls_ssl_validate_ciphersuite(
XiaokangQiande333912022-04-20 08:49:42 +0000[diff] [blame]502 ssl, ciphersuite_info, ssl->tls_version,
503 ssl->tls_version ) != 0 ) ||
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]504 !mbedtls_ssl_tls13_cipher_suite_is_offered( ssl, cipher_suite ) )
505 continue;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]506
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]507 ssl->session_negotiate->ciphersuite = cipher_suite;
508 ssl->handshake->ciphersuite_info = ciphersuite_info;
XiaokangQian318dc762022-04-20 09:43:51 +0000[diff] [blame^]509 ciphersuite_match = 1;
XiaokangQian17f974c2022-04-19 09:57:41 +0000[diff] [blame]510
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]511 break;
XiaokangQian17f974c2022-04-19 09:57:41 +0000[diff] [blame]512
XiaokangQian17f974c2022-04-19 09:57:41 +0000[diff] [blame]513 }
514
XiaokangQian318dc762022-04-20 09:43:51 +0000[diff] [blame^]515 if( !ciphersuite_match )
516 {
517 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
518 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
519 return ( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
520 }
XiaokangQian17f974c2022-04-19 09:57:41 +0000[diff] [blame]521
522 MBEDTLS_SSL_DEBUG_MSG( 2, ( "selected ciphersuite: %s",
523 ciphersuite_info->name ) );
524
525 p = cipher_suites_start + cipher_suites_len;
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]526 /* ...
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]527 * opaque legacy_compression_methods<1..2^8-1>;
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]528 * ...
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]529 */
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]530 if( p[0] != 1 || p[1] != 0 )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]531 {
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]532 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad legacy compression method" ) );
533 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
534 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
535 return ( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]536 }
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]537 p += 2;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]538
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]539 /* ---
540 * Extension extensions<8..2^16-1>;
541 * ---
542 * with Extension defined as:
543 * struct {
544 * ExtensionType extension_type;
545 * opaque extension_data<0..2^16-1>;
546 * } Extension;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]547 */
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]548 extensions_len = MBEDTLS_GET_UINT16_BE( p, 0 );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]549 p += 2;
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]550 extensions_end = p + extensions_len;
551 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, extensions_len );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]552
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]553 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello extensions", p, extensions_len );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]554
555 while( p < extensions_end )
556 {
557 unsigned int extension_type;
558 size_t extension_data_len;
559 const unsigned char *extension_data_end;
560
XiaokangQian318dc762022-04-20 09:43:51 +0000[diff] [blame^]561 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, 4 );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]562 extension_type = MBEDTLS_GET_UINT16_BE( p, 0 );
563 extension_data_len = MBEDTLS_GET_UINT16_BE( p, 2 );
564 p += 4;
565
566 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, extension_data_len );
567 extension_data_end = p + extension_data_len;
568
569 switch( extension_type )
570 {
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]571#if defined(MBEDTLS_ECDH_C)
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]572 case MBEDTLS_TLS_EXT_SUPPORTED_GROUPS:
573 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported group extension" ) );
574
575 /* Supported Groups Extension
576 *
577 * When sent by the client, the "supported_groups" extension
578 * indicates the named groups which the client supports,
579 * ordered from most preferred to least preferred.
580 */
XiaokangQiancfd925f2022-04-14 07:10:37 +0000[diff] [blame]581 ret = ssl_tls13_parse_supported_groups_ext( ssl, p,
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]582 extension_data_end );
583 if( ret != 0 )
584 {
585 MBEDTLS_SSL_DEBUG_RET( 1,
586 "mbedtls_ssl_parse_supported_groups_ext", ret );
587 return( ret );
588 }
589
590 ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_SUPPORTED_GROUPS;
591 break;
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]592#endif /* MBEDTLS_ECDH_C */
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]593
XiaokangQian88408882022-04-02 10:15:03 +0000[diff] [blame]594#if defined(MBEDTLS_ECDH_C)
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]595 case MBEDTLS_TLS_EXT_KEY_SHARE:
596 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found key share extension" ) );
597
598 /*
599 * Key Share Extension
600 *
601 * When sent by the client, the "key_share" extension
602 * contains the endpoint's cryptographic parameters for
603 * ECDHE/DHE key establishment methods.
604 */
605 ret = ssl_tls13_parse_key_shares_ext( ssl, p, extension_data_end );
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]606 if( ret == SSL_TLS1_3_PARSE_KEY_SHARES_EXT_NO_MATCH )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]607 {
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]608 MBEDTLS_SSL_DEBUG_MSG( 2, ( "HRR needed " ) );
609 ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]610 }
611
612 if( ret != 0 )
613 return( ret );
614
615 ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_KEY_SHARE;
616 break;
XiaokangQian88408882022-04-02 10:15:03 +0000[diff] [blame]617#endif /* MBEDTLS_ECDH_C */
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]618
619 case MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS:
620 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported versions extension" ) );
621
622 ret = ssl_tls13_parse_supported_versions_ext(
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]623 ssl, p, extension_data_end );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]624 if( ret != 0 )
625 {
626 MBEDTLS_SSL_DEBUG_RET( 1,
627 ( "ssl_tls13_parse_supported_versions_ext" ), ret );
628 return( ret );
629 }
630 ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_SUPPORTED_VERSIONS;
631 break;
632
633#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
634 case MBEDTLS_TLS_EXT_SIG_ALG:
635 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found signature_algorithms extension" ) );
636
637 ret = mbedtls_ssl_tls13_parse_sig_alg_ext( ssl, p,
638 extension_data_end );
639 if( ret != 0 )
640 {
641 MBEDTLS_SSL_DEBUG_MSG( 1,
642 ( "ssl_parse_supported_signature_algorithms_server_ext ( %d )",
643 ret ) );
644 return( ret );
645 }
646 ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_SIG_ALG;
647 break;
648#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
649
650 default:
651 MBEDTLS_SSL_DEBUG_MSG( 3,
652 ( "unknown extension found: %ud ( ignoring )",
653 extension_type ) );
654 }
655
656 p += extension_data_len;
657 }
658
659 /* Update checksum with either
660 * - The entire content of the CH message, if no PSK extension is present
661 * - The content up to but excluding the PSK extension, if present.
662 */
XiaokangQian3f84d5d2022-04-19 06:36:17 +0000[diff] [blame]663 mbedtls_ssl_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_CLIENT_HELLO,
XiaokangQianc4b8c992022-04-07 11:31:38 +0000[diff] [blame]664 buf, p - buf );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]665
666 /* List all the extensions we have received */
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]667#if defined(MBEDTLS_DEBUG_C)
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]668 ssl_tls13_debug_print_client_hello_exts( ssl );
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000[diff] [blame]669#endif /* MBEDTLS_DEBUG_C */
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]670
671 /*
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]672 * Here we only support the ephemeral or (EC)DHE key echange mode
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]673 */
674
XiaokangQianb67384d2022-04-19 00:02:38 +0000[diff] [blame]675 if( !ssl_tls13_check_ephemeral_key_exchange( ssl ) )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]676 {
677 MBEDTLS_SSL_DEBUG_MSG(
678 1,
679 ( "ClientHello message misses mandatory extensions." ) );
680 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_MISSING_EXTENSION ,
681 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
682 return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
683 }
684
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]685 if( hrr_required == 1 )
686 return( SSL_CLIENT_HELLO_HRR_REQUIRED );
687
688 return( 0 );
689}
690
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]691/* Update the handshake state machine */
692
XiaokangQiancfd925f2022-04-14 07:10:37 +0000[diff] [blame]693static int ssl_tls13_postprocess_client_hello( mbedtls_ssl_context* ssl )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]694{
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]695 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]696
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]697 ret = mbedtls_ssl_tls13_key_schedule_stage_early( ssl );
698 if( ret != 0 )
699 {
700 MBEDTLS_SSL_DEBUG_RET( 1,
701 "mbedtls_ssl_tls1_3_key_schedule_stage_early", ret );
702 return( ret );
703 }
704
705 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_HELLO );
706 return( 0 );
707
708}
709
710/*
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]711 * Main entry point from the state machine; orchestrates the otherfunctions.
712 */
713
714static int ssl_tls13_process_client_hello( mbedtls_ssl_context *ssl )
715{
716
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]717 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]718 unsigned char* buf = NULL;
719 size_t buflen = 0;
720 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse client hello" ) );
721
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]722 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_fetch_handshake_msg(
723 ssl, MBEDTLS_SSL_HS_CLIENT_HELLO,
724 &buf, &buflen ) );
725
726 MBEDTLS_SSL_PROC_CHK_NEG( ssl_tls13_parse_client_hello( ssl, buf,
727 buf + buflen ) );
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]728 MBEDTLS_SSL_DEBUG_MSG( 1, ( "postprocess" ) );
XiaokangQiancfd925f2022-04-14 07:10:37 +0000[diff] [blame]729 MBEDTLS_SSL_PROC_CHK( ssl_tls13_postprocess_client_hello( ssl ) );
XiaokangQianed582dd2022-04-13 08:21:05 +0000[diff] [blame]730
731cleanup:
732
733 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse client hello" ) );
734 return( ret );
735}
736
737/*
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]738 * TLS and DTLS 1.3 State Maschine -- server side
739 */
Jerry Yu27561932021-08-27 17:07:38 +0800[diff] [blame]740int mbedtls_ssl_tls13_handshake_server_step( mbedtls_ssl_context *ssl )
Jerry Yub9930e72021-08-06 17:11:51 +0800[diff] [blame]741{
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]742 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]743
744 if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER || ssl->handshake == NULL )
745 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
746
Jerry Yue3b34122021-09-28 17:53:35 +0800[diff] [blame]747 MBEDTLS_SSL_DEBUG_MSG( 2, ( "tls13 server state: %s(%d)",
748 mbedtls_ssl_states_str( ssl->state ),
749 ssl->state ) );
Jerry Yu6e81b272021-09-27 11:16:17 +0800[diff] [blame]750
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]751 switch( ssl->state )
752 {
753 /* start state */
754 case MBEDTLS_SSL_HELLO_REQUEST:
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]755 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_HELLO );
756
XiaokangQian08037552022-04-20 07:16:41 +0000[diff] [blame]757 ret = 0;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]758 break;
759
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]760 case MBEDTLS_SSL_CLIENT_HELLO:
761
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]762 ret = ssl_tls13_process_client_hello( ssl );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]763 if( ret != 0 )
XiaokangQian4080a7f2022-04-11 09:55:18 +0000[diff] [blame]764 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_tls13_process_client_hello", ret );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]765
766 break;
767
XiaokangQian3f84d5d2022-04-19 06:36:17 +0000[diff] [blame]768 case MBEDTLS_SSL_SERVER_HELLO:
769 MBEDTLS_SSL_DEBUG_MSG( 1, ( "SSL - The requested feature is not available" ) );
770 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
771
772 break;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000[diff] [blame]773 default:
774 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) );
775 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
776 }
777
778 return( ret );
Jerry Yub9930e72021-08-06 17:11:51 +0800[diff] [blame]779}
Jerry Yu3cc4c2a2021-08-06 16:29:08 +0800[diff] [blame]780
Jerry Yufb4b6472022-01-27 15:03:26 +0800[diff] [blame]781#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_PROTO_TLS1_3 */