blob: f82cc04c832c8af56db51435e53019f35108fb58 [file] [log] [blame]
Jerry Yu3cc4c2a2021-08-06 16:29:08 +08001/*
Jerry Yub9930e72021-08-06 17:11:51 +08002 * TLS 1.3 server-side functions
Jerry Yu3cc4c2a2021-08-06 16:29:08 +08003 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18*/
19
20#include "common.h"
21
Jerry Yufb4b6472022-01-27 15:03:26 +080022#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
Jerry Yu3cc4c2a2021-08-06 16:29:08 +080023
Jerry Yu687101b2021-09-14 16:03:56 +080024#include "mbedtls/debug.h"
Xiaofei Baicba64af2022-02-15 10:00:56 +000025#include "mbedtls/error.h"
26#include "mbedtls/platform.h"
Jerry Yu1c105562022-07-10 06:32:38 +000027#include "mbedtls/constant_time.h"
Jerry Yu3bf2c642022-03-30 22:02:12 +080028
Xiaofei Bai9ca09d42022-02-14 12:57:18 +000029#include "ssl_misc.h"
30#include "ssl_tls13_keys.h"
31#include "ssl_debug_helpers.h"
32
XiaokangQian7807f9f2022-02-15 10:04:37 +000033#if defined(MBEDTLS_ECP_C)
34#include "mbedtls/ecp.h"
XiaokangQian7807f9f2022-02-15 10:04:37 +000035#endif /* MBEDTLS_ECP_C */
Jerry Yu3cc4c2a2021-08-06 16:29:08 +080036
XiaokangQiana9c58412022-02-17 09:41:26 +000037#include "mbedtls/platform.h"
XiaokangQian7807f9f2022-02-15 10:04:37 +000038
Jerry Yu4d3841a2022-04-16 12:37:19 +080039#include "ssl_misc.h"
40#include "ssl_tls13_keys.h"
41#include "ssl_debug_helpers.h"
42
Jerry Yuf35ba382022-08-23 17:58:26 +080043
Jerry Yuc5a23a02022-08-25 10:51:44 +080044static const mbedtls_ssl_ciphersuite_t *ssl_tls13_validate_peer_ciphersuite(
Jerry Yuf35ba382022-08-23 17:58:26 +080045 mbedtls_ssl_context *ssl,
Jerry Yuc5a23a02022-08-25 10:51:44 +080046 unsigned int cipher_suite )
Jerry Yuf35ba382022-08-23 17:58:26 +080047{
48 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
49 if( ! mbedtls_ssl_tls13_cipher_suite_is_offered( ssl, cipher_suite ) )
50 return( NULL );
51
52 ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( cipher_suite );
53 if( ( mbedtls_ssl_validate_ciphersuite( ssl, ciphersuite_info,
54 ssl->tls_version,
55 ssl->tls_version ) != 0 ) )
56 {
57 return( NULL );
58 }
59 return( ciphersuite_info );
60}
61
Ronald Cron41a443a2022-10-04 16:38:25 +020062#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
Jerry Yue19e3b92022-07-08 12:04:51 +000063/* From RFC 8446:
64 *
65 * enum { psk_ke(0), psk_dhe_ke(1), (255) } PskKeyExchangeMode;
66 * struct {
67 * PskKeyExchangeMode ke_modes<1..255>;
68 * } PskKeyExchangeModes;
69 */
Jerry Yu6e74a7e2022-07-20 20:49:32 +080070MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yue19e3b92022-07-08 12:04:51 +000071static int ssl_tls13_parse_key_exchange_modes_ext( mbedtls_ssl_context *ssl,
72 const unsigned char *buf,
Jerry Yu299e31f2022-07-13 23:06:36 +080073 const unsigned char *end )
Jerry Yue19e3b92022-07-08 12:04:51 +000074{
Jerry Yu299e31f2022-07-13 23:06:36 +080075 const unsigned char *p = buf;
Jerry Yue19e3b92022-07-08 12:04:51 +000076 size_t ke_modes_len;
77 int ke_modes = 0;
78
Jerry Yu854dd9e2022-07-15 14:28:27 +080079 /* Read ke_modes length (1 Byte) */
Jerry Yu299e31f2022-07-13 23:06:36 +080080 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 1 );
81 ke_modes_len = *p++;
Jerry Yue19e3b92022-07-08 12:04:51 +000082 /* Currently, there are only two PSK modes, so even without looking
83 * at the content, something's wrong if the list has more than 2 items. */
84 if( ke_modes_len > 2 )
Jerry Yu299e31f2022-07-13 23:06:36 +080085 {
86 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
87 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
Jerry Yue19e3b92022-07-08 12:04:51 +000088 return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
Jerry Yu299e31f2022-07-13 23:06:36 +080089 }
Jerry Yue19e3b92022-07-08 12:04:51 +000090
Jerry Yu299e31f2022-07-13 23:06:36 +080091 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, ke_modes_len );
Jerry Yue19e3b92022-07-08 12:04:51 +000092
93 while( ke_modes_len-- != 0 )
94 {
Jerry Yu299e31f2022-07-13 23:06:36 +080095 switch( *p++ )
Jerry Yue19e3b92022-07-08 12:04:51 +000096 {
97 case MBEDTLS_SSL_TLS1_3_PSK_MODE_PURE:
98 ke_modes |= MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK;
99 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Found PSK KEX MODE" ) );
100 break;
101 case MBEDTLS_SSL_TLS1_3_PSK_MODE_ECDHE:
102 ke_modes |= MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL;
103 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Found PSK_EPHEMERAL KEX MODE" ) );
104 break;
105 default:
Jerry Yu299e31f2022-07-13 23:06:36 +0800106 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
107 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
Jerry Yue19e3b92022-07-08 12:04:51 +0000108 return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
109 }
110 }
111
112 ssl->handshake->tls13_kex_modes = ke_modes;
113 return( 0 );
114}
Jerry Yu1c105562022-07-10 06:32:38 +0000115
Jerry Yue9d4fc02022-08-20 19:21:15 +0800116#define SSL_TLS1_3_OFFERED_PSK_NOT_MATCH 1
117#define SSL_TLS1_3_OFFERED_PSK_MATCH 0
Jerry Yu95699e72022-08-21 19:22:23 +0800118
119#if defined(MBEDTLS_SSL_SESSION_TICKETS)
120
121MBEDTLS_CHECK_RETURN_CRITICAL
122static int ssl_tls13_offered_psks_check_identity_match_ticket(
123 mbedtls_ssl_context *ssl,
Jerry Yu95699e72022-08-21 19:22:23 +0800124 const unsigned char *identity,
125 size_t identity_len,
Jerry Yu8d4bbba2022-09-13 14:15:48 +0800126 uint32_t obfuscated_ticket_age,
127 mbedtls_ssl_session *session )
Jerry Yu95699e72022-08-21 19:22:23 +0800128{
Jerry Yufd310eb2022-09-06 09:16:35 +0800129 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yu95699e72022-08-21 19:22:23 +0800130 unsigned char *ticket_buffer;
Jerry Yu8d4bbba2022-09-13 14:15:48 +0800131#if defined(MBEDTLS_HAVE_TIME)
132 mbedtls_time_t now;
Jerry Yuacff8232022-09-14 14:35:11 +0800133 uint64_t age_in_s;
Jerry Yuf7dad3c2022-09-14 22:31:39 +0800134 int64_t age_diff_in_ms;
Jerry Yu8d4bbba2022-09-13 14:15:48 +0800135#endif
Jerry Yu95699e72022-08-21 19:22:23 +0800136
137 ((void) obfuscated_ticket_age);
138
139 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> check_identity_match_ticket" ) );
140
Jerry Yufd310eb2022-09-06 09:16:35 +0800141 /* Ticket parser is not configured, Skip */
142 if( ssl->conf->f_ticket_parse == NULL || identity_len == 0 )
Jerry Yu95699e72022-08-21 19:22:23 +0800143 return( 0 );
Jerry Yu95699e72022-08-21 19:22:23 +0800144
Jerry Yu4746b102022-09-13 11:11:48 +0800145 /* We create a copy of the encrypted ticket since the ticket parsing
146 * function is allowed to use its input buffer as an output buffer
147 * (in-place decryption). We do, however, need the original buffer for
148 * computing the PSK binder value.
Jerry Yu95699e72022-08-21 19:22:23 +0800149 */
150 ticket_buffer = mbedtls_calloc( 1, identity_len );
151 if( ticket_buffer == NULL )
152 {
153 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
154 return ( MBEDTLS_ERR_SSL_ALLOC_FAILED );
155 }
156 memcpy( ticket_buffer, identity, identity_len );
157
158 if( ( ret = ssl->conf->f_ticket_parse( ssl->conf->p_ticket,
159 session,
160 ticket_buffer, identity_len ) ) != 0 )
161 {
162 if( ret == MBEDTLS_ERR_SSL_INVALID_MAC )
163 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket is not authentic" ) );
164 else if( ret == MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED )
165 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket is expired" ) );
166 else
167 MBEDTLS_SSL_DEBUG_RET( 1, "ticket_parse", ret );
168 }
169
170 /* We delete the temporary buffer */
171 mbedtls_free( ticket_buffer );
172
Jerry Yu8d4bbba2022-09-13 14:15:48 +0800173 if( ret != 0 )
174 goto exit;
175
176 ret = MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED;
177#if defined(MBEDTLS_HAVE_TIME)
178 now = mbedtls_time( NULL );
179
Jerry Yu8d4bbba2022-09-13 14:15:48 +0800180 if( now < session->start )
Jerry Yu95699e72022-08-21 19:22:23 +0800181 {
Jerry Yu8d4bbba2022-09-13 14:15:48 +0800182 MBEDTLS_SSL_DEBUG_MSG(
Jerry Yu03aa1742022-10-10 21:48:37 +0800183 3, ( "Invalid ticket start time ( now=%" MBEDTLS_PRINTF_LONGLONG
Jerry Yua99cbfa2022-10-08 11:17:14 +0800184 ", start=%" MBEDTLS_PRINTF_LONGLONG " )",
185 (long long)now, (long long)session->start ) );
Jerry Yu8d4bbba2022-09-13 14:15:48 +0800186 goto exit;
187 }
Jerry Yu95699e72022-08-21 19:22:23 +0800188
Jerry Yu8d4bbba2022-09-13 14:15:48 +0800189 age_in_s = (uint64_t)( now - session->start );
Jerry Yu95699e72022-08-21 19:22:23 +0800190
Jerry Yu8d4bbba2022-09-13 14:15:48 +0800191 /* RFC 8446 section 4.6.1
192 *
193 * Servers MUST NOT use any value greater than 604800 seconds (7 days).
194 *
195 * RFC 8446 section 4.2.11.1
196 *
197 * Clients MUST NOT attempt to use tickets which have ages greater than
198 * the "ticket_lifetime" value which was provided with the ticket.
199 *
200 * For time being, the age MUST be less than 604800 seconds (7 days).
201 */
202 if( age_in_s > 604800 )
203 {
204 MBEDTLS_SSL_DEBUG_MSG(
Jerry Yuc2bfaf02022-10-11 15:55:52 +0800205 3, ( "Ticket age exceeds limitation ticket_age=%lu",
Jerry Yu8d4bbba2022-09-13 14:15:48 +0800206 (long unsigned int)age_in_s ) );
207 goto exit;
208 }
Jerry Yu95699e72022-08-21 19:22:23 +0800209
Jerry Yu8d4bbba2022-09-13 14:15:48 +0800210 /* RFC 8446 section 4.2.10
211 *
212 * For PSKs provisioned via NewSessionTicket, a server MUST validate that
213 * the ticket age for the selected PSK identity (computed by subtracting
214 * ticket_age_add from PskIdentity.obfuscated_ticket_age modulo 2^32) is
215 * within a small tolerance of the time since the ticket was issued.
Jerry Yuf7dad3c2022-09-14 22:31:39 +0800216 *
Jerry Yu0a55cc62022-09-15 16:15:06 +0800217 * NOTE: When `now == session->start`, `age_diff_in_ms` may be negative
218 * as the age units are different on the server (s) and in the
219 * client (ms) side. Add a -1000 ms tolerance window to take this
220 * into account.
Jerry Yu8d4bbba2022-09-13 14:15:48 +0800221 */
Jerry Yuf7dad3c2022-09-14 22:31:39 +0800222 age_diff_in_ms = age_in_s * 1000;
223 age_diff_in_ms -= ( obfuscated_ticket_age - session->ticket_age_add );
224 if( age_diff_in_ms <= -1000 ||
225 age_diff_in_ms > MBEDTLS_SSL_TLS1_3_TICKET_AGE_TOLERANCE )
Jerry Yu8d4bbba2022-09-13 14:15:48 +0800226 {
227 MBEDTLS_SSL_DEBUG_MSG(
Jerry Yu03aa1742022-10-10 21:48:37 +0800228 3, ( "Ticket age outside tolerance window ( diff=%d )",
229 (int)age_diff_in_ms ) );
Jerry Yu8d4bbba2022-09-13 14:15:48 +0800230 goto exit;
231 }
232
233 ret = 0;
Jerry Yu95699e72022-08-21 19:22:23 +0800234
235#endif /* MBEDTLS_HAVE_TIME */
Jerry Yu8d4bbba2022-09-13 14:15:48 +0800236
237exit:
238 if( ret != 0 )
239 mbedtls_ssl_session_free( session );
Jerry Yu95699e72022-08-21 19:22:23 +0800240
241 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= check_identity_match_ticket" ) );
242 return( ret );
243}
244#endif /* MBEDTLS_SSL_SESSION_TICKETS */
245
Jerry Yu6e74a7e2022-07-20 20:49:32 +0800246MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yu1c105562022-07-10 06:32:38 +0000247static int ssl_tls13_offered_psks_check_identity_match(
248 mbedtls_ssl_context *ssl,
249 const unsigned char *identity,
Jerry Yu5725f1c2022-08-21 17:27:16 +0800250 size_t identity_len,
Jerry Yu95699e72022-08-21 19:22:23 +0800251 uint32_t obfuscated_ticket_age,
Jerry Yu4746b102022-09-13 11:11:48 +0800252 int *psk_type,
253 mbedtls_ssl_session *session )
Jerry Yu1c105562022-07-10 06:32:38 +0000254{
Jerry Yu95699e72022-08-21 19:22:23 +0800255 ((void) session);
256 ((void) obfuscated_ticket_age);
Jerry Yu5725f1c2022-08-21 17:27:16 +0800257 *psk_type = MBEDTLS_SSL_TLS1_3_PSK_EXTERNAL;
Jerry Yu95699e72022-08-21 19:22:23 +0800258
259 MBEDTLS_SSL_DEBUG_BUF( 4, "identity", identity, identity_len );
260 ssl->handshake->resume = 0;
261
Jerry Yu95699e72022-08-21 19:22:23 +0800262#if defined(MBEDTLS_SSL_SESSION_TICKETS)
263 if( ssl_tls13_offered_psks_check_identity_match_ticket(
Jerry Yu8d4bbba2022-09-13 14:15:48 +0800264 ssl, identity, identity_len, obfuscated_ticket_age,
Jerry Yuf7dad3c2022-09-14 22:31:39 +0800265 session ) == SSL_TLS1_3_OFFERED_PSK_MATCH )
Jerry Yu95699e72022-08-21 19:22:23 +0800266 {
Jerry Yu95699e72022-08-21 19:22:23 +0800267 ssl->handshake->resume = 1;
268 *psk_type = MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION;
269 mbedtls_ssl_set_hs_psk( ssl,
Jerry Yu0a55cc62022-09-15 16:15:06 +0800270 session->resumption_key,
271 session->resumption_key_len );
Jerry Yu95699e72022-08-21 19:22:23 +0800272
273 MBEDTLS_SSL_DEBUG_BUF( 4, "Ticket-resumed PSK:",
Jerry Yu0a55cc62022-09-15 16:15:06 +0800274 session->resumption_key,
275 session->resumption_key_len );
Jerry Yu95699e72022-08-21 19:22:23 +0800276 MBEDTLS_SSL_DEBUG_MSG( 4, ( "ticket: obfuscated_ticket_age: %u",
277 (unsigned)obfuscated_ticket_age ) );
278 return( SSL_TLS1_3_OFFERED_PSK_MATCH );
279 }
280#endif /* MBEDTLS_SSL_SESSION_TICKETS */
281
Jerry Yu1c105562022-07-10 06:32:38 +0000282 /* Check identity with external configured function */
283 if( ssl->conf->f_psk != NULL )
284 {
285 if( ssl->conf->f_psk(
286 ssl->conf->p_psk, ssl, identity, identity_len ) == 0 )
287 {
288 return( SSL_TLS1_3_OFFERED_PSK_MATCH );
289 }
290 return( SSL_TLS1_3_OFFERED_PSK_NOT_MATCH );
291 }
292
Jerry Yu96a2e362022-07-21 15:11:34 +0800293 MBEDTLS_SSL_DEBUG_BUF( 5, "identity", identity, identity_len );
Jerry Yu1c105562022-07-10 06:32:38 +0000294 /* Check identity with pre-configured psk */
Jerry Yu2f0abc92022-07-22 19:34:48 +0800295 if( ssl->conf->psk_identity != NULL &&
296 identity_len == ssl->conf->psk_identity_len &&
Jerry Yu1c105562022-07-10 06:32:38 +0000297 mbedtls_ct_memcmp( ssl->conf->psk_identity,
298 identity, identity_len ) == 0 )
299 {
300 mbedtls_ssl_set_hs_psk( ssl, ssl->conf->psk, ssl->conf->psk_len );
301 return( SSL_TLS1_3_OFFERED_PSK_MATCH );
302 }
303
Jerry Yu1c105562022-07-10 06:32:38 +0000304 return( SSL_TLS1_3_OFFERED_PSK_NOT_MATCH );
305}
306
Jerry Yu6e74a7e2022-07-20 20:49:32 +0800307MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yu96a2e362022-07-21 15:11:34 +0800308static int ssl_tls13_offered_psks_check_binder_match( mbedtls_ssl_context *ssl,
309 const unsigned char *binder,
Jerry Yue95c8af2022-07-26 15:48:20 +0800310 size_t binder_len,
Jerry Yu5725f1c2022-08-21 17:27:16 +0800311 int psk_type,
Jerry Yu29d9faa2022-08-23 17:52:45 +0800312 psa_algorithm_t psk_hash_alg )
Jerry Yu1c105562022-07-10 06:32:38 +0000313{
314 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yu96a2e362022-07-21 15:11:34 +0800315
Jerry Yudaf375a2022-07-20 21:31:43 +0800316 unsigned char transcript[PSA_HASH_MAX_SIZE];
Jerry Yu1c105562022-07-10 06:32:38 +0000317 size_t transcript_len;
Jerry Yu2f0abc92022-07-22 19:34:48 +0800318 unsigned char *psk;
Jerry Yu96a2e362022-07-21 15:11:34 +0800319 size_t psk_len;
Jerry Yudaf375a2022-07-20 21:31:43 +0800320 unsigned char server_computed_binder[PSA_HASH_MAX_SIZE];
Jerry Yu1c105562022-07-10 06:32:38 +0000321
Jerry Yu1c105562022-07-10 06:32:38 +0000322 /* Get current state of handshake transcript. */
Jerry Yu29d9faa2022-08-23 17:52:45 +0800323 ret = mbedtls_ssl_get_handshake_transcript(
324 ssl, mbedtls_hash_info_md_from_psa( psk_hash_alg ),
325 transcript, sizeof( transcript ), &transcript_len );
Jerry Yu1c105562022-07-10 06:32:38 +0000326 if( ret != 0 )
327 return( ret );
328
Jerry Yu40f37712022-07-26 16:58:57 +0800329 ret = mbedtls_ssl_tls13_export_handshake_psk( ssl, &psk, &psk_len );
Jerry Yu96a2e362022-07-21 15:11:34 +0800330 if( ret != 0 )
331 return( ret );
332
Jerry Yu29d9faa2022-08-23 17:52:45 +0800333 ret = mbedtls_ssl_tls13_create_psk_binder( ssl, psk_hash_alg,
Jerry Yu1c105562022-07-10 06:32:38 +0000334 psk, psk_len, psk_type,
335 transcript,
336 server_computed_binder );
Jerry Yu96a2e362022-07-21 15:11:34 +0800337#if defined(MBEDTLS_USE_PSA_CRYPTO)
338 mbedtls_free( (void*)psk );
339#endif
Jerry Yu1c105562022-07-10 06:32:38 +0000340 if( ret != 0 )
341 {
342 MBEDTLS_SSL_DEBUG_MSG( 1, ( "PSK binder calculation failed." ) );
343 return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
344 }
345
346 MBEDTLS_SSL_DEBUG_BUF( 3, "psk binder ( computed ): ",
Jerry Yu2f0abc92022-07-22 19:34:48 +0800347 server_computed_binder, transcript_len );
Jerry Yu1c105562022-07-10 06:32:38 +0000348 MBEDTLS_SSL_DEBUG_BUF( 3, "psk binder ( received ): ", binder, binder_len );
349
350 if( mbedtls_ct_memcmp( server_computed_binder, binder, binder_len ) == 0 )
351 {
352 return( SSL_TLS1_3_OFFERED_PSK_MATCH );
353 }
354
Jerry Yudaf375a2022-07-20 21:31:43 +0800355 mbedtls_platform_zeroize( server_computed_binder,
356 sizeof( server_computed_binder ) );
Jerry Yu1c105562022-07-10 06:32:38 +0000357 return( SSL_TLS1_3_OFFERED_PSK_NOT_MATCH );
358}
Jerry Yu96a2e362022-07-21 15:11:34 +0800359
Jerry Yu5725f1c2022-08-21 17:27:16 +0800360MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yuf35ba382022-08-23 17:58:26 +0800361static int ssl_tls13_select_ciphersuite_for_psk(
362 mbedtls_ssl_context *ssl,
363 const unsigned char *cipher_suites,
364 const unsigned char *cipher_suites_end,
365 uint16_t *selected_ciphersuite,
366 const mbedtls_ssl_ciphersuite_t **selected_ciphersuite_info )
Jerry Yu5725f1c2022-08-21 17:27:16 +0800367{
Jerry Yuf35ba382022-08-23 17:58:26 +0800368 psa_algorithm_t psk_hash_alg = PSA_ALG_SHA_256;
Jerry Yu5725f1c2022-08-21 17:27:16 +0800369
Jerry Yu0baf9072022-08-25 11:21:04 +0800370 *selected_ciphersuite = 0;
371 *selected_ciphersuite_info = NULL;
372
Jerry Yuf35ba382022-08-23 17:58:26 +0800373 /* RFC 8446, page 55.
374 *
375 * For externally established PSKs, the Hash algorithm MUST be set when the
376 * PSK is established or default to SHA-256 if no such algorithm is defined.
377 *
378 */
Jerry Yu5725f1c2022-08-21 17:27:16 +0800379
Jerry Yu5725f1c2022-08-21 17:27:16 +0800380 /*
381 * Search for a matching ciphersuite
382 */
Jerry Yu1e05b6d2022-08-31 10:35:52 +0800383 for ( const unsigned char *p = cipher_suites;
384 p < cipher_suites_end; p += 2 )
Jerry Yu5725f1c2022-08-21 17:27:16 +0800385 {
386 uint16_t cipher_suite;
Jerry Yuf35ba382022-08-23 17:58:26 +0800387 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
Jerry Yu5725f1c2022-08-21 17:27:16 +0800388
389 cipher_suite = MBEDTLS_GET_UINT16_BE( p, 0 );
Jerry Yuc5a23a02022-08-25 10:51:44 +0800390 ciphersuite_info = ssl_tls13_validate_peer_ciphersuite( ssl,
391 cipher_suite );
Jerry Yuf35ba382022-08-23 17:58:26 +0800392 if( ciphersuite_info == NULL )
Jerry Yu5725f1c2022-08-21 17:27:16 +0800393 continue;
394
Jerry Yu5725f1c2022-08-21 17:27:16 +0800395 /* MAC of selected ciphersuite MUST be same with PSK binder if exist.
396 * Otherwise, client should reject.
397 */
Jerry Yuf35ba382022-08-23 17:58:26 +0800398 if( psk_hash_alg == mbedtls_psa_translate_md( ciphersuite_info->mac ) )
399 {
400 *selected_ciphersuite = cipher_suite;
401 *selected_ciphersuite_info = ciphersuite_info;
402 return( 0 );
403 }
404 }
405 MBEDTLS_SSL_DEBUG_MSG( 2, ( "No matched ciphersuite" ) );
406 return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
407}
Jerry Yu5725f1c2022-08-21 17:27:16 +0800408
Jerry Yu82534862022-08-30 10:42:33 +0800409#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Jerry Yuf35ba382022-08-23 17:58:26 +0800410MBEDTLS_CHECK_RETURN_CRITICAL
411static int ssl_tls13_select_ciphersuite_for_resumption(
412 mbedtls_ssl_context *ssl,
413 const unsigned char *cipher_suites,
414 const unsigned char *cipher_suites_end,
415 mbedtls_ssl_session *session,
416 uint16_t *selected_ciphersuite,
417 const mbedtls_ssl_ciphersuite_t **selected_ciphersuite_info )
418{
Jerry Yu82534862022-08-30 10:42:33 +0800419
Jerry Yuf35ba382022-08-23 17:58:26 +0800420 *selected_ciphersuite = 0;
421 *selected_ciphersuite_info = NULL;
Jerry Yu82534862022-08-30 10:42:33 +0800422 for( const unsigned char *p = cipher_suites; p < cipher_suites_end; p += 2 )
423 {
424 uint16_t cipher_suite = MBEDTLS_GET_UINT16_BE( p, 0 );
425 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
426
427 if( cipher_suite != session->ciphersuite )
428 continue;
429
430 ciphersuite_info = ssl_tls13_validate_peer_ciphersuite( ssl,
431 cipher_suite );
432 if( ciphersuite_info == NULL )
433 continue;
434
Jerry Yu4746b102022-09-13 11:11:48 +0800435 *selected_ciphersuite = cipher_suite;
Jerry Yu82534862022-08-30 10:42:33 +0800436 *selected_ciphersuite_info = ciphersuite_info;
437
438 return( 0 );
Jerry Yu82534862022-08-30 10:42:33 +0800439 }
440
441 return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
Jerry Yu5725f1c2022-08-21 17:27:16 +0800442}
Jerry Yuf35ba382022-08-23 17:58:26 +0800443
Jerry Yu82534862022-08-30 10:42:33 +0800444MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yu4746b102022-09-13 11:11:48 +0800445static int ssl_tls13_session_copy_ticket( mbedtls_ssl_session *dst,
446 const mbedtls_ssl_session *src )
Jerry Yu82534862022-08-30 10:42:33 +0800447{
Jerry Yu82534862022-08-30 10:42:33 +0800448 dst->ticket_age_add = src->ticket_age_add;
449 dst->ticket_flags = src->ticket_flags;
450 dst->resumption_key_len = src->resumption_key_len;
451 if( src->resumption_key_len == 0 )
452 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
453 memcpy( dst->resumption_key, src->resumption_key, src->resumption_key_len );
Jerry Yu4746b102022-09-13 11:11:48 +0800454
Jerry Yu82534862022-08-30 10:42:33 +0800455 return( 0 );
456}
457#endif /* MBEDTLS_SSL_SESSION_TICKETS */
458
Jerry Yu1c105562022-07-10 06:32:38 +0000459/* Parser for pre_shared_key extension in client hello
460 * struct {
461 * opaque identity<1..2^16-1>;
462 * uint32 obfuscated_ticket_age;
463 * } PskIdentity;
464 *
465 * opaque PskBinderEntry<32..255>;
466 *
467 * struct {
468 * PskIdentity identities<7..2^16-1>;
469 * PskBinderEntry binders<33..2^16-1>;
470 * } OfferedPsks;
471 *
472 * struct {
473 * select (Handshake.msg_type) {
474 * case client_hello: OfferedPsks;
475 * ....
476 * };
477 * } PreSharedKeyExtension;
478 */
Jerry Yu6e74a7e2022-07-20 20:49:32 +0800479MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yubb852022022-07-20 21:10:44 +0800480static int ssl_tls13_parse_pre_shared_key_ext( mbedtls_ssl_context *ssl,
Jerry Yu29d9faa2022-08-23 17:52:45 +0800481 const unsigned char *pre_shared_key_ext,
482 const unsigned char *pre_shared_key_ext_end,
Jerry Yu5725f1c2022-08-21 17:27:16 +0800483 const unsigned char *ciphersuites,
484 const unsigned char *ciphersuites_end )
Jerry Yu1c105562022-07-10 06:32:38 +0000485{
Jerry Yu29d9faa2022-08-23 17:52:45 +0800486 const unsigned char *identities = pre_shared_key_ext;
Jerry Yu568ec252022-07-22 21:27:34 +0800487 const unsigned char *p_identity_len;
488 size_t identities_len;
Jerry Yu1c105562022-07-10 06:32:38 +0000489 const unsigned char *identities_end;
Jerry Yu568ec252022-07-22 21:27:34 +0800490 const unsigned char *binders;
491 const unsigned char *p_binder_len;
492 size_t binders_len;
Jerry Yu1c105562022-07-10 06:32:38 +0000493 const unsigned char *binders_end;
Jerry Yu96a2e362022-07-21 15:11:34 +0800494 int matched_identity = -1;
495 int identity_id = -1;
Jerry Yu1c105562022-07-10 06:32:38 +0000496
Jerry Yu29d9faa2022-08-23 17:52:45 +0800497 MBEDTLS_SSL_DEBUG_BUF( 3, "pre_shared_key extension",
498 pre_shared_key_ext,
499 pre_shared_key_ext_end - pre_shared_key_ext );
Jerry Yu1c105562022-07-10 06:32:38 +0000500
Jerry Yu96a2e362022-07-21 15:11:34 +0800501 /* identities_len 2 bytes
502 * identities_data >= 7 bytes
503 */
Jerry Yu29d9faa2022-08-23 17:52:45 +0800504 MBEDTLS_SSL_CHK_BUF_READ_PTR( identities, pre_shared_key_ext_end, 7 + 2 );
Jerry Yu568ec252022-07-22 21:27:34 +0800505 identities_len = MBEDTLS_GET_UINT16_BE( identities, 0 );
506 p_identity_len = identities + 2;
Jerry Yu29d9faa2022-08-23 17:52:45 +0800507 MBEDTLS_SSL_CHK_BUF_READ_PTR( p_identity_len, pre_shared_key_ext_end,
508 identities_len );
Jerry Yu568ec252022-07-22 21:27:34 +0800509 identities_end = p_identity_len + identities_len;
Jerry Yu1c105562022-07-10 06:32:38 +0000510
Jerry Yu96a2e362022-07-21 15:11:34 +0800511 /* binders_len 2 bytes
512 * binders >= 33 bytes
513 */
Jerry Yu568ec252022-07-22 21:27:34 +0800514 binders = identities_end;
Jerry Yu29d9faa2022-08-23 17:52:45 +0800515 MBEDTLS_SSL_CHK_BUF_READ_PTR( binders, pre_shared_key_ext_end, 33 + 2 );
Jerry Yu568ec252022-07-22 21:27:34 +0800516 binders_len = MBEDTLS_GET_UINT16_BE( binders, 0 );
517 p_binder_len = binders + 2;
Jerry Yu29d9faa2022-08-23 17:52:45 +0800518 MBEDTLS_SSL_CHK_BUF_READ_PTR( p_binder_len, pre_shared_key_ext_end, binders_len );
Jerry Yu568ec252022-07-22 21:27:34 +0800519 binders_end = p_binder_len + binders_len;
Jerry Yu1c105562022-07-10 06:32:38 +0000520
Jerry Yu29d9faa2022-08-23 17:52:45 +0800521 ssl->handshake->update_checksum( ssl, pre_shared_key_ext,
522 identities_end - pre_shared_key_ext );
Jerry Yu96a2e362022-07-21 15:11:34 +0800523
Jerry Yu568ec252022-07-22 21:27:34 +0800524 while( p_identity_len < identities_end && p_binder_len < binders_end )
Jerry Yu1c105562022-07-10 06:32:38 +0000525 {
Jerry Yu1c105562022-07-10 06:32:38 +0000526 const unsigned char *identity;
Jerry Yu568ec252022-07-22 21:27:34 +0800527 size_t identity_len;
Jerry Yu82534862022-08-30 10:42:33 +0800528 uint32_t obfuscated_ticket_age;
Jerry Yu96a2e362022-07-21 15:11:34 +0800529 const unsigned char *binder;
Jerry Yu568ec252022-07-22 21:27:34 +0800530 size_t binder_len;
Jerry Yu96a2e362022-07-21 15:11:34 +0800531 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yu5725f1c2022-08-21 17:27:16 +0800532 int psk_type;
533 uint16_t cipher_suite;
Jerry Yu29d9faa2022-08-23 17:52:45 +0800534 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
Jerry Yu82534862022-08-30 10:42:33 +0800535#if defined(MBEDTLS_SSL_SESSION_TICKETS)
536 mbedtls_ssl_session session;
Jerry Yu4746b102022-09-13 11:11:48 +0800537 mbedtls_ssl_session_init( &session );
Jerry Yu82534862022-08-30 10:42:33 +0800538#endif
Jerry Yubb852022022-07-20 21:10:44 +0800539
Jerry Yu568ec252022-07-22 21:27:34 +0800540 MBEDTLS_SSL_CHK_BUF_READ_PTR( p_identity_len, identities_end, 2 + 1 + 4 );
541 identity_len = MBEDTLS_GET_UINT16_BE( p_identity_len, 0 );
542 identity = p_identity_len + 2;
543 MBEDTLS_SSL_CHK_BUF_READ_PTR( identity, identities_end, identity_len + 4 );
Jerry Yu82534862022-08-30 10:42:33 +0800544 obfuscated_ticket_age = MBEDTLS_GET_UINT32_BE( identity , identity_len );
Jerry Yu568ec252022-07-22 21:27:34 +0800545 p_identity_len += identity_len + 6;
Jerry Yu1c105562022-07-10 06:32:38 +0000546
Jerry Yu568ec252022-07-22 21:27:34 +0800547 MBEDTLS_SSL_CHK_BUF_READ_PTR( p_binder_len, binders_end, 1 + 32 );
548 binder_len = *p_binder_len;
549 binder = p_binder_len + 1;
550 MBEDTLS_SSL_CHK_BUF_READ_PTR( binder, binders_end, binder_len );
551 p_binder_len += binder_len + 1;
Jerry Yu96a2e362022-07-21 15:11:34 +0800552
Jerry Yu96a2e362022-07-21 15:11:34 +0800553 identity_id++;
554 if( matched_identity != -1 )
Jerry Yu1c105562022-07-10 06:32:38 +0000555 continue;
556
Jerry Yu96a2e362022-07-21 15:11:34 +0800557 ret = ssl_tls13_offered_psks_check_identity_match(
Jerry Yu82534862022-08-30 10:42:33 +0800558 ssl, identity, identity_len, obfuscated_ticket_age,
Jerry Yu4746b102022-09-13 11:11:48 +0800559 &psk_type, &session );
Jerry Yue95c8af2022-07-26 15:48:20 +0800560 if( ret != SSL_TLS1_3_OFFERED_PSK_MATCH )
Jerry Yu96a2e362022-07-21 15:11:34 +0800561 continue;
562
Jerry Yuf35ba382022-08-23 17:58:26 +0800563 MBEDTLS_SSL_DEBUG_MSG( 4, ( "found matched identity" ) );
Jerry Yu0baf9072022-08-25 11:21:04 +0800564 switch( psk_type )
565 {
566 case MBEDTLS_SSL_TLS1_3_PSK_EXTERNAL:
567 ret = ssl_tls13_select_ciphersuite_for_psk(
568 ssl, ciphersuites, ciphersuites_end,
569 &cipher_suite, &ciphersuite_info );
570 break;
571 case MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION:
Jerry Yu82534862022-08-30 10:42:33 +0800572#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Jerry Yu0baf9072022-08-25 11:21:04 +0800573 ret = ssl_tls13_select_ciphersuite_for_resumption(
Jerry Yu82534862022-08-30 10:42:33 +0800574 ssl, ciphersuites, ciphersuites_end, &session,
Jerry Yu0baf9072022-08-25 11:21:04 +0800575 &cipher_suite, &ciphersuite_info );
Jerry Yu4746b102022-09-13 11:11:48 +0800576 if( ret != 0 )
577 mbedtls_ssl_session_free( &session );
Jerry Yu82534862022-08-30 10:42:33 +0800578#else
579 ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
580#endif
Jerry Yu0baf9072022-08-25 11:21:04 +0800581 break;
582 default:
583 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
584 }
Jerry Yuf35ba382022-08-23 17:58:26 +0800585 if( ret != 0 )
Jerry Yu5725f1c2022-08-21 17:27:16 +0800586 {
Jerry Yuf35ba382022-08-23 17:58:26 +0800587 /* See below, no cipher_suite available, abort handshake */
588 MBEDTLS_SSL_PEND_FATAL_ALERT(
589 MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR,
590 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
591 MBEDTLS_SSL_DEBUG_RET(
Jerry Yu0baf9072022-08-25 11:21:04 +0800592 2, "ssl_tls13_select_ciphersuite", ret );
Jerry Yuf35ba382022-08-23 17:58:26 +0800593 return( ret );
Jerry Yu5725f1c2022-08-21 17:27:16 +0800594 }
595
Jerry Yu96a2e362022-07-21 15:11:34 +0800596 ret = ssl_tls13_offered_psks_check_binder_match(
Jerry Yu29d9faa2022-08-23 17:52:45 +0800597 ssl, binder, binder_len, psk_type,
598 mbedtls_psa_translate_md( ciphersuite_info->mac ) );
Jerry Yue9d4fc02022-08-20 19:21:15 +0800599 if( ret != SSL_TLS1_3_OFFERED_PSK_MATCH )
Jerry Yu96a2e362022-07-21 15:11:34 +0800600 {
Jerry Yuc5a23a02022-08-25 10:51:44 +0800601 /* For security reasons, the handshake should be aborted when we
602 * fail to validate a binder value. See RFC 8446 section 4.2.11.2
603 * and appendix E.6. */
Jerry Yu82534862022-08-30 10:42:33 +0800604#if defined(MBEDTLS_SSL_SESSION_TICKETS)
605 mbedtls_ssl_session_free( &session );
606#endif
Jerry Yuc5a23a02022-08-25 10:51:44 +0800607 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Invalid binder." ) );
Jerry Yu96a2e362022-07-21 15:11:34 +0800608 MBEDTLS_SSL_DEBUG_RET( 1,
609 "ssl_tls13_offered_psks_check_binder_match" , ret );
610 MBEDTLS_SSL_PEND_FATAL_ALERT(
611 MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR,
612 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
613 return( ret );
614 }
Jerry Yu96a2e362022-07-21 15:11:34 +0800615
616 matched_identity = identity_id;
Jerry Yu5725f1c2022-08-21 17:27:16 +0800617
618 /* Update handshake parameters */
Jerry Yue5834fd2022-08-29 20:16:09 +0800619 ssl->handshake->ciphersuite_info = ciphersuite_info;
Jerry Yu4746b102022-09-13 11:11:48 +0800620 ssl->session_negotiate->ciphersuite = cipher_suite;
Jerry Yue5834fd2022-08-29 20:16:09 +0800621 MBEDTLS_SSL_DEBUG_MSG( 2, ( "overwrite ciphersuite: %04x - %s",
622 cipher_suite, ciphersuite_info->name ) );
Jerry Yu82534862022-08-30 10:42:33 +0800623#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Jerry Yu82534862022-08-30 10:42:33 +0800624 if( psk_type == MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION )
625 {
Jerry Yuf7dad3c2022-09-14 22:31:39 +0800626 ret = ssl_tls13_session_copy_ticket( ssl->session_negotiate,
627 &session );
Jerry Yu82534862022-08-30 10:42:33 +0800628 mbedtls_ssl_session_free( &session );
629 if( ret != 0 )
630 return( ret );
631 }
632#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Jerry Yu1c105562022-07-10 06:32:38 +0000633 }
634
Jerry Yu568ec252022-07-22 21:27:34 +0800635 if( p_identity_len != identities_end || p_binder_len != binders_end )
Jerry Yu1c105562022-07-10 06:32:38 +0000636 {
637 MBEDTLS_SSL_DEBUG_MSG( 3, ( "pre_shared_key extesion decode error" ) );
638 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
639 MBEDTLS_ERR_SSL_DECODE_ERROR );
640 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
641 }
642
Jerry Yu6f1db3f2022-07-22 23:05:59 +0800643 /* Update the handshake transcript with the binder list. */
644 ssl->handshake->update_checksum( ssl,
645 identities_end,
646 (size_t)( binders_end - identities_end ) );
Jerry Yu96a2e362022-07-21 15:11:34 +0800647 if( matched_identity == -1 )
Jerry Yu1c105562022-07-10 06:32:38 +0000648 {
Jerry Yue9d4fc02022-08-20 19:21:15 +0800649 MBEDTLS_SSL_DEBUG_MSG( 3, ( "No matched PSK or ticket." ) );
Jerry Yu96a2e362022-07-21 15:11:34 +0800650 return( MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY );
Jerry Yu1c105562022-07-10 06:32:38 +0000651 }
652
Jerry Yu96a2e362022-07-21 15:11:34 +0800653 ssl->handshake->selected_identity = (uint16_t)matched_identity;
654 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Pre shared key found" ) );
Jerry Yu1c105562022-07-10 06:32:38 +0000655
Jerry Yu96a2e362022-07-21 15:11:34 +0800656 return( 0 );
Jerry Yu1c105562022-07-10 06:32:38 +0000657}
Jerry Yu032b15ce2022-07-11 06:10:03 +0000658
659/*
660 * struct {
661 * select ( Handshake.msg_type ) {
662 * ....
663 * case server_hello:
664 * uint16 selected_identity;
665 * }
666 * } PreSharedKeyExtension;
667 */
Jerry Yubb852022022-07-20 21:10:44 +0800668static int ssl_tls13_write_server_pre_shared_key_ext( mbedtls_ssl_context *ssl,
669 unsigned char *buf,
670 unsigned char *end,
671 size_t *olen )
Jerry Yu032b15ce2022-07-11 06:10:03 +0000672{
673 unsigned char *p = (unsigned char*)buf;
Jerry Yu032b15ce2022-07-11 06:10:03 +0000674
675 *olen = 0;
676
677#if defined(MBEDTLS_USE_PSA_CRYPTO)
678 if( mbedtls_svc_key_id_is_null( ssl->handshake->psk_opaque ) )
679#else
680 if( ssl->handshake->psk == NULL )
681#endif
682 {
683 /* We shouldn't have called this extension writer unless we've
684 * chosen to use a PSK. */
685 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
686 }
687
688 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding pre_shared_key extension" ) );
689 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 6 );
690
Jerry Yu032b15ce2022-07-11 06:10:03 +0000691 MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_PRE_SHARED_KEY, p, 0 );
Jerry Yu032b15ce2022-07-11 06:10:03 +0000692 MBEDTLS_PUT_UINT16_BE( 2, p, 2 );
693
Jerry Yu96a2e362022-07-21 15:11:34 +0800694 MBEDTLS_PUT_UINT16_BE( ssl->handshake->selected_identity, p, 4 );
Jerry Yu032b15ce2022-07-11 06:10:03 +0000695
696 *olen = 6;
697
Jerry Yu96a2e362022-07-21 15:11:34 +0800698 MBEDTLS_SSL_DEBUG_MSG( 4, ( "sent selected_identity: %u",
699 ssl->handshake->selected_identity ) );
Jerry Yu032b15ce2022-07-11 06:10:03 +0000700
701 return( 0 );
702}
703
Ronald Cron41a443a2022-10-04 16:38:25 +0200704#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */
Jerry Yue19e3b92022-07-08 12:04:51 +0000705
XiaokangQian7807f9f2022-02-15 10:04:37 +0000706/* From RFC 8446:
707 * struct {
XiaokangQiancfd925f2022-04-14 07:10:37 +0000708 * ProtocolVersion versions<2..254>;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000709 * } SupportedVersions;
710 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200711MBEDTLS_CHECK_RETURN_CRITICAL
XiaokangQian7807f9f2022-02-15 10:04:37 +0000712static int ssl_tls13_parse_supported_versions_ext( mbedtls_ssl_context *ssl,
713 const unsigned char *buf,
714 const unsigned char *end )
715{
XiaokangQian7807f9f2022-02-15 10:04:37 +0000716 const unsigned char *p = buf;
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000717 size_t versions_len;
XiaokangQian4080a7f2022-04-11 09:55:18 +0000718 const unsigned char *versions_end;
XiaokangQian0a1b54e2022-04-21 03:01:38 +0000719 uint16_t tls_version;
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000720 int tls13_supported = 0;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000721
722 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 1 );
XiaokangQian4080a7f2022-04-11 09:55:18 +0000723 versions_len = p[0];
XiaokangQian7807f9f2022-02-15 10:04:37 +0000724 p += 1;
725
XiaokangQian4080a7f2022-04-11 09:55:18 +0000726 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, versions_len );
XiaokangQian4080a7f2022-04-11 09:55:18 +0000727 versions_end = p + versions_len;
728 while( p < versions_end )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000729 {
XiaokangQiancfd925f2022-04-14 07:10:37 +0000730 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, versions_end, 2 );
XiaokangQiande333912022-04-20 08:49:42 +0000731 tls_version = mbedtls_ssl_read_version( p, ssl->conf->transport );
XiaokangQianb67384d2022-04-19 00:02:38 +0000732 p += 2;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000733
734 /* In this implementation we only support TLS 1.3 and DTLS 1.3. */
XiaokangQiande333912022-04-20 08:49:42 +0000735 if( tls_version == MBEDTLS_SSL_VERSION_TLS1_3 )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000736 {
737 tls13_supported = 1;
738 break;
739 }
XiaokangQian7807f9f2022-02-15 10:04:37 +0000740 }
741
XiaokangQianb67384d2022-04-19 00:02:38 +0000742 if( !tls13_supported )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000743 {
XiaokangQian7807f9f2022-02-15 10:04:37 +0000744 MBEDTLS_SSL_DEBUG_MSG( 1, ( "TLS 1.3 is not supported by the client" ) );
745
746 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION,
747 MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION );
748 return( MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION );
749 }
750
XiaokangQiande333912022-04-20 08:49:42 +0000751 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Negotiated version. Supported is [%04x]",
XiaokangQian0a1b54e2022-04-21 03:01:38 +0000752 (unsigned int)tls_version ) );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000753
XiaokangQian7807f9f2022-02-15 10:04:37 +0000754 return( 0 );
755}
756
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000757#if defined(MBEDTLS_ECDH_C)
XiaokangQiane8ff3502022-04-22 02:34:40 +0000758/*
XiaokangQian7807f9f2022-02-15 10:04:37 +0000759 *
760 * From RFC 8446:
761 * enum {
762 * ... (0xFFFF)
763 * } NamedGroup;
764 * struct {
765 * NamedGroup named_group_list<2..2^16-1>;
766 * } NamedGroupList;
767 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200768MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yuc1be19f2022-04-23 16:11:39 +0800769static int ssl_tls13_parse_supported_groups_ext( mbedtls_ssl_context *ssl,
770 const unsigned char *buf,
771 const unsigned char *end )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000772{
XiaokangQian7807f9f2022-02-15 10:04:37 +0000773 const unsigned char *p = buf;
XiaokangQian84823772022-04-19 07:57:30 +0000774 size_t named_group_list_len;
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000775 const unsigned char *named_group_list_end;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000776
777 MBEDTLS_SSL_DEBUG_BUF( 3, "supported_groups extension", p, end - buf );
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000778 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
XiaokangQian4080a7f2022-04-11 09:55:18 +0000779 named_group_list_len = MBEDTLS_GET_UINT16_BE( p, 0 );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000780 p += 2;
XiaokangQian4080a7f2022-04-11 09:55:18 +0000781 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, named_group_list_len );
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000782 named_group_list_end = p + named_group_list_len;
XiaokangQian4e8cd7b2022-04-21 09:48:09 +0000783 ssl->handshake->hrr_selected_group = 0;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000784
XiaokangQian08037552022-04-20 07:16:41 +0000785 while( p < named_group_list_end )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000786 {
XiaokangQian08037552022-04-20 07:16:41 +0000787 uint16_t named_group;
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000788 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, named_group_list_end, 2 );
XiaokangQian08037552022-04-20 07:16:41 +0000789 named_group = MBEDTLS_GET_UINT16_BE( p, 0 );
790 p += 2;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000791
Jerry Yuc1be19f2022-04-23 16:11:39 +0800792 MBEDTLS_SSL_DEBUG_MSG( 2,
793 ( "got named group: %s(%04x)",
794 mbedtls_ssl_named_group_to_str( named_group ),
795 named_group ) );
XiaokangQian08037552022-04-20 07:16:41 +0000796
797 if( ! mbedtls_ssl_named_group_is_offered( ssl, named_group ) ||
798 ! mbedtls_ssl_named_group_is_supported( named_group ) ||
XiaokangQian4e8cd7b2022-04-21 09:48:09 +0000799 ssl->handshake->hrr_selected_group != 0 )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000800 {
XiaokangQian08037552022-04-20 07:16:41 +0000801 continue;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000802 }
803
Jerry Yuc1be19f2022-04-23 16:11:39 +0800804 MBEDTLS_SSL_DEBUG_MSG( 2,
805 ( "add named group %s(%04x) into received list.",
806 mbedtls_ssl_named_group_to_str( named_group ),
807 named_group ) );
808
XiaokangQian4e8cd7b2022-04-21 09:48:09 +0000809 ssl->handshake->hrr_selected_group = named_group;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000810 }
811
812 return( 0 );
813
814}
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000815#endif /* MBEDTLS_ECDH_C */
XiaokangQian7807f9f2022-02-15 10:04:37 +0000816
XiaokangQian08037552022-04-20 07:16:41 +0000817#define SSL_TLS1_3_PARSE_KEY_SHARES_EXT_NO_MATCH 1
818
XiaokangQian88408882022-04-02 10:15:03 +0000819#if defined(MBEDTLS_ECDH_C)
XiaokangQian7807f9f2022-02-15 10:04:37 +0000820/*
821 * ssl_tls13_parse_key_shares_ext() verifies whether the information in the
XiaokangQiane8ff3502022-04-22 02:34:40 +0000822 * extension is correct and stores the first acceptable key share and its associated group.
XiaokangQian7807f9f2022-02-15 10:04:37 +0000823 *
824 * Possible return values are:
825 * - 0: Successful processing of the client provided key share extension.
XiaokangQian08037552022-04-20 07:16:41 +0000826 * - SSL_TLS1_3_PARSE_KEY_SHARES_EXT_NO_MATCH: The key shares provided by the client
XiaokangQian7807f9f2022-02-15 10:04:37 +0000827 * does not match a group supported by the server. A HelloRetryRequest will
828 * be needed.
XiaokangQiane8ff3502022-04-22 02:34:40 +0000829 * - A negative value for fatal errors.
Jerry Yuc1be19f2022-04-23 16:11:39 +0800830 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200831MBEDTLS_CHECK_RETURN_CRITICAL
XiaokangQian7807f9f2022-02-15 10:04:37 +0000832static int ssl_tls13_parse_key_shares_ext( mbedtls_ssl_context *ssl,
833 const unsigned char *buf,
834 const unsigned char *end )
835{
XiaokangQianb67384d2022-04-19 00:02:38 +0000836 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000837 unsigned char const *p = buf;
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000838 unsigned char const *client_shares_end;
Jerry Yuc1be19f2022-04-23 16:11:39 +0800839 size_t client_shares_len;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000840
841 /* From RFC 8446:
842 *
843 * struct {
844 * KeyShareEntry client_shares<0..2^16-1>;
845 * } KeyShareClientHello;
846 *
847 */
848
XiaokangQian7807f9f2022-02-15 10:04:37 +0000849 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000850 client_shares_len = MBEDTLS_GET_UINT16_BE( p, 0 );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000851 p += 2;
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000852 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, client_shares_len );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000853
854 ssl->handshake->offered_group_id = 0;
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000855 client_shares_end = p + client_shares_len;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000856
857 /* We try to find a suitable key share entry and copy it to the
858 * handshake context. Later, we have to find out whether we can do
859 * something with the provided key share or whether we have to
XiaokangQianc5763b52022-04-02 03:34:37 +0000860 * dismiss it and send a HelloRetryRequest message.
861 */
XiaokangQian7807f9f2022-02-15 10:04:37 +0000862
Jerry Yuc1be19f2022-04-23 16:11:39 +0800863 while( p < client_shares_end )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000864 {
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000865 uint16_t group;
Jerry Yuc1be19f2022-04-23 16:11:39 +0800866 size_t key_exchange_len;
Jerry Yu086edc22022-05-05 10:50:38 +0800867 const unsigned char *key_exchange;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000868
869 /*
870 * struct {
871 * NamedGroup group;
872 * opaque key_exchange<1..2^16-1>;
873 * } KeyShareEntry;
874 */
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000875 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, client_shares_end, 4 );
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000876 group = MBEDTLS_GET_UINT16_BE( p, 0 );
Jerry Yuc1be19f2022-04-23 16:11:39 +0800877 key_exchange_len = MBEDTLS_GET_UINT16_BE( p, 2 );
878 p += 4;
Jerry Yu086edc22022-05-05 10:50:38 +0800879 key_exchange = p;
XiaokangQianb67384d2022-04-19 00:02:38 +0000880 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, client_shares_end, key_exchange_len );
Jerry Yu086edc22022-05-05 10:50:38 +0800881 p += key_exchange_len;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000882
883 /* Continue parsing even if we have already found a match,
XiaokangQianc5763b52022-04-02 03:34:37 +0000884 * for input validation purposes.
885 */
XiaokangQian060d8672022-04-21 09:24:56 +0000886 if( ! mbedtls_ssl_named_group_is_offered( ssl, group ) ||
Jerry Yuc1be19f2022-04-23 16:11:39 +0800887 ! mbedtls_ssl_named_group_is_supported( group ) ||
888 ssl->handshake->offered_group_id != 0 )
XiaokangQian060d8672022-04-21 09:24:56 +0000889 {
890 continue;
891 }
XiaokangQian060d8672022-04-21 09:24:56 +0000892
XiaokangQian7807f9f2022-02-15 10:04:37 +0000893 /*
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000894 * For now, we only support ECDHE groups.
XiaokangQian7807f9f2022-02-15 10:04:37 +0000895 */
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000896 if( mbedtls_ssl_tls13_named_group_is_ecdhe( group ) )
897 {
Jerry Yuc1be19f2022-04-23 16:11:39 +0800898 MBEDTLS_SSL_DEBUG_MSG( 2, ( "ECDH group: %s (%04x)",
899 mbedtls_ssl_named_group_to_str( group ),
900 group ) );
XiaokangQian318dc762022-04-20 09:43:51 +0000901 ret = mbedtls_ssl_tls13_read_public_ecdhe_share(
Jerry Yu086edc22022-05-05 10:50:38 +0800902 ssl, key_exchange - 2, key_exchange_len + 2 );
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000903 if( ret != 0 )
904 return( ret );
XiaokangQian4e8cd7b2022-04-21 09:48:09 +0000905
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000906 }
907 else
XiaokangQian7807f9f2022-02-15 10:04:37 +0000908 {
909 MBEDTLS_SSL_DEBUG_MSG( 4, ( "Unrecognized NamedGroup %u",
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000910 (unsigned) group ) );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000911 continue;
912 }
913
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000914 ssl->handshake->offered_group_id = group;
XiaokangQian7807f9f2022-02-15 10:04:37 +0000915 }
916
Jerry Yuc1be19f2022-04-23 16:11:39 +0800917
918 if( ssl->handshake->offered_group_id == 0 )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000919 {
920 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no matching key share" ) );
XiaokangQian08037552022-04-20 07:16:41 +0000921 return( SSL_TLS1_3_PARSE_KEY_SHARES_EXT_NO_MATCH );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000922 }
923 return( 0 );
924}
XiaokangQian88408882022-04-02 10:15:03 +0000925#endif /* MBEDTLS_ECDH_C */
XiaokangQian7807f9f2022-02-15 10:04:37 +0000926
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000927#if defined(MBEDTLS_DEBUG_C)
XiaokangQian4080a7f2022-04-11 09:55:18 +0000928static void ssl_tls13_debug_print_client_hello_exts( mbedtls_ssl_context *ssl )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000929{
XiaokangQian3207a322022-02-23 03:15:27 +0000930 ((void) ssl);
931
XiaokangQian7807f9f2022-02-15 10:04:37 +0000932 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Supported Extensions:" ) );
XiaokangQianb67384d2022-04-19 00:02:38 +0000933 MBEDTLS_SSL_DEBUG_MSG( 3,
934 ( "- KEY_SHARE_EXTENSION ( %s )",
935 ( ( ssl->handshake->extensions_present
936 & MBEDTLS_SSL_EXT_KEY_SHARE ) > 0 ) ? "TRUE" : "FALSE" ) );
937 MBEDTLS_SSL_DEBUG_MSG( 3,
938 ( "- PSK_KEY_EXCHANGE_MODES_EXTENSION ( %s )",
939 ( ( ssl->handshake->extensions_present
940 & MBEDTLS_SSL_EXT_PSK_KEY_EXCHANGE_MODES ) > 0 ) ?
941 "TRUE" : "FALSE" ) );
942 MBEDTLS_SSL_DEBUG_MSG( 3,
943 ( "- PRE_SHARED_KEY_EXTENSION ( %s )",
944 ( ( ssl->handshake->extensions_present
945 & MBEDTLS_SSL_EXT_PRE_SHARED_KEY ) > 0 ) ? "TRUE" : "FALSE" ) );
946 MBEDTLS_SSL_DEBUG_MSG( 3,
947 ( "- SIGNATURE_ALGORITHM_EXTENSION ( %s )",
948 ( ( ssl->handshake->extensions_present
949 & MBEDTLS_SSL_EXT_SIG_ALG ) > 0 ) ? "TRUE" : "FALSE" ) );
950 MBEDTLS_SSL_DEBUG_MSG( 3,
951 ( "- SUPPORTED_GROUPS_EXTENSION ( %s )",
952 ( ( ssl->handshake->extensions_present
953 & MBEDTLS_SSL_EXT_SUPPORTED_GROUPS ) >0 ) ?
954 "TRUE" : "FALSE" ) );
955 MBEDTLS_SSL_DEBUG_MSG( 3,
956 ( "- SUPPORTED_VERSION_EXTENSION ( %s )",
957 ( ( ssl->handshake->extensions_present
958 & MBEDTLS_SSL_EXT_SUPPORTED_VERSIONS ) > 0 ) ?
959 "TRUE" : "FALSE" ) );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000960#if defined ( MBEDTLS_SSL_SERVER_NAME_INDICATION )
XiaokangQianb67384d2022-04-19 00:02:38 +0000961 MBEDTLS_SSL_DEBUG_MSG( 3,
962 ( "- SERVERNAME_EXTENSION ( %s )",
963 ( ( ssl->handshake->extensions_present
964 & MBEDTLS_SSL_EXT_SERVERNAME ) > 0 ) ?
965 "TRUE" : "FALSE" ) );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000966#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
XiaokangQianacb39922022-06-17 10:18:48 +0000967#if defined ( MBEDTLS_SSL_ALPN )
968 MBEDTLS_SSL_DEBUG_MSG( 3,
969 ( "- ALPN_EXTENSION ( %s )",
970 ( ( ssl->handshake->extensions_present
971 & MBEDTLS_SSL_EXT_ALPN ) > 0 ) ?
972 "TRUE" : "FALSE" ) );
973#endif /* MBEDTLS_SSL_ALPN */
XiaokangQian7807f9f2022-02-15 10:04:37 +0000974}
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000975#endif /* MBEDTLS_DEBUG_C */
XiaokangQian7807f9f2022-02-15 10:04:37 +0000976
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200977MBEDTLS_CHECK_RETURN_CRITICAL
XiaokangQian4080a7f2022-04-11 09:55:18 +0000978static int ssl_tls13_client_hello_has_exts( mbedtls_ssl_context *ssl,
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000979 int exts_mask )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000980{
XiaokangQian8f9dfe42022-04-15 02:52:39 +0000981 int masked = ssl->handshake->extensions_present & exts_mask;
982 return( masked == exts_mask );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000983}
984
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200985MBEDTLS_CHECK_RETURN_CRITICAL
XiaokangQianb67384d2022-04-19 00:02:38 +0000986static int ssl_tls13_client_hello_has_exts_for_ephemeral_key_exchange(
987 mbedtls_ssl_context *ssl )
XiaokangQian7807f9f2022-02-15 10:04:37 +0000988{
Jerry Yu77f01482022-07-11 07:03:24 +0000989 return( ssl_tls13_client_hello_has_exts(
990 ssl,
991 MBEDTLS_SSL_EXT_SUPPORTED_GROUPS |
992 MBEDTLS_SSL_EXT_KEY_SHARE |
993 MBEDTLS_SSL_EXT_SIG_ALG ) );
XiaokangQian7807f9f2022-02-15 10:04:37 +0000994}
995
Ronald Cron41a443a2022-10-04 16:38:25 +0200996#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
Jerry Yu77f01482022-07-11 07:03:24 +0000997MBEDTLS_CHECK_RETURN_CRITICAL
998static int ssl_tls13_client_hello_has_exts_for_psk_key_exchange(
999 mbedtls_ssl_context *ssl )
1000{
1001 return( ssl_tls13_client_hello_has_exts(
1002 ssl,
1003 MBEDTLS_SSL_EXT_PRE_SHARED_KEY |
1004 MBEDTLS_SSL_EXT_PSK_KEY_EXCHANGE_MODES ) );
1005}
1006
1007MBEDTLS_CHECK_RETURN_CRITICAL
1008static int ssl_tls13_client_hello_has_exts_for_psk_ephemeral_key_exchange(
1009 mbedtls_ssl_context *ssl )
1010{
1011 return( ssl_tls13_client_hello_has_exts(
1012 ssl,
1013 MBEDTLS_SSL_EXT_SUPPORTED_GROUPS |
1014 MBEDTLS_SSL_EXT_KEY_SHARE |
1015 MBEDTLS_SSL_EXT_PRE_SHARED_KEY |
1016 MBEDTLS_SSL_EXT_PSK_KEY_EXCHANGE_MODES ) );
1017}
Ronald Cron41a443a2022-10-04 16:38:25 +02001018#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */
Jerry Yu77f01482022-07-11 07:03:24 +00001019
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +02001020MBEDTLS_CHECK_RETURN_CRITICAL
XiaokangQianb67384d2022-04-19 00:02:38 +00001021static int ssl_tls13_check_ephemeral_key_exchange( mbedtls_ssl_context *ssl )
XiaokangQian7807f9f2022-02-15 10:04:37 +00001022{
Jerry Yu77f01482022-07-11 07:03:24 +00001023 return( mbedtls_ssl_conf_tls13_ephemeral_enabled( ssl ) &&
1024 ssl_tls13_client_hello_has_exts_for_ephemeral_key_exchange( ssl ) );
1025}
XiaokangQian7807f9f2022-02-15 10:04:37 +00001026
Jerry Yu77f01482022-07-11 07:03:24 +00001027MBEDTLS_CHECK_RETURN_CRITICAL
1028static int ssl_tls13_check_psk_key_exchange( mbedtls_ssl_context *ssl )
1029{
Ronald Cron41a443a2022-10-04 16:38:25 +02001030#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
Jerry Yu77f01482022-07-11 07:03:24 +00001031 return( mbedtls_ssl_conf_tls13_psk_enabled( ssl ) &&
1032 mbedtls_ssl_tls13_psk_enabled( ssl ) &&
1033 ssl_tls13_client_hello_has_exts_for_psk_key_exchange( ssl ) );
1034#else
1035 ((void) ssl);
1036 return( 0 );
1037#endif
1038}
XiaokangQian7807f9f2022-02-15 10:04:37 +00001039
Jerry Yu77f01482022-07-11 07:03:24 +00001040MBEDTLS_CHECK_RETURN_CRITICAL
1041static int ssl_tls13_check_psk_ephemeral_key_exchange( mbedtls_ssl_context *ssl )
1042{
Ronald Cron41a443a2022-10-04 16:38:25 +02001043#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
Jerry Yu77f01482022-07-11 07:03:24 +00001044 return( mbedtls_ssl_conf_tls13_psk_ephemeral_enabled( ssl ) &&
1045 mbedtls_ssl_tls13_psk_ephemeral_enabled( ssl ) &&
1046 ssl_tls13_client_hello_has_exts_for_psk_ephemeral_key_exchange( ssl ) );
1047#else
1048 ((void) ssl);
1049 return( 0 );
1050#endif
1051}
1052
1053static int ssl_tls13_determine_key_exchange_mode( mbedtls_ssl_context *ssl )
1054{
1055 /*
1056 * Determine the key exchange algorithm to use.
1057 * There are three types of key exchanges supported in TLS 1.3:
1058 * - (EC)DH with ECDSA,
1059 * - (EC)DH with PSK,
1060 * - plain PSK.
1061 *
1062 * The PSK-based key exchanges may additionally be used with 0-RTT.
1063 *
1064 * Our built-in order of preference is
Jerry Yuce6ed702022-07-22 21:49:53 +08001065 * 1 ) (EC)DHE-PSK Mode ( psk_ephemeral )
1066 * 2 ) Certificate Mode ( ephemeral )
1067 * 3 ) Plain PSK Mode ( psk )
Jerry Yu77f01482022-07-11 07:03:24 +00001068 */
1069
1070 ssl->handshake->key_exchange_mode = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_NONE;
1071
Jerry Yu77f01482022-07-11 07:03:24 +00001072 if( ssl_tls13_check_psk_ephemeral_key_exchange( ssl ) )
1073 {
1074 ssl->handshake->key_exchange_mode =
1075 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL;
1076 MBEDTLS_SSL_DEBUG_MSG( 2, ( "key exchange mode: psk_ephemeral" ) );
1077 }
1078 else
1079 if( ssl_tls13_check_ephemeral_key_exchange( ssl ) )
1080 {
1081 ssl->handshake->key_exchange_mode =
1082 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL;
1083 MBEDTLS_SSL_DEBUG_MSG( 2, ( "key exchange mode: ephemeral" ) );
1084 }
1085 else
Jerry Yuce6ed702022-07-22 21:49:53 +08001086 if( ssl_tls13_check_psk_key_exchange( ssl ) )
1087 {
1088 ssl->handshake->key_exchange_mode =
1089 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK;
1090 MBEDTLS_SSL_DEBUG_MSG( 2, ( "key exchange mode: psk" ) );
1091 }
1092 else
Jerry Yu77f01482022-07-11 07:03:24 +00001093 {
1094 MBEDTLS_SSL_DEBUG_MSG(
1095 1,
1096 ( "ClientHello message misses mandatory extensions." ) );
1097 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_MISSING_EXTENSION ,
1098 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
1099 return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
1100 }
1101
1102 return( 0 );
1103
XiaokangQian7807f9f2022-02-15 10:04:37 +00001104}
1105
XiaokangQian81802f42022-06-10 13:25:22 +00001106#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
Ronald Cron928cbd32022-10-04 16:14:26 +02001107 defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
Ronald Cron67ea2542022-09-15 17:34:42 +02001108
1109#if defined(MBEDTLS_USE_PSA_CRYPTO)
1110static psa_algorithm_t ssl_tls13_iana_sig_alg_to_psa_alg( uint16_t sig_alg )
1111{
1112 switch( sig_alg )
1113 {
1114 case MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256:
1115 return( PSA_ALG_ECDSA( PSA_ALG_SHA_256 ) );
1116 case MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384:
1117 return( PSA_ALG_ECDSA( PSA_ALG_SHA_384 ) );
1118 case MBEDTLS_TLS1_3_SIG_ECDSA_SECP521R1_SHA512:
1119 return( PSA_ALG_ECDSA( PSA_ALG_SHA_512 ) );
1120 case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256:
1121 return( PSA_ALG_RSA_PSS( PSA_ALG_SHA_256 ) );
1122 case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384:
1123 return( PSA_ALG_RSA_PSS( PSA_ALG_SHA_384 ) );
1124 case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512:
1125 return( PSA_ALG_RSA_PSS( PSA_ALG_SHA_512 ) );
1126 case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256:
Ronald Cronb72dac42022-09-27 08:56:47 +02001127 return( PSA_ALG_RSA_PKCS1V15_SIGN( PSA_ALG_SHA_256 ) );
Ronald Cron67ea2542022-09-15 17:34:42 +02001128 case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA384:
Ronald Cronb72dac42022-09-27 08:56:47 +02001129 return( PSA_ALG_RSA_PKCS1V15_SIGN( PSA_ALG_SHA_384 ) );
Ronald Cron67ea2542022-09-15 17:34:42 +02001130 case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA512:
Ronald Cronb72dac42022-09-27 08:56:47 +02001131 return( PSA_ALG_RSA_PKCS1V15_SIGN( PSA_ALG_SHA_512 ) );
Ronald Cron67ea2542022-09-15 17:34:42 +02001132 default:
1133 return( PSA_ALG_NONE );
1134 }
1135}
1136#endif /* MBEDTLS_USE_PSA_CRYPTO */
1137
XiaokangQian23c5be62022-06-07 02:04:34 +00001138/*
XiaokangQianfb665a82022-06-15 03:57:21 +00001139 * Pick best ( private key, certificate chain ) pair based on the signature
1140 * algorithms supported by the client.
XiaokangQian23c5be62022-06-07 02:04:34 +00001141 */
Ronald Cronce7d76e2022-07-08 18:56:49 +02001142MBEDTLS_CHECK_RETURN_CRITICAL
XiaokangQian07aad072022-06-14 05:35:09 +00001143static int ssl_tls13_pick_key_cert( mbedtls_ssl_context *ssl )
XiaokangQian23c5be62022-06-07 02:04:34 +00001144{
XiaokangQianfb665a82022-06-15 03:57:21 +00001145 mbedtls_ssl_key_cert *key_cert, *key_cert_list;
XiaokangQian81802f42022-06-10 13:25:22 +00001146 const uint16_t *sig_alg = ssl->handshake->received_sig_algs;
XiaokangQian23c5be62022-06-07 02:04:34 +00001147
1148#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
1149 if( ssl->handshake->sni_key_cert != NULL )
XiaokangQianfb665a82022-06-15 03:57:21 +00001150 key_cert_list = ssl->handshake->sni_key_cert;
XiaokangQian23c5be62022-06-07 02:04:34 +00001151 else
1152#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
XiaokangQianfb665a82022-06-15 03:57:21 +00001153 key_cert_list = ssl->conf->key_cert;
XiaokangQian23c5be62022-06-07 02:04:34 +00001154
XiaokangQianfb665a82022-06-15 03:57:21 +00001155 if( key_cert_list == NULL )
XiaokangQian23c5be62022-06-07 02:04:34 +00001156 {
1157 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server has no certificate" ) );
1158 return( -1 );
1159 }
1160
XiaokangQian81802f42022-06-10 13:25:22 +00001161 for( ; *sig_alg != MBEDTLS_TLS1_3_SIG_NONE; sig_alg++ )
XiaokangQian23c5be62022-06-07 02:04:34 +00001162 {
Ronald Cron67ea2542022-09-15 17:34:42 +02001163 if( !mbedtls_ssl_sig_alg_is_offered( ssl, *sig_alg ) )
1164 continue;
1165
1166 if( !mbedtls_ssl_tls13_sig_alg_for_cert_verify_is_supported( *sig_alg ) )
1167 continue;
1168
XiaokangQianfb665a82022-06-15 03:57:21 +00001169 for( key_cert = key_cert_list; key_cert != NULL;
1170 key_cert = key_cert->next )
XiaokangQian23c5be62022-06-07 02:04:34 +00001171 {
Ronald Cron67ea2542022-09-15 17:34:42 +02001172#if defined(MBEDTLS_USE_PSA_CRYPTO)
1173 psa_algorithm_t psa_alg = PSA_ALG_NONE;
1174#endif /* MBEDTLS_USE_PSA_CRYPTO */
1175
XiaokangQianfb665a82022-06-15 03:57:21 +00001176 MBEDTLS_SSL_DEBUG_CRT( 3, "certificate (chain) candidate",
1177 key_cert->cert );
XiaokangQian81802f42022-06-10 13:25:22 +00001178
1179 /*
1180 * This avoids sending the client a cert it'll reject based on
1181 * keyUsage or other extensions.
1182 */
1183 if( mbedtls_x509_crt_check_key_usage(
XiaokangQianfb665a82022-06-15 03:57:21 +00001184 key_cert->cert, MBEDTLS_X509_KU_DIGITAL_SIGNATURE ) != 0 ||
XiaokangQian81802f42022-06-10 13:25:22 +00001185 mbedtls_x509_crt_check_extended_key_usage(
XiaokangQianfb665a82022-06-15 03:57:21 +00001186 key_cert->cert, MBEDTLS_OID_SERVER_AUTH,
1187 MBEDTLS_OID_SIZE( MBEDTLS_OID_SERVER_AUTH ) ) != 0 )
XiaokangQian81802f42022-06-10 13:25:22 +00001188 {
1189 MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate mismatch: "
XiaokangQianfb665a82022-06-15 03:57:21 +00001190 "(extended) key usage extension" ) );
XiaokangQian81802f42022-06-10 13:25:22 +00001191 continue;
1192 }
XiaokangQian23c5be62022-06-07 02:04:34 +00001193
Jerry Yucc539102022-06-27 16:27:35 +08001194 MBEDTLS_SSL_DEBUG_MSG( 3,
1195 ( "ssl_tls13_pick_key_cert:"
1196 "check signature algorithm %s [%04x]",
1197 mbedtls_ssl_sig_alg_to_str( *sig_alg ),
1198 *sig_alg ) );
Ronald Cron67ea2542022-09-15 17:34:42 +02001199#if defined(MBEDTLS_USE_PSA_CRYPTO)
1200 psa_alg = ssl_tls13_iana_sig_alg_to_psa_alg( *sig_alg );
1201#endif /* MBEDTLS_USE_PSA_CRYPTO */
1202
Jerry Yufb526692022-06-19 11:22:49 +08001203 if( mbedtls_ssl_tls13_check_sig_alg_cert_key_match(
Ronald Cron67ea2542022-09-15 17:34:42 +02001204 *sig_alg, &key_cert->cert->pk )
1205#if defined(MBEDTLS_USE_PSA_CRYPTO)
1206 && psa_alg != PSA_ALG_NONE &&
1207 mbedtls_pk_can_do_ext( &key_cert->cert->pk, psa_alg,
1208 PSA_KEY_USAGE_SIGN_HASH ) == 1
1209#endif /* MBEDTLS_USE_PSA_CRYPTO */
1210 )
XiaokangQian81802f42022-06-10 13:25:22 +00001211 {
XiaokangQianfb665a82022-06-15 03:57:21 +00001212 ssl->handshake->key_cert = key_cert;
Jerry Yucc539102022-06-27 16:27:35 +08001213 MBEDTLS_SSL_DEBUG_MSG( 3,
1214 ( "ssl_tls13_pick_key_cert:"
1215 "selected signature algorithm"
1216 " %s [%04x]",
1217 mbedtls_ssl_sig_alg_to_str( *sig_alg ),
1218 *sig_alg ) );
XiaokangQianfb665a82022-06-15 03:57:21 +00001219 MBEDTLS_SSL_DEBUG_CRT(
XiaokangQian75fe8c72022-06-15 09:42:45 +00001220 3, "selected certificate (chain)",
XiaokangQianfb665a82022-06-15 03:57:21 +00001221 ssl->handshake->key_cert->cert );
XiaokangQian81802f42022-06-10 13:25:22 +00001222 return( 0 );
1223 }
XiaokangQian81802f42022-06-10 13:25:22 +00001224 }
XiaokangQian23c5be62022-06-07 02:04:34 +00001225 }
1226
Jerry Yu9d3e2fa2022-06-27 22:14:01 +08001227 MBEDTLS_SSL_DEBUG_MSG( 2, ( "ssl_tls13_pick_key_cert:"
1228 "no suitable certificate found" ) );
XiaokangQian23c5be62022-06-07 02:04:34 +00001229 return( -1 );
1230}
XiaokangQian81802f42022-06-10 13:25:22 +00001231#endif /* MBEDTLS_X509_CRT_PARSE_C &&
Ronald Cron928cbd32022-10-04 16:14:26 +02001232 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
XiaokangQian23c5be62022-06-07 02:04:34 +00001233
XiaokangQian4080a7f2022-04-11 09:55:18 +00001234/*
XiaokangQianed582dd2022-04-13 08:21:05 +00001235 *
1236 * STATE HANDLING: ClientHello
1237 *
XiaokangQianb67384d2022-04-19 00:02:38 +00001238 * There are three possible classes of outcomes when parsing the ClientHello:
XiaokangQianed582dd2022-04-13 08:21:05 +00001239 *
XiaokangQianb67384d2022-04-19 00:02:38 +00001240 * 1) The ClientHello was well-formed and matched the server's configuration.
XiaokangQianed582dd2022-04-13 08:21:05 +00001241 *
1242 * In this case, the server progresses to sending its ServerHello.
1243 *
XiaokangQianb67384d2022-04-19 00:02:38 +00001244 * 2) The ClientHello was well-formed but didn't match the server's
1245 * configuration.
XiaokangQianed582dd2022-04-13 08:21:05 +00001246 *
1247 * For example, the client might not have offered a key share which
1248 * the server supports, or the server might require a cookie.
1249 *
1250 * In this case, the server sends a HelloRetryRequest.
1251 *
XiaokangQianb67384d2022-04-19 00:02:38 +00001252 * 3) The ClientHello was ill-formed
XiaokangQianed582dd2022-04-13 08:21:05 +00001253 *
1254 * In this case, we abort the handshake.
1255 *
1256 */
1257
1258/*
XiaokangQian4080a7f2022-04-11 09:55:18 +00001259 * Structure of this message:
1260 *
XiaokangQiane8ff3502022-04-22 02:34:40 +00001261 * uint16 ProtocolVersion;
1262 * opaque Random[32];
1263 * uint8 CipherSuite[2]; // Cryptographic suite selector
XiaokangQian4080a7f2022-04-11 09:55:18 +00001264 *
XiaokangQiane8ff3502022-04-22 02:34:40 +00001265 * struct {
1266 * ProtocolVersion legacy_version = 0x0303; // TLS v1.2
1267 * Random random;
1268 * opaque legacy_session_id<0..32>;
1269 * CipherSuite cipher_suites<2..2^16-2>;
1270 * opaque legacy_compression_methods<1..2^8-1>;
1271 * Extension extensions<8..2^16-1>;
1272 * } ClientHello;
XiaokangQian4080a7f2022-04-11 09:55:18 +00001273 */
XiaokangQianed582dd2022-04-13 08:21:05 +00001274
1275#define SSL_CLIENT_HELLO_OK 0
1276#define SSL_CLIENT_HELLO_HRR_REQUIRED 1
1277
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +02001278MBEDTLS_CHECK_RETURN_CRITICAL
XiaokangQian4080a7f2022-04-11 09:55:18 +00001279static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl,
1280 const unsigned char *buf,
1281 const unsigned char *end )
XiaokangQian7807f9f2022-02-15 10:04:37 +00001282{
XiaokangQianb67384d2022-04-19 00:02:38 +00001283 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1284 const unsigned char *p = buf;
XiaokangQian4080a7f2022-04-11 09:55:18 +00001285 size_t legacy_session_id_len;
XiaokangQian318dc762022-04-20 09:43:51 +00001286 size_t cipher_suites_len;
XiaokangQian060d8672022-04-21 09:24:56 +00001287 const unsigned char *cipher_suites_end;
XiaokangQianb67384d2022-04-19 00:02:38 +00001288 size_t extensions_len;
XiaokangQian7807f9f2022-02-15 10:04:37 +00001289 const unsigned char *extensions_end;
Jerry Yu49ca9282022-05-05 11:05:22 +08001290 int hrr_required = 0;
XiaokangQian7807f9f2022-02-15 10:04:37 +00001291
Ronald Cron41a443a2022-10-04 16:38:25 +02001292#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
Jerry Yu5725f1c2022-08-21 17:27:16 +08001293 const unsigned char *cipher_suites;
Jerry Yu29d9faa2022-08-23 17:52:45 +08001294 const unsigned char *pre_shared_key_ext = NULL;
Jerry Yu1c105562022-07-10 06:32:38 +00001295 const unsigned char *pre_shared_key_ext_end = NULL;
Ronald Cron41a443a2022-10-04 16:38:25 +02001296#endif
XiaokangQian7807f9f2022-02-15 10:04:37 +00001297
1298 ssl->handshake->extensions_present = MBEDTLS_SSL_EXT_NONE;
1299
1300 /*
XiaokangQianb67384d2022-04-19 00:02:38 +00001301 * ClientHello layout:
XiaokangQian7807f9f2022-02-15 10:04:37 +00001302 * 0 . 1 protocol version
XiaokangQiane8ff3502022-04-22 02:34:40 +00001303 * 2 . 33 random bytes
XiaokangQianc5763b52022-04-02 03:34:37 +00001304 * 34 . 34 session id length ( 1 byte )
XiaokangQian7807f9f2022-02-15 10:04:37 +00001305 * 35 . 34+x session id
XiaokangQian7807f9f2022-02-15 10:04:37 +00001306 * .. . .. ciphersuite list length ( 2 bytes )
1307 * .. . .. ciphersuite list
1308 * .. . .. compression alg. list length ( 1 byte )
1309 * .. . .. compression alg. list
1310 * .. . .. extensions length ( 2 bytes, optional )
1311 * .. . .. extensions ( optional )
1312 */
1313
XiaokangQianb67384d2022-04-19 00:02:38 +00001314 /*
bootstrap-prime6dbbf442022-05-17 19:30:44 -04001315 * Minimal length ( with everything empty and extensions omitted ) is
XiaokangQian7807f9f2022-02-15 10:04:37 +00001316 * 2 + 32 + 1 + 2 + 1 = 38 bytes. Check that first, so that we can
1317 * read at least up to session id length without worrying.
1318 */
1319 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 38 );
1320
1321 /* ...
1322 * ProtocolVersion legacy_version = 0x0303; // TLS 1.2
1323 * ...
1324 * with ProtocolVersion defined as:
1325 * uint16 ProtocolVersion;
1326 */
XiaokangQiande333912022-04-20 08:49:42 +00001327 if( mbedtls_ssl_read_version( p, ssl->conf->transport ) !=
1328 MBEDTLS_SSL_VERSION_TLS1_2 )
XiaokangQian7807f9f2022-02-15 10:04:37 +00001329 {
1330 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Unsupported version of TLS." ) );
1331 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION,
1332 MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION );
XiaokangQianb67384d2022-04-19 00:02:38 +00001333 return ( MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION );
XiaokangQian7807f9f2022-02-15 10:04:37 +00001334 }
1335 p += 2;
1336
1337 /*
XiaokangQianf8ceb942022-04-15 11:43:27 +00001338 * Only support TLS 1.3 currently, temporarily set the version.
1339 */
XiaokangQiande333912022-04-20 08:49:42 +00001340 ssl->tls_version = MBEDTLS_SSL_VERSION_TLS1_3;
XiaokangQianf8ceb942022-04-15 11:43:27 +00001341
Jerry Yue67bef42022-07-07 07:29:42 +00001342#if defined(MBEDTLS_SSL_SESSION_TICKETS)
1343 /* Store minor version for later use with ticket serialization. */
1344 ssl->session_negotiate->tls_version = MBEDTLS_SSL_VERSION_TLS1_3;
Jerry Yua66fece2022-07-13 14:30:29 +08001345 ssl->session_negotiate->endpoint = ssl->conf->endpoint;
Jerry Yufca4d572022-07-21 10:37:48 +08001346#endif
Jerry Yue67bef42022-07-07 07:29:42 +00001347
Jerry Yuc1be19f2022-04-23 16:11:39 +08001348 /* ...
1349 * Random random;
1350 * ...
XiaokangQianb67384d2022-04-19 00:02:38 +00001351 * with Random defined as:
1352 * opaque Random[32];
XiaokangQian7807f9f2022-02-15 10:04:37 +00001353 */
XiaokangQian4080a7f2022-04-11 09:55:18 +00001354 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, random bytes",
XiaokangQian08037552022-04-20 07:16:41 +00001355 p, MBEDTLS_CLIENT_HELLO_RANDOM_LEN );
XiaokangQian7807f9f2022-02-15 10:04:37 +00001356
XiaokangQian08037552022-04-20 07:16:41 +00001357 memcpy( &ssl->handshake->randbytes[0], p, MBEDTLS_CLIENT_HELLO_RANDOM_LEN );
1358 p += MBEDTLS_CLIENT_HELLO_RANDOM_LEN;
XiaokangQian7807f9f2022-02-15 10:04:37 +00001359
Jerry Yuc1be19f2022-04-23 16:11:39 +08001360 /* ...
XiaokangQianb67384d2022-04-19 00:02:38 +00001361 * opaque legacy_session_id<0..32>;
Jerry Yuc1be19f2022-04-23 16:11:39 +08001362 * ...
XiaokangQian7807f9f2022-02-15 10:04:37 +00001363 */
XiaokangQian4080a7f2022-04-11 09:55:18 +00001364 legacy_session_id_len = p[0];
XiaokangQianc5763b52022-04-02 03:34:37 +00001365 p++;
XiaokangQian7807f9f2022-02-15 10:04:37 +00001366
XiaokangQianb67384d2022-04-19 00:02:38 +00001367 if( legacy_session_id_len > sizeof( ssl->session_negotiate->id ) )
XiaokangQian7807f9f2022-02-15 10:04:37 +00001368 {
1369 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1370 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
1371 }
1372
XiaokangQian4080a7f2022-04-11 09:55:18 +00001373 ssl->session_negotiate->id_len = legacy_session_id_len;
XiaokangQianed582dd2022-04-13 08:21:05 +00001374 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, session id",
XiaokangQiane8ff3502022-04-22 02:34:40 +00001375 p, legacy_session_id_len );
XiaokangQianb67384d2022-04-19 00:02:38 +00001376 /*
1377 * Check we have enough data for the legacy session identifier
Jerry Yue95c8af2022-07-26 15:48:20 +08001378 * and the ciphersuite list length.
XiaokangQianb67384d2022-04-19 00:02:38 +00001379 */
1380 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, legacy_session_id_len + 2 );
XiaokangQian7807f9f2022-02-15 10:04:37 +00001381
XiaokangQianed582dd2022-04-13 08:21:05 +00001382 memcpy( &ssl->session_negotiate->id[0], p, legacy_session_id_len );
XiaokangQian4080a7f2022-04-11 09:55:18 +00001383 p += legacy_session_id_len;
XiaokangQian7807f9f2022-02-15 10:04:37 +00001384
XiaokangQian7807f9f2022-02-15 10:04:37 +00001385 cipher_suites_len = MBEDTLS_GET_UINT16_BE( p, 0 );
1386 p += 2;
1387
XiaokangQianb67384d2022-04-19 00:02:38 +00001388 /* Check we have enough data for the ciphersuite list, the legacy
1389 * compression methods and the length of the extensions.
Jerry Yue95c8af2022-07-26 15:48:20 +08001390 *
1391 * cipher_suites cipher_suites_len bytes
1392 * legacy_compression_methods 2 bytes
1393 * extensions_len 2 bytes
XiaokangQianb67384d2022-04-19 00:02:38 +00001394 */
1395 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, cipher_suites_len + 2 + 2 );
XiaokangQian7807f9f2022-02-15 10:04:37 +00001396
Jerry Yu24b8c812022-08-20 19:06:56 +08001397 /* ...
1398 * CipherSuite cipher_suites<2..2^16-2>;
1399 * ...
1400 * with CipherSuite defined as:
1401 * uint8 CipherSuite[2];
XiaokangQian08037552022-04-20 07:16:41 +00001402 */
Ronald Cron41a443a2022-10-04 16:38:25 +02001403#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
XiaokangQian060d8672022-04-21 09:24:56 +00001404 cipher_suites = p;
Jerry Yu5725f1c2022-08-21 17:27:16 +08001405#endif
XiaokangQian060d8672022-04-21 09:24:56 +00001406 cipher_suites_end = p + cipher_suites_len;
XiaokangQian7807f9f2022-02-15 10:04:37 +00001407 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist",
1408 p, cipher_suites_len );
Jerry Yu5725f1c2022-08-21 17:27:16 +08001409
1410 /*
1411 * Search for a matching ciphersuite
1412 */
XiaokangQian060d8672022-04-21 09:24:56 +00001413 for ( ; p < cipher_suites_end; p += 2 )
XiaokangQian17f974c2022-04-19 09:57:41 +00001414 {
XiaokangQiane8ff3502022-04-22 02:34:40 +00001415 uint16_t cipher_suite;
Jerry Yue95c8af2022-07-26 15:48:20 +08001416 const mbedtls_ssl_ciphersuite_t* ciphersuite_info;
Jerry Yu5725f1c2022-08-21 17:27:16 +08001417
XiaokangQiane8ff3502022-04-22 02:34:40 +00001418 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, cipher_suites_end, 2 );
Jerry Yu5725f1c2022-08-21 17:27:16 +08001419
XiaokangQiane8ff3502022-04-22 02:34:40 +00001420 cipher_suite = MBEDTLS_GET_UINT16_BE( p, 0 );
Jerry Yuc5a23a02022-08-25 10:51:44 +08001421 ciphersuite_info = ssl_tls13_validate_peer_ciphersuite(
Jerry Yudd1bef72022-08-23 17:57:02 +08001422 ssl,cipher_suite );
1423 if( ciphersuite_info == NULL )
Jerry Yu5725f1c2022-08-21 17:27:16 +08001424 continue;
1425
Jerry Yu5725f1c2022-08-21 17:27:16 +08001426 ssl->session_negotiate->ciphersuite = cipher_suite;
1427 ssl->handshake->ciphersuite_info = ciphersuite_info;
1428 MBEDTLS_SSL_DEBUG_MSG( 2, ( "selected ciphersuite: %04x - %s",
Jerry Yue95c8af2022-07-26 15:48:20 +08001429 cipher_suite,
Jerry Yu5725f1c2022-08-21 17:27:16 +08001430 ciphersuite_info->name ) );
XiaokangQian17f974c2022-04-19 09:57:41 +00001431 }
Jerry Yu5725f1c2022-08-21 17:27:16 +08001432
1433 if( ssl->handshake->ciphersuite_info == NULL )
1434 {
1435 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
1436 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
1437 return ( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
1438 }
Jerry Yuc1be19f2022-04-23 16:11:39 +08001439
XiaokangQian4080a7f2022-04-11 09:55:18 +00001440 /* ...
XiaokangQianb67384d2022-04-19 00:02:38 +00001441 * opaque legacy_compression_methods<1..2^8-1>;
XiaokangQian4080a7f2022-04-11 09:55:18 +00001442 * ...
XiaokangQian7807f9f2022-02-15 10:04:37 +00001443 */
XiaokangQian0a1b54e2022-04-21 03:01:38 +00001444 if( p[0] != 1 || p[1] != MBEDTLS_SSL_COMPRESS_NULL )
XiaokangQian7807f9f2022-02-15 10:04:37 +00001445 {
XiaokangQian4080a7f2022-04-11 09:55:18 +00001446 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad legacy compression method" ) );
1447 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
1448 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
1449 return ( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
XiaokangQian7807f9f2022-02-15 10:04:37 +00001450 }
XiaokangQianb67384d2022-04-19 00:02:38 +00001451 p += 2;
XiaokangQian7807f9f2022-02-15 10:04:37 +00001452
Jerry Yuc1be19f2022-04-23 16:11:39 +08001453 /* ...
XiaokangQianb67384d2022-04-19 00:02:38 +00001454 * Extension extensions<8..2^16-1>;
Jerry Yuc1be19f2022-04-23 16:11:39 +08001455 * ...
XiaokangQianb67384d2022-04-19 00:02:38 +00001456 * with Extension defined as:
1457 * struct {
1458 * ExtensionType extension_type;
1459 * opaque extension_data<0..2^16-1>;
1460 * } Extension;
XiaokangQian7807f9f2022-02-15 10:04:37 +00001461 */
XiaokangQian4080a7f2022-04-11 09:55:18 +00001462 extensions_len = MBEDTLS_GET_UINT16_BE( p, 0 );
XiaokangQian7807f9f2022-02-15 10:04:37 +00001463 p += 2;
XiaokangQian4080a7f2022-04-11 09:55:18 +00001464 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, extensions_len );
XiaokangQiane8ff3502022-04-22 02:34:40 +00001465 extensions_end = p + extensions_len;
XiaokangQian7807f9f2022-02-15 10:04:37 +00001466
XiaokangQian4080a7f2022-04-11 09:55:18 +00001467 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello extensions", p, extensions_len );
XiaokangQian7807f9f2022-02-15 10:04:37 +00001468
1469 while( p < extensions_end )
1470 {
1471 unsigned int extension_type;
1472 size_t extension_data_len;
1473 const unsigned char *extension_data_end;
1474
Jerry Yu1c9247c2022-07-21 12:37:39 +08001475 /* RFC 8446, page 57
1476 *
1477 * The "pre_shared_key" extension MUST be the last extension in the
1478 * ClientHello (this facilitates implementation as described below).
1479 * Servers MUST check that it is the last extension and otherwise fail
1480 * the handshake with an "illegal_parameter" alert.
1481 */
1482 if( ssl->handshake->extensions_present & MBEDTLS_SSL_EXT_PRE_SHARED_KEY )
1483 {
1484 MBEDTLS_SSL_DEBUG_MSG(
1485 3, ( "pre_shared_key is not last extension." ) );
1486 MBEDTLS_SSL_PEND_FATAL_ALERT(
1487 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
1488 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
1489 return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
1490 }
1491
XiaokangQian318dc762022-04-20 09:43:51 +00001492 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, 4 );
XiaokangQian7807f9f2022-02-15 10:04:37 +00001493 extension_type = MBEDTLS_GET_UINT16_BE( p, 0 );
1494 extension_data_len = MBEDTLS_GET_UINT16_BE( p, 2 );
1495 p += 4;
1496
1497 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, extension_data_len );
1498 extension_data_end = p + extension_data_len;
1499
1500 switch( extension_type )
1501 {
XiaokangQian40a35232022-05-07 09:02:40 +00001502#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
1503 case MBEDTLS_TLS_EXT_SERVERNAME:
1504 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found ServerName extension" ) );
XiaokangQian9b2b7712022-05-17 02:57:00 +00001505 ret = mbedtls_ssl_parse_server_name_ext( ssl, p,
1506 extension_data_end );
XiaokangQian40a35232022-05-07 09:02:40 +00001507 if( ret != 0 )
1508 {
1509 MBEDTLS_SSL_DEBUG_RET(
1510 1, "mbedtls_ssl_parse_servername_ext", ret );
1511 return( ret );
1512 }
1513 ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_SERVERNAME;
1514 break;
1515#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
1516
XiaokangQianb67384d2022-04-19 00:02:38 +00001517#if defined(MBEDTLS_ECDH_C)
XiaokangQian7807f9f2022-02-15 10:04:37 +00001518 case MBEDTLS_TLS_EXT_SUPPORTED_GROUPS:
1519 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported group extension" ) );
1520
1521 /* Supported Groups Extension
1522 *
1523 * When sent by the client, the "supported_groups" extension
1524 * indicates the named groups which the client supports,
1525 * ordered from most preferred to least preferred.
1526 */
Jerry Yuc1be19f2022-04-23 16:11:39 +08001527 ret = ssl_tls13_parse_supported_groups_ext(
1528 ssl, p, extension_data_end );
XiaokangQian7807f9f2022-02-15 10:04:37 +00001529 if( ret != 0 )
1530 {
1531 MBEDTLS_SSL_DEBUG_RET( 1,
1532 "mbedtls_ssl_parse_supported_groups_ext", ret );
1533 return( ret );
1534 }
1535
1536 ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_SUPPORTED_GROUPS;
1537 break;
XiaokangQianb67384d2022-04-19 00:02:38 +00001538#endif /* MBEDTLS_ECDH_C */
XiaokangQian7807f9f2022-02-15 10:04:37 +00001539
XiaokangQian88408882022-04-02 10:15:03 +00001540#if defined(MBEDTLS_ECDH_C)
XiaokangQian7807f9f2022-02-15 10:04:37 +00001541 case MBEDTLS_TLS_EXT_KEY_SHARE:
1542 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found key share extension" ) );
1543
1544 /*
1545 * Key Share Extension
1546 *
1547 * When sent by the client, the "key_share" extension
1548 * contains the endpoint's cryptographic parameters for
1549 * ECDHE/DHE key establishment methods.
1550 */
Jerry Yuc1be19f2022-04-23 16:11:39 +08001551 ret = ssl_tls13_parse_key_shares_ext(
1552 ssl, p, extension_data_end );
XiaokangQian08037552022-04-20 07:16:41 +00001553 if( ret == SSL_TLS1_3_PARSE_KEY_SHARES_EXT_NO_MATCH )
XiaokangQian7807f9f2022-02-15 10:04:37 +00001554 {
XiaokangQianed582dd2022-04-13 08:21:05 +00001555 MBEDTLS_SSL_DEBUG_MSG( 2, ( "HRR needed " ) );
Jerry Yu49ca9282022-05-05 11:05:22 +08001556 hrr_required = 1;
XiaokangQian7807f9f2022-02-15 10:04:37 +00001557 }
1558
Jerry Yu582dd062022-04-22 21:59:01 +08001559 if( ret < 0 )
1560 {
1561 MBEDTLS_SSL_DEBUG_RET(
1562 1, "ssl_tls13_parse_key_shares_ext", ret );
XiaokangQian7807f9f2022-02-15 10:04:37 +00001563 return( ret );
Jerry Yu582dd062022-04-22 21:59:01 +08001564 }
XiaokangQian7807f9f2022-02-15 10:04:37 +00001565
1566 ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_KEY_SHARE;
1567 break;
XiaokangQian88408882022-04-02 10:15:03 +00001568#endif /* MBEDTLS_ECDH_C */
XiaokangQian7807f9f2022-02-15 10:04:37 +00001569
1570 case MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS:
1571 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported versions extension" ) );
1572
1573 ret = ssl_tls13_parse_supported_versions_ext(
Jerry Yuc1be19f2022-04-23 16:11:39 +08001574 ssl, p, extension_data_end );
XiaokangQian7807f9f2022-02-15 10:04:37 +00001575 if( ret != 0 )
1576 {
1577 MBEDTLS_SSL_DEBUG_RET( 1,
1578 ( "ssl_tls13_parse_supported_versions_ext" ), ret );
1579 return( ret );
1580 }
1581 ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_SUPPORTED_VERSIONS;
1582 break;
1583
Ronald Cron41a443a2022-10-04 16:38:25 +02001584#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
Jerry Yue19e3b92022-07-08 12:04:51 +00001585 case MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES:
1586 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found psk key exchange modes extension" ) );
1587
1588 ret = ssl_tls13_parse_key_exchange_modes_ext(
1589 ssl, p, extension_data_end );
1590 if( ret != 0 )
1591 {
1592 MBEDTLS_SSL_DEBUG_RET(
1593 1, "ssl_tls13_parse_key_exchange_modes_ext", ret );
1594 return( ret );
1595 }
1596
1597 ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_PSK_KEY_EXCHANGE_MODES;
1598 break;
Ronald Cron41a443a2022-10-04 16:38:25 +02001599#endif
Jerry Yue19e3b92022-07-08 12:04:51 +00001600
Jerry Yu1c105562022-07-10 06:32:38 +00001601 case MBEDTLS_TLS_EXT_PRE_SHARED_KEY:
1602 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found pre_shared_key extension" ) );
Jerry Yu13ab81d2022-07-22 23:17:11 +08001603 if( ( ssl->handshake->extensions_present &
1604 MBEDTLS_SSL_EXT_PSK_KEY_EXCHANGE_MODES ) == 0 )
1605 {
1606 MBEDTLS_SSL_PEND_FATAL_ALERT(
1607 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
1608 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
1609 return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
1610 }
Ronald Cron41a443a2022-10-04 16:38:25 +02001611#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
Jerry Yu1c105562022-07-10 06:32:38 +00001612 /* Delay processing of the PSK identity once we have
1613 * found out which algorithms to use. We keep a pointer
1614 * to the buffer and the size for later processing.
1615 */
Jerry Yu29d9faa2022-08-23 17:52:45 +08001616 pre_shared_key_ext = p;
Jerry Yu1c105562022-07-10 06:32:38 +00001617 pre_shared_key_ext_end = extension_data_end;
Ronald Cron41a443a2022-10-04 16:38:25 +02001618#endif
Jerry Yu1c105562022-07-10 06:32:38 +00001619 ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_PRE_SHARED_KEY;
1620 break;
Jerry Yu1c105562022-07-10 06:32:38 +00001621
XiaokangQianacb39922022-06-17 10:18:48 +00001622#if defined(MBEDTLS_SSL_ALPN)
1623 case MBEDTLS_TLS_EXT_ALPN:
1624 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found alpn extension" ) );
1625
1626 ret = mbedtls_ssl_parse_alpn_ext( ssl, p, extension_data_end );
1627 if( ret != 0 )
1628 {
1629 MBEDTLS_SSL_DEBUG_RET(
1630 1, ( "mbedtls_ssl_parse_alpn_ext" ), ret );
1631 return( ret );
1632 }
1633 ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_ALPN;
1634 break;
1635#endif /* MBEDTLS_SSL_ALPN */
1636
Ronald Cron928cbd32022-10-04 16:14:26 +02001637#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
XiaokangQian7807f9f2022-02-15 10:04:37 +00001638 case MBEDTLS_TLS_EXT_SIG_ALG:
1639 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found signature_algorithms extension" ) );
1640
Gabor Mezei078e8032022-04-27 21:17:56 +02001641 ret = mbedtls_ssl_parse_sig_alg_ext(
Jerry Yuc1be19f2022-04-23 16:11:39 +08001642 ssl, p, extension_data_end );
XiaokangQian7807f9f2022-02-15 10:04:37 +00001643 if( ret != 0 )
1644 {
1645 MBEDTLS_SSL_DEBUG_MSG( 1,
1646 ( "ssl_parse_supported_signature_algorithms_server_ext ( %d )",
1647 ret ) );
1648 return( ret );
1649 }
1650 ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_SIG_ALG;
1651 break;
Ronald Cron928cbd32022-10-04 16:14:26 +02001652#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
XiaokangQian7807f9f2022-02-15 10:04:37 +00001653
1654 default:
1655 MBEDTLS_SSL_DEBUG_MSG( 3,
1656 ( "unknown extension found: %ud ( ignoring )",
1657 extension_type ) );
1658 }
1659
1660 p += extension_data_len;
1661 }
1662
Jerry Yu1c105562022-07-10 06:32:38 +00001663#if defined(MBEDTLS_DEBUG_C)
1664 /* List all the extensions we have received */
1665 ssl_tls13_debug_print_client_hello_exts( ssl );
1666#endif /* MBEDTLS_DEBUG_C */
1667
1668 mbedtls_ssl_add_hs_hdr_to_checksum( ssl,
1669 MBEDTLS_SSL_HS_CLIENT_HELLO,
1670 p - buf );
Jerry Yu032b15ce2022-07-11 06:10:03 +00001671
Ronald Cron41a443a2022-10-04 16:38:25 +02001672#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
XiaokangQian7807f9f2022-02-15 10:04:37 +00001673 /* Update checksum with either
1674 * - The entire content of the CH message, if no PSK extension is present
1675 * - The content up to but excluding the PSK extension, if present.
1676 */
Jerry Yu1c105562022-07-10 06:32:38 +00001677 /* If we've settled on a PSK-based exchange, parse PSK identity ext */
Jerry Yuba9b6e92022-07-22 21:35:18 +08001678 if( mbedtls_ssl_tls13_some_psk_enabled( ssl ) &&
Jerry Yu32e13702022-07-29 13:04:08 +08001679 mbedtls_ssl_conf_tls13_some_psk_enabled( ssl ) &&
Jerry Yuba9b6e92022-07-22 21:35:18 +08001680 ( ssl->handshake->extensions_present & MBEDTLS_SSL_EXT_PRE_SHARED_KEY ) )
Jerry Yu1c105562022-07-10 06:32:38 +00001681 {
1682 ssl->handshake->update_checksum( ssl, buf,
Jerry Yu29d9faa2022-08-23 17:52:45 +08001683 pre_shared_key_ext - buf );
Jerry Yubb852022022-07-20 21:10:44 +08001684 ret = ssl_tls13_parse_pre_shared_key_ext( ssl,
Jerry Yu29d9faa2022-08-23 17:52:45 +08001685 pre_shared_key_ext,
Jerry Yue95c8af2022-07-26 15:48:20 +08001686 pre_shared_key_ext_end,
Jerry Yu5725f1c2022-08-21 17:27:16 +08001687 cipher_suites,
1688 cipher_suites_end );
Jerry Yue9d4fc02022-08-20 19:21:15 +08001689 if( ret == MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY )
Jerry Yuba9b6e92022-07-22 21:35:18 +08001690 {
1691 ssl->handshake->extensions_present &= ~MBEDTLS_SSL_EXT_PRE_SHARED_KEY;
Jerry Yu6f1db3f2022-07-22 23:05:59 +08001692 }
1693 else if( ret != 0 )
Jerry Yu1c105562022-07-10 06:32:38 +00001694 {
Jerry Yubb852022022-07-20 21:10:44 +08001695 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_tls13_parse_pre_shared_key_ext" ),
Jerry Yu1c105562022-07-10 06:32:38 +00001696 ret );
1697 return( ret );
1698 }
Jerry Yu1c105562022-07-10 06:32:38 +00001699 }
1700 else
Ronald Cron41a443a2022-10-04 16:38:25 +02001701#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */
Jerry Yu1c105562022-07-10 06:32:38 +00001702 {
1703 ssl->handshake->update_checksum( ssl, buf, p - buf );
1704 }
XiaokangQian7807f9f2022-02-15 10:04:37 +00001705
Jerry Yuba9b6e92022-07-22 21:35:18 +08001706 ret = ssl_tls13_determine_key_exchange_mode( ssl );
1707 if( ret < 0 )
1708 return( ret );
XiaokangQian7807f9f2022-02-15 10:04:37 +00001709
Jerry Yue5834fd2022-08-29 20:16:09 +08001710 mbedtls_ssl_optimize_checksum( ssl, ssl->handshake->ciphersuite_info );
1711
XiaokangQian75fe8c72022-06-15 09:42:45 +00001712 return( hrr_required ? SSL_CLIENT_HELLO_HRR_REQUIRED : SSL_CLIENT_HELLO_OK );
1713}
1714
1715/* Update the handshake state machine */
1716
Ronald Cronce7d76e2022-07-08 18:56:49 +02001717MBEDTLS_CHECK_RETURN_CRITICAL
XiaokangQian75fe8c72022-06-15 09:42:45 +00001718static int ssl_tls13_postprocess_client_hello( mbedtls_ssl_context* ssl )
1719{
1720 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1721
XiaokangQian7807f9f2022-02-15 10:04:37 +00001722 /*
XiaokangQianfb665a82022-06-15 03:57:21 +00001723 * Server certificate selection
1724 */
1725 if( ssl->conf->f_cert_cb && ( ret = ssl->conf->f_cert_cb( ssl ) ) != 0 )
1726 {
1727 MBEDTLS_SSL_DEBUG_RET( 1, "f_cert_cb", ret );
1728 return( ret );
1729 }
1730#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
1731 ssl->handshake->sni_name = NULL;
1732 ssl->handshake->sni_name_len = 0;
1733#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
XiaokangQian7807f9f2022-02-15 10:04:37 +00001734
XiaokangQian7807f9f2022-02-15 10:04:37 +00001735 ret = mbedtls_ssl_tls13_key_schedule_stage_early( ssl );
1736 if( ret != 0 )
1737 {
1738 MBEDTLS_SSL_DEBUG_RET( 1,
1739 "mbedtls_ssl_tls1_3_key_schedule_stage_early", ret );
1740 return( ret );
1741 }
1742
XiaokangQian7807f9f2022-02-15 10:04:37 +00001743 return( 0 );
1744
1745}
1746
1747/*
XiaokangQianed582dd2022-04-13 08:21:05 +00001748 * Main entry point from the state machine; orchestrates the otherfunctions.
1749 */
1750
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +02001751MBEDTLS_CHECK_RETURN_CRITICAL
XiaokangQianed582dd2022-04-13 08:21:05 +00001752static int ssl_tls13_process_client_hello( mbedtls_ssl_context *ssl )
1753{
1754
XiaokangQian08037552022-04-20 07:16:41 +00001755 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
XiaokangQianed582dd2022-04-13 08:21:05 +00001756 unsigned char* buf = NULL;
1757 size_t buflen = 0;
Jerry Yu4ca91402022-05-09 15:50:57 +08001758 int parse_client_hello_ret;
1759
XiaokangQianed582dd2022-04-13 08:21:05 +00001760 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse client hello" ) );
1761
XiaokangQianed582dd2022-04-13 08:21:05 +00001762 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_fetch_handshake_msg(
1763 ssl, MBEDTLS_SSL_HS_CLIENT_HELLO,
1764 &buf, &buflen ) );
1765
1766 MBEDTLS_SSL_PROC_CHK_NEG( ssl_tls13_parse_client_hello( ssl, buf,
1767 buf + buflen ) );
Jerry Yuf41553b2022-05-09 22:20:30 +08001768 parse_client_hello_ret = ret; /* Store return value of parse_client_hello,
1769 * only SSL_CLIENT_HELLO_OK or
1770 * SSL_CLIENT_HELLO_HRR_REQUIRED at this
1771 * stage as negative error codes are handled
1772 * by MBEDTLS_SSL_PROC_CHK_NEG. */
Jerry Yu4ca91402022-05-09 15:50:57 +08001773
XiaokangQiancfd925f2022-04-14 07:10:37 +00001774 MBEDTLS_SSL_PROC_CHK( ssl_tls13_postprocess_client_hello( ssl ) );
Jerry Yu582dd062022-04-22 21:59:01 +08001775
Jerry Yu4ca91402022-05-09 15:50:57 +08001776 if( parse_client_hello_ret == SSL_CLIENT_HELLO_OK )
1777 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_HELLO );
1778 else
1779 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_HELLO_RETRY_REQUEST );
XiaokangQianed582dd2022-04-13 08:21:05 +00001780
1781cleanup:
1782
1783 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse client hello" ) );
1784 return( ret );
1785}
1786
1787/*
Jerry Yu1c3e6882022-04-20 21:23:40 +08001788 * Handler for MBEDTLS_SSL_SERVER_HELLO
Jerry Yu5b64ae92022-03-30 17:15:02 +08001789 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +02001790MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yuf4b27e42022-03-30 17:32:21 +08001791static int ssl_tls13_prepare_server_hello( mbedtls_ssl_context *ssl )
1792{
Jerry Yu637a3f12022-04-20 21:37:58 +08001793 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1794 unsigned char *server_randbytes =
Jerry Yu3bf2c642022-03-30 22:02:12 +08001795 ssl->handshake->randbytes + MBEDTLS_CLIENT_HELLO_RANDOM_LEN;
Jerry Yuf4b27e42022-03-30 17:32:21 +08001796 if( ssl->conf->f_rng == NULL )
1797 {
1798 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no RNG provided" ) );
1799 return( MBEDTLS_ERR_SSL_NO_RNG );
1800 }
1801
Jerry Yu637a3f12022-04-20 21:37:58 +08001802 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, server_randbytes,
Jerry Yuf4b27e42022-03-30 17:32:21 +08001803 MBEDTLS_SERVER_HELLO_RANDOM_LEN ) ) != 0 )
1804 {
1805 MBEDTLS_SSL_DEBUG_RET( 1, "f_rng", ret );
1806 return( ret );
1807 }
1808
Jerry Yu637a3f12022-04-20 21:37:58 +08001809 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, random bytes", server_randbytes,
Jerry Yuf4b27e42022-03-30 17:32:21 +08001810 MBEDTLS_SERVER_HELLO_RANDOM_LEN );
1811
1812#if defined(MBEDTLS_HAVE_TIME)
1813 ssl->session_negotiate->start = time( NULL );
1814#endif /* MBEDTLS_HAVE_TIME */
1815
1816 return( ret );
1817}
1818
Jerry Yu3bf2c642022-03-30 22:02:12 +08001819/*
Jerry Yue74e04a2022-04-21 09:23:16 +08001820 * ssl_tls13_write_server_hello_supported_versions_ext ():
Jerry Yu3bf2c642022-03-30 22:02:12 +08001821 *
1822 * struct {
Jerry Yufb9f54d2022-04-06 10:08:34 +08001823 * ProtocolVersion selected_version;
Jerry Yu3bf2c642022-03-30 22:02:12 +08001824 * } SupportedVersions;
1825 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +02001826MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yue74e04a2022-04-21 09:23:16 +08001827static int ssl_tls13_write_server_hello_supported_versions_ext(
1828 mbedtls_ssl_context *ssl,
1829 unsigned char *buf,
1830 unsigned char *end,
1831 size_t *out_len )
Jerry Yu3bf2c642022-03-30 22:02:12 +08001832{
Jerry Yu3bf2c642022-03-30 22:02:12 +08001833 *out_len = 0;
1834
Jerry Yu955ddd72022-04-22 22:27:33 +08001835 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, write selected version" ) );
Jerry Yu3bf2c642022-03-30 22:02:12 +08001836
1837 /* Check if we have space to write the extension:
1838 * - extension_type (2 bytes)
1839 * - extension_data_length (2 bytes)
Jerry Yu349a6132022-04-14 20:52:56 +08001840 * - selected_version (2 bytes)
Jerry Yu3bf2c642022-03-30 22:02:12 +08001841 */
Jerry Yu349a6132022-04-14 20:52:56 +08001842 MBEDTLS_SSL_CHK_BUF_PTR( buf, end, 6 );
Jerry Yu3bf2c642022-03-30 22:02:12 +08001843
Jerry Yu349a6132022-04-14 20:52:56 +08001844 MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS, buf, 0 );
Jerry Yu3bf2c642022-03-30 22:02:12 +08001845
Jerry Yu349a6132022-04-14 20:52:56 +08001846 MBEDTLS_PUT_UINT16_BE( 2, buf, 2 );
Jerry Yu3bf2c642022-03-30 22:02:12 +08001847
Jerry Yu349a6132022-04-14 20:52:56 +08001848 mbedtls_ssl_write_version( buf + 4,
1849 ssl->conf->transport,
1850 ssl->tls_version );
Jerry Yu3bf2c642022-03-30 22:02:12 +08001851
1852 MBEDTLS_SSL_DEBUG_MSG( 3, ( "supported version: [%04x]",
1853 ssl->tls_version ) );
1854
Jerry Yu349a6132022-04-14 20:52:56 +08001855 *out_len = 6;
Jerry Yu3bf2c642022-03-30 22:02:12 +08001856
1857 return( 0 );
1858}
1859
Jerry Yud9436a12022-04-20 22:28:09 +08001860
Jerry Yu3bf2c642022-03-30 22:02:12 +08001861
1862/* Generate and export a single key share. For hybrid KEMs, this can
1863 * be called multiple times with the different components of the hybrid. */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +02001864MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yu955ddd72022-04-22 22:27:33 +08001865static int ssl_tls13_generate_and_write_key_share( mbedtls_ssl_context *ssl,
1866 uint16_t named_group,
1867 unsigned char *buf,
1868 unsigned char *end,
1869 size_t *out_len )
Jerry Yu3bf2c642022-03-30 22:02:12 +08001870{
1871 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yu955ddd72022-04-22 22:27:33 +08001872
1873 *out_len = 0;
1874
Jerry Yu89e103c2022-03-30 22:43:29 +08001875#if defined(MBEDTLS_ECDH_C)
Jerry Yu3bf2c642022-03-30 22:02:12 +08001876 if( mbedtls_ssl_tls13_named_group_is_ecdhe( named_group ) )
1877 {
Jerry Yu89e103c2022-03-30 22:43:29 +08001878 ret = mbedtls_ssl_tls13_generate_and_write_ecdh_key_exchange(
1879 ssl, named_group, buf, end, out_len );
Jerry Yu3bf2c642022-03-30 22:02:12 +08001880 if( ret != 0 )
1881 {
Jerry Yu89e103c2022-03-30 22:43:29 +08001882 MBEDTLS_SSL_DEBUG_RET(
1883 1, "mbedtls_ssl_tls13_generate_and_write_ecdh_key_exchange",
1884 ret );
Jerry Yu3bf2c642022-03-30 22:02:12 +08001885 return( ret );
1886 }
Jerry Yu3bf2c642022-03-30 22:02:12 +08001887 }
Jerry Yu89e103c2022-03-30 22:43:29 +08001888 else
1889#endif /* MBEDTLS_ECDH_C */
1890 if( 0 /* Other kinds of KEMs */ )
Jerry Yu3bf2c642022-03-30 22:02:12 +08001891 {
1892 }
1893 else
1894 {
Jerry Yu955ddd72022-04-22 22:27:33 +08001895 ((void) ssl);
1896 ((void) named_group);
1897 ((void) buf);
1898 ((void) end);
Jerry Yu3bf2c642022-03-30 22:02:12 +08001899 ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
1900 }
1901
1902 return( ret );
1903}
1904
1905/*
1906 * ssl_tls13_write_key_share_ext
1907 *
1908 * Structure of key_share extension in ServerHello:
1909 *
Jerry Yu1c3e6882022-04-20 21:23:40 +08001910 * struct {
1911 * NamedGroup group;
1912 * opaque key_exchange<1..2^16-1>;
1913 * } KeyShareEntry;
1914 * struct {
1915 * KeyShareEntry server_share;
1916 * } KeyShareServerHello;
Jerry Yu3bf2c642022-03-30 22:02:12 +08001917 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +02001918MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yu3bf2c642022-03-30 22:02:12 +08001919static int ssl_tls13_write_key_share_ext( mbedtls_ssl_context *ssl,
1920 unsigned char *buf,
1921 unsigned char *end,
1922 size_t *out_len )
1923{
Jerry Yu955ddd72022-04-22 22:27:33 +08001924 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yu3bf2c642022-03-30 22:02:12 +08001925 unsigned char *p = buf;
Jerry Yu57d48412022-04-20 21:50:42 +08001926 uint16_t group = ssl->handshake->offered_group_id;
Jerry Yu3bf2c642022-03-30 22:02:12 +08001927 unsigned char *server_share = buf + 4;
Jerry Yu3bf2c642022-03-30 22:02:12 +08001928 size_t key_exchange_length;
Jerry Yu3bf2c642022-03-30 22:02:12 +08001929
1930 *out_len = 0;
1931
1932 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding key share extension" ) );
1933
Jerry Yu58af2332022-09-06 11:19:31 +08001934 MBEDTLS_SSL_DEBUG_MSG( 2, ( "server hello, write selected_group: %s (%04x)",
1935 mbedtls_ssl_named_group_to_str( group ),
1936 group ) );
1937
Jerry Yu3bf2c642022-03-30 22:02:12 +08001938 /* Check if we have space for header and length fields:
1939 * - extension_type (2 bytes)
1940 * - extension_data_length (2 bytes)
1941 * - group (2 bytes)
1942 * - key_exchange_length (2 bytes)
1943 */
1944 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 8 );
Jerry Yu57d48412022-04-20 21:50:42 +08001945 MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_KEY_SHARE, p, 0 );
1946 MBEDTLS_PUT_UINT16_BE( group, server_share, 0 );
Jerry Yu3bf2c642022-03-30 22:02:12 +08001947 p += 8;
Jerry Yu57d48412022-04-20 21:50:42 +08001948
Jerry Yu3bf2c642022-03-30 22:02:12 +08001949 /* When we introduce PQC-ECDHE hybrids, we'll want to call this
1950 * function multiple times. */
Jerry Yu955ddd72022-04-22 22:27:33 +08001951 ret = ssl_tls13_generate_and_write_key_share(
Jerry Yue65d8012022-04-23 10:34:35 +08001952 ssl, group, server_share + 4, end, &key_exchange_length );
Jerry Yu3bf2c642022-03-30 22:02:12 +08001953 if( ret != 0 )
1954 return( ret );
1955 p += key_exchange_length;
Jerry Yuc1be19f2022-04-23 16:11:39 +08001956
Jerry Yu955ddd72022-04-22 22:27:33 +08001957 MBEDTLS_PUT_UINT16_BE( key_exchange_length, server_share + 2, 0 );
Jerry Yu3bf2c642022-03-30 22:02:12 +08001958
Jerry Yu57d48412022-04-20 21:50:42 +08001959 MBEDTLS_PUT_UINT16_BE( p - server_share, buf, 2 );
Jerry Yu3bf2c642022-03-30 22:02:12 +08001960
Jerry Yu57d48412022-04-20 21:50:42 +08001961 *out_len = p - buf;
Jerry Yu955ddd72022-04-22 22:27:33 +08001962
Jerry Yu3bf2c642022-03-30 22:02:12 +08001963 return( 0 );
1964}
Jerry Yud9436a12022-04-20 22:28:09 +08001965
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +02001966MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yu23f7a6f2022-04-23 15:16:45 +08001967static int ssl_tls13_write_hrr_key_share_ext( mbedtls_ssl_context *ssl,
1968 unsigned char *buf,
1969 unsigned char *end,
1970 size_t *out_len )
1971{
1972 uint16_t selected_group = ssl->handshake->hrr_selected_group;
1973 /* key_share Extension
1974 *
1975 * struct {
1976 * select (Handshake.msg_type) {
1977 * ...
1978 * case hello_retry_request:
1979 * NamedGroup selected_group;
1980 * ...
1981 * };
1982 * } KeyShare;
1983 */
1984
1985 *out_len = 0;
1986
Jerry Yub0ac10b2022-05-05 11:10:08 +08001987 /*
1988 * For a pure PSK key exchange, there is no group to agree upon. The purpose
1989 * of the HRR is then to transmit a cookie to force the client to demonstrate
1990 * reachability at their apparent network address (primarily useful for DTLS).
1991 */
Ronald Cron79907712022-07-20 17:05:29 +02001992 if( ! mbedtls_ssl_tls13_key_exchange_mode_with_ephemeral( ssl ) )
Jerry Yu23f7a6f2022-04-23 15:16:45 +08001993 return( 0 );
1994
1995 /* We should only send the key_share extension if the client's initial
1996 * key share was not acceptable. */
1997 if( ssl->handshake->offered_group_id != 0 )
1998 {
1999 MBEDTLS_SSL_DEBUG_MSG( 4, ( "Skip key_share extension in HRR" ) );
2000 return( 0 );
2001 }
2002
2003 if( selected_group == 0 )
2004 {
2005 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no matching named group found" ) );
2006 return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
2007 }
2008
Jerry Yub0ac10b2022-05-05 11:10:08 +08002009 /* Check if we have enough space:
2010 * - extension_type (2 bytes)
2011 * - extension_data_length (2 bytes)
2012 * - selected_group (2 bytes)
2013 */
Ronald Cron154d1b62022-06-01 15:33:26 +02002014 MBEDTLS_SSL_CHK_BUF_PTR( buf, end, 6 );
Jerry Yu23f7a6f2022-04-23 15:16:45 +08002015
Jerry Yu23f7a6f2022-04-23 15:16:45 +08002016 MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_KEY_SHARE, buf, 0 );
Jerry Yu23f7a6f2022-04-23 15:16:45 +08002017 MBEDTLS_PUT_UINT16_BE( 2, buf, 2 );
Jerry Yu23f7a6f2022-04-23 15:16:45 +08002018 MBEDTLS_PUT_UINT16_BE( selected_group, buf, 4 );
2019
2020 MBEDTLS_SSL_DEBUG_MSG( 3,
2021 ( "HRR selected_group: %s (%x)",
2022 mbedtls_ssl_named_group_to_str( selected_group ),
2023 selected_group ) );
2024
2025 *out_len = 6;
Jerry Yu23f7a6f2022-04-23 15:16:45 +08002026
Jerry Yub0ac10b2022-05-05 11:10:08 +08002027 return( 0 );
Jerry Yu23f7a6f2022-04-23 15:16:45 +08002028}
Jerry Yu3bf2c642022-03-30 22:02:12 +08002029
2030/*
2031 * Structure of ServerHello message:
2032 *
2033 * struct {
2034 * ProtocolVersion legacy_version = 0x0303; // TLS v1.2
2035 * Random random;
2036 * opaque legacy_session_id_echo<0..32>;
2037 * CipherSuite cipher_suite;
2038 * uint8 legacy_compression_method = 0;
2039 * Extension extensions<6..2^16-1>;
2040 * } ServerHello;
2041 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +02002042MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yu3bf2c642022-03-30 22:02:12 +08002043static int ssl_tls13_write_server_hello_body( mbedtls_ssl_context *ssl,
Jerry Yu56404d72022-03-30 17:36:13 +08002044 unsigned char *buf,
2045 unsigned char *end,
Jerry Yu23f7a6f2022-04-23 15:16:45 +08002046 size_t *out_len,
2047 int is_hrr )
Jerry Yu56404d72022-03-30 17:36:13 +08002048{
Jerry Yu955ddd72022-04-22 22:27:33 +08002049 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yu3bf2c642022-03-30 22:02:12 +08002050 unsigned char *p = buf;
Jerry Yud9436a12022-04-20 22:28:09 +08002051 unsigned char *p_extensions_len;
Jerry Yufbe3e642022-04-25 19:31:51 +08002052 size_t output_len;
Jerry Yu3bf2c642022-03-30 22:02:12 +08002053
2054 *out_len = 0;
2055
Jerry Yucfc04b32022-04-21 09:31:58 +08002056 /* ...
2057 * ProtocolVersion legacy_version = 0x0303; // TLS 1.2
2058 * ...
2059 * with ProtocolVersion defined as:
2060 * uint16 ProtocolVersion;
Jerry Yu3bf2c642022-03-30 22:02:12 +08002061 */
2062 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 );
2063 MBEDTLS_PUT_UINT16_BE( 0x0303, p, 0 );
2064 p += 2;
2065
Jerry Yu1c3e6882022-04-20 21:23:40 +08002066 /* ...
2067 * Random random;
2068 * ...
Jerry Yucfc04b32022-04-21 09:31:58 +08002069 * with Random defined as:
2070 * opaque Random[MBEDTLS_SERVER_HELLO_RANDOM_LEN];
Jerry Yu1c3e6882022-04-20 21:23:40 +08002071 */
Jerry Yu3bf2c642022-03-30 22:02:12 +08002072 MBEDTLS_SSL_CHK_BUF_PTR( p, end, MBEDTLS_SERVER_HELLO_RANDOM_LEN );
Jerry Yu23f7a6f2022-04-23 15:16:45 +08002073 if( is_hrr )
2074 {
2075 memcpy( p, mbedtls_ssl_tls13_hello_retry_request_magic,
Jerry Yufbe3e642022-04-25 19:31:51 +08002076 MBEDTLS_SERVER_HELLO_RANDOM_LEN );
Jerry Yu23f7a6f2022-04-23 15:16:45 +08002077 }
2078 else
2079 {
2080 memcpy( p, &ssl->handshake->randbytes[MBEDTLS_CLIENT_HELLO_RANDOM_LEN],
Jerry Yufbe3e642022-04-25 19:31:51 +08002081 MBEDTLS_SERVER_HELLO_RANDOM_LEN );
Jerry Yu23f7a6f2022-04-23 15:16:45 +08002082 }
Jerry Yu955ddd72022-04-22 22:27:33 +08002083 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, random bytes",
Jerry Yu3bf2c642022-03-30 22:02:12 +08002084 p, MBEDTLS_SERVER_HELLO_RANDOM_LEN );
2085 p += MBEDTLS_SERVER_HELLO_RANDOM_LEN;
2086
Jerry Yucfc04b32022-04-21 09:31:58 +08002087 /* ...
2088 * opaque legacy_session_id_echo<0..32>;
2089 * ...
Jerry Yu3bf2c642022-03-30 22:02:12 +08002090 */
2091 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 1 + ssl->session_negotiate->id_len );
2092 *p++ = (unsigned char)ssl->session_negotiate->id_len;
2093 if( ssl->session_negotiate->id_len > 0 )
2094 {
2095 memcpy( p, &ssl->session_negotiate->id[0],
2096 ssl->session_negotiate->id_len );
2097 p += ssl->session_negotiate->id_len;
Jerry Yu955ddd72022-04-22 22:27:33 +08002098
Jerry Yu3bf2c642022-03-30 22:02:12 +08002099 MBEDTLS_SSL_DEBUG_BUF( 3, "session id", ssl->session_negotiate->id,
2100 ssl->session_negotiate->id_len );
2101 }
2102
Jerry Yucfc04b32022-04-21 09:31:58 +08002103 /* ...
2104 * CipherSuite cipher_suite;
2105 * ...
2106 * with CipherSuite defined as:
2107 * uint8 CipherSuite[2];
Jerry Yu3bf2c642022-03-30 22:02:12 +08002108 */
2109 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 );
2110 MBEDTLS_PUT_UINT16_BE( ssl->session_negotiate->ciphersuite, p, 0 );
2111 p += 2;
2112 MBEDTLS_SSL_DEBUG_MSG( 3,
2113 ( "server hello, chosen ciphersuite: %s ( id=%d )",
2114 mbedtls_ssl_get_ciphersuite_name(
2115 ssl->session_negotiate->ciphersuite ),
2116 ssl->session_negotiate->ciphersuite ) );
2117
Jerry Yucfc04b32022-04-21 09:31:58 +08002118 /* ...
2119 * uint8 legacy_compression_method = 0;
2120 * ...
2121 */
Jerry Yu3bf2c642022-03-30 22:02:12 +08002122 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 1 );
Thomas Daubney31e03a82022-07-25 15:59:25 +01002123 *p++ = MBEDTLS_SSL_COMPRESS_NULL;
Jerry Yu3bf2c642022-03-30 22:02:12 +08002124
Jerry Yucfc04b32022-04-21 09:31:58 +08002125 /* ...
2126 * Extension extensions<6..2^16-1>;
2127 * ...
2128 * struct {
2129 * ExtensionType extension_type; (2 bytes)
2130 * opaque extension_data<0..2^16-1>;
2131 * } Extension;
2132 */
Jerry Yu3bf2c642022-03-30 22:02:12 +08002133 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 );
Jerry Yud9436a12022-04-20 22:28:09 +08002134 p_extensions_len = p;
Jerry Yu3bf2c642022-03-30 22:02:12 +08002135 p += 2;
2136
Jerry Yue74e04a2022-04-21 09:23:16 +08002137 if( ( ret = ssl_tls13_write_server_hello_supported_versions_ext(
Jerry Yu3bf2c642022-03-30 22:02:12 +08002138 ssl, p, end, &output_len ) ) != 0 )
2139 {
Jerry Yu955ddd72022-04-22 22:27:33 +08002140 MBEDTLS_SSL_DEBUG_RET(
2141 1, "ssl_tls13_write_server_hello_supported_versions_ext", ret );
Jerry Yu3bf2c642022-03-30 22:02:12 +08002142 return( ret );
2143 }
2144 p += output_len;
2145
Jerry Yu56acc942022-07-30 23:02:36 +08002146 if( mbedtls_ssl_tls13_key_exchange_mode_with_ephemeral( ssl ) )
Jerry Yu3bf2c642022-03-30 22:02:12 +08002147 {
Jerry Yu23f7a6f2022-04-23 15:16:45 +08002148 if( is_hrr )
2149 ret = ssl_tls13_write_hrr_key_share_ext( ssl, p, end, &output_len );
2150 else
2151 ret = ssl_tls13_write_key_share_ext( ssl, p, end, &output_len );
Jerry Yu3bf2c642022-03-30 22:02:12 +08002152 if( ret != 0 )
2153 return( ret );
2154 p += output_len;
2155 }
Jerry Yu3bf2c642022-03-30 22:02:12 +08002156
Ronald Cron41a443a2022-10-04 16:38:25 +02002157#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
Jerry Yuad4d2bb2022-09-14 22:40:35 +08002158 if( !is_hrr && mbedtls_ssl_tls13_key_exchange_mode_with_psk( ssl ) )
Jerry Yu032b15ce2022-07-11 06:10:03 +00002159 {
Jerry Yubb852022022-07-20 21:10:44 +08002160 ret = ssl_tls13_write_server_pre_shared_key_ext( ssl, p, end, &output_len );
Jerry Yu032b15ce2022-07-11 06:10:03 +00002161 if( ret != 0 )
2162 {
Jerry Yubb852022022-07-20 21:10:44 +08002163 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_tls13_write_server_pre_shared_key_ext",
Jerry Yu032b15ce2022-07-11 06:10:03 +00002164 ret );
2165 return( ret );
2166 }
2167 p += output_len;
2168 }
Ronald Cron41a443a2022-10-04 16:38:25 +02002169#endif
Jerry Yu032b15ce2022-07-11 06:10:03 +00002170
Jerry Yud9436a12022-04-20 22:28:09 +08002171 MBEDTLS_PUT_UINT16_BE( p - p_extensions_len - 2, p_extensions_len, 0 );
Jerry Yu3bf2c642022-03-30 22:02:12 +08002172
Jerry Yud9436a12022-04-20 22:28:09 +08002173 MBEDTLS_SSL_DEBUG_BUF( 4, "server hello extensions",
2174 p_extensions_len, p - p_extensions_len );
Jerry Yu3bf2c642022-03-30 22:02:12 +08002175
Jerry Yud9436a12022-04-20 22:28:09 +08002176 *out_len = p - buf;
Jerry Yu3bf2c642022-03-30 22:02:12 +08002177
Jerry Yud9436a12022-04-20 22:28:09 +08002178 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello", buf, *out_len );
Jerry Yu3bf2c642022-03-30 22:02:12 +08002179
2180 return( ret );
Jerry Yu56404d72022-03-30 17:36:13 +08002181}
2182
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +02002183MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yue110d252022-05-05 10:19:22 +08002184static int ssl_tls13_finalize_write_server_hello( mbedtls_ssl_context *ssl )
2185{
2186 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yuf86eb752022-05-06 11:16:55 +08002187 ret = mbedtls_ssl_tls13_compute_handshake_transform( ssl );
Jerry Yue110d252022-05-05 10:19:22 +08002188 if( ret != 0 )
2189 {
Jerry Yuf86eb752022-05-06 11:16:55 +08002190 MBEDTLS_SSL_DEBUG_RET( 1,
2191 "mbedtls_ssl_tls13_compute_handshake_transform",
Jerry Yue110d252022-05-05 10:19:22 +08002192 ret );
2193 return( ret );
2194 }
2195
Jerry Yue110d252022-05-05 10:19:22 +08002196 return( ret );
2197}
2198
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +02002199MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yu5b64ae92022-03-30 17:15:02 +08002200static int ssl_tls13_write_server_hello( mbedtls_ssl_context *ssl )
2201{
Jerry Yu637a3f12022-04-20 21:37:58 +08002202 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yuf4b27e42022-03-30 17:32:21 +08002203 unsigned char *buf;
2204 size_t buf_len, msg_len;
2205
2206 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write server hello" ) );
2207
Jerry Yuf4b27e42022-03-30 17:32:21 +08002208 MBEDTLS_SSL_PROC_CHK( ssl_tls13_prepare_server_hello( ssl ) );
2209
Jerry Yu3bf2c642022-03-30 22:02:12 +08002210 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_start_handshake_msg( ssl,
Jerry Yuf4b27e42022-03-30 17:32:21 +08002211 MBEDTLS_SSL_HS_SERVER_HELLO, &buf, &buf_len ) );
2212
Jerry Yu3bf2c642022-03-30 22:02:12 +08002213 MBEDTLS_SSL_PROC_CHK( ssl_tls13_write_server_hello_body( ssl, buf,
2214 buf + buf_len,
Jerry Yu23f7a6f2022-04-23 15:16:45 +08002215 &msg_len,
2216 0 ) );
Jerry Yuf4b27e42022-03-30 17:32:21 +08002217
Jerry Yu3bf2c642022-03-30 22:02:12 +08002218 mbedtls_ssl_add_hs_msg_to_checksum(
Jerry Yuf4b27e42022-03-30 17:32:21 +08002219 ssl, MBEDTLS_SSL_HS_SERVER_HELLO, buf, msg_len );
2220
Jerry Yu3bf2c642022-03-30 22:02:12 +08002221 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_finish_handshake_msg(
Jerry Yuf4b27e42022-03-30 17:32:21 +08002222 ssl, buf_len, msg_len ) );
Jerry Yu637a3f12022-04-20 21:37:58 +08002223
Jerry Yue110d252022-05-05 10:19:22 +08002224 MBEDTLS_SSL_PROC_CHK( ssl_tls13_finalize_write_server_hello( ssl ) );
2225
Gabor Mezei7b39bf12022-05-24 16:04:14 +02002226#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
2227 /* The server sends a dummy change_cipher_spec record immediately
2228 * after its first handshake message. This may either be after
2229 * a ServerHello or a HelloRetryRequest.
2230 */
Gabor Mezei96ae9262022-06-28 11:45:18 +02002231 mbedtls_ssl_handshake_set_state(
2232 ssl, MBEDTLS_SSL_SERVER_CCS_AFTER_SERVER_HELLO );
Gabor Mezei7b39bf12022-05-24 16:04:14 +02002233#else
Jerry Yu637a3f12022-04-20 21:37:58 +08002234 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_ENCRYPTED_EXTENSIONS );
Gabor Mezei7b39bf12022-05-24 16:04:14 +02002235#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
Jerry Yue110d252022-05-05 10:19:22 +08002236
Jerry Yuf4b27e42022-03-30 17:32:21 +08002237cleanup:
2238
2239 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server hello" ) );
2240 return( ret );
Jerry Yu5b64ae92022-03-30 17:15:02 +08002241}
2242
Jerry Yu23d1a252022-05-12 18:08:59 +08002243
2244/*
2245 * Handler for MBEDTLS_SSL_HELLO_RETRY_REQUEST
2246 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +02002247MBEDTLS_CHECK_RETURN_CRITICAL
Ronald Cron7b840462022-06-01 17:05:53 +02002248static int ssl_tls13_prepare_hello_retry_request( mbedtls_ssl_context *ssl )
Jerry Yu23d1a252022-05-12 18:08:59 +08002249{
2250 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2251 if( ssl->handshake->hello_retry_request_count > 0 )
2252 {
2253 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Too many HRRs" ) );
2254 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
2255 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
2256 return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
2257 }
2258
2259 /*
2260 * Create stateless transcript hash for HRR
2261 */
2262 MBEDTLS_SSL_DEBUG_MSG( 4, ( "Reset transcript for HRR" ) );
2263 ret = mbedtls_ssl_reset_transcript_for_hrr( ssl );
2264 if( ret != 0 )
2265 {
2266 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_reset_transcript_for_hrr", ret );
2267 return( ret );
2268 }
2269 mbedtls_ssl_session_reset_msg_layer( ssl, 0 );
2270
2271 return( 0 );
2272}
2273
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +02002274MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yu23d1a252022-05-12 18:08:59 +08002275static int ssl_tls13_write_hello_retry_request( mbedtls_ssl_context *ssl )
2276{
2277 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2278 unsigned char *buf;
2279 size_t buf_len, msg_len;
2280
2281 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write hello retry request" ) );
2282
Ronald Cron7b840462022-06-01 17:05:53 +02002283 MBEDTLS_SSL_PROC_CHK( ssl_tls13_prepare_hello_retry_request( ssl ) );
Jerry Yu23d1a252022-05-12 18:08:59 +08002284
2285 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_start_handshake_msg(
2286 ssl, MBEDTLS_SSL_HS_SERVER_HELLO,
2287 &buf, &buf_len ) );
2288
2289 MBEDTLS_SSL_PROC_CHK( ssl_tls13_write_server_hello_body( ssl, buf,
2290 buf + buf_len,
2291 &msg_len,
2292 1 ) );
2293 mbedtls_ssl_add_hs_msg_to_checksum(
2294 ssl, MBEDTLS_SSL_HS_SERVER_HELLO, buf, msg_len );
2295
2296
2297 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_finish_handshake_msg( ssl, buf_len,
2298 msg_len ) );
2299
2300 ssl->handshake->hello_retry_request_count++;
2301
Gabor Mezei7b39bf12022-05-24 16:04:14 +02002302#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
2303 /* The server sends a dummy change_cipher_spec record immediately
2304 * after its first handshake message. This may either be after
2305 * a ServerHello or a HelloRetryRequest.
2306 */
Gabor Mezei96ae9262022-06-28 11:45:18 +02002307 mbedtls_ssl_handshake_set_state(
Gabor Mezeif7044ea2022-06-28 16:01:49 +02002308 ssl, MBEDTLS_SSL_SERVER_CCS_AFTER_HELLO_RETRY_REQUEST );
Gabor Mezei7b39bf12022-05-24 16:04:14 +02002309#else
Jerry Yu23d1a252022-05-12 18:08:59 +08002310 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_HELLO );
Gabor Mezei7b39bf12022-05-24 16:04:14 +02002311#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
Jerry Yu23d1a252022-05-12 18:08:59 +08002312
2313cleanup:
2314 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write hello retry request" ) );
2315 return( ret );
2316}
2317
Jerry Yu5b64ae92022-03-30 17:15:02 +08002318/*
Jerry Yu4d3841a2022-04-16 12:37:19 +08002319 * Handler for MBEDTLS_SSL_ENCRYPTED_EXTENSIONS
2320 */
Jerry Yu4d3841a2022-04-16 12:37:19 +08002321
2322/*
2323 * struct {
2324 * Extension extensions<0..2 ^ 16 - 1>;
2325 * } EncryptedExtensions;
2326 *
2327 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +02002328MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yu4d3841a2022-04-16 12:37:19 +08002329static int ssl_tls13_write_encrypted_extensions_body( mbedtls_ssl_context *ssl,
2330 unsigned char *buf,
2331 unsigned char *end,
2332 size_t *out_len )
2333{
XiaokangQianacb39922022-06-17 10:18:48 +00002334 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yu4d3841a2022-04-16 12:37:19 +08002335 unsigned char *p = buf;
2336 size_t extensions_len = 0;
Jerry Yu8937eb42022-05-03 12:12:14 +08002337 unsigned char *p_extensions_len;
XiaokangQianacb39922022-06-17 10:18:48 +00002338 size_t output_len;
Jerry Yu9da5e5a2022-05-03 15:46:09 +08002339
Jerry Yu4d3841a2022-04-16 12:37:19 +08002340 *out_len = 0;
2341
2342 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 );
Jerry Yu8937eb42022-05-03 12:12:14 +08002343 p_extensions_len = p;
Jerry Yu4d3841a2022-04-16 12:37:19 +08002344 p += 2;
2345
Jerry Yu8937eb42022-05-03 12:12:14 +08002346 ((void) ssl);
XiaokangQianacb39922022-06-17 10:18:48 +00002347 ((void) ret);
2348 ((void) output_len);
2349
2350#if defined(MBEDTLS_SSL_ALPN)
2351 ret = mbedtls_ssl_write_alpn_ext( ssl, p, end, &output_len );
2352 if( ret != 0 )
2353 return( ret );
XiaokangQian95d5f542022-06-24 02:29:26 +00002354 p += output_len;
XiaokangQianacb39922022-06-17 10:18:48 +00002355#endif /* MBEDTLS_SSL_ALPN */
Jerry Yu4d3841a2022-04-16 12:37:19 +08002356
Jerry Yu8937eb42022-05-03 12:12:14 +08002357 extensions_len = ( p - p_extensions_len ) - 2;
2358 MBEDTLS_PUT_UINT16_BE( extensions_len, p_extensions_len, 0 );
2359
2360 *out_len = p - buf;
Jerry Yu4d3841a2022-04-16 12:37:19 +08002361
2362 MBEDTLS_SSL_DEBUG_BUF( 4, "encrypted extensions", buf, *out_len );
2363
2364 return( 0 );
2365}
2366
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +02002367MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yu4d3841a2022-04-16 12:37:19 +08002368static int ssl_tls13_write_encrypted_extensions( mbedtls_ssl_context *ssl )
2369{
2370 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2371 unsigned char *buf;
Jerry Yu39730a72022-05-03 12:14:04 +08002372 size_t buf_len, msg_len;
Jerry Yu4d3841a2022-04-16 12:37:19 +08002373
Gabor Mezei54719122022-06-28 11:34:56 +02002374 mbedtls_ssl_set_outbound_transform( ssl,
2375 ssl->handshake->transform_handshake );
2376 MBEDTLS_SSL_DEBUG_MSG(
2377 3, ( "switching to handshake transform for outbound data" ) );
2378
Jerry Yuab452cc2022-04-28 15:27:08 +08002379 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write encrypted extensions" ) );
Jerry Yu4d3841a2022-04-16 12:37:19 +08002380
Jerry Yu4d3841a2022-04-16 12:37:19 +08002381 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_start_handshake_msg( ssl,
2382 MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS, &buf, &buf_len ) );
2383
2384 MBEDTLS_SSL_PROC_CHK( ssl_tls13_write_encrypted_extensions_body(
2385 ssl, buf, buf + buf_len, &msg_len ) );
2386
2387 mbedtls_ssl_add_hs_msg_to_checksum(
2388 ssl, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS, buf, msg_len );
2389
Jerry Yu4d3841a2022-04-16 12:37:19 +08002390 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_finish_handshake_msg(
2391 ssl, buf_len, msg_len ) );
2392
Ronald Cron928cbd32022-10-04 16:14:26 +02002393#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
Ronald Cron79907712022-07-20 17:05:29 +02002394 if( mbedtls_ssl_tls13_key_exchange_mode_with_psk( ssl ) )
Jerry Yu8937eb42022-05-03 12:12:14 +08002395 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_FINISHED );
2396 else
XiaokangQiana987e1d2022-05-07 01:25:58 +00002397 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CERTIFICATE_REQUEST );
Jerry Yu8937eb42022-05-03 12:12:14 +08002398#else
2399 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_FINISHED );
2400#endif
2401
Jerry Yu4d3841a2022-04-16 12:37:19 +08002402cleanup:
2403
Jerry Yuab452cc2022-04-28 15:27:08 +08002404 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write encrypted extensions" ) );
Jerry Yu4d3841a2022-04-16 12:37:19 +08002405 return( ret );
2406}
2407
Ronald Cron928cbd32022-10-04 16:14:26 +02002408#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
XiaokangQiana987e1d2022-05-07 01:25:58 +00002409#define SSL_CERTIFICATE_REQUEST_SEND_REQUEST 0
2410#define SSL_CERTIFICATE_REQUEST_SKIP 1
2411/* Coordination:
2412 * Check whether a CertificateRequest message should be written.
2413 * Returns a negative code on failure, or
2414 * - SSL_CERTIFICATE_REQUEST_SEND_REQUEST
2415 * - SSL_CERTIFICATE_REQUEST_SKIP
2416 * indicating if the writing of the CertificateRequest
2417 * should be skipped or not.
2418 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +02002419MBEDTLS_CHECK_RETURN_CRITICAL
XiaokangQiana987e1d2022-05-07 01:25:58 +00002420static int ssl_tls13_certificate_request_coordinate( mbedtls_ssl_context *ssl )
2421{
2422 int authmode;
2423
XiaokangQian40a35232022-05-07 09:02:40 +00002424#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
2425 if( ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET )
2426 authmode = ssl->handshake->sni_authmode;
2427 else
2428#endif
XiaokangQiana987e1d2022-05-07 01:25:58 +00002429 authmode = ssl->conf->authmode;
2430
2431 if( authmode == MBEDTLS_SSL_VERIFY_NONE )
Ronald Croneac00ad2022-09-13 10:16:31 +02002432 {
2433 ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_SKIP_VERIFY;
XiaokangQiana987e1d2022-05-07 01:25:58 +00002434 return( SSL_CERTIFICATE_REQUEST_SKIP );
Ronald Croneac00ad2022-09-13 10:16:31 +02002435 }
XiaokangQiana987e1d2022-05-07 01:25:58 +00002436
XiaokangQianc3017f62022-05-13 05:55:41 +00002437 ssl->handshake->certificate_request_sent = 1;
XiaokangQian189ded22022-05-10 08:12:17 +00002438
XiaokangQiana987e1d2022-05-07 01:25:58 +00002439 return( SSL_CERTIFICATE_REQUEST_SEND_REQUEST );
2440}
2441
XiaokangQiancec9ae62022-05-06 07:28:50 +00002442/*
2443 * struct {
2444 * opaque certificate_request_context<0..2^8-1>;
2445 * Extension extensions<2..2^16-1>;
2446 * } CertificateRequest;
2447 *
2448 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +02002449MBEDTLS_CHECK_RETURN_CRITICAL
XiaokangQiancec9ae62022-05-06 07:28:50 +00002450static int ssl_tls13_write_certificate_request_body( mbedtls_ssl_context *ssl,
2451 unsigned char *buf,
2452 const unsigned char *end,
2453 size_t *out_len )
2454{
2455 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2456 unsigned char *p = buf;
XiaokangQianec6efb92022-05-06 09:53:10 +00002457 size_t output_len = 0;
XiaokangQiancec9ae62022-05-06 07:28:50 +00002458 unsigned char *p_extensions_len;
2459
2460 *out_len = 0;
2461
2462 /* Check if we have enough space:
2463 * - certificate_request_context (1 byte)
2464 * - extensions length (2 bytes)
2465 */
2466 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 3 );
2467
2468 /*
2469 * Write certificate_request_context
2470 */
2471 /*
2472 * We use a zero length context for the normal handshake
2473 * messages. For post-authentication handshake messages
2474 * this request context would be set to a non-zero value.
2475 */
2476 *p++ = 0x0;
2477
2478 /*
2479 * Write extensions
2480 */
2481 /* The extensions must contain the signature_algorithms. */
2482 p_extensions_len = p;
2483 p += 2;
XiaokangQianec6efb92022-05-06 09:53:10 +00002484 ret = mbedtls_ssl_write_sig_alg_ext( ssl, p, end, &output_len );
XiaokangQiancec9ae62022-05-06 07:28:50 +00002485 if( ret != 0 )
2486 return( ret );
2487
XiaokangQianec6efb92022-05-06 09:53:10 +00002488 p += output_len;
XiaokangQianaad9b0a2022-05-09 01:11:21 +00002489 MBEDTLS_PUT_UINT16_BE( p - p_extensions_len - 2, p_extensions_len, 0 );
XiaokangQiancec9ae62022-05-06 07:28:50 +00002490
2491 *out_len = p - buf;
2492
2493 return( 0 );
2494}
2495
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +02002496MBEDTLS_CHECK_RETURN_CRITICAL
XiaokangQiancec9ae62022-05-06 07:28:50 +00002497static int ssl_tls13_write_certificate_request( mbedtls_ssl_context *ssl )
2498{
2499 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2500
2501 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) );
2502
2503 MBEDTLS_SSL_PROC_CHK_NEG( ssl_tls13_certificate_request_coordinate( ssl ) );
2504
2505 if( ret == SSL_CERTIFICATE_REQUEST_SEND_REQUEST )
2506 {
2507 unsigned char *buf;
2508 size_t buf_len, msg_len;
2509
2510 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_start_handshake_msg( ssl,
2511 MBEDTLS_SSL_HS_CERTIFICATE_REQUEST, &buf, &buf_len ) );
2512
2513 MBEDTLS_SSL_PROC_CHK( ssl_tls13_write_certificate_request_body(
2514 ssl, buf, buf + buf_len, &msg_len ) );
2515
2516 mbedtls_ssl_add_hs_msg_to_checksum(
2517 ssl, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST, buf, msg_len );
2518
2519 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_finish_handshake_msg(
2520 ssl, buf_len, msg_len ) );
2521 }
2522 else if( ret == SSL_CERTIFICATE_REQUEST_SKIP )
2523 {
2524 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) );
2525 ret = 0;
2526 }
2527 else
2528 {
2529 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2530 ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
2531 goto cleanup;
2532 }
2533
2534 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_CERTIFICATE );
2535cleanup:
2536
2537 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate request" ) );
2538 return( ret );
2539}
XiaokangQiancec9ae62022-05-06 07:28:50 +00002540
Jerry Yu4d3841a2022-04-16 12:37:19 +08002541/*
Jerry Yuc6e6dbf2022-04-16 19:42:57 +08002542 * Handler for MBEDTLS_SSL_SERVER_CERTIFICATE
Jerry Yu83da34e2022-04-16 13:59:52 +08002543 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +02002544MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yuc6e6dbf2022-04-16 19:42:57 +08002545static int ssl_tls13_write_server_certificate( mbedtls_ssl_context *ssl )
Jerry Yu83da34e2022-04-16 13:59:52 +08002546{
Jerry Yu5a26f302022-05-10 20:46:40 +08002547 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
XiaokangQianfb665a82022-06-15 03:57:21 +00002548
2549#if defined(MBEDTLS_X509_CRT_PARSE_C)
2550 if( ( ssl_tls13_pick_key_cert( ssl ) != 0 ) ||
2551 mbedtls_ssl_own_cert( ssl ) == NULL )
Jerry Yu5a26f302022-05-10 20:46:40 +08002552 {
Jerry Yub89125b2022-05-13 15:45:49 +08002553 MBEDTLS_SSL_DEBUG_MSG( 2, ( "No certificate available." ) );
Jerry Yu5a26f302022-05-10 20:46:40 +08002554 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
2555 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE);
Jerry Yuf1c3c4e2022-05-10 11:36:35 +08002556 return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
Jerry Yu5a26f302022-05-10 20:46:40 +08002557 }
XiaokangQianfb665a82022-06-15 03:57:21 +00002558#endif /* MBEDTLS_X509_CRT_PARSE_C */
Jerry Yu5a26f302022-05-10 20:46:40 +08002559
Jerry Yuf1c3c4e2022-05-10 11:36:35 +08002560 ret = mbedtls_ssl_tls13_write_certificate( ssl );
2561 if( ret != 0 )
Jerry Yu1bff7112022-04-16 14:29:11 +08002562 return( ret );
Jerry Yu1bff7112022-04-16 14:29:11 +08002563 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CERTIFICATE_VERIFY );
2564 return( 0 );
Jerry Yu83da34e2022-04-16 13:59:52 +08002565}
2566
2567/*
Jerry Yuc6e6dbf2022-04-16 19:42:57 +08002568 * Handler for MBEDTLS_SSL_CERTIFICATE_VERIFY
Jerry Yu83da34e2022-04-16 13:59:52 +08002569 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +02002570MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yuc6e6dbf2022-04-16 19:42:57 +08002571static int ssl_tls13_write_certificate_verify( mbedtls_ssl_context *ssl )
Jerry Yu83da34e2022-04-16 13:59:52 +08002572{
Jerry Yu4ff9e142022-04-16 14:57:49 +08002573 int ret = mbedtls_ssl_tls13_write_certificate_verify( ssl );
Jerry Yuf1c3c4e2022-05-10 11:36:35 +08002574 if( ret != 0 )
Jerry Yu4ff9e142022-04-16 14:57:49 +08002575 return( ret );
Jerry Yu4ff9e142022-04-16 14:57:49 +08002576 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_FINISHED );
2577 return( 0 );
Jerry Yu83da34e2022-04-16 13:59:52 +08002578}
Ronald Cron928cbd32022-10-04 16:14:26 +02002579#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
Jerry Yu83da34e2022-04-16 13:59:52 +08002580
2581/*
Jerry Yud6e253d2022-05-18 13:59:24 +08002582 * Handler for MBEDTLS_SSL_SERVER_FINISHED
Jerry Yu69dd8d42022-04-16 12:51:26 +08002583 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +02002584MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yu4d8567f2022-04-17 10:57:57 +08002585static int ssl_tls13_write_server_finished( mbedtls_ssl_context *ssl )
Jerry Yu69dd8d42022-04-16 12:51:26 +08002586{
Jerry Yud6e253d2022-05-18 13:59:24 +08002587 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yu27bdc7c2022-04-16 13:33:27 +08002588
2589 ret = mbedtls_ssl_tls13_write_finished_message( ssl );
2590 if( ret != 0 )
2591 return( ret );
2592
Jerry Yue3d67cb2022-05-19 15:33:10 +08002593 ret = mbedtls_ssl_tls13_compute_application_transform( ssl );
2594 if( ret != 0 )
2595 {
2596 MBEDTLS_SSL_PEND_FATAL_ALERT(
2597 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
2598 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
2599 return( ret );
2600 }
XiaokangQianc3017f62022-05-13 05:55:41 +00002601
Ronald Cron63dc4632022-05-31 14:41:53 +02002602 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Switch to handshake keys for inbound traffic" ) );
2603 mbedtls_ssl_set_inbound_transform( ssl, ssl->handshake->transform_handshake );
XiaokangQian189ded22022-05-10 08:12:17 +00002604
Ronald Cron63dc4632022-05-31 14:41:53 +02002605 if( ssl->handshake->certificate_request_sent )
2606 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE );
XiaokangQian189ded22022-05-10 08:12:17 +00002607 else
Ronald Cron19385882022-06-15 16:26:13 +02002608 {
2609 MBEDTLS_SSL_DEBUG_MSG( 2, ( "skip parse certificate" ) );
2610 MBEDTLS_SSL_DEBUG_MSG( 2, ( "skip parse certificate verify" ) );
XiaokangQian189ded22022-05-10 08:12:17 +00002611 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_FINISHED );
Ronald Cron19385882022-06-15 16:26:13 +02002612 }
Ronald Cron63dc4632022-05-31 14:41:53 +02002613
Jerry Yu27bdc7c2022-04-16 13:33:27 +08002614 return( 0 );
Jerry Yu69dd8d42022-04-16 12:51:26 +08002615}
2616
2617/*
Jerry Yud6e253d2022-05-18 13:59:24 +08002618 * Handler for MBEDTLS_SSL_CLIENT_FINISHED
Jerry Yu69dd8d42022-04-16 12:51:26 +08002619 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +02002620MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yu4d8567f2022-04-17 10:57:57 +08002621static int ssl_tls13_process_client_finished( mbedtls_ssl_context *ssl )
Jerry Yu69dd8d42022-04-16 12:51:26 +08002622{
Jerry Yud6e253d2022-05-18 13:59:24 +08002623 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2624
Jerry Yuff226982022-04-16 16:52:57 +08002625 ret = mbedtls_ssl_tls13_process_finished_message( ssl );
2626 if( ret != 0 )
2627 return( ret );
2628
Jerry Yu466dda82022-09-13 11:20:20 +08002629 ret = mbedtls_ssl_tls13_compute_resumption_master_secret( ssl );
Jerry Yue3d67cb2022-05-19 15:33:10 +08002630 if( ret != 0 )
2631 {
2632 MBEDTLS_SSL_DEBUG_RET( 1,
Jerry Yu466dda82022-09-13 11:20:20 +08002633 "mbedtls_ssl_tls13_compute_resumption_master_secret", ret );
Jerry Yue3d67cb2022-05-19 15:33:10 +08002634 }
2635
Jerry Yu03ed50b2022-04-16 17:13:30 +08002636 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_HANDSHAKE_WRAPUP );
Jerry Yuff226982022-04-16 16:52:57 +08002637 return( 0 );
Jerry Yu69dd8d42022-04-16 12:51:26 +08002638}
2639
2640/*
Jerry Yud6e253d2022-05-18 13:59:24 +08002641 * Handler for MBEDTLS_SSL_HANDSHAKE_WRAPUP
Jerry Yu69dd8d42022-04-16 12:51:26 +08002642 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +02002643MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yu4d8567f2022-04-17 10:57:57 +08002644static int ssl_tls13_handshake_wrapup( mbedtls_ssl_context *ssl )
Jerry Yu69dd8d42022-04-16 12:51:26 +08002645{
Jerry Yu03ed50b2022-04-16 17:13:30 +08002646 MBEDTLS_SSL_DEBUG_MSG( 2, ( "handshake: done" ) );
2647
Jerry Yu03ed50b2022-04-16 17:13:30 +08002648 mbedtls_ssl_tls13_handshake_wrapup( ssl );
Jerry Yue67bef42022-07-07 07:29:42 +00002649
2650#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Jerry Yufca4d572022-07-21 10:37:48 +08002651 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_NEW_SESSION_TICKET );
2652#else
Jerry Yu03ed50b2022-04-16 17:13:30 +08002653 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_HANDSHAKE_OVER );
Jerry Yufca4d572022-07-21 10:37:48 +08002654#endif
Jerry Yu03ed50b2022-04-16 17:13:30 +08002655 return( 0 );
Jerry Yu69dd8d42022-04-16 12:51:26 +08002656}
2657
2658/*
Jerry Yue67bef42022-07-07 07:29:42 +00002659 * Handler for MBEDTLS_SSL_NEW_SESSION_TICKET
2660 */
2661#define SSL_NEW_SESSION_TICKET_SKIP 0
2662#define SSL_NEW_SESSION_TICKET_WRITE 1
2663MBEDTLS_CHECK_RETURN_CRITICAL
2664static int ssl_tls13_write_new_session_ticket_coordinate( mbedtls_ssl_context *ssl )
2665{
2666 /* Check whether the use of session tickets is enabled */
2667 if( ssl->conf->f_ticket_write == NULL )
2668 {
Jerry Yud0766ec2022-09-22 10:46:57 +08002669 MBEDTLS_SSL_DEBUG_MSG( 2, ( "NewSessionTicket: disabled,"
2670 " callback is not set" ) );
2671 return( SSL_NEW_SESSION_TICKET_SKIP );
2672 }
2673 if( ssl->conf->new_session_tickets_count == 0 )
2674 {
2675 MBEDTLS_SSL_DEBUG_MSG( 2, ( "NewSessionTicket: disabled,"
2676 " configured count is zero" ) );
2677 return( SSL_NEW_SESSION_TICKET_SKIP );
2678 }
2679
2680 if( ssl->handshake->new_session_tickets_count == 0 )
2681 {
2682 MBEDTLS_SSL_DEBUG_MSG( 2, ( "NewSessionTicket: all tickets have "
2683 "been sent." ) );
Jerry Yue67bef42022-07-07 07:29:42 +00002684 return( SSL_NEW_SESSION_TICKET_SKIP );
2685 }
2686
Jerry Yue67bef42022-07-07 07:29:42 +00002687 return( SSL_NEW_SESSION_TICKET_WRITE );
2688}
2689
2690#if defined(MBEDTLS_SSL_SESSION_TICKETS)
2691MBEDTLS_CHECK_RETURN_CRITICAL
2692static int ssl_tls13_prepare_new_session_ticket( mbedtls_ssl_context *ssl,
2693 unsigned char *ticket_nonce,
2694 size_t ticket_nonce_size )
2695{
2696 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2697 mbedtls_ssl_session *session = ssl->session;
2698 mbedtls_ssl_ciphersuite_t *ciphersuite_info;
2699 psa_algorithm_t psa_hash_alg;
2700 int hash_length;
2701
2702 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> prepare NewSessionTicket msg" ) );
2703
2704#if defined(MBEDTLS_HAVE_TIME)
2705 session->start = mbedtls_time( NULL );
2706#endif
2707
2708 /* Generate ticket_age_add */
2709 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng,
Jerry Yufca4d572022-07-21 10:37:48 +08002710 (unsigned char *) &session->ticket_age_add,
Jerry Yue67bef42022-07-07 07:29:42 +00002711 sizeof( session->ticket_age_add ) ) != 0 ) )
2712 {
2713 MBEDTLS_SSL_DEBUG_RET( 1, "generate_ticket_age_add", ret );
2714 return( ret );
2715 }
2716 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket_age_add: %u",
Jerry Yufca4d572022-07-21 10:37:48 +08002717 (unsigned int)session->ticket_age_add ) );
Jerry Yue67bef42022-07-07 07:29:42 +00002718
2719 /* Generate ticket_nonce */
2720 ret = ssl->conf->f_rng( ssl->conf->p_rng, ticket_nonce, ticket_nonce_size );
2721 if( ret != 0 )
2722 {
2723 MBEDTLS_SSL_DEBUG_RET( 1, "generate_ticket_nonce", ret );
2724 return( ret );
2725 }
2726 MBEDTLS_SSL_DEBUG_BUF( 3, "ticket_nonce:",
2727 ticket_nonce, ticket_nonce_size );
2728
2729 ciphersuite_info =
2730 (mbedtls_ssl_ciphersuite_t *) ssl->handshake->ciphersuite_info;
2731 psa_hash_alg = mbedtls_psa_translate_md( ciphersuite_info->mac );
2732 hash_length = PSA_HASH_LENGTH( psa_hash_alg );
Jerry Yufca4d572022-07-21 10:37:48 +08002733 if( hash_length == -1 ||
Jerry Yu61197152022-07-21 16:28:02 +08002734 (size_t)hash_length > sizeof( session->resumption_key ) )
Jerry Yufca4d572022-07-21 10:37:48 +08002735 {
Jerry Yue67bef42022-07-07 07:29:42 +00002736 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Jerry Yufca4d572022-07-21 10:37:48 +08002737 }
2738
Jerry Yue67bef42022-07-07 07:29:42 +00002739 /* In this code the psk key length equals the length of the hash */
2740 session->resumption_key_len = hash_length;
2741 session->ciphersuite = ciphersuite_info->id;
2742
2743 /* Compute resumption key
2744 *
2745 * HKDF-Expand-Label( resumption_master_secret,
2746 * "resumption", ticket_nonce, Hash.length )
2747 */
2748 ret = mbedtls_ssl_tls13_hkdf_expand_label(
2749 psa_hash_alg,
2750 session->app_secrets.resumption_master_secret,
2751 hash_length,
2752 MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( resumption ),
2753 ticket_nonce,
2754 ticket_nonce_size,
2755 session->resumption_key,
2756 hash_length );
2757
2758 if( ret != 0 )
2759 {
2760 MBEDTLS_SSL_DEBUG_RET( 2,
2761 "Creating the ticket-resumed PSK failed",
2762 ret );
2763 return ( ret );
2764 }
2765 MBEDTLS_SSL_DEBUG_BUF( 3, "Ticket-resumed PSK",
2766 session->resumption_key,
2767 session->resumption_key_len );
2768
2769 MBEDTLS_SSL_DEBUG_BUF( 3, "resumption_master_secret",
2770 session->app_secrets.resumption_master_secret,
2771 hash_length );
2772
2773 return( 0 );
2774}
2775
2776/* This function creates a NewSessionTicket message in the following format:
2777 *
2778 * struct {
2779 * uint32 ticket_lifetime;
2780 * uint32 ticket_age_add;
2781 * opaque ticket_nonce<0..255>;
2782 * opaque ticket<1..2^16-1>;
2783 * Extension extensions<0..2^16-2>;
2784 * } NewSessionTicket;
2785 *
2786 * The ticket inside the NewSessionTicket message is an encrypted container
2787 * carrying the necessary information so that the server is later able to
2788 * re-start the communication.
2789 *
2790 * The following fields are placed inside the ticket by the
2791 * f_ticket_write() function:
2792 *
2793 * - creation time (start)
2794 * - flags (flags)
2795 * - age add (ticket_age_add)
2796 * - key (key)
2797 * - key length (key_len)
2798 * - ciphersuite (ciphersuite)
2799 */
2800MBEDTLS_CHECK_RETURN_CRITICAL
2801static int ssl_tls13_write_new_session_ticket_body( mbedtls_ssl_context *ssl,
2802 unsigned char *buf,
2803 unsigned char *end,
2804 size_t *out_len,
2805 unsigned char *ticket_nonce,
2806 size_t ticket_nonce_size )
2807{
2808 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2809 unsigned char *p = buf;
2810 mbedtls_ssl_session *session = ssl->session;
2811 size_t ticket_len;
2812 uint32_t ticket_lifetime;
2813
2814 *out_len = 0;
2815 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write NewSessionTicket msg" ) );
2816
2817 /*
2818 * ticket_lifetime 4 bytes
2819 * ticket_age_add 4 bytes
2820 * ticket_nonce 1 + ticket_nonce_size bytes
2821 * ticket >=2 bytes
2822 */
2823 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 4 + 4 + 1 + ticket_nonce_size + 2 );
2824
2825 /* Generate ticket and ticket_lifetime */
2826 ret = ssl->conf->f_ticket_write( ssl->conf->p_ticket,
2827 session,
2828 p + 9 + ticket_nonce_size + 2,
2829 end,
2830 &ticket_len,
2831 &ticket_lifetime);
2832 if( ret != 0 )
2833 {
2834 MBEDTLS_SSL_DEBUG_RET( 1, "write_ticket", ret );
2835 return( ret );
2836 }
2837 /* RFC 8446 4.6.1
2838 * ticket_lifetime: Indicates the lifetime in seconds as a 32-bit
2839 * unsigned integer in network byte order from the time of ticket
2840 * issuance. Servers MUST NOT use any value greater than
2841 * 604800 seconds (7 days). The value of zero indicates that the
2842 * ticket should be discarded immediately. Clients MUST NOT cache
2843 * tickets for longer than 7 days, regardless of the ticket_lifetime,
2844 * and MAY delete tickets earlier based on local policy. A server
2845 * MAY treat a ticket as valid for a shorter period of time than what
2846 * is stated in the ticket_lifetime.
2847 */
Xiaokang Qian28af5012022-10-13 08:18:19 +00002848 if( ticket_lifetime > 604800 )
2849 ticket_lifetime = 604800;
Jerry Yue67bef42022-07-07 07:29:42 +00002850 MBEDTLS_PUT_UINT32_BE( ticket_lifetime, p, 0 );
2851 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket_lifetime: %u",
2852 ( unsigned int )ticket_lifetime ) );
2853
2854 /* Write ticket_age_add */
2855 MBEDTLS_PUT_UINT32_BE( session->ticket_age_add, p, 4 );
2856 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket_age_add: %u",
2857 ( unsigned int )session->ticket_age_add ) );
2858
2859 /* Write ticket_nonce */
2860 p[8] = ( unsigned char )ticket_nonce_size;
2861 if( ticket_nonce_size > 0 )
2862 {
2863 memcpy( p + 9, ticket_nonce, ticket_nonce_size );
2864 }
2865 p += 9 + ticket_nonce_size;
2866
2867 /* Write ticket */
2868 MBEDTLS_PUT_UINT16_BE( ticket_len, p, 0 );
2869 p += 2;
2870 MBEDTLS_SSL_DEBUG_BUF( 4, "ticket", p, ticket_len);
2871 p += ticket_len;
2872
2873 /* Ticket Extensions
2874 *
2875 * Note: We currently don't have any extensions.
2876 * Set length to zero.
2877 */
2878 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 );
2879 MBEDTLS_PUT_UINT16_BE( 0, p, 0 );
2880 p += 2;
2881
2882 *out_len = p - buf;
2883 MBEDTLS_SSL_DEBUG_BUF( 4, "ticket", buf, *out_len );
2884 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write new session ticket" ) );
2885
2886 return( 0 );
2887}
2888
2889/*
2890 * Handler for MBEDTLS_SSL_NEW_SESSION_TICKET
2891 */
2892static int ssl_tls13_write_new_session_ticket( mbedtls_ssl_context *ssl )
2893{
2894 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2895
2896 MBEDTLS_SSL_PROC_CHK_NEG( ssl_tls13_write_new_session_ticket_coordinate( ssl ) );
2897
2898 if( ret == SSL_NEW_SESSION_TICKET_WRITE )
2899 {
2900 unsigned char ticket_nonce[MBEDTLS_SSL_TLS1_3_TICKET_NONCE_LENGTH];
2901 unsigned char *buf;
2902 size_t buf_len, msg_len;
2903
2904 MBEDTLS_SSL_PROC_CHK( ssl_tls13_prepare_new_session_ticket(
2905 ssl, ticket_nonce, sizeof( ticket_nonce ) ) );
2906
2907 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_start_handshake_msg( ssl,
2908 MBEDTLS_SSL_HS_NEW_SESSION_TICKET, &buf, &buf_len ) );
2909
2910 MBEDTLS_SSL_PROC_CHK( ssl_tls13_write_new_session_ticket_body(
2911 ssl, buf, buf + buf_len, &msg_len,
2912 ticket_nonce, sizeof( ticket_nonce ) ) );
2913
Jerry Yue67bef42022-07-07 07:29:42 +00002914 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_finish_handshake_msg(
2915 ssl, buf_len, msg_len ) );
Jerry Yufca4d572022-07-21 10:37:48 +08002916
Jerry Yu359e65f2022-09-22 23:47:43 +08002917 /* Limit session tickets count to one when resumption connection.
2918 *
2919 * See document of mbedtls_ssl_conf_new_session_tickets.
2920 */
2921 if( ssl->handshake->resume == 1 )
2922 ssl->handshake->new_session_tickets_count = 0;
2923 else
2924 ssl->handshake->new_session_tickets_count--;
Jerry Yub7e3fa72022-09-22 11:07:18 +08002925
Jerry Yufca4d572022-07-21 10:37:48 +08002926 mbedtls_ssl_handshake_set_state( ssl,
2927 MBEDTLS_SSL_NEW_SESSION_TICKET_FLUSH );
Jerry Yue67bef42022-07-07 07:29:42 +00002928 }
2929 else
2930 {
2931 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_HANDSHAKE_OVER );
2932 }
2933
Jerry Yue67bef42022-07-07 07:29:42 +00002934cleanup:
2935
2936 return( ret );
2937}
2938#endif /* MBEDTLS_SSL_SESSION_TICKETS */
2939
2940/*
XiaokangQiane8ff3502022-04-22 02:34:40 +00002941 * TLS 1.3 State Machine -- server side
XiaokangQian7807f9f2022-02-15 10:04:37 +00002942 */
Jerry Yu27561932021-08-27 17:07:38 +08002943int mbedtls_ssl_tls13_handshake_server_step( mbedtls_ssl_context *ssl )
Jerry Yub9930e72021-08-06 17:11:51 +08002944{
XiaokangQian08037552022-04-20 07:16:41 +00002945 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
XiaokangQian7807f9f2022-02-15 10:04:37 +00002946
2947 if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER || ssl->handshake == NULL )
2948 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
2949
Jerry Yue3b34122021-09-28 17:53:35 +08002950 MBEDTLS_SSL_DEBUG_MSG( 2, ( "tls13 server state: %s(%d)",
2951 mbedtls_ssl_states_str( ssl->state ),
2952 ssl->state ) );
Jerry Yu6e81b272021-09-27 11:16:17 +08002953
XiaokangQian7807f9f2022-02-15 10:04:37 +00002954 switch( ssl->state )
2955 {
2956 /* start state */
2957 case MBEDTLS_SSL_HELLO_REQUEST:
XiaokangQian7807f9f2022-02-15 10:04:37 +00002958 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_HELLO );
XiaokangQian08037552022-04-20 07:16:41 +00002959 ret = 0;
XiaokangQian7807f9f2022-02-15 10:04:37 +00002960 break;
2961
XiaokangQian7807f9f2022-02-15 10:04:37 +00002962 case MBEDTLS_SSL_CLIENT_HELLO:
XiaokangQian4080a7f2022-04-11 09:55:18 +00002963 ret = ssl_tls13_process_client_hello( ssl );
XiaokangQian7807f9f2022-02-15 10:04:37 +00002964 if( ret != 0 )
XiaokangQian4080a7f2022-04-11 09:55:18 +00002965 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_tls13_process_client_hello", ret );
Jerry Yuf41553b2022-05-09 22:20:30 +08002966 break;
XiaokangQian7807f9f2022-02-15 10:04:37 +00002967
Jerry Yuf41553b2022-05-09 22:20:30 +08002968 case MBEDTLS_SSL_HELLO_RETRY_REQUEST:
2969 ret = ssl_tls13_write_hello_retry_request( ssl );
2970 if( ret != 0 )
2971 {
2972 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_tls13_write_hello_retry_request", ret );
2973 return( ret );
2974 }
XiaokangQian7807f9f2022-02-15 10:04:37 +00002975 break;
2976
Jerry Yu5b64ae92022-03-30 17:15:02 +08002977 case MBEDTLS_SSL_SERVER_HELLO:
2978 ret = ssl_tls13_write_server_hello( ssl );
2979 break;
2980
Xiaofei Baicba64af2022-02-15 10:00:56 +00002981 case MBEDTLS_SSL_ENCRYPTED_EXTENSIONS:
Jerry Yu4d3841a2022-04-16 12:37:19 +08002982 ret = ssl_tls13_write_encrypted_extensions( ssl );
Xiaofei Baicba64af2022-02-15 10:00:56 +00002983 if( ret != 0 )
2984 {
Jerry Yu4d3841a2022-04-16 12:37:19 +08002985 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_tls13_write_encrypted_extensions", ret );
2986 return( ret );
Xiaofei Baicba64af2022-02-15 10:00:56 +00002987 }
Jerry Yu48330562022-05-06 21:35:44 +08002988 break;
Jerry Yu6a2cd9e2022-05-05 11:14:19 +08002989
Ronald Cron928cbd32022-10-04 16:14:26 +02002990#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
Xiaofei Bai9ca09d42022-02-14 12:57:18 +00002991 case MBEDTLS_SSL_CERTIFICATE_REQUEST:
Xiaofei Bai5ee73d82022-03-14 02:48:30 +00002992 ret = ssl_tls13_write_certificate_request( ssl );
Xiaofei Bai9ca09d42022-02-14 12:57:18 +00002993 break;
Xiaofei Bai9ca09d42022-02-14 12:57:18 +00002994
Jerry Yu83da34e2022-04-16 13:59:52 +08002995 case MBEDTLS_SSL_SERVER_CERTIFICATE:
2996 ret = ssl_tls13_write_server_certificate( ssl );
2997 break;
2998
2999 case MBEDTLS_SSL_CERTIFICATE_VERIFY:
3000 ret = ssl_tls13_write_certificate_verify( ssl );
3001 break;
Ronald Cron928cbd32022-10-04 16:14:26 +02003002#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
Jerry Yu83da34e2022-04-16 13:59:52 +08003003
Gabor Mezei7b39bf12022-05-24 16:04:14 +02003004 /*
3005 * Injection of dummy-CCS's for middlebox compatibility
3006 */
3007#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
Gabor Mezeif7044ea2022-06-28 16:01:49 +02003008 case MBEDTLS_SSL_SERVER_CCS_AFTER_HELLO_RETRY_REQUEST:
Gabor Mezei7b39bf12022-05-24 16:04:14 +02003009 ret = mbedtls_ssl_tls13_write_change_cipher_spec( ssl );
3010 if( ret == 0 )
3011 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_HELLO );
3012 break;
3013
3014 case MBEDTLS_SSL_SERVER_CCS_AFTER_SERVER_HELLO:
3015 ret = mbedtls_ssl_tls13_write_change_cipher_spec( ssl );
3016 if( ret == 0 )
3017 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_ENCRYPTED_EXTENSIONS );
3018 break;
3019#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
3020
Jerry Yu69dd8d42022-04-16 12:51:26 +08003021 case MBEDTLS_SSL_SERVER_FINISHED:
3022 ret = ssl_tls13_write_server_finished( ssl );
3023 break;
3024
3025 case MBEDTLS_SSL_CLIENT_FINISHED:
3026 ret = ssl_tls13_process_client_finished( ssl );
3027 break;
3028
Jerry Yu69dd8d42022-04-16 12:51:26 +08003029 case MBEDTLS_SSL_HANDSHAKE_WRAPUP:
3030 ret = ssl_tls13_handshake_wrapup( ssl );
3031 break;
3032
Ronald Cron766c0cd2022-10-18 12:17:11 +02003033#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
XiaokangQian6b916b12022-04-25 07:29:34 +00003034 case MBEDTLS_SSL_CLIENT_CERTIFICATE:
3035 ret = mbedtls_ssl_tls13_process_certificate( ssl );
Ronald Cron209cae92022-06-07 10:30:19 +02003036 if( ret == 0 )
XiaokangQian6b916b12022-04-25 07:29:34 +00003037 {
Ronald Cron209cae92022-06-07 10:30:19 +02003038 if( ssl->session_negotiate->peer_cert != NULL )
3039 {
3040 mbedtls_ssl_handshake_set_state(
3041 ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY );
3042 }
3043 else
Ronald Cron19385882022-06-15 16:26:13 +02003044 {
3045 MBEDTLS_SSL_DEBUG_MSG( 2, ( "skip parse certificate verify" ) );
Ronald Cron209cae92022-06-07 10:30:19 +02003046 mbedtls_ssl_handshake_set_state(
3047 ssl, MBEDTLS_SSL_CLIENT_FINISHED );
Ronald Cron19385882022-06-15 16:26:13 +02003048 }
XiaokangQian6b916b12022-04-25 07:29:34 +00003049 }
3050 break;
3051
3052 case MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY:
3053 ret = mbedtls_ssl_tls13_process_certificate_verify( ssl );
3054 if( ret == 0 )
3055 {
3056 mbedtls_ssl_handshake_set_state(
3057 ssl, MBEDTLS_SSL_CLIENT_FINISHED );
3058 }
3059 break;
Ronald Cron766c0cd2022-10-18 12:17:11 +02003060#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
XiaokangQian6b916b12022-04-25 07:29:34 +00003061
Jerry Yue67bef42022-07-07 07:29:42 +00003062#if defined(MBEDTLS_SSL_SESSION_TICKETS)
3063 case MBEDTLS_SSL_NEW_SESSION_TICKET:
3064 ret = ssl_tls13_write_new_session_ticket( ssl );
3065 if( ret != 0 )
3066 {
3067 MBEDTLS_SSL_DEBUG_RET( 1,
3068 "ssl_tls13_write_new_session_ticket ",
3069 ret );
3070 }
3071 break;
3072 case MBEDTLS_SSL_NEW_SESSION_TICKET_FLUSH:
3073 /* This state is necessary to do the flush of the New Session
3074 * Ticket message written in MBEDTLS_SSL_NEW_SESSION_TICKET
3075 * as part of ssl_prepare_handshake_step.
3076 */
3077 ret = 0;
Jerry Yud4e75002022-08-09 13:33:50 +08003078
Jerry Yud0766ec2022-09-22 10:46:57 +08003079 if( ssl->handshake->new_session_tickets_count == 0 )
Jerry Yud4e75002022-08-09 13:33:50 +08003080 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_HANDSHAKE_OVER );
3081 else
3082 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_NEW_SESSION_TICKET );
Jerry Yue67bef42022-07-07 07:29:42 +00003083 break;
3084
3085#endif /* MBEDTLS_SSL_SESSION_TICKETS */
3086
XiaokangQian7807f9f2022-02-15 10:04:37 +00003087 default:
3088 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) );
XiaokangQian060d8672022-04-21 09:24:56 +00003089 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
XiaokangQian7807f9f2022-02-15 10:04:37 +00003090 }
3091
3092 return( ret );
Jerry Yub9930e72021-08-06 17:11:51 +08003093}
Jerry Yu3cc4c2a2021-08-06 16:29:08 +08003094
Jerry Yufb4b6472022-01-27 15:03:26 +08003095#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_PROTO_TLS1_3 */