TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / ef6b36b484ea00bae37c5833d14b15127d76ea98 / . / library / ssl_tls13_client.c
blob: 0b10b12f412a3bcc72d44d31b04c3044dff1a135 [file] [log] [blame]
Jerry Yu3cc4c2a2021-08-06 16:29:08 +0800[diff] [blame]1/*
2 * TLS 1.3 client-side functions
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 *
19 * This file is part of mbed TLS ( https://tls.mbed.org )
20 */
21
22#include "common.h"
23
24#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
25
26#if defined(MBEDTLS_SSL_CLI_C)
27
Jerry Yubc20bdd2021-08-24 15:59:48 +0800[diff] [blame]28#include <string.h>
29
Jerry Yu3cc4c2a2021-08-06 16:29:08 +0800[diff] [blame]30#include "ssl_misc.h"
Jerry Yua13c7e72021-08-17 10:44:40 +0800[diff] [blame]31#include <mbedtls/debug.h>
32
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800[diff] [blame]33/* Main entry point; orchestrates the other functions */
Jerry Yua13c7e72021-08-17 10:44:40 +0800[diff] [blame]34static int ssl_client_hello_process( mbedtls_ssl_context* ssl );
Jerry Yu3cc4c2a2021-08-06 16:29:08 +0800[diff] [blame]35
Jerry Yub9930e72021-08-06 17:11:51 +0800[diff] [blame]36int mbedtls_ssl_handshake_client_step_tls1_3( mbedtls_ssl_context *ssl )
37{
Jerry Yua13c7e72021-08-17 10:44:40 +0800[diff] [blame]38 int ret = 0;
39
40 if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER || ssl->handshake == NULL )
41 {
42 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Handshake completed but ssl->handshake is NULL.\n" ) );
43 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
44 }
45
46 MBEDTLS_SSL_DEBUG_MSG( 2, ( "client state: %d", ssl->state ) );
47
48 switch( ssl->state )
49 {
50 case MBEDTLS_SSL_HELLO_REQUEST:
51 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_HELLO );
52 break;
53
54 case MBEDTLS_SSL_CLIENT_HELLO:
55 ret = ssl_client_hello_process( ssl );
56 break;
57
58 case MBEDTLS_SSL_SERVER_HELLO:
59 // Stop here : we haven't finished whole flow
60 ret=MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
61 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_ENCRYPTED_EXTENSIONS );
62 break;
63
64 default:
65 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) );
66 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
67 }
68
69 return( ret );
70}
71
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800[diff] [blame]72
73static int ssl_client_hello_prepare( mbedtls_ssl_context* ssl );
74static int ssl_client_hello_write_partial( mbedtls_ssl_context* ssl,
75 unsigned char* buf, size_t buflen,
76 size_t* len_without_binders,
77 size_t* len_with_binders );
78static int ssl_client_hello_postprocess( mbedtls_ssl_context* ssl );
79
Jerry Yua13c7e72021-08-17 10:44:40 +0800[diff] [blame]80static int ssl_client_hello_process( mbedtls_ssl_context* ssl )
81{
82 int ret = 0;
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800[diff] [blame]83 unsigned char *buf;
84 size_t buf_len, msg_len;
85 size_t len_without_binders = 0;
Jerry Yua13c7e72021-08-17 10:44:40 +0800[diff] [blame]86
87 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write client hello" ) );
88
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800[diff] [blame]89 MBEDTLS_SSL_PROC_CHK( ssl_client_hello_prepare, ( ssl ) );
90
91 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_start_handshake_msg, ( ssl,
92 MBEDTLS_SSL_HS_CLIENT_HELLO, &buf, &buf_len ) );
93
94 MBEDTLS_SSL_PROC_CHK( ssl_client_hello_write_partial, ( ssl, buf, buf_len,
95 &len_without_binders,
96 &msg_len ) );
97
98 mbedtls_ssl_add_hs_hdr_to_checksum( ssl, MBEDTLS_SSL_HS_CLIENT_HELLO,
99 msg_len );
100 ssl->handshake->update_checksum( ssl, buf, len_without_binders );
101
102 MBEDTLS_SSL_PROC_CHK( ssl_client_hello_postprocess, ( ssl ) );
103 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_finish_handshake_msg, ( ssl, buf_len, msg_len ) );
Jerry Yua13c7e72021-08-17 10:44:40 +0800[diff] [blame]104
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800[diff] [blame]105cleanup:
106
Jerry Yua13c7e72021-08-17 10:44:40 +0800[diff] [blame]107 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write client hello" ) );
108 /* client_hello_process haven't finished */
109 ret=MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
110 return ret;
Jerry Yub9930e72021-08-06 17:11:51 +0800[diff] [blame]111}
Jerry Yu3cc4c2a2021-08-06 16:29:08 +0800[diff] [blame]112
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800[diff] [blame]113static int ssl_client_hello_prepare( mbedtls_ssl_context* ssl )
114{
Jerry Yuc8a392c2021-08-18 16:46:28 +0800[diff] [blame]115 int ret;
116 size_t rand_bytes_len;
117
118 if( ssl->conf->f_rng == NULL )
119 {
120 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no RNG provided" ) );
121 return( MBEDTLS_ERR_SSL_NO_RNG );
122 }
123
124 rand_bytes_len = 32;
125
126 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, ssl->handshake->randbytes, rand_bytes_len ) ) != 0 )
127 {
128 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_generate_random", ret );
129 return( ret );
130 }
131
132 return( 0 );
133}
134
135static int ssl_client_hello_postprocess( mbedtls_ssl_context* ssl )
136{
137 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_HELLO );
138
139 return( 0 );
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800[diff] [blame]140}
141
Jerry Yubc20bdd2021-08-24 15:59:48 +0800[diff] [blame]142/* Write extensions */
143
144static void ssl_write_supported_versions_ext( mbedtls_ssl_context *ssl,
145 unsigned char* buf,
146 unsigned char* end,
147 size_t* olen );
148
149#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
150
151static int ssl_write_supported_groups_ext( mbedtls_ssl_context *ssl,
152 unsigned char* buf,
153 unsigned char* end,
154 size_t* olen );
155
156static int ssl_write_key_shares_ext( mbedtls_ssl_context *ssl,
157 unsigned char* buf,
158 unsigned char* end,
159 size_t* olen );
160
161#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
162
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800[diff] [blame]163static int ssl_client_hello_write_partial( mbedtls_ssl_context* ssl,
164 unsigned char* buf, size_t buflen,
165 size_t* len_without_binders,
166 size_t* len_with_binders )
167{
Jerry Yubc20bdd2021-08-24 15:59:48 +0800[diff] [blame]168 /* Extensions */
169
170 /* extension_start
171 * Used during extension writing where the
172 * buffer pointer to the beginning of the
173 * extension list must be kept to write
174 * the total extension list size in the end.
175 */
176
177 int ret;
178 unsigned char* extension_start;
179 size_t cur_ext_len; /* Size of the current extension */
180 size_t total_ext_len; /* Size of list of extensions */
181
182 /* Length information */
183 size_t rand_bytes_len;
184 size_t version_len;
185
186 /* Buffer management */
187 unsigned char* start = buf;
188 unsigned char* end = buf + buflen;
189
190 /* Ciphersuite-related variables */
191 const int* ciphersuites;
192 const mbedtls_ssl_ciphersuite_t* ciphersuite_info;
193 size_t i; /* used to iterate through ciphersuite list */
194 /* ciphersuite_start points to the start of the ciphersuite list, i.e. to the length field*/
195 unsigned char* ciphersuite_start;
196 size_t ciphersuite_count;
197
198 /* Keeping track of the included extensions */
199 ssl->handshake->extensions_present = MBEDTLS_SSL_EXT_NONE;
200
201 rand_bytes_len = 32;
202
203 /* NOTE:
204 * Even for DTLS 1.3, we are writing a TLS handshake header here.
205 * The actual DTLS 1.3 handshake header is inserted in
206 * the record writing routine mbedtls_ssl_write_record().
207 *
208 * For cTLS the length, and the version field
209 * are elided. The random bytes are shorter.
210 */
211 version_len = 2;
212
213 if( ssl->conf->max_major_ver == 0 )
214 {
215 MBEDTLS_SSL_DEBUG_MSG( 1, ( "configured max major version is invalid, "
216 "consider using mbedtls_ssl_config_defaults()" ) );
217 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
218 }
219
220 ssl->major_ver = ssl->conf->min_major_ver;
221 ssl->minor_ver = ssl->conf->min_minor_ver;
222
223 /* For TLS 1.3 we use the legacy version number {0x03, 0x03}
224 * instead of the true version number.
225 *
226 * For DTLS 1.3 we use the legacy version number
227 * {254,253}.
228 *
229 * In cTLS the version number is elided.
230 */
231 *buf++ = 0x03;
232 *buf++ = 0x03;
233 buflen -= version_len;
234
235 /* Write random bytes */
236 memcpy( buf, ssl->handshake->randbytes, rand_bytes_len );
237 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, random bytes", buf, rand_bytes_len );
238
239 buf += rand_bytes_len;
240 buflen -= rand_bytes_len;
241
242 /* Versions of TLS before TLS 1.3 supported a
243 * "session resumption" feature which has been merged with pre-shared
244 * keys in this version. A client which has a
245 * cached session ID set by a pre-TLS 1.3 server SHOULD set this
246 * field to that value. In compatibility mode,
247 * this field MUST be non-empty, so a client not offering a
248 * pre-TLS 1.3 session MUST generate a new 32-byte value. This value
249 * need not be random but SHOULD be unpredictable to avoid
250 * implementations fixating on a specific value ( also known as
251 * ossification ). Otherwise, it MUST be set as a zero-length vector
252 * ( i.e., a zero-valued single byte length field ).
253 */
254 if( buflen < 1 )
255 {
256 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small to hold ClientHello" ) );
257 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
258 }
259
260 *buf++ = 0; /* session id length set to zero */
261 buflen -= 1;
262
263 /*
264 * Ciphersuite list
265 *
266 * This is a list of the symmetric cipher options supported by
267 * the client, specifically the record protection algorithm
268 * ( including secret key length ) and a hash to be used with
269 * HKDF, in descending order of client preference.
270 */
271 ciphersuites = ssl->conf->ciphersuite_list;
272
273 if( buflen < 2 /* for ciphersuite list length */ )
274 {
275 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small to hold ClientHello" ) );
276 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
277 }
278
279 /* Skip writing ciphersuite length for now */
280 ciphersuite_count = 0;
281 ciphersuite_start = buf;
282 buf += 2;
283 buflen -= 2;
284
285 for ( i = 0; ciphersuites[i] != 0; i++ )
286 {
287 ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( ciphersuites[i] );
288
289 if( ciphersuite_info == NULL )
290 continue;
291
292 if( ciphersuite_info->min_minor_ver != MBEDTLS_SSL_MINOR_VERSION_4 ||
293 ciphersuite_info->max_minor_ver != MBEDTLS_SSL_MINOR_VERSION_4 )
294 continue;
295
296 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, add ciphersuite: %04x, %s",
297 (unsigned int) ciphersuites[i], ciphersuite_info->name ) );
298
299 ciphersuite_count++;
300
301 if( buflen < 2 /* for ciphersuite list length */ )
302 {
303 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small to hold ClientHello" ) );
304 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
305 }
306
307 *buf++ = (unsigned char)( ciphersuites[i] >> 8 );
308 *buf++ = (unsigned char)( ciphersuites[i] );
309
310 buflen -= 2;
311
312 }
313
314 /* write ciphersuite length now */
315 *ciphersuite_start++ = (unsigned char)( ciphersuite_count*2 >> 8 );
316 *ciphersuite_start++ = (unsigned char)( ciphersuite_count*2 );
317
318 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, got %" MBEDTLS_PRINTF_SIZET " ciphersuites", ciphersuite_count ) );
319
320 /* For every TLS 1.3 ClientHello, this vector MUST contain exactly
321 * one byte set to zero, which corresponds to the 'null' compression
322 * method in prior versions of TLS.
323 *
324 * For cTLS this field is elided.
325 */
326 if( buflen < 2 /* for ciphersuite list length */ )
327 {
328 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small to hold ClientHello" ) );
329 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
330 }
331
332 *buf++ = 1;
333 *buf++ = MBEDTLS_SSL_COMPRESS_NULL;
334
335 buflen -= 2;
336
337 /* First write extensions, then the total length */
338 extension_start = buf;
339 total_ext_len = 0;
340 buf += 2;
341
342 /* Supported Versions Extension is mandatory with TLS 1.3.
343 *
344 * For cTLS we only need to provide it if there is more than one version
345 * and currently there is only one.
346 */
347 ssl_write_supported_versions_ext( ssl, buf, end, &cur_ext_len );
348 total_ext_len += cur_ext_len;
349 buf += cur_ext_len;
350
351#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
352 /* The supported_groups and the key_share extensions are
353 * REQUIRED for ECDHE ciphersuites.
354 */
355 ret = ssl_write_supported_groups_ext( ssl, buf, end, &cur_ext_len );
356 if( ret != 0 )
357 return( ret );
358
359 total_ext_len += cur_ext_len;
360 buf += cur_ext_len;
361
362 /* The supported_signature_algorithms extension is REQUIRED for
363 * certificate authenticated ciphersuites. */
364 ret = mbedtls_ssl_write_signature_algorithms_ext( ssl, buf, end, &cur_ext_len );
365 if( ret != 0 )
366 return( ret );
367
368 total_ext_len += cur_ext_len;
369 buf += cur_ext_len;
370
371 /* We need to send the key shares under three conditions:
372 * 1 ) A certificate-based ciphersuite is being offered. In this case
373 * supported_groups and supported_signature extensions have been successfully added.
374 * 2 ) A PSK-based ciphersuite with ECDHE is offered. In this case the
375 * psk_key_exchange_modes has been added as the last extension.
376 * 3 ) Or, in case all ciphers are supported ( which includes #1 and #2 from above )
377 */
378
379 ret = ssl_write_key_shares_ext( ssl, buf, end, &cur_ext_len );
380 if( ret != 0 )
381 return( ret );
382
383 total_ext_len += cur_ext_len;
384 buf += cur_ext_len;
385#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
386
387 /* Add more extensions here */
388
389 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, total extension length: %" MBEDTLS_PRINTF_SIZET ,
390 total_ext_len ) );
391
392 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello extensions", extension_start, total_ext_len );
393
394 /* Write extension length */
395 *extension_start++ = (unsigned char)( ( total_ext_len >> 8 ) & 0xFF );
396 *extension_start++ = (unsigned char)( ( total_ext_len ) & 0xFF );
397
398 *len_without_binders = buf - start;
399 *len_with_binders = ( extension_start + total_ext_len ) - start;
400 return( 0 );
401}
402
Jerry Yuef6b36b2021-08-24 16:29:02 +0800[diff] [blame^]403/*
404 * ssl_write_supported_versions_ext():
405 *
406 * struct {
407 * ProtocolVersion versions<2..254>;
408 * } SupportedVersions;
409 */
Jerry Yubc20bdd2021-08-24 15:59:48 +0800[diff] [blame]410static void ssl_write_supported_versions_ext( mbedtls_ssl_context *ssl,
411 unsigned char* buf,
412 unsigned char* end,
413 size_t* olen )
414{
Jerry Yuef6b36b2021-08-24 16:29:02 +0800[diff] [blame^]415 unsigned char *p = buf;
416
417 *olen = 0;
418
419 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding supported version extension" ) );
420
421 if( end < p || (size_t)( end - p ) < 7 )
422 {
423 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
424 return;
425 }
426
427 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS >> 8 ) & 0xFF );
428 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS ) & 0xFF );
429
430 /* total length */
431 *p++ = 0x00;
432 *p++ = 3;
433
434 /* length of next field */
435 *p++ = 0x2;
436
437 /* This implementation only supports a single TLS version, and only
438 * advertises a single value.
439 */
440 mbedtls_ssl_write_version( ssl->conf->max_major_ver, ssl->conf->max_minor_ver,
441 ssl->conf->transport, p );
442
443 MBEDTLS_SSL_DEBUG_MSG( 3, ( "supported version: [%d:%d]", ssl->conf->max_major_ver, ssl->conf->max_minor_ver ) );
444
445 *olen = 7;
Jerry Yubc20bdd2021-08-24 15:59:48 +0800[diff] [blame]446}
447
448#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
449
450static int ssl_write_supported_groups_ext( mbedtls_ssl_context *ssl,
451 unsigned char* buf,
452 unsigned char* end,
453 size_t* olen )
454{
455 ((void) ssl);
456 ((void) buf);
457 ((void) end);
458 ((void) olen);
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800[diff] [blame]459 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
460}
461
Jerry Yubc20bdd2021-08-24 15:59:48 +0800[diff] [blame]462static int ssl_write_key_shares_ext( mbedtls_ssl_context *ssl,
463 unsigned char* buf,
464 unsigned char* end,
465 size_t* olen )
466{
467 ((void) ssl);
468 ((void) buf);
469 ((void) end);
470 ((void) olen);
471 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
472}
Jerry Yuc8a392c2021-08-18 16:46:28 +0800[diff] [blame]473
Jerry Yubc20bdd2021-08-24 15:59:48 +0800[diff] [blame]474#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800[diff] [blame]475
Jerry Yu3cc4c2a2021-08-06 16:29:08 +0800[diff] [blame]476#endif /* MBEDTLS_SSL_CLI_C */
477
478#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */