/src/mbedtls/library/ssl_tls13_server.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * TLS 1.3 server-side functions |
3 | | * |
4 | | * Copyright The Mbed TLS Contributors |
5 | | * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later |
6 | | */ |
7 | | |
8 | | #include "common.h" |
9 | | |
10 | | #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_PROTO_TLS1_3) |
11 | | |
12 | | #include "debug_internal.h" |
13 | | #include "mbedtls/error.h" |
14 | | #include "mbedtls/platform.h" |
15 | | #include "mbedtls/constant_time.h" |
16 | | #include "mbedtls/oid.h" |
17 | | #include "mbedtls/psa_util.h" |
18 | | |
19 | | #include "ssl_misc.h" |
20 | | #include "ssl_tls13_keys.h" |
21 | | #include "ssl_debug_helpers.h" |
22 | | |
23 | | |
24 | | static const mbedtls_ssl_ciphersuite_t *ssl_tls13_validate_peer_ciphersuite( |
25 | | mbedtls_ssl_context *ssl, |
26 | | unsigned int cipher_suite) |
27 | 0 | { |
28 | 0 | const mbedtls_ssl_ciphersuite_t *ciphersuite_info; |
29 | 0 | if (!mbedtls_ssl_tls13_cipher_suite_is_offered(ssl, cipher_suite)) { |
30 | 0 | return NULL; |
31 | 0 | } |
32 | | |
33 | 0 | ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(cipher_suite); |
34 | 0 | if ((mbedtls_ssl_validate_ciphersuite(ssl, ciphersuite_info, |
35 | 0 | ssl->tls_version, |
36 | 0 | ssl->tls_version) != 0)) { |
37 | 0 | return NULL; |
38 | 0 | } |
39 | 0 | return ciphersuite_info; |
40 | 0 | } |
41 | | |
42 | | static void ssl_tls13_select_ciphersuite( |
43 | | mbedtls_ssl_context *ssl, |
44 | | const unsigned char *cipher_suites, |
45 | | const unsigned char *cipher_suites_end, |
46 | | int psk_ciphersuite_id, |
47 | | psa_algorithm_t psk_hash_alg, |
48 | | const mbedtls_ssl_ciphersuite_t **selected_ciphersuite_info) |
49 | 0 | { |
50 | 0 | *selected_ciphersuite_info = NULL; |
51 | | |
52 | | /* |
53 | | * In a compliant ClientHello the byte-length of the list of ciphersuites |
54 | | * is even and this function relies on this fact. This should have been |
55 | | * checked in the main ClientHello parsing function. Double check here. |
56 | | */ |
57 | 0 | if ((cipher_suites_end - cipher_suites) & 1) { |
58 | 0 | return; |
59 | 0 | } |
60 | | |
61 | 0 | for (const unsigned char *p = cipher_suites; |
62 | 0 | p < cipher_suites_end; p += 2) { |
63 | | /* |
64 | | * "cipher_suites_end - p is even" is an invariant of the loop. As |
65 | | * cipher_suites_end - p > 0, we have cipher_suites_end - p >= 2 and it |
66 | | * is thus safe to read two bytes. |
67 | | */ |
68 | 0 | uint16_t id = MBEDTLS_GET_UINT16_BE(p, 0); |
69 | |
|
70 | 0 | const mbedtls_ssl_ciphersuite_t *info = |
71 | 0 | ssl_tls13_validate_peer_ciphersuite(ssl, id); |
72 | 0 | if (info == NULL) { |
73 | 0 | continue; |
74 | 0 | } |
75 | | |
76 | | /* |
77 | | * If a valid PSK ciphersuite identifier has been passed in, we want |
78 | | * an exact match. |
79 | | */ |
80 | 0 | if (psk_ciphersuite_id != 0) { |
81 | 0 | if (id != psk_ciphersuite_id) { |
82 | 0 | continue; |
83 | 0 | } |
84 | 0 | } else if (psk_hash_alg != PSA_ALG_NONE) { |
85 | 0 | if (mbedtls_md_psa_alg_from_type((mbedtls_md_type_t) info->mac) != |
86 | 0 | psk_hash_alg) { |
87 | 0 | continue; |
88 | 0 | } |
89 | 0 | } |
90 | | |
91 | 0 | *selected_ciphersuite_info = info; |
92 | 0 | return; |
93 | 0 | } |
94 | | |
95 | 0 | MBEDTLS_SSL_DEBUG_MSG(2, ("No matched ciphersuite, psk_ciphersuite_id=%x, psk_hash_alg=%lx", |
96 | 0 | (unsigned) psk_ciphersuite_id, |
97 | 0 | (unsigned long) psk_hash_alg)); |
98 | 0 | } |
99 | | |
100 | | #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED) |
101 | | /* From RFC 8446: |
102 | | * |
103 | | * enum { psk_ke(0), psk_dhe_ke(1), (255) } PskKeyExchangeMode; |
104 | | * struct { |
105 | | * PskKeyExchangeMode ke_modes<1..255>; |
106 | | * } PskKeyExchangeModes; |
107 | | */ |
108 | | MBEDTLS_CHECK_RETURN_CRITICAL |
109 | | static int ssl_tls13_parse_key_exchange_modes_ext(mbedtls_ssl_context *ssl, |
110 | | const unsigned char *buf, |
111 | | const unsigned char *end) |
112 | 0 | { |
113 | 0 | const unsigned char *p = buf; |
114 | 0 | size_t ke_modes_len; |
115 | 0 | int ke_modes = 0; |
116 | | |
117 | | /* Read ke_modes length (1 Byte) */ |
118 | 0 | MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 1); |
119 | 0 | ke_modes_len = *p++; |
120 | | /* Currently, there are only two PSK modes, so even without looking |
121 | | * at the content, something's wrong if the list has more than 2 items. */ |
122 | 0 | if (ke_modes_len > 2) { |
123 | 0 | MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER, |
124 | 0 | MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER); |
125 | 0 | return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; |
126 | 0 | } |
127 | | |
128 | 0 | MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, ke_modes_len); |
129 | | |
130 | 0 | while (ke_modes_len-- != 0) { |
131 | 0 | switch (*p++) { |
132 | 0 | case MBEDTLS_SSL_TLS1_3_PSK_MODE_PURE: |
133 | 0 | ke_modes |= MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK; |
134 | 0 | MBEDTLS_SSL_DEBUG_MSG(3, ("Found PSK KEX MODE")); |
135 | 0 | break; |
136 | 0 | case MBEDTLS_SSL_TLS1_3_PSK_MODE_ECDHE: |
137 | 0 | ke_modes |= MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL; |
138 | 0 | MBEDTLS_SSL_DEBUG_MSG(3, ("Found PSK_EPHEMERAL KEX MODE")); |
139 | 0 | break; |
140 | 0 | default: |
141 | 0 | MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER, |
142 | 0 | MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER); |
143 | 0 | return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; |
144 | 0 | } |
145 | 0 | } |
146 | | |
147 | 0 | ssl->handshake->tls13_kex_modes = ke_modes; |
148 | 0 | return 0; |
149 | 0 | } |
150 | | |
151 | | /* |
152 | | * Non-error return values of |
153 | | * ssl_tls13_offered_psks_check_identity_match_ticket() and |
154 | | * ssl_tls13_offered_psks_check_identity_match(). They are positive to |
155 | | * not collide with error codes that are negative. Zero |
156 | | * (SSL_TLS1_3_PSK_IDENTITY_MATCH) in case of success as it may be propagated |
157 | | * up by the callers of this function as a generic success condition. |
158 | | * |
159 | | * The return value SSL_TLS1_3_PSK_IDENTITY_MATCH_BUT_PSK_NOT_USABLE means |
160 | | * that the pre-shared-key identity matches that of a ticket or an externally- |
161 | | * provisioned pre-shared-key. We have thus been able to retrieve the |
162 | | * attributes of the pre-shared-key but at least one of them does not meet |
163 | | * some criteria and the pre-shared-key cannot be used. For example, a ticket |
164 | | * is expired or its version is not TLS 1.3. Note eventually that the return |
165 | | * value SSL_TLS1_3_PSK_IDENTITY_MATCH_BUT_PSK_NOT_USABLE does not have |
166 | | * anything to do with binder check. A binder check is done only when a |
167 | | * suitable pre-shared-key has been selected and only for that selected |
168 | | * pre-shared-key: if the binder check fails, we fail the handshake and we do |
169 | | * not try to find another pre-shared-key for which the binder check would |
170 | | * succeed as recommended by the specification. |
171 | | */ |
172 | 0 | #define SSL_TLS1_3_PSK_IDENTITY_DOES_NOT_MATCH 2 |
173 | 0 | #define SSL_TLS1_3_PSK_IDENTITY_MATCH_BUT_PSK_NOT_USABLE 1 |
174 | 0 | #define SSL_TLS1_3_PSK_IDENTITY_MATCH 0 |
175 | | |
176 | | MBEDTLS_CHECK_RETURN_CRITICAL |
177 | | static int ssl_tls13_key_exchange_is_psk_available(mbedtls_ssl_context *ssl); |
178 | | MBEDTLS_CHECK_RETURN_CRITICAL |
179 | | static int ssl_tls13_key_exchange_is_psk_ephemeral_available(mbedtls_ssl_context *ssl); |
180 | | |
181 | | #if defined(MBEDTLS_SSL_SESSION_TICKETS) |
182 | | MBEDTLS_CHECK_RETURN_CRITICAL |
183 | | static int ssl_tls13_offered_psks_check_identity_match_ticket( |
184 | | mbedtls_ssl_context *ssl, |
185 | | const unsigned char *identity, |
186 | | size_t identity_len, |
187 | | uint32_t obfuscated_ticket_age, |
188 | | mbedtls_ssl_session *session) |
189 | 0 | { |
190 | 0 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
191 | 0 | unsigned char *ticket_buffer; |
192 | 0 | #if defined(MBEDTLS_HAVE_TIME) |
193 | 0 | mbedtls_ms_time_t now; |
194 | 0 | mbedtls_ms_time_t server_age; |
195 | 0 | uint32_t client_age; |
196 | 0 | mbedtls_ms_time_t age_diff; |
197 | 0 | #endif |
198 | |
|
199 | 0 | ((void) obfuscated_ticket_age); |
200 | |
|
201 | 0 | MBEDTLS_SSL_DEBUG_MSG(2, ("=> check_identity_match_ticket")); |
202 | | |
203 | | /* Ticket parser is not configured, Skip */ |
204 | 0 | if (ssl->conf->f_ticket_parse == NULL || identity_len == 0) { |
205 | 0 | return SSL_TLS1_3_PSK_IDENTITY_DOES_NOT_MATCH; |
206 | 0 | } |
207 | | |
208 | | /* We create a copy of the encrypted ticket since the ticket parsing |
209 | | * function is allowed to use its input buffer as an output buffer |
210 | | * (in-place decryption). We do, however, need the original buffer for |
211 | | * computing the PSK binder value. |
212 | | */ |
213 | 0 | ticket_buffer = mbedtls_calloc(1, identity_len); |
214 | 0 | if (ticket_buffer == NULL) { |
215 | 0 | return MBEDTLS_ERR_SSL_ALLOC_FAILED; |
216 | 0 | } |
217 | 0 | memcpy(ticket_buffer, identity, identity_len); |
218 | |
|
219 | 0 | ret = ssl->conf->f_ticket_parse(ssl->conf->p_ticket, |
220 | 0 | session, |
221 | 0 | ticket_buffer, identity_len); |
222 | 0 | switch (ret) { |
223 | 0 | case 0: |
224 | 0 | ret = SSL_TLS1_3_PSK_IDENTITY_MATCH; |
225 | 0 | break; |
226 | | |
227 | 0 | case MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED: |
228 | 0 | MBEDTLS_SSL_DEBUG_MSG(3, ("ticket is expired")); |
229 | 0 | ret = SSL_TLS1_3_PSK_IDENTITY_MATCH_BUT_PSK_NOT_USABLE; |
230 | 0 | break; |
231 | | |
232 | 0 | case MBEDTLS_ERR_SSL_INVALID_MAC: |
233 | 0 | MBEDTLS_SSL_DEBUG_MSG(3, ("ticket is not authentic")); |
234 | 0 | ret = SSL_TLS1_3_PSK_IDENTITY_DOES_NOT_MATCH; |
235 | 0 | break; |
236 | | |
237 | 0 | default: |
238 | 0 | MBEDTLS_SSL_DEBUG_RET(1, "ticket_parse", ret); |
239 | 0 | ret = SSL_TLS1_3_PSK_IDENTITY_DOES_NOT_MATCH; |
240 | 0 | } |
241 | | |
242 | | /* We delete the temporary buffer */ |
243 | 0 | mbedtls_free(ticket_buffer); |
244 | |
|
245 | 0 | if (ret != SSL_TLS1_3_PSK_IDENTITY_MATCH) { |
246 | 0 | goto exit; |
247 | 0 | } |
248 | | |
249 | | /* |
250 | | * The identity matches that of a ticket. Now check that it has suitable |
251 | | * attributes and bet it will not be the case. |
252 | | */ |
253 | 0 | ret = SSL_TLS1_3_PSK_IDENTITY_MATCH_BUT_PSK_NOT_USABLE; |
254 | |
|
255 | 0 | if (session->tls_version != MBEDTLS_SSL_VERSION_TLS1_3) { |
256 | 0 | MBEDTLS_SSL_DEBUG_MSG(3, ("Ticket TLS version is not 1.3.")); |
257 | 0 | goto exit; |
258 | 0 | } |
259 | | |
260 | 0 | #if defined(MBEDTLS_HAVE_TIME) |
261 | 0 | now = mbedtls_ms_time(); |
262 | |
|
263 | 0 | if (now < session->ticket_creation_time) { |
264 | 0 | MBEDTLS_SSL_DEBUG_MSG( |
265 | 0 | 3, ("Invalid ticket creation time ( now = %" MBEDTLS_PRINTF_MS_TIME |
266 | 0 | ", creation_time = %" MBEDTLS_PRINTF_MS_TIME " )", |
267 | 0 | now, session->ticket_creation_time)); |
268 | 0 | goto exit; |
269 | 0 | } |
270 | | |
271 | 0 | server_age = now - session->ticket_creation_time; |
272 | | |
273 | | /* RFC 8446 section 4.6.1 |
274 | | * |
275 | | * Servers MUST NOT use any value greater than 604800 seconds (7 days). |
276 | | * |
277 | | * RFC 8446 section 4.2.11.1 |
278 | | * |
279 | | * Clients MUST NOT attempt to use tickets which have ages greater than |
280 | | * the "ticket_lifetime" value which was provided with the ticket. |
281 | | * |
282 | | */ |
283 | 0 | if (server_age > MBEDTLS_SSL_TLS1_3_MAX_ALLOWED_TICKET_LIFETIME * 1000) { |
284 | 0 | MBEDTLS_SSL_DEBUG_MSG( |
285 | 0 | 3, ("Ticket age exceeds limitation ticket_age = %" MBEDTLS_PRINTF_MS_TIME, |
286 | 0 | server_age)); |
287 | 0 | goto exit; |
288 | 0 | } |
289 | | |
290 | | /* RFC 8446 section 4.2.10 |
291 | | * |
292 | | * For PSKs provisioned via NewSessionTicket, a server MUST validate that |
293 | | * the ticket age for the selected PSK identity (computed by subtracting |
294 | | * ticket_age_add from PskIdentity.obfuscated_ticket_age modulo 2^32) is |
295 | | * within a small tolerance of the time since the ticket was issued. |
296 | | * |
297 | | * NOTE: The typical accuracy of an RTC crystal is ±100 to ±20 parts per |
298 | | * million (360 to 72 milliseconds per hour). Default tolerance |
299 | | * window is 6s, thus in the worst case clients and servers must |
300 | | * sync up their system time every 6000/360/2~=8 hours. |
301 | | */ |
302 | 0 | client_age = obfuscated_ticket_age - session->ticket_age_add; |
303 | 0 | age_diff = server_age - (mbedtls_ms_time_t) client_age; |
304 | 0 | if (age_diff < -MBEDTLS_SSL_TLS1_3_TICKET_AGE_TOLERANCE || |
305 | 0 | age_diff > MBEDTLS_SSL_TLS1_3_TICKET_AGE_TOLERANCE) { |
306 | 0 | MBEDTLS_SSL_DEBUG_MSG( |
307 | 0 | 3, ("Ticket age outside tolerance window ( diff = %" |
308 | 0 | MBEDTLS_PRINTF_MS_TIME ")", |
309 | 0 | age_diff)); |
310 | 0 | goto exit; |
311 | 0 | } |
312 | 0 | #endif /* MBEDTLS_HAVE_TIME */ |
313 | | |
314 | | /* |
315 | | * All good, we have found a suitable ticket. |
316 | | */ |
317 | 0 | ret = SSL_TLS1_3_PSK_IDENTITY_MATCH; |
318 | |
|
319 | 0 | exit: |
320 | 0 | if (ret != SSL_TLS1_3_PSK_IDENTITY_MATCH) { |
321 | 0 | mbedtls_ssl_session_free(session); |
322 | 0 | } |
323 | |
|
324 | 0 | MBEDTLS_SSL_DEBUG_MSG(2, ("<= check_identity_match_ticket")); |
325 | 0 | return ret; |
326 | 0 | } |
327 | | #endif /* MBEDTLS_SSL_SESSION_TICKETS */ |
328 | | |
329 | | MBEDTLS_CHECK_RETURN_CRITICAL |
330 | | static int ssl_tls13_offered_psks_check_identity_match( |
331 | | mbedtls_ssl_context *ssl, |
332 | | const unsigned char *identity, |
333 | | size_t identity_len, |
334 | | uint32_t obfuscated_ticket_age, |
335 | | int *psk_type, |
336 | | mbedtls_ssl_session *session) |
337 | 0 | { |
338 | 0 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
339 | |
|
340 | 0 | ((void) session); |
341 | 0 | ((void) obfuscated_ticket_age); |
342 | 0 | *psk_type = MBEDTLS_SSL_TLS1_3_PSK_EXTERNAL; |
343 | |
|
344 | 0 | MBEDTLS_SSL_DEBUG_BUF(4, "identity", identity, identity_len); |
345 | |
|
346 | 0 | #if defined(MBEDTLS_SSL_SESSION_TICKETS) |
347 | 0 | ret = ssl_tls13_offered_psks_check_identity_match_ticket( |
348 | 0 | ssl, identity, identity_len, obfuscated_ticket_age, session); |
349 | 0 | if (ret == SSL_TLS1_3_PSK_IDENTITY_MATCH) { |
350 | 0 | *psk_type = MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION; |
351 | 0 | ret = mbedtls_ssl_set_hs_psk(ssl, |
352 | 0 | session->resumption_key, |
353 | 0 | session->resumption_key_len); |
354 | 0 | if (ret != 0) { |
355 | 0 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_set_hs_psk", ret); |
356 | 0 | return ret; |
357 | 0 | } |
358 | | |
359 | 0 | MBEDTLS_SSL_DEBUG_BUF(4, "Ticket-resumed PSK:", |
360 | 0 | session->resumption_key, |
361 | 0 | session->resumption_key_len); |
362 | 0 | MBEDTLS_SSL_DEBUG_MSG(4, ("ticket: obfuscated_ticket_age: %u", |
363 | 0 | (unsigned) obfuscated_ticket_age)); |
364 | 0 | return SSL_TLS1_3_PSK_IDENTITY_MATCH; |
365 | 0 | } else if (ret == SSL_TLS1_3_PSK_IDENTITY_MATCH_BUT_PSK_NOT_USABLE) { |
366 | 0 | return SSL_TLS1_3_PSK_IDENTITY_MATCH_BUT_PSK_NOT_USABLE; |
367 | 0 | } |
368 | 0 | #endif /* MBEDTLS_SSL_SESSION_TICKETS */ |
369 | | |
370 | | /* Check identity with external configured function */ |
371 | 0 | if (ssl->conf->f_psk != NULL) { |
372 | 0 | if (ssl->conf->f_psk( |
373 | 0 | ssl->conf->p_psk, ssl, identity, identity_len) == 0) { |
374 | 0 | return SSL_TLS1_3_PSK_IDENTITY_MATCH; |
375 | 0 | } |
376 | 0 | return SSL_TLS1_3_PSK_IDENTITY_DOES_NOT_MATCH; |
377 | 0 | } |
378 | | |
379 | 0 | MBEDTLS_SSL_DEBUG_BUF(5, "identity", identity, identity_len); |
380 | | /* Check identity with pre-configured psk */ |
381 | 0 | if (ssl->conf->psk_identity != NULL && |
382 | 0 | identity_len == ssl->conf->psk_identity_len && |
383 | 0 | mbedtls_ct_memcmp(ssl->conf->psk_identity, |
384 | 0 | identity, identity_len) == 0) { |
385 | 0 | ret = mbedtls_ssl_set_hs_psk(ssl, ssl->conf->psk, ssl->conf->psk_len); |
386 | 0 | if (ret != 0) { |
387 | 0 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_set_hs_psk", ret); |
388 | 0 | return ret; |
389 | 0 | } |
390 | 0 | return SSL_TLS1_3_PSK_IDENTITY_MATCH; |
391 | 0 | } |
392 | | |
393 | 0 | return SSL_TLS1_3_PSK_IDENTITY_DOES_NOT_MATCH; |
394 | 0 | } |
395 | | |
396 | | /* |
397 | | * Non-error return values of ssl_tls13_offered_psks_check_binder_match(). |
398 | | * They are positive to not collide with error codes that are negative. Zero |
399 | | * (SSL_TLS1_3_BINDER_MATCH) in case of success as it may be propagated up |
400 | | * by the callers of this function as a generic success condition. |
401 | | */ |
402 | 0 | #define SSL_TLS1_3_BINDER_DOES_NOT_MATCH 1 |
403 | 0 | #define SSL_TLS1_3_BINDER_MATCH 0 |
404 | | MBEDTLS_CHECK_RETURN_CRITICAL |
405 | | static int ssl_tls13_offered_psks_check_binder_match( |
406 | | mbedtls_ssl_context *ssl, |
407 | | const unsigned char *binder, size_t binder_len, |
408 | | int psk_type, psa_algorithm_t psk_hash_alg) |
409 | 0 | { |
410 | 0 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
411 | |
|
412 | 0 | unsigned char transcript[PSA_HASH_MAX_SIZE]; |
413 | 0 | size_t transcript_len; |
414 | 0 | unsigned char *psk; |
415 | 0 | size_t psk_len; |
416 | 0 | unsigned char server_computed_binder[PSA_HASH_MAX_SIZE]; |
417 | |
|
418 | 0 | if (binder_len != PSA_HASH_LENGTH(psk_hash_alg)) { |
419 | 0 | return SSL_TLS1_3_BINDER_DOES_NOT_MATCH; |
420 | 0 | } |
421 | | |
422 | | /* Get current state of handshake transcript. */ |
423 | 0 | ret = mbedtls_ssl_get_handshake_transcript( |
424 | 0 | ssl, mbedtls_md_type_from_psa_alg(psk_hash_alg), |
425 | 0 | transcript, sizeof(transcript), &transcript_len); |
426 | 0 | if (ret != 0) { |
427 | 0 | return ret; |
428 | 0 | } |
429 | | |
430 | 0 | ret = mbedtls_ssl_tls13_export_handshake_psk(ssl, &psk, &psk_len); |
431 | 0 | if (ret != 0) { |
432 | 0 | return ret; |
433 | 0 | } |
434 | | |
435 | 0 | ret = mbedtls_ssl_tls13_create_psk_binder(ssl, psk_hash_alg, |
436 | 0 | psk, psk_len, psk_type, |
437 | 0 | transcript, |
438 | 0 | server_computed_binder); |
439 | | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
440 | | mbedtls_free((void *) psk); |
441 | | #endif |
442 | 0 | if (ret != 0) { |
443 | 0 | MBEDTLS_SSL_DEBUG_MSG(1, ("PSK binder calculation failed.")); |
444 | 0 | return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; |
445 | 0 | } |
446 | | |
447 | 0 | MBEDTLS_SSL_DEBUG_BUF(3, "psk binder ( computed ): ", |
448 | 0 | server_computed_binder, transcript_len); |
449 | 0 | MBEDTLS_SSL_DEBUG_BUF(3, "psk binder ( received ): ", binder, binder_len); |
450 | |
|
451 | 0 | if (mbedtls_ct_memcmp(server_computed_binder, |
452 | 0 | binder, |
453 | 0 | PSA_HASH_LENGTH(psk_hash_alg)) == 0) { |
454 | 0 | return SSL_TLS1_3_BINDER_MATCH; |
455 | 0 | } |
456 | | |
457 | 0 | mbedtls_platform_zeroize(server_computed_binder, |
458 | 0 | sizeof(server_computed_binder)); |
459 | 0 | return SSL_TLS1_3_BINDER_DOES_NOT_MATCH; |
460 | 0 | } |
461 | | |
462 | | #if defined(MBEDTLS_SSL_SESSION_TICKETS) |
463 | | MBEDTLS_CHECK_RETURN_CRITICAL |
464 | | static int ssl_tls13_session_copy_ticket(mbedtls_ssl_session *dst, |
465 | | const mbedtls_ssl_session *src) |
466 | 0 | { |
467 | 0 | dst->ticket_age_add = src->ticket_age_add; |
468 | 0 | dst->ticket_flags = src->ticket_flags; |
469 | 0 | dst->resumption_key_len = src->resumption_key_len; |
470 | 0 | if (src->resumption_key_len == 0) { |
471 | 0 | return MBEDTLS_ERR_SSL_INTERNAL_ERROR; |
472 | 0 | } |
473 | 0 | memcpy(dst->resumption_key, src->resumption_key, src->resumption_key_len); |
474 | |
|
475 | 0 | #if defined(MBEDTLS_SSL_EARLY_DATA) |
476 | 0 | dst->max_early_data_size = src->max_early_data_size; |
477 | |
|
478 | 0 | #if defined(MBEDTLS_SSL_ALPN) |
479 | 0 | int ret = mbedtls_ssl_session_set_ticket_alpn(dst, src->ticket_alpn); |
480 | 0 | if (ret != 0) { |
481 | 0 | return ret; |
482 | 0 | } |
483 | 0 | #endif /* MBEDTLS_SSL_ALPN */ |
484 | 0 | #endif /* MBEDTLS_SSL_EARLY_DATA*/ |
485 | | |
486 | 0 | return 0; |
487 | 0 | } |
488 | | #endif /* MBEDTLS_SSL_SESSION_TICKETS */ |
489 | | |
490 | | struct psk_attributes { |
491 | | int type; |
492 | | int key_exchange_mode; |
493 | | const mbedtls_ssl_ciphersuite_t *ciphersuite_info; |
494 | | }; |
495 | 1.28k | #define PSK_ATTRIBUTES_INIT { 0, 0, NULL } |
496 | | |
497 | | /* Parser for pre_shared_key extension in client hello |
498 | | * struct { |
499 | | * opaque identity<1..2^16-1>; |
500 | | * uint32 obfuscated_ticket_age; |
501 | | * } PskIdentity; |
502 | | * |
503 | | * opaque PskBinderEntry<32..255>; |
504 | | * |
505 | | * struct { |
506 | | * PskIdentity identities<7..2^16-1>; |
507 | | * PskBinderEntry binders<33..2^16-1>; |
508 | | * } OfferedPsks; |
509 | | * |
510 | | * struct { |
511 | | * select (Handshake.msg_type) { |
512 | | * case client_hello: OfferedPsks; |
513 | | * .... |
514 | | * }; |
515 | | * } PreSharedKeyExtension; |
516 | | */ |
517 | | MBEDTLS_CHECK_RETURN_CRITICAL |
518 | | static int ssl_tls13_parse_pre_shared_key_ext( |
519 | | mbedtls_ssl_context *ssl, |
520 | | const unsigned char *pre_shared_key_ext, |
521 | | const unsigned char *pre_shared_key_ext_end, |
522 | | const unsigned char *ciphersuites, |
523 | | const unsigned char *ciphersuites_end, |
524 | | struct psk_attributes *psk) |
525 | 0 | { |
526 | 0 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
527 | 0 | const unsigned char *identities = pre_shared_key_ext; |
528 | 0 | const unsigned char *p_identity_len; |
529 | 0 | size_t identities_len; |
530 | 0 | const unsigned char *identities_end; |
531 | 0 | const unsigned char *binders; |
532 | 0 | const unsigned char *p_binder_len; |
533 | 0 | size_t binders_len; |
534 | 0 | const unsigned char *binders_end; |
535 | 0 | int matched_identity = -1; |
536 | 0 | int identity_id = -1; |
537 | |
|
538 | 0 | MBEDTLS_SSL_DEBUG_BUF(3, "pre_shared_key extension", |
539 | 0 | pre_shared_key_ext, |
540 | 0 | pre_shared_key_ext_end - pre_shared_key_ext); |
541 | | |
542 | | /* identities_len 2 bytes |
543 | | * identities_data >= 7 bytes |
544 | | */ |
545 | 0 | MBEDTLS_SSL_CHK_BUF_READ_PTR(identities, pre_shared_key_ext_end, 7 + 2); |
546 | 0 | identities_len = MBEDTLS_GET_UINT16_BE(identities, 0); |
547 | 0 | p_identity_len = identities + 2; |
548 | 0 | MBEDTLS_SSL_CHK_BUF_READ_PTR(p_identity_len, pre_shared_key_ext_end, |
549 | 0 | identities_len); |
550 | 0 | identities_end = p_identity_len + identities_len; |
551 | | |
552 | | /* binders_len 2 bytes |
553 | | * binders >= 33 bytes |
554 | | */ |
555 | 0 | binders = identities_end; |
556 | 0 | MBEDTLS_SSL_CHK_BUF_READ_PTR(binders, pre_shared_key_ext_end, 33 + 2); |
557 | 0 | binders_len = MBEDTLS_GET_UINT16_BE(binders, 0); |
558 | 0 | p_binder_len = binders + 2; |
559 | 0 | MBEDTLS_SSL_CHK_BUF_READ_PTR(p_binder_len, pre_shared_key_ext_end, binders_len); |
560 | 0 | binders_end = p_binder_len + binders_len; |
561 | |
|
562 | 0 | ret = ssl->handshake->update_checksum(ssl, pre_shared_key_ext, |
563 | 0 | identities_end - pre_shared_key_ext); |
564 | 0 | if (0 != ret) { |
565 | 0 | MBEDTLS_SSL_DEBUG_RET(1, ("update_checksum"), ret); |
566 | 0 | return ret; |
567 | 0 | } |
568 | | |
569 | 0 | while (p_identity_len < identities_end && p_binder_len < binders_end) { |
570 | 0 | const unsigned char *identity; |
571 | 0 | size_t identity_len; |
572 | 0 | uint32_t obfuscated_ticket_age; |
573 | 0 | const unsigned char *binder; |
574 | 0 | size_t binder_len; |
575 | 0 | int psk_ciphersuite_id; |
576 | 0 | psa_algorithm_t psk_hash_alg; |
577 | 0 | int allowed_key_exchange_modes; |
578 | |
|
579 | 0 | mbedtls_ssl_session session; |
580 | 0 | mbedtls_ssl_session_init(&session); |
581 | |
|
582 | 0 | MBEDTLS_SSL_CHK_BUF_READ_PTR(p_identity_len, identities_end, 2 + 1 + 4); |
583 | 0 | identity_len = MBEDTLS_GET_UINT16_BE(p_identity_len, 0); |
584 | 0 | identity = p_identity_len + 2; |
585 | 0 | MBEDTLS_SSL_CHK_BUF_READ_PTR(identity, identities_end, identity_len + 4); |
586 | 0 | obfuscated_ticket_age = MBEDTLS_GET_UINT32_BE(identity, identity_len); |
587 | 0 | p_identity_len += identity_len + 6; |
588 | |
|
589 | 0 | MBEDTLS_SSL_CHK_BUF_READ_PTR(p_binder_len, binders_end, 1 + 32); |
590 | 0 | binder_len = *p_binder_len; |
591 | 0 | binder = p_binder_len + 1; |
592 | 0 | MBEDTLS_SSL_CHK_BUF_READ_PTR(binder, binders_end, binder_len); |
593 | 0 | p_binder_len += binder_len + 1; |
594 | |
|
595 | 0 | identity_id++; |
596 | 0 | if (matched_identity != -1) { |
597 | 0 | continue; |
598 | 0 | } |
599 | | |
600 | 0 | ret = ssl_tls13_offered_psks_check_identity_match( |
601 | 0 | ssl, identity, identity_len, obfuscated_ticket_age, |
602 | 0 | &psk->type, &session); |
603 | 0 | if (ret != SSL_TLS1_3_PSK_IDENTITY_MATCH) { |
604 | 0 | continue; |
605 | 0 | } |
606 | | |
607 | 0 | MBEDTLS_SSL_DEBUG_MSG(4, ("found matched identity")); |
608 | |
|
609 | 0 | switch (psk->type) { |
610 | 0 | case MBEDTLS_SSL_TLS1_3_PSK_EXTERNAL: |
611 | 0 | psk_ciphersuite_id = 0; |
612 | 0 | psk_hash_alg = PSA_ALG_SHA_256; |
613 | 0 | allowed_key_exchange_modes = |
614 | 0 | MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL; |
615 | 0 | break; |
616 | 0 | #if defined(MBEDTLS_SSL_SESSION_TICKETS) |
617 | 0 | case MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION: |
618 | 0 | psk_ciphersuite_id = session.ciphersuite; |
619 | 0 | psk_hash_alg = PSA_ALG_NONE; |
620 | 0 | ssl->session_negotiate->ticket_flags = session.ticket_flags; |
621 | 0 | allowed_key_exchange_modes = |
622 | 0 | session.ticket_flags & |
623 | 0 | MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL; |
624 | 0 | break; |
625 | 0 | #endif |
626 | 0 | default: |
627 | 0 | return MBEDTLS_ERR_SSL_INTERNAL_ERROR; |
628 | 0 | } |
629 | | |
630 | 0 | psk->key_exchange_mode = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_NONE; |
631 | |
|
632 | 0 | if ((allowed_key_exchange_modes & |
633 | 0 | MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL) && |
634 | 0 | ssl_tls13_key_exchange_is_psk_ephemeral_available(ssl)) { |
635 | 0 | psk->key_exchange_mode = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL; |
636 | 0 | } else if ((allowed_key_exchange_modes & |
637 | 0 | MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK) && |
638 | 0 | ssl_tls13_key_exchange_is_psk_available(ssl)) { |
639 | 0 | psk->key_exchange_mode = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK; |
640 | 0 | } |
641 | |
|
642 | 0 | if (psk->key_exchange_mode == MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_NONE) { |
643 | 0 | MBEDTLS_SSL_DEBUG_MSG(3, ("No suitable PSK key exchange mode")); |
644 | 0 | continue; |
645 | 0 | } |
646 | | |
647 | 0 | ssl_tls13_select_ciphersuite(ssl, ciphersuites, ciphersuites_end, |
648 | 0 | psk_ciphersuite_id, psk_hash_alg, |
649 | 0 | &psk->ciphersuite_info); |
650 | |
|
651 | 0 | if (psk->ciphersuite_info == NULL) { |
652 | 0 | #if defined(MBEDTLS_SSL_SESSION_TICKETS) |
653 | 0 | mbedtls_ssl_session_free(&session); |
654 | 0 | #endif |
655 | | /* |
656 | | * We consider finding a ciphersuite suitable for the PSK as part |
657 | | * of the validation of its binder. Thus if we do not find one, we |
658 | | * abort the handshake with a decrypt_error alert. |
659 | | */ |
660 | 0 | MBEDTLS_SSL_PEND_FATAL_ALERT( |
661 | 0 | MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR, |
662 | 0 | MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE); |
663 | 0 | return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; |
664 | 0 | } |
665 | | |
666 | 0 | ret = ssl_tls13_offered_psks_check_binder_match( |
667 | 0 | ssl, binder, binder_len, psk->type, |
668 | 0 | mbedtls_md_psa_alg_from_type((mbedtls_md_type_t) psk->ciphersuite_info->mac)); |
669 | 0 | if (ret != SSL_TLS1_3_BINDER_MATCH) { |
670 | | /* For security reasons, the handshake should be aborted when we |
671 | | * fail to validate a binder value. See RFC 8446 section 4.2.11.2 |
672 | | * and appendix E.6. */ |
673 | 0 | #if defined(MBEDTLS_SSL_SESSION_TICKETS) |
674 | 0 | mbedtls_ssl_session_free(&session); |
675 | 0 | #endif |
676 | 0 | MBEDTLS_SSL_DEBUG_MSG(3, ("Invalid binder.")); |
677 | 0 | MBEDTLS_SSL_DEBUG_RET( |
678 | 0 | 1, "ssl_tls13_offered_psks_check_binder_match", ret); |
679 | 0 | MBEDTLS_SSL_PEND_FATAL_ALERT( |
680 | 0 | MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR, |
681 | 0 | MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE); |
682 | 0 | return ret; |
683 | 0 | } |
684 | | |
685 | 0 | matched_identity = identity_id; |
686 | |
|
687 | 0 | #if defined(MBEDTLS_SSL_SESSION_TICKETS) |
688 | 0 | if (psk->type == MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION) { |
689 | 0 | ret = ssl_tls13_session_copy_ticket(ssl->session_negotiate, |
690 | 0 | &session); |
691 | 0 | mbedtls_ssl_session_free(&session); |
692 | 0 | if (ret != 0) { |
693 | 0 | return ret; |
694 | 0 | } |
695 | 0 | } |
696 | 0 | #endif /* MBEDTLS_SSL_SESSION_TICKETS */ |
697 | 0 | } |
698 | | |
699 | 0 | if (p_identity_len != identities_end || p_binder_len != binders_end) { |
700 | 0 | MBEDTLS_SSL_DEBUG_MSG(3, ("pre_shared_key extension decode error")); |
701 | 0 | MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR, |
702 | 0 | MBEDTLS_ERR_SSL_DECODE_ERROR); |
703 | 0 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
704 | 0 | } |
705 | | |
706 | | /* Update the handshake transcript with the binder list. */ |
707 | 0 | ret = ssl->handshake->update_checksum( |
708 | 0 | ssl, identities_end, (size_t) (binders_end - identities_end)); |
709 | 0 | if (0 != ret) { |
710 | 0 | MBEDTLS_SSL_DEBUG_RET(1, ("update_checksum"), ret); |
711 | 0 | return ret; |
712 | 0 | } |
713 | 0 | if (matched_identity == -1) { |
714 | 0 | MBEDTLS_SSL_DEBUG_MSG(3, ("No usable PSK or ticket.")); |
715 | 0 | return MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY; |
716 | 0 | } |
717 | | |
718 | 0 | ssl->handshake->selected_identity = (uint16_t) matched_identity; |
719 | 0 | MBEDTLS_SSL_DEBUG_MSG(3, ("Pre shared key found")); |
720 | |
|
721 | 0 | return 0; |
722 | 0 | } |
723 | | |
724 | | /* |
725 | | * struct { |
726 | | * select ( Handshake.msg_type ) { |
727 | | * .... |
728 | | * case server_hello: |
729 | | * uint16 selected_identity; |
730 | | * } |
731 | | * } PreSharedKeyExtension; |
732 | | */ |
733 | | static int ssl_tls13_write_server_pre_shared_key_ext(mbedtls_ssl_context *ssl, |
734 | | unsigned char *buf, |
735 | | unsigned char *end, |
736 | | size_t *olen) |
737 | 0 | { |
738 | 0 | unsigned char *p = (unsigned char *) buf; |
739 | |
|
740 | 0 | *olen = 0; |
741 | |
|
742 | 0 | int not_using_psk = 0; |
743 | | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
744 | | not_using_psk = (mbedtls_svc_key_id_is_null(ssl->handshake->psk_opaque)); |
745 | | #else |
746 | 0 | not_using_psk = (ssl->handshake->psk == NULL); |
747 | 0 | #endif |
748 | 0 | if (not_using_psk) { |
749 | | /* We shouldn't have called this extension writer unless we've |
750 | | * chosen to use a PSK. */ |
751 | 0 | return MBEDTLS_ERR_SSL_INTERNAL_ERROR; |
752 | 0 | } |
753 | | |
754 | 0 | MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding pre_shared_key extension")); |
755 | 0 | MBEDTLS_SSL_CHK_BUF_PTR(p, end, 6); |
756 | | |
757 | 0 | MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_PRE_SHARED_KEY, p, 0); |
758 | 0 | MBEDTLS_PUT_UINT16_BE(2, p, 2); |
759 | |
|
760 | 0 | MBEDTLS_PUT_UINT16_BE(ssl->handshake->selected_identity, p, 4); |
761 | |
|
762 | 0 | *olen = 6; |
763 | |
|
764 | 0 | MBEDTLS_SSL_DEBUG_MSG(4, ("sent selected_identity: %u", |
765 | 0 | ssl->handshake->selected_identity)); |
766 | |
|
767 | 0 | mbedtls_ssl_tls13_set_hs_sent_ext_mask(ssl, MBEDTLS_TLS_EXT_PRE_SHARED_KEY); |
768 | |
|
769 | 0 | return 0; |
770 | 0 | } |
771 | | |
772 | | #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */ |
773 | | |
774 | | /* From RFC 8446: |
775 | | * struct { |
776 | | * ProtocolVersion versions<2..254>; |
777 | | * } SupportedVersions; |
778 | | */ |
779 | | MBEDTLS_CHECK_RETURN_CRITICAL |
780 | | static int ssl_tls13_parse_supported_versions_ext(mbedtls_ssl_context *ssl, |
781 | | const unsigned char *buf, |
782 | | const unsigned char *end) |
783 | 241 | { |
784 | 241 | const unsigned char *p = buf; |
785 | 241 | size_t versions_len; |
786 | 241 | const unsigned char *versions_end; |
787 | 241 | uint16_t tls_version; |
788 | 241 | int found_supported_version = 0; |
789 | | |
790 | 241 | MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 1); |
791 | 239 | versions_len = p[0]; |
792 | 239 | p += 1; |
793 | | |
794 | 239 | MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, versions_len); |
795 | 236 | versions_end = p + versions_len; |
796 | 2.46k | while (p < versions_end) { |
797 | 2.44k | MBEDTLS_SSL_CHK_BUF_READ_PTR(p, versions_end, 2); |
798 | 2.43k | tls_version = mbedtls_ssl_read_version(p, ssl->conf->transport); |
799 | 2.43k | p += 2; |
800 | | |
801 | 2.43k | if (MBEDTLS_SSL_VERSION_TLS1_3 == tls_version) { |
802 | 4 | found_supported_version = 1; |
803 | 4 | break; |
804 | 4 | } |
805 | | |
806 | 2.43k | if ((MBEDTLS_SSL_VERSION_TLS1_2 == tls_version) && |
807 | 2.43k | mbedtls_ssl_conf_is_tls12_enabled(ssl->conf)) { |
808 | 208 | found_supported_version = 1; |
809 | 208 | break; |
810 | 208 | } |
811 | 2.43k | } |
812 | | |
813 | 225 | if (!found_supported_version) { |
814 | 13 | MBEDTLS_SSL_DEBUG_MSG(1, ("No supported version found.")); |
815 | | |
816 | 13 | MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION, |
817 | 13 | MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION); |
818 | 13 | return MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION; |
819 | 13 | } |
820 | | |
821 | 212 | MBEDTLS_SSL_DEBUG_MSG(1, ("Negotiated version: [%04x]", |
822 | 212 | (unsigned int) tls_version)); |
823 | | |
824 | 212 | return (int) tls_version; |
825 | 225 | } |
826 | | |
827 | | #if defined(PSA_WANT_ALG_ECDH) || defined(PSA_WANT_ALG_FFDH) |
828 | | /* |
829 | | * |
830 | | * From RFC 8446: |
831 | | * enum { |
832 | | * ... (0xFFFF) |
833 | | * } NamedGroup; |
834 | | * struct { |
835 | | * NamedGroup named_group_list<2..2^16-1>; |
836 | | * } NamedGroupList; |
837 | | */ |
838 | | MBEDTLS_CHECK_RETURN_CRITICAL |
839 | | static int ssl_tls13_parse_supported_groups_ext(mbedtls_ssl_context *ssl, |
840 | | const unsigned char *buf, |
841 | | const unsigned char *end) |
842 | 0 | { |
843 | 0 | const unsigned char *p = buf; |
844 | 0 | size_t named_group_list_len; |
845 | 0 | const unsigned char *named_group_list_end; |
846 | |
|
847 | 0 | MBEDTLS_SSL_DEBUG_BUF(3, "supported_groups extension", p, end - buf); |
848 | 0 | MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2); |
849 | 0 | named_group_list_len = MBEDTLS_GET_UINT16_BE(p, 0); |
850 | 0 | p += 2; |
851 | 0 | MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, named_group_list_len); |
852 | 0 | named_group_list_end = p + named_group_list_len; |
853 | 0 | ssl->handshake->hrr_selected_group = 0; |
854 | |
|
855 | 0 | while (p < named_group_list_end) { |
856 | 0 | uint16_t named_group; |
857 | 0 | MBEDTLS_SSL_CHK_BUF_READ_PTR(p, named_group_list_end, 2); |
858 | 0 | named_group = MBEDTLS_GET_UINT16_BE(p, 0); |
859 | 0 | p += 2; |
860 | |
|
861 | 0 | MBEDTLS_SSL_DEBUG_MSG(2, |
862 | 0 | ("got named group: %s(%04x)", |
863 | 0 | mbedtls_ssl_named_group_to_str(named_group), |
864 | 0 | named_group)); |
865 | |
|
866 | 0 | if (!mbedtls_ssl_named_group_is_offered(ssl, named_group) || |
867 | 0 | !mbedtls_ssl_named_group_is_supported(named_group) || |
868 | 0 | ssl->handshake->hrr_selected_group != 0) { |
869 | 0 | continue; |
870 | 0 | } |
871 | | |
872 | 0 | MBEDTLS_SSL_DEBUG_MSG(2, |
873 | 0 | ("add named group %s(%04x) into received list.", |
874 | 0 | mbedtls_ssl_named_group_to_str(named_group), |
875 | 0 | named_group)); |
876 | |
|
877 | 0 | ssl->handshake->hrr_selected_group = named_group; |
878 | 0 | } |
879 | | |
880 | 0 | return 0; |
881 | |
|
882 | 0 | } |
883 | | #endif /* PSA_WANT_ALG_ECDH || PSA_WANT_ALG_FFDH */ |
884 | | |
885 | 0 | #define SSL_TLS1_3_PARSE_KEY_SHARES_EXT_NO_MATCH 1 |
886 | | |
887 | | #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED) |
888 | | /* |
889 | | * ssl_tls13_parse_key_shares_ext() verifies whether the information in the |
890 | | * extension is correct and stores the first acceptable key share and its |
891 | | * associated group. |
892 | | * |
893 | | * Possible return values are: |
894 | | * - 0: Successful processing of the client provided key share extension. |
895 | | * - SSL_TLS1_3_PARSE_KEY_SHARES_EXT_NO_MATCH: The key shares provided by |
896 | | * the client does not match a group supported by the server. A |
897 | | * HelloRetryRequest will be needed. |
898 | | * - A negative value for fatal errors. |
899 | | */ |
900 | | MBEDTLS_CHECK_RETURN_CRITICAL |
901 | | static int ssl_tls13_parse_key_shares_ext(mbedtls_ssl_context *ssl, |
902 | | const unsigned char *buf, |
903 | | const unsigned char *end) |
904 | 0 | { |
905 | 0 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
906 | 0 | unsigned char const *p = buf; |
907 | 0 | unsigned char const *client_shares_end; |
908 | 0 | size_t client_shares_len; |
909 | | |
910 | | /* From RFC 8446: |
911 | | * |
912 | | * struct { |
913 | | * KeyShareEntry client_shares<0..2^16-1>; |
914 | | * } KeyShareClientHello; |
915 | | * |
916 | | */ |
917 | |
|
918 | 0 | MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2); |
919 | 0 | client_shares_len = MBEDTLS_GET_UINT16_BE(p, 0); |
920 | 0 | p += 2; |
921 | 0 | MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, client_shares_len); |
922 | | |
923 | 0 | ssl->handshake->offered_group_id = 0; |
924 | 0 | client_shares_end = p + client_shares_len; |
925 | | |
926 | | /* We try to find a suitable key share entry and copy it to the |
927 | | * handshake context. Later, we have to find out whether we can do |
928 | | * something with the provided key share or whether we have to |
929 | | * dismiss it and send a HelloRetryRequest message. |
930 | | */ |
931 | |
|
932 | 0 | while (p < client_shares_end) { |
933 | 0 | uint16_t group; |
934 | 0 | size_t key_exchange_len; |
935 | 0 | const unsigned char *key_exchange; |
936 | | |
937 | | /* |
938 | | * struct { |
939 | | * NamedGroup group; |
940 | | * opaque key_exchange<1..2^16-1>; |
941 | | * } KeyShareEntry; |
942 | | */ |
943 | 0 | MBEDTLS_SSL_CHK_BUF_READ_PTR(p, client_shares_end, 4); |
944 | 0 | group = MBEDTLS_GET_UINT16_BE(p, 0); |
945 | 0 | key_exchange_len = MBEDTLS_GET_UINT16_BE(p, 2); |
946 | 0 | p += 4; |
947 | 0 | key_exchange = p; |
948 | 0 | MBEDTLS_SSL_CHK_BUF_READ_PTR(p, client_shares_end, key_exchange_len); |
949 | 0 | p += key_exchange_len; |
950 | | |
951 | | /* Continue parsing even if we have already found a match, |
952 | | * for input validation purposes. |
953 | | */ |
954 | 0 | if (!mbedtls_ssl_named_group_is_offered(ssl, group) || |
955 | 0 | !mbedtls_ssl_named_group_is_supported(group) || |
956 | 0 | ssl->handshake->offered_group_id != 0) { |
957 | 0 | continue; |
958 | 0 | } |
959 | | |
960 | | /* |
961 | | * ECDHE and FFDHE groups are supported |
962 | | */ |
963 | 0 | if (mbedtls_ssl_tls13_named_group_is_ecdhe(group) || |
964 | 0 | mbedtls_ssl_tls13_named_group_is_ffdh(group)) { |
965 | 0 | MBEDTLS_SSL_DEBUG_MSG(2, ("ECDH/FFDH group: %s (%04x)", |
966 | 0 | mbedtls_ssl_named_group_to_str(group), |
967 | 0 | group)); |
968 | 0 | ret = mbedtls_ssl_tls13_read_public_xxdhe_share( |
969 | 0 | ssl, key_exchange - 2, key_exchange_len + 2); |
970 | 0 | if (ret != 0) { |
971 | 0 | return ret; |
972 | 0 | } |
973 | |
|
974 | 0 | } else { |
975 | 0 | MBEDTLS_SSL_DEBUG_MSG(4, ("Unrecognized NamedGroup %u", |
976 | 0 | (unsigned) group)); |
977 | 0 | continue; |
978 | 0 | } |
979 | | |
980 | 0 | ssl->handshake->offered_group_id = group; |
981 | 0 | } |
982 | | |
983 | | |
984 | 0 | if (ssl->handshake->offered_group_id == 0) { |
985 | 0 | MBEDTLS_SSL_DEBUG_MSG(1, ("no matching key share")); |
986 | 0 | return SSL_TLS1_3_PARSE_KEY_SHARES_EXT_NO_MATCH; |
987 | 0 | } |
988 | 0 | return 0; |
989 | 0 | } |
990 | | #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED */ |
991 | | |
992 | | MBEDTLS_CHECK_RETURN_CRITICAL |
993 | | static int ssl_tls13_client_hello_has_exts(mbedtls_ssl_context *ssl, |
994 | | int exts_mask) |
995 | 0 | { |
996 | 0 | int masked = ssl->handshake->received_extensions & exts_mask; |
997 | 0 | return masked == exts_mask; |
998 | 0 | } |
999 | | |
1000 | | #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED) |
1001 | | MBEDTLS_CHECK_RETURN_CRITICAL |
1002 | | static int ssl_tls13_client_hello_has_exts_for_ephemeral_key_exchange( |
1003 | | mbedtls_ssl_context *ssl) |
1004 | 0 | { |
1005 | 0 | return ssl_tls13_client_hello_has_exts( |
1006 | 0 | ssl, |
1007 | 0 | MBEDTLS_SSL_EXT_MASK(SUPPORTED_GROUPS) | |
1008 | 0 | MBEDTLS_SSL_EXT_MASK(KEY_SHARE) | |
1009 | 0 | MBEDTLS_SSL_EXT_MASK(SIG_ALG)); |
1010 | 0 | } |
1011 | | #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */ |
1012 | | |
1013 | | #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED) |
1014 | | MBEDTLS_CHECK_RETURN_CRITICAL |
1015 | | static int ssl_tls13_client_hello_has_exts_for_psk_key_exchange( |
1016 | | mbedtls_ssl_context *ssl) |
1017 | 0 | { |
1018 | 0 | return ssl_tls13_client_hello_has_exts( |
1019 | 0 | ssl, |
1020 | 0 | MBEDTLS_SSL_EXT_MASK(PRE_SHARED_KEY) | |
1021 | 0 | MBEDTLS_SSL_EXT_MASK(PSK_KEY_EXCHANGE_MODES)); |
1022 | 0 | } |
1023 | | #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED */ |
1024 | | |
1025 | | #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED) |
1026 | | MBEDTLS_CHECK_RETURN_CRITICAL |
1027 | | static int ssl_tls13_client_hello_has_exts_for_psk_ephemeral_key_exchange( |
1028 | | mbedtls_ssl_context *ssl) |
1029 | 0 | { |
1030 | 0 | return ssl_tls13_client_hello_has_exts( |
1031 | 0 | ssl, |
1032 | 0 | MBEDTLS_SSL_EXT_MASK(SUPPORTED_GROUPS) | |
1033 | 0 | MBEDTLS_SSL_EXT_MASK(KEY_SHARE) | |
1034 | 0 | MBEDTLS_SSL_EXT_MASK(PRE_SHARED_KEY) | |
1035 | 0 | MBEDTLS_SSL_EXT_MASK(PSK_KEY_EXCHANGE_MODES)); |
1036 | 0 | } |
1037 | | #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED */ |
1038 | | |
1039 | | #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED) |
1040 | | MBEDTLS_CHECK_RETURN_CRITICAL |
1041 | | static int ssl_tls13_key_exchange_is_psk_available(mbedtls_ssl_context *ssl) |
1042 | 0 | { |
1043 | 0 | #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED) |
1044 | 0 | return mbedtls_ssl_conf_tls13_is_psk_enabled(ssl) && |
1045 | 0 | mbedtls_ssl_tls13_is_psk_supported(ssl) && |
1046 | 0 | ssl_tls13_client_hello_has_exts_for_psk_key_exchange(ssl); |
1047 | | #else |
1048 | | ((void) ssl); |
1049 | | return 0; |
1050 | | #endif |
1051 | 0 | } |
1052 | | |
1053 | | MBEDTLS_CHECK_RETURN_CRITICAL |
1054 | | static int ssl_tls13_key_exchange_is_psk_ephemeral_available(mbedtls_ssl_context *ssl) |
1055 | 0 | { |
1056 | 0 | #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED) |
1057 | 0 | return mbedtls_ssl_conf_tls13_is_psk_ephemeral_enabled(ssl) && |
1058 | 0 | mbedtls_ssl_tls13_is_psk_ephemeral_supported(ssl) && |
1059 | 0 | ssl_tls13_client_hello_has_exts_for_psk_ephemeral_key_exchange(ssl); |
1060 | | #else |
1061 | | ((void) ssl); |
1062 | | return 0; |
1063 | | #endif |
1064 | 0 | } |
1065 | | #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */ |
1066 | | |
1067 | | MBEDTLS_CHECK_RETURN_CRITICAL |
1068 | | static int ssl_tls13_key_exchange_is_ephemeral_available(mbedtls_ssl_context *ssl) |
1069 | 0 | { |
1070 | 0 | #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED) |
1071 | 0 | return mbedtls_ssl_conf_tls13_is_ephemeral_enabled(ssl) && |
1072 | 0 | ssl_tls13_client_hello_has_exts_for_ephemeral_key_exchange(ssl); |
1073 | | #else |
1074 | | ((void) ssl); |
1075 | | return 0; |
1076 | | #endif |
1077 | 0 | } |
1078 | | |
1079 | | #if defined(MBEDTLS_X509_CRT_PARSE_C) && \ |
1080 | | defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED) |
1081 | | |
1082 | | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
1083 | | static psa_algorithm_t ssl_tls13_iana_sig_alg_to_psa_alg(uint16_t sig_alg) |
1084 | | { |
1085 | | switch (sig_alg) { |
1086 | | case MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256: |
1087 | | return PSA_ALG_ECDSA(PSA_ALG_SHA_256); |
1088 | | case MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384: |
1089 | | return PSA_ALG_ECDSA(PSA_ALG_SHA_384); |
1090 | | case MBEDTLS_TLS1_3_SIG_ECDSA_SECP521R1_SHA512: |
1091 | | return PSA_ALG_ECDSA(PSA_ALG_SHA_512); |
1092 | | case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256: |
1093 | | return PSA_ALG_RSA_PSS(PSA_ALG_SHA_256); |
1094 | | case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384: |
1095 | | return PSA_ALG_RSA_PSS(PSA_ALG_SHA_384); |
1096 | | case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512: |
1097 | | return PSA_ALG_RSA_PSS(PSA_ALG_SHA_512); |
1098 | | case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256: |
1099 | | return PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256); |
1100 | | case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA384: |
1101 | | return PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_384); |
1102 | | case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA512: |
1103 | | return PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_512); |
1104 | | default: |
1105 | | return PSA_ALG_NONE; |
1106 | | } |
1107 | | } |
1108 | | #endif /* MBEDTLS_USE_PSA_CRYPTO */ |
1109 | | |
1110 | | /* |
1111 | | * Pick best ( private key, certificate chain ) pair based on the signature |
1112 | | * algorithms supported by the client. |
1113 | | */ |
1114 | | MBEDTLS_CHECK_RETURN_CRITICAL |
1115 | | static int ssl_tls13_pick_key_cert(mbedtls_ssl_context *ssl) |
1116 | 0 | { |
1117 | 0 | mbedtls_ssl_key_cert *key_cert, *key_cert_list; |
1118 | 0 | const uint16_t *sig_alg = ssl->handshake->received_sig_algs; |
1119 | |
|
1120 | 0 | #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) |
1121 | 0 | if (ssl->handshake->sni_key_cert != NULL) { |
1122 | 0 | key_cert_list = ssl->handshake->sni_key_cert; |
1123 | 0 | } else |
1124 | 0 | #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ |
1125 | 0 | key_cert_list = ssl->conf->key_cert; |
1126 | |
|
1127 | 0 | if (key_cert_list == NULL) { |
1128 | 0 | MBEDTLS_SSL_DEBUG_MSG(3, ("server has no certificate")); |
1129 | 0 | return -1; |
1130 | 0 | } |
1131 | | |
1132 | 0 | for (; *sig_alg != MBEDTLS_TLS1_3_SIG_NONE; sig_alg++) { |
1133 | 0 | if (!mbedtls_ssl_sig_alg_is_offered(ssl, *sig_alg)) { |
1134 | 0 | continue; |
1135 | 0 | } |
1136 | | |
1137 | 0 | if (!mbedtls_ssl_tls13_sig_alg_for_cert_verify_is_supported(*sig_alg)) { |
1138 | 0 | continue; |
1139 | 0 | } |
1140 | | |
1141 | 0 | for (key_cert = key_cert_list; key_cert != NULL; |
1142 | 0 | key_cert = key_cert->next) { |
1143 | | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
1144 | | psa_algorithm_t psa_alg = PSA_ALG_NONE; |
1145 | | #endif /* MBEDTLS_USE_PSA_CRYPTO */ |
1146 | |
|
1147 | 0 | MBEDTLS_SSL_DEBUG_CRT(3, "certificate (chain) candidate", |
1148 | 0 | key_cert->cert); |
1149 | | |
1150 | | /* |
1151 | | * This avoids sending the client a cert it'll reject based on |
1152 | | * keyUsage or other extensions. |
1153 | | */ |
1154 | 0 | if (mbedtls_x509_crt_check_key_usage( |
1155 | 0 | key_cert->cert, MBEDTLS_X509_KU_DIGITAL_SIGNATURE) != 0 || |
1156 | 0 | mbedtls_x509_crt_check_extended_key_usage( |
1157 | 0 | key_cert->cert, MBEDTLS_OID_SERVER_AUTH, |
1158 | 0 | MBEDTLS_OID_SIZE(MBEDTLS_OID_SERVER_AUTH)) != 0) { |
1159 | 0 | MBEDTLS_SSL_DEBUG_MSG(3, ("certificate mismatch: " |
1160 | 0 | "(extended) key usage extension")); |
1161 | 0 | continue; |
1162 | 0 | } |
1163 | | |
1164 | 0 | MBEDTLS_SSL_DEBUG_MSG(3, |
1165 | 0 | ("ssl_tls13_pick_key_cert:" |
1166 | 0 | "check signature algorithm %s [%04x]", |
1167 | 0 | mbedtls_ssl_sig_alg_to_str(*sig_alg), |
1168 | 0 | *sig_alg)); |
1169 | | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
1170 | | psa_alg = ssl_tls13_iana_sig_alg_to_psa_alg(*sig_alg); |
1171 | | #endif /* MBEDTLS_USE_PSA_CRYPTO */ |
1172 | |
|
1173 | 0 | if (mbedtls_ssl_tls13_check_sig_alg_cert_key_match( |
1174 | 0 | *sig_alg, &key_cert->cert->pk) |
1175 | | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
1176 | | && psa_alg != PSA_ALG_NONE && |
1177 | | mbedtls_pk_can_do_ext(&key_cert->cert->pk, psa_alg, |
1178 | | PSA_KEY_USAGE_SIGN_HASH) == 1 |
1179 | | #endif /* MBEDTLS_USE_PSA_CRYPTO */ |
1180 | 0 | ) { |
1181 | 0 | ssl->handshake->key_cert = key_cert; |
1182 | 0 | MBEDTLS_SSL_DEBUG_MSG(3, |
1183 | 0 | ("ssl_tls13_pick_key_cert:" |
1184 | 0 | "selected signature algorithm" |
1185 | 0 | " %s [%04x]", |
1186 | 0 | mbedtls_ssl_sig_alg_to_str(*sig_alg), |
1187 | 0 | *sig_alg)); |
1188 | 0 | MBEDTLS_SSL_DEBUG_CRT( |
1189 | 0 | 3, "selected certificate (chain)", |
1190 | 0 | ssl->handshake->key_cert->cert); |
1191 | 0 | return 0; |
1192 | 0 | } |
1193 | 0 | } |
1194 | 0 | } |
1195 | | |
1196 | 0 | MBEDTLS_SSL_DEBUG_MSG(2, ("ssl_tls13_pick_key_cert:" |
1197 | 0 | "no suitable certificate found")); |
1198 | 0 | return -1; |
1199 | 0 | } |
1200 | | #endif /* MBEDTLS_X509_CRT_PARSE_C && |
1201 | | MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */ |
1202 | | |
1203 | | /* |
1204 | | * |
1205 | | * STATE HANDLING: ClientHello |
1206 | | * |
1207 | | * There are three possible classes of outcomes when parsing the ClientHello: |
1208 | | * |
1209 | | * 1) The ClientHello was well-formed and matched the server's configuration. |
1210 | | * |
1211 | | * In this case, the server progresses to sending its ServerHello. |
1212 | | * |
1213 | | * 2) The ClientHello was well-formed but didn't match the server's |
1214 | | * configuration. |
1215 | | * |
1216 | | * For example, the client might not have offered a key share which |
1217 | | * the server supports, or the server might require a cookie. |
1218 | | * |
1219 | | * In this case, the server sends a HelloRetryRequest. |
1220 | | * |
1221 | | * 3) The ClientHello was ill-formed |
1222 | | * |
1223 | | * In this case, we abort the handshake. |
1224 | | * |
1225 | | */ |
1226 | | |
1227 | | /* |
1228 | | * Structure of this message: |
1229 | | * |
1230 | | * uint16 ProtocolVersion; |
1231 | | * opaque Random[32]; |
1232 | | * uint8 CipherSuite[2]; // Cryptographic suite selector |
1233 | | * |
1234 | | * struct { |
1235 | | * ProtocolVersion legacy_version = 0x0303; // TLS v1.2 |
1236 | | * Random random; |
1237 | | * opaque legacy_session_id<0..32>; |
1238 | | * CipherSuite cipher_suites<2..2^16-2>; |
1239 | | * opaque legacy_compression_methods<1..2^8-1>; |
1240 | | * Extension extensions<8..2^16-1>; |
1241 | | * } ClientHello; |
1242 | | */ |
1243 | | |
1244 | 0 | #define SSL_CLIENT_HELLO_OK 0 |
1245 | 0 | #define SSL_CLIENT_HELLO_HRR_REQUIRED 1 |
1246 | 2.33k | #define SSL_CLIENT_HELLO_TLS1_2 2 |
1247 | | |
1248 | | MBEDTLS_CHECK_RETURN_CRITICAL |
1249 | | static int ssl_tls13_parse_client_hello(mbedtls_ssl_context *ssl, |
1250 | | const unsigned char *buf, |
1251 | | const unsigned char *end) |
1252 | 1.28k | { |
1253 | 1.28k | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
1254 | 1.28k | const unsigned char *p = buf; |
1255 | 1.28k | const unsigned char *random; |
1256 | 1.28k | size_t legacy_session_id_len; |
1257 | 1.28k | const unsigned char *legacy_session_id; |
1258 | 1.28k | size_t cipher_suites_len; |
1259 | 1.28k | const unsigned char *cipher_suites; |
1260 | 1.28k | const unsigned char *cipher_suites_end; |
1261 | 1.28k | size_t extensions_len; |
1262 | 1.28k | const unsigned char *extensions_end; |
1263 | 1.28k | const unsigned char *supported_versions_data; |
1264 | 1.28k | const unsigned char *supported_versions_data_end; |
1265 | 1.28k | mbedtls_ssl_handshake_params *handshake = ssl->handshake; |
1266 | 1.28k | int hrr_required = 0; |
1267 | 1.28k | int no_usable_share_for_key_agreement = 0; |
1268 | | |
1269 | 1.28k | #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED) |
1270 | 1.28k | int got_psk = 0; |
1271 | 1.28k | struct psk_attributes psk = PSK_ATTRIBUTES_INIT; |
1272 | 1.28k | const unsigned char *pre_shared_key_ext = NULL; |
1273 | 1.28k | const unsigned char *pre_shared_key_ext_end = NULL; |
1274 | 1.28k | #endif |
1275 | | |
1276 | | /* |
1277 | | * ClientHello layout: |
1278 | | * 0 . 1 protocol version |
1279 | | * 2 . 33 random bytes |
1280 | | * 34 . 34 session id length ( 1 byte ) |
1281 | | * 35 . 34+x session id |
1282 | | * .. . .. ciphersuite list length ( 2 bytes ) |
1283 | | * .. . .. ciphersuite list |
1284 | | * .. . .. compression alg. list length ( 1 byte ) |
1285 | | * .. . .. compression alg. list |
1286 | | * .. . .. extensions length ( 2 bytes, optional ) |
1287 | | * .. . .. extensions ( optional ) |
1288 | | */ |
1289 | | |
1290 | | /* |
1291 | | * Minimal length ( with everything empty and extensions omitted ) is |
1292 | | * 2 + 32 + 1 + 2 + 1 = 38 bytes. Check that first, so that we can |
1293 | | * read at least up to session id length without worrying. |
1294 | | */ |
1295 | 1.28k | MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 38); |
1296 | | |
1297 | | /* ... |
1298 | | * ProtocolVersion legacy_version = 0x0303; // TLS 1.2 |
1299 | | * ... |
1300 | | * with ProtocolVersion defined as: |
1301 | | * uint16 ProtocolVersion; |
1302 | | */ |
1303 | 1.27k | if (mbedtls_ssl_read_version(p, ssl->conf->transport) != |
1304 | 1.27k | MBEDTLS_SSL_VERSION_TLS1_2) { |
1305 | 6 | MBEDTLS_SSL_DEBUG_MSG(1, ("Unsupported version of TLS.")); |
1306 | 6 | MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION, |
1307 | 6 | MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION); |
1308 | 6 | return MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION; |
1309 | 6 | } |
1310 | 1.27k | p += 2; |
1311 | | |
1312 | | /* ... |
1313 | | * Random random; |
1314 | | * ... |
1315 | | * with Random defined as: |
1316 | | * opaque Random[32]; |
1317 | | */ |
1318 | 1.27k | random = p; |
1319 | 1.27k | p += MBEDTLS_CLIENT_HELLO_RANDOM_LEN; |
1320 | | |
1321 | | /* ... |
1322 | | * opaque legacy_session_id<0..32>; |
1323 | | * ... |
1324 | | */ |
1325 | 1.27k | legacy_session_id_len = *(p++); |
1326 | 1.27k | legacy_session_id = p; |
1327 | | |
1328 | | /* |
1329 | | * Check we have enough data for the legacy session identifier |
1330 | | * and the ciphersuite list length. |
1331 | | */ |
1332 | 1.27k | MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, legacy_session_id_len + 2); |
1333 | 1.26k | p += legacy_session_id_len; |
1334 | | |
1335 | | /* ... |
1336 | | * CipherSuite cipher_suites<2..2^16-2>; |
1337 | | * ... |
1338 | | * with CipherSuite defined as: |
1339 | | * uint8 CipherSuite[2]; |
1340 | | */ |
1341 | 1.26k | cipher_suites_len = MBEDTLS_GET_UINT16_BE(p, 0); |
1342 | 1.26k | p += 2; |
1343 | 1.26k | cipher_suites = p; |
1344 | | |
1345 | | /* |
1346 | | * The length of the ciphersuite list has to be even. |
1347 | | */ |
1348 | 1.26k | if (cipher_suites_len & 1) { |
1349 | 2 | MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR, |
1350 | 2 | MBEDTLS_ERR_SSL_DECODE_ERROR); |
1351 | 2 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
1352 | 2 | } |
1353 | | |
1354 | | /* Check we have enough data for the ciphersuite list, the legacy |
1355 | | * compression methods and the length of the extensions. |
1356 | | * |
1357 | | * cipher_suites cipher_suites_len bytes |
1358 | | * legacy_compression_methods length 1 byte |
1359 | | */ |
1360 | 1.26k | MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, cipher_suites_len + 1); |
1361 | 1.25k | p += cipher_suites_len; |
1362 | 1.25k | cipher_suites_end = p; |
1363 | | |
1364 | | /* Check if we have enough data for legacy_compression_methods |
1365 | | * and the length of the extensions (2 bytes). |
1366 | | */ |
1367 | 1.25k | MBEDTLS_SSL_CHK_BUF_READ_PTR(p + 1, end, p[0] + 2); |
1368 | | |
1369 | | /* |
1370 | | * Search for the supported versions extension and parse it to determine |
1371 | | * if the client supports TLS 1.3. |
1372 | | */ |
1373 | 1.24k | ret = mbedtls_ssl_tls13_is_supported_versions_ext_present_in_exts( |
1374 | 1.24k | ssl, p + 1 + p[0], end, |
1375 | 1.24k | &supported_versions_data, &supported_versions_data_end); |
1376 | 1.24k | if (ret < 0) { |
1377 | 47 | MBEDTLS_SSL_DEBUG_RET(1, |
1378 | 47 | ("mbedtls_ssl_tls13_is_supported_versions_ext_present_in_exts"), ret); |
1379 | 47 | return ret; |
1380 | 47 | } |
1381 | | |
1382 | 1.19k | if (ret == 0) { |
1383 | 958 | return SSL_CLIENT_HELLO_TLS1_2; |
1384 | 958 | } |
1385 | | |
1386 | 241 | if (ret == 1) { |
1387 | 241 | ret = ssl_tls13_parse_supported_versions_ext(ssl, |
1388 | 241 | supported_versions_data, |
1389 | 241 | supported_versions_data_end); |
1390 | 241 | if (ret < 0) { |
1391 | 29 | MBEDTLS_SSL_DEBUG_RET(1, |
1392 | 29 | ("ssl_tls13_parse_supported_versions_ext"), ret); |
1393 | 29 | return ret; |
1394 | 29 | } |
1395 | | |
1396 | | /* |
1397 | | * The supported versions extension was parsed successfully as the |
1398 | | * value returned by ssl_tls13_parse_supported_versions_ext() is |
1399 | | * positive. The return value is then equal to |
1400 | | * MBEDTLS_SSL_VERSION_TLS1_2 or MBEDTLS_SSL_VERSION_TLS1_3, defining |
1401 | | * the TLS version to negotiate. |
1402 | | */ |
1403 | 212 | if (MBEDTLS_SSL_VERSION_TLS1_2 == ret) { |
1404 | 208 | return SSL_CLIENT_HELLO_TLS1_2; |
1405 | 208 | } |
1406 | 212 | } |
1407 | | |
1408 | | /* |
1409 | | * We negotiate TLS 1.3. |
1410 | | */ |
1411 | 4 | ssl->tls_version = MBEDTLS_SSL_VERSION_TLS1_3; |
1412 | 4 | ssl->session_negotiate->tls_version = MBEDTLS_SSL_VERSION_TLS1_3; |
1413 | 4 | ssl->session_negotiate->endpoint = ssl->conf->endpoint; |
1414 | | |
1415 | | /* Before doing any crypto, make sure we can. */ |
1416 | 4 | ret = mbedtls_ssl_tls13_crypto_init(ssl); |
1417 | 4 | if (ret != 0) { |
1418 | 4 | return ret; |
1419 | 4 | } |
1420 | | |
1421 | | /* |
1422 | | * We are negotiating the version 1.3 of the protocol. Do what we have |
1423 | | * postponed: copy of the client random bytes, copy of the legacy session |
1424 | | * identifier and selection of the TLS 1.3 cipher suite. |
1425 | | */ |
1426 | 0 | MBEDTLS_SSL_DEBUG_BUF(3, "client hello, random bytes", |
1427 | 0 | random, MBEDTLS_CLIENT_HELLO_RANDOM_LEN); |
1428 | 0 | memcpy(&handshake->randbytes[0], random, MBEDTLS_CLIENT_HELLO_RANDOM_LEN); |
1429 | |
|
1430 | 0 | if (legacy_session_id_len > sizeof(ssl->session_negotiate->id)) { |
1431 | 0 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); |
1432 | 0 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
1433 | 0 | } |
1434 | 0 | ssl->session_negotiate->id_len = legacy_session_id_len; |
1435 | 0 | MBEDTLS_SSL_DEBUG_BUF(3, "client hello, session id", |
1436 | 0 | legacy_session_id, legacy_session_id_len); |
1437 | 0 | memcpy(&ssl->session_negotiate->id[0], |
1438 | 0 | legacy_session_id, legacy_session_id_len); |
1439 | | |
1440 | | /* |
1441 | | * Search for a matching ciphersuite |
1442 | | */ |
1443 | 0 | MBEDTLS_SSL_DEBUG_BUF(3, "client hello, list of cipher suites", |
1444 | 0 | cipher_suites, cipher_suites_len); |
1445 | |
|
1446 | 0 | ssl_tls13_select_ciphersuite(ssl, cipher_suites, cipher_suites_end, |
1447 | 0 | 0, PSA_ALG_NONE, &handshake->ciphersuite_info); |
1448 | |
|
1449 | 0 | if (handshake->ciphersuite_info == NULL) { |
1450 | 0 | MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE, |
1451 | 0 | MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE); |
1452 | 0 | return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; |
1453 | 0 | } |
1454 | 0 | ssl->session_negotiate->ciphersuite = handshake->ciphersuite_info->id; |
1455 | |
|
1456 | 0 | MBEDTLS_SSL_DEBUG_MSG(2, ("selected ciphersuite: %04x - %s", |
1457 | 0 | ((unsigned) handshake->ciphersuite_info->id), |
1458 | 0 | handshake->ciphersuite_info->name)); |
1459 | | |
1460 | | /* ... |
1461 | | * opaque legacy_compression_methods<1..2^8-1>; |
1462 | | * ... |
1463 | | */ |
1464 | 0 | if (p[0] != 1 || p[1] != MBEDTLS_SSL_COMPRESS_NULL) { |
1465 | 0 | MBEDTLS_SSL_DEBUG_MSG(1, ("bad legacy compression method")); |
1466 | 0 | MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER, |
1467 | 0 | MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER); |
1468 | 0 | return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; |
1469 | 0 | } |
1470 | 0 | p += 2; |
1471 | | |
1472 | | /* ... |
1473 | | * Extension extensions<8..2^16-1>; |
1474 | | * ... |
1475 | | * with Extension defined as: |
1476 | | * struct { |
1477 | | * ExtensionType extension_type; |
1478 | | * opaque extension_data<0..2^16-1>; |
1479 | | * } Extension; |
1480 | | */ |
1481 | 0 | extensions_len = MBEDTLS_GET_UINT16_BE(p, 0); |
1482 | 0 | p += 2; |
1483 | 0 | MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, extensions_len); |
1484 | 0 | extensions_end = p + extensions_len; |
1485 | |
|
1486 | 0 | MBEDTLS_SSL_DEBUG_BUF(3, "client hello extensions", p, extensions_len); |
1487 | 0 | handshake->received_extensions = MBEDTLS_SSL_EXT_MASK_NONE; |
1488 | |
|
1489 | 0 | while (p < extensions_end) { |
1490 | 0 | unsigned int extension_type; |
1491 | 0 | size_t extension_data_len; |
1492 | 0 | const unsigned char *extension_data_end; |
1493 | 0 | uint32_t allowed_exts = MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CH; |
1494 | |
|
1495 | 0 | if (ssl->handshake->hello_retry_request_flag) { |
1496 | | /* Do not accept early data extension in 2nd ClientHello */ |
1497 | 0 | allowed_exts &= ~MBEDTLS_SSL_EXT_MASK(EARLY_DATA); |
1498 | 0 | } |
1499 | | |
1500 | | /* RFC 8446, section 4.2.11 |
1501 | | * |
1502 | | * The "pre_shared_key" extension MUST be the last extension in the |
1503 | | * ClientHello (this facilitates implementation as described below). |
1504 | | * Servers MUST check that it is the last extension and otherwise fail |
1505 | | * the handshake with an "illegal_parameter" alert. |
1506 | | */ |
1507 | 0 | if (handshake->received_extensions & MBEDTLS_SSL_EXT_MASK(PRE_SHARED_KEY)) { |
1508 | 0 | MBEDTLS_SSL_DEBUG_MSG( |
1509 | 0 | 3, ("pre_shared_key is not last extension.")); |
1510 | 0 | MBEDTLS_SSL_PEND_FATAL_ALERT( |
1511 | 0 | MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER, |
1512 | 0 | MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER); |
1513 | 0 | return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; |
1514 | 0 | } |
1515 | | |
1516 | 0 | MBEDTLS_SSL_CHK_BUF_READ_PTR(p, extensions_end, 4); |
1517 | 0 | extension_type = MBEDTLS_GET_UINT16_BE(p, 0); |
1518 | 0 | extension_data_len = MBEDTLS_GET_UINT16_BE(p, 2); |
1519 | 0 | p += 4; |
1520 | |
|
1521 | 0 | MBEDTLS_SSL_CHK_BUF_READ_PTR(p, extensions_end, extension_data_len); |
1522 | 0 | extension_data_end = p + extension_data_len; |
1523 | |
|
1524 | 0 | ret = mbedtls_ssl_tls13_check_received_extension( |
1525 | 0 | ssl, MBEDTLS_SSL_HS_CLIENT_HELLO, extension_type, |
1526 | 0 | allowed_exts); |
1527 | 0 | if (ret != 0) { |
1528 | 0 | return ret; |
1529 | 0 | } |
1530 | | |
1531 | 0 | switch (extension_type) { |
1532 | 0 | #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) |
1533 | 0 | case MBEDTLS_TLS_EXT_SERVERNAME: |
1534 | 0 | MBEDTLS_SSL_DEBUG_MSG(3, ("found ServerName extension")); |
1535 | 0 | ret = mbedtls_ssl_parse_server_name_ext(ssl, p, |
1536 | 0 | extension_data_end); |
1537 | 0 | if (ret != 0) { |
1538 | 0 | MBEDTLS_SSL_DEBUG_RET( |
1539 | 0 | 1, "mbedtls_ssl_parse_servername_ext", ret); |
1540 | 0 | return ret; |
1541 | 0 | } |
1542 | 0 | break; |
1543 | 0 | #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ |
1544 | | |
1545 | 0 | #if defined(PSA_WANT_ALG_ECDH) || defined(PSA_WANT_ALG_FFDH) |
1546 | 0 | case MBEDTLS_TLS_EXT_SUPPORTED_GROUPS: |
1547 | 0 | MBEDTLS_SSL_DEBUG_MSG(3, ("found supported group extension")); |
1548 | | |
1549 | | /* Supported Groups Extension |
1550 | | * |
1551 | | * When sent by the client, the "supported_groups" extension |
1552 | | * indicates the named groups which the client supports, |
1553 | | * ordered from most preferred to least preferred. |
1554 | | */ |
1555 | 0 | ret = ssl_tls13_parse_supported_groups_ext( |
1556 | 0 | ssl, p, extension_data_end); |
1557 | 0 | if (ret != 0) { |
1558 | 0 | MBEDTLS_SSL_DEBUG_RET( |
1559 | 0 | 1, "ssl_tls13_parse_supported_groups_ext", ret); |
1560 | 0 | return ret; |
1561 | 0 | } |
1562 | | |
1563 | 0 | break; |
1564 | 0 | #endif /* PSA_WANT_ALG_ECDH || PSA_WANT_ALG_FFDH*/ |
1565 | | |
1566 | 0 | #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED) |
1567 | 0 | case MBEDTLS_TLS_EXT_KEY_SHARE: |
1568 | 0 | MBEDTLS_SSL_DEBUG_MSG(3, ("found key share extension")); |
1569 | | |
1570 | | /* |
1571 | | * Key Share Extension |
1572 | | * |
1573 | | * When sent by the client, the "key_share" extension |
1574 | | * contains the endpoint's cryptographic parameters for |
1575 | | * ECDHE/DHE key establishment methods. |
1576 | | */ |
1577 | 0 | ret = ssl_tls13_parse_key_shares_ext( |
1578 | 0 | ssl, p, extension_data_end); |
1579 | 0 | if (ret == SSL_TLS1_3_PARSE_KEY_SHARES_EXT_NO_MATCH) { |
1580 | 0 | MBEDTLS_SSL_DEBUG_MSG(2, ("No usable share for key agreement.")); |
1581 | 0 | no_usable_share_for_key_agreement = 1; |
1582 | 0 | } |
1583 | |
|
1584 | 0 | if (ret < 0) { |
1585 | 0 | MBEDTLS_SSL_DEBUG_RET( |
1586 | 0 | 1, "ssl_tls13_parse_key_shares_ext", ret); |
1587 | 0 | return ret; |
1588 | 0 | } |
1589 | | |
1590 | 0 | break; |
1591 | 0 | #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED */ |
1592 | | |
1593 | 0 | case MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS: |
1594 | | /* Already parsed */ |
1595 | 0 | break; |
1596 | | |
1597 | 0 | #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED) |
1598 | 0 | case MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES: |
1599 | 0 | MBEDTLS_SSL_DEBUG_MSG( |
1600 | 0 | 3, ("found psk key exchange modes extension")); |
1601 | |
|
1602 | 0 | ret = ssl_tls13_parse_key_exchange_modes_ext( |
1603 | 0 | ssl, p, extension_data_end); |
1604 | 0 | if (ret != 0) { |
1605 | 0 | MBEDTLS_SSL_DEBUG_RET( |
1606 | 0 | 1, "ssl_tls13_parse_key_exchange_modes_ext", ret); |
1607 | 0 | return ret; |
1608 | 0 | } |
1609 | | |
1610 | 0 | break; |
1611 | 0 | #endif |
1612 | | |
1613 | 0 | case MBEDTLS_TLS_EXT_PRE_SHARED_KEY: |
1614 | 0 | MBEDTLS_SSL_DEBUG_MSG(3, ("found pre_shared_key extension")); |
1615 | 0 | if ((handshake->received_extensions & |
1616 | 0 | MBEDTLS_SSL_EXT_MASK(PSK_KEY_EXCHANGE_MODES)) == 0) { |
1617 | 0 | MBEDTLS_SSL_PEND_FATAL_ALERT( |
1618 | 0 | MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER, |
1619 | 0 | MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER); |
1620 | 0 | return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; |
1621 | 0 | } |
1622 | 0 | #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED) |
1623 | | /* Delay processing of the PSK identity once we have |
1624 | | * found out which algorithms to use. We keep a pointer |
1625 | | * to the buffer and the size for later processing. |
1626 | | */ |
1627 | 0 | pre_shared_key_ext = p; |
1628 | 0 | pre_shared_key_ext_end = extension_data_end; |
1629 | 0 | #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */ |
1630 | 0 | break; |
1631 | | |
1632 | 0 | #if defined(MBEDTLS_SSL_ALPN) |
1633 | 0 | case MBEDTLS_TLS_EXT_ALPN: |
1634 | 0 | MBEDTLS_SSL_DEBUG_MSG(3, ("found alpn extension")); |
1635 | |
|
1636 | 0 | ret = mbedtls_ssl_parse_alpn_ext(ssl, p, extension_data_end); |
1637 | 0 | if (ret != 0) { |
1638 | 0 | MBEDTLS_SSL_DEBUG_RET( |
1639 | 0 | 1, ("mbedtls_ssl_parse_alpn_ext"), ret); |
1640 | 0 | return ret; |
1641 | 0 | } |
1642 | 0 | break; |
1643 | 0 | #endif /* MBEDTLS_SSL_ALPN */ |
1644 | | |
1645 | 0 | #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED) |
1646 | 0 | case MBEDTLS_TLS_EXT_SIG_ALG: |
1647 | 0 | MBEDTLS_SSL_DEBUG_MSG(3, ("found signature_algorithms extension")); |
1648 | |
|
1649 | 0 | ret = mbedtls_ssl_parse_sig_alg_ext( |
1650 | 0 | ssl, p, extension_data_end); |
1651 | 0 | if (ret != 0) { |
1652 | 0 | MBEDTLS_SSL_DEBUG_RET( |
1653 | 0 | 1, "mbedtls_ssl_parse_sig_alg_ext", ret); |
1654 | 0 | return ret; |
1655 | 0 | } |
1656 | 0 | break; |
1657 | 0 | #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */ |
1658 | | |
1659 | 0 | #if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT) |
1660 | 0 | case MBEDTLS_TLS_EXT_RECORD_SIZE_LIMIT: |
1661 | 0 | MBEDTLS_SSL_DEBUG_MSG(3, ("found record_size_limit extension")); |
1662 | |
|
1663 | 0 | ret = mbedtls_ssl_tls13_parse_record_size_limit_ext( |
1664 | 0 | ssl, p, extension_data_end); |
1665 | 0 | if (ret != 0) { |
1666 | 0 | MBEDTLS_SSL_DEBUG_RET( |
1667 | 0 | 1, ("mbedtls_ssl_tls13_parse_record_size_limit_ext"), ret); |
1668 | 0 | return ret; |
1669 | 0 | } |
1670 | 0 | break; |
1671 | 0 | #endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */ |
1672 | | |
1673 | 0 | default: |
1674 | 0 | MBEDTLS_SSL_PRINT_EXT( |
1675 | 0 | 3, MBEDTLS_SSL_HS_CLIENT_HELLO, |
1676 | 0 | extension_type, "( ignored )"); |
1677 | 0 | break; |
1678 | 0 | } |
1679 | | |
1680 | 0 | p += extension_data_len; |
1681 | 0 | } |
1682 | | |
1683 | 0 | MBEDTLS_SSL_PRINT_EXTS(3, MBEDTLS_SSL_HS_CLIENT_HELLO, |
1684 | 0 | handshake->received_extensions); |
1685 | |
|
1686 | 0 | ret = mbedtls_ssl_add_hs_hdr_to_checksum(ssl, |
1687 | 0 | MBEDTLS_SSL_HS_CLIENT_HELLO, |
1688 | 0 | p - buf); |
1689 | 0 | if (0 != ret) { |
1690 | 0 | MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ssl_add_hs_hdr_to_checksum"), ret); |
1691 | 0 | return ret; |
1692 | 0 | } |
1693 | | |
1694 | 0 | #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED) |
1695 | | /* Update checksum with either |
1696 | | * - The entire content of the CH message, if no PSK extension is present |
1697 | | * - The content up to but excluding the PSK extension, if present. |
1698 | | * Always parse the pre-shared-key extension when present in the |
1699 | | * ClientHello even if some pre-requisites for PSK key exchange modes are |
1700 | | * not met. That way we always validate the syntax of the extension. |
1701 | | */ |
1702 | 0 | if (handshake->received_extensions & MBEDTLS_SSL_EXT_MASK(PRE_SHARED_KEY)) { |
1703 | 0 | ret = handshake->update_checksum(ssl, buf, |
1704 | 0 | pre_shared_key_ext - buf); |
1705 | 0 | if (0 != ret) { |
1706 | 0 | MBEDTLS_SSL_DEBUG_RET(1, ("update_checksum"), ret); |
1707 | 0 | return ret; |
1708 | 0 | } |
1709 | 0 | ret = ssl_tls13_parse_pre_shared_key_ext(ssl, |
1710 | 0 | pre_shared_key_ext, |
1711 | 0 | pre_shared_key_ext_end, |
1712 | 0 | cipher_suites, |
1713 | 0 | cipher_suites_end, |
1714 | 0 | &psk); |
1715 | 0 | if (ret == 0) { |
1716 | 0 | got_psk = 1; |
1717 | 0 | } else if (ret != MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY) { |
1718 | 0 | MBEDTLS_SSL_DEBUG_RET( |
1719 | 0 | 1, "ssl_tls13_parse_pre_shared_key_ext", ret); |
1720 | 0 | return ret; |
1721 | 0 | } |
1722 | 0 | } else |
1723 | 0 | #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */ |
1724 | 0 | { |
1725 | 0 | ret = handshake->update_checksum(ssl, buf, p - buf); |
1726 | 0 | if (0 != ret) { |
1727 | 0 | MBEDTLS_SSL_DEBUG_RET(1, ("update_checksum"), ret); |
1728 | 0 | return ret; |
1729 | 0 | } |
1730 | 0 | } |
1731 | | |
1732 | | /* |
1733 | | * Determine the key exchange algorithm to use. |
1734 | | * There are three types of key exchanges supported in TLS 1.3: |
1735 | | * - (EC)DH with ECDSA, |
1736 | | * - (EC)DH with PSK, |
1737 | | * - plain PSK. |
1738 | | * |
1739 | | * The PSK-based key exchanges may additionally be used with 0-RTT. |
1740 | | * |
1741 | | * Our built-in order of preference is |
1742 | | * 1 ) (EC)DHE-PSK Mode ( psk_ephemeral ) |
1743 | | * 2 ) Certificate Mode ( ephemeral ) |
1744 | | * 3 ) Plain PSK Mode ( psk ) |
1745 | | */ |
1746 | 0 | #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED) |
1747 | 0 | if (got_psk && (psk.key_exchange_mode == |
1748 | 0 | MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL)) { |
1749 | 0 | handshake->key_exchange_mode = |
1750 | 0 | MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL; |
1751 | 0 | MBEDTLS_SSL_DEBUG_MSG(2, ("key exchange mode: psk_ephemeral")); |
1752 | |
|
1753 | 0 | } else |
1754 | 0 | #endif |
1755 | 0 | if (ssl_tls13_key_exchange_is_ephemeral_available(ssl)) { |
1756 | 0 | handshake->key_exchange_mode = |
1757 | 0 | MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL; |
1758 | 0 | MBEDTLS_SSL_DEBUG_MSG(2, ("key exchange mode: ephemeral")); |
1759 | |
|
1760 | 0 | } |
1761 | 0 | #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED) |
1762 | 0 | else if (got_psk && (psk.key_exchange_mode == |
1763 | 0 | MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK)) { |
1764 | 0 | handshake->key_exchange_mode = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK; |
1765 | 0 | MBEDTLS_SSL_DEBUG_MSG(2, ("key exchange mode: psk")); |
1766 | 0 | } |
1767 | 0 | #endif |
1768 | 0 | else { |
1769 | 0 | MBEDTLS_SSL_DEBUG_MSG( |
1770 | 0 | 1, |
1771 | 0 | ("ClientHello message misses mandatory extensions.")); |
1772 | 0 | MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_MISSING_EXTENSION, |
1773 | 0 | MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER); |
1774 | 0 | return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; |
1775 | 0 | } |
1776 | | |
1777 | 0 | #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED) |
1778 | 0 | if (handshake->key_exchange_mode & |
1779 | 0 | MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL) { |
1780 | 0 | handshake->ciphersuite_info = psk.ciphersuite_info; |
1781 | 0 | ssl->session_negotiate->ciphersuite = psk.ciphersuite_info->id; |
1782 | |
|
1783 | 0 | MBEDTLS_SSL_DEBUG_MSG(2, ("Select PSK ciphersuite: %04x - %s", |
1784 | 0 | ((unsigned) psk.ciphersuite_info->id), |
1785 | 0 | psk.ciphersuite_info->name)); |
1786 | |
|
1787 | 0 | if (psk.type == MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION) { |
1788 | 0 | handshake->resume = 1; |
1789 | 0 | } |
1790 | 0 | } |
1791 | 0 | #endif |
1792 | |
|
1793 | 0 | if (handshake->key_exchange_mode != |
1794 | 0 | MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK) { |
1795 | 0 | hrr_required = (no_usable_share_for_key_agreement != 0); |
1796 | 0 | } |
1797 | |
|
1798 | 0 | mbedtls_ssl_optimize_checksum(ssl, handshake->ciphersuite_info); |
1799 | |
|
1800 | 0 | return hrr_required ? SSL_CLIENT_HELLO_HRR_REQUIRED : SSL_CLIENT_HELLO_OK; |
1801 | 0 | } |
1802 | | |
1803 | | #if defined(MBEDTLS_SSL_EARLY_DATA) |
1804 | | static int ssl_tls13_check_early_data_requirements(mbedtls_ssl_context *ssl) |
1805 | 0 | { |
1806 | 0 | mbedtls_ssl_handshake_params *handshake = ssl->handshake; |
1807 | |
|
1808 | 0 | if (ssl->conf->early_data_enabled == MBEDTLS_SSL_EARLY_DATA_DISABLED) { |
1809 | 0 | MBEDTLS_SSL_DEBUG_MSG( |
1810 | 0 | 1, |
1811 | 0 | ("EarlyData: rejected, feature disabled in server configuration.")); |
1812 | 0 | return -1; |
1813 | 0 | } |
1814 | | |
1815 | 0 | if (!handshake->resume) { |
1816 | | /* We currently support early data only in the case of PSKs established |
1817 | | via a NewSessionTicket message thus in the case of a session |
1818 | | resumption. */ |
1819 | 0 | MBEDTLS_SSL_DEBUG_MSG( |
1820 | 0 | 1, ("EarlyData: rejected, not a session resumption.")); |
1821 | 0 | return -1; |
1822 | 0 | } |
1823 | | |
1824 | | /* RFC 8446 4.2.10 |
1825 | | * |
1826 | | * In order to accept early data, the server MUST have accepted a PSK cipher |
1827 | | * suite and selected the first key offered in the client's "pre_shared_key" |
1828 | | * extension. In addition, it MUST verify that the following values are the |
1829 | | * same as those associated with the selected PSK: |
1830 | | * - The TLS version number |
1831 | | * - The selected cipher suite |
1832 | | * - The selected ALPN [RFC7301] protocol, if any |
1833 | | * |
1834 | | * NOTE: |
1835 | | * - The TLS version number is checked in |
1836 | | * ssl_tls13_offered_psks_check_identity_match_ticket(). |
1837 | | */ |
1838 | | |
1839 | 0 | if (handshake->selected_identity != 0) { |
1840 | 0 | MBEDTLS_SSL_DEBUG_MSG( |
1841 | 0 | 1, ("EarlyData: rejected, the selected key in " |
1842 | 0 | "`pre_shared_key` is not the first one.")); |
1843 | 0 | return -1; |
1844 | 0 | } |
1845 | | |
1846 | 0 | if (handshake->ciphersuite_info->id != |
1847 | 0 | ssl->session_negotiate->ciphersuite) { |
1848 | 0 | MBEDTLS_SSL_DEBUG_MSG( |
1849 | 0 | 1, ("EarlyData: rejected, the selected ciphersuite is not the one " |
1850 | 0 | "of the selected pre-shared key.")); |
1851 | 0 | return -1; |
1852 | |
|
1853 | 0 | } |
1854 | | |
1855 | 0 | if (!mbedtls_ssl_tls13_session_ticket_allow_early_data(ssl->session_negotiate)) { |
1856 | 0 | MBEDTLS_SSL_DEBUG_MSG( |
1857 | 0 | 1, |
1858 | 0 | ("EarlyData: rejected, early_data not allowed in ticket " |
1859 | 0 | "permission bits.")); |
1860 | 0 | return -1; |
1861 | 0 | } |
1862 | | |
1863 | 0 | #if defined(MBEDTLS_SSL_ALPN) |
1864 | 0 | const char *alpn = mbedtls_ssl_get_alpn_protocol(ssl); |
1865 | 0 | size_t alpn_len; |
1866 | |
|
1867 | 0 | if (alpn == NULL && ssl->session_negotiate->ticket_alpn == NULL) { |
1868 | 0 | return 0; |
1869 | 0 | } |
1870 | | |
1871 | 0 | if (alpn != NULL) { |
1872 | 0 | alpn_len = strlen(alpn); |
1873 | 0 | } |
1874 | |
|
1875 | 0 | if (alpn == NULL || |
1876 | 0 | ssl->session_negotiate->ticket_alpn == NULL || |
1877 | 0 | alpn_len != strlen(ssl->session_negotiate->ticket_alpn) || |
1878 | 0 | (memcmp(alpn, ssl->session_negotiate->ticket_alpn, alpn_len) != 0)) { |
1879 | 0 | MBEDTLS_SSL_DEBUG_MSG(1, ("EarlyData: rejected, the selected ALPN is different " |
1880 | 0 | "from the one associated with the pre-shared key.")); |
1881 | 0 | return -1; |
1882 | 0 | } |
1883 | 0 | #endif |
1884 | | |
1885 | 0 | return 0; |
1886 | 0 | } |
1887 | | #endif /* MBEDTLS_SSL_EARLY_DATA */ |
1888 | | |
1889 | | /* Update the handshake state machine */ |
1890 | | |
1891 | | MBEDTLS_CHECK_RETURN_CRITICAL |
1892 | | static int ssl_tls13_postprocess_client_hello(mbedtls_ssl_context *ssl, |
1893 | | int hrr_required) |
1894 | 0 | { |
1895 | 0 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
1896 | | |
1897 | | /* |
1898 | | * Server certificate selection |
1899 | | */ |
1900 | 0 | if (ssl->conf->f_cert_cb && (ret = ssl->conf->f_cert_cb(ssl)) != 0) { |
1901 | 0 | MBEDTLS_SSL_DEBUG_RET(1, "f_cert_cb", ret); |
1902 | 0 | return ret; |
1903 | 0 | } |
1904 | 0 | #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) |
1905 | 0 | ssl->handshake->sni_name = NULL; |
1906 | 0 | ssl->handshake->sni_name_len = 0; |
1907 | 0 | #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ |
1908 | |
|
1909 | 0 | ret = mbedtls_ssl_tls13_key_schedule_stage_early(ssl); |
1910 | 0 | if (ret != 0) { |
1911 | 0 | MBEDTLS_SSL_DEBUG_RET(1, |
1912 | 0 | "mbedtls_ssl_tls1_3_key_schedule_stage_early", ret); |
1913 | 0 | return ret; |
1914 | 0 | } |
1915 | | |
1916 | 0 | #if defined(MBEDTLS_SSL_EARLY_DATA) |
1917 | 0 | if (ssl->handshake->received_extensions & MBEDTLS_SSL_EXT_MASK(EARLY_DATA)) { |
1918 | 0 | ssl->handshake->early_data_accepted = |
1919 | 0 | (!hrr_required) && (ssl_tls13_check_early_data_requirements(ssl) == 0); |
1920 | |
|
1921 | 0 | if (ssl->handshake->early_data_accepted) { |
1922 | 0 | ret = mbedtls_ssl_tls13_compute_early_transform(ssl); |
1923 | 0 | if (ret != 0) { |
1924 | 0 | MBEDTLS_SSL_DEBUG_RET( |
1925 | 0 | 1, "mbedtls_ssl_tls13_compute_early_transform", ret); |
1926 | 0 | return ret; |
1927 | 0 | } |
1928 | 0 | } else { |
1929 | 0 | ssl->discard_early_data_record = |
1930 | 0 | hrr_required ? |
1931 | 0 | MBEDTLS_SSL_EARLY_DATA_DISCARD : |
1932 | 0 | MBEDTLS_SSL_EARLY_DATA_TRY_TO_DEPROTECT_AND_DISCARD; |
1933 | 0 | } |
1934 | 0 | } |
1935 | | #else |
1936 | | ((void) hrr_required); |
1937 | | #endif /* MBEDTLS_SSL_EARLY_DATA */ |
1938 | | |
1939 | 0 | return 0; |
1940 | 0 | } |
1941 | | |
1942 | | /* |
1943 | | * Main entry point from the state machine; orchestrates the otherfunctions. |
1944 | | */ |
1945 | | |
1946 | | MBEDTLS_CHECK_RETURN_CRITICAL |
1947 | | static int ssl_tls13_process_client_hello(mbedtls_ssl_context *ssl) |
1948 | 1.59k | { |
1949 | | |
1950 | 1.59k | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
1951 | 1.59k | unsigned char *buf = NULL; |
1952 | 1.59k | size_t buflen = 0; |
1953 | 1.59k | int parse_client_hello_ret; |
1954 | | |
1955 | 1.59k | MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse client hello")); |
1956 | | |
1957 | 1.59k | MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_tls13_fetch_handshake_msg( |
1958 | 1.59k | ssl, MBEDTLS_SSL_HS_CLIENT_HELLO, |
1959 | 1.59k | &buf, &buflen)); |
1960 | | |
1961 | 1.28k | MBEDTLS_SSL_PROC_CHK_NEG(ssl_tls13_parse_client_hello(ssl, buf, |
1962 | 1.28k | buf + buflen)); |
1963 | 1.16k | parse_client_hello_ret = ret; /* Store positive return value of |
1964 | | * parse_client_hello, |
1965 | | * as negative error codes are handled |
1966 | | * by MBEDTLS_SSL_PROC_CHK_NEG. */ |
1967 | | |
1968 | | /* |
1969 | | * Version 1.2 of the protocol has to be used for the handshake. |
1970 | | * If TLS 1.2 is not supported, abort the handshake. Otherwise, set the |
1971 | | * ssl->keep_current_message flag for the ClientHello to be kept and parsed |
1972 | | * as a TLS 1.2 ClientHello. We also change ssl->tls_version to |
1973 | | * MBEDTLS_SSL_VERSION_TLS1_2 thus from now on mbedtls_ssl_handshake_step() |
1974 | | * will dispatch to the TLS 1.2 state machine. |
1975 | | */ |
1976 | 1.16k | if (SSL_CLIENT_HELLO_TLS1_2 == parse_client_hello_ret) { |
1977 | | /* Check if server supports TLS 1.2 */ |
1978 | 1.16k | if (!mbedtls_ssl_conf_is_tls12_enabled(ssl->conf)) { |
1979 | 0 | MBEDTLS_SSL_DEBUG_MSG( |
1980 | 0 | 1, ("TLS 1.2 not supported.")); |
1981 | 0 | MBEDTLS_SSL_PEND_FATAL_ALERT( |
1982 | 0 | MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION, |
1983 | 0 | MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION); |
1984 | 0 | return MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION; |
1985 | 0 | } |
1986 | 1.16k | ssl->keep_current_message = 1; |
1987 | 1.16k | ssl->tls_version = MBEDTLS_SSL_VERSION_TLS1_2; |
1988 | 1.16k | return 0; |
1989 | 1.16k | } |
1990 | | |
1991 | 0 | MBEDTLS_SSL_PROC_CHK( |
1992 | 0 | ssl_tls13_postprocess_client_hello(ssl, parse_client_hello_ret == |
1993 | 0 | SSL_CLIENT_HELLO_HRR_REQUIRED)); |
1994 | | |
1995 | 0 | if (SSL_CLIENT_HELLO_OK == parse_client_hello_ret) { |
1996 | 0 | mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_HELLO); |
1997 | 0 | } else { |
1998 | 0 | mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HELLO_RETRY_REQUEST); |
1999 | 0 | } |
2000 | |
|
2001 | 433 | cleanup: |
2002 | | |
2003 | 433 | MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse client hello")); |
2004 | 433 | return ret; |
2005 | 0 | } |
2006 | | |
2007 | | /* |
2008 | | * Handler for MBEDTLS_SSL_SERVER_HELLO |
2009 | | */ |
2010 | | MBEDTLS_CHECK_RETURN_CRITICAL |
2011 | | static int ssl_tls13_prepare_server_hello(mbedtls_ssl_context *ssl) |
2012 | 0 | { |
2013 | 0 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
2014 | 0 | unsigned char *server_randbytes = |
2015 | 0 | ssl->handshake->randbytes + MBEDTLS_CLIENT_HELLO_RANDOM_LEN; |
2016 | |
|
2017 | 0 | if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, server_randbytes, |
2018 | 0 | MBEDTLS_SERVER_HELLO_RANDOM_LEN)) != 0) { |
2019 | 0 | MBEDTLS_SSL_DEBUG_RET(1, "f_rng", ret); |
2020 | 0 | return ret; |
2021 | 0 | } |
2022 | | |
2023 | 0 | MBEDTLS_SSL_DEBUG_BUF(3, "server hello, random bytes", server_randbytes, |
2024 | 0 | MBEDTLS_SERVER_HELLO_RANDOM_LEN); |
2025 | |
|
2026 | 0 | #if defined(MBEDTLS_HAVE_TIME) |
2027 | 0 | ssl->session_negotiate->start = mbedtls_time(NULL); |
2028 | 0 | #endif /* MBEDTLS_HAVE_TIME */ |
2029 | |
|
2030 | 0 | return ret; |
2031 | 0 | } |
2032 | | |
2033 | | /* |
2034 | | * ssl_tls13_write_server_hello_supported_versions_ext (): |
2035 | | * |
2036 | | * struct { |
2037 | | * ProtocolVersion selected_version; |
2038 | | * } SupportedVersions; |
2039 | | */ |
2040 | | MBEDTLS_CHECK_RETURN_CRITICAL |
2041 | | static int ssl_tls13_write_server_hello_supported_versions_ext( |
2042 | | mbedtls_ssl_context *ssl, |
2043 | | unsigned char *buf, |
2044 | | unsigned char *end, |
2045 | | size_t *out_len) |
2046 | 0 | { |
2047 | 0 | *out_len = 0; |
2048 | |
|
2049 | 0 | MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, write selected version")); |
2050 | | |
2051 | | /* Check if we have space to write the extension: |
2052 | | * - extension_type (2 bytes) |
2053 | | * - extension_data_length (2 bytes) |
2054 | | * - selected_version (2 bytes) |
2055 | | */ |
2056 | 0 | MBEDTLS_SSL_CHK_BUF_PTR(buf, end, 6); |
2057 | | |
2058 | 0 | MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS, buf, 0); |
2059 | |
|
2060 | 0 | MBEDTLS_PUT_UINT16_BE(2, buf, 2); |
2061 | |
|
2062 | 0 | mbedtls_ssl_write_version(buf + 4, |
2063 | 0 | ssl->conf->transport, |
2064 | 0 | ssl->tls_version); |
2065 | |
|
2066 | 0 | MBEDTLS_SSL_DEBUG_MSG(3, ("supported version: [%04x]", |
2067 | 0 | ssl->tls_version)); |
2068 | |
|
2069 | 0 | *out_len = 6; |
2070 | |
|
2071 | 0 | mbedtls_ssl_tls13_set_hs_sent_ext_mask( |
2072 | 0 | ssl, MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS); |
2073 | |
|
2074 | 0 | return 0; |
2075 | 0 | } |
2076 | | |
2077 | | |
2078 | | |
2079 | | /* Generate and export a single key share. For hybrid KEMs, this can |
2080 | | * be called multiple times with the different components of the hybrid. */ |
2081 | | MBEDTLS_CHECK_RETURN_CRITICAL |
2082 | | static int ssl_tls13_generate_and_write_key_share(mbedtls_ssl_context *ssl, |
2083 | | uint16_t named_group, |
2084 | | unsigned char *buf, |
2085 | | unsigned char *end, |
2086 | | size_t *out_len) |
2087 | 0 | { |
2088 | 0 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
2089 | |
|
2090 | 0 | *out_len = 0; |
2091 | |
|
2092 | 0 | #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED) |
2093 | 0 | if (mbedtls_ssl_tls13_named_group_is_ecdhe(named_group) || |
2094 | 0 | mbedtls_ssl_tls13_named_group_is_ffdh(named_group)) { |
2095 | 0 | ret = mbedtls_ssl_tls13_generate_and_write_xxdh_key_exchange( |
2096 | 0 | ssl, named_group, buf, end, out_len); |
2097 | 0 | if (ret != 0) { |
2098 | 0 | MBEDTLS_SSL_DEBUG_RET( |
2099 | 0 | 1, "mbedtls_ssl_tls13_generate_and_write_xxdh_key_exchange", |
2100 | 0 | ret); |
2101 | 0 | return ret; |
2102 | 0 | } |
2103 | 0 | } else |
2104 | 0 | #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED */ |
2105 | 0 | if (0 /* Other kinds of KEMs */) { |
2106 | 0 | } else { |
2107 | 0 | ((void) ssl); |
2108 | 0 | ((void) named_group); |
2109 | 0 | ((void) buf); |
2110 | 0 | ((void) end); |
2111 | 0 | ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR; |
2112 | 0 | } |
2113 | | |
2114 | 0 | return ret; |
2115 | 0 | } |
2116 | | |
2117 | | /* |
2118 | | * ssl_tls13_write_key_share_ext |
2119 | | * |
2120 | | * Structure of key_share extension in ServerHello: |
2121 | | * |
2122 | | * struct { |
2123 | | * NamedGroup group; |
2124 | | * opaque key_exchange<1..2^16-1>; |
2125 | | * } KeyShareEntry; |
2126 | | * struct { |
2127 | | * KeyShareEntry server_share; |
2128 | | * } KeyShareServerHello; |
2129 | | */ |
2130 | | MBEDTLS_CHECK_RETURN_CRITICAL |
2131 | | static int ssl_tls13_write_key_share_ext(mbedtls_ssl_context *ssl, |
2132 | | unsigned char *buf, |
2133 | | unsigned char *end, |
2134 | | size_t *out_len) |
2135 | 0 | { |
2136 | 0 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
2137 | 0 | unsigned char *p = buf; |
2138 | 0 | uint16_t group = ssl->handshake->offered_group_id; |
2139 | 0 | unsigned char *server_share = buf + 4; |
2140 | 0 | size_t key_exchange_length; |
2141 | |
|
2142 | 0 | *out_len = 0; |
2143 | |
|
2144 | 0 | MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding key share extension")); |
2145 | |
|
2146 | 0 | MBEDTLS_SSL_DEBUG_MSG(2, ("server hello, write selected_group: %s (%04x)", |
2147 | 0 | mbedtls_ssl_named_group_to_str(group), |
2148 | 0 | group)); |
2149 | | |
2150 | | /* Check if we have space for header and length fields: |
2151 | | * - extension_type (2 bytes) |
2152 | | * - extension_data_length (2 bytes) |
2153 | | * - group (2 bytes) |
2154 | | * - key_exchange_length (2 bytes) |
2155 | | */ |
2156 | 0 | MBEDTLS_SSL_CHK_BUF_PTR(p, end, 8); |
2157 | 0 | MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_KEY_SHARE, p, 0); |
2158 | 0 | MBEDTLS_PUT_UINT16_BE(group, server_share, 0); |
2159 | 0 | p += 8; |
2160 | | |
2161 | | /* When we introduce PQC-ECDHE hybrids, we'll want to call this |
2162 | | * function multiple times. */ |
2163 | 0 | ret = ssl_tls13_generate_and_write_key_share( |
2164 | 0 | ssl, group, server_share + 4, end, &key_exchange_length); |
2165 | 0 | if (ret != 0) { |
2166 | 0 | return ret; |
2167 | 0 | } |
2168 | 0 | p += key_exchange_length; |
2169 | |
|
2170 | 0 | MBEDTLS_PUT_UINT16_BE(key_exchange_length, server_share + 2, 0); |
2171 | |
|
2172 | 0 | MBEDTLS_PUT_UINT16_BE(p - server_share, buf, 2); |
2173 | |
|
2174 | 0 | *out_len = p - buf; |
2175 | |
|
2176 | 0 | mbedtls_ssl_tls13_set_hs_sent_ext_mask(ssl, MBEDTLS_TLS_EXT_KEY_SHARE); |
2177 | |
|
2178 | 0 | return 0; |
2179 | 0 | } |
2180 | | |
2181 | | MBEDTLS_CHECK_RETURN_CRITICAL |
2182 | | static int ssl_tls13_write_hrr_key_share_ext(mbedtls_ssl_context *ssl, |
2183 | | unsigned char *buf, |
2184 | | unsigned char *end, |
2185 | | size_t *out_len) |
2186 | 0 | { |
2187 | 0 | uint16_t selected_group = ssl->handshake->hrr_selected_group; |
2188 | | /* key_share Extension |
2189 | | * |
2190 | | * struct { |
2191 | | * select (Handshake.msg_type) { |
2192 | | * ... |
2193 | | * case hello_retry_request: |
2194 | | * NamedGroup selected_group; |
2195 | | * ... |
2196 | | * }; |
2197 | | * } KeyShare; |
2198 | | */ |
2199 | |
|
2200 | 0 | *out_len = 0; |
2201 | | |
2202 | | /* |
2203 | | * For a pure PSK key exchange, there is no group to agree upon. The purpose |
2204 | | * of the HRR is then to transmit a cookie to force the client to demonstrate |
2205 | | * reachability at their apparent network address (primarily useful for DTLS). |
2206 | | */ |
2207 | 0 | if (!mbedtls_ssl_tls13_key_exchange_mode_with_ephemeral(ssl)) { |
2208 | 0 | return 0; |
2209 | 0 | } |
2210 | | |
2211 | | /* We should only send the key_share extension if the client's initial |
2212 | | * key share was not acceptable. */ |
2213 | 0 | if (ssl->handshake->offered_group_id != 0) { |
2214 | 0 | MBEDTLS_SSL_DEBUG_MSG(4, ("Skip key_share extension in HRR")); |
2215 | 0 | return 0; |
2216 | 0 | } |
2217 | | |
2218 | 0 | if (selected_group == 0) { |
2219 | 0 | MBEDTLS_SSL_DEBUG_MSG(1, ("no matching named group found")); |
2220 | 0 | return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; |
2221 | 0 | } |
2222 | | |
2223 | | /* Check if we have enough space: |
2224 | | * - extension_type (2 bytes) |
2225 | | * - extension_data_length (2 bytes) |
2226 | | * - selected_group (2 bytes) |
2227 | | */ |
2228 | 0 | MBEDTLS_SSL_CHK_BUF_PTR(buf, end, 6); |
2229 | | |
2230 | 0 | MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_KEY_SHARE, buf, 0); |
2231 | 0 | MBEDTLS_PUT_UINT16_BE(2, buf, 2); |
2232 | 0 | MBEDTLS_PUT_UINT16_BE(selected_group, buf, 4); |
2233 | |
|
2234 | 0 | MBEDTLS_SSL_DEBUG_MSG(3, |
2235 | 0 | ("HRR selected_group: %s (%x)", |
2236 | 0 | mbedtls_ssl_named_group_to_str(selected_group), |
2237 | 0 | selected_group)); |
2238 | |
|
2239 | 0 | *out_len = 6; |
2240 | |
|
2241 | 0 | mbedtls_ssl_tls13_set_hs_sent_ext_mask(ssl, MBEDTLS_TLS_EXT_KEY_SHARE); |
2242 | |
|
2243 | 0 | return 0; |
2244 | 0 | } |
2245 | | |
2246 | | /* |
2247 | | * Structure of ServerHello message: |
2248 | | * |
2249 | | * struct { |
2250 | | * ProtocolVersion legacy_version = 0x0303; // TLS v1.2 |
2251 | | * Random random; |
2252 | | * opaque legacy_session_id_echo<0..32>; |
2253 | | * CipherSuite cipher_suite; |
2254 | | * uint8 legacy_compression_method = 0; |
2255 | | * Extension extensions<6..2^16-1>; |
2256 | | * } ServerHello; |
2257 | | */ |
2258 | | MBEDTLS_CHECK_RETURN_CRITICAL |
2259 | | static int ssl_tls13_write_server_hello_body(mbedtls_ssl_context *ssl, |
2260 | | unsigned char *buf, |
2261 | | unsigned char *end, |
2262 | | size_t *out_len, |
2263 | | int is_hrr) |
2264 | 0 | { |
2265 | 0 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
2266 | 0 | unsigned char *p = buf; |
2267 | 0 | unsigned char *p_extensions_len; |
2268 | 0 | size_t output_len; |
2269 | |
|
2270 | 0 | *out_len = 0; |
2271 | 0 | ssl->handshake->sent_extensions = MBEDTLS_SSL_EXT_MASK_NONE; |
2272 | | |
2273 | | /* ... |
2274 | | * ProtocolVersion legacy_version = 0x0303; // TLS 1.2 |
2275 | | * ... |
2276 | | * with ProtocolVersion defined as: |
2277 | | * uint16 ProtocolVersion; |
2278 | | */ |
2279 | 0 | MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2); |
2280 | 0 | MBEDTLS_PUT_UINT16_BE(0x0303, p, 0); |
2281 | 0 | p += 2; |
2282 | | |
2283 | | /* ... |
2284 | | * Random random; |
2285 | | * ... |
2286 | | * with Random defined as: |
2287 | | * opaque Random[MBEDTLS_SERVER_HELLO_RANDOM_LEN]; |
2288 | | */ |
2289 | 0 | MBEDTLS_SSL_CHK_BUF_PTR(p, end, MBEDTLS_SERVER_HELLO_RANDOM_LEN); |
2290 | 0 | if (is_hrr) { |
2291 | 0 | memcpy(p, mbedtls_ssl_tls13_hello_retry_request_magic, |
2292 | 0 | MBEDTLS_SERVER_HELLO_RANDOM_LEN); |
2293 | 0 | } else { |
2294 | 0 | memcpy(p, &ssl->handshake->randbytes[MBEDTLS_CLIENT_HELLO_RANDOM_LEN], |
2295 | 0 | MBEDTLS_SERVER_HELLO_RANDOM_LEN); |
2296 | 0 | } |
2297 | 0 | MBEDTLS_SSL_DEBUG_BUF(3, "server hello, random bytes", |
2298 | 0 | p, MBEDTLS_SERVER_HELLO_RANDOM_LEN); |
2299 | 0 | p += MBEDTLS_SERVER_HELLO_RANDOM_LEN; |
2300 | | |
2301 | | /* ... |
2302 | | * opaque legacy_session_id_echo<0..32>; |
2303 | | * ... |
2304 | | */ |
2305 | 0 | MBEDTLS_SSL_CHK_BUF_PTR(p, end, 1 + ssl->session_negotiate->id_len); |
2306 | 0 | *p++ = (unsigned char) ssl->session_negotiate->id_len; |
2307 | 0 | if (ssl->session_negotiate->id_len > 0) { |
2308 | 0 | memcpy(p, &ssl->session_negotiate->id[0], |
2309 | 0 | ssl->session_negotiate->id_len); |
2310 | 0 | p += ssl->session_negotiate->id_len; |
2311 | |
|
2312 | 0 | MBEDTLS_SSL_DEBUG_BUF(3, "session id", ssl->session_negotiate->id, |
2313 | 0 | ssl->session_negotiate->id_len); |
2314 | 0 | } |
2315 | | |
2316 | | /* ... |
2317 | | * CipherSuite cipher_suite; |
2318 | | * ... |
2319 | | * with CipherSuite defined as: |
2320 | | * uint8 CipherSuite[2]; |
2321 | | */ |
2322 | 0 | MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2); |
2323 | 0 | MBEDTLS_PUT_UINT16_BE(ssl->session_negotiate->ciphersuite, p, 0); |
2324 | 0 | p += 2; |
2325 | 0 | MBEDTLS_SSL_DEBUG_MSG(3, |
2326 | 0 | ("server hello, chosen ciphersuite: %s ( id=%d )", |
2327 | 0 | mbedtls_ssl_get_ciphersuite_name( |
2328 | 0 | ssl->session_negotiate->ciphersuite), |
2329 | 0 | ssl->session_negotiate->ciphersuite)); |
2330 | | |
2331 | | /* ... |
2332 | | * uint8 legacy_compression_method = 0; |
2333 | | * ... |
2334 | | */ |
2335 | 0 | MBEDTLS_SSL_CHK_BUF_PTR(p, end, 1); |
2336 | 0 | *p++ = MBEDTLS_SSL_COMPRESS_NULL; |
2337 | | |
2338 | | /* ... |
2339 | | * Extension extensions<6..2^16-1>; |
2340 | | * ... |
2341 | | * struct { |
2342 | | * ExtensionType extension_type; (2 bytes) |
2343 | | * opaque extension_data<0..2^16-1>; |
2344 | | * } Extension; |
2345 | | */ |
2346 | 0 | MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2); |
2347 | 0 | p_extensions_len = p; |
2348 | 0 | p += 2; |
2349 | |
|
2350 | 0 | if ((ret = ssl_tls13_write_server_hello_supported_versions_ext( |
2351 | 0 | ssl, p, end, &output_len)) != 0) { |
2352 | 0 | MBEDTLS_SSL_DEBUG_RET( |
2353 | 0 | 1, "ssl_tls13_write_server_hello_supported_versions_ext", ret); |
2354 | 0 | return ret; |
2355 | 0 | } |
2356 | 0 | p += output_len; |
2357 | |
|
2358 | 0 | if (mbedtls_ssl_tls13_key_exchange_mode_with_ephemeral(ssl)) { |
2359 | 0 | if (is_hrr) { |
2360 | 0 | ret = ssl_tls13_write_hrr_key_share_ext(ssl, p, end, &output_len); |
2361 | 0 | } else { |
2362 | 0 | ret = ssl_tls13_write_key_share_ext(ssl, p, end, &output_len); |
2363 | 0 | } |
2364 | 0 | if (ret != 0) { |
2365 | 0 | return ret; |
2366 | 0 | } |
2367 | 0 | p += output_len; |
2368 | 0 | } |
2369 | | |
2370 | 0 | #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED) |
2371 | 0 | if (!is_hrr && mbedtls_ssl_tls13_key_exchange_mode_with_psk(ssl)) { |
2372 | 0 | ret = ssl_tls13_write_server_pre_shared_key_ext(ssl, p, end, &output_len); |
2373 | 0 | if (ret != 0) { |
2374 | 0 | MBEDTLS_SSL_DEBUG_RET(1, "ssl_tls13_write_server_pre_shared_key_ext", |
2375 | 0 | ret); |
2376 | 0 | return ret; |
2377 | 0 | } |
2378 | 0 | p += output_len; |
2379 | 0 | } |
2380 | 0 | #endif |
2381 | | |
2382 | 0 | MBEDTLS_PUT_UINT16_BE(p - p_extensions_len - 2, p_extensions_len, 0); |
2383 | |
|
2384 | 0 | MBEDTLS_SSL_DEBUG_BUF(4, "server hello extensions", |
2385 | 0 | p_extensions_len, p - p_extensions_len); |
2386 | |
|
2387 | 0 | *out_len = p - buf; |
2388 | |
|
2389 | 0 | MBEDTLS_SSL_DEBUG_BUF(3, "server hello", buf, *out_len); |
2390 | |
|
2391 | 0 | MBEDTLS_SSL_PRINT_EXTS( |
2392 | 0 | 3, is_hrr ? MBEDTLS_SSL_TLS1_3_HS_HELLO_RETRY_REQUEST : |
2393 | 0 | MBEDTLS_SSL_HS_SERVER_HELLO, |
2394 | 0 | ssl->handshake->sent_extensions); |
2395 | |
|
2396 | 0 | return ret; |
2397 | 0 | } |
2398 | | |
2399 | | MBEDTLS_CHECK_RETURN_CRITICAL |
2400 | | static int ssl_tls13_finalize_server_hello(mbedtls_ssl_context *ssl) |
2401 | 0 | { |
2402 | 0 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
2403 | 0 | ret = mbedtls_ssl_tls13_compute_handshake_transform(ssl); |
2404 | 0 | if (ret != 0) { |
2405 | 0 | MBEDTLS_SSL_DEBUG_RET(1, |
2406 | 0 | "mbedtls_ssl_tls13_compute_handshake_transform", |
2407 | 0 | ret); |
2408 | 0 | return ret; |
2409 | 0 | } |
2410 | | |
2411 | 0 | return ret; |
2412 | 0 | } |
2413 | | |
2414 | | MBEDTLS_CHECK_RETURN_CRITICAL |
2415 | | static int ssl_tls13_write_server_hello(mbedtls_ssl_context *ssl) |
2416 | 0 | { |
2417 | 0 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
2418 | 0 | unsigned char *buf; |
2419 | 0 | size_t buf_len, msg_len; |
2420 | |
|
2421 | 0 | MBEDTLS_SSL_DEBUG_MSG(2, ("=> write server hello")); |
2422 | |
|
2423 | 0 | MBEDTLS_SSL_PROC_CHK(ssl_tls13_prepare_server_hello(ssl)); |
2424 | | |
2425 | 0 | MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_start_handshake_msg( |
2426 | 0 | ssl, MBEDTLS_SSL_HS_SERVER_HELLO, &buf, &buf_len)); |
2427 | | |
2428 | 0 | MBEDTLS_SSL_PROC_CHK(ssl_tls13_write_server_hello_body(ssl, buf, |
2429 | 0 | buf + buf_len, |
2430 | 0 | &msg_len, |
2431 | 0 | 0)); |
2432 | | |
2433 | 0 | MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum( |
2434 | 0 | ssl, MBEDTLS_SSL_HS_SERVER_HELLO, buf, msg_len)); |
2435 | | |
2436 | 0 | MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_finish_handshake_msg( |
2437 | 0 | ssl, buf_len, msg_len)); |
2438 | | |
2439 | 0 | MBEDTLS_SSL_PROC_CHK(ssl_tls13_finalize_server_hello(ssl)); |
2440 | | |
2441 | 0 | #if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE) |
2442 | | /* The server sends a dummy change_cipher_spec record immediately |
2443 | | * after its first handshake message. This may either be after |
2444 | | * a ServerHello or a HelloRetryRequest. |
2445 | | */ |
2446 | 0 | mbedtls_ssl_handshake_set_state( |
2447 | 0 | ssl, MBEDTLS_SSL_SERVER_CCS_AFTER_SERVER_HELLO); |
2448 | | #else |
2449 | | mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_ENCRYPTED_EXTENSIONS); |
2450 | | #endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */ |
2451 | |
|
2452 | 0 | cleanup: |
2453 | |
|
2454 | 0 | MBEDTLS_SSL_DEBUG_MSG(2, ("<= write server hello")); |
2455 | 0 | return ret; |
2456 | 0 | } |
2457 | | |
2458 | | |
2459 | | /* |
2460 | | * Handler for MBEDTLS_SSL_HELLO_RETRY_REQUEST |
2461 | | */ |
2462 | | MBEDTLS_CHECK_RETURN_CRITICAL |
2463 | | static int ssl_tls13_prepare_hello_retry_request(mbedtls_ssl_context *ssl) |
2464 | 0 | { |
2465 | 0 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
2466 | 0 | if (ssl->handshake->hello_retry_request_flag) { |
2467 | 0 | MBEDTLS_SSL_DEBUG_MSG(1, ("Too many HRRs")); |
2468 | 0 | MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE, |
2469 | 0 | MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE); |
2470 | 0 | return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; |
2471 | 0 | } |
2472 | | |
2473 | | /* |
2474 | | * Create stateless transcript hash for HRR |
2475 | | */ |
2476 | 0 | MBEDTLS_SSL_DEBUG_MSG(4, ("Reset transcript for HRR")); |
2477 | 0 | ret = mbedtls_ssl_reset_transcript_for_hrr(ssl); |
2478 | 0 | if (ret != 0) { |
2479 | 0 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_reset_transcript_for_hrr", ret); |
2480 | 0 | return ret; |
2481 | 0 | } |
2482 | 0 | mbedtls_ssl_session_reset_msg_layer(ssl, 0); |
2483 | |
|
2484 | 0 | return 0; |
2485 | 0 | } |
2486 | | |
2487 | | MBEDTLS_CHECK_RETURN_CRITICAL |
2488 | | static int ssl_tls13_write_hello_retry_request(mbedtls_ssl_context *ssl) |
2489 | 0 | { |
2490 | 0 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
2491 | 0 | unsigned char *buf; |
2492 | 0 | size_t buf_len, msg_len; |
2493 | |
|
2494 | 0 | MBEDTLS_SSL_DEBUG_MSG(2, ("=> write hello retry request")); |
2495 | |
|
2496 | 0 | MBEDTLS_SSL_PROC_CHK(ssl_tls13_prepare_hello_retry_request(ssl)); |
2497 | | |
2498 | 0 | MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_start_handshake_msg( |
2499 | 0 | ssl, MBEDTLS_SSL_HS_SERVER_HELLO, |
2500 | 0 | &buf, &buf_len)); |
2501 | | |
2502 | 0 | MBEDTLS_SSL_PROC_CHK(ssl_tls13_write_server_hello_body(ssl, buf, |
2503 | 0 | buf + buf_len, |
2504 | 0 | &msg_len, |
2505 | 0 | 1)); |
2506 | 0 | MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum( |
2507 | 0 | ssl, MBEDTLS_SSL_HS_SERVER_HELLO, buf, msg_len)); |
2508 | | |
2509 | | |
2510 | 0 | MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_finish_handshake_msg(ssl, buf_len, |
2511 | 0 | msg_len)); |
2512 | | |
2513 | 0 | ssl->handshake->hello_retry_request_flag = 1; |
2514 | |
|
2515 | 0 | #if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE) |
2516 | | /* The server sends a dummy change_cipher_spec record immediately |
2517 | | * after its first handshake message. This may either be after |
2518 | | * a ServerHello or a HelloRetryRequest. |
2519 | | */ |
2520 | 0 | mbedtls_ssl_handshake_set_state( |
2521 | 0 | ssl, MBEDTLS_SSL_SERVER_CCS_AFTER_HELLO_RETRY_REQUEST); |
2522 | | #else |
2523 | | mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_HELLO); |
2524 | | #endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */ |
2525 | |
|
2526 | 0 | cleanup: |
2527 | 0 | MBEDTLS_SSL_DEBUG_MSG(2, ("<= write hello retry request")); |
2528 | 0 | return ret; |
2529 | 0 | } |
2530 | | |
2531 | | /* |
2532 | | * Handler for MBEDTLS_SSL_ENCRYPTED_EXTENSIONS |
2533 | | */ |
2534 | | |
2535 | | /* |
2536 | | * struct { |
2537 | | * Extension extensions<0..2 ^ 16 - 1>; |
2538 | | * } EncryptedExtensions; |
2539 | | * |
2540 | | */ |
2541 | | MBEDTLS_CHECK_RETURN_CRITICAL |
2542 | | static int ssl_tls13_write_encrypted_extensions_body(mbedtls_ssl_context *ssl, |
2543 | | unsigned char *buf, |
2544 | | unsigned char *end, |
2545 | | size_t *out_len) |
2546 | 0 | { |
2547 | 0 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
2548 | 0 | unsigned char *p = buf; |
2549 | 0 | size_t extensions_len = 0; |
2550 | 0 | unsigned char *p_extensions_len; |
2551 | 0 | size_t output_len; |
2552 | |
|
2553 | 0 | *out_len = 0; |
2554 | |
|
2555 | 0 | MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2); |
2556 | 0 | p_extensions_len = p; |
2557 | 0 | p += 2; |
2558 | |
|
2559 | 0 | ((void) ssl); |
2560 | 0 | ((void) ret); |
2561 | 0 | ((void) output_len); |
2562 | |
|
2563 | 0 | #if defined(MBEDTLS_SSL_ALPN) |
2564 | 0 | ret = mbedtls_ssl_write_alpn_ext(ssl, p, end, &output_len); |
2565 | 0 | if (ret != 0) { |
2566 | 0 | return ret; |
2567 | 0 | } |
2568 | 0 | p += output_len; |
2569 | 0 | #endif /* MBEDTLS_SSL_ALPN */ |
2570 | |
|
2571 | 0 | #if defined(MBEDTLS_SSL_EARLY_DATA) |
2572 | 0 | if (ssl->handshake->early_data_accepted) { |
2573 | 0 | ret = mbedtls_ssl_tls13_write_early_data_ext( |
2574 | 0 | ssl, 0, p, end, &output_len); |
2575 | 0 | if (ret != 0) { |
2576 | 0 | return ret; |
2577 | 0 | } |
2578 | 0 | p += output_len; |
2579 | 0 | } |
2580 | 0 | #endif /* MBEDTLS_SSL_EARLY_DATA */ |
2581 | | |
2582 | 0 | #if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT) |
2583 | 0 | if (ssl->handshake->received_extensions & MBEDTLS_SSL_EXT_MASK(RECORD_SIZE_LIMIT)) { |
2584 | 0 | ret = mbedtls_ssl_tls13_write_record_size_limit_ext( |
2585 | 0 | ssl, p, end, &output_len); |
2586 | 0 | if (ret != 0) { |
2587 | 0 | return ret; |
2588 | 0 | } |
2589 | 0 | p += output_len; |
2590 | 0 | } |
2591 | 0 | #endif |
2592 | | |
2593 | 0 | extensions_len = (p - p_extensions_len) - 2; |
2594 | 0 | MBEDTLS_PUT_UINT16_BE(extensions_len, p_extensions_len, 0); |
2595 | |
|
2596 | 0 | *out_len = p - buf; |
2597 | |
|
2598 | 0 | MBEDTLS_SSL_DEBUG_BUF(4, "encrypted extensions", buf, *out_len); |
2599 | |
|
2600 | 0 | MBEDTLS_SSL_PRINT_EXTS( |
2601 | 0 | 3, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS, ssl->handshake->sent_extensions); |
2602 | |
|
2603 | 0 | return 0; |
2604 | 0 | } |
2605 | | |
2606 | | MBEDTLS_CHECK_RETURN_CRITICAL |
2607 | | static int ssl_tls13_write_encrypted_extensions(mbedtls_ssl_context *ssl) |
2608 | 0 | { |
2609 | 0 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
2610 | 0 | unsigned char *buf; |
2611 | 0 | size_t buf_len, msg_len; |
2612 | |
|
2613 | 0 | mbedtls_ssl_set_outbound_transform(ssl, |
2614 | 0 | ssl->handshake->transform_handshake); |
2615 | 0 | MBEDTLS_SSL_DEBUG_MSG( |
2616 | 0 | 3, ("switching to handshake transform for outbound data")); |
2617 | |
|
2618 | 0 | MBEDTLS_SSL_DEBUG_MSG(2, ("=> write encrypted extensions")); |
2619 | |
|
2620 | 0 | MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_start_handshake_msg( |
2621 | 0 | ssl, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS, |
2622 | 0 | &buf, &buf_len)); |
2623 | | |
2624 | 0 | MBEDTLS_SSL_PROC_CHK(ssl_tls13_write_encrypted_extensions_body( |
2625 | 0 | ssl, buf, buf + buf_len, &msg_len)); |
2626 | | |
2627 | 0 | MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum( |
2628 | 0 | ssl, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS, |
2629 | 0 | buf, msg_len)); |
2630 | | |
2631 | 0 | MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_finish_handshake_msg( |
2632 | 0 | ssl, buf_len, msg_len)); |
2633 | | |
2634 | 0 | #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED) |
2635 | 0 | if (mbedtls_ssl_tls13_key_exchange_mode_with_psk(ssl)) { |
2636 | 0 | mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_FINISHED); |
2637 | 0 | } else { |
2638 | 0 | mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CERTIFICATE_REQUEST); |
2639 | 0 | } |
2640 | | #else |
2641 | | mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_FINISHED); |
2642 | | #endif |
2643 | |
|
2644 | 0 | cleanup: |
2645 | |
|
2646 | 0 | MBEDTLS_SSL_DEBUG_MSG(2, ("<= write encrypted extensions")); |
2647 | 0 | return ret; |
2648 | 0 | } |
2649 | | |
2650 | | #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED) |
2651 | 0 | #define SSL_CERTIFICATE_REQUEST_SEND_REQUEST 0 |
2652 | 0 | #define SSL_CERTIFICATE_REQUEST_SKIP 1 |
2653 | | /* Coordination: |
2654 | | * Check whether a CertificateRequest message should be written. |
2655 | | * Returns a negative code on failure, or |
2656 | | * - SSL_CERTIFICATE_REQUEST_SEND_REQUEST |
2657 | | * - SSL_CERTIFICATE_REQUEST_SKIP |
2658 | | * indicating if the writing of the CertificateRequest |
2659 | | * should be skipped or not. |
2660 | | */ |
2661 | | MBEDTLS_CHECK_RETURN_CRITICAL |
2662 | | static int ssl_tls13_certificate_request_coordinate(mbedtls_ssl_context *ssl) |
2663 | 0 | { |
2664 | 0 | int authmode; |
2665 | |
|
2666 | 0 | #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) |
2667 | 0 | if (ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET) { |
2668 | 0 | authmode = ssl->handshake->sni_authmode; |
2669 | 0 | } else |
2670 | 0 | #endif |
2671 | 0 | authmode = ssl->conf->authmode; |
2672 | |
|
2673 | 0 | if (authmode == MBEDTLS_SSL_VERIFY_NONE) { |
2674 | 0 | ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_SKIP_VERIFY; |
2675 | 0 | return SSL_CERTIFICATE_REQUEST_SKIP; |
2676 | 0 | } |
2677 | | |
2678 | 0 | ssl->handshake->certificate_request_sent = 1; |
2679 | |
|
2680 | 0 | return SSL_CERTIFICATE_REQUEST_SEND_REQUEST; |
2681 | 0 | } |
2682 | | |
2683 | | /* |
2684 | | * struct { |
2685 | | * opaque certificate_request_context<0..2^8-1>; |
2686 | | * Extension extensions<2..2^16-1>; |
2687 | | * } CertificateRequest; |
2688 | | * |
2689 | | */ |
2690 | | MBEDTLS_CHECK_RETURN_CRITICAL |
2691 | | static int ssl_tls13_write_certificate_request_body(mbedtls_ssl_context *ssl, |
2692 | | unsigned char *buf, |
2693 | | const unsigned char *end, |
2694 | | size_t *out_len) |
2695 | 0 | { |
2696 | 0 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
2697 | 0 | unsigned char *p = buf; |
2698 | 0 | size_t output_len = 0; |
2699 | 0 | unsigned char *p_extensions_len; |
2700 | |
|
2701 | 0 | *out_len = 0; |
2702 | | |
2703 | | /* Check if we have enough space: |
2704 | | * - certificate_request_context (1 byte) |
2705 | | * - extensions length (2 bytes) |
2706 | | */ |
2707 | 0 | MBEDTLS_SSL_CHK_BUF_PTR(p, end, 3); |
2708 | | |
2709 | | /* |
2710 | | * Write certificate_request_context |
2711 | | */ |
2712 | | /* |
2713 | | * We use a zero length context for the normal handshake |
2714 | | * messages. For post-authentication handshake messages |
2715 | | * this request context would be set to a non-zero value. |
2716 | | */ |
2717 | 0 | *p++ = 0x0; |
2718 | | |
2719 | | /* |
2720 | | * Write extensions |
2721 | | */ |
2722 | | /* The extensions must contain the signature_algorithms. */ |
2723 | 0 | p_extensions_len = p; |
2724 | 0 | p += 2; |
2725 | 0 | ret = mbedtls_ssl_write_sig_alg_ext(ssl, p, end, &output_len); |
2726 | 0 | if (ret != 0) { |
2727 | 0 | return ret; |
2728 | 0 | } |
2729 | | |
2730 | 0 | p += output_len; |
2731 | 0 | MBEDTLS_PUT_UINT16_BE(p - p_extensions_len - 2, p_extensions_len, 0); |
2732 | |
|
2733 | 0 | *out_len = p - buf; |
2734 | |
|
2735 | 0 | MBEDTLS_SSL_PRINT_EXTS( |
2736 | 0 | 3, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST, ssl->handshake->sent_extensions); |
2737 | |
|
2738 | 0 | return 0; |
2739 | 0 | } |
2740 | | |
2741 | | MBEDTLS_CHECK_RETURN_CRITICAL |
2742 | | static int ssl_tls13_write_certificate_request(mbedtls_ssl_context *ssl) |
2743 | 0 | { |
2744 | 0 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
2745 | |
|
2746 | 0 | MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate request")); |
2747 | |
|
2748 | 0 | MBEDTLS_SSL_PROC_CHK_NEG(ssl_tls13_certificate_request_coordinate(ssl)); |
2749 | | |
2750 | 0 | if (ret == SSL_CERTIFICATE_REQUEST_SEND_REQUEST) { |
2751 | 0 | unsigned char *buf; |
2752 | 0 | size_t buf_len, msg_len; |
2753 | |
|
2754 | 0 | MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_start_handshake_msg( |
2755 | 0 | ssl, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST, |
2756 | 0 | &buf, &buf_len)); |
2757 | | |
2758 | 0 | MBEDTLS_SSL_PROC_CHK(ssl_tls13_write_certificate_request_body( |
2759 | 0 | ssl, buf, buf + buf_len, &msg_len)); |
2760 | | |
2761 | 0 | MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum( |
2762 | 0 | ssl, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST, |
2763 | 0 | buf, msg_len)); |
2764 | | |
2765 | 0 | MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_finish_handshake_msg( |
2766 | 0 | ssl, buf_len, msg_len)); |
2767 | 0 | } else if (ret == SSL_CERTIFICATE_REQUEST_SKIP) { |
2768 | 0 | MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate request")); |
2769 | 0 | ret = 0; |
2770 | 0 | } else { |
2771 | 0 | MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); |
2772 | 0 | ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR; |
2773 | 0 | goto cleanup; |
2774 | 0 | } |
2775 | | |
2776 | 0 | mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_CERTIFICATE); |
2777 | 0 | cleanup: |
2778 | |
|
2779 | 0 | MBEDTLS_SSL_DEBUG_MSG(2, ("<= write certificate request")); |
2780 | 0 | return ret; |
2781 | 0 | } |
2782 | | |
2783 | | /* |
2784 | | * Handler for MBEDTLS_SSL_SERVER_CERTIFICATE |
2785 | | */ |
2786 | | MBEDTLS_CHECK_RETURN_CRITICAL |
2787 | | static int ssl_tls13_write_server_certificate(mbedtls_ssl_context *ssl) |
2788 | 0 | { |
2789 | 0 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
2790 | |
|
2791 | 0 | #if defined(MBEDTLS_X509_CRT_PARSE_C) |
2792 | 0 | if ((ssl_tls13_pick_key_cert(ssl) != 0) || |
2793 | 0 | mbedtls_ssl_own_cert(ssl) == NULL) { |
2794 | 0 | MBEDTLS_SSL_DEBUG_MSG(2, ("No certificate available.")); |
2795 | 0 | MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE, |
2796 | 0 | MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE); |
2797 | 0 | return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; |
2798 | 0 | } |
2799 | 0 | #endif /* MBEDTLS_X509_CRT_PARSE_C */ |
2800 | | |
2801 | 0 | ret = mbedtls_ssl_tls13_write_certificate(ssl); |
2802 | 0 | if (ret != 0) { |
2803 | 0 | return ret; |
2804 | 0 | } |
2805 | 0 | mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CERTIFICATE_VERIFY); |
2806 | 0 | return 0; |
2807 | 0 | } |
2808 | | |
2809 | | /* |
2810 | | * Handler for MBEDTLS_SSL_CERTIFICATE_VERIFY |
2811 | | */ |
2812 | | MBEDTLS_CHECK_RETURN_CRITICAL |
2813 | | static int ssl_tls13_write_certificate_verify(mbedtls_ssl_context *ssl) |
2814 | 0 | { |
2815 | 0 | int ret = mbedtls_ssl_tls13_write_certificate_verify(ssl); |
2816 | 0 | if (ret != 0) { |
2817 | 0 | return ret; |
2818 | 0 | } |
2819 | 0 | mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_FINISHED); |
2820 | 0 | return 0; |
2821 | 0 | } |
2822 | | #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */ |
2823 | | |
2824 | | /* |
2825 | | * RFC 8446 section A.2 |
2826 | | * |
2827 | | * | Send ServerHello |
2828 | | * | K_send = handshake |
2829 | | * | Send EncryptedExtensions |
2830 | | * | [Send CertificateRequest] |
2831 | | * Can send | [Send Certificate + CertificateVerify] |
2832 | | * app data | Send Finished |
2833 | | * after --> | K_send = application |
2834 | | * here +--------+--------+ |
2835 | | * No 0-RTT | | 0-RTT |
2836 | | * | | |
2837 | | * K_recv = handshake | | K_recv = early data |
2838 | | * [Skip decrypt errors] | +------> WAIT_EOED -+ |
2839 | | * | | Recv | | Recv EndOfEarlyData |
2840 | | * | | early data | | K_recv = handshake |
2841 | | * | +------------+ | |
2842 | | * | | |
2843 | | * +> WAIT_FLIGHT2 <--------+ |
2844 | | * | |
2845 | | * +--------+--------+ |
2846 | | * No auth | | Client auth |
2847 | | * | | |
2848 | | * | v |
2849 | | * | WAIT_CERT |
2850 | | * | Recv | | Recv Certificate |
2851 | | * | empty | v |
2852 | | * | Certificate | WAIT_CV |
2853 | | * | | | Recv |
2854 | | * | v | CertificateVerify |
2855 | | * +-> WAIT_FINISHED <---+ |
2856 | | * | Recv Finished |
2857 | | * |
2858 | | * |
2859 | | * The following function handles the state changes after WAIT_FLIGHT2 in the |
2860 | | * above diagram. We are not going to receive early data related messages |
2861 | | * anymore, prepare to receive the first handshake message of the client |
2862 | | * second flight. |
2863 | | */ |
2864 | | static void ssl_tls13_prepare_for_handshake_second_flight( |
2865 | | mbedtls_ssl_context *ssl) |
2866 | 0 | { |
2867 | 0 | if (ssl->handshake->certificate_request_sent) { |
2868 | 0 | mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE); |
2869 | 0 | } else { |
2870 | 0 | MBEDTLS_SSL_DEBUG_MSG(2, ("skip parse certificate")); |
2871 | 0 | MBEDTLS_SSL_DEBUG_MSG(2, ("skip parse certificate verify")); |
2872 | |
|
2873 | 0 | mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_FINISHED); |
2874 | 0 | } |
2875 | 0 | } |
2876 | | |
2877 | | /* |
2878 | | * Handler for MBEDTLS_SSL_SERVER_FINISHED |
2879 | | */ |
2880 | | MBEDTLS_CHECK_RETURN_CRITICAL |
2881 | | static int ssl_tls13_write_server_finished(mbedtls_ssl_context *ssl) |
2882 | 0 | { |
2883 | 0 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
2884 | |
|
2885 | 0 | ret = mbedtls_ssl_tls13_write_finished_message(ssl); |
2886 | 0 | if (ret != 0) { |
2887 | 0 | return ret; |
2888 | 0 | } |
2889 | | |
2890 | 0 | ret = mbedtls_ssl_tls13_compute_application_transform(ssl); |
2891 | 0 | if (ret != 0) { |
2892 | 0 | MBEDTLS_SSL_PEND_FATAL_ALERT( |
2893 | 0 | MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE, |
2894 | 0 | MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE); |
2895 | 0 | return ret; |
2896 | 0 | } |
2897 | | |
2898 | 0 | #if defined(MBEDTLS_SSL_EARLY_DATA) |
2899 | 0 | if (ssl->handshake->early_data_accepted) { |
2900 | | /* See RFC 8446 section A.2 for more information */ |
2901 | 0 | MBEDTLS_SSL_DEBUG_MSG( |
2902 | 0 | 1, ("Switch to early keys for inbound traffic. " |
2903 | 0 | "( K_recv = early data )")); |
2904 | 0 | mbedtls_ssl_set_inbound_transform( |
2905 | 0 | ssl, ssl->handshake->transform_earlydata); |
2906 | 0 | mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_END_OF_EARLY_DATA); |
2907 | 0 | return 0; |
2908 | 0 | } |
2909 | 0 | #endif /* MBEDTLS_SSL_EARLY_DATA */ |
2910 | 0 | MBEDTLS_SSL_DEBUG_MSG( |
2911 | 0 | 1, ("Switch to handshake keys for inbound traffic " |
2912 | 0 | "( K_recv = handshake )")); |
2913 | 0 | mbedtls_ssl_set_inbound_transform(ssl, ssl->handshake->transform_handshake); |
2914 | |
|
2915 | 0 | ssl_tls13_prepare_for_handshake_second_flight(ssl); |
2916 | |
|
2917 | 0 | return 0; |
2918 | 0 | } |
2919 | | |
2920 | | #if defined(MBEDTLS_SSL_EARLY_DATA) |
2921 | | /* |
2922 | | * Handler for MBEDTLS_SSL_END_OF_EARLY_DATA |
2923 | | */ |
2924 | 0 | #define SSL_GOT_END_OF_EARLY_DATA 0 |
2925 | 0 | #define SSL_GOT_EARLY_DATA 1 |
2926 | | /* Coordination: |
2927 | | * Deals with the ambiguity of not knowing if the next message is an |
2928 | | * EndOfEarlyData message or an application message containing early data. |
2929 | | * Returns a negative code on failure, or |
2930 | | * - SSL_GOT_END_OF_EARLY_DATA |
2931 | | * - SSL_GOT_EARLY_DATA |
2932 | | * indicating which message is received. |
2933 | | */ |
2934 | | MBEDTLS_CHECK_RETURN_CRITICAL |
2935 | | static int ssl_tls13_end_of_early_data_coordinate(mbedtls_ssl_context *ssl) |
2936 | 0 | { |
2937 | 0 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
2938 | |
|
2939 | 0 | if ((ret = mbedtls_ssl_read_record(ssl, 0)) != 0) { |
2940 | 0 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret); |
2941 | 0 | return ret; |
2942 | 0 | } |
2943 | 0 | ssl->keep_current_message = 1; |
2944 | |
|
2945 | 0 | if (ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE && |
2946 | 0 | ssl->in_msg[0] == MBEDTLS_SSL_HS_END_OF_EARLY_DATA) { |
2947 | 0 | MBEDTLS_SSL_DEBUG_MSG(3, ("Received an end_of_early_data message.")); |
2948 | 0 | return SSL_GOT_END_OF_EARLY_DATA; |
2949 | 0 | } |
2950 | | |
2951 | 0 | if (ssl->in_msgtype == MBEDTLS_SSL_MSG_APPLICATION_DATA) { |
2952 | 0 | if (ssl->in_offt == NULL) { |
2953 | 0 | MBEDTLS_SSL_DEBUG_MSG(3, ("Received early data")); |
2954 | | /* Set the reading pointer */ |
2955 | 0 | ssl->in_offt = ssl->in_msg; |
2956 | 0 | ret = mbedtls_ssl_tls13_check_early_data_len(ssl, ssl->in_msglen); |
2957 | 0 | if (ret != 0) { |
2958 | 0 | return ret; |
2959 | 0 | } |
2960 | 0 | } |
2961 | 0 | return SSL_GOT_EARLY_DATA; |
2962 | 0 | } |
2963 | | |
2964 | 0 | MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE, |
2965 | 0 | MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE); |
2966 | 0 | return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE; |
2967 | 0 | } |
2968 | | |
2969 | | MBEDTLS_CHECK_RETURN_CRITICAL |
2970 | | static int ssl_tls13_parse_end_of_early_data(mbedtls_ssl_context *ssl, |
2971 | | const unsigned char *buf, |
2972 | | const unsigned char *end) |
2973 | 0 | { |
2974 | | /* RFC 8446 section 4.5 |
2975 | | * |
2976 | | * struct {} EndOfEarlyData; |
2977 | | */ |
2978 | 0 | if (buf != end) { |
2979 | 0 | MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR, |
2980 | 0 | MBEDTLS_ERR_SSL_DECODE_ERROR); |
2981 | 0 | return MBEDTLS_ERR_SSL_DECODE_ERROR; |
2982 | 0 | } |
2983 | 0 | return 0; |
2984 | 0 | } |
2985 | | |
2986 | | /* |
2987 | | * RFC 8446 section A.2 |
2988 | | * |
2989 | | * | Send ServerHello |
2990 | | * | K_send = handshake |
2991 | | * | Send EncryptedExtensions |
2992 | | * | [Send CertificateRequest] |
2993 | | * Can send | [Send Certificate + CertificateVerify] |
2994 | | * app data | Send Finished |
2995 | | * after --> | K_send = application |
2996 | | * here +--------+--------+ |
2997 | | * No 0-RTT | | 0-RTT |
2998 | | * | | |
2999 | | * K_recv = handshake | | K_recv = early data |
3000 | | * [Skip decrypt errors] | +------> WAIT_EOED -+ |
3001 | | * | | Recv | | Recv EndOfEarlyData |
3002 | | * | | early data | | K_recv = handshake |
3003 | | * | +------------+ | |
3004 | | * | | |
3005 | | * +> WAIT_FLIGHT2 <--------+ |
3006 | | * | |
3007 | | * +--------+--------+ |
3008 | | * No auth | | Client auth |
3009 | | * | | |
3010 | | * | v |
3011 | | * | WAIT_CERT |
3012 | | * | Recv | | Recv Certificate |
3013 | | * | empty | v |
3014 | | * | Certificate | WAIT_CV |
3015 | | * | | | Recv |
3016 | | * | v | CertificateVerify |
3017 | | * +-> WAIT_FINISHED <---+ |
3018 | | * | Recv Finished |
3019 | | * |
3020 | | * The function handles actions and state changes from 0-RTT to WAIT_FLIGHT2 in |
3021 | | * the above diagram. |
3022 | | */ |
3023 | | MBEDTLS_CHECK_RETURN_CRITICAL |
3024 | | static int ssl_tls13_process_end_of_early_data(mbedtls_ssl_context *ssl) |
3025 | 0 | { |
3026 | 0 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
3027 | |
|
3028 | 0 | MBEDTLS_SSL_DEBUG_MSG(2, ("=> ssl_tls13_process_end_of_early_data")); |
3029 | |
|
3030 | 0 | MBEDTLS_SSL_PROC_CHK_NEG(ssl_tls13_end_of_early_data_coordinate(ssl)); |
3031 | | |
3032 | 0 | if (ret == SSL_GOT_END_OF_EARLY_DATA) { |
3033 | 0 | unsigned char *buf; |
3034 | 0 | size_t buf_len; |
3035 | |
|
3036 | 0 | MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_tls13_fetch_handshake_msg( |
3037 | 0 | ssl, MBEDTLS_SSL_HS_END_OF_EARLY_DATA, |
3038 | 0 | &buf, &buf_len)); |
3039 | | |
3040 | 0 | MBEDTLS_SSL_PROC_CHK(ssl_tls13_parse_end_of_early_data( |
3041 | 0 | ssl, buf, buf + buf_len)); |
3042 | | |
3043 | 0 | MBEDTLS_SSL_DEBUG_MSG( |
3044 | 0 | 1, ("Switch to handshake keys for inbound traffic" |
3045 | 0 | "( K_recv = handshake )")); |
3046 | 0 | mbedtls_ssl_set_inbound_transform( |
3047 | 0 | ssl, ssl->handshake->transform_handshake); |
3048 | |
|
3049 | 0 | MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum( |
3050 | 0 | ssl, MBEDTLS_SSL_HS_END_OF_EARLY_DATA, |
3051 | 0 | buf, buf_len)); |
3052 | | |
3053 | 0 | ssl_tls13_prepare_for_handshake_second_flight(ssl); |
3054 | |
|
3055 | 0 | } else if (ret == SSL_GOT_EARLY_DATA) { |
3056 | 0 | ret = MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA; |
3057 | 0 | goto cleanup; |
3058 | 0 | } else { |
3059 | 0 | MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); |
3060 | 0 | ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR; |
3061 | 0 | goto cleanup; |
3062 | 0 | } |
3063 | | |
3064 | 0 | cleanup: |
3065 | 0 | MBEDTLS_SSL_DEBUG_MSG(2, ("<= ssl_tls13_process_end_of_early_data")); |
3066 | 0 | return ret; |
3067 | 0 | } |
3068 | | #endif /* MBEDTLS_SSL_EARLY_DATA */ |
3069 | | |
3070 | | /* |
3071 | | * Handler for MBEDTLS_SSL_CLIENT_FINISHED |
3072 | | */ |
3073 | | MBEDTLS_CHECK_RETURN_CRITICAL |
3074 | | static int ssl_tls13_process_client_finished(mbedtls_ssl_context *ssl) |
3075 | 0 | { |
3076 | 0 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
3077 | |
|
3078 | 0 | ret = mbedtls_ssl_tls13_process_finished_message(ssl); |
3079 | 0 | if (ret != 0) { |
3080 | 0 | return ret; |
3081 | 0 | } |
3082 | | |
3083 | 0 | ret = mbedtls_ssl_tls13_compute_resumption_master_secret(ssl); |
3084 | 0 | if (ret != 0) { |
3085 | 0 | MBEDTLS_SSL_DEBUG_RET( |
3086 | 0 | 1, "mbedtls_ssl_tls13_compute_resumption_master_secret", ret); |
3087 | 0 | } |
3088 | |
|
3089 | 0 | mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_WRAPUP); |
3090 | 0 | return 0; |
3091 | 0 | } |
3092 | | |
3093 | | /* |
3094 | | * Handler for MBEDTLS_SSL_HANDSHAKE_WRAPUP |
3095 | | */ |
3096 | | MBEDTLS_CHECK_RETURN_CRITICAL |
3097 | | static int ssl_tls13_handshake_wrapup(mbedtls_ssl_context *ssl) |
3098 | 0 | { |
3099 | 0 | MBEDTLS_SSL_DEBUG_MSG(2, ("handshake: done")); |
3100 | |
|
3101 | 0 | mbedtls_ssl_tls13_handshake_wrapup(ssl); |
3102 | |
|
3103 | 0 | #if defined(MBEDTLS_SSL_SESSION_TICKETS) && \ |
3104 | 0 | defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED) |
3105 | | /* TODO: Remove the check of SOME_PSK_ENABLED since SESSION_TICKETS requires |
3106 | | * SOME_PSK_ENABLED to be enabled. Here is just to make CI happy. It is |
3107 | | * expected to be resolved with issue#6395. |
3108 | | */ |
3109 | | /* Sent NewSessionTicket message only when client supports PSK */ |
3110 | 0 | if (mbedtls_ssl_tls13_is_some_psk_supported(ssl)) { |
3111 | 0 | mbedtls_ssl_handshake_set_state( |
3112 | 0 | ssl, MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET); |
3113 | 0 | } else |
3114 | 0 | #endif |
3115 | 0 | { |
3116 | 0 | mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_OVER); |
3117 | 0 | } |
3118 | 0 | return 0; |
3119 | 0 | } |
3120 | | |
3121 | | #if defined(MBEDTLS_SSL_SESSION_TICKETS) |
3122 | | /* |
3123 | | * Handler for MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET |
3124 | | */ |
3125 | 0 | #define SSL_NEW_SESSION_TICKET_SKIP 0 |
3126 | 0 | #define SSL_NEW_SESSION_TICKET_WRITE 1 |
3127 | | MBEDTLS_CHECK_RETURN_CRITICAL |
3128 | | static int ssl_tls13_write_new_session_ticket_coordinate(mbedtls_ssl_context *ssl) |
3129 | 0 | { |
3130 | | /* Check whether the use of session tickets is enabled */ |
3131 | 0 | if (ssl->conf->f_ticket_write == NULL) { |
3132 | 0 | MBEDTLS_SSL_DEBUG_MSG(2, ("NewSessionTicket: disabled," |
3133 | 0 | " callback is not set")); |
3134 | 0 | return SSL_NEW_SESSION_TICKET_SKIP; |
3135 | 0 | } |
3136 | 0 | if (ssl->conf->new_session_tickets_count == 0) { |
3137 | 0 | MBEDTLS_SSL_DEBUG_MSG(2, ("NewSessionTicket: disabled," |
3138 | 0 | " configured count is zero")); |
3139 | 0 | return SSL_NEW_SESSION_TICKET_SKIP; |
3140 | 0 | } |
3141 | | |
3142 | 0 | if (ssl->handshake->new_session_tickets_count == 0) { |
3143 | 0 | MBEDTLS_SSL_DEBUG_MSG(2, ("NewSessionTicket: all tickets have " |
3144 | 0 | "been sent.")); |
3145 | 0 | return SSL_NEW_SESSION_TICKET_SKIP; |
3146 | 0 | } |
3147 | | |
3148 | 0 | return SSL_NEW_SESSION_TICKET_WRITE; |
3149 | 0 | } |
3150 | | |
3151 | | MBEDTLS_CHECK_RETURN_CRITICAL |
3152 | | static int ssl_tls13_prepare_new_session_ticket(mbedtls_ssl_context *ssl, |
3153 | | unsigned char *ticket_nonce, |
3154 | | size_t ticket_nonce_size) |
3155 | 0 | { |
3156 | 0 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
3157 | 0 | mbedtls_ssl_session *session = ssl->session; |
3158 | 0 | mbedtls_ssl_ciphersuite_t *ciphersuite_info; |
3159 | 0 | psa_algorithm_t psa_hash_alg; |
3160 | 0 | int hash_length; |
3161 | |
|
3162 | 0 | MBEDTLS_SSL_DEBUG_MSG(2, ("=> prepare NewSessionTicket msg")); |
3163 | | |
3164 | | /* Set ticket_flags depends on the advertised psk key exchange mode */ |
3165 | 0 | mbedtls_ssl_tls13_session_clear_ticket_flags( |
3166 | 0 | session, MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK); |
3167 | 0 | #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED) |
3168 | 0 | mbedtls_ssl_tls13_session_set_ticket_flags( |
3169 | 0 | session, ssl->handshake->tls13_kex_modes); |
3170 | 0 | #endif |
3171 | |
|
3172 | 0 | #if defined(MBEDTLS_SSL_EARLY_DATA) |
3173 | 0 | if (ssl->conf->early_data_enabled == MBEDTLS_SSL_EARLY_DATA_ENABLED && |
3174 | 0 | ssl->conf->max_early_data_size > 0) { |
3175 | 0 | mbedtls_ssl_tls13_session_set_ticket_flags( |
3176 | 0 | session, MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_EARLY_DATA); |
3177 | 0 | session->max_early_data_size = ssl->conf->max_early_data_size; |
3178 | 0 | } |
3179 | 0 | #endif /* MBEDTLS_SSL_EARLY_DATA */ |
3180 | |
|
3181 | 0 | MBEDTLS_SSL_PRINT_TICKET_FLAGS(4, session->ticket_flags); |
3182 | |
|
3183 | 0 | #if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_ALPN) |
3184 | 0 | if (session->ticket_alpn == NULL) { |
3185 | 0 | ret = mbedtls_ssl_session_set_ticket_alpn(session, ssl->alpn_chosen); |
3186 | 0 | if (ret != 0) { |
3187 | 0 | return ret; |
3188 | 0 | } |
3189 | 0 | } |
3190 | 0 | #endif |
3191 | | |
3192 | | /* Generate ticket_age_add */ |
3193 | 0 | if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, |
3194 | 0 | (unsigned char *) &session->ticket_age_add, |
3195 | 0 | sizeof(session->ticket_age_add)) != 0)) { |
3196 | 0 | MBEDTLS_SSL_DEBUG_RET(1, "generate_ticket_age_add", ret); |
3197 | 0 | return ret; |
3198 | 0 | } |
3199 | 0 | MBEDTLS_SSL_DEBUG_MSG(3, ("ticket_age_add: %u", |
3200 | 0 | (unsigned int) session->ticket_age_add)); |
3201 | | |
3202 | | /* Generate ticket_nonce */ |
3203 | 0 | ret = ssl->conf->f_rng(ssl->conf->p_rng, ticket_nonce, ticket_nonce_size); |
3204 | 0 | if (ret != 0) { |
3205 | 0 | MBEDTLS_SSL_DEBUG_RET(1, "generate_ticket_nonce", ret); |
3206 | 0 | return ret; |
3207 | 0 | } |
3208 | 0 | MBEDTLS_SSL_DEBUG_BUF(3, "ticket_nonce:", |
3209 | 0 | ticket_nonce, ticket_nonce_size); |
3210 | |
|
3211 | 0 | ciphersuite_info = |
3212 | 0 | (mbedtls_ssl_ciphersuite_t *) ssl->handshake->ciphersuite_info; |
3213 | 0 | psa_hash_alg = mbedtls_md_psa_alg_from_type((mbedtls_md_type_t) ciphersuite_info->mac); |
3214 | 0 | hash_length = PSA_HASH_LENGTH(psa_hash_alg); |
3215 | 0 | if (hash_length == -1 || |
3216 | 0 | (size_t) hash_length > sizeof(session->resumption_key)) { |
3217 | 0 | return MBEDTLS_ERR_SSL_INTERNAL_ERROR; |
3218 | 0 | } |
3219 | | |
3220 | | /* In this code the psk key length equals the length of the hash */ |
3221 | 0 | session->resumption_key_len = hash_length; |
3222 | 0 | session->ciphersuite = ciphersuite_info->id; |
3223 | | |
3224 | | /* Compute resumption key |
3225 | | * |
3226 | | * HKDF-Expand-Label( resumption_master_secret, |
3227 | | * "resumption", ticket_nonce, Hash.length ) |
3228 | | */ |
3229 | 0 | ret = mbedtls_ssl_tls13_hkdf_expand_label( |
3230 | 0 | psa_hash_alg, |
3231 | 0 | session->app_secrets.resumption_master_secret, |
3232 | 0 | hash_length, |
3233 | 0 | MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(resumption), |
3234 | 0 | ticket_nonce, |
3235 | 0 | ticket_nonce_size, |
3236 | 0 | session->resumption_key, |
3237 | 0 | hash_length); |
3238 | |
|
3239 | 0 | if (ret != 0) { |
3240 | 0 | MBEDTLS_SSL_DEBUG_RET(2, |
3241 | 0 | "Creating the ticket-resumed PSK failed", |
3242 | 0 | ret); |
3243 | 0 | return ret; |
3244 | 0 | } |
3245 | 0 | MBEDTLS_SSL_DEBUG_BUF(3, "Ticket-resumed PSK", |
3246 | 0 | session->resumption_key, |
3247 | 0 | session->resumption_key_len); |
3248 | |
|
3249 | 0 | MBEDTLS_SSL_DEBUG_BUF(3, "resumption_master_secret", |
3250 | 0 | session->app_secrets.resumption_master_secret, |
3251 | 0 | hash_length); |
3252 | |
|
3253 | 0 | return 0; |
3254 | 0 | } |
3255 | | |
3256 | | /* This function creates a NewSessionTicket message in the following format: |
3257 | | * |
3258 | | * struct { |
3259 | | * uint32 ticket_lifetime; |
3260 | | * uint32 ticket_age_add; |
3261 | | * opaque ticket_nonce<0..255>; |
3262 | | * opaque ticket<1..2^16-1>; |
3263 | | * Extension extensions<0..2^16-2>; |
3264 | | * } NewSessionTicket; |
3265 | | * |
3266 | | * The ticket inside the NewSessionTicket message is an encrypted container |
3267 | | * carrying the necessary information so that the server is later able to |
3268 | | * re-start the communication. |
3269 | | * |
3270 | | * The following fields are placed inside the ticket by the |
3271 | | * f_ticket_write() function: |
3272 | | * |
3273 | | * - creation time (ticket_creation_time) |
3274 | | * - flags (ticket_flags) |
3275 | | * - age add (ticket_age_add) |
3276 | | * - key (resumption_key) |
3277 | | * - key length (resumption_key_len) |
3278 | | * - ciphersuite (ciphersuite) |
3279 | | * - max_early_data_size (max_early_data_size) |
3280 | | */ |
3281 | | MBEDTLS_CHECK_RETURN_CRITICAL |
3282 | | static int ssl_tls13_write_new_session_ticket_body(mbedtls_ssl_context *ssl, |
3283 | | unsigned char *buf, |
3284 | | unsigned char *end, |
3285 | | size_t *out_len, |
3286 | | unsigned char *ticket_nonce, |
3287 | | size_t ticket_nonce_size) |
3288 | 0 | { |
3289 | 0 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
3290 | 0 | unsigned char *p = buf; |
3291 | 0 | mbedtls_ssl_session *session = ssl->session; |
3292 | 0 | size_t ticket_len; |
3293 | 0 | uint32_t ticket_lifetime; |
3294 | 0 | unsigned char *p_extensions_len; |
3295 | |
|
3296 | 0 | *out_len = 0; |
3297 | 0 | MBEDTLS_SSL_DEBUG_MSG(2, ("=> write NewSessionTicket msg")); |
3298 | | |
3299 | | /* |
3300 | | * ticket_lifetime 4 bytes |
3301 | | * ticket_age_add 4 bytes |
3302 | | * ticket_nonce 1 + ticket_nonce_size bytes |
3303 | | * ticket >=2 bytes |
3304 | | */ |
3305 | 0 | MBEDTLS_SSL_CHK_BUF_PTR(p, end, 4 + 4 + 1 + ticket_nonce_size + 2); |
3306 | | |
3307 | | /* Generate ticket and ticket_lifetime */ |
3308 | 0 | #if defined(MBEDTLS_HAVE_TIME) |
3309 | 0 | session->ticket_creation_time = mbedtls_ms_time(); |
3310 | 0 | #endif |
3311 | 0 | ret = ssl->conf->f_ticket_write(ssl->conf->p_ticket, |
3312 | 0 | session, |
3313 | 0 | p + 9 + ticket_nonce_size + 2, |
3314 | 0 | end, |
3315 | 0 | &ticket_len, |
3316 | 0 | &ticket_lifetime); |
3317 | 0 | if (ret != 0) { |
3318 | 0 | MBEDTLS_SSL_DEBUG_RET(1, "write_ticket", ret); |
3319 | 0 | return ret; |
3320 | 0 | } |
3321 | | |
3322 | | /* RFC 8446 section 4.6.1 |
3323 | | * |
3324 | | * ticket_lifetime: Indicates the lifetime in seconds as a 32-bit |
3325 | | * unsigned integer in network byte order from the time of ticket |
3326 | | * issuance. Servers MUST NOT use any value greater than |
3327 | | * 604800 seconds (7 days) ... |
3328 | | */ |
3329 | 0 | if (ticket_lifetime > MBEDTLS_SSL_TLS1_3_MAX_ALLOWED_TICKET_LIFETIME) { |
3330 | 0 | MBEDTLS_SSL_DEBUG_MSG( |
3331 | 0 | 1, ("Ticket lifetime (%u) is greater than 7 days.", |
3332 | 0 | (unsigned int) ticket_lifetime)); |
3333 | 0 | return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; |
3334 | 0 | } |
3335 | | |
3336 | 0 | MBEDTLS_PUT_UINT32_BE(ticket_lifetime, p, 0); |
3337 | 0 | MBEDTLS_SSL_DEBUG_MSG(3, ("ticket_lifetime: %u", |
3338 | 0 | (unsigned int) ticket_lifetime)); |
3339 | | |
3340 | | /* Write ticket_age_add */ |
3341 | 0 | MBEDTLS_PUT_UINT32_BE(session->ticket_age_add, p, 4); |
3342 | 0 | MBEDTLS_SSL_DEBUG_MSG(3, ("ticket_age_add: %u", |
3343 | 0 | (unsigned int) session->ticket_age_add)); |
3344 | | |
3345 | | /* Write ticket_nonce */ |
3346 | 0 | p[8] = (unsigned char) ticket_nonce_size; |
3347 | 0 | if (ticket_nonce_size > 0) { |
3348 | 0 | memcpy(p + 9, ticket_nonce, ticket_nonce_size); |
3349 | 0 | } |
3350 | 0 | p += 9 + ticket_nonce_size; |
3351 | | |
3352 | | /* Write ticket */ |
3353 | 0 | MBEDTLS_PUT_UINT16_BE(ticket_len, p, 0); |
3354 | 0 | p += 2; |
3355 | 0 | MBEDTLS_SSL_DEBUG_BUF(4, "ticket", p, ticket_len); |
3356 | 0 | p += ticket_len; |
3357 | | |
3358 | | /* Ticket Extensions |
3359 | | * |
3360 | | * Extension extensions<0..2^16-2>; |
3361 | | */ |
3362 | 0 | ssl->handshake->sent_extensions = MBEDTLS_SSL_EXT_MASK_NONE; |
3363 | |
|
3364 | 0 | MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2); |
3365 | 0 | p_extensions_len = p; |
3366 | 0 | p += 2; |
3367 | |
|
3368 | 0 | #if defined(MBEDTLS_SSL_EARLY_DATA) |
3369 | 0 | if (mbedtls_ssl_tls13_session_ticket_allow_early_data(session)) { |
3370 | 0 | size_t output_len; |
3371 | |
|
3372 | 0 | if ((ret = mbedtls_ssl_tls13_write_early_data_ext( |
3373 | 0 | ssl, 1, p, end, &output_len)) != 0) { |
3374 | 0 | MBEDTLS_SSL_DEBUG_RET( |
3375 | 0 | 1, "mbedtls_ssl_tls13_write_early_data_ext", ret); |
3376 | 0 | return ret; |
3377 | 0 | } |
3378 | 0 | p += output_len; |
3379 | 0 | } else { |
3380 | 0 | MBEDTLS_SSL_DEBUG_MSG( |
3381 | 0 | 4, ("early_data not allowed, " |
3382 | 0 | "skip early_data extension in NewSessionTicket")); |
3383 | 0 | } |
3384 | | |
3385 | 0 | #endif /* MBEDTLS_SSL_EARLY_DATA */ |
3386 | | |
3387 | 0 | MBEDTLS_PUT_UINT16_BE(p - p_extensions_len - 2, p_extensions_len, 0); |
3388 | |
|
3389 | 0 | *out_len = p - buf; |
3390 | 0 | MBEDTLS_SSL_DEBUG_BUF(4, "ticket", buf, *out_len); |
3391 | 0 | MBEDTLS_SSL_DEBUG_MSG(2, ("<= write new session ticket")); |
3392 | |
|
3393 | 0 | MBEDTLS_SSL_PRINT_EXTS( |
3394 | 0 | 3, MBEDTLS_SSL_HS_NEW_SESSION_TICKET, ssl->handshake->sent_extensions); |
3395 | |
|
3396 | 0 | return 0; |
3397 | 0 | } |
3398 | | |
3399 | | /* |
3400 | | * Handler for MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET |
3401 | | */ |
3402 | | static int ssl_tls13_write_new_session_ticket(mbedtls_ssl_context *ssl) |
3403 | 0 | { |
3404 | 0 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
3405 | |
|
3406 | 0 | MBEDTLS_SSL_PROC_CHK_NEG(ssl_tls13_write_new_session_ticket_coordinate(ssl)); |
3407 | | |
3408 | 0 | if (ret == SSL_NEW_SESSION_TICKET_WRITE) { |
3409 | 0 | unsigned char ticket_nonce[MBEDTLS_SSL_TLS1_3_TICKET_NONCE_LENGTH]; |
3410 | 0 | unsigned char *buf; |
3411 | 0 | size_t buf_len, msg_len; |
3412 | |
|
3413 | 0 | MBEDTLS_SSL_PROC_CHK(ssl_tls13_prepare_new_session_ticket( |
3414 | 0 | ssl, ticket_nonce, sizeof(ticket_nonce))); |
3415 | | |
3416 | 0 | MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_start_handshake_msg( |
3417 | 0 | ssl, MBEDTLS_SSL_HS_NEW_SESSION_TICKET, |
3418 | 0 | &buf, &buf_len)); |
3419 | | |
3420 | 0 | MBEDTLS_SSL_PROC_CHK(ssl_tls13_write_new_session_ticket_body( |
3421 | 0 | ssl, buf, buf + buf_len, &msg_len, |
3422 | 0 | ticket_nonce, sizeof(ticket_nonce))); |
3423 | | |
3424 | 0 | MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_finish_handshake_msg( |
3425 | 0 | ssl, buf_len, msg_len)); |
3426 | | |
3427 | | /* Limit session tickets count to one when resumption connection. |
3428 | | * |
3429 | | * See document of mbedtls_ssl_conf_new_session_tickets. |
3430 | | */ |
3431 | 0 | if (ssl->handshake->resume == 1) { |
3432 | 0 | ssl->handshake->new_session_tickets_count = 0; |
3433 | 0 | } else { |
3434 | 0 | ssl->handshake->new_session_tickets_count--; |
3435 | 0 | } |
3436 | |
|
3437 | 0 | mbedtls_ssl_handshake_set_state( |
3438 | 0 | ssl, MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET_FLUSH); |
3439 | 0 | } else { |
3440 | 0 | mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_OVER); |
3441 | 0 | } |
3442 | | |
3443 | 0 | cleanup: |
3444 | |
|
3445 | 0 | return ret; |
3446 | 0 | } |
3447 | | #endif /* MBEDTLS_SSL_SESSION_TICKETS */ |
3448 | | |
3449 | | /* |
3450 | | * TLS 1.3 State Machine -- server side |
3451 | | */ |
3452 | | int mbedtls_ssl_tls13_handshake_server_step(mbedtls_ssl_context *ssl) |
3453 | 3.19k | { |
3454 | 3.19k | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
3455 | | |
3456 | 3.19k | if (ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER || ssl->handshake == NULL) { |
3457 | 0 | return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; |
3458 | 0 | } |
3459 | | |
3460 | 3.19k | MBEDTLS_SSL_DEBUG_MSG(2, ("tls13 server state: %s(%d)", |
3461 | 3.19k | mbedtls_ssl_states_str((mbedtls_ssl_states) ssl->state), |
3462 | 3.19k | ssl->state)); |
3463 | | |
3464 | 3.19k | switch (ssl->state) { |
3465 | | /* start state */ |
3466 | 1.59k | case MBEDTLS_SSL_HELLO_REQUEST: |
3467 | 1.59k | mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_HELLO); |
3468 | 1.59k | ret = 0; |
3469 | 1.59k | break; |
3470 | | |
3471 | 1.59k | case MBEDTLS_SSL_CLIENT_HELLO: |
3472 | 1.59k | ret = ssl_tls13_process_client_hello(ssl); |
3473 | 1.59k | if (ret != 0) { |
3474 | 433 | MBEDTLS_SSL_DEBUG_RET(1, "ssl_tls13_process_client_hello", ret); |
3475 | 433 | } |
3476 | 1.59k | break; |
3477 | | |
3478 | 0 | case MBEDTLS_SSL_HELLO_RETRY_REQUEST: |
3479 | 0 | ret = ssl_tls13_write_hello_retry_request(ssl); |
3480 | 0 | if (ret != 0) { |
3481 | 0 | MBEDTLS_SSL_DEBUG_RET(1, "ssl_tls13_write_hello_retry_request", ret); |
3482 | 0 | return ret; |
3483 | 0 | } |
3484 | 0 | break; |
3485 | | |
3486 | 0 | case MBEDTLS_SSL_SERVER_HELLO: |
3487 | 0 | ret = ssl_tls13_write_server_hello(ssl); |
3488 | 0 | break; |
3489 | | |
3490 | 0 | case MBEDTLS_SSL_ENCRYPTED_EXTENSIONS: |
3491 | 0 | ret = ssl_tls13_write_encrypted_extensions(ssl); |
3492 | 0 | if (ret != 0) { |
3493 | 0 | MBEDTLS_SSL_DEBUG_RET(1, "ssl_tls13_write_encrypted_extensions", ret); |
3494 | 0 | return ret; |
3495 | 0 | } |
3496 | 0 | break; |
3497 | | |
3498 | 0 | #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED) |
3499 | 0 | case MBEDTLS_SSL_CERTIFICATE_REQUEST: |
3500 | 0 | ret = ssl_tls13_write_certificate_request(ssl); |
3501 | 0 | break; |
3502 | | |
3503 | 0 | case MBEDTLS_SSL_SERVER_CERTIFICATE: |
3504 | 0 | ret = ssl_tls13_write_server_certificate(ssl); |
3505 | 0 | break; |
3506 | | |
3507 | 0 | case MBEDTLS_SSL_CERTIFICATE_VERIFY: |
3508 | 0 | ret = ssl_tls13_write_certificate_verify(ssl); |
3509 | 0 | break; |
3510 | 0 | #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */ |
3511 | | |
3512 | | /* |
3513 | | * Injection of dummy-CCS's for middlebox compatibility |
3514 | | */ |
3515 | 0 | #if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE) |
3516 | 0 | case MBEDTLS_SSL_SERVER_CCS_AFTER_HELLO_RETRY_REQUEST: |
3517 | 0 | ret = mbedtls_ssl_tls13_write_change_cipher_spec(ssl); |
3518 | 0 | if (ret == 0) { |
3519 | 0 | mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_HELLO); |
3520 | 0 | } |
3521 | 0 | break; |
3522 | | |
3523 | 0 | case MBEDTLS_SSL_SERVER_CCS_AFTER_SERVER_HELLO: |
3524 | 0 | ret = mbedtls_ssl_tls13_write_change_cipher_spec(ssl); |
3525 | 0 | if (ret != 0) { |
3526 | 0 | break; |
3527 | 0 | } |
3528 | 0 | mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_ENCRYPTED_EXTENSIONS); |
3529 | 0 | break; |
3530 | 0 | #endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */ |
3531 | | |
3532 | 0 | case MBEDTLS_SSL_SERVER_FINISHED: |
3533 | 0 | ret = ssl_tls13_write_server_finished(ssl); |
3534 | 0 | break; |
3535 | | |
3536 | 0 | #if defined(MBEDTLS_SSL_EARLY_DATA) |
3537 | 0 | case MBEDTLS_SSL_END_OF_EARLY_DATA: |
3538 | 0 | ret = ssl_tls13_process_end_of_early_data(ssl); |
3539 | 0 | break; |
3540 | 0 | #endif /* MBEDTLS_SSL_EARLY_DATA */ |
3541 | | |
3542 | 0 | case MBEDTLS_SSL_CLIENT_FINISHED: |
3543 | 0 | ret = ssl_tls13_process_client_finished(ssl); |
3544 | 0 | break; |
3545 | | |
3546 | 0 | case MBEDTLS_SSL_HANDSHAKE_WRAPUP: |
3547 | 0 | ret = ssl_tls13_handshake_wrapup(ssl); |
3548 | 0 | break; |
3549 | | |
3550 | 0 | #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED) |
3551 | 0 | case MBEDTLS_SSL_CLIENT_CERTIFICATE: |
3552 | 0 | ret = mbedtls_ssl_tls13_process_certificate(ssl); |
3553 | 0 | if (ret == 0) { |
3554 | 0 | if (ssl->session_negotiate->peer_cert != NULL) { |
3555 | 0 | mbedtls_ssl_handshake_set_state( |
3556 | 0 | ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY); |
3557 | 0 | } else { |
3558 | 0 | MBEDTLS_SSL_DEBUG_MSG(2, ("skip parse certificate verify")); |
3559 | 0 | mbedtls_ssl_handshake_set_state( |
3560 | 0 | ssl, MBEDTLS_SSL_CLIENT_FINISHED); |
3561 | 0 | } |
3562 | 0 | } |
3563 | 0 | break; |
3564 | | |
3565 | 0 | case MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY: |
3566 | 0 | ret = mbedtls_ssl_tls13_process_certificate_verify(ssl); |
3567 | 0 | if (ret == 0) { |
3568 | 0 | mbedtls_ssl_handshake_set_state( |
3569 | 0 | ssl, MBEDTLS_SSL_CLIENT_FINISHED); |
3570 | 0 | } |
3571 | 0 | break; |
3572 | 0 | #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */ |
3573 | | |
3574 | 0 | #if defined(MBEDTLS_SSL_SESSION_TICKETS) |
3575 | 0 | case MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET: |
3576 | 0 | ret = ssl_tls13_write_new_session_ticket(ssl); |
3577 | 0 | if (ret != 0) { |
3578 | 0 | MBEDTLS_SSL_DEBUG_RET(1, |
3579 | 0 | "ssl_tls13_write_new_session_ticket ", |
3580 | 0 | ret); |
3581 | 0 | } |
3582 | 0 | break; |
3583 | 0 | case MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET_FLUSH: |
3584 | | /* This state is necessary to do the flush of the New Session |
3585 | | * Ticket message written in MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET |
3586 | | * as part of ssl_prepare_handshake_step. |
3587 | | */ |
3588 | 0 | ret = 0; |
3589 | |
|
3590 | 0 | if (ssl->handshake->new_session_tickets_count == 0) { |
3591 | 0 | mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_OVER); |
3592 | 0 | } else { |
3593 | 0 | mbedtls_ssl_handshake_set_state( |
3594 | 0 | ssl, MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET); |
3595 | 0 | } |
3596 | 0 | break; |
3597 | | |
3598 | 0 | #endif /* MBEDTLS_SSL_SESSION_TICKETS */ |
3599 | | |
3600 | 0 | default: |
3601 | 0 | MBEDTLS_SSL_DEBUG_MSG(1, ("invalid state %d", ssl->state)); |
3602 | 0 | return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; |
3603 | 3.19k | } |
3604 | | |
3605 | 3.19k | return ret; |
3606 | 3.19k | } |
3607 | | |
3608 | | #endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_PROTO_TLS1_3 */ |