1 /* 2 * TLS 1.3 server-side functions 3 * 4 * Copyright The Mbed TLS Contributors 5 * SPDX-License-Identifier: Apache-2.0 6 * 7 * Licensed under the Apache License, Version 2.0 (the "License"); you may 8 * not use this file except in compliance with the License. 9 * You may obtain a copy of the License at 10 * 11 * http://www.apache.org/licenses/LICENSE-2.0 12 * 13 * Unless required by applicable law or agreed to in writing, software 14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 16 * See the License for the specific language governing permissions and 17 * limitations under the License. 18 */ 19 20 #include "common.h" 21 22 #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_PROTO_TLS1_3) 23 24 #include "mbedtls/debug.h" 25 #include "mbedtls/error.h" 26 #include "mbedtls/platform.h" 27 #include "mbedtls/constant_time.h" 28 29 #include "ssl_misc.h" 30 #include "ssl_tls13_keys.h" 31 #include "ssl_debug_helpers.h" 32 33 34 static const mbedtls_ssl_ciphersuite_t *ssl_tls13_validate_peer_ciphersuite( 35 mbedtls_ssl_context *ssl, 36 unsigned int cipher_suite) 37 { 38 const mbedtls_ssl_ciphersuite_t *ciphersuite_info; 39 if (!mbedtls_ssl_tls13_cipher_suite_is_offered(ssl, cipher_suite)) { 40 return NULL; 41 } 42 43 ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(cipher_suite); 44 if ((mbedtls_ssl_validate_ciphersuite(ssl, ciphersuite_info, 45 ssl->tls_version, 46 ssl->tls_version) != 0)) { 47 return NULL; 48 } 49 return ciphersuite_info; 50 } 51 52 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED) 53 /* From RFC 8446: 54 * 55 * enum { psk_ke(0), psk_dhe_ke(1), (255) } PskKeyExchangeMode; 56 * struct { 57 * PskKeyExchangeMode ke_modes<1..255>; 58 * } PskKeyExchangeModes; 59 */ 60 MBEDTLS_CHECK_RETURN_CRITICAL 61 static int ssl_tls13_parse_key_exchange_modes_ext(mbedtls_ssl_context *ssl, 62 const unsigned char *buf, 63 const unsigned char *end) 64 { 65 const unsigned char *p = buf; 66 size_t ke_modes_len; 67 int ke_modes = 0; 68 69 /* Read ke_modes length (1 Byte) */ 70 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 1); 71 ke_modes_len = *p++; 72 /* Currently, there are only two PSK modes, so even without looking 73 * at the content, something's wrong if the list has more than 2 items. */ 74 if (ke_modes_len > 2) { 75 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER, 76 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER); 77 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; 78 } 79 80 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, ke_modes_len); 81 82 while (ke_modes_len-- != 0) { 83 switch (*p++) { 84 case MBEDTLS_SSL_TLS1_3_PSK_MODE_PURE: 85 ke_modes |= MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK; 86 MBEDTLS_SSL_DEBUG_MSG(3, ("Found PSK KEX MODE")); 87 break; 88 case MBEDTLS_SSL_TLS1_3_PSK_MODE_ECDHE: 89 ke_modes |= MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL; 90 MBEDTLS_SSL_DEBUG_MSG(3, ("Found PSK_EPHEMERAL KEX MODE")); 91 break; 92 default: 93 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER, 94 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER); 95 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; 96 } 97 } 98 99 ssl->handshake->tls13_kex_modes = ke_modes; 100 return 0; 101 } 102 103 #define SSL_TLS1_3_OFFERED_PSK_NOT_MATCH 1 104 #define SSL_TLS1_3_OFFERED_PSK_MATCH 0 105 106 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 107 108 MBEDTLS_CHECK_RETURN_CRITICAL 109 static int ssl_tls13_offered_psks_check_identity_match_ticket( 110 mbedtls_ssl_context *ssl, 111 const unsigned char *identity, 112 size_t identity_len, 113 uint32_t obfuscated_ticket_age, 114 mbedtls_ssl_session *session) 115 { 116 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 117 unsigned char *ticket_buffer; 118 #if defined(MBEDTLS_HAVE_TIME) 119 mbedtls_time_t now; 120 uint64_t age_in_s; 121 int64_t age_diff_in_ms; 122 #endif 123 124 ((void) obfuscated_ticket_age); 125 126 MBEDTLS_SSL_DEBUG_MSG(2, ("=> check_identity_match_ticket")); 127 128 /* Ticket parser is not configured, Skip */ 129 if (ssl->conf->f_ticket_parse == NULL || identity_len == 0) { 130 return 0; 131 } 132 133 /* We create a copy of the encrypted ticket since the ticket parsing 134 * function is allowed to use its input buffer as an output buffer 135 * (in-place decryption). We do, however, need the original buffer for 136 * computing the PSK binder value. 137 */ 138 ticket_buffer = mbedtls_calloc(1, identity_len); 139 if (ticket_buffer == NULL) { 140 MBEDTLS_SSL_DEBUG_MSG(1, ("buffer too small")); 141 return MBEDTLS_ERR_SSL_ALLOC_FAILED; 142 } 143 memcpy(ticket_buffer, identity, identity_len); 144 145 if ((ret = ssl->conf->f_ticket_parse(ssl->conf->p_ticket, 146 session, 147 ticket_buffer, identity_len)) != 0) { 148 if (ret == MBEDTLS_ERR_SSL_INVALID_MAC) { 149 MBEDTLS_SSL_DEBUG_MSG(3, ("ticket is not authentic")); 150 } else if (ret == MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED) { 151 MBEDTLS_SSL_DEBUG_MSG(3, ("ticket is expired")); 152 } else { 153 MBEDTLS_SSL_DEBUG_RET(1, "ticket_parse", ret); 154 } 155 } 156 157 /* We delete the temporary buffer */ 158 mbedtls_free(ticket_buffer); 159 160 if (ret != 0) { 161 goto exit; 162 } 163 164 /* RFC 8446 section 4.2.9 165 * 166 * Servers SHOULD NOT send NewSessionTicket with tickets that are not 167 * compatible with the advertised modes; however, if a server does so, 168 * the impact will just be that the client's attempts at resumption fail. 169 * 170 * We regard the ticket with incompatible key exchange modes as not match. 171 */ 172 ret = MBEDTLS_ERR_ERROR_GENERIC_ERROR; 173 MBEDTLS_SSL_PRINT_TICKET_FLAGS(4, 174 session->ticket_flags); 175 if (mbedtls_ssl_tls13_check_kex_modes( 176 ssl, 177 mbedtls_ssl_session_get_ticket_flags( 178 session, 179 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL))) { 180 MBEDTLS_SSL_DEBUG_MSG(3, ("No suitable key exchange mode")); 181 goto exit; 182 } 183 184 ret = MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED; 185 #if defined(MBEDTLS_HAVE_TIME) 186 now = mbedtls_time(NULL); 187 188 if (now < session->start) { 189 MBEDTLS_SSL_DEBUG_MSG( 190 3, ("Invalid ticket start time ( now=%" MBEDTLS_PRINTF_LONGLONG 191 ", start=%" MBEDTLS_PRINTF_LONGLONG " )", 192 (long long) now, (long long) session->start)); 193 goto exit; 194 } 195 196 age_in_s = (uint64_t) (now - session->start); 197 198 /* RFC 8446 section 4.6.1 199 * 200 * Servers MUST NOT use any value greater than 604800 seconds (7 days). 201 * 202 * RFC 8446 section 4.2.11.1 203 * 204 * Clients MUST NOT attempt to use tickets which have ages greater than 205 * the "ticket_lifetime" value which was provided with the ticket. 206 * 207 * For time being, the age MUST be less than 604800 seconds (7 days). 208 */ 209 if (age_in_s > 604800) { 210 MBEDTLS_SSL_DEBUG_MSG( 211 3, ("Ticket age exceeds limitation ticket_age=%lu", 212 (long unsigned int) age_in_s)); 213 goto exit; 214 } 215 216 /* RFC 8446 section 4.2.10 217 * 218 * For PSKs provisioned via NewSessionTicket, a server MUST validate that 219 * the ticket age for the selected PSK identity (computed by subtracting 220 * ticket_age_add from PskIdentity.obfuscated_ticket_age modulo 2^32) is 221 * within a small tolerance of the time since the ticket was issued. 222 * 223 * NOTE: When `now == session->start`, `age_diff_in_ms` may be negative 224 * as the age units are different on the server (s) and in the 225 * client (ms) side. Add a -1000 ms tolerance window to take this 226 * into account. 227 */ 228 age_diff_in_ms = age_in_s * 1000; 229 age_diff_in_ms -= (obfuscated_ticket_age - session->ticket_age_add); 230 if (age_diff_in_ms <= -1000 || 231 age_diff_in_ms > MBEDTLS_SSL_TLS1_3_TICKET_AGE_TOLERANCE) { 232 MBEDTLS_SSL_DEBUG_MSG( 233 3, ("Ticket age outside tolerance window ( diff=%d )", 234 (int) age_diff_in_ms)); 235 goto exit; 236 } 237 238 ret = 0; 239 240 #endif /* MBEDTLS_HAVE_TIME */ 241 242 exit: 243 if (ret != 0) { 244 mbedtls_ssl_session_free(session); 245 } 246 247 MBEDTLS_SSL_DEBUG_MSG(2, ("<= check_identity_match_ticket")); 248 return ret; 249 } 250 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 251 252 MBEDTLS_CHECK_RETURN_CRITICAL 253 static int ssl_tls13_offered_psks_check_identity_match( 254 mbedtls_ssl_context *ssl, 255 const unsigned char *identity, 256 size_t identity_len, 257 uint32_t obfuscated_ticket_age, 258 int *psk_type, 259 mbedtls_ssl_session *session) 260 { 261 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 262 263 ((void) session); 264 ((void) obfuscated_ticket_age); 265 *psk_type = MBEDTLS_SSL_TLS1_3_PSK_EXTERNAL; 266 267 MBEDTLS_SSL_DEBUG_BUF(4, "identity", identity, identity_len); 268 ssl->handshake->resume = 0; 269 270 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 271 if (ssl_tls13_offered_psks_check_identity_match_ticket( 272 ssl, identity, identity_len, obfuscated_ticket_age, 273 session) == SSL_TLS1_3_OFFERED_PSK_MATCH) { 274 ssl->handshake->resume = 1; 275 *psk_type = MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION; 276 ret = mbedtls_ssl_set_hs_psk(ssl, 277 session->resumption_key, 278 session->resumption_key_len); 279 if (ret != 0) { 280 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_set_hs_psk", ret); 281 return ret; 282 } 283 284 MBEDTLS_SSL_DEBUG_BUF(4, "Ticket-resumed PSK:", 285 session->resumption_key, 286 session->resumption_key_len); 287 MBEDTLS_SSL_DEBUG_MSG(4, ("ticket: obfuscated_ticket_age: %u", 288 (unsigned) obfuscated_ticket_age)); 289 return SSL_TLS1_3_OFFERED_PSK_MATCH; 290 } 291 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 292 293 /* Check identity with external configured function */ 294 if (ssl->conf->f_psk != NULL) { 295 if (ssl->conf->f_psk( 296 ssl->conf->p_psk, ssl, identity, identity_len) == 0) { 297 return SSL_TLS1_3_OFFERED_PSK_MATCH; 298 } 299 return SSL_TLS1_3_OFFERED_PSK_NOT_MATCH; 300 } 301 302 MBEDTLS_SSL_DEBUG_BUF(5, "identity", identity, identity_len); 303 /* Check identity with pre-configured psk */ 304 if (ssl->conf->psk_identity != NULL && 305 identity_len == ssl->conf->psk_identity_len && 306 mbedtls_ct_memcmp(ssl->conf->psk_identity, 307 identity, identity_len) == 0) { 308 ret = mbedtls_ssl_set_hs_psk(ssl, ssl->conf->psk, ssl->conf->psk_len); 309 if (ret != 0) { 310 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_set_hs_psk", ret); 311 return ret; 312 } 313 return SSL_TLS1_3_OFFERED_PSK_MATCH; 314 } 315 316 return SSL_TLS1_3_OFFERED_PSK_NOT_MATCH; 317 } 318 319 MBEDTLS_CHECK_RETURN_CRITICAL 320 static int ssl_tls13_offered_psks_check_binder_match(mbedtls_ssl_context *ssl, 321 const unsigned char *binder, 322 size_t binder_len, 323 int psk_type, 324 psa_algorithm_t psk_hash_alg) 325 { 326 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 327 328 unsigned char transcript[PSA_HASH_MAX_SIZE]; 329 size_t transcript_len; 330 unsigned char *psk; 331 size_t psk_len; 332 unsigned char server_computed_binder[PSA_HASH_MAX_SIZE]; 333 334 /* Get current state of handshake transcript. */ 335 ret = mbedtls_ssl_get_handshake_transcript( 336 ssl, mbedtls_hash_info_md_from_psa(psk_hash_alg), 337 transcript, sizeof(transcript), &transcript_len); 338 if (ret != 0) { 339 return ret; 340 } 341 342 ret = mbedtls_ssl_tls13_export_handshake_psk(ssl, &psk, &psk_len); 343 if (ret != 0) { 344 return ret; 345 } 346 347 ret = mbedtls_ssl_tls13_create_psk_binder(ssl, psk_hash_alg, 348 psk, psk_len, psk_type, 349 transcript, 350 server_computed_binder); 351 #if defined(MBEDTLS_USE_PSA_CRYPTO) 352 mbedtls_free((void *) psk); 353 #endif 354 if (ret != 0) { 355 MBEDTLS_SSL_DEBUG_MSG(1, ("PSK binder calculation failed.")); 356 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; 357 } 358 359 MBEDTLS_SSL_DEBUG_BUF(3, "psk binder ( computed ): ", 360 server_computed_binder, transcript_len); 361 MBEDTLS_SSL_DEBUG_BUF(3, "psk binder ( received ): ", binder, binder_len); 362 363 if (mbedtls_ct_memcmp(server_computed_binder, binder, binder_len) == 0) { 364 return SSL_TLS1_3_OFFERED_PSK_MATCH; 365 } 366 367 mbedtls_platform_zeroize(server_computed_binder, 368 sizeof(server_computed_binder)); 369 return SSL_TLS1_3_OFFERED_PSK_NOT_MATCH; 370 } 371 372 MBEDTLS_CHECK_RETURN_CRITICAL 373 static int ssl_tls13_select_ciphersuite_for_psk( 374 mbedtls_ssl_context *ssl, 375 const unsigned char *cipher_suites, 376 const unsigned char *cipher_suites_end, 377 uint16_t *selected_ciphersuite, 378 const mbedtls_ssl_ciphersuite_t **selected_ciphersuite_info) 379 { 380 psa_algorithm_t psk_hash_alg = PSA_ALG_SHA_256; 381 382 *selected_ciphersuite = 0; 383 *selected_ciphersuite_info = NULL; 384 385 /* RFC 8446, page 55. 386 * 387 * For externally established PSKs, the Hash algorithm MUST be set when the 388 * PSK is established or default to SHA-256 if no such algorithm is defined. 389 * 390 */ 391 392 /* 393 * Search for a matching ciphersuite 394 */ 395 for (const unsigned char *p = cipher_suites; 396 p < cipher_suites_end; p += 2) { 397 uint16_t cipher_suite; 398 const mbedtls_ssl_ciphersuite_t *ciphersuite_info; 399 400 cipher_suite = MBEDTLS_GET_UINT16_BE(p, 0); 401 ciphersuite_info = ssl_tls13_validate_peer_ciphersuite(ssl, 402 cipher_suite); 403 if (ciphersuite_info == NULL) { 404 continue; 405 } 406 407 /* MAC of selected ciphersuite MUST be same with PSK binder if exist. 408 * Otherwise, client should reject. 409 */ 410 if (psk_hash_alg == mbedtls_psa_translate_md(ciphersuite_info->mac)) { 411 *selected_ciphersuite = cipher_suite; 412 *selected_ciphersuite_info = ciphersuite_info; 413 return 0; 414 } 415 } 416 MBEDTLS_SSL_DEBUG_MSG(2, ("No matched ciphersuite")); 417 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; 418 } 419 420 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 421 MBEDTLS_CHECK_RETURN_CRITICAL 422 static int ssl_tls13_select_ciphersuite_for_resumption( 423 mbedtls_ssl_context *ssl, 424 const unsigned char *cipher_suites, 425 const unsigned char *cipher_suites_end, 426 mbedtls_ssl_session *session, 427 uint16_t *selected_ciphersuite, 428 const mbedtls_ssl_ciphersuite_t **selected_ciphersuite_info) 429 { 430 431 *selected_ciphersuite = 0; 432 *selected_ciphersuite_info = NULL; 433 for (const unsigned char *p = cipher_suites; p < cipher_suites_end; p += 2) { 434 uint16_t cipher_suite = MBEDTLS_GET_UINT16_BE(p, 0); 435 const mbedtls_ssl_ciphersuite_t *ciphersuite_info; 436 437 if (cipher_suite != session->ciphersuite) { 438 continue; 439 } 440 441 ciphersuite_info = ssl_tls13_validate_peer_ciphersuite(ssl, 442 cipher_suite); 443 if (ciphersuite_info == NULL) { 444 continue; 445 } 446 447 *selected_ciphersuite = cipher_suite; 448 *selected_ciphersuite_info = ciphersuite_info; 449 450 return 0; 451 } 452 453 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; 454 } 455 456 MBEDTLS_CHECK_RETURN_CRITICAL 457 static int ssl_tls13_session_copy_ticket(mbedtls_ssl_session *dst, 458 const mbedtls_ssl_session *src) 459 { 460 dst->ticket_age_add = src->ticket_age_add; 461 dst->ticket_flags = src->ticket_flags; 462 dst->resumption_key_len = src->resumption_key_len; 463 if (src->resumption_key_len == 0) { 464 return MBEDTLS_ERR_SSL_INTERNAL_ERROR; 465 } 466 memcpy(dst->resumption_key, src->resumption_key, src->resumption_key_len); 467 468 return 0; 469 } 470 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 471 472 /* Parser for pre_shared_key extension in client hello 473 * struct { 474 * opaque identity<1..2^16-1>; 475 * uint32 obfuscated_ticket_age; 476 * } PskIdentity; 477 * 478 * opaque PskBinderEntry<32..255>; 479 * 480 * struct { 481 * PskIdentity identities<7..2^16-1>; 482 * PskBinderEntry binders<33..2^16-1>; 483 * } OfferedPsks; 484 * 485 * struct { 486 * select (Handshake.msg_type) { 487 * case client_hello: OfferedPsks; 488 * .... 489 * }; 490 * } PreSharedKeyExtension; 491 */ 492 MBEDTLS_CHECK_RETURN_CRITICAL 493 static int ssl_tls13_parse_pre_shared_key_ext(mbedtls_ssl_context *ssl, 494 const unsigned char *pre_shared_key_ext, 495 const unsigned char *pre_shared_key_ext_end, 496 const unsigned char *ciphersuites, 497 const unsigned char *ciphersuites_end) 498 { 499 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 500 const unsigned char *identities = pre_shared_key_ext; 501 const unsigned char *p_identity_len; 502 size_t identities_len; 503 const unsigned char *identities_end; 504 const unsigned char *binders; 505 const unsigned char *p_binder_len; 506 size_t binders_len; 507 const unsigned char *binders_end; 508 int matched_identity = -1; 509 int identity_id = -1; 510 511 MBEDTLS_SSL_DEBUG_BUF(3, "pre_shared_key extension", 512 pre_shared_key_ext, 513 pre_shared_key_ext_end - pre_shared_key_ext); 514 515 /* identities_len 2 bytes 516 * identities_data >= 7 bytes 517 */ 518 MBEDTLS_SSL_CHK_BUF_READ_PTR(identities, pre_shared_key_ext_end, 7 + 2); 519 identities_len = MBEDTLS_GET_UINT16_BE(identities, 0); 520 p_identity_len = identities + 2; 521 MBEDTLS_SSL_CHK_BUF_READ_PTR(p_identity_len, pre_shared_key_ext_end, 522 identities_len); 523 identities_end = p_identity_len + identities_len; 524 525 /* binders_len 2 bytes 526 * binders >= 33 bytes 527 */ 528 binders = identities_end; 529 MBEDTLS_SSL_CHK_BUF_READ_PTR(binders, pre_shared_key_ext_end, 33 + 2); 530 binders_len = MBEDTLS_GET_UINT16_BE(binders, 0); 531 p_binder_len = binders + 2; 532 MBEDTLS_SSL_CHK_BUF_READ_PTR(p_binder_len, pre_shared_key_ext_end, binders_len); 533 binders_end = p_binder_len + binders_len; 534 535 ret = ssl->handshake->update_checksum(ssl, pre_shared_key_ext, 536 identities_end - pre_shared_key_ext); 537 if (0 != ret) { 538 MBEDTLS_SSL_DEBUG_RET(1, ("update_checksum"), ret); 539 return ret; 540 } 541 542 while (p_identity_len < identities_end && p_binder_len < binders_end) { 543 const unsigned char *identity; 544 size_t identity_len; 545 uint32_t obfuscated_ticket_age; 546 const unsigned char *binder; 547 size_t binder_len; 548 int psk_type; 549 uint16_t cipher_suite; 550 const mbedtls_ssl_ciphersuite_t *ciphersuite_info; 551 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 552 mbedtls_ssl_session session; 553 mbedtls_ssl_session_init(&session); 554 #endif 555 556 MBEDTLS_SSL_CHK_BUF_READ_PTR(p_identity_len, identities_end, 2 + 1 + 4); 557 identity_len = MBEDTLS_GET_UINT16_BE(p_identity_len, 0); 558 identity = p_identity_len + 2; 559 MBEDTLS_SSL_CHK_BUF_READ_PTR(identity, identities_end, identity_len + 4); 560 obfuscated_ticket_age = MBEDTLS_GET_UINT32_BE(identity, identity_len); 561 p_identity_len += identity_len + 6; 562 563 MBEDTLS_SSL_CHK_BUF_READ_PTR(p_binder_len, binders_end, 1 + 32); 564 binder_len = *p_binder_len; 565 binder = p_binder_len + 1; 566 MBEDTLS_SSL_CHK_BUF_READ_PTR(binder, binders_end, binder_len); 567 p_binder_len += binder_len + 1; 568 569 identity_id++; 570 if (matched_identity != -1) { 571 continue; 572 } 573 574 ret = ssl_tls13_offered_psks_check_identity_match( 575 ssl, identity, identity_len, obfuscated_ticket_age, 576 &psk_type, &session); 577 if (ret != SSL_TLS1_3_OFFERED_PSK_MATCH) { 578 continue; 579 } 580 581 MBEDTLS_SSL_DEBUG_MSG(4, ("found matched identity")); 582 switch (psk_type) { 583 case MBEDTLS_SSL_TLS1_3_PSK_EXTERNAL: 584 ret = ssl_tls13_select_ciphersuite_for_psk( 585 ssl, ciphersuites, ciphersuites_end, 586 &cipher_suite, &ciphersuite_info); 587 break; 588 case MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION: 589 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 590 ret = ssl_tls13_select_ciphersuite_for_resumption( 591 ssl, ciphersuites, ciphersuites_end, &session, 592 &cipher_suite, &ciphersuite_info); 593 if (ret != 0) { 594 mbedtls_ssl_session_free(&session); 595 } 596 #else 597 ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 598 #endif 599 break; 600 default: 601 return MBEDTLS_ERR_SSL_INTERNAL_ERROR; 602 } 603 if (ret != 0) { 604 /* See below, no cipher_suite available, abort handshake */ 605 MBEDTLS_SSL_PEND_FATAL_ALERT( 606 MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR, 607 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE); 608 MBEDTLS_SSL_DEBUG_RET( 609 2, "ssl_tls13_select_ciphersuite", ret); 610 return ret; 611 } 612 613 ret = ssl_tls13_offered_psks_check_binder_match( 614 ssl, binder, binder_len, psk_type, 615 mbedtls_psa_translate_md(ciphersuite_info->mac)); 616 if (ret != SSL_TLS1_3_OFFERED_PSK_MATCH) { 617 /* For security reasons, the handshake should be aborted when we 618 * fail to validate a binder value. See RFC 8446 section 4.2.11.2 619 * and appendix E.6. */ 620 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 621 mbedtls_ssl_session_free(&session); 622 #endif 623 MBEDTLS_SSL_DEBUG_MSG(3, ("Invalid binder.")); 624 MBEDTLS_SSL_DEBUG_RET(1, 625 "ssl_tls13_offered_psks_check_binder_match", ret); 626 MBEDTLS_SSL_PEND_FATAL_ALERT( 627 MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR, 628 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE); 629 return ret; 630 } 631 632 matched_identity = identity_id; 633 634 /* Update handshake parameters */ 635 ssl->handshake->ciphersuite_info = ciphersuite_info; 636 ssl->session_negotiate->ciphersuite = cipher_suite; 637 MBEDTLS_SSL_DEBUG_MSG(2, ("overwrite ciphersuite: %04x - %s", 638 cipher_suite, ciphersuite_info->name)); 639 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 640 if (psk_type == MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION) { 641 ret = ssl_tls13_session_copy_ticket(ssl->session_negotiate, 642 &session); 643 mbedtls_ssl_session_free(&session); 644 if (ret != 0) { 645 return ret; 646 } 647 } 648 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 649 } 650 651 if (p_identity_len != identities_end || p_binder_len != binders_end) { 652 MBEDTLS_SSL_DEBUG_MSG(3, ("pre_shared_key extension decode error")); 653 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR, 654 MBEDTLS_ERR_SSL_DECODE_ERROR); 655 return MBEDTLS_ERR_SSL_DECODE_ERROR; 656 } 657 658 /* Update the handshake transcript with the binder list. */ 659 ret = ssl->handshake->update_checksum(ssl, 660 identities_end, 661 (size_t) (binders_end - identities_end)); 662 if (0 != ret) { 663 MBEDTLS_SSL_DEBUG_RET(1, ("update_checksum"), ret); 664 return ret; 665 } 666 if (matched_identity == -1) { 667 MBEDTLS_SSL_DEBUG_MSG(3, ("No matched PSK or ticket.")); 668 return MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY; 669 } 670 671 ssl->handshake->selected_identity = (uint16_t) matched_identity; 672 MBEDTLS_SSL_DEBUG_MSG(3, ("Pre shared key found")); 673 674 return 0; 675 } 676 677 /* 678 * struct { 679 * select ( Handshake.msg_type ) { 680 * .... 681 * case server_hello: 682 * uint16 selected_identity; 683 * } 684 * } PreSharedKeyExtension; 685 */ 686 static int ssl_tls13_write_server_pre_shared_key_ext(mbedtls_ssl_context *ssl, 687 unsigned char *buf, 688 unsigned char *end, 689 size_t *olen) 690 { 691 unsigned char *p = (unsigned char *) buf; 692 693 *olen = 0; 694 695 int not_using_psk = 0; 696 #if defined(MBEDTLS_USE_PSA_CRYPTO) 697 not_using_psk = (mbedtls_svc_key_id_is_null(ssl->handshake->psk_opaque)); 698 #else 699 not_using_psk = (ssl->handshake->psk == NULL); 700 #endif 701 if (not_using_psk) { 702 /* We shouldn't have called this extension writer unless we've 703 * chosen to use a PSK. */ 704 return MBEDTLS_ERR_SSL_INTERNAL_ERROR; 705 } 706 707 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding pre_shared_key extension")); 708 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 6); 709 710 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_PRE_SHARED_KEY, p, 0); 711 MBEDTLS_PUT_UINT16_BE(2, p, 2); 712 713 MBEDTLS_PUT_UINT16_BE(ssl->handshake->selected_identity, p, 4); 714 715 *olen = 6; 716 717 MBEDTLS_SSL_DEBUG_MSG(4, ("sent selected_identity: %u", 718 ssl->handshake->selected_identity)); 719 720 mbedtls_ssl_tls13_set_hs_sent_ext_mask(ssl, MBEDTLS_TLS_EXT_PRE_SHARED_KEY); 721 722 return 0; 723 } 724 725 #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */ 726 727 /* From RFC 8446: 728 * struct { 729 * ProtocolVersion versions<2..254>; 730 * } SupportedVersions; 731 */ 732 MBEDTLS_CHECK_RETURN_CRITICAL 733 static int ssl_tls13_parse_supported_versions_ext(mbedtls_ssl_context *ssl, 734 const unsigned char *buf, 735 const unsigned char *end) 736 { 737 const unsigned char *p = buf; 738 size_t versions_len; 739 const unsigned char *versions_end; 740 uint16_t tls_version; 741 int tls13_supported = 0; 742 743 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 1); 744 versions_len = p[0]; 745 p += 1; 746 747 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, versions_len); 748 versions_end = p + versions_len; 749 while (p < versions_end) { 750 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, versions_end, 2); 751 tls_version = mbedtls_ssl_read_version(p, ssl->conf->transport); 752 p += 2; 753 754 /* In this implementation we only support TLS 1.3 and DTLS 1.3. */ 755 if (tls_version == MBEDTLS_SSL_VERSION_TLS1_3) { 756 tls13_supported = 1; 757 break; 758 } 759 } 760 761 if (!tls13_supported) { 762 MBEDTLS_SSL_DEBUG_MSG(1, ("TLS 1.3 is not supported by the client")); 763 764 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION, 765 MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION); 766 return MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION; 767 } 768 769 MBEDTLS_SSL_DEBUG_MSG(1, ("Negotiated version. Supported is [%04x]", 770 (unsigned int) tls_version)); 771 772 return 0; 773 } 774 775 #if defined(MBEDTLS_ECDH_C) 776 /* 777 * 778 * From RFC 8446: 779 * enum { 780 * ... (0xFFFF) 781 * } NamedGroup; 782 * struct { 783 * NamedGroup named_group_list<2..2^16-1>; 784 * } NamedGroupList; 785 */ 786 MBEDTLS_CHECK_RETURN_CRITICAL 787 static int ssl_tls13_parse_supported_groups_ext(mbedtls_ssl_context *ssl, 788 const unsigned char *buf, 789 const unsigned char *end) 790 { 791 const unsigned char *p = buf; 792 size_t named_group_list_len; 793 const unsigned char *named_group_list_end; 794 795 MBEDTLS_SSL_DEBUG_BUF(3, "supported_groups extension", p, end - buf); 796 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2); 797 named_group_list_len = MBEDTLS_GET_UINT16_BE(p, 0); 798 p += 2; 799 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, named_group_list_len); 800 named_group_list_end = p + named_group_list_len; 801 ssl->handshake->hrr_selected_group = 0; 802 803 while (p < named_group_list_end) { 804 uint16_t named_group; 805 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, named_group_list_end, 2); 806 named_group = MBEDTLS_GET_UINT16_BE(p, 0); 807 p += 2; 808 809 MBEDTLS_SSL_DEBUG_MSG(2, 810 ("got named group: %s(%04x)", 811 mbedtls_ssl_named_group_to_str(named_group), 812 named_group)); 813 814 if (!mbedtls_ssl_named_group_is_offered(ssl, named_group) || 815 !mbedtls_ssl_named_group_is_supported(named_group) || 816 ssl->handshake->hrr_selected_group != 0) { 817 continue; 818 } 819 820 MBEDTLS_SSL_DEBUG_MSG(2, 821 ("add named group %s(%04x) into received list.", 822 mbedtls_ssl_named_group_to_str(named_group), 823 named_group)); 824 825 ssl->handshake->hrr_selected_group = named_group; 826 } 827 828 return 0; 829 830 } 831 #endif /* MBEDTLS_ECDH_C */ 832 833 #define SSL_TLS1_3_PARSE_KEY_SHARES_EXT_NO_MATCH 1 834 835 #if defined(MBEDTLS_ECDH_C) 836 /* 837 * ssl_tls13_parse_key_shares_ext() verifies whether the information in the 838 * extension is correct and stores the first acceptable key share and its associated group. 839 * 840 * Possible return values are: 841 * - 0: Successful processing of the client provided key share extension. 842 * - SSL_TLS1_3_PARSE_KEY_SHARES_EXT_NO_MATCH: The key shares provided by the client 843 * does not match a group supported by the server. A HelloRetryRequest will 844 * be needed. 845 * - A negative value for fatal errors. 846 */ 847 MBEDTLS_CHECK_RETURN_CRITICAL 848 static int ssl_tls13_parse_key_shares_ext(mbedtls_ssl_context *ssl, 849 const unsigned char *buf, 850 const unsigned char *end) 851 { 852 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 853 unsigned char const *p = buf; 854 unsigned char const *client_shares_end; 855 size_t client_shares_len; 856 857 /* From RFC 8446: 858 * 859 * struct { 860 * KeyShareEntry client_shares<0..2^16-1>; 861 * } KeyShareClientHello; 862 * 863 */ 864 865 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2); 866 client_shares_len = MBEDTLS_GET_UINT16_BE(p, 0); 867 p += 2; 868 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, client_shares_len); 869 870 ssl->handshake->offered_group_id = 0; 871 client_shares_end = p + client_shares_len; 872 873 /* We try to find a suitable key share entry and copy it to the 874 * handshake context. Later, we have to find out whether we can do 875 * something with the provided key share or whether we have to 876 * dismiss it and send a HelloRetryRequest message. 877 */ 878 879 while (p < client_shares_end) { 880 uint16_t group; 881 size_t key_exchange_len; 882 const unsigned char *key_exchange; 883 884 /* 885 * struct { 886 * NamedGroup group; 887 * opaque key_exchange<1..2^16-1>; 888 * } KeyShareEntry; 889 */ 890 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, client_shares_end, 4); 891 group = MBEDTLS_GET_UINT16_BE(p, 0); 892 key_exchange_len = MBEDTLS_GET_UINT16_BE(p, 2); 893 p += 4; 894 key_exchange = p; 895 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, client_shares_end, key_exchange_len); 896 p += key_exchange_len; 897 898 /* Continue parsing even if we have already found a match, 899 * for input validation purposes. 900 */ 901 if (!mbedtls_ssl_named_group_is_offered(ssl, group) || 902 !mbedtls_ssl_named_group_is_supported(group) || 903 ssl->handshake->offered_group_id != 0) { 904 continue; 905 } 906 907 /* 908 * For now, we only support ECDHE groups. 909 */ 910 if (mbedtls_ssl_tls13_named_group_is_ecdhe(group)) { 911 MBEDTLS_SSL_DEBUG_MSG(2, ("ECDH group: %s (%04x)", 912 mbedtls_ssl_named_group_to_str(group), 913 group)); 914 ret = mbedtls_ssl_tls13_read_public_ecdhe_share( 915 ssl, key_exchange - 2, key_exchange_len + 2); 916 if (ret != 0) { 917 return ret; 918 } 919 920 } else { 921 MBEDTLS_SSL_DEBUG_MSG(4, ("Unrecognized NamedGroup %u", 922 (unsigned) group)); 923 continue; 924 } 925 926 ssl->handshake->offered_group_id = group; 927 } 928 929 930 if (ssl->handshake->offered_group_id == 0) { 931 MBEDTLS_SSL_DEBUG_MSG(1, ("no matching key share")); 932 return SSL_TLS1_3_PARSE_KEY_SHARES_EXT_NO_MATCH; 933 } 934 return 0; 935 } 936 #endif /* MBEDTLS_ECDH_C */ 937 938 MBEDTLS_CHECK_RETURN_CRITICAL 939 static int ssl_tls13_client_hello_has_exts(mbedtls_ssl_context *ssl, 940 int exts_mask) 941 { 942 int masked = ssl->handshake->received_extensions & exts_mask; 943 return masked == exts_mask; 944 } 945 946 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED) 947 MBEDTLS_CHECK_RETURN_CRITICAL 948 static int ssl_tls13_client_hello_has_exts_for_ephemeral_key_exchange( 949 mbedtls_ssl_context *ssl) 950 { 951 return ssl_tls13_client_hello_has_exts( 952 ssl, 953 MBEDTLS_SSL_EXT_MASK(SUPPORTED_GROUPS) | 954 MBEDTLS_SSL_EXT_MASK(KEY_SHARE) | 955 MBEDTLS_SSL_EXT_MASK(SIG_ALG)); 956 } 957 #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */ 958 959 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED) 960 MBEDTLS_CHECK_RETURN_CRITICAL 961 static int ssl_tls13_client_hello_has_exts_for_psk_key_exchange( 962 mbedtls_ssl_context *ssl) 963 { 964 return ssl_tls13_client_hello_has_exts( 965 ssl, 966 MBEDTLS_SSL_EXT_MASK(PRE_SHARED_KEY) | 967 MBEDTLS_SSL_EXT_MASK(PSK_KEY_EXCHANGE_MODES)); 968 } 969 #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED */ 970 971 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED) 972 MBEDTLS_CHECK_RETURN_CRITICAL 973 static int ssl_tls13_client_hello_has_exts_for_psk_ephemeral_key_exchange( 974 mbedtls_ssl_context *ssl) 975 { 976 return ssl_tls13_client_hello_has_exts( 977 ssl, 978 MBEDTLS_SSL_EXT_MASK(SUPPORTED_GROUPS) | 979 MBEDTLS_SSL_EXT_MASK(KEY_SHARE) | 980 MBEDTLS_SSL_EXT_MASK(PRE_SHARED_KEY) | 981 MBEDTLS_SSL_EXT_MASK(PSK_KEY_EXCHANGE_MODES)); 982 } 983 #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED */ 984 985 MBEDTLS_CHECK_RETURN_CRITICAL 986 static int ssl_tls13_check_ephemeral_key_exchange(mbedtls_ssl_context *ssl) 987 { 988 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED) 989 return mbedtls_ssl_conf_tls13_ephemeral_enabled(ssl) && 990 ssl_tls13_client_hello_has_exts_for_ephemeral_key_exchange(ssl); 991 #else 992 ((void) ssl); 993 return 0; 994 #endif 995 } 996 997 MBEDTLS_CHECK_RETURN_CRITICAL 998 static int ssl_tls13_check_psk_key_exchange(mbedtls_ssl_context *ssl) 999 { 1000 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED) 1001 return mbedtls_ssl_conf_tls13_psk_enabled(ssl) && 1002 mbedtls_ssl_tls13_psk_enabled(ssl) && 1003 ssl_tls13_client_hello_has_exts_for_psk_key_exchange(ssl); 1004 #else 1005 ((void) ssl); 1006 return 0; 1007 #endif 1008 } 1009 1010 MBEDTLS_CHECK_RETURN_CRITICAL 1011 static int ssl_tls13_check_psk_ephemeral_key_exchange(mbedtls_ssl_context *ssl) 1012 { 1013 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED) 1014 return mbedtls_ssl_conf_tls13_psk_ephemeral_enabled(ssl) && 1015 mbedtls_ssl_tls13_psk_ephemeral_enabled(ssl) && 1016 ssl_tls13_client_hello_has_exts_for_psk_ephemeral_key_exchange(ssl); 1017 #else 1018 ((void) ssl); 1019 return 0; 1020 #endif 1021 } 1022 1023 static int ssl_tls13_determine_key_exchange_mode(mbedtls_ssl_context *ssl) 1024 { 1025 /* 1026 * Determine the key exchange algorithm to use. 1027 * There are three types of key exchanges supported in TLS 1.3: 1028 * - (EC)DH with ECDSA, 1029 * - (EC)DH with PSK, 1030 * - plain PSK. 1031 * 1032 * The PSK-based key exchanges may additionally be used with 0-RTT. 1033 * 1034 * Our built-in order of preference is 1035 * 1 ) (EC)DHE-PSK Mode ( psk_ephemeral ) 1036 * 2 ) Certificate Mode ( ephemeral ) 1037 * 3 ) Plain PSK Mode ( psk ) 1038 */ 1039 1040 ssl->handshake->key_exchange_mode = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_NONE; 1041 1042 if (ssl_tls13_check_psk_ephemeral_key_exchange(ssl)) { 1043 ssl->handshake->key_exchange_mode = 1044 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL; 1045 MBEDTLS_SSL_DEBUG_MSG(2, ("key exchange mode: psk_ephemeral")); 1046 } else 1047 if (ssl_tls13_check_ephemeral_key_exchange(ssl)) { 1048 ssl->handshake->key_exchange_mode = 1049 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL; 1050 MBEDTLS_SSL_DEBUG_MSG(2, ("key exchange mode: ephemeral")); 1051 } else 1052 if (ssl_tls13_check_psk_key_exchange(ssl)) { 1053 ssl->handshake->key_exchange_mode = 1054 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK; 1055 MBEDTLS_SSL_DEBUG_MSG(2, ("key exchange mode: psk")); 1056 } else { 1057 MBEDTLS_SSL_DEBUG_MSG( 1058 1, 1059 ("ClientHello message misses mandatory extensions.")); 1060 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_MISSING_EXTENSION, 1061 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER); 1062 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; 1063 } 1064 1065 return 0; 1066 1067 } 1068 1069 #if defined(MBEDTLS_X509_CRT_PARSE_C) && \ 1070 defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED) 1071 1072 #if defined(MBEDTLS_USE_PSA_CRYPTO) 1073 static psa_algorithm_t ssl_tls13_iana_sig_alg_to_psa_alg(uint16_t sig_alg) 1074 { 1075 switch (sig_alg) { 1076 case MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256: 1077 return PSA_ALG_ECDSA(PSA_ALG_SHA_256); 1078 case MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384: 1079 return PSA_ALG_ECDSA(PSA_ALG_SHA_384); 1080 case MBEDTLS_TLS1_3_SIG_ECDSA_SECP521R1_SHA512: 1081 return PSA_ALG_ECDSA(PSA_ALG_SHA_512); 1082 case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256: 1083 return PSA_ALG_RSA_PSS(PSA_ALG_SHA_256); 1084 case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384: 1085 return PSA_ALG_RSA_PSS(PSA_ALG_SHA_384); 1086 case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512: 1087 return PSA_ALG_RSA_PSS(PSA_ALG_SHA_512); 1088 case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256: 1089 return PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256); 1090 case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA384: 1091 return PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_384); 1092 case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA512: 1093 return PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_512); 1094 default: 1095 return PSA_ALG_NONE; 1096 } 1097 } 1098 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 1099 1100 /* 1101 * Pick best ( private key, certificate chain ) pair based on the signature 1102 * algorithms supported by the client. 1103 */ 1104 MBEDTLS_CHECK_RETURN_CRITICAL 1105 static int ssl_tls13_pick_key_cert(mbedtls_ssl_context *ssl) 1106 { 1107 mbedtls_ssl_key_cert *key_cert, *key_cert_list; 1108 const uint16_t *sig_alg = ssl->handshake->received_sig_algs; 1109 1110 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 1111 if (ssl->handshake->sni_key_cert != NULL) { 1112 key_cert_list = ssl->handshake->sni_key_cert; 1113 } else 1114 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ 1115 key_cert_list = ssl->conf->key_cert; 1116 1117 if (key_cert_list == NULL) { 1118 MBEDTLS_SSL_DEBUG_MSG(3, ("server has no certificate")); 1119 return -1; 1120 } 1121 1122 for (; *sig_alg != MBEDTLS_TLS1_3_SIG_NONE; sig_alg++) { 1123 if (!mbedtls_ssl_sig_alg_is_offered(ssl, *sig_alg)) { 1124 continue; 1125 } 1126 1127 if (!mbedtls_ssl_tls13_sig_alg_for_cert_verify_is_supported(*sig_alg)) { 1128 continue; 1129 } 1130 1131 for (key_cert = key_cert_list; key_cert != NULL; 1132 key_cert = key_cert->next) { 1133 #if defined(MBEDTLS_USE_PSA_CRYPTO) 1134 psa_algorithm_t psa_alg = PSA_ALG_NONE; 1135 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 1136 1137 MBEDTLS_SSL_DEBUG_CRT(3, "certificate (chain) candidate", 1138 key_cert->cert); 1139 1140 /* 1141 * This avoids sending the client a cert it'll reject based on 1142 * keyUsage or other extensions. 1143 */ 1144 if (mbedtls_x509_crt_check_key_usage( 1145 key_cert->cert, MBEDTLS_X509_KU_DIGITAL_SIGNATURE) != 0 || 1146 mbedtls_x509_crt_check_extended_key_usage( 1147 key_cert->cert, MBEDTLS_OID_SERVER_AUTH, 1148 MBEDTLS_OID_SIZE(MBEDTLS_OID_SERVER_AUTH)) != 0) { 1149 MBEDTLS_SSL_DEBUG_MSG(3, ("certificate mismatch: " 1150 "(extended) key usage extension")); 1151 continue; 1152 } 1153 1154 MBEDTLS_SSL_DEBUG_MSG(3, 1155 ("ssl_tls13_pick_key_cert:" 1156 "check signature algorithm %s [%04x]", 1157 mbedtls_ssl_sig_alg_to_str(*sig_alg), 1158 *sig_alg)); 1159 #if defined(MBEDTLS_USE_PSA_CRYPTO) 1160 psa_alg = ssl_tls13_iana_sig_alg_to_psa_alg(*sig_alg); 1161 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 1162 1163 if (mbedtls_ssl_tls13_check_sig_alg_cert_key_match( 1164 *sig_alg, &key_cert->cert->pk) 1165 #if defined(MBEDTLS_USE_PSA_CRYPTO) 1166 && psa_alg != PSA_ALG_NONE && 1167 mbedtls_pk_can_do_ext(&key_cert->cert->pk, psa_alg, 1168 PSA_KEY_USAGE_SIGN_HASH) == 1 1169 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 1170 ) { 1171 ssl->handshake->key_cert = key_cert; 1172 MBEDTLS_SSL_DEBUG_MSG(3, 1173 ("ssl_tls13_pick_key_cert:" 1174 "selected signature algorithm" 1175 " %s [%04x]", 1176 mbedtls_ssl_sig_alg_to_str(*sig_alg), 1177 *sig_alg)); 1178 MBEDTLS_SSL_DEBUG_CRT( 1179 3, "selected certificate (chain)", 1180 ssl->handshake->key_cert->cert); 1181 return 0; 1182 } 1183 } 1184 } 1185 1186 MBEDTLS_SSL_DEBUG_MSG(2, ("ssl_tls13_pick_key_cert:" 1187 "no suitable certificate found")); 1188 return -1; 1189 } 1190 #endif /* MBEDTLS_X509_CRT_PARSE_C && 1191 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */ 1192 1193 /* 1194 * 1195 * STATE HANDLING: ClientHello 1196 * 1197 * There are three possible classes of outcomes when parsing the ClientHello: 1198 * 1199 * 1) The ClientHello was well-formed and matched the server's configuration. 1200 * 1201 * In this case, the server progresses to sending its ServerHello. 1202 * 1203 * 2) The ClientHello was well-formed but didn't match the server's 1204 * configuration. 1205 * 1206 * For example, the client might not have offered a key share which 1207 * the server supports, or the server might require a cookie. 1208 * 1209 * In this case, the server sends a HelloRetryRequest. 1210 * 1211 * 3) The ClientHello was ill-formed 1212 * 1213 * In this case, we abort the handshake. 1214 * 1215 */ 1216 1217 /* 1218 * Structure of this message: 1219 * 1220 * uint16 ProtocolVersion; 1221 * opaque Random[32]; 1222 * uint8 CipherSuite[2]; // Cryptographic suite selector 1223 * 1224 * struct { 1225 * ProtocolVersion legacy_version = 0x0303; // TLS v1.2 1226 * Random random; 1227 * opaque legacy_session_id<0..32>; 1228 * CipherSuite cipher_suites<2..2^16-2>; 1229 * opaque legacy_compression_methods<1..2^8-1>; 1230 * Extension extensions<8..2^16-1>; 1231 * } ClientHello; 1232 */ 1233 1234 #define SSL_CLIENT_HELLO_OK 0 1235 #define SSL_CLIENT_HELLO_HRR_REQUIRED 1 1236 1237 MBEDTLS_CHECK_RETURN_CRITICAL 1238 static int ssl_tls13_parse_client_hello(mbedtls_ssl_context *ssl, 1239 const unsigned char *buf, 1240 const unsigned char *end) 1241 { 1242 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1243 const unsigned char *p = buf; 1244 size_t legacy_session_id_len; 1245 size_t cipher_suites_len; 1246 const unsigned char *cipher_suites_end; 1247 size_t extensions_len; 1248 const unsigned char *extensions_end; 1249 mbedtls_ssl_handshake_params *handshake = ssl->handshake; 1250 int hrr_required = 0; 1251 1252 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED) 1253 const unsigned char *cipher_suites; 1254 const unsigned char *pre_shared_key_ext = NULL; 1255 const unsigned char *pre_shared_key_ext_end = NULL; 1256 #endif 1257 1258 /* 1259 * ClientHello layout: 1260 * 0 . 1 protocol version 1261 * 2 . 33 random bytes 1262 * 34 . 34 session id length ( 1 byte ) 1263 * 35 . 34+x session id 1264 * .. . .. ciphersuite list length ( 2 bytes ) 1265 * .. . .. ciphersuite list 1266 * .. . .. compression alg. list length ( 1 byte ) 1267 * .. . .. compression alg. list 1268 * .. . .. extensions length ( 2 bytes, optional ) 1269 * .. . .. extensions ( optional ) 1270 */ 1271 1272 /* 1273 * Minimal length ( with everything empty and extensions omitted ) is 1274 * 2 + 32 + 1 + 2 + 1 = 38 bytes. Check that first, so that we can 1275 * read at least up to session id length without worrying. 1276 */ 1277 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 38); 1278 1279 /* ... 1280 * ProtocolVersion legacy_version = 0x0303; // TLS 1.2 1281 * ... 1282 * with ProtocolVersion defined as: 1283 * uint16 ProtocolVersion; 1284 */ 1285 if (mbedtls_ssl_read_version(p, ssl->conf->transport) != 1286 MBEDTLS_SSL_VERSION_TLS1_2) { 1287 MBEDTLS_SSL_DEBUG_MSG(1, ("Unsupported version of TLS.")); 1288 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION, 1289 MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION); 1290 return MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION; 1291 } 1292 p += 2; 1293 1294 /* 1295 * Only support TLS 1.3 currently, temporarily set the version. 1296 */ 1297 ssl->tls_version = MBEDTLS_SSL_VERSION_TLS1_3; 1298 1299 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 1300 /* Store minor version for later use with ticket serialization. */ 1301 ssl->session_negotiate->tls_version = MBEDTLS_SSL_VERSION_TLS1_3; 1302 ssl->session_negotiate->endpoint = ssl->conf->endpoint; 1303 #endif 1304 1305 /* ... 1306 * Random random; 1307 * ... 1308 * with Random defined as: 1309 * opaque Random[32]; 1310 */ 1311 MBEDTLS_SSL_DEBUG_BUF(3, "client hello, random bytes", 1312 p, MBEDTLS_CLIENT_HELLO_RANDOM_LEN); 1313 1314 memcpy(&handshake->randbytes[0], p, MBEDTLS_CLIENT_HELLO_RANDOM_LEN); 1315 p += MBEDTLS_CLIENT_HELLO_RANDOM_LEN; 1316 1317 /* ... 1318 * opaque legacy_session_id<0..32>; 1319 * ... 1320 */ 1321 legacy_session_id_len = p[0]; 1322 p++; 1323 1324 if (legacy_session_id_len > sizeof(ssl->session_negotiate->id)) { 1325 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); 1326 return MBEDTLS_ERR_SSL_DECODE_ERROR; 1327 } 1328 1329 ssl->session_negotiate->id_len = legacy_session_id_len; 1330 MBEDTLS_SSL_DEBUG_BUF(3, "client hello, session id", 1331 p, legacy_session_id_len); 1332 /* 1333 * Check we have enough data for the legacy session identifier 1334 * and the ciphersuite list length. 1335 */ 1336 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, legacy_session_id_len + 2); 1337 1338 memcpy(&ssl->session_negotiate->id[0], p, legacy_session_id_len); 1339 p += legacy_session_id_len; 1340 1341 cipher_suites_len = MBEDTLS_GET_UINT16_BE(p, 0); 1342 p += 2; 1343 1344 /* 1345 * The length of the ciphersuite list has to be even. 1346 */ 1347 if (cipher_suites_len & 1) { 1348 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR, 1349 MBEDTLS_ERR_SSL_DECODE_ERROR); 1350 return MBEDTLS_ERR_SSL_DECODE_ERROR; 1351 } 1352 1353 /* Check we have enough data for the ciphersuite list, the legacy 1354 * compression methods and the length of the extensions. 1355 * 1356 * cipher_suites cipher_suites_len bytes 1357 * legacy_compression_methods 2 bytes 1358 * extensions_len 2 bytes 1359 */ 1360 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, cipher_suites_len + 2 + 2); 1361 1362 /* ... 1363 * CipherSuite cipher_suites<2..2^16-2>; 1364 * ... 1365 * with CipherSuite defined as: 1366 * uint8 CipherSuite[2]; 1367 */ 1368 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED) 1369 cipher_suites = p; 1370 #endif 1371 cipher_suites_end = p + cipher_suites_len; 1372 MBEDTLS_SSL_DEBUG_BUF(3, "client hello, ciphersuitelist", 1373 p, cipher_suites_len); 1374 1375 /* 1376 * Search for a matching ciphersuite 1377 */ 1378 for (; p < cipher_suites_end; p += 2) { 1379 uint16_t cipher_suite; 1380 const mbedtls_ssl_ciphersuite_t *ciphersuite_info; 1381 1382 /* 1383 * "cipher_suite_end - p is even" is an invariant of the loop. As 1384 * cipher_suites_end - p > 0, we have cipher_suites_end - p >= 2 and 1385 * it is thus safe to read two bytes. 1386 */ 1387 cipher_suite = MBEDTLS_GET_UINT16_BE(p, 0); 1388 ciphersuite_info = ssl_tls13_validate_peer_ciphersuite( 1389 ssl, cipher_suite); 1390 if (ciphersuite_info == NULL) { 1391 continue; 1392 } 1393 1394 ssl->session_negotiate->ciphersuite = cipher_suite; 1395 handshake->ciphersuite_info = ciphersuite_info; 1396 MBEDTLS_SSL_DEBUG_MSG(2, ("selected ciphersuite: %04x - %s", 1397 cipher_suite, 1398 ciphersuite_info->name)); 1399 break; 1400 } 1401 1402 if (handshake->ciphersuite_info == NULL) { 1403 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE, 1404 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE); 1405 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; 1406 } 1407 p = cipher_suites_end; 1408 1409 /* ... 1410 * opaque legacy_compression_methods<1..2^8-1>; 1411 * ... 1412 */ 1413 if (p[0] != 1 || p[1] != MBEDTLS_SSL_COMPRESS_NULL) { 1414 MBEDTLS_SSL_DEBUG_MSG(1, ("bad legacy compression method")); 1415 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER, 1416 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER); 1417 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; 1418 } 1419 p += 2; 1420 1421 /* ... 1422 * Extension extensions<8..2^16-1>; 1423 * ... 1424 * with Extension defined as: 1425 * struct { 1426 * ExtensionType extension_type; 1427 * opaque extension_data<0..2^16-1>; 1428 * } Extension; 1429 */ 1430 extensions_len = MBEDTLS_GET_UINT16_BE(p, 0); 1431 p += 2; 1432 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, extensions_len); 1433 extensions_end = p + extensions_len; 1434 1435 MBEDTLS_SSL_DEBUG_BUF(3, "client hello extensions", p, extensions_len); 1436 1437 handshake->received_extensions = MBEDTLS_SSL_EXT_MASK_NONE; 1438 1439 while (p < extensions_end) { 1440 unsigned int extension_type; 1441 size_t extension_data_len; 1442 const unsigned char *extension_data_end; 1443 1444 /* RFC 8446, section 4.2.11 1445 * 1446 * The "pre_shared_key" extension MUST be the last extension in the 1447 * ClientHello (this facilitates implementation as described below). 1448 * Servers MUST check that it is the last extension and otherwise fail 1449 * the handshake with an "illegal_parameter" alert. 1450 */ 1451 if (handshake->received_extensions & MBEDTLS_SSL_EXT_MASK(PRE_SHARED_KEY)) { 1452 MBEDTLS_SSL_DEBUG_MSG( 1453 3, ("pre_shared_key is not last extension.")); 1454 MBEDTLS_SSL_PEND_FATAL_ALERT( 1455 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER, 1456 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER); 1457 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; 1458 } 1459 1460 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, extensions_end, 4); 1461 extension_type = MBEDTLS_GET_UINT16_BE(p, 0); 1462 extension_data_len = MBEDTLS_GET_UINT16_BE(p, 2); 1463 p += 4; 1464 1465 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, extensions_end, extension_data_len); 1466 extension_data_end = p + extension_data_len; 1467 1468 ret = mbedtls_ssl_tls13_check_received_extension( 1469 ssl, MBEDTLS_SSL_HS_CLIENT_HELLO, extension_type, 1470 MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CH); 1471 if (ret != 0) { 1472 return ret; 1473 } 1474 1475 switch (extension_type) { 1476 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 1477 case MBEDTLS_TLS_EXT_SERVERNAME: 1478 MBEDTLS_SSL_DEBUG_MSG(3, ("found ServerName extension")); 1479 ret = mbedtls_ssl_parse_server_name_ext(ssl, p, 1480 extension_data_end); 1481 if (ret != 0) { 1482 MBEDTLS_SSL_DEBUG_RET( 1483 1, "mbedtls_ssl_parse_servername_ext", ret); 1484 return ret; 1485 } 1486 break; 1487 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ 1488 1489 #if defined(MBEDTLS_ECDH_C) 1490 case MBEDTLS_TLS_EXT_SUPPORTED_GROUPS: 1491 MBEDTLS_SSL_DEBUG_MSG(3, ("found supported group extension")); 1492 1493 /* Supported Groups Extension 1494 * 1495 * When sent by the client, the "supported_groups" extension 1496 * indicates the named groups which the client supports, 1497 * ordered from most preferred to least preferred. 1498 */ 1499 ret = ssl_tls13_parse_supported_groups_ext( 1500 ssl, p, extension_data_end); 1501 if (ret != 0) { 1502 MBEDTLS_SSL_DEBUG_RET(1, 1503 "mbedtls_ssl_parse_supported_groups_ext", ret); 1504 return ret; 1505 } 1506 1507 break; 1508 #endif /* MBEDTLS_ECDH_C */ 1509 1510 #if defined(MBEDTLS_ECDH_C) 1511 case MBEDTLS_TLS_EXT_KEY_SHARE: 1512 MBEDTLS_SSL_DEBUG_MSG(3, ("found key share extension")); 1513 1514 /* 1515 * Key Share Extension 1516 * 1517 * When sent by the client, the "key_share" extension 1518 * contains the endpoint's cryptographic parameters for 1519 * ECDHE/DHE key establishment methods. 1520 */ 1521 ret = ssl_tls13_parse_key_shares_ext( 1522 ssl, p, extension_data_end); 1523 if (ret == SSL_TLS1_3_PARSE_KEY_SHARES_EXT_NO_MATCH) { 1524 MBEDTLS_SSL_DEBUG_MSG(2, ("HRR needed ")); 1525 hrr_required = 1; 1526 } 1527 1528 if (ret < 0) { 1529 MBEDTLS_SSL_DEBUG_RET( 1530 1, "ssl_tls13_parse_key_shares_ext", ret); 1531 return ret; 1532 } 1533 1534 break; 1535 #endif /* MBEDTLS_ECDH_C */ 1536 1537 case MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS: 1538 MBEDTLS_SSL_DEBUG_MSG(3, ("found supported versions extension")); 1539 1540 ret = ssl_tls13_parse_supported_versions_ext( 1541 ssl, p, extension_data_end); 1542 if (ret != 0) { 1543 MBEDTLS_SSL_DEBUG_RET(1, 1544 ("ssl_tls13_parse_supported_versions_ext"), ret); 1545 return ret; 1546 } 1547 break; 1548 1549 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED) 1550 case MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES: 1551 MBEDTLS_SSL_DEBUG_MSG(3, ("found psk key exchange modes extension")); 1552 1553 ret = ssl_tls13_parse_key_exchange_modes_ext( 1554 ssl, p, extension_data_end); 1555 if (ret != 0) { 1556 MBEDTLS_SSL_DEBUG_RET( 1557 1, "ssl_tls13_parse_key_exchange_modes_ext", ret); 1558 return ret; 1559 } 1560 1561 break; 1562 #endif 1563 1564 case MBEDTLS_TLS_EXT_PRE_SHARED_KEY: 1565 MBEDTLS_SSL_DEBUG_MSG(3, ("found pre_shared_key extension")); 1566 if ((handshake->received_extensions & 1567 MBEDTLS_SSL_EXT_MASK(PSK_KEY_EXCHANGE_MODES)) == 0) { 1568 MBEDTLS_SSL_PEND_FATAL_ALERT( 1569 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER, 1570 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER); 1571 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; 1572 } 1573 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED) 1574 /* Delay processing of the PSK identity once we have 1575 * found out which algorithms to use. We keep a pointer 1576 * to the buffer and the size for later processing. 1577 */ 1578 pre_shared_key_ext = p; 1579 pre_shared_key_ext_end = extension_data_end; 1580 #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */ 1581 break; 1582 1583 #if defined(MBEDTLS_SSL_ALPN) 1584 case MBEDTLS_TLS_EXT_ALPN: 1585 MBEDTLS_SSL_DEBUG_MSG(3, ("found alpn extension")); 1586 1587 ret = mbedtls_ssl_parse_alpn_ext(ssl, p, extension_data_end); 1588 if (ret != 0) { 1589 MBEDTLS_SSL_DEBUG_RET( 1590 1, ("mbedtls_ssl_parse_alpn_ext"), ret); 1591 return ret; 1592 } 1593 break; 1594 #endif /* MBEDTLS_SSL_ALPN */ 1595 1596 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED) 1597 case MBEDTLS_TLS_EXT_SIG_ALG: 1598 MBEDTLS_SSL_DEBUG_MSG(3, ("found signature_algorithms extension")); 1599 1600 ret = mbedtls_ssl_parse_sig_alg_ext( 1601 ssl, p, extension_data_end); 1602 if (ret != 0) { 1603 MBEDTLS_SSL_DEBUG_MSG(1, 1604 ( 1605 "ssl_parse_supported_signature_algorithms_server_ext ( %d )", 1606 ret)); 1607 return ret; 1608 } 1609 break; 1610 #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */ 1611 1612 #if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT) 1613 case MBEDTLS_TLS_EXT_RECORD_SIZE_LIMIT: 1614 MBEDTLS_SSL_DEBUG_MSG(3, ("found record_size_limit extension")); 1615 1616 ret = mbedtls_ssl_tls13_parse_record_size_limit_ext(ssl, p, extension_data_end); 1617 1618 /* TODO: Return unconditionally here until we handle the record size limit correctly. 1619 * Once handled correctly, only return in case of errors. */ 1620 return ret; 1621 1622 break; 1623 #endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */ 1624 1625 default: 1626 MBEDTLS_SSL_PRINT_EXT( 1627 3, MBEDTLS_SSL_HS_CLIENT_HELLO, 1628 extension_type, "( ignored )"); 1629 break; 1630 } 1631 1632 p += extension_data_len; 1633 } 1634 1635 MBEDTLS_SSL_PRINT_EXTS(3, MBEDTLS_SSL_HS_CLIENT_HELLO, 1636 handshake->received_extensions); 1637 1638 ret = mbedtls_ssl_add_hs_hdr_to_checksum(ssl, 1639 MBEDTLS_SSL_HS_CLIENT_HELLO, 1640 p - buf); 1641 if (0 != ret) { 1642 MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ssl_add_hs_hdr_to_checksum"), ret); 1643 return ret; 1644 } 1645 1646 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED) 1647 /* Update checksum with either 1648 * - The entire content of the CH message, if no PSK extension is present 1649 * - The content up to but excluding the PSK extension, if present. 1650 */ 1651 /* If we've settled on a PSK-based exchange, parse PSK identity ext */ 1652 if (mbedtls_ssl_tls13_some_psk_enabled(ssl) && 1653 mbedtls_ssl_conf_tls13_some_psk_enabled(ssl) && 1654 (handshake->received_extensions & MBEDTLS_SSL_EXT_MASK(PRE_SHARED_KEY))) { 1655 ret = handshake->update_checksum(ssl, buf, 1656 pre_shared_key_ext - buf); 1657 if (0 != ret) { 1658 MBEDTLS_SSL_DEBUG_RET(1, ("update_checksum"), ret); 1659 return ret; 1660 } 1661 ret = ssl_tls13_parse_pre_shared_key_ext(ssl, 1662 pre_shared_key_ext, 1663 pre_shared_key_ext_end, 1664 cipher_suites, 1665 cipher_suites_end); 1666 if (ret == MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY) { 1667 handshake->received_extensions &= ~MBEDTLS_SSL_EXT_MASK(PRE_SHARED_KEY); 1668 } else if (ret != 0) { 1669 MBEDTLS_SSL_DEBUG_RET( 1670 1, "ssl_tls13_parse_pre_shared_key_ext", ret); 1671 return ret; 1672 } 1673 } else 1674 #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */ 1675 { 1676 ret = handshake->update_checksum(ssl, buf, p - buf); 1677 if (0 != ret) { 1678 MBEDTLS_SSL_DEBUG_RET(1, ("update_checksum"), ret); 1679 return ret; 1680 } 1681 } 1682 1683 ret = ssl_tls13_determine_key_exchange_mode(ssl); 1684 if (ret < 0) { 1685 return ret; 1686 } 1687 1688 mbedtls_ssl_optimize_checksum(ssl, handshake->ciphersuite_info); 1689 1690 return hrr_required ? SSL_CLIENT_HELLO_HRR_REQUIRED : SSL_CLIENT_HELLO_OK; 1691 } 1692 1693 /* Update the handshake state machine */ 1694 1695 MBEDTLS_CHECK_RETURN_CRITICAL 1696 static int ssl_tls13_postprocess_client_hello(mbedtls_ssl_context *ssl) 1697 { 1698 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1699 1700 /* 1701 * Server certificate selection 1702 */ 1703 if (ssl->conf->f_cert_cb && (ret = ssl->conf->f_cert_cb(ssl)) != 0) { 1704 MBEDTLS_SSL_DEBUG_RET(1, "f_cert_cb", ret); 1705 return ret; 1706 } 1707 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 1708 ssl->handshake->sni_name = NULL; 1709 ssl->handshake->sni_name_len = 0; 1710 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ 1711 1712 ret = mbedtls_ssl_tls13_key_schedule_stage_early(ssl); 1713 if (ret != 0) { 1714 MBEDTLS_SSL_DEBUG_RET(1, 1715 "mbedtls_ssl_tls1_3_key_schedule_stage_early", ret); 1716 return ret; 1717 } 1718 1719 return 0; 1720 1721 } 1722 1723 /* 1724 * Main entry point from the state machine; orchestrates the otherfunctions. 1725 */ 1726 1727 MBEDTLS_CHECK_RETURN_CRITICAL 1728 static int ssl_tls13_process_client_hello(mbedtls_ssl_context *ssl) 1729 { 1730 1731 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1732 unsigned char *buf = NULL; 1733 size_t buflen = 0; 1734 int parse_client_hello_ret; 1735 1736 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse client hello")); 1737 1738 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_tls13_fetch_handshake_msg( 1739 ssl, MBEDTLS_SSL_HS_CLIENT_HELLO, 1740 &buf, &buflen)); 1741 1742 MBEDTLS_SSL_PROC_CHK_NEG(ssl_tls13_parse_client_hello(ssl, buf, 1743 buf + buflen)); 1744 parse_client_hello_ret = ret; /* Store return value of parse_client_hello, 1745 * only SSL_CLIENT_HELLO_OK or 1746 * SSL_CLIENT_HELLO_HRR_REQUIRED at this 1747 * stage as negative error codes are handled 1748 * by MBEDTLS_SSL_PROC_CHK_NEG. */ 1749 1750 MBEDTLS_SSL_PROC_CHK(ssl_tls13_postprocess_client_hello(ssl)); 1751 1752 if (parse_client_hello_ret == SSL_CLIENT_HELLO_OK) { 1753 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_HELLO); 1754 } else { 1755 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HELLO_RETRY_REQUEST); 1756 } 1757 1758 cleanup: 1759 1760 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse client hello")); 1761 return ret; 1762 } 1763 1764 /* 1765 * Handler for MBEDTLS_SSL_SERVER_HELLO 1766 */ 1767 MBEDTLS_CHECK_RETURN_CRITICAL 1768 static int ssl_tls13_prepare_server_hello(mbedtls_ssl_context *ssl) 1769 { 1770 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1771 unsigned char *server_randbytes = 1772 ssl->handshake->randbytes + MBEDTLS_CLIENT_HELLO_RANDOM_LEN; 1773 if (ssl->conf->f_rng == NULL) { 1774 MBEDTLS_SSL_DEBUG_MSG(1, ("no RNG provided")); 1775 return MBEDTLS_ERR_SSL_NO_RNG; 1776 } 1777 1778 if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, server_randbytes, 1779 MBEDTLS_SERVER_HELLO_RANDOM_LEN)) != 0) { 1780 MBEDTLS_SSL_DEBUG_RET(1, "f_rng", ret); 1781 return ret; 1782 } 1783 1784 MBEDTLS_SSL_DEBUG_BUF(3, "server hello, random bytes", server_randbytes, 1785 MBEDTLS_SERVER_HELLO_RANDOM_LEN); 1786 1787 #if defined(MBEDTLS_HAVE_TIME) 1788 ssl->session_negotiate->start = time(NULL); 1789 #endif /* MBEDTLS_HAVE_TIME */ 1790 1791 return ret; 1792 } 1793 1794 /* 1795 * ssl_tls13_write_server_hello_supported_versions_ext (): 1796 * 1797 * struct { 1798 * ProtocolVersion selected_version; 1799 * } SupportedVersions; 1800 */ 1801 MBEDTLS_CHECK_RETURN_CRITICAL 1802 static int ssl_tls13_write_server_hello_supported_versions_ext( 1803 mbedtls_ssl_context *ssl, 1804 unsigned char *buf, 1805 unsigned char *end, 1806 size_t *out_len) 1807 { 1808 *out_len = 0; 1809 1810 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, write selected version")); 1811 1812 /* Check if we have space to write the extension: 1813 * - extension_type (2 bytes) 1814 * - extension_data_length (2 bytes) 1815 * - selected_version (2 bytes) 1816 */ 1817 MBEDTLS_SSL_CHK_BUF_PTR(buf, end, 6); 1818 1819 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS, buf, 0); 1820 1821 MBEDTLS_PUT_UINT16_BE(2, buf, 2); 1822 1823 mbedtls_ssl_write_version(buf + 4, 1824 ssl->conf->transport, 1825 ssl->tls_version); 1826 1827 MBEDTLS_SSL_DEBUG_MSG(3, ("supported version: [%04x]", 1828 ssl->tls_version)); 1829 1830 *out_len = 6; 1831 1832 mbedtls_ssl_tls13_set_hs_sent_ext_mask( 1833 ssl, MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS); 1834 1835 return 0; 1836 } 1837 1838 1839 1840 /* Generate and export a single key share. For hybrid KEMs, this can 1841 * be called multiple times with the different components of the hybrid. */ 1842 MBEDTLS_CHECK_RETURN_CRITICAL 1843 static int ssl_tls13_generate_and_write_key_share(mbedtls_ssl_context *ssl, 1844 uint16_t named_group, 1845 unsigned char *buf, 1846 unsigned char *end, 1847 size_t *out_len) 1848 { 1849 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1850 1851 *out_len = 0; 1852 1853 #if defined(MBEDTLS_ECDH_C) 1854 if (mbedtls_ssl_tls13_named_group_is_ecdhe(named_group)) { 1855 ret = mbedtls_ssl_tls13_generate_and_write_ecdh_key_exchange( 1856 ssl, named_group, buf, end, out_len); 1857 if (ret != 0) { 1858 MBEDTLS_SSL_DEBUG_RET( 1859 1, "mbedtls_ssl_tls13_generate_and_write_ecdh_key_exchange", 1860 ret); 1861 return ret; 1862 } 1863 } else 1864 #endif /* MBEDTLS_ECDH_C */ 1865 if (0 /* Other kinds of KEMs */) { 1866 } else { 1867 ((void) ssl); 1868 ((void) named_group); 1869 ((void) buf); 1870 ((void) end); 1871 ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR; 1872 } 1873 1874 return ret; 1875 } 1876 1877 /* 1878 * ssl_tls13_write_key_share_ext 1879 * 1880 * Structure of key_share extension in ServerHello: 1881 * 1882 * struct { 1883 * NamedGroup group; 1884 * opaque key_exchange<1..2^16-1>; 1885 * } KeyShareEntry; 1886 * struct { 1887 * KeyShareEntry server_share; 1888 * } KeyShareServerHello; 1889 */ 1890 MBEDTLS_CHECK_RETURN_CRITICAL 1891 static int ssl_tls13_write_key_share_ext(mbedtls_ssl_context *ssl, 1892 unsigned char *buf, 1893 unsigned char *end, 1894 size_t *out_len) 1895 { 1896 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1897 unsigned char *p = buf; 1898 uint16_t group = ssl->handshake->offered_group_id; 1899 unsigned char *server_share = buf + 4; 1900 size_t key_exchange_length; 1901 1902 *out_len = 0; 1903 1904 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding key share extension")); 1905 1906 MBEDTLS_SSL_DEBUG_MSG(2, ("server hello, write selected_group: %s (%04x)", 1907 mbedtls_ssl_named_group_to_str(group), 1908 group)); 1909 1910 /* Check if we have space for header and length fields: 1911 * - extension_type (2 bytes) 1912 * - extension_data_length (2 bytes) 1913 * - group (2 bytes) 1914 * - key_exchange_length (2 bytes) 1915 */ 1916 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 8); 1917 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_KEY_SHARE, p, 0); 1918 MBEDTLS_PUT_UINT16_BE(group, server_share, 0); 1919 p += 8; 1920 1921 /* When we introduce PQC-ECDHE hybrids, we'll want to call this 1922 * function multiple times. */ 1923 ret = ssl_tls13_generate_and_write_key_share( 1924 ssl, group, server_share + 4, end, &key_exchange_length); 1925 if (ret != 0) { 1926 return ret; 1927 } 1928 p += key_exchange_length; 1929 1930 MBEDTLS_PUT_UINT16_BE(key_exchange_length, server_share + 2, 0); 1931 1932 MBEDTLS_PUT_UINT16_BE(p - server_share, buf, 2); 1933 1934 *out_len = p - buf; 1935 1936 mbedtls_ssl_tls13_set_hs_sent_ext_mask(ssl, MBEDTLS_TLS_EXT_KEY_SHARE); 1937 1938 return 0; 1939 } 1940 1941 MBEDTLS_CHECK_RETURN_CRITICAL 1942 static int ssl_tls13_write_hrr_key_share_ext(mbedtls_ssl_context *ssl, 1943 unsigned char *buf, 1944 unsigned char *end, 1945 size_t *out_len) 1946 { 1947 uint16_t selected_group = ssl->handshake->hrr_selected_group; 1948 /* key_share Extension 1949 * 1950 * struct { 1951 * select (Handshake.msg_type) { 1952 * ... 1953 * case hello_retry_request: 1954 * NamedGroup selected_group; 1955 * ... 1956 * }; 1957 * } KeyShare; 1958 */ 1959 1960 *out_len = 0; 1961 1962 /* 1963 * For a pure PSK key exchange, there is no group to agree upon. The purpose 1964 * of the HRR is then to transmit a cookie to force the client to demonstrate 1965 * reachability at their apparent network address (primarily useful for DTLS). 1966 */ 1967 if (!mbedtls_ssl_tls13_key_exchange_mode_with_ephemeral(ssl)) { 1968 return 0; 1969 } 1970 1971 /* We should only send the key_share extension if the client's initial 1972 * key share was not acceptable. */ 1973 if (ssl->handshake->offered_group_id != 0) { 1974 MBEDTLS_SSL_DEBUG_MSG(4, ("Skip key_share extension in HRR")); 1975 return 0; 1976 } 1977 1978 if (selected_group == 0) { 1979 MBEDTLS_SSL_DEBUG_MSG(1, ("no matching named group found")); 1980 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; 1981 } 1982 1983 /* Check if we have enough space: 1984 * - extension_type (2 bytes) 1985 * - extension_data_length (2 bytes) 1986 * - selected_group (2 bytes) 1987 */ 1988 MBEDTLS_SSL_CHK_BUF_PTR(buf, end, 6); 1989 1990 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_KEY_SHARE, buf, 0); 1991 MBEDTLS_PUT_UINT16_BE(2, buf, 2); 1992 MBEDTLS_PUT_UINT16_BE(selected_group, buf, 4); 1993 1994 MBEDTLS_SSL_DEBUG_MSG(3, 1995 ("HRR selected_group: %s (%x)", 1996 mbedtls_ssl_named_group_to_str(selected_group), 1997 selected_group)); 1998 1999 *out_len = 6; 2000 2001 mbedtls_ssl_tls13_set_hs_sent_ext_mask(ssl, MBEDTLS_TLS_EXT_KEY_SHARE); 2002 2003 return 0; 2004 } 2005 2006 /* 2007 * Structure of ServerHello message: 2008 * 2009 * struct { 2010 * ProtocolVersion legacy_version = 0x0303; // TLS v1.2 2011 * Random random; 2012 * opaque legacy_session_id_echo<0..32>; 2013 * CipherSuite cipher_suite; 2014 * uint8 legacy_compression_method = 0; 2015 * Extension extensions<6..2^16-1>; 2016 * } ServerHello; 2017 */ 2018 MBEDTLS_CHECK_RETURN_CRITICAL 2019 static int ssl_tls13_write_server_hello_body(mbedtls_ssl_context *ssl, 2020 unsigned char *buf, 2021 unsigned char *end, 2022 size_t *out_len, 2023 int is_hrr) 2024 { 2025 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 2026 unsigned char *p = buf; 2027 unsigned char *p_extensions_len; 2028 size_t output_len; 2029 2030 *out_len = 0; 2031 ssl->handshake->sent_extensions = MBEDTLS_SSL_EXT_MASK_NONE; 2032 2033 /* ... 2034 * ProtocolVersion legacy_version = 0x0303; // TLS 1.2 2035 * ... 2036 * with ProtocolVersion defined as: 2037 * uint16 ProtocolVersion; 2038 */ 2039 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2); 2040 MBEDTLS_PUT_UINT16_BE(0x0303, p, 0); 2041 p += 2; 2042 2043 /* ... 2044 * Random random; 2045 * ... 2046 * with Random defined as: 2047 * opaque Random[MBEDTLS_SERVER_HELLO_RANDOM_LEN]; 2048 */ 2049 MBEDTLS_SSL_CHK_BUF_PTR(p, end, MBEDTLS_SERVER_HELLO_RANDOM_LEN); 2050 if (is_hrr) { 2051 memcpy(p, mbedtls_ssl_tls13_hello_retry_request_magic, 2052 MBEDTLS_SERVER_HELLO_RANDOM_LEN); 2053 } else { 2054 memcpy(p, &ssl->handshake->randbytes[MBEDTLS_CLIENT_HELLO_RANDOM_LEN], 2055 MBEDTLS_SERVER_HELLO_RANDOM_LEN); 2056 } 2057 MBEDTLS_SSL_DEBUG_BUF(3, "server hello, random bytes", 2058 p, MBEDTLS_SERVER_HELLO_RANDOM_LEN); 2059 p += MBEDTLS_SERVER_HELLO_RANDOM_LEN; 2060 2061 /* ... 2062 * opaque legacy_session_id_echo<0..32>; 2063 * ... 2064 */ 2065 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 1 + ssl->session_negotiate->id_len); 2066 *p++ = (unsigned char) ssl->session_negotiate->id_len; 2067 if (ssl->session_negotiate->id_len > 0) { 2068 memcpy(p, &ssl->session_negotiate->id[0], 2069 ssl->session_negotiate->id_len); 2070 p += ssl->session_negotiate->id_len; 2071 2072 MBEDTLS_SSL_DEBUG_BUF(3, "session id", ssl->session_negotiate->id, 2073 ssl->session_negotiate->id_len); 2074 } 2075 2076 /* ... 2077 * CipherSuite cipher_suite; 2078 * ... 2079 * with CipherSuite defined as: 2080 * uint8 CipherSuite[2]; 2081 */ 2082 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2); 2083 MBEDTLS_PUT_UINT16_BE(ssl->session_negotiate->ciphersuite, p, 0); 2084 p += 2; 2085 MBEDTLS_SSL_DEBUG_MSG(3, 2086 ("server hello, chosen ciphersuite: %s ( id=%d )", 2087 mbedtls_ssl_get_ciphersuite_name( 2088 ssl->session_negotiate->ciphersuite), 2089 ssl->session_negotiate->ciphersuite)); 2090 2091 /* ... 2092 * uint8 legacy_compression_method = 0; 2093 * ... 2094 */ 2095 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 1); 2096 *p++ = MBEDTLS_SSL_COMPRESS_NULL; 2097 2098 /* ... 2099 * Extension extensions<6..2^16-1>; 2100 * ... 2101 * struct { 2102 * ExtensionType extension_type; (2 bytes) 2103 * opaque extension_data<0..2^16-1>; 2104 * } Extension; 2105 */ 2106 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2); 2107 p_extensions_len = p; 2108 p += 2; 2109 2110 if ((ret = ssl_tls13_write_server_hello_supported_versions_ext( 2111 ssl, p, end, &output_len)) != 0) { 2112 MBEDTLS_SSL_DEBUG_RET( 2113 1, "ssl_tls13_write_server_hello_supported_versions_ext", ret); 2114 return ret; 2115 } 2116 p += output_len; 2117 2118 if (mbedtls_ssl_tls13_key_exchange_mode_with_ephemeral(ssl)) { 2119 if (is_hrr) { 2120 ret = ssl_tls13_write_hrr_key_share_ext(ssl, p, end, &output_len); 2121 } else { 2122 ret = ssl_tls13_write_key_share_ext(ssl, p, end, &output_len); 2123 } 2124 if (ret != 0) { 2125 return ret; 2126 } 2127 p += output_len; 2128 } 2129 2130 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED) 2131 if (!is_hrr && mbedtls_ssl_tls13_key_exchange_mode_with_psk(ssl)) { 2132 ret = ssl_tls13_write_server_pre_shared_key_ext(ssl, p, end, &output_len); 2133 if (ret != 0) { 2134 MBEDTLS_SSL_DEBUG_RET(1, "ssl_tls13_write_server_pre_shared_key_ext", 2135 ret); 2136 return ret; 2137 } 2138 p += output_len; 2139 } 2140 #endif 2141 2142 MBEDTLS_PUT_UINT16_BE(p - p_extensions_len - 2, p_extensions_len, 0); 2143 2144 MBEDTLS_SSL_DEBUG_BUF(4, "server hello extensions", 2145 p_extensions_len, p - p_extensions_len); 2146 2147 *out_len = p - buf; 2148 2149 MBEDTLS_SSL_DEBUG_BUF(3, "server hello", buf, *out_len); 2150 2151 MBEDTLS_SSL_PRINT_EXTS( 2152 3, is_hrr ? MBEDTLS_SSL_TLS1_3_HS_HELLO_RETRY_REQUEST : 2153 MBEDTLS_SSL_HS_SERVER_HELLO, 2154 ssl->handshake->sent_extensions); 2155 2156 return ret; 2157 } 2158 2159 MBEDTLS_CHECK_RETURN_CRITICAL 2160 static int ssl_tls13_finalize_server_hello(mbedtls_ssl_context *ssl) 2161 { 2162 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 2163 ret = mbedtls_ssl_tls13_compute_handshake_transform(ssl); 2164 if (ret != 0) { 2165 MBEDTLS_SSL_DEBUG_RET(1, 2166 "mbedtls_ssl_tls13_compute_handshake_transform", 2167 ret); 2168 return ret; 2169 } 2170 2171 return ret; 2172 } 2173 2174 MBEDTLS_CHECK_RETURN_CRITICAL 2175 static int ssl_tls13_write_server_hello(mbedtls_ssl_context *ssl) 2176 { 2177 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 2178 unsigned char *buf; 2179 size_t buf_len, msg_len; 2180 2181 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write server hello")); 2182 2183 MBEDTLS_SSL_PROC_CHK(ssl_tls13_prepare_server_hello(ssl)); 2184 2185 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_start_handshake_msg(ssl, 2186 MBEDTLS_SSL_HS_SERVER_HELLO, &buf, 2187 &buf_len)); 2188 2189 MBEDTLS_SSL_PROC_CHK(ssl_tls13_write_server_hello_body(ssl, buf, 2190 buf + buf_len, 2191 &msg_len, 2192 0)); 2193 2194 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum( 2195 ssl, MBEDTLS_SSL_HS_SERVER_HELLO, buf, msg_len)); 2196 2197 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_finish_handshake_msg( 2198 ssl, buf_len, msg_len)); 2199 2200 MBEDTLS_SSL_PROC_CHK(ssl_tls13_finalize_server_hello(ssl)); 2201 2202 #if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE) 2203 /* The server sends a dummy change_cipher_spec record immediately 2204 * after its first handshake message. This may either be after 2205 * a ServerHello or a HelloRetryRequest. 2206 */ 2207 mbedtls_ssl_handshake_set_state( 2208 ssl, MBEDTLS_SSL_SERVER_CCS_AFTER_SERVER_HELLO); 2209 #else 2210 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_ENCRYPTED_EXTENSIONS); 2211 #endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */ 2212 2213 cleanup: 2214 2215 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write server hello")); 2216 return ret; 2217 } 2218 2219 2220 /* 2221 * Handler for MBEDTLS_SSL_HELLO_RETRY_REQUEST 2222 */ 2223 MBEDTLS_CHECK_RETURN_CRITICAL 2224 static int ssl_tls13_prepare_hello_retry_request(mbedtls_ssl_context *ssl) 2225 { 2226 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 2227 if (ssl->handshake->hello_retry_request_count > 0) { 2228 MBEDTLS_SSL_DEBUG_MSG(1, ("Too many HRRs")); 2229 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE, 2230 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE); 2231 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; 2232 } 2233 2234 /* 2235 * Create stateless transcript hash for HRR 2236 */ 2237 MBEDTLS_SSL_DEBUG_MSG(4, ("Reset transcript for HRR")); 2238 ret = mbedtls_ssl_reset_transcript_for_hrr(ssl); 2239 if (ret != 0) { 2240 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_reset_transcript_for_hrr", ret); 2241 return ret; 2242 } 2243 mbedtls_ssl_session_reset_msg_layer(ssl, 0); 2244 2245 return 0; 2246 } 2247 2248 MBEDTLS_CHECK_RETURN_CRITICAL 2249 static int ssl_tls13_write_hello_retry_request(mbedtls_ssl_context *ssl) 2250 { 2251 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 2252 unsigned char *buf; 2253 size_t buf_len, msg_len; 2254 2255 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write hello retry request")); 2256 2257 MBEDTLS_SSL_PROC_CHK(ssl_tls13_prepare_hello_retry_request(ssl)); 2258 2259 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_start_handshake_msg( 2260 ssl, MBEDTLS_SSL_HS_SERVER_HELLO, 2261 &buf, &buf_len)); 2262 2263 MBEDTLS_SSL_PROC_CHK(ssl_tls13_write_server_hello_body(ssl, buf, 2264 buf + buf_len, 2265 &msg_len, 2266 1)); 2267 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum( 2268 ssl, MBEDTLS_SSL_HS_SERVER_HELLO, buf, msg_len)); 2269 2270 2271 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_finish_handshake_msg(ssl, buf_len, 2272 msg_len)); 2273 2274 ssl->handshake->hello_retry_request_count++; 2275 2276 #if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE) 2277 /* The server sends a dummy change_cipher_spec record immediately 2278 * after its first handshake message. This may either be after 2279 * a ServerHello or a HelloRetryRequest. 2280 */ 2281 mbedtls_ssl_handshake_set_state( 2282 ssl, MBEDTLS_SSL_SERVER_CCS_AFTER_HELLO_RETRY_REQUEST); 2283 #else 2284 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_HELLO); 2285 #endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */ 2286 2287 cleanup: 2288 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write hello retry request")); 2289 return ret; 2290 } 2291 2292 /* 2293 * Handler for MBEDTLS_SSL_ENCRYPTED_EXTENSIONS 2294 */ 2295 2296 /* 2297 * struct { 2298 * Extension extensions<0..2 ^ 16 - 1>; 2299 * } EncryptedExtensions; 2300 * 2301 */ 2302 MBEDTLS_CHECK_RETURN_CRITICAL 2303 static int ssl_tls13_write_encrypted_extensions_body(mbedtls_ssl_context *ssl, 2304 unsigned char *buf, 2305 unsigned char *end, 2306 size_t *out_len) 2307 { 2308 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 2309 unsigned char *p = buf; 2310 size_t extensions_len = 0; 2311 unsigned char *p_extensions_len; 2312 size_t output_len; 2313 2314 *out_len = 0; 2315 2316 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2); 2317 p_extensions_len = p; 2318 p += 2; 2319 2320 ((void) ssl); 2321 ((void) ret); 2322 ((void) output_len); 2323 2324 #if defined(MBEDTLS_SSL_ALPN) 2325 ret = mbedtls_ssl_write_alpn_ext(ssl, p, end, &output_len); 2326 if (ret != 0) { 2327 return ret; 2328 } 2329 p += output_len; 2330 #endif /* MBEDTLS_SSL_ALPN */ 2331 2332 extensions_len = (p - p_extensions_len) - 2; 2333 MBEDTLS_PUT_UINT16_BE(extensions_len, p_extensions_len, 0); 2334 2335 *out_len = p - buf; 2336 2337 MBEDTLS_SSL_DEBUG_BUF(4, "encrypted extensions", buf, *out_len); 2338 2339 MBEDTLS_SSL_PRINT_EXTS( 2340 3, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS, ssl->handshake->sent_extensions); 2341 2342 return 0; 2343 } 2344 2345 MBEDTLS_CHECK_RETURN_CRITICAL 2346 static int ssl_tls13_write_encrypted_extensions(mbedtls_ssl_context *ssl) 2347 { 2348 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 2349 unsigned char *buf; 2350 size_t buf_len, msg_len; 2351 2352 mbedtls_ssl_set_outbound_transform(ssl, 2353 ssl->handshake->transform_handshake); 2354 MBEDTLS_SSL_DEBUG_MSG( 2355 3, ("switching to handshake transform for outbound data")); 2356 2357 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write encrypted extensions")); 2358 2359 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_start_handshake_msg(ssl, 2360 MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS, &buf, 2361 &buf_len)); 2362 2363 MBEDTLS_SSL_PROC_CHK(ssl_tls13_write_encrypted_extensions_body( 2364 ssl, buf, buf + buf_len, &msg_len)); 2365 2366 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum( 2367 ssl, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS, buf, msg_len)); 2368 2369 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_finish_handshake_msg( 2370 ssl, buf_len, msg_len)); 2371 2372 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED) 2373 if (mbedtls_ssl_tls13_key_exchange_mode_with_psk(ssl)) { 2374 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_FINISHED); 2375 } else { 2376 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CERTIFICATE_REQUEST); 2377 } 2378 #else 2379 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_FINISHED); 2380 #endif 2381 2382 cleanup: 2383 2384 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write encrypted extensions")); 2385 return ret; 2386 } 2387 2388 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED) 2389 #define SSL_CERTIFICATE_REQUEST_SEND_REQUEST 0 2390 #define SSL_CERTIFICATE_REQUEST_SKIP 1 2391 /* Coordination: 2392 * Check whether a CertificateRequest message should be written. 2393 * Returns a negative code on failure, or 2394 * - SSL_CERTIFICATE_REQUEST_SEND_REQUEST 2395 * - SSL_CERTIFICATE_REQUEST_SKIP 2396 * indicating if the writing of the CertificateRequest 2397 * should be skipped or not. 2398 */ 2399 MBEDTLS_CHECK_RETURN_CRITICAL 2400 static int ssl_tls13_certificate_request_coordinate(mbedtls_ssl_context *ssl) 2401 { 2402 int authmode; 2403 2404 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 2405 if (ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET) { 2406 authmode = ssl->handshake->sni_authmode; 2407 } else 2408 #endif 2409 authmode = ssl->conf->authmode; 2410 2411 if (authmode == MBEDTLS_SSL_VERIFY_NONE) { 2412 ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_SKIP_VERIFY; 2413 return SSL_CERTIFICATE_REQUEST_SKIP; 2414 } 2415 2416 ssl->handshake->certificate_request_sent = 1; 2417 2418 return SSL_CERTIFICATE_REQUEST_SEND_REQUEST; 2419 } 2420 2421 /* 2422 * struct { 2423 * opaque certificate_request_context<0..2^8-1>; 2424 * Extension extensions<2..2^16-1>; 2425 * } CertificateRequest; 2426 * 2427 */ 2428 MBEDTLS_CHECK_RETURN_CRITICAL 2429 static int ssl_tls13_write_certificate_request_body(mbedtls_ssl_context *ssl, 2430 unsigned char *buf, 2431 const unsigned char *end, 2432 size_t *out_len) 2433 { 2434 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 2435 unsigned char *p = buf; 2436 size_t output_len = 0; 2437 unsigned char *p_extensions_len; 2438 2439 *out_len = 0; 2440 2441 /* Check if we have enough space: 2442 * - certificate_request_context (1 byte) 2443 * - extensions length (2 bytes) 2444 */ 2445 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 3); 2446 2447 /* 2448 * Write certificate_request_context 2449 */ 2450 /* 2451 * We use a zero length context for the normal handshake 2452 * messages. For post-authentication handshake messages 2453 * this request context would be set to a non-zero value. 2454 */ 2455 *p++ = 0x0; 2456 2457 /* 2458 * Write extensions 2459 */ 2460 /* The extensions must contain the signature_algorithms. */ 2461 p_extensions_len = p; 2462 p += 2; 2463 ret = mbedtls_ssl_write_sig_alg_ext(ssl, p, end, &output_len); 2464 if (ret != 0) { 2465 return ret; 2466 } 2467 2468 p += output_len; 2469 MBEDTLS_PUT_UINT16_BE(p - p_extensions_len - 2, p_extensions_len, 0); 2470 2471 *out_len = p - buf; 2472 2473 MBEDTLS_SSL_PRINT_EXTS( 2474 3, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST, ssl->handshake->sent_extensions); 2475 2476 return 0; 2477 } 2478 2479 MBEDTLS_CHECK_RETURN_CRITICAL 2480 static int ssl_tls13_write_certificate_request(mbedtls_ssl_context *ssl) 2481 { 2482 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 2483 2484 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate request")); 2485 2486 MBEDTLS_SSL_PROC_CHK_NEG(ssl_tls13_certificate_request_coordinate(ssl)); 2487 2488 if (ret == SSL_CERTIFICATE_REQUEST_SEND_REQUEST) { 2489 unsigned char *buf; 2490 size_t buf_len, msg_len; 2491 2492 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_start_handshake_msg(ssl, 2493 MBEDTLS_SSL_HS_CERTIFICATE_REQUEST, 2494 &buf, &buf_len)); 2495 2496 MBEDTLS_SSL_PROC_CHK(ssl_tls13_write_certificate_request_body( 2497 ssl, buf, buf + buf_len, &msg_len)); 2498 2499 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum( 2500 ssl, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST, buf, msg_len)); 2501 2502 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_finish_handshake_msg( 2503 ssl, buf_len, msg_len)); 2504 } else if (ret == SSL_CERTIFICATE_REQUEST_SKIP) { 2505 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate request")); 2506 ret = 0; 2507 } else { 2508 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); 2509 ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR; 2510 goto cleanup; 2511 } 2512 2513 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_CERTIFICATE); 2514 cleanup: 2515 2516 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write certificate request")); 2517 return ret; 2518 } 2519 2520 /* 2521 * Handler for MBEDTLS_SSL_SERVER_CERTIFICATE 2522 */ 2523 MBEDTLS_CHECK_RETURN_CRITICAL 2524 static int ssl_tls13_write_server_certificate(mbedtls_ssl_context *ssl) 2525 { 2526 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 2527 2528 #if defined(MBEDTLS_X509_CRT_PARSE_C) 2529 if ((ssl_tls13_pick_key_cert(ssl) != 0) || 2530 mbedtls_ssl_own_cert(ssl) == NULL) { 2531 MBEDTLS_SSL_DEBUG_MSG(2, ("No certificate available.")); 2532 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE, 2533 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE); 2534 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; 2535 } 2536 #endif /* MBEDTLS_X509_CRT_PARSE_C */ 2537 2538 ret = mbedtls_ssl_tls13_write_certificate(ssl); 2539 if (ret != 0) { 2540 return ret; 2541 } 2542 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CERTIFICATE_VERIFY); 2543 return 0; 2544 } 2545 2546 /* 2547 * Handler for MBEDTLS_SSL_CERTIFICATE_VERIFY 2548 */ 2549 MBEDTLS_CHECK_RETURN_CRITICAL 2550 static int ssl_tls13_write_certificate_verify(mbedtls_ssl_context *ssl) 2551 { 2552 int ret = mbedtls_ssl_tls13_write_certificate_verify(ssl); 2553 if (ret != 0) { 2554 return ret; 2555 } 2556 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_FINISHED); 2557 return 0; 2558 } 2559 #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */ 2560 2561 /* 2562 * Handler for MBEDTLS_SSL_SERVER_FINISHED 2563 */ 2564 MBEDTLS_CHECK_RETURN_CRITICAL 2565 static int ssl_tls13_write_server_finished(mbedtls_ssl_context *ssl) 2566 { 2567 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 2568 2569 ret = mbedtls_ssl_tls13_write_finished_message(ssl); 2570 if (ret != 0) { 2571 return ret; 2572 } 2573 2574 ret = mbedtls_ssl_tls13_compute_application_transform(ssl); 2575 if (ret != 0) { 2576 MBEDTLS_SSL_PEND_FATAL_ALERT( 2577 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE, 2578 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE); 2579 return ret; 2580 } 2581 2582 MBEDTLS_SSL_DEBUG_MSG(1, ("Switch to handshake keys for inbound traffic")); 2583 mbedtls_ssl_set_inbound_transform(ssl, ssl->handshake->transform_handshake); 2584 2585 if (ssl->handshake->certificate_request_sent) { 2586 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE); 2587 } else { 2588 MBEDTLS_SSL_DEBUG_MSG(2, ("skip parse certificate")); 2589 MBEDTLS_SSL_DEBUG_MSG(2, ("skip parse certificate verify")); 2590 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_FINISHED); 2591 } 2592 2593 return 0; 2594 } 2595 2596 /* 2597 * Handler for MBEDTLS_SSL_CLIENT_FINISHED 2598 */ 2599 MBEDTLS_CHECK_RETURN_CRITICAL 2600 static int ssl_tls13_process_client_finished(mbedtls_ssl_context *ssl) 2601 { 2602 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 2603 2604 ret = mbedtls_ssl_tls13_process_finished_message(ssl); 2605 if (ret != 0) { 2606 return ret; 2607 } 2608 2609 ret = mbedtls_ssl_tls13_compute_resumption_master_secret(ssl); 2610 if (ret != 0) { 2611 MBEDTLS_SSL_DEBUG_RET(1, 2612 "mbedtls_ssl_tls13_compute_resumption_master_secret", ret); 2613 } 2614 2615 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_WRAPUP); 2616 return 0; 2617 } 2618 2619 /* 2620 * Handler for MBEDTLS_SSL_HANDSHAKE_WRAPUP 2621 */ 2622 MBEDTLS_CHECK_RETURN_CRITICAL 2623 static int ssl_tls13_handshake_wrapup(mbedtls_ssl_context *ssl) 2624 { 2625 MBEDTLS_SSL_DEBUG_MSG(2, ("handshake: done")); 2626 2627 mbedtls_ssl_tls13_handshake_wrapup(ssl); 2628 2629 #if defined(MBEDTLS_SSL_SESSION_TICKETS) && \ 2630 defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED) 2631 /* TODO: Remove the check of SOME_PSK_ENABLED since SESSION_TICKETS requires 2632 * SOME_PSK_ENABLED to be enabled. Here is just to make CI happy. It is 2633 * expected to be resolved with issue#6395. 2634 */ 2635 /* Sent NewSessionTicket message only when client supports PSK */ 2636 if (mbedtls_ssl_tls13_some_psk_enabled(ssl)) { 2637 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET); 2638 } else 2639 #endif 2640 { 2641 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_OVER); 2642 } 2643 return 0; 2644 } 2645 2646 /* 2647 * Handler for MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET 2648 */ 2649 #define SSL_NEW_SESSION_TICKET_SKIP 0 2650 #define SSL_NEW_SESSION_TICKET_WRITE 1 2651 MBEDTLS_CHECK_RETURN_CRITICAL 2652 static int ssl_tls13_write_new_session_ticket_coordinate(mbedtls_ssl_context *ssl) 2653 { 2654 /* Check whether the use of session tickets is enabled */ 2655 if (ssl->conf->f_ticket_write == NULL) { 2656 MBEDTLS_SSL_DEBUG_MSG(2, ("NewSessionTicket: disabled," 2657 " callback is not set")); 2658 return SSL_NEW_SESSION_TICKET_SKIP; 2659 } 2660 if (ssl->conf->new_session_tickets_count == 0) { 2661 MBEDTLS_SSL_DEBUG_MSG(2, ("NewSessionTicket: disabled," 2662 " configured count is zero")); 2663 return SSL_NEW_SESSION_TICKET_SKIP; 2664 } 2665 2666 if (ssl->handshake->new_session_tickets_count == 0) { 2667 MBEDTLS_SSL_DEBUG_MSG(2, ("NewSessionTicket: all tickets have " 2668 "been sent.")); 2669 return SSL_NEW_SESSION_TICKET_SKIP; 2670 } 2671 2672 return SSL_NEW_SESSION_TICKET_WRITE; 2673 } 2674 2675 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 2676 MBEDTLS_CHECK_RETURN_CRITICAL 2677 static int ssl_tls13_prepare_new_session_ticket(mbedtls_ssl_context *ssl, 2678 unsigned char *ticket_nonce, 2679 size_t ticket_nonce_size) 2680 { 2681 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 2682 mbedtls_ssl_session *session = ssl->session; 2683 mbedtls_ssl_ciphersuite_t *ciphersuite_info; 2684 psa_algorithm_t psa_hash_alg; 2685 int hash_length; 2686 2687 MBEDTLS_SSL_DEBUG_MSG(2, ("=> prepare NewSessionTicket msg")); 2688 2689 #if defined(MBEDTLS_HAVE_TIME) 2690 session->start = mbedtls_time(NULL); 2691 #endif 2692 2693 /* Set ticket_flags depends on the advertised psk key exchange mode */ 2694 mbedtls_ssl_session_clear_ticket_flags( 2695 session, MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK); 2696 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED) 2697 mbedtls_ssl_session_set_ticket_flags( 2698 session, ssl->handshake->tls13_kex_modes); 2699 #endif 2700 MBEDTLS_SSL_PRINT_TICKET_FLAGS(4, session->ticket_flags); 2701 2702 /* Generate ticket_age_add */ 2703 if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, 2704 (unsigned char *) &session->ticket_age_add, 2705 sizeof(session->ticket_age_add)) != 0)) { 2706 MBEDTLS_SSL_DEBUG_RET(1, "generate_ticket_age_add", ret); 2707 return ret; 2708 } 2709 MBEDTLS_SSL_DEBUG_MSG(3, ("ticket_age_add: %u", 2710 (unsigned int) session->ticket_age_add)); 2711 2712 /* Generate ticket_nonce */ 2713 ret = ssl->conf->f_rng(ssl->conf->p_rng, ticket_nonce, ticket_nonce_size); 2714 if (ret != 0) { 2715 MBEDTLS_SSL_DEBUG_RET(1, "generate_ticket_nonce", ret); 2716 return ret; 2717 } 2718 MBEDTLS_SSL_DEBUG_BUF(3, "ticket_nonce:", 2719 ticket_nonce, ticket_nonce_size); 2720 2721 ciphersuite_info = 2722 (mbedtls_ssl_ciphersuite_t *) ssl->handshake->ciphersuite_info; 2723 psa_hash_alg = mbedtls_psa_translate_md(ciphersuite_info->mac); 2724 hash_length = PSA_HASH_LENGTH(psa_hash_alg); 2725 if (hash_length == -1 || 2726 (size_t) hash_length > sizeof(session->resumption_key)) { 2727 return MBEDTLS_ERR_SSL_INTERNAL_ERROR; 2728 } 2729 2730 /* In this code the psk key length equals the length of the hash */ 2731 session->resumption_key_len = hash_length; 2732 session->ciphersuite = ciphersuite_info->id; 2733 2734 /* Compute resumption key 2735 * 2736 * HKDF-Expand-Label( resumption_master_secret, 2737 * "resumption", ticket_nonce, Hash.length ) 2738 */ 2739 ret = mbedtls_ssl_tls13_hkdf_expand_label( 2740 psa_hash_alg, 2741 session->app_secrets.resumption_master_secret, 2742 hash_length, 2743 MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(resumption), 2744 ticket_nonce, 2745 ticket_nonce_size, 2746 session->resumption_key, 2747 hash_length); 2748 2749 if (ret != 0) { 2750 MBEDTLS_SSL_DEBUG_RET(2, 2751 "Creating the ticket-resumed PSK failed", 2752 ret); 2753 return ret; 2754 } 2755 MBEDTLS_SSL_DEBUG_BUF(3, "Ticket-resumed PSK", 2756 session->resumption_key, 2757 session->resumption_key_len); 2758 2759 MBEDTLS_SSL_DEBUG_BUF(3, "resumption_master_secret", 2760 session->app_secrets.resumption_master_secret, 2761 hash_length); 2762 2763 return 0; 2764 } 2765 2766 /* This function creates a NewSessionTicket message in the following format: 2767 * 2768 * struct { 2769 * uint32 ticket_lifetime; 2770 * uint32 ticket_age_add; 2771 * opaque ticket_nonce<0..255>; 2772 * opaque ticket<1..2^16-1>; 2773 * Extension extensions<0..2^16-2>; 2774 * } NewSessionTicket; 2775 * 2776 * The ticket inside the NewSessionTicket message is an encrypted container 2777 * carrying the necessary information so that the server is later able to 2778 * re-start the communication. 2779 * 2780 * The following fields are placed inside the ticket by the 2781 * f_ticket_write() function: 2782 * 2783 * - creation time (start) 2784 * - flags (flags) 2785 * - age add (ticket_age_add) 2786 * - key (key) 2787 * - key length (key_len) 2788 * - ciphersuite (ciphersuite) 2789 */ 2790 MBEDTLS_CHECK_RETURN_CRITICAL 2791 static int ssl_tls13_write_new_session_ticket_body(mbedtls_ssl_context *ssl, 2792 unsigned char *buf, 2793 unsigned char *end, 2794 size_t *out_len, 2795 unsigned char *ticket_nonce, 2796 size_t ticket_nonce_size) 2797 { 2798 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 2799 unsigned char *p = buf; 2800 mbedtls_ssl_session *session = ssl->session; 2801 size_t ticket_len; 2802 uint32_t ticket_lifetime; 2803 2804 *out_len = 0; 2805 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write NewSessionTicket msg")); 2806 2807 /* 2808 * ticket_lifetime 4 bytes 2809 * ticket_age_add 4 bytes 2810 * ticket_nonce 1 + ticket_nonce_size bytes 2811 * ticket >=2 bytes 2812 */ 2813 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 4 + 4 + 1 + ticket_nonce_size + 2); 2814 2815 /* Generate ticket and ticket_lifetime */ 2816 ret = ssl->conf->f_ticket_write(ssl->conf->p_ticket, 2817 session, 2818 p + 9 + ticket_nonce_size + 2, 2819 end, 2820 &ticket_len, 2821 &ticket_lifetime); 2822 if (ret != 0) { 2823 MBEDTLS_SSL_DEBUG_RET(1, "write_ticket", ret); 2824 return ret; 2825 } 2826 /* RFC 8446 4.6.1 2827 * ticket_lifetime: Indicates the lifetime in seconds as a 32-bit 2828 * unsigned integer in network byte order from the time of ticket 2829 * issuance. Servers MUST NOT use any value greater than 2830 * 604800 seconds (7 days). The value of zero indicates that the 2831 * ticket should be discarded immediately. Clients MUST NOT cache 2832 * tickets for longer than 7 days, regardless of the ticket_lifetime, 2833 * and MAY delete tickets earlier based on local policy. A server 2834 * MAY treat a ticket as valid for a shorter period of time than what 2835 * is stated in the ticket_lifetime. 2836 */ 2837 if (ticket_lifetime > 604800) { 2838 ticket_lifetime = 604800; 2839 } 2840 MBEDTLS_PUT_UINT32_BE(ticket_lifetime, p, 0); 2841 MBEDTLS_SSL_DEBUG_MSG(3, ("ticket_lifetime: %u", 2842 (unsigned int) ticket_lifetime)); 2843 2844 /* Write ticket_age_add */ 2845 MBEDTLS_PUT_UINT32_BE(session->ticket_age_add, p, 4); 2846 MBEDTLS_SSL_DEBUG_MSG(3, ("ticket_age_add: %u", 2847 (unsigned int) session->ticket_age_add)); 2848 2849 /* Write ticket_nonce */ 2850 p[8] = (unsigned char) ticket_nonce_size; 2851 if (ticket_nonce_size > 0) { 2852 memcpy(p + 9, ticket_nonce, ticket_nonce_size); 2853 } 2854 p += 9 + ticket_nonce_size; 2855 2856 /* Write ticket */ 2857 MBEDTLS_PUT_UINT16_BE(ticket_len, p, 0); 2858 p += 2; 2859 MBEDTLS_SSL_DEBUG_BUF(4, "ticket", p, ticket_len); 2860 p += ticket_len; 2861 2862 /* Ticket Extensions 2863 * 2864 * Note: We currently don't have any extensions. 2865 * Set length to zero. 2866 */ 2867 ssl->handshake->sent_extensions = MBEDTLS_SSL_EXT_MASK_NONE; 2868 2869 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2); 2870 MBEDTLS_PUT_UINT16_BE(0, p, 0); 2871 p += 2; 2872 2873 *out_len = p - buf; 2874 MBEDTLS_SSL_DEBUG_BUF(4, "ticket", buf, *out_len); 2875 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write new session ticket")); 2876 2877 MBEDTLS_SSL_PRINT_EXTS( 2878 3, MBEDTLS_SSL_HS_NEW_SESSION_TICKET, ssl->handshake->sent_extensions); 2879 2880 return 0; 2881 } 2882 2883 /* 2884 * Handler for MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET 2885 */ 2886 static int ssl_tls13_write_new_session_ticket(mbedtls_ssl_context *ssl) 2887 { 2888 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 2889 2890 MBEDTLS_SSL_PROC_CHK_NEG(ssl_tls13_write_new_session_ticket_coordinate(ssl)); 2891 2892 if (ret == SSL_NEW_SESSION_TICKET_WRITE) { 2893 unsigned char ticket_nonce[MBEDTLS_SSL_TLS1_3_TICKET_NONCE_LENGTH]; 2894 unsigned char *buf; 2895 size_t buf_len, msg_len; 2896 2897 MBEDTLS_SSL_PROC_CHK(ssl_tls13_prepare_new_session_ticket( 2898 ssl, ticket_nonce, sizeof(ticket_nonce))); 2899 2900 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_start_handshake_msg(ssl, 2901 MBEDTLS_SSL_HS_NEW_SESSION_TICKET, 2902 &buf, &buf_len)); 2903 2904 MBEDTLS_SSL_PROC_CHK(ssl_tls13_write_new_session_ticket_body( 2905 ssl, buf, buf + buf_len, &msg_len, 2906 ticket_nonce, sizeof(ticket_nonce))); 2907 2908 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_finish_handshake_msg( 2909 ssl, buf_len, msg_len)); 2910 2911 /* Limit session tickets count to one when resumption connection. 2912 * 2913 * See document of mbedtls_ssl_conf_new_session_tickets. 2914 */ 2915 if (ssl->handshake->resume == 1) { 2916 ssl->handshake->new_session_tickets_count = 0; 2917 } else { 2918 ssl->handshake->new_session_tickets_count--; 2919 } 2920 2921 mbedtls_ssl_handshake_set_state( 2922 ssl, MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET_FLUSH); 2923 } else { 2924 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_OVER); 2925 } 2926 2927 cleanup: 2928 2929 return ret; 2930 } 2931 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 2932 2933 /* 2934 * TLS 1.3 State Machine -- server side 2935 */ 2936 int mbedtls_ssl_tls13_handshake_server_step(mbedtls_ssl_context *ssl) 2937 { 2938 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 2939 2940 if (ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER || ssl->handshake == NULL) { 2941 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 2942 } 2943 2944 MBEDTLS_SSL_DEBUG_MSG(2, ("tls13 server state: %s(%d)", 2945 mbedtls_ssl_states_str(ssl->state), 2946 ssl->state)); 2947 2948 switch (ssl->state) { 2949 /* start state */ 2950 case MBEDTLS_SSL_HELLO_REQUEST: 2951 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_HELLO); 2952 ret = 0; 2953 break; 2954 2955 case MBEDTLS_SSL_CLIENT_HELLO: 2956 ret = ssl_tls13_process_client_hello(ssl); 2957 if (ret != 0) { 2958 MBEDTLS_SSL_DEBUG_RET(1, "ssl_tls13_process_client_hello", ret); 2959 } 2960 break; 2961 2962 case MBEDTLS_SSL_HELLO_RETRY_REQUEST: 2963 ret = ssl_tls13_write_hello_retry_request(ssl); 2964 if (ret != 0) { 2965 MBEDTLS_SSL_DEBUG_RET(1, "ssl_tls13_write_hello_retry_request", ret); 2966 return ret; 2967 } 2968 break; 2969 2970 case MBEDTLS_SSL_SERVER_HELLO: 2971 ret = ssl_tls13_write_server_hello(ssl); 2972 break; 2973 2974 case MBEDTLS_SSL_ENCRYPTED_EXTENSIONS: 2975 ret = ssl_tls13_write_encrypted_extensions(ssl); 2976 if (ret != 0) { 2977 MBEDTLS_SSL_DEBUG_RET(1, "ssl_tls13_write_encrypted_extensions", ret); 2978 return ret; 2979 } 2980 break; 2981 2982 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED) 2983 case MBEDTLS_SSL_CERTIFICATE_REQUEST: 2984 ret = ssl_tls13_write_certificate_request(ssl); 2985 break; 2986 2987 case MBEDTLS_SSL_SERVER_CERTIFICATE: 2988 ret = ssl_tls13_write_server_certificate(ssl); 2989 break; 2990 2991 case MBEDTLS_SSL_CERTIFICATE_VERIFY: 2992 ret = ssl_tls13_write_certificate_verify(ssl); 2993 break; 2994 #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */ 2995 2996 /* 2997 * Injection of dummy-CCS's for middlebox compatibility 2998 */ 2999 #if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE) 3000 case MBEDTLS_SSL_SERVER_CCS_AFTER_HELLO_RETRY_REQUEST: 3001 ret = mbedtls_ssl_tls13_write_change_cipher_spec(ssl); 3002 if (ret == 0) { 3003 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_HELLO); 3004 } 3005 break; 3006 3007 case MBEDTLS_SSL_SERVER_CCS_AFTER_SERVER_HELLO: 3008 ret = mbedtls_ssl_tls13_write_change_cipher_spec(ssl); 3009 if (ret == 0) { 3010 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_ENCRYPTED_EXTENSIONS); 3011 } 3012 break; 3013 #endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */ 3014 3015 case MBEDTLS_SSL_SERVER_FINISHED: 3016 ret = ssl_tls13_write_server_finished(ssl); 3017 break; 3018 3019 case MBEDTLS_SSL_CLIENT_FINISHED: 3020 ret = ssl_tls13_process_client_finished(ssl); 3021 break; 3022 3023 case MBEDTLS_SSL_HANDSHAKE_WRAPUP: 3024 ret = ssl_tls13_handshake_wrapup(ssl); 3025 break; 3026 3027 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED) 3028 case MBEDTLS_SSL_CLIENT_CERTIFICATE: 3029 ret = mbedtls_ssl_tls13_process_certificate(ssl); 3030 if (ret == 0) { 3031 if (ssl->session_negotiate->peer_cert != NULL) { 3032 mbedtls_ssl_handshake_set_state( 3033 ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY); 3034 } else { 3035 MBEDTLS_SSL_DEBUG_MSG(2, ("skip parse certificate verify")); 3036 mbedtls_ssl_handshake_set_state( 3037 ssl, MBEDTLS_SSL_CLIENT_FINISHED); 3038 } 3039 } 3040 break; 3041 3042 case MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY: 3043 ret = mbedtls_ssl_tls13_process_certificate_verify(ssl); 3044 if (ret == 0) { 3045 mbedtls_ssl_handshake_set_state( 3046 ssl, MBEDTLS_SSL_CLIENT_FINISHED); 3047 } 3048 break; 3049 #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */ 3050 3051 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 3052 case MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET: 3053 ret = ssl_tls13_write_new_session_ticket(ssl); 3054 if (ret != 0) { 3055 MBEDTLS_SSL_DEBUG_RET(1, 3056 "ssl_tls13_write_new_session_ticket ", 3057 ret); 3058 } 3059 break; 3060 case MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET_FLUSH: 3061 /* This state is necessary to do the flush of the New Session 3062 * Ticket message written in MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET 3063 * as part of ssl_prepare_handshake_step. 3064 */ 3065 ret = 0; 3066 3067 if (ssl->handshake->new_session_tickets_count == 0) { 3068 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_OVER); 3069 } else { 3070 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET); 3071 } 3072 break; 3073 3074 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 3075 3076 default: 3077 MBEDTLS_SSL_DEBUG_MSG(1, ("invalid state %d", ssl->state)); 3078 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 3079 } 3080 3081 return ret; 3082 } 3083 3084 #endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_PROTO_TLS1_3 */ 3085