1 /*
2 * TLS 1.3 client-side functions
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 *
19 * This file is part of mbed TLS ( https://tls.mbed.org )
20 */
21
22 #include "common.h"
23
24 #if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
25
26 #if defined(MBEDTLS_SSL_CLI_C)
27
28 #include <string.h>
29
30 #include "mbedtls/debug.h"
31 #include "mbedtls/error.h"
32 #include "mbedtls/platform.h"
33
34 #include "ssl_misc.h"
35 #include "ecdh_misc.h"
36 #include "ssl_tls13_keys.h"
37
38 /* Write extensions */
39
40 /*
41 * ssl_tls13_write_supported_versions_ext():
42 *
43 * struct {
44 * ProtocolVersion versions<2..254>;
45 * } SupportedVersions;
46 */
ssl_tls13_write_supported_versions_ext(mbedtls_ssl_context * ssl,unsigned char * buf,unsigned char * end,size_t * olen)47 static int ssl_tls13_write_supported_versions_ext( mbedtls_ssl_context *ssl,
48 unsigned char *buf,
49 unsigned char *end,
50 size_t *olen )
51 {
52 unsigned char *p = buf;
53
54 *olen = 0;
55
56 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding supported versions extension" ) );
57
58 /* Check if we have space to write the extension:
59 * - extension_type (2 bytes)
60 * - extension_data_length (2 bytes)
61 * - versions_length (1 byte )
62 * - versions (2 bytes)
63 */
64 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 7 );
65
66 /* Write extension_type */
67 MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS, p, 0 );
68
69 /* Write extension_data_length */
70 MBEDTLS_PUT_UINT16_BE( 3, p, 2 );
71 p += 4;
72
73 /* Length of versions */
74 *p++ = 0x2;
75
76 /* Write values of supported versions.
77 *
78 * They are defined by the configuration.
79 *
80 * Currently, only one version is advertised.
81 */
82 mbedtls_ssl_write_version( ssl->conf->max_major_ver,
83 ssl->conf->max_minor_ver,
84 ssl->conf->transport, p );
85
86 MBEDTLS_SSL_DEBUG_MSG( 3, ( "supported version: [%d:%d]",
87 ssl->conf->max_major_ver,
88 ssl->conf->max_minor_ver ) );
89
90 *olen = 7;
91
92 return( 0 );
93 }
94
ssl_tls13_parse_supported_versions_ext(mbedtls_ssl_context * ssl,const unsigned char * buf,const unsigned char * end)95 static int ssl_tls13_parse_supported_versions_ext( mbedtls_ssl_context *ssl,
96 const unsigned char *buf,
97 const unsigned char *end )
98 {
99 ((void) ssl);
100
101 MBEDTLS_SSL_CHK_BUF_READ_PTR( buf, end, 2);
102 if( buf[0] != MBEDTLS_SSL_MAJOR_VERSION_3 ||
103 buf[1] != MBEDTLS_SSL_MINOR_VERSION_4 )
104 {
105 MBEDTLS_SSL_DEBUG_MSG( 1, ( "unexpected version" ) );
106
107 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
108 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
109 return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
110 }
111
112 return( 0 );
113 }
114
115 #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
116
117 /*
118 * Functions for writing supported_groups extension.
119 *
120 * Stucture of supported_groups:
121 * enum {
122 * secp256r1(0x0017), secp384r1(0x0018), secp521r1(0x0019),
123 * x25519(0x001D), x448(0x001E),
124 * ffdhe2048(0x0100), ffdhe3072(0x0101), ffdhe4096(0x0102),
125 * ffdhe6144(0x0103), ffdhe8192(0x0104),
126 * ffdhe_private_use(0x01FC..0x01FF),
127 * ecdhe_private_use(0xFE00..0xFEFF),
128 * (0xFFFF)
129 * } NamedGroup;
130 * struct {
131 * NamedGroup named_group_list<2..2^16-1>;
132 * } NamedGroupList;
133 */
134 #if defined(MBEDTLS_ECDH_C)
135 /*
136 * In versions of TLS prior to TLS 1.3, this extension was named
137 * 'elliptic_curves' and only contained elliptic curve groups.
138 */
ssl_tls13_write_named_group_list_ecdhe(mbedtls_ssl_context * ssl,unsigned char * buf,unsigned char * end,size_t * olen)139 static int ssl_tls13_write_named_group_list_ecdhe( mbedtls_ssl_context *ssl,
140 unsigned char *buf,
141 unsigned char *end,
142 size_t *olen )
143 {
144 unsigned char *p = buf;
145
146 *olen = 0;
147
148 const uint16_t *group_list = mbedtls_ssl_get_groups( ssl );
149
150 if( group_list == NULL )
151 return( MBEDTLS_ERR_SSL_BAD_CONFIG );
152
153 for ( ; *group_list != 0; group_list++ )
154 {
155 const mbedtls_ecp_curve_info *info;
156 info = mbedtls_ecp_curve_info_from_tls_id( *group_list );
157 if( info == NULL )
158 continue;
159
160 if( !mbedtls_ssl_tls13_named_group_is_ecdhe( *group_list ) )
161 continue;
162
163 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2);
164 MBEDTLS_PUT_UINT16_BE( *group_list, p, 0 );
165 p += 2;
166
167 MBEDTLS_SSL_DEBUG_MSG( 3, ( "NamedGroup: %s ( %x )",
168 info->name, *group_list ) );
169 }
170
171 *olen = p - buf;
172
173 return( 0 );
174 }
175 #else
ssl_tls13_write_named_group_list_ecdhe(mbedtls_ssl_context * ssl,unsigned char * buf,unsigned char * end,size_t * olen)176 static int ssl_tls13_write_named_group_list_ecdhe( mbedtls_ssl_context *ssl,
177 unsigned char *buf,
178 unsigned char *end,
179 size_t *olen )
180 {
181 ((void) ssl);
182 ((void) buf);
183 ((void) end);
184 *olen = 0;
185 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
186 }
187 #endif /* MBEDTLS_ECDH_C */
188
ssl_tls13_write_named_group_list_dhe(mbedtls_ssl_context * ssl,unsigned char * buf,unsigned char * end,size_t * olen)189 static int ssl_tls13_write_named_group_list_dhe( mbedtls_ssl_context *ssl,
190 unsigned char *buf,
191 unsigned char *end,
192 size_t *olen )
193 {
194 ((void) ssl);
195 ((void) buf);
196 ((void) end);
197 *olen = 0;
198 MBEDTLS_SSL_DEBUG_MSG( 3, ( "write_named_group_dhe is not implemented" ) );
199 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
200 }
201
ssl_tls13_write_supported_groups_ext(mbedtls_ssl_context * ssl,unsigned char * buf,unsigned char * end,size_t * olen)202 static int ssl_tls13_write_supported_groups_ext( mbedtls_ssl_context *ssl,
203 unsigned char *buf,
204 unsigned char *end,
205 size_t *olen )
206 {
207 unsigned char *p = buf ;
208 unsigned char *named_group_list_ptr; /* Start of named_group_list */
209 size_t named_group_list_len; /* Length of named_group_list */
210 size_t output_len = 0;
211 int ret_ecdhe, ret_dhe;
212
213 *olen = 0;
214
215 if( !mbedtls_ssl_conf_tls13_some_ephemeral_enabled( ssl ) )
216 return( 0 );
217
218 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding supported_groups extension" ) );
219
220 /* Check if we have space for header and length fields:
221 * - extension_type (2 bytes)
222 * - extension_data_length (2 bytes)
223 * - named_group_list_length (2 bytes)
224 */
225 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 6 );
226 p += 6;
227
228 named_group_list_ptr = p;
229 ret_ecdhe = ssl_tls13_write_named_group_list_ecdhe( ssl, p, end, &output_len );
230 if( ret_ecdhe != 0 )
231 {
232 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_tls13_write_named_group_list_ecdhe", ret_ecdhe );
233 }
234 p += output_len;
235
236 ret_dhe = ssl_tls13_write_named_group_list_dhe( ssl, p, end, &output_len );
237 if( ret_dhe != 0 )
238 {
239 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_tls13_write_named_group_list_dhe", ret_dhe );
240 }
241 p += output_len;
242
243 /* Both ECDHE and DHE failed. */
244 if( ret_ecdhe != 0 && ret_dhe != 0 )
245 {
246 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Both ECDHE and DHE groups are fail. " ) );
247 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
248 }
249
250 /* Length of named_group_list*/
251 named_group_list_len = p - named_group_list_ptr;
252 if( named_group_list_len == 0 )
253 {
254 MBEDTLS_SSL_DEBUG_MSG( 1, ( "No group available." ) );
255 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
256 }
257
258 /* Write extension_type */
259 MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_SUPPORTED_GROUPS, buf, 0 );
260 /* Write extension_data_length */
261 MBEDTLS_PUT_UINT16_BE( named_group_list_len + 2, buf, 2 );
262 /* Write length of named_group_list */
263 MBEDTLS_PUT_UINT16_BE( named_group_list_len, buf, 4 );
264
265 MBEDTLS_SSL_DEBUG_BUF( 3, "Supported groups extension", buf + 4, named_group_list_len + 2 );
266
267 *olen = p - buf;
268
269 ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_SUPPORTED_GROUPS;
270
271 return( 0 );
272 }
273
274 /*
275 * Functions for writing key_share extension.
276 */
277 #if defined(MBEDTLS_ECDH_C)
ssl_tls13_generate_and_write_ecdh_key_exchange(mbedtls_ssl_context * ssl,uint16_t named_group,unsigned char * buf,unsigned char * end,size_t * olen)278 static int ssl_tls13_generate_and_write_ecdh_key_exchange(
279 mbedtls_ssl_context *ssl,
280 uint16_t named_group,
281 unsigned char *buf,
282 unsigned char *end,
283 size_t *olen )
284 {
285 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
286 const mbedtls_ecp_curve_info *curve_info =
287 mbedtls_ecp_curve_info_from_tls_id( named_group );
288
289 if( curve_info == NULL )
290 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
291
292 MBEDTLS_SSL_DEBUG_MSG( 3, ( "offer curve %s", curve_info->name ) );
293
294 if( ( ret = mbedtls_ecdh_setup_no_everest( &ssl->handshake->ecdh_ctx,
295 curve_info->grp_id ) ) != 0 )
296 {
297 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_setup_no_everest", ret );
298 return( ret );
299 }
300
301 ret = mbedtls_ecdh_tls13_make_params( &ssl->handshake->ecdh_ctx, olen,
302 buf, end - buf,
303 ssl->conf->f_rng, ssl->conf->p_rng );
304 if( ret != 0 )
305 {
306 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_tls13_make_params", ret );
307 return( ret );
308 }
309
310 MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
311 MBEDTLS_DEBUG_ECDH_Q );
312 return( 0 );
313 }
314 #endif /* MBEDTLS_ECDH_C */
315
ssl_tls13_get_default_group_id(mbedtls_ssl_context * ssl,uint16_t * group_id)316 static int ssl_tls13_get_default_group_id( mbedtls_ssl_context *ssl,
317 uint16_t *group_id )
318 {
319 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
320
321
322 #if defined(MBEDTLS_ECDH_C)
323 const uint16_t *group_list = mbedtls_ssl_get_groups( ssl );
324 /* Pick first available ECDHE group compatible with TLS 1.3 */
325 if( group_list == NULL )
326 return( MBEDTLS_ERR_SSL_BAD_CONFIG );
327
328 for ( ; *group_list != 0; group_list++ )
329 {
330 const mbedtls_ecp_curve_info *info;
331 info = mbedtls_ecp_curve_info_from_tls_id( *group_list );
332 if( info != NULL &&
333 mbedtls_ssl_tls13_named_group_is_ecdhe( *group_list ) )
334 {
335 *group_id = *group_list;
336 return( 0 );
337 }
338 }
339 #else
340 ((void) ssl);
341 ((void) group_id);
342 #endif /* MBEDTLS_ECDH_C */
343
344 /*
345 * Add DHE named groups here.
346 * Pick first available DHE group compatible with TLS 1.3
347 */
348
349 return( ret );
350 }
351
352 /*
353 * ssl_tls13_write_key_share_ext
354 *
355 * Structure of key_share extension in ClientHello:
356 *
357 * struct {
358 * NamedGroup group;
359 * opaque key_exchange<1..2^16-1>;
360 * } KeyShareEntry;
361 * struct {
362 * KeyShareEntry client_shares<0..2^16-1>;
363 * } KeyShareClientHello;
364 */
ssl_tls13_write_key_share_ext(mbedtls_ssl_context * ssl,unsigned char * buf,unsigned char * end,size_t * olen)365 static int ssl_tls13_write_key_share_ext( mbedtls_ssl_context *ssl,
366 unsigned char *buf,
367 unsigned char *end,
368 size_t *olen )
369 {
370 unsigned char *p = buf;
371 unsigned char *client_shares_ptr; /* Start of client_shares */
372 size_t client_shares_len; /* Length of client_shares */
373 uint16_t group_id;
374 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
375
376 *olen = 0;
377
378 if( !mbedtls_ssl_conf_tls13_some_ephemeral_enabled( ssl ) )
379 return( 0 );
380
381 /* Check if we have space for header and length fields:
382 * - extension_type (2 bytes)
383 * - extension_data_length (2 bytes)
384 * - client_shares_length (2 bytes)
385 */
386 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 6 );
387 p += 6;
388
389 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello: adding key share extension" ) );
390
391 /* HRR could already have requested something else. */
392 group_id = ssl->handshake->offered_group_id;
393 if( !mbedtls_ssl_tls13_named_group_is_ecdhe( group_id ) &&
394 !mbedtls_ssl_tls13_named_group_is_dhe( group_id ) )
395 {
396 MBEDTLS_SSL_PROC_CHK( ssl_tls13_get_default_group_id( ssl,
397 &group_id ) );
398 }
399
400 /*
401 * Dispatch to type-specific key generation function.
402 *
403 * So far, we're only supporting ECDHE. With the introduction
404 * of PQC KEMs, we'll want to have multiple branches, one per
405 * type of KEM, and dispatch to the corresponding crypto. And
406 * only one key share entry is allowed.
407 */
408 client_shares_ptr = p;
409 #if defined(MBEDTLS_ECDH_C)
410 if( mbedtls_ssl_tls13_named_group_is_ecdhe( group_id ) )
411 {
412 /* Pointer to group */
413 unsigned char *group_ptr = p;
414 /* Length of key_exchange */
415 size_t key_exchange_len;
416
417 /* Check there is space for header of KeyShareEntry
418 * - group (2 bytes)
419 * - key_exchange_length (2 bytes)
420 */
421 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 4 );
422 p += 4;
423 ret = ssl_tls13_generate_and_write_ecdh_key_exchange( ssl, group_id,
424 p, end,
425 &key_exchange_len );
426 p += key_exchange_len;
427 if( ret != 0 )
428 return( ret );
429
430 /* Write group */
431 MBEDTLS_PUT_UINT16_BE( group_id, group_ptr, 0 );
432 /* Write key_exchange_length */
433 MBEDTLS_PUT_UINT16_BE( key_exchange_len, group_ptr, 2 );
434 }
435 else
436 #endif /* MBEDTLS_ECDH_C */
437 if( 0 /* other KEMs? */ )
438 {
439 /* Do something */
440 }
441 else
442 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
443
444 /* Length of client_shares */
445 client_shares_len = p - client_shares_ptr;
446 if( client_shares_len == 0)
447 {
448 MBEDTLS_SSL_DEBUG_MSG( 1, ( "No key share defined." ) );
449 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
450 }
451 /* Write extension_type */
452 MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_KEY_SHARE, buf, 0 );
453 /* Write extension_data_length */
454 MBEDTLS_PUT_UINT16_BE( client_shares_len + 2, buf, 2 );
455 /* Write client_shares_length */
456 MBEDTLS_PUT_UINT16_BE( client_shares_len, buf, 4 );
457
458 /* Update offered_group_id field */
459 ssl->handshake->offered_group_id = group_id;
460
461 /* Output the total length of key_share extension. */
462 *olen = p - buf;
463
464 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, key_share extension", buf, *olen );
465
466 ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_KEY_SHARE;
467
468 cleanup:
469
470 return( ret );
471 }
472
473 #if defined(MBEDTLS_ECDH_C)
474
ssl_tls13_check_ecdh_params(const mbedtls_ssl_context * ssl)475 static int ssl_tls13_check_ecdh_params( const mbedtls_ssl_context *ssl )
476 {
477 const mbedtls_ecp_curve_info *curve_info;
478 mbedtls_ecp_group_id grp_id;
479 #if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
480 grp_id = ssl->handshake->ecdh_ctx.grp.id;
481 #else
482 grp_id = ssl->handshake->ecdh_ctx.grp_id;
483 #endif
484
485 curve_info = mbedtls_ecp_curve_info_from_grp_id( grp_id );
486 if( curve_info == NULL )
487 {
488 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
489 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
490 }
491
492 MBEDTLS_SSL_DEBUG_MSG( 2, ( "ECDH curve: %s", curve_info->name ) );
493
494 if( mbedtls_ssl_check_curve( ssl, grp_id ) != 0 )
495 return( -1 );
496
497 MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
498 MBEDTLS_DEBUG_ECDH_QP );
499
500 return( 0 );
501 }
502
ssl_tls13_read_public_ecdhe_share(mbedtls_ssl_context * ssl,const unsigned char * buf,size_t buf_len)503 static int ssl_tls13_read_public_ecdhe_share( mbedtls_ssl_context *ssl,
504 const unsigned char *buf,
505 size_t buf_len )
506 {
507 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
508
509 ret = mbedtls_ecdh_tls13_read_public( &ssl->handshake->ecdh_ctx,
510 buf, buf_len );
511 if( ret != 0 )
512 {
513 MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ecdh_tls13_read_public" ), ret );
514
515 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
516 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
517 return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
518 }
519
520 if( ssl_tls13_check_ecdh_params( ssl ) != 0 )
521 {
522 MBEDTLS_SSL_DEBUG_MSG( 1, ( "ssl_tls13_check_ecdh_params() failed!" ) );
523
524 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
525 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
526 return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
527 }
528
529 return( 0 );
530 }
531 #endif /* MBEDTLS_ECDH_C */
532
533 /*
534 * ssl_tls13_parse_key_share_ext()
535 * Parse key_share extension in Server Hello
536 *
537 * struct {
538 * KeyShareEntry server_share;
539 * } KeyShareServerHello;
540 * struct {
541 * NamedGroup group;
542 * opaque key_exchange<1..2^16-1>;
543 * } KeyShareEntry;
544 */
ssl_tls13_parse_key_share_ext(mbedtls_ssl_context * ssl,const unsigned char * buf,const unsigned char * end)545 static int ssl_tls13_parse_key_share_ext( mbedtls_ssl_context *ssl,
546 const unsigned char *buf,
547 const unsigned char *end )
548 {
549 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
550 const unsigned char *p = buf;
551 uint16_t group, offered_group;
552
553 /* ...
554 * NamedGroup group; (2 bytes)
555 * ...
556 */
557 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
558 group = MBEDTLS_GET_UINT16_BE( p, 0 );
559 p += 2;
560
561 /* Check that the chosen group matches the one we offered. */
562 offered_group = ssl->handshake->offered_group_id;
563 if( offered_group != group )
564 {
565 MBEDTLS_SSL_DEBUG_MSG( 1,
566 ( "Invalid server key share, our group %u, their group %u",
567 (unsigned) offered_group, (unsigned) group ) );
568 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
569 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
570 return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
571 }
572
573 #if defined(MBEDTLS_ECDH_C)
574 if( mbedtls_ssl_tls13_named_group_is_ecdhe( group ) )
575 {
576 /* Complete ECDHE key agreement */
577 ret = ssl_tls13_read_public_ecdhe_share( ssl, p, end - p );
578 if( ret != 0 )
579 return( ret );
580 }
581 else
582 #endif /* MBEDTLS_ECDH_C */
583 if( 0 /* other KEMs? */ )
584 {
585 /* Do something */
586 }
587 else
588 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
589
590 ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_KEY_SHARE;
591 return( ret );
592 }
593
594 #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
595
596 /* Write cipher_suites
597 * CipherSuite cipher_suites<2..2^16-2>;
598 */
ssl_tls13_write_client_hello_cipher_suites(mbedtls_ssl_context * ssl,unsigned char * buf,unsigned char * end,size_t * olen)599 static int ssl_tls13_write_client_hello_cipher_suites(
600 mbedtls_ssl_context *ssl,
601 unsigned char *buf,
602 unsigned char *end,
603 size_t *olen )
604 {
605 unsigned char *p = buf;
606 const int *ciphersuite_list;
607 unsigned char *cipher_suites_ptr; /* Start of the cipher_suites list */
608 size_t cipher_suites_len;
609
610 *olen = 0 ;
611
612 /*
613 * Ciphersuite list
614 *
615 * This is a list of the symmetric cipher options supported by
616 * the client, specifically the record protection algorithm
617 * ( including secret key length ) and a hash to be used with
618 * HKDF, in descending order of client preference.
619 */
620 ciphersuite_list = ssl->conf->ciphersuite_list;
621
622 /* Check there is space for the cipher suite list length (2 bytes). */
623 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 );
624 p += 2;
625
626 /* Write cipher_suites */
627 cipher_suites_ptr = p;
628 for ( size_t i = 0; ciphersuite_list[i] != 0; i++ )
629 {
630 int cipher_suite = ciphersuite_list[i];
631 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
632
633 ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( cipher_suite );
634 if( ciphersuite_info == NULL )
635 continue;
636 if( !( MBEDTLS_SSL_MINOR_VERSION_4 >= ciphersuite_info->min_minor_ver &&
637 MBEDTLS_SSL_MINOR_VERSION_4 <= ciphersuite_info->max_minor_ver ) )
638 continue;
639
640 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, add ciphersuite: %04x, %s",
641 (unsigned int) cipher_suite,
642 ciphersuite_info->name ) );
643
644 /* Check there is space for the cipher suite identifier (2 bytes). */
645 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 );
646 MBEDTLS_PUT_UINT16_BE( cipher_suite, p, 0 );
647 p += 2;
648 }
649
650 /* Write the cipher_suites length in number of bytes */
651 cipher_suites_len = p - cipher_suites_ptr;
652 MBEDTLS_PUT_UINT16_BE( cipher_suites_len, buf, 0 );
653 MBEDTLS_SSL_DEBUG_MSG( 3,
654 ( "client hello, got %" MBEDTLS_PRINTF_SIZET " cipher suites",
655 cipher_suites_len/2 ) );
656
657 /* Output the total length of cipher_suites field. */
658 *olen = p - buf;
659
660 return( 0 );
661 }
662
663 /*
664 * Structure of ClientHello message:
665 *
666 * struct {
667 * ProtocolVersion legacy_version = 0x0303; // TLS v1.2
668 * Random random;
669 * opaque legacy_session_id<0..32>;
670 * CipherSuite cipher_suites<2..2^16-2>;
671 * opaque legacy_compression_methods<1..2^8-1>;
672 * Extension extensions<8..2^16-1>;
673 * } ClientHello;
674 */
ssl_tls13_write_client_hello_body(mbedtls_ssl_context * ssl,unsigned char * buf,unsigned char * end,size_t * olen)675 static int ssl_tls13_write_client_hello_body( mbedtls_ssl_context *ssl,
676 unsigned char *buf,
677 unsigned char *end,
678 size_t *olen )
679 {
680
681 int ret;
682 unsigned char *extensions_len_ptr; /* Pointer to extensions length */
683 size_t output_len; /* Length of buffer used by function */
684 size_t extensions_len; /* Length of the list of extensions*/
685
686 /* Buffer management */
687 unsigned char *p = buf;
688
689 *olen = 0;
690
691 /* No validation needed here. It has been done by ssl_conf_check() */
692 ssl->major_ver = ssl->conf->min_major_ver;
693 ssl->minor_ver = ssl->conf->min_minor_ver;
694
695 /*
696 * Write legacy_version
697 * ProtocolVersion legacy_version = 0x0303; // TLS v1.2
698 *
699 * For TLS 1.3 we use the legacy version number {0x03, 0x03}
700 * instead of the true version number.
701 */
702 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 );
703 MBEDTLS_PUT_UINT16_BE( 0x0303, p, 0 );
704 p += 2;
705
706 /* Write the random bytes ( random ).*/
707 MBEDTLS_SSL_CHK_BUF_PTR( p, end, MBEDTLS_CLIENT_HELLO_RANDOM_LEN );
708 memcpy( p, ssl->handshake->randbytes, MBEDTLS_CLIENT_HELLO_RANDOM_LEN );
709 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, random bytes",
710 p, MBEDTLS_CLIENT_HELLO_RANDOM_LEN );
711 p += MBEDTLS_CLIENT_HELLO_RANDOM_LEN;
712
713 /*
714 * Write legacy_session_id
715 *
716 * Versions of TLS before TLS 1.3 supported a "session resumption" feature
717 * which has been merged with pre-shared keys in this version. A client
718 * which has a cached session ID set by a pre-TLS 1.3 server SHOULD set
719 * this field to that value. In compatibility mode, this field MUST be
720 * non-empty, so a client not offering a pre-TLS 1.3 session MUST generate
721 * a new 32-byte value. This value need not be random but SHOULD be
722 * unpredictable to avoid implementations fixating on a specific value
723 * ( also known as ossification ). Otherwise, it MUST be set as a zero-length
724 * vector ( i.e., a zero-valued single byte length field ).
725 */
726 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 1 );
727 *p++ = 0; /* session id length set to zero */
728
729 /* Write cipher_suites */
730 ret = ssl_tls13_write_client_hello_cipher_suites( ssl, p, end, &output_len );
731 if( ret != 0 )
732 return( ret );
733 p += output_len;
734
735 /* Write legacy_compression_methods
736 *
737 * For every TLS 1.3 ClientHello, this vector MUST contain exactly
738 * one byte set to zero, which corresponds to the 'null' compression
739 * method in prior versions of TLS.
740 */
741 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 );
742 *p++ = 1;
743 *p++ = MBEDTLS_SSL_COMPRESS_NULL;
744
745 /* Write extensions */
746
747 /* Keeping track of the included extensions */
748 ssl->handshake->extensions_present = MBEDTLS_SSL_EXT_NONE;
749
750 /* First write extensions, then the total length */
751 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 );
752 extensions_len_ptr = p;
753 p += 2;
754
755 /* Write supported_versions extension
756 *
757 * Supported Versions Extension is mandatory with TLS 1.3.
758 */
759 ret = ssl_tls13_write_supported_versions_ext( ssl, p, end, &output_len );
760 if( ret != 0 )
761 return( ret );
762 p += output_len;
763
764 #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
765 /* Write supported_groups extension
766 *
767 * It is REQUIRED for ECDHE cipher_suites.
768 */
769 ret = ssl_tls13_write_supported_groups_ext( ssl, p, end, &output_len );
770 if( ret != 0 )
771 return( ret );
772 p += output_len;
773
774 /* Write key_share extension
775 *
776 * We need to send the key shares under three conditions:
777 * 1) A certificate-based ciphersuite is being offered. In this case
778 * supported_groups and supported_signature extensions have been
779 * successfully added.
780 * 2) A PSK-based ciphersuite with ECDHE is offered. In this case the
781 * psk_key_exchange_modes has been added as the last extension.
782 * 3) Or, in case all ciphers are supported ( which includes #1 and #2
783 * from above )
784 */
785 ret = ssl_tls13_write_key_share_ext( ssl, p, end, &output_len );
786 if( ret != 0 )
787 return( ret );
788 p += output_len;
789
790 /* Write signature_algorithms extension
791 *
792 * It is REQUIRED for certificate authenticated cipher_suites.
793 */
794 ret = mbedtls_ssl_tls13_write_sig_alg_ext( ssl, p, end, &output_len );
795 if( ret != 0 )
796 return( ret );
797 p += output_len;
798
799 #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
800
801 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
802 /* Write server name extension */
803 ret = mbedtls_ssl_write_hostname_ext( ssl, p, end, &output_len );
804 if( ret != 0 )
805 return( ret );
806 p += output_len;
807 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
808
809 /* Add more extensions here */
810
811 /* Write the length of the list of extensions. */
812 extensions_len = p - extensions_len_ptr - 2;
813 MBEDTLS_PUT_UINT16_BE( extensions_len, extensions_len_ptr, 0 );
814 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, total extension length: %" MBEDTLS_PRINTF_SIZET ,
815 extensions_len ) );
816 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello extensions", extensions_len_ptr, extensions_len );
817
818 *olen = p - buf;
819 return( 0 );
820 }
821
ssl_tls13_finalize_client_hello(mbedtls_ssl_context * ssl)822 static int ssl_tls13_finalize_client_hello( mbedtls_ssl_context *ssl )
823 {
824 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_HELLO );
825 return( 0 );
826 }
827
ssl_tls13_prepare_client_hello(mbedtls_ssl_context * ssl)828 static int ssl_tls13_prepare_client_hello( mbedtls_ssl_context *ssl )
829 {
830 int ret;
831
832 if( ssl->conf->f_rng == NULL )
833 {
834 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no RNG provided" ) );
835 return( MBEDTLS_ERR_SSL_NO_RNG );
836 }
837
838 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng,
839 ssl->handshake->randbytes,
840 MBEDTLS_CLIENT_HELLO_RANDOM_LEN ) ) != 0 )
841 {
842 MBEDTLS_SSL_DEBUG_RET( 1, "f_rng", ret );
843 return( ret );
844 }
845
846 return( 0 );
847 }
848
849 /*
850 * Write ClientHello handshake message.
851 * Handler for MBEDTLS_SSL_CLIENT_HELLO
852 */
ssl_tls13_write_client_hello(mbedtls_ssl_context * ssl)853 static int ssl_tls13_write_client_hello( mbedtls_ssl_context *ssl )
854 {
855 int ret = 0;
856 unsigned char *buf;
857 size_t buf_len, msg_len;
858
859 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write client hello" ) );
860
861 MBEDTLS_SSL_PROC_CHK( ssl_tls13_prepare_client_hello( ssl ) );
862
863 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_start_handshake_msg(
864 ssl, MBEDTLS_SSL_HS_CLIENT_HELLO,
865 &buf, &buf_len ) );
866
867 MBEDTLS_SSL_PROC_CHK( ssl_tls13_write_client_hello_body( ssl, buf,
868 buf + buf_len,
869 &msg_len ) );
870
871 mbedtls_ssl_tls13_add_hs_hdr_to_checksum( ssl,
872 MBEDTLS_SSL_HS_CLIENT_HELLO,
873 msg_len );
874 ssl->handshake->update_checksum( ssl, buf, msg_len );
875
876 MBEDTLS_SSL_PROC_CHK( ssl_tls13_finalize_client_hello( ssl ) );
877 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_finish_handshake_msg( ssl,
878 buf_len,
879 msg_len ) );
880
881 cleanup:
882
883 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write client hello" ) );
884 return ret;
885 }
886
887 /*
888 * Functions for parsing and processing Server Hello
889 */
890 /* Returns a negative value on failure, and otherwise
891 * - SSL_SERVER_HELLO_COORDINATE_HELLO or
892 * - SSL_SERVER_HELLO_COORDINATE_HRR
893 * to indicate which message is expected and to be parsed next. */
894 #define SSL_SERVER_HELLO_COORDINATE_HELLO 0
895 #define SSL_SERVER_HELLO_COORDINATE_HRR 1
ssl_server_hello_is_hrr(mbedtls_ssl_context * ssl,const unsigned char * buf,const unsigned char * end)896 static int ssl_server_hello_is_hrr( mbedtls_ssl_context *ssl,
897 const unsigned char *buf,
898 const unsigned char *end )
899 {
900 static const unsigned char magic_hrr_string[MBEDTLS_SERVER_HELLO_RANDOM_LEN] =
901 { 0xCF, 0x21, 0xAD, 0x74, 0xE5, 0x9A, 0x61, 0x11,
902 0xBE, 0x1D, 0x8C, 0x02, 0x1E, 0x65, 0xB8, 0x91,
903 0xC2, 0xA2, 0x11, 0x16, 0x7A, 0xBB, 0x8C, 0x5E,
904 0x07, 0x9E, 0x09, 0xE2, 0xC8, 0xA8, 0x33 ,0x9C };
905
906 /* Check whether this message is a HelloRetryRequest ( HRR ) message.
907 *
908 * Server Hello and HRR are only distinguished by Random set to the
909 * special value of the SHA-256 of "HelloRetryRequest".
910 *
911 * struct {
912 * ProtocolVersion legacy_version = 0x0303;
913 * Random random;
914 * opaque legacy_session_id_echo<0..32>;
915 * CipherSuite cipher_suite;
916 * uint8 legacy_compression_method = 0;
917 * Extension extensions<6..2^16-1>;
918 * } ServerHello;
919 *
920 */
921 MBEDTLS_SSL_CHK_BUF_READ_PTR( buf, end, 2 + sizeof( magic_hrr_string ) );
922
923 if( memcmp( buf + 2, magic_hrr_string, sizeof( magic_hrr_string ) ) == 0 )
924 {
925 return( SSL_SERVER_HELLO_COORDINATE_HRR );
926 }
927
928 return( SSL_SERVER_HELLO_COORDINATE_HELLO );
929 }
930
931 /* Fetch and preprocess
932 * Returns a negative value on failure, and otherwise
933 * - SSL_SERVER_HELLO_COORDINATE_HELLO or
934 * - SSL_SERVER_HELLO_COORDINATE_HRR
935 */
ssl_tls13_server_hello_coordinate(mbedtls_ssl_context * ssl,unsigned char ** buf,size_t * buf_len)936 static int ssl_tls13_server_hello_coordinate( mbedtls_ssl_context *ssl,
937 unsigned char **buf,
938 size_t *buf_len )
939 {
940 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
941
942 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_read_record( ssl, 0 ) );
943
944 if( ( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ) ||
945 ( ssl->in_msg[0] != MBEDTLS_SSL_HS_SERVER_HELLO ) )
946 {
947 MBEDTLS_SSL_DEBUG_MSG( 1, ( "unexpected message" ) );
948
949 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE,
950 MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
951 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
952 }
953
954 *buf = ssl->in_msg + 4;
955 *buf_len = ssl->in_hslen - 4;
956
957 ret = ssl_server_hello_is_hrr( ssl, *buf, *buf + *buf_len );
958 switch( ret )
959 {
960 case SSL_SERVER_HELLO_COORDINATE_HELLO:
961 MBEDTLS_SSL_DEBUG_MSG( 2, ( "received ServerHello message" ) );
962 break;
963 case SSL_SERVER_HELLO_COORDINATE_HRR:
964 MBEDTLS_SSL_DEBUG_MSG( 2, ( "received HelloRetryRequest message" ) );
965 break;
966 }
967
968 cleanup:
969
970 return( ret );
971 }
972
ssl_tls13_check_server_hello_session_id_echo(mbedtls_ssl_context * ssl,const unsigned char ** buf,const unsigned char * end)973 static int ssl_tls13_check_server_hello_session_id_echo( mbedtls_ssl_context *ssl,
974 const unsigned char **buf,
975 const unsigned char *end )
976 {
977 const unsigned char *p = *buf;
978 size_t legacy_session_id_echo_len;
979
980 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 1 );
981 legacy_session_id_echo_len = *p++ ;
982
983 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, legacy_session_id_echo_len );
984
985 /* legacy_session_id_echo */
986 if( ssl->session_negotiate->id_len != legacy_session_id_echo_len ||
987 memcmp( ssl->session_negotiate->id, p , legacy_session_id_echo_len ) != 0 )
988 {
989 MBEDTLS_SSL_DEBUG_BUF( 3, "Expected Session ID",
990 ssl->session_negotiate->id,
991 ssl->session_negotiate->id_len );
992 MBEDTLS_SSL_DEBUG_BUF( 3, "Received Session ID", p,
993 legacy_session_id_echo_len );
994
995 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
996 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
997
998 return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
999 }
1000
1001 p += legacy_session_id_echo_len;
1002 *buf = p;
1003
1004 MBEDTLS_SSL_DEBUG_BUF( 3, "Session ID", ssl->session_negotiate->id,
1005 ssl->session_negotiate->id_len );
1006 return( 0 );
1007 }
1008
ssl_tls13_cipher_suite_is_offered(mbedtls_ssl_context * ssl,int cipher_suite)1009 static int ssl_tls13_cipher_suite_is_offered( mbedtls_ssl_context *ssl,
1010 int cipher_suite )
1011 {
1012 const int *ciphersuite_list = ssl->conf->ciphersuite_list;
1013
1014 /* Check whether we have offered this ciphersuite */
1015 for ( size_t i = 0; ciphersuite_list[i] != 0; i++ )
1016 {
1017 if( ciphersuite_list[i] == cipher_suite )
1018 {
1019 return( 1 );
1020 }
1021 }
1022 return( 0 );
1023 }
1024
1025 /* Parse ServerHello message and configure context
1026 *
1027 * struct {
1028 * ProtocolVersion legacy_version = 0x0303; // TLS 1.2
1029 * Random random;
1030 * opaque legacy_session_id_echo<0..32>;
1031 * CipherSuite cipher_suite;
1032 * uint8 legacy_compression_method = 0;
1033 * Extension extensions<6..2^16-1>;
1034 * } ServerHello;
1035 */
ssl_tls13_parse_server_hello(mbedtls_ssl_context * ssl,const unsigned char * buf,const unsigned char * end)1036 static int ssl_tls13_parse_server_hello( mbedtls_ssl_context *ssl,
1037 const unsigned char *buf,
1038 const unsigned char *end )
1039 {
1040 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1041 const unsigned char *p = buf;
1042 size_t extensions_len;
1043 const unsigned char *extensions_end;
1044 uint16_t cipher_suite;
1045 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
1046
1047 /*
1048 * Check there is space for minimal fields
1049 *
1050 * - legacy_version ( 2 bytes)
1051 * - random (MBEDTLS_SERVER_HELLO_RANDOM_LEN bytes)
1052 * - legacy_session_id_echo ( 1 byte ), minimum size
1053 * - cipher_suite ( 2 bytes)
1054 * - legacy_compression_method ( 1 byte )
1055 */
1056 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, MBEDTLS_SERVER_HELLO_RANDOM_LEN + 6 );
1057
1058 MBEDTLS_SSL_DEBUG_BUF( 4, "server hello", p, end - p );
1059 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, version", p, 2 );
1060
1061 /* ...
1062 * ProtocolVersion legacy_version = 0x0303; // TLS 1.2
1063 * ...
1064 * with ProtocolVersion defined as:
1065 * uint16 ProtocolVersion;
1066 */
1067 if( !( p[0] == MBEDTLS_SSL_MAJOR_VERSION_3 &&
1068 p[1] == MBEDTLS_SSL_MINOR_VERSION_3 ) )
1069 {
1070 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Unsupported version of TLS." ) );
1071 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION,
1072 MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION );
1073 return( MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION );
1074 }
1075 p += 2;
1076
1077 /* ...
1078 * Random random;
1079 * ...
1080 * with Random defined as:
1081 * opaque Random[MBEDTLS_SERVER_HELLO_RANDOM_LEN];
1082 */
1083 memcpy( &ssl->handshake->randbytes[MBEDTLS_CLIENT_HELLO_RANDOM_LEN], p,
1084 MBEDTLS_SERVER_HELLO_RANDOM_LEN );
1085 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, random bytes",
1086 p, MBEDTLS_SERVER_HELLO_RANDOM_LEN );
1087 p += MBEDTLS_SERVER_HELLO_RANDOM_LEN;
1088
1089 /* ...
1090 * opaque legacy_session_id_echo<0..32>;
1091 * ...
1092 */
1093 if( ssl_tls13_check_server_hello_session_id_echo( ssl, &p, end ) != 0 )
1094 {
1095 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
1096 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
1097 return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
1098 }
1099
1100 /* ...
1101 * CipherSuite cipher_suite;
1102 * ...
1103 * with CipherSuite defined as:
1104 * uint8 CipherSuite[2];
1105 */
1106 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
1107 cipher_suite = MBEDTLS_GET_UINT16_BE( p, 0 );
1108 p += 2;
1109
1110
1111 /*
1112 * Check whether this ciphersuite is supported and offered.
1113 * Via the force_ciphersuite version we may have instructed the client
1114 * to use a different ciphersuite.
1115 */
1116 ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( cipher_suite );
1117 if( ciphersuite_info == NULL ||
1118 ssl_tls13_cipher_suite_is_offered( ssl, cipher_suite ) == 0 )
1119 {
1120 MBEDTLS_SSL_DEBUG_MSG( 1, ( "ciphersuite(%04x) not found or not offered",
1121 cipher_suite ) );
1122
1123 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
1124 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
1125 return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
1126 }
1127
1128
1129 /* Configure ciphersuites */
1130 mbedtls_ssl_optimize_checksum( ssl, ciphersuite_info );
1131
1132 ssl->handshake->ciphersuite_info = ciphersuite_info;
1133 ssl->session_negotiate->ciphersuite = cipher_suite;
1134
1135 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: ( %04x ) - %s",
1136 cipher_suite, ciphersuite_info->name ) );
1137
1138 #if defined(MBEDTLS_HAVE_TIME)
1139 ssl->session_negotiate->start = time( NULL );
1140 #endif /* MBEDTLS_HAVE_TIME */
1141
1142 /* ...
1143 * uint8 legacy_compression_method = 0;
1144 * ...
1145 */
1146 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 1 );
1147 if( p[0] != 0 )
1148 {
1149 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad legacy compression method" ) );
1150 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
1151 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
1152 return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
1153 }
1154 p++;
1155
1156 /* ...
1157 * Extension extensions<6..2^16-1>;
1158 * ...
1159 * struct {
1160 * ExtensionType extension_type; (2 bytes)
1161 * opaque extension_data<0..2^16-1>;
1162 * } Extension;
1163 */
1164 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
1165 extensions_len = MBEDTLS_GET_UINT16_BE( p, 0 );
1166 p += 2;
1167
1168 /* Check extensions do not go beyond the buffer of data. */
1169 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, extensions_len );
1170 extensions_end = p + extensions_len;
1171
1172 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello extensions", p, extensions_len );
1173
1174 while( p < extensions_end )
1175 {
1176 unsigned int extension_type;
1177 size_t extension_data_len;
1178
1179 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, 4 );
1180 extension_type = MBEDTLS_GET_UINT16_BE( p, 0 );
1181 extension_data_len = MBEDTLS_GET_UINT16_BE( p, 2 );
1182 p += 4;
1183
1184 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, extension_data_len );
1185
1186 switch( extension_type )
1187 {
1188 case MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS:
1189 MBEDTLS_SSL_DEBUG_MSG( 3,
1190 ( "found supported_versions extension" ) );
1191
1192 ret = ssl_tls13_parse_supported_versions_ext( ssl,
1193 p,
1194 p + extension_data_len );
1195 if( ret != 0 )
1196 return( ret );
1197 break;
1198
1199 case MBEDTLS_TLS_EXT_PRE_SHARED_KEY:
1200 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found pre_shared_key extension." ) );
1201 MBEDTLS_SSL_DEBUG_MSG( 3, ( "pre_shared_key:Not supported yet" ) );
1202
1203 MBEDTLS_SSL_PEND_FATAL_ALERT(
1204 MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT,
1205 MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION );
1206 return( MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION );
1207
1208 #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
1209 case MBEDTLS_TLS_EXT_KEY_SHARE:
1210 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found key_shares extension" ) );
1211 if( ( ret = ssl_tls13_parse_key_share_ext( ssl,
1212 p, p + extension_data_len ) ) != 0 )
1213 {
1214 MBEDTLS_SSL_DEBUG_RET( 1,
1215 "ssl_tls13_parse_key_share_ext",
1216 ret );
1217 return( ret );
1218 }
1219 break;
1220 #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
1221
1222 default:
1223 MBEDTLS_SSL_DEBUG_MSG(
1224 3,
1225 ( "unknown extension found: %u ( ignoring )",
1226 extension_type ) );
1227
1228 MBEDTLS_SSL_PEND_FATAL_ALERT(
1229 MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT,
1230 MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION );
1231 return( MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION );
1232 }
1233
1234 p += extension_data_len;
1235 }
1236
1237 return( 0 );
1238 }
1239
ssl_tls13_finalize_server_hello(mbedtls_ssl_context * ssl)1240 static int ssl_tls13_finalize_server_hello( mbedtls_ssl_context *ssl )
1241 {
1242 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1243 mbedtls_ssl_key_set traffic_keys;
1244 mbedtls_ssl_transform *transform_handshake = NULL;
1245 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
1246
1247 /* Determine the key exchange mode:
1248 * 1) If both the pre_shared_key and key_share extensions were received
1249 * then the key exchange mode is PSK with EPHEMERAL.
1250 * 2) If only the pre_shared_key extension was received then the key
1251 * exchange mode is PSK-only.
1252 * 3) If only the key_share extension was received then the key
1253 * exchange mode is EPHEMERAL-only.
1254 */
1255 switch( handshake->extensions_present &
1256 ( MBEDTLS_SSL_EXT_PRE_SHARED_KEY | MBEDTLS_SSL_EXT_KEY_SHARE ) )
1257 {
1258 /* Only the pre_shared_key extension was received */
1259 case MBEDTLS_SSL_EXT_PRE_SHARED_KEY:
1260 handshake->tls1_3_kex_modes = MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_PSK;
1261 break;
1262
1263 /* Only the key_share extension was received */
1264 case MBEDTLS_SSL_EXT_KEY_SHARE:
1265 handshake->tls1_3_kex_modes = MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_EPHEMERAL;
1266 break;
1267
1268 /* Both the pre_shared_key and key_share extensions were received */
1269 case ( MBEDTLS_SSL_EXT_PRE_SHARED_KEY | MBEDTLS_SSL_EXT_KEY_SHARE ):
1270 handshake->tls1_3_kex_modes = MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_PSK_EPHEMERAL;
1271 break;
1272
1273 /* Neither pre_shared_key nor key_share extension was received */
1274 default:
1275 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Unknown key exchange." ) );
1276 ret = MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
1277 goto cleanup;
1278 }
1279
1280 /* Start the TLS 1.3 key schedule: Set the PSK and derive early secret.
1281 *
1282 * TODO: We don't have to do this in case we offered 0-RTT and the
1283 * server accepted it. In this case, we could skip generating
1284 * the early secret. */
1285 ret = mbedtls_ssl_tls1_3_key_schedule_stage_early( ssl );
1286 if( ret != 0 )
1287 {
1288 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls1_3_key_schedule_stage_early_data",
1289 ret );
1290 goto cleanup;
1291 }
1292
1293 /* Compute handshake secret */
1294 ret = mbedtls_ssl_tls13_key_schedule_stage_handshake( ssl );
1295 if( ret != 0 )
1296 {
1297 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls1_3_derive_master_secret", ret );
1298 goto cleanup;
1299 }
1300
1301 /* Next evolution in key schedule: Establish handshake secret and
1302 * key material. */
1303 ret = mbedtls_ssl_tls13_generate_handshake_keys( ssl, &traffic_keys );
1304 if( ret != 0 )
1305 {
1306 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_generate_handshake_keys",
1307 ret );
1308 goto cleanup;
1309 }
1310
1311 transform_handshake = mbedtls_calloc( 1, sizeof( mbedtls_ssl_transform ) );
1312 if( transform_handshake == NULL )
1313 {
1314 ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
1315 goto cleanup;
1316 }
1317
1318 ret = mbedtls_ssl_tls13_populate_transform( transform_handshake,
1319 ssl->conf->endpoint,
1320 ssl->session_negotiate->ciphersuite,
1321 &traffic_keys,
1322 ssl );
1323 if( ret != 0 )
1324 {
1325 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_populate_transform", ret );
1326 goto cleanup;
1327 }
1328
1329 handshake->transform_handshake = transform_handshake;
1330 mbedtls_ssl_set_inbound_transform( ssl, transform_handshake );
1331
1332 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Switch to handshake keys for inbound traffic" ) );
1333 ssl->session_in = ssl->session_negotiate;
1334
1335 /*
1336 * State machine update
1337 */
1338 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_ENCRYPTED_EXTENSIONS );
1339
1340 cleanup:
1341
1342 mbedtls_platform_zeroize( &traffic_keys, sizeof( traffic_keys ) );
1343 if( ret != 0 )
1344 {
1345 mbedtls_free( transform_handshake );
1346
1347 MBEDTLS_SSL_PEND_FATAL_ALERT(
1348 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
1349 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
1350 }
1351 return( ret );
1352 }
1353
1354 /*
1355 * Wait and parse ServerHello handshake message.
1356 * Handler for MBEDTLS_SSL_SERVER_HELLO
1357 */
ssl_tls1_3_process_server_hello(mbedtls_ssl_context * ssl)1358 static int ssl_tls1_3_process_server_hello( mbedtls_ssl_context *ssl )
1359 {
1360 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1361 unsigned char *buf;
1362 size_t buf_len;
1363
1364 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> %s", __func__ ) );
1365
1366 /* Coordination step
1367 * - Fetch record
1368 * - Make sure it's either a ServerHello or a HRR.
1369 * - Switch processing routine in case of HRR
1370 */
1371 ssl->major_ver = MBEDTLS_SSL_MAJOR_VERSION_3;
1372 ssl->handshake->extensions_present = MBEDTLS_SSL_EXT_NONE;
1373
1374 ret = ssl_tls13_server_hello_coordinate( ssl, &buf, &buf_len );
1375 /* Parsing step
1376 * We know what message to expect by now and call
1377 * the respective parsing function.
1378 */
1379 if( ret == SSL_SERVER_HELLO_COORDINATE_HELLO )
1380 {
1381 MBEDTLS_SSL_PROC_CHK( ssl_tls13_parse_server_hello( ssl, buf,
1382 buf + buf_len ) );
1383
1384 mbedtls_ssl_tls1_3_add_hs_msg_to_checksum( ssl,
1385 MBEDTLS_SSL_HS_SERVER_HELLO,
1386 buf, buf_len );
1387
1388 MBEDTLS_SSL_PROC_CHK( ssl_tls13_finalize_server_hello( ssl ) );
1389 }
1390 else if( ret == SSL_SERVER_HELLO_COORDINATE_HRR )
1391 {
1392 MBEDTLS_SSL_DEBUG_MSG( 1, ( "HRR not supported" ) );
1393 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ,
1394 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
1395 ret = MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
1396 }
1397
1398 cleanup:
1399 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= %s", __func__ ) );
1400 return( ret );
1401 }
1402
1403 /*
1404 *
1405 * EncryptedExtensions message
1406 *
1407 * The EncryptedExtensions message contains any extensions which
1408 * should be protected, i.e., any which are not needed to establish
1409 * the cryptographic context.
1410 */
1411
1412 /*
1413 * Overview
1414 */
1415
1416 /* Main entry point; orchestrates the other functions */
1417 static int ssl_tls13_process_encrypted_extensions( mbedtls_ssl_context *ssl );
1418
1419 static int ssl_tls13_parse_encrypted_extensions( mbedtls_ssl_context *ssl,
1420 const unsigned char *buf,
1421 const unsigned char *end );
1422 static int ssl_tls13_postprocess_encrypted_extensions( mbedtls_ssl_context *ssl );
1423
1424 /*
1425 * Handler for MBEDTLS_SSL_ENCRYPTED_EXTENSIONS
1426 */
ssl_tls13_process_encrypted_extensions(mbedtls_ssl_context * ssl)1427 static int ssl_tls13_process_encrypted_extensions( mbedtls_ssl_context *ssl )
1428 {
1429 int ret;
1430 unsigned char *buf;
1431 size_t buf_len;
1432
1433 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse encrypted extensions" ) );
1434
1435 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls1_3_fetch_handshake_msg( ssl,
1436 MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS,
1437 &buf, &buf_len ) );
1438
1439 /* Process the message contents */
1440 MBEDTLS_SSL_PROC_CHK(
1441 ssl_tls13_parse_encrypted_extensions( ssl, buf, buf + buf_len ) );
1442
1443 mbedtls_ssl_tls1_3_add_hs_msg_to_checksum(
1444 ssl, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS, buf, buf_len );
1445
1446 MBEDTLS_SSL_PROC_CHK( ssl_tls13_postprocess_encrypted_extensions( ssl ) );
1447
1448 cleanup:
1449
1450 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse encrypted extensions" ) );
1451 return( ret );
1452
1453 }
1454
1455 /* Parse EncryptedExtensions message
1456 * struct {
1457 * Extension extensions<0..2^16-1>;
1458 * } EncryptedExtensions;
1459 */
ssl_tls13_parse_encrypted_extensions(mbedtls_ssl_context * ssl,const unsigned char * buf,const unsigned char * end)1460 static int ssl_tls13_parse_encrypted_extensions( mbedtls_ssl_context *ssl,
1461 const unsigned char *buf,
1462 const unsigned char *end )
1463 {
1464 int ret = 0;
1465 size_t extensions_len;
1466 const unsigned char *p = buf;
1467 const unsigned char *extensions_end;
1468
1469 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
1470 extensions_len = MBEDTLS_GET_UINT16_BE( p, 0 );
1471 p += 2;
1472
1473 MBEDTLS_SSL_DEBUG_BUF( 3, "encrypted extensions", p, extensions_len );
1474 extensions_end = p + extensions_len;
1475 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, extensions_len );
1476
1477 while( p < extensions_end )
1478 {
1479 unsigned int extension_type;
1480 size_t extension_data_len;
1481
1482 /*
1483 * struct {
1484 * ExtensionType extension_type; (2 bytes)
1485 * opaque extension_data<0..2^16-1>;
1486 * } Extension;
1487 */
1488 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, 4 );
1489 extension_type = MBEDTLS_GET_UINT16_BE( p, 0 );
1490 extension_data_len = MBEDTLS_GET_UINT16_BE( p, 2 );
1491 p += 4;
1492
1493 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, extension_data_len );
1494
1495 /* The client MUST check EncryptedExtensions for the
1496 * presence of any forbidden extensions and if any are found MUST abort
1497 * the handshake with an "unsupported_extension" alert.
1498 */
1499 switch( extension_type )
1500 {
1501
1502 case MBEDTLS_TLS_EXT_SUPPORTED_GROUPS:
1503 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found extensions supported groups" ) );
1504 break;
1505
1506 default:
1507 MBEDTLS_SSL_DEBUG_MSG(
1508 3, ( "unsupported extension found: %u ", extension_type) );
1509 MBEDTLS_SSL_PEND_FATAL_ALERT(
1510 MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT,
1511 MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION );
1512 return ( MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION );
1513 }
1514
1515 p += extension_data_len;
1516 }
1517
1518 /* Check that we consumed all the message. */
1519 if( p != end )
1520 {
1521 MBEDTLS_SSL_DEBUG_MSG( 1, ( "EncryptedExtension lengths misaligned" ) );
1522 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
1523 MBEDTLS_ERR_SSL_DECODE_ERROR );
1524 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
1525 }
1526
1527 return( ret );
1528 }
1529
ssl_tls13_postprocess_encrypted_extensions(mbedtls_ssl_context * ssl)1530 static int ssl_tls13_postprocess_encrypted_extensions( mbedtls_ssl_context *ssl )
1531 {
1532 #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
1533 if( mbedtls_ssl_tls1_3_some_psk_enabled( ssl ) )
1534 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_FINISHED );
1535 else
1536 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CERTIFICATE_REQUEST );
1537 #else
1538 ((void) ssl);
1539 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_FINISHED );
1540 #endif
1541 return( 0 );
1542 }
1543
1544 #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
1545 /*
1546 * Handler for MBEDTLS_SSL_CERTIFICATE_REQUEST
1547 */
ssl_tls13_process_certificate_request(mbedtls_ssl_context * ssl)1548 static int ssl_tls13_process_certificate_request( mbedtls_ssl_context *ssl )
1549 {
1550 int ret = mbedtls_ssl_read_record( ssl, 0 );
1551
1552 if( ret != 0 )
1553 {
1554 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
1555 return( ret );
1556 }
1557
1558 if( ( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE ) &&
1559 ( ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE_REQUEST ) )
1560 {
1561 MBEDTLS_SSL_DEBUG_MSG( 1, ( "CertificateRequest not supported" ) );
1562 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
1563 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
1564 return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
1565 }
1566
1567 ssl->keep_current_message = 1;
1568 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_CERTIFICATE );
1569
1570 return( 0 );
1571 }
1572
1573 /*
1574 * Handler for MBEDTLS_SSL_SERVER_CERTIFICATE
1575 */
ssl_tls1_3_process_server_certificate(mbedtls_ssl_context * ssl)1576 static int ssl_tls1_3_process_server_certificate( mbedtls_ssl_context *ssl )
1577 {
1578 int ret;
1579
1580 ret = mbedtls_ssl_tls13_process_certificate( ssl );
1581 if( ret != 0 )
1582 return( ret );
1583
1584 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CERTIFICATE_VERIFY );
1585 return( 0 );
1586 }
1587
1588 /*
1589 * Handler for MBEDTLS_SSL_CERTIFICATE_VERIFY
1590 */
ssl_tls1_3_process_certificate_verify(mbedtls_ssl_context * ssl)1591 static int ssl_tls1_3_process_certificate_verify( mbedtls_ssl_context *ssl )
1592 {
1593 int ret;
1594
1595 ret = mbedtls_ssl_tls13_process_certificate_verify( ssl );
1596 if( ret != 0 )
1597 return( ret );
1598
1599 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_FINISHED );
1600 return( 0 );
1601 }
1602 #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
1603 /*
1604 * Handler for MBEDTLS_SSL_SERVER_FINISHED
1605 */
ssl_tls1_3_process_server_finished(mbedtls_ssl_context * ssl)1606 static int ssl_tls1_3_process_server_finished( mbedtls_ssl_context *ssl )
1607 {
1608 int ret;
1609
1610 ret = mbedtls_ssl_tls13_process_finished_message( ssl );
1611 if( ret != 0 )
1612 return( ret );
1613
1614 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_FINISHED );
1615 return( 0 );
1616 }
1617
1618 /*
1619 * Handler for MBEDTLS_SSL_CLIENT_FINISHED
1620 */
ssl_tls1_3_write_client_finished(mbedtls_ssl_context * ssl)1621 static int ssl_tls1_3_write_client_finished( mbedtls_ssl_context *ssl )
1622 {
1623 MBEDTLS_SSL_DEBUG_MSG( 1, ( "%s hasn't been implemented", __func__ ) );
1624 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_FLUSH_BUFFERS );
1625 return( 0 );
1626 }
1627
1628 /*
1629 * Handler for MBEDTLS_SSL_FLUSH_BUFFERS
1630 */
ssl_tls1_3_flush_buffers(mbedtls_ssl_context * ssl)1631 static int ssl_tls1_3_flush_buffers( mbedtls_ssl_context *ssl )
1632 {
1633 MBEDTLS_SSL_DEBUG_MSG( 1, ( "%s hasn't been implemented", __func__ ) );
1634 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_HANDSHAKE_WRAPUP );
1635 return( 0 );
1636 }
1637
1638 /*
1639 * Handler for MBEDTLS_SSL_HANDSHAKE_WRAPUP
1640 */
ssl_tls1_3_handshake_wrapup(mbedtls_ssl_context * ssl)1641 static int ssl_tls1_3_handshake_wrapup( mbedtls_ssl_context *ssl )
1642 {
1643 ((void) ssl);
1644 MBEDTLS_SSL_DEBUG_MSG( 1, ( "%s hasn't been implemented", __func__ ) );
1645 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
1646 }
1647
mbedtls_ssl_tls13_handshake_client_step(mbedtls_ssl_context * ssl)1648 int mbedtls_ssl_tls13_handshake_client_step( mbedtls_ssl_context *ssl )
1649 {
1650 int ret = 0;
1651
1652 MBEDTLS_SSL_DEBUG_MSG( 2, ( "tls1_3 client state: %d", ssl->state ) );
1653
1654 switch( ssl->state )
1655 {
1656 /*
1657 * ssl->state is initialized as HELLO_REQUEST. It is the same
1658 * as CLIENT_HELLO state.
1659 */
1660 case MBEDTLS_SSL_HELLO_REQUEST:
1661 case MBEDTLS_SSL_CLIENT_HELLO:
1662 ret = ssl_tls13_write_client_hello( ssl );
1663 break;
1664
1665 case MBEDTLS_SSL_SERVER_HELLO:
1666 ret = ssl_tls1_3_process_server_hello( ssl );
1667 break;
1668
1669 case MBEDTLS_SSL_ENCRYPTED_EXTENSIONS:
1670 ret = ssl_tls13_process_encrypted_extensions( ssl );
1671 break;
1672
1673 #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
1674 case MBEDTLS_SSL_CERTIFICATE_REQUEST:
1675 ret = ssl_tls13_process_certificate_request( ssl );
1676 break;
1677
1678 case MBEDTLS_SSL_SERVER_CERTIFICATE:
1679 ret = ssl_tls1_3_process_server_certificate( ssl );
1680 break;
1681
1682 case MBEDTLS_SSL_CERTIFICATE_VERIFY:
1683 ret = ssl_tls1_3_process_certificate_verify( ssl );
1684 break;
1685 #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
1686
1687 case MBEDTLS_SSL_SERVER_FINISHED:
1688 ret = ssl_tls1_3_process_server_finished( ssl );
1689 break;
1690
1691 case MBEDTLS_SSL_CLIENT_FINISHED:
1692 ret = ssl_tls1_3_write_client_finished( ssl );
1693 break;
1694
1695 case MBEDTLS_SSL_FLUSH_BUFFERS:
1696 ret = ssl_tls1_3_flush_buffers( ssl );
1697 break;
1698
1699 case MBEDTLS_SSL_HANDSHAKE_WRAPUP:
1700 ret = ssl_tls1_3_handshake_wrapup( ssl );
1701 break;
1702
1703 default:
1704 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) );
1705 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
1706 }
1707
1708 return( ret );
1709 }
1710
1711 #endif /* MBEDTLS_SSL_CLI_C */
1712
1713 #endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
1714