/* * TLS 1.3 client-side functions * * Copyright The Mbed TLS Contributors * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later */ #include "common.h" #if defined(MBEDTLS_SSL_CLI_C) && defined(MBEDTLS_SSL_PROTO_TLS1_3) #include <string.h> #include "debug_internal.h" #include "mbedtls/error.h" #include "mbedtls/platform.h" #include "ssl_misc.h" #include "ssl_client.h" #include "ssl_tls13_keys.h" #include "ssl_debug_helpers.h" #include "mbedtls/psa_util.h" #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED) /* Define a local translating function to save code size by not using too many * arguments in each translating place. */ static int local_err_translation(psa_status_t status) { … } #define PSA_TO_MBEDTLS_ERR(status) … #endif /* Write extensions */ /* * ssl_tls13_write_supported_versions_ext(): * * struct { * ProtocolVersion versions<2..254>; * } SupportedVersions; */ MBEDTLS_CHECK_RETURN_CRITICAL static int ssl_tls13_write_supported_versions_ext(mbedtls_ssl_context *ssl, unsigned char *buf, unsigned char *end, size_t *out_len) { … } MBEDTLS_CHECK_RETURN_CRITICAL static int ssl_tls13_parse_supported_versions_ext(mbedtls_ssl_context *ssl, const unsigned char *buf, const unsigned char *end) { … } #if defined(MBEDTLS_SSL_ALPN) MBEDTLS_CHECK_RETURN_CRITICAL static int ssl_tls13_parse_alpn_ext(mbedtls_ssl_context *ssl, const unsigned char *buf, size_t len) { … } #endif /* MBEDTLS_SSL_ALPN */ MBEDTLS_CHECK_RETURN_CRITICAL static int ssl_tls13_reset_key_share(mbedtls_ssl_context *ssl) { … } /* * Functions for writing key_share extension. */ #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED) MBEDTLS_CHECK_RETURN_CRITICAL static int ssl_tls13_get_default_group_id(mbedtls_ssl_context *ssl, uint16_t *group_id) { … } /* * ssl_tls13_write_key_share_ext * * Structure of key_share extension in ClientHello: * * struct { * NamedGroup group; * opaque key_exchange<1..2^16-1>; * } KeyShareEntry; * struct { * KeyShareEntry client_shares<0..2^16-1>; * } KeyShareClientHello; */ MBEDTLS_CHECK_RETURN_CRITICAL static int ssl_tls13_write_key_share_ext(mbedtls_ssl_context *ssl, unsigned char *buf, unsigned char *end, size_t *out_len) { … } #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED */ /* * ssl_tls13_parse_hrr_key_share_ext() * Parse key_share extension in Hello Retry Request * * struct { * NamedGroup selected_group; * } KeyShareHelloRetryRequest; */ MBEDTLS_CHECK_RETURN_CRITICAL static int ssl_tls13_parse_hrr_key_share_ext(mbedtls_ssl_context *ssl, const unsigned char *buf, const unsigned char *end) { … } /* * ssl_tls13_parse_key_share_ext() * Parse key_share extension in Server Hello * * struct { * KeyShareEntry server_share; * } KeyShareServerHello; * struct { * NamedGroup group; * opaque key_exchange<1..2^16-1>; * } KeyShareEntry; */ MBEDTLS_CHECK_RETURN_CRITICAL static int ssl_tls13_parse_key_share_ext(mbedtls_ssl_context *ssl, const unsigned char *buf, const unsigned char *end) { … } /* * ssl_tls13_parse_cookie_ext() * Parse cookie extension in Hello Retry Request * * struct { * opaque cookie<1..2^16-1>; * } Cookie; * * When sending a HelloRetryRequest, the server MAY provide a "cookie" * extension to the client (this is an exception to the usual rule that * the only extensions that may be sent are those that appear in the * ClientHello). When sending the new ClientHello, the client MUST copy * the contents of the extension received in the HelloRetryRequest into * a "cookie" extension in the new ClientHello. Clients MUST NOT use * cookies in their initial ClientHello in subsequent connections. */ MBEDTLS_CHECK_RETURN_CRITICAL static int ssl_tls13_parse_cookie_ext(mbedtls_ssl_context *ssl, const unsigned char *buf, const unsigned char *end) { … } MBEDTLS_CHECK_RETURN_CRITICAL static int ssl_tls13_write_cookie_ext(mbedtls_ssl_context *ssl, unsigned char *buf, unsigned char *end, size_t *out_len) { … } #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED) /* * ssl_tls13_write_psk_key_exchange_modes_ext() structure: * * enum { psk_ke( 0 ), psk_dhe_ke( 1 ), ( 255 ) } PskKeyExchangeMode; * * struct { * PskKeyExchangeMode ke_modes<1..255>; * } PskKeyExchangeModes; */ MBEDTLS_CHECK_RETURN_CRITICAL static int ssl_tls13_write_psk_key_exchange_modes_ext(mbedtls_ssl_context *ssl, unsigned char *buf, unsigned char *end, size_t *out_len) { … } #if defined(MBEDTLS_SSL_SESSION_TICKETS) static psa_algorithm_t ssl_tls13_get_ciphersuite_hash_alg(int ciphersuite) { … } static int ssl_tls13_has_configured_ticket(mbedtls_ssl_context *ssl) { … } #if defined(MBEDTLS_SSL_EARLY_DATA) static int ssl_tls13_early_data_has_valid_ticket(mbedtls_ssl_context *ssl) { mbedtls_ssl_session *session = ssl->session_negotiate; return ssl->handshake->resume && session->tls_version == MBEDTLS_SSL_VERSION_TLS1_3 && mbedtls_ssl_tls13_session_ticket_allow_early_data(session) && mbedtls_ssl_tls13_cipher_suite_is_offered(ssl, session->ciphersuite); } #endif MBEDTLS_CHECK_RETURN_CRITICAL static int ssl_tls13_ticket_get_identity(mbedtls_ssl_context *ssl, psa_algorithm_t *hash_alg, const unsigned char **identity, size_t *identity_len) { … } MBEDTLS_CHECK_RETURN_CRITICAL static int ssl_tls13_ticket_get_psk(mbedtls_ssl_context *ssl, psa_algorithm_t *hash_alg, const unsigned char **psk, size_t *psk_len) { … } #endif /* MBEDTLS_SSL_SESSION_TICKETS */ MBEDTLS_CHECK_RETURN_CRITICAL static int ssl_tls13_psk_get_identity(mbedtls_ssl_context *ssl, psa_algorithm_t *hash_alg, const unsigned char **identity, size_t *identity_len) { … } MBEDTLS_CHECK_RETURN_CRITICAL static int ssl_tls13_psk_get_psk(mbedtls_ssl_context *ssl, psa_algorithm_t *hash_alg, const unsigned char **psk, size_t *psk_len) { … } static int ssl_tls13_get_configured_psk_count(mbedtls_ssl_context *ssl) { … } MBEDTLS_CHECK_RETURN_CRITICAL static int ssl_tls13_write_identity(mbedtls_ssl_context *ssl, unsigned char *buf, unsigned char *end, const unsigned char *identity, size_t identity_len, uint32_t obfuscated_ticket_age, size_t *out_len) { … } MBEDTLS_CHECK_RETURN_CRITICAL static int ssl_tls13_write_binder(mbedtls_ssl_context *ssl, unsigned char *buf, unsigned char *end, int psk_type, psa_algorithm_t hash_alg, const unsigned char *psk, size_t psk_len, size_t *out_len) { … } /* * mbedtls_ssl_tls13_write_identities_of_pre_shared_key_ext() structure: * * struct { * opaque identity<1..2^16-1>; * uint32 obfuscated_ticket_age; * } PskIdentity; * * opaque PskBinderEntry<32..255>; * * struct { * PskIdentity identities<7..2^16-1>; * PskBinderEntry binders<33..2^16-1>; * } OfferedPsks; * * struct { * select (Handshake.msg_type) { * case client_hello: OfferedPsks; * ... * }; * } PreSharedKeyExtension; * */ int mbedtls_ssl_tls13_write_identities_of_pre_shared_key_ext( mbedtls_ssl_context *ssl, unsigned char *buf, unsigned char *end, size_t *out_len, size_t *binders_len) { … } int mbedtls_ssl_tls13_write_binders_of_pre_shared_key_ext( mbedtls_ssl_context *ssl, unsigned char *buf, unsigned char *end) { … } /* * struct { * opaque identity<1..2^16-1>; * uint32 obfuscated_ticket_age; * } PskIdentity; * * opaque PskBinderEntry<32..255>; * * struct { * * select (Handshake.msg_type) { * ... * case server_hello: uint16 selected_identity; * }; * * } PreSharedKeyExtension; * */ MBEDTLS_CHECK_RETURN_CRITICAL static int ssl_tls13_parse_server_pre_shared_key_ext(mbedtls_ssl_context *ssl, const unsigned char *buf, const unsigned char *end) { … } #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */ int mbedtls_ssl_tls13_write_client_hello_exts(mbedtls_ssl_context *ssl, unsigned char *buf, unsigned char *end, size_t *out_len) { … } int mbedtls_ssl_tls13_finalize_client_hello(mbedtls_ssl_context *ssl) { … } /* * Functions for parsing and processing Server Hello */ /** * \brief Detect if the ServerHello contains a supported_versions extension * or not. * * \param[in] ssl SSL context * \param[in] buf Buffer containing the ServerHello message * \param[in] end End of the buffer containing the ServerHello message * * \return 0 if the ServerHello does not contain a supported_versions extension * \return 1 if the ServerHello contains a supported_versions extension * \return A negative value if an error occurred while parsing the ServerHello. */ MBEDTLS_CHECK_RETURN_CRITICAL static int ssl_tls13_is_supported_versions_ext_present( mbedtls_ssl_context *ssl, const unsigned char *buf, const unsigned char *end) { … } /* Returns a negative value on failure, and otherwise * - 1 if the last eight bytes of the ServerHello random bytes indicate that * the server is TLS 1.3 capable but negotiating TLS 1.2 or below. * - 0 otherwise */ MBEDTLS_CHECK_RETURN_CRITICAL static int ssl_tls13_is_downgrade_negotiation(mbedtls_ssl_context *ssl, const unsigned char *buf, const unsigned char *end) { … } /* Returns a negative value on failure, and otherwise * - SSL_SERVER_HELLO or * - SSL_SERVER_HELLO_HRR * to indicate which message is expected and to be parsed next. */ #define SSL_SERVER_HELLO … #define SSL_SERVER_HELLO_HRR … MBEDTLS_CHECK_RETURN_CRITICAL static int ssl_server_hello_is_hrr(mbedtls_ssl_context *ssl, const unsigned char *buf, const unsigned char *end) { … } /* * Returns a negative value on failure, and otherwise * - SSL_SERVER_HELLO or * - SSL_SERVER_HELLO_HRR or * - SSL_SERVER_HELLO_TLS1_2 */ #define SSL_SERVER_HELLO_TLS1_2 … MBEDTLS_CHECK_RETURN_CRITICAL static int ssl_tls13_preprocess_server_hello(mbedtls_ssl_context *ssl, const unsigned char *buf, const unsigned char *end) { … } MBEDTLS_CHECK_RETURN_CRITICAL static int ssl_tls13_check_server_hello_session_id_echo(mbedtls_ssl_context *ssl, const unsigned char **buf, const unsigned char *end) { … } /* Parse ServerHello message and configure context * * struct { * ProtocolVersion legacy_version = 0x0303; // TLS 1.2 * Random random; * opaque legacy_session_id_echo<0..32>; * CipherSuite cipher_suite; * uint8 legacy_compression_method = 0; * Extension extensions<6..2^16-1>; * } ServerHello; */ MBEDTLS_CHECK_RETURN_CRITICAL static int ssl_tls13_parse_server_hello(mbedtls_ssl_context *ssl, const unsigned char *buf, const unsigned char *end, int is_hrr) { … } #if defined(MBEDTLS_DEBUG_C) static const char *ssl_tls13_get_kex_mode_str(int mode) { … } #endif /* MBEDTLS_DEBUG_C */ MBEDTLS_CHECK_RETURN_CRITICAL static int ssl_tls13_postprocess_server_hello(mbedtls_ssl_context *ssl) { … } MBEDTLS_CHECK_RETURN_CRITICAL static int ssl_tls13_postprocess_hrr(mbedtls_ssl_context *ssl) { … } /* * Wait and parse ServerHello handshake message. * Handler for MBEDTLS_SSL_SERVER_HELLO */ MBEDTLS_CHECK_RETURN_CRITICAL static int ssl_tls13_process_server_hello(mbedtls_ssl_context *ssl) { … } /* * * Handler for MBEDTLS_SSL_ENCRYPTED_EXTENSIONS * * The EncryptedExtensions message contains any extensions which * should be protected, i.e., any which are not needed to establish * the cryptographic context. */ /* Parse EncryptedExtensions message * struct { * Extension extensions<0..2^16-1>; * } EncryptedExtensions; */ MBEDTLS_CHECK_RETURN_CRITICAL static int ssl_tls13_parse_encrypted_extensions(mbedtls_ssl_context *ssl, const unsigned char *buf, const unsigned char *end) { … } MBEDTLS_CHECK_RETURN_CRITICAL static int ssl_tls13_process_encrypted_extensions(mbedtls_ssl_context *ssl) { … } #if defined(MBEDTLS_SSL_EARLY_DATA) /* * Handler for MBEDTLS_SSL_END_OF_EARLY_DATA * * RFC 8446 section 4.5 * * struct {} EndOfEarlyData; * * If the server sent an "early_data" extension in EncryptedExtensions, the * client MUST send an EndOfEarlyData message after receiving the server * Finished. Otherwise, the client MUST NOT send an EndOfEarlyData message. */ MBEDTLS_CHECK_RETURN_CRITICAL static int ssl_tls13_write_end_of_early_data(mbedtls_ssl_context *ssl) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; unsigned char *buf = NULL; size_t buf_len; MBEDTLS_SSL_DEBUG_MSG(2, ("=> write EndOfEarlyData")); MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_start_handshake_msg( ssl, MBEDTLS_SSL_HS_END_OF_EARLY_DATA, &buf, &buf_len)); MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_hdr_to_checksum( ssl, MBEDTLS_SSL_HS_END_OF_EARLY_DATA, 0)); MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_finish_handshake_msg(ssl, buf_len, 0)); mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE); cleanup: MBEDTLS_SSL_DEBUG_MSG(2, ("<= write EndOfEarlyData")); return ret; } int mbedtls_ssl_get_early_data_status(mbedtls_ssl_context *ssl) { if ((ssl->conf->endpoint != MBEDTLS_SSL_IS_CLIENT) || (!mbedtls_ssl_is_handshake_over(ssl))) { return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; } switch (ssl->early_data_state) { case MBEDTLS_SSL_EARLY_DATA_STATE_NO_IND_SENT: return MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_INDICATED; break; case MBEDTLS_SSL_EARLY_DATA_STATE_REJECTED: return MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED; break; case MBEDTLS_SSL_EARLY_DATA_STATE_SERVER_FINISHED_RECEIVED: return MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED; break; default: return MBEDTLS_ERR_SSL_INTERNAL_ERROR; } } #endif /* MBEDTLS_SSL_EARLY_DATA */ #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED) /* * STATE HANDLING: CertificateRequest * */ #define SSL_CERTIFICATE_REQUEST_EXPECT_REQUEST … #define SSL_CERTIFICATE_REQUEST_SKIP … /* Coordination: * Deals with the ambiguity of not knowing if a CertificateRequest * will be sent. Returns a negative code on failure, or * - SSL_CERTIFICATE_REQUEST_EXPECT_REQUEST * - SSL_CERTIFICATE_REQUEST_SKIP * indicating if a Certificate Request is expected or not. */ MBEDTLS_CHECK_RETURN_CRITICAL static int ssl_tls13_certificate_request_coordinate(mbedtls_ssl_context *ssl) { … } /* * ssl_tls13_parse_certificate_request() * Parse certificate request * struct { * opaque certificate_request_context<0..2^8-1>; * Extension extensions<2..2^16-1>; * } CertificateRequest; */ MBEDTLS_CHECK_RETURN_CRITICAL static int ssl_tls13_parse_certificate_request(mbedtls_ssl_context *ssl, const unsigned char *buf, const unsigned char *end) { … } /* * Handler for MBEDTLS_SSL_CERTIFICATE_REQUEST */ MBEDTLS_CHECK_RETURN_CRITICAL static int ssl_tls13_process_certificate_request(mbedtls_ssl_context *ssl) { … } /* * Handler for MBEDTLS_SSL_SERVER_CERTIFICATE */ MBEDTLS_CHECK_RETURN_CRITICAL static int ssl_tls13_process_server_certificate(mbedtls_ssl_context *ssl) { … } /* * Handler for MBEDTLS_SSL_CERTIFICATE_VERIFY */ MBEDTLS_CHECK_RETURN_CRITICAL static int ssl_tls13_process_certificate_verify(mbedtls_ssl_context *ssl) { … } #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */ /* * Handler for MBEDTLS_SSL_SERVER_FINISHED */ MBEDTLS_CHECK_RETURN_CRITICAL static int ssl_tls13_process_server_finished(mbedtls_ssl_context *ssl) { … } /* * Handler for MBEDTLS_SSL_CLIENT_CERTIFICATE */ MBEDTLS_CHECK_RETURN_CRITICAL static int ssl_tls13_write_client_certificate(mbedtls_ssl_context *ssl) { … } #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED) /* * Handler for MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY */ MBEDTLS_CHECK_RETURN_CRITICAL static int ssl_tls13_write_client_certificate_verify(mbedtls_ssl_context *ssl) { … } #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */ /* * Handler for MBEDTLS_SSL_CLIENT_FINISHED */ MBEDTLS_CHECK_RETURN_CRITICAL static int ssl_tls13_write_client_finished(mbedtls_ssl_context *ssl) { … } /* * Handler for MBEDTLS_SSL_FLUSH_BUFFERS */ MBEDTLS_CHECK_RETURN_CRITICAL static int ssl_tls13_flush_buffers(mbedtls_ssl_context *ssl) { … } /* * Handler for MBEDTLS_SSL_HANDSHAKE_WRAPUP */ MBEDTLS_CHECK_RETURN_CRITICAL static int ssl_tls13_handshake_wrapup(mbedtls_ssl_context *ssl) { … } #if defined(MBEDTLS_SSL_SESSION_TICKETS) #if defined(MBEDTLS_SSL_EARLY_DATA) /* From RFC 8446 section 4.2.10 * * struct { * select (Handshake.msg_type) { * case new_session_ticket: uint32 max_early_data_size; * ... * }; * } EarlyDataIndication; */ MBEDTLS_CHECK_RETURN_CRITICAL static int ssl_tls13_parse_new_session_ticket_early_data_ext( mbedtls_ssl_context *ssl, const unsigned char *buf, const unsigned char *end) { mbedtls_ssl_session *session = ssl->session; MBEDTLS_SSL_CHK_BUF_READ_PTR(buf, end, 4); session->max_early_data_size = MBEDTLS_GET_UINT32_BE(buf, 0); mbedtls_ssl_tls13_session_set_ticket_flags( session, MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_EARLY_DATA); MBEDTLS_SSL_DEBUG_MSG( 3, ("received max_early_data_size: %u", (unsigned int) session->max_early_data_size)); return 0; } #endif /* MBEDTLS_SSL_EARLY_DATA */ MBEDTLS_CHECK_RETURN_CRITICAL static int ssl_tls13_parse_new_session_ticket_exts(mbedtls_ssl_context *ssl, const unsigned char *buf, const unsigned char *end) { … } /* * From RFC8446, page 74 * * struct { * uint32 ticket_lifetime; * uint32 ticket_age_add; * opaque ticket_nonce<0..255>; * opaque ticket<1..2^16-1>; * Extension extensions<0..2^16-2>; * } NewSessionTicket; * */ MBEDTLS_CHECK_RETURN_CRITICAL static int ssl_tls13_parse_new_session_ticket(mbedtls_ssl_context *ssl, unsigned char *buf, unsigned char *end, unsigned char **ticket_nonce, size_t *ticket_nonce_len) { … } /* Non negative return values for ssl_tls13_postprocess_new_session_ticket(). * - POSTPROCESS_NEW_SESSION_TICKET_SIGNAL, all good, we have to signal the * application that a valid ticket has been received. * - POSTPROCESS_NEW_SESSION_TICKET_DISCARD, no fatal error, we keep the * connection alive but we do not signal the ticket to the application. */ #define POSTPROCESS_NEW_SESSION_TICKET_SIGNAL … #define POSTPROCESS_NEW_SESSION_TICKET_DISCARD … MBEDTLS_CHECK_RETURN_CRITICAL static int ssl_tls13_postprocess_new_session_ticket(mbedtls_ssl_context *ssl, unsigned char *ticket_nonce, size_t ticket_nonce_len) { … } /* * Handler for MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET */ MBEDTLS_CHECK_RETURN_CRITICAL static int ssl_tls13_process_new_session_ticket(mbedtls_ssl_context *ssl) { … } #endif /* MBEDTLS_SSL_SESSION_TICKETS */ int mbedtls_ssl_tls13_handshake_client_step(mbedtls_ssl_context *ssl) { … } #endif /* MBEDTLS_SSL_CLI_C && MBEDTLS_SSL_PROTO_TLS1_3 */
Codebase Browser
godot