diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index f9bbf0c8b..350ee2cb2 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -505,6 +505,7 @@ #define MBEDTLS_SSL_HS_CERTIFICATE_VERIFY 15 #define MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE 16 #define MBEDTLS_SSL_HS_FINISHED 20 +#define MBEDTLS_SSL_HS_MESSAGE_HASH 254 /* * TLS extensions @@ -643,6 +644,7 @@ typedef enum MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY, #if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE) MBEDTLS_SSL_CLIENT_CCS_AFTER_SERVER_FINISHED, + MBEDTLS_SSL_CLIENT_CCS_BEFORE_2ND_CLIENT_HELLO, #endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */ #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ } diff --git a/library/ssl_misc.h b/library/ssl_misc.h index 788fafdd9..0c43c795a 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -591,6 +591,11 @@ struct mbedtls_ssl_handshake_params int tls13_kex_modes; /*!< key exchange modes for TLS 1.3 */ #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ +#if defined(MBEDTLS_SSL_CLI_C) + /*!< Number of Hello Retry Request messages received from the server. */ + int hello_retry_request_count; +#endif /* MBEDTLS_SSL_CLI_C */ + #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) mbedtls_ssl_sig_hash_set_t hash_algs; /*!< Set of suitable sig-hash pairs */ @@ -687,15 +692,19 @@ struct mbedtls_ssl_handshake_params } buffering; +#if defined(MBEDTLS_SSL_PROTO_DTLS) || defined(MBEDTLS_SSL_PROTO_TLS1_3) + unsigned char *verify_cookie; /*!< Cli: HelloVerifyRequest cookie + * for dtls / tls 1.3 + * Srv: unused */ + unsigned char verify_cookie_len; /*!< Cli: cookie length for + * dtls / tls 1.3 + * Srv: flag for sending a cookie */ +#endif /* MBEDTLS_SSL_PROTO_DTLS || MBEDTLS_SSL_PROTO_TLS1_3 */ + #if defined(MBEDTLS_SSL_PROTO_DTLS) unsigned int out_msg_seq; /*!< Outgoing handshake sequence number */ unsigned int in_msg_seq; /*!< Incoming handshake sequence number */ - unsigned char *verify_cookie; /*!< Cli: HelloVerifyRequest cookie - Srv: unused */ - unsigned char verify_cookie_len; /*!< Cli: cookie length - Srv: flag for sending a cookie */ - uint32_t retransmit_timeout; /*!< Current value of timeout */ mbedtls_ssl_flight_item *flight; /*!< Current outgoing flight */ mbedtls_ssl_flight_item *cur_msg; /*!< Current message in flight */ @@ -1442,6 +1451,8 @@ void mbedtls_ssl_update_out_pointers( mbedtls_ssl_context *ssl, void mbedtls_ssl_update_in_pointers( mbedtls_ssl_context *ssl ); int mbedtls_ssl_session_reset_int( mbedtls_ssl_context *ssl, int partial ); +void mbedtls_ssl_session_reset_msg_layer( mbedtls_ssl_context *ssl, + int partial ); /* * Send pending alert @@ -1721,6 +1732,8 @@ void mbedtls_ssl_tls13_add_hs_msg_to_checksum( mbedtls_ssl_context *ssl, unsigned char const *msg, size_t msg_len ); +int mbedtls_ssl_reset_transcript_for_hrr( mbedtls_ssl_context *ssl ); + #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 5e8b60b9b..f261a6a89 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -3400,8 +3400,8 @@ error: * If partial is non-zero, keep data in the input buffer and client ID. * (Use when a DTLS client reconnects from the same port.) */ -static void ssl_session_reset_msg_layer( mbedtls_ssl_context *ssl, - int partial ) +void mbedtls_ssl_session_reset_msg_layer( mbedtls_ssl_context *ssl, + int partial ) { #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH) size_t in_buf_len = ssl->in_buf_len; @@ -3453,12 +3453,32 @@ static void ssl_session_reset_msg_layer( mbedtls_ssl_context *ssl, mbedtls_ssl_dtls_replay_reset( ssl ); #endif +#if defined(MBEDTLS_SSL_PROTO_TLS1_2) if( ssl->transform ) { mbedtls_ssl_transform_free( ssl->transform ); mbedtls_free( ssl->transform ); ssl->transform = NULL; } +#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ + +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) + mbedtls_ssl_transform_free( ssl->transform_application ); + mbedtls_free( ssl->transform_application ); + ssl->transform_application = NULL; + + if( ssl->handshake != NULL ) + { + mbedtls_ssl_transform_free( ssl->handshake->transform_earlydata ); + mbedtls_free( ssl->handshake->transform_earlydata ); + ssl->handshake->transform_earlydata = NULL; + + mbedtls_ssl_transform_free( ssl->handshake->transform_handshake ); + mbedtls_free( ssl->handshake->transform_handshake ); + ssl->handshake->transform_handshake = NULL; + } + +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ } int mbedtls_ssl_session_reset_int( mbedtls_ssl_context *ssl, int partial ) @@ -3467,7 +3487,7 @@ int mbedtls_ssl_session_reset_int( mbedtls_ssl_context *ssl, int partial ) ssl->state = MBEDTLS_SSL_HELLO_REQUEST; - ssl_session_reset_msg_layer( ssl, partial ); + mbedtls_ssl_session_reset_msg_layer( ssl, partial ); /* Reset renegotiation state */ #if defined(MBEDTLS_SSL_RENEGOTIATION) @@ -5669,11 +5689,14 @@ void mbedtls_ssl_handshake_free( mbedtls_ssl_context *ssl ) mbedtls_pk_free( &handshake->peer_pubkey ); #endif /* MBEDTLS_X509_CRT_PARSE_C && !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ -#if defined(MBEDTLS_SSL_PROTO_DTLS) +#if defined(MBEDTLS_SSL_PROTO_DTLS) || defined(MBEDTLS_SSL_PROTO_TLS1_3) mbedtls_free( handshake->verify_cookie ); +#endif /* MBEDTLS_SSL_PROTO_DTLS || MBEDTLS_SSL_PROTO_TLS1_3 */ + +#if defined(MBEDTLS_SSL_PROTO_DTLS) mbedtls_ssl_flight_free( handshake->flight ); mbedtls_ssl_buffering_free( ssl ); -#endif +#endif /* MBEDTLS_SSL_PROTO_DTLS */ #if defined(MBEDTLS_ECDH_C) && \ defined(MBEDTLS_USE_PSA_CRYPTO) @@ -7384,6 +7407,7 @@ int mbedtls_ssl_get_handshake_transcript( mbedtls_ssl_context *ssl, } return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); } + #endif /* !MBEDTLS_USE_PSA_CRYPTO */ #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) || \ diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index d046495cb..ca91d67da 100644 --- a/library/ssl_tls13_client.c +++ b/library/ssl_tls13_client.c @@ -115,6 +115,28 @@ static int ssl_tls13_parse_supported_versions_ext( mbedtls_ssl_context *ssl, #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) +static int ssl_tls13_reset_key_share( mbedtls_ssl_context *ssl ) +{ + uint16_t group_id = ssl->handshake->offered_group_id; + if( group_id == 0 ) + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + +#if defined(MBEDTLS_ECDH_C) + if( mbedtls_ssl_tls13_named_group_is_ecdhe( group_id ) ) + { + mbedtls_ecdh_free( &ssl->handshake->ecdh_ctx ); + return( 0 ); + } + else +#endif /* MBEDTLS_ECDH_C */ + if( 0 /* other KEMs? */ ) + { + /* Do something */ + } + + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); +} + /* * Functions for writing key_share extension. */ @@ -371,6 +393,76 @@ static int ssl_tls13_read_public_ecdhe_share( mbedtls_ssl_context *ssl, } #endif /* MBEDTLS_ECDH_C */ +/* + * ssl_tls13_parse_hrr_key_share_ext() + * Parse key_share extension in Hello Retry Request + * + * struct { + * NamedGroup selected_group; + * } KeyShareHelloRetryRequest; + */ +static int ssl_tls13_parse_hrr_key_share_ext( mbedtls_ssl_context *ssl, + const unsigned char *buf, + const unsigned char *end ) +{ + const mbedtls_ecp_curve_info *curve_info = NULL; + const unsigned char *p = buf; + int selected_group; + int found = 0; + + const uint16_t *group_list = mbedtls_ssl_get_groups( ssl ); + if( group_list == NULL ) + return( MBEDTLS_ERR_SSL_BAD_CONFIG ); + + MBEDTLS_SSL_DEBUG_BUF( 3, "key_share extension", p, end - buf ); + + /* Read selected_group */ + MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 ); + selected_group = MBEDTLS_GET_UINT16_BE( p, 0 ); + MBEDTLS_SSL_DEBUG_MSG( 3, ( "selected_group ( %d )", selected_group ) ); + + /* Upon receipt of this extension in a HelloRetryRequest, the client + * MUST first verify that the selected_group field corresponds to a + * group which was provided in the "supported_groups" extension in the + * original ClientHello. + * The supported_group was based on the info in ssl->conf->group_list. + * + * If the server provided a key share that was not sent in the ClientHello + * then the client MUST abort the handshake with an "illegal_parameter" alert. + */ + for( ; *group_list != 0; group_list++ ) + { + curve_info = mbedtls_ecp_curve_info_from_tls_id( *group_list ); + if( curve_info == NULL || curve_info->tls_id != selected_group ) + continue; + + /* We found a match */ + found = 1; + break; + } + + /* Client MUST verify that the selected_group field does not + * correspond to a group which was provided in the "key_share" + * extension in the original ClientHello. If the server sent an + * HRR message with a key share already provided in the + * ClientHello then the client MUST abort the handshake with + * an "illegal_parameter" alert. + */ + if( found == 0 || selected_group == ssl->handshake->offered_group_id ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "Invalid key share in HRR" ) ); + MBEDTLS_SSL_PEND_FATAL_ALERT( + MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER, + MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER ); + return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER ); + } + + /* Remember server's preference for next ClientHello */ + ssl->handshake->offered_group_id = selected_group; + + return( 0 ); +} + /* * ssl_tls13_parse_key_share_ext() * Parse key_share extension in Server Hello @@ -434,6 +526,55 @@ static int ssl_tls13_parse_key_share_ext( mbedtls_ssl_context *ssl, #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ +/* + * ssl_tls13_parse_cookie_ext() + * Parse cookie extension in Hello Retry Request + * + * struct { + * opaque cookie<1..2^16-1>; + * } Cookie; + * + * When sending a HelloRetryRequest, the server MAY provide a "cookie" + * extension to the client (this is an exception to the usual rule that + * the only extensions that may be sent are those that appear in the + * ClientHello). When sending the new ClientHello, the client MUST copy + * the contents of the extension received in the HelloRetryRequest into + * a "cookie" extension in the new ClientHello. Clients MUST NOT use + * cookies in their initial ClientHello in subsequent connections. + */ +static int ssl_tls13_parse_cookie_ext( mbedtls_ssl_context *ssl, + const unsigned char *buf, + const unsigned char *end ) +{ + size_t cookie_len; + const unsigned char *p = buf; + mbedtls_ssl_handshake_params *handshake = ssl->handshake; + + /* Retrieve length field of cookie */ + MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 ); + cookie_len = MBEDTLS_GET_UINT16_BE( p, 0 ); + p += 2; + + MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, cookie_len ); + MBEDTLS_SSL_DEBUG_BUF( 3, "cookie extension", p, cookie_len ); + + mbedtls_free( handshake->verify_cookie ); + handshake->verify_cookie_len = 0; + handshake->verify_cookie = mbedtls_calloc( 1, cookie_len ); + if( handshake->verify_cookie == NULL ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, + ( "alloc failed ( %" MBEDTLS_PRINTF_SIZET " bytes )", + cookie_len ) ); + return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); + } + + memcpy( handshake->verify_cookie, p, cookie_len ); + handshake->verify_cookie_len = (unsigned char) cookie_len; + + return( 0 ); +} + /* Write cipher_suites * CipherSuite cipher_suites<2..2^16-2>; */ @@ -747,7 +888,8 @@ cleanup: /* Returns a negative value on failure, and otherwise * - SSL_SERVER_HELLO_COORDINATE_HELLO or * - SSL_SERVER_HELLO_COORDINATE_HRR - * to indicate which message is expected and to be parsed next. */ + * to indicate which message is expected and to be parsed next. + */ #define SSL_SERVER_HELLO_COORDINATE_HELLO 0 #define SSL_SERVER_HELLO_COORDINATE_HRR 1 static int ssl_server_hello_is_hrr( mbedtls_ssl_context *ssl, @@ -796,20 +938,9 @@ static int ssl_tls13_server_hello_coordinate( mbedtls_ssl_context *ssl, { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_read_record( ssl, 0 ) ); - - if( ( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ) || - ( ssl->in_msg[0] != MBEDTLS_SSL_HS_SERVER_HELLO ) ) - { - MBEDTLS_SSL_DEBUG_MSG( 1, ( "unexpected message" ) ); - - MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE, - MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); - return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); - } - - *buf = ssl->in_msg + 4; - *buf_len = ssl->in_hslen - 4; + MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_fetch_handshake_msg( ssl, + MBEDTLS_SSL_HS_SERVER_HELLO, + buf, buf_len ) ); ret = ssl_server_hello_is_hrr( ssl, *buf, *buf + *buf_len ); switch( ret ) @@ -819,6 +950,36 @@ static int ssl_tls13_server_hello_coordinate( mbedtls_ssl_context *ssl, break; case SSL_SERVER_HELLO_COORDINATE_HRR: MBEDTLS_SSL_DEBUG_MSG( 2, ( "received HelloRetryRequest message" ) ); + /* If a client receives a second + * HelloRetryRequest in the same connection (i.e., where the ClientHello + * was itself in response to a HelloRetryRequest), it MUST abort the + * handshake with an "unexpected_message" alert. + */ + if( ssl->handshake->hello_retry_request_count > 0 ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "Multiple HRRs received" ) ); + MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE, + MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); + return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); + } + /* + * Clients must abort the handshake with an "illegal_parameter" + * alert if the HelloRetryRequest would not result in any change + * in the ClientHello. + * In a PSK only key exchange that what we expect. + */ + if( ! mbedtls_ssl_conf_tls13_some_ephemeral_enabled( ssl ) ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, + ( "Unexpected HRR in pure PSK key exchange." ) ); + MBEDTLS_SSL_PEND_FATAL_ALERT( + MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER, + MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER); + return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER ); + } + + ssl->handshake->hello_retry_request_count++; + break; } @@ -892,14 +1053,18 @@ static int ssl_tls13_cipher_suite_is_offered( mbedtls_ssl_context *ssl, */ static int ssl_tls13_parse_server_hello( mbedtls_ssl_context *ssl, const unsigned char *buf, - const unsigned char *end ) + const unsigned char *end, + int is_hrr ) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; const unsigned char *p = buf; + mbedtls_ssl_handshake_params *handshake = ssl->handshake; size_t extensions_len; const unsigned char *extensions_end; uint16_t cipher_suite; const mbedtls_ssl_ciphersuite_t *ciphersuite_info; + int supported_versions_ext_found = 0; + int fatal_alert = 0; /* * Check there is space for minimal fields @@ -927,7 +1092,8 @@ static int ssl_tls13_parse_server_hello( mbedtls_ssl_context *ssl, MBEDTLS_SSL_DEBUG_MSG( 1, ( "Unsupported version of TLS." ) ); MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION, MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION ); - return( MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION ); + ret = MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION; + goto cleanup; } p += 2; @@ -937,10 +1103,13 @@ static int ssl_tls13_parse_server_hello( mbedtls_ssl_context *ssl, * with Random defined as: * opaque Random[MBEDTLS_SERVER_HELLO_RANDOM_LEN]; */ - memcpy( &ssl->handshake->randbytes[MBEDTLS_CLIENT_HELLO_RANDOM_LEN], p, - MBEDTLS_SERVER_HELLO_RANDOM_LEN ); - MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, random bytes", - p, MBEDTLS_SERVER_HELLO_RANDOM_LEN ); + if( !is_hrr ) + { + memcpy( &handshake->randbytes[MBEDTLS_CLIENT_HELLO_RANDOM_LEN], p, + MBEDTLS_SERVER_HELLO_RANDOM_LEN ); + MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, random bytes", + p, MBEDTLS_SERVER_HELLO_RANDOM_LEN ); + } p += MBEDTLS_SERVER_HELLO_RANDOM_LEN; /* ... @@ -949,9 +1118,8 @@ static int ssl_tls13_parse_server_hello( mbedtls_ssl_context *ssl, */ if( ssl_tls13_check_server_hello_session_id_echo( ssl, &p, end ) != 0 ) { - MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER, - MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER ); - return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER ); + fatal_alert = MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER; + goto cleanup; } /* ... @@ -965,28 +1133,40 @@ static int ssl_tls13_parse_server_hello( mbedtls_ssl_context *ssl, p += 2; + ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( cipher_suite ); /* * Check whether this ciphersuite is supported and offered. * Via the force_ciphersuite version we may have instructed the client * to use a different ciphersuite. */ - ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( cipher_suite ); if( ciphersuite_info == NULL || ssl_tls13_cipher_suite_is_offered( ssl, cipher_suite ) == 0 ) { - MBEDTLS_SSL_DEBUG_MSG( 1, ( "ciphersuite(%04x) not found or not offered", - cipher_suite ) ); - - MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER, - MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER ); - return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER ); + fatal_alert = MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER; + } + /* + * If we received an HRR before and that the proposed selected + * ciphersuite in this server hello is not the same as the one + * proposed in the HRR, we abort the handshake and send an + * "illegal_parameter" alert. + */ + else if( ( !is_hrr ) && ( handshake->hello_retry_request_count > 0 ) && + ( cipher_suite != ssl->session_negotiate->ciphersuite ) ) + { + fatal_alert = MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER; } + if( fatal_alert == MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid ciphersuite(%04x) parameter", + cipher_suite ) ); + goto cleanup; + } /* Configure ciphersuites */ mbedtls_ssl_optimize_checksum( ssl, ciphersuite_info ); - ssl->handshake->ciphersuite_info = ciphersuite_info; + handshake->ciphersuite_info = ciphersuite_info; ssl->session_negotiate->ciphersuite = cipher_suite; MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: ( %04x ) - %s", @@ -1004,9 +1184,8 @@ static int ssl_tls13_parse_server_hello( mbedtls_ssl_context *ssl, if( p[0] != 0 ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad legacy compression method" ) ); - MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER, - MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER ); - return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER ); + fatal_alert = MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER; + goto cleanup; } p++; @@ -1032,6 +1211,7 @@ static int ssl_tls13_parse_server_hello( mbedtls_ssl_context *ssl, { unsigned int extension_type; size_t extension_data_len; + const unsigned char *extension_data_end; MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, 4 ); extension_type = MBEDTLS_GET_UINT16_BE( p, 0 ); @@ -1039,39 +1219,69 @@ static int ssl_tls13_parse_server_hello( mbedtls_ssl_context *ssl, p += 4; MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, extension_data_len ); + extension_data_end = p + extension_data_len; switch( extension_type ) { + case MBEDTLS_TLS_EXT_COOKIE: + + if( !is_hrr ) + { + fatal_alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT; + goto cleanup; + } + + ret = ssl_tls13_parse_cookie_ext( ssl, + p, extension_data_end ); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, + "ssl_tls13_parse_cookie_ext", + ret ); + goto cleanup; + } + break; + case MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS: + supported_versions_ext_found = 1; MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported_versions extension" ) ); ret = ssl_tls13_parse_supported_versions_ext( ssl, p, - p + extension_data_len ); + extension_data_end ); if( ret != 0 ) - return( ret ); + goto cleanup; break; case MBEDTLS_TLS_EXT_PRE_SHARED_KEY: MBEDTLS_SSL_DEBUG_MSG( 3, ( "found pre_shared_key extension." ) ); MBEDTLS_SSL_DEBUG_MSG( 3, ( "pre_shared_key:Not supported yet" ) ); - MBEDTLS_SSL_PEND_FATAL_ALERT( - MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT, - MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION ); - return( MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION ); + fatal_alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT; + goto cleanup; #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) case MBEDTLS_TLS_EXT_KEY_SHARE: MBEDTLS_SSL_DEBUG_MSG( 3, ( "found key_shares extension" ) ); - if( ( ret = ssl_tls13_parse_key_share_ext( ssl, - p, p + extension_data_len ) ) != 0 ) + if( ! mbedtls_ssl_conf_tls13_some_ephemeral_enabled( ssl ) ) + { + fatal_alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT; + goto cleanup; + } + + if( is_hrr ) + ret = ssl_tls13_parse_hrr_key_share_ext( ssl, + p, extension_data_end ); + else + ret = ssl_tls13_parse_key_share_ext( ssl, + p, extension_data_end ); + if( ret != 0 ) { MBEDTLS_SSL_DEBUG_RET( 1, "ssl_tls13_parse_key_share_ext", ret ); - return( ret ); + goto cleanup; } break; #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ @@ -1082,19 +1292,38 @@ static int ssl_tls13_parse_server_hello( mbedtls_ssl_context *ssl, ( "unknown extension found: %u ( ignoring )", extension_type ) ); - MBEDTLS_SSL_PEND_FATAL_ALERT( - MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT, - MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION ); - return( MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION ); + fatal_alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT; + goto cleanup; } p += extension_data_len; } - return( 0 ); + if( !supported_versions_ext_found ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "supported_versions not found" ) ); + fatal_alert = MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER; + goto cleanup; + } + +cleanup: + + if( fatal_alert == MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT ) + { + MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT, + MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION ); + ret = MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION; + } + else if ( fatal_alert == MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ) + { + MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER, + MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER ); + ret = MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; + } + return( ret ); } -static int ssl_tls13_finalize_server_hello( mbedtls_ssl_context *ssl ) +static int ssl_tls13_postprocess_server_hello( mbedtls_ssl_context *ssl ) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; mbedtls_ssl_key_set traffic_keys; @@ -1208,6 +1437,40 @@ cleanup: return( ret ); } +static int ssl_tls13_postprocess_hrr( mbedtls_ssl_context *ssl ) +{ +#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + +#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE) + /* If not offering early data, the client sends a dummy CCS record + * immediately before its second flight. This may either be before + * its second ClientHello or before its encrypted handshake flight. + */ + mbedtls_ssl_handshake_set_state( ssl, + MBEDTLS_SSL_CLIENT_CCS_BEFORE_2ND_CLIENT_HELLO ); +#else + mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_HELLO ); +#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */ + + mbedtls_ssl_session_reset_msg_layer( ssl, 0 ); + + /* + * We are going to re-generate a shared secret corresponding to the group + * selected by the server, which is different from the group for which we + * generated a shared secret in the first client hello. + * Thus, reset the shared secret. + */ + ret = ssl_tls13_reset_key_share( ssl ); + if( ret != 0 ) + return( ret ); +#else + ((void) ssl); +#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ + + return( 0 ); +} + /* * Wait and parse ServerHello handshake message. * Handler for MBEDTLS_SSL_SERVER_HELLO @@ -1215,8 +1478,9 @@ cleanup: static int ssl_tls13_process_server_hello( mbedtls_ssl_context *ssl ) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - unsigned char *buf; - size_t buf_len; + unsigned char *buf = NULL; + size_t buf_len = 0; + int is_hrr = 0; MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> %s", __func__ ) ); @@ -1229,31 +1493,29 @@ static int ssl_tls13_process_server_hello( mbedtls_ssl_context *ssl ) ssl->handshake->extensions_present = MBEDTLS_SSL_EXT_NONE; ret = ssl_tls13_server_hello_coordinate( ssl, &buf, &buf_len ); - /* Parsing step - * We know what message to expect by now and call - * the respective parsing function. - */ - if( ret == SSL_SERVER_HELLO_COORDINATE_HELLO ) - { - MBEDTLS_SSL_PROC_CHK( ssl_tls13_parse_server_hello( ssl, buf, - buf + buf_len ) ); + if( ret < 0 ) + goto cleanup; + else + is_hrr = ( ret == SSL_SERVER_HELLO_COORDINATE_HRR ); - mbedtls_ssl_tls13_add_hs_msg_to_checksum( ssl, - MBEDTLS_SSL_HS_SERVER_HELLO, - buf, buf_len ); + MBEDTLS_SSL_PROC_CHK( ssl_tls13_parse_server_hello( ssl, buf, + buf + buf_len, + is_hrr ) ); + if( is_hrr ) + MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_reset_transcript_for_hrr( ssl ) ); - MBEDTLS_SSL_PROC_CHK( ssl_tls13_finalize_server_hello( ssl ) ); - } - else if( ret == SSL_SERVER_HELLO_COORDINATE_HRR ) - { - MBEDTLS_SSL_DEBUG_MSG( 1, ( "HRR not supported" ) ); - MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE , - MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); - ret = MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; - } + mbedtls_ssl_tls13_add_hs_msg_to_checksum( ssl, + MBEDTLS_SSL_HS_SERVER_HELLO, + buf, buf_len ); + + if( is_hrr ) + MBEDTLS_SSL_PROC_CHK( ssl_tls13_postprocess_hrr( ssl ) ); + else + MBEDTLS_SSL_PROC_CHK( ssl_tls13_postprocess_server_hello( ssl ) ); cleanup: - MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= %s", __func__ ) ); + MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= %s ( %s )", __func__, + is_hrr?"HelloRetryRequest":"ServerHello" ) ); return( ret ); } @@ -1492,8 +1754,6 @@ static int ssl_tls13_write_change_cipher_spec( mbedtls_ssl_context *ssl ) if( ret != 0 ) return( ret ); - mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_FINISHED ); - return( 0 ); } #endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */ @@ -1604,6 +1864,7 @@ int mbedtls_ssl_tls13_handshake_client_step( mbedtls_ssl_context *ssl ) */ #if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE) case MBEDTLS_SSL_CLIENT_CCS_AFTER_SERVER_FINISHED: + case MBEDTLS_SSL_CLIENT_CCS_BEFORE_2ND_CLIENT_HELLO: ret = ssl_tls13_write_change_cipher_spec( ssl ); break; #endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */ diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c index a87af94dc..9aa214873 100644 --- a/library/ssl_tls13_generic.c +++ b/library/ssl_tls13_generic.c @@ -1058,6 +1058,32 @@ void mbedtls_ssl_tls13_handshake_wrapup( mbedtls_ssl_context *ssl ) */ #if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE) +static int ssl_tls13_finalize_change_cipher_spec( mbedtls_ssl_context* ssl ) +{ + +#if defined(MBEDTLS_SSL_CLI_C) + if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) + { + switch( ssl->state ) + { + case MBEDTLS_SSL_CLIENT_CCS_BEFORE_2ND_CLIENT_HELLO: + mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_HELLO ); + break; + case MBEDTLS_SSL_CLIENT_CCS_AFTER_SERVER_FINISHED: + mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_FINISHED ); + break; + default: + MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + } + } +#else + ((void) ssl); +#endif /* MBEDTLS_SSL_CLI_C */ + + return( 0 ); +} + static int ssl_tls13_write_change_cipher_spec_body( mbedtls_ssl_context *ssl, unsigned char *buf, unsigned char *end, @@ -1088,6 +1114,9 @@ int mbedtls_ssl_tls13_write_change_cipher_spec( mbedtls_ssl_context *ssl ) ssl->out_msgtype = MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC; + /* Update state */ + MBEDTLS_SSL_PROC_CHK( ssl_tls13_finalize_change_cipher_spec( ssl ) ); + /* Dispatch message */ MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_write_record( ssl, 1 ) ); @@ -1099,6 +1128,80 @@ cleanup: #endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */ +/* Reset SSL context and update hash for handling HRR. + * + * Replace Transcript-Hash(X) by + * Transcript-Hash( message_hash || + * 00 00 Hash.length || + * X ) + * A few states of the handshake are preserved, including: + * - session ID + * - session ticket + * - negotiated ciphersuite + */ +int mbedtls_ssl_reset_transcript_for_hrr( mbedtls_ssl_context *ssl ) +{ + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + unsigned char hash_transcript[ MBEDTLS_MD_MAX_SIZE + 4 ]; + size_t hash_len; + const mbedtls_ssl_ciphersuite_t *ciphersuite_info; + uint16_t cipher_suite = ssl->session_negotiate->ciphersuite; + ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( cipher_suite ); + + MBEDTLS_SSL_DEBUG_MSG( 3, ( "Reset SSL session for HRR" ) ); + + ret = mbedtls_ssl_get_handshake_transcript( ssl, ciphersuite_info->mac, + hash_transcript + 4, + MBEDTLS_MD_MAX_SIZE, + &hash_len ); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 4, "mbedtls_ssl_get_handshake_transcript", ret ); + return( ret ); + } + + hash_transcript[0] = MBEDTLS_SSL_HS_MESSAGE_HASH; + hash_transcript[1] = 0; + hash_transcript[2] = 0; + hash_transcript[3] = (unsigned char) hash_len; + + hash_len += 4; + + if( ciphersuite_info->mac == MBEDTLS_MD_SHA256 ) + { +#if defined(MBEDTLS_SHA256_C) + MBEDTLS_SSL_DEBUG_BUF( 4, "Truncated SHA-256 handshake transcript", + hash_transcript, hash_len ); + +#if defined(MBEDTLS_USE_PSA_CRYPTO) + psa_hash_abort( &ssl->handshake->fin_sha256_psa ); + psa_hash_setup( &ssl->handshake->fin_sha256_psa, PSA_ALG_SHA_256 ); +#else + mbedtls_sha256_starts( &ssl->handshake->fin_sha256, 0 ); +#endif +#endif /* MBEDTLS_SHA256_C */ + } + else if( ciphersuite_info->mac == MBEDTLS_MD_SHA384 ) + { +#if defined(MBEDTLS_SHA384_C) + MBEDTLS_SSL_DEBUG_BUF( 4, "Truncated SHA-384 handshake transcript", + hash_transcript, hash_len ); + +#if defined(MBEDTLS_USE_PSA_CRYPTO) + psa_hash_abort( &ssl->handshake->fin_sha384_psa ); + psa_hash_setup( &ssl->handshake->fin_sha384_psa, PSA_ALG_SHA_384 ); +#else + mbedtls_sha512_starts( &ssl->handshake->fin_sha512, 1 ); +#endif +#endif /* MBEDTLS_SHA384_C */ + } + +#if defined(MBEDTLS_SHA256_C) || defined(MBEDTLS_SHA384_C) + ssl->handshake->update_checksum( ssl, hash_transcript, hash_len ); +#endif /* MBEDTLS_SHA256_C || MBEDTLS_SHA384_C */ + return( ret ); +} + #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ #endif /* MBEDTLS_SSL_TLS_C */ diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 7a1436fab..295b82ea8 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -9214,13 +9214,29 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_CLI_C requires_config_disabled MBEDTLS_USE_PSA_CRYPTO requires_openssl_tls1_3 -run_test "TLS 1.3: HelloRetryRequest check - openssl" \ +run_test "TLS 1.3: HelloRetryRequest check, ciphersuite TLS_AES_128_GCM_SHA256 - openssl" \ + "$O_NEXT_SRV -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI debug_level=4 force_version=tls13" \ + 0 \ + -c "received HelloRetryRequest message" \ + -c "<= ssl_tls13_process_server_hello ( HelloRetryRequest )" \ + -c "tls13 client state: MBEDTLS_SSL_CLIENT_HELLO" \ + -c "HTTP/1.0 200 ok" + +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +requires_openssl_tls1_3 +run_test "TLS 1.3: HelloRetryRequest check, ciphersuite TLS_AES_256_GCM_SHA384 - openssl" \ "$O_NEXT_SRV -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp256r1_sha256 -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ "$P_CLI debug_level=4 force_version=tls13" \ - 1 \ + 0 \ -c "received HelloRetryRequest message" \ - -c "HRR not supported" \ - -c "Last error was: -0x6E00 - SSL - The handshake negotiation failed" + -c "<= ssl_tls13_process_server_hello ( HelloRetryRequest )" \ + -c "tls13 client state: MBEDTLS_SSL_CLIENT_HELLO" \ + -c "HTTP/1.0 200 ok" requires_gnutls_tls1_3 requires_gnutls_next_no_ticket @@ -9229,14 +9245,30 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_CLI_C requires_config_disabled MBEDTLS_USE_PSA_CRYPTO -run_test "TLS 1.3: HelloRetryRequest check - gnutls" \ - "$G_NEXT_SRV -d 4 --priority=NONE:+GROUP-SECP256R1:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+VERS-TLS1.3:%NO_TICKETS" \ +run_test "TLS 1.3: HelloRetryRequest check, ciphersuite TLS_AES_128_GCM_SHA256 - gnutls" \ + "$G_NEXT_SRV -d 4 --priority=NONE:+GROUP-SECP256R1:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+VERS-TLS1.3:%NO_TICKETS --disable-client-cert" \ "$P_CLI debug_level=4 force_version=tls13" \ - 1 \ + 0 \ -c "received HelloRetryRequest message" \ - -c "HRR not supported" \ - -c "Last error was: -0x6E00 - SSL - The handshake negotiation failed" \ - -s "HELLO RETRY REQUEST was queued" + -c "<= ssl_tls13_process_server_hello ( HelloRetryRequest )" \ + -c "tls13 client state: MBEDTLS_SSL_CLIENT_HELLO" \ + -c "HTTP/1.0 200 OK" + +requires_gnutls_tls1_3 +requires_gnutls_next_no_ticket +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_disabled MBEDTLS_USE_PSA_CRYPTO +run_test "TLS 1.3: HelloRetryRequest check, ciphersuite TLS_AES_256_GCM_SHA384 - gnutls" \ + "$G_NEXT_SRV -d 4 --priority=NONE:+GROUP-SECP256R1:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+VERS-TLS1.3:%NO_TICKETS --disable-client-cert" \ + "$P_CLI debug_level=4 force_version=tls13" \ + 0 \ + -c "received HelloRetryRequest message" \ + -c "<= ssl_tls13_process_server_hello ( HelloRetryRequest )" \ + -c "tls13 client state: MBEDTLS_SSL_CLIENT_HELLO" \ + -c "HTTP/1.0 200 OK" for i in $(ls opt-testcases/*.sh) do