diff --git a/library/ecdh.c b/library/ecdh.c index 9dfa86806..ac6016544 100644 --- a/library/ecdh.c +++ b/library/ecdh.c @@ -31,6 +31,7 @@ #include "mbedtls/ecdh.h" #include "mbedtls/platform_util.h" #include "mbedtls/error.h" +#include "ssl_misc.h" #include @@ -726,4 +727,88 @@ int mbedtls_ecdh_calc_secret( mbedtls_ecdh_context *ctx, size_t *olen, #endif } +#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) + +static int ecdh_tls13_make_params_internal( mbedtls_ecdh_context_mbed *ctx, + size_t *olen, int point_format, + unsigned char *buf, size_t blen, + int ( *f_rng )( void *, + unsigned char *, + size_t), + void *p_rng, int restart_enabled ) +{ + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; +#if defined(MBEDTLS_ECP_RESTARTABLE) + mbedtls_ecp_restart_ctx *rs_ctx = NULL; +#endif + + if( ctx->grp.pbits == 0 ) + return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA ); + +#if defined(MBEDTLS_ECP_RESTARTABLE) + if( restart_enabled ) + rs_ctx = &ctx->rs; +#else + (void) restart_enabled; +#endif + +#if defined(MBEDTLS_ECP_RESTARTABLE) + if( ( ret = ecdh_gen_public_restartable( &ctx->grp, &ctx->d, &ctx->Q, + f_rng, p_rng, rs_ctx ) ) != 0 ) + return( ret ); +#else + if( ( ret = mbedtls_ecdh_gen_public( &ctx->grp, &ctx->d, &ctx->Q, + f_rng, p_rng ) ) != 0 ) + return( ret ); +#endif /* MBEDTLS_ECP_RESTARTABLE */ + + ret = mbedtls_ecp_point_write_binary( &ctx->grp, &ctx->Q, point_format, + olen, buf, blen ); + if( ret != 0 ) + return( ret ); + + return( 0 ); +} + +int mbedtls_ecdh_tls13_make_params( mbedtls_ecdh_context *ctx, size_t *olen, + unsigned char *buf, size_t blen, + int ( *f_rng )( void *, unsigned char *, size_t ), + void *p_rng ) +{ + int restart_enabled = 0; + ECDH_VALIDATE_RET( ctx != NULL ); + ECDH_VALIDATE_RET( olen != NULL ); + ECDH_VALIDATE_RET( buf != NULL ); + ECDH_VALIDATE_RET( f_rng != NULL ); + +#if defined(MBEDTLS_ECP_RESTARTABLE) + restart_enabled = ctx->restart_enabled; +#else + (void) restart_enabled; +#endif + +#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT) + return( ecdh_tls13_make_params_internal( ctx, olen, ctx->point_format, buf, blen, + f_rng, p_rng, restart_enabled ) ); +#else + switch( ctx->var ) + { +#if defined(MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED) + case MBEDTLS_ECDH_VARIANT_EVEREST: + return( mbedtls_everest_make_params( &ctx->ctx.everest_ecdh, olen, + buf, blen, f_rng, p_rng ) ); +#endif + case MBEDTLS_ECDH_VARIANT_MBEDTLS_2_0: + return( ecdh_tls13_make_params_internal( &ctx->ctx.mbed_ecdh, olen, + ctx->point_format, buf, blen, + f_rng, p_rng, + restart_enabled ) ); + default: + return MBEDTLS_ERR_ECP_BAD_INPUT_DATA; + } +#endif +} + +#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ + #endif /* MBEDTLS_ECDH_C */ diff --git a/library/ssl_misc.h b/library/ssl_misc.h index d9c82960f..f8f5fe6c9 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -649,6 +649,16 @@ struct mbedtls_ssl_handshake_params void (*calc_finished)(mbedtls_ssl_context *, unsigned char *, int); mbedtls_ssl_tls_prf_cb *tls_prf; +#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) + uint16_t offered_group_id; /* The NamedGroup value for the group + * that is being used for ephemeral + * key exchange. + * + * On the client: Defaults to the first + * entry in the client's group list, + * but can be overwritten by the HRR. */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ + mbedtls_ssl_ciphersuite_t const *ciphersuite_info; size_t pmslen; /*!< premaster length */ @@ -1491,6 +1501,16 @@ int mbedtls_ssl_tls13_write_sig_alg_ext( mbedtls_ssl_context *ssl, unsigned char *buf, unsigned char *end, size_t *olen); +#if defined(MBEDTLS_ECDH_C) +/* + * TLS 1.3 version of mbedtls_ecdh_make_params in ecdh.h + */ +int mbedtls_ecdh_tls13_make_params( mbedtls_ecdh_context *ctx, size_t *olen, + unsigned char *buf, size_t blen, + int ( *f_rng )( void *, unsigned char *, size_t ), + void *p_rng ); +#endif /* MBEDTLS_ECDH_C */ + #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ #endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index df2f9eb7d..8323b6778 100644 --- a/library/ssl_tls13_client.c +++ b/library/ssl_tls13_client.c @@ -28,7 +28,8 @@ #include #include "ssl_misc.h" -#include +#include "mbedtls/debug.h" +#include "mbedtls/error.h" #define CLIENT_HELLO_RANDOM_LEN 32 @@ -257,24 +258,212 @@ static int ssl_tls13_write_supported_groups_ext( mbedtls_ssl_context *ssl, return( ret ); } -static int ssl_tls13_write_key_shares_ext( mbedtls_ssl_context *ssl, - unsigned char *buf, - unsigned char *end, - size_t *olen ) +/* + * Functions for writing key_share extension. + */ +#if defined(MBEDTLS_ECDH_C) +static int ssl_key_share_gen_and_write_ecdhe( mbedtls_ssl_context *ssl, + uint16_t named_group, + unsigned char *buf, + unsigned char *end, + size_t *olen ) { - ((void) ssl); - ((void) buf); - ((void) end); - *olen = 0; - MBEDTLS_SSL_DEBUG_MSG( 3, ( "key share extension is not available" ) ); + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + + const mbedtls_ecp_curve_info *curve_info = + mbedtls_ecp_curve_info_from_tls_id( named_group ); + + if( curve_info == NULL ) + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + + MBEDTLS_SSL_DEBUG_MSG( 3, ( "offer curve %s", curve_info->name ) ); + + if( ( ret = mbedtls_ecdh_setup( &ssl->handshake->ecdh_ctx, + curve_info->grp_id ) ) != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecp_group_load", ret ); + return( ret ); + } + + ret = mbedtls_ecdh_tls13_make_params( &ssl->handshake->ecdh_ctx, olen, + buf, end - buf, + ssl->conf->f_rng, ssl->conf->p_rng ); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_tls13_make_params", ret ); + return( ret ); + } + + MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx, + MBEDTLS_DEBUG_ECDH_Q ); return( 0 ); } +#endif /* MBEDTLS_ECDH_C */ + +static int ssl_named_group_get_default_id( mbedtls_ssl_context *ssl, + uint16_t *named_group_id ) +{ + int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; + + /* Pick first entry of curve list. + * + * TODO: When we introduce PQC KEMs, we'll have a NamedGroup + * list instead, and can just return its first element. + */ + + /* Check if ecdhe named groups are available and pick first entry */ +#if defined(MBEDTLS_ECDH_C) +#if !defined(MBEDTLS_ECP_C) + ((void) ssl); +#endif +#if defined(MBEDTLS_ECP_C) + for ( const mbedtls_ecp_group_id * grp_id = ssl->conf->curve_list; + *grp_id != MBEDTLS_ECP_DP_NONE; + grp_id++ ) + { + const mbedtls_ecp_curve_info *info; + info = mbedtls_ecp_curve_info_from_grp_id( *grp_id ); +#else + for ( const mbedtls_ecp_curve_info *info = mbedtls_ecp_curve_list(); + info->grp_id != MBEDTLS_ECP_DP_NONE; + info++ ) + { +#endif + if( info != NULL && mbedtls_ssl_named_group_is_ecdhe( info->tls_id ) ) + { + *named_group_id = info->tls_id; + return( 0 ); + } + } +#else + ((void) ssl); + ((void) named_group_id); +#endif /* MBEDTLS_ECDH_C */ + + /* + * Add DHE named groups here. + * Check if ecdhe named groups are available and pick first entry + */ + + return( ret ); +} + +/* + * ssl_tls13_write_key_share_ext + * + * Structure of key_share extension in ClientHelo: + * + * struct { + * NamedGroup group; + * opaque key_exchange<1..2^16-1>; + * } KeyShareEntry; + * struct { + * KeyShareEntry client_shares<0..2^16-1>; + * } KeyShareClientHello; + */ +static int ssl_tls13_write_key_share_ext( mbedtls_ssl_context *ssl, + unsigned char *buf, + unsigned char *end, + size_t *olen ) +{ + unsigned char *p = buf; + unsigned char *client_shares_ptr; /* Start of client_shares */ + uint16_t group_id; + + int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; + + *olen = 0; + + if( !mbedtls_ssl_conf_tls13_some_ephemeral_enabled( ssl ) ) + return( 0 ); + + /* Check if we have space for headers and length fields: + * - extension_type (2 bytes) + * - extension_data_length (2 bytes) + * - client_shares_length (2 bytes) + */ + MBEDTLS_SSL_CHK_BUF_PTR( p, end, 6 ); + p += 6; + + MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello: adding key share extension" ) ); + + /* HRR could already have requested something else. */ + group_id = ssl->handshake->offered_group_id; + if( !mbedtls_ssl_named_group_is_ecdhe( group_id ) && + !mbedtls_ssl_named_group_is_dhe( group_id ) ) + { + MBEDTLS_SSL_PROC_CHK( ssl_named_group_get_default_id( ssl, + &group_id ) ); + } + + /* + * Dispatch to type-specific key generation function. + * + * So far, we're only supporting ECDHE. With the introduction + * of PQC KEMs, we'll want to have multiple branches, one per + * type of KEM, and dispatch to the corresponding crypto. And + * only one key share entry is allowed. + */ + client_shares_ptr = p; +#if defined(MBEDTLS_ECDH_C) + if( mbedtls_ssl_named_group_is_ecdhe( group_id ) ) + { + /* Pointer of group */ + unsigned char *group_id_ptr = p; + /* Length of key_exchange */ + size_t key_exchange_len; + + /* Check there is space for header of KeyShareEntry + * - group (2 bytes) + * - key_exchange_length (2 bytes) + */ + MBEDTLS_SSL_CHK_BUF_PTR( p, end, 4 ); + p += 4; + ret = ssl_key_share_gen_and_write_ecdhe( ssl, group_id, + p, end, + &key_exchange_len ); + p += key_exchange_len; + if( ret != 0 ) + return( ret ); + + /* Write group */ + MBEDTLS_PUT_UINT16_BE( group_id, group_id_ptr, 0 ); + /* Write key_exchange_length */ + MBEDTLS_PUT_UINT16_BE( key_exchange_len, group_id_ptr, 2 ); + } + else +#endif /* MBEDTLS_ECDH_C */ + if( 0 /* other KEMs? */ ) + { + /* Do something */ + } + else + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + + /* Write extension_type */ + MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_KEY_SHARE, buf, 0 ); + /* Write extension_data_length */ + MBEDTLS_PUT_UINT16_BE( p - client_shares_ptr + 2, buf, 2 ); + /* Write client_shares_length */ + MBEDTLS_PUT_UINT16_BE( p - client_shares_ptr, buf, 4 ); + + /* Update offered_group_id field */ + ssl->handshake->offered_group_id = group_id; + + /* Output the total length of key_share extension. */ + *olen = p - buf; + + MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, key_share extension", buf, *olen ); + + ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_KEY_SHARE; + +cleanup: + + return( ret ); +} #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ -/* - * Functions for writing ClientHello message. - */ /* Write cipher_suites * CipherSuite cipher_suites<2..2^16-2>; */ @@ -464,7 +653,7 @@ static int ssl_tls13_write_client_hello_body( mbedtls_ssl_context *ssl, * 3) Or, in case all ciphers are supported ( which includes #1 and #2 * from above ) */ - ret = ssl_tls13_write_key_shares_ext( ssl, p, end, &output_len ); + ret = ssl_tls13_write_key_share_ext( ssl, p, end, &output_len ); if( ret != 0 ) return( ret ); p += output_len;