1 /*
2 * This file is part of the openHiTLS project.
3 *
4 * openHiTLS is licensed under the Mulan PSL v2.
5 * You can use this software according to the terms and conditions of the Mulan PSL v2.
6 * You may obtain a copy of Mulan PSL v2 at:
7 *
8 * http://license.coscl.org.cn/MulanPSL2
9 *
10 * THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND,
11 * EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT,
12 * MERCHANTABILITY OR FIT FOR A PARTICULAR PURPOSE.
13 * See the Mulan PSL v2 for more details.
14 */
15 #include "hitls_build.h"
16 #ifdef HITLS_TLS_HOST_CLIENT
17 #include <stdint.h>
18 #include <stdbool.h>
19 #include "bsl_sal.h"
20 #include "securec.h"
21 #include "tls_binlog_id.h"
22 #include "bsl_log_internal.h"
23 #include "bsl_log.h"
24 #include "bsl_err_internal.h"
25 #include "hitls_error.h"
26 #include "hitls_sni.h"
27 #include "hitls_security.h"
28 #include "tls.h"
29 #ifdef HITLS_TLS_FEATURE_SECURITY
30 #include "security.h"
31 #endif
32 #include "hs.h"
33 #include "hs_ctx.h"
34 #include "hs_verify.h"
35 #include "hs_common.h"
36 #include "hs_extensions.h"
37 #include "hs_msg.h"
38 #include "record.h"
39 #include "transcript_hash.h"
40 #include "session_mgr.h"
41 #include "alpn.h"
42 #include "alert.h"
43 #include "hs_kx.h"
44 #include "config_type.h"
45
46 typedef int32_t (*CheckExtFunc)(TLS_Ctx *ctx, const ServerHelloMsg *serverHello);
47
ClientCheckPointFormats(TLS_Ctx * ctx,const ServerHelloMsg * serverHello)48 static int32_t ClientCheckPointFormats(TLS_Ctx *ctx, const ServerHelloMsg *serverHello)
49 {
50 if ((!ctx->hsCtx->extFlag.havePointFormats) && serverHello->havePointFormats) {
51 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15255, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
52 "client did not send but get point formats.", 0, 0, 0, 0);
53 ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, ALERT_UNSUPPORTED_EXTENSION);
54 BSL_ERR_PUSH_ERROR(HITLS_MSG_HANDLE_UNSUPPORT_EXTENSION_TYPE);
55 return HITLS_MSG_HANDLE_UNSUPPORT_EXTENSION_TYPE;
56 }
57
58 /* The key exchange algorithm is not ECDHE */
59 if ((ctx->negotiatedInfo.cipherSuiteInfo.authAlg != HITLS_AUTH_ECDSA) &&
60 (ctx->negotiatedInfo.cipherSuiteInfo.kxAlg != HITLS_KEY_EXCH_ECDHE) &&
61 (ctx->negotiatedInfo.cipherSuiteInfo.kxAlg != HITLS_KEY_EXCH_ECDH) &&
62 (ctx->negotiatedInfo.cipherSuiteInfo.kxAlg != HITLS_KEY_EXCH_ECDHE_PSK)) {
63 return HITLS_SUCCESS;
64 }
65
66 if (!serverHello->havePointFormats) {
67 return HITLS_SUCCESS;
68 }
69
70 for (uint8_t i = 0u; i < serverHello->pointFormatsSize; i++) {
71 /* The point format list contains uncompressed (0) */
72 if (serverHello->pointFormats[i] == 0u) {
73 return HITLS_SUCCESS;
74 }
75 }
76
77 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15256, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
78 "the point format extension in server hello is incorrect.", 0, 0, 0, 0);
79 ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, ALERT_ILLEGAL_PARAMETER);
80 BSL_ERR_PUSH_ERROR(HITLS_MSG_HANDLE_UNSUPPORT_POINT_FORMAT);
81 return HITLS_MSG_HANDLE_UNSUPPORT_POINT_FORMAT;
82 }
83 #ifdef HITLS_TLS_FEATURE_ALPN
ClientCheckNegotiatedAlpnOfServerHello(TLS_Ctx * ctx,const ServerHelloMsg * serverHello)84 static int32_t ClientCheckNegotiatedAlpnOfServerHello(TLS_Ctx *ctx, const ServerHelloMsg *serverHello)
85 {
86 return ClientCheckNegotiatedAlpn(
87 ctx, serverHello->haveSelectedAlpn, serverHello->alpnSelected, serverHello->alpnSelectedSize);
88 }
89 #endif /* HITLS_TLS_FEATURE_ALPN */
90 #ifdef HITLS_TLS_FEATURE_SNI
ClientCheckServerName(TLS_Ctx * ctx,const ServerHelloMsg * serverHello)91 static int32_t ClientCheckServerName(TLS_Ctx *ctx, const ServerHelloMsg *serverHello)
92 {
93 if ((ctx->hsCtx->extFlag.haveServerName == false) && (serverHello->haveServerName == true)) {
94 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15263, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
95 "client did not send server_name but get extended server_name .", 0, 0, 0, 0);
96 ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, ALERT_UNSUPPORTED_EXTENSION);
97 BSL_ERR_PUSH_ERROR(HITLS_MSG_HANDLE_UNSUPPORT_EXTENSION_TYPE);
98 return HITLS_MSG_HANDLE_UNSUPPORT_EXTENSION_TYPE;
99 }
100
101 /* Received null server_name extension for server hello message */
102 if ((ctx->hsCtx->extFlag.haveServerName == true) && (serverHello->haveServerName == true)) {
103 /* Not in session resumption, and the client has previously sent the server_name extension */
104 if (ctx->session == NULL && ctx->config.tlsConfig.serverName != NULL &&
105 ctx->config.tlsConfig.serverNameSize > 0) {
106 /* The server negotiates the extension of the server_name of the client successfully */
107 ctx->negotiatedInfo.isSniStateOK = true;
108 ctx->hsCtx->serverNameSize = ctx->config.tlsConfig.serverNameSize;
109
110 BSL_SAL_FREE(ctx->hsCtx->serverName);
111 ctx->hsCtx->serverName =
112 (uint8_t *)BSL_SAL_Dump(ctx->config.tlsConfig.serverName, ctx->hsCtx->serverNameSize * sizeof(uint8_t));
113 if (ctx->hsCtx->serverName == NULL) {
114 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID17082, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
115 "Dump fail", 0, 0, 0, 0);
116 BSL_ERR_PUSH_ERROR(HITLS_MEMCPY_FAIL);
117 return HITLS_MEMCPY_FAIL;
118 }
119 }
120 }
121
122 return HITLS_SUCCESS;
123 }
124 #endif /* HITLS_TLS_FEATURE_SNI */
ClientCheckExtendedMasterSecret(TLS_Ctx * ctx,const ServerHelloMsg * serverHello)125 static int32_t ClientCheckExtendedMasterSecret(TLS_Ctx *ctx, const ServerHelloMsg *serverHello)
126 {
127 if ((!ctx->hsCtx->extFlag.haveExtendedMasterSecret) && serverHello->haveExtendedMasterSecret) {
128 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15264, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
129 "client did not send but get extended master secret.", 0, 0, 0, 0);
130 ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, ALERT_UNSUPPORTED_EXTENSION);
131 BSL_ERR_PUSH_ERROR(HITLS_MSG_HANDLE_UNSUPPORT_EXTENSION_TYPE);
132 return HITLS_MSG_HANDLE_UNSUPPORT_EXTENSION_TYPE;
133 }
134 /* tls1.3 Ignore Extended Master Secret */
135 if (ctx->negotiatedInfo.version == HITLS_VERSION_TLS13 || ctx->negotiatedInfo.version < HITLS_VERSION_TLS12) {
136 ctx->negotiatedInfo.isExtendedMasterSecret = false;
137 return HITLS_SUCCESS;
138 }
139 #ifdef HITLS_TLS_FEATURE_SESSION
140 /* rfc 7627 5.3 Client and Server Behavior: Abbreviated Handshake
141 If a client receives a ServerHello that accepts an abbreviated
142 handshake, it behaves as follows:
143 o If the original session did not use the "extended_master_secret"
144 extension but the new ServerHello contains the extension, the
145 client MUST abort the handshake.
146 o If the original session used the extension but the new ServerHello
147 does not contain the extension, the client MUST abort the
148 handshake. */
149 if (ctx->negotiatedInfo.isResume && ctx->session != NULL) {
150 uint8_t haveExtMasterSecret;
151 HITLS_SESS_GetHaveExtMasterSecret(ctx->session, &haveExtMasterSecret);
152 bool preEms = haveExtMasterSecret != 0;
153 if (serverHello->haveExtendedMasterSecret != preEms) {
154 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID17083, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
155 "ExtendedMasterSecret err", 0, 0, 0, 0);
156 ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, ALERT_HANDSHAKE_FAILURE);
157 return HITLS_MSG_HANDLE_INVALID_EXTENDED_MASTER_SECRET;
158 }
159 }
160 #endif /* HITLS_TLS_FEATURE_SESSION */
161 if (ctx->config.tlsConfig.isSupportExtendMasterSecret && !serverHello->haveExtendedMasterSecret) {
162 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID17084, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
163 "ExtendedMasterSecret err", 0, 0, 0, 0);
164 ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, ALERT_HANDSHAKE_FAILURE);
165 return HITLS_MSG_HANDLE_INVALID_EXTENDED_MASTER_SECRET;
166 }
167 /* Configure the negotiation content to support the extended master secret */
168 ctx->negotiatedInfo.isExtendedMasterSecret = (ctx->hsCtx->extFlag.haveExtendedMasterSecret &&
169 serverHello->haveExtendedMasterSecret);
170 return HITLS_SUCCESS;
171 }
172 #ifdef HITLS_TLS_PROTO_TLS13
ClientCheckKeyShare(TLS_Ctx * ctx,const ServerHelloMsg * serverHello)173 static int32_t ClientCheckKeyShare(TLS_Ctx *ctx, const ServerHelloMsg *serverHello)
174 {
175 if ((!ctx->hsCtx->extFlag.haveKeyShare) && serverHello->haveKeyShare) {
176 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15265, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
177 "client did not send but get key share.", 0, 0, 0, 0);
178 ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, ALERT_UNSUPPORTED_EXTENSION);
179 BSL_ERR_PUSH_ERROR(HITLS_MSG_HANDLE_UNSUPPORT_EXTENSION_TYPE);
180 return HITLS_MSG_HANDLE_UNSUPPORT_EXTENSION_TYPE;
181 }
182
183 return HITLS_SUCCESS;
184 }
185
ClientCheckPreShareKey(TLS_Ctx * ctx,const ServerHelloMsg * serverHello)186 static int32_t ClientCheckPreShareKey(TLS_Ctx *ctx, const ServerHelloMsg *serverHello)
187 {
188 if ((!ctx->hsCtx->extFlag.havePreShareKey) && serverHello->haveSelectedIdentity) {
189 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15266, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
190 "client did not send but get pre share key.", 0, 0, 0, 0);
191 ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, ALERT_UNSUPPORTED_EXTENSION);
192 BSL_ERR_PUSH_ERROR(HITLS_MSG_HANDLE_UNSUPPORT_EXTENSION_TYPE);
193 return HITLS_MSG_HANDLE_UNSUPPORT_EXTENSION_TYPE;
194 }
195
196 return HITLS_SUCCESS;
197 }
198
ClientCheckSupportedVersions(TLS_Ctx * ctx,const ServerHelloMsg * serverHello)199 static int32_t ClientCheckSupportedVersions(TLS_Ctx *ctx, const ServerHelloMsg *serverHello)
200 {
201 if ((!ctx->hsCtx->extFlag.haveSupportedVers) && serverHello->haveSupportedVersion) {
202 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID16133, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
203 "client did not send but get supported versions.", 0, 0, 0, 0);
204 ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, ALERT_UNSUPPORTED_EXTENSION);
205 BSL_ERR_PUSH_ERROR(HITLS_MSG_HANDLE_UNSUPPORT_EXTENSION_TYPE);
206 return HITLS_MSG_HANDLE_UNSUPPORT_EXTENSION_TYPE;
207 }
208
209 return HITLS_SUCCESS;
210 }
211 #endif /* HITLS_TLS_PROTO_TLS13 */
212 #if defined(HITLS_TLS_PROTO_TLS_BASIC) || defined(HITLS_TLS_PROTO_DTLS12)
ClientCheckRenegoInfoDuringFirstHandshake(TLS_Ctx * ctx,const ServerHelloMsg * serverHello)213 static int32_t ClientCheckRenegoInfoDuringFirstHandshake(TLS_Ctx *ctx, const ServerHelloMsg *serverHello)
214 {
215 /* If the peer does not support the renegotiation, return */
216 if (!serverHello->haveSecRenego) {
217 /* Renegotiate info is not checked in tls13 protocol. */
218 if (ctx->negotiatedInfo.version == HITLS_VERSION_TLS13) {
219 return HITLS_SUCCESS;
220 }
221 if (!ctx->config.tlsConfig.allowLegacyRenegotiate) {
222 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15899, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
223 "Legacy Renegotiate is not allowed.", 0, 0, 0, 0);
224 ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, ALERT_HANDSHAKE_FAILURE);
225 BSL_ERR_PUSH_ERROR(HITLS_MSG_HANDLE_RENEGOTIATION_FAIL);
226 return HITLS_MSG_HANDLE_RENEGOTIATION_FAIL;
227 }
228 return HITLS_SUCCESS;
229 }
230
231 /* For the first handshake, if the security renegotiation information is not empty, a failure message is returned.
232 */
233 if (serverHello->secRenegoInfoSize != 0) {
234 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15958, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
235 "secRenegoInfoSize should be 0 in client initial handhsake.", 0, 0, 0, 0);
236 ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, ALERT_HANDSHAKE_FAILURE);
237 BSL_ERR_PUSH_ERROR(HITLS_MSG_HANDLE_RENEGOTIATION_FAIL);
238 return HITLS_MSG_HANDLE_RENEGOTIATION_FAIL;
239 }
240
241 /* Configure the security renegotiation function */
242 ctx->negotiatedInfo.isSecureRenegotiation = true;
243 return HITLS_SUCCESS;
244 }
245 #ifdef HITLS_TLS_FEATURE_RENEGOTIATION
ClientCheckRenegoInfoDuringRenegotiation(TLS_Ctx * ctx,const ServerHelloMsg * serverHello)246 static int32_t ClientCheckRenegoInfoDuringRenegotiation(TLS_Ctx *ctx, const ServerHelloMsg *serverHello)
247 {
248 /* Verify the security renegotiation information */
249 const uint8_t *clientData = ctx->negotiatedInfo.clientVerifyData;
250 uint32_t clientDataSize = ctx->negotiatedInfo.clientVerifyDataSize;
251 const uint8_t *serverData = ctx->negotiatedInfo.serverVerifyData;
252 uint32_t serverDataSize = ctx->negotiatedInfo.serverVerifyDataSize;
253 if (clientData == NULL || serverData == NULL) {
254 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID17085, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN, "intput null", 0, 0, 0, 0);
255 BSL_ERR_PUSH_ERROR(HITLS_NULL_INPUT);
256 return HITLS_NULL_INPUT;
257 }
258 if (serverHello->secRenegoInfoSize != (clientDataSize + serverDataSize)) {
259 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15900, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
260 "secRenegoInfoSize(%u) error, expect %u.", serverHello->secRenegoInfoSize,
261 (clientDataSize + serverDataSize), 0, 0);
262 ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, ALERT_HANDSHAKE_FAILURE);
263 BSL_ERR_PUSH_ERROR(HITLS_MSG_HANDLE_RENEGOTIATION_FAIL);
264 return HITLS_MSG_HANDLE_RENEGOTIATION_FAIL;
265 }
266 if (memcmp(serverHello->secRenegoInfo, clientData, clientDataSize) != 0) {
267 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15901, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
268 "check client secRenegoInfo verify data failed during renegotiation.", 0, 0, 0, 0);
269 ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, ALERT_HANDSHAKE_FAILURE);
270 BSL_ERR_PUSH_ERROR(HITLS_MSG_HANDLE_RENEGOTIATION_FAIL);
271 return HITLS_MSG_HANDLE_RENEGOTIATION_FAIL;
272 }
273 if (memcmp(&serverHello->secRenegoInfo[clientDataSize], serverData, serverDataSize) != 0) {
274 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15902, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
275 "check server secRenegoInfo verify data failed during renegotiation.", 0, 0, 0, 0);
276 ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, ALERT_HANDSHAKE_FAILURE);
277 BSL_ERR_PUSH_ERROR(HITLS_MSG_HANDLE_RENEGOTIATION_FAIL);
278 return HITLS_MSG_HANDLE_RENEGOTIATION_FAIL;
279 }
280 return HITLS_SUCCESS;
281 }
282 #endif /* HITLS_TLS_FEATURE_RENEGOTIATION */
ClientCheckAndProcessRenegoInfo(TLS_Ctx * ctx,const ServerHelloMsg * serverHello)283 static int32_t ClientCheckAndProcessRenegoInfo(TLS_Ctx *ctx, const ServerHelloMsg *serverHello)
284 {
285 /* Not in the renegotiation state */
286 if (!ctx->negotiatedInfo.isRenegotiation) {
287 return ClientCheckRenegoInfoDuringFirstHandshake(ctx, serverHello);
288 }
289 #ifdef HITLS_TLS_FEATURE_RENEGOTIATION
290 /* Renegotiation state */
291 return ClientCheckRenegoInfoDuringRenegotiation(ctx, serverHello);
292 #else
293 return HITLS_SUCCESS;
294 #endif /* HITLS_TLS_FEATURE_RENEGOTIATION */
295 }
296 #endif /* defined(HITLS_TLS_PROTO_TLS_BASIC) || defined(HITLS_TLS_PROTO_DTLS12) */
297 #ifdef HITLS_TLS_FEATURE_SESSION_TICKET
ClientCheckTicketExternsion(TLS_Ctx * ctx,const ServerHelloMsg * serverHello)298 static int32_t ClientCheckTicketExternsion(TLS_Ctx *ctx, const ServerHelloMsg *serverHello)
299 {
300 if ((!ctx->hsCtx->extFlag.haveTicket) && serverHello->haveTicket) {
301 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15972, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
302 "client did not send but get ticket externsion.", 0, 0, 0, 0);
303 ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, ALERT_UNSUPPORTED_EXTENSION);
304 BSL_ERR_PUSH_ERROR(HITLS_MSG_HANDLE_UNSUPPORT_EXTENSION_TYPE);
305 return HITLS_MSG_HANDLE_UNSUPPORT_EXTENSION_TYPE;
306 }
307
308 if (ctx->negotiatedInfo.version == HITLS_VERSION_TLS13 && serverHello->haveTicket) {
309 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15912, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
310 "TLS1.3 client get server hello ticket externsion.", 0, 0, 0, 0);
311 ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, ALERT_UNSUPPORTED_EXTENSION);
312 BSL_ERR_PUSH_ERROR(HITLS_MSG_HANDLE_UNSUPPORT_EXTENSION_TYPE);
313 return HITLS_MSG_HANDLE_UNSUPPORT_EXTENSION_TYPE;
314 }
315
316 /* Set whether to support ticket extension */
317 ctx->negotiatedInfo.isTicket = serverHello->haveTicket;
318 return HITLS_SUCCESS;
319 }
320 #endif /* HITLS_TLS_FEATURE_SESSION_TICKET */
321 #ifdef HITLS_TLS_FEATURE_ETM
ClientCheckEncryptThenMac(TLS_Ctx * ctx,const ServerHelloMsg * serverHello)322 static int32_t ClientCheckEncryptThenMac(TLS_Ctx *ctx, const ServerHelloMsg *serverHello)
323 {
324 if (!ctx->hsCtx->extFlag.haveEncryptThenMac && serverHello->haveEncryptThenMac) {
325 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15920, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
326 "client did not send but get encrypt then mac.", 0, 0, 0, 0);
327 ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, ALERT_UNSUPPORTED_EXTENSION);
328 BSL_ERR_PUSH_ERROR(HITLS_MSG_HANDLE_UNSUPPORT_EXTENSION_TYPE);
329 return HITLS_MSG_HANDLE_UNSUPPORT_EXTENSION_TYPE;
330 }
331
332 /* The user does not support the EncryptThenMac extension, but receives the EncryptThenMac extension from the server
333 */
334 if (!ctx->config.tlsConfig.isEncryptThenMac && serverHello->haveEncryptThenMac) {
335 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15931, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
336 "client do not support encrypt then mac.", 0, 0, 0, 0);
337 ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, ALERT_UNSUPPORTED_EXTENSION);
338 BSL_ERR_PUSH_ERROR(HITLS_MSG_HANDLE_UNSUPPORT_EXTENSION_TYPE);
339 return HITLS_MSG_HANDLE_UNSUPPORT_EXTENSION_TYPE;
340 }
341
342 /* During renegotiation, EncryptThenMac cannot be converted to MacThenEncrypt */
343 if (ctx->negotiatedInfo.isRenegotiation && ctx->negotiatedInfo.isEncryptThenMac &&
344 !serverHello->haveEncryptThenMac) {
345 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15934, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
346 "regotiation should not change encrypt then mac to mac then encrypt.", 0, 0, 0, 0);
347 ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, ALERT_HANDSHAKE_FAILURE);
348 BSL_ERR_PUSH_ERROR(HITLS_MSG_HANDLE_ENCRYPT_THEN_MAC_ERR);
349 return HITLS_MSG_HANDLE_ENCRYPT_THEN_MAC_ERR;
350 }
351
352 /* This extension does not need to be negotiated for tls1.3 */
353 if (ctx->negotiatedInfo.version == HITLS_VERSION_TLS13) {
354 return HITLS_SUCCESS;
355 }
356
357 /* Set the negotiated EncryptThenMac */
358 if (serverHello->haveEncryptThenMac) {
359 ctx->negotiatedInfo.isEncryptThenMac = true;
360 } else {
361 ctx->negotiatedInfo.isEncryptThenMac = false;
362 }
363
364 return HITLS_SUCCESS;
365 }
366 #endif /* HITLS_TLS_FEATURE_ETM */
367
ClientCheckExtensionsFlag(TLS_Ctx * ctx,const ServerHelloMsg * serverHello)368 static int32_t ClientCheckExtensionsFlag(TLS_Ctx *ctx, const ServerHelloMsg *serverHello)
369 {
370 static const CheckExtFunc extInfoList[] = {
371 ClientCheckPointFormats,
372 #ifdef HITLS_TLS_FEATURE_SNI
373 ClientCheckServerName,
374 #endif /* HITLS_TLS_FEATURE_SNI */
375 ClientCheckExtendedMasterSecret,
376 #ifdef HITLS_TLS_FEATURE_ALPN
377 ClientCheckNegotiatedAlpnOfServerHello,
378 #endif /* HITLS_TLS_FEATURE_ALPN */
379 #ifdef HITLS_TLS_PROTO_TLS13
380 ClientCheckKeyShare,
381 ClientCheckPreShareKey,
382 ClientCheckSupportedVersions,
383 #endif /* HITLS_TLS_PROTO_TLS13 */
384 #if defined(HITLS_TLS_PROTO_TLS_BASIC) || defined(HITLS_TLS_PROTO_DTLS12)
385 ClientCheckAndProcessRenegoInfo,
386 #endif /* defined(HITLS_TLS_PROTO_TLS_BASIC) || defined(HITLS_TLS_PROTO_DTLS12) */
387 #ifdef HITLS_TLS_FEATURE_SESSION_TICKET
388 ClientCheckTicketExternsion,
389 #endif /* HITLS_TLS_FEATURE_SESSION_TICKET */
390 #ifdef HITLS_TLS_FEATURE_ETM
391 ClientCheckEncryptThenMac,
392 #endif /* HITLS_TLS_FEATURE_ETM */
393 };
394
395 int32_t ret;
396 for (uint32_t i = 0; i < sizeof(extInfoList) / sizeof(extInfoList[0]); i++) {
397 ret = extInfoList[i](ctx, serverHello);
398 if (ret != HITLS_SUCCESS) {
399 return ret;
400 }
401 }
402
403 return HITLS_SUCCESS;
404 }
405
IsCipherSuiteSupport(const TLS_Ctx * ctx,uint16_t cipherSuite)406 static bool IsCipherSuiteSupport(const TLS_Ctx *ctx, uint16_t cipherSuite)
407 {
408 if (!IsCipherSuiteAllowed(ctx, cipherSuite)) {
409 return false;
410 }
411 #ifdef HITLS_TLS_PROTO_TLS13
412 if (ctx->negotiatedInfo.version == HITLS_VERSION_TLS13) {
413 for (uint32_t index = 0; index < ctx->config.tlsConfig.tls13cipherSuitesSize; index++) {
414 if (cipherSuite == ctx->config.tlsConfig.tls13CipherSuites[index]) {
415 return true;
416 }
417 }
418 }
419 #endif /* HITLS_TLS_PROTO_TLS13 */
420 for (uint32_t index = 0; index < ctx->config.tlsConfig.cipherSuitesSize; index++) {
421 if (cipherSuite == ctx->config.tlsConfig.cipherSuites[index]) {
422 return true;
423 }
424 }
425 return false;
426 }
427
ClientCheckCipherSuite(TLS_Ctx * ctx,const ServerHelloMsg * serverHello,bool isHrr)428 static int32_t ClientCheckCipherSuite(TLS_Ctx *ctx, const ServerHelloMsg *serverHello, bool isHrr)
429 {
430 int32_t ret = HITLS_SUCCESS;
431 (void)isHrr;
432 if (!IsCipherSuiteSupport(ctx, serverHello->cipherSuite)) {
433 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15269, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
434 "no supported cipher suites found.", 0, 0, 0, 0);
435 ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, ALERT_ILLEGAL_PARAMETER);
436 BSL_ERR_PUSH_ERROR(HITLS_MSG_HANDLE_CIPHER_SUITE_ERR);
437 return HITLS_MSG_HANDLE_CIPHER_SUITE_ERR;
438 }
439 #ifdef HITLS_TLS_PROTO_TLS13
440 /* In TLS1.3, if the hello retry request message is received, ensure that the cipherSuite of the server hello
441 * message is the same as the cipherSuite */
442 if (!isHrr && ctx->hsCtx->haveHrr) {
443 if (serverHello->cipherSuite != ctx->negotiatedInfo.cipherSuiteInfo.cipherSuite) {
444 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15270, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
445 "cipherSuite in server hello (0x%02x) is defferent from hello retry request (0x%02x).",
446 serverHello->cipherSuite, ctx->negotiatedInfo.cipherSuiteInfo.cipherSuite, 0, 0);
447 ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, ALERT_ILLEGAL_PARAMETER);
448 BSL_ERR_PUSH_ERROR(HITLS_MSG_HANDLE_ILLEGAL_CIPHER_SUITE);
449 return HITLS_MSG_HANDLE_ILLEGAL_CIPHER_SUITE;
450 }
451 return HITLS_SUCCESS;
452 }
453 #endif /* HITLS_TLS_PROTO_TLS13 */
454
455 ret = CFG_GetCipherSuiteInfo(serverHello->cipherSuite, &ctx->negotiatedInfo.cipherSuiteInfo);
456 if (ret != HITLS_SUCCESS) {
457 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15271, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
458 "get cipher suite information fail.", 0, 0, 0, 0);
459 ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, ALERT_INTERNAL_ERROR);
460 return ret;
461 }
462 #ifdef HITLS_TLS_FEATURE_SECURITY
463 /* Check the security of the cipher suite */
464 ret = SECURITY_SslCheck((HITLS_Ctx *)ctx, HITLS_SECURITY_SECOP_CIPHER_SHARED, 0, 0,
465 (void *)&ctx->negotiatedInfo.cipherSuiteInfo);
466 if (ret != SECURITY_SUCCESS) {
467 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID17087, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
468 "SslCheck fail, ret %d", ret, 0, 0, 0);
469 ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, ALERT_INSUFFICIENT_SECURITY);
470 BSL_ERR_PUSH_ERROR(HITLS_MSG_HANDLE_UNSECURE_CIPHER_SUITE);
471 return HITLS_MSG_HANDLE_UNSECURE_CIPHER_SUITE;
472 }
473 #endif /* HITLS_TLS_FEATURE_SECURITY */
474 /* Sets the key negotiation algorithm. */
475 ctx->hsCtx->kxCtx->keyExchAlgo = ctx->negotiatedInfo.cipherSuiteInfo.kxAlg;
476
477 BSL_LOG_BINLOG_VARLEN(BINLOG_ID15272, BSL_LOG_LEVEL_INFO, BSL_LOG_BINLOG_TYPE_RUN,
478 "ClientCheckCipherSuite: negotiated ciphersuite is [%s].",
479 ctx->negotiatedInfo.cipherSuiteInfo.name);
480 return HITLS_SUCCESS;
481 }
482
483 #if defined(HITLS_TLS_PROTO_TLS_BASIC) || defined(HITLS_TLS_PROTO_DTLS12)
ClientCheckVersion(TLS_Ctx * ctx,const ServerHelloMsg * serverHello)484 static int32_t ClientCheckVersion(TLS_Ctx *ctx, const ServerHelloMsg *serverHello)
485 {
486 uint16_t clientMinVersion = ctx->config.tlsConfig.minVersion;
487 uint16_t clientMaxVersion = ctx->config.tlsConfig.maxVersion;
488 uint16_t serverVersion = serverHello->version;
489
490 if (IS_SUPPORT_DATAGRAM(ctx->config.tlsConfig.originVersionMask)) {
491 if ((serverVersion > clientMinVersion) || (serverVersion < clientMaxVersion)) {
492 /* The DTLS version selected by the server is too early and the negotiation cannot be continued */
493 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15267, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
494 "client support version is from %02x to %02x, server selected unsupported version %02x.",
495 clientMinVersion, clientMaxVersion, serverVersion, 0);
496 ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, ALERT_PROTOCOL_VERSION);
497 BSL_ERR_PUSH_ERROR(HITLS_MSG_HANDLE_UNSUPPORT_VERSION);
498 return HITLS_MSG_HANDLE_UNSUPPORT_VERSION;
499 }
500 } else {
501 if ((serverVersion < clientMinVersion) || (serverVersion > clientMaxVersion)) {
502 /* The TLS version selected by the server is too early and cannot be negotiated */
503 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15268, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
504 "client support version is from %02x to %02x, server selected unsupported version %02x.",
505 clientMinVersion, clientMaxVersion, serverVersion, 0);
506 ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, ALERT_PROTOCOL_VERSION);
507 BSL_ERR_PUSH_ERROR(HITLS_MSG_HANDLE_UNSUPPORT_VERSION);
508 return HITLS_MSG_HANDLE_UNSUPPORT_VERSION;
509 }
510 }
511 #ifdef HITLS_TLS_FEATURE_SECURITY
512 int32_t ret = SECURITY_SslCheck((HITLS_Ctx *)ctx, HITLS_SECURITY_SECOP_VERSION, 0, serverHello->version, NULL);
513 if (ret != SECURITY_SUCCESS) {
514 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID17088, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
515 "SslCheck fail, ret %d", ret, 0, 0, 0);
516 ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, ALERT_INSUFFICIENT_SECURITY);
517 BSL_ERR_PUSH_ERROR(HITLS_MSG_HANDLE_UNSECURE_VERSION);
518 return HITLS_MSG_HANDLE_UNSECURE_VERSION;
519 }
520 #endif /* HITLS_TLS_FEATURE_SECURITY */
521 ctx->negotiatedInfo.version = serverVersion;
522 return HITLS_SUCCESS;
523 }
524
525 #ifdef HITLS_TLS_FEATURE_SESSION
ClientCheckResumeServerHello(TLS_Ctx * ctx,const ServerHelloMsg * serverHello)526 static int32_t ClientCheckResumeServerHello(TLS_Ctx *ctx, const ServerHelloMsg *serverHello)
527 {
528 uint16_t version = 0;
529 uint16_t cipherSuite = 0;
530 uint8_t haveExtMasterSecret = 0;
531
532 HITLS_SESS_GetProtocolVersion(ctx->session, &version);
533 HITLS_SESS_GetCipherSuite(ctx->session, &cipherSuite);
534 HITLS_SESS_GetHaveExtMasterSecret(ctx->session, &haveExtMasterSecret);
535
536 /* Check the version information */
537 if (serverHello->version != version) {
538 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15273, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
539 "the version of resume server hello is different from the pre connect.", 0, 0, 0, 0);
540 ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, ALERT_ILLEGAL_PARAMETER);
541 BSL_ERR_PUSH_ERROR(HITLS_MSG_HANDLE_ILLEGAL_VERSION);
542 return HITLS_MSG_HANDLE_ILLEGAL_VERSION;
543 }
544
545 /* Check the cipher suite information */
546 if (serverHello->cipherSuite != cipherSuite) {
547 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15274, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
548 "the cipher suite of resume server hello is different from the pre connect.", 0, 0, 0, 0);
549 ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, ALERT_ILLEGAL_PARAMETER);
550 BSL_ERR_PUSH_ERROR(HITLS_MSG_HANDLE_ILLEGAL_CIPHER_SUITE);
551 return HITLS_MSG_HANDLE_ILLEGAL_CIPHER_SUITE;
552 }
553
554 /* Check the extended master secret information */
555 if (serverHello->haveExtendedMasterSecret != (bool)haveExtMasterSecret) {
556 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15275, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
557 "session resume error:can not downgrade from extended master secret.", 0, 0, 0, 0);
558 ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, ALERT_HANDSHAKE_FAILURE);
559 BSL_ERR_PUSH_ERROR(HITLS_MSG_HANDLE_ILLEGAL_EXTRENED_MASTER_SECRET);
560 return HITLS_MSG_HANDLE_ILLEGAL_EXTRENED_MASTER_SECRET;
561 }
562
563 return HITLS_SUCCESS;
564 }
565
SessionIdCmp(TLS_Ctx * ctx,const ServerHelloMsg * serverHello)566 static bool SessionIdCmp(TLS_Ctx *ctx, const ServerHelloMsg *serverHello)
567 {
568 HS_Ctx *hsCtx = (HS_Ctx *)ctx->hsCtx;
569
570 if ((hsCtx->sessionIdSize == 0u) || (serverHello->sessionIdSize == 0u)) {
571 return false;
572 }
573
574 if (hsCtx->sessionIdSize != serverHello->sessionIdSize) {
575 return false;
576 }
577
578 if (memcmp(hsCtx->sessionId, serverHello->sessionId, hsCtx->sessionIdSize) != 0) {
579 return false;
580 }
581
582 return true;
583 }
584
ClientCopySessionId(TLS_Ctx * ctx,const ServerHelloMsg * serverHello)585 static int32_t ClientCopySessionId(TLS_Ctx *ctx, const ServerHelloMsg *serverHello)
586 {
587 int32_t ret = HITLS_SUCCESS;
588 HS_Ctx *hsCtx = (HS_Ctx *)ctx->hsCtx;
589
590 BSL_SAL_FREE(hsCtx->sessionId);
591
592 hsCtx->sessionId = (uint8_t *)BSL_SAL_Calloc(1u, HITLS_SESSION_ID_MAX_SIZE);
593 if (hsCtx->sessionId == NULL) {
594 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15276, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
595 "session Id malloc fail.", 0, 0, 0, 0);
596 BSL_ERR_PUSH_ERROR(HITLS_MEMALLOC_FAIL);
597 return HITLS_MEMALLOC_FAIL;
598 }
599
600 ret = memcpy_s(hsCtx->sessionId, HITLS_SESSION_ID_MAX_SIZE, serverHello->sessionId, serverHello->sessionIdSize);
601 if (ret != EOK) {
602 BSL_SAL_FREE(hsCtx->sessionId);
603 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15277, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
604 "session Id memcpy fail.", 0, 0, 0, 0);
605 BSL_ERR_PUSH_ERROR(HITLS_MEMCPY_FAIL);
606 return HITLS_MEMCPY_FAIL;
607 }
608
609 hsCtx->sessionIdSize = serverHello->sessionIdSize;
610 return HITLS_SUCCESS;
611 }
612
ClientCheckIfResumeFromSession(TLS_Ctx * ctx,const ServerHelloMsg * serverHello)613 static int32_t ClientCheckIfResumeFromSession(TLS_Ctx *ctx, const ServerHelloMsg *serverHello)
614 {
615 bool isResume = false;
616
617 ctx->negotiatedInfo.isResume = false;
618
619 if (ctx->session == NULL || serverHello->sessionIdSize == 0u) {
620 return HITLS_SUCCESS;
621 }
622
623 isResume = SessionIdCmp(ctx, serverHello);
624 if (isResume == true) {
625 /* Resume the session */
626 ctx->negotiatedInfo.isResume = true;
627 /* Check whether the version number, cipher suite, and master key extension match */
628 return ClientCheckResumeServerHello(ctx, serverHello);
629 }
630
631 return HITLS_SUCCESS;
632 }
633 #endif /* HITLS_TLS_FEATURE_SESSION */
634
ClientCheckServerHello(TLS_Ctx * ctx,const ServerHelloMsg * serverHello)635 static int32_t ClientCheckServerHello(TLS_Ctx *ctx, const ServerHelloMsg *serverHello)
636 {
637 int32_t ret = ClientCheckVersion(ctx, serverHello);
638 if (ret != HITLS_SUCCESS) {
639 return ret;
640 }
641
642 ret = memcpy_s(ctx->hsCtx->serverRandom, HS_RANDOM_SIZE, serverHello->randomValue, HS_RANDOM_SIZE);
643 if (ret != EOK) {
644 return ret;
645 }
646 #ifdef HITLS_TLS_FEATURE_SESSION
647 /* Check the session resumption. Check whether the session ID, version number, cipher suite, and master key
648 * extension match */
649 ret = ClientCheckIfResumeFromSession(ctx, serverHello);
650 if (ret != HITLS_SUCCESS) {
651 return ret;
652 }
653
654 /* Save the session ID for complete handshake */
655 if (ctx->negotiatedInfo.isResume == false && serverHello->sessionIdSize > 0) {
656 ret = ClientCopySessionId(ctx, serverHello);
657 if (ret != HITLS_SUCCESS) {
658 return ret;
659 }
660 }
661 #endif /* HITLS_TLS_FEATURE_SESSION */
662 ret = ClientCheckCipherSuite(ctx, serverHello, false);
663 if (ret != HITLS_SUCCESS) {
664 return ret;
665 }
666
667 ret = HS_CheckReceivedExtension(ctx, SERVER_HELLO, serverHello->extensionTypeMask,
668 HS_EX_TYPE_TLS1_2_ALLOWED_OF_SERVER_HELLO);
669 if (ret != HITLS_SUCCESS) {
670 return ret;
671 }
672
673 return ClientCheckExtensionsFlag(ctx, serverHello);
674 }
675 // The client processes the Server Hello message
ClientRecvServerHelloProcess(TLS_Ctx * ctx,const HS_Msg * msg)676 int32_t ClientRecvServerHelloProcess(TLS_Ctx *ctx, const HS_Msg *msg)
677 {
678 int32_t ret = HITLS_SUCCESS;
679 const ServerHelloMsg *serverHello = &msg->body.serverHello;
680
681 ret = ClientCheckServerHello(ctx, serverHello);
682 if (ret != HITLS_SUCCESS) {
683 return ret;
684 }
685
686 ret = VERIFY_SetHash(LIBCTX_FROM_CTX(ctx), ATTRIBUTE_FROM_CTX(ctx),
687 ctx->hsCtx->verifyCtx, ctx->negotiatedInfo.cipherSuiteInfo.hashAlg);
688 if (ret != HITLS_SUCCESS) {
689 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID17089, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
690 "VERIFY_SetHash fail", 0, 0, 0, 0);
691 return ret;
692 }
693 #ifdef HITLS_TLS_FEATURE_SESSION
694 if (ctx->negotiatedInfo.isResume == true) {
695 ret = HS_ResumeKeyEstablish(ctx);
696 if (ret != HITLS_SUCCESS) {
697 return ret;
698 }
699 if (ctx->negotiatedInfo.isTicket) {
700 return HS_ChangeState(ctx, TRY_RECV_NEW_SESSION_TICKET);
701 }
702 /* Calculate the 'server verify data' for verifying the 'finished' message of the server. */
703 ret = VERIFY_CalcVerifyData(ctx, false, ctx->hsCtx->masterKey, MASTER_SECRET_LEN);
704 if (ret != HITLS_SUCCESS) {
705 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15278, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
706 "client Calculate server finished data error.", 0, 0, 0, 0);
707 ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, ALERT_INTERNAL_ERROR);
708 return ret;
709 }
710 ctx->method.ctrlCCS(ctx, CCS_CMD_RECV_READY);
711 ctx->method.ctrlCCS(ctx, CCS_CMD_RECV_ACTIVE_CIPHER_SPEC);
712 return HS_ChangeState(ctx, TRY_RECV_FINISH);
713 }
714 #endif /* HITLS_TLS_FEATURE_SESSION */
715 /* If the server rejects the session resume request, the system clears the ccs that may be received in disorder */
716 ctx->method.ctrlCCS(ctx, CCS_CMD_RECV_EXIT_READY);
717
718 /* Update the state machine. */
719 /* If the PSK, DHE_PSK, ECDHE_PSK, or ANON_DH key negotiation is used, skip TRY_RECV_CERTIFICATIONATE */
720 #ifdef HITLS_TLS_FEATURE_PSK
721 if (!IsNeedCertPrepare(&ctx->negotiatedInfo.cipherSuiteInfo)) {
722 return HS_ChangeState(ctx, TRY_RECV_SERVER_KEY_EXCHANGE);
723 }
724 #endif /* HITLS_TLS_FEATURE_PSK */
725 return HS_ChangeState(ctx, TRY_RECV_CERTIFICATE);
726 }
727 #endif /* HITLS_TLS_PROTO_TLS_BASIC || HITLS_TLS_PROTO_DTLS12 */
728 #ifdef HITLS_TLS_PROTO_TLS13
Tls13ClientCheckHelloRetryRequest(TLS_Ctx * ctx,const ServerHelloMsg * helloRetryRequest)729 static int32_t Tls13ClientCheckHelloRetryRequest(TLS_Ctx *ctx, const ServerHelloMsg *helloRetryRequest)
730 {
731 /* If the second Hello Retry Request message is received over the same link, an alert message needs to be sent */
732 if (ctx->hsCtx->haveHrr) {
733 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15279, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
734 "duplicate hello retry request.", 0, 0, 0, 0);
735 ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, ALERT_UNEXPECTED_MESSAGE);
736 BSL_ERR_PUSH_ERROR(HITLS_MSG_HANDLE_DUPLICATE_HELLO_RETYR_REQUEST);
737 return HITLS_MSG_HANDLE_DUPLICATE_HELLO_RETYR_REQUEST;
738 }
739
740 ctx->hsCtx->haveHrr = true; /* Update state: The hello retry request has been received */
741
742 /* The supportedVersion is a mandatory extension */
743 if (helloRetryRequest->haveSupportedVersion == false) {
744 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15280, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
745 "missing supported version extension in server hello or hello retry request.", 0, 0, 0, 0);
746 ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, ALERT_MISSING_EXTENSION);
747 BSL_ERR_PUSH_ERROR(HITLS_MSG_HANDLE_MISSING_EXTENSION);
748 return HITLS_MSG_HANDLE_MISSING_EXTENSION;
749 }
750
751 /* If the hello retry request does not modify the client hello, an alert message is sent */
752 if ((helloRetryRequest->haveCookie == false) &&
753 (helloRetryRequest->haveKeyShare == false)) {
754 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15281, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
755 "the hello retry reques would not result in any change in the client hello.", 0, 0, 0, 0);
756 ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, ALERT_ILLEGAL_PARAMETER);
757 BSL_ERR_PUSH_ERROR(HITLS_MSG_HANDLE_MISSING_EXTENSION);
758 return HITLS_MSG_HANDLE_MISSING_EXTENSION;
759 }
760
761 return HITLS_SUCCESS;
762 }
763
Tls13ClientCheckSessionId(TLS_Ctx * ctx,const ServerHelloMsg * serverHello)764 static int32_t Tls13ClientCheckSessionId(TLS_Ctx *ctx, const ServerHelloMsg *serverHello)
765 {
766 /* The legacy_session_id_echo field must be the same as the sent field */
767 if (ctx->hsCtx->sessionIdSize != serverHello->sessionIdSize) {
768 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID17090, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
769 "sessionIdSize err", 0, 0, 0, 0);
770 BSL_ERR_PUSH_ERROR(HITLS_MSG_HANDLE_ILLEGAL_SESSION_ID);
771 ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, ALERT_ILLEGAL_PARAMETER);
772 return HITLS_MSG_HANDLE_ILLEGAL_SESSION_ID;
773 }
774 if (serverHello->sessionIdSize != 0) {
775 if (memcmp(ctx->hsCtx->sessionId, serverHello->sessionId, serverHello->sessionIdSize) != 0) {
776 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID17091, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
777 "sessionId err", 0, 0, 0, 0);
778 BSL_ERR_PUSH_ERROR(HITLS_MSG_HANDLE_ILLEGAL_SESSION_ID);
779 ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, ALERT_ILLEGAL_PARAMETER);
780 return HITLS_MSG_HANDLE_ILLEGAL_SESSION_ID;
781 }
782 }
783 return HITLS_SUCCESS;
784 }
785
Tls13ClientCheckServerHello(TLS_Ctx * ctx,const ServerHelloMsg * serverHello,bool isHrr)786 static int32_t Tls13ClientCheckServerHello(TLS_Ctx *ctx, const ServerHelloMsg *serverHello, bool isHrr)
787 {
788 int32_t ret = HITLS_SUCCESS;
789
790 ctx->negotiatedInfo.version = serverHello->supportedVersion;
791
792 ret = memcpy_s(ctx->hsCtx->serverRandom, HS_RANDOM_SIZE, serverHello->randomValue, HS_RANDOM_SIZE);
793 if (ret != EOK) {
794 return ret;
795 }
796
797 ret = Tls13ClientCheckSessionId(ctx, serverHello);
798 if (ret != HITLS_SUCCESS) {
799 return ret;
800 }
801
802 return ClientCheckCipherSuite(ctx, serverHello, isHrr);
803 }
804
ClientCheckHrrKeyShareExtension(TLS_Ctx * ctx,const ServerHelloMsg * helloRetryRequest)805 static int32_t ClientCheckHrrKeyShareExtension(TLS_Ctx *ctx, const ServerHelloMsg *helloRetryRequest)
806 {
807 if (helloRetryRequest->haveKeyShare == false) {
808 return HITLS_SUCCESS;
809 }
810
811 /* The keyshare extension of hrr contains only group and does not contain other fields */
812 if (helloRetryRequest->keyShare.keyExchangeSize != 0) {
813 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15282, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
814 "the keyshare keyExchangeSize is not 0 in hrr keyshare.", 0, 0, 0, 0);
815 ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, ALERT_ILLEGAL_PARAMETER);
816 BSL_ERR_PUSH_ERROR(HITLS_MSG_HANDLE_ILLEGAL_SELECTED_GROUP);
817 return HITLS_MSG_HANDLE_ILLEGAL_SELECTED_GROUP;
818 }
819
820 uint16_t selectedGroup = helloRetryRequest->keyShare.group;
821 const uint16_t *groups = ctx->config.tlsConfig.groups;
822 uint32_t numOfGroups = ctx->config.tlsConfig.groupsSize;
823
824 /* The selected group exist in the key share extension of the original client hello and no cookie exchange requested */
825 if (ctx->negotiatedInfo.cookie == NULL && (selectedGroup == ctx->hsCtx->kxCtx->keyExchParam.share.group ||
826 selectedGroup == ctx->hsCtx->kxCtx->keyExchParam.share.secondGroup)) {
827 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15283, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
828 "the selected group extension is corresponded to a group in client hello key share.", 0, 0, 0, 0);
829 ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, ALERT_ILLEGAL_PARAMETER);
830 BSL_ERR_PUSH_ERROR(HITLS_MSG_HANDLE_ILLEGAL_SELECTED_GROUP);
831 return HITLS_MSG_HANDLE_ILLEGAL_SELECTED_GROUP;
832 }
833
834 /* The selected group must exist in the supported groups extension of the original client hello */
835 bool found = false;
836 for (uint32_t i = 0; i < numOfGroups; i++) {
837 if (selectedGroup == groups[i]) {
838 found = true;
839 break;
840 }
841 }
842 if (found == false) {
843 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15284, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
844 "the selected group extension could not correspond to a group in client hello supported groups.",
845 0, 0, 0, 0);
846 ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, ALERT_ILLEGAL_PARAMETER);
847 BSL_ERR_PUSH_ERROR(HITLS_MSG_HANDLE_ILLEGAL_SELECTED_GROUP);
848 return HITLS_MSG_HANDLE_ILLEGAL_SELECTED_GROUP;
849 }
850 if (selectedGroup == ctx->hsCtx->kxCtx->keyExchParam.share.secondGroup) {
851 SAL_CRYPT_FreeEcdhKey(ctx->hsCtx->kxCtx->key);
852 ctx->hsCtx->kxCtx->key = ctx->hsCtx->kxCtx->secondKey;
853 ctx->hsCtx->kxCtx->secondKey = NULL;
854 ctx->hsCtx->kxCtx->keyExchParam.share.group = selectedGroup;
855 ctx->hsCtx->kxCtx->keyExchParam.share.secondGroup = HITLS_NAMED_GROUP_BUTT;
856 }
857 // Save the selected group
858 ctx->negotiatedInfo.negotiatedGroup = selectedGroup;
859 return HITLS_SUCCESS;
860 }
861
862 /* If an implementation receives an extension
863 * which it recognizes and which is not specified for the message in
864 * which it appears, it MUST abort the handshake with an
865 * "illegal_parameter" alert. */
ClientCheckHrrExtraExtension(TLS_Ctx * ctx,const ServerHelloMsg * helloRetryRequest)866 static int32_t ClientCheckHrrExtraExtension(TLS_Ctx *ctx, const ServerHelloMsg *helloRetryRequest)
867 {
868 if (helloRetryRequest->haveServerName || helloRetryRequest->haveExtendedMasterSecret ||
869 helloRetryRequest->havePointFormats || helloRetryRequest->haveSelectedAlpn ||
870 helloRetryRequest->haveSelectedIdentity || helloRetryRequest->haveSecRenego || helloRetryRequest->haveTicket ||
871 helloRetryRequest->haveEncryptThenMac) {
872 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID17092, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
873 "these extensions are not specified in the hrr message", 0, 0, 0, 0);
874 ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, ALERT_ILLEGAL_PARAMETER);
875 BSL_ERR_PUSH_ERROR(HITLS_MSG_HANDLE_UNSUPPORT_EXTENSION_TYPE);
876 return HITLS_MSG_HANDLE_UNSUPPORT_EXTENSION_TYPE;
877 }
878 return HITLS_SUCCESS;
879 }
880
ClientCheckHrrCookieExtension(TLS_Ctx * ctx,const ServerHelloMsg * helloRetryRequest)881 static int32_t ClientCheckHrrCookieExtension(TLS_Ctx *ctx, const ServerHelloMsg *helloRetryRequest)
882 {
883 if (helloRetryRequest->haveCookie == false) {
884 return HITLS_SUCCESS;
885 }
886
887 BSL_SAL_FREE(ctx->negotiatedInfo.cookie); // Clearing Old Memory
888
889 ctx->negotiatedInfo.cookie = BSL_SAL_Dump(helloRetryRequest->cookie, helloRetryRequest->cookieLen);
890 if (ctx->negotiatedInfo.cookie == NULL) {
891 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15285, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
892 "cookie malloc fail when process hello retry request.", 0, 0, 0, 0);
893 BSL_ERR_PUSH_ERROR(HITLS_MEMALLOC_FAIL);
894 return HITLS_MEMALLOC_FAIL;
895 }
896 ctx->negotiatedInfo.cookieSize = helloRetryRequest->cookieLen;
897
898 return HITLS_SUCCESS;
899 }
900
Tls13ClientCheckHrrExtension(TLS_Ctx * ctx,const ServerHelloMsg * helloRetryRequest)901 static int32_t Tls13ClientCheckHrrExtension(TLS_Ctx *ctx, const ServerHelloMsg *helloRetryRequest)
902 {
903 int32_t ret = HITLS_SUCCESS;
904
905 ret = HS_CheckReceivedExtension(ctx, HELLO_RETRY_REQUEST, helloRetryRequest->extensionTypeMask,
906 HS_EX_TYPE_TLS1_3_ALLOWED_OF_HELLO_RETRY_REQUEST);
907 if (ret != HITLS_SUCCESS) {
908 return ret;
909 }
910
911 /* Check whether there are redundant extensions */
912 ret = ClientCheckHrrExtraExtension(ctx, helloRetryRequest);
913 if (ret != HITLS_SUCCESS) {
914 return ret;
915 }
916
917 /* Check the key share extension */
918 ret = ClientCheckHrrCookieExtension(ctx, helloRetryRequest);
919 if (ret != HITLS_SUCCESS) {
920 return ret;
921 }
922
923 /* Check the cookie extension */
924 return ClientCheckHrrKeyShareExtension(ctx, helloRetryRequest);
925 }
926
Tls13ClientRecvHelloRetryRequestProcess(TLS_Ctx * ctx,const HS_Msg * msg)927 int32_t Tls13ClientRecvHelloRetryRequestProcess(TLS_Ctx *ctx, const HS_Msg *msg)
928 {
929 int32_t ret = HITLS_SUCCESS;
930 const ServerHelloMsg *helloRetryRequest = &msg->body.serverHello;
931
932 ret = Tls13ClientCheckHelloRetryRequest(ctx, helloRetryRequest);
933 if (ret != HITLS_SUCCESS) {
934 return ret;
935 }
936
937 /* Check whether the format of the Hello Retry Request message is the same as that of the Server Hello message
938 * except the extended fields */
939 ret = Tls13ClientCheckServerHello(ctx, helloRetryRequest, true);
940 if (ret != HITLS_SUCCESS) {
941 return ret;
942 }
943
944 ret = Tls13ClientCheckHrrExtension(ctx, helloRetryRequest);
945 if (ret != HITLS_SUCCESS) {
946 return ret;
947 }
948
949 /* According to RFC 8446 4.4.1, If the Hello Retry Request message is sent, special Transcript-Hash data needs to be
950 * constructed */
951 ret = VERIFY_HelloRetryRequestVerifyProcess(ctx);
952 if (ret != HITLS_SUCCESS) {
953 return ret;
954 }
955
956 return HS_ChangeState(ctx, TRY_SEND_CLIENT_HELLO);
957 }
958 #ifdef HITLS_TLS_PROTO_TLS_BASIC
CheckDowngradeRandom(TLS_Ctx * ctx,const ServerHelloMsg * serverHello,uint16_t * negotiatedVersion)959 static int32_t CheckDowngradeRandom(TLS_Ctx *ctx, const ServerHelloMsg *serverHello, uint16_t *negotiatedVersion)
960 {
961 const uint8_t *downgradeArr = NULL;
962 uint32_t downgradeArrLen = 0;
963
964 if (serverHello->version == HITLS_VERSION_TLS12) {
965 /* The server that attempts to negotiate TLS1.2 should not send the server hello with the random */
966 downgradeArr = HS_GetTls12DowngradeRandom(&downgradeArrLen);
967 if (memcmp(&serverHello->randomValue[HS_RANDOM_SIZE - downgradeArrLen], downgradeArr, downgradeArrLen) != 0) {
968 *negotiatedVersion = HITLS_VERSION_TLS12;
969 return HITLS_SUCCESS;
970 }
971 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15286, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
972 "tls1.2 server hello with downgrade random value.", 0, 0, 0, 0);
973 ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, ALERT_ILLEGAL_PARAMETER);
974 BSL_ERR_PUSH_ERROR(HITLS_MSG_HANDLE_UNSUPPORT_VERSION);
975 return HITLS_MSG_HANDLE_UNSUPPORT_VERSION;
976 }
977
978 return HITLS_SUCCESS;
979 }
980 #endif /* HITLS_TLS_PROTO_TLS_BASIC */
GetNegotiatedVersion(TLS_Ctx * ctx,const ServerHelloMsg * serverHello,uint16_t * negotiatedVersion)981 static int32_t GetNegotiatedVersion(TLS_Ctx *ctx, const ServerHelloMsg *serverHello, uint16_t *negotiatedVersion)
982 {
983 /* As a client that supports TLS1.3, if the received server hello message does not contain the supported version
984 * extension, the peer end wants to negotiate a version earlier than TLS1.3 */
985 if (!serverHello->haveSupportedVersion) {
986 if (serverHello->version < HITLS_VERSION_TLS12) {
987 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID16169, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
988 "client cannot negotiate a version.", 0, 0, 0, 0);
989 ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, ALERT_PROTOCOL_VERSION);
990 BSL_ERR_PUSH_ERROR(HITLS_MSG_HANDLE_UNSUPPORT_VERSION);
991 return HITLS_MSG_HANDLE_UNSUPPORT_VERSION;
992 }
993 return CheckDowngradeRandom(ctx, serverHello, negotiatedVersion);
994 }
995
996 /* If the serverHello of TLS1.3 is used, the version selected by the server must be earlier than TLS1.3, and the
997 * legacy_version field must be TLS1.2 */
998 if (serverHello->version != HITLS_VERSION_TLS12) {
999 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15288, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
1000 "server version error, legacy version is 0x%02x.", serverHello->version, 0, 0, 0);
1001 ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, ALERT_PROTOCOL_VERSION);
1002 BSL_ERR_PUSH_ERROR(HITLS_MSG_HANDLE_UNSUPPORT_VERSION);
1003 return HITLS_MSG_HANDLE_UNSUPPORT_VERSION;
1004 }
1005 /* If the "supported_versions" extension in the ServerHello contains a version not offered by the client or
1006 * contains a version prior to TLS 1.3, the client MUST abort the handshake with an "illegal_parameter" alert. */
1007 if (serverHello->supportedVersion != HITLS_VERSION_TLS13) {
1008 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID17307, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
1009 "server version error, selected version is 0x%02x.", serverHello->supportedVersion, 0, 0, 0);
1010 ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, ALERT_ILLEGAL_PARAMETER);
1011 BSL_ERR_PUSH_ERROR(HITLS_MSG_HANDLE_UNSUPPORT_VERSION);
1012 return HITLS_MSG_HANDLE_UNSUPPORT_VERSION;
1013 }
1014
1015 *negotiatedVersion = HITLS_VERSION_TLS13;
1016 return HITLS_SUCCESS;
1017 }
1018
ClientProcessKeyShare(TLS_Ctx * ctx,const ServerHelloMsg * serverHello)1019 static int32_t ClientProcessKeyShare(TLS_Ctx *ctx, const ServerHelloMsg *serverHello)
1020 {
1021 if (serverHello->haveKeyShare == false) {
1022 return HITLS_SUCCESS;
1023 }
1024 uint32_t keyshareLen = 0u;
1025 /* The keyshare extension of the server must contain the keyExchange field */
1026 if (serverHello->keyShare.keyExchangeSize == 0 || serverHello->keyShare.group == HITLS_NAMED_GROUP_BUTT ||
1027 /* Check whether the sent support group is the same as the negotiated group */
1028 (serverHello->keyShare.group != ctx->hsCtx->kxCtx->keyExchParam.share.group &&
1029 serverHello->keyShare.group != ctx->hsCtx->kxCtx->keyExchParam.share.secondGroup)) {
1030 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15289, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
1031 "the keyshare parameter is illegal.", 0, 0, 0, 0);
1032 ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, ALERT_ILLEGAL_PARAMETER);
1033 BSL_ERR_PUSH_ERROR(HITLS_MSG_HANDLE_ILLEGAL_SELECTED_GROUP);
1034 return HITLS_MSG_HANDLE_ILLEGAL_SELECTED_GROUP;
1035 }
1036
1037 const KeyShare *keyShare = &serverHello->keyShare;
1038 if (keyShare->group == ctx->hsCtx->kxCtx->keyExchParam.share.secondGroup) {
1039 SAL_CRYPT_FreeEcdhKey(ctx->hsCtx->kxCtx->key);
1040 ctx->hsCtx->kxCtx->key = ctx->hsCtx->kxCtx->secondKey;
1041 ctx->hsCtx->kxCtx->secondKey = NULL;
1042 ctx->hsCtx->kxCtx->keyExchParam.share.group = keyShare->group;
1043 ctx->hsCtx->kxCtx->keyExchParam.share.secondGroup = HITLS_NAMED_GROUP_BUTT;
1044 }
1045 const TLS_GroupInfo *groupInfo = ConfigGetGroupInfo(&ctx->config.tlsConfig, keyShare->group);
1046 if (groupInfo == NULL) {
1047 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID16247, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
1048 "group info not found", 0, 0, 0, 0);
1049 return HITLS_INVALID_INPUT;
1050 }
1051 if (groupInfo->isKem) {
1052 keyshareLen = groupInfo->ciphertextLen;
1053 } else {
1054 keyshareLen = groupInfo->pubkeyLen;
1055 }
1056 if (keyshareLen == 0u || keyshareLen != keyShare->keyExchangeSize) {
1057 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID17326, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
1058 "invalid keyShare length [%d]", keyShare->keyExchangeSize, 0, 0, 0);
1059 ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, ALERT_ILLEGAL_PARAMETER);
1060 return HITLS_MSG_HANDLE_ILLEGAL_SELECTED_GROUP;
1061 }
1062 uint8_t *peerPubkey = BSL_SAL_Dump(keyShare->keyExchange, keyshareLen);
1063 if (peerPubkey == NULL) {
1064 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID15290, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
1065 "malloc peerPubkey fail when process server hello key share.", 0, 0, 0, 0);
1066 BSL_ERR_PUSH_ERROR(HITLS_MEMALLOC_FAIL);
1067 ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, ALERT_INTERNAL_ERROR);
1068 return HITLS_MEMALLOC_FAIL;
1069 }
1070
1071 BSL_SAL_FREE(ctx->hsCtx->kxCtx->peerPubkey);
1072 ctx->hsCtx->kxCtx->peerPubkey = peerPubkey;
1073 ctx->hsCtx->kxCtx->pubKeyLen = keyshareLen;
1074 ctx->negotiatedInfo.negotiatedGroup = serverHello->keyShare.group;
1075
1076 return HITLS_SUCCESS;
1077 }
1078
ClientProcessPreSharedKey(TLS_Ctx * ctx,const ServerHelloMsg * serverHello)1079 static int32_t ClientProcessPreSharedKey(TLS_Ctx *ctx, const ServerHelloMsg *serverHello)
1080 {
1081 if (serverHello->haveSelectedIdentity == false) {
1082 return HITLS_SUCCESS;
1083 }
1084 PskInfo13 *pskInfo = &ctx->hsCtx->kxCtx->pskInfo13;
1085 HITLS_Session *pskSession = NULL;
1086 bool isResumePsk = false;
1087 BSL_SAL_FREE(pskInfo->psk);
1088
1089 if (pskInfo->resumeSession != NULL && serverHello->selectedIdentity == 0) {
1090 pskSession = pskInfo->resumeSession;
1091 isResumePsk = true;
1092 } else if (pskInfo->userPskSess == NULL || serverHello->selectedIdentity != pskInfo->userPskSess->num) {
1093 ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, ALERT_ILLEGAL_PARAMETER);
1094 BSL_ERR_PUSH_ERROR(HITLS_MSG_HANDLE_ILLEGAL_PSK_IDENTITY);
1095 return HITLS_MSG_HANDLE_ILLEGAL_PSK_IDENTITY;
1096 } else {
1097 pskSession = pskInfo->userPskSess->pskSession;
1098 }
1099 pskInfo->selectIndex = serverHello->selectedIdentity;
1100
1101 uint8_t psk[HS_PSK_MAX_LEN] = {0};
1102 uint32_t pskLen = HS_PSK_MAX_LEN;
1103
1104 uint16_t cipherSuite = 0;
1105 HITLS_SESS_GetCipherSuite(pskSession, &cipherSuite);
1106 CipherSuiteInfo cipherInfo = {0};
1107 int32_t ret = CFG_GetCipherSuiteInfo(cipherSuite, &cipherInfo);
1108 if (ret != HITLS_SUCCESS) {
1109 return RETURN_ALERT_PROCESS(ctx, ret, BINLOG_ID17093, "GetCipherSuiteInfo fail", ALERT_INTERNAL_ERROR);
1110 }
1111
1112 /* The hash algorithm used by the PSK must match the negotiated cipher suite */
1113 if (cipherInfo.hashAlg != ctx->negotiatedInfo.cipherSuiteInfo.hashAlg) {
1114 ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, ALERT_HANDSHAKE_FAILURE);
1115 BSL_ERR_PUSH_ERROR(HITLS_MSG_HANDLE_PSK_SESSION_INVALID_CIPHER_SUITE);
1116 return HITLS_MSG_HANDLE_PSK_SESSION_INVALID_CIPHER_SUITE;
1117 }
1118
1119 /* The session is available and the PSK is obtained */
1120 ret = HITLS_SESS_GetMasterKey(pskSession, psk, &pskLen);
1121 if (ret != HITLS_SUCCESS) {
1122 ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, ALERT_HANDSHAKE_FAILURE);
1123 return ret;
1124 }
1125
1126 pskInfo->psk = BSL_SAL_Dump(psk, pskLen);
1127 BSL_SAL_CleanseData(psk, HS_PSK_MAX_LEN);
1128 if (pskInfo->psk == NULL) {
1129 (void)memset_s(psk, HS_PSK_MAX_LEN, 0, HS_PSK_MAX_LEN);
1130 return RETURN_ALERT_PROCESS(ctx, HITLS_MEMALLOC_FAIL, BINLOG_ID17094, "dump psk fail", ALERT_INTERNAL_ERROR);
1131 }
1132 pskInfo->pskLen = pskLen;
1133 ctx->negotiatedInfo.isResume = isResumePsk;
1134 return HITLS_SUCCESS;
1135 }
1136
GetServertls13AuthType(const ServerHelloMsg * serverHello)1137 static uint32_t GetServertls13AuthType(const ServerHelloMsg *serverHello)
1138 {
1139 uint32_t tls13BasicKeyExMode = 0;
1140 if (serverHello->haveKeyShare && serverHello->haveSelectedIdentity) {
1141 tls13BasicKeyExMode = TLS13_KE_MODE_PSK_WITH_DHE;
1142 } else if (serverHello->haveSelectedIdentity) {
1143 tls13BasicKeyExMode = TLS13_KE_MODE_PSK_ONLY;
1144 } else if (serverHello->haveKeyShare) {
1145 tls13BasicKeyExMode = TLS13_CERT_AUTH_WITH_DHE;
1146 }
1147 return tls13BasicKeyExMode;
1148 }
1149
Tls13ProcessServerHelloExtension(TLS_Ctx * ctx,const ServerHelloMsg * serverHello)1150 static int32_t Tls13ProcessServerHelloExtension(TLS_Ctx *ctx, const ServerHelloMsg *serverHello)
1151 {
1152 int32_t ret = 0;
1153
1154 ret = HS_CheckReceivedExtension(ctx, SERVER_HELLO, serverHello->extensionTypeMask,
1155 HS_EX_TYPE_TLS1_3_ALLOWED_OF_SERVER_HELLO);
1156 if (ret != HITLS_SUCCESS) {
1157 return ret;
1158 }
1159
1160 /* Check whether the extension that is not sent is received */
1161 ret = ClientCheckExtensionsFlag(ctx, serverHello);
1162 if (ret != HITLS_SUCCESS) {
1163 return ret;
1164 }
1165
1166 uint32_t tls13BasicKeyExMode = GetServertls13AuthType(serverHello) & ctx->negotiatedInfo.tls13BasicKeyExMode;
1167 if (tls13BasicKeyExMode == 0) {
1168 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID16141, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
1169 "server selects the mode in which the client does not send.", 0, 0, 0, 0);
1170 ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, ALERT_ILLEGAL_PARAMETER);
1171 BSL_ERR_PUSH_ERROR(HITLS_MSG_HANDLE_HANDSHAKE_FAILURE);
1172 return HITLS_MSG_HANDLE_HANDSHAKE_FAILURE;
1173 }
1174 ctx->negotiatedInfo.tls13BasicKeyExMode = tls13BasicKeyExMode;
1175
1176 ret = ClientProcessKeyShare(ctx, serverHello);
1177 if (ret != HITLS_SUCCESS) {
1178 return ret;
1179 }
1180
1181 return ClientProcessPreSharedKey(ctx, serverHello);
1182 }
1183
Tls13ProcessServerHello(TLS_Ctx * ctx,const HS_Msg * msg)1184 int32_t Tls13ProcessServerHello(TLS_Ctx *ctx, const HS_Msg *msg)
1185 {
1186 int32_t ret = HITLS_SUCCESS;
1187 const ServerHelloMsg *serverHello = &msg->body.serverHello;
1188
1189 /* Check all fields except the extended fields in the server hello message */
1190 ret = Tls13ClientCheckServerHello(ctx, serverHello, false);
1191 if (ret != HITLS_SUCCESS) {
1192 return ret;
1193 }
1194
1195 ret = Tls13ProcessServerHelloExtension(ctx, serverHello);
1196 if (ret != HITLS_SUCCESS) {
1197 return ret;
1198 }
1199
1200 ret = VERIFY_SetHash(LIBCTX_FROM_CTX(ctx), ATTRIBUTE_FROM_CTX(ctx),
1201 ctx->hsCtx->verifyCtx, ctx->negotiatedInfo.cipherSuiteInfo.hashAlg);
1202 if (ret != HITLS_SUCCESS) {
1203 return ret;
1204 }
1205
1206 /* Client key derivation */
1207 ret = HS_TLS13CalcServerHelloProcessSecret(ctx);
1208 if (ret != HITLS_SUCCESS) {
1209 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID17095, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
1210 "CalcServerHelloProcessSecret fail", 0, 0, 0, 0);
1211 return ret;
1212 }
1213
1214 ret = HS_TLS13DeriveHandshakeTrafficSecret(ctx);
1215 if (ret != HITLS_SUCCESS) {
1216 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID17096, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
1217 "DeriveHandshakeTrafficSecret fail", 0, 0, 0, 0);
1218 return ret;
1219 }
1220
1221 /* The message after ServerHello is encrypted by ServerTrafficSecret and needs to be activated for decryption */
1222 uint32_t hashLen = SAL_CRYPT_DigestSize(ctx->negotiatedInfo.cipherSuiteInfo.hashAlg);
1223 if (hashLen == 0) {
1224 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID17097, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN, "DigestSize err", 0, 0, 0, 0);
1225 return HITLS_CRYPT_ERR_DIGEST;
1226 }
1227 ret = HS_SwitchTrafficKey(ctx, ctx->hsCtx->serverHsTrafficSecret, hashLen, false);
1228 if (ret != HITLS_SUCCESS) {
1229 return ret;
1230 }
1231
1232 return HS_ChangeState(ctx, TRY_RECV_ENCRYPTED_EXTENSIONS);
1233 }
1234
Tls13ClientRecvServerHelloProcess(TLS_Ctx * ctx,const HS_Msg * msg)1235 int32_t Tls13ClientRecvServerHelloProcess(TLS_Ctx *ctx, const HS_Msg *msg)
1236 {
1237 int32_t ret = HITLS_SUCCESS;
1238 const ServerHelloMsg *serverHello = &msg->body.serverHello;
1239
1240 /* Obtain the intention of the server and determine the version to be negotiated by the server */
1241 uint16_t negotiatedVersion = 0;
1242 ret = GetNegotiatedVersion(ctx, serverHello, &negotiatedVersion);
1243 if (ret != HITLS_SUCCESS) {
1244 return ret;
1245 }
1246 #ifdef HITLS_TLS_PROTO_TLS_BASIC
1247 if (negotiatedVersion < HITLS_VERSION_TLS13) {
1248 /* The keyshare is prepared when the TLS1.3 clientHello message is sent, so the old memory needs to be freed
1249 * here first */
1250 HS_KeyExchCtxFree(ctx->hsCtx->kxCtx);
1251 ctx->hsCtx->kxCtx = HS_KeyExchCtxNew();
1252
1253 if (ctx->hsCtx->kxCtx == NULL) {
1254 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID17098, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
1255 "KeyExchCtxNew fail", 0, 0, 0, 0);
1256 ctx->method.sendAlert(ctx, ALERT_LEVEL_FATAL, ALERT_INTERNAL_ERROR);
1257 BSL_ERR_PUSH_ERROR(HITLS_MEMALLOC_FAIL);
1258 return HITLS_MEMALLOC_FAIL;
1259 }
1260
1261 return ClientRecvServerHelloProcess(ctx, msg);
1262 }
1263 #endif /* only for tls13 */
1264 uint32_t hrrRandomSize = 0;
1265 const uint8_t *hrrRandom = HS_GetHrrRandom(&hrrRandomSize);
1266
1267 /* Check the random number. If the message is a hello retry request message, update the client hello message */
1268 if (memcmp(serverHello->randomValue, hrrRandom, hrrRandomSize) == 0) {
1269 return Tls13ClientRecvHelloRetryRequestProcess(ctx, msg);
1270 }
1271
1272 return Tls13ProcessServerHello(ctx, msg);
1273 }
1274 #endif /* HITLS_TLS_PROTO_TLS13 */
1275 #endif /* HITLS_TLS_HOST_CLIENT */