TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 0f40a41cea69cf781f44ca29e8df0d76bc4010da / . / library / ssl_tls13_client.c
blob: 1e8df1b399e81b87c65ed7dd6750c2176d8bc90a [file] [log] [blame]
Jerry Yu3cc4c2a2021-08-06 16:29:08 +0800[diff] [blame]1/*
2 * TLS 1.3 client-side functions
3 *
4 * Copyright The Mbed TLS Contributors
Dave Rodgman16799db2023-11-02 19:47:20 +0000[diff] [blame]5 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
Jerry Yu3cc4c2a2021-08-06 16:29:08 +0800[diff] [blame]6 */
7
8#include "common.h"
9
Jerry Yucc43c6b2022-01-28 10:24:45 +0800[diff] [blame]10#if defined(MBEDTLS_SSL_CLI_C) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
Jerry Yu3cc4c2a2021-08-06 16:29:08 +0800[diff] [blame]11
Jerry Yubc20bdd2021-08-24 15:59:48 +0800[diff] [blame]12#include <string.h>
13
Valerio Settib4f50762024-01-17 10:24:52 +0100[diff] [blame]14#include "debug_internal.h"
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]15#include "mbedtls/error.h"
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]16#include "mbedtls/platform.h"
Jerry Yua13c7e72021-08-17 10:44:40 +0800[diff] [blame]17
Jerry Yubdc71882021-09-14 19:30:36 +0800[diff] [blame]18#include "ssl_misc.h"
Ronald Cron3d580bf2022-02-18 17:24:56 +0100[diff] [blame]19#include "ssl_client.h"
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]20#include "ssl_tls13_keys.h"
Jerry Yucbd082f2022-08-04 16:55:10 +0800[diff] [blame]21#include "ssl_debug_helpers.h"
Valerio Setti384fbde2024-01-02 13:26:40 +0100[diff] [blame]22#include "mbedtls/psa_util.h"
Jerry Yubdc71882021-09-14 19:30:36 +0800[diff] [blame]23
Valerio Settic9ae8622023-07-25 11:23:50 +0200[diff] [blame]24#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)
Andrzej Kurek00644842023-05-30 05:45:00 -0400[diff] [blame]25/* Define a local translating function to save code size by not using too many
26 * arguments in each translating place. */
27static int local_err_translation(psa_status_t status)
28{
29 return psa_status_to_mbedtls(status, psa_to_ssl_errors,
Andrzej Kurek1e4a0302023-05-30 09:45:17 -0400[diff] [blame]30 ARRAY_LENGTH(psa_to_ssl_errors),
Andrzej Kurek00644842023-05-30 05:45:00 -0400[diff] [blame]31 psa_generic_status_to_mbedtls);
32}
33#define PSA_TO_MBEDTLS_ERR(status) local_err_translation(status)
Andrzej Kureka6033ac2023-05-30 15:16:34 -0400[diff] [blame]34#endif
35
Jerry Yubc20bdd2021-08-24 15:59:48 +0800[diff] [blame]36/* Write extensions */
37
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]38/*
39 * ssl_tls13_write_supported_versions_ext():
40 *
41 * struct {
42 * ProtocolVersion versions<2..254>;
43 * } SupportedVersions;
44 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]45MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]46static int ssl_tls13_write_supported_versions_ext(mbedtls_ssl_context *ssl,
47 unsigned char *buf,
48 unsigned char *end,
49 size_t *out_len)
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]50{
51 unsigned char *p = buf;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]52 unsigned char versions_len = (ssl->handshake->min_tls_version <=
53 MBEDTLS_SSL_VERSION_TLS1_2) ? 4 : 2;
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]54
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]55 *out_len = 0;
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]56
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]57 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, adding supported versions extension"));
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]58
Jerry Yu388bd0d2021-09-15 18:41:02 +0800[diff] [blame]59 /* Check if we have space to write the extension:
Jerry Yub60e3cf2021-09-08 16:41:02 +0800[diff] [blame]60 * - extension_type (2 bytes)
61 * - extension_data_length (2 bytes)
62 * - versions_length (1 byte )
Ronald Crona77fc272022-03-30 17:20:47 +0200[diff] [blame]63 * - versions (2 or 4 bytes)
Jerry Yu159c5a02021-08-31 12:51:25 +0800[diff] [blame]64 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]65 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 5 + versions_len);
Ronald Crondbe87f02022-02-10 14:35:27 +0100[diff] [blame]66
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]67 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS, p, 0);
68 MBEDTLS_PUT_UINT16_BE(versions_len + 1, p, 2);
Jerry Yueecfbf02021-08-30 18:32:07 +0800[diff] [blame]69 p += 4;
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]70
Jerry Yu1bc2c1f2021-09-01 12:57:29 +0800[diff] [blame]71 /* Length of versions */
Ronald Crondbe87f02022-02-10 14:35:27 +0100[diff] [blame]72 *p++ = versions_len;
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]73
Jerry Yu0c63af62021-09-02 12:59:12 +0800[diff] [blame]74 /* Write values of supported versions.
Jerry Yu0c63af62021-09-02 12:59:12 +0800[diff] [blame]75 * They are defined by the configuration.
Ronald Crondbe87f02022-02-10 14:35:27 +0100[diff] [blame]76 * Currently, we advertise only TLS 1.3 or both TLS 1.3 and TLS 1.2.
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]77 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]78 mbedtls_ssl_write_version(p, MBEDTLS_SSL_TRANSPORT_STREAM,
79 MBEDTLS_SSL_VERSION_TLS1_3);
80 MBEDTLS_SSL_DEBUG_MSG(3, ("supported version: [3:4]"));
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]81
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]82
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]83 if (ssl->handshake->min_tls_version <= MBEDTLS_SSL_VERSION_TLS1_2) {
84 mbedtls_ssl_write_version(p + 2, MBEDTLS_SSL_TRANSPORT_STREAM,
85 MBEDTLS_SSL_VERSION_TLS1_2);
86 MBEDTLS_SSL_DEBUG_MSG(3, ("supported version: [3:3]"));
Ronald Crondbe87f02022-02-10 14:35:27 +0100[diff] [blame]87 }
88
89 *out_len = 5 + versions_len;
Jerry Yu4b8f2f72022-10-31 13:31:22 +0800[diff] [blame]90
Jerry Yuc4bf5d62022-10-29 09:08:47 +0800[diff] [blame]91 mbedtls_ssl_tls13_set_hs_sent_ext_mask(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]92 ssl, MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS);
Jerry Yu4b8f2f72022-10-31 13:31:22 +0800[diff] [blame]93
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]94 return 0;
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]95}
Jerry Yubc20bdd2021-08-24 15:59:48 +0800[diff] [blame]96
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]97MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]98static int ssl_tls13_parse_supported_versions_ext(mbedtls_ssl_context *ssl,
99 const unsigned char *buf,
100 const unsigned char *end)
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]101{
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]102 ((void) ssl);
103
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]104 MBEDTLS_SSL_CHK_BUF_READ_PTR(buf, end, 2);
105 if (mbedtls_ssl_read_version(buf, ssl->conf->transport) !=
106 MBEDTLS_SSL_VERSION_TLS1_3) {
107 MBEDTLS_SSL_DEBUG_MSG(1, ("unexpected version"));
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]108
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]109 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
110 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
111 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]112 }
113
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]114 if (&buf[2] != end) {
Xiaokang Qian91bb3f02023-04-03 09:07:03 +0000[diff] [blame]115 MBEDTLS_SSL_DEBUG_MSG(
116 1, ("supported_versions ext data length incorrect"));
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]117 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
118 MBEDTLS_ERR_SSL_DECODE_ERROR);
119 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Ronald Cron98473382022-03-30 20:04:10 +0200[diff] [blame]120 }
121
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]122 return 0;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]123}
124
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]125#if defined(MBEDTLS_SSL_ALPN)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]126MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]127static int ssl_tls13_parse_alpn_ext(mbedtls_ssl_context *ssl,
128 const unsigned char *buf, size_t len)
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]129{
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]130 const unsigned char *p = buf;
131 const unsigned char *end = buf + len;
Ronald Cron81a334f2022-05-31 16:04:11 +0200[diff] [blame]132 size_t protocol_name_list_len, protocol_name_len;
133 const unsigned char *protocol_name_list_end;
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]134
135 /* If we didn't send it, the server shouldn't send it */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]136 if (ssl->conf->alpn_list == NULL) {
137 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
138 }
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]139
140 /*
141 * opaque ProtocolName<1..2^8-1>;
142 *
143 * struct {
144 * ProtocolName protocol_name_list<2..2^16-1>
145 * } ProtocolNameList;
146 *
147 * the "ProtocolNameList" MUST contain exactly one "ProtocolName"
148 */
149
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]150 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
151 protocol_name_list_len = MBEDTLS_GET_UINT16_BE(p, 0);
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]152 p += 2;
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]153
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]154 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, protocol_name_list_len);
Ronald Cron81a334f2022-05-31 16:04:11 +0200[diff] [blame]155 protocol_name_list_end = p + protocol_name_list_len;
156
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]157 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, protocol_name_list_end, 1);
Ronald Cron81a334f2022-05-31 16:04:11 +0200[diff] [blame]158 protocol_name_len = *p++;
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]159
160 /* Check that the server chosen protocol was in our list and save it */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]161 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, protocol_name_list_end, protocol_name_len);
162 for (const char **alpn = ssl->conf->alpn_list; *alpn != NULL; alpn++) {
163 if (protocol_name_len == strlen(*alpn) &&
164 memcmp(p, *alpn, protocol_name_len) == 0) {
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]165 ssl->alpn_chosen = *alpn;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]166 return 0;
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]167 }
168 }
169
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]170 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]171}
172#endif /* MBEDTLS_SSL_ALPN */
173
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]174MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]175static int ssl_tls13_reset_key_share(mbedtls_ssl_context *ssl)
XiaokangQian647719a2021-12-07 09:16:29 +0000[diff] [blame]176{
177 uint16_t group_id = ssl->handshake->offered_group_id;
Ronald Cron5b98ac92022-03-15 10:19:18 +0100[diff] [blame]178
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]179 if (group_id == 0) {
180 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
181 }
XiaokangQian647719a2021-12-07 09:16:29 +0000[diff] [blame]182
Valerio Settic9ae8622023-07-25 11:23:50 +0200[diff] [blame]183#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)
Przemek Stekielc89f3ea2023-05-18 15:45:53 +0200[diff] [blame]184 if (mbedtls_ssl_tls13_named_group_is_ecdhe(group_id) ||
Przemek Stekield5f79e72023-06-29 09:08:43 +0200[diff] [blame]185 mbedtls_ssl_tls13_named_group_is_ffdh(group_id)) {
Ronald Cron5b98ac92022-03-15 10:19:18 +0100[diff] [blame]186 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
187 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
188
189 /* Destroy generated private key. */
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]190 status = psa_destroy_key(ssl->handshake->xxdh_psa_privkey);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]191 if (status != PSA_SUCCESS) {
Andrzej Kurek8a045ce2022-12-23 11:00:06 -0500[diff] [blame]192 ret = PSA_TO_MBEDTLS_ERR(status);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]193 MBEDTLS_SSL_DEBUG_RET(1, "psa_destroy_key", ret);
194 return ret;
Ronald Cron5b98ac92022-03-15 10:19:18 +0100[diff] [blame]195 }
196
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]197 ssl->handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]198 return 0;
199 } else
Valerio Settic9ae8622023-07-25 11:23:50 +0200[diff] [blame]200#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]201 if (0 /* other KEMs? */) {
XiaokangQian647719a2021-12-07 09:16:29 +0000[diff] [blame]202 /* Do something */
203 }
204
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]205 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
XiaokangQian647719a2021-12-07 09:16:29 +0000[diff] [blame]206}
207
208/*
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]209 * Functions for writing key_share extension.
210 */
Ronald Cron766c0cd2022-10-18 12:17:11 +0200[diff] [blame]211#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]212MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]213static int ssl_tls13_get_default_group_id(mbedtls_ssl_context *ssl,
214 uint16_t *group_id)
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]215{
216 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
217
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]218
Przemek Stekielc89f3ea2023-05-18 15:45:53 +0200[diff] [blame]219#if defined(PSA_WANT_ALG_ECDH) || defined(PSA_WANT_ALG_FFDH)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]220 const uint16_t *group_list = mbedtls_ssl_get_groups(ssl);
Jerry Yu388bd0d2021-09-15 18:41:02 +0800[diff] [blame]221 /* Pick first available ECDHE group compatible with TLS 1.3 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]222 if (group_list == NULL) {
223 return MBEDTLS_ERR_SSL_BAD_CONFIG;
224 }
Jerry Yu388bd0d2021-09-15 18:41:02 +0800[diff] [blame]225
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]226 for (; *group_list != 0; group_list++) {
Przemek Stekiela05e9c12023-06-15 16:58:51 +0200[diff] [blame]227#if defined(PSA_WANT_ALG_ECDH)
Xiaokang Qian958b6ff2023-03-29 10:37:35 +0000[diff] [blame]228 if ((mbedtls_ssl_get_psa_curve_info_from_tls_id(
229 *group_list, NULL, NULL) == PSA_SUCCESS) &&
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]230 mbedtls_ssl_tls13_named_group_is_ecdhe(*group_list)) {
Brett Warren14efd332021-10-06 09:32:11 +0100[diff] [blame]231 *group_id = *group_list;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]232 return 0;
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]233 }
Przemek Stekiela05e9c12023-06-15 16:58:51 +0200[diff] [blame]234#endif
235#if defined(PSA_WANT_ALG_FFDH)
Przemek Stekield5f79e72023-06-29 09:08:43 +0200[diff] [blame]236 if (mbedtls_ssl_tls13_named_group_is_ffdh(*group_list)) {
Przemek Stekiela05e9c12023-06-15 16:58:51 +0200[diff] [blame]237 *group_id = *group_list;
238 return 0;
239 }
240#endif
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]241 }
242#else
243 ((void) ssl);
Jerry Yub60e3cf2021-09-08 16:41:02 +0800[diff] [blame]244 ((void) group_id);
Przemek Stekielc89f3ea2023-05-18 15:45:53 +0200[diff] [blame]245#endif /* PSA_WANT_ALG_ECDH || PSA_WANT_ALG_FFDH */
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]246
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]247 return ret;
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]248}
249
250/*
251 * ssl_tls13_write_key_share_ext
252 *
Jerry Yu388bd0d2021-09-15 18:41:02 +0800[diff] [blame]253 * Structure of key_share extension in ClientHello:
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]254 *
255 * struct {
256 * NamedGroup group;
257 * opaque key_exchange<1..2^16-1>;
258 * } KeyShareEntry;
259 * struct {
260 * KeyShareEntry client_shares<0..2^16-1>;
261 * } KeyShareClientHello;
262 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]263MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]264static int ssl_tls13_write_key_share_ext(mbedtls_ssl_context *ssl,
265 unsigned char *buf,
266 unsigned char *end,
267 size_t *out_len)
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]268{
269 unsigned char *p = buf;
Xiaofei Baieef15042021-11-18 07:29:56 +0000[diff] [blame]270 unsigned char *client_shares; /* Start of client_shares */
271 size_t client_shares_len; /* Length of client_shares */
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]272 uint16_t group_id;
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]273 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
274
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]275 *out_len = 0;
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]276
Jerry Yub60e3cf2021-09-08 16:41:02 +0800[diff] [blame]277 /* Check if we have space for header and length fields:
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]278 * - extension_type (2 bytes)
279 * - extension_data_length (2 bytes)
280 * - client_shares_length (2 bytes)
281 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]282 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 6);
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]283 p += 6;
284
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]285 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello: adding key share extension"));
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]286
287 /* HRR could already have requested something else. */
288 group_id = ssl->handshake->offered_group_id;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]289 if (!mbedtls_ssl_tls13_named_group_is_ecdhe(group_id) &&
Przemek Stekield5f79e72023-06-29 09:08:43 +0200[diff] [blame]290 !mbedtls_ssl_tls13_named_group_is_ffdh(group_id)) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]291 MBEDTLS_SSL_PROC_CHK(ssl_tls13_get_default_group_id(ssl,
292 &group_id));
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]293 }
294
295 /*
296 * Dispatch to type-specific key generation function.
297 *
298 * So far, we're only supporting ECDHE. With the introduction
299 * of PQC KEMs, we'll want to have multiple branches, one per
300 * type of KEM, and dispatch to the corresponding crypto. And
301 * only one key share entry is allowed.
302 */
Xiaofei Baieef15042021-11-18 07:29:56 +0000[diff] [blame]303 client_shares = p;
Przemek Stekielc89f3ea2023-05-18 15:45:53 +0200[diff] [blame]304#if defined(PSA_WANT_ALG_ECDH) || defined(PSA_WANT_ALG_FFDH)
305 if (mbedtls_ssl_tls13_named_group_is_ecdhe(group_id) ||
Przemek Stekield5f79e72023-06-29 09:08:43 +0200[diff] [blame]306 mbedtls_ssl_tls13_named_group_is_ffdh(group_id)) {
Jerry Yu388bd0d2021-09-15 18:41:02 +0800[diff] [blame]307 /* Pointer to group */
Xiaofei Baieef15042021-11-18 07:29:56 +0000[diff] [blame]308 unsigned char *group = p;
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]309 /* Length of key_exchange */
Przemyslaw Stekiel4f419e52022-02-10 15:56:26 +0100[diff] [blame]310 size_t key_exchange_len = 0;
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]311
312 /* Check there is space for header of KeyShareEntry
313 * - group (2 bytes)
314 * - key_exchange_length (2 bytes)
315 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]316 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 4);
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]317 p += 4;
Przemek Stekiel408569f2023-07-06 11:26:44 +0200[diff] [blame]318 ret = mbedtls_ssl_tls13_generate_and_write_xxdh_key_exchange(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]319 ssl, group_id, p, end, &key_exchange_len);
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]320 p += key_exchange_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]321 if (ret != 0) {
322 return ret;
323 }
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]324
325 /* Write group */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]326 MBEDTLS_PUT_UINT16_BE(group_id, group, 0);
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]327 /* Write key_exchange_length */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]328 MBEDTLS_PUT_UINT16_BE(key_exchange_len, group, 2);
329 } else
Przemek Stekielc89f3ea2023-05-18 15:45:53 +0200[diff] [blame]330#endif /* PSA_WANT_ALG_ECDH || PSA_WANT_ALG_FFDH */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]331 if (0 /* other KEMs? */) {
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]332 /* Do something */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]333 } else {
334 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]335 }
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]336
Jerry Yub60e3cf2021-09-08 16:41:02 +0800[diff] [blame]337 /* Length of client_shares */
Xiaofei Baieef15042021-11-18 07:29:56 +0000[diff] [blame]338 client_shares_len = p - client_shares;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]339 if (client_shares_len == 0) {
340 MBEDTLS_SSL_DEBUG_MSG(1, ("No key share defined."));
341 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Jerry Yu7c522d42021-09-08 17:55:09 +0800[diff] [blame]342 }
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]343 /* Write extension_type */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]344 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_KEY_SHARE, buf, 0);
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]345 /* Write extension_data_length */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]346 MBEDTLS_PUT_UINT16_BE(client_shares_len + 2, buf, 2);
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]347 /* Write client_shares_length */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]348 MBEDTLS_PUT_UINT16_BE(client_shares_len, buf, 4);
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]349
350 /* Update offered_group_id field */
351 ssl->handshake->offered_group_id = group_id;
352
353 /* Output the total length of key_share extension. */
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]354 *out_len = p - buf;
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]355
Xiaokang Qian91bb3f02023-04-03 09:07:03 +0000[diff] [blame]356 MBEDTLS_SSL_DEBUG_BUF(
357 3, "client hello, key_share extension", buf, *out_len);
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]358
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]359 mbedtls_ssl_tls13_set_hs_sent_ext_mask(ssl, MBEDTLS_TLS_EXT_KEY_SHARE);
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]360
361cleanup:
362
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]363 return ret;
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]364}
Ronald Cron766c0cd2022-10-18 12:17:11 +0200[diff] [blame]365#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED */
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]366
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]367/*
368 * ssl_tls13_parse_hrr_key_share_ext()
369 * Parse key_share extension in Hello Retry Request
370 *
371 * struct {
372 * NamedGroup selected_group;
373 * } KeyShareHelloRetryRequest;
374 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]375MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]376static int ssl_tls13_parse_hrr_key_share_ext(mbedtls_ssl_context *ssl,
377 const unsigned char *buf,
378 const unsigned char *end)
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]379{
Przemek Stekiel75a5a9c2023-06-12 11:21:18 +0200[diff] [blame]380#if defined(PSA_WANT_ALG_ECDH) || defined(PSA_WANT_ALG_FFDH)
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]381 const unsigned char *p = buf;
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]382 int selected_group;
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]383 int found = 0;
384
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]385 const uint16_t *group_list = mbedtls_ssl_get_groups(ssl);
386 if (group_list == NULL) {
387 return MBEDTLS_ERR_SSL_BAD_CONFIG;
388 }
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]389
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]390 MBEDTLS_SSL_DEBUG_BUF(3, "key_share extension", p, end - buf);
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]391
392 /* Read selected_group */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]393 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
394 selected_group = MBEDTLS_GET_UINT16_BE(p, 0);
395 MBEDTLS_SSL_DEBUG_MSG(3, ("selected_group ( %d )", selected_group));
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]396
397 /* Upon receipt of this extension in a HelloRetryRequest, the client
398 * MUST first verify that the selected_group field corresponds to a
399 * group which was provided in the "supported_groups" extension in the
400 * original ClientHello.
401 * The supported_group was based on the info in ssl->conf->group_list.
402 *
403 * If the server provided a key share that was not sent in the ClientHello
404 * then the client MUST abort the handshake with an "illegal_parameter" alert.
405 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]406 for (; *group_list != 0; group_list++) {
Przemek Stekiel75a5a9c2023-06-12 11:21:18 +0200[diff] [blame]407#if defined(PSA_WANT_ALG_ECDH)
Przemek Stekielc89f3ea2023-05-18 15:45:53 +0200[diff] [blame]408 if (mbedtls_ssl_tls13_named_group_is_ecdhe(*group_list)) {
409 if ((mbedtls_ssl_get_psa_curve_info_from_tls_id(
410 *group_list, NULL, NULL) == PSA_ERROR_NOT_SUPPORTED) ||
411 *group_list != selected_group) {
412 found = 1;
413 break;
414 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]415 }
Przemek Stekiel75a5a9c2023-06-12 11:21:18 +0200[diff] [blame]416#endif /* PSA_WANT_ALG_ECDH */
417#if defined(PSA_WANT_ALG_FFDH)
Przemek Stekield5f79e72023-06-29 09:08:43 +0200[diff] [blame]418 if (mbedtls_ssl_tls13_named_group_is_ffdh(*group_list)) {
Przemek Stekielc89f3ea2023-05-18 15:45:53 +0200[diff] [blame]419 found = 1;
420 break;
421 }
Przemek Stekiel75a5a9c2023-06-12 11:21:18 +0200[diff] [blame]422#endif /* PSA_WANT_ALG_FFDH */
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]423 }
424
425 /* Client MUST verify that the selected_group field does not
426 * correspond to a group which was provided in the "key_share"
427 * extension in the original ClientHello. If the server sent an
428 * HRR message with a key share already provided in the
429 * ClientHello then the client MUST abort the handshake with
430 * an "illegal_parameter" alert.
431 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]432 if (found == 0 || selected_group == ssl->handshake->offered_group_id) {
433 MBEDTLS_SSL_DEBUG_MSG(1, ("Invalid key share in HRR"));
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]434 MBEDTLS_SSL_PEND_FATAL_ALERT(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]435 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
436 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
437 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]438 }
439
440 /* Remember server's preference for next ClientHello */
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]441 ssl->handshake->offered_group_id = selected_group;
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]442
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]443 return 0;
Przemek Stekiel75a5a9c2023-06-12 11:21:18 +0200[diff] [blame]444#else /* PSA_WANT_ALG_ECDH || PSA_WANT_ALG_FFDH */
Andrzej Kurekc19fb082022-10-03 10:52:24 -0400[diff] [blame]445 (void) ssl;
446 (void) buf;
447 (void) end;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]448 return MBEDTLS_ERR_SSL_BAD_CONFIG;
Przemek Stekiel75a5a9c2023-06-12 11:21:18 +0200[diff] [blame]449#endif /* PSA_WANT_ALG_ECDH || PSA_WANT_ALG_FFDH */
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]450}
451
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]452/*
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]453 * ssl_tls13_parse_key_share_ext()
454 * Parse key_share extension in Server Hello
455 *
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]456 * struct {
457 * KeyShareEntry server_share;
458 * } KeyShareServerHello;
459 * struct {
460 * NamedGroup group;
461 * opaque key_exchange<1..2^16-1>;
462 * } KeyShareEntry;
463 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]464MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]465static int ssl_tls13_parse_key_share_ext(mbedtls_ssl_context *ssl,
466 const unsigned char *buf,
467 const unsigned char *end)
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]468{
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]469 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]470 const unsigned char *p = buf;
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]471 uint16_t group, offered_group;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]472
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]473 /* ...
474 * NamedGroup group; (2 bytes)
475 * ...
476 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]477 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
478 group = MBEDTLS_GET_UINT16_BE(p, 0);
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]479 p += 2;
480
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]481 /* Check that the chosen group matches the one we offered. */
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]482 offered_group = ssl->handshake->offered_group_id;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]483 if (offered_group != group) {
Xiaokang Qian958b6ff2023-03-29 10:37:35 +0000[diff] [blame]484 MBEDTLS_SSL_DEBUG_MSG(
485 1, ("Invalid server key share, our group %u, their group %u",
486 (unsigned) offered_group, (unsigned) group));
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]487 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
488 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE);
489 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]490 }
491
Valerio Settic9ae8622023-07-25 11:23:50 +0200[diff] [blame]492#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)
Przemek Stekielc89f3ea2023-05-18 15:45:53 +0200[diff] [blame]493 if (mbedtls_ssl_tls13_named_group_is_ecdhe(group) ||
Przemek Stekield5f79e72023-06-29 09:08:43 +0200[diff] [blame]494 mbedtls_ssl_tls13_named_group_is_ffdh(group)) {
Przemek Stekiel75a5a9c2023-06-12 11:21:18 +0200[diff] [blame]495 MBEDTLS_SSL_DEBUG_MSG(2,
496 ("DHE group name: %s", mbedtls_ssl_named_group_to_str(group)));
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]497 ret = mbedtls_ssl_tls13_read_public_xxdhe_share(ssl, p, end - p);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]498 if (ret != 0) {
499 return ret;
500 }
501 } else
Valerio Settic9ae8622023-07-25 11:23:50 +0200[diff] [blame]502#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]503 if (0 /* other KEMs? */) {
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]504 /* Do something */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]505 } else {
506 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]507 }
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]508
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]509 return ret;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]510}
511
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]512/*
513 * ssl_tls13_parse_cookie_ext()
514 * Parse cookie extension in Hello Retry Request
515 *
516 * struct {
517 * opaque cookie<1..2^16-1>;
518 * } Cookie;
519 *
520 * When sending a HelloRetryRequest, the server MAY provide a "cookie"
521 * extension to the client (this is an exception to the usual rule that
522 * the only extensions that may be sent are those that appear in the
523 * ClientHello). When sending the new ClientHello, the client MUST copy
524 * the contents of the extension received in the HelloRetryRequest into
525 * a "cookie" extension in the new ClientHello. Clients MUST NOT use
526 * cookies in their initial ClientHello in subsequent connections.
527 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]528MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]529static int ssl_tls13_parse_cookie_ext(mbedtls_ssl_context *ssl,
530 const unsigned char *buf,
531 const unsigned char *end)
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]532{
XiaokangQian25c9c902022-02-08 10:49:53 +0000[diff] [blame]533 uint16_t cookie_len;
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]534 const unsigned char *p = buf;
535 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
536
537 /* Retrieve length field of cookie */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]538 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
539 cookie_len = MBEDTLS_GET_UINT16_BE(p, 0);
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]540 p += 2;
541
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]542 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, cookie_len);
543 MBEDTLS_SSL_DEBUG_BUF(3, "cookie extension", p, cookie_len);
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]544
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]545 mbedtls_free(handshake->cookie);
Jerry Yuac5ca5a2022-03-04 12:50:46 +0800[diff] [blame]546 handshake->cookie_len = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]547 handshake->cookie = mbedtls_calloc(1, cookie_len);
548 if (handshake->cookie == NULL) {
549 MBEDTLS_SSL_DEBUG_MSG(1,
550 ("alloc failed ( %ud bytes )",
551 cookie_len));
552 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]553 }
554
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]555 memcpy(handshake->cookie, p, cookie_len);
Jerry Yuac5ca5a2022-03-04 12:50:46 +0800[diff] [blame]556 handshake->cookie_len = cookie_len;
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]557
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]558 return 0;
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]559}
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]560
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]561MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]562static int ssl_tls13_write_cookie_ext(mbedtls_ssl_context *ssl,
563 unsigned char *buf,
564 unsigned char *end,
565 size_t *out_len)
XiaokangQian0b64eed2022-01-27 10:36:51 +0000[diff] [blame]566{
567 unsigned char *p = buf;
XiaokangQian9deb90f2022-02-08 10:31:07 +0000[diff] [blame]568 *out_len = 0;
XiaokangQianc02768a2022-02-10 07:31:25 +0000[diff] [blame]569 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
XiaokangQian0b64eed2022-01-27 10:36:51 +0000[diff] [blame]570
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]571 if (handshake->cookie == NULL) {
572 MBEDTLS_SSL_DEBUG_MSG(3, ("no cookie to send; skip extension"));
573 return 0;
XiaokangQian0b64eed2022-01-27 10:36:51 +0000[diff] [blame]574 }
575
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]576 MBEDTLS_SSL_DEBUG_BUF(3, "client hello, cookie",
577 handshake->cookie,
578 handshake->cookie_len);
XiaokangQian0b64eed2022-01-27 10:36:51 +0000[diff] [blame]579
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]580 MBEDTLS_SSL_CHK_BUF_PTR(p, end, handshake->cookie_len + 6);
XiaokangQian0b64eed2022-01-27 10:36:51 +0000[diff] [blame]581
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]582 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, adding cookie extension"));
XiaokangQian0b64eed2022-01-27 10:36:51 +0000[diff] [blame]583
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]584 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_COOKIE, p, 0);
585 MBEDTLS_PUT_UINT16_BE(handshake->cookie_len + 2, p, 2);
586 MBEDTLS_PUT_UINT16_BE(handshake->cookie_len, p, 4);
XiaokangQian233397e2022-02-07 08:32:16 +0000[diff] [blame]587 p += 6;
XiaokangQian0b64eed2022-01-27 10:36:51 +0000[diff] [blame]588
589 /* Cookie */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]590 memcpy(p, handshake->cookie, handshake->cookie_len);
XiaokangQian0b64eed2022-01-27 10:36:51 +0000[diff] [blame]591
Jerry Yuac5ca5a2022-03-04 12:50:46 +0800[diff] [blame]592 *out_len = handshake->cookie_len + 6;
XiaokangQian0b64eed2022-01-27 10:36:51 +0000[diff] [blame]593
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]594 mbedtls_ssl_tls13_set_hs_sent_ext_mask(ssl, MBEDTLS_TLS_EXT_COOKIE);
Jerry Yu4b8f2f72022-10-31 13:31:22 +0800[diff] [blame]595
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]596 return 0;
XiaokangQian0b64eed2022-01-27 10:36:51 +0000[diff] [blame]597}
598
Ronald Cron41a443a2022-10-04 16:38:25 +0200[diff] [blame]599#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]600/*
601 * ssl_tls13_write_psk_key_exchange_modes_ext() structure:
602 *
603 * enum { psk_ke( 0 ), psk_dhe_ke( 1 ), ( 255 ) } PskKeyExchangeMode;
604 *
605 * struct {
606 * PskKeyExchangeMode ke_modes<1..255>;
607 * } PskKeyExchangeModes;
608 */
XiaokangQian86981952022-07-19 09:51:50 +0000[diff] [blame]609MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]610static int ssl_tls13_write_psk_key_exchange_modes_ext(mbedtls_ssl_context *ssl,
611 unsigned char *buf,
612 unsigned char *end,
613 size_t *out_len)
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]614{
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]615 unsigned char *p = buf;
XiaokangQian008d2bf2022-07-14 07:54:01 +0000[diff] [blame]616 int ke_modes_len = 0;
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]617
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]618 ((void) ke_modes_len);
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]619 *out_len = 0;
XiaokangQian008d2bf2022-07-14 07:54:01 +0000[diff] [blame]620
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]621 /* Skip writing extension if no PSK key exchange mode
XiaokangQian7c12d312022-07-20 07:25:43 +0000[diff] [blame]622 * is enabled in the config.
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]623 */
Pengyu Lv0a1ff2b2023-11-14 11:03:32 +0800[diff] [blame]624 if (!mbedtls_ssl_conf_tls13_is_some_psk_enabled(ssl)) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]625 MBEDTLS_SSL_DEBUG_MSG(3, ("skip psk_key_exchange_modes extension"));
626 return 0;
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]627 }
628
629 /* Require 7 bytes of data, otherwise fail,
630 * even if extension might be shorter.
631 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]632 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 7);
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]633 MBEDTLS_SSL_DEBUG_MSG(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]634 3, ("client hello, adding psk_key_exchange_modes extension"));
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]635
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]636 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES, p, 0);
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]637
XiaokangQian008d2bf2022-07-14 07:54:01 +0000[diff] [blame]638 /* Skip extension length (2 bytes) and
639 * ke_modes length (1 byte) for now.
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]640 */
641 p += 5;
642
Pengyu Lv0a1ff2b2023-11-14 11:03:32 +0800[diff] [blame]643 if (mbedtls_ssl_conf_tls13_is_psk_ephemeral_enabled(ssl)) {
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]644 *p++ = MBEDTLS_SSL_TLS1_3_PSK_MODE_ECDHE;
XiaokangQian008d2bf2022-07-14 07:54:01 +0000[diff] [blame]645 ke_modes_len++;
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]646
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]647 MBEDTLS_SSL_DEBUG_MSG(4, ("Adding PSK-ECDHE key exchange mode"));
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]648 }
649
Pengyu Lv0a1ff2b2023-11-14 11:03:32 +0800[diff] [blame]650 if (mbedtls_ssl_conf_tls13_is_psk_enabled(ssl)) {
Ronald Crona709a0f2022-09-27 16:46:11 +0200[diff] [blame]651 *p++ = MBEDTLS_SSL_TLS1_3_PSK_MODE_PURE;
652 ke_modes_len++;
653
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]654 MBEDTLS_SSL_DEBUG_MSG(4, ("Adding pure PSK key exchange mode"));
Ronald Crona709a0f2022-09-27 16:46:11 +0200[diff] [blame]655 }
656
XiaokangQian008d2bf2022-07-14 07:54:01 +0000[diff] [blame]657 /* Now write the extension and ke_modes length */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]658 MBEDTLS_PUT_UINT16_BE(ke_modes_len + 1, buf, 2);
XiaokangQian008d2bf2022-07-14 07:54:01 +0000[diff] [blame]659 buf[4] = ke_modes_len;
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]660
661 *out_len = p - buf;
Jerry Yu0c354a22022-08-29 15:25:36 +0800[diff] [blame]662
Jerry Yuc4bf5d62022-10-29 09:08:47 +0800[diff] [blame]663 mbedtls_ssl_tls13_set_hs_sent_ext_mask(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]664 ssl, MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES);
Jerry Yu4b8f2f72022-10-31 13:31:22 +0800[diff] [blame]665
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]666 return 0;
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]667}
Jerry Yudb8c5fa2022-08-03 12:10:13 +0800[diff] [blame]668
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]669static psa_algorithm_t ssl_tls13_get_ciphersuite_hash_alg(int ciphersuite)
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]670{
Jerry Yu21f90952022-10-08 10:30:53 +0800[diff] [blame]671 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = NULL;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]672 ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(ciphersuite);
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]673
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]674 if (ciphersuite_info != NULL) {
Dave Rodgman2eab4622023-10-05 13:30:37 +0100[diff] [blame]675 return mbedtls_md_psa_alg_from_type((mbedtls_md_type_t) ciphersuite_info->mac);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]676 }
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]677
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]678 return PSA_ALG_NONE;
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]679}
680
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]681#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]682static int ssl_tls13_has_configured_ticket(mbedtls_ssl_context *ssl)
Xiaokang Qianb781a232022-11-01 07:39:46 +0000[diff] [blame]683{
684 mbedtls_ssl_session *session = ssl->session_negotiate;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]685 return ssl->handshake->resume &&
Pengyu Lv93566782022-12-07 12:10:05 +0800[diff] [blame]686 session != NULL && session->ticket != NULL &&
Pengyu Lvfc2cb962023-11-10 10:22:36 +0800[diff] [blame]687 mbedtls_ssl_conf_tls13_is_kex_mode_enabled(
Pengyu Lv94a42cc2023-12-06 10:04:17 +0800[diff] [blame]688 ssl, mbedtls_ssl_tls13_session_get_ticket_flags(
Pengyu Lv9b84ea72023-01-16 14:08:23 +0800[diff] [blame]689 session, MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL));
Xiaokang Qianb781a232022-11-01 07:39:46 +0000[diff] [blame]690}
691
Xiaokang Qian01323a42022-11-03 02:27:35 +0000[diff] [blame]692#if defined(MBEDTLS_SSL_EARLY_DATA)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]693static int ssl_tls13_early_data_has_valid_ticket(mbedtls_ssl_context *ssl)
Xiaokang Qian01323a42022-11-03 02:27:35 +0000[diff] [blame]694{
695 mbedtls_ssl_session *session = ssl->session_negotiate;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]696 return ssl->handshake->resume &&
697 session->tls_version == MBEDTLS_SSL_VERSION_TLS1_3 &&
Pengyu Lv94a42cc2023-12-06 10:04:17 +0800[diff] [blame]698 mbedtls_ssl_tls13_session_ticket_allow_early_data(session) &&
Jerry Yuc2b1bc42023-11-22 10:08:13 +0800[diff] [blame]699 mbedtls_ssl_tls13_cipher_suite_is_offered(ssl, session->ciphersuite);
Xiaokang Qian01323a42022-11-03 02:27:35 +0000[diff] [blame]700}
701#endif
702
Xiaokang Qianb781a232022-11-01 07:39:46 +0000[diff] [blame]703MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]704static int ssl_tls13_ticket_get_identity(mbedtls_ssl_context *ssl,
705 psa_algorithm_t *hash_alg,
706 const unsigned char **identity,
707 size_t *identity_len)
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]708{
709 mbedtls_ssl_session *session = ssl->session_negotiate;
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]710
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]711 if (!ssl_tls13_has_configured_ticket(ssl)) {
712 return -1;
713 }
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]714
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]715 *hash_alg = ssl_tls13_get_ciphersuite_hash_alg(session->ciphersuite);
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]716 *identity = session->ticket;
717 *identity_len = session->ticket_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]718 return 0;
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]719}
720
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]721MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]722static int ssl_tls13_ticket_get_psk(mbedtls_ssl_context *ssl,
723 psa_algorithm_t *hash_alg,
724 const unsigned char **psk,
725 size_t *psk_len)
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]726{
727
728 mbedtls_ssl_session *session = ssl->session_negotiate;
729
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]730 if (!ssl_tls13_has_configured_ticket(ssl)) {
731 return -1;
732 }
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]733
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]734 *hash_alg = ssl_tls13_get_ciphersuite_hash_alg(session->ciphersuite);
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]735 *psk = session->resumption_key;
736 *psk_len = session->resumption_key_len;
737
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]738 return 0;
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]739}
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]740#endif /* MBEDTLS_SSL_SESSION_TICKETS */
741
742MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]743static int ssl_tls13_psk_get_identity(mbedtls_ssl_context *ssl,
744 psa_algorithm_t *hash_alg,
745 const unsigned char **identity,
746 size_t *identity_len)
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]747{
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]748
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]749 if (!mbedtls_ssl_conf_has_static_psk(ssl->conf)) {
750 return -1;
751 }
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]752
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]753 *hash_alg = PSA_ALG_SHA_256;
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]754 *identity = ssl->conf->psk_identity;
755 *identity_len = ssl->conf->psk_identity_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]756 return 0;
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]757}
758
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]759MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]760static int ssl_tls13_psk_get_psk(mbedtls_ssl_context *ssl,
761 psa_algorithm_t *hash_alg,
762 const unsigned char **psk,
763 size_t *psk_len)
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]764{
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]765
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]766 if (!mbedtls_ssl_conf_has_static_psk(ssl->conf)) {
767 return -1;
768 }
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]769
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]770 *hash_alg = PSA_ALG_SHA_256;
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]771 *psk = ssl->conf->psk;
772 *psk_len = ssl->conf->psk_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]773 return 0;
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]774}
775
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]776static int ssl_tls13_get_configured_psk_count(mbedtls_ssl_context *ssl)
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]777{
778 int configured_psk_count = 0;
779#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]780 if (ssl_tls13_has_configured_ticket(ssl)) {
781 MBEDTLS_SSL_DEBUG_MSG(3, ("Ticket is configured"));
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]782 configured_psk_count++;
783 }
784#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]785 if (mbedtls_ssl_conf_has_static_psk(ssl->conf)) {
786 MBEDTLS_SSL_DEBUG_MSG(3, ("PSK is configured"));
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]787 configured_psk_count++;
788 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]789 return configured_psk_count;
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]790}
791
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]792MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]793static int ssl_tls13_write_identity(mbedtls_ssl_context *ssl,
794 unsigned char *buf,
795 unsigned char *end,
796 const unsigned char *identity,
797 size_t identity_len,
798 uint32_t obfuscated_ticket_age,
799 size_t *out_len)
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]800{
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]801 ((void) ssl);
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]802 *out_len = 0;
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]803
804 /*
805 * - identity_len (2 bytes)
806 * - identity (psk_identity_len bytes)
807 * - obfuscated_ticket_age (4 bytes)
808 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]809 MBEDTLS_SSL_CHK_BUF_PTR(buf, end, 6 + identity_len);
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]810
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]811 MBEDTLS_PUT_UINT16_BE(identity_len, buf, 0);
812 memcpy(buf + 2, identity, identity_len);
813 MBEDTLS_PUT_UINT32_BE(obfuscated_ticket_age, buf, 2 + identity_len);
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]814
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]815 MBEDTLS_SSL_DEBUG_BUF(4, "write identity", buf, 6 + identity_len);
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]816
817 *out_len = 6 + identity_len;
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]818
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]819 return 0;
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]820}
821
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]822MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]823static int ssl_tls13_write_binder(mbedtls_ssl_context *ssl,
824 unsigned char *buf,
825 unsigned char *end,
826 int psk_type,
827 psa_algorithm_t hash_alg,
828 const unsigned char *psk,
829 size_t psk_len,
830 size_t *out_len)
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]831{
832 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]833 unsigned char binder_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]834 unsigned char transcript[MBEDTLS_TLS1_3_MD_MAX_SIZE];
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]835 size_t transcript_len = 0;
836
837 *out_len = 0;
838
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]839 binder_len = PSA_HASH_LENGTH(hash_alg);
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]840
841 /*
842 * - binder_len (1 bytes)
843 * - binder (binder_len bytes)
844 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]845 MBEDTLS_SSL_CHK_BUF_PTR(buf, end, 1 + binder_len);
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]846
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]847 buf[0] = binder_len;
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]848
849 /* Get current state of handshake transcript. */
850 ret = mbedtls_ssl_get_handshake_transcript(
Manuel Pégourié-Gonnard2d6d9932023-03-28 11:38:08 +0200[diff] [blame]851 ssl, mbedtls_md_type_from_psa_alg(hash_alg),
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]852 transcript, sizeof(transcript), &transcript_len);
853 if (ret != 0) {
854 return ret;
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]855 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]856
857 ret = mbedtls_ssl_tls13_create_psk_binder(ssl, hash_alg,
858 psk, psk_len, psk_type,
859 transcript, buf + 1);
860 if (ret != 0) {
861 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_tls13_create_psk_binder", ret);
862 return ret;
863 }
864 MBEDTLS_SSL_DEBUG_BUF(4, "write binder", buf, 1 + binder_len);
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]865
866 *out_len = 1 + binder_len;
867
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]868 return 0;
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]869}
870
871/*
872 * mbedtls_ssl_tls13_write_identities_of_pre_shared_key_ext() structure:
873 *
874 * struct {
875 * opaque identity<1..2^16-1>;
876 * uint32 obfuscated_ticket_age;
877 * } PskIdentity;
878 *
879 * opaque PskBinderEntry<32..255>;
880 *
881 * struct {
882 * PskIdentity identities<7..2^16-1>;
883 * PskBinderEntry binders<33..2^16-1>;
884 * } OfferedPsks;
885 *
886 * struct {
887 * select (Handshake.msg_type) {
888 * case client_hello: OfferedPsks;
889 * ...
890 * };
891 * } PreSharedKeyExtension;
892 *
893 */
XiaokangQian3ad67bf2022-07-21 02:26:21 +0000[diff] [blame]894int mbedtls_ssl_tls13_write_identities_of_pre_shared_key_ext(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]895 mbedtls_ssl_context *ssl, unsigned char *buf, unsigned char *end,
896 size_t *out_len, size_t *binders_len)
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]897{
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]898 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]899 int configured_psk_count = 0;
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]900 unsigned char *p = buf;
Xiaokang Qian854db282022-12-19 07:31:27 +0000[diff] [blame]901 psa_algorithm_t hash_alg = PSA_ALG_NONE;
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]902 const unsigned char *identity;
903 size_t identity_len;
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]904 size_t l_binders_len = 0;
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]905 size_t output_len;
Xiaokang Qian7179f812023-02-03 03:38:44 +0000[diff] [blame]906
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]907 *out_len = 0;
908 *binders_len = 0;
909
910 /* Check if we have any PSKs to offer. If no, skip pre_shared_key */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]911 configured_psk_count = ssl_tls13_get_configured_psk_count(ssl);
912 if (configured_psk_count == 0) {
913 MBEDTLS_SSL_DEBUG_MSG(3, ("skip pre_shared_key extensions"));
914 return 0;
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]915 }
916
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]917 MBEDTLS_SSL_DEBUG_MSG(4, ("Pre-configured PSK number = %d",
918 configured_psk_count));
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]919
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]920 /* Check if we have space to write the extension, binders included.
921 * - extension_type (2 bytes)
922 * - extension_data_len (2 bytes)
923 * - identities_len (2 bytes)
924 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]925 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 6);
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]926 p += 6;
927
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]928#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]929 if (ssl_tls13_ticket_get_identity(
930 ssl, &hash_alg, &identity, &identity_len) == 0) {
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]931#if defined(MBEDTLS_HAVE_TIME)
Jerry Yucebffc32022-12-15 18:00:05 +0800[diff] [blame]932 mbedtls_ms_time_t now = mbedtls_ms_time();
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]933 mbedtls_ssl_session *session = ssl->session_negotiate;
Jerry Yucf913512023-11-14 11:06:52 +0800[diff] [blame]934 /* The ticket age has been checked to be smaller than the
Jerry Yu46c79262023-11-10 13:58:16 +0800[diff] [blame]935 * `ticket_lifetime` in ssl_prepare_client_hello() which is smaller than
936 * 7 days (enforced in ssl_tls13_parse_new_session_ticket()) . Thus the
937 * cast to `uint32_t` of the ticket age is safe. */
Jerry Yu6916e702022-10-10 21:33:51 +0800[diff] [blame]938 uint32_t obfuscated_ticket_age =
Jerry Yu342a5552023-11-10 14:23:39 +0800[diff] [blame]939 (uint32_t) (now - session->ticket_reception_time);
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]940 obfuscated_ticket_age += session->ticket_age_add;
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]941
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]942 ret = ssl_tls13_write_identity(ssl, p, end,
943 identity, identity_len,
944 obfuscated_ticket_age,
945 &output_len);
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]946#else
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]947 ret = ssl_tls13_write_identity(ssl, p, end, identity, identity_len,
948 0, &output_len);
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]949#endif /* MBEDTLS_HAVE_TIME */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]950 if (ret != 0) {
951 return ret;
952 }
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]953
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]954 p += output_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]955 l_binders_len += 1 + PSA_HASH_LENGTH(hash_alg);
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]956 }
957#endif /* MBEDTLS_SSL_SESSION_TICKETS */
958
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]959 if (ssl_tls13_psk_get_identity(
960 ssl, &hash_alg, &identity, &identity_len) == 0) {
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]961
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]962 ret = ssl_tls13_write_identity(ssl, p, end, identity, identity_len, 0,
963 &output_len);
964 if (ret != 0) {
965 return ret;
966 }
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]967
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]968 p += output_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]969 l_binders_len += 1 + PSA_HASH_LENGTH(hash_alg);
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]970 }
971
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]972 MBEDTLS_SSL_DEBUG_MSG(3,
973 ("client hello, adding pre_shared_key extension, "
974 "omitting PSK binder list"));
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]975
976 /* Take into account the two bytes for the length of the binders. */
977 l_binders_len += 2;
Jerry Yu6916e702022-10-10 21:33:51 +0800[diff] [blame]978 /* Check if there is enough space for binders */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]979 MBEDTLS_SSL_CHK_BUF_PTR(p, end, l_binders_len);
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]980
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]981 /*
982 * - extension_type (2 bytes)
983 * - extension_data_len (2 bytes)
984 * - identities_len (2 bytes)
985 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]986 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_PRE_SHARED_KEY, buf, 0);
987 MBEDTLS_PUT_UINT16_BE(p - buf - 4 + l_binders_len, buf, 2);
988 MBEDTLS_PUT_UINT16_BE(p - buf - 6, buf, 4);
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]989
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]990 *out_len = (p - buf) + l_binders_len;
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]991 *binders_len = l_binders_len;
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]992
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]993 MBEDTLS_SSL_DEBUG_BUF(3, "pre_shared_key identities", buf, p - buf);
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]994
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]995 return 0;
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]996}
997
XiaokangQian86981952022-07-19 09:51:50 +0000[diff] [blame]998int mbedtls_ssl_tls13_write_binders_of_pre_shared_key_ext(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]999 mbedtls_ssl_context *ssl, unsigned char *buf, unsigned char *end)
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]1000{
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]1001 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1002 unsigned char *p = buf;
Jerry Yu6183cc72022-09-30 11:08:57 +0800[diff] [blame]1003 psa_algorithm_t hash_alg = PSA_ALG_NONE;
1004 const unsigned char *psk;
1005 size_t psk_len;
1006 size_t output_len;
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]1007
1008 /* Check if we have space to write binders_len.
1009 * - binders_len (2 bytes)
1010 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1011 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2);
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]1012 p += 2;
1013
Jerry Yu6183cc72022-09-30 11:08:57 +0800[diff] [blame]1014#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1015 if (ssl_tls13_ticket_get_psk(ssl, &hash_alg, &psk, &psk_len) == 0) {
Jerry Yu6183cc72022-09-30 11:08:57 +0800[diff] [blame]1016
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1017 ret = ssl_tls13_write_binder(ssl, p, end,
1018 MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION,
1019 hash_alg, psk, psk_len,
1020 &output_len);
1021 if (ret != 0) {
1022 return ret;
1023 }
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]1024 p += output_len;
1025 }
Jerry Yu6183cc72022-09-30 11:08:57 +0800[diff] [blame]1026#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]1027
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1028 if (ssl_tls13_psk_get_psk(ssl, &hash_alg, &psk, &psk_len) == 0) {
Jerry Yu6183cc72022-09-30 11:08:57 +0800[diff] [blame]1029
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1030 ret = ssl_tls13_write_binder(ssl, p, end,
1031 MBEDTLS_SSL_TLS1_3_PSK_EXTERNAL,
1032 hash_alg, psk, psk_len,
1033 &output_len);
1034 if (ret != 0) {
1035 return ret;
1036 }
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]1037 p += output_len;
1038 }
1039
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1040 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, adding PSK binder list."));
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]1041
1042 /*
1043 * - binders_len (2 bytes)
1044 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1045 MBEDTLS_PUT_UINT16_BE(p - buf - 2, buf, 0);
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]1046
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1047 MBEDTLS_SSL_DEBUG_BUF(3, "pre_shared_key binders", buf, p - buf);
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]1048
Jerry Yuc4bf5d62022-10-29 09:08:47 +0800[diff] [blame]1049 mbedtls_ssl_tls13_set_hs_sent_ext_mask(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1050 ssl, MBEDTLS_TLS_EXT_PRE_SHARED_KEY);
Jerry Yu0c354a22022-08-29 15:25:36 +0800[diff] [blame]1051
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1052 return 0;
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]1053}
Jerry Yu0c6105b2022-08-12 17:26:40 +0800[diff] [blame]1054
1055/*
1056 * struct {
1057 * opaque identity<1..2^16-1>;
1058 * uint32 obfuscated_ticket_age;
1059 * } PskIdentity;
1060 *
1061 * opaque PskBinderEntry<32..255>;
1062 *
1063 * struct {
1064 *
1065 * select (Handshake.msg_type) {
1066 * ...
1067 * case server_hello: uint16 selected_identity;
1068 * };
1069 *
1070 * } PreSharedKeyExtension;
1071 *
1072 */
1073MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1074static int ssl_tls13_parse_server_pre_shared_key_ext(mbedtls_ssl_context *ssl,
1075 const unsigned char *buf,
1076 const unsigned char *end)
Jerry Yu0c6105b2022-08-12 17:26:40 +0800[diff] [blame]1077{
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]1078 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yub300e3c2022-09-28 22:12:07 +0800[diff] [blame]1079 int selected_identity;
Jerry Yub300e3c2022-09-28 22:12:07 +0800[diff] [blame]1080 const unsigned char *psk;
1081 size_t psk_len;
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]1082 psa_algorithm_t hash_alg;
Jerry Yub300e3c2022-09-28 22:12:07 +0800[diff] [blame]1083
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1084 MBEDTLS_SSL_CHK_BUF_READ_PTR(buf, end, 2);
1085 selected_identity = MBEDTLS_GET_UINT16_BE(buf, 0);
Xiaokang Qian2a674932023-01-04 03:15:09 +0000[diff] [blame]1086 ssl->handshake->selected_identity = (uint16_t) selected_identity;
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]1087
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1088 MBEDTLS_SSL_DEBUG_MSG(3, ("selected_identity = %d", selected_identity));
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]1089
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1090 if (selected_identity >= ssl_tls13_get_configured_psk_count(ssl)) {
1091 MBEDTLS_SSL_DEBUG_MSG(1, ("Invalid PSK identity."));
Jerry Yu4a698342022-09-30 12:22:01 +0800[diff] [blame]1092
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1093 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
1094 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
1095 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Jerry Yub300e3c2022-09-28 22:12:07 +0800[diff] [blame]1096 }
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]1097
Jerry Yu4a698342022-09-30 12:22:01 +0800[diff] [blame]1098#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1099 if (selected_identity == 0 && ssl_tls13_has_configured_ticket(ssl)) {
1100 ret = ssl_tls13_ticket_get_psk(ssl, &hash_alg, &psk, &psk_len);
1101 } else
Jerry Yu4a698342022-09-30 12:22:01 +0800[diff] [blame]1102#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1103 if (mbedtls_ssl_conf_has_static_psk(ssl->conf)) {
1104 ret = ssl_tls13_psk_get_psk(ssl, &hash_alg, &psk, &psk_len);
1105 } else {
1106 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
1107 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Jerry Yub300e3c2022-09-28 22:12:07 +0800[diff] [blame]1108 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1109 if (ret != 0) {
1110 return ret;
Jerry Yub300e3c2022-09-28 22:12:07 +0800[diff] [blame]1111 }
Jerry Yub300e3c2022-09-28 22:12:07 +0800[diff] [blame]1112
Dave Rodgman2eab4622023-10-05 13:30:37 +0100[diff] [blame]1113 if (mbedtls_md_psa_alg_from_type((mbedtls_md_type_t) ssl->handshake->ciphersuite_info->mac)
Xiaokang Qianeb31cbc2023-02-07 02:08:56 +0000[diff] [blame]1114 != hash_alg) {
1115 MBEDTLS_SSL_DEBUG_MSG(
1116 1, ("Invalid ciphersuite for external psk."));
1117
1118 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
1119 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
1120 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
1121 }
1122
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1123 ret = mbedtls_ssl_set_hs_psk(ssl, psk, psk_len);
1124 if (ret != 0) {
1125 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_set_hs_psk", ret);
1126 return ret;
1127 }
1128
1129 return 0;
Jerry Yu0c6105b2022-08-12 17:26:40 +0800[diff] [blame]1130}
Ronald Cron41a443a2022-10-04 16:38:25 +0200[diff] [blame]1131#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]1132
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1133int mbedtls_ssl_tls13_write_client_hello_exts(mbedtls_ssl_context *ssl,
1134 unsigned char *buf,
1135 unsigned char *end,
1136 size_t *out_len)
Ronald Cron04fbd2b2022-02-18 12:06:07 +0100[diff] [blame]1137{
1138 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1139 unsigned char *p = buf;
1140 size_t ext_len;
1141
1142 *out_len = 0;
1143
1144 /* Write supported_versions extension
1145 *
1146 * Supported Versions Extension is mandatory with TLS 1.3.
1147 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1148 ret = ssl_tls13_write_supported_versions_ext(ssl, p, end, &ext_len);
1149 if (ret != 0) {
1150 return ret;
1151 }
Ronald Cron04fbd2b2022-02-18 12:06:07 +0100[diff] [blame]1152 p += ext_len;
1153
1154 /* Echo the cookie if the server provided one in its preceding
1155 * HelloRetryRequest message.
1156 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1157 ret = ssl_tls13_write_cookie_ext(ssl, p, end, &ext_len);
1158 if (ret != 0) {
1159 return ret;
1160 }
Ronald Cron04fbd2b2022-02-18 12:06:07 +0100[diff] [blame]1161 p += ext_len;
1162
Yanray Wang42017cd2023-11-08 11:15:23 +0800[diff] [blame]1163#if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
1164 ret = mbedtls_ssl_tls13_write_record_size_limit_ext(
Waleed Elmelegy148dfb62024-01-04 18:02:35 +0000[diff] [blame]1165 ssl, p, end, &ext_len);
Yanray Wang42017cd2023-11-08 11:15:23 +0800[diff] [blame]1166 if (ret != 0) {
1167 return ret;
1168 }
1169 p += ext_len;
1170#endif
1171
Ronald Cron766c0cd2022-10-18 12:17:11 +0200[diff] [blame]1172#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)
Pengyu Lv0a1ff2b2023-11-14 11:03:32 +0800[diff] [blame]1173 if (mbedtls_ssl_conf_tls13_is_some_ephemeral_enabled(ssl)) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1174 ret = ssl_tls13_write_key_share_ext(ssl, p, end, &ext_len);
1175 if (ret != 0) {
1176 return ret;
1177 }
Ronald Cron04fbd2b2022-02-18 12:06:07 +0100[diff] [blame]1178 p += ext_len;
1179 }
Ronald Cron766c0cd2022-10-18 12:17:11 +0200[diff] [blame]1180#endif
Ronald Cron04fbd2b2022-02-18 12:06:07 +0100[diff] [blame]1181
Xiaokang Qian0e97d4d2022-10-24 11:12:51 +0000[diff] [blame]1182#if defined(MBEDTLS_SSL_EARLY_DATA)
Ronald Cron90e22332024-01-22 15:24:21 +0100[diff] [blame]1183 if (ssl->handshake->hello_retry_request_count == 0) {
1184 if (mbedtls_ssl_conf_tls13_is_some_psk_enabled(ssl) &&
1185 ssl_tls13_early_data_has_valid_ticket(ssl) &&
1186 ssl->conf->early_data_enabled == MBEDTLS_SSL_EARLY_DATA_ENABLED) {
1187 ret = mbedtls_ssl_tls13_write_early_data_ext(
1188 ssl, 0, p, end, &ext_len);
1189 if (ret != 0) {
1190 return ret;
1191 }
1192 p += ext_len;
Jerry Yu52335392023-11-23 18:06:06 +0800[diff] [blame]1193
Ronald Cron90e22332024-01-22 15:24:21 +0100[diff] [blame]1194 ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_SENT;
1195 } else {
1196 ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1197 }
Xiaokang Qian0e97d4d2022-10-24 11:12:51 +0000[diff] [blame]1198 }
1199#endif /* MBEDTLS_SSL_EARLY_DATA */
1200
Ronald Cron41a443a2022-10-04 16:38:25 +0200[diff] [blame]1201#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]1202 /* For PSK-based key exchange we need the pre_shared_key extension
1203 * and the psk_key_exchange_modes extension.
1204 *
1205 * The pre_shared_key extension MUST be the last extension in the
1206 * ClientHello. Servers MUST check that it is the last extension and
1207 * otherwise fail the handshake with an "illegal_parameter" alert.
1208 *
1209 * Add the psk_key_exchange_modes extension.
1210 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1211 ret = ssl_tls13_write_psk_key_exchange_modes_ext(ssl, p, end, &ext_len);
1212 if (ret != 0) {
1213 return ret;
1214 }
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]1215 p += ext_len;
Ronald Cron41a443a2022-10-04 16:38:25 +0200[diff] [blame]1216#endif
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]1217
Ronald Cron04fbd2b2022-02-18 12:06:07 +0100[diff] [blame]1218 *out_len = p - buf;
1219
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1220 return 0;
Ronald Cron04fbd2b2022-02-18 12:06:07 +0100[diff] [blame]1221}
1222
Xiaokang Qian934ce6f2023-02-06 10:23:04 +0000[diff] [blame]1223int mbedtls_ssl_tls13_finalize_client_hello(mbedtls_ssl_context *ssl)
Xiaokang Qian126929f2023-01-03 10:29:41 +0000[diff] [blame]1224{
Xiaokang Qian90746132023-01-06 05:54:59 +0000[diff] [blame]1225 ((void) ssl);
Xiaokang Qian79f77522023-01-28 10:35:29 +0000[diff] [blame]1226
Xiaokang Qian126929f2023-01-03 10:29:41 +0000[diff] [blame]1227#if defined(MBEDTLS_SSL_EARLY_DATA)
1228 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1229 psa_algorithm_t hash_alg = PSA_ALG_NONE;
1230 const unsigned char *psk;
1231 size_t psk_len;
1232 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
Xiaokang Qian592021a2023-01-04 10:47:05 +0000[diff] [blame]1233
Ronald Cron90e22332024-01-22 15:24:21 +0100[diff] [blame]1234 if (ssl->early_data_status == MBEDTLS_SSL_EARLY_DATA_STATUS_SENT) {
Xiaokang Qian126929f2023-01-03 10:29:41 +0000[diff] [blame]1235 MBEDTLS_SSL_DEBUG_MSG(
1236 1, ("Set hs psk for early data when writing the first psk"));
1237
1238 ret = ssl_tls13_ticket_get_psk(ssl, &hash_alg, &psk, &psk_len);
1239 if (ret != 0) {
1240 MBEDTLS_SSL_DEBUG_RET(
1241 1, "ssl_tls13_ticket_get_psk", ret);
1242 return ret;
1243 }
1244
1245 ret = mbedtls_ssl_set_hs_psk(ssl, psk, psk_len);
1246 if (ret != 0) {
1247 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_set_hs_psk", ret);
1248 return ret;
1249 }
1250
Xiaokang Qian64bc9bc2023-02-07 02:32:23 +0000[diff] [blame]1251 /*
1252 * Early data are going to be encrypted using the ciphersuite
1253 * associated with the pre-shared key used for the handshake.
1254 * Note that if the server rejects early data, the handshake
1255 * based on the pre-shared key may complete successfully
1256 * with a selected ciphersuite different from the ciphersuite
1257 * associated with the pre-shared key. Only the hashes of the
1258 * two ciphersuites have to be the same. In that case, the
1259 * encrypted handshake data and application data are
1260 * encrypted using a different ciphersuite than the one used for
1261 * the rejected early data.
1262 */
Xiaokang Qian126929f2023-01-03 10:29:41 +0000[diff] [blame]1263 ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(
1264 ssl->session_negotiate->ciphersuite);
1265 ssl->handshake->ciphersuite_info = ciphersuite_info;
Xiaokang Qian8dc4ce72023-02-07 10:49:50 +0000[diff] [blame]1266
Tom Cosgrove5c8505f2023-03-07 11:39:52 +0000[diff] [blame]1267 /* Enable psk and psk_ephemeral to make stage early happy */
Xiaokang Qian126929f2023-01-03 10:29:41 +0000[diff] [blame]1268 ssl->handshake->key_exchange_mode =
1269 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL;
1270
1271 /* Start the TLS 1.3 key schedule:
Xiaokang Qian8dc4ce72023-02-07 10:49:50 +0000[diff] [blame]1272 * Set the PSK and derive early secret.
Xiaokang Qian126929f2023-01-03 10:29:41 +0000[diff] [blame]1273 */
1274 ret = mbedtls_ssl_tls13_key_schedule_stage_early(ssl);
1275 if (ret != 0) {
Xiaokang Qian0de0d862023-02-08 06:04:50 +0000[diff] [blame]1276 MBEDTLS_SSL_DEBUG_RET(
1277 1, "mbedtls_ssl_tls13_key_schedule_stage_early", ret);
Xiaokang Qian126929f2023-01-03 10:29:41 +0000[diff] [blame]1278 return ret;
1279 }
1280
1281 /* Derive early data key material */
1282 ret = mbedtls_ssl_tls13_compute_early_transform(ssl);
1283 if (ret != 0) {
Xiaokang Qian0de0d862023-02-08 06:04:50 +0000[diff] [blame]1284 MBEDTLS_SSL_DEBUG_RET(
1285 1, "mbedtls_ssl_tls13_compute_early_transform", ret);
Xiaokang Qian126929f2023-01-03 10:29:41 +0000[diff] [blame]1286 return ret;
1287 }
1288
Ronald Cron297c6082024-01-19 08:15:33 +0100[diff] [blame]1289#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
1290 mbedtls_ssl_handshake_set_state(
1291 ssl, MBEDTLS_SSL_CLIENT_CCS_AFTER_CLIENT_HELLO);
1292#else
1293 MBEDTLS_SSL_DEBUG_MSG(
1294 1, ("Switch to early data keys for outbound traffic"));
1295 mbedtls_ssl_set_outbound_transform(
1296 ssl, ssl->handshake->transform_earlydata);
Ronald Cron90e22332024-01-22 15:24:21 +0100[diff] [blame]1297 ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_CAN_WRITE;
Ronald Cron297c6082024-01-19 08:15:33 +0100[diff] [blame]1298#endif
Xiaokang Qian126929f2023-01-03 10:29:41 +0000[diff] [blame]1299 }
1300#endif /* MBEDTLS_SSL_EARLY_DATA */
1301 return 0;
1302}
Jerry Yu1bc2c1f2021-09-01 12:57:29 +0800[diff] [blame]1303/*
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1304 * Functions for parsing and processing Server Hello
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1305 */
Ronald Cronfd6193c2022-04-05 11:04:20 +0200[diff] [blame]1306
Ronald Cronda41b382022-03-30 09:57:11 +0200[diff] [blame]1307/**
1308 * \brief Detect if the ServerHello contains a supported_versions extension
1309 * or not.
1310 *
1311 * \param[in] ssl SSL context
1312 * \param[in] buf Buffer containing the ServerHello message
1313 * \param[in] end End of the buffer containing the ServerHello message
1314 *
1315 * \return 0 if the ServerHello does not contain a supported_versions extension
1316 * \return 1 if the ServerHello contains a supported_versions extension
1317 * \return A negative value if an error occurred while parsing the ServerHello.
1318 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1319MBEDTLS_CHECK_RETURN_CRITICAL
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]1320static int ssl_tls13_is_supported_versions_ext_present(
1321 mbedtls_ssl_context *ssl,
1322 const unsigned char *buf,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1323 const unsigned char *end)
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]1324{
1325 const unsigned char *p = buf;
1326 size_t legacy_session_id_echo_len;
Ronald Croneff56732023-04-03 17:36:31 +0200[diff] [blame]1327 const unsigned char *supported_versions_data;
1328 const unsigned char *supported_versions_data_end;
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]1329
1330 /*
1331 * Check there is enough data to access the legacy_session_id_echo vector
Ronald Cronda41b382022-03-30 09:57:11 +0200[diff] [blame]1332 * length:
1333 * - legacy_version 2 bytes
1334 * - random MBEDTLS_SERVER_HELLO_RANDOM_LEN bytes
1335 * - legacy_session_id_echo length 1 byte
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]1336 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1337 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, MBEDTLS_SERVER_HELLO_RANDOM_LEN + 3);
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]1338 p += MBEDTLS_SERVER_HELLO_RANDOM_LEN + 2;
1339 legacy_session_id_echo_len = *p;
1340
1341 /*
1342 * Jump to the extensions, jumping over:
1343 * - legacy_session_id_echo (legacy_session_id_echo_len + 1) bytes
1344 * - cipher_suite 2 bytes
1345 * - legacy_compression_method 1 byte
1346 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1347 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, legacy_session_id_echo_len + 4);
1348 p += legacy_session_id_echo_len + 4;
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]1349
Ronald Cron47dce632023-02-08 17:38:29 +0100[diff] [blame]1350 return mbedtls_ssl_tls13_is_supported_versions_ext_present_in_exts(
1351 ssl, p, end,
Ronald Croneff56732023-04-03 17:36:31 +0200[diff] [blame]1352 &supported_versions_data, &supported_versions_data_end);
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]1353}
1354
Jerry Yu7a186a02021-10-15 18:46:14 +0800[diff] [blame]1355/* Returns a negative value on failure, and otherwise
Ronald Cronfd6193c2022-04-05 11:04:20 +0200[diff] [blame]1356 * - 1 if the last eight bytes of the ServerHello random bytes indicate that
1357 * the server is TLS 1.3 capable but negotiating TLS 1.2 or below.
1358 * - 0 otherwise
1359 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1360MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1361static int ssl_tls13_is_downgrade_negotiation(mbedtls_ssl_context *ssl,
1362 const unsigned char *buf,
1363 const unsigned char *end)
Ronald Cronfd6193c2022-04-05 11:04:20 +0200[diff] [blame]1364{
1365 /* First seven bytes of the magic downgrade strings, see RFC 8446 4.1.3 */
1366 static const unsigned char magic_downgrade_string[] =
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1367 { 0x44, 0x4F, 0x57, 0x4E, 0x47, 0x52, 0x44 };
Ronald Cronfd6193c2022-04-05 11:04:20 +0200[diff] [blame]1368 const unsigned char *last_eight_bytes_of_random;
1369 unsigned char last_byte_of_random;
1370
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1371 MBEDTLS_SSL_CHK_BUF_READ_PTR(buf, end, MBEDTLS_SERVER_HELLO_RANDOM_LEN + 2);
Ronald Cronfd6193c2022-04-05 11:04:20 +0200[diff] [blame]1372 last_eight_bytes_of_random = buf + 2 + MBEDTLS_SERVER_HELLO_RANDOM_LEN - 8;
1373
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1374 if (memcmp(last_eight_bytes_of_random,
1375 magic_downgrade_string,
1376 sizeof(magic_downgrade_string)) == 0) {
Ronald Cronfd6193c2022-04-05 11:04:20 +0200[diff] [blame]1377 last_byte_of_random = last_eight_bytes_of_random[7];
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1378 return last_byte_of_random == 0 ||
1379 last_byte_of_random == 1;
Ronald Cronfd6193c2022-04-05 11:04:20 +0200[diff] [blame]1380 }
1381
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1382 return 0;
Ronald Cronfd6193c2022-04-05 11:04:20 +0200[diff] [blame]1383}
1384
1385/* Returns a negative value on failure, and otherwise
Ronald Cron828aff62022-05-31 12:04:31 +0200[diff] [blame]1386 * - SSL_SERVER_HELLO or
1387 * - SSL_SERVER_HELLO_HRR
XiaokangQian51eff222021-12-10 10:33:56 +0000[diff] [blame]1388 * to indicate which message is expected and to be parsed next.
1389 */
Ronald Cron828aff62022-05-31 12:04:31 +0200[diff] [blame]1390#define SSL_SERVER_HELLO 0
1391#define SSL_SERVER_HELLO_HRR 1
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1392MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1393static int ssl_server_hello_is_hrr(mbedtls_ssl_context *ssl,
1394 const unsigned char *buf,
1395 const unsigned char *end)
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1396{
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1397
1398 /* Check whether this message is a HelloRetryRequest ( HRR ) message.
1399 *
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1400 * Server Hello and HRR are only distinguished by Random set to the
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1401 * special value of the SHA-256 of "HelloRetryRequest".
1402 *
1403 * struct {
1404 * ProtocolVersion legacy_version = 0x0303;
1405 * Random random;
1406 * opaque legacy_session_id_echo<0..32>;
1407 * CipherSuite cipher_suite;
1408 * uint8 legacy_compression_method = 0;
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1409 * Extension extensions<6..2^16-1>;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1410 * } ServerHello;
1411 *
1412 */
Xiaokang Qian958b6ff2023-03-29 10:37:35 +0000[diff] [blame]1413 MBEDTLS_SSL_CHK_BUF_READ_PTR(
1414 buf, end, 2 + sizeof(mbedtls_ssl_tls13_hello_retry_request_magic));
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1415
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1416 if (memcmp(buf + 2, mbedtls_ssl_tls13_hello_retry_request_magic,
1417 sizeof(mbedtls_ssl_tls13_hello_retry_request_magic)) == 0) {
1418 return SSL_SERVER_HELLO_HRR;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1419 }
1420
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1421 return SSL_SERVER_HELLO;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1422}
1423
Ronald Cron828aff62022-05-31 12:04:31 +0200[diff] [blame]1424/*
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1425 * Returns a negative value on failure, and otherwise
Ronald Cron828aff62022-05-31 12:04:31 +0200[diff] [blame]1426 * - SSL_SERVER_HELLO or
1427 * - SSL_SERVER_HELLO_HRR or
1428 * - SSL_SERVER_HELLO_TLS1_2
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1429 */
Ronald Cron828aff62022-05-31 12:04:31 +0200[diff] [blame]1430#define SSL_SERVER_HELLO_TLS1_2 2
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1431MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1432static int ssl_tls13_preprocess_server_hello(mbedtls_ssl_context *ssl,
1433 const unsigned char *buf,
1434 const unsigned char *end)
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1435{
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1436 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Ronald Cron5afb9042022-05-31 12:11:39 +0200[diff] [blame]1437 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1438
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1439 MBEDTLS_SSL_PROC_CHK_NEG(ssl_tls13_is_supported_versions_ext_present(
1440 ssl, buf, end));
Jerry Yua66fece2022-07-13 14:30:29 +0800[diff] [blame]1441
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1442 if (ret == 0) {
Ronald Cronfd6193c2022-04-05 11:04:20 +0200[diff] [blame]1443 MBEDTLS_SSL_PROC_CHK_NEG(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1444 ssl_tls13_is_downgrade_negotiation(ssl, buf, end));
Ronald Cronfd6193c2022-04-05 11:04:20 +0200[diff] [blame]1445
1446 /* If the server is negotiating TLS 1.2 or below and:
1447 * . we did not propose TLS 1.2 or
1448 * . the server responded it is TLS 1.3 capable but negotiating a lower
1449 * version of the protocol and thus we are under downgrade attack
1450 * abort the handshake with an "illegal parameter" alert.
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]1451 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1452 if (handshake->min_tls_version > MBEDTLS_SSL_VERSION_TLS1_2 || ret) {
1453 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
1454 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
1455 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]1456 }
1457
Ronald Cronb828c7d2023-04-03 16:37:22 +0200[diff] [blame]1458 /*
1459 * Version 1.2 of the protocol has been negotiated, set the
1460 * ssl->keep_current_message flag for the ServerHello to be kept and
1461 * parsed as a TLS 1.2 ServerHello. We also change ssl->tls_version to
1462 * MBEDTLS_SSL_VERSION_TLS1_2 thus from now on mbedtls_ssl_handshake_step()
1463 * will dispatch to the TLS 1.2 state machine.
1464 */
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]1465 ssl->keep_current_message = 1;
Glenn Strauss60bfe602022-03-14 19:04:24 -0400[diff] [blame]1466 ssl->tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
Xiaokang Qian958b6ff2023-03-29 10:37:35 +0000[diff] [blame]1467 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(
1468 ssl, MBEDTLS_SSL_HS_SERVER_HELLO,
1469 buf, (size_t) (end - buf)));
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]1470
Pengyu Lv0a1ff2b2023-11-14 11:03:32 +0800[diff] [blame]1471 if (mbedtls_ssl_conf_tls13_is_some_ephemeral_enabled(ssl)) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1472 ret = ssl_tls13_reset_key_share(ssl);
1473 if (ret != 0) {
1474 return ret;
1475 }
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]1476 }
1477
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1478 return SSL_SERVER_HELLO_TLS1_2;
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]1479 }
1480
Jerry Yua66fece2022-07-13 14:30:29 +0800[diff] [blame]1481 ssl->session_negotiate->tls_version = ssl->tls_version;
Ronald Cron17ef8df2023-11-22 10:29:42 +0100[diff] [blame]1482 ssl->session_negotiate->endpoint = ssl->conf->endpoint;
Jerry Yua66fece2022-07-13 14:30:29 +0800[diff] [blame]1483
Jerry Yu50e00e32022-10-31 14:45:01 +0800[diff] [blame]1484 handshake->received_extensions = MBEDTLS_SSL_EXT_MASK_NONE;
Ronald Cron5afb9042022-05-31 12:11:39 +0200[diff] [blame]1485
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1486 ret = ssl_server_hello_is_hrr(ssl, buf, end);
1487 switch (ret) {
Ronald Cron828aff62022-05-31 12:04:31 +0200[diff] [blame]1488 case SSL_SERVER_HELLO:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1489 MBEDTLS_SSL_DEBUG_MSG(2, ("received ServerHello message"));
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1490 break;
Ronald Cron828aff62022-05-31 12:04:31 +0200[diff] [blame]1491 case SSL_SERVER_HELLO_HRR:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1492 MBEDTLS_SSL_DEBUG_MSG(2, ("received HelloRetryRequest message"));
Xiaokang Qian958b6ff2023-03-29 10:37:35 +0000[diff] [blame]1493 /* If a client receives a second HelloRetryRequest in the same
1494 * connection (i.e., where the ClientHello was itself in response
1495 * to a HelloRetryRequest), it MUST abort the handshake with an
1496 * "unexpected_message" alert.
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1497 */
1498 if (handshake->hello_retry_request_count > 0) {
1499 MBEDTLS_SSL_DEBUG_MSG(1, ("Multiple HRRs received"));
Xiaokang Qian958b6ff2023-03-29 10:37:35 +0000[diff] [blame]1500 MBEDTLS_SSL_PEND_FATAL_ALERT(
1501 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE,
1502 MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1503 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
XiaokangQian16acd4b2022-01-14 07:35:47 +0000[diff] [blame]1504 }
XiaokangQian2b01dc32022-01-21 02:53:13 +0000[diff] [blame]1505 /*
1506 * Clients must abort the handshake with an "illegal_parameter"
1507 * alert if the HelloRetryRequest would not result in any change
1508 * in the ClientHello.
1509 * In a PSK only key exchange that what we expect.
1510 */
Pengyu Lv0a1ff2b2023-11-14 11:03:32 +0800[diff] [blame]1511 if (!mbedtls_ssl_conf_tls13_is_some_ephemeral_enabled(ssl)) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1512 MBEDTLS_SSL_DEBUG_MSG(1,
1513 ("Unexpected HRR in pure PSK key exchange."));
XiaokangQian2b01dc32022-01-21 02:53:13 +0000[diff] [blame]1514 MBEDTLS_SSL_PEND_FATAL_ALERT(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1515 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
1516 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
1517 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
XiaokangQian2b01dc32022-01-21 02:53:13 +0000[diff] [blame]1518 }
XiaokangQian16acd4b2022-01-14 07:35:47 +0000[diff] [blame]1519
Ronald Cron5afb9042022-05-31 12:11:39 +0200[diff] [blame]1520 handshake->hello_retry_request_count++;
XiaokangQian16acd4b2022-01-14 07:35:47 +0000[diff] [blame]1521
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1522 break;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1523 }
1524
1525cleanup:
1526
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1527 return ret;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1528}
1529
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1530MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1531static int ssl_tls13_check_server_hello_session_id_echo(mbedtls_ssl_context *ssl,
1532 const unsigned char **buf,
1533 const unsigned char *end)
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1534{
1535 const unsigned char *p = *buf;
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1536 size_t legacy_session_id_echo_len;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1537
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1538 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 1);
1539 legacy_session_id_echo_len = *p++;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1540
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1541 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, legacy_session_id_echo_len);
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1542
1543 /* legacy_session_id_echo */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1544 if (ssl->session_negotiate->id_len != legacy_session_id_echo_len ||
1545 memcmp(ssl->session_negotiate->id, p, legacy_session_id_echo_len) != 0) {
1546 MBEDTLS_SSL_DEBUG_BUF(3, "Expected Session ID",
1547 ssl->session_negotiate->id,
1548 ssl->session_negotiate->id_len);
1549 MBEDTLS_SSL_DEBUG_BUF(3, "Received Session ID", p,
1550 legacy_session_id_echo_len);
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1551
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1552 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
1553 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1554
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1555 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1556 }
1557
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1558 p += legacy_session_id_echo_len;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1559 *buf = p;
1560
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1561 MBEDTLS_SSL_DEBUG_BUF(3, "Session ID", ssl->session_negotiate->id,
1562 ssl->session_negotiate->id_len);
1563 return 0;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1564}
1565
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1566/* Parse ServerHello message and configure context
1567 *
1568 * struct {
1569 * ProtocolVersion legacy_version = 0x0303; // TLS 1.2
1570 * Random random;
1571 * opaque legacy_session_id_echo<0..32>;
1572 * CipherSuite cipher_suite;
1573 * uint8 legacy_compression_method = 0;
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1574 * Extension extensions<6..2^16-1>;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1575 * } ServerHello;
1576 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1577MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1578static int ssl_tls13_parse_server_hello(mbedtls_ssl_context *ssl,
1579 const unsigned char *buf,
1580 const unsigned char *end,
1581 int is_hrr)
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1582{
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1583 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1584 const unsigned char *p = buf;
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]1585 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1586 size_t extensions_len;
1587 const unsigned char *extensions_end;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1588 uint16_t cipher_suite;
Jerry Yude4fb2c2021-09-19 18:05:08 +0800[diff] [blame]1589 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
XiaokangQianb119a352022-01-26 03:29:10 +0000[diff] [blame]1590 int fatal_alert = 0;
Jerry Yu0c354a22022-08-29 15:25:36 +0800[diff] [blame]1591 uint32_t allowed_extensions_mask;
Jerry Yu50e00e32022-10-31 14:45:01 +0800[diff] [blame]1592 int hs_msg_type = is_hrr ? MBEDTLS_SSL_TLS1_3_HS_HELLO_RETRY_REQUEST :
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1593 MBEDTLS_SSL_HS_SERVER_HELLO;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1594
1595 /*
1596 * Check there is space for minimal fields
1597 *
1598 * - legacy_version ( 2 bytes)
Jerry Yue6d7e5c2021-10-26 10:44:32 +0800[diff] [blame]1599 * - random (MBEDTLS_SERVER_HELLO_RANDOM_LEN bytes)
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1600 * - legacy_session_id_echo ( 1 byte ), minimum size
1601 * - cipher_suite ( 2 bytes)
1602 * - legacy_compression_method ( 1 byte )
1603 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1604 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, MBEDTLS_SERVER_HELLO_RANDOM_LEN + 6);
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1605
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1606 MBEDTLS_SSL_DEBUG_BUF(4, "server hello", p, end - p);
1607 MBEDTLS_SSL_DEBUG_BUF(3, "server hello, version", p, 2);
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1608
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1609 /* ...
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1610 * ProtocolVersion legacy_version = 0x0303; // TLS 1.2
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1611 * ...
1612 * with ProtocolVersion defined as:
1613 * uint16 ProtocolVersion;
1614 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1615 if (mbedtls_ssl_read_version(p, ssl->conf->transport) !=
1616 MBEDTLS_SSL_VERSION_TLS1_2) {
1617 MBEDTLS_SSL_DEBUG_MSG(1, ("Unsupported version of TLS."));
1618 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION,
1619 MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION);
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1620 ret = MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION;
1621 goto cleanup;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1622 }
1623 p += 2;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1624
Jerry Yue6d7e5c2021-10-26 10:44:32 +0800[diff] [blame]1625 /* ...
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1626 * Random random;
1627 * ...
1628 * with Random defined as:
Jerry Yue6d7e5c2021-10-26 10:44:32 +0800[diff] [blame]1629 * opaque Random[MBEDTLS_SERVER_HELLO_RANDOM_LEN];
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1630 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1631 if (!is_hrr) {
1632 memcpy(&handshake->randbytes[MBEDTLS_CLIENT_HELLO_RANDOM_LEN], p,
1633 MBEDTLS_SERVER_HELLO_RANDOM_LEN);
1634 MBEDTLS_SSL_DEBUG_BUF(3, "server hello, random bytes",
1635 p, MBEDTLS_SERVER_HELLO_RANDOM_LEN);
XiaokangQian53f20b72022-01-18 10:47:33 +0000[diff] [blame]1636 }
Jerry Yue6d7e5c2021-10-26 10:44:32 +0800[diff] [blame]1637 p += MBEDTLS_SERVER_HELLO_RANDOM_LEN;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1638
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1639 /* ...
1640 * opaque legacy_session_id_echo<0..32>;
1641 * ...
1642 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1643 if (ssl_tls13_check_server_hello_session_id_echo(ssl, &p, end) != 0) {
XiaokangQian52da5582022-01-26 09:49:29 +0000[diff] [blame]1644 fatal_alert = MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER;
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1645 goto cleanup;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1646 }
1647
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1648 /* ...
1649 * CipherSuite cipher_suite;
1650 * ...
1651 * with CipherSuite defined as:
1652 * uint8 CipherSuite[2];
1653 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1654 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
1655 cipher_suite = MBEDTLS_GET_UINT16_BE(p, 0);
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1656 p += 2;
1657
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1658
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1659 ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(cipher_suite);
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1660 /*
Ronald Cronba120bb2022-03-30 22:09:48 +0200[diff] [blame]1661 * Check whether this ciphersuite is valid and offered.
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1662 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1663 if ((mbedtls_ssl_validate_ciphersuite(ssl, ciphersuite_info,
1664 ssl->tls_version,
1665 ssl->tls_version) != 0) ||
1666 !mbedtls_ssl_tls13_cipher_suite_is_offered(ssl, cipher_suite)) {
XiaokangQian52da5582022-01-26 09:49:29 +0000[diff] [blame]1667 fatal_alert = MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1668 }
XiaokangQian53f20b72022-01-18 10:47:33 +0000[diff] [blame]1669 /*
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]1670 * If we received an HRR before and that the proposed selected
1671 * ciphersuite in this server hello is not the same as the one
1672 * proposed in the HRR, we abort the handshake and send an
1673 * "illegal_parameter" alert.
XiaokangQian53f20b72022-01-18 10:47:33 +0000[diff] [blame]1674 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1675 else if ((!is_hrr) && (handshake->hello_retry_request_count > 0) &&
1676 (cipher_suite != ssl->session_negotiate->ciphersuite)) {
XiaokangQian52da5582022-01-26 09:49:29 +0000[diff] [blame]1677 fatal_alert = MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER;
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]1678 }
XiaokangQian53f20b72022-01-18 10:47:33 +0000[diff] [blame]1679
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1680 if (fatal_alert == MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER) {
1681 MBEDTLS_SSL_DEBUG_MSG(1, ("invalid ciphersuite(%04x) parameter",
1682 cipher_suite));
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1683 goto cleanup;
XiaokangQian53f20b72022-01-18 10:47:33 +0000[diff] [blame]1684 }
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1685
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1686 /* Configure ciphersuites */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1687 mbedtls_ssl_optimize_checksum(ssl, ciphersuite_info);
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1688
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]1689 handshake->ciphersuite_info = ciphersuite_info;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1690 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, chosen ciphersuite: ( %04x ) - %s",
1691 cipher_suite, ciphersuite_info->name));
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1692
1693#if defined(MBEDTLS_HAVE_TIME)
YxCda609132023-05-22 12:08:12 -0700[diff] [blame]1694 ssl->session_negotiate->start = mbedtls_time(NULL);
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1695#endif /* MBEDTLS_HAVE_TIME */
1696
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1697 /* ...
1698 * uint8 legacy_compression_method = 0;
1699 * ...
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1700 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1701 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 1);
1702 if (p[0] != MBEDTLS_SSL_COMPRESS_NULL) {
1703 MBEDTLS_SSL_DEBUG_MSG(1, ("bad legacy compression method"));
XiaokangQian52da5582022-01-26 09:49:29 +0000[diff] [blame]1704 fatal_alert = MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER;
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1705 goto cleanup;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1706 }
1707 p++;
1708
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1709 /* ...
1710 * Extension extensions<6..2^16-1>;
1711 * ...
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1712 * struct {
1713 * ExtensionType extension_type; (2 bytes)
1714 * opaque extension_data<0..2^16-1>;
1715 * } Extension;
1716 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1717 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
1718 extensions_len = MBEDTLS_GET_UINT16_BE(p, 0);
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1719 p += 2;
Jerry Yude4fb2c2021-09-19 18:05:08 +0800[diff] [blame]1720
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1721 /* Check extensions do not go beyond the buffer of data. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1722 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, extensions_len);
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1723 extensions_end = p + extensions_len;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1724
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1725 MBEDTLS_SSL_DEBUG_BUF(3, "server hello extensions", p, extensions_len);
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1726
Jerry Yu50e00e32022-10-31 14:45:01 +0800[diff] [blame]1727 handshake->received_extensions = MBEDTLS_SSL_EXT_MASK_NONE;
Jerry Yu0c354a22022-08-29 15:25:36 +0800[diff] [blame]1728 allowed_extensions_mask = is_hrr ?
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1729 MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_HRR :
1730 MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_SH;
Jerry Yu2c5363e2022-08-04 17:42:49 +0800[diff] [blame]1731
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1732 while (p < extensions_end) {
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1733 unsigned int extension_type;
1734 size_t extension_data_len;
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]1735 const unsigned char *extension_data_end;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1736
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1737 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, extensions_end, 4);
1738 extension_type = MBEDTLS_GET_UINT16_BE(p, 0);
1739 extension_data_len = MBEDTLS_GET_UINT16_BE(p, 2);
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1740 p += 4;
1741
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1742 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, extensions_end, extension_data_len);
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]1743 extension_data_end = p + extension_data_len;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1744
Jerry Yuc4bf5d62022-10-29 09:08:47 +0800[diff] [blame]1745 ret = mbedtls_ssl_tls13_check_received_extension(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1746 ssl, hs_msg_type, extension_type, allowed_extensions_mask);
1747 if (ret != 0) {
1748 return ret;
1749 }
Jerry Yu2c5363e2022-08-04 17:42:49 +0800[diff] [blame]1750
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1751 switch (extension_type) {
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]1752 case MBEDTLS_TLS_EXT_COOKIE:
1753
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1754 ret = ssl_tls13_parse_cookie_ext(ssl,
1755 p, extension_data_end);
1756 if (ret != 0) {
1757 MBEDTLS_SSL_DEBUG_RET(1,
1758 "ssl_tls13_parse_cookie_ext",
1759 ret);
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1760 goto cleanup;
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]1761 }
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]1762 break;
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]1763
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1764 case MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1765 ret = ssl_tls13_parse_supported_versions_ext(ssl,
1766 p,
1767 extension_data_end);
1768 if (ret != 0) {
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1769 goto cleanup;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1770 }
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1771 break;
1772
Ronald Cron41a443a2022-10-04 16:38:25 +0200[diff] [blame]1773#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1774 case MBEDTLS_TLS_EXT_PRE_SHARED_KEY:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1775 MBEDTLS_SSL_DEBUG_MSG(3, ("found pre_shared_key extension"));
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1776
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1777 if ((ret = ssl_tls13_parse_server_pre_shared_key_ext(
1778 ssl, p, extension_data_end)) != 0) {
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]1779 MBEDTLS_SSL_DEBUG_RET(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1780 1, ("ssl_tls13_parse_server_pre_shared_key_ext"), ret);
1781 return ret;
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]1782 }
1783 break;
Ronald Cron41a443a2022-10-04 16:38:25 +0200[diff] [blame]1784#endif
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1785
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1786 case MBEDTLS_TLS_EXT_KEY_SHARE:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1787 MBEDTLS_SSL_DEBUG_MSG(3, ("found key_shares extension"));
Pengyu Lv0a1ff2b2023-11-14 11:03:32 +0800[diff] [blame]1788 if (!mbedtls_ssl_conf_tls13_is_some_ephemeral_enabled(ssl)) {
XiaokangQian52da5582022-01-26 09:49:29 +0000[diff] [blame]1789 fatal_alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT;
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1790 goto cleanup;
1791 }
1792
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1793 if (is_hrr) {
1794 ret = ssl_tls13_parse_hrr_key_share_ext(ssl,
1795 p, extension_data_end);
1796 } else {
1797 ret = ssl_tls13_parse_key_share_ext(ssl,
1798 p, extension_data_end);
1799 }
1800 if (ret != 0) {
1801 MBEDTLS_SSL_DEBUG_RET(1,
1802 "ssl_tls13_parse_key_share_ext",
1803 ret);
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1804 goto cleanup;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1805 }
1806 break;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1807
1808 default:
Jerry Yu9872eb22022-08-29 13:42:01 +0800[diff] [blame]1809 ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
1810 goto cleanup;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1811 }
1812
1813 p += extension_data_len;
1814 }
1815
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1816 MBEDTLS_SSL_PRINT_EXTS(3, hs_msg_type, handshake->received_extensions);
Jerry Yu2c5363e2022-08-04 17:42:49 +0800[diff] [blame]1817
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1818cleanup:
1819
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1820 if (fatal_alert == MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT) {
1821 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT,
1822 MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION);
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1823 ret = MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1824 } else if (fatal_alert == MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER) {
1825 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
1826 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1827 ret = MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
1828 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1829 return ret;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1830}
1831
Xiaokang Qiancb6e9632022-09-26 11:59:32 +0000[diff] [blame]1832#if defined(MBEDTLS_DEBUG_C)
1833static const char *ssl_tls13_get_kex_mode_str(int mode)
Xiaokang Qian5beec4b2022-09-26 08:23:45 +0000[diff] [blame]1834{
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1835 switch (mode) {
Xiaokang Qian5beec4b2022-09-26 08:23:45 +0000[diff] [blame]1836 case MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK:
1837 return "psk";
1838 case MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL:
1839 return "ephemeral";
1840 case MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL:
1841 return "psk_ephemeral";
1842 default:
1843 return "unknown mode";
1844 }
1845}
Xiaokang Qiancb6e9632022-09-26 11:59:32 +0000[diff] [blame]1846#endif /* MBEDTLS_DEBUG_C */
Xiaokang Qian5beec4b2022-09-26 08:23:45 +0000[diff] [blame]1847
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1848MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1849static int ssl_tls13_postprocess_server_hello(mbedtls_ssl_context *ssl)
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1850{
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1851 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1852 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
Jerry Yu0b177842021-09-05 19:41:30 +0800[diff] [blame]1853
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1854 /* Determine the key exchange mode:
1855 * 1) If both the pre_shared_key and key_share extensions were received
1856 * then the key exchange mode is PSK with EPHEMERAL.
1857 * 2) If only the pre_shared_key extension was received then the key
1858 * exchange mode is PSK-only.
1859 * 3) If only the key_share extension was received then the key
1860 * exchange mode is EPHEMERAL-only.
Jerry Yu0b177842021-09-05 19:41:30 +0800[diff] [blame]1861 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1862 switch (handshake->received_extensions &
Xiaokang Qian958b6ff2023-03-29 10:37:35 +0000[diff] [blame]1863 (MBEDTLS_SSL_EXT_MASK(PRE_SHARED_KEY) |
1864 MBEDTLS_SSL_EXT_MASK(KEY_SHARE))) {
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1865 /* Only the pre_shared_key extension was received */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1866 case MBEDTLS_SSL_EXT_MASK(PRE_SHARED_KEY):
Xiaokang Qian958b6ff2023-03-29 10:37:35 +0000[diff] [blame]1867 handshake->key_exchange_mode =
1868 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK;
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1869 break;
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1870
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1871 /* Only the key_share extension was received */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1872 case MBEDTLS_SSL_EXT_MASK(KEY_SHARE):
Xiaokang Qian958b6ff2023-03-29 10:37:35 +0000[diff] [blame]1873 handshake->key_exchange_mode =
1874 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL;
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1875 break;
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1876
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1877 /* Both the pre_shared_key and key_share extensions were received */
Xiaokang Qian958b6ff2023-03-29 10:37:35 +0000[diff] [blame]1878 case (MBEDTLS_SSL_EXT_MASK(PRE_SHARED_KEY) |
1879 MBEDTLS_SSL_EXT_MASK(KEY_SHARE)):
1880 handshake->key_exchange_mode =
1881 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL;
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1882 break;
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1883
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1884 /* Neither pre_shared_key nor key_share extension was received */
1885 default:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1886 MBEDTLS_SSL_DEBUG_MSG(1, ("Unknown key exchange."));
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1887 ret = MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
1888 goto cleanup;
Jerry Yu0b177842021-09-05 19:41:30 +0800[diff] [blame]1889 }
1890
Pengyu Lvfc2cb962023-11-10 10:22:36 +0800[diff] [blame]1891 if (!mbedtls_ssl_conf_tls13_is_kex_mode_enabled(
Xiaokang Qian0de0d862023-02-08 06:04:50 +0000[diff] [blame]1892 ssl, handshake->key_exchange_mode)) {
Xiaokang Qianac8195f2022-09-26 04:01:06 +0000[diff] [blame]1893 ret = MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Xiaokang Qian958b6ff2023-03-29 10:37:35 +0000[diff] [blame]1894 MBEDTLS_SSL_DEBUG_MSG(
1895 2, ("Key exchange mode(%s) is not supported.",
1896 ssl_tls13_get_kex_mode_str(handshake->key_exchange_mode)));
Xiaokang Qianac8195f2022-09-26 04:01:06 +0000[diff] [blame]1897 goto cleanup;
1898 }
1899
Xiaokang Qian958b6ff2023-03-29 10:37:35 +0000[diff] [blame]1900 MBEDTLS_SSL_DEBUG_MSG(
1901 3, ("Selected key exchange mode: %s",
1902 ssl_tls13_get_kex_mode_str(handshake->key_exchange_mode)));
Xiaokang Qian5beec4b2022-09-26 08:23:45 +0000[diff] [blame]1903
Xiaokang Qian7892b6c2023-02-02 06:05:48 +0000[diff] [blame]1904 /* Start the TLS 1.3 key scheduling if not already done.
Jerry Yu0b177842021-09-05 19:41:30 +0800[diff] [blame]1905 *
Xiaokang Qian7892b6c2023-02-02 06:05:48 +0000[diff] [blame]1906 * If we proposed early data then we have already derived an
1907 * early secret using the selected PSK and its associated hash.
1908 * It means that if the negotiated key exchange mode is psk or
1909 * psk_ephemeral, we have already correctly computed the
1910 * early secret and thus we do not do it again. In all other
1911 * cases we compute it here.
Xiaokang Qian303f82c52023-01-04 08:43:46 +0000[diff] [blame]1912 */
Xiaokang Qian90746132023-01-06 05:54:59 +0000[diff] [blame]1913#if defined(MBEDTLS_SSL_EARLY_DATA)
Xiaokang Qiane04afdc2023-02-07 02:19:42 +0000[diff] [blame]1914 if (ssl->early_data_status == MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT ||
1915 handshake->key_exchange_mode ==
1916 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL)
Xiaokang Qian90746132023-01-06 05:54:59 +0000[diff] [blame]1917#endif
1918 {
Xiaokang Qian303f82c52023-01-04 08:43:46 +0000[diff] [blame]1919 ret = mbedtls_ssl_tls13_key_schedule_stage_early(ssl);
1920 if (ret != 0) {
1921 MBEDTLS_SSL_DEBUG_RET(
1922 1, "mbedtls_ssl_tls13_key_schedule_stage_early", ret);
1923 goto cleanup;
1924 }
Jerry Yu0b177842021-09-05 19:41:30 +0800[diff] [blame]1925 }
1926
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1927 ret = mbedtls_ssl_tls13_compute_handshake_transform(ssl);
1928 if (ret != 0) {
1929 MBEDTLS_SSL_DEBUG_RET(1,
1930 "mbedtls_ssl_tls13_compute_handshake_transform",
1931 ret);
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1932 goto cleanup;
Jerry Yu0b177842021-09-05 19:41:30 +0800[diff] [blame]1933 }
1934
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1935 mbedtls_ssl_set_inbound_transform(ssl, handshake->transform_handshake);
1936 MBEDTLS_SSL_DEBUG_MSG(1, ("Switch to handshake keys for inbound traffic"));
Jerry Yu0b177842021-09-05 19:41:30 +0800[diff] [blame]1937 ssl->session_in = ssl->session_negotiate;
1938
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1939cleanup:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1940 if (ret != 0) {
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1941 MBEDTLS_SSL_PEND_FATAL_ALERT(
1942 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1943 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE);
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1944 }
Jerry Yue110d252022-05-05 10:19:22 +0800[diff] [blame]1945
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1946 return ret;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1947}
1948
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1949MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1950static int ssl_tls13_postprocess_hrr(mbedtls_ssl_context *ssl)
XiaokangQian647719a2021-12-07 09:16:29 +0000[diff] [blame]1951{
1952 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1953
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1954 mbedtls_ssl_session_reset_msg_layer(ssl, 0);
XiaokangQian647719a2021-12-07 09:16:29 +0000[diff] [blame]1955
XiaokangQian78b1fa72022-01-19 06:56:30 +0000[diff] [blame]1956 /*
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]1957 * We are going to re-generate a shared secret corresponding to the group
1958 * selected by the server, which is different from the group for which we
1959 * generated a shared secret in the first client hello.
1960 * Thus, reset the shared secret.
XiaokangQian51eff222021-12-10 10:33:56 +0000[diff] [blame]1961 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1962 ret = ssl_tls13_reset_key_share(ssl);
1963 if (ret != 0) {
1964 return ret;
1965 }
XiaokangQian647719a2021-12-07 09:16:29 +0000[diff] [blame]1966
Xiaokang Qian4ef8ba22023-02-06 11:06:16 +0000[diff] [blame]1967 ssl->session_negotiate->ciphersuite = ssl->handshake->ciphersuite_info->id;
Ronald Cron90e22332024-01-22 15:24:21 +0100[diff] [blame]1968
1969#if defined(MBEDTLS_SSL_EARLY_DATA)
1970 if (ssl->early_data_status != MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT) {
1971 ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED;
1972 }
1973#endif
1974
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1975 return 0;
XiaokangQian647719a2021-12-07 09:16:29 +0000[diff] [blame]1976}
1977
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1978/*
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1979 * Wait and parse ServerHello handshake message.
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]1980 * Handler for MBEDTLS_SSL_SERVER_HELLO
1981 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1982MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1983static int ssl_tls13_process_server_hello(mbedtls_ssl_context *ssl)
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]1984{
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1985 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
XiaokangQian647719a2021-12-07 09:16:29 +0000[diff] [blame]1986 unsigned char *buf = NULL;
1987 size_t buf_len = 0;
XiaokangQian78b1fa72022-01-19 06:56:30 +0000[diff] [blame]1988 int is_hrr = 0;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1989
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1990 MBEDTLS_SSL_DEBUG_MSG(2, ("=> %s", __func__));
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1991
Xiaokang Qian958b6ff2023-03-29 10:37:35 +0000[diff] [blame]1992 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_tls13_fetch_handshake_msg(
1993 ssl, MBEDTLS_SSL_HS_SERVER_HELLO, &buf, &buf_len));
Ronald Crondb5dfa12022-05-31 11:44:38 +0200[diff] [blame]1994
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1995 ret = ssl_tls13_preprocess_server_hello(ssl, buf, buf + buf_len);
1996 if (ret < 0) {
XiaokangQian16acd4b2022-01-14 07:35:47 +0000[diff] [blame]1997 goto cleanup;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1998 } else {
1999 is_hrr = (ret == SSL_SERVER_HELLO_HRR);
2000 }
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]2001
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2002 if (ret == SSL_SERVER_HELLO_TLS1_2) {
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]2003 ret = 0;
2004 goto cleanup;
2005 }
2006
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2007 MBEDTLS_SSL_PROC_CHK(ssl_tls13_parse_server_hello(ssl, buf,
2008 buf + buf_len,
2009 is_hrr));
2010 if (is_hrr) {
2011 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_reset_transcript_for_hrr(ssl));
Ronald Cronfb508b82022-05-31 14:49:55 +0200[diff] [blame]2012 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2013
Xiaokang Qian958b6ff2023-03-29 10:37:35 +0000[diff] [blame]2014 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(
2015 ssl, MBEDTLS_SSL_HS_SERVER_HELLO, buf, buf_len));
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2016
2017 if (is_hrr) {
2018 MBEDTLS_SSL_PROC_CHK(ssl_tls13_postprocess_hrr(ssl));
2019#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
2020 /* If not offering early data, the client sends a dummy CCS record
2021 * immediately before its second flight. This may either be before
2022 * its second ClientHello or before its encrypted handshake flight.
2023 */
Xiaokang Qian958b6ff2023-03-29 10:37:35 +0000[diff] [blame]2024 mbedtls_ssl_handshake_set_state(
2025 ssl, MBEDTLS_SSL_CLIENT_CCS_BEFORE_2ND_CLIENT_HELLO);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2026#else
2027 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_HELLO);
2028#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
2029 } else {
2030 MBEDTLS_SSL_PROC_CHK(ssl_tls13_postprocess_server_hello(ssl));
2031 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_ENCRYPTED_EXTENSIONS);
Ronald Cronfb508b82022-05-31 14:49:55 +0200[diff] [blame]2032 }
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]2033
2034cleanup:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2035 MBEDTLS_SSL_DEBUG_MSG(2, ("<= %s ( %s )", __func__,
2036 is_hrr ? "HelloRetryRequest" : "ServerHello"));
2037 return ret;
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2038}
2039
2040/*
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]2041 *
Ronald Cron9d6a5452022-05-30 16:05:38 +0200[diff] [blame]2042 * Handler for MBEDTLS_SSL_ENCRYPTED_EXTENSIONS
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]2043 *
2044 * The EncryptedExtensions message contains any extensions which
2045 * should be protected, i.e., any which are not needed to establish
2046 * the cryptographic context.
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2047 */
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]2048
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]2049/* Parse EncryptedExtensions message
2050 * struct {
XiaokangQian97799ac2021-10-11 10:05:54 +0000[diff] [blame]2051 * Extension extensions<0..2^16-1>;
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]2052 * } EncryptedExtensions;
2053 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2054MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2055static int ssl_tls13_parse_encrypted_extensions(mbedtls_ssl_context *ssl,
2056 const unsigned char *buf,
2057 const unsigned char *end)
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]2058{
2059 int ret = 0;
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]2060 size_t extensions_len;
XiaokangQian140f0452021-10-08 08:05:53 +0000[diff] [blame]2061 const unsigned char *p = buf;
XiaokangQian8db25ff2021-10-13 05:56:18 +0000[diff] [blame]2062 const unsigned char *extensions_end;
Jerry Yuc4bf5d62022-10-29 09:08:47 +0800[diff] [blame]2063 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]2064
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2065 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
2066 extensions_len = MBEDTLS_GET_UINT16_BE(p, 0);
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]2067 p += 2;
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]2068
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2069 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, extensions_len);
Ronald Cronc8083592022-05-31 16:24:05 +0200[diff] [blame]2070 extensions_end = p + extensions_len;
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]2071
Jan Bruckner5a3629b2023-02-23 12:08:09 +0100[diff] [blame]2072 MBEDTLS_SSL_DEBUG_BUF(3, "encrypted extensions", p, extensions_len);
2073
Jerry Yu9eba7502022-10-31 13:46:16 +0800[diff] [blame]2074 handshake->received_extensions = MBEDTLS_SSL_EXT_MASK_NONE;
Jerry Yucbd082f2022-08-04 16:55:10 +0800[diff] [blame]2075
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2076 while (p < extensions_end) {
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]2077 unsigned int extension_type;
2078 size_t extension_data_len;
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]2079
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]2080 /*
2081 * struct {
XiaokangQian97799ac2021-10-11 10:05:54 +0000[diff] [blame]2082 * ExtensionType extension_type; (2 bytes)
2083 * opaque extension_data<0..2^16-1>;
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]2084 * } Extension;
2085 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2086 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, extensions_end, 4);
2087 extension_type = MBEDTLS_GET_UINT16_BE(p, 0);
2088 extension_data_len = MBEDTLS_GET_UINT16_BE(p, 2);
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]2089 p += 4;
2090
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2091 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, extensions_end, extension_data_len);
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]2092
Jerry Yuc4bf5d62022-10-29 09:08:47 +0800[diff] [blame]2093 ret = mbedtls_ssl_tls13_check_received_extension(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2094 ssl, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS, extension_type,
2095 MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_EE);
2096 if (ret != 0) {
2097 return ret;
2098 }
Jerry Yucbd082f2022-08-04 16:55:10 +0800[diff] [blame]2099
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2100 switch (extension_type) {
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]2101#if defined(MBEDTLS_SSL_ALPN)
2102 case MBEDTLS_TLS_EXT_ALPN:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2103 MBEDTLS_SSL_DEBUG_MSG(3, ("found alpn extension"));
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]2104
Xiaokang Qian958b6ff2023-03-29 10:37:35 +0000[diff] [blame]2105 if ((ret = ssl_tls13_parse_alpn_ext(
2106 ssl, p, (size_t) extension_data_len)) != 0) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2107 return ret;
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]2108 }
2109
2110 break;
2111#endif /* MBEDTLS_SSL_ALPN */
Xiaokang Qian8bee8992022-10-27 10:21:05 +0000[diff] [blame]2112
2113#if defined(MBEDTLS_SSL_EARLY_DATA)
2114 case MBEDTLS_TLS_EXT_EARLY_DATA:
Xiaokang Qianca09afc2022-11-22 10:05:19 +0000[diff] [blame]2115
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2116 if (extension_data_len != 0) {
Xiaokang Qianca09afc2022-11-22 10:05:19 +0000[diff] [blame]2117 /* The message must be empty. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2118 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
2119 MBEDTLS_ERR_SSL_DECODE_ERROR);
2120 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Xiaokang Qianca09afc2022-11-22 10:05:19 +0000[diff] [blame]2121 }
2122
Xiaokang Qian8bee8992022-10-27 10:21:05 +0000[diff] [blame]2123 break;
2124#endif /* MBEDTLS_SSL_EARLY_DATA */
2125
Jan Bruckner151f6422023-02-10 12:45:19 +0100[diff] [blame]2126#if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
2127 case MBEDTLS_TLS_EXT_RECORD_SIZE_LIMIT:
2128 MBEDTLS_SSL_DEBUG_MSG(3, ("found record_size_limit extension"));
2129
Xiaokang Qian958b6ff2023-03-29 10:37:35 +0000[diff] [blame]2130 ret = mbedtls_ssl_tls13_parse_record_size_limit_ext(
2131 ssl, p, p + extension_data_len);
Jan Brucknerf482dcc2023-03-15 09:09:06 +0100[diff] [blame]2132 if (ret != 0) {
2133 MBEDTLS_SSL_DEBUG_RET(
2134 1, ("mbedtls_ssl_tls13_parse_record_size_limit_ext"), ret);
2135 return ret;
2136 }
Jan Bruckner151f6422023-02-10 12:45:19 +0100[diff] [blame]2137 break;
2138#endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */
2139
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]2140 default:
Jerry Yu79aa7212022-11-08 21:30:21 +0800[diff] [blame]2141 MBEDTLS_SSL_PRINT_EXT(
Jerry Yu9eba7502022-10-31 13:46:16 +0800[diff] [blame]2142 3, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2143 extension_type, "( ignored )");
Jerry Yucbd082f2022-08-04 16:55:10 +0800[diff] [blame]2144 break;
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]2145 }
2146
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]2147 p += extension_data_len;
XiaokangQian97799ac2021-10-11 10:05:54 +0000[diff] [blame]2148 }
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]2149
Waleed Elmelegy049cd302023-12-20 17:28:31 +0000[diff] [blame]2150 if ((handshake->received_extensions & MBEDTLS_SSL_EXT_MASK(RECORD_SIZE_LIMIT)) &&
2151 (handshake->received_extensions & MBEDTLS_SSL_EXT_MASK(MAX_FRAGMENT_LENGTH))) {
Waleed Elmelegy6a971fd2023-12-28 17:48:16 +0000[diff] [blame]2152 MBEDTLS_SSL_DEBUG_MSG(3,
2153 (
2154 "Record size limit extension cannot be used with max fragment length extension"));
Waleed Elmelegy049cd302023-12-20 17:28:31 +0000[diff] [blame]2155 MBEDTLS_SSL_PEND_FATAL_ALERT(
2156 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
2157 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
2158 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
2159 }
2160
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2161 MBEDTLS_SSL_PRINT_EXTS(3, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS,
2162 handshake->received_extensions);
Jerry Yucbd082f2022-08-04 16:55:10 +0800[diff] [blame]2163
XiaokangQian97799ac2021-10-11 10:05:54 +0000[diff] [blame]2164 /* Check that we consumed all the message. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2165 if (p != end) {
2166 MBEDTLS_SSL_DEBUG_MSG(1, ("EncryptedExtension lengths misaligned"));
2167 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
2168 MBEDTLS_ERR_SSL_DECODE_ERROR);
2169 return MBEDTLS_ERR_SSL_DECODE_ERROR;
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]2170 }
2171
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2172 return ret;
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]2173}
2174
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2175MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2176static int ssl_tls13_process_encrypted_extensions(mbedtls_ssl_context *ssl)
Ronald Cron9d6a5452022-05-30 16:05:38 +0200[diff] [blame]2177{
2178 int ret;
2179 unsigned char *buf;
2180 size_t buf_len;
Jerry Yu960b7eb2023-10-31 16:40:01 +0800[diff] [blame]2181 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
Ronald Cron9d6a5452022-05-30 16:05:38 +0200[diff] [blame]2182
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2183 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse encrypted extensions"));
Ronald Cron9d6a5452022-05-30 16:05:38 +0200[diff] [blame]2184
Xiaokang Qian958b6ff2023-03-29 10:37:35 +0000[diff] [blame]2185 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_tls13_fetch_handshake_msg(
2186 ssl, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS,
2187 &buf, &buf_len));
Ronald Cron9d6a5452022-05-30 16:05:38 +0200[diff] [blame]2188
2189 /* Process the message contents */
2190 MBEDTLS_SSL_PROC_CHK(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2191 ssl_tls13_parse_encrypted_extensions(ssl, buf, buf + buf_len));
Ronald Cron9d6a5452022-05-30 16:05:38 +0200[diff] [blame]2192
Xiaokang Qianb157e912022-11-23 08:12:26 +0000[diff] [blame]2193#if defined(MBEDTLS_SSL_EARLY_DATA)
Jerry Yu960b7eb2023-10-31 16:40:01 +0800[diff] [blame]2194 if (handshake->received_extensions & MBEDTLS_SSL_EXT_MASK(EARLY_DATA)) {
2195 /* RFC8446 4.2.11
2196 * If the server supplies an "early_data" extension, the
2197 * client MUST verify that the server's selected_identity
2198 * is 0. If any other value is returned, the client MUST
2199 * abort the handshake with an "illegal_parameter" alert.
2200 *
2201 * RFC 8446 4.2.10
2202 * In order to accept early data, the server MUST have accepted a PSK
2203 * cipher suite and selected the first key offered in the client's
2204 * "pre_shared_key" extension. In addition, it MUST verify that the
2205 * following values are the same as those associated with the
2206 * selected PSK:
2207 * - The TLS version number
2208 * - The selected cipher suite
2209 * - The selected ALPN [RFC7301] protocol, if any
2210 *
Yanray Wang03a00762023-12-01 17:40:19 +0800[diff] [blame]2211 * The server has sent an early data extension in its Encrypted
2212 * Extension message thus accepted to receive early data. We
2213 * check here that the additional constraints on the handshake
2214 * parameters, when early data are exchanged, are met,
2215 * namely:
Yanray Wang744577a2023-12-01 22:33:59 +0800[diff] [blame]2216 * - a PSK has been selected for the handshake
Yanray Wang03a00762023-12-01 17:40:19 +0800[diff] [blame]2217 * - the selected PSK for the handshake was the first one proposed
2218 * by the client.
2219 * - the selected ciphersuite for the handshake is the ciphersuite
2220 * associated with the selected PSK.
Jerry Yu960b7eb2023-10-31 16:40:01 +0800[diff] [blame]2221 */
Yanray Wang744577a2023-12-01 22:33:59 +0800[diff] [blame]2222 if ((!mbedtls_ssl_tls13_key_exchange_mode_with_psk(ssl)) ||
2223 handshake->selected_identity != 0 ||
Jerry Yu960b7eb2023-10-31 16:40:01 +0800[diff] [blame]2224 handshake->ciphersuite_info->id !=
2225 ssl->session_negotiate->ciphersuite) {
2226
2227 MBEDTLS_SSL_PEND_FATAL_ALERT(
2228 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
2229 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
2230 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
2231 }
2232
Xiaokang Qianb157e912022-11-23 08:12:26 +0000[diff] [blame]2233 ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED;
Ronald Cron90e22332024-01-22 15:24:21 +0100[diff] [blame]2234 } else if (ssl->early_data_status != MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT) {
2235 ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED;
Xiaokang Qianb157e912022-11-23 08:12:26 +0000[diff] [blame]2236 }
2237#endif
2238
Yanray Wanga29db7d2023-11-30 14:06:14 +0800[diff] [blame]2239 /*
Yanray Wang9ae65342023-12-01 17:46:06 +0800[diff] [blame]2240 * In case the client has proposed a PSK associated with a ticket,
2241 * `ssl->session_negotiate->ciphersuite` still contains at this point the
2242 * identifier of the ciphersuite associated with the ticket. This is that
2243 * way because, if an exchange of early data is agreed upon, we need
2244 * it to check that the ciphersuite selected for the handshake is the
2245 * ticket ciphersuite (see above). This information is not needed
2246 * anymore thus we can now set it to the identifier of the ciphersuite
2247 * used in this session under negotiation.
Yanray Wanga29db7d2023-11-30 14:06:14 +0800[diff] [blame]2248 */
2249 ssl->session_negotiate->ciphersuite = handshake->ciphersuite_info->id;
2250
Xiaokang Qian958b6ff2023-03-29 10:37:35 +0000[diff] [blame]2251 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(
2252 ssl, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS,
2253 buf, buf_len));
Ronald Cron9d6a5452022-05-30 16:05:38 +0200[diff] [blame]2254
Ronald Cron928cbd32022-10-04 16:14:26 +0200[diff] [blame]2255#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2256 if (mbedtls_ssl_tls13_key_exchange_mode_with_psk(ssl)) {
2257 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_FINISHED);
2258 } else {
2259 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CERTIFICATE_REQUEST);
2260 }
Ronald Cronfb508b82022-05-31 14:49:55 +0200[diff] [blame]2261#else
2262 ((void) ssl);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2263 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_FINISHED);
Ronald Cronfb508b82022-05-31 14:49:55 +0200[diff] [blame]2264#endif
Ronald Cron9d6a5452022-05-30 16:05:38 +0200[diff] [blame]2265
2266cleanup:
2267
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2268 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse encrypted extensions"));
2269 return ret;
Ronald Cron9d6a5452022-05-30 16:05:38 +0200[diff] [blame]2270
2271}
2272
Xiaokang Qian125afcb2022-10-28 06:04:06 +0000[diff] [blame]2273/*
2274 * Handler for MBEDTLS_SSL_END_OF_EARLY_DATA
2275 *
Xiaokang Qianc81a15a2022-12-19 02:43:33 +0000[diff] [blame]2276 * RFC 8446 section 4.5
Xiaokang Qian125afcb2022-10-28 06:04:06 +0000[diff] [blame]2277 *
Xiaokang Qian125afcb2022-10-28 06:04:06 +0000[diff] [blame]2278 * struct {} EndOfEarlyData;
Xiaokang Qianc81a15a2022-12-19 02:43:33 +0000[diff] [blame]2279 *
2280 * If the server sent an "early_data" extension in EncryptedExtensions, the
2281 * client MUST send an EndOfEarlyData message after receiving the server
2282 * Finished. Otherwise, the client MUST NOT send an EndOfEarlyData message.
Xiaokang Qian125afcb2022-10-28 06:04:06 +0000[diff] [blame]2283 */
2284
Xiaokang Qian125afcb2022-10-28 06:04:06 +0000[diff] [blame]2285MBEDTLS_CHECK_RETURN_CRITICAL
Xiaokang Qian125afcb2022-10-28 06:04:06 +0000[diff] [blame]2286static int ssl_tls13_write_end_of_early_data(mbedtls_ssl_context *ssl)
2287{
2288 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Xiaokang Qian742578c2022-12-19 06:34:44 +0000[diff] [blame]2289 unsigned char *buf = NULL;
2290 size_t buf_len;
Xiaokang Qian57a138d2022-12-19 06:40:47 +0000[diff] [blame]2291 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write EndOfEarlyData"));
Xiaokang Qian125afcb2022-10-28 06:04:06 +0000[diff] [blame]2292
Xiaokang Qian742578c2022-12-19 06:34:44 +0000[diff] [blame]2293 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_start_handshake_msg(
Xiaokang Qian0de0d862023-02-08 06:04:50 +0000[diff] [blame]2294 ssl, MBEDTLS_SSL_HS_END_OF_EARLY_DATA,
2295 &buf, &buf_len));
Xiaokang Qian125afcb2022-10-28 06:04:06 +0000[diff] [blame]2296
Manuel Pégourié-Gonnard63e33dd2023-02-21 15:45:15 +0100[diff] [blame]2297 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_hdr_to_checksum(
2298 ssl, MBEDTLS_SSL_HS_END_OF_EARLY_DATA, 0));
Xiaokang Qian125afcb2022-10-28 06:04:06 +0000[diff] [blame]2299
Xiaokang Qian742578c2022-12-19 06:34:44 +0000[diff] [blame]2300 MBEDTLS_SSL_PROC_CHK(
2301 mbedtls_ssl_finish_handshake_msg(ssl, buf_len, 0));
Xiaokang Qianda8402d2022-12-15 14:55:35 +0000[diff] [blame]2302
Xiaokang Qian19d44162023-01-03 03:39:50 +0000[diff] [blame]2303 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE);
Xiaokang Qian125afcb2022-10-28 06:04:06 +0000[diff] [blame]2304
2305cleanup:
2306
2307 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write EndOfEarlyData"));
2308 return ret;
2309}
2310
Ronald Cron928cbd32022-10-04 16:14:26 +0200[diff] [blame]2311#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2312/*
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2313 * STATE HANDLING: CertificateRequest
2314 *
Jerry Yud2674312021-10-29 10:08:19 +0800[diff] [blame]2315 */
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]2316#define SSL_CERTIFICATE_REQUEST_EXPECT_REQUEST 0
2317#define SSL_CERTIFICATE_REQUEST_SKIP 1
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2318/* Coordination:
2319 * Deals with the ambiguity of not knowing if a CertificateRequest
2320 * will be sent. Returns a negative code on failure, or
2321 * - SSL_CERTIFICATE_REQUEST_EXPECT_REQUEST
2322 * - SSL_CERTIFICATE_REQUEST_SKIP
2323 * indicating if a Certificate Request is expected or not.
2324 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2325MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2326static int ssl_tls13_certificate_request_coordinate(mbedtls_ssl_context *ssl)
Jerry Yud2674312021-10-29 10:08:19 +0800[diff] [blame]2327{
Xiaofei Baide3f13e2022-01-18 05:47:05 +0000[diff] [blame]2328 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yud2674312021-10-29 10:08:19 +0800[diff] [blame]2329
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2330 if ((ret = mbedtls_ssl_read_record(ssl, 0)) != 0) {
2331 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);
2332 return ret;
Jerry Yud2674312021-10-29 10:08:19 +0800[diff] [blame]2333 }
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2334 ssl->keep_current_message = 1;
Jerry Yud2674312021-10-29 10:08:19 +0800[diff] [blame]2335
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2336 if ((ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE) &&
2337 (ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE_REQUEST)) {
2338 MBEDTLS_SSL_DEBUG_MSG(3, ("got a certificate request"));
2339 return SSL_CERTIFICATE_REQUEST_EXPECT_REQUEST;
Jerry Yud2674312021-10-29 10:08:19 +0800[diff] [blame]2340 }
2341
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2342 MBEDTLS_SSL_DEBUG_MSG(3, ("got no certificate request"));
Ronald Cron19385882022-06-15 16:26:13 +0200[diff] [blame]2343
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2344 return SSL_CERTIFICATE_REQUEST_SKIP;
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2345}
2346
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2347/*
2348 * ssl_tls13_parse_certificate_request()
2349 * Parse certificate request
2350 * struct {
2351 * opaque certificate_request_context<0..2^8-1>;
2352 * Extension extensions<2..2^16-1>;
2353 * } CertificateRequest;
2354 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2355MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2356static int ssl_tls13_parse_certificate_request(mbedtls_ssl_context *ssl,
2357 const unsigned char *buf,
2358 const unsigned char *end)
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2359{
2360 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2361 const unsigned char *p = buf;
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2362 size_t certificate_request_context_len = 0;
Xiaofei Bai82f0a9a2022-01-26 09:21:54 +0000[diff] [blame]2363 size_t extensions_len = 0;
2364 const unsigned char *extensions_end;
Jerry Yuc4bf5d62022-10-29 09:08:47 +0800[diff] [blame]2365 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2366
Xiaofei Bai82f0a9a2022-01-26 09:21:54 +0000[diff] [blame]2367 /* ...
2368 * opaque certificate_request_context<0..2^8-1>
2369 * ...
2370 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2371 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 1);
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2372 certificate_request_context_len = (size_t) p[0];
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]2373 p += 1;
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2374
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2375 if (certificate_request_context_len > 0) {
2376 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, certificate_request_context_len);
2377 MBEDTLS_SSL_DEBUG_BUF(3, "Certificate Request Context",
2378 p, certificate_request_context_len);
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2379
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]2380 handshake->certificate_request_context =
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2381 mbedtls_calloc(1, certificate_request_context_len);
2382 if (handshake->certificate_request_context == NULL) {
2383 MBEDTLS_SSL_DEBUG_MSG(1, ("buffer too small"));
2384 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2385 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2386 memcpy(handshake->certificate_request_context, p,
2387 certificate_request_context_len);
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2388 p += certificate_request_context_len;
2389 }
2390
Xiaofei Bai82f0a9a2022-01-26 09:21:54 +0000[diff] [blame]2391 /* ...
2392 * Extension extensions<2..2^16-1>;
2393 * ...
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2394 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2395 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
2396 extensions_len = MBEDTLS_GET_UINT16_BE(p, 0);
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2397 p += 2;
2398
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2399 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, extensions_len);
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2400 extensions_end = p + extensions_len;
2401
Jerry Yu6d0e78b2022-10-31 14:13:25 +0800[diff] [blame]2402 handshake->received_extensions = MBEDTLS_SSL_EXT_MASK_NONE;
Jerry Yuc55a6af2022-08-04 17:01:21 +0800[diff] [blame]2403
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2404 while (p < extensions_end) {
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2405 unsigned int extension_type;
2406 size_t extension_data_len;
2407
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2408 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, extensions_end, 4);
2409 extension_type = MBEDTLS_GET_UINT16_BE(p, 0);
2410 extension_data_len = MBEDTLS_GET_UINT16_BE(p, 2);
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2411 p += 4;
2412
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2413 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, extensions_end, extension_data_len);
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2414
Jerry Yuc4bf5d62022-10-29 09:08:47 +0800[diff] [blame]2415 ret = mbedtls_ssl_tls13_check_received_extension(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2416 ssl, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST, extension_type,
2417 MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CR);
2418 if (ret != 0) {
2419 return ret;
2420 }
Jerry Yuc55a6af2022-08-04 17:01:21 +0800[diff] [blame]2421
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2422 switch (extension_type) {
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2423 case MBEDTLS_TLS_EXT_SIG_ALG:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2424 MBEDTLS_SSL_DEBUG_MSG(3,
2425 ("found signature algorithms extension"));
2426 ret = mbedtls_ssl_parse_sig_alg_ext(ssl, p,
2427 p + extension_data_len);
2428 if (ret != 0) {
2429 return ret;
2430 }
Jerry Yuc55a6af2022-08-04 17:01:21 +0800[diff] [blame]2431
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2432 break;
2433
2434 default:
Jerry Yu79aa7212022-11-08 21:30:21 +0800[diff] [blame]2435 MBEDTLS_SSL_PRINT_EXT(
Jerry Yu6d0e78b2022-10-31 14:13:25 +0800[diff] [blame]2436 3, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2437 extension_type, "( ignored )");
Xiaofei Bai82f0a9a2022-01-26 09:21:54 +0000[diff] [blame]2438 break;
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2439 }
Jerry Yuc55a6af2022-08-04 17:01:21 +0800[diff] [blame]2440
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2441 p += extension_data_len;
2442 }
Jerry Yuc55a6af2022-08-04 17:01:21 +0800[diff] [blame]2443
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2444 MBEDTLS_SSL_PRINT_EXTS(3, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST,
2445 handshake->received_extensions);
Jerry Yuc55a6af2022-08-04 17:01:21 +0800[diff] [blame]2446
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]2447 /* Check that we consumed all the message. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2448 if (p != end) {
2449 MBEDTLS_SSL_DEBUG_MSG(1,
2450 ("CertificateRequest misaligned"));
Xiaofei Baic234ecf2022-02-08 09:59:23 +0000[diff] [blame]2451 goto decode_error;
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]2452 }
Jerry Yuc55a6af2022-08-04 17:01:21 +0800[diff] [blame]2453
Jerry Yu0c354a22022-08-29 15:25:36 +0800[diff] [blame]2454 /* RFC 8446 section 4.3.2
Jerry Yuc55a6af2022-08-04 17:01:21 +0800[diff] [blame]2455 *
2456 * The "signature_algorithms" extension MUST be specified
2457 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2458 if ((handshake->received_extensions & MBEDTLS_SSL_EXT_MASK(SIG_ALG)) == 0) {
2459 MBEDTLS_SSL_DEBUG_MSG(3,
2460 ("no signature algorithms extension found"));
Xiaofei Baic234ecf2022-02-08 09:59:23 +0000[diff] [blame]2461 goto decode_error;
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]2462 }
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2463
Jerry Yu7840f812022-01-29 10:26:51 +0800[diff] [blame]2464 ssl->handshake->client_auth = 1;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2465 return 0;
Xiaofei Bai51f515a2022-02-08 07:28:04 +0000[diff] [blame]2466
Xiaofei Baic234ecf2022-02-08 09:59:23 +0000[diff] [blame]2467decode_error:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2468 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
2469 MBEDTLS_ERR_SSL_DECODE_ERROR);
2470 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2471}
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2472
Xiaofei Baide3f13e2022-01-18 05:47:05 +0000[diff] [blame]2473/*
2474 * Handler for MBEDTLS_SSL_CERTIFICATE_REQUEST
2475 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2476MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2477static int ssl_tls13_process_certificate_request(mbedtls_ssl_context *ssl)
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2478{
Xiaofei Baide3f13e2022-01-18 05:47:05 +0000[diff] [blame]2479 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2480
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2481 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate request"));
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2482
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2483 MBEDTLS_SSL_PROC_CHK_NEG(ssl_tls13_certificate_request_coordinate(ssl));
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2484
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2485 if (ret == SSL_CERTIFICATE_REQUEST_EXPECT_REQUEST) {
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2486 unsigned char *buf;
2487 size_t buf_len;
2488
Xiaokang Qian958b6ff2023-03-29 10:37:35 +0000[diff] [blame]2489 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_tls13_fetch_handshake_msg(
2490 ssl, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST,
2491 &buf, &buf_len));
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2492
Xiaokang Qian958b6ff2023-03-29 10:37:35 +0000[diff] [blame]2493 MBEDTLS_SSL_PROC_CHK(ssl_tls13_parse_certificate_request(
2494 ssl, buf, buf + buf_len));
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2495
Xiaokang Qian958b6ff2023-03-29 10:37:35 +0000[diff] [blame]2496 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(
2497 ssl, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST,
2498 buf, buf_len));
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2499 } else if (ret == SSL_CERTIFICATE_REQUEST_SKIP) {
Xiaofei Baif6d36962022-01-16 14:54:35 +0000[diff] [blame]2500 ret = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2501 } else {
2502 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
Xiaofei Bai51f515a2022-02-08 07:28:04 +0000[diff] [blame]2503 ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
2504 goto cleanup;
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2505 }
2506
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2507 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_CERTIFICATE);
Jerry Yud2674312021-10-29 10:08:19 +0800[diff] [blame]2508
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2509cleanup:
2510
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2511 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse certificate request"));
2512 return ret;
Jerry Yud2674312021-10-29 10:08:19 +0800[diff] [blame]2513}
2514
2515/*
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2516 * Handler for MBEDTLS_SSL_SERVER_CERTIFICATE
2517 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2518MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2519static int ssl_tls13_process_server_certificate(mbedtls_ssl_context *ssl)
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2520{
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]2521 int ret;
2522
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2523 ret = mbedtls_ssl_tls13_process_certificate(ssl);
2524 if (ret != 0) {
2525 return ret;
2526 }
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]2527
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2528 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CERTIFICATE_VERIFY);
2529 return 0;
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2530}
2531
2532/*
2533 * Handler for MBEDTLS_SSL_CERTIFICATE_VERIFY
2534 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2535MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2536static int ssl_tls13_process_certificate_verify(mbedtls_ssl_context *ssl)
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2537{
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]2538 int ret;
2539
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2540 ret = mbedtls_ssl_tls13_process_certificate_verify(ssl);
2541 if (ret != 0) {
2542 return ret;
2543 }
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]2544
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2545 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_FINISHED);
2546 return 0;
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2547}
Ronald Cron928cbd32022-10-04 16:14:26 +0200[diff] [blame]2548#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
Ronald Crond4c64022021-12-06 09:06:46 +0100[diff] [blame]2549
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2550/*
2551 * Handler for MBEDTLS_SSL_SERVER_FINISHED
2552 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2553MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2554static int ssl_tls13_process_server_finished(mbedtls_ssl_context *ssl)
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2555{
XiaokangQianac0385c2021-11-03 06:40:11 +0000[diff] [blame]2556 int ret;
2557
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2558 ret = mbedtls_ssl_tls13_process_finished_message(ssl);
2559 if (ret != 0) {
2560 return ret;
2561 }
XiaokangQianac0385c2021-11-03 06:40:11 +0000[diff] [blame]2562
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2563 ret = mbedtls_ssl_tls13_compute_application_transform(ssl);
2564 if (ret != 0) {
Jerry Yue3d67cb2022-05-19 15:33:10 +0800[diff] [blame]2565 MBEDTLS_SSL_PEND_FATAL_ALERT(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2566 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
2567 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE);
2568 return ret;
Jerry Yue3d67cb2022-05-19 15:33:10 +0800[diff] [blame]2569 }
2570
Xiaokang Qianbc75bc02022-12-19 06:16:42 +0000[diff] [blame]2571#if defined(MBEDTLS_SSL_EARLY_DATA)
2572 if (ssl->early_data_status == MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED) {
Ronald Cron90e22332024-01-22 15:24:21 +0100[diff] [blame]2573 ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_SERVER_FINISHED_RECEIVED;
Xiaokang Qianbc75bc02022-12-19 06:16:42 +0000[diff] [blame]2574 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_END_OF_EARLY_DATA);
2575 } else
2576#endif /* MBEDTLS_SSL_EARLY_DATA */
2577 {
2578#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
2579 mbedtls_ssl_handshake_set_state(
2580 ssl, MBEDTLS_SSL_CLIENT_CCS_AFTER_SERVER_FINISHED);
2581#else
2582 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE);
2583#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
2584 }
Ronald Cron49ad6192021-11-24 16:25:31 +0100[diff] [blame]2585
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2586 return 0;
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2587}
2588
2589/*
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]2590 * Handler for MBEDTLS_SSL_CLIENT_CERTIFICATE
2591 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2592MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2593static int ssl_tls13_write_client_certificate(mbedtls_ssl_context *ssl)
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]2594{
Ronald Cron7a94aca2022-03-09 07:44:27 +0100[diff] [blame]2595 int non_empty_certificate_msg = 0;
2596
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2597 MBEDTLS_SSL_DEBUG_MSG(1,
2598 ("Switch to handshake traffic keys for outbound traffic"));
2599 mbedtls_ssl_set_outbound_transform(ssl, ssl->handshake->transform_handshake);
Jerry Yu5cc35062022-01-28 16:16:08 +0800[diff] [blame]2600
Ronald Cron928cbd32022-10-04 16:14:26 +0200[diff] [blame]2601#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2602 if (ssl->handshake->client_auth) {
2603 int ret = mbedtls_ssl_tls13_write_certificate(ssl);
2604 if (ret != 0) {
2605 return ret;
2606 }
Ronald Cron5bb8fc82022-03-09 07:00:13 +0100[diff] [blame]2607
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2608 if (mbedtls_ssl_own_cert(ssl) != NULL) {
Ronald Cron7a94aca2022-03-09 07:44:27 +0100[diff] [blame]2609 non_empty_certificate_msg = 1;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2610 }
2611 } else {
2612 MBEDTLS_SSL_DEBUG_MSG(2, ("skip write certificate"));
Ronald Cron7a94aca2022-03-09 07:44:27 +0100[diff] [blame]2613 }
Ronald Cron9df7c802022-03-08 18:38:54 +0100[diff] [blame]2614#endif
Ronald Cron5bb8fc82022-03-09 07:00:13 +0100[diff] [blame]2615
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2616 if (non_empty_certificate_msg) {
2617 mbedtls_ssl_handshake_set_state(ssl,
2618 MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY);
2619 } else {
2620 MBEDTLS_SSL_DEBUG_MSG(2, ("skip write certificate verify"));
2621 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_FINISHED);
2622 }
Ronald Cron7a94aca2022-03-09 07:44:27 +0100[diff] [blame]2623
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2624 return 0;
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]2625}
2626
Ronald Cron928cbd32022-10-04 16:14:26 +0200[diff] [blame]2627#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]2628/*
2629 * Handler for MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY
2630 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2631MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2632static int ssl_tls13_write_client_certificate_verify(mbedtls_ssl_context *ssl)
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]2633{
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2634 int ret = mbedtls_ssl_tls13_write_certificate_verify(ssl);
Ronald Crona8b38872022-03-09 07:59:25 +0100[diff] [blame]2635
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2636 if (ret == 0) {
2637 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_FINISHED);
2638 }
Ronald Crona8b38872022-03-09 07:59:25 +0100[diff] [blame]2639
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2640 return ret;
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]2641}
Ronald Cron928cbd32022-10-04 16:14:26 +0200[diff] [blame]2642#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]2643
2644/*
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2645 * Handler for MBEDTLS_SSL_CLIENT_FINISHED
2646 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2647MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2648static int ssl_tls13_write_client_finished(mbedtls_ssl_context *ssl)
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2649{
XiaokangQian0fa66432021-11-15 03:33:57 +0000[diff] [blame]2650 int ret;
2651
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2652 ret = mbedtls_ssl_tls13_write_finished_message(ssl);
2653 if (ret != 0) {
2654 return ret;
Jerry Yue3d67cb2022-05-19 15:33:10 +0800[diff] [blame]2655 }
2656
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2657 ret = mbedtls_ssl_tls13_compute_resumption_master_secret(ssl);
2658 if (ret != 0) {
Xiaokang Qian958b6ff2023-03-29 10:37:35 +0000[diff] [blame]2659 MBEDTLS_SSL_DEBUG_RET(
2660 1, "mbedtls_ssl_tls13_compute_resumption_master_secret ", ret);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2661 return ret;
2662 }
2663
2664 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_FLUSH_BUFFERS);
2665 return 0;
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2666}
2667
2668/*
2669 * Handler for MBEDTLS_SSL_FLUSH_BUFFERS
2670 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2671MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2672static int ssl_tls13_flush_buffers(mbedtls_ssl_context *ssl)
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2673{
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2674 MBEDTLS_SSL_DEBUG_MSG(2, ("handshake: done"));
2675 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_WRAPUP);
2676 return 0;
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2677}
2678
2679/*
2680 * Handler for MBEDTLS_SSL_HANDSHAKE_WRAPUP
2681 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2682MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2683static int ssl_tls13_handshake_wrapup(mbedtls_ssl_context *ssl)
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2684{
Jerry Yu378254d2021-10-30 21:44:47 +0800[diff] [blame]2685
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2686 mbedtls_ssl_tls13_handshake_wrapup(ssl);
Jerry Yu378254d2021-10-30 21:44:47 +0800[diff] [blame]2687
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2688 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_OVER);
2689 return 0;
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2690}
2691
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2692#if defined(MBEDTLS_SSL_SESSION_TICKETS)
2693
Yanray Wang920db452023-11-14 17:20:16 +0800[diff] [blame]2694#if defined(MBEDTLS_SSL_EARLY_DATA)
2695/* From RFC 8446 section 4.2.10
2696 *
2697 * struct {
2698 * select (Handshake.msg_type) {
2699 * case new_session_ticket: uint32 max_early_data_size;
2700 * ...
2701 * };
2702 * } EarlyDataIndication;
2703 */
2704MBEDTLS_CHECK_RETURN_CRITICAL
Yanray Wangb3e207d2023-11-30 16:49:49 +0800[diff] [blame]2705static int ssl_tls13_parse_new_session_ticket_early_data_ext(
2706 mbedtls_ssl_context *ssl,
2707 const unsigned char *buf,
2708 const unsigned char *end)
Yanray Wang920db452023-11-14 17:20:16 +0800[diff] [blame]2709{
Yanray Wangd0120842023-11-23 16:35:54 +0800[diff] [blame]2710 mbedtls_ssl_session *session = ssl->session;
2711
Yanray Wang920db452023-11-14 17:20:16 +0800[diff] [blame]2712 MBEDTLS_SSL_CHK_BUF_READ_PTR(buf, end, 4);
Yanray Wang920db452023-11-14 17:20:16 +0800[diff] [blame]2713
Yanray Wangd0120842023-11-23 16:35:54 +0800[diff] [blame]2714 session->max_early_data_size = MBEDTLS_GET_UINT32_BE(buf, 0);
Pengyu Lv94a42cc2023-12-06 10:04:17 +0800[diff] [blame]2715 mbedtls_ssl_tls13_session_set_ticket_flags(
Yanray Wangd0120842023-11-23 16:35:54 +0800[diff] [blame]2716 session, MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_EARLY_DATA);
2717 MBEDTLS_SSL_DEBUG_MSG(
2718 3, ("received max_early_data_size: %u",
2719 (unsigned int) session->max_early_data_size));
Yanray Wang920db452023-11-14 17:20:16 +0800[diff] [blame]2720
Yanray Wangd0120842023-11-23 16:35:54 +0800[diff] [blame]2721 return 0;
Yanray Wang920db452023-11-14 17:20:16 +0800[diff] [blame]2722}
2723#endif /* MBEDTLS_SSL_EARLY_DATA */
2724
Jerry Yua0446a02022-07-13 11:22:55 +0800[diff] [blame]2725MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2726static int ssl_tls13_parse_new_session_ticket_exts(mbedtls_ssl_context *ssl,
2727 const unsigned char *buf,
2728 const unsigned char *end)
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2729{
Jerry Yuc4bf5d62022-10-29 09:08:47 +0800[diff] [blame]2730 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
Jerry Yuaf2c0c82022-07-12 05:47:21 +0000[diff] [blame]2731 const unsigned char *p = buf;
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2732
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2733
Jerry Yuedab6372022-10-31 14:37:31 +0800[diff] [blame]2734 handshake->received_extensions = MBEDTLS_SSL_EXT_MASK_NONE;
Jerry Yu6ba9f1c2022-08-04 17:53:25 +0800[diff] [blame]2735
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2736 while (p < end) {
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2737 unsigned int extension_type;
2738 size_t extension_data_len;
Jerry Yu0c354a22022-08-29 15:25:36 +0800[diff] [blame]2739 int ret;
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2740
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2741 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 4);
2742 extension_type = MBEDTLS_GET_UINT16_BE(p, 0);
2743 extension_data_len = MBEDTLS_GET_UINT16_BE(p, 2);
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2744 p += 4;
2745
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2746 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, extension_data_len);
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2747
Jerry Yuc4bf5d62022-10-29 09:08:47 +0800[diff] [blame]2748 ret = mbedtls_ssl_tls13_check_received_extension(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2749 ssl, MBEDTLS_SSL_HS_NEW_SESSION_TICKET, extension_type,
2750 MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_NST);
2751 if (ret != 0) {
2752 return ret;
2753 }
Jerry Yu6ba9f1c2022-08-04 17:53:25 +0800[diff] [blame]2754
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2755 switch (extension_type) {
Xiaokang Qian0cc43202022-11-16 08:43:50 +0000[diff] [blame]2756#if defined(MBEDTLS_SSL_EARLY_DATA)
Xiaokang Qianf447e8a2022-11-08 07:02:27 +0000[diff] [blame]2757 case MBEDTLS_TLS_EXT_EARLY_DATA:
Yanray Wangb3e207d2023-11-30 16:49:49 +0800[diff] [blame]2758 ret = ssl_tls13_parse_new_session_ticket_early_data_ext(
Yanray Wang920db452023-11-14 17:20:16 +0800[diff] [blame]2759 ssl, p, p + extension_data_len);
2760 if (ret != 0) {
2761 MBEDTLS_SSL_DEBUG_RET(
Yanray Wangb3e207d2023-11-30 16:49:49 +0800[diff] [blame]2762 1, "ssl_tls13_parse_new_session_ticket_early_data_ext",
2763 ret);
Xiaokang Qian2d87a9e2022-11-09 07:55:48 +0000[diff] [blame]2764 }
Xiaokang Qianf447e8a2022-11-08 07:02:27 +0000[diff] [blame]2765 break;
Xiaokang Qian0cc43202022-11-16 08:43:50 +0000[diff] [blame]2766#endif /* MBEDTLS_SSL_EARLY_DATA */
Xiaokang Qianf447e8a2022-11-08 07:02:27 +0000[diff] [blame]2767
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2768 default:
Jerry Yu79aa7212022-11-08 21:30:21 +0800[diff] [blame]2769 MBEDTLS_SSL_PRINT_EXT(
Jerry Yuedab6372022-10-31 14:37:31 +0800[diff] [blame]2770 3, MBEDTLS_SSL_HS_NEW_SESSION_TICKET,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2771 extension_type, "( ignored )");
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2772 break;
2773 }
Jerry Yu6ba9f1c2022-08-04 17:53:25 +0800[diff] [blame]2774
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2775 p += extension_data_len;
2776 }
2777
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2778 MBEDTLS_SSL_PRINT_EXTS(3, MBEDTLS_SSL_HS_NEW_SESSION_TICKET,
2779 handshake->received_extensions);
Jerry Yu6ba9f1c2022-08-04 17:53:25 +0800[diff] [blame]2780
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2781 return 0;
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2782}
2783
2784/*
Jerry Yu08aed4d2022-07-20 10:36:12 +0800[diff] [blame]2785 * From RFC8446, page 74
2786 *
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2787 * struct {
2788 * uint32 ticket_lifetime;
2789 * uint32 ticket_age_add;
2790 * opaque ticket_nonce<0..255>;
2791 * opaque ticket<1..2^16-1>;
2792 * Extension extensions<0..2^16-2>;
2793 * } NewSessionTicket;
2794 *
2795 */
Jerry Yua0446a02022-07-13 11:22:55 +0800[diff] [blame]2796MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2797static int ssl_tls13_parse_new_session_ticket(mbedtls_ssl_context *ssl,
2798 unsigned char *buf,
2799 unsigned char *end,
2800 unsigned char **ticket_nonce,
2801 size_t *ticket_nonce_len)
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2802{
2803 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2804 unsigned char *p = buf;
2805 mbedtls_ssl_session *session = ssl->session;
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2806 size_t ticket_len;
2807 unsigned char *ticket;
2808 size_t extensions_len;
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2809
Jerry Yucb3b1392022-07-12 06:09:38 +0000[diff] [blame]2810 *ticket_nonce = NULL;
2811 *ticket_nonce_len = 0;
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2812 /*
2813 * ticket_lifetime 4 bytes
2814 * ticket_age_add 4 bytes
Jerry Yu08aed4d2022-07-20 10:36:12 +0800[diff] [blame]2815 * ticket_nonce_len 1 byte
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2816 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2817 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 9);
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2818
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2819 session->ticket_lifetime = MBEDTLS_GET_UINT32_BE(p, 0);
2820 MBEDTLS_SSL_DEBUG_MSG(3,
2821 ("ticket_lifetime: %u",
2822 (unsigned int) session->ticket_lifetime));
Jerry Yu8e0174a2023-11-10 13:58:16 +0800[diff] [blame]2823 if (session->ticket_lifetime >
2824 MBEDTLS_SSL_TLS1_3_MAX_ALLOWED_TICKET_LIFETIME) {
Jerry Yu46c79262023-11-10 13:58:16 +0800[diff] [blame]2825 MBEDTLS_SSL_DEBUG_MSG(3, ("ticket_lifetime exceeds 7 days."));
Jerry Yucf913512023-11-14 11:06:52 +0800[diff] [blame]2826 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Jerry Yu46c79262023-11-10 13:58:16 +0800[diff] [blame]2827 }
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2828
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2829 session->ticket_age_add = MBEDTLS_GET_UINT32_BE(p, 4);
2830 MBEDTLS_SSL_DEBUG_MSG(3,
2831 ("ticket_age_add: %u",
2832 (unsigned int) session->ticket_age_add));
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2833
Jerry Yucb3b1392022-07-12 06:09:38 +0000[diff] [blame]2834 *ticket_nonce_len = p[8];
2835 p += 9;
2836
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2837 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, *ticket_nonce_len);
Jerry Yucb3b1392022-07-12 06:09:38 +0000[diff] [blame]2838 *ticket_nonce = p;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2839 MBEDTLS_SSL_DEBUG_BUF(3, "ticket_nonce:", *ticket_nonce, *ticket_nonce_len);
Jerry Yucb3b1392022-07-12 06:09:38 +0000[diff] [blame]2840 p += *ticket_nonce_len;
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2841
2842 /* Ticket */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2843 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
2844 ticket_len = MBEDTLS_GET_UINT16_BE(p, 0);
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2845 p += 2;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2846 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, ticket_len);
2847 MBEDTLS_SSL_DEBUG_BUF(3, "received ticket", p, ticket_len);
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2848
2849 /* Check if we previously received a ticket already. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2850 if (session->ticket != NULL || session->ticket_len > 0) {
2851 mbedtls_free(session->ticket);
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2852 session->ticket = NULL;
2853 session->ticket_len = 0;
2854 }
2855
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2856 if ((ticket = mbedtls_calloc(1, ticket_len)) == NULL) {
2857 MBEDTLS_SSL_DEBUG_MSG(1, ("ticket alloc failed"));
2858 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2859 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2860 memcpy(ticket, p, ticket_len);
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2861 p += ticket_len;
2862 session->ticket = ticket;
2863 session->ticket_len = ticket_len;
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2864
Pengyu Lv9f926952022-11-17 15:22:33 +0800[diff] [blame]2865 /* Clear all flags in ticket_flags */
Pengyu Lv94a42cc2023-12-06 10:04:17 +0800[diff] [blame]2866 mbedtls_ssl_tls13_session_clear_ticket_flags(
Pengyu Lv9eacb442022-12-09 14:39:19 +0800[diff] [blame]2867 session, MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK);
Pengyu Lv9f926952022-11-17 15:22:33 +0800[diff] [blame]2868
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2869 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
2870 extensions_len = MBEDTLS_GET_UINT16_BE(p, 0);
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2871 p += 2;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2872 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, extensions_len);
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2873
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2874 MBEDTLS_SSL_DEBUG_BUF(3, "ticket extension", p, extensions_len);
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2875
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2876 ret = ssl_tls13_parse_new_session_ticket_exts(ssl, p, p + extensions_len);
2877 if (ret != 0) {
2878 MBEDTLS_SSL_DEBUG_RET(1,
2879 "ssl_tls13_parse_new_session_ticket_exts",
2880 ret);
2881 return ret;
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2882 }
Jerry Yucb3b1392022-07-12 06:09:38 +0000[diff] [blame]2883
Jerry Yudb8c5fa2022-08-03 12:10:13 +0800[diff] [blame]2884 /* session has been updated, allow export */
2885 session->exported = 0;
2886
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2887 return 0;
Jerry Yucb3b1392022-07-12 06:09:38 +0000[diff] [blame]2888}
2889
Jerry Yua0446a02022-07-13 11:22:55 +0800[diff] [blame]2890MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2891static int ssl_tls13_postprocess_new_session_ticket(mbedtls_ssl_context *ssl,
2892 unsigned char *ticket_nonce,
2893 size_t ticket_nonce_len)
Jerry Yucb3b1392022-07-12 06:09:38 +0000[diff] [blame]2894{
2895 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2896 mbedtls_ssl_session *session = ssl->session;
2897 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
2898 psa_algorithm_t psa_hash_alg;
2899 int hash_length;
2900
Jerry Yu4e6c42a2022-07-13 11:16:51 +0800[diff] [blame]2901#if defined(MBEDTLS_HAVE_TIME)
2902 /* Store ticket creation time */
Jerry Yu342a5552023-11-10 14:23:39 +0800[diff] [blame]2903 session->ticket_reception_time = mbedtls_ms_time();
Jerry Yu4e6c42a2022-07-13 11:16:51 +0800[diff] [blame]2904#endif
2905
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2906 ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(session->ciphersuite);
2907 if (ciphersuite_info == NULL) {
2908 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
2909 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2910 }
2911
Dave Rodgman2eab4622023-10-05 13:30:37 +0100[diff] [blame]2912 psa_hash_alg = mbedtls_md_psa_alg_from_type((mbedtls_md_type_t) ciphersuite_info->mac);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2913 hash_length = PSA_HASH_LENGTH(psa_hash_alg);
2914 if (hash_length == -1 ||
2915 (size_t) hash_length > sizeof(session->resumption_key)) {
2916 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Jerry Yu3afdf362022-07-20 17:34:14 +0800[diff] [blame]2917 }
2918
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2919
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2920 MBEDTLS_SSL_DEBUG_BUF(3, "resumption_master_secret",
2921 session->app_secrets.resumption_master_secret,
2922 hash_length);
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2923
Jerry Yu4e6c42a2022-07-13 11:16:51 +0800[diff] [blame]2924 /* Compute resumption key
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2925 *
2926 * HKDF-Expand-Label( resumption_master_secret,
2927 * "resumption", ticket_nonce, Hash.length )
2928 */
2929 ret = mbedtls_ssl_tls13_hkdf_expand_label(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2930 psa_hash_alg,
2931 session->app_secrets.resumption_master_secret,
2932 hash_length,
2933 MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(resumption),
2934 ticket_nonce,
2935 ticket_nonce_len,
2936 session->resumption_key,
2937 hash_length);
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2938
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2939 if (ret != 0) {
2940 MBEDTLS_SSL_DEBUG_RET(2,
2941 "Creating the ticket-resumed PSK failed",
2942 ret);
2943 return ret;
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2944 }
2945
Jerry Yu0a430c82022-07-20 11:02:48 +0800[diff] [blame]2946 session->resumption_key_len = hash_length;
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2947
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2948 MBEDTLS_SSL_DEBUG_BUF(3, "Ticket-resumed PSK",
2949 session->resumption_key,
2950 session->resumption_key_len);
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2951
Pengyu Lv9f926952022-11-17 15:22:33 +0800[diff] [blame]2952 /* Set ticket_flags depends on the selected key exchange modes */
Pengyu Lv94a42cc2023-12-06 10:04:17 +0800[diff] [blame]2953 mbedtls_ssl_tls13_session_set_ticket_flags(
Pengyu Lv9eacb442022-12-09 14:39:19 +0800[diff] [blame]2954 session, ssl->conf->tls13_kex_modes);
Pengyu Lv4938a562023-01-16 11:28:49 +0800[diff] [blame]2955 MBEDTLS_SSL_PRINT_TICKET_FLAGS(4, session->ticket_flags);
Pengyu Lv9f926952022-11-17 15:22:33 +0800[diff] [blame]2956
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2957 return 0;
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2958}
2959
2960/*
Jerry Yua8d3c502022-10-30 14:51:23 +0800[diff] [blame]2961 * Handler for MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2962 */
Jerry Yua0446a02022-07-13 11:22:55 +0800[diff] [blame]2963MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2964static int ssl_tls13_process_new_session_ticket(mbedtls_ssl_context *ssl)
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2965{
2966 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2967 unsigned char *buf;
2968 size_t buf_len;
Jerry Yucb3b1392022-07-12 06:09:38 +0000[diff] [blame]2969 unsigned char *ticket_nonce;
2970 size_t ticket_nonce_len;
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2971
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2972 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse new session ticket"));
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2973
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2974 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_tls13_fetch_handshake_msg(
2975 ssl, MBEDTLS_SSL_HS_NEW_SESSION_TICKET,
2976 &buf, &buf_len));
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2977
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2978 MBEDTLS_SSL_PROC_CHK(ssl_tls13_parse_new_session_ticket(
2979 ssl, buf, buf + buf_len,
2980 &ticket_nonce, &ticket_nonce_len));
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2981
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2982 MBEDTLS_SSL_PROC_CHK(ssl_tls13_postprocess_new_session_ticket(
2983 ssl, ticket_nonce, ticket_nonce_len));
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2984
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2985 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_OVER);
Jerry Yu4e6c42a2022-07-13 11:16:51 +0800[diff] [blame]2986
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2987cleanup:
2988
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2989 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse new session ticket"));
2990 return ret;
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2991}
2992#endif /* MBEDTLS_SSL_SESSION_TICKETS */
2993
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2994int mbedtls_ssl_tls13_handshake_client_step(mbedtls_ssl_context *ssl)
Jerry Yubc20bdd2021-08-24 15:59:48 +0800[diff] [blame]2995{
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]2996 int ret = 0;
Jerry Yuc8a392c2021-08-18 16:46:28 +0800[diff] [blame]2997
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2998 switch (ssl->state) {
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]2999 case MBEDTLS_SSL_HELLO_REQUEST:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3000 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_HELLO);
Jerry Yuddda0502022-12-01 19:43:12 +0800[diff] [blame]3001 break;
3002
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]3003 case MBEDTLS_SSL_CLIENT_HELLO:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3004 ret = mbedtls_ssl_write_client_hello(ssl);
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]3005 break;
3006
3007 case MBEDTLS_SSL_SERVER_HELLO:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3008 ret = ssl_tls13_process_server_hello(ssl);
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]3009 break;
3010
3011 case MBEDTLS_SSL_ENCRYPTED_EXTENSIONS:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3012 ret = ssl_tls13_process_encrypted_extensions(ssl);
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]3013 break;
3014
Ronald Cron928cbd32022-10-04 16:14:26 +0200[diff] [blame]3015#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
Jerry Yud2674312021-10-29 10:08:19 +0800[diff] [blame]3016 case MBEDTLS_SSL_CERTIFICATE_REQUEST:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3017 ret = ssl_tls13_process_certificate_request(ssl);
Jerry Yud2674312021-10-29 10:08:19 +0800[diff] [blame]3018 break;
3019
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]3020 case MBEDTLS_SSL_SERVER_CERTIFICATE:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3021 ret = ssl_tls13_process_server_certificate(ssl);
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]3022 break;
3023
3024 case MBEDTLS_SSL_CERTIFICATE_VERIFY:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3025 ret = ssl_tls13_process_certificate_verify(ssl);
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]3026 break;
Ronald Cron928cbd32022-10-04 16:14:26 +0200[diff] [blame]3027#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]3028
3029 case MBEDTLS_SSL_SERVER_FINISHED:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3030 ret = ssl_tls13_process_server_finished(ssl);
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]3031 break;
3032
Xiaokang Qian125afcb2022-10-28 06:04:06 +0000[diff] [blame]3033 case MBEDTLS_SSL_END_OF_EARLY_DATA:
3034 ret = ssl_tls13_write_end_of_early_data(ssl);
3035 break;
3036
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]3037 case MBEDTLS_SSL_CLIENT_CERTIFICATE:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3038 ret = ssl_tls13_write_client_certificate(ssl);
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]3039 break;
3040
Ronald Cron928cbd32022-10-04 16:14:26 +0200[diff] [blame]3041#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]3042 case MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3043 ret = ssl_tls13_write_client_certificate_verify(ssl);
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]3044 break;
Ronald Cron928cbd32022-10-04 16:14:26 +0200[diff] [blame]3045#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]3046
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]3047 case MBEDTLS_SSL_CLIENT_FINISHED:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3048 ret = ssl_tls13_write_client_finished(ssl);
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]3049 break;
3050
3051 case MBEDTLS_SSL_FLUSH_BUFFERS:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3052 ret = ssl_tls13_flush_buffers(ssl);
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]3053 break;
3054
3055 case MBEDTLS_SSL_HANDSHAKE_WRAPUP:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3056 ret = ssl_tls13_handshake_wrapup(ssl);
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]3057 break;
3058
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3059 /*
3060 * Injection of dummy-CCS's for middlebox compatibility
3061 */
Ronald Cron49ad6192021-11-24 16:25:31 +0100[diff] [blame]3062#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
XiaokangQian0b56a8f2021-12-22 02:39:32 +0000[diff] [blame]3063 case MBEDTLS_SSL_CLIENT_CCS_BEFORE_2ND_CLIENT_HELLO:
Ronald Cronfe59ff72024-01-24 14:31:50 +0100[diff] [blame]3064 ret = 0;
3065 if (ssl->handshake->ccs_count == 0) {
3066 ret = mbedtls_ssl_tls13_write_change_cipher_spec(ssl);
3067 if (ret != 0) {
3068 break;
3069 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3070 }
Ronald Cronfe59ff72024-01-24 14:31:50 +0100[diff] [blame]3071 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_HELLO);
Ronald Cron9f55f632022-02-02 16:02:47 +0100[diff] [blame]3072 break;
3073
3074 case MBEDTLS_SSL_CLIENT_CCS_AFTER_SERVER_FINISHED:
Ronald Cronfe59ff72024-01-24 14:31:50 +0100[diff] [blame]3075 ret = 0;
3076 if (ssl->handshake->ccs_count == 0) {
3077 ret = mbedtls_ssl_tls13_write_change_cipher_spec(ssl);
3078 if (ret != 0) {
3079 break;
3080 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3081 }
Ronald Cronfe59ff72024-01-24 14:31:50 +0100[diff] [blame]3082 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE);
Ronald Cron49ad6192021-11-24 16:25:31 +0100[diff] [blame]3083 break;
Xiaokang Qianf6d8fd32023-02-02 02:46:26 +0000[diff] [blame]3084
Ronald Cron297c6082024-01-19 08:15:33 +0100[diff] [blame]3085#if defined(MBEDTLS_SSL_EARLY_DATA)
Xiaokang Qian592021a2023-01-04 10:47:05 +0000[diff] [blame]3086 case MBEDTLS_SSL_CLIENT_CCS_AFTER_CLIENT_HELLO:
3087 ret = mbedtls_ssl_tls13_write_change_cipher_spec(ssl);
3088 if (ret == 0) {
3089 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_HELLO);
3090
3091 MBEDTLS_SSL_DEBUG_MSG(
3092 1, ("Switch to early data keys for outbound traffic"));
3093 mbedtls_ssl_set_outbound_transform(
3094 ssl, ssl->handshake->transform_earlydata);
Ronald Cron90e22332024-01-22 15:24:21 +0100[diff] [blame]3095 ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_CAN_WRITE;
Xiaokang Qian592021a2023-01-04 10:47:05 +0000[diff] [blame]3096 }
3097 break;
Ronald Cron297c6082024-01-19 08:15:33 +0100[diff] [blame]3098#endif /* MBEDTLS_SSL_EARLY_DATA */
Ronald Cron49ad6192021-11-24 16:25:31 +0100[diff] [blame]3099#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
3100
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]3101#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Jerry Yua8d3c502022-10-30 14:51:23 +0800[diff] [blame]3102 case MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3103 ret = ssl_tls13_process_new_session_ticket(ssl);
3104 if (ret != 0) {
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]3105 break;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3106 }
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]3107 ret = MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET;
3108 break;
3109#endif /* MBEDTLS_SSL_SESSION_TICKETS */
3110
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]3111 default:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3112 MBEDTLS_SSL_DEBUG_MSG(1, ("invalid state %d", ssl->state));
3113 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]3114 }
3115
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3116 return ret;
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]3117}
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800[diff] [blame]3118
Jerry Yufb4b6472022-01-27 15:03:26 +0800[diff] [blame]3119#endif /* MBEDTLS_SSL_CLI_C && MBEDTLS_SSL_PROTO_TLS1_3 */