TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 17ef8dfddb998a7eab9de8cdfd0ff5c3b6e069fa / . / library / ssl_tls13_client.c
blob: 1bfac586a0542d73d735f2a1e1becb6335c2b937 [file] [log] [blame]
Jerry Yu3cc4c2a2021-08-06 16:29:08 +0800[diff] [blame]1/*
2 * TLS 1.3 client-side functions
3 *
4 * Copyright The Mbed TLS Contributors
Dave Rodgman16799db2023-11-02 19:47:20 +0000[diff] [blame]5 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
Jerry Yu3cc4c2a2021-08-06 16:29:08 +0800[diff] [blame]6 */
7
8#include "common.h"
9
Jerry Yucc43c6b2022-01-28 10:24:45 +0800[diff] [blame]10#if defined(MBEDTLS_SSL_CLI_C) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
Jerry Yu3cc4c2a2021-08-06 16:29:08 +0800[diff] [blame]11
Jerry Yubc20bdd2021-08-24 15:59:48 +0800[diff] [blame]12#include <string.h>
13
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]14#include "mbedtls/debug.h"
15#include "mbedtls/error.h"
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]16#include "mbedtls/platform.h"
Jerry Yua13c7e72021-08-17 10:44:40 +0800[diff] [blame]17
Jerry Yubdc71882021-09-14 19:30:36 +0800[diff] [blame]18#include "ssl_misc.h"
Ronald Cron3d580bf2022-02-18 17:24:56 +0100[diff] [blame]19#include "ssl_client.h"
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]20#include "ssl_tls13_keys.h"
Jerry Yucbd082f2022-08-04 16:55:10 +0800[diff] [blame]21#include "ssl_debug_helpers.h"
Manuel Pégourié-Gonnard02b10d82023-03-28 12:33:20 +0200[diff] [blame]22#include "md_psa.h"
Jerry Yubdc71882021-09-14 19:30:36 +0800[diff] [blame]23
Valerio Settic9ae8622023-07-25 11:23:50 +0200[diff] [blame]24#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)
Andrzej Kurek00644842023-05-30 05:45:00 -0400[diff] [blame]25/* Define a local translating function to save code size by not using too many
26 * arguments in each translating place. */
27static int local_err_translation(psa_status_t status)
28{
29 return psa_status_to_mbedtls(status, psa_to_ssl_errors,
Andrzej Kurek1e4a0302023-05-30 09:45:17 -0400[diff] [blame]30 ARRAY_LENGTH(psa_to_ssl_errors),
Andrzej Kurek00644842023-05-30 05:45:00 -0400[diff] [blame]31 psa_generic_status_to_mbedtls);
32}
33#define PSA_TO_MBEDTLS_ERR(status) local_err_translation(status)
Andrzej Kureka6033ac2023-05-30 15:16:34 -0400[diff] [blame]34#endif
35
Jerry Yubc20bdd2021-08-24 15:59:48 +0800[diff] [blame]36/* Write extensions */
37
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]38/*
39 * ssl_tls13_write_supported_versions_ext():
40 *
41 * struct {
42 * ProtocolVersion versions<2..254>;
43 * } SupportedVersions;
44 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]45MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]46static int ssl_tls13_write_supported_versions_ext(mbedtls_ssl_context *ssl,
47 unsigned char *buf,
48 unsigned char *end,
49 size_t *out_len)
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]50{
51 unsigned char *p = buf;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]52 unsigned char versions_len = (ssl->handshake->min_tls_version <=
53 MBEDTLS_SSL_VERSION_TLS1_2) ? 4 : 2;
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]54
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]55 *out_len = 0;
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]56
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]57 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, adding supported versions extension"));
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]58
Jerry Yu388bd0d2021-09-15 18:41:02 +0800[diff] [blame]59 /* Check if we have space to write the extension:
Jerry Yub60e3cf2021-09-08 16:41:02 +0800[diff] [blame]60 * - extension_type (2 bytes)
61 * - extension_data_length (2 bytes)
62 * - versions_length (1 byte )
Ronald Crona77fc272022-03-30 17:20:47 +0200[diff] [blame]63 * - versions (2 or 4 bytes)
Jerry Yu159c5a02021-08-31 12:51:25 +0800[diff] [blame]64 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]65 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 5 + versions_len);
Ronald Crondbe87f02022-02-10 14:35:27 +0100[diff] [blame]66
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]67 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS, p, 0);
68 MBEDTLS_PUT_UINT16_BE(versions_len + 1, p, 2);
Jerry Yueecfbf02021-08-30 18:32:07 +0800[diff] [blame]69 p += 4;
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]70
Jerry Yu1bc2c1f2021-09-01 12:57:29 +0800[diff] [blame]71 /* Length of versions */
Ronald Crondbe87f02022-02-10 14:35:27 +0100[diff] [blame]72 *p++ = versions_len;
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]73
Jerry Yu0c63af62021-09-02 12:59:12 +0800[diff] [blame]74 /* Write values of supported versions.
Jerry Yu0c63af62021-09-02 12:59:12 +0800[diff] [blame]75 * They are defined by the configuration.
Ronald Crondbe87f02022-02-10 14:35:27 +0100[diff] [blame]76 * Currently, we advertise only TLS 1.3 or both TLS 1.3 and TLS 1.2.
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]77 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]78 mbedtls_ssl_write_version(p, MBEDTLS_SSL_TRANSPORT_STREAM,
79 MBEDTLS_SSL_VERSION_TLS1_3);
80 MBEDTLS_SSL_DEBUG_MSG(3, ("supported version: [3:4]"));
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]81
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]82
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]83 if (ssl->handshake->min_tls_version <= MBEDTLS_SSL_VERSION_TLS1_2) {
84 mbedtls_ssl_write_version(p + 2, MBEDTLS_SSL_TRANSPORT_STREAM,
85 MBEDTLS_SSL_VERSION_TLS1_2);
86 MBEDTLS_SSL_DEBUG_MSG(3, ("supported version: [3:3]"));
Ronald Crondbe87f02022-02-10 14:35:27 +0100[diff] [blame]87 }
88
89 *out_len = 5 + versions_len;
Jerry Yu4b8f2f72022-10-31 13:31:22 +0800[diff] [blame]90
Jerry Yuc4bf5d62022-10-29 09:08:47 +0800[diff] [blame]91 mbedtls_ssl_tls13_set_hs_sent_ext_mask(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]92 ssl, MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS);
Jerry Yu4b8f2f72022-10-31 13:31:22 +0800[diff] [blame]93
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]94 return 0;
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]95}
Jerry Yubc20bdd2021-08-24 15:59:48 +0800[diff] [blame]96
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]97MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]98static int ssl_tls13_parse_supported_versions_ext(mbedtls_ssl_context *ssl,
99 const unsigned char *buf,
100 const unsigned char *end)
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]101{
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]102 ((void) ssl);
103
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]104 MBEDTLS_SSL_CHK_BUF_READ_PTR(buf, end, 2);
105 if (mbedtls_ssl_read_version(buf, ssl->conf->transport) !=
106 MBEDTLS_SSL_VERSION_TLS1_3) {
107 MBEDTLS_SSL_DEBUG_MSG(1, ("unexpected version"));
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]108
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]109 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
110 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
111 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]112 }
113
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]114 if (&buf[2] != end) {
Xiaokang Qian91bb3f02023-04-03 09:07:03 +0000[diff] [blame]115 MBEDTLS_SSL_DEBUG_MSG(
116 1, ("supported_versions ext data length incorrect"));
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]117 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
118 MBEDTLS_ERR_SSL_DECODE_ERROR);
119 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Ronald Cron98473382022-03-30 20:04:10 +0200[diff] [blame]120 }
121
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]122 return 0;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]123}
124
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]125#if defined(MBEDTLS_SSL_ALPN)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]126MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]127static int ssl_tls13_parse_alpn_ext(mbedtls_ssl_context *ssl,
128 const unsigned char *buf, size_t len)
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]129{
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]130 const unsigned char *p = buf;
131 const unsigned char *end = buf + len;
Ronald Cron81a334f2022-05-31 16:04:11 +0200[diff] [blame]132 size_t protocol_name_list_len, protocol_name_len;
133 const unsigned char *protocol_name_list_end;
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]134
135 /* If we didn't send it, the server shouldn't send it */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]136 if (ssl->conf->alpn_list == NULL) {
137 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
138 }
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]139
140 /*
141 * opaque ProtocolName<1..2^8-1>;
142 *
143 * struct {
144 * ProtocolName protocol_name_list<2..2^16-1>
145 * } ProtocolNameList;
146 *
147 * the "ProtocolNameList" MUST contain exactly one "ProtocolName"
148 */
149
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]150 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
151 protocol_name_list_len = MBEDTLS_GET_UINT16_BE(p, 0);
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]152 p += 2;
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]153
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]154 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, protocol_name_list_len);
Ronald Cron81a334f2022-05-31 16:04:11 +0200[diff] [blame]155 protocol_name_list_end = p + protocol_name_list_len;
156
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]157 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, protocol_name_list_end, 1);
Ronald Cron81a334f2022-05-31 16:04:11 +0200[diff] [blame]158 protocol_name_len = *p++;
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]159
160 /* Check that the server chosen protocol was in our list and save it */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]161 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, protocol_name_list_end, protocol_name_len);
162 for (const char **alpn = ssl->conf->alpn_list; *alpn != NULL; alpn++) {
163 if (protocol_name_len == strlen(*alpn) &&
164 memcmp(p, *alpn, protocol_name_len) == 0) {
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]165 ssl->alpn_chosen = *alpn;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]166 return 0;
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]167 }
168 }
169
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]170 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]171}
172#endif /* MBEDTLS_SSL_ALPN */
173
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]174MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]175static int ssl_tls13_reset_key_share(mbedtls_ssl_context *ssl)
XiaokangQian647719a2021-12-07 09:16:29 +0000[diff] [blame]176{
177 uint16_t group_id = ssl->handshake->offered_group_id;
Ronald Cron5b98ac92022-03-15 10:19:18 +0100[diff] [blame]178
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]179 if (group_id == 0) {
180 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
181 }
XiaokangQian647719a2021-12-07 09:16:29 +0000[diff] [blame]182
Valerio Settic9ae8622023-07-25 11:23:50 +0200[diff] [blame]183#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)
Przemek Stekielc89f3ea2023-05-18 15:45:53 +0200[diff] [blame]184 if (mbedtls_ssl_tls13_named_group_is_ecdhe(group_id) ||
Przemek Stekield5f79e72023-06-29 09:08:43 +0200[diff] [blame]185 mbedtls_ssl_tls13_named_group_is_ffdh(group_id)) {
Ronald Cron5b98ac92022-03-15 10:19:18 +0100[diff] [blame]186 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
187 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
188
189 /* Destroy generated private key. */
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]190 status = psa_destroy_key(ssl->handshake->xxdh_psa_privkey);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]191 if (status != PSA_SUCCESS) {
Andrzej Kurek8a045ce2022-12-23 11:00:06 -0500[diff] [blame]192 ret = PSA_TO_MBEDTLS_ERR(status);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]193 MBEDTLS_SSL_DEBUG_RET(1, "psa_destroy_key", ret);
194 return ret;
Ronald Cron5b98ac92022-03-15 10:19:18 +0100[diff] [blame]195 }
196
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]197 ssl->handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]198 return 0;
199 } else
Valerio Settic9ae8622023-07-25 11:23:50 +0200[diff] [blame]200#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]201 if (0 /* other KEMs? */) {
XiaokangQian647719a2021-12-07 09:16:29 +0000[diff] [blame]202 /* Do something */
203 }
204
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]205 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
XiaokangQian647719a2021-12-07 09:16:29 +0000[diff] [blame]206}
207
208/*
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]209 * Functions for writing key_share extension.
210 */
Ronald Cron766c0cd2022-10-18 12:17:11 +0200[diff] [blame]211#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]212MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]213static int ssl_tls13_get_default_group_id(mbedtls_ssl_context *ssl,
214 uint16_t *group_id)
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]215{
216 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
217
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]218
Przemek Stekielc89f3ea2023-05-18 15:45:53 +0200[diff] [blame]219#if defined(PSA_WANT_ALG_ECDH) || defined(PSA_WANT_ALG_FFDH)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]220 const uint16_t *group_list = mbedtls_ssl_get_groups(ssl);
Jerry Yu388bd0d2021-09-15 18:41:02 +0800[diff] [blame]221 /* Pick first available ECDHE group compatible with TLS 1.3 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]222 if (group_list == NULL) {
223 return MBEDTLS_ERR_SSL_BAD_CONFIG;
224 }
Jerry Yu388bd0d2021-09-15 18:41:02 +0800[diff] [blame]225
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]226 for (; *group_list != 0; group_list++) {
Przemek Stekiela05e9c12023-06-15 16:58:51 +0200[diff] [blame]227#if defined(PSA_WANT_ALG_ECDH)
Xiaokang Qian958b6ff2023-03-29 10:37:35 +0000[diff] [blame]228 if ((mbedtls_ssl_get_psa_curve_info_from_tls_id(
229 *group_list, NULL, NULL) == PSA_SUCCESS) &&
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]230 mbedtls_ssl_tls13_named_group_is_ecdhe(*group_list)) {
Brett Warren14efd332021-10-06 09:32:11 +0100[diff] [blame]231 *group_id = *group_list;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]232 return 0;
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]233 }
Przemek Stekiela05e9c12023-06-15 16:58:51 +0200[diff] [blame]234#endif
235#if defined(PSA_WANT_ALG_FFDH)
Przemek Stekield5f79e72023-06-29 09:08:43 +0200[diff] [blame]236 if (mbedtls_ssl_tls13_named_group_is_ffdh(*group_list)) {
Przemek Stekiela05e9c12023-06-15 16:58:51 +0200[diff] [blame]237 *group_id = *group_list;
238 return 0;
239 }
240#endif
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]241 }
242#else
243 ((void) ssl);
Jerry Yub60e3cf2021-09-08 16:41:02 +0800[diff] [blame]244 ((void) group_id);
Przemek Stekielc89f3ea2023-05-18 15:45:53 +0200[diff] [blame]245#endif /* PSA_WANT_ALG_ECDH || PSA_WANT_ALG_FFDH */
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]246
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]247 return ret;
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]248}
249
250/*
251 * ssl_tls13_write_key_share_ext
252 *
Jerry Yu388bd0d2021-09-15 18:41:02 +0800[diff] [blame]253 * Structure of key_share extension in ClientHello:
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]254 *
255 * struct {
256 * NamedGroup group;
257 * opaque key_exchange<1..2^16-1>;
258 * } KeyShareEntry;
259 * struct {
260 * KeyShareEntry client_shares<0..2^16-1>;
261 * } KeyShareClientHello;
262 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]263MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]264static int ssl_tls13_write_key_share_ext(mbedtls_ssl_context *ssl,
265 unsigned char *buf,
266 unsigned char *end,
267 size_t *out_len)
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]268{
269 unsigned char *p = buf;
Xiaofei Baieef15042021-11-18 07:29:56 +0000[diff] [blame]270 unsigned char *client_shares; /* Start of client_shares */
271 size_t client_shares_len; /* Length of client_shares */
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]272 uint16_t group_id;
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]273 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
274
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]275 *out_len = 0;
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]276
Jerry Yub60e3cf2021-09-08 16:41:02 +0800[diff] [blame]277 /* Check if we have space for header and length fields:
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]278 * - extension_type (2 bytes)
279 * - extension_data_length (2 bytes)
280 * - client_shares_length (2 bytes)
281 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]282 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 6);
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]283 p += 6;
284
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]285 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello: adding key share extension"));
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]286
287 /* HRR could already have requested something else. */
288 group_id = ssl->handshake->offered_group_id;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]289 if (!mbedtls_ssl_tls13_named_group_is_ecdhe(group_id) &&
Przemek Stekield5f79e72023-06-29 09:08:43 +0200[diff] [blame]290 !mbedtls_ssl_tls13_named_group_is_ffdh(group_id)) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]291 MBEDTLS_SSL_PROC_CHK(ssl_tls13_get_default_group_id(ssl,
292 &group_id));
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]293 }
294
295 /*
296 * Dispatch to type-specific key generation function.
297 *
298 * So far, we're only supporting ECDHE. With the introduction
299 * of PQC KEMs, we'll want to have multiple branches, one per
300 * type of KEM, and dispatch to the corresponding crypto. And
301 * only one key share entry is allowed.
302 */
Xiaofei Baieef15042021-11-18 07:29:56 +0000[diff] [blame]303 client_shares = p;
Przemek Stekielc89f3ea2023-05-18 15:45:53 +0200[diff] [blame]304#if defined(PSA_WANT_ALG_ECDH) || defined(PSA_WANT_ALG_FFDH)
305 if (mbedtls_ssl_tls13_named_group_is_ecdhe(group_id) ||
Przemek Stekield5f79e72023-06-29 09:08:43 +0200[diff] [blame]306 mbedtls_ssl_tls13_named_group_is_ffdh(group_id)) {
Jerry Yu388bd0d2021-09-15 18:41:02 +0800[diff] [blame]307 /* Pointer to group */
Xiaofei Baieef15042021-11-18 07:29:56 +0000[diff] [blame]308 unsigned char *group = p;
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]309 /* Length of key_exchange */
Przemyslaw Stekiel4f419e52022-02-10 15:56:26 +0100[diff] [blame]310 size_t key_exchange_len = 0;
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]311
312 /* Check there is space for header of KeyShareEntry
313 * - group (2 bytes)
314 * - key_exchange_length (2 bytes)
315 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]316 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 4);
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]317 p += 4;
Przemek Stekiel408569f2023-07-06 11:26:44 +0200[diff] [blame]318 ret = mbedtls_ssl_tls13_generate_and_write_xxdh_key_exchange(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]319 ssl, group_id, p, end, &key_exchange_len);
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]320 p += key_exchange_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]321 if (ret != 0) {
322 return ret;
323 }
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]324
325 /* Write group */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]326 MBEDTLS_PUT_UINT16_BE(group_id, group, 0);
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]327 /* Write key_exchange_length */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]328 MBEDTLS_PUT_UINT16_BE(key_exchange_len, group, 2);
329 } else
Przemek Stekielc89f3ea2023-05-18 15:45:53 +0200[diff] [blame]330#endif /* PSA_WANT_ALG_ECDH || PSA_WANT_ALG_FFDH */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]331 if (0 /* other KEMs? */) {
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]332 /* Do something */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]333 } else {
334 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]335 }
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]336
Jerry Yub60e3cf2021-09-08 16:41:02 +0800[diff] [blame]337 /* Length of client_shares */
Xiaofei Baieef15042021-11-18 07:29:56 +0000[diff] [blame]338 client_shares_len = p - client_shares;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]339 if (client_shares_len == 0) {
340 MBEDTLS_SSL_DEBUG_MSG(1, ("No key share defined."));
341 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Jerry Yu7c522d42021-09-08 17:55:09 +0800[diff] [blame]342 }
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]343 /* Write extension_type */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]344 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_KEY_SHARE, buf, 0);
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]345 /* Write extension_data_length */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]346 MBEDTLS_PUT_UINT16_BE(client_shares_len + 2, buf, 2);
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]347 /* Write client_shares_length */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]348 MBEDTLS_PUT_UINT16_BE(client_shares_len, buf, 4);
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]349
350 /* Update offered_group_id field */
351 ssl->handshake->offered_group_id = group_id;
352
353 /* Output the total length of key_share extension. */
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]354 *out_len = p - buf;
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]355
Xiaokang Qian91bb3f02023-04-03 09:07:03 +0000[diff] [blame]356 MBEDTLS_SSL_DEBUG_BUF(
357 3, "client hello, key_share extension", buf, *out_len);
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]358
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]359 mbedtls_ssl_tls13_set_hs_sent_ext_mask(ssl, MBEDTLS_TLS_EXT_KEY_SHARE);
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]360
361cleanup:
362
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]363 return ret;
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]364}
Ronald Cron766c0cd2022-10-18 12:17:11 +0200[diff] [blame]365#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED */
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]366
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]367/*
368 * ssl_tls13_parse_hrr_key_share_ext()
369 * Parse key_share extension in Hello Retry Request
370 *
371 * struct {
372 * NamedGroup selected_group;
373 * } KeyShareHelloRetryRequest;
374 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]375MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]376static int ssl_tls13_parse_hrr_key_share_ext(mbedtls_ssl_context *ssl,
377 const unsigned char *buf,
378 const unsigned char *end)
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]379{
Przemek Stekiel75a5a9c2023-06-12 11:21:18 +0200[diff] [blame]380#if defined(PSA_WANT_ALG_ECDH) || defined(PSA_WANT_ALG_FFDH)
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]381 const unsigned char *p = buf;
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]382 int selected_group;
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]383 int found = 0;
384
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]385 const uint16_t *group_list = mbedtls_ssl_get_groups(ssl);
386 if (group_list == NULL) {
387 return MBEDTLS_ERR_SSL_BAD_CONFIG;
388 }
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]389
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]390 MBEDTLS_SSL_DEBUG_BUF(3, "key_share extension", p, end - buf);
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]391
392 /* Read selected_group */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]393 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
394 selected_group = MBEDTLS_GET_UINT16_BE(p, 0);
395 MBEDTLS_SSL_DEBUG_MSG(3, ("selected_group ( %d )", selected_group));
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]396
397 /* Upon receipt of this extension in a HelloRetryRequest, the client
398 * MUST first verify that the selected_group field corresponds to a
399 * group which was provided in the "supported_groups" extension in the
400 * original ClientHello.
401 * The supported_group was based on the info in ssl->conf->group_list.
402 *
403 * If the server provided a key share that was not sent in the ClientHello
404 * then the client MUST abort the handshake with an "illegal_parameter" alert.
405 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]406 for (; *group_list != 0; group_list++) {
Przemek Stekiel75a5a9c2023-06-12 11:21:18 +0200[diff] [blame]407#if defined(PSA_WANT_ALG_ECDH)
Przemek Stekielc89f3ea2023-05-18 15:45:53 +0200[diff] [blame]408 if (mbedtls_ssl_tls13_named_group_is_ecdhe(*group_list)) {
409 if ((mbedtls_ssl_get_psa_curve_info_from_tls_id(
410 *group_list, NULL, NULL) == PSA_ERROR_NOT_SUPPORTED) ||
411 *group_list != selected_group) {
412 found = 1;
413 break;
414 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]415 }
Przemek Stekiel75a5a9c2023-06-12 11:21:18 +0200[diff] [blame]416#endif /* PSA_WANT_ALG_ECDH */
417#if defined(PSA_WANT_ALG_FFDH)
Przemek Stekield5f79e72023-06-29 09:08:43 +0200[diff] [blame]418 if (mbedtls_ssl_tls13_named_group_is_ffdh(*group_list)) {
Przemek Stekielc89f3ea2023-05-18 15:45:53 +0200[diff] [blame]419 found = 1;
420 break;
421 }
Przemek Stekiel75a5a9c2023-06-12 11:21:18 +0200[diff] [blame]422#endif /* PSA_WANT_ALG_FFDH */
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]423 }
424
425 /* Client MUST verify that the selected_group field does not
426 * correspond to a group which was provided in the "key_share"
427 * extension in the original ClientHello. If the server sent an
428 * HRR message with a key share already provided in the
429 * ClientHello then the client MUST abort the handshake with
430 * an "illegal_parameter" alert.
431 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]432 if (found == 0 || selected_group == ssl->handshake->offered_group_id) {
433 MBEDTLS_SSL_DEBUG_MSG(1, ("Invalid key share in HRR"));
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]434 MBEDTLS_SSL_PEND_FATAL_ALERT(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]435 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
436 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
437 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]438 }
439
440 /* Remember server's preference for next ClientHello */
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]441 ssl->handshake->offered_group_id = selected_group;
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]442
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]443 return 0;
Przemek Stekiel75a5a9c2023-06-12 11:21:18 +0200[diff] [blame]444#else /* PSA_WANT_ALG_ECDH || PSA_WANT_ALG_FFDH */
Andrzej Kurekc19fb082022-10-03 10:52:24 -0400[diff] [blame]445 (void) ssl;
446 (void) buf;
447 (void) end;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]448 return MBEDTLS_ERR_SSL_BAD_CONFIG;
Przemek Stekiel75a5a9c2023-06-12 11:21:18 +0200[diff] [blame]449#endif /* PSA_WANT_ALG_ECDH || PSA_WANT_ALG_FFDH */
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]450}
451
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]452/*
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]453 * ssl_tls13_parse_key_share_ext()
454 * Parse key_share extension in Server Hello
455 *
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]456 * struct {
457 * KeyShareEntry server_share;
458 * } KeyShareServerHello;
459 * struct {
460 * NamedGroup group;
461 * opaque key_exchange<1..2^16-1>;
462 * } KeyShareEntry;
463 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]464MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]465static int ssl_tls13_parse_key_share_ext(mbedtls_ssl_context *ssl,
466 const unsigned char *buf,
467 const unsigned char *end)
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]468{
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]469 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]470 const unsigned char *p = buf;
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]471 uint16_t group, offered_group;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]472
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]473 /* ...
474 * NamedGroup group; (2 bytes)
475 * ...
476 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]477 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
478 group = MBEDTLS_GET_UINT16_BE(p, 0);
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]479 p += 2;
480
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]481 /* Check that the chosen group matches the one we offered. */
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]482 offered_group = ssl->handshake->offered_group_id;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]483 if (offered_group != group) {
Xiaokang Qian958b6ff2023-03-29 10:37:35 +0000[diff] [blame]484 MBEDTLS_SSL_DEBUG_MSG(
485 1, ("Invalid server key share, our group %u, their group %u",
486 (unsigned) offered_group, (unsigned) group));
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]487 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
488 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE);
489 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]490 }
491
Valerio Settic9ae8622023-07-25 11:23:50 +0200[diff] [blame]492#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)
Przemek Stekielc89f3ea2023-05-18 15:45:53 +0200[diff] [blame]493 if (mbedtls_ssl_tls13_named_group_is_ecdhe(group) ||
Przemek Stekield5f79e72023-06-29 09:08:43 +0200[diff] [blame]494 mbedtls_ssl_tls13_named_group_is_ffdh(group)) {
Przemek Stekiel75a5a9c2023-06-12 11:21:18 +0200[diff] [blame]495 MBEDTLS_SSL_DEBUG_MSG(2,
496 ("DHE group name: %s", mbedtls_ssl_named_group_to_str(group)));
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]497 ret = mbedtls_ssl_tls13_read_public_xxdhe_share(ssl, p, end - p);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]498 if (ret != 0) {
499 return ret;
500 }
501 } else
Valerio Settic9ae8622023-07-25 11:23:50 +0200[diff] [blame]502#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]503 if (0 /* other KEMs? */) {
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]504 /* Do something */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]505 } else {
506 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]507 }
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]508
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]509 return ret;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]510}
511
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]512/*
513 * ssl_tls13_parse_cookie_ext()
514 * Parse cookie extension in Hello Retry Request
515 *
516 * struct {
517 * opaque cookie<1..2^16-1>;
518 * } Cookie;
519 *
520 * When sending a HelloRetryRequest, the server MAY provide a "cookie"
521 * extension to the client (this is an exception to the usual rule that
522 * the only extensions that may be sent are those that appear in the
523 * ClientHello). When sending the new ClientHello, the client MUST copy
524 * the contents of the extension received in the HelloRetryRequest into
525 * a "cookie" extension in the new ClientHello. Clients MUST NOT use
526 * cookies in their initial ClientHello in subsequent connections.
527 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]528MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]529static int ssl_tls13_parse_cookie_ext(mbedtls_ssl_context *ssl,
530 const unsigned char *buf,
531 const unsigned char *end)
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]532{
XiaokangQian25c9c902022-02-08 10:49:53 +0000[diff] [blame]533 uint16_t cookie_len;
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]534 const unsigned char *p = buf;
535 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
536
537 /* Retrieve length field of cookie */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]538 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
539 cookie_len = MBEDTLS_GET_UINT16_BE(p, 0);
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]540 p += 2;
541
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]542 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, cookie_len);
543 MBEDTLS_SSL_DEBUG_BUF(3, "cookie extension", p, cookie_len);
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]544
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]545 mbedtls_free(handshake->cookie);
Jerry Yuac5ca5a2022-03-04 12:50:46 +0800[diff] [blame]546 handshake->cookie_len = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]547 handshake->cookie = mbedtls_calloc(1, cookie_len);
548 if (handshake->cookie == NULL) {
549 MBEDTLS_SSL_DEBUG_MSG(1,
550 ("alloc failed ( %ud bytes )",
551 cookie_len));
552 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]553 }
554
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]555 memcpy(handshake->cookie, p, cookie_len);
Jerry Yuac5ca5a2022-03-04 12:50:46 +0800[diff] [blame]556 handshake->cookie_len = cookie_len;
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]557
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]558 return 0;
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]559}
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]560
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]561MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]562static int ssl_tls13_write_cookie_ext(mbedtls_ssl_context *ssl,
563 unsigned char *buf,
564 unsigned char *end,
565 size_t *out_len)
XiaokangQian0b64eed2022-01-27 10:36:51 +0000[diff] [blame]566{
567 unsigned char *p = buf;
XiaokangQian9deb90f2022-02-08 10:31:07 +0000[diff] [blame]568 *out_len = 0;
XiaokangQianc02768a2022-02-10 07:31:25 +0000[diff] [blame]569 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
XiaokangQian0b64eed2022-01-27 10:36:51 +0000[diff] [blame]570
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]571 if (handshake->cookie == NULL) {
572 MBEDTLS_SSL_DEBUG_MSG(3, ("no cookie to send; skip extension"));
573 return 0;
XiaokangQian0b64eed2022-01-27 10:36:51 +0000[diff] [blame]574 }
575
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]576 MBEDTLS_SSL_DEBUG_BUF(3, "client hello, cookie",
577 handshake->cookie,
578 handshake->cookie_len);
XiaokangQian0b64eed2022-01-27 10:36:51 +0000[diff] [blame]579
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]580 MBEDTLS_SSL_CHK_BUF_PTR(p, end, handshake->cookie_len + 6);
XiaokangQian0b64eed2022-01-27 10:36:51 +0000[diff] [blame]581
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]582 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, adding cookie extension"));
XiaokangQian0b64eed2022-01-27 10:36:51 +0000[diff] [blame]583
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]584 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_COOKIE, p, 0);
585 MBEDTLS_PUT_UINT16_BE(handshake->cookie_len + 2, p, 2);
586 MBEDTLS_PUT_UINT16_BE(handshake->cookie_len, p, 4);
XiaokangQian233397e2022-02-07 08:32:16 +0000[diff] [blame]587 p += 6;
XiaokangQian0b64eed2022-01-27 10:36:51 +0000[diff] [blame]588
589 /* Cookie */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]590 memcpy(p, handshake->cookie, handshake->cookie_len);
XiaokangQian0b64eed2022-01-27 10:36:51 +0000[diff] [blame]591
Jerry Yuac5ca5a2022-03-04 12:50:46 +0800[diff] [blame]592 *out_len = handshake->cookie_len + 6;
XiaokangQian0b64eed2022-01-27 10:36:51 +0000[diff] [blame]593
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]594 mbedtls_ssl_tls13_set_hs_sent_ext_mask(ssl, MBEDTLS_TLS_EXT_COOKIE);
Jerry Yu4b8f2f72022-10-31 13:31:22 +0800[diff] [blame]595
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]596 return 0;
XiaokangQian0b64eed2022-01-27 10:36:51 +0000[diff] [blame]597}
598
Ronald Cron41a443a2022-10-04 16:38:25 +0200[diff] [blame]599#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]600/*
601 * ssl_tls13_write_psk_key_exchange_modes_ext() structure:
602 *
603 * enum { psk_ke( 0 ), psk_dhe_ke( 1 ), ( 255 ) } PskKeyExchangeMode;
604 *
605 * struct {
606 * PskKeyExchangeMode ke_modes<1..255>;
607 * } PskKeyExchangeModes;
608 */
XiaokangQian86981952022-07-19 09:51:50 +0000[diff] [blame]609MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]610static int ssl_tls13_write_psk_key_exchange_modes_ext(mbedtls_ssl_context *ssl,
611 unsigned char *buf,
612 unsigned char *end,
613 size_t *out_len)
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]614{
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]615 unsigned char *p = buf;
XiaokangQian008d2bf2022-07-14 07:54:01 +0000[diff] [blame]616 int ke_modes_len = 0;
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]617
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]618 ((void) ke_modes_len);
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]619 *out_len = 0;
XiaokangQian008d2bf2022-07-14 07:54:01 +0000[diff] [blame]620
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]621 /* Skip writing extension if no PSK key exchange mode
XiaokangQian7c12d312022-07-20 07:25:43 +0000[diff] [blame]622 * is enabled in the config.
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]623 */
Pengyu Lv0a1ff2b2023-11-14 11:03:32 +0800[diff] [blame]624 if (!mbedtls_ssl_conf_tls13_is_some_psk_enabled(ssl)) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]625 MBEDTLS_SSL_DEBUG_MSG(3, ("skip psk_key_exchange_modes extension"));
626 return 0;
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]627 }
628
629 /* Require 7 bytes of data, otherwise fail,
630 * even if extension might be shorter.
631 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]632 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 7);
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]633 MBEDTLS_SSL_DEBUG_MSG(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]634 3, ("client hello, adding psk_key_exchange_modes extension"));
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]635
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]636 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES, p, 0);
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]637
XiaokangQian008d2bf2022-07-14 07:54:01 +0000[diff] [blame]638 /* Skip extension length (2 bytes) and
639 * ke_modes length (1 byte) for now.
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]640 */
641 p += 5;
642
Pengyu Lv0a1ff2b2023-11-14 11:03:32 +0800[diff] [blame]643 if (mbedtls_ssl_conf_tls13_is_psk_ephemeral_enabled(ssl)) {
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]644 *p++ = MBEDTLS_SSL_TLS1_3_PSK_MODE_ECDHE;
XiaokangQian008d2bf2022-07-14 07:54:01 +0000[diff] [blame]645 ke_modes_len++;
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]646
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]647 MBEDTLS_SSL_DEBUG_MSG(4, ("Adding PSK-ECDHE key exchange mode"));
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]648 }
649
Pengyu Lv0a1ff2b2023-11-14 11:03:32 +0800[diff] [blame]650 if (mbedtls_ssl_conf_tls13_is_psk_enabled(ssl)) {
Ronald Crona709a0f2022-09-27 16:46:11 +0200[diff] [blame]651 *p++ = MBEDTLS_SSL_TLS1_3_PSK_MODE_PURE;
652 ke_modes_len++;
653
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]654 MBEDTLS_SSL_DEBUG_MSG(4, ("Adding pure PSK key exchange mode"));
Ronald Crona709a0f2022-09-27 16:46:11 +0200[diff] [blame]655 }
656
XiaokangQian008d2bf2022-07-14 07:54:01 +0000[diff] [blame]657 /* Now write the extension and ke_modes length */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]658 MBEDTLS_PUT_UINT16_BE(ke_modes_len + 1, buf, 2);
XiaokangQian008d2bf2022-07-14 07:54:01 +0000[diff] [blame]659 buf[4] = ke_modes_len;
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]660
661 *out_len = p - buf;
Jerry Yu0c354a22022-08-29 15:25:36 +0800[diff] [blame]662
Jerry Yuc4bf5d62022-10-29 09:08:47 +0800[diff] [blame]663 mbedtls_ssl_tls13_set_hs_sent_ext_mask(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]664 ssl, MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES);
Jerry Yu4b8f2f72022-10-31 13:31:22 +0800[diff] [blame]665
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]666 return 0;
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]667}
Jerry Yudb8c5fa2022-08-03 12:10:13 +0800[diff] [blame]668
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]669static psa_algorithm_t ssl_tls13_get_ciphersuite_hash_alg(int ciphersuite)
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]670{
Jerry Yu21f90952022-10-08 10:30:53 +0800[diff] [blame]671 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = NULL;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]672 ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(ciphersuite);
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]673
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]674 if (ciphersuite_info != NULL) {
Dave Rodgman2eab4622023-10-05 13:30:37 +0100[diff] [blame]675 return mbedtls_md_psa_alg_from_type((mbedtls_md_type_t) ciphersuite_info->mac);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]676 }
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]677
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]678 return PSA_ALG_NONE;
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]679}
680
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]681#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]682static int ssl_tls13_has_configured_ticket(mbedtls_ssl_context *ssl)
Xiaokang Qianb781a232022-11-01 07:39:46 +0000[diff] [blame]683{
684 mbedtls_ssl_session *session = ssl->session_negotiate;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]685 return ssl->handshake->resume &&
Pengyu Lv93566782022-12-07 12:10:05 +0800[diff] [blame]686 session != NULL && session->ticket != NULL &&
Pengyu Lvfc2cb962023-11-10 10:22:36 +0800[diff] [blame]687 mbedtls_ssl_conf_tls13_is_kex_mode_enabled(
Pengyu Lv94a42cc2023-12-06 10:04:17 +0800[diff] [blame]688 ssl, mbedtls_ssl_tls13_session_get_ticket_flags(
Pengyu Lv9b84ea72023-01-16 14:08:23 +0800[diff] [blame]689 session, MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL));
Xiaokang Qianb781a232022-11-01 07:39:46 +0000[diff] [blame]690}
691
Xiaokang Qian01323a42022-11-03 02:27:35 +0000[diff] [blame]692#if defined(MBEDTLS_SSL_EARLY_DATA)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]693static int ssl_tls13_early_data_has_valid_ticket(mbedtls_ssl_context *ssl)
Xiaokang Qian01323a42022-11-03 02:27:35 +0000[diff] [blame]694{
695 mbedtls_ssl_session *session = ssl->session_negotiate;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]696 return ssl->handshake->resume &&
697 session->tls_version == MBEDTLS_SSL_VERSION_TLS1_3 &&
Pengyu Lv94a42cc2023-12-06 10:04:17 +0800[diff] [blame]698 mbedtls_ssl_tls13_session_ticket_allow_early_data(session) &&
Jerry Yuc2b1bc42023-11-22 10:08:13 +0800[diff] [blame]699 mbedtls_ssl_tls13_cipher_suite_is_offered(ssl, session->ciphersuite);
Xiaokang Qian01323a42022-11-03 02:27:35 +0000[diff] [blame]700}
701#endif
702
Xiaokang Qianb781a232022-11-01 07:39:46 +0000[diff] [blame]703MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]704static int ssl_tls13_ticket_get_identity(mbedtls_ssl_context *ssl,
705 psa_algorithm_t *hash_alg,
706 const unsigned char **identity,
707 size_t *identity_len)
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]708{
709 mbedtls_ssl_session *session = ssl->session_negotiate;
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]710
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]711 if (!ssl_tls13_has_configured_ticket(ssl)) {
712 return -1;
713 }
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]714
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]715 *hash_alg = ssl_tls13_get_ciphersuite_hash_alg(session->ciphersuite);
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]716 *identity = session->ticket;
717 *identity_len = session->ticket_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]718 return 0;
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]719}
720
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]721MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]722static int ssl_tls13_ticket_get_psk(mbedtls_ssl_context *ssl,
723 psa_algorithm_t *hash_alg,
724 const unsigned char **psk,
725 size_t *psk_len)
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]726{
727
728 mbedtls_ssl_session *session = ssl->session_negotiate;
729
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]730 if (!ssl_tls13_has_configured_ticket(ssl)) {
731 return -1;
732 }
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]733
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]734 *hash_alg = ssl_tls13_get_ciphersuite_hash_alg(session->ciphersuite);
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]735 *psk = session->resumption_key;
736 *psk_len = session->resumption_key_len;
737
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]738 return 0;
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]739}
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]740#endif /* MBEDTLS_SSL_SESSION_TICKETS */
741
742MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]743static int ssl_tls13_psk_get_identity(mbedtls_ssl_context *ssl,
744 psa_algorithm_t *hash_alg,
745 const unsigned char **identity,
746 size_t *identity_len)
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]747{
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]748
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]749 if (!mbedtls_ssl_conf_has_static_psk(ssl->conf)) {
750 return -1;
751 }
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]752
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]753 *hash_alg = PSA_ALG_SHA_256;
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]754 *identity = ssl->conf->psk_identity;
755 *identity_len = ssl->conf->psk_identity_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]756 return 0;
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]757}
758
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]759MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]760static int ssl_tls13_psk_get_psk(mbedtls_ssl_context *ssl,
761 psa_algorithm_t *hash_alg,
762 const unsigned char **psk,
763 size_t *psk_len)
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]764{
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]765
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]766 if (!mbedtls_ssl_conf_has_static_psk(ssl->conf)) {
767 return -1;
768 }
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]769
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]770 *hash_alg = PSA_ALG_SHA_256;
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]771 *psk = ssl->conf->psk;
772 *psk_len = ssl->conf->psk_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]773 return 0;
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]774}
775
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]776static int ssl_tls13_get_configured_psk_count(mbedtls_ssl_context *ssl)
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]777{
778 int configured_psk_count = 0;
779#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]780 if (ssl_tls13_has_configured_ticket(ssl)) {
781 MBEDTLS_SSL_DEBUG_MSG(3, ("Ticket is configured"));
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]782 configured_psk_count++;
783 }
784#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]785 if (mbedtls_ssl_conf_has_static_psk(ssl->conf)) {
786 MBEDTLS_SSL_DEBUG_MSG(3, ("PSK is configured"));
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]787 configured_psk_count++;
788 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]789 return configured_psk_count;
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]790}
791
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]792MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]793static int ssl_tls13_write_identity(mbedtls_ssl_context *ssl,
794 unsigned char *buf,
795 unsigned char *end,
796 const unsigned char *identity,
797 size_t identity_len,
798 uint32_t obfuscated_ticket_age,
799 size_t *out_len)
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]800{
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]801 ((void) ssl);
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]802 *out_len = 0;
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]803
804 /*
805 * - identity_len (2 bytes)
806 * - identity (psk_identity_len bytes)
807 * - obfuscated_ticket_age (4 bytes)
808 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]809 MBEDTLS_SSL_CHK_BUF_PTR(buf, end, 6 + identity_len);
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]810
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]811 MBEDTLS_PUT_UINT16_BE(identity_len, buf, 0);
812 memcpy(buf + 2, identity, identity_len);
813 MBEDTLS_PUT_UINT32_BE(obfuscated_ticket_age, buf, 2 + identity_len);
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]814
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]815 MBEDTLS_SSL_DEBUG_BUF(4, "write identity", buf, 6 + identity_len);
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]816
817 *out_len = 6 + identity_len;
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]818
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]819 return 0;
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]820}
821
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]822MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]823static int ssl_tls13_write_binder(mbedtls_ssl_context *ssl,
824 unsigned char *buf,
825 unsigned char *end,
826 int psk_type,
827 psa_algorithm_t hash_alg,
828 const unsigned char *psk,
829 size_t psk_len,
830 size_t *out_len)
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]831{
832 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]833 unsigned char binder_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]834 unsigned char transcript[MBEDTLS_TLS1_3_MD_MAX_SIZE];
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]835 size_t transcript_len = 0;
836
837 *out_len = 0;
838
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]839 binder_len = PSA_HASH_LENGTH(hash_alg);
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]840
841 /*
842 * - binder_len (1 bytes)
843 * - binder (binder_len bytes)
844 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]845 MBEDTLS_SSL_CHK_BUF_PTR(buf, end, 1 + binder_len);
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]846
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]847 buf[0] = binder_len;
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]848
849 /* Get current state of handshake transcript. */
850 ret = mbedtls_ssl_get_handshake_transcript(
Manuel Pégourié-Gonnard2d6d9932023-03-28 11:38:08 +0200[diff] [blame]851 ssl, mbedtls_md_type_from_psa_alg(hash_alg),
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]852 transcript, sizeof(transcript), &transcript_len);
853 if (ret != 0) {
854 return ret;
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]855 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]856
857 ret = mbedtls_ssl_tls13_create_psk_binder(ssl, hash_alg,
858 psk, psk_len, psk_type,
859 transcript, buf + 1);
860 if (ret != 0) {
861 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_tls13_create_psk_binder", ret);
862 return ret;
863 }
864 MBEDTLS_SSL_DEBUG_BUF(4, "write binder", buf, 1 + binder_len);
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]865
866 *out_len = 1 + binder_len;
867
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]868 return 0;
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]869}
870
871/*
872 * mbedtls_ssl_tls13_write_identities_of_pre_shared_key_ext() structure:
873 *
874 * struct {
875 * opaque identity<1..2^16-1>;
876 * uint32 obfuscated_ticket_age;
877 * } PskIdentity;
878 *
879 * opaque PskBinderEntry<32..255>;
880 *
881 * struct {
882 * PskIdentity identities<7..2^16-1>;
883 * PskBinderEntry binders<33..2^16-1>;
884 * } OfferedPsks;
885 *
886 * struct {
887 * select (Handshake.msg_type) {
888 * case client_hello: OfferedPsks;
889 * ...
890 * };
891 * } PreSharedKeyExtension;
892 *
893 */
XiaokangQian3ad67bf2022-07-21 02:26:21 +0000[diff] [blame]894int mbedtls_ssl_tls13_write_identities_of_pre_shared_key_ext(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]895 mbedtls_ssl_context *ssl, unsigned char *buf, unsigned char *end,
896 size_t *out_len, size_t *binders_len)
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]897{
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]898 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]899 int configured_psk_count = 0;
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]900 unsigned char *p = buf;
Xiaokang Qian854db282022-12-19 07:31:27 +0000[diff] [blame]901 psa_algorithm_t hash_alg = PSA_ALG_NONE;
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]902 const unsigned char *identity;
903 size_t identity_len;
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]904 size_t l_binders_len = 0;
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]905 size_t output_len;
Xiaokang Qian7179f812023-02-03 03:38:44 +0000[diff] [blame]906
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]907 *out_len = 0;
908 *binders_len = 0;
909
910 /* Check if we have any PSKs to offer. If no, skip pre_shared_key */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]911 configured_psk_count = ssl_tls13_get_configured_psk_count(ssl);
912 if (configured_psk_count == 0) {
913 MBEDTLS_SSL_DEBUG_MSG(3, ("skip pre_shared_key extensions"));
914 return 0;
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]915 }
916
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]917 MBEDTLS_SSL_DEBUG_MSG(4, ("Pre-configured PSK number = %d",
918 configured_psk_count));
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]919
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]920 /* Check if we have space to write the extension, binders included.
921 * - extension_type (2 bytes)
922 * - extension_data_len (2 bytes)
923 * - identities_len (2 bytes)
924 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]925 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 6);
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]926 p += 6;
927
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]928#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]929 if (ssl_tls13_ticket_get_identity(
930 ssl, &hash_alg, &identity, &identity_len) == 0) {
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]931#if defined(MBEDTLS_HAVE_TIME)
Jerry Yucebffc32022-12-15 18:00:05 +0800[diff] [blame]932 mbedtls_ms_time_t now = mbedtls_ms_time();
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]933 mbedtls_ssl_session *session = ssl->session_negotiate;
Jerry Yucf913512023-11-14 11:06:52 +0800[diff] [blame]934 /* The ticket age has been checked to be smaller than the
Jerry Yu46c79262023-11-10 13:58:16 +0800[diff] [blame]935 * `ticket_lifetime` in ssl_prepare_client_hello() which is smaller than
936 * 7 days (enforced in ssl_tls13_parse_new_session_ticket()) . Thus the
937 * cast to `uint32_t` of the ticket age is safe. */
Jerry Yu6916e702022-10-10 21:33:51 +0800[diff] [blame]938 uint32_t obfuscated_ticket_age =
Jerry Yu342a5552023-11-10 14:23:39 +0800[diff] [blame]939 (uint32_t) (now - session->ticket_reception_time);
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]940 obfuscated_ticket_age += session->ticket_age_add;
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]941
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]942 ret = ssl_tls13_write_identity(ssl, p, end,
943 identity, identity_len,
944 obfuscated_ticket_age,
945 &output_len);
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]946#else
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]947 ret = ssl_tls13_write_identity(ssl, p, end, identity, identity_len,
948 0, &output_len);
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]949#endif /* MBEDTLS_HAVE_TIME */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]950 if (ret != 0) {
951 return ret;
952 }
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]953
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]954 p += output_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]955 l_binders_len += 1 + PSA_HASH_LENGTH(hash_alg);
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]956 }
957#endif /* MBEDTLS_SSL_SESSION_TICKETS */
958
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]959 if (ssl_tls13_psk_get_identity(
960 ssl, &hash_alg, &identity, &identity_len) == 0) {
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]961
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]962 ret = ssl_tls13_write_identity(ssl, p, end, identity, identity_len, 0,
963 &output_len);
964 if (ret != 0) {
965 return ret;
966 }
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]967
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]968 p += output_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]969 l_binders_len += 1 + PSA_HASH_LENGTH(hash_alg);
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]970 }
971
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]972 MBEDTLS_SSL_DEBUG_MSG(3,
973 ("client hello, adding pre_shared_key extension, "
974 "omitting PSK binder list"));
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]975
976 /* Take into account the two bytes for the length of the binders. */
977 l_binders_len += 2;
Jerry Yu6916e702022-10-10 21:33:51 +0800[diff] [blame]978 /* Check if there is enough space for binders */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]979 MBEDTLS_SSL_CHK_BUF_PTR(p, end, l_binders_len);
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]980
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]981 /*
982 * - extension_type (2 bytes)
983 * - extension_data_len (2 bytes)
984 * - identities_len (2 bytes)
985 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]986 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_PRE_SHARED_KEY, buf, 0);
987 MBEDTLS_PUT_UINT16_BE(p - buf - 4 + l_binders_len, buf, 2);
988 MBEDTLS_PUT_UINT16_BE(p - buf - 6, buf, 4);
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]989
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]990 *out_len = (p - buf) + l_binders_len;
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]991 *binders_len = l_binders_len;
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]992
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]993 MBEDTLS_SSL_DEBUG_BUF(3, "pre_shared_key identities", buf, p - buf);
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]994
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]995 return 0;
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]996}
997
XiaokangQian86981952022-07-19 09:51:50 +0000[diff] [blame]998int mbedtls_ssl_tls13_write_binders_of_pre_shared_key_ext(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]999 mbedtls_ssl_context *ssl, unsigned char *buf, unsigned char *end)
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]1000{
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]1001 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1002 unsigned char *p = buf;
Jerry Yu6183cc72022-09-30 11:08:57 +0800[diff] [blame]1003 psa_algorithm_t hash_alg = PSA_ALG_NONE;
1004 const unsigned char *psk;
1005 size_t psk_len;
1006 size_t output_len;
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]1007
1008 /* Check if we have space to write binders_len.
1009 * - binders_len (2 bytes)
1010 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1011 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2);
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]1012 p += 2;
1013
Jerry Yu6183cc72022-09-30 11:08:57 +0800[diff] [blame]1014#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1015 if (ssl_tls13_ticket_get_psk(ssl, &hash_alg, &psk, &psk_len) == 0) {
Jerry Yu6183cc72022-09-30 11:08:57 +0800[diff] [blame]1016
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1017 ret = ssl_tls13_write_binder(ssl, p, end,
1018 MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION,
1019 hash_alg, psk, psk_len,
1020 &output_len);
1021 if (ret != 0) {
1022 return ret;
1023 }
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]1024 p += output_len;
1025 }
Jerry Yu6183cc72022-09-30 11:08:57 +0800[diff] [blame]1026#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]1027
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1028 if (ssl_tls13_psk_get_psk(ssl, &hash_alg, &psk, &psk_len) == 0) {
Jerry Yu6183cc72022-09-30 11:08:57 +0800[diff] [blame]1029
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1030 ret = ssl_tls13_write_binder(ssl, p, end,
1031 MBEDTLS_SSL_TLS1_3_PSK_EXTERNAL,
1032 hash_alg, psk, psk_len,
1033 &output_len);
1034 if (ret != 0) {
1035 return ret;
1036 }
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]1037 p += output_len;
1038 }
1039
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1040 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, adding PSK binder list."));
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]1041
1042 /*
1043 * - binders_len (2 bytes)
1044 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1045 MBEDTLS_PUT_UINT16_BE(p - buf - 2, buf, 0);
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]1046
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1047 MBEDTLS_SSL_DEBUG_BUF(3, "pre_shared_key binders", buf, p - buf);
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]1048
Jerry Yuc4bf5d62022-10-29 09:08:47 +0800[diff] [blame]1049 mbedtls_ssl_tls13_set_hs_sent_ext_mask(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1050 ssl, MBEDTLS_TLS_EXT_PRE_SHARED_KEY);
Jerry Yu0c354a22022-08-29 15:25:36 +0800[diff] [blame]1051
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1052 return 0;
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]1053}
Jerry Yu0c6105b2022-08-12 17:26:40 +0800[diff] [blame]1054
1055/*
1056 * struct {
1057 * opaque identity<1..2^16-1>;
1058 * uint32 obfuscated_ticket_age;
1059 * } PskIdentity;
1060 *
1061 * opaque PskBinderEntry<32..255>;
1062 *
1063 * struct {
1064 *
1065 * select (Handshake.msg_type) {
1066 * ...
1067 * case server_hello: uint16 selected_identity;
1068 * };
1069 *
1070 * } PreSharedKeyExtension;
1071 *
1072 */
1073MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1074static int ssl_tls13_parse_server_pre_shared_key_ext(mbedtls_ssl_context *ssl,
1075 const unsigned char *buf,
1076 const unsigned char *end)
Jerry Yu0c6105b2022-08-12 17:26:40 +0800[diff] [blame]1077{
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]1078 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yub300e3c2022-09-28 22:12:07 +0800[diff] [blame]1079 int selected_identity;
Jerry Yub300e3c2022-09-28 22:12:07 +0800[diff] [blame]1080 const unsigned char *psk;
1081 size_t psk_len;
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]1082 psa_algorithm_t hash_alg;
Jerry Yub300e3c2022-09-28 22:12:07 +0800[diff] [blame]1083
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1084 MBEDTLS_SSL_CHK_BUF_READ_PTR(buf, end, 2);
1085 selected_identity = MBEDTLS_GET_UINT16_BE(buf, 0);
Xiaokang Qian2a674932023-01-04 03:15:09 +0000[diff] [blame]1086 ssl->handshake->selected_identity = (uint16_t) selected_identity;
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]1087
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1088 MBEDTLS_SSL_DEBUG_MSG(3, ("selected_identity = %d", selected_identity));
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]1089
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1090 if (selected_identity >= ssl_tls13_get_configured_psk_count(ssl)) {
1091 MBEDTLS_SSL_DEBUG_MSG(1, ("Invalid PSK identity."));
Jerry Yu4a698342022-09-30 12:22:01 +0800[diff] [blame]1092
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1093 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
1094 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
1095 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Jerry Yub300e3c2022-09-28 22:12:07 +0800[diff] [blame]1096 }
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]1097
Jerry Yu4a698342022-09-30 12:22:01 +0800[diff] [blame]1098#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1099 if (selected_identity == 0 && ssl_tls13_has_configured_ticket(ssl)) {
1100 ret = ssl_tls13_ticket_get_psk(ssl, &hash_alg, &psk, &psk_len);
1101 } else
Jerry Yu4a698342022-09-30 12:22:01 +0800[diff] [blame]1102#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1103 if (mbedtls_ssl_conf_has_static_psk(ssl->conf)) {
1104 ret = ssl_tls13_psk_get_psk(ssl, &hash_alg, &psk, &psk_len);
1105 } else {
1106 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
1107 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Jerry Yub300e3c2022-09-28 22:12:07 +0800[diff] [blame]1108 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1109 if (ret != 0) {
1110 return ret;
Jerry Yub300e3c2022-09-28 22:12:07 +0800[diff] [blame]1111 }
Jerry Yub300e3c2022-09-28 22:12:07 +0800[diff] [blame]1112
Dave Rodgman2eab4622023-10-05 13:30:37 +0100[diff] [blame]1113 if (mbedtls_md_psa_alg_from_type((mbedtls_md_type_t) ssl->handshake->ciphersuite_info->mac)
Xiaokang Qianeb31cbc2023-02-07 02:08:56 +0000[diff] [blame]1114 != hash_alg) {
1115 MBEDTLS_SSL_DEBUG_MSG(
1116 1, ("Invalid ciphersuite for external psk."));
1117
1118 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
1119 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
1120 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
1121 }
1122
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1123 ret = mbedtls_ssl_set_hs_psk(ssl, psk, psk_len);
1124 if (ret != 0) {
1125 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_set_hs_psk", ret);
1126 return ret;
1127 }
1128
1129 return 0;
Jerry Yu0c6105b2022-08-12 17:26:40 +0800[diff] [blame]1130}
Ronald Cron41a443a2022-10-04 16:38:25 +0200[diff] [blame]1131#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]1132
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1133int mbedtls_ssl_tls13_write_client_hello_exts(mbedtls_ssl_context *ssl,
1134 unsigned char *buf,
1135 unsigned char *end,
1136 size_t *out_len)
Ronald Cron04fbd2b2022-02-18 12:06:07 +0100[diff] [blame]1137{
1138 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1139 unsigned char *p = buf;
1140 size_t ext_len;
1141
1142 *out_len = 0;
1143
1144 /* Write supported_versions extension
1145 *
1146 * Supported Versions Extension is mandatory with TLS 1.3.
1147 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1148 ret = ssl_tls13_write_supported_versions_ext(ssl, p, end, &ext_len);
1149 if (ret != 0) {
1150 return ret;
1151 }
Ronald Cron04fbd2b2022-02-18 12:06:07 +0100[diff] [blame]1152 p += ext_len;
1153
1154 /* Echo the cookie if the server provided one in its preceding
1155 * HelloRetryRequest message.
1156 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1157 ret = ssl_tls13_write_cookie_ext(ssl, p, end, &ext_len);
1158 if (ret != 0) {
1159 return ret;
1160 }
Ronald Cron04fbd2b2022-02-18 12:06:07 +0100[diff] [blame]1161 p += ext_len;
1162
Yanray Wang42017cd2023-11-08 11:15:23 +0800[diff] [blame]1163#if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
1164 ret = mbedtls_ssl_tls13_write_record_size_limit_ext(
Waleed Elmelegy148dfb62024-01-04 18:02:35 +0000[diff] [blame]1165 ssl, p, end, &ext_len);
Yanray Wang42017cd2023-11-08 11:15:23 +0800[diff] [blame]1166 if (ret != 0) {
1167 return ret;
1168 }
1169 p += ext_len;
1170#endif
1171
Ronald Cron766c0cd2022-10-18 12:17:11 +0200[diff] [blame]1172#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)
Pengyu Lv0a1ff2b2023-11-14 11:03:32 +0800[diff] [blame]1173 if (mbedtls_ssl_conf_tls13_is_some_ephemeral_enabled(ssl)) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1174 ret = ssl_tls13_write_key_share_ext(ssl, p, end, &ext_len);
1175 if (ret != 0) {
1176 return ret;
1177 }
Ronald Cron04fbd2b2022-02-18 12:06:07 +0100[diff] [blame]1178 p += ext_len;
1179 }
Ronald Cron766c0cd2022-10-18 12:17:11 +0200[diff] [blame]1180#endif
Ronald Cron04fbd2b2022-02-18 12:06:07 +0100[diff] [blame]1181
Xiaokang Qian0e97d4d2022-10-24 11:12:51 +0000[diff] [blame]1182#if defined(MBEDTLS_SSL_EARLY_DATA)
Pengyu Lv0a1ff2b2023-11-14 11:03:32 +0800[diff] [blame]1183 if (mbedtls_ssl_conf_tls13_is_some_psk_enabled(ssl) &&
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1184 ssl_tls13_early_data_has_valid_ticket(ssl) &&
1185 ssl->conf->early_data_enabled == MBEDTLS_SSL_EARLY_DATA_ENABLED) {
Jerry Yu52335392023-11-23 18:06:06 +0800[diff] [blame]1186
1187 ret = mbedtls_ssl_tls13_write_early_data_ext(
Jerry Yuc59c5862023-12-05 10:40:49 +0800[diff] [blame]1188 ssl, 0, p, end, &ext_len);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1189 if (ret != 0) {
1190 return ret;
1191 }
Xiaokang Qian0e97d4d2022-10-24 11:12:51 +0000[diff] [blame]1192 p += ext_len;
1193
Ronald Cron4a8c9e22022-10-26 18:49:09 +0200[diff] [blame]1194 /* Initializes the status to `rejected`. It will be updated to
1195 * `accepted` if the EncryptedExtension message contain an early data
1196 * indication extension.
Xiaokang Qiana042b842022-11-09 01:59:33 +0000[diff] [blame]1197 */
Ronald Cron4a8c9e22022-10-26 18:49:09 +0200[diff] [blame]1198 ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1199 } else {
1200 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write early_data extension"));
Xiaokang Qianf447e8a2022-11-08 07:02:27 +0000[diff] [blame]1201 ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT;
Xiaokang Qian0e97d4d2022-10-24 11:12:51 +0000[diff] [blame]1202 }
1203#endif /* MBEDTLS_SSL_EARLY_DATA */
1204
Ronald Cron41a443a2022-10-04 16:38:25 +0200[diff] [blame]1205#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]1206 /* For PSK-based key exchange we need the pre_shared_key extension
1207 * and the psk_key_exchange_modes extension.
1208 *
1209 * The pre_shared_key extension MUST be the last extension in the
1210 * ClientHello. Servers MUST check that it is the last extension and
1211 * otherwise fail the handshake with an "illegal_parameter" alert.
1212 *
1213 * Add the psk_key_exchange_modes extension.
1214 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1215 ret = ssl_tls13_write_psk_key_exchange_modes_ext(ssl, p, end, &ext_len);
1216 if (ret != 0) {
1217 return ret;
1218 }
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]1219 p += ext_len;
Ronald Cron41a443a2022-10-04 16:38:25 +0200[diff] [blame]1220#endif
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]1221
Ronald Cron04fbd2b2022-02-18 12:06:07 +0100[diff] [blame]1222 *out_len = p - buf;
1223
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1224 return 0;
Ronald Cron04fbd2b2022-02-18 12:06:07 +0100[diff] [blame]1225}
1226
Xiaokang Qian934ce6f2023-02-06 10:23:04 +0000[diff] [blame]1227int mbedtls_ssl_tls13_finalize_client_hello(mbedtls_ssl_context *ssl)
Xiaokang Qian126929f2023-01-03 10:29:41 +0000[diff] [blame]1228{
Xiaokang Qian90746132023-01-06 05:54:59 +0000[diff] [blame]1229 ((void) ssl);
Xiaokang Qian79f77522023-01-28 10:35:29 +0000[diff] [blame]1230
Xiaokang Qian126929f2023-01-03 10:29:41 +0000[diff] [blame]1231#if defined(MBEDTLS_SSL_EARLY_DATA)
1232 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1233 psa_algorithm_t hash_alg = PSA_ALG_NONE;
1234 const unsigned char *psk;
1235 size_t psk_len;
1236 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
Xiaokang Qian592021a2023-01-04 10:47:05 +0000[diff] [blame]1237
Xiaokang Qian126929f2023-01-03 10:29:41 +0000[diff] [blame]1238 if (ssl->early_data_status == MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED) {
Xiaokang Qian6be82902023-02-03 06:04:43 +0000[diff] [blame]1239#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
1240 mbedtls_ssl_handshake_set_state(
1241 ssl, MBEDTLS_SSL_CLIENT_CCS_AFTER_CLIENT_HELLO);
1242#endif
Xiaokang Qian126929f2023-01-03 10:29:41 +0000[diff] [blame]1243 MBEDTLS_SSL_DEBUG_MSG(
1244 1, ("Set hs psk for early data when writing the first psk"));
1245
1246 ret = ssl_tls13_ticket_get_psk(ssl, &hash_alg, &psk, &psk_len);
1247 if (ret != 0) {
1248 MBEDTLS_SSL_DEBUG_RET(
1249 1, "ssl_tls13_ticket_get_psk", ret);
1250 return ret;
1251 }
1252
1253 ret = mbedtls_ssl_set_hs_psk(ssl, psk, psk_len);
1254 if (ret != 0) {
1255 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_set_hs_psk", ret);
1256 return ret;
1257 }
1258
Xiaokang Qian64bc9bc2023-02-07 02:32:23 +0000[diff] [blame]1259 /*
1260 * Early data are going to be encrypted using the ciphersuite
1261 * associated with the pre-shared key used for the handshake.
1262 * Note that if the server rejects early data, the handshake
1263 * based on the pre-shared key may complete successfully
1264 * with a selected ciphersuite different from the ciphersuite
1265 * associated with the pre-shared key. Only the hashes of the
1266 * two ciphersuites have to be the same. In that case, the
1267 * encrypted handshake data and application data are
1268 * encrypted using a different ciphersuite than the one used for
1269 * the rejected early data.
1270 */
Xiaokang Qian126929f2023-01-03 10:29:41 +0000[diff] [blame]1271 ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(
1272 ssl->session_negotiate->ciphersuite);
1273 ssl->handshake->ciphersuite_info = ciphersuite_info;
Xiaokang Qian8dc4ce72023-02-07 10:49:50 +0000[diff] [blame]1274
Tom Cosgrove5c8505f2023-03-07 11:39:52 +0000[diff] [blame]1275 /* Enable psk and psk_ephemeral to make stage early happy */
Xiaokang Qian126929f2023-01-03 10:29:41 +0000[diff] [blame]1276 ssl->handshake->key_exchange_mode =
1277 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL;
1278
1279 /* Start the TLS 1.3 key schedule:
Xiaokang Qian8dc4ce72023-02-07 10:49:50 +0000[diff] [blame]1280 * Set the PSK and derive early secret.
Xiaokang Qian126929f2023-01-03 10:29:41 +0000[diff] [blame]1281 */
1282 ret = mbedtls_ssl_tls13_key_schedule_stage_early(ssl);
1283 if (ret != 0) {
Xiaokang Qian0de0d862023-02-08 06:04:50 +0000[diff] [blame]1284 MBEDTLS_SSL_DEBUG_RET(
1285 1, "mbedtls_ssl_tls13_key_schedule_stage_early", ret);
Xiaokang Qian126929f2023-01-03 10:29:41 +0000[diff] [blame]1286 return ret;
1287 }
1288
1289 /* Derive early data key material */
1290 ret = mbedtls_ssl_tls13_compute_early_transform(ssl);
1291 if (ret != 0) {
Xiaokang Qian0de0d862023-02-08 06:04:50 +0000[diff] [blame]1292 MBEDTLS_SSL_DEBUG_RET(
1293 1, "mbedtls_ssl_tls13_compute_early_transform", ret);
Xiaokang Qian126929f2023-01-03 10:29:41 +0000[diff] [blame]1294 return ret;
1295 }
1296
Xiaokang Qian126929f2023-01-03 10:29:41 +0000[diff] [blame]1297 }
1298#endif /* MBEDTLS_SSL_EARLY_DATA */
1299 return 0;
1300}
Jerry Yu1bc2c1f2021-09-01 12:57:29 +0800[diff] [blame]1301/*
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1302 * Functions for parsing and processing Server Hello
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1303 */
Ronald Cronfd6193c2022-04-05 11:04:20 +0200[diff] [blame]1304
Ronald Cronda41b382022-03-30 09:57:11 +0200[diff] [blame]1305/**
1306 * \brief Detect if the ServerHello contains a supported_versions extension
1307 * or not.
1308 *
1309 * \param[in] ssl SSL context
1310 * \param[in] buf Buffer containing the ServerHello message
1311 * \param[in] end End of the buffer containing the ServerHello message
1312 *
1313 * \return 0 if the ServerHello does not contain a supported_versions extension
1314 * \return 1 if the ServerHello contains a supported_versions extension
1315 * \return A negative value if an error occurred while parsing the ServerHello.
1316 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1317MBEDTLS_CHECK_RETURN_CRITICAL
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]1318static int ssl_tls13_is_supported_versions_ext_present(
1319 mbedtls_ssl_context *ssl,
1320 const unsigned char *buf,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1321 const unsigned char *end)
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]1322{
1323 const unsigned char *p = buf;
1324 size_t legacy_session_id_echo_len;
Ronald Croneff56732023-04-03 17:36:31 +0200[diff] [blame]1325 const unsigned char *supported_versions_data;
1326 const unsigned char *supported_versions_data_end;
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]1327
1328 /*
1329 * Check there is enough data to access the legacy_session_id_echo vector
Ronald Cronda41b382022-03-30 09:57:11 +0200[diff] [blame]1330 * length:
1331 * - legacy_version 2 bytes
1332 * - random MBEDTLS_SERVER_HELLO_RANDOM_LEN bytes
1333 * - legacy_session_id_echo length 1 byte
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]1334 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1335 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, MBEDTLS_SERVER_HELLO_RANDOM_LEN + 3);
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]1336 p += MBEDTLS_SERVER_HELLO_RANDOM_LEN + 2;
1337 legacy_session_id_echo_len = *p;
1338
1339 /*
1340 * Jump to the extensions, jumping over:
1341 * - legacy_session_id_echo (legacy_session_id_echo_len + 1) bytes
1342 * - cipher_suite 2 bytes
1343 * - legacy_compression_method 1 byte
1344 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1345 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, legacy_session_id_echo_len + 4);
1346 p += legacy_session_id_echo_len + 4;
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]1347
Ronald Cron47dce632023-02-08 17:38:29 +0100[diff] [blame]1348 return mbedtls_ssl_tls13_is_supported_versions_ext_present_in_exts(
1349 ssl, p, end,
Ronald Croneff56732023-04-03 17:36:31 +0200[diff] [blame]1350 &supported_versions_data, &supported_versions_data_end);
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]1351}
1352
Jerry Yu7a186a02021-10-15 18:46:14 +0800[diff] [blame]1353/* Returns a negative value on failure, and otherwise
Ronald Cronfd6193c2022-04-05 11:04:20 +0200[diff] [blame]1354 * - 1 if the last eight bytes of the ServerHello random bytes indicate that
1355 * the server is TLS 1.3 capable but negotiating TLS 1.2 or below.
1356 * - 0 otherwise
1357 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1358MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1359static int ssl_tls13_is_downgrade_negotiation(mbedtls_ssl_context *ssl,
1360 const unsigned char *buf,
1361 const unsigned char *end)
Ronald Cronfd6193c2022-04-05 11:04:20 +0200[diff] [blame]1362{
1363 /* First seven bytes of the magic downgrade strings, see RFC 8446 4.1.3 */
1364 static const unsigned char magic_downgrade_string[] =
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1365 { 0x44, 0x4F, 0x57, 0x4E, 0x47, 0x52, 0x44 };
Ronald Cronfd6193c2022-04-05 11:04:20 +0200[diff] [blame]1366 const unsigned char *last_eight_bytes_of_random;
1367 unsigned char last_byte_of_random;
1368
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1369 MBEDTLS_SSL_CHK_BUF_READ_PTR(buf, end, MBEDTLS_SERVER_HELLO_RANDOM_LEN + 2);
Ronald Cronfd6193c2022-04-05 11:04:20 +0200[diff] [blame]1370 last_eight_bytes_of_random = buf + 2 + MBEDTLS_SERVER_HELLO_RANDOM_LEN - 8;
1371
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1372 if (memcmp(last_eight_bytes_of_random,
1373 magic_downgrade_string,
1374 sizeof(magic_downgrade_string)) == 0) {
Ronald Cronfd6193c2022-04-05 11:04:20 +0200[diff] [blame]1375 last_byte_of_random = last_eight_bytes_of_random[7];
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1376 return last_byte_of_random == 0 ||
1377 last_byte_of_random == 1;
Ronald Cronfd6193c2022-04-05 11:04:20 +0200[diff] [blame]1378 }
1379
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1380 return 0;
Ronald Cronfd6193c2022-04-05 11:04:20 +0200[diff] [blame]1381}
1382
1383/* Returns a negative value on failure, and otherwise
Ronald Cron828aff62022-05-31 12:04:31 +0200[diff] [blame]1384 * - SSL_SERVER_HELLO or
1385 * - SSL_SERVER_HELLO_HRR
XiaokangQian51eff222021-12-10 10:33:56 +0000[diff] [blame]1386 * to indicate which message is expected and to be parsed next.
1387 */
Ronald Cron828aff62022-05-31 12:04:31 +0200[diff] [blame]1388#define SSL_SERVER_HELLO 0
1389#define SSL_SERVER_HELLO_HRR 1
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1390MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1391static int ssl_server_hello_is_hrr(mbedtls_ssl_context *ssl,
1392 const unsigned char *buf,
1393 const unsigned char *end)
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1394{
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1395
1396 /* Check whether this message is a HelloRetryRequest ( HRR ) message.
1397 *
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1398 * Server Hello and HRR are only distinguished by Random set to the
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1399 * special value of the SHA-256 of "HelloRetryRequest".
1400 *
1401 * struct {
1402 * ProtocolVersion legacy_version = 0x0303;
1403 * Random random;
1404 * opaque legacy_session_id_echo<0..32>;
1405 * CipherSuite cipher_suite;
1406 * uint8 legacy_compression_method = 0;
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1407 * Extension extensions<6..2^16-1>;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1408 * } ServerHello;
1409 *
1410 */
Xiaokang Qian958b6ff2023-03-29 10:37:35 +0000[diff] [blame]1411 MBEDTLS_SSL_CHK_BUF_READ_PTR(
1412 buf, end, 2 + sizeof(mbedtls_ssl_tls13_hello_retry_request_magic));
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1413
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1414 if (memcmp(buf + 2, mbedtls_ssl_tls13_hello_retry_request_magic,
1415 sizeof(mbedtls_ssl_tls13_hello_retry_request_magic)) == 0) {
1416 return SSL_SERVER_HELLO_HRR;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1417 }
1418
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1419 return SSL_SERVER_HELLO;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1420}
1421
Ronald Cron828aff62022-05-31 12:04:31 +0200[diff] [blame]1422/*
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1423 * Returns a negative value on failure, and otherwise
Ronald Cron828aff62022-05-31 12:04:31 +0200[diff] [blame]1424 * - SSL_SERVER_HELLO or
1425 * - SSL_SERVER_HELLO_HRR or
1426 * - SSL_SERVER_HELLO_TLS1_2
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1427 */
Ronald Cron828aff62022-05-31 12:04:31 +0200[diff] [blame]1428#define SSL_SERVER_HELLO_TLS1_2 2
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1429MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1430static int ssl_tls13_preprocess_server_hello(mbedtls_ssl_context *ssl,
1431 const unsigned char *buf,
1432 const unsigned char *end)
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1433{
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1434 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Ronald Cron5afb9042022-05-31 12:11:39 +0200[diff] [blame]1435 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1436
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1437 MBEDTLS_SSL_PROC_CHK_NEG(ssl_tls13_is_supported_versions_ext_present(
1438 ssl, buf, end));
Jerry Yua66fece2022-07-13 14:30:29 +0800[diff] [blame]1439
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1440 if (ret == 0) {
Ronald Cronfd6193c2022-04-05 11:04:20 +0200[diff] [blame]1441 MBEDTLS_SSL_PROC_CHK_NEG(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1442 ssl_tls13_is_downgrade_negotiation(ssl, buf, end));
Ronald Cronfd6193c2022-04-05 11:04:20 +0200[diff] [blame]1443
1444 /* If the server is negotiating TLS 1.2 or below and:
1445 * . we did not propose TLS 1.2 or
1446 * . the server responded it is TLS 1.3 capable but negotiating a lower
1447 * version of the protocol and thus we are under downgrade attack
1448 * abort the handshake with an "illegal parameter" alert.
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]1449 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1450 if (handshake->min_tls_version > MBEDTLS_SSL_VERSION_TLS1_2 || ret) {
1451 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
1452 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
1453 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]1454 }
1455
Ronald Cronb828c7d2023-04-03 16:37:22 +0200[diff] [blame]1456 /*
1457 * Version 1.2 of the protocol has been negotiated, set the
1458 * ssl->keep_current_message flag for the ServerHello to be kept and
1459 * parsed as a TLS 1.2 ServerHello. We also change ssl->tls_version to
1460 * MBEDTLS_SSL_VERSION_TLS1_2 thus from now on mbedtls_ssl_handshake_step()
1461 * will dispatch to the TLS 1.2 state machine.
1462 */
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]1463 ssl->keep_current_message = 1;
Glenn Strauss60bfe602022-03-14 19:04:24 -0400[diff] [blame]1464 ssl->tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
Xiaokang Qian958b6ff2023-03-29 10:37:35 +0000[diff] [blame]1465 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(
1466 ssl, MBEDTLS_SSL_HS_SERVER_HELLO,
1467 buf, (size_t) (end - buf)));
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]1468
Pengyu Lv0a1ff2b2023-11-14 11:03:32 +0800[diff] [blame]1469 if (mbedtls_ssl_conf_tls13_is_some_ephemeral_enabled(ssl)) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1470 ret = ssl_tls13_reset_key_share(ssl);
1471 if (ret != 0) {
1472 return ret;
1473 }
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]1474 }
1475
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1476 return SSL_SERVER_HELLO_TLS1_2;
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]1477 }
1478
Jerry Yua66fece2022-07-13 14:30:29 +0800[diff] [blame]1479 ssl->session_negotiate->tls_version = ssl->tls_version;
Ronald Cron17ef8df2023-11-22 10:29:42 +0100[diff] [blame^]1480 ssl->session_negotiate->endpoint = ssl->conf->endpoint;
Jerry Yua66fece2022-07-13 14:30:29 +0800[diff] [blame]1481
Jerry Yu50e00e32022-10-31 14:45:01 +0800[diff] [blame]1482 handshake->received_extensions = MBEDTLS_SSL_EXT_MASK_NONE;
Ronald Cron5afb9042022-05-31 12:11:39 +0200[diff] [blame]1483
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1484 ret = ssl_server_hello_is_hrr(ssl, buf, end);
1485 switch (ret) {
Ronald Cron828aff62022-05-31 12:04:31 +0200[diff] [blame]1486 case SSL_SERVER_HELLO:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1487 MBEDTLS_SSL_DEBUG_MSG(2, ("received ServerHello message"));
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1488 break;
Ronald Cron828aff62022-05-31 12:04:31 +0200[diff] [blame]1489 case SSL_SERVER_HELLO_HRR:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1490 MBEDTLS_SSL_DEBUG_MSG(2, ("received HelloRetryRequest message"));
Xiaokang Qian958b6ff2023-03-29 10:37:35 +0000[diff] [blame]1491 /* If a client receives a second HelloRetryRequest in the same
1492 * connection (i.e., where the ClientHello was itself in response
1493 * to a HelloRetryRequest), it MUST abort the handshake with an
1494 * "unexpected_message" alert.
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1495 */
1496 if (handshake->hello_retry_request_count > 0) {
1497 MBEDTLS_SSL_DEBUG_MSG(1, ("Multiple HRRs received"));
Xiaokang Qian958b6ff2023-03-29 10:37:35 +0000[diff] [blame]1498 MBEDTLS_SSL_PEND_FATAL_ALERT(
1499 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE,
1500 MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1501 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
XiaokangQian16acd4b2022-01-14 07:35:47 +0000[diff] [blame]1502 }
XiaokangQian2b01dc32022-01-21 02:53:13 +0000[diff] [blame]1503 /*
1504 * Clients must abort the handshake with an "illegal_parameter"
1505 * alert if the HelloRetryRequest would not result in any change
1506 * in the ClientHello.
1507 * In a PSK only key exchange that what we expect.
1508 */
Pengyu Lv0a1ff2b2023-11-14 11:03:32 +0800[diff] [blame]1509 if (!mbedtls_ssl_conf_tls13_is_some_ephemeral_enabled(ssl)) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1510 MBEDTLS_SSL_DEBUG_MSG(1,
1511 ("Unexpected HRR in pure PSK key exchange."));
XiaokangQian2b01dc32022-01-21 02:53:13 +0000[diff] [blame]1512 MBEDTLS_SSL_PEND_FATAL_ALERT(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1513 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
1514 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
1515 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
XiaokangQian2b01dc32022-01-21 02:53:13 +0000[diff] [blame]1516 }
XiaokangQian16acd4b2022-01-14 07:35:47 +0000[diff] [blame]1517
Ronald Cron5afb9042022-05-31 12:11:39 +0200[diff] [blame]1518 handshake->hello_retry_request_count++;
XiaokangQian16acd4b2022-01-14 07:35:47 +0000[diff] [blame]1519
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1520 break;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1521 }
1522
1523cleanup:
1524
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1525 return ret;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1526}
1527
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1528MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1529static int ssl_tls13_check_server_hello_session_id_echo(mbedtls_ssl_context *ssl,
1530 const unsigned char **buf,
1531 const unsigned char *end)
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1532{
1533 const unsigned char *p = *buf;
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1534 size_t legacy_session_id_echo_len;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1535
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1536 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 1);
1537 legacy_session_id_echo_len = *p++;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1538
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1539 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, legacy_session_id_echo_len);
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1540
1541 /* legacy_session_id_echo */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1542 if (ssl->session_negotiate->id_len != legacy_session_id_echo_len ||
1543 memcmp(ssl->session_negotiate->id, p, legacy_session_id_echo_len) != 0) {
1544 MBEDTLS_SSL_DEBUG_BUF(3, "Expected Session ID",
1545 ssl->session_negotiate->id,
1546 ssl->session_negotiate->id_len);
1547 MBEDTLS_SSL_DEBUG_BUF(3, "Received Session ID", p,
1548 legacy_session_id_echo_len);
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1549
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1550 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
1551 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1552
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1553 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1554 }
1555
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1556 p += legacy_session_id_echo_len;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1557 *buf = p;
1558
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1559 MBEDTLS_SSL_DEBUG_BUF(3, "Session ID", ssl->session_negotiate->id,
1560 ssl->session_negotiate->id_len);
1561 return 0;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1562}
1563
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1564/* Parse ServerHello message and configure context
1565 *
1566 * struct {
1567 * ProtocolVersion legacy_version = 0x0303; // TLS 1.2
1568 * Random random;
1569 * opaque legacy_session_id_echo<0..32>;
1570 * CipherSuite cipher_suite;
1571 * uint8 legacy_compression_method = 0;
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1572 * Extension extensions<6..2^16-1>;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1573 * } ServerHello;
1574 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1575MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1576static int ssl_tls13_parse_server_hello(mbedtls_ssl_context *ssl,
1577 const unsigned char *buf,
1578 const unsigned char *end,
1579 int is_hrr)
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1580{
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1581 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1582 const unsigned char *p = buf;
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]1583 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1584 size_t extensions_len;
1585 const unsigned char *extensions_end;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1586 uint16_t cipher_suite;
Jerry Yude4fb2c2021-09-19 18:05:08 +0800[diff] [blame]1587 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
XiaokangQianb119a352022-01-26 03:29:10 +0000[diff] [blame]1588 int fatal_alert = 0;
Jerry Yu0c354a22022-08-29 15:25:36 +0800[diff] [blame]1589 uint32_t allowed_extensions_mask;
Jerry Yu50e00e32022-10-31 14:45:01 +0800[diff] [blame]1590 int hs_msg_type = is_hrr ? MBEDTLS_SSL_TLS1_3_HS_HELLO_RETRY_REQUEST :
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1591 MBEDTLS_SSL_HS_SERVER_HELLO;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1592
1593 /*
1594 * Check there is space for minimal fields
1595 *
1596 * - legacy_version ( 2 bytes)
Jerry Yue6d7e5c2021-10-26 10:44:32 +0800[diff] [blame]1597 * - random (MBEDTLS_SERVER_HELLO_RANDOM_LEN bytes)
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1598 * - legacy_session_id_echo ( 1 byte ), minimum size
1599 * - cipher_suite ( 2 bytes)
1600 * - legacy_compression_method ( 1 byte )
1601 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1602 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, MBEDTLS_SERVER_HELLO_RANDOM_LEN + 6);
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1603
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1604 MBEDTLS_SSL_DEBUG_BUF(4, "server hello", p, end - p);
1605 MBEDTLS_SSL_DEBUG_BUF(3, "server hello, version", p, 2);
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1606
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1607 /* ...
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1608 * ProtocolVersion legacy_version = 0x0303; // TLS 1.2
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1609 * ...
1610 * with ProtocolVersion defined as:
1611 * uint16 ProtocolVersion;
1612 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1613 if (mbedtls_ssl_read_version(p, ssl->conf->transport) !=
1614 MBEDTLS_SSL_VERSION_TLS1_2) {
1615 MBEDTLS_SSL_DEBUG_MSG(1, ("Unsupported version of TLS."));
1616 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION,
1617 MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION);
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1618 ret = MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION;
1619 goto cleanup;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1620 }
1621 p += 2;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1622
Jerry Yue6d7e5c2021-10-26 10:44:32 +0800[diff] [blame]1623 /* ...
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1624 * Random random;
1625 * ...
1626 * with Random defined as:
Jerry Yue6d7e5c2021-10-26 10:44:32 +0800[diff] [blame]1627 * opaque Random[MBEDTLS_SERVER_HELLO_RANDOM_LEN];
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1628 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1629 if (!is_hrr) {
1630 memcpy(&handshake->randbytes[MBEDTLS_CLIENT_HELLO_RANDOM_LEN], p,
1631 MBEDTLS_SERVER_HELLO_RANDOM_LEN);
1632 MBEDTLS_SSL_DEBUG_BUF(3, "server hello, random bytes",
1633 p, MBEDTLS_SERVER_HELLO_RANDOM_LEN);
XiaokangQian53f20b72022-01-18 10:47:33 +0000[diff] [blame]1634 }
Jerry Yue6d7e5c2021-10-26 10:44:32 +0800[diff] [blame]1635 p += MBEDTLS_SERVER_HELLO_RANDOM_LEN;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1636
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1637 /* ...
1638 * opaque legacy_session_id_echo<0..32>;
1639 * ...
1640 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1641 if (ssl_tls13_check_server_hello_session_id_echo(ssl, &p, end) != 0) {
XiaokangQian52da5582022-01-26 09:49:29 +0000[diff] [blame]1642 fatal_alert = MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER;
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1643 goto cleanup;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1644 }
1645
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1646 /* ...
1647 * CipherSuite cipher_suite;
1648 * ...
1649 * with CipherSuite defined as:
1650 * uint8 CipherSuite[2];
1651 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1652 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
1653 cipher_suite = MBEDTLS_GET_UINT16_BE(p, 0);
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1654 p += 2;
1655
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1656
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1657 ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(cipher_suite);
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1658 /*
Ronald Cronba120bb2022-03-30 22:09:48 +0200[diff] [blame]1659 * Check whether this ciphersuite is valid and offered.
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1660 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1661 if ((mbedtls_ssl_validate_ciphersuite(ssl, ciphersuite_info,
1662 ssl->tls_version,
1663 ssl->tls_version) != 0) ||
1664 !mbedtls_ssl_tls13_cipher_suite_is_offered(ssl, cipher_suite)) {
XiaokangQian52da5582022-01-26 09:49:29 +0000[diff] [blame]1665 fatal_alert = MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1666 }
XiaokangQian53f20b72022-01-18 10:47:33 +0000[diff] [blame]1667 /*
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]1668 * If we received an HRR before and that the proposed selected
1669 * ciphersuite in this server hello is not the same as the one
1670 * proposed in the HRR, we abort the handshake and send an
1671 * "illegal_parameter" alert.
XiaokangQian53f20b72022-01-18 10:47:33 +0000[diff] [blame]1672 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1673 else if ((!is_hrr) && (handshake->hello_retry_request_count > 0) &&
1674 (cipher_suite != ssl->session_negotiate->ciphersuite)) {
XiaokangQian52da5582022-01-26 09:49:29 +0000[diff] [blame]1675 fatal_alert = MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER;
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]1676 }
XiaokangQian53f20b72022-01-18 10:47:33 +0000[diff] [blame]1677
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1678 if (fatal_alert == MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER) {
1679 MBEDTLS_SSL_DEBUG_MSG(1, ("invalid ciphersuite(%04x) parameter",
1680 cipher_suite));
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1681 goto cleanup;
XiaokangQian53f20b72022-01-18 10:47:33 +0000[diff] [blame]1682 }
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1683
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1684 /* Configure ciphersuites */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1685 mbedtls_ssl_optimize_checksum(ssl, ciphersuite_info);
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1686
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]1687 handshake->ciphersuite_info = ciphersuite_info;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1688 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, chosen ciphersuite: ( %04x ) - %s",
1689 cipher_suite, ciphersuite_info->name));
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1690
1691#if defined(MBEDTLS_HAVE_TIME)
YxCda609132023-05-22 12:08:12 -0700[diff] [blame]1692 ssl->session_negotiate->start = mbedtls_time(NULL);
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1693#endif /* MBEDTLS_HAVE_TIME */
1694
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1695 /* ...
1696 * uint8 legacy_compression_method = 0;
1697 * ...
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1698 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1699 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 1);
1700 if (p[0] != MBEDTLS_SSL_COMPRESS_NULL) {
1701 MBEDTLS_SSL_DEBUG_MSG(1, ("bad legacy compression method"));
XiaokangQian52da5582022-01-26 09:49:29 +0000[diff] [blame]1702 fatal_alert = MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER;
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1703 goto cleanup;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1704 }
1705 p++;
1706
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1707 /* ...
1708 * Extension extensions<6..2^16-1>;
1709 * ...
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1710 * struct {
1711 * ExtensionType extension_type; (2 bytes)
1712 * opaque extension_data<0..2^16-1>;
1713 * } Extension;
1714 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1715 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
1716 extensions_len = MBEDTLS_GET_UINT16_BE(p, 0);
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1717 p += 2;
Jerry Yude4fb2c2021-09-19 18:05:08 +0800[diff] [blame]1718
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1719 /* Check extensions do not go beyond the buffer of data. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1720 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, extensions_len);
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1721 extensions_end = p + extensions_len;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1722
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1723 MBEDTLS_SSL_DEBUG_BUF(3, "server hello extensions", p, extensions_len);
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1724
Jerry Yu50e00e32022-10-31 14:45:01 +0800[diff] [blame]1725 handshake->received_extensions = MBEDTLS_SSL_EXT_MASK_NONE;
Jerry Yu0c354a22022-08-29 15:25:36 +0800[diff] [blame]1726 allowed_extensions_mask = is_hrr ?
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1727 MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_HRR :
1728 MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_SH;
Jerry Yu2c5363e2022-08-04 17:42:49 +0800[diff] [blame]1729
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1730 while (p < extensions_end) {
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1731 unsigned int extension_type;
1732 size_t extension_data_len;
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]1733 const unsigned char *extension_data_end;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1734
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1735 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, extensions_end, 4);
1736 extension_type = MBEDTLS_GET_UINT16_BE(p, 0);
1737 extension_data_len = MBEDTLS_GET_UINT16_BE(p, 2);
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1738 p += 4;
1739
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1740 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, extensions_end, extension_data_len);
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]1741 extension_data_end = p + extension_data_len;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1742
Jerry Yuc4bf5d62022-10-29 09:08:47 +0800[diff] [blame]1743 ret = mbedtls_ssl_tls13_check_received_extension(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1744 ssl, hs_msg_type, extension_type, allowed_extensions_mask);
1745 if (ret != 0) {
1746 return ret;
1747 }
Jerry Yu2c5363e2022-08-04 17:42:49 +0800[diff] [blame]1748
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1749 switch (extension_type) {
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]1750 case MBEDTLS_TLS_EXT_COOKIE:
1751
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1752 ret = ssl_tls13_parse_cookie_ext(ssl,
1753 p, extension_data_end);
1754 if (ret != 0) {
1755 MBEDTLS_SSL_DEBUG_RET(1,
1756 "ssl_tls13_parse_cookie_ext",
1757 ret);
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1758 goto cleanup;
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]1759 }
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]1760 break;
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]1761
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1762 case MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1763 ret = ssl_tls13_parse_supported_versions_ext(ssl,
1764 p,
1765 extension_data_end);
1766 if (ret != 0) {
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1767 goto cleanup;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1768 }
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1769 break;
1770
Ronald Cron41a443a2022-10-04 16:38:25 +0200[diff] [blame]1771#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1772 case MBEDTLS_TLS_EXT_PRE_SHARED_KEY:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1773 MBEDTLS_SSL_DEBUG_MSG(3, ("found pre_shared_key extension"));
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1774
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1775 if ((ret = ssl_tls13_parse_server_pre_shared_key_ext(
1776 ssl, p, extension_data_end)) != 0) {
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]1777 MBEDTLS_SSL_DEBUG_RET(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1778 1, ("ssl_tls13_parse_server_pre_shared_key_ext"), ret);
1779 return ret;
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]1780 }
1781 break;
Ronald Cron41a443a2022-10-04 16:38:25 +0200[diff] [blame]1782#endif
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1783
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1784 case MBEDTLS_TLS_EXT_KEY_SHARE:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1785 MBEDTLS_SSL_DEBUG_MSG(3, ("found key_shares extension"));
Pengyu Lv0a1ff2b2023-11-14 11:03:32 +0800[diff] [blame]1786 if (!mbedtls_ssl_conf_tls13_is_some_ephemeral_enabled(ssl)) {
XiaokangQian52da5582022-01-26 09:49:29 +0000[diff] [blame]1787 fatal_alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT;
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1788 goto cleanup;
1789 }
1790
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1791 if (is_hrr) {
1792 ret = ssl_tls13_parse_hrr_key_share_ext(ssl,
1793 p, extension_data_end);
1794 } else {
1795 ret = ssl_tls13_parse_key_share_ext(ssl,
1796 p, extension_data_end);
1797 }
1798 if (ret != 0) {
1799 MBEDTLS_SSL_DEBUG_RET(1,
1800 "ssl_tls13_parse_key_share_ext",
1801 ret);
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1802 goto cleanup;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1803 }
1804 break;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1805
1806 default:
Jerry Yu9872eb22022-08-29 13:42:01 +0800[diff] [blame]1807 ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
1808 goto cleanup;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1809 }
1810
1811 p += extension_data_len;
1812 }
1813
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1814 MBEDTLS_SSL_PRINT_EXTS(3, hs_msg_type, handshake->received_extensions);
Jerry Yu2c5363e2022-08-04 17:42:49 +0800[diff] [blame]1815
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1816cleanup:
1817
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1818 if (fatal_alert == MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT) {
1819 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT,
1820 MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION);
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1821 ret = MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1822 } else if (fatal_alert == MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER) {
1823 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
1824 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1825 ret = MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
1826 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1827 return ret;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1828}
1829
Xiaokang Qiancb6e9632022-09-26 11:59:32 +0000[diff] [blame]1830#if defined(MBEDTLS_DEBUG_C)
1831static const char *ssl_tls13_get_kex_mode_str(int mode)
Xiaokang Qian5beec4b2022-09-26 08:23:45 +0000[diff] [blame]1832{
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1833 switch (mode) {
Xiaokang Qian5beec4b2022-09-26 08:23:45 +0000[diff] [blame]1834 case MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK:
1835 return "psk";
1836 case MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL:
1837 return "ephemeral";
1838 case MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL:
1839 return "psk_ephemeral";
1840 default:
1841 return "unknown mode";
1842 }
1843}
Xiaokang Qiancb6e9632022-09-26 11:59:32 +0000[diff] [blame]1844#endif /* MBEDTLS_DEBUG_C */
Xiaokang Qian5beec4b2022-09-26 08:23:45 +0000[diff] [blame]1845
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1846MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1847static int ssl_tls13_postprocess_server_hello(mbedtls_ssl_context *ssl)
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1848{
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1849 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1850 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
Jerry Yu0b177842021-09-05 19:41:30 +0800[diff] [blame]1851
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1852 /* Determine the key exchange mode:
1853 * 1) If both the pre_shared_key and key_share extensions were received
1854 * then the key exchange mode is PSK with EPHEMERAL.
1855 * 2) If only the pre_shared_key extension was received then the key
1856 * exchange mode is PSK-only.
1857 * 3) If only the key_share extension was received then the key
1858 * exchange mode is EPHEMERAL-only.
Jerry Yu0b177842021-09-05 19:41:30 +0800[diff] [blame]1859 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1860 switch (handshake->received_extensions &
Xiaokang Qian958b6ff2023-03-29 10:37:35 +0000[diff] [blame]1861 (MBEDTLS_SSL_EXT_MASK(PRE_SHARED_KEY) |
1862 MBEDTLS_SSL_EXT_MASK(KEY_SHARE))) {
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1863 /* Only the pre_shared_key extension was received */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1864 case MBEDTLS_SSL_EXT_MASK(PRE_SHARED_KEY):
Xiaokang Qian958b6ff2023-03-29 10:37:35 +0000[diff] [blame]1865 handshake->key_exchange_mode =
1866 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK;
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1867 break;
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1868
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1869 /* Only the key_share extension was received */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1870 case MBEDTLS_SSL_EXT_MASK(KEY_SHARE):
Xiaokang Qian958b6ff2023-03-29 10:37:35 +0000[diff] [blame]1871 handshake->key_exchange_mode =
1872 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL;
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1873 break;
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1874
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1875 /* Both the pre_shared_key and key_share extensions were received */
Xiaokang Qian958b6ff2023-03-29 10:37:35 +0000[diff] [blame]1876 case (MBEDTLS_SSL_EXT_MASK(PRE_SHARED_KEY) |
1877 MBEDTLS_SSL_EXT_MASK(KEY_SHARE)):
1878 handshake->key_exchange_mode =
1879 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL;
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1880 break;
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1881
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1882 /* Neither pre_shared_key nor key_share extension was received */
1883 default:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1884 MBEDTLS_SSL_DEBUG_MSG(1, ("Unknown key exchange."));
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1885 ret = MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
1886 goto cleanup;
Jerry Yu0b177842021-09-05 19:41:30 +0800[diff] [blame]1887 }
1888
Pengyu Lvfc2cb962023-11-10 10:22:36 +0800[diff] [blame]1889 if (!mbedtls_ssl_conf_tls13_is_kex_mode_enabled(
Xiaokang Qian0de0d862023-02-08 06:04:50 +0000[diff] [blame]1890 ssl, handshake->key_exchange_mode)) {
Xiaokang Qianac8195f2022-09-26 04:01:06 +0000[diff] [blame]1891 ret = MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Xiaokang Qian958b6ff2023-03-29 10:37:35 +0000[diff] [blame]1892 MBEDTLS_SSL_DEBUG_MSG(
1893 2, ("Key exchange mode(%s) is not supported.",
1894 ssl_tls13_get_kex_mode_str(handshake->key_exchange_mode)));
Xiaokang Qianac8195f2022-09-26 04:01:06 +0000[diff] [blame]1895 goto cleanup;
1896 }
1897
Xiaokang Qian958b6ff2023-03-29 10:37:35 +0000[diff] [blame]1898 MBEDTLS_SSL_DEBUG_MSG(
1899 3, ("Selected key exchange mode: %s",
1900 ssl_tls13_get_kex_mode_str(handshake->key_exchange_mode)));
Xiaokang Qian5beec4b2022-09-26 08:23:45 +0000[diff] [blame]1901
Xiaokang Qian7892b6c2023-02-02 06:05:48 +0000[diff] [blame]1902 /* Start the TLS 1.3 key scheduling if not already done.
Jerry Yu0b177842021-09-05 19:41:30 +0800[diff] [blame]1903 *
Xiaokang Qian7892b6c2023-02-02 06:05:48 +0000[diff] [blame]1904 * If we proposed early data then we have already derived an
1905 * early secret using the selected PSK and its associated hash.
1906 * It means that if the negotiated key exchange mode is psk or
1907 * psk_ephemeral, we have already correctly computed the
1908 * early secret and thus we do not do it again. In all other
1909 * cases we compute it here.
Xiaokang Qian303f82c52023-01-04 08:43:46 +0000[diff] [blame]1910 */
Xiaokang Qian90746132023-01-06 05:54:59 +0000[diff] [blame]1911#if defined(MBEDTLS_SSL_EARLY_DATA)
Xiaokang Qiane04afdc2023-02-07 02:19:42 +0000[diff] [blame]1912 if (ssl->early_data_status == MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT ||
1913 handshake->key_exchange_mode ==
1914 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL)
Xiaokang Qian90746132023-01-06 05:54:59 +0000[diff] [blame]1915#endif
1916 {
Xiaokang Qian303f82c52023-01-04 08:43:46 +0000[diff] [blame]1917 ret = mbedtls_ssl_tls13_key_schedule_stage_early(ssl);
1918 if (ret != 0) {
1919 MBEDTLS_SSL_DEBUG_RET(
1920 1, "mbedtls_ssl_tls13_key_schedule_stage_early", ret);
1921 goto cleanup;
1922 }
Jerry Yu0b177842021-09-05 19:41:30 +0800[diff] [blame]1923 }
1924
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1925 ret = mbedtls_ssl_tls13_compute_handshake_transform(ssl);
1926 if (ret != 0) {
1927 MBEDTLS_SSL_DEBUG_RET(1,
1928 "mbedtls_ssl_tls13_compute_handshake_transform",
1929 ret);
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1930 goto cleanup;
Jerry Yu0b177842021-09-05 19:41:30 +0800[diff] [blame]1931 }
1932
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1933 mbedtls_ssl_set_inbound_transform(ssl, handshake->transform_handshake);
1934 MBEDTLS_SSL_DEBUG_MSG(1, ("Switch to handshake keys for inbound traffic"));
Jerry Yu0b177842021-09-05 19:41:30 +0800[diff] [blame]1935 ssl->session_in = ssl->session_negotiate;
1936
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1937cleanup:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1938 if (ret != 0) {
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1939 MBEDTLS_SSL_PEND_FATAL_ALERT(
1940 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1941 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE);
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1942 }
Jerry Yue110d252022-05-05 10:19:22 +0800[diff] [blame]1943
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1944 return ret;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1945}
1946
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1947MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1948static int ssl_tls13_postprocess_hrr(mbedtls_ssl_context *ssl)
XiaokangQian647719a2021-12-07 09:16:29 +0000[diff] [blame]1949{
1950 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1951
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1952 mbedtls_ssl_session_reset_msg_layer(ssl, 0);
XiaokangQian647719a2021-12-07 09:16:29 +0000[diff] [blame]1953
XiaokangQian78b1fa72022-01-19 06:56:30 +0000[diff] [blame]1954 /*
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]1955 * We are going to re-generate a shared secret corresponding to the group
1956 * selected by the server, which is different from the group for which we
1957 * generated a shared secret in the first client hello.
1958 * Thus, reset the shared secret.
XiaokangQian51eff222021-12-10 10:33:56 +0000[diff] [blame]1959 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1960 ret = ssl_tls13_reset_key_share(ssl);
1961 if (ret != 0) {
1962 return ret;
1963 }
XiaokangQian647719a2021-12-07 09:16:29 +0000[diff] [blame]1964
Xiaokang Qian4ef8ba22023-02-06 11:06:16 +0000[diff] [blame]1965 ssl->session_negotiate->ciphersuite = ssl->handshake->ciphersuite_info->id;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1966 return 0;
XiaokangQian647719a2021-12-07 09:16:29 +0000[diff] [blame]1967}
1968
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1969/*
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1970 * Wait and parse ServerHello handshake message.
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]1971 * Handler for MBEDTLS_SSL_SERVER_HELLO
1972 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1973MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1974static int ssl_tls13_process_server_hello(mbedtls_ssl_context *ssl)
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]1975{
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1976 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
XiaokangQian647719a2021-12-07 09:16:29 +0000[diff] [blame]1977 unsigned char *buf = NULL;
1978 size_t buf_len = 0;
XiaokangQian78b1fa72022-01-19 06:56:30 +0000[diff] [blame]1979 int is_hrr = 0;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1980
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1981 MBEDTLS_SSL_DEBUG_MSG(2, ("=> %s", __func__));
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1982
Xiaokang Qian958b6ff2023-03-29 10:37:35 +0000[diff] [blame]1983 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_tls13_fetch_handshake_msg(
1984 ssl, MBEDTLS_SSL_HS_SERVER_HELLO, &buf, &buf_len));
Ronald Crondb5dfa12022-05-31 11:44:38 +0200[diff] [blame]1985
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1986 ret = ssl_tls13_preprocess_server_hello(ssl, buf, buf + buf_len);
1987 if (ret < 0) {
XiaokangQian16acd4b2022-01-14 07:35:47 +0000[diff] [blame]1988 goto cleanup;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1989 } else {
1990 is_hrr = (ret == SSL_SERVER_HELLO_HRR);
1991 }
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1992
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1993 if (ret == SSL_SERVER_HELLO_TLS1_2) {
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]1994 ret = 0;
1995 goto cleanup;
1996 }
1997
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1998 MBEDTLS_SSL_PROC_CHK(ssl_tls13_parse_server_hello(ssl, buf,
1999 buf + buf_len,
2000 is_hrr));
2001 if (is_hrr) {
2002 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_reset_transcript_for_hrr(ssl));
Ronald Cronfb508b82022-05-31 14:49:55 +0200[diff] [blame]2003 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2004
Xiaokang Qian958b6ff2023-03-29 10:37:35 +0000[diff] [blame]2005 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(
2006 ssl, MBEDTLS_SSL_HS_SERVER_HELLO, buf, buf_len));
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2007
2008 if (is_hrr) {
2009 MBEDTLS_SSL_PROC_CHK(ssl_tls13_postprocess_hrr(ssl));
2010#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
2011 /* If not offering early data, the client sends a dummy CCS record
2012 * immediately before its second flight. This may either be before
2013 * its second ClientHello or before its encrypted handshake flight.
2014 */
Xiaokang Qian958b6ff2023-03-29 10:37:35 +0000[diff] [blame]2015 mbedtls_ssl_handshake_set_state(
2016 ssl, MBEDTLS_SSL_CLIENT_CCS_BEFORE_2ND_CLIENT_HELLO);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2017#else
2018 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_HELLO);
2019#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
2020 } else {
2021 MBEDTLS_SSL_PROC_CHK(ssl_tls13_postprocess_server_hello(ssl));
2022 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_ENCRYPTED_EXTENSIONS);
Ronald Cronfb508b82022-05-31 14:49:55 +0200[diff] [blame]2023 }
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]2024
2025cleanup:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2026 MBEDTLS_SSL_DEBUG_MSG(2, ("<= %s ( %s )", __func__,
2027 is_hrr ? "HelloRetryRequest" : "ServerHello"));
2028 return ret;
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2029}
2030
2031/*
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]2032 *
Ronald Cron9d6a5452022-05-30 16:05:38 +0200[diff] [blame]2033 * Handler for MBEDTLS_SSL_ENCRYPTED_EXTENSIONS
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]2034 *
2035 * The EncryptedExtensions message contains any extensions which
2036 * should be protected, i.e., any which are not needed to establish
2037 * the cryptographic context.
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2038 */
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]2039
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]2040/* Parse EncryptedExtensions message
2041 * struct {
XiaokangQian97799ac2021-10-11 10:05:54 +0000[diff] [blame]2042 * Extension extensions<0..2^16-1>;
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]2043 * } EncryptedExtensions;
2044 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2045MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2046static int ssl_tls13_parse_encrypted_extensions(mbedtls_ssl_context *ssl,
2047 const unsigned char *buf,
2048 const unsigned char *end)
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]2049{
2050 int ret = 0;
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]2051 size_t extensions_len;
XiaokangQian140f0452021-10-08 08:05:53 +0000[diff] [blame]2052 const unsigned char *p = buf;
XiaokangQian8db25ff2021-10-13 05:56:18 +0000[diff] [blame]2053 const unsigned char *extensions_end;
Jerry Yuc4bf5d62022-10-29 09:08:47 +0800[diff] [blame]2054 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]2055
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2056 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
2057 extensions_len = MBEDTLS_GET_UINT16_BE(p, 0);
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]2058 p += 2;
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]2059
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2060 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, extensions_len);
Ronald Cronc8083592022-05-31 16:24:05 +0200[diff] [blame]2061 extensions_end = p + extensions_len;
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]2062
Jan Bruckner5a3629b2023-02-23 12:08:09 +0100[diff] [blame]2063 MBEDTLS_SSL_DEBUG_BUF(3, "encrypted extensions", p, extensions_len);
2064
Jerry Yu9eba7502022-10-31 13:46:16 +0800[diff] [blame]2065 handshake->received_extensions = MBEDTLS_SSL_EXT_MASK_NONE;
Jerry Yucbd082f2022-08-04 16:55:10 +0800[diff] [blame]2066
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2067 while (p < extensions_end) {
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]2068 unsigned int extension_type;
2069 size_t extension_data_len;
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]2070
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]2071 /*
2072 * struct {
XiaokangQian97799ac2021-10-11 10:05:54 +0000[diff] [blame]2073 * ExtensionType extension_type; (2 bytes)
2074 * opaque extension_data<0..2^16-1>;
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]2075 * } Extension;
2076 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2077 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, extensions_end, 4);
2078 extension_type = MBEDTLS_GET_UINT16_BE(p, 0);
2079 extension_data_len = MBEDTLS_GET_UINT16_BE(p, 2);
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]2080 p += 4;
2081
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2082 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, extensions_end, extension_data_len);
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]2083
Jerry Yuc4bf5d62022-10-29 09:08:47 +0800[diff] [blame]2084 ret = mbedtls_ssl_tls13_check_received_extension(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2085 ssl, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS, extension_type,
2086 MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_EE);
2087 if (ret != 0) {
2088 return ret;
2089 }
Jerry Yucbd082f2022-08-04 16:55:10 +0800[diff] [blame]2090
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2091 switch (extension_type) {
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]2092#if defined(MBEDTLS_SSL_ALPN)
2093 case MBEDTLS_TLS_EXT_ALPN:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2094 MBEDTLS_SSL_DEBUG_MSG(3, ("found alpn extension"));
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]2095
Xiaokang Qian958b6ff2023-03-29 10:37:35 +0000[diff] [blame]2096 if ((ret = ssl_tls13_parse_alpn_ext(
2097 ssl, p, (size_t) extension_data_len)) != 0) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2098 return ret;
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]2099 }
2100
2101 break;
2102#endif /* MBEDTLS_SSL_ALPN */
Xiaokang Qian8bee8992022-10-27 10:21:05 +0000[diff] [blame]2103
2104#if defined(MBEDTLS_SSL_EARLY_DATA)
2105 case MBEDTLS_TLS_EXT_EARLY_DATA:
Xiaokang Qianca09afc2022-11-22 10:05:19 +0000[diff] [blame]2106
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2107 if (extension_data_len != 0) {
Xiaokang Qianca09afc2022-11-22 10:05:19 +0000[diff] [blame]2108 /* The message must be empty. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2109 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
2110 MBEDTLS_ERR_SSL_DECODE_ERROR);
2111 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Xiaokang Qianca09afc2022-11-22 10:05:19 +0000[diff] [blame]2112 }
2113
Xiaokang Qian8bee8992022-10-27 10:21:05 +0000[diff] [blame]2114 break;
2115#endif /* MBEDTLS_SSL_EARLY_DATA */
2116
Jan Bruckner151f6422023-02-10 12:45:19 +0100[diff] [blame]2117#if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
2118 case MBEDTLS_TLS_EXT_RECORD_SIZE_LIMIT:
2119 MBEDTLS_SSL_DEBUG_MSG(3, ("found record_size_limit extension"));
2120
Xiaokang Qian958b6ff2023-03-29 10:37:35 +0000[diff] [blame]2121 ret = mbedtls_ssl_tls13_parse_record_size_limit_ext(
2122 ssl, p, p + extension_data_len);
Jan Brucknerf482dcc2023-03-15 09:09:06 +0100[diff] [blame]2123 if (ret != 0) {
2124 MBEDTLS_SSL_DEBUG_RET(
2125 1, ("mbedtls_ssl_tls13_parse_record_size_limit_ext"), ret);
2126 return ret;
2127 }
Jan Bruckner151f6422023-02-10 12:45:19 +0100[diff] [blame]2128 break;
2129#endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */
2130
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]2131 default:
Jerry Yu79aa7212022-11-08 21:30:21 +0800[diff] [blame]2132 MBEDTLS_SSL_PRINT_EXT(
Jerry Yu9eba7502022-10-31 13:46:16 +0800[diff] [blame]2133 3, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2134 extension_type, "( ignored )");
Jerry Yucbd082f2022-08-04 16:55:10 +0800[diff] [blame]2135 break;
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]2136 }
2137
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]2138 p += extension_data_len;
XiaokangQian97799ac2021-10-11 10:05:54 +0000[diff] [blame]2139 }
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]2140
Waleed Elmelegy049cd302023-12-20 17:28:31 +0000[diff] [blame]2141 if ((handshake->received_extensions & MBEDTLS_SSL_EXT_MASK(RECORD_SIZE_LIMIT)) &&
2142 (handshake->received_extensions & MBEDTLS_SSL_EXT_MASK(MAX_FRAGMENT_LENGTH))) {
Waleed Elmelegy6a971fd2023-12-28 17:48:16 +0000[diff] [blame]2143 MBEDTLS_SSL_DEBUG_MSG(3,
2144 (
2145 "Record size limit extension cannot be used with max fragment length extension"));
Waleed Elmelegy049cd302023-12-20 17:28:31 +0000[diff] [blame]2146 MBEDTLS_SSL_PEND_FATAL_ALERT(
2147 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
2148 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
2149 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
2150 }
2151
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2152 MBEDTLS_SSL_PRINT_EXTS(3, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS,
2153 handshake->received_extensions);
Jerry Yucbd082f2022-08-04 16:55:10 +0800[diff] [blame]2154
XiaokangQian97799ac2021-10-11 10:05:54 +0000[diff] [blame]2155 /* Check that we consumed all the message. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2156 if (p != end) {
2157 MBEDTLS_SSL_DEBUG_MSG(1, ("EncryptedExtension lengths misaligned"));
2158 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
2159 MBEDTLS_ERR_SSL_DECODE_ERROR);
2160 return MBEDTLS_ERR_SSL_DECODE_ERROR;
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]2161 }
2162
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2163 return ret;
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]2164}
2165
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2166MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2167static int ssl_tls13_process_encrypted_extensions(mbedtls_ssl_context *ssl)
Ronald Cron9d6a5452022-05-30 16:05:38 +0200[diff] [blame]2168{
2169 int ret;
2170 unsigned char *buf;
2171 size_t buf_len;
Jerry Yu960b7eb2023-10-31 16:40:01 +0800[diff] [blame]2172 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
Ronald Cron9d6a5452022-05-30 16:05:38 +0200[diff] [blame]2173
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2174 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse encrypted extensions"));
Ronald Cron9d6a5452022-05-30 16:05:38 +0200[diff] [blame]2175
Xiaokang Qian958b6ff2023-03-29 10:37:35 +0000[diff] [blame]2176 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_tls13_fetch_handshake_msg(
2177 ssl, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS,
2178 &buf, &buf_len));
Ronald Cron9d6a5452022-05-30 16:05:38 +0200[diff] [blame]2179
2180 /* Process the message contents */
2181 MBEDTLS_SSL_PROC_CHK(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2182 ssl_tls13_parse_encrypted_extensions(ssl, buf, buf + buf_len));
Ronald Cron9d6a5452022-05-30 16:05:38 +0200[diff] [blame]2183
Xiaokang Qianb157e912022-11-23 08:12:26 +0000[diff] [blame]2184#if defined(MBEDTLS_SSL_EARLY_DATA)
Jerry Yu960b7eb2023-10-31 16:40:01 +0800[diff] [blame]2185 if (handshake->received_extensions & MBEDTLS_SSL_EXT_MASK(EARLY_DATA)) {
2186 /* RFC8446 4.2.11
2187 * If the server supplies an "early_data" extension, the
2188 * client MUST verify that the server's selected_identity
2189 * is 0. If any other value is returned, the client MUST
2190 * abort the handshake with an "illegal_parameter" alert.
2191 *
2192 * RFC 8446 4.2.10
2193 * In order to accept early data, the server MUST have accepted a PSK
2194 * cipher suite and selected the first key offered in the client's
2195 * "pre_shared_key" extension. In addition, it MUST verify that the
2196 * following values are the same as those associated with the
2197 * selected PSK:
2198 * - The TLS version number
2199 * - The selected cipher suite
2200 * - The selected ALPN [RFC7301] protocol, if any
2201 *
Yanray Wang03a00762023-12-01 17:40:19 +0800[diff] [blame]2202 * The server has sent an early data extension in its Encrypted
2203 * Extension message thus accepted to receive early data. We
2204 * check here that the additional constraints on the handshake
2205 * parameters, when early data are exchanged, are met,
2206 * namely:
Yanray Wang744577a2023-12-01 22:33:59 +0800[diff] [blame]2207 * - a PSK has been selected for the handshake
Yanray Wang03a00762023-12-01 17:40:19 +0800[diff] [blame]2208 * - the selected PSK for the handshake was the first one proposed
2209 * by the client.
2210 * - the selected ciphersuite for the handshake is the ciphersuite
2211 * associated with the selected PSK.
Jerry Yu960b7eb2023-10-31 16:40:01 +0800[diff] [blame]2212 */
Yanray Wang744577a2023-12-01 22:33:59 +0800[diff] [blame]2213 if ((!mbedtls_ssl_tls13_key_exchange_mode_with_psk(ssl)) ||
2214 handshake->selected_identity != 0 ||
Jerry Yu960b7eb2023-10-31 16:40:01 +0800[diff] [blame]2215 handshake->ciphersuite_info->id !=
2216 ssl->session_negotiate->ciphersuite) {
2217
2218 MBEDTLS_SSL_PEND_FATAL_ALERT(
2219 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
2220 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
2221 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
2222 }
2223
Xiaokang Qianb157e912022-11-23 08:12:26 +0000[diff] [blame]2224 ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED;
2225 }
2226#endif
2227
Yanray Wanga29db7d2023-11-30 14:06:14 +0800[diff] [blame]2228 /*
Yanray Wang9ae65342023-12-01 17:46:06 +0800[diff] [blame]2229 * In case the client has proposed a PSK associated with a ticket,
2230 * `ssl->session_negotiate->ciphersuite` still contains at this point the
2231 * identifier of the ciphersuite associated with the ticket. This is that
2232 * way because, if an exchange of early data is agreed upon, we need
2233 * it to check that the ciphersuite selected for the handshake is the
2234 * ticket ciphersuite (see above). This information is not needed
2235 * anymore thus we can now set it to the identifier of the ciphersuite
2236 * used in this session under negotiation.
Yanray Wanga29db7d2023-11-30 14:06:14 +0800[diff] [blame]2237 */
2238 ssl->session_negotiate->ciphersuite = handshake->ciphersuite_info->id;
2239
Xiaokang Qian958b6ff2023-03-29 10:37:35 +0000[diff] [blame]2240 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(
2241 ssl, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS,
2242 buf, buf_len));
Ronald Cron9d6a5452022-05-30 16:05:38 +0200[diff] [blame]2243
Ronald Cron928cbd32022-10-04 16:14:26 +0200[diff] [blame]2244#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2245 if (mbedtls_ssl_tls13_key_exchange_mode_with_psk(ssl)) {
2246 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_FINISHED);
2247 } else {
2248 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CERTIFICATE_REQUEST);
2249 }
Ronald Cronfb508b82022-05-31 14:49:55 +0200[diff] [blame]2250#else
2251 ((void) ssl);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2252 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_FINISHED);
Ronald Cronfb508b82022-05-31 14:49:55 +0200[diff] [blame]2253#endif
Ronald Cron9d6a5452022-05-30 16:05:38 +0200[diff] [blame]2254
2255cleanup:
2256
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2257 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse encrypted extensions"));
2258 return ret;
Ronald Cron9d6a5452022-05-30 16:05:38 +0200[diff] [blame]2259
2260}
2261
Xiaokang Qian125afcb2022-10-28 06:04:06 +0000[diff] [blame]2262/*
2263 * Handler for MBEDTLS_SSL_END_OF_EARLY_DATA
2264 *
Xiaokang Qianc81a15a2022-12-19 02:43:33 +0000[diff] [blame]2265 * RFC 8446 section 4.5
Xiaokang Qian125afcb2022-10-28 06:04:06 +0000[diff] [blame]2266 *
Xiaokang Qian125afcb2022-10-28 06:04:06 +0000[diff] [blame]2267 * struct {} EndOfEarlyData;
Xiaokang Qianc81a15a2022-12-19 02:43:33 +0000[diff] [blame]2268 *
2269 * If the server sent an "early_data" extension in EncryptedExtensions, the
2270 * client MUST send an EndOfEarlyData message after receiving the server
2271 * Finished. Otherwise, the client MUST NOT send an EndOfEarlyData message.
Xiaokang Qian125afcb2022-10-28 06:04:06 +0000[diff] [blame]2272 */
2273
Xiaokang Qian125afcb2022-10-28 06:04:06 +0000[diff] [blame]2274MBEDTLS_CHECK_RETURN_CRITICAL
Xiaokang Qian125afcb2022-10-28 06:04:06 +0000[diff] [blame]2275static int ssl_tls13_write_end_of_early_data(mbedtls_ssl_context *ssl)
2276{
2277 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Xiaokang Qian742578c2022-12-19 06:34:44 +0000[diff] [blame]2278 unsigned char *buf = NULL;
2279 size_t buf_len;
Xiaokang Qian57a138d2022-12-19 06:40:47 +0000[diff] [blame]2280 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write EndOfEarlyData"));
Xiaokang Qian125afcb2022-10-28 06:04:06 +0000[diff] [blame]2281
Xiaokang Qian742578c2022-12-19 06:34:44 +0000[diff] [blame]2282 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_start_handshake_msg(
Xiaokang Qian0de0d862023-02-08 06:04:50 +0000[diff] [blame]2283 ssl, MBEDTLS_SSL_HS_END_OF_EARLY_DATA,
2284 &buf, &buf_len));
Xiaokang Qian125afcb2022-10-28 06:04:06 +0000[diff] [blame]2285
Manuel Pégourié-Gonnard63e33dd2023-02-21 15:45:15 +0100[diff] [blame]2286 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_hdr_to_checksum(
2287 ssl, MBEDTLS_SSL_HS_END_OF_EARLY_DATA, 0));
Xiaokang Qian125afcb2022-10-28 06:04:06 +0000[diff] [blame]2288
Xiaokang Qian742578c2022-12-19 06:34:44 +0000[diff] [blame]2289 MBEDTLS_SSL_PROC_CHK(
2290 mbedtls_ssl_finish_handshake_msg(ssl, buf_len, 0));
Xiaokang Qianda8402d2022-12-15 14:55:35 +0000[diff] [blame]2291
Xiaokang Qian19d44162023-01-03 03:39:50 +0000[diff] [blame]2292 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE);
Xiaokang Qian125afcb2022-10-28 06:04:06 +0000[diff] [blame]2293
2294cleanup:
2295
2296 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write EndOfEarlyData"));
2297 return ret;
2298}
2299
Ronald Cron928cbd32022-10-04 16:14:26 +0200[diff] [blame]2300#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2301/*
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2302 * STATE HANDLING: CertificateRequest
2303 *
Jerry Yud2674312021-10-29 10:08:19 +0800[diff] [blame]2304 */
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]2305#define SSL_CERTIFICATE_REQUEST_EXPECT_REQUEST 0
2306#define SSL_CERTIFICATE_REQUEST_SKIP 1
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2307/* Coordination:
2308 * Deals with the ambiguity of not knowing if a CertificateRequest
2309 * will be sent. Returns a negative code on failure, or
2310 * - SSL_CERTIFICATE_REQUEST_EXPECT_REQUEST
2311 * - SSL_CERTIFICATE_REQUEST_SKIP
2312 * indicating if a Certificate Request is expected or not.
2313 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2314MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2315static int ssl_tls13_certificate_request_coordinate(mbedtls_ssl_context *ssl)
Jerry Yud2674312021-10-29 10:08:19 +0800[diff] [blame]2316{
Xiaofei Baide3f13e2022-01-18 05:47:05 +0000[diff] [blame]2317 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yud2674312021-10-29 10:08:19 +0800[diff] [blame]2318
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2319 if ((ret = mbedtls_ssl_read_record(ssl, 0)) != 0) {
2320 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);
2321 return ret;
Jerry Yud2674312021-10-29 10:08:19 +0800[diff] [blame]2322 }
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2323 ssl->keep_current_message = 1;
Jerry Yud2674312021-10-29 10:08:19 +0800[diff] [blame]2324
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2325 if ((ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE) &&
2326 (ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE_REQUEST)) {
2327 MBEDTLS_SSL_DEBUG_MSG(3, ("got a certificate request"));
2328 return SSL_CERTIFICATE_REQUEST_EXPECT_REQUEST;
Jerry Yud2674312021-10-29 10:08:19 +0800[diff] [blame]2329 }
2330
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2331 MBEDTLS_SSL_DEBUG_MSG(3, ("got no certificate request"));
Ronald Cron19385882022-06-15 16:26:13 +0200[diff] [blame]2332
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2333 return SSL_CERTIFICATE_REQUEST_SKIP;
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2334}
2335
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2336/*
2337 * ssl_tls13_parse_certificate_request()
2338 * Parse certificate request
2339 * struct {
2340 * opaque certificate_request_context<0..2^8-1>;
2341 * Extension extensions<2..2^16-1>;
2342 * } CertificateRequest;
2343 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2344MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2345static int ssl_tls13_parse_certificate_request(mbedtls_ssl_context *ssl,
2346 const unsigned char *buf,
2347 const unsigned char *end)
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2348{
2349 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2350 const unsigned char *p = buf;
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2351 size_t certificate_request_context_len = 0;
Xiaofei Bai82f0a9a2022-01-26 09:21:54 +0000[diff] [blame]2352 size_t extensions_len = 0;
2353 const unsigned char *extensions_end;
Jerry Yuc4bf5d62022-10-29 09:08:47 +0800[diff] [blame]2354 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2355
Xiaofei Bai82f0a9a2022-01-26 09:21:54 +0000[diff] [blame]2356 /* ...
2357 * opaque certificate_request_context<0..2^8-1>
2358 * ...
2359 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2360 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 1);
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2361 certificate_request_context_len = (size_t) p[0];
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]2362 p += 1;
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2363
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2364 if (certificate_request_context_len > 0) {
2365 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, certificate_request_context_len);
2366 MBEDTLS_SSL_DEBUG_BUF(3, "Certificate Request Context",
2367 p, certificate_request_context_len);
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2368
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]2369 handshake->certificate_request_context =
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2370 mbedtls_calloc(1, certificate_request_context_len);
2371 if (handshake->certificate_request_context == NULL) {
2372 MBEDTLS_SSL_DEBUG_MSG(1, ("buffer too small"));
2373 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2374 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2375 memcpy(handshake->certificate_request_context, p,
2376 certificate_request_context_len);
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2377 p += certificate_request_context_len;
2378 }
2379
Xiaofei Bai82f0a9a2022-01-26 09:21:54 +0000[diff] [blame]2380 /* ...
2381 * Extension extensions<2..2^16-1>;
2382 * ...
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2383 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2384 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
2385 extensions_len = MBEDTLS_GET_UINT16_BE(p, 0);
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2386 p += 2;
2387
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2388 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, extensions_len);
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2389 extensions_end = p + extensions_len;
2390
Jerry Yu6d0e78b2022-10-31 14:13:25 +0800[diff] [blame]2391 handshake->received_extensions = MBEDTLS_SSL_EXT_MASK_NONE;
Jerry Yuc55a6af2022-08-04 17:01:21 +0800[diff] [blame]2392
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2393 while (p < extensions_end) {
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2394 unsigned int extension_type;
2395 size_t extension_data_len;
2396
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2397 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, extensions_end, 4);
2398 extension_type = MBEDTLS_GET_UINT16_BE(p, 0);
2399 extension_data_len = MBEDTLS_GET_UINT16_BE(p, 2);
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2400 p += 4;
2401
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2402 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, extensions_end, extension_data_len);
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2403
Jerry Yuc4bf5d62022-10-29 09:08:47 +0800[diff] [blame]2404 ret = mbedtls_ssl_tls13_check_received_extension(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2405 ssl, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST, extension_type,
2406 MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CR);
2407 if (ret != 0) {
2408 return ret;
2409 }
Jerry Yuc55a6af2022-08-04 17:01:21 +0800[diff] [blame]2410
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2411 switch (extension_type) {
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2412 case MBEDTLS_TLS_EXT_SIG_ALG:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2413 MBEDTLS_SSL_DEBUG_MSG(3,
2414 ("found signature algorithms extension"));
2415 ret = mbedtls_ssl_parse_sig_alg_ext(ssl, p,
2416 p + extension_data_len);
2417 if (ret != 0) {
2418 return ret;
2419 }
Jerry Yuc55a6af2022-08-04 17:01:21 +0800[diff] [blame]2420
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2421 break;
2422
2423 default:
Jerry Yu79aa7212022-11-08 21:30:21 +0800[diff] [blame]2424 MBEDTLS_SSL_PRINT_EXT(
Jerry Yu6d0e78b2022-10-31 14:13:25 +0800[diff] [blame]2425 3, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2426 extension_type, "( ignored )");
Xiaofei Bai82f0a9a2022-01-26 09:21:54 +0000[diff] [blame]2427 break;
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2428 }
Jerry Yuc55a6af2022-08-04 17:01:21 +0800[diff] [blame]2429
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2430 p += extension_data_len;
2431 }
Jerry Yuc55a6af2022-08-04 17:01:21 +0800[diff] [blame]2432
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2433 MBEDTLS_SSL_PRINT_EXTS(3, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST,
2434 handshake->received_extensions);
Jerry Yuc55a6af2022-08-04 17:01:21 +0800[diff] [blame]2435
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]2436 /* Check that we consumed all the message. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2437 if (p != end) {
2438 MBEDTLS_SSL_DEBUG_MSG(1,
2439 ("CertificateRequest misaligned"));
Xiaofei Baic234ecf2022-02-08 09:59:23 +0000[diff] [blame]2440 goto decode_error;
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]2441 }
Jerry Yuc55a6af2022-08-04 17:01:21 +0800[diff] [blame]2442
Jerry Yu0c354a22022-08-29 15:25:36 +0800[diff] [blame]2443 /* RFC 8446 section 4.3.2
Jerry Yuc55a6af2022-08-04 17:01:21 +0800[diff] [blame]2444 *
2445 * The "signature_algorithms" extension MUST be specified
2446 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2447 if ((handshake->received_extensions & MBEDTLS_SSL_EXT_MASK(SIG_ALG)) == 0) {
2448 MBEDTLS_SSL_DEBUG_MSG(3,
2449 ("no signature algorithms extension found"));
Xiaofei Baic234ecf2022-02-08 09:59:23 +0000[diff] [blame]2450 goto decode_error;
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]2451 }
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2452
Jerry Yu7840f812022-01-29 10:26:51 +0800[diff] [blame]2453 ssl->handshake->client_auth = 1;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2454 return 0;
Xiaofei Bai51f515a2022-02-08 07:28:04 +0000[diff] [blame]2455
Xiaofei Baic234ecf2022-02-08 09:59:23 +0000[diff] [blame]2456decode_error:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2457 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
2458 MBEDTLS_ERR_SSL_DECODE_ERROR);
2459 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2460}
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2461
Xiaofei Baide3f13e2022-01-18 05:47:05 +0000[diff] [blame]2462/*
2463 * Handler for MBEDTLS_SSL_CERTIFICATE_REQUEST
2464 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2465MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2466static int ssl_tls13_process_certificate_request(mbedtls_ssl_context *ssl)
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2467{
Xiaofei Baide3f13e2022-01-18 05:47:05 +0000[diff] [blame]2468 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2469
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2470 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate request"));
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2471
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2472 MBEDTLS_SSL_PROC_CHK_NEG(ssl_tls13_certificate_request_coordinate(ssl));
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2473
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2474 if (ret == SSL_CERTIFICATE_REQUEST_EXPECT_REQUEST) {
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2475 unsigned char *buf;
2476 size_t buf_len;
2477
Xiaokang Qian958b6ff2023-03-29 10:37:35 +0000[diff] [blame]2478 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_tls13_fetch_handshake_msg(
2479 ssl, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST,
2480 &buf, &buf_len));
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2481
Xiaokang Qian958b6ff2023-03-29 10:37:35 +0000[diff] [blame]2482 MBEDTLS_SSL_PROC_CHK(ssl_tls13_parse_certificate_request(
2483 ssl, buf, buf + buf_len));
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2484
Xiaokang Qian958b6ff2023-03-29 10:37:35 +0000[diff] [blame]2485 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(
2486 ssl, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST,
2487 buf, buf_len));
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2488 } else if (ret == SSL_CERTIFICATE_REQUEST_SKIP) {
Xiaofei Baif6d36962022-01-16 14:54:35 +0000[diff] [blame]2489 ret = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2490 } else {
2491 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
Xiaofei Bai51f515a2022-02-08 07:28:04 +0000[diff] [blame]2492 ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
2493 goto cleanup;
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2494 }
2495
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2496 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_CERTIFICATE);
Jerry Yud2674312021-10-29 10:08:19 +0800[diff] [blame]2497
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2498cleanup:
2499
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2500 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse certificate request"));
2501 return ret;
Jerry Yud2674312021-10-29 10:08:19 +0800[diff] [blame]2502}
2503
2504/*
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2505 * Handler for MBEDTLS_SSL_SERVER_CERTIFICATE
2506 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2507MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2508static int ssl_tls13_process_server_certificate(mbedtls_ssl_context *ssl)
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2509{
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]2510 int ret;
2511
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2512 ret = mbedtls_ssl_tls13_process_certificate(ssl);
2513 if (ret != 0) {
2514 return ret;
2515 }
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]2516
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2517 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CERTIFICATE_VERIFY);
2518 return 0;
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2519}
2520
2521/*
2522 * Handler for MBEDTLS_SSL_CERTIFICATE_VERIFY
2523 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2524MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2525static int ssl_tls13_process_certificate_verify(mbedtls_ssl_context *ssl)
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2526{
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]2527 int ret;
2528
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2529 ret = mbedtls_ssl_tls13_process_certificate_verify(ssl);
2530 if (ret != 0) {
2531 return ret;
2532 }
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]2533
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2534 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_FINISHED);
2535 return 0;
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2536}
Ronald Cron928cbd32022-10-04 16:14:26 +0200[diff] [blame]2537#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
Ronald Crond4c64022021-12-06 09:06:46 +0100[diff] [blame]2538
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2539/*
2540 * Handler for MBEDTLS_SSL_SERVER_FINISHED
2541 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2542MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2543static int ssl_tls13_process_server_finished(mbedtls_ssl_context *ssl)
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2544{
XiaokangQianac0385c2021-11-03 06:40:11 +0000[diff] [blame]2545 int ret;
2546
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2547 ret = mbedtls_ssl_tls13_process_finished_message(ssl);
2548 if (ret != 0) {
2549 return ret;
2550 }
XiaokangQianac0385c2021-11-03 06:40:11 +0000[diff] [blame]2551
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2552 ret = mbedtls_ssl_tls13_compute_application_transform(ssl);
2553 if (ret != 0) {
Jerry Yue3d67cb2022-05-19 15:33:10 +0800[diff] [blame]2554 MBEDTLS_SSL_PEND_FATAL_ALERT(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2555 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
2556 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE);
2557 return ret;
Jerry Yue3d67cb2022-05-19 15:33:10 +0800[diff] [blame]2558 }
2559
Xiaokang Qianbc75bc02022-12-19 06:16:42 +0000[diff] [blame]2560#if defined(MBEDTLS_SSL_EARLY_DATA)
2561 if (ssl->early_data_status == MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED) {
2562 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_END_OF_EARLY_DATA);
Xiaokang Qianbd0ab062023-02-02 05:56:30 +0000[diff] [blame]2563 } else if (ssl->early_data_status == MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED) {
2564 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE);
Xiaokang Qianbc75bc02022-12-19 06:16:42 +0000[diff] [blame]2565 } else
2566#endif /* MBEDTLS_SSL_EARLY_DATA */
2567 {
2568#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
2569 mbedtls_ssl_handshake_set_state(
2570 ssl, MBEDTLS_SSL_CLIENT_CCS_AFTER_SERVER_FINISHED);
2571#else
2572 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE);
2573#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
2574 }
Ronald Cron49ad6192021-11-24 16:25:31 +0100[diff] [blame]2575
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2576 return 0;
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2577}
2578
2579/*
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]2580 * Handler for MBEDTLS_SSL_CLIENT_CERTIFICATE
2581 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2582MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2583static int ssl_tls13_write_client_certificate(mbedtls_ssl_context *ssl)
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]2584{
Ronald Cron7a94aca2022-03-09 07:44:27 +0100[diff] [blame]2585 int non_empty_certificate_msg = 0;
2586
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2587 MBEDTLS_SSL_DEBUG_MSG(1,
2588 ("Switch to handshake traffic keys for outbound traffic"));
2589 mbedtls_ssl_set_outbound_transform(ssl, ssl->handshake->transform_handshake);
Jerry Yu5cc35062022-01-28 16:16:08 +0800[diff] [blame]2590
Ronald Cron928cbd32022-10-04 16:14:26 +0200[diff] [blame]2591#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2592 if (ssl->handshake->client_auth) {
2593 int ret = mbedtls_ssl_tls13_write_certificate(ssl);
2594 if (ret != 0) {
2595 return ret;
2596 }
Ronald Cron5bb8fc82022-03-09 07:00:13 +0100[diff] [blame]2597
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2598 if (mbedtls_ssl_own_cert(ssl) != NULL) {
Ronald Cron7a94aca2022-03-09 07:44:27 +0100[diff] [blame]2599 non_empty_certificate_msg = 1;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2600 }
2601 } else {
2602 MBEDTLS_SSL_DEBUG_MSG(2, ("skip write certificate"));
Ronald Cron7a94aca2022-03-09 07:44:27 +0100[diff] [blame]2603 }
Ronald Cron9df7c802022-03-08 18:38:54 +0100[diff] [blame]2604#endif
Ronald Cron5bb8fc82022-03-09 07:00:13 +0100[diff] [blame]2605
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2606 if (non_empty_certificate_msg) {
2607 mbedtls_ssl_handshake_set_state(ssl,
2608 MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY);
2609 } else {
2610 MBEDTLS_SSL_DEBUG_MSG(2, ("skip write certificate verify"));
2611 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_FINISHED);
2612 }
Ronald Cron7a94aca2022-03-09 07:44:27 +0100[diff] [blame]2613
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2614 return 0;
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]2615}
2616
Ronald Cron928cbd32022-10-04 16:14:26 +0200[diff] [blame]2617#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]2618/*
2619 * Handler for MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY
2620 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2621MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2622static int ssl_tls13_write_client_certificate_verify(mbedtls_ssl_context *ssl)
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]2623{
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2624 int ret = mbedtls_ssl_tls13_write_certificate_verify(ssl);
Ronald Crona8b38872022-03-09 07:59:25 +0100[diff] [blame]2625
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2626 if (ret == 0) {
2627 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_FINISHED);
2628 }
Ronald Crona8b38872022-03-09 07:59:25 +0100[diff] [blame]2629
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2630 return ret;
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]2631}
Ronald Cron928cbd32022-10-04 16:14:26 +0200[diff] [blame]2632#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]2633
2634/*
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2635 * Handler for MBEDTLS_SSL_CLIENT_FINISHED
2636 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2637MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2638static int ssl_tls13_write_client_finished(mbedtls_ssl_context *ssl)
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2639{
XiaokangQian0fa66432021-11-15 03:33:57 +0000[diff] [blame]2640 int ret;
2641
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2642 ret = mbedtls_ssl_tls13_write_finished_message(ssl);
2643 if (ret != 0) {
2644 return ret;
Jerry Yue3d67cb2022-05-19 15:33:10 +0800[diff] [blame]2645 }
2646
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2647 ret = mbedtls_ssl_tls13_compute_resumption_master_secret(ssl);
2648 if (ret != 0) {
Xiaokang Qian958b6ff2023-03-29 10:37:35 +0000[diff] [blame]2649 MBEDTLS_SSL_DEBUG_RET(
2650 1, "mbedtls_ssl_tls13_compute_resumption_master_secret ", ret);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2651 return ret;
2652 }
2653
2654 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_FLUSH_BUFFERS);
2655 return 0;
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2656}
2657
2658/*
2659 * Handler for MBEDTLS_SSL_FLUSH_BUFFERS
2660 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2661MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2662static int ssl_tls13_flush_buffers(mbedtls_ssl_context *ssl)
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2663{
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2664 MBEDTLS_SSL_DEBUG_MSG(2, ("handshake: done"));
2665 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_WRAPUP);
2666 return 0;
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2667}
2668
2669/*
2670 * Handler for MBEDTLS_SSL_HANDSHAKE_WRAPUP
2671 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2672MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2673static int ssl_tls13_handshake_wrapup(mbedtls_ssl_context *ssl)
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2674{
Jerry Yu378254d2021-10-30 21:44:47 +0800[diff] [blame]2675
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2676 mbedtls_ssl_tls13_handshake_wrapup(ssl);
Jerry Yu378254d2021-10-30 21:44:47 +0800[diff] [blame]2677
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2678 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_OVER);
2679 return 0;
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2680}
2681
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2682#if defined(MBEDTLS_SSL_SESSION_TICKETS)
2683
Yanray Wang920db452023-11-14 17:20:16 +0800[diff] [blame]2684#if defined(MBEDTLS_SSL_EARLY_DATA)
2685/* From RFC 8446 section 4.2.10
2686 *
2687 * struct {
2688 * select (Handshake.msg_type) {
2689 * case new_session_ticket: uint32 max_early_data_size;
2690 * ...
2691 * };
2692 * } EarlyDataIndication;
2693 */
2694MBEDTLS_CHECK_RETURN_CRITICAL
Yanray Wangb3e207d2023-11-30 16:49:49 +0800[diff] [blame]2695static int ssl_tls13_parse_new_session_ticket_early_data_ext(
2696 mbedtls_ssl_context *ssl,
2697 const unsigned char *buf,
2698 const unsigned char *end)
Yanray Wang920db452023-11-14 17:20:16 +0800[diff] [blame]2699{
Yanray Wangd0120842023-11-23 16:35:54 +0800[diff] [blame]2700 mbedtls_ssl_session *session = ssl->session;
2701
Yanray Wang920db452023-11-14 17:20:16 +0800[diff] [blame]2702 MBEDTLS_SSL_CHK_BUF_READ_PTR(buf, end, 4);
Yanray Wang920db452023-11-14 17:20:16 +0800[diff] [blame]2703
Yanray Wangd0120842023-11-23 16:35:54 +0800[diff] [blame]2704 session->max_early_data_size = MBEDTLS_GET_UINT32_BE(buf, 0);
Pengyu Lv94a42cc2023-12-06 10:04:17 +0800[diff] [blame]2705 mbedtls_ssl_tls13_session_set_ticket_flags(
Yanray Wangd0120842023-11-23 16:35:54 +0800[diff] [blame]2706 session, MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_EARLY_DATA);
2707 MBEDTLS_SSL_DEBUG_MSG(
2708 3, ("received max_early_data_size: %u",
2709 (unsigned int) session->max_early_data_size));
Yanray Wang920db452023-11-14 17:20:16 +0800[diff] [blame]2710
Yanray Wangd0120842023-11-23 16:35:54 +0800[diff] [blame]2711 return 0;
Yanray Wang920db452023-11-14 17:20:16 +0800[diff] [blame]2712}
2713#endif /* MBEDTLS_SSL_EARLY_DATA */
2714
Jerry Yua0446a02022-07-13 11:22:55 +0800[diff] [blame]2715MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2716static int ssl_tls13_parse_new_session_ticket_exts(mbedtls_ssl_context *ssl,
2717 const unsigned char *buf,
2718 const unsigned char *end)
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2719{
Jerry Yuc4bf5d62022-10-29 09:08:47 +0800[diff] [blame]2720 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
Jerry Yuaf2c0c82022-07-12 05:47:21 +0000[diff] [blame]2721 const unsigned char *p = buf;
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2722
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2723
Jerry Yuedab6372022-10-31 14:37:31 +0800[diff] [blame]2724 handshake->received_extensions = MBEDTLS_SSL_EXT_MASK_NONE;
Jerry Yu6ba9f1c2022-08-04 17:53:25 +0800[diff] [blame]2725
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2726 while (p < end) {
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2727 unsigned int extension_type;
2728 size_t extension_data_len;
Jerry Yu0c354a22022-08-29 15:25:36 +0800[diff] [blame]2729 int ret;
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2730
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2731 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 4);
2732 extension_type = MBEDTLS_GET_UINT16_BE(p, 0);
2733 extension_data_len = MBEDTLS_GET_UINT16_BE(p, 2);
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2734 p += 4;
2735
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2736 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, extension_data_len);
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2737
Jerry Yuc4bf5d62022-10-29 09:08:47 +0800[diff] [blame]2738 ret = mbedtls_ssl_tls13_check_received_extension(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2739 ssl, MBEDTLS_SSL_HS_NEW_SESSION_TICKET, extension_type,
2740 MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_NST);
2741 if (ret != 0) {
2742 return ret;
2743 }
Jerry Yu6ba9f1c2022-08-04 17:53:25 +0800[diff] [blame]2744
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2745 switch (extension_type) {
Xiaokang Qian0cc43202022-11-16 08:43:50 +0000[diff] [blame]2746#if defined(MBEDTLS_SSL_EARLY_DATA)
Xiaokang Qianf447e8a2022-11-08 07:02:27 +0000[diff] [blame]2747 case MBEDTLS_TLS_EXT_EARLY_DATA:
Yanray Wangb3e207d2023-11-30 16:49:49 +0800[diff] [blame]2748 ret = ssl_tls13_parse_new_session_ticket_early_data_ext(
Yanray Wang920db452023-11-14 17:20:16 +0800[diff] [blame]2749 ssl, p, p + extension_data_len);
2750 if (ret != 0) {
2751 MBEDTLS_SSL_DEBUG_RET(
Yanray Wangb3e207d2023-11-30 16:49:49 +0800[diff] [blame]2752 1, "ssl_tls13_parse_new_session_ticket_early_data_ext",
2753 ret);
Xiaokang Qian2d87a9e2022-11-09 07:55:48 +0000[diff] [blame]2754 }
Xiaokang Qianf447e8a2022-11-08 07:02:27 +0000[diff] [blame]2755 break;
Xiaokang Qian0cc43202022-11-16 08:43:50 +0000[diff] [blame]2756#endif /* MBEDTLS_SSL_EARLY_DATA */
Xiaokang Qianf447e8a2022-11-08 07:02:27 +0000[diff] [blame]2757
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2758 default:
Jerry Yu79aa7212022-11-08 21:30:21 +0800[diff] [blame]2759 MBEDTLS_SSL_PRINT_EXT(
Jerry Yuedab6372022-10-31 14:37:31 +0800[diff] [blame]2760 3, MBEDTLS_SSL_HS_NEW_SESSION_TICKET,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2761 extension_type, "( ignored )");
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2762 break;
2763 }
Jerry Yu6ba9f1c2022-08-04 17:53:25 +0800[diff] [blame]2764
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2765 p += extension_data_len;
2766 }
2767
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2768 MBEDTLS_SSL_PRINT_EXTS(3, MBEDTLS_SSL_HS_NEW_SESSION_TICKET,
2769 handshake->received_extensions);
Jerry Yu6ba9f1c2022-08-04 17:53:25 +0800[diff] [blame]2770
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2771 return 0;
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2772}
2773
2774/*
Jerry Yu08aed4d2022-07-20 10:36:12 +0800[diff] [blame]2775 * From RFC8446, page 74
2776 *
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2777 * struct {
2778 * uint32 ticket_lifetime;
2779 * uint32 ticket_age_add;
2780 * opaque ticket_nonce<0..255>;
2781 * opaque ticket<1..2^16-1>;
2782 * Extension extensions<0..2^16-2>;
2783 * } NewSessionTicket;
2784 *
2785 */
Jerry Yua0446a02022-07-13 11:22:55 +0800[diff] [blame]2786MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2787static int ssl_tls13_parse_new_session_ticket(mbedtls_ssl_context *ssl,
2788 unsigned char *buf,
2789 unsigned char *end,
2790 unsigned char **ticket_nonce,
2791 size_t *ticket_nonce_len)
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2792{
2793 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2794 unsigned char *p = buf;
2795 mbedtls_ssl_session *session = ssl->session;
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2796 size_t ticket_len;
2797 unsigned char *ticket;
2798 size_t extensions_len;
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2799
Jerry Yucb3b1392022-07-12 06:09:38 +0000[diff] [blame]2800 *ticket_nonce = NULL;
2801 *ticket_nonce_len = 0;
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2802 /*
2803 * ticket_lifetime 4 bytes
2804 * ticket_age_add 4 bytes
Jerry Yu08aed4d2022-07-20 10:36:12 +0800[diff] [blame]2805 * ticket_nonce_len 1 byte
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2806 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2807 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 9);
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2808
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2809 session->ticket_lifetime = MBEDTLS_GET_UINT32_BE(p, 0);
2810 MBEDTLS_SSL_DEBUG_MSG(3,
2811 ("ticket_lifetime: %u",
2812 (unsigned int) session->ticket_lifetime));
Jerry Yu8e0174a2023-11-10 13:58:16 +0800[diff] [blame]2813 if (session->ticket_lifetime >
2814 MBEDTLS_SSL_TLS1_3_MAX_ALLOWED_TICKET_LIFETIME) {
Jerry Yu46c79262023-11-10 13:58:16 +0800[diff] [blame]2815 MBEDTLS_SSL_DEBUG_MSG(3, ("ticket_lifetime exceeds 7 days."));
Jerry Yucf913512023-11-14 11:06:52 +0800[diff] [blame]2816 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Jerry Yu46c79262023-11-10 13:58:16 +0800[diff] [blame]2817 }
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2818
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2819 session->ticket_age_add = MBEDTLS_GET_UINT32_BE(p, 4);
2820 MBEDTLS_SSL_DEBUG_MSG(3,
2821 ("ticket_age_add: %u",
2822 (unsigned int) session->ticket_age_add));
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2823
Jerry Yucb3b1392022-07-12 06:09:38 +0000[diff] [blame]2824 *ticket_nonce_len = p[8];
2825 p += 9;
2826
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2827 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, *ticket_nonce_len);
Jerry Yucb3b1392022-07-12 06:09:38 +0000[diff] [blame]2828 *ticket_nonce = p;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2829 MBEDTLS_SSL_DEBUG_BUF(3, "ticket_nonce:", *ticket_nonce, *ticket_nonce_len);
Jerry Yucb3b1392022-07-12 06:09:38 +0000[diff] [blame]2830 p += *ticket_nonce_len;
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2831
2832 /* Ticket */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2833 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
2834 ticket_len = MBEDTLS_GET_UINT16_BE(p, 0);
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2835 p += 2;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2836 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, ticket_len);
2837 MBEDTLS_SSL_DEBUG_BUF(3, "received ticket", p, ticket_len);
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2838
2839 /* Check if we previously received a ticket already. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2840 if (session->ticket != NULL || session->ticket_len > 0) {
2841 mbedtls_free(session->ticket);
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2842 session->ticket = NULL;
2843 session->ticket_len = 0;
2844 }
2845
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2846 if ((ticket = mbedtls_calloc(1, ticket_len)) == NULL) {
2847 MBEDTLS_SSL_DEBUG_MSG(1, ("ticket alloc failed"));
2848 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2849 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2850 memcpy(ticket, p, ticket_len);
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2851 p += ticket_len;
2852 session->ticket = ticket;
2853 session->ticket_len = ticket_len;
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2854
Pengyu Lv9f926952022-11-17 15:22:33 +0800[diff] [blame]2855 /* Clear all flags in ticket_flags */
Pengyu Lv94a42cc2023-12-06 10:04:17 +0800[diff] [blame]2856 mbedtls_ssl_tls13_session_clear_ticket_flags(
Pengyu Lv9eacb442022-12-09 14:39:19 +0800[diff] [blame]2857 session, MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK);
Pengyu Lv9f926952022-11-17 15:22:33 +0800[diff] [blame]2858
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2859 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
2860 extensions_len = MBEDTLS_GET_UINT16_BE(p, 0);
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2861 p += 2;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2862 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, extensions_len);
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2863
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2864 MBEDTLS_SSL_DEBUG_BUF(3, "ticket extension", p, extensions_len);
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2865
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2866 ret = ssl_tls13_parse_new_session_ticket_exts(ssl, p, p + extensions_len);
2867 if (ret != 0) {
2868 MBEDTLS_SSL_DEBUG_RET(1,
2869 "ssl_tls13_parse_new_session_ticket_exts",
2870 ret);
2871 return ret;
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2872 }
Jerry Yucb3b1392022-07-12 06:09:38 +0000[diff] [blame]2873
Jerry Yudb8c5fa2022-08-03 12:10:13 +0800[diff] [blame]2874 /* session has been updated, allow export */
2875 session->exported = 0;
2876
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2877 return 0;
Jerry Yucb3b1392022-07-12 06:09:38 +0000[diff] [blame]2878}
2879
Jerry Yua0446a02022-07-13 11:22:55 +0800[diff] [blame]2880MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2881static int ssl_tls13_postprocess_new_session_ticket(mbedtls_ssl_context *ssl,
2882 unsigned char *ticket_nonce,
2883 size_t ticket_nonce_len)
Jerry Yucb3b1392022-07-12 06:09:38 +0000[diff] [blame]2884{
2885 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2886 mbedtls_ssl_session *session = ssl->session;
2887 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
2888 psa_algorithm_t psa_hash_alg;
2889 int hash_length;
2890
Jerry Yu4e6c42a2022-07-13 11:16:51 +0800[diff] [blame]2891#if defined(MBEDTLS_HAVE_TIME)
2892 /* Store ticket creation time */
Jerry Yu342a5552023-11-10 14:23:39 +0800[diff] [blame]2893 session->ticket_reception_time = mbedtls_ms_time();
Jerry Yu4e6c42a2022-07-13 11:16:51 +0800[diff] [blame]2894#endif
2895
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2896 ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(session->ciphersuite);
2897 if (ciphersuite_info == NULL) {
2898 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
2899 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2900 }
2901
Dave Rodgman2eab4622023-10-05 13:30:37 +0100[diff] [blame]2902 psa_hash_alg = mbedtls_md_psa_alg_from_type((mbedtls_md_type_t) ciphersuite_info->mac);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2903 hash_length = PSA_HASH_LENGTH(psa_hash_alg);
2904 if (hash_length == -1 ||
2905 (size_t) hash_length > sizeof(session->resumption_key)) {
2906 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Jerry Yu3afdf362022-07-20 17:34:14 +0800[diff] [blame]2907 }
2908
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2909
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2910 MBEDTLS_SSL_DEBUG_BUF(3, "resumption_master_secret",
2911 session->app_secrets.resumption_master_secret,
2912 hash_length);
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2913
Jerry Yu4e6c42a2022-07-13 11:16:51 +0800[diff] [blame]2914 /* Compute resumption key
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2915 *
2916 * HKDF-Expand-Label( resumption_master_secret,
2917 * "resumption", ticket_nonce, Hash.length )
2918 */
2919 ret = mbedtls_ssl_tls13_hkdf_expand_label(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2920 psa_hash_alg,
2921 session->app_secrets.resumption_master_secret,
2922 hash_length,
2923 MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(resumption),
2924 ticket_nonce,
2925 ticket_nonce_len,
2926 session->resumption_key,
2927 hash_length);
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2928
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2929 if (ret != 0) {
2930 MBEDTLS_SSL_DEBUG_RET(2,
2931 "Creating the ticket-resumed PSK failed",
2932 ret);
2933 return ret;
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2934 }
2935
Jerry Yu0a430c82022-07-20 11:02:48 +0800[diff] [blame]2936 session->resumption_key_len = hash_length;
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2937
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2938 MBEDTLS_SSL_DEBUG_BUF(3, "Ticket-resumed PSK",
2939 session->resumption_key,
2940 session->resumption_key_len);
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2941
Pengyu Lv9f926952022-11-17 15:22:33 +0800[diff] [blame]2942 /* Set ticket_flags depends on the selected key exchange modes */
Pengyu Lv94a42cc2023-12-06 10:04:17 +0800[diff] [blame]2943 mbedtls_ssl_tls13_session_set_ticket_flags(
Pengyu Lv9eacb442022-12-09 14:39:19 +0800[diff] [blame]2944 session, ssl->conf->tls13_kex_modes);
Pengyu Lv4938a562023-01-16 11:28:49 +0800[diff] [blame]2945 MBEDTLS_SSL_PRINT_TICKET_FLAGS(4, session->ticket_flags);
Pengyu Lv9f926952022-11-17 15:22:33 +0800[diff] [blame]2946
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2947 return 0;
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2948}
2949
2950/*
Jerry Yua8d3c502022-10-30 14:51:23 +0800[diff] [blame]2951 * Handler for MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2952 */
Jerry Yua0446a02022-07-13 11:22:55 +0800[diff] [blame]2953MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2954static int ssl_tls13_process_new_session_ticket(mbedtls_ssl_context *ssl)
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2955{
2956 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2957 unsigned char *buf;
2958 size_t buf_len;
Jerry Yucb3b1392022-07-12 06:09:38 +0000[diff] [blame]2959 unsigned char *ticket_nonce;
2960 size_t ticket_nonce_len;
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2961
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2962 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse new session ticket"));
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2963
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2964 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_tls13_fetch_handshake_msg(
2965 ssl, MBEDTLS_SSL_HS_NEW_SESSION_TICKET,
2966 &buf, &buf_len));
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2967
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2968 MBEDTLS_SSL_PROC_CHK(ssl_tls13_parse_new_session_ticket(
2969 ssl, buf, buf + buf_len,
2970 &ticket_nonce, &ticket_nonce_len));
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2971
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2972 MBEDTLS_SSL_PROC_CHK(ssl_tls13_postprocess_new_session_ticket(
2973 ssl, ticket_nonce, ticket_nonce_len));
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2974
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2975 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_OVER);
Jerry Yu4e6c42a2022-07-13 11:16:51 +0800[diff] [blame]2976
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2977cleanup:
2978
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2979 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse new session ticket"));
2980 return ret;
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2981}
2982#endif /* MBEDTLS_SSL_SESSION_TICKETS */
2983
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2984int mbedtls_ssl_tls13_handshake_client_step(mbedtls_ssl_context *ssl)
Jerry Yubc20bdd2021-08-24 15:59:48 +0800[diff] [blame]2985{
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]2986 int ret = 0;
Jerry Yuc8a392c2021-08-18 16:46:28 +0800[diff] [blame]2987
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2988 switch (ssl->state) {
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]2989 case MBEDTLS_SSL_HELLO_REQUEST:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2990 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_HELLO);
Jerry Yuddda0502022-12-01 19:43:12 +0800[diff] [blame]2991 break;
2992
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]2993 case MBEDTLS_SSL_CLIENT_HELLO:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2994 ret = mbedtls_ssl_write_client_hello(ssl);
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]2995 break;
2996
2997 case MBEDTLS_SSL_SERVER_HELLO:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2998 ret = ssl_tls13_process_server_hello(ssl);
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2999 break;
3000
3001 case MBEDTLS_SSL_ENCRYPTED_EXTENSIONS:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3002 ret = ssl_tls13_process_encrypted_extensions(ssl);
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]3003 break;
3004
Ronald Cron928cbd32022-10-04 16:14:26 +0200[diff] [blame]3005#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
Jerry Yud2674312021-10-29 10:08:19 +0800[diff] [blame]3006 case MBEDTLS_SSL_CERTIFICATE_REQUEST:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3007 ret = ssl_tls13_process_certificate_request(ssl);
Jerry Yud2674312021-10-29 10:08:19 +0800[diff] [blame]3008 break;
3009
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]3010 case MBEDTLS_SSL_SERVER_CERTIFICATE:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3011 ret = ssl_tls13_process_server_certificate(ssl);
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]3012 break;
3013
3014 case MBEDTLS_SSL_CERTIFICATE_VERIFY:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3015 ret = ssl_tls13_process_certificate_verify(ssl);
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]3016 break;
Ronald Cron928cbd32022-10-04 16:14:26 +0200[diff] [blame]3017#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]3018
3019 case MBEDTLS_SSL_SERVER_FINISHED:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3020 ret = ssl_tls13_process_server_finished(ssl);
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]3021 break;
3022
Xiaokang Qian125afcb2022-10-28 06:04:06 +0000[diff] [blame]3023 case MBEDTLS_SSL_END_OF_EARLY_DATA:
3024 ret = ssl_tls13_write_end_of_early_data(ssl);
3025 break;
3026
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]3027 case MBEDTLS_SSL_CLIENT_CERTIFICATE:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3028 ret = ssl_tls13_write_client_certificate(ssl);
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]3029 break;
3030
Ronald Cron928cbd32022-10-04 16:14:26 +0200[diff] [blame]3031#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]3032 case MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3033 ret = ssl_tls13_write_client_certificate_verify(ssl);
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]3034 break;
Ronald Cron928cbd32022-10-04 16:14:26 +0200[diff] [blame]3035#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]3036
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]3037 case MBEDTLS_SSL_CLIENT_FINISHED:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3038 ret = ssl_tls13_write_client_finished(ssl);
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]3039 break;
3040
3041 case MBEDTLS_SSL_FLUSH_BUFFERS:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3042 ret = ssl_tls13_flush_buffers(ssl);
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]3043 break;
3044
3045 case MBEDTLS_SSL_HANDSHAKE_WRAPUP:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3046 ret = ssl_tls13_handshake_wrapup(ssl);
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]3047 break;
3048
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3049 /*
3050 * Injection of dummy-CCS's for middlebox compatibility
3051 */
Ronald Cron49ad6192021-11-24 16:25:31 +0100[diff] [blame]3052#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
XiaokangQian0b56a8f2021-12-22 02:39:32 +0000[diff] [blame]3053 case MBEDTLS_SSL_CLIENT_CCS_BEFORE_2ND_CLIENT_HELLO:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3054 ret = mbedtls_ssl_tls13_write_change_cipher_spec(ssl);
3055 if (ret == 0) {
3056 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_HELLO);
3057 }
Ronald Cron9f55f632022-02-02 16:02:47 +0100[diff] [blame]3058 break;
3059
3060 case MBEDTLS_SSL_CLIENT_CCS_AFTER_SERVER_FINISHED:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3061 ret = mbedtls_ssl_tls13_write_change_cipher_spec(ssl);
3062 if (ret == 0) {
Xiaokang Qian958b6ff2023-03-29 10:37:35 +0000[diff] [blame]3063 mbedtls_ssl_handshake_set_state(
3064 ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3065 }
Ronald Cron49ad6192021-11-24 16:25:31 +0100[diff] [blame]3066 break;
Xiaokang Qianf6d8fd32023-02-02 02:46:26 +0000[diff] [blame]3067
Xiaokang Qian592021a2023-01-04 10:47:05 +0000[diff] [blame]3068 case MBEDTLS_SSL_CLIENT_CCS_AFTER_CLIENT_HELLO:
3069 ret = mbedtls_ssl_tls13_write_change_cipher_spec(ssl);
3070 if (ret == 0) {
3071 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_HELLO);
3072
Xiaokang Qian33ff8682023-01-10 06:32:12 +0000[diff] [blame]3073#if defined(MBEDTLS_SSL_EARLY_DATA)
Xiaokang Qian592021a2023-01-04 10:47:05 +0000[diff] [blame]3074 MBEDTLS_SSL_DEBUG_MSG(
3075 1, ("Switch to early data keys for outbound traffic"));
3076 mbedtls_ssl_set_outbound_transform(
3077 ssl, ssl->handshake->transform_earlydata);
Xiaokang Qian33ff8682023-01-10 06:32:12 +0000[diff] [blame]3078#endif
Xiaokang Qian592021a2023-01-04 10:47:05 +0000[diff] [blame]3079 }
3080 break;
Ronald Cron49ad6192021-11-24 16:25:31 +0100[diff] [blame]3081#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
3082
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]3083#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Jerry Yua8d3c502022-10-30 14:51:23 +0800[diff] [blame]3084 case MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3085 ret = ssl_tls13_process_new_session_ticket(ssl);
3086 if (ret != 0) {
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]3087 break;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3088 }
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]3089 ret = MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET;
3090 break;
3091#endif /* MBEDTLS_SSL_SESSION_TICKETS */
3092
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]3093 default:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3094 MBEDTLS_SSL_DEBUG_MSG(1, ("invalid state %d", ssl->state));
3095 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]3096 }
3097
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3098 return ret;
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]3099}
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800[diff] [blame]3100
Jerry Yufb4b6472022-01-27 15:03:26 +0800[diff] [blame]3101#endif /* MBEDTLS_SSL_CLI_C && MBEDTLS_SSL_PROTO_TLS1_3 */