TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 6a971fd61a3fc0d52f4c31379dc3a2e0651b60f9 / . / library / ssl_tls13_client.c
blob: 5775a3ea5fc846c828dd095d804804e7cef7e695 [file] [log] [blame]
Jerry Yu3cc4c2a2021-08-06 16:29:08 +0800[diff] [blame]1/*
2 * TLS 1.3 client-side functions
3 *
4 * Copyright The Mbed TLS Contributors
Dave Rodgman16799db2023-11-02 19:47:20 +0000[diff] [blame]5 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
Jerry Yu3cc4c2a2021-08-06 16:29:08 +0800[diff] [blame]6 */
7
8#include "common.h"
9
Jerry Yucc43c6b2022-01-28 10:24:45 +0800[diff] [blame]10#if defined(MBEDTLS_SSL_CLI_C) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
Jerry Yu3cc4c2a2021-08-06 16:29:08 +0800[diff] [blame]11
Jerry Yubc20bdd2021-08-24 15:59:48 +0800[diff] [blame]12#include <string.h>
13
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]14#include "mbedtls/debug.h"
15#include "mbedtls/error.h"
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]16#include "mbedtls/platform.h"
Jerry Yua13c7e72021-08-17 10:44:40 +0800[diff] [blame]17
Jerry Yubdc71882021-09-14 19:30:36 +0800[diff] [blame]18#include "ssl_misc.h"
Ronald Cron3d580bf2022-02-18 17:24:56 +0100[diff] [blame]19#include "ssl_client.h"
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]20#include "ssl_tls13_keys.h"
Jerry Yucbd082f2022-08-04 16:55:10 +0800[diff] [blame]21#include "ssl_debug_helpers.h"
Manuel Pégourié-Gonnard02b10d82023-03-28 12:33:20 +0200[diff] [blame]22#include "md_psa.h"
Jerry Yubdc71882021-09-14 19:30:36 +0800[diff] [blame]23
Valerio Settic9ae8622023-07-25 11:23:50 +0200[diff] [blame]24#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)
Andrzej Kurek00644842023-05-30 05:45:00 -0400[diff] [blame]25/* Define a local translating function to save code size by not using too many
26 * arguments in each translating place. */
27static int local_err_translation(psa_status_t status)
28{
29 return psa_status_to_mbedtls(status, psa_to_ssl_errors,
Andrzej Kurek1e4a0302023-05-30 09:45:17 -0400[diff] [blame]30 ARRAY_LENGTH(psa_to_ssl_errors),
Andrzej Kurek00644842023-05-30 05:45:00 -0400[diff] [blame]31 psa_generic_status_to_mbedtls);
32}
33#define PSA_TO_MBEDTLS_ERR(status) local_err_translation(status)
Andrzej Kureka6033ac2023-05-30 15:16:34 -0400[diff] [blame]34#endif
35
Jerry Yubc20bdd2021-08-24 15:59:48 +0800[diff] [blame]36/* Write extensions */
37
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]38/*
39 * ssl_tls13_write_supported_versions_ext():
40 *
41 * struct {
42 * ProtocolVersion versions<2..254>;
43 * } SupportedVersions;
44 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]45MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]46static int ssl_tls13_write_supported_versions_ext(mbedtls_ssl_context *ssl,
47 unsigned char *buf,
48 unsigned char *end,
49 size_t *out_len)
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]50{
51 unsigned char *p = buf;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]52 unsigned char versions_len = (ssl->handshake->min_tls_version <=
53 MBEDTLS_SSL_VERSION_TLS1_2) ? 4 : 2;
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]54
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]55 *out_len = 0;
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]56
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]57 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, adding supported versions extension"));
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]58
Jerry Yu388bd0d2021-09-15 18:41:02 +0800[diff] [blame]59 /* Check if we have space to write the extension:
Jerry Yub60e3cf2021-09-08 16:41:02 +0800[diff] [blame]60 * - extension_type (2 bytes)
61 * - extension_data_length (2 bytes)
62 * - versions_length (1 byte )
Ronald Crona77fc272022-03-30 17:20:47 +0200[diff] [blame]63 * - versions (2 or 4 bytes)
Jerry Yu159c5a02021-08-31 12:51:25 +0800[diff] [blame]64 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]65 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 5 + versions_len);
Ronald Crondbe87f02022-02-10 14:35:27 +0100[diff] [blame]66
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]67 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS, p, 0);
68 MBEDTLS_PUT_UINT16_BE(versions_len + 1, p, 2);
Jerry Yueecfbf02021-08-30 18:32:07 +0800[diff] [blame]69 p += 4;
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]70
Jerry Yu1bc2c1f2021-09-01 12:57:29 +0800[diff] [blame]71 /* Length of versions */
Ronald Crondbe87f02022-02-10 14:35:27 +0100[diff] [blame]72 *p++ = versions_len;
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]73
Jerry Yu0c63af62021-09-02 12:59:12 +0800[diff] [blame]74 /* Write values of supported versions.
Jerry Yu0c63af62021-09-02 12:59:12 +0800[diff] [blame]75 * They are defined by the configuration.
Ronald Crondbe87f02022-02-10 14:35:27 +0100[diff] [blame]76 * Currently, we advertise only TLS 1.3 or both TLS 1.3 and TLS 1.2.
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]77 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]78 mbedtls_ssl_write_version(p, MBEDTLS_SSL_TRANSPORT_STREAM,
79 MBEDTLS_SSL_VERSION_TLS1_3);
80 MBEDTLS_SSL_DEBUG_MSG(3, ("supported version: [3:4]"));
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]81
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]82
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]83 if (ssl->handshake->min_tls_version <= MBEDTLS_SSL_VERSION_TLS1_2) {
84 mbedtls_ssl_write_version(p + 2, MBEDTLS_SSL_TRANSPORT_STREAM,
85 MBEDTLS_SSL_VERSION_TLS1_2);
86 MBEDTLS_SSL_DEBUG_MSG(3, ("supported version: [3:3]"));
Ronald Crondbe87f02022-02-10 14:35:27 +0100[diff] [blame]87 }
88
89 *out_len = 5 + versions_len;
Jerry Yu4b8f2f72022-10-31 13:31:22 +0800[diff] [blame]90
Jerry Yuc4bf5d62022-10-29 09:08:47 +0800[diff] [blame]91 mbedtls_ssl_tls13_set_hs_sent_ext_mask(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]92 ssl, MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS);
Jerry Yu4b8f2f72022-10-31 13:31:22 +0800[diff] [blame]93
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]94 return 0;
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]95}
Jerry Yubc20bdd2021-08-24 15:59:48 +0800[diff] [blame]96
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]97MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]98static int ssl_tls13_parse_supported_versions_ext(mbedtls_ssl_context *ssl,
99 const unsigned char *buf,
100 const unsigned char *end)
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]101{
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]102 ((void) ssl);
103
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]104 MBEDTLS_SSL_CHK_BUF_READ_PTR(buf, end, 2);
105 if (mbedtls_ssl_read_version(buf, ssl->conf->transport) !=
106 MBEDTLS_SSL_VERSION_TLS1_3) {
107 MBEDTLS_SSL_DEBUG_MSG(1, ("unexpected version"));
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]108
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]109 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
110 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
111 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]112 }
113
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]114 if (&buf[2] != end) {
Xiaokang Qian91bb3f02023-04-03 09:07:03 +0000[diff] [blame]115 MBEDTLS_SSL_DEBUG_MSG(
116 1, ("supported_versions ext data length incorrect"));
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]117 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
118 MBEDTLS_ERR_SSL_DECODE_ERROR);
119 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Ronald Cron98473382022-03-30 20:04:10 +0200[diff] [blame]120 }
121
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]122 return 0;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]123}
124
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]125#if defined(MBEDTLS_SSL_ALPN)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]126MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]127static int ssl_tls13_parse_alpn_ext(mbedtls_ssl_context *ssl,
128 const unsigned char *buf, size_t len)
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]129{
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]130 const unsigned char *p = buf;
131 const unsigned char *end = buf + len;
Ronald Cron81a334f2022-05-31 16:04:11 +0200[diff] [blame]132 size_t protocol_name_list_len, protocol_name_len;
133 const unsigned char *protocol_name_list_end;
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]134
135 /* If we didn't send it, the server shouldn't send it */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]136 if (ssl->conf->alpn_list == NULL) {
137 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
138 }
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]139
140 /*
141 * opaque ProtocolName<1..2^8-1>;
142 *
143 * struct {
144 * ProtocolName protocol_name_list<2..2^16-1>
145 * } ProtocolNameList;
146 *
147 * the "ProtocolNameList" MUST contain exactly one "ProtocolName"
148 */
149
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]150 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
151 protocol_name_list_len = MBEDTLS_GET_UINT16_BE(p, 0);
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]152 p += 2;
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]153
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]154 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, protocol_name_list_len);
Ronald Cron81a334f2022-05-31 16:04:11 +0200[diff] [blame]155 protocol_name_list_end = p + protocol_name_list_len;
156
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]157 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, protocol_name_list_end, 1);
Ronald Cron81a334f2022-05-31 16:04:11 +0200[diff] [blame]158 protocol_name_len = *p++;
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]159
160 /* Check that the server chosen protocol was in our list and save it */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]161 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, protocol_name_list_end, protocol_name_len);
162 for (const char **alpn = ssl->conf->alpn_list; *alpn != NULL; alpn++) {
163 if (protocol_name_len == strlen(*alpn) &&
164 memcmp(p, *alpn, protocol_name_len) == 0) {
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]165 ssl->alpn_chosen = *alpn;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]166 return 0;
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]167 }
168 }
169
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]170 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]171}
172#endif /* MBEDTLS_SSL_ALPN */
173
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]174MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]175static int ssl_tls13_reset_key_share(mbedtls_ssl_context *ssl)
XiaokangQian647719a2021-12-07 09:16:29 +0000[diff] [blame]176{
177 uint16_t group_id = ssl->handshake->offered_group_id;
Ronald Cron5b98ac92022-03-15 10:19:18 +0100[diff] [blame]178
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]179 if (group_id == 0) {
180 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
181 }
XiaokangQian647719a2021-12-07 09:16:29 +0000[diff] [blame]182
Valerio Settic9ae8622023-07-25 11:23:50 +0200[diff] [blame]183#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)
Przemek Stekielc89f3ea2023-05-18 15:45:53 +0200[diff] [blame]184 if (mbedtls_ssl_tls13_named_group_is_ecdhe(group_id) ||
Przemek Stekield5f79e72023-06-29 09:08:43 +0200[diff] [blame]185 mbedtls_ssl_tls13_named_group_is_ffdh(group_id)) {
Ronald Cron5b98ac92022-03-15 10:19:18 +0100[diff] [blame]186 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
187 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
188
189 /* Destroy generated private key. */
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]190 status = psa_destroy_key(ssl->handshake->xxdh_psa_privkey);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]191 if (status != PSA_SUCCESS) {
Andrzej Kurek8a045ce2022-12-23 11:00:06 -0500[diff] [blame]192 ret = PSA_TO_MBEDTLS_ERR(status);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]193 MBEDTLS_SSL_DEBUG_RET(1, "psa_destroy_key", ret);
194 return ret;
Ronald Cron5b98ac92022-03-15 10:19:18 +0100[diff] [blame]195 }
196
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]197 ssl->handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]198 return 0;
199 } else
Valerio Settic9ae8622023-07-25 11:23:50 +0200[diff] [blame]200#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]201 if (0 /* other KEMs? */) {
XiaokangQian647719a2021-12-07 09:16:29 +0000[diff] [blame]202 /* Do something */
203 }
204
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]205 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
XiaokangQian647719a2021-12-07 09:16:29 +0000[diff] [blame]206}
207
208/*
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]209 * Functions for writing key_share extension.
210 */
Ronald Cron766c0cd2022-10-18 12:17:11 +0200[diff] [blame]211#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]212MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]213static int ssl_tls13_get_default_group_id(mbedtls_ssl_context *ssl,
214 uint16_t *group_id)
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]215{
216 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
217
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]218
Przemek Stekielc89f3ea2023-05-18 15:45:53 +0200[diff] [blame]219#if defined(PSA_WANT_ALG_ECDH) || defined(PSA_WANT_ALG_FFDH)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]220 const uint16_t *group_list = mbedtls_ssl_get_groups(ssl);
Jerry Yu388bd0d2021-09-15 18:41:02 +0800[diff] [blame]221 /* Pick first available ECDHE group compatible with TLS 1.3 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]222 if (group_list == NULL) {
223 return MBEDTLS_ERR_SSL_BAD_CONFIG;
224 }
Jerry Yu388bd0d2021-09-15 18:41:02 +0800[diff] [blame]225
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]226 for (; *group_list != 0; group_list++) {
Przemek Stekiela05e9c12023-06-15 16:58:51 +0200[diff] [blame]227#if defined(PSA_WANT_ALG_ECDH)
Xiaokang Qian958b6ff2023-03-29 10:37:35 +0000[diff] [blame]228 if ((mbedtls_ssl_get_psa_curve_info_from_tls_id(
229 *group_list, NULL, NULL) == PSA_SUCCESS) &&
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]230 mbedtls_ssl_tls13_named_group_is_ecdhe(*group_list)) {
Brett Warren14efd332021-10-06 09:32:11 +0100[diff] [blame]231 *group_id = *group_list;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]232 return 0;
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]233 }
Przemek Stekiela05e9c12023-06-15 16:58:51 +0200[diff] [blame]234#endif
235#if defined(PSA_WANT_ALG_FFDH)
Przemek Stekield5f79e72023-06-29 09:08:43 +0200[diff] [blame]236 if (mbedtls_ssl_tls13_named_group_is_ffdh(*group_list)) {
Przemek Stekiela05e9c12023-06-15 16:58:51 +0200[diff] [blame]237 *group_id = *group_list;
238 return 0;
239 }
240#endif
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]241 }
242#else
243 ((void) ssl);
Jerry Yub60e3cf2021-09-08 16:41:02 +0800[diff] [blame]244 ((void) group_id);
Przemek Stekielc89f3ea2023-05-18 15:45:53 +0200[diff] [blame]245#endif /* PSA_WANT_ALG_ECDH || PSA_WANT_ALG_FFDH */
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]246
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]247 return ret;
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]248}
249
250/*
251 * ssl_tls13_write_key_share_ext
252 *
Jerry Yu388bd0d2021-09-15 18:41:02 +0800[diff] [blame]253 * Structure of key_share extension in ClientHello:
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]254 *
255 * struct {
256 * NamedGroup group;
257 * opaque key_exchange<1..2^16-1>;
258 * } KeyShareEntry;
259 * struct {
260 * KeyShareEntry client_shares<0..2^16-1>;
261 * } KeyShareClientHello;
262 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]263MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]264static int ssl_tls13_write_key_share_ext(mbedtls_ssl_context *ssl,
265 unsigned char *buf,
266 unsigned char *end,
267 size_t *out_len)
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]268{
269 unsigned char *p = buf;
Xiaofei Baieef15042021-11-18 07:29:56 +0000[diff] [blame]270 unsigned char *client_shares; /* Start of client_shares */
271 size_t client_shares_len; /* Length of client_shares */
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]272 uint16_t group_id;
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]273 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
274
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]275 *out_len = 0;
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]276
Jerry Yub60e3cf2021-09-08 16:41:02 +0800[diff] [blame]277 /* Check if we have space for header and length fields:
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]278 * - extension_type (2 bytes)
279 * - extension_data_length (2 bytes)
280 * - client_shares_length (2 bytes)
281 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]282 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 6);
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]283 p += 6;
284
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]285 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello: adding key share extension"));
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]286
287 /* HRR could already have requested something else. */
288 group_id = ssl->handshake->offered_group_id;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]289 if (!mbedtls_ssl_tls13_named_group_is_ecdhe(group_id) &&
Przemek Stekield5f79e72023-06-29 09:08:43 +0200[diff] [blame]290 !mbedtls_ssl_tls13_named_group_is_ffdh(group_id)) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]291 MBEDTLS_SSL_PROC_CHK(ssl_tls13_get_default_group_id(ssl,
292 &group_id));
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]293 }
294
295 /*
296 * Dispatch to type-specific key generation function.
297 *
298 * So far, we're only supporting ECDHE. With the introduction
299 * of PQC KEMs, we'll want to have multiple branches, one per
300 * type of KEM, and dispatch to the corresponding crypto. And
301 * only one key share entry is allowed.
302 */
Xiaofei Baieef15042021-11-18 07:29:56 +0000[diff] [blame]303 client_shares = p;
Przemek Stekielc89f3ea2023-05-18 15:45:53 +0200[diff] [blame]304#if defined(PSA_WANT_ALG_ECDH) || defined(PSA_WANT_ALG_FFDH)
305 if (mbedtls_ssl_tls13_named_group_is_ecdhe(group_id) ||
Przemek Stekield5f79e72023-06-29 09:08:43 +0200[diff] [blame]306 mbedtls_ssl_tls13_named_group_is_ffdh(group_id)) {
Jerry Yu388bd0d2021-09-15 18:41:02 +0800[diff] [blame]307 /* Pointer to group */
Xiaofei Baieef15042021-11-18 07:29:56 +0000[diff] [blame]308 unsigned char *group = p;
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]309 /* Length of key_exchange */
Przemyslaw Stekiel4f419e52022-02-10 15:56:26 +0100[diff] [blame]310 size_t key_exchange_len = 0;
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]311
312 /* Check there is space for header of KeyShareEntry
313 * - group (2 bytes)
314 * - key_exchange_length (2 bytes)
315 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]316 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 4);
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]317 p += 4;
Przemek Stekiel408569f2023-07-06 11:26:44 +0200[diff] [blame]318 ret = mbedtls_ssl_tls13_generate_and_write_xxdh_key_exchange(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]319 ssl, group_id, p, end, &key_exchange_len);
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]320 p += key_exchange_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]321 if (ret != 0) {
322 return ret;
323 }
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]324
325 /* Write group */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]326 MBEDTLS_PUT_UINT16_BE(group_id, group, 0);
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]327 /* Write key_exchange_length */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]328 MBEDTLS_PUT_UINT16_BE(key_exchange_len, group, 2);
329 } else
Przemek Stekielc89f3ea2023-05-18 15:45:53 +0200[diff] [blame]330#endif /* PSA_WANT_ALG_ECDH || PSA_WANT_ALG_FFDH */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]331 if (0 /* other KEMs? */) {
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]332 /* Do something */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]333 } else {
334 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]335 }
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]336
Jerry Yub60e3cf2021-09-08 16:41:02 +0800[diff] [blame]337 /* Length of client_shares */
Xiaofei Baieef15042021-11-18 07:29:56 +0000[diff] [blame]338 client_shares_len = p - client_shares;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]339 if (client_shares_len == 0) {
340 MBEDTLS_SSL_DEBUG_MSG(1, ("No key share defined."));
341 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Jerry Yu7c522d42021-09-08 17:55:09 +0800[diff] [blame]342 }
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]343 /* Write extension_type */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]344 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_KEY_SHARE, buf, 0);
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]345 /* Write extension_data_length */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]346 MBEDTLS_PUT_UINT16_BE(client_shares_len + 2, buf, 2);
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]347 /* Write client_shares_length */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]348 MBEDTLS_PUT_UINT16_BE(client_shares_len, buf, 4);
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]349
350 /* Update offered_group_id field */
351 ssl->handshake->offered_group_id = group_id;
352
353 /* Output the total length of key_share extension. */
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]354 *out_len = p - buf;
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]355
Xiaokang Qian91bb3f02023-04-03 09:07:03 +0000[diff] [blame]356 MBEDTLS_SSL_DEBUG_BUF(
357 3, "client hello, key_share extension", buf, *out_len);
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]358
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]359 mbedtls_ssl_tls13_set_hs_sent_ext_mask(ssl, MBEDTLS_TLS_EXT_KEY_SHARE);
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]360
361cleanup:
362
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]363 return ret;
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]364}
Ronald Cron766c0cd2022-10-18 12:17:11 +0200[diff] [blame]365#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED */
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]366
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]367/*
368 * ssl_tls13_parse_hrr_key_share_ext()
369 * Parse key_share extension in Hello Retry Request
370 *
371 * struct {
372 * NamedGroup selected_group;
373 * } KeyShareHelloRetryRequest;
374 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]375MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]376static int ssl_tls13_parse_hrr_key_share_ext(mbedtls_ssl_context *ssl,
377 const unsigned char *buf,
378 const unsigned char *end)
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]379{
Przemek Stekiel75a5a9c2023-06-12 11:21:18 +0200[diff] [blame]380#if defined(PSA_WANT_ALG_ECDH) || defined(PSA_WANT_ALG_FFDH)
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]381 const unsigned char *p = buf;
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]382 int selected_group;
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]383 int found = 0;
384
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]385 const uint16_t *group_list = mbedtls_ssl_get_groups(ssl);
386 if (group_list == NULL) {
387 return MBEDTLS_ERR_SSL_BAD_CONFIG;
388 }
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]389
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]390 MBEDTLS_SSL_DEBUG_BUF(3, "key_share extension", p, end - buf);
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]391
392 /* Read selected_group */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]393 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
394 selected_group = MBEDTLS_GET_UINT16_BE(p, 0);
395 MBEDTLS_SSL_DEBUG_MSG(3, ("selected_group ( %d )", selected_group));
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]396
397 /* Upon receipt of this extension in a HelloRetryRequest, the client
398 * MUST first verify that the selected_group field corresponds to a
399 * group which was provided in the "supported_groups" extension in the
400 * original ClientHello.
401 * The supported_group was based on the info in ssl->conf->group_list.
402 *
403 * If the server provided a key share that was not sent in the ClientHello
404 * then the client MUST abort the handshake with an "illegal_parameter" alert.
405 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]406 for (; *group_list != 0; group_list++) {
Przemek Stekiel75a5a9c2023-06-12 11:21:18 +0200[diff] [blame]407#if defined(PSA_WANT_ALG_ECDH)
Przemek Stekielc89f3ea2023-05-18 15:45:53 +0200[diff] [blame]408 if (mbedtls_ssl_tls13_named_group_is_ecdhe(*group_list)) {
409 if ((mbedtls_ssl_get_psa_curve_info_from_tls_id(
410 *group_list, NULL, NULL) == PSA_ERROR_NOT_SUPPORTED) ||
411 *group_list != selected_group) {
412 found = 1;
413 break;
414 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]415 }
Przemek Stekiel75a5a9c2023-06-12 11:21:18 +0200[diff] [blame]416#endif /* PSA_WANT_ALG_ECDH */
417#if defined(PSA_WANT_ALG_FFDH)
Przemek Stekield5f79e72023-06-29 09:08:43 +0200[diff] [blame]418 if (mbedtls_ssl_tls13_named_group_is_ffdh(*group_list)) {
Przemek Stekielc89f3ea2023-05-18 15:45:53 +0200[diff] [blame]419 found = 1;
420 break;
421 }
Przemek Stekiel75a5a9c2023-06-12 11:21:18 +0200[diff] [blame]422#endif /* PSA_WANT_ALG_FFDH */
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]423 }
424
425 /* Client MUST verify that the selected_group field does not
426 * correspond to a group which was provided in the "key_share"
427 * extension in the original ClientHello. If the server sent an
428 * HRR message with a key share already provided in the
429 * ClientHello then the client MUST abort the handshake with
430 * an "illegal_parameter" alert.
431 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]432 if (found == 0 || selected_group == ssl->handshake->offered_group_id) {
433 MBEDTLS_SSL_DEBUG_MSG(1, ("Invalid key share in HRR"));
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]434 MBEDTLS_SSL_PEND_FATAL_ALERT(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]435 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
436 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
437 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]438 }
439
440 /* Remember server's preference for next ClientHello */
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]441 ssl->handshake->offered_group_id = selected_group;
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]442
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]443 return 0;
Przemek Stekiel75a5a9c2023-06-12 11:21:18 +0200[diff] [blame]444#else /* PSA_WANT_ALG_ECDH || PSA_WANT_ALG_FFDH */
Andrzej Kurekc19fb082022-10-03 10:52:24 -0400[diff] [blame]445 (void) ssl;
446 (void) buf;
447 (void) end;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]448 return MBEDTLS_ERR_SSL_BAD_CONFIG;
Przemek Stekiel75a5a9c2023-06-12 11:21:18 +0200[diff] [blame]449#endif /* PSA_WANT_ALG_ECDH || PSA_WANT_ALG_FFDH */
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]450}
451
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]452/*
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]453 * ssl_tls13_parse_key_share_ext()
454 * Parse key_share extension in Server Hello
455 *
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]456 * struct {
457 * KeyShareEntry server_share;
458 * } KeyShareServerHello;
459 * struct {
460 * NamedGroup group;
461 * opaque key_exchange<1..2^16-1>;
462 * } KeyShareEntry;
463 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]464MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]465static int ssl_tls13_parse_key_share_ext(mbedtls_ssl_context *ssl,
466 const unsigned char *buf,
467 const unsigned char *end)
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]468{
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]469 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]470 const unsigned char *p = buf;
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]471 uint16_t group, offered_group;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]472
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]473 /* ...
474 * NamedGroup group; (2 bytes)
475 * ...
476 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]477 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
478 group = MBEDTLS_GET_UINT16_BE(p, 0);
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]479 p += 2;
480
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]481 /* Check that the chosen group matches the one we offered. */
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]482 offered_group = ssl->handshake->offered_group_id;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]483 if (offered_group != group) {
Xiaokang Qian958b6ff2023-03-29 10:37:35 +0000[diff] [blame]484 MBEDTLS_SSL_DEBUG_MSG(
485 1, ("Invalid server key share, our group %u, their group %u",
486 (unsigned) offered_group, (unsigned) group));
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]487 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
488 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE);
489 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]490 }
491
Valerio Settic9ae8622023-07-25 11:23:50 +0200[diff] [blame]492#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)
Przemek Stekielc89f3ea2023-05-18 15:45:53 +0200[diff] [blame]493 if (mbedtls_ssl_tls13_named_group_is_ecdhe(group) ||
Przemek Stekield5f79e72023-06-29 09:08:43 +0200[diff] [blame]494 mbedtls_ssl_tls13_named_group_is_ffdh(group)) {
Przemek Stekiel75a5a9c2023-06-12 11:21:18 +0200[diff] [blame]495 MBEDTLS_SSL_DEBUG_MSG(2,
496 ("DHE group name: %s", mbedtls_ssl_named_group_to_str(group)));
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]497 ret = mbedtls_ssl_tls13_read_public_xxdhe_share(ssl, p, end - p);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]498 if (ret != 0) {
499 return ret;
500 }
501 } else
Valerio Settic9ae8622023-07-25 11:23:50 +0200[diff] [blame]502#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]503 if (0 /* other KEMs? */) {
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]504 /* Do something */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]505 } else {
506 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]507 }
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]508
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]509 return ret;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]510}
511
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]512/*
513 * ssl_tls13_parse_cookie_ext()
514 * Parse cookie extension in Hello Retry Request
515 *
516 * struct {
517 * opaque cookie<1..2^16-1>;
518 * } Cookie;
519 *
520 * When sending a HelloRetryRequest, the server MAY provide a "cookie"
521 * extension to the client (this is an exception to the usual rule that
522 * the only extensions that may be sent are those that appear in the
523 * ClientHello). When sending the new ClientHello, the client MUST copy
524 * the contents of the extension received in the HelloRetryRequest into
525 * a "cookie" extension in the new ClientHello. Clients MUST NOT use
526 * cookies in their initial ClientHello in subsequent connections.
527 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]528MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]529static int ssl_tls13_parse_cookie_ext(mbedtls_ssl_context *ssl,
530 const unsigned char *buf,
531 const unsigned char *end)
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]532{
XiaokangQian25c9c902022-02-08 10:49:53 +0000[diff] [blame]533 uint16_t cookie_len;
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]534 const unsigned char *p = buf;
535 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
536
537 /* Retrieve length field of cookie */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]538 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
539 cookie_len = MBEDTLS_GET_UINT16_BE(p, 0);
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]540 p += 2;
541
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]542 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, cookie_len);
543 MBEDTLS_SSL_DEBUG_BUF(3, "cookie extension", p, cookie_len);
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]544
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]545 mbedtls_free(handshake->cookie);
Jerry Yuac5ca5a2022-03-04 12:50:46 +0800[diff] [blame]546 handshake->cookie_len = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]547 handshake->cookie = mbedtls_calloc(1, cookie_len);
548 if (handshake->cookie == NULL) {
549 MBEDTLS_SSL_DEBUG_MSG(1,
550 ("alloc failed ( %ud bytes )",
551 cookie_len));
552 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]553 }
554
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]555 memcpy(handshake->cookie, p, cookie_len);
Jerry Yuac5ca5a2022-03-04 12:50:46 +0800[diff] [blame]556 handshake->cookie_len = cookie_len;
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]557
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]558 return 0;
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]559}
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]560
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]561MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]562static int ssl_tls13_write_cookie_ext(mbedtls_ssl_context *ssl,
563 unsigned char *buf,
564 unsigned char *end,
565 size_t *out_len)
XiaokangQian0b64eed2022-01-27 10:36:51 +0000[diff] [blame]566{
567 unsigned char *p = buf;
XiaokangQian9deb90f2022-02-08 10:31:07 +0000[diff] [blame]568 *out_len = 0;
XiaokangQianc02768a2022-02-10 07:31:25 +0000[diff] [blame]569 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
XiaokangQian0b64eed2022-01-27 10:36:51 +0000[diff] [blame]570
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]571 if (handshake->cookie == NULL) {
572 MBEDTLS_SSL_DEBUG_MSG(3, ("no cookie to send; skip extension"));
573 return 0;
XiaokangQian0b64eed2022-01-27 10:36:51 +0000[diff] [blame]574 }
575
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]576 MBEDTLS_SSL_DEBUG_BUF(3, "client hello, cookie",
577 handshake->cookie,
578 handshake->cookie_len);
XiaokangQian0b64eed2022-01-27 10:36:51 +0000[diff] [blame]579
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]580 MBEDTLS_SSL_CHK_BUF_PTR(p, end, handshake->cookie_len + 6);
XiaokangQian0b64eed2022-01-27 10:36:51 +0000[diff] [blame]581
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]582 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, adding cookie extension"));
XiaokangQian0b64eed2022-01-27 10:36:51 +0000[diff] [blame]583
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]584 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_COOKIE, p, 0);
585 MBEDTLS_PUT_UINT16_BE(handshake->cookie_len + 2, p, 2);
586 MBEDTLS_PUT_UINT16_BE(handshake->cookie_len, p, 4);
XiaokangQian233397e2022-02-07 08:32:16 +0000[diff] [blame]587 p += 6;
XiaokangQian0b64eed2022-01-27 10:36:51 +0000[diff] [blame]588
589 /* Cookie */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]590 memcpy(p, handshake->cookie, handshake->cookie_len);
XiaokangQian0b64eed2022-01-27 10:36:51 +0000[diff] [blame]591
Jerry Yuac5ca5a2022-03-04 12:50:46 +0800[diff] [blame]592 *out_len = handshake->cookie_len + 6;
XiaokangQian0b64eed2022-01-27 10:36:51 +0000[diff] [blame]593
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]594 mbedtls_ssl_tls13_set_hs_sent_ext_mask(ssl, MBEDTLS_TLS_EXT_COOKIE);
Jerry Yu4b8f2f72022-10-31 13:31:22 +0800[diff] [blame]595
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]596 return 0;
XiaokangQian0b64eed2022-01-27 10:36:51 +0000[diff] [blame]597}
598
Ronald Cron41a443a2022-10-04 16:38:25 +0200[diff] [blame]599#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]600/*
601 * ssl_tls13_write_psk_key_exchange_modes_ext() structure:
602 *
603 * enum { psk_ke( 0 ), psk_dhe_ke( 1 ), ( 255 ) } PskKeyExchangeMode;
604 *
605 * struct {
606 * PskKeyExchangeMode ke_modes<1..255>;
607 * } PskKeyExchangeModes;
608 */
XiaokangQian86981952022-07-19 09:51:50 +0000[diff] [blame]609MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]610static int ssl_tls13_write_psk_key_exchange_modes_ext(mbedtls_ssl_context *ssl,
611 unsigned char *buf,
612 unsigned char *end,
613 size_t *out_len)
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]614{
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]615 unsigned char *p = buf;
XiaokangQian008d2bf2022-07-14 07:54:01 +0000[diff] [blame]616 int ke_modes_len = 0;
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]617
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]618 ((void) ke_modes_len);
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]619 *out_len = 0;
XiaokangQian008d2bf2022-07-14 07:54:01 +0000[diff] [blame]620
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]621 /* Skip writing extension if no PSK key exchange mode
XiaokangQian7c12d312022-07-20 07:25:43 +0000[diff] [blame]622 * is enabled in the config.
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]623 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]624 if (!mbedtls_ssl_conf_tls13_some_psk_enabled(ssl)) {
625 MBEDTLS_SSL_DEBUG_MSG(3, ("skip psk_key_exchange_modes extension"));
626 return 0;
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]627 }
628
629 /* Require 7 bytes of data, otherwise fail,
630 * even if extension might be shorter.
631 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]632 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 7);
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]633 MBEDTLS_SSL_DEBUG_MSG(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]634 3, ("client hello, adding psk_key_exchange_modes extension"));
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]635
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]636 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES, p, 0);
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]637
XiaokangQian008d2bf2022-07-14 07:54:01 +0000[diff] [blame]638 /* Skip extension length (2 bytes) and
639 * ke_modes length (1 byte) for now.
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]640 */
641 p += 5;
642
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]643 if (mbedtls_ssl_conf_tls13_psk_ephemeral_enabled(ssl)) {
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]644 *p++ = MBEDTLS_SSL_TLS1_3_PSK_MODE_ECDHE;
XiaokangQian008d2bf2022-07-14 07:54:01 +0000[diff] [blame]645 ke_modes_len++;
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]646
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]647 MBEDTLS_SSL_DEBUG_MSG(4, ("Adding PSK-ECDHE key exchange mode"));
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]648 }
649
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]650 if (mbedtls_ssl_conf_tls13_psk_enabled(ssl)) {
Ronald Crona709a0f2022-09-27 16:46:11 +0200[diff] [blame]651 *p++ = MBEDTLS_SSL_TLS1_3_PSK_MODE_PURE;
652 ke_modes_len++;
653
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]654 MBEDTLS_SSL_DEBUG_MSG(4, ("Adding pure PSK key exchange mode"));
Ronald Crona709a0f2022-09-27 16:46:11 +0200[diff] [blame]655 }
656
XiaokangQian008d2bf2022-07-14 07:54:01 +0000[diff] [blame]657 /* Now write the extension and ke_modes length */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]658 MBEDTLS_PUT_UINT16_BE(ke_modes_len + 1, buf, 2);
XiaokangQian008d2bf2022-07-14 07:54:01 +0000[diff] [blame]659 buf[4] = ke_modes_len;
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]660
661 *out_len = p - buf;
Jerry Yu0c354a22022-08-29 15:25:36 +0800[diff] [blame]662
Jerry Yuc4bf5d62022-10-29 09:08:47 +0800[diff] [blame]663 mbedtls_ssl_tls13_set_hs_sent_ext_mask(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]664 ssl, MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES);
Jerry Yu4b8f2f72022-10-31 13:31:22 +0800[diff] [blame]665
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]666 return 0;
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]667}
Jerry Yudb8c5fa2022-08-03 12:10:13 +0800[diff] [blame]668
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]669static psa_algorithm_t ssl_tls13_get_ciphersuite_hash_alg(int ciphersuite)
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]670{
Jerry Yu21f90952022-10-08 10:30:53 +0800[diff] [blame]671 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = NULL;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]672 ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(ciphersuite);
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]673
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]674 if (ciphersuite_info != NULL) {
Dave Rodgman2eab4622023-10-05 13:30:37 +0100[diff] [blame]675 return mbedtls_md_psa_alg_from_type((mbedtls_md_type_t) ciphersuite_info->mac);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]676 }
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]677
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]678 return PSA_ALG_NONE;
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]679}
680
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]681#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]682static int ssl_tls13_has_configured_ticket(mbedtls_ssl_context *ssl)
Xiaokang Qianb781a232022-11-01 07:39:46 +0000[diff] [blame]683{
684 mbedtls_ssl_session *session = ssl->session_negotiate;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]685 return ssl->handshake->resume &&
Pengyu Lv93566782022-12-07 12:10:05 +0800[diff] [blame]686 session != NULL && session->ticket != NULL &&
Pengyu Lv9b84ea72023-01-16 14:08:23 +0800[diff] [blame]687 mbedtls_ssl_conf_tls13_check_kex_modes(
688 ssl, mbedtls_ssl_session_get_ticket_flags(
689 session, MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL));
Xiaokang Qianb781a232022-11-01 07:39:46 +0000[diff] [blame]690}
691
Xiaokang Qian01323a42022-11-03 02:27:35 +0000[diff] [blame]692#if defined(MBEDTLS_SSL_EARLY_DATA)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]693static int ssl_tls13_early_data_has_valid_ticket(mbedtls_ssl_context *ssl)
Xiaokang Qian01323a42022-11-03 02:27:35 +0000[diff] [blame]694{
695 mbedtls_ssl_session *session = ssl->session_negotiate;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]696 return ssl->handshake->resume &&
697 session->tls_version == MBEDTLS_SSL_VERSION_TLS1_3 &&
698 (session->ticket_flags &
699 MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_EARLY_DATA) &&
700 mbedtls_ssl_tls13_cipher_suite_is_offered(
701 ssl, session->ciphersuite);
Xiaokang Qian01323a42022-11-03 02:27:35 +0000[diff] [blame]702}
703#endif
704
Xiaokang Qianb781a232022-11-01 07:39:46 +0000[diff] [blame]705MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]706static int ssl_tls13_ticket_get_identity(mbedtls_ssl_context *ssl,
707 psa_algorithm_t *hash_alg,
708 const unsigned char **identity,
709 size_t *identity_len)
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]710{
711 mbedtls_ssl_session *session = ssl->session_negotiate;
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]712
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]713 if (!ssl_tls13_has_configured_ticket(ssl)) {
714 return -1;
715 }
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]716
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]717 *hash_alg = ssl_tls13_get_ciphersuite_hash_alg(session->ciphersuite);
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]718 *identity = session->ticket;
719 *identity_len = session->ticket_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]720 return 0;
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]721}
722
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]723MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]724static int ssl_tls13_ticket_get_psk(mbedtls_ssl_context *ssl,
725 psa_algorithm_t *hash_alg,
726 const unsigned char **psk,
727 size_t *psk_len)
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]728{
729
730 mbedtls_ssl_session *session = ssl->session_negotiate;
731
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]732 if (!ssl_tls13_has_configured_ticket(ssl)) {
733 return -1;
734 }
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]735
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]736 *hash_alg = ssl_tls13_get_ciphersuite_hash_alg(session->ciphersuite);
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]737 *psk = session->resumption_key;
738 *psk_len = session->resumption_key_len;
739
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]740 return 0;
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]741}
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]742#endif /* MBEDTLS_SSL_SESSION_TICKETS */
743
744MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]745static int ssl_tls13_psk_get_identity(mbedtls_ssl_context *ssl,
746 psa_algorithm_t *hash_alg,
747 const unsigned char **identity,
748 size_t *identity_len)
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]749{
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]750
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]751 if (!mbedtls_ssl_conf_has_static_psk(ssl->conf)) {
752 return -1;
753 }
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]754
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]755 *hash_alg = PSA_ALG_SHA_256;
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]756 *identity = ssl->conf->psk_identity;
757 *identity_len = ssl->conf->psk_identity_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]758 return 0;
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]759}
760
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]761MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]762static int ssl_tls13_psk_get_psk(mbedtls_ssl_context *ssl,
763 psa_algorithm_t *hash_alg,
764 const unsigned char **psk,
765 size_t *psk_len)
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]766{
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]767
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]768 if (!mbedtls_ssl_conf_has_static_psk(ssl->conf)) {
769 return -1;
770 }
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]771
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]772 *hash_alg = PSA_ALG_SHA_256;
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]773 *psk = ssl->conf->psk;
774 *psk_len = ssl->conf->psk_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]775 return 0;
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]776}
777
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]778static int ssl_tls13_get_configured_psk_count(mbedtls_ssl_context *ssl)
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]779{
780 int configured_psk_count = 0;
781#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]782 if (ssl_tls13_has_configured_ticket(ssl)) {
783 MBEDTLS_SSL_DEBUG_MSG(3, ("Ticket is configured"));
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]784 configured_psk_count++;
785 }
786#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]787 if (mbedtls_ssl_conf_has_static_psk(ssl->conf)) {
788 MBEDTLS_SSL_DEBUG_MSG(3, ("PSK is configured"));
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]789 configured_psk_count++;
790 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]791 return configured_psk_count;
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]792}
793
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]794MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]795static int ssl_tls13_write_identity(mbedtls_ssl_context *ssl,
796 unsigned char *buf,
797 unsigned char *end,
798 const unsigned char *identity,
799 size_t identity_len,
800 uint32_t obfuscated_ticket_age,
801 size_t *out_len)
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]802{
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]803 ((void) ssl);
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]804 *out_len = 0;
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]805
806 /*
807 * - identity_len (2 bytes)
808 * - identity (psk_identity_len bytes)
809 * - obfuscated_ticket_age (4 bytes)
810 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]811 MBEDTLS_SSL_CHK_BUF_PTR(buf, end, 6 + identity_len);
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]812
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]813 MBEDTLS_PUT_UINT16_BE(identity_len, buf, 0);
814 memcpy(buf + 2, identity, identity_len);
815 MBEDTLS_PUT_UINT32_BE(obfuscated_ticket_age, buf, 2 + identity_len);
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]816
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]817 MBEDTLS_SSL_DEBUG_BUF(4, "write identity", buf, 6 + identity_len);
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]818
819 *out_len = 6 + identity_len;
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]820
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]821 return 0;
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]822}
823
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]824MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]825static int ssl_tls13_write_binder(mbedtls_ssl_context *ssl,
826 unsigned char *buf,
827 unsigned char *end,
828 int psk_type,
829 psa_algorithm_t hash_alg,
830 const unsigned char *psk,
831 size_t psk_len,
832 size_t *out_len)
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]833{
834 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]835 unsigned char binder_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]836 unsigned char transcript[MBEDTLS_TLS1_3_MD_MAX_SIZE];
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]837 size_t transcript_len = 0;
838
839 *out_len = 0;
840
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]841 binder_len = PSA_HASH_LENGTH(hash_alg);
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]842
843 /*
844 * - binder_len (1 bytes)
845 * - binder (binder_len bytes)
846 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]847 MBEDTLS_SSL_CHK_BUF_PTR(buf, end, 1 + binder_len);
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]848
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]849 buf[0] = binder_len;
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]850
851 /* Get current state of handshake transcript. */
852 ret = mbedtls_ssl_get_handshake_transcript(
Manuel Pégourié-Gonnard2d6d9932023-03-28 11:38:08 +0200[diff] [blame]853 ssl, mbedtls_md_type_from_psa_alg(hash_alg),
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]854 transcript, sizeof(transcript), &transcript_len);
855 if (ret != 0) {
856 return ret;
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]857 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]858
859 ret = mbedtls_ssl_tls13_create_psk_binder(ssl, hash_alg,
860 psk, psk_len, psk_type,
861 transcript, buf + 1);
862 if (ret != 0) {
863 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_tls13_create_psk_binder", ret);
864 return ret;
865 }
866 MBEDTLS_SSL_DEBUG_BUF(4, "write binder", buf, 1 + binder_len);
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]867
868 *out_len = 1 + binder_len;
869
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]870 return 0;
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]871}
872
873/*
874 * mbedtls_ssl_tls13_write_identities_of_pre_shared_key_ext() structure:
875 *
876 * struct {
877 * opaque identity<1..2^16-1>;
878 * uint32 obfuscated_ticket_age;
879 * } PskIdentity;
880 *
881 * opaque PskBinderEntry<32..255>;
882 *
883 * struct {
884 * PskIdentity identities<7..2^16-1>;
885 * PskBinderEntry binders<33..2^16-1>;
886 * } OfferedPsks;
887 *
888 * struct {
889 * select (Handshake.msg_type) {
890 * case client_hello: OfferedPsks;
891 * ...
892 * };
893 * } PreSharedKeyExtension;
894 *
895 */
XiaokangQian3ad67bf2022-07-21 02:26:21 +0000[diff] [blame]896int mbedtls_ssl_tls13_write_identities_of_pre_shared_key_ext(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]897 mbedtls_ssl_context *ssl, unsigned char *buf, unsigned char *end,
898 size_t *out_len, size_t *binders_len)
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]899{
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]900 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]901 int configured_psk_count = 0;
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]902 unsigned char *p = buf;
Xiaokang Qian854db282022-12-19 07:31:27 +0000[diff] [blame]903 psa_algorithm_t hash_alg = PSA_ALG_NONE;
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]904 const unsigned char *identity;
905 size_t identity_len;
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]906 size_t l_binders_len = 0;
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]907 size_t output_len;
Xiaokang Qian7179f812023-02-03 03:38:44 +0000[diff] [blame]908
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]909 *out_len = 0;
910 *binders_len = 0;
911
912 /* Check if we have any PSKs to offer. If no, skip pre_shared_key */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]913 configured_psk_count = ssl_tls13_get_configured_psk_count(ssl);
914 if (configured_psk_count == 0) {
915 MBEDTLS_SSL_DEBUG_MSG(3, ("skip pre_shared_key extensions"));
916 return 0;
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]917 }
918
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]919 MBEDTLS_SSL_DEBUG_MSG(4, ("Pre-configured PSK number = %d",
920 configured_psk_count));
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]921
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]922 /* Check if we have space to write the extension, binders included.
923 * - extension_type (2 bytes)
924 * - extension_data_len (2 bytes)
925 * - identities_len (2 bytes)
926 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]927 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 6);
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]928 p += 6;
929
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]930#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]931 if (ssl_tls13_ticket_get_identity(
932 ssl, &hash_alg, &identity, &identity_len) == 0) {
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]933#if defined(MBEDTLS_HAVE_TIME)
Jerry Yucebffc32022-12-15 18:00:05 +0800[diff] [blame]934 mbedtls_ms_time_t now = mbedtls_ms_time();
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]935 mbedtls_ssl_session *session = ssl->session_negotiate;
Jerry Yucf913512023-11-14 11:06:52 +0800[diff] [blame]936 /* The ticket age has been checked to be smaller than the
Jerry Yu46c79262023-11-10 13:58:16 +0800[diff] [blame]937 * `ticket_lifetime` in ssl_prepare_client_hello() which is smaller than
938 * 7 days (enforced in ssl_tls13_parse_new_session_ticket()) . Thus the
939 * cast to `uint32_t` of the ticket age is safe. */
Jerry Yu6916e702022-10-10 21:33:51 +0800[diff] [blame]940 uint32_t obfuscated_ticket_age =
Jerry Yu342a5552023-11-10 14:23:39 +0800[diff] [blame]941 (uint32_t) (now - session->ticket_reception_time);
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]942 obfuscated_ticket_age += session->ticket_age_add;
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]943
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]944 ret = ssl_tls13_write_identity(ssl, p, end,
945 identity, identity_len,
946 obfuscated_ticket_age,
947 &output_len);
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]948#else
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]949 ret = ssl_tls13_write_identity(ssl, p, end, identity, identity_len,
950 0, &output_len);
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]951#endif /* MBEDTLS_HAVE_TIME */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]952 if (ret != 0) {
953 return ret;
954 }
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]955
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]956 p += output_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]957 l_binders_len += 1 + PSA_HASH_LENGTH(hash_alg);
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]958 }
959#endif /* MBEDTLS_SSL_SESSION_TICKETS */
960
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]961 if (ssl_tls13_psk_get_identity(
962 ssl, &hash_alg, &identity, &identity_len) == 0) {
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]963
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]964 ret = ssl_tls13_write_identity(ssl, p, end, identity, identity_len, 0,
965 &output_len);
966 if (ret != 0) {
967 return ret;
968 }
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]969
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]970 p += output_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]971 l_binders_len += 1 + PSA_HASH_LENGTH(hash_alg);
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]972 }
973
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]974 MBEDTLS_SSL_DEBUG_MSG(3,
975 ("client hello, adding pre_shared_key extension, "
976 "omitting PSK binder list"));
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]977
978 /* Take into account the two bytes for the length of the binders. */
979 l_binders_len += 2;
Jerry Yu6916e702022-10-10 21:33:51 +0800[diff] [blame]980 /* Check if there is enough space for binders */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]981 MBEDTLS_SSL_CHK_BUF_PTR(p, end, l_binders_len);
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]982
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]983 /*
984 * - extension_type (2 bytes)
985 * - extension_data_len (2 bytes)
986 * - identities_len (2 bytes)
987 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]988 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_PRE_SHARED_KEY, buf, 0);
989 MBEDTLS_PUT_UINT16_BE(p - buf - 4 + l_binders_len, buf, 2);
990 MBEDTLS_PUT_UINT16_BE(p - buf - 6, buf, 4);
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]991
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]992 *out_len = (p - buf) + l_binders_len;
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]993 *binders_len = l_binders_len;
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]994
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]995 MBEDTLS_SSL_DEBUG_BUF(3, "pre_shared_key identities", buf, p - buf);
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]996
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]997 return 0;
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]998}
999
XiaokangQian86981952022-07-19 09:51:50 +0000[diff] [blame]1000int mbedtls_ssl_tls13_write_binders_of_pre_shared_key_ext(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1001 mbedtls_ssl_context *ssl, unsigned char *buf, unsigned char *end)
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]1002{
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]1003 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1004 unsigned char *p = buf;
Jerry Yu6183cc72022-09-30 11:08:57 +0800[diff] [blame]1005 psa_algorithm_t hash_alg = PSA_ALG_NONE;
1006 const unsigned char *psk;
1007 size_t psk_len;
1008 size_t output_len;
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]1009
1010 /* Check if we have space to write binders_len.
1011 * - binders_len (2 bytes)
1012 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1013 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2);
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]1014 p += 2;
1015
Jerry Yu6183cc72022-09-30 11:08:57 +0800[diff] [blame]1016#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1017 if (ssl_tls13_ticket_get_psk(ssl, &hash_alg, &psk, &psk_len) == 0) {
Jerry Yu6183cc72022-09-30 11:08:57 +0800[diff] [blame]1018
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1019 ret = ssl_tls13_write_binder(ssl, p, end,
1020 MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION,
1021 hash_alg, psk, psk_len,
1022 &output_len);
1023 if (ret != 0) {
1024 return ret;
1025 }
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]1026 p += output_len;
1027 }
Jerry Yu6183cc72022-09-30 11:08:57 +0800[diff] [blame]1028#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]1029
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1030 if (ssl_tls13_psk_get_psk(ssl, &hash_alg, &psk, &psk_len) == 0) {
Jerry Yu6183cc72022-09-30 11:08:57 +0800[diff] [blame]1031
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1032 ret = ssl_tls13_write_binder(ssl, p, end,
1033 MBEDTLS_SSL_TLS1_3_PSK_EXTERNAL,
1034 hash_alg, psk, psk_len,
1035 &output_len);
1036 if (ret != 0) {
1037 return ret;
1038 }
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]1039 p += output_len;
1040 }
1041
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1042 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, adding PSK binder list."));
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]1043
1044 /*
1045 * - binders_len (2 bytes)
1046 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1047 MBEDTLS_PUT_UINT16_BE(p - buf - 2, buf, 0);
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]1048
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1049 MBEDTLS_SSL_DEBUG_BUF(3, "pre_shared_key binders", buf, p - buf);
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]1050
Jerry Yuc4bf5d62022-10-29 09:08:47 +0800[diff] [blame]1051 mbedtls_ssl_tls13_set_hs_sent_ext_mask(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1052 ssl, MBEDTLS_TLS_EXT_PRE_SHARED_KEY);
Jerry Yu0c354a22022-08-29 15:25:36 +0800[diff] [blame]1053
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1054 return 0;
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]1055}
Jerry Yu0c6105b2022-08-12 17:26:40 +0800[diff] [blame]1056
1057/*
1058 * struct {
1059 * opaque identity<1..2^16-1>;
1060 * uint32 obfuscated_ticket_age;
1061 * } PskIdentity;
1062 *
1063 * opaque PskBinderEntry<32..255>;
1064 *
1065 * struct {
1066 *
1067 * select (Handshake.msg_type) {
1068 * ...
1069 * case server_hello: uint16 selected_identity;
1070 * };
1071 *
1072 * } PreSharedKeyExtension;
1073 *
1074 */
1075MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1076static int ssl_tls13_parse_server_pre_shared_key_ext(mbedtls_ssl_context *ssl,
1077 const unsigned char *buf,
1078 const unsigned char *end)
Jerry Yu0c6105b2022-08-12 17:26:40 +0800[diff] [blame]1079{
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]1080 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yub300e3c2022-09-28 22:12:07 +0800[diff] [blame]1081 int selected_identity;
Jerry Yub300e3c2022-09-28 22:12:07 +0800[diff] [blame]1082 const unsigned char *psk;
1083 size_t psk_len;
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]1084 psa_algorithm_t hash_alg;
Jerry Yub300e3c2022-09-28 22:12:07 +0800[diff] [blame]1085
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1086 MBEDTLS_SSL_CHK_BUF_READ_PTR(buf, end, 2);
1087 selected_identity = MBEDTLS_GET_UINT16_BE(buf, 0);
Xiaokang Qian2a674932023-01-04 03:15:09 +0000[diff] [blame]1088 ssl->handshake->selected_identity = (uint16_t) selected_identity;
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]1089
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1090 MBEDTLS_SSL_DEBUG_MSG(3, ("selected_identity = %d", selected_identity));
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]1091
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1092 if (selected_identity >= ssl_tls13_get_configured_psk_count(ssl)) {
1093 MBEDTLS_SSL_DEBUG_MSG(1, ("Invalid PSK identity."));
Jerry Yu4a698342022-09-30 12:22:01 +0800[diff] [blame]1094
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1095 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
1096 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
1097 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Jerry Yub300e3c2022-09-28 22:12:07 +0800[diff] [blame]1098 }
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]1099
Jerry Yu4a698342022-09-30 12:22:01 +0800[diff] [blame]1100#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1101 if (selected_identity == 0 && ssl_tls13_has_configured_ticket(ssl)) {
1102 ret = ssl_tls13_ticket_get_psk(ssl, &hash_alg, &psk, &psk_len);
1103 } else
Jerry Yu4a698342022-09-30 12:22:01 +0800[diff] [blame]1104#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1105 if (mbedtls_ssl_conf_has_static_psk(ssl->conf)) {
1106 ret = ssl_tls13_psk_get_psk(ssl, &hash_alg, &psk, &psk_len);
1107 } else {
1108 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
1109 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Jerry Yub300e3c2022-09-28 22:12:07 +0800[diff] [blame]1110 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1111 if (ret != 0) {
1112 return ret;
Jerry Yub300e3c2022-09-28 22:12:07 +0800[diff] [blame]1113 }
Jerry Yub300e3c2022-09-28 22:12:07 +0800[diff] [blame]1114
Dave Rodgman2eab4622023-10-05 13:30:37 +0100[diff] [blame]1115 if (mbedtls_md_psa_alg_from_type((mbedtls_md_type_t) ssl->handshake->ciphersuite_info->mac)
Xiaokang Qianeb31cbc2023-02-07 02:08:56 +0000[diff] [blame]1116 != hash_alg) {
1117 MBEDTLS_SSL_DEBUG_MSG(
1118 1, ("Invalid ciphersuite for external psk."));
1119
1120 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
1121 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
1122 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
1123 }
1124
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1125 ret = mbedtls_ssl_set_hs_psk(ssl, psk, psk_len);
1126 if (ret != 0) {
1127 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_set_hs_psk", ret);
1128 return ret;
1129 }
1130
1131 return 0;
Jerry Yu0c6105b2022-08-12 17:26:40 +0800[diff] [blame]1132}
Ronald Cron41a443a2022-10-04 16:38:25 +0200[diff] [blame]1133#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]1134
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1135int mbedtls_ssl_tls13_write_client_hello_exts(mbedtls_ssl_context *ssl,
1136 unsigned char *buf,
1137 unsigned char *end,
1138 size_t *out_len)
Ronald Cron04fbd2b2022-02-18 12:06:07 +0100[diff] [blame]1139{
1140 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1141 unsigned char *p = buf;
1142 size_t ext_len;
1143
1144 *out_len = 0;
1145
1146 /* Write supported_versions extension
1147 *
1148 * Supported Versions Extension is mandatory with TLS 1.3.
1149 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1150 ret = ssl_tls13_write_supported_versions_ext(ssl, p, end, &ext_len);
1151 if (ret != 0) {
1152 return ret;
1153 }
Ronald Cron04fbd2b2022-02-18 12:06:07 +0100[diff] [blame]1154 p += ext_len;
1155
1156 /* Echo the cookie if the server provided one in its preceding
1157 * HelloRetryRequest message.
1158 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1159 ret = ssl_tls13_write_cookie_ext(ssl, p, end, &ext_len);
1160 if (ret != 0) {
1161 return ret;
1162 }
Ronald Cron04fbd2b2022-02-18 12:06:07 +0100[diff] [blame]1163 p += ext_len;
1164
Ronald Cron766c0cd2022-10-18 12:17:11 +0200[diff] [blame]1165#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1166 if (mbedtls_ssl_conf_tls13_some_ephemeral_enabled(ssl)) {
1167 ret = ssl_tls13_write_key_share_ext(ssl, p, end, &ext_len);
1168 if (ret != 0) {
1169 return ret;
1170 }
Ronald Cron04fbd2b2022-02-18 12:06:07 +0100[diff] [blame]1171 p += ext_len;
1172 }
Ronald Cron766c0cd2022-10-18 12:17:11 +0200[diff] [blame]1173#endif
Ronald Cron04fbd2b2022-02-18 12:06:07 +0100[diff] [blame]1174
Xiaokang Qian0e97d4d2022-10-24 11:12:51 +0000[diff] [blame]1175#if defined(MBEDTLS_SSL_EARLY_DATA)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1176 if (mbedtls_ssl_conf_tls13_some_psk_enabled(ssl) &&
1177 ssl_tls13_early_data_has_valid_ticket(ssl) &&
1178 ssl->conf->early_data_enabled == MBEDTLS_SSL_EARLY_DATA_ENABLED) {
1179 ret = mbedtls_ssl_tls13_write_early_data_ext(ssl, p, end, &ext_len);
1180 if (ret != 0) {
1181 return ret;
1182 }
Xiaokang Qian0e97d4d2022-10-24 11:12:51 +0000[diff] [blame]1183 p += ext_len;
1184
Ronald Cron4a8c9e22022-10-26 18:49:09 +0200[diff] [blame]1185 /* Initializes the status to `rejected`. It will be updated to
1186 * `accepted` if the EncryptedExtension message contain an early data
1187 * indication extension.
Xiaokang Qiana042b842022-11-09 01:59:33 +0000[diff] [blame]1188 */
Ronald Cron4a8c9e22022-10-26 18:49:09 +0200[diff] [blame]1189 ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1190 } else {
1191 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write early_data extension"));
Xiaokang Qianf447e8a2022-11-08 07:02:27 +0000[diff] [blame]1192 ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT;
Xiaokang Qian0e97d4d2022-10-24 11:12:51 +0000[diff] [blame]1193 }
1194#endif /* MBEDTLS_SSL_EARLY_DATA */
1195
Ronald Cron41a443a2022-10-04 16:38:25 +0200[diff] [blame]1196#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]1197 /* For PSK-based key exchange we need the pre_shared_key extension
1198 * and the psk_key_exchange_modes extension.
1199 *
1200 * The pre_shared_key extension MUST be the last extension in the
1201 * ClientHello. Servers MUST check that it is the last extension and
1202 * otherwise fail the handshake with an "illegal_parameter" alert.
1203 *
1204 * Add the psk_key_exchange_modes extension.
1205 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1206 ret = ssl_tls13_write_psk_key_exchange_modes_ext(ssl, p, end, &ext_len);
1207 if (ret != 0) {
1208 return ret;
1209 }
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]1210 p += ext_len;
Ronald Cron41a443a2022-10-04 16:38:25 +0200[diff] [blame]1211#endif
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]1212
Ronald Cron04fbd2b2022-02-18 12:06:07 +0100[diff] [blame]1213 *out_len = p - buf;
1214
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1215 return 0;
Ronald Cron04fbd2b2022-02-18 12:06:07 +0100[diff] [blame]1216}
1217
Xiaokang Qian934ce6f2023-02-06 10:23:04 +0000[diff] [blame]1218int mbedtls_ssl_tls13_finalize_client_hello(mbedtls_ssl_context *ssl)
Xiaokang Qian126929f2023-01-03 10:29:41 +0000[diff] [blame]1219{
Xiaokang Qian90746132023-01-06 05:54:59 +0000[diff] [blame]1220 ((void) ssl);
Xiaokang Qian79f77522023-01-28 10:35:29 +0000[diff] [blame]1221
Xiaokang Qian126929f2023-01-03 10:29:41 +0000[diff] [blame]1222#if defined(MBEDTLS_SSL_EARLY_DATA)
1223 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1224 psa_algorithm_t hash_alg = PSA_ALG_NONE;
1225 const unsigned char *psk;
1226 size_t psk_len;
1227 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
Xiaokang Qian592021a2023-01-04 10:47:05 +0000[diff] [blame]1228
Xiaokang Qian126929f2023-01-03 10:29:41 +0000[diff] [blame]1229 if (ssl->early_data_status == MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED) {
Xiaokang Qian6be82902023-02-03 06:04:43 +0000[diff] [blame]1230#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
1231 mbedtls_ssl_handshake_set_state(
1232 ssl, MBEDTLS_SSL_CLIENT_CCS_AFTER_CLIENT_HELLO);
1233#endif
Xiaokang Qian126929f2023-01-03 10:29:41 +0000[diff] [blame]1234 MBEDTLS_SSL_DEBUG_MSG(
1235 1, ("Set hs psk for early data when writing the first psk"));
1236
1237 ret = ssl_tls13_ticket_get_psk(ssl, &hash_alg, &psk, &psk_len);
1238 if (ret != 0) {
1239 MBEDTLS_SSL_DEBUG_RET(
1240 1, "ssl_tls13_ticket_get_psk", ret);
1241 return ret;
1242 }
1243
1244 ret = mbedtls_ssl_set_hs_psk(ssl, psk, psk_len);
1245 if (ret != 0) {
1246 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_set_hs_psk", ret);
1247 return ret;
1248 }
1249
Xiaokang Qian64bc9bc2023-02-07 02:32:23 +0000[diff] [blame]1250 /*
1251 * Early data are going to be encrypted using the ciphersuite
1252 * associated with the pre-shared key used for the handshake.
1253 * Note that if the server rejects early data, the handshake
1254 * based on the pre-shared key may complete successfully
1255 * with a selected ciphersuite different from the ciphersuite
1256 * associated with the pre-shared key. Only the hashes of the
1257 * two ciphersuites have to be the same. In that case, the
1258 * encrypted handshake data and application data are
1259 * encrypted using a different ciphersuite than the one used for
1260 * the rejected early data.
1261 */
Xiaokang Qian126929f2023-01-03 10:29:41 +0000[diff] [blame]1262 ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(
1263 ssl->session_negotiate->ciphersuite);
1264 ssl->handshake->ciphersuite_info = ciphersuite_info;
Xiaokang Qian8dc4ce72023-02-07 10:49:50 +0000[diff] [blame]1265
Tom Cosgrove5c8505f2023-03-07 11:39:52 +0000[diff] [blame]1266 /* Enable psk and psk_ephemeral to make stage early happy */
Xiaokang Qian126929f2023-01-03 10:29:41 +0000[diff] [blame]1267 ssl->handshake->key_exchange_mode =
1268 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL;
1269
1270 /* Start the TLS 1.3 key schedule:
Xiaokang Qian8dc4ce72023-02-07 10:49:50 +0000[diff] [blame]1271 * Set the PSK and derive early secret.
Xiaokang Qian126929f2023-01-03 10:29:41 +0000[diff] [blame]1272 */
1273 ret = mbedtls_ssl_tls13_key_schedule_stage_early(ssl);
1274 if (ret != 0) {
Xiaokang Qian0de0d862023-02-08 06:04:50 +0000[diff] [blame]1275 MBEDTLS_SSL_DEBUG_RET(
1276 1, "mbedtls_ssl_tls13_key_schedule_stage_early", ret);
Xiaokang Qian126929f2023-01-03 10:29:41 +0000[diff] [blame]1277 return ret;
1278 }
1279
1280 /* Derive early data key material */
1281 ret = mbedtls_ssl_tls13_compute_early_transform(ssl);
1282 if (ret != 0) {
Xiaokang Qian0de0d862023-02-08 06:04:50 +0000[diff] [blame]1283 MBEDTLS_SSL_DEBUG_RET(
1284 1, "mbedtls_ssl_tls13_compute_early_transform", ret);
Xiaokang Qian126929f2023-01-03 10:29:41 +0000[diff] [blame]1285 return ret;
1286 }
1287
Xiaokang Qian126929f2023-01-03 10:29:41 +0000[diff] [blame]1288 }
1289#endif /* MBEDTLS_SSL_EARLY_DATA */
1290 return 0;
1291}
Jerry Yu1bc2c1f2021-09-01 12:57:29 +0800[diff] [blame]1292/*
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1293 * Functions for parsing and processing Server Hello
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1294 */
Ronald Cronfd6193c2022-04-05 11:04:20 +0200[diff] [blame]1295
Ronald Cronda41b382022-03-30 09:57:11 +0200[diff] [blame]1296/**
1297 * \brief Detect if the ServerHello contains a supported_versions extension
1298 * or not.
1299 *
1300 * \param[in] ssl SSL context
1301 * \param[in] buf Buffer containing the ServerHello message
1302 * \param[in] end End of the buffer containing the ServerHello message
1303 *
1304 * \return 0 if the ServerHello does not contain a supported_versions extension
1305 * \return 1 if the ServerHello contains a supported_versions extension
1306 * \return A negative value if an error occurred while parsing the ServerHello.
1307 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1308MBEDTLS_CHECK_RETURN_CRITICAL
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]1309static int ssl_tls13_is_supported_versions_ext_present(
1310 mbedtls_ssl_context *ssl,
1311 const unsigned char *buf,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1312 const unsigned char *end)
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]1313{
1314 const unsigned char *p = buf;
1315 size_t legacy_session_id_echo_len;
Ronald Croneff56732023-04-03 17:36:31 +0200[diff] [blame]1316 const unsigned char *supported_versions_data;
1317 const unsigned char *supported_versions_data_end;
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]1318
1319 /*
1320 * Check there is enough data to access the legacy_session_id_echo vector
Ronald Cronda41b382022-03-30 09:57:11 +0200[diff] [blame]1321 * length:
1322 * - legacy_version 2 bytes
1323 * - random MBEDTLS_SERVER_HELLO_RANDOM_LEN bytes
1324 * - legacy_session_id_echo length 1 byte
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]1325 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1326 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, MBEDTLS_SERVER_HELLO_RANDOM_LEN + 3);
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]1327 p += MBEDTLS_SERVER_HELLO_RANDOM_LEN + 2;
1328 legacy_session_id_echo_len = *p;
1329
1330 /*
1331 * Jump to the extensions, jumping over:
1332 * - legacy_session_id_echo (legacy_session_id_echo_len + 1) bytes
1333 * - cipher_suite 2 bytes
1334 * - legacy_compression_method 1 byte
1335 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1336 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, legacy_session_id_echo_len + 4);
1337 p += legacy_session_id_echo_len + 4;
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]1338
Ronald Cron47dce632023-02-08 17:38:29 +0100[diff] [blame]1339 return mbedtls_ssl_tls13_is_supported_versions_ext_present_in_exts(
1340 ssl, p, end,
Ronald Croneff56732023-04-03 17:36:31 +0200[diff] [blame]1341 &supported_versions_data, &supported_versions_data_end);
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]1342}
1343
Jerry Yu7a186a02021-10-15 18:46:14 +0800[diff] [blame]1344/* Returns a negative value on failure, and otherwise
Ronald Cronfd6193c2022-04-05 11:04:20 +0200[diff] [blame]1345 * - 1 if the last eight bytes of the ServerHello random bytes indicate that
1346 * the server is TLS 1.3 capable but negotiating TLS 1.2 or below.
1347 * - 0 otherwise
1348 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1349MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1350static int ssl_tls13_is_downgrade_negotiation(mbedtls_ssl_context *ssl,
1351 const unsigned char *buf,
1352 const unsigned char *end)
Ronald Cronfd6193c2022-04-05 11:04:20 +0200[diff] [blame]1353{
1354 /* First seven bytes of the magic downgrade strings, see RFC 8446 4.1.3 */
1355 static const unsigned char magic_downgrade_string[] =
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1356 { 0x44, 0x4F, 0x57, 0x4E, 0x47, 0x52, 0x44 };
Ronald Cronfd6193c2022-04-05 11:04:20 +0200[diff] [blame]1357 const unsigned char *last_eight_bytes_of_random;
1358 unsigned char last_byte_of_random;
1359
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1360 MBEDTLS_SSL_CHK_BUF_READ_PTR(buf, end, MBEDTLS_SERVER_HELLO_RANDOM_LEN + 2);
Ronald Cronfd6193c2022-04-05 11:04:20 +0200[diff] [blame]1361 last_eight_bytes_of_random = buf + 2 + MBEDTLS_SERVER_HELLO_RANDOM_LEN - 8;
1362
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1363 if (memcmp(last_eight_bytes_of_random,
1364 magic_downgrade_string,
1365 sizeof(magic_downgrade_string)) == 0) {
Ronald Cronfd6193c2022-04-05 11:04:20 +0200[diff] [blame]1366 last_byte_of_random = last_eight_bytes_of_random[7];
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1367 return last_byte_of_random == 0 ||
1368 last_byte_of_random == 1;
Ronald Cronfd6193c2022-04-05 11:04:20 +0200[diff] [blame]1369 }
1370
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1371 return 0;
Ronald Cronfd6193c2022-04-05 11:04:20 +0200[diff] [blame]1372}
1373
1374/* Returns a negative value on failure, and otherwise
Ronald Cron828aff62022-05-31 12:04:31 +0200[diff] [blame]1375 * - SSL_SERVER_HELLO or
1376 * - SSL_SERVER_HELLO_HRR
XiaokangQian51eff222021-12-10 10:33:56 +0000[diff] [blame]1377 * to indicate which message is expected and to be parsed next.
1378 */
Ronald Cron828aff62022-05-31 12:04:31 +0200[diff] [blame]1379#define SSL_SERVER_HELLO 0
1380#define SSL_SERVER_HELLO_HRR 1
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1381MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1382static int ssl_server_hello_is_hrr(mbedtls_ssl_context *ssl,
1383 const unsigned char *buf,
1384 const unsigned char *end)
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1385{
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1386
1387 /* Check whether this message is a HelloRetryRequest ( HRR ) message.
1388 *
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1389 * Server Hello and HRR are only distinguished by Random set to the
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1390 * special value of the SHA-256 of "HelloRetryRequest".
1391 *
1392 * struct {
1393 * ProtocolVersion legacy_version = 0x0303;
1394 * Random random;
1395 * opaque legacy_session_id_echo<0..32>;
1396 * CipherSuite cipher_suite;
1397 * uint8 legacy_compression_method = 0;
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1398 * Extension extensions<6..2^16-1>;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1399 * } ServerHello;
1400 *
1401 */
Xiaokang Qian958b6ff2023-03-29 10:37:35 +0000[diff] [blame]1402 MBEDTLS_SSL_CHK_BUF_READ_PTR(
1403 buf, end, 2 + sizeof(mbedtls_ssl_tls13_hello_retry_request_magic));
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1404
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1405 if (memcmp(buf + 2, mbedtls_ssl_tls13_hello_retry_request_magic,
1406 sizeof(mbedtls_ssl_tls13_hello_retry_request_magic)) == 0) {
1407 return SSL_SERVER_HELLO_HRR;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1408 }
1409
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1410 return SSL_SERVER_HELLO;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1411}
1412
Ronald Cron828aff62022-05-31 12:04:31 +0200[diff] [blame]1413/*
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1414 * Returns a negative value on failure, and otherwise
Ronald Cron828aff62022-05-31 12:04:31 +0200[diff] [blame]1415 * - SSL_SERVER_HELLO or
1416 * - SSL_SERVER_HELLO_HRR or
1417 * - SSL_SERVER_HELLO_TLS1_2
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1418 */
Ronald Cron828aff62022-05-31 12:04:31 +0200[diff] [blame]1419#define SSL_SERVER_HELLO_TLS1_2 2
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1420MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1421static int ssl_tls13_preprocess_server_hello(mbedtls_ssl_context *ssl,
1422 const unsigned char *buf,
1423 const unsigned char *end)
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1424{
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1425 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Ronald Cron5afb9042022-05-31 12:11:39 +0200[diff] [blame]1426 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1427
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1428 MBEDTLS_SSL_PROC_CHK_NEG(ssl_tls13_is_supported_versions_ext_present(
1429 ssl, buf, end));
Jerry Yua66fece2022-07-13 14:30:29 +0800[diff] [blame]1430
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1431 if (ret == 0) {
Ronald Cronfd6193c2022-04-05 11:04:20 +0200[diff] [blame]1432 MBEDTLS_SSL_PROC_CHK_NEG(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1433 ssl_tls13_is_downgrade_negotiation(ssl, buf, end));
Ronald Cronfd6193c2022-04-05 11:04:20 +0200[diff] [blame]1434
1435 /* If the server is negotiating TLS 1.2 or below and:
1436 * . we did not propose TLS 1.2 or
1437 * . the server responded it is TLS 1.3 capable but negotiating a lower
1438 * version of the protocol and thus we are under downgrade attack
1439 * abort the handshake with an "illegal parameter" alert.
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]1440 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1441 if (handshake->min_tls_version > MBEDTLS_SSL_VERSION_TLS1_2 || ret) {
1442 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
1443 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
1444 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]1445 }
1446
Ronald Cronb828c7d2023-04-03 16:37:22 +0200[diff] [blame]1447 /*
1448 * Version 1.2 of the protocol has been negotiated, set the
1449 * ssl->keep_current_message flag for the ServerHello to be kept and
1450 * parsed as a TLS 1.2 ServerHello. We also change ssl->tls_version to
1451 * MBEDTLS_SSL_VERSION_TLS1_2 thus from now on mbedtls_ssl_handshake_step()
1452 * will dispatch to the TLS 1.2 state machine.
1453 */
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]1454 ssl->keep_current_message = 1;
Glenn Strauss60bfe602022-03-14 19:04:24 -0400[diff] [blame]1455 ssl->tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
Xiaokang Qian958b6ff2023-03-29 10:37:35 +0000[diff] [blame]1456 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(
1457 ssl, MBEDTLS_SSL_HS_SERVER_HELLO,
1458 buf, (size_t) (end - buf)));
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]1459
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1460 if (mbedtls_ssl_conf_tls13_some_ephemeral_enabled(ssl)) {
1461 ret = ssl_tls13_reset_key_share(ssl);
1462 if (ret != 0) {
1463 return ret;
1464 }
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]1465 }
1466
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1467 return SSL_SERVER_HELLO_TLS1_2;
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]1468 }
1469
Jerry Yua66fece2022-07-13 14:30:29 +0800[diff] [blame]1470#if defined(MBEDTLS_SSL_SESSION_TICKETS)
1471 ssl->session_negotiate->endpoint = ssl->conf->endpoint;
1472 ssl->session_negotiate->tls_version = ssl->tls_version;
1473#endif /* MBEDTLS_SSL_SESSION_TICKETS */
1474
Jerry Yu50e00e32022-10-31 14:45:01 +0800[diff] [blame]1475 handshake->received_extensions = MBEDTLS_SSL_EXT_MASK_NONE;
Ronald Cron5afb9042022-05-31 12:11:39 +0200[diff] [blame]1476
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1477 ret = ssl_server_hello_is_hrr(ssl, buf, end);
1478 switch (ret) {
Ronald Cron828aff62022-05-31 12:04:31 +0200[diff] [blame]1479 case SSL_SERVER_HELLO:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1480 MBEDTLS_SSL_DEBUG_MSG(2, ("received ServerHello message"));
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1481 break;
Ronald Cron828aff62022-05-31 12:04:31 +0200[diff] [blame]1482 case SSL_SERVER_HELLO_HRR:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1483 MBEDTLS_SSL_DEBUG_MSG(2, ("received HelloRetryRequest message"));
Xiaokang Qian958b6ff2023-03-29 10:37:35 +0000[diff] [blame]1484 /* If a client receives a second HelloRetryRequest in the same
1485 * connection (i.e., where the ClientHello was itself in response
1486 * to a HelloRetryRequest), it MUST abort the handshake with an
1487 * "unexpected_message" alert.
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1488 */
1489 if (handshake->hello_retry_request_count > 0) {
1490 MBEDTLS_SSL_DEBUG_MSG(1, ("Multiple HRRs received"));
Xiaokang Qian958b6ff2023-03-29 10:37:35 +0000[diff] [blame]1491 MBEDTLS_SSL_PEND_FATAL_ALERT(
1492 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE,
1493 MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1494 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
XiaokangQian16acd4b2022-01-14 07:35:47 +0000[diff] [blame]1495 }
XiaokangQian2b01dc32022-01-21 02:53:13 +0000[diff] [blame]1496 /*
1497 * Clients must abort the handshake with an "illegal_parameter"
1498 * alert if the HelloRetryRequest would not result in any change
1499 * in the ClientHello.
1500 * In a PSK only key exchange that what we expect.
1501 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1502 if (!mbedtls_ssl_conf_tls13_some_ephemeral_enabled(ssl)) {
1503 MBEDTLS_SSL_DEBUG_MSG(1,
1504 ("Unexpected HRR in pure PSK key exchange."));
XiaokangQian2b01dc32022-01-21 02:53:13 +0000[diff] [blame]1505 MBEDTLS_SSL_PEND_FATAL_ALERT(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1506 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
1507 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
1508 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
XiaokangQian2b01dc32022-01-21 02:53:13 +0000[diff] [blame]1509 }
XiaokangQian16acd4b2022-01-14 07:35:47 +0000[diff] [blame]1510
Ronald Cron5afb9042022-05-31 12:11:39 +0200[diff] [blame]1511 handshake->hello_retry_request_count++;
XiaokangQian16acd4b2022-01-14 07:35:47 +0000[diff] [blame]1512
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1513 break;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1514 }
1515
1516cleanup:
1517
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1518 return ret;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1519}
1520
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1521MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1522static int ssl_tls13_check_server_hello_session_id_echo(mbedtls_ssl_context *ssl,
1523 const unsigned char **buf,
1524 const unsigned char *end)
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1525{
1526 const unsigned char *p = *buf;
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1527 size_t legacy_session_id_echo_len;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1528
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1529 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 1);
1530 legacy_session_id_echo_len = *p++;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1531
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1532 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, legacy_session_id_echo_len);
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1533
1534 /* legacy_session_id_echo */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1535 if (ssl->session_negotiate->id_len != legacy_session_id_echo_len ||
1536 memcmp(ssl->session_negotiate->id, p, legacy_session_id_echo_len) != 0) {
1537 MBEDTLS_SSL_DEBUG_BUF(3, "Expected Session ID",
1538 ssl->session_negotiate->id,
1539 ssl->session_negotiate->id_len);
1540 MBEDTLS_SSL_DEBUG_BUF(3, "Received Session ID", p,
1541 legacy_session_id_echo_len);
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1542
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1543 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
1544 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1545
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1546 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1547 }
1548
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1549 p += legacy_session_id_echo_len;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1550 *buf = p;
1551
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1552 MBEDTLS_SSL_DEBUG_BUF(3, "Session ID", ssl->session_negotiate->id,
1553 ssl->session_negotiate->id_len);
1554 return 0;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1555}
1556
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1557/* Parse ServerHello message and configure context
1558 *
1559 * struct {
1560 * ProtocolVersion legacy_version = 0x0303; // TLS 1.2
1561 * Random random;
1562 * opaque legacy_session_id_echo<0..32>;
1563 * CipherSuite cipher_suite;
1564 * uint8 legacy_compression_method = 0;
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1565 * Extension extensions<6..2^16-1>;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1566 * } ServerHello;
1567 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1568MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1569static int ssl_tls13_parse_server_hello(mbedtls_ssl_context *ssl,
1570 const unsigned char *buf,
1571 const unsigned char *end,
1572 int is_hrr)
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1573{
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1574 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1575 const unsigned char *p = buf;
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]1576 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1577 size_t extensions_len;
1578 const unsigned char *extensions_end;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1579 uint16_t cipher_suite;
Jerry Yude4fb2c2021-09-19 18:05:08 +0800[diff] [blame]1580 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
XiaokangQianb119a352022-01-26 03:29:10 +0000[diff] [blame]1581 int fatal_alert = 0;
Jerry Yu0c354a22022-08-29 15:25:36 +0800[diff] [blame]1582 uint32_t allowed_extensions_mask;
Jerry Yu50e00e32022-10-31 14:45:01 +0800[diff] [blame]1583 int hs_msg_type = is_hrr ? MBEDTLS_SSL_TLS1_3_HS_HELLO_RETRY_REQUEST :
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1584 MBEDTLS_SSL_HS_SERVER_HELLO;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1585
1586 /*
1587 * Check there is space for minimal fields
1588 *
1589 * - legacy_version ( 2 bytes)
Jerry Yue6d7e5c2021-10-26 10:44:32 +0800[diff] [blame]1590 * - random (MBEDTLS_SERVER_HELLO_RANDOM_LEN bytes)
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1591 * - legacy_session_id_echo ( 1 byte ), minimum size
1592 * - cipher_suite ( 2 bytes)
1593 * - legacy_compression_method ( 1 byte )
1594 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1595 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, MBEDTLS_SERVER_HELLO_RANDOM_LEN + 6);
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1596
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1597 MBEDTLS_SSL_DEBUG_BUF(4, "server hello", p, end - p);
1598 MBEDTLS_SSL_DEBUG_BUF(3, "server hello, version", p, 2);
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1599
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1600 /* ...
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1601 * ProtocolVersion legacy_version = 0x0303; // TLS 1.2
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1602 * ...
1603 * with ProtocolVersion defined as:
1604 * uint16 ProtocolVersion;
1605 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1606 if (mbedtls_ssl_read_version(p, ssl->conf->transport) !=
1607 MBEDTLS_SSL_VERSION_TLS1_2) {
1608 MBEDTLS_SSL_DEBUG_MSG(1, ("Unsupported version of TLS."));
1609 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION,
1610 MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION);
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1611 ret = MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION;
1612 goto cleanup;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1613 }
1614 p += 2;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1615
Jerry Yue6d7e5c2021-10-26 10:44:32 +0800[diff] [blame]1616 /* ...
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1617 * Random random;
1618 * ...
1619 * with Random defined as:
Jerry Yue6d7e5c2021-10-26 10:44:32 +0800[diff] [blame]1620 * opaque Random[MBEDTLS_SERVER_HELLO_RANDOM_LEN];
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1621 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1622 if (!is_hrr) {
1623 memcpy(&handshake->randbytes[MBEDTLS_CLIENT_HELLO_RANDOM_LEN], p,
1624 MBEDTLS_SERVER_HELLO_RANDOM_LEN);
1625 MBEDTLS_SSL_DEBUG_BUF(3, "server hello, random bytes",
1626 p, MBEDTLS_SERVER_HELLO_RANDOM_LEN);
XiaokangQian53f20b72022-01-18 10:47:33 +0000[diff] [blame]1627 }
Jerry Yue6d7e5c2021-10-26 10:44:32 +0800[diff] [blame]1628 p += MBEDTLS_SERVER_HELLO_RANDOM_LEN;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1629
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1630 /* ...
1631 * opaque legacy_session_id_echo<0..32>;
1632 * ...
1633 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1634 if (ssl_tls13_check_server_hello_session_id_echo(ssl, &p, end) != 0) {
XiaokangQian52da5582022-01-26 09:49:29 +0000[diff] [blame]1635 fatal_alert = MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER;
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1636 goto cleanup;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1637 }
1638
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1639 /* ...
1640 * CipherSuite cipher_suite;
1641 * ...
1642 * with CipherSuite defined as:
1643 * uint8 CipherSuite[2];
1644 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1645 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
1646 cipher_suite = MBEDTLS_GET_UINT16_BE(p, 0);
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1647 p += 2;
1648
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1649
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1650 ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(cipher_suite);
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1651 /*
Ronald Cronba120bb2022-03-30 22:09:48 +0200[diff] [blame]1652 * Check whether this ciphersuite is valid and offered.
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1653 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1654 if ((mbedtls_ssl_validate_ciphersuite(ssl, ciphersuite_info,
1655 ssl->tls_version,
1656 ssl->tls_version) != 0) ||
1657 !mbedtls_ssl_tls13_cipher_suite_is_offered(ssl, cipher_suite)) {
XiaokangQian52da5582022-01-26 09:49:29 +0000[diff] [blame]1658 fatal_alert = MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1659 }
XiaokangQian53f20b72022-01-18 10:47:33 +0000[diff] [blame]1660 /*
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]1661 * If we received an HRR before and that the proposed selected
1662 * ciphersuite in this server hello is not the same as the one
1663 * proposed in the HRR, we abort the handshake and send an
1664 * "illegal_parameter" alert.
XiaokangQian53f20b72022-01-18 10:47:33 +0000[diff] [blame]1665 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1666 else if ((!is_hrr) && (handshake->hello_retry_request_count > 0) &&
1667 (cipher_suite != ssl->session_negotiate->ciphersuite)) {
XiaokangQian52da5582022-01-26 09:49:29 +0000[diff] [blame]1668 fatal_alert = MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER;
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]1669 }
XiaokangQian53f20b72022-01-18 10:47:33 +0000[diff] [blame]1670
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1671 if (fatal_alert == MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER) {
1672 MBEDTLS_SSL_DEBUG_MSG(1, ("invalid ciphersuite(%04x) parameter",
1673 cipher_suite));
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1674 goto cleanup;
XiaokangQian53f20b72022-01-18 10:47:33 +0000[diff] [blame]1675 }
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1676
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1677 /* Configure ciphersuites */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1678 mbedtls_ssl_optimize_checksum(ssl, ciphersuite_info);
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1679
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]1680 handshake->ciphersuite_info = ciphersuite_info;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1681 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, chosen ciphersuite: ( %04x ) - %s",
1682 cipher_suite, ciphersuite_info->name));
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1683
1684#if defined(MBEDTLS_HAVE_TIME)
YxCda609132023-05-22 12:08:12 -0700[diff] [blame]1685 ssl->session_negotiate->start = mbedtls_time(NULL);
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1686#endif /* MBEDTLS_HAVE_TIME */
1687
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1688 /* ...
1689 * uint8 legacy_compression_method = 0;
1690 * ...
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1691 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1692 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 1);
1693 if (p[0] != MBEDTLS_SSL_COMPRESS_NULL) {
1694 MBEDTLS_SSL_DEBUG_MSG(1, ("bad legacy compression method"));
XiaokangQian52da5582022-01-26 09:49:29 +0000[diff] [blame]1695 fatal_alert = MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER;
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1696 goto cleanup;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1697 }
1698 p++;
1699
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1700 /* ...
1701 * Extension extensions<6..2^16-1>;
1702 * ...
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1703 * struct {
1704 * ExtensionType extension_type; (2 bytes)
1705 * opaque extension_data<0..2^16-1>;
1706 * } Extension;
1707 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1708 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
1709 extensions_len = MBEDTLS_GET_UINT16_BE(p, 0);
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1710 p += 2;
Jerry Yude4fb2c2021-09-19 18:05:08 +0800[diff] [blame]1711
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1712 /* Check extensions do not go beyond the buffer of data. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1713 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, extensions_len);
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1714 extensions_end = p + extensions_len;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1715
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1716 MBEDTLS_SSL_DEBUG_BUF(3, "server hello extensions", p, extensions_len);
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1717
Jerry Yu50e00e32022-10-31 14:45:01 +0800[diff] [blame]1718 handshake->received_extensions = MBEDTLS_SSL_EXT_MASK_NONE;
Jerry Yu0c354a22022-08-29 15:25:36 +0800[diff] [blame]1719 allowed_extensions_mask = is_hrr ?
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1720 MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_HRR :
1721 MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_SH;
Jerry Yu2c5363e2022-08-04 17:42:49 +0800[diff] [blame]1722
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1723 while (p < extensions_end) {
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1724 unsigned int extension_type;
1725 size_t extension_data_len;
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]1726 const unsigned char *extension_data_end;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1727
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1728 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, extensions_end, 4);
1729 extension_type = MBEDTLS_GET_UINT16_BE(p, 0);
1730 extension_data_len = MBEDTLS_GET_UINT16_BE(p, 2);
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1731 p += 4;
1732
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1733 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, extensions_end, extension_data_len);
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]1734 extension_data_end = p + extension_data_len;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1735
Jerry Yuc4bf5d62022-10-29 09:08:47 +0800[diff] [blame]1736 ret = mbedtls_ssl_tls13_check_received_extension(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1737 ssl, hs_msg_type, extension_type, allowed_extensions_mask);
1738 if (ret != 0) {
1739 return ret;
1740 }
Jerry Yu2c5363e2022-08-04 17:42:49 +0800[diff] [blame]1741
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1742 switch (extension_type) {
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]1743 case MBEDTLS_TLS_EXT_COOKIE:
1744
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1745 ret = ssl_tls13_parse_cookie_ext(ssl,
1746 p, extension_data_end);
1747 if (ret != 0) {
1748 MBEDTLS_SSL_DEBUG_RET(1,
1749 "ssl_tls13_parse_cookie_ext",
1750 ret);
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1751 goto cleanup;
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]1752 }
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]1753 break;
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]1754
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1755 case MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1756 ret = ssl_tls13_parse_supported_versions_ext(ssl,
1757 p,
1758 extension_data_end);
1759 if (ret != 0) {
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1760 goto cleanup;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1761 }
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1762 break;
1763
Ronald Cron41a443a2022-10-04 16:38:25 +0200[diff] [blame]1764#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1765 case MBEDTLS_TLS_EXT_PRE_SHARED_KEY:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1766 MBEDTLS_SSL_DEBUG_MSG(3, ("found pre_shared_key extension"));
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1767
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1768 if ((ret = ssl_tls13_parse_server_pre_shared_key_ext(
1769 ssl, p, extension_data_end)) != 0) {
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]1770 MBEDTLS_SSL_DEBUG_RET(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1771 1, ("ssl_tls13_parse_server_pre_shared_key_ext"), ret);
1772 return ret;
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]1773 }
1774 break;
Ronald Cron41a443a2022-10-04 16:38:25 +0200[diff] [blame]1775#endif
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1776
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1777 case MBEDTLS_TLS_EXT_KEY_SHARE:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1778 MBEDTLS_SSL_DEBUG_MSG(3, ("found key_shares extension"));
1779 if (!mbedtls_ssl_conf_tls13_some_ephemeral_enabled(ssl)) {
XiaokangQian52da5582022-01-26 09:49:29 +0000[diff] [blame]1780 fatal_alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT;
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1781 goto cleanup;
1782 }
1783
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1784 if (is_hrr) {
1785 ret = ssl_tls13_parse_hrr_key_share_ext(ssl,
1786 p, extension_data_end);
1787 } else {
1788 ret = ssl_tls13_parse_key_share_ext(ssl,
1789 p, extension_data_end);
1790 }
1791 if (ret != 0) {
1792 MBEDTLS_SSL_DEBUG_RET(1,
1793 "ssl_tls13_parse_key_share_ext",
1794 ret);
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1795 goto cleanup;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1796 }
1797 break;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1798
1799 default:
Jerry Yu9872eb22022-08-29 13:42:01 +0800[diff] [blame]1800 ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
1801 goto cleanup;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1802 }
1803
1804 p += extension_data_len;
1805 }
1806
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1807 MBEDTLS_SSL_PRINT_EXTS(3, hs_msg_type, handshake->received_extensions);
Jerry Yu2c5363e2022-08-04 17:42:49 +0800[diff] [blame]1808
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1809cleanup:
1810
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1811 if (fatal_alert == MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT) {
1812 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT,
1813 MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION);
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1814 ret = MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1815 } else if (fatal_alert == MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER) {
1816 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
1817 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1818 ret = MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
1819 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1820 return ret;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1821}
1822
Xiaokang Qiancb6e9632022-09-26 11:59:32 +0000[diff] [blame]1823#if defined(MBEDTLS_DEBUG_C)
1824static const char *ssl_tls13_get_kex_mode_str(int mode)
Xiaokang Qian5beec4b2022-09-26 08:23:45 +0000[diff] [blame]1825{
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1826 switch (mode) {
Xiaokang Qian5beec4b2022-09-26 08:23:45 +0000[diff] [blame]1827 case MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK:
1828 return "psk";
1829 case MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL:
1830 return "ephemeral";
1831 case MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL:
1832 return "psk_ephemeral";
1833 default:
1834 return "unknown mode";
1835 }
1836}
Xiaokang Qiancb6e9632022-09-26 11:59:32 +0000[diff] [blame]1837#endif /* MBEDTLS_DEBUG_C */
Xiaokang Qian5beec4b2022-09-26 08:23:45 +0000[diff] [blame]1838
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1839MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1840static int ssl_tls13_postprocess_server_hello(mbedtls_ssl_context *ssl)
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1841{
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1842 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1843 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
Jerry Yu0b177842021-09-05 19:41:30 +0800[diff] [blame]1844
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1845 /* Determine the key exchange mode:
1846 * 1) If both the pre_shared_key and key_share extensions were received
1847 * then the key exchange mode is PSK with EPHEMERAL.
1848 * 2) If only the pre_shared_key extension was received then the key
1849 * exchange mode is PSK-only.
1850 * 3) If only the key_share extension was received then the key
1851 * exchange mode is EPHEMERAL-only.
Jerry Yu0b177842021-09-05 19:41:30 +0800[diff] [blame]1852 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1853 switch (handshake->received_extensions &
Xiaokang Qian958b6ff2023-03-29 10:37:35 +0000[diff] [blame]1854 (MBEDTLS_SSL_EXT_MASK(PRE_SHARED_KEY) |
1855 MBEDTLS_SSL_EXT_MASK(KEY_SHARE))) {
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1856 /* Only the pre_shared_key extension was received */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1857 case MBEDTLS_SSL_EXT_MASK(PRE_SHARED_KEY):
Xiaokang Qian958b6ff2023-03-29 10:37:35 +0000[diff] [blame]1858 handshake->key_exchange_mode =
1859 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK;
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1860 break;
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1861
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1862 /* Only the key_share extension was received */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1863 case MBEDTLS_SSL_EXT_MASK(KEY_SHARE):
Xiaokang Qian958b6ff2023-03-29 10:37:35 +0000[diff] [blame]1864 handshake->key_exchange_mode =
1865 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL;
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1866 break;
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1867
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1868 /* Both the pre_shared_key and key_share extensions were received */
Xiaokang Qian958b6ff2023-03-29 10:37:35 +0000[diff] [blame]1869 case (MBEDTLS_SSL_EXT_MASK(PRE_SHARED_KEY) |
1870 MBEDTLS_SSL_EXT_MASK(KEY_SHARE)):
1871 handshake->key_exchange_mode =
1872 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL;
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1873 break;
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1874
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1875 /* Neither pre_shared_key nor key_share extension was received */
1876 default:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1877 MBEDTLS_SSL_DEBUG_MSG(1, ("Unknown key exchange."));
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1878 ret = MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
1879 goto cleanup;
Jerry Yu0b177842021-09-05 19:41:30 +0800[diff] [blame]1880 }
1881
Xiaokang Qian0de0d862023-02-08 06:04:50 +0000[diff] [blame]1882 if (!mbedtls_ssl_conf_tls13_check_kex_modes(
1883 ssl, handshake->key_exchange_mode)) {
Xiaokang Qianac8195f2022-09-26 04:01:06 +0000[diff] [blame]1884 ret = MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Xiaokang Qian958b6ff2023-03-29 10:37:35 +0000[diff] [blame]1885 MBEDTLS_SSL_DEBUG_MSG(
1886 2, ("Key exchange mode(%s) is not supported.",
1887 ssl_tls13_get_kex_mode_str(handshake->key_exchange_mode)));
Xiaokang Qianac8195f2022-09-26 04:01:06 +0000[diff] [blame]1888 goto cleanup;
1889 }
1890
Xiaokang Qian958b6ff2023-03-29 10:37:35 +0000[diff] [blame]1891 MBEDTLS_SSL_DEBUG_MSG(
1892 3, ("Selected key exchange mode: %s",
1893 ssl_tls13_get_kex_mode_str(handshake->key_exchange_mode)));
Xiaokang Qian5beec4b2022-09-26 08:23:45 +0000[diff] [blame]1894
Xiaokang Qian7892b6c2023-02-02 06:05:48 +0000[diff] [blame]1895 /* Start the TLS 1.3 key scheduling if not already done.
Jerry Yu0b177842021-09-05 19:41:30 +0800[diff] [blame]1896 *
Xiaokang Qian7892b6c2023-02-02 06:05:48 +0000[diff] [blame]1897 * If we proposed early data then we have already derived an
1898 * early secret using the selected PSK and its associated hash.
1899 * It means that if the negotiated key exchange mode is psk or
1900 * psk_ephemeral, we have already correctly computed the
1901 * early secret and thus we do not do it again. In all other
1902 * cases we compute it here.
Xiaokang Qian303f82c52023-01-04 08:43:46 +0000[diff] [blame]1903 */
Xiaokang Qian90746132023-01-06 05:54:59 +0000[diff] [blame]1904#if defined(MBEDTLS_SSL_EARLY_DATA)
Xiaokang Qiane04afdc2023-02-07 02:19:42 +0000[diff] [blame]1905 if (ssl->early_data_status == MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT ||
1906 handshake->key_exchange_mode ==
1907 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL)
Xiaokang Qian90746132023-01-06 05:54:59 +0000[diff] [blame]1908#endif
1909 {
Xiaokang Qian303f82c52023-01-04 08:43:46 +0000[diff] [blame]1910 ret = mbedtls_ssl_tls13_key_schedule_stage_early(ssl);
1911 if (ret != 0) {
1912 MBEDTLS_SSL_DEBUG_RET(
1913 1, "mbedtls_ssl_tls13_key_schedule_stage_early", ret);
1914 goto cleanup;
1915 }
Jerry Yu0b177842021-09-05 19:41:30 +0800[diff] [blame]1916 }
1917
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1918 ret = mbedtls_ssl_tls13_compute_handshake_transform(ssl);
1919 if (ret != 0) {
1920 MBEDTLS_SSL_DEBUG_RET(1,
1921 "mbedtls_ssl_tls13_compute_handshake_transform",
1922 ret);
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1923 goto cleanup;
Jerry Yu0b177842021-09-05 19:41:30 +0800[diff] [blame]1924 }
1925
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1926 mbedtls_ssl_set_inbound_transform(ssl, handshake->transform_handshake);
1927 MBEDTLS_SSL_DEBUG_MSG(1, ("Switch to handshake keys for inbound traffic"));
Jerry Yu0b177842021-09-05 19:41:30 +0800[diff] [blame]1928 ssl->session_in = ssl->session_negotiate;
1929
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1930cleanup:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1931 if (ret != 0) {
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1932 MBEDTLS_SSL_PEND_FATAL_ALERT(
1933 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1934 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE);
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1935 }
Jerry Yue110d252022-05-05 10:19:22 +0800[diff] [blame]1936
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1937 return ret;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1938}
1939
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1940MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1941static int ssl_tls13_postprocess_hrr(mbedtls_ssl_context *ssl)
XiaokangQian647719a2021-12-07 09:16:29 +0000[diff] [blame]1942{
1943 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1944
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1945 mbedtls_ssl_session_reset_msg_layer(ssl, 0);
XiaokangQian647719a2021-12-07 09:16:29 +0000[diff] [blame]1946
XiaokangQian78b1fa72022-01-19 06:56:30 +0000[diff] [blame]1947 /*
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]1948 * We are going to re-generate a shared secret corresponding to the group
1949 * selected by the server, which is different from the group for which we
1950 * generated a shared secret in the first client hello.
1951 * Thus, reset the shared secret.
XiaokangQian51eff222021-12-10 10:33:56 +0000[diff] [blame]1952 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1953 ret = ssl_tls13_reset_key_share(ssl);
1954 if (ret != 0) {
1955 return ret;
1956 }
XiaokangQian647719a2021-12-07 09:16:29 +0000[diff] [blame]1957
Xiaokang Qian4ef8ba22023-02-06 11:06:16 +0000[diff] [blame]1958 ssl->session_negotiate->ciphersuite = ssl->handshake->ciphersuite_info->id;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1959 return 0;
XiaokangQian647719a2021-12-07 09:16:29 +0000[diff] [blame]1960}
1961
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1962/*
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1963 * Wait and parse ServerHello handshake message.
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]1964 * Handler for MBEDTLS_SSL_SERVER_HELLO
1965 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1966MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1967static int ssl_tls13_process_server_hello(mbedtls_ssl_context *ssl)
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]1968{
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1969 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
XiaokangQian647719a2021-12-07 09:16:29 +0000[diff] [blame]1970 unsigned char *buf = NULL;
1971 size_t buf_len = 0;
XiaokangQian78b1fa72022-01-19 06:56:30 +0000[diff] [blame]1972 int is_hrr = 0;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1973
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1974 MBEDTLS_SSL_DEBUG_MSG(2, ("=> %s", __func__));
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1975
Xiaokang Qian958b6ff2023-03-29 10:37:35 +0000[diff] [blame]1976 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_tls13_fetch_handshake_msg(
1977 ssl, MBEDTLS_SSL_HS_SERVER_HELLO, &buf, &buf_len));
Ronald Crondb5dfa12022-05-31 11:44:38 +0200[diff] [blame]1978
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1979 ret = ssl_tls13_preprocess_server_hello(ssl, buf, buf + buf_len);
1980 if (ret < 0) {
XiaokangQian16acd4b2022-01-14 07:35:47 +0000[diff] [blame]1981 goto cleanup;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1982 } else {
1983 is_hrr = (ret == SSL_SERVER_HELLO_HRR);
1984 }
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1985
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1986 if (ret == SSL_SERVER_HELLO_TLS1_2) {
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]1987 ret = 0;
1988 goto cleanup;
1989 }
1990
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1991 MBEDTLS_SSL_PROC_CHK(ssl_tls13_parse_server_hello(ssl, buf,
1992 buf + buf_len,
1993 is_hrr));
1994 if (is_hrr) {
1995 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_reset_transcript_for_hrr(ssl));
Ronald Cronfb508b82022-05-31 14:49:55 +0200[diff] [blame]1996 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1997
Xiaokang Qian958b6ff2023-03-29 10:37:35 +0000[diff] [blame]1998 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(
1999 ssl, MBEDTLS_SSL_HS_SERVER_HELLO, buf, buf_len));
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2000
2001 if (is_hrr) {
2002 MBEDTLS_SSL_PROC_CHK(ssl_tls13_postprocess_hrr(ssl));
2003#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
2004 /* If not offering early data, the client sends a dummy CCS record
2005 * immediately before its second flight. This may either be before
2006 * its second ClientHello or before its encrypted handshake flight.
2007 */
Xiaokang Qian958b6ff2023-03-29 10:37:35 +0000[diff] [blame]2008 mbedtls_ssl_handshake_set_state(
2009 ssl, MBEDTLS_SSL_CLIENT_CCS_BEFORE_2ND_CLIENT_HELLO);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2010#else
2011 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_HELLO);
2012#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
2013 } else {
2014 MBEDTLS_SSL_PROC_CHK(ssl_tls13_postprocess_server_hello(ssl));
2015 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_ENCRYPTED_EXTENSIONS);
Ronald Cronfb508b82022-05-31 14:49:55 +0200[diff] [blame]2016 }
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]2017
2018cleanup:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2019 MBEDTLS_SSL_DEBUG_MSG(2, ("<= %s ( %s )", __func__,
2020 is_hrr ? "HelloRetryRequest" : "ServerHello"));
2021 return ret;
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2022}
2023
2024/*
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]2025 *
Ronald Cron9d6a5452022-05-30 16:05:38 +0200[diff] [blame]2026 * Handler for MBEDTLS_SSL_ENCRYPTED_EXTENSIONS
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]2027 *
2028 * The EncryptedExtensions message contains any extensions which
2029 * should be protected, i.e., any which are not needed to establish
2030 * the cryptographic context.
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2031 */
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]2032
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]2033/* Parse EncryptedExtensions message
2034 * struct {
XiaokangQian97799ac2021-10-11 10:05:54 +0000[diff] [blame]2035 * Extension extensions<0..2^16-1>;
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]2036 * } EncryptedExtensions;
2037 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2038MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2039static int ssl_tls13_parse_encrypted_extensions(mbedtls_ssl_context *ssl,
2040 const unsigned char *buf,
2041 const unsigned char *end)
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]2042{
2043 int ret = 0;
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]2044 size_t extensions_len;
XiaokangQian140f0452021-10-08 08:05:53 +0000[diff] [blame]2045 const unsigned char *p = buf;
XiaokangQian8db25ff2021-10-13 05:56:18 +0000[diff] [blame]2046 const unsigned char *extensions_end;
Jerry Yuc4bf5d62022-10-29 09:08:47 +0800[diff] [blame]2047 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]2048
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2049 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
2050 extensions_len = MBEDTLS_GET_UINT16_BE(p, 0);
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]2051 p += 2;
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]2052
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2053 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, extensions_len);
Ronald Cronc8083592022-05-31 16:24:05 +0200[diff] [blame]2054 extensions_end = p + extensions_len;
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]2055
Jan Bruckner5a3629b2023-02-23 12:08:09 +0100[diff] [blame]2056 MBEDTLS_SSL_DEBUG_BUF(3, "encrypted extensions", p, extensions_len);
2057
Jerry Yu9eba7502022-10-31 13:46:16 +0800[diff] [blame]2058 handshake->received_extensions = MBEDTLS_SSL_EXT_MASK_NONE;
Jerry Yucbd082f2022-08-04 16:55:10 +0800[diff] [blame]2059
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2060 while (p < extensions_end) {
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]2061 unsigned int extension_type;
2062 size_t extension_data_len;
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]2063
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]2064 /*
2065 * struct {
XiaokangQian97799ac2021-10-11 10:05:54 +0000[diff] [blame]2066 * ExtensionType extension_type; (2 bytes)
2067 * opaque extension_data<0..2^16-1>;
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]2068 * } Extension;
2069 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2070 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, extensions_end, 4);
2071 extension_type = MBEDTLS_GET_UINT16_BE(p, 0);
2072 extension_data_len = MBEDTLS_GET_UINT16_BE(p, 2);
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]2073 p += 4;
2074
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2075 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, extensions_end, extension_data_len);
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]2076
Jerry Yuc4bf5d62022-10-29 09:08:47 +0800[diff] [blame]2077 ret = mbedtls_ssl_tls13_check_received_extension(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2078 ssl, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS, extension_type,
2079 MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_EE);
2080 if (ret != 0) {
2081 return ret;
2082 }
Jerry Yucbd082f2022-08-04 16:55:10 +0800[diff] [blame]2083
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2084 switch (extension_type) {
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]2085#if defined(MBEDTLS_SSL_ALPN)
2086 case MBEDTLS_TLS_EXT_ALPN:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2087 MBEDTLS_SSL_DEBUG_MSG(3, ("found alpn extension"));
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]2088
Xiaokang Qian958b6ff2023-03-29 10:37:35 +0000[diff] [blame]2089 if ((ret = ssl_tls13_parse_alpn_ext(
2090 ssl, p, (size_t) extension_data_len)) != 0) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2091 return ret;
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]2092 }
2093
2094 break;
2095#endif /* MBEDTLS_SSL_ALPN */
Xiaokang Qian8bee8992022-10-27 10:21:05 +0000[diff] [blame]2096
2097#if defined(MBEDTLS_SSL_EARLY_DATA)
2098 case MBEDTLS_TLS_EXT_EARLY_DATA:
Xiaokang Qianca09afc2022-11-22 10:05:19 +0000[diff] [blame]2099
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2100 if (extension_data_len != 0) {
Xiaokang Qianca09afc2022-11-22 10:05:19 +0000[diff] [blame]2101 /* The message must be empty. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2102 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
2103 MBEDTLS_ERR_SSL_DECODE_ERROR);
2104 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Xiaokang Qianca09afc2022-11-22 10:05:19 +0000[diff] [blame]2105 }
2106
Xiaokang Qian8bee8992022-10-27 10:21:05 +0000[diff] [blame]2107 break;
2108#endif /* MBEDTLS_SSL_EARLY_DATA */
2109
Jan Bruckner151f6422023-02-10 12:45:19 +0100[diff] [blame]2110#if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
2111 case MBEDTLS_TLS_EXT_RECORD_SIZE_LIMIT:
2112 MBEDTLS_SSL_DEBUG_MSG(3, ("found record_size_limit extension"));
2113
Xiaokang Qian958b6ff2023-03-29 10:37:35 +0000[diff] [blame]2114 ret = mbedtls_ssl_tls13_parse_record_size_limit_ext(
2115 ssl, p, p + extension_data_len);
Jan Brucknerf482dcc2023-03-15 09:09:06 +0100[diff] [blame]2116 if (ret != 0) {
2117 MBEDTLS_SSL_DEBUG_RET(
2118 1, ("mbedtls_ssl_tls13_parse_record_size_limit_ext"), ret);
2119 return ret;
2120 }
Jan Bruckner151f6422023-02-10 12:45:19 +0100[diff] [blame]2121 break;
2122#endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */
2123
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]2124 default:
Jerry Yu79aa7212022-11-08 21:30:21 +0800[diff] [blame]2125 MBEDTLS_SSL_PRINT_EXT(
Jerry Yu9eba7502022-10-31 13:46:16 +0800[diff] [blame]2126 3, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2127 extension_type, "( ignored )");
Jerry Yucbd082f2022-08-04 16:55:10 +0800[diff] [blame]2128 break;
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]2129 }
2130
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]2131 p += extension_data_len;
XiaokangQian97799ac2021-10-11 10:05:54 +0000[diff] [blame]2132 }
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]2133
Waleed Elmelegy049cd302023-12-20 17:28:31 +0000[diff] [blame]2134 if ((handshake->received_extensions & MBEDTLS_SSL_EXT_MASK(RECORD_SIZE_LIMIT)) &&
2135 (handshake->received_extensions & MBEDTLS_SSL_EXT_MASK(MAX_FRAGMENT_LENGTH))) {
Waleed Elmelegy6a971fd2023-12-28 17:48:16 +0000[diff] [blame^]2136 MBEDTLS_SSL_DEBUG_MSG(3,
2137 (
2138 "Record size limit extension cannot be used with max fragment length extension"));
Waleed Elmelegy049cd302023-12-20 17:28:31 +0000[diff] [blame]2139 MBEDTLS_SSL_PEND_FATAL_ALERT(
2140 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
2141 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
2142 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
2143 }
2144
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2145 MBEDTLS_SSL_PRINT_EXTS(3, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS,
2146 handshake->received_extensions);
Jerry Yucbd082f2022-08-04 16:55:10 +0800[diff] [blame]2147
XiaokangQian97799ac2021-10-11 10:05:54 +0000[diff] [blame]2148 /* Check that we consumed all the message. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2149 if (p != end) {
2150 MBEDTLS_SSL_DEBUG_MSG(1, ("EncryptedExtension lengths misaligned"));
2151 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
2152 MBEDTLS_ERR_SSL_DECODE_ERROR);
2153 return MBEDTLS_ERR_SSL_DECODE_ERROR;
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]2154 }
2155
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2156 return ret;
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]2157}
2158
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2159MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2160static int ssl_tls13_process_encrypted_extensions(mbedtls_ssl_context *ssl)
Ronald Cron9d6a5452022-05-30 16:05:38 +0200[diff] [blame]2161{
2162 int ret;
2163 unsigned char *buf;
2164 size_t buf_len;
Jerry Yu960b7eb2023-10-31 16:40:01 +0800[diff] [blame]2165 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
Ronald Cron9d6a5452022-05-30 16:05:38 +0200[diff] [blame]2166
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2167 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse encrypted extensions"));
Ronald Cron9d6a5452022-05-30 16:05:38 +0200[diff] [blame]2168
Xiaokang Qian958b6ff2023-03-29 10:37:35 +0000[diff] [blame]2169 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_tls13_fetch_handshake_msg(
2170 ssl, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS,
2171 &buf, &buf_len));
Ronald Cron9d6a5452022-05-30 16:05:38 +0200[diff] [blame]2172
2173 /* Process the message contents */
2174 MBEDTLS_SSL_PROC_CHK(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2175 ssl_tls13_parse_encrypted_extensions(ssl, buf, buf + buf_len));
Ronald Cron9d6a5452022-05-30 16:05:38 +0200[diff] [blame]2176
Xiaokang Qianb157e912022-11-23 08:12:26 +0000[diff] [blame]2177#if defined(MBEDTLS_SSL_EARLY_DATA)
Jerry Yu960b7eb2023-10-31 16:40:01 +0800[diff] [blame]2178 if (handshake->received_extensions & MBEDTLS_SSL_EXT_MASK(EARLY_DATA)) {
2179 /* RFC8446 4.2.11
2180 * If the server supplies an "early_data" extension, the
2181 * client MUST verify that the server's selected_identity
2182 * is 0. If any other value is returned, the client MUST
2183 * abort the handshake with an "illegal_parameter" alert.
2184 *
2185 * RFC 8446 4.2.10
2186 * In order to accept early data, the server MUST have accepted a PSK
2187 * cipher suite and selected the first key offered in the client's
2188 * "pre_shared_key" extension. In addition, it MUST verify that the
2189 * following values are the same as those associated with the
2190 * selected PSK:
2191 * - The TLS version number
2192 * - The selected cipher suite
2193 * - The selected ALPN [RFC7301] protocol, if any
2194 *
Yanray Wang03a00762023-12-01 17:40:19 +0800[diff] [blame]2195 * The server has sent an early data extension in its Encrypted
2196 * Extension message thus accepted to receive early data. We
2197 * check here that the additional constraints on the handshake
2198 * parameters, when early data are exchanged, are met,
2199 * namely:
Yanray Wang744577a2023-12-01 22:33:59 +0800[diff] [blame]2200 * - a PSK has been selected for the handshake
Yanray Wang03a00762023-12-01 17:40:19 +0800[diff] [blame]2201 * - the selected PSK for the handshake was the first one proposed
2202 * by the client.
2203 * - the selected ciphersuite for the handshake is the ciphersuite
2204 * associated with the selected PSK.
Jerry Yu960b7eb2023-10-31 16:40:01 +0800[diff] [blame]2205 */
Yanray Wang744577a2023-12-01 22:33:59 +0800[diff] [blame]2206 if ((!mbedtls_ssl_tls13_key_exchange_mode_with_psk(ssl)) ||
2207 handshake->selected_identity != 0 ||
Jerry Yu960b7eb2023-10-31 16:40:01 +0800[diff] [blame]2208 handshake->ciphersuite_info->id !=
2209 ssl->session_negotiate->ciphersuite) {
2210
2211 MBEDTLS_SSL_PEND_FATAL_ALERT(
2212 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
2213 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
2214 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
2215 }
2216
Xiaokang Qianb157e912022-11-23 08:12:26 +0000[diff] [blame]2217 ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED;
2218 }
2219#endif
2220
Yanray Wanga29db7d2023-11-30 14:06:14 +0800[diff] [blame]2221 /*
Yanray Wang9ae65342023-12-01 17:46:06 +0800[diff] [blame]2222 * In case the client has proposed a PSK associated with a ticket,
2223 * `ssl->session_negotiate->ciphersuite` still contains at this point the
2224 * identifier of the ciphersuite associated with the ticket. This is that
2225 * way because, if an exchange of early data is agreed upon, we need
2226 * it to check that the ciphersuite selected for the handshake is the
2227 * ticket ciphersuite (see above). This information is not needed
2228 * anymore thus we can now set it to the identifier of the ciphersuite
2229 * used in this session under negotiation.
Yanray Wanga29db7d2023-11-30 14:06:14 +0800[diff] [blame]2230 */
2231 ssl->session_negotiate->ciphersuite = handshake->ciphersuite_info->id;
2232
Xiaokang Qian958b6ff2023-03-29 10:37:35 +0000[diff] [blame]2233 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(
2234 ssl, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS,
2235 buf, buf_len));
Ronald Cron9d6a5452022-05-30 16:05:38 +0200[diff] [blame]2236
Ronald Cron928cbd32022-10-04 16:14:26 +0200[diff] [blame]2237#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2238 if (mbedtls_ssl_tls13_key_exchange_mode_with_psk(ssl)) {
2239 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_FINISHED);
2240 } else {
2241 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CERTIFICATE_REQUEST);
2242 }
Ronald Cronfb508b82022-05-31 14:49:55 +0200[diff] [blame]2243#else
2244 ((void) ssl);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2245 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_FINISHED);
Ronald Cronfb508b82022-05-31 14:49:55 +0200[diff] [blame]2246#endif
Ronald Cron9d6a5452022-05-30 16:05:38 +0200[diff] [blame]2247
2248cleanup:
2249
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2250 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse encrypted extensions"));
2251 return ret;
Ronald Cron9d6a5452022-05-30 16:05:38 +0200[diff] [blame]2252
2253}
2254
Xiaokang Qian125afcb2022-10-28 06:04:06 +0000[diff] [blame]2255/*
2256 * Handler for MBEDTLS_SSL_END_OF_EARLY_DATA
2257 *
Xiaokang Qianc81a15a2022-12-19 02:43:33 +0000[diff] [blame]2258 * RFC 8446 section 4.5
Xiaokang Qian125afcb2022-10-28 06:04:06 +0000[diff] [blame]2259 *
Xiaokang Qian125afcb2022-10-28 06:04:06 +0000[diff] [blame]2260 * struct {} EndOfEarlyData;
Xiaokang Qianc81a15a2022-12-19 02:43:33 +0000[diff] [blame]2261 *
2262 * If the server sent an "early_data" extension in EncryptedExtensions, the
2263 * client MUST send an EndOfEarlyData message after receiving the server
2264 * Finished. Otherwise, the client MUST NOT send an EndOfEarlyData message.
Xiaokang Qian125afcb2022-10-28 06:04:06 +0000[diff] [blame]2265 */
2266
Xiaokang Qian125afcb2022-10-28 06:04:06 +0000[diff] [blame]2267MBEDTLS_CHECK_RETURN_CRITICAL
Xiaokang Qian125afcb2022-10-28 06:04:06 +0000[diff] [blame]2268static int ssl_tls13_write_end_of_early_data(mbedtls_ssl_context *ssl)
2269{
2270 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Xiaokang Qian742578c2022-12-19 06:34:44 +0000[diff] [blame]2271 unsigned char *buf = NULL;
2272 size_t buf_len;
Xiaokang Qian57a138d2022-12-19 06:40:47 +0000[diff] [blame]2273 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write EndOfEarlyData"));
Xiaokang Qian125afcb2022-10-28 06:04:06 +0000[diff] [blame]2274
Xiaokang Qian742578c2022-12-19 06:34:44 +0000[diff] [blame]2275 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_start_handshake_msg(
Xiaokang Qian0de0d862023-02-08 06:04:50 +0000[diff] [blame]2276 ssl, MBEDTLS_SSL_HS_END_OF_EARLY_DATA,
2277 &buf, &buf_len));
Xiaokang Qian125afcb2022-10-28 06:04:06 +0000[diff] [blame]2278
Manuel Pégourié-Gonnard63e33dd2023-02-21 15:45:15 +0100[diff] [blame]2279 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_hdr_to_checksum(
2280 ssl, MBEDTLS_SSL_HS_END_OF_EARLY_DATA, 0));
Xiaokang Qian125afcb2022-10-28 06:04:06 +0000[diff] [blame]2281
Xiaokang Qian742578c2022-12-19 06:34:44 +0000[diff] [blame]2282 MBEDTLS_SSL_PROC_CHK(
2283 mbedtls_ssl_finish_handshake_msg(ssl, buf_len, 0));
Xiaokang Qianda8402d2022-12-15 14:55:35 +0000[diff] [blame]2284
Xiaokang Qian19d44162023-01-03 03:39:50 +0000[diff] [blame]2285 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE);
Xiaokang Qian125afcb2022-10-28 06:04:06 +0000[diff] [blame]2286
2287cleanup:
2288
2289 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write EndOfEarlyData"));
2290 return ret;
2291}
2292
Ronald Cron928cbd32022-10-04 16:14:26 +0200[diff] [blame]2293#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2294/*
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2295 * STATE HANDLING: CertificateRequest
2296 *
Jerry Yud2674312021-10-29 10:08:19 +0800[diff] [blame]2297 */
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]2298#define SSL_CERTIFICATE_REQUEST_EXPECT_REQUEST 0
2299#define SSL_CERTIFICATE_REQUEST_SKIP 1
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2300/* Coordination:
2301 * Deals with the ambiguity of not knowing if a CertificateRequest
2302 * will be sent. Returns a negative code on failure, or
2303 * - SSL_CERTIFICATE_REQUEST_EXPECT_REQUEST
2304 * - SSL_CERTIFICATE_REQUEST_SKIP
2305 * indicating if a Certificate Request is expected or not.
2306 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2307MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2308static int ssl_tls13_certificate_request_coordinate(mbedtls_ssl_context *ssl)
Jerry Yud2674312021-10-29 10:08:19 +0800[diff] [blame]2309{
Xiaofei Baide3f13e2022-01-18 05:47:05 +0000[diff] [blame]2310 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yud2674312021-10-29 10:08:19 +0800[diff] [blame]2311
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2312 if ((ret = mbedtls_ssl_read_record(ssl, 0)) != 0) {
2313 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);
2314 return ret;
Jerry Yud2674312021-10-29 10:08:19 +0800[diff] [blame]2315 }
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2316 ssl->keep_current_message = 1;
Jerry Yud2674312021-10-29 10:08:19 +0800[diff] [blame]2317
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2318 if ((ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE) &&
2319 (ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE_REQUEST)) {
2320 MBEDTLS_SSL_DEBUG_MSG(3, ("got a certificate request"));
2321 return SSL_CERTIFICATE_REQUEST_EXPECT_REQUEST;
Jerry Yud2674312021-10-29 10:08:19 +0800[diff] [blame]2322 }
2323
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2324 MBEDTLS_SSL_DEBUG_MSG(3, ("got no certificate request"));
Ronald Cron19385882022-06-15 16:26:13 +0200[diff] [blame]2325
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2326 return SSL_CERTIFICATE_REQUEST_SKIP;
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2327}
2328
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2329/*
2330 * ssl_tls13_parse_certificate_request()
2331 * Parse certificate request
2332 * struct {
2333 * opaque certificate_request_context<0..2^8-1>;
2334 * Extension extensions<2..2^16-1>;
2335 * } CertificateRequest;
2336 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2337MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2338static int ssl_tls13_parse_certificate_request(mbedtls_ssl_context *ssl,
2339 const unsigned char *buf,
2340 const unsigned char *end)
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2341{
2342 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2343 const unsigned char *p = buf;
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2344 size_t certificate_request_context_len = 0;
Xiaofei Bai82f0a9a2022-01-26 09:21:54 +0000[diff] [blame]2345 size_t extensions_len = 0;
2346 const unsigned char *extensions_end;
Jerry Yuc4bf5d62022-10-29 09:08:47 +0800[diff] [blame]2347 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2348
Xiaofei Bai82f0a9a2022-01-26 09:21:54 +0000[diff] [blame]2349 /* ...
2350 * opaque certificate_request_context<0..2^8-1>
2351 * ...
2352 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2353 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 1);
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2354 certificate_request_context_len = (size_t) p[0];
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]2355 p += 1;
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2356
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2357 if (certificate_request_context_len > 0) {
2358 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, certificate_request_context_len);
2359 MBEDTLS_SSL_DEBUG_BUF(3, "Certificate Request Context",
2360 p, certificate_request_context_len);
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2361
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]2362 handshake->certificate_request_context =
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2363 mbedtls_calloc(1, certificate_request_context_len);
2364 if (handshake->certificate_request_context == NULL) {
2365 MBEDTLS_SSL_DEBUG_MSG(1, ("buffer too small"));
2366 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2367 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2368 memcpy(handshake->certificate_request_context, p,
2369 certificate_request_context_len);
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2370 p += certificate_request_context_len;
2371 }
2372
Xiaofei Bai82f0a9a2022-01-26 09:21:54 +0000[diff] [blame]2373 /* ...
2374 * Extension extensions<2..2^16-1>;
2375 * ...
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2376 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2377 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
2378 extensions_len = MBEDTLS_GET_UINT16_BE(p, 0);
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2379 p += 2;
2380
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2381 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, extensions_len);
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2382 extensions_end = p + extensions_len;
2383
Jerry Yu6d0e78b2022-10-31 14:13:25 +0800[diff] [blame]2384 handshake->received_extensions = MBEDTLS_SSL_EXT_MASK_NONE;
Jerry Yuc55a6af2022-08-04 17:01:21 +0800[diff] [blame]2385
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2386 while (p < extensions_end) {
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2387 unsigned int extension_type;
2388 size_t extension_data_len;
2389
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2390 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, extensions_end, 4);
2391 extension_type = MBEDTLS_GET_UINT16_BE(p, 0);
2392 extension_data_len = MBEDTLS_GET_UINT16_BE(p, 2);
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2393 p += 4;
2394
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2395 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, extensions_end, extension_data_len);
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2396
Jerry Yuc4bf5d62022-10-29 09:08:47 +0800[diff] [blame]2397 ret = mbedtls_ssl_tls13_check_received_extension(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2398 ssl, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST, extension_type,
2399 MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CR);
2400 if (ret != 0) {
2401 return ret;
2402 }
Jerry Yuc55a6af2022-08-04 17:01:21 +0800[diff] [blame]2403
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2404 switch (extension_type) {
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2405 case MBEDTLS_TLS_EXT_SIG_ALG:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2406 MBEDTLS_SSL_DEBUG_MSG(3,
2407 ("found signature algorithms extension"));
2408 ret = mbedtls_ssl_parse_sig_alg_ext(ssl, p,
2409 p + extension_data_len);
2410 if (ret != 0) {
2411 return ret;
2412 }
Jerry Yuc55a6af2022-08-04 17:01:21 +0800[diff] [blame]2413
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2414 break;
2415
2416 default:
Jerry Yu79aa7212022-11-08 21:30:21 +0800[diff] [blame]2417 MBEDTLS_SSL_PRINT_EXT(
Jerry Yu6d0e78b2022-10-31 14:13:25 +0800[diff] [blame]2418 3, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2419 extension_type, "( ignored )");
Xiaofei Bai82f0a9a2022-01-26 09:21:54 +0000[diff] [blame]2420 break;
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2421 }
Jerry Yuc55a6af2022-08-04 17:01:21 +0800[diff] [blame]2422
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2423 p += extension_data_len;
2424 }
Jerry Yuc55a6af2022-08-04 17:01:21 +0800[diff] [blame]2425
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2426 MBEDTLS_SSL_PRINT_EXTS(3, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST,
2427 handshake->received_extensions);
Jerry Yuc55a6af2022-08-04 17:01:21 +0800[diff] [blame]2428
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]2429 /* Check that we consumed all the message. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2430 if (p != end) {
2431 MBEDTLS_SSL_DEBUG_MSG(1,
2432 ("CertificateRequest misaligned"));
Xiaofei Baic234ecf2022-02-08 09:59:23 +0000[diff] [blame]2433 goto decode_error;
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]2434 }
Jerry Yuc55a6af2022-08-04 17:01:21 +0800[diff] [blame]2435
Jerry Yu0c354a22022-08-29 15:25:36 +0800[diff] [blame]2436 /* RFC 8446 section 4.3.2
Jerry Yuc55a6af2022-08-04 17:01:21 +0800[diff] [blame]2437 *
2438 * The "signature_algorithms" extension MUST be specified
2439 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2440 if ((handshake->received_extensions & MBEDTLS_SSL_EXT_MASK(SIG_ALG)) == 0) {
2441 MBEDTLS_SSL_DEBUG_MSG(3,
2442 ("no signature algorithms extension found"));
Xiaofei Baic234ecf2022-02-08 09:59:23 +0000[diff] [blame]2443 goto decode_error;
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]2444 }
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2445
Jerry Yu7840f812022-01-29 10:26:51 +0800[diff] [blame]2446 ssl->handshake->client_auth = 1;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2447 return 0;
Xiaofei Bai51f515a2022-02-08 07:28:04 +0000[diff] [blame]2448
Xiaofei Baic234ecf2022-02-08 09:59:23 +0000[diff] [blame]2449decode_error:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2450 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
2451 MBEDTLS_ERR_SSL_DECODE_ERROR);
2452 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2453}
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2454
Xiaofei Baide3f13e2022-01-18 05:47:05 +0000[diff] [blame]2455/*
2456 * Handler for MBEDTLS_SSL_CERTIFICATE_REQUEST
2457 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2458MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2459static int ssl_tls13_process_certificate_request(mbedtls_ssl_context *ssl)
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2460{
Xiaofei Baide3f13e2022-01-18 05:47:05 +0000[diff] [blame]2461 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2462
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2463 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate request"));
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2464
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2465 MBEDTLS_SSL_PROC_CHK_NEG(ssl_tls13_certificate_request_coordinate(ssl));
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2466
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2467 if (ret == SSL_CERTIFICATE_REQUEST_EXPECT_REQUEST) {
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2468 unsigned char *buf;
2469 size_t buf_len;
2470
Xiaokang Qian958b6ff2023-03-29 10:37:35 +0000[diff] [blame]2471 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_tls13_fetch_handshake_msg(
2472 ssl, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST,
2473 &buf, &buf_len));
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2474
Xiaokang Qian958b6ff2023-03-29 10:37:35 +0000[diff] [blame]2475 MBEDTLS_SSL_PROC_CHK(ssl_tls13_parse_certificate_request(
2476 ssl, buf, buf + buf_len));
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2477
Xiaokang Qian958b6ff2023-03-29 10:37:35 +0000[diff] [blame]2478 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(
2479 ssl, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST,
2480 buf, buf_len));
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2481 } else if (ret == SSL_CERTIFICATE_REQUEST_SKIP) {
Xiaofei Baif6d36962022-01-16 14:54:35 +0000[diff] [blame]2482 ret = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2483 } else {
2484 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
Xiaofei Bai51f515a2022-02-08 07:28:04 +0000[diff] [blame]2485 ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
2486 goto cleanup;
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2487 }
2488
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2489 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_CERTIFICATE);
Jerry Yud2674312021-10-29 10:08:19 +0800[diff] [blame]2490
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2491cleanup:
2492
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2493 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse certificate request"));
2494 return ret;
Jerry Yud2674312021-10-29 10:08:19 +0800[diff] [blame]2495}
2496
2497/*
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2498 * Handler for MBEDTLS_SSL_SERVER_CERTIFICATE
2499 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2500MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2501static int ssl_tls13_process_server_certificate(mbedtls_ssl_context *ssl)
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2502{
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]2503 int ret;
2504
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2505 ret = mbedtls_ssl_tls13_process_certificate(ssl);
2506 if (ret != 0) {
2507 return ret;
2508 }
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]2509
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2510 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CERTIFICATE_VERIFY);
2511 return 0;
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2512}
2513
2514/*
2515 * Handler for MBEDTLS_SSL_CERTIFICATE_VERIFY
2516 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2517MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2518static int ssl_tls13_process_certificate_verify(mbedtls_ssl_context *ssl)
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2519{
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]2520 int ret;
2521
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2522 ret = mbedtls_ssl_tls13_process_certificate_verify(ssl);
2523 if (ret != 0) {
2524 return ret;
2525 }
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]2526
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2527 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_FINISHED);
2528 return 0;
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2529}
Ronald Cron928cbd32022-10-04 16:14:26 +0200[diff] [blame]2530#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
Ronald Crond4c64022021-12-06 09:06:46 +0100[diff] [blame]2531
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2532/*
2533 * Handler for MBEDTLS_SSL_SERVER_FINISHED
2534 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2535MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2536static int ssl_tls13_process_server_finished(mbedtls_ssl_context *ssl)
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2537{
XiaokangQianac0385c2021-11-03 06:40:11 +0000[diff] [blame]2538 int ret;
2539
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2540 ret = mbedtls_ssl_tls13_process_finished_message(ssl);
2541 if (ret != 0) {
2542 return ret;
2543 }
XiaokangQianac0385c2021-11-03 06:40:11 +0000[diff] [blame]2544
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2545 ret = mbedtls_ssl_tls13_compute_application_transform(ssl);
2546 if (ret != 0) {
Jerry Yue3d67cb2022-05-19 15:33:10 +0800[diff] [blame]2547 MBEDTLS_SSL_PEND_FATAL_ALERT(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2548 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
2549 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE);
2550 return ret;
Jerry Yue3d67cb2022-05-19 15:33:10 +0800[diff] [blame]2551 }
2552
Xiaokang Qianbc75bc02022-12-19 06:16:42 +0000[diff] [blame]2553#if defined(MBEDTLS_SSL_EARLY_DATA)
2554 if (ssl->early_data_status == MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED) {
2555 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_END_OF_EARLY_DATA);
Xiaokang Qianbd0ab062023-02-02 05:56:30 +0000[diff] [blame]2556 } else if (ssl->early_data_status == MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED) {
2557 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE);
Xiaokang Qianbc75bc02022-12-19 06:16:42 +0000[diff] [blame]2558 } else
2559#endif /* MBEDTLS_SSL_EARLY_DATA */
2560 {
2561#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
2562 mbedtls_ssl_handshake_set_state(
2563 ssl, MBEDTLS_SSL_CLIENT_CCS_AFTER_SERVER_FINISHED);
2564#else
2565 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE);
2566#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
2567 }
Ronald Cron49ad6192021-11-24 16:25:31 +0100[diff] [blame]2568
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2569 return 0;
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2570}
2571
2572/*
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]2573 * Handler for MBEDTLS_SSL_CLIENT_CERTIFICATE
2574 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2575MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2576static int ssl_tls13_write_client_certificate(mbedtls_ssl_context *ssl)
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]2577{
Ronald Cron7a94aca2022-03-09 07:44:27 +0100[diff] [blame]2578 int non_empty_certificate_msg = 0;
2579
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2580 MBEDTLS_SSL_DEBUG_MSG(1,
2581 ("Switch to handshake traffic keys for outbound traffic"));
2582 mbedtls_ssl_set_outbound_transform(ssl, ssl->handshake->transform_handshake);
Jerry Yu5cc35062022-01-28 16:16:08 +0800[diff] [blame]2583
Ronald Cron928cbd32022-10-04 16:14:26 +0200[diff] [blame]2584#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2585 if (ssl->handshake->client_auth) {
2586 int ret = mbedtls_ssl_tls13_write_certificate(ssl);
2587 if (ret != 0) {
2588 return ret;
2589 }
Ronald Cron5bb8fc82022-03-09 07:00:13 +0100[diff] [blame]2590
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2591 if (mbedtls_ssl_own_cert(ssl) != NULL) {
Ronald Cron7a94aca2022-03-09 07:44:27 +0100[diff] [blame]2592 non_empty_certificate_msg = 1;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2593 }
2594 } else {
2595 MBEDTLS_SSL_DEBUG_MSG(2, ("skip write certificate"));
Ronald Cron7a94aca2022-03-09 07:44:27 +0100[diff] [blame]2596 }
Ronald Cron9df7c802022-03-08 18:38:54 +0100[diff] [blame]2597#endif
Ronald Cron5bb8fc82022-03-09 07:00:13 +0100[diff] [blame]2598
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2599 if (non_empty_certificate_msg) {
2600 mbedtls_ssl_handshake_set_state(ssl,
2601 MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY);
2602 } else {
2603 MBEDTLS_SSL_DEBUG_MSG(2, ("skip write certificate verify"));
2604 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_FINISHED);
2605 }
Ronald Cron7a94aca2022-03-09 07:44:27 +0100[diff] [blame]2606
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2607 return 0;
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]2608}
2609
Ronald Cron928cbd32022-10-04 16:14:26 +0200[diff] [blame]2610#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]2611/*
2612 * Handler for MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY
2613 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2614MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2615static int ssl_tls13_write_client_certificate_verify(mbedtls_ssl_context *ssl)
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]2616{
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2617 int ret = mbedtls_ssl_tls13_write_certificate_verify(ssl);
Ronald Crona8b38872022-03-09 07:59:25 +0100[diff] [blame]2618
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2619 if (ret == 0) {
2620 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_FINISHED);
2621 }
Ronald Crona8b38872022-03-09 07:59:25 +0100[diff] [blame]2622
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2623 return ret;
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]2624}
Ronald Cron928cbd32022-10-04 16:14:26 +0200[diff] [blame]2625#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]2626
2627/*
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2628 * Handler for MBEDTLS_SSL_CLIENT_FINISHED
2629 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2630MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2631static int ssl_tls13_write_client_finished(mbedtls_ssl_context *ssl)
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2632{
XiaokangQian0fa66432021-11-15 03:33:57 +0000[diff] [blame]2633 int ret;
2634
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2635 ret = mbedtls_ssl_tls13_write_finished_message(ssl);
2636 if (ret != 0) {
2637 return ret;
Jerry Yue3d67cb2022-05-19 15:33:10 +0800[diff] [blame]2638 }
2639
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2640 ret = mbedtls_ssl_tls13_compute_resumption_master_secret(ssl);
2641 if (ret != 0) {
Xiaokang Qian958b6ff2023-03-29 10:37:35 +0000[diff] [blame]2642 MBEDTLS_SSL_DEBUG_RET(
2643 1, "mbedtls_ssl_tls13_compute_resumption_master_secret ", ret);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2644 return ret;
2645 }
2646
2647 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_FLUSH_BUFFERS);
2648 return 0;
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2649}
2650
2651/*
2652 * Handler for MBEDTLS_SSL_FLUSH_BUFFERS
2653 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2654MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2655static int ssl_tls13_flush_buffers(mbedtls_ssl_context *ssl)
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2656{
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2657 MBEDTLS_SSL_DEBUG_MSG(2, ("handshake: done"));
2658 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_WRAPUP);
2659 return 0;
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2660}
2661
2662/*
2663 * Handler for MBEDTLS_SSL_HANDSHAKE_WRAPUP
2664 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2665MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2666static int ssl_tls13_handshake_wrapup(mbedtls_ssl_context *ssl)
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2667{
Jerry Yu378254d2021-10-30 21:44:47 +0800[diff] [blame]2668
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2669 mbedtls_ssl_tls13_handshake_wrapup(ssl);
Jerry Yu378254d2021-10-30 21:44:47 +0800[diff] [blame]2670
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2671 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_OVER);
2672 return 0;
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2673}
2674
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2675#if defined(MBEDTLS_SSL_SESSION_TICKETS)
2676
Yanray Wang920db452023-11-14 17:20:16 +0800[diff] [blame]2677#if defined(MBEDTLS_SSL_EARLY_DATA)
2678/* From RFC 8446 section 4.2.10
2679 *
2680 * struct {
2681 * select (Handshake.msg_type) {
2682 * case new_session_ticket: uint32 max_early_data_size;
2683 * ...
2684 * };
2685 * } EarlyDataIndication;
2686 */
2687MBEDTLS_CHECK_RETURN_CRITICAL
Yanray Wangb3e207d2023-11-30 16:49:49 +0800[diff] [blame]2688static int ssl_tls13_parse_new_session_ticket_early_data_ext(
2689 mbedtls_ssl_context *ssl,
2690 const unsigned char *buf,
2691 const unsigned char *end)
Yanray Wang920db452023-11-14 17:20:16 +0800[diff] [blame]2692{
Yanray Wangd0120842023-11-23 16:35:54 +0800[diff] [blame]2693 mbedtls_ssl_session *session = ssl->session;
2694
Yanray Wang920db452023-11-14 17:20:16 +0800[diff] [blame]2695 MBEDTLS_SSL_CHK_BUF_READ_PTR(buf, end, 4);
Yanray Wang920db452023-11-14 17:20:16 +0800[diff] [blame]2696
Yanray Wangd0120842023-11-23 16:35:54 +0800[diff] [blame]2697 session->max_early_data_size = MBEDTLS_GET_UINT32_BE(buf, 0);
2698 mbedtls_ssl_session_set_ticket_flags(
2699 session, MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_EARLY_DATA);
2700 MBEDTLS_SSL_DEBUG_MSG(
2701 3, ("received max_early_data_size: %u",
2702 (unsigned int) session->max_early_data_size));
Yanray Wang920db452023-11-14 17:20:16 +0800[diff] [blame]2703
Yanray Wangd0120842023-11-23 16:35:54 +0800[diff] [blame]2704 return 0;
Yanray Wang920db452023-11-14 17:20:16 +0800[diff] [blame]2705}
2706#endif /* MBEDTLS_SSL_EARLY_DATA */
2707
Jerry Yua0446a02022-07-13 11:22:55 +0800[diff] [blame]2708MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2709static int ssl_tls13_parse_new_session_ticket_exts(mbedtls_ssl_context *ssl,
2710 const unsigned char *buf,
2711 const unsigned char *end)
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2712{
Jerry Yuc4bf5d62022-10-29 09:08:47 +0800[diff] [blame]2713 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
Jerry Yuaf2c0c82022-07-12 05:47:21 +0000[diff] [blame]2714 const unsigned char *p = buf;
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2715
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2716
Jerry Yuedab6372022-10-31 14:37:31 +0800[diff] [blame]2717 handshake->received_extensions = MBEDTLS_SSL_EXT_MASK_NONE;
Jerry Yu6ba9f1c2022-08-04 17:53:25 +0800[diff] [blame]2718
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2719 while (p < end) {
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2720 unsigned int extension_type;
2721 size_t extension_data_len;
Jerry Yu0c354a22022-08-29 15:25:36 +0800[diff] [blame]2722 int ret;
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2723
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2724 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 4);
2725 extension_type = MBEDTLS_GET_UINT16_BE(p, 0);
2726 extension_data_len = MBEDTLS_GET_UINT16_BE(p, 2);
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2727 p += 4;
2728
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2729 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, extension_data_len);
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2730
Jerry Yuc4bf5d62022-10-29 09:08:47 +0800[diff] [blame]2731 ret = mbedtls_ssl_tls13_check_received_extension(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2732 ssl, MBEDTLS_SSL_HS_NEW_SESSION_TICKET, extension_type,
2733 MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_NST);
2734 if (ret != 0) {
2735 return ret;
2736 }
Jerry Yu6ba9f1c2022-08-04 17:53:25 +0800[diff] [blame]2737
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2738 switch (extension_type) {
Xiaokang Qian0cc43202022-11-16 08:43:50 +0000[diff] [blame]2739#if defined(MBEDTLS_SSL_EARLY_DATA)
Xiaokang Qianf447e8a2022-11-08 07:02:27 +0000[diff] [blame]2740 case MBEDTLS_TLS_EXT_EARLY_DATA:
Yanray Wangb3e207d2023-11-30 16:49:49 +0800[diff] [blame]2741 ret = ssl_tls13_parse_new_session_ticket_early_data_ext(
Yanray Wang920db452023-11-14 17:20:16 +0800[diff] [blame]2742 ssl, p, p + extension_data_len);
2743 if (ret != 0) {
2744 MBEDTLS_SSL_DEBUG_RET(
Yanray Wangb3e207d2023-11-30 16:49:49 +0800[diff] [blame]2745 1, "ssl_tls13_parse_new_session_ticket_early_data_ext",
2746 ret);
Xiaokang Qian2d87a9e2022-11-09 07:55:48 +0000[diff] [blame]2747 }
Xiaokang Qianf447e8a2022-11-08 07:02:27 +0000[diff] [blame]2748 break;
Xiaokang Qian0cc43202022-11-16 08:43:50 +0000[diff] [blame]2749#endif /* MBEDTLS_SSL_EARLY_DATA */
Xiaokang Qianf447e8a2022-11-08 07:02:27 +0000[diff] [blame]2750
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2751 default:
Jerry Yu79aa7212022-11-08 21:30:21 +0800[diff] [blame]2752 MBEDTLS_SSL_PRINT_EXT(
Jerry Yuedab6372022-10-31 14:37:31 +0800[diff] [blame]2753 3, MBEDTLS_SSL_HS_NEW_SESSION_TICKET,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2754 extension_type, "( ignored )");
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2755 break;
2756 }
Jerry Yu6ba9f1c2022-08-04 17:53:25 +0800[diff] [blame]2757
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2758 p += extension_data_len;
2759 }
2760
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2761 MBEDTLS_SSL_PRINT_EXTS(3, MBEDTLS_SSL_HS_NEW_SESSION_TICKET,
2762 handshake->received_extensions);
Jerry Yu6ba9f1c2022-08-04 17:53:25 +0800[diff] [blame]2763
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2764 return 0;
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2765}
2766
2767/*
Jerry Yu08aed4d2022-07-20 10:36:12 +0800[diff] [blame]2768 * From RFC8446, page 74
2769 *
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2770 * struct {
2771 * uint32 ticket_lifetime;
2772 * uint32 ticket_age_add;
2773 * opaque ticket_nonce<0..255>;
2774 * opaque ticket<1..2^16-1>;
2775 * Extension extensions<0..2^16-2>;
2776 * } NewSessionTicket;
2777 *
2778 */
Jerry Yua0446a02022-07-13 11:22:55 +0800[diff] [blame]2779MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2780static int ssl_tls13_parse_new_session_ticket(mbedtls_ssl_context *ssl,
2781 unsigned char *buf,
2782 unsigned char *end,
2783 unsigned char **ticket_nonce,
2784 size_t *ticket_nonce_len)
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2785{
2786 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2787 unsigned char *p = buf;
2788 mbedtls_ssl_session *session = ssl->session;
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2789 size_t ticket_len;
2790 unsigned char *ticket;
2791 size_t extensions_len;
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2792
Jerry Yucb3b1392022-07-12 06:09:38 +0000[diff] [blame]2793 *ticket_nonce = NULL;
2794 *ticket_nonce_len = 0;
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2795 /*
2796 * ticket_lifetime 4 bytes
2797 * ticket_age_add 4 bytes
Jerry Yu08aed4d2022-07-20 10:36:12 +0800[diff] [blame]2798 * ticket_nonce_len 1 byte
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2799 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2800 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 9);
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2801
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2802 session->ticket_lifetime = MBEDTLS_GET_UINT32_BE(p, 0);
2803 MBEDTLS_SSL_DEBUG_MSG(3,
2804 ("ticket_lifetime: %u",
2805 (unsigned int) session->ticket_lifetime));
Jerry Yu8e0174a2023-11-10 13:58:16 +0800[diff] [blame]2806 if (session->ticket_lifetime >
2807 MBEDTLS_SSL_TLS1_3_MAX_ALLOWED_TICKET_LIFETIME) {
Jerry Yu46c79262023-11-10 13:58:16 +0800[diff] [blame]2808 MBEDTLS_SSL_DEBUG_MSG(3, ("ticket_lifetime exceeds 7 days."));
Jerry Yucf913512023-11-14 11:06:52 +0800[diff] [blame]2809 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Jerry Yu46c79262023-11-10 13:58:16 +0800[diff] [blame]2810 }
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2811
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2812 session->ticket_age_add = MBEDTLS_GET_UINT32_BE(p, 4);
2813 MBEDTLS_SSL_DEBUG_MSG(3,
2814 ("ticket_age_add: %u",
2815 (unsigned int) session->ticket_age_add));
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2816
Jerry Yucb3b1392022-07-12 06:09:38 +0000[diff] [blame]2817 *ticket_nonce_len = p[8];
2818 p += 9;
2819
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2820 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, *ticket_nonce_len);
Jerry Yucb3b1392022-07-12 06:09:38 +0000[diff] [blame]2821 *ticket_nonce = p;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2822 MBEDTLS_SSL_DEBUG_BUF(3, "ticket_nonce:", *ticket_nonce, *ticket_nonce_len);
Jerry Yucb3b1392022-07-12 06:09:38 +0000[diff] [blame]2823 p += *ticket_nonce_len;
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2824
2825 /* Ticket */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2826 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
2827 ticket_len = MBEDTLS_GET_UINT16_BE(p, 0);
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2828 p += 2;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2829 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, ticket_len);
2830 MBEDTLS_SSL_DEBUG_BUF(3, "received ticket", p, ticket_len);
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2831
2832 /* Check if we previously received a ticket already. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2833 if (session->ticket != NULL || session->ticket_len > 0) {
2834 mbedtls_free(session->ticket);
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2835 session->ticket = NULL;
2836 session->ticket_len = 0;
2837 }
2838
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2839 if ((ticket = mbedtls_calloc(1, ticket_len)) == NULL) {
2840 MBEDTLS_SSL_DEBUG_MSG(1, ("ticket alloc failed"));
2841 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2842 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2843 memcpy(ticket, p, ticket_len);
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2844 p += ticket_len;
2845 session->ticket = ticket;
2846 session->ticket_len = ticket_len;
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2847
Pengyu Lv9f926952022-11-17 15:22:33 +0800[diff] [blame]2848 /* Clear all flags in ticket_flags */
Pengyu Lv80270b22023-01-12 11:54:04 +0800[diff] [blame]2849 mbedtls_ssl_session_clear_ticket_flags(
Pengyu Lv9eacb442022-12-09 14:39:19 +0800[diff] [blame]2850 session, MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK);
Pengyu Lv9f926952022-11-17 15:22:33 +0800[diff] [blame]2851
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2852 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
2853 extensions_len = MBEDTLS_GET_UINT16_BE(p, 0);
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2854 p += 2;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2855 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, extensions_len);
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2856
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2857 MBEDTLS_SSL_DEBUG_BUF(3, "ticket extension", p, extensions_len);
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2858
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2859 ret = ssl_tls13_parse_new_session_ticket_exts(ssl, p, p + extensions_len);
2860 if (ret != 0) {
2861 MBEDTLS_SSL_DEBUG_RET(1,
2862 "ssl_tls13_parse_new_session_ticket_exts",
2863 ret);
2864 return ret;
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2865 }
Jerry Yucb3b1392022-07-12 06:09:38 +0000[diff] [blame]2866
Jerry Yudb8c5fa2022-08-03 12:10:13 +0800[diff] [blame]2867 /* session has been updated, allow export */
2868 session->exported = 0;
2869
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2870 return 0;
Jerry Yucb3b1392022-07-12 06:09:38 +0000[diff] [blame]2871}
2872
Jerry Yua0446a02022-07-13 11:22:55 +0800[diff] [blame]2873MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2874static int ssl_tls13_postprocess_new_session_ticket(mbedtls_ssl_context *ssl,
2875 unsigned char *ticket_nonce,
2876 size_t ticket_nonce_len)
Jerry Yucb3b1392022-07-12 06:09:38 +0000[diff] [blame]2877{
2878 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2879 mbedtls_ssl_session *session = ssl->session;
2880 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
2881 psa_algorithm_t psa_hash_alg;
2882 int hash_length;
2883
Jerry Yu4e6c42a2022-07-13 11:16:51 +0800[diff] [blame]2884#if defined(MBEDTLS_HAVE_TIME)
2885 /* Store ticket creation time */
Jerry Yu342a5552023-11-10 14:23:39 +0800[diff] [blame]2886 session->ticket_reception_time = mbedtls_ms_time();
Jerry Yu4e6c42a2022-07-13 11:16:51 +0800[diff] [blame]2887#endif
2888
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2889 ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(session->ciphersuite);
2890 if (ciphersuite_info == NULL) {
2891 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
2892 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2893 }
2894
Dave Rodgman2eab4622023-10-05 13:30:37 +0100[diff] [blame]2895 psa_hash_alg = mbedtls_md_psa_alg_from_type((mbedtls_md_type_t) ciphersuite_info->mac);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2896 hash_length = PSA_HASH_LENGTH(psa_hash_alg);
2897 if (hash_length == -1 ||
2898 (size_t) hash_length > sizeof(session->resumption_key)) {
2899 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Jerry Yu3afdf362022-07-20 17:34:14 +0800[diff] [blame]2900 }
2901
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2902
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2903 MBEDTLS_SSL_DEBUG_BUF(3, "resumption_master_secret",
2904 session->app_secrets.resumption_master_secret,
2905 hash_length);
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2906
Jerry Yu4e6c42a2022-07-13 11:16:51 +0800[diff] [blame]2907 /* Compute resumption key
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2908 *
2909 * HKDF-Expand-Label( resumption_master_secret,
2910 * "resumption", ticket_nonce, Hash.length )
2911 */
2912 ret = mbedtls_ssl_tls13_hkdf_expand_label(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2913 psa_hash_alg,
2914 session->app_secrets.resumption_master_secret,
2915 hash_length,
2916 MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(resumption),
2917 ticket_nonce,
2918 ticket_nonce_len,
2919 session->resumption_key,
2920 hash_length);
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2921
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2922 if (ret != 0) {
2923 MBEDTLS_SSL_DEBUG_RET(2,
2924 "Creating the ticket-resumed PSK failed",
2925 ret);
2926 return ret;
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2927 }
2928
Jerry Yu0a430c82022-07-20 11:02:48 +0800[diff] [blame]2929 session->resumption_key_len = hash_length;
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2930
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2931 MBEDTLS_SSL_DEBUG_BUF(3, "Ticket-resumed PSK",
2932 session->resumption_key,
2933 session->resumption_key_len);
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2934
Pengyu Lv9f926952022-11-17 15:22:33 +0800[diff] [blame]2935 /* Set ticket_flags depends on the selected key exchange modes */
Pengyu Lv80270b22023-01-12 11:54:04 +0800[diff] [blame]2936 mbedtls_ssl_session_set_ticket_flags(
Pengyu Lv9eacb442022-12-09 14:39:19 +0800[diff] [blame]2937 session, ssl->conf->tls13_kex_modes);
Pengyu Lv4938a562023-01-16 11:28:49 +0800[diff] [blame]2938 MBEDTLS_SSL_PRINT_TICKET_FLAGS(4, session->ticket_flags);
Pengyu Lv9f926952022-11-17 15:22:33 +0800[diff] [blame]2939
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2940 return 0;
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2941}
2942
2943/*
Jerry Yua8d3c502022-10-30 14:51:23 +0800[diff] [blame]2944 * Handler for MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2945 */
Jerry Yua0446a02022-07-13 11:22:55 +0800[diff] [blame]2946MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2947static int ssl_tls13_process_new_session_ticket(mbedtls_ssl_context *ssl)
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2948{
2949 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2950 unsigned char *buf;
2951 size_t buf_len;
Jerry Yucb3b1392022-07-12 06:09:38 +0000[diff] [blame]2952 unsigned char *ticket_nonce;
2953 size_t ticket_nonce_len;
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2954
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2955 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse new session ticket"));
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2956
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2957 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_tls13_fetch_handshake_msg(
2958 ssl, MBEDTLS_SSL_HS_NEW_SESSION_TICKET,
2959 &buf, &buf_len));
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2960
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2961 MBEDTLS_SSL_PROC_CHK(ssl_tls13_parse_new_session_ticket(
2962 ssl, buf, buf + buf_len,
2963 &ticket_nonce, &ticket_nonce_len));
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2964
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2965 MBEDTLS_SSL_PROC_CHK(ssl_tls13_postprocess_new_session_ticket(
2966 ssl, ticket_nonce, ticket_nonce_len));
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2967
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2968 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_OVER);
Jerry Yu4e6c42a2022-07-13 11:16:51 +0800[diff] [blame]2969
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2970cleanup:
2971
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2972 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse new session ticket"));
2973 return ret;
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2974}
2975#endif /* MBEDTLS_SSL_SESSION_TICKETS */
2976
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2977int mbedtls_ssl_tls13_handshake_client_step(mbedtls_ssl_context *ssl)
Jerry Yubc20bdd2021-08-24 15:59:48 +0800[diff] [blame]2978{
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]2979 int ret = 0;
Jerry Yuc8a392c2021-08-18 16:46:28 +0800[diff] [blame]2980
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2981 switch (ssl->state) {
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]2982 case MBEDTLS_SSL_HELLO_REQUEST:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2983 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_HELLO);
Jerry Yuddda0502022-12-01 19:43:12 +0800[diff] [blame]2984 break;
2985
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]2986 case MBEDTLS_SSL_CLIENT_HELLO:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2987 ret = mbedtls_ssl_write_client_hello(ssl);
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]2988 break;
2989
2990 case MBEDTLS_SSL_SERVER_HELLO:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2991 ret = ssl_tls13_process_server_hello(ssl);
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2992 break;
2993
2994 case MBEDTLS_SSL_ENCRYPTED_EXTENSIONS:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2995 ret = ssl_tls13_process_encrypted_extensions(ssl);
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2996 break;
2997
Ronald Cron928cbd32022-10-04 16:14:26 +0200[diff] [blame]2998#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
Jerry Yud2674312021-10-29 10:08:19 +0800[diff] [blame]2999 case MBEDTLS_SSL_CERTIFICATE_REQUEST:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3000 ret = ssl_tls13_process_certificate_request(ssl);
Jerry Yud2674312021-10-29 10:08:19 +0800[diff] [blame]3001 break;
3002
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]3003 case MBEDTLS_SSL_SERVER_CERTIFICATE:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3004 ret = ssl_tls13_process_server_certificate(ssl);
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]3005 break;
3006
3007 case MBEDTLS_SSL_CERTIFICATE_VERIFY:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3008 ret = ssl_tls13_process_certificate_verify(ssl);
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]3009 break;
Ronald Cron928cbd32022-10-04 16:14:26 +0200[diff] [blame]3010#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]3011
3012 case MBEDTLS_SSL_SERVER_FINISHED:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3013 ret = ssl_tls13_process_server_finished(ssl);
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]3014 break;
3015
Xiaokang Qian125afcb2022-10-28 06:04:06 +0000[diff] [blame]3016 case MBEDTLS_SSL_END_OF_EARLY_DATA:
3017 ret = ssl_tls13_write_end_of_early_data(ssl);
3018 break;
3019
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]3020 case MBEDTLS_SSL_CLIENT_CERTIFICATE:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3021 ret = ssl_tls13_write_client_certificate(ssl);
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]3022 break;
3023
Ronald Cron928cbd32022-10-04 16:14:26 +0200[diff] [blame]3024#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]3025 case MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3026 ret = ssl_tls13_write_client_certificate_verify(ssl);
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]3027 break;
Ronald Cron928cbd32022-10-04 16:14:26 +0200[diff] [blame]3028#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]3029
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]3030 case MBEDTLS_SSL_CLIENT_FINISHED:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3031 ret = ssl_tls13_write_client_finished(ssl);
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]3032 break;
3033
3034 case MBEDTLS_SSL_FLUSH_BUFFERS:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3035 ret = ssl_tls13_flush_buffers(ssl);
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]3036 break;
3037
3038 case MBEDTLS_SSL_HANDSHAKE_WRAPUP:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3039 ret = ssl_tls13_handshake_wrapup(ssl);
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]3040 break;
3041
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3042 /*
3043 * Injection of dummy-CCS's for middlebox compatibility
3044 */
Ronald Cron49ad6192021-11-24 16:25:31 +0100[diff] [blame]3045#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
XiaokangQian0b56a8f2021-12-22 02:39:32 +0000[diff] [blame]3046 case MBEDTLS_SSL_CLIENT_CCS_BEFORE_2ND_CLIENT_HELLO:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3047 ret = mbedtls_ssl_tls13_write_change_cipher_spec(ssl);
3048 if (ret == 0) {
3049 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_HELLO);
3050 }
Ronald Cron9f55f632022-02-02 16:02:47 +0100[diff] [blame]3051 break;
3052
3053 case MBEDTLS_SSL_CLIENT_CCS_AFTER_SERVER_FINISHED:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3054 ret = mbedtls_ssl_tls13_write_change_cipher_spec(ssl);
3055 if (ret == 0) {
Xiaokang Qian958b6ff2023-03-29 10:37:35 +0000[diff] [blame]3056 mbedtls_ssl_handshake_set_state(
3057 ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3058 }
Ronald Cron49ad6192021-11-24 16:25:31 +0100[diff] [blame]3059 break;
Xiaokang Qianf6d8fd32023-02-02 02:46:26 +0000[diff] [blame]3060
Xiaokang Qian592021a2023-01-04 10:47:05 +0000[diff] [blame]3061 case MBEDTLS_SSL_CLIENT_CCS_AFTER_CLIENT_HELLO:
3062 ret = mbedtls_ssl_tls13_write_change_cipher_spec(ssl);
3063 if (ret == 0) {
3064 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_HELLO);
3065
Xiaokang Qian33ff8682023-01-10 06:32:12 +0000[diff] [blame]3066#if defined(MBEDTLS_SSL_EARLY_DATA)
Xiaokang Qian592021a2023-01-04 10:47:05 +0000[diff] [blame]3067 MBEDTLS_SSL_DEBUG_MSG(
3068 1, ("Switch to early data keys for outbound traffic"));
3069 mbedtls_ssl_set_outbound_transform(
3070 ssl, ssl->handshake->transform_earlydata);
Xiaokang Qian33ff8682023-01-10 06:32:12 +0000[diff] [blame]3071#endif
Xiaokang Qian592021a2023-01-04 10:47:05 +0000[diff] [blame]3072 }
3073 break;
Ronald Cron49ad6192021-11-24 16:25:31 +0100[diff] [blame]3074#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
3075
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]3076#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Jerry Yua8d3c502022-10-30 14:51:23 +0800[diff] [blame]3077 case MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3078 ret = ssl_tls13_process_new_session_ticket(ssl);
3079 if (ret != 0) {
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]3080 break;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3081 }
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]3082 ret = MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET;
3083 break;
3084#endif /* MBEDTLS_SSL_SESSION_TICKETS */
3085
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]3086 default:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3087 MBEDTLS_SSL_DEBUG_MSG(1, ("invalid state %d", ssl->state));
3088 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]3089 }
3090
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3091 return ret;
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]3092}
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800[diff] [blame]3093
Jerry Yufb4b6472022-01-27 15:03:26 +0800[diff] [blame]3094#endif /* MBEDTLS_SSL_CLI_C && MBEDTLS_SSL_PROTO_TLS1_3 */