blob: b0a835f4e31b5cb70f5481ff98da904a446b8a74 [file] [log] [blame]
Jerry Yu3cc4c2a2021-08-06 16:29:08 +08001/*
2 * TLS 1.3 client-side functions
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 *
19 * This file is part of mbed TLS ( https://tls.mbed.org )
20 */
21
22#include "common.h"
23
Jerry Yucc43c6b2022-01-28 10:24:45 +080024#if defined(MBEDTLS_SSL_CLI_C) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
Jerry Yu3cc4c2a2021-08-06 16:29:08 +080025
Jerry Yubc20bdd2021-08-24 15:59:48 +080026#include <string.h>
27
Jerry Yu56fc07f2021-09-01 17:48:49 +080028#include "mbedtls/debug.h"
29#include "mbedtls/error.h"
Jerry Yue1b9c292021-09-10 10:08:31 +080030#include "mbedtls/platform.h"
Jerry Yua13c7e72021-08-17 10:44:40 +080031
Jerry Yubdc71882021-09-14 19:30:36 +080032#include "ssl_misc.h"
Ronald Cron3d580bf2022-02-18 17:24:56 +010033#include "ssl_client.h"
Jerry Yue1b9c292021-09-10 10:08:31 +080034#include "ssl_tls13_keys.h"
Jerry Yucbd082f2022-08-04 16:55:10 +080035#include "ssl_debug_helpers.h"
Jerry Yubdc71882021-09-14 19:30:36 +080036
Jerry Yubc20bdd2021-08-24 15:59:48 +080037/* Write extensions */
38
Jerry Yu92c6b402021-08-27 16:59:09 +080039/*
40 * ssl_tls13_write_supported_versions_ext():
41 *
42 * struct {
43 * ProtocolVersion versions<2..254>;
44 * } SupportedVersions;
45 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +020046MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yuf4436812021-08-26 22:59:56 +080047static int ssl_tls13_write_supported_versions_ext( mbedtls_ssl_context *ssl,
Jerry Yueecfbf02021-08-30 18:32:07 +080048 unsigned char *buf,
49 unsigned char *end,
Xiaofei Baid25fab62021-12-02 06:36:27 +000050 size_t *out_len )
Jerry Yu92c6b402021-08-27 16:59:09 +080051{
52 unsigned char *p = buf;
Glenn Strausscd78df62022-04-07 19:07:11 -040053 unsigned char versions_len = ( ssl->handshake->min_tls_version <=
54 MBEDTLS_SSL_VERSION_TLS1_2 ) ? 4 : 2;
Jerry Yu92c6b402021-08-27 16:59:09 +080055
Xiaofei Baid25fab62021-12-02 06:36:27 +000056 *out_len = 0;
Jerry Yu92c6b402021-08-27 16:59:09 +080057
Jerry Yu159c5a02021-08-31 12:51:25 +080058 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding supported versions extension" ) );
Jerry Yu92c6b402021-08-27 16:59:09 +080059
Jerry Yu388bd0d2021-09-15 18:41:02 +080060 /* Check if we have space to write the extension:
Jerry Yub60e3cf2021-09-08 16:41:02 +080061 * - extension_type (2 bytes)
62 * - extension_data_length (2 bytes)
63 * - versions_length (1 byte )
Ronald Crona77fc272022-03-30 17:20:47 +020064 * - versions (2 or 4 bytes)
Jerry Yu159c5a02021-08-31 12:51:25 +080065 */
Ronald Crona77fc272022-03-30 17:20:47 +020066 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 5 + versions_len );
Ronald Crondbe87f02022-02-10 14:35:27 +010067
Jerry Yueecfbf02021-08-30 18:32:07 +080068 MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS, p, 0 );
Ronald Crondbe87f02022-02-10 14:35:27 +010069 MBEDTLS_PUT_UINT16_BE( versions_len + 1, p, 2 );
Jerry Yueecfbf02021-08-30 18:32:07 +080070 p += 4;
Jerry Yu92c6b402021-08-27 16:59:09 +080071
Jerry Yu1bc2c1f2021-09-01 12:57:29 +080072 /* Length of versions */
Ronald Crondbe87f02022-02-10 14:35:27 +010073 *p++ = versions_len;
Jerry Yu92c6b402021-08-27 16:59:09 +080074
Jerry Yu0c63af62021-09-02 12:59:12 +080075 /* Write values of supported versions.
Jerry Yu0c63af62021-09-02 12:59:12 +080076 * They are defined by the configuration.
Ronald Crondbe87f02022-02-10 14:35:27 +010077 * Currently, we advertise only TLS 1.3 or both TLS 1.3 and TLS 1.2.
Jerry Yu92c6b402021-08-27 16:59:09 +080078 */
Glenn Strausse3af4cb2022-03-15 03:23:42 -040079 mbedtls_ssl_write_version( p, MBEDTLS_SSL_TRANSPORT_STREAM,
80 MBEDTLS_SSL_VERSION_TLS1_3 );
Ronald Crondbe87f02022-02-10 14:35:27 +010081 MBEDTLS_SSL_DEBUG_MSG( 3, ( "supported version: [3:4]" ) );
Jerry Yu92c6b402021-08-27 16:59:09 +080082
Jerry Yu92c6b402021-08-27 16:59:09 +080083
Glenn Strausscd78df62022-04-07 19:07:11 -040084 if( ssl->handshake->min_tls_version <= MBEDTLS_SSL_VERSION_TLS1_2 )
Ronald Crondbe87f02022-02-10 14:35:27 +010085 {
Glenn Strausse3af4cb2022-03-15 03:23:42 -040086 mbedtls_ssl_write_version( p + 2, MBEDTLS_SSL_TRANSPORT_STREAM,
87 MBEDTLS_SSL_VERSION_TLS1_2 );
Ronald Crondbe87f02022-02-10 14:35:27 +010088 MBEDTLS_SSL_DEBUG_MSG( 3, ( "supported version: [3:3]" ) );
89 }
90
91 *out_len = 5 + versions_len;
Jerry Yu4b8f2f72022-10-31 13:31:22 +080092
Jerry Yuc4bf5d62022-10-29 09:08:47 +080093 mbedtls_ssl_tls13_set_hs_sent_ext_mask(
94 ssl, MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS );
Jerry Yu4b8f2f72022-10-31 13:31:22 +080095
Jerry Yu92c6b402021-08-27 16:59:09 +080096 return( 0 );
97}
Jerry Yubc20bdd2021-08-24 15:59:48 +080098
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +020099MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yuc068b662021-10-11 22:30:19 +0800100static int ssl_tls13_parse_supported_versions_ext( mbedtls_ssl_context *ssl,
101 const unsigned char *buf,
Jerry Yub85277e2021-10-13 13:36:05 +0800102 const unsigned char *end )
Jerry Yue1b9c292021-09-10 10:08:31 +0800103{
Jerry Yue1b9c292021-09-10 10:08:31 +0800104 ((void) ssl);
105
Ronald Cron98473382022-03-30 20:04:10 +0200106 MBEDTLS_SSL_CHK_BUF_READ_PTR( buf, end, 2 );
Glenn Strausse3af4cb2022-03-15 03:23:42 -0400107 if( mbedtls_ssl_read_version( buf, ssl->conf->transport ) !=
108 MBEDTLS_SSL_VERSION_TLS1_3 )
Jerry Yue1b9c292021-09-10 10:08:31 +0800109 {
110 MBEDTLS_SSL_DEBUG_MSG( 1, ( "unexpected version" ) );
Jerry Yu4a173382021-10-11 21:45:31 +0800111
112 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
113 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
114 return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
Jerry Yue1b9c292021-09-10 10:08:31 +0800115 }
116
Ronald Cron98473382022-03-30 20:04:10 +0200117 if( &buf[2] != end )
118 {
119 MBEDTLS_SSL_DEBUG_MSG( 1, ( "supported_versions ext data length incorrect" ) );
120 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
121 MBEDTLS_ERR_SSL_DECODE_ERROR );
122 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
123 }
124
Jerry Yue1b9c292021-09-10 10:08:31 +0800125 return( 0 );
126}
127
lhuang0486cacac2022-01-21 07:34:27 -0800128#if defined(MBEDTLS_SSL_ALPN)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200129MBEDTLS_CHECK_RETURN_CRITICAL
lhuang0486cacac2022-01-21 07:34:27 -0800130static int ssl_tls13_parse_alpn_ext( mbedtls_ssl_context *ssl,
Ronald Cron81a334f2022-05-31 16:04:11 +0200131 const unsigned char *buf, size_t len )
lhuang0486cacac2022-01-21 07:34:27 -0800132{
lhuang0486cacac2022-01-21 07:34:27 -0800133 const unsigned char *p = buf;
134 const unsigned char *end = buf + len;
Ronald Cron81a334f2022-05-31 16:04:11 +0200135 size_t protocol_name_list_len, protocol_name_len;
136 const unsigned char *protocol_name_list_end;
lhuang0486cacac2022-01-21 07:34:27 -0800137
138 /* If we didn't send it, the server shouldn't send it */
139 if( ssl->conf->alpn_list == NULL )
140 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
141
142 /*
143 * opaque ProtocolName<1..2^8-1>;
144 *
145 * struct {
146 * ProtocolName protocol_name_list<2..2^16-1>
147 * } ProtocolNameList;
148 *
149 * the "ProtocolNameList" MUST contain exactly one "ProtocolName"
150 */
151
Ronald Cron81a334f2022-05-31 16:04:11 +0200152 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
153 protocol_name_list_len = MBEDTLS_GET_UINT16_BE( p, 0 );
lhuang0486cacac2022-01-21 07:34:27 -0800154 p += 2;
lhuang0486cacac2022-01-21 07:34:27 -0800155
Ronald Cron81a334f2022-05-31 16:04:11 +0200156 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, protocol_name_list_len );
157 protocol_name_list_end = p + protocol_name_list_len;
158
159 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, protocol_name_list_end, 1 );
160 protocol_name_len = *p++;
lhuang0486cacac2022-01-21 07:34:27 -0800161
162 /* Check that the server chosen protocol was in our list and save it */
Ronald Cron81a334f2022-05-31 16:04:11 +0200163 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, protocol_name_list_end, protocol_name_len );
164 for( const char **alpn = ssl->conf->alpn_list; *alpn != NULL; alpn++ )
lhuang0486cacac2022-01-21 07:34:27 -0800165 {
Ronald Cron81a334f2022-05-31 16:04:11 +0200166 if( protocol_name_len == strlen( *alpn ) &&
167 memcmp( p, *alpn, protocol_name_len ) == 0 )
lhuang0486cacac2022-01-21 07:34:27 -0800168 {
169 ssl->alpn_chosen = *alpn;
170 return( 0 );
171 }
172 }
173
174 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
175}
176#endif /* MBEDTLS_SSL_ALPN */
177
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200178MBEDTLS_CHECK_RETURN_CRITICAL
XiaokangQian16acd4b2022-01-14 07:35:47 +0000179static int ssl_tls13_reset_key_share( mbedtls_ssl_context *ssl )
XiaokangQian647719a2021-12-07 09:16:29 +0000180{
181 uint16_t group_id = ssl->handshake->offered_group_id;
Ronald Cron5b98ac92022-03-15 10:19:18 +0100182
XiaokangQian647719a2021-12-07 09:16:29 +0000183 if( group_id == 0 )
184 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
185
XiaokangQian355e09a2022-01-20 11:14:50 +0000186#if defined(MBEDTLS_ECDH_C)
XiaokangQian647719a2021-12-07 09:16:29 +0000187 if( mbedtls_ssl_tls13_named_group_is_ecdhe( group_id ) )
XiaokangQian78b1fa72022-01-19 06:56:30 +0000188 {
Ronald Cron5b98ac92022-03-15 10:19:18 +0100189 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
190 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
191
192 /* Destroy generated private key. */
193 status = psa_destroy_key( ssl->handshake->ecdh_psa_privkey );
194 if( status != PSA_SUCCESS )
195 {
196 ret = psa_ssl_status_to_mbedtls( status );
197 MBEDTLS_SSL_DEBUG_RET( 1, "psa_destroy_key", ret );
198 return( ret );
199 }
200
201 ssl->handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
XiaokangQian78b1fa72022-01-19 06:56:30 +0000202 return( 0 );
203 }
XiaokangQian355e09a2022-01-20 11:14:50 +0000204 else
205#endif /* MBEDTLS_ECDH_C */
206 if( 0 /* other KEMs? */ )
XiaokangQian647719a2021-12-07 09:16:29 +0000207 {
208 /* Do something */
209 }
210
211 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
212}
213
214/*
Jerry Yu56fc07f2021-09-01 17:48:49 +0800215 * Functions for writing key_share extension.
216 */
Ronald Cron766c0cd2022-10-18 12:17:11 +0200217#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200218MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yub60e3cf2021-09-08 16:41:02 +0800219static int ssl_tls13_get_default_group_id( mbedtls_ssl_context *ssl,
220 uint16_t *group_id )
Jerry Yu56fc07f2021-09-01 17:48:49 +0800221{
222 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
223
Jerry Yu56fc07f2021-09-01 17:48:49 +0800224
Jerry Yu56fc07f2021-09-01 17:48:49 +0800225#if defined(MBEDTLS_ECDH_C)
Brett Warren14efd332021-10-06 09:32:11 +0100226 const uint16_t *group_list = mbedtls_ssl_get_groups( ssl );
Jerry Yu388bd0d2021-09-15 18:41:02 +0800227 /* Pick first available ECDHE group compatible with TLS 1.3 */
Brett Warren14efd332021-10-06 09:32:11 +0100228 if( group_list == NULL )
Jerry Yu388bd0d2021-09-15 18:41:02 +0800229 return( MBEDTLS_ERR_SSL_BAD_CONFIG );
230
Brett Warren14efd332021-10-06 09:32:11 +0100231 for ( ; *group_list != 0; group_list++ )
Jerry Yu56fc07f2021-09-01 17:48:49 +0800232 {
Xiaofei Baieef15042021-11-18 07:29:56 +0000233 const mbedtls_ecp_curve_info *curve_info;
234 curve_info = mbedtls_ecp_curve_info_from_tls_id( *group_list );
235 if( curve_info != NULL &&
Brett Warren14efd332021-10-06 09:32:11 +0100236 mbedtls_ssl_tls13_named_group_is_ecdhe( *group_list ) )
Jerry Yu56fc07f2021-09-01 17:48:49 +0800237 {
Brett Warren14efd332021-10-06 09:32:11 +0100238 *group_id = *group_list;
Jerry Yu56fc07f2021-09-01 17:48:49 +0800239 return( 0 );
240 }
241 }
242#else
243 ((void) ssl);
Jerry Yub60e3cf2021-09-08 16:41:02 +0800244 ((void) group_id);
Jerry Yu56fc07f2021-09-01 17:48:49 +0800245#endif /* MBEDTLS_ECDH_C */
246
247 /*
248 * Add DHE named groups here.
Jerry Yu388bd0d2021-09-15 18:41:02 +0800249 * Pick first available DHE group compatible with TLS 1.3
Jerry Yu56fc07f2021-09-01 17:48:49 +0800250 */
251
252 return( ret );
253}
254
255/*
256 * ssl_tls13_write_key_share_ext
257 *
Jerry Yu388bd0d2021-09-15 18:41:02 +0800258 * Structure of key_share extension in ClientHello:
Jerry Yu56fc07f2021-09-01 17:48:49 +0800259 *
260 * struct {
261 * NamedGroup group;
262 * opaque key_exchange<1..2^16-1>;
263 * } KeyShareEntry;
264 * struct {
265 * KeyShareEntry client_shares<0..2^16-1>;
266 * } KeyShareClientHello;
267 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200268MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yu56fc07f2021-09-01 17:48:49 +0800269static int ssl_tls13_write_key_share_ext( mbedtls_ssl_context *ssl,
270 unsigned char *buf,
271 unsigned char *end,
Xiaofei Baid25fab62021-12-02 06:36:27 +0000272 size_t *out_len )
Jerry Yu56fc07f2021-09-01 17:48:49 +0800273{
274 unsigned char *p = buf;
Xiaofei Baieef15042021-11-18 07:29:56 +0000275 unsigned char *client_shares; /* Start of client_shares */
276 size_t client_shares_len; /* Length of client_shares */
Jerry Yu56fc07f2021-09-01 17:48:49 +0800277 uint16_t group_id;
Jerry Yu56fc07f2021-09-01 17:48:49 +0800278 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
279
Xiaofei Baid25fab62021-12-02 06:36:27 +0000280 *out_len = 0;
Jerry Yu56fc07f2021-09-01 17:48:49 +0800281
Jerry Yub60e3cf2021-09-08 16:41:02 +0800282 /* Check if we have space for header and length fields:
Jerry Yu56fc07f2021-09-01 17:48:49 +0800283 * - extension_type (2 bytes)
284 * - extension_data_length (2 bytes)
285 * - client_shares_length (2 bytes)
286 */
287 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 6 );
288 p += 6;
289
290 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello: adding key share extension" ) );
291
292 /* HRR could already have requested something else. */
293 group_id = ssl->handshake->offered_group_id;
Jerry Yub60e3cf2021-09-08 16:41:02 +0800294 if( !mbedtls_ssl_tls13_named_group_is_ecdhe( group_id ) &&
295 !mbedtls_ssl_tls13_named_group_is_dhe( group_id ) )
Jerry Yu56fc07f2021-09-01 17:48:49 +0800296 {
Jerry Yub60e3cf2021-09-08 16:41:02 +0800297 MBEDTLS_SSL_PROC_CHK( ssl_tls13_get_default_group_id( ssl,
Jerry Yu56fc07f2021-09-01 17:48:49 +0800298 &group_id ) );
299 }
300
301 /*
302 * Dispatch to type-specific key generation function.
303 *
304 * So far, we're only supporting ECDHE. With the introduction
305 * of PQC KEMs, we'll want to have multiple branches, one per
306 * type of KEM, and dispatch to the corresponding crypto. And
307 * only one key share entry is allowed.
308 */
Xiaofei Baieef15042021-11-18 07:29:56 +0000309 client_shares = p;
Jerry Yu56fc07f2021-09-01 17:48:49 +0800310#if defined(MBEDTLS_ECDH_C)
Jerry Yub60e3cf2021-09-08 16:41:02 +0800311 if( mbedtls_ssl_tls13_named_group_is_ecdhe( group_id ) )
Jerry Yu56fc07f2021-09-01 17:48:49 +0800312 {
Jerry Yu388bd0d2021-09-15 18:41:02 +0800313 /* Pointer to group */
Xiaofei Baieef15042021-11-18 07:29:56 +0000314 unsigned char *group = p;
Jerry Yu56fc07f2021-09-01 17:48:49 +0800315 /* Length of key_exchange */
Przemyslaw Stekiel4f419e52022-02-10 15:56:26 +0100316 size_t key_exchange_len = 0;
Jerry Yu56fc07f2021-09-01 17:48:49 +0800317
318 /* Check there is space for header of KeyShareEntry
319 * - group (2 bytes)
320 * - key_exchange_length (2 bytes)
321 */
322 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 4 );
323 p += 4;
Jerry Yu89e103c2022-03-30 22:43:29 +0800324 ret = mbedtls_ssl_tls13_generate_and_write_ecdh_key_exchange(
325 ssl, group_id, p, end, &key_exchange_len );
Jerry Yu56fc07f2021-09-01 17:48:49 +0800326 p += key_exchange_len;
327 if( ret != 0 )
328 return( ret );
329
330 /* Write group */
Xiaofei Baieef15042021-11-18 07:29:56 +0000331 MBEDTLS_PUT_UINT16_BE( group_id, group, 0 );
Jerry Yu56fc07f2021-09-01 17:48:49 +0800332 /* Write key_exchange_length */
Xiaofei Baieef15042021-11-18 07:29:56 +0000333 MBEDTLS_PUT_UINT16_BE( key_exchange_len, group, 2 );
Jerry Yu56fc07f2021-09-01 17:48:49 +0800334 }
335 else
336#endif /* MBEDTLS_ECDH_C */
337 if( 0 /* other KEMs? */ )
338 {
339 /* Do something */
340 }
341 else
342 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
343
Jerry Yub60e3cf2021-09-08 16:41:02 +0800344 /* Length of client_shares */
Xiaofei Baieef15042021-11-18 07:29:56 +0000345 client_shares_len = p - client_shares;
Jerry Yub60e3cf2021-09-08 16:41:02 +0800346 if( client_shares_len == 0)
347 {
348 MBEDTLS_SSL_DEBUG_MSG( 1, ( "No key share defined." ) );
349 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Jerry Yu7c522d42021-09-08 17:55:09 +0800350 }
Jerry Yu56fc07f2021-09-01 17:48:49 +0800351 /* Write extension_type */
352 MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_KEY_SHARE, buf, 0 );
353 /* Write extension_data_length */
Jerry Yub60e3cf2021-09-08 16:41:02 +0800354 MBEDTLS_PUT_UINT16_BE( client_shares_len + 2, buf, 2 );
Jerry Yu56fc07f2021-09-01 17:48:49 +0800355 /* Write client_shares_length */
Jerry Yub60e3cf2021-09-08 16:41:02 +0800356 MBEDTLS_PUT_UINT16_BE( client_shares_len, buf, 4 );
Jerry Yu56fc07f2021-09-01 17:48:49 +0800357
358 /* Update offered_group_id field */
359 ssl->handshake->offered_group_id = group_id;
360
361 /* Output the total length of key_share extension. */
Xiaofei Baid25fab62021-12-02 06:36:27 +0000362 *out_len = p - buf;
Jerry Yu56fc07f2021-09-01 17:48:49 +0800363
Xiaofei Baid25fab62021-12-02 06:36:27 +0000364 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, key_share extension", buf, *out_len );
Jerry Yu56fc07f2021-09-01 17:48:49 +0800365
Jerry Yuc4bf5d62022-10-29 09:08:47 +0800366 mbedtls_ssl_tls13_set_hs_sent_ext_mask( ssl, MBEDTLS_TLS_EXT_KEY_SHARE );
Jerry Yu56fc07f2021-09-01 17:48:49 +0800367
368cleanup:
369
370 return( ret );
371}
Ronald Cron766c0cd2022-10-18 12:17:11 +0200372#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED */
Jerry Yue1b9c292021-09-10 10:08:31 +0800373
XiaokangQiand59be772022-01-24 10:12:51 +0000374/*
375 * ssl_tls13_parse_hrr_key_share_ext()
376 * Parse key_share extension in Hello Retry Request
377 *
378 * struct {
379 * NamedGroup selected_group;
380 * } KeyShareHelloRetryRequest;
381 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200382MBEDTLS_CHECK_RETURN_CRITICAL
XiaokangQiand9e068e2022-01-18 06:23:32 +0000383static int ssl_tls13_parse_hrr_key_share_ext( mbedtls_ssl_context *ssl,
XiaokangQianb851da82022-01-14 04:03:11 +0000384 const unsigned char *buf,
385 const unsigned char *end )
386{
Andrzej Kurekc19fb082022-10-03 10:52:24 -0400387#if defined(MBEDTLS_ECDH_C)
XiaokangQianb851da82022-01-14 04:03:11 +0000388 const mbedtls_ecp_curve_info *curve_info = NULL;
389 const unsigned char *p = buf;
XiaokangQiand59be772022-01-24 10:12:51 +0000390 int selected_group;
XiaokangQianb851da82022-01-14 04:03:11 +0000391 int found = 0;
392
393 const uint16_t *group_list = mbedtls_ssl_get_groups( ssl );
394 if( group_list == NULL )
395 return( MBEDTLS_ERR_SSL_BAD_CONFIG );
396
397 MBEDTLS_SSL_DEBUG_BUF( 3, "key_share extension", p, end - buf );
398
399 /* Read selected_group */
XiaokangQianb48894e2022-01-17 02:05:52 +0000400 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
XiaokangQiand59be772022-01-24 10:12:51 +0000401 selected_group = MBEDTLS_GET_UINT16_BE( p, 0 );
402 MBEDTLS_SSL_DEBUG_MSG( 3, ( "selected_group ( %d )", selected_group ) );
XiaokangQianb851da82022-01-14 04:03:11 +0000403
404 /* Upon receipt of this extension in a HelloRetryRequest, the client
405 * MUST first verify that the selected_group field corresponds to a
406 * group which was provided in the "supported_groups" extension in the
407 * original ClientHello.
408 * The supported_group was based on the info in ssl->conf->group_list.
409 *
410 * If the server provided a key share that was not sent in the ClientHello
411 * then the client MUST abort the handshake with an "illegal_parameter" alert.
412 */
XiaokangQiand9e068e2022-01-18 06:23:32 +0000413 for( ; *group_list != 0; group_list++ )
XiaokangQianb851da82022-01-14 04:03:11 +0000414 {
415 curve_info = mbedtls_ecp_curve_info_from_tls_id( *group_list );
XiaokangQiand59be772022-01-24 10:12:51 +0000416 if( curve_info == NULL || curve_info->tls_id != selected_group )
XiaokangQianb851da82022-01-14 04:03:11 +0000417 continue;
418
419 /* We found a match */
420 found = 1;
421 break;
422 }
423
424 /* Client MUST verify that the selected_group field does not
425 * correspond to a group which was provided in the "key_share"
426 * extension in the original ClientHello. If the server sent an
427 * HRR message with a key share already provided in the
428 * ClientHello then the client MUST abort the handshake with
429 * an "illegal_parameter" alert.
430 */
XiaokangQiand59be772022-01-24 10:12:51 +0000431 if( found == 0 || selected_group == ssl->handshake->offered_group_id )
XiaokangQianb851da82022-01-14 04:03:11 +0000432 {
433 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Invalid key share in HRR" ) );
434 MBEDTLS_SSL_PEND_FATAL_ALERT(
435 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
436 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
437 return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
438 }
439
440 /* Remember server's preference for next ClientHello */
XiaokangQiand59be772022-01-24 10:12:51 +0000441 ssl->handshake->offered_group_id = selected_group;
XiaokangQianb851da82022-01-14 04:03:11 +0000442
443 return( 0 );
Andrzej Kurekc19fb082022-10-03 10:52:24 -0400444#else
445 (void) ssl;
446 (void) buf;
447 (void) end;
448 return( MBEDTLS_ERR_SSL_BAD_CONFIG );
449#endif
XiaokangQianb851da82022-01-14 04:03:11 +0000450}
451
Jerry Yue1b9c292021-09-10 10:08:31 +0800452/*
Jerry Yub85277e2021-10-13 13:36:05 +0800453 * ssl_tls13_parse_key_share_ext()
454 * Parse key_share extension in Server Hello
455 *
Jerry Yue1b9c292021-09-10 10:08:31 +0800456 * struct {
457 * KeyShareEntry server_share;
458 * } KeyShareServerHello;
459 * struct {
460 * NamedGroup group;
461 * opaque key_exchange<1..2^16-1>;
462 * } KeyShareEntry;
463 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200464MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yu4a173382021-10-11 21:45:31 +0800465static int ssl_tls13_parse_key_share_ext( mbedtls_ssl_context *ssl,
Jerry Yue1b9c292021-09-10 10:08:31 +0800466 const unsigned char *buf,
467 const unsigned char *end )
468{
Jerry Yub85277e2021-10-13 13:36:05 +0800469 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yue1b9c292021-09-10 10:08:31 +0800470 const unsigned char *p = buf;
Jerry Yu4a173382021-10-11 21:45:31 +0800471 uint16_t group, offered_group;
Jerry Yue1b9c292021-09-10 10:08:31 +0800472
Jerry Yu4a173382021-10-11 21:45:31 +0800473 /* ...
474 * NamedGroup group; (2 bytes)
475 * ...
476 */
477 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
478 group = MBEDTLS_GET_UINT16_BE( p, 0 );
Jerry Yue1b9c292021-09-10 10:08:31 +0800479 p += 2;
480
Jerry Yu4a173382021-10-11 21:45:31 +0800481 /* Check that the chosen group matches the one we offered. */
Jerry Yue1b9c292021-09-10 10:08:31 +0800482 offered_group = ssl->handshake->offered_group_id;
Jerry Yu4a173382021-10-11 21:45:31 +0800483 if( offered_group != group )
Jerry Yue1b9c292021-09-10 10:08:31 +0800484 {
485 MBEDTLS_SSL_DEBUG_MSG( 1,
486 ( "Invalid server key share, our group %u, their group %u",
Jerry Yu4a173382021-10-11 21:45:31 +0800487 (unsigned) offered_group, (unsigned) group ) );
488 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
489 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
490 return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
Jerry Yue1b9c292021-09-10 10:08:31 +0800491 }
492
493#if defined(MBEDTLS_ECDH_C)
Jerry Yu4a173382021-10-11 21:45:31 +0800494 if( mbedtls_ssl_tls13_named_group_is_ecdhe( group ) )
Jerry Yue1b9c292021-09-10 10:08:31 +0800495 {
Przemyslaw Stekiel9e23ddb2022-02-10 10:32:02 +0100496 const mbedtls_ecp_curve_info *curve_info =
497 mbedtls_ecp_curve_info_from_tls_id( group );
498 if( curve_info == NULL )
499 {
500 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Invalid TLS curve group id" ) );
501 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
502 }
503
504 MBEDTLS_SSL_DEBUG_MSG( 2, ( "ECDH curve: %s", curve_info->name ) );
505
XiaokangQian9b5d04b2022-04-10 10:20:43 +0000506 ret = mbedtls_ssl_tls13_read_public_ecdhe_share( ssl, p, end - p );
Jerry Yue1b9c292021-09-10 10:08:31 +0800507 if( ret != 0 )
508 return( ret );
509 }
Jerry Yub85277e2021-10-13 13:36:05 +0800510 else
Jerry Yue1b9c292021-09-10 10:08:31 +0800511#endif /* MBEDTLS_ECDH_C */
Jerry Yub85277e2021-10-13 13:36:05 +0800512 if( 0 /* other KEMs? */ )
Jerry Yue1b9c292021-09-10 10:08:31 +0800513 {
514 /* Do something */
515 }
516 else
517 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
518
Jerry Yue1b9c292021-09-10 10:08:31 +0800519 return( ret );
520}
521
XiaokangQiand59be772022-01-24 10:12:51 +0000522/*
523 * ssl_tls13_parse_cookie_ext()
524 * Parse cookie extension in Hello Retry Request
525 *
526 * struct {
527 * opaque cookie<1..2^16-1>;
528 * } Cookie;
529 *
530 * When sending a HelloRetryRequest, the server MAY provide a "cookie"
531 * extension to the client (this is an exception to the usual rule that
532 * the only extensions that may be sent are those that appear in the
533 * ClientHello). When sending the new ClientHello, the client MUST copy
534 * the contents of the extension received in the HelloRetryRequest into
535 * a "cookie" extension in the new ClientHello. Clients MUST NOT use
536 * cookies in their initial ClientHello in subsequent connections.
537 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200538MBEDTLS_CHECK_RETURN_CRITICAL
XiaokangQian43550bd2022-01-21 04:32:58 +0000539static int ssl_tls13_parse_cookie_ext( mbedtls_ssl_context *ssl,
540 const unsigned char *buf,
541 const unsigned char *end )
542{
XiaokangQian25c9c902022-02-08 10:49:53 +0000543 uint16_t cookie_len;
XiaokangQian43550bd2022-01-21 04:32:58 +0000544 const unsigned char *p = buf;
545 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
546
547 /* Retrieve length field of cookie */
548 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
549 cookie_len = MBEDTLS_GET_UINT16_BE( p, 0 );
550 p += 2;
551
552 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, cookie_len );
553 MBEDTLS_SSL_DEBUG_BUF( 3, "cookie extension", p, cookie_len );
554
XiaokangQian9b93c0d2022-02-09 06:02:25 +0000555 mbedtls_free( handshake->cookie );
XiaokangQian25c9c902022-02-08 10:49:53 +0000556 handshake->hrr_cookie_len = 0;
XiaokangQian9b93c0d2022-02-09 06:02:25 +0000557 handshake->cookie = mbedtls_calloc( 1, cookie_len );
558 if( handshake->cookie == NULL )
XiaokangQian43550bd2022-01-21 04:32:58 +0000559 {
560 MBEDTLS_SSL_DEBUG_MSG( 1,
XiaokangQian25c9c902022-02-08 10:49:53 +0000561 ( "alloc failed ( %ud bytes )",
XiaokangQian43550bd2022-01-21 04:32:58 +0000562 cookie_len ) );
563 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
564 }
565
XiaokangQian9b93c0d2022-02-09 06:02:25 +0000566 memcpy( handshake->cookie, p, cookie_len );
XiaokangQian25c9c902022-02-08 10:49:53 +0000567 handshake->hrr_cookie_len = cookie_len;
XiaokangQian43550bd2022-01-21 04:32:58 +0000568
569 return( 0 );
570}
XiaokangQian43550bd2022-01-21 04:32:58 +0000571
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200572MBEDTLS_CHECK_RETURN_CRITICAL
XiaokangQian0b64eed2022-01-27 10:36:51 +0000573static int ssl_tls13_write_cookie_ext( mbedtls_ssl_context *ssl,
XiaokangQian233397e2022-02-07 08:32:16 +0000574 unsigned char *buf,
575 unsigned char *end,
XiaokangQian9deb90f2022-02-08 10:31:07 +0000576 size_t *out_len )
XiaokangQian0b64eed2022-01-27 10:36:51 +0000577{
578 unsigned char *p = buf;
XiaokangQian9deb90f2022-02-08 10:31:07 +0000579 *out_len = 0;
XiaokangQianc02768a2022-02-10 07:31:25 +0000580 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
XiaokangQian0b64eed2022-01-27 10:36:51 +0000581
XiaokangQianc02768a2022-02-10 07:31:25 +0000582 if( handshake->cookie == NULL )
XiaokangQian0b64eed2022-01-27 10:36:51 +0000583 {
584 MBEDTLS_SSL_DEBUG_MSG( 3, ( "no cookie to send; skip extension" ) );
585 return( 0 );
586 }
587
588 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, cookie",
XiaokangQianc02768a2022-02-10 07:31:25 +0000589 handshake->cookie,
590 handshake->hrr_cookie_len );
XiaokangQian0b64eed2022-01-27 10:36:51 +0000591
XiaokangQianc02768a2022-02-10 07:31:25 +0000592 MBEDTLS_SSL_CHK_BUF_PTR( p, end, handshake->hrr_cookie_len + 6 );
XiaokangQian0b64eed2022-01-27 10:36:51 +0000593
594 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding cookie extension" ) );
595
XiaokangQian0b64eed2022-01-27 10:36:51 +0000596 MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_COOKIE, p, 0 );
XiaokangQianc02768a2022-02-10 07:31:25 +0000597 MBEDTLS_PUT_UINT16_BE( handshake->hrr_cookie_len + 2, p, 2 );
598 MBEDTLS_PUT_UINT16_BE( handshake->hrr_cookie_len, p, 4 );
XiaokangQian233397e2022-02-07 08:32:16 +0000599 p += 6;
XiaokangQian0b64eed2022-01-27 10:36:51 +0000600
601 /* Cookie */
XiaokangQianc02768a2022-02-10 07:31:25 +0000602 memcpy( p, handshake->cookie, handshake->hrr_cookie_len );
XiaokangQian0b64eed2022-01-27 10:36:51 +0000603
XiaokangQianc02768a2022-02-10 07:31:25 +0000604 *out_len = handshake->hrr_cookie_len + 6;
XiaokangQian0b64eed2022-01-27 10:36:51 +0000605
Jerry Yuc4bf5d62022-10-29 09:08:47 +0800606 mbedtls_ssl_tls13_set_hs_sent_ext_mask( ssl, MBEDTLS_TLS_EXT_COOKIE );
Jerry Yu4b8f2f72022-10-31 13:31:22 +0800607
XiaokangQian0b64eed2022-01-27 10:36:51 +0000608 return( 0 );
609}
610
Ronald Cron41a443a2022-10-04 16:38:25 +0200611#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
XiaokangQianeb69aee2022-07-05 08:21:43 +0000612/*
613 * ssl_tls13_write_psk_key_exchange_modes_ext() structure:
614 *
615 * enum { psk_ke( 0 ), psk_dhe_ke( 1 ), ( 255 ) } PskKeyExchangeMode;
616 *
617 * struct {
618 * PskKeyExchangeMode ke_modes<1..255>;
619 * } PskKeyExchangeModes;
620 */
XiaokangQian86981952022-07-19 09:51:50 +0000621MBEDTLS_CHECK_RETURN_CRITICAL
XiaokangQianeb69aee2022-07-05 08:21:43 +0000622static int ssl_tls13_write_psk_key_exchange_modes_ext( mbedtls_ssl_context *ssl,
623 unsigned char *buf,
624 unsigned char *end,
625 size_t *out_len )
626{
XiaokangQianeb69aee2022-07-05 08:21:43 +0000627 unsigned char *p = buf;
XiaokangQian008d2bf2022-07-14 07:54:01 +0000628 int ke_modes_len = 0;
XiaokangQianeb69aee2022-07-05 08:21:43 +0000629
XiaokangQian008d2bf2022-07-14 07:54:01 +0000630 ((void) ke_modes_len );
XiaokangQianeb69aee2022-07-05 08:21:43 +0000631 *out_len = 0;
XiaokangQian008d2bf2022-07-14 07:54:01 +0000632
XiaokangQianeb69aee2022-07-05 08:21:43 +0000633 /* Skip writing extension if no PSK key exchange mode
XiaokangQian7c12d312022-07-20 07:25:43 +0000634 * is enabled in the config.
XiaokangQianeb69aee2022-07-05 08:21:43 +0000635 */
XiaokangQian86981952022-07-19 09:51:50 +0000636 if( !mbedtls_ssl_conf_tls13_some_psk_enabled( ssl ) )
XiaokangQianeb69aee2022-07-05 08:21:43 +0000637 {
638 MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip psk_key_exchange_modes extension" ) );
639 return( 0 );
640 }
641
642 /* Require 7 bytes of data, otherwise fail,
643 * even if extension might be shorter.
644 */
645 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 7 );
646 MBEDTLS_SSL_DEBUG_MSG(
647 3, ( "client hello, adding psk_key_exchange_modes extension" ) );
648
XiaokangQianeb69aee2022-07-05 08:21:43 +0000649 MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES, p, 0 );
650
XiaokangQian008d2bf2022-07-14 07:54:01 +0000651 /* Skip extension length (2 bytes) and
652 * ke_modes length (1 byte) for now.
XiaokangQianeb69aee2022-07-05 08:21:43 +0000653 */
654 p += 5;
655
XiaokangQianeb69aee2022-07-05 08:21:43 +0000656 if( mbedtls_ssl_conf_tls13_psk_ephemeral_enabled( ssl ) )
657 {
658 *p++ = MBEDTLS_SSL_TLS1_3_PSK_MODE_ECDHE;
XiaokangQian008d2bf2022-07-14 07:54:01 +0000659 ke_modes_len++;
XiaokangQianeb69aee2022-07-05 08:21:43 +0000660
661 MBEDTLS_SSL_DEBUG_MSG( 4, ( "Adding PSK-ECDHE key exchange mode" ) );
662 }
663
Ronald Crona709a0f2022-09-27 16:46:11 +0200664 if( mbedtls_ssl_conf_tls13_psk_enabled( ssl ) )
665 {
666 *p++ = MBEDTLS_SSL_TLS1_3_PSK_MODE_PURE;
667 ke_modes_len++;
668
669 MBEDTLS_SSL_DEBUG_MSG( 4, ( "Adding pure PSK key exchange mode" ) );
670 }
671
XiaokangQian008d2bf2022-07-14 07:54:01 +0000672 /* Now write the extension and ke_modes length */
673 MBEDTLS_PUT_UINT16_BE( ke_modes_len + 1, buf, 2 );
674 buf[4] = ke_modes_len;
XiaokangQianeb69aee2022-07-05 08:21:43 +0000675
676 *out_len = p - buf;
Jerry Yu0c354a22022-08-29 15:25:36 +0800677
Jerry Yuc4bf5d62022-10-29 09:08:47 +0800678 mbedtls_ssl_tls13_set_hs_sent_ext_mask(
679 ssl, MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES );
Jerry Yu4b8f2f72022-10-31 13:31:22 +0800680
XiaokangQianeb69aee2022-07-05 08:21:43 +0000681 return ( 0 );
682}
Jerry Yudb8c5fa2022-08-03 12:10:13 +0800683
Jerry Yua99cbfa2022-10-08 11:17:14 +0800684static psa_algorithm_t ssl_tls13_get_ciphersuite_hash_alg( int ciphersuite )
Jerry Yuf7c12592022-09-28 22:09:38 +0800685{
Jerry Yu21f90952022-10-08 10:30:53 +0800686 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = NULL;
687 ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( ciphersuite );
Jerry Yuf7c12592022-09-28 22:09:38 +0800688
Jerry Yua99cbfa2022-10-08 11:17:14 +0800689 if( ciphersuite_info != NULL )
690 return( mbedtls_psa_translate_md( ciphersuite_info->mac ) );
691
Jerry Yu21f90952022-10-08 10:30:53 +0800692 return( PSA_ALG_NONE );
Jerry Yuf7c12592022-09-28 22:09:38 +0800693}
694
Jerry Yuf75364b2022-09-30 10:30:31 +0800695#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Jerry Yuf7c12592022-09-28 22:09:38 +0800696static int ssl_tls13_has_configured_ticket( mbedtls_ssl_context *ssl )
697{
Jerry Yuf7c12592022-09-28 22:09:38 +0800698 mbedtls_ssl_session *session = ssl->session_negotiate;
Jerry Yu4f77ecf2022-10-10 22:10:08 +0800699 return( ssl->handshake->resume &&
700 session != NULL && session->ticket != NULL );
Jerry Yuf7c12592022-09-28 22:09:38 +0800701}
702
Jerry Yuf7c12592022-09-28 22:09:38 +0800703MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yu8b41e892022-09-30 10:00:20 +0800704static int ssl_tls13_ticket_get_identity( mbedtls_ssl_context *ssl,
Jerry Yua99cbfa2022-10-08 11:17:14 +0800705 psa_algorithm_t *hash_alg,
Jerry Yu8b41e892022-09-30 10:00:20 +0800706 const unsigned char **identity,
707 size_t *identity_len )
Jerry Yuf7c12592022-09-28 22:09:38 +0800708{
709 mbedtls_ssl_session *session = ssl->session_negotiate;
Jerry Yu8b41e892022-09-30 10:00:20 +0800710
Jerry Yu8b41e892022-09-30 10:00:20 +0800711 if( !ssl_tls13_has_configured_ticket( ssl ) )
712 return( -1 );
713
Jerry Yua99cbfa2022-10-08 11:17:14 +0800714 *hash_alg = ssl_tls13_get_ciphersuite_hash_alg( session->ciphersuite );
Jerry Yuf7c12592022-09-28 22:09:38 +0800715 *identity = session->ticket;
716 *identity_len = session->ticket_len;
717 return( 0 );
718}
719
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800720MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yu8b41e892022-09-30 10:00:20 +0800721static int ssl_tls13_ticket_get_psk( mbedtls_ssl_context *ssl,
Jerry Yua99cbfa2022-10-08 11:17:14 +0800722 psa_algorithm_t *hash_alg,
Jerry Yu8b41e892022-09-30 10:00:20 +0800723 const unsigned char **psk,
724 size_t *psk_len )
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800725{
726
727 mbedtls_ssl_session *session = ssl->session_negotiate;
728
Jerry Yu8b41e892022-09-30 10:00:20 +0800729 if( !ssl_tls13_has_configured_ticket( ssl ) )
730 return( -1 );
731
Jerry Yua99cbfa2022-10-08 11:17:14 +0800732 *hash_alg = ssl_tls13_get_ciphersuite_hash_alg( session->ciphersuite );
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800733 *psk = session->resumption_key;
734 *psk_len = session->resumption_key_len;
735
736 return( 0 );
737}
Jerry Yuf7c12592022-09-28 22:09:38 +0800738#endif /* MBEDTLS_SSL_SESSION_TICKETS */
739
740MBEDTLS_CHECK_RETURN_CRITICAL
741static int ssl_tls13_psk_get_identity( mbedtls_ssl_context *ssl,
Jerry Yua99cbfa2022-10-08 11:17:14 +0800742 psa_algorithm_t *hash_alg,
Jerry Yuf7c12592022-09-28 22:09:38 +0800743 const unsigned char **identity,
744 size_t *identity_len )
745{
Jerry Yu8b41e892022-09-30 10:00:20 +0800746
Ronald Cron083da8e2022-10-20 15:53:51 +0200747 if( ! mbedtls_ssl_conf_has_static_psk( ssl->conf ) )
Jerry Yu8b41e892022-09-30 10:00:20 +0800748 return( -1 );
Jerry Yuf7c12592022-09-28 22:09:38 +0800749
Jerry Yua99cbfa2022-10-08 11:17:14 +0800750 *hash_alg = PSA_ALG_SHA_256;
Jerry Yuf7c12592022-09-28 22:09:38 +0800751 *identity = ssl->conf->psk_identity;
752 *identity_len = ssl->conf->psk_identity_len;
753 return( 0 );
754}
755
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800756MBEDTLS_CHECK_RETURN_CRITICAL
757static int ssl_tls13_psk_get_psk( mbedtls_ssl_context *ssl,
Jerry Yua99cbfa2022-10-08 11:17:14 +0800758 psa_algorithm_t *hash_alg,
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800759 const unsigned char **psk,
760 size_t *psk_len )
761{
Jerry Yu8b41e892022-09-30 10:00:20 +0800762
Ronald Cron083da8e2022-10-20 15:53:51 +0200763 if( ! mbedtls_ssl_conf_has_static_psk( ssl->conf ) )
Jerry Yu8b41e892022-09-30 10:00:20 +0800764 return( -1 );
765
Jerry Yua99cbfa2022-10-08 11:17:14 +0800766 *hash_alg = PSA_ALG_SHA_256;
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800767 *psk = ssl->conf->psk;
768 *psk_len = ssl->conf->psk_len;
769 return( 0 );
770}
771
Jerry Yuf75364b2022-09-30 10:30:31 +0800772static int ssl_tls13_get_configured_psk_count( mbedtls_ssl_context *ssl )
773{
774 int configured_psk_count = 0;
775#if defined(MBEDTLS_SSL_SESSION_TICKETS)
776 if( ssl_tls13_has_configured_ticket( ssl ) )
777 {
778 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Ticket is configured" ) );
779 configured_psk_count++;
780 }
781#endif
Ronald Crond29e13e2022-10-19 10:33:48 +0200782 if( mbedtls_ssl_conf_has_static_psk( ssl->conf ) )
Jerry Yuf75364b2022-09-30 10:30:31 +0800783 {
784 MBEDTLS_SSL_DEBUG_MSG( 3, ( "PSK is configured" ) );
785 configured_psk_count++;
786 }
787 return( configured_psk_count );
788}
789
Jerry Yuf7c12592022-09-28 22:09:38 +0800790MBEDTLS_CHECK_RETURN_CRITICAL
791static int ssl_tls13_write_identity( mbedtls_ssl_context *ssl,
792 unsigned char *buf,
793 unsigned char *end,
Jerry Yuf75364b2022-09-30 10:30:31 +0800794 const unsigned char *identity,
795 size_t identity_len,
796 uint32_t obfuscated_ticket_age,
797 size_t *out_len )
Jerry Yuf7c12592022-09-28 22:09:38 +0800798{
Jerry Yuf75364b2022-09-30 10:30:31 +0800799 ((void) ssl);
Jerry Yuf7c12592022-09-28 22:09:38 +0800800 *out_len = 0;
Jerry Yuf7c12592022-09-28 22:09:38 +0800801
802 /*
803 * - identity_len (2 bytes)
804 * - identity (psk_identity_len bytes)
805 * - obfuscated_ticket_age (4 bytes)
806 */
Jerry Yua99cbfa2022-10-08 11:17:14 +0800807 MBEDTLS_SSL_CHK_BUF_PTR( buf, end, 6 + identity_len );
Jerry Yuf7c12592022-09-28 22:09:38 +0800808
Jerry Yua99cbfa2022-10-08 11:17:14 +0800809 MBEDTLS_PUT_UINT16_BE( identity_len, buf, 0 );
810 memcpy( buf + 2, identity, identity_len );
811 MBEDTLS_PUT_UINT32_BE( obfuscated_ticket_age, buf, 2 + identity_len );
Jerry Yuf7c12592022-09-28 22:09:38 +0800812
Jerry Yua99cbfa2022-10-08 11:17:14 +0800813 MBEDTLS_SSL_DEBUG_BUF( 4, "write identity", buf, 6 + identity_len );
Jerry Yuf7c12592022-09-28 22:09:38 +0800814
815 *out_len = 6 + identity_len;
Jerry Yuf7c12592022-09-28 22:09:38 +0800816
817 return( 0 );
818}
819
Jerry Yu8b41e892022-09-30 10:00:20 +0800820MBEDTLS_CHECK_RETURN_CRITICAL
821static int ssl_tls13_write_binder( mbedtls_ssl_context *ssl,
822 unsigned char *buf,
823 unsigned char *end,
824 int psk_type,
Jerry Yu6183cc72022-09-30 11:08:57 +0800825 psa_algorithm_t hash_alg,
826 const unsigned char *psk,
827 size_t psk_len,
Jerry Yu8b41e892022-09-30 10:00:20 +0800828 size_t *out_len )
829{
830 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yu8b41e892022-09-30 10:00:20 +0800831 unsigned char binder_len;
Jerry Yua99cbfa2022-10-08 11:17:14 +0800832 unsigned char transcript[ MBEDTLS_TLS1_3_MD_MAX_SIZE ];
Jerry Yu8b41e892022-09-30 10:00:20 +0800833 size_t transcript_len = 0;
834
835 *out_len = 0;
836
Jerry Yu6183cc72022-09-30 11:08:57 +0800837 binder_len = PSA_HASH_LENGTH( hash_alg );
Jerry Yu8b41e892022-09-30 10:00:20 +0800838
839 /*
840 * - binder_len (1 bytes)
841 * - binder (binder_len bytes)
842 */
Jerry Yua99cbfa2022-10-08 11:17:14 +0800843 MBEDTLS_SSL_CHK_BUF_PTR( buf, end, 1 + binder_len );
Jerry Yu8b41e892022-09-30 10:00:20 +0800844
Jerry Yua99cbfa2022-10-08 11:17:14 +0800845 buf[0] = binder_len;
Jerry Yu8b41e892022-09-30 10:00:20 +0800846
847 /* Get current state of handshake transcript. */
848 ret = mbedtls_ssl_get_handshake_transcript(
Jerry Yu6183cc72022-09-30 11:08:57 +0800849 ssl, mbedtls_hash_info_md_from_psa( hash_alg ),
Jerry Yu6916e702022-10-10 21:33:51 +0800850 transcript, sizeof( transcript ), &transcript_len );
Jerry Yu8b41e892022-09-30 10:00:20 +0800851 if( ret != 0 )
852 return( ret );
853
Jerry Yu6183cc72022-09-30 11:08:57 +0800854 ret = mbedtls_ssl_tls13_create_psk_binder( ssl, hash_alg,
Jerry Yu8b41e892022-09-30 10:00:20 +0800855 psk, psk_len, psk_type,
Jerry Yua99cbfa2022-10-08 11:17:14 +0800856 transcript, buf + 1 );
Jerry Yu8b41e892022-09-30 10:00:20 +0800857 if( ret != 0 )
858 {
859 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_create_psk_binder", ret );
860 return( ret );
861 }
Jerry Yua99cbfa2022-10-08 11:17:14 +0800862 MBEDTLS_SSL_DEBUG_BUF( 4, "write binder", buf, 1 + binder_len );
Jerry Yu8b41e892022-09-30 10:00:20 +0800863
864 *out_len = 1 + binder_len;
865
Jerry Yu6916e702022-10-10 21:33:51 +0800866 return( 0 );
Jerry Yu8b41e892022-09-30 10:00:20 +0800867}
868
869/*
870 * mbedtls_ssl_tls13_write_identities_of_pre_shared_key_ext() structure:
871 *
872 * struct {
873 * opaque identity<1..2^16-1>;
874 * uint32 obfuscated_ticket_age;
875 * } PskIdentity;
876 *
877 * opaque PskBinderEntry<32..255>;
878 *
879 * struct {
880 * PskIdentity identities<7..2^16-1>;
881 * PskBinderEntry binders<33..2^16-1>;
882 * } OfferedPsks;
883 *
884 * struct {
885 * select (Handshake.msg_type) {
886 * case client_hello: OfferedPsks;
887 * ...
888 * };
889 * } PreSharedKeyExtension;
890 *
891 */
XiaokangQian3ad67bf2022-07-21 02:26:21 +0000892int mbedtls_ssl_tls13_write_identities_of_pre_shared_key_ext(
Jerry Yuf75364b2022-09-30 10:30:31 +0800893 mbedtls_ssl_context *ssl, unsigned char *buf, unsigned char *end,
894 size_t *out_len, size_t *binders_len )
XiaokangQianeb69aee2022-07-05 08:21:43 +0000895{
Jerry Yuf7c12592022-09-28 22:09:38 +0800896 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yuf75364b2022-09-30 10:30:31 +0800897 int configured_psk_count = 0;
Jerry Yuf7c12592022-09-28 22:09:38 +0800898 unsigned char *p = buf;
Jerry Yuf75364b2022-09-30 10:30:31 +0800899 psa_algorithm_t hash_alg;
900 const unsigned char *identity;
901 size_t identity_len;
Jerry Yuf7c12592022-09-28 22:09:38 +0800902 size_t l_binders_len = 0;
Jerry Yuf75364b2022-09-30 10:30:31 +0800903 size_t output_len;
Jerry Yuf7c12592022-09-28 22:09:38 +0800904
905 *out_len = 0;
906 *binders_len = 0;
907
908 /* Check if we have any PSKs to offer. If no, skip pre_shared_key */
Jerry Yuf75364b2022-09-30 10:30:31 +0800909 configured_psk_count = ssl_tls13_get_configured_psk_count( ssl );
910 if( configured_psk_count == 0 )
Jerry Yuf7c12592022-09-28 22:09:38 +0800911 {
912 MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip pre_shared_key extensions" ) );
913 return( 0 );
914 }
915
916 MBEDTLS_SSL_DEBUG_MSG( 4, ( "Pre-configured PSK number = %d",
Jerry Yuf75364b2022-09-30 10:30:31 +0800917 configured_psk_count ) );
918
Jerry Yuf7c12592022-09-28 22:09:38 +0800919 /* Check if we have space to write the extension, binders included.
920 * - extension_type (2 bytes)
921 * - extension_data_len (2 bytes)
922 * - identities_len (2 bytes)
923 */
924 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 6 );
925 p += 6;
926
Jerry Yuf75364b2022-09-30 10:30:31 +0800927#if defined(MBEDTLS_SSL_SESSION_TICKETS)
928 if( ssl_tls13_ticket_get_identity(
929 ssl, &hash_alg, &identity, &identity_len ) == 0 )
Jerry Yuf7c12592022-09-28 22:09:38 +0800930 {
Jerry Yuf75364b2022-09-30 10:30:31 +0800931#if defined(MBEDTLS_HAVE_TIME)
932 mbedtls_time_t now = mbedtls_time( NULL );
933 mbedtls_ssl_session *session = ssl->session_negotiate;
Jerry Yu6916e702022-10-10 21:33:51 +0800934 uint32_t obfuscated_ticket_age =
935 (uint32_t)( now - session->ticket_received );
Jerry Yua99cbfa2022-10-08 11:17:14 +0800936
Jerry Yuf75364b2022-09-30 10:30:31 +0800937 obfuscated_ticket_age *= 1000;
938 obfuscated_ticket_age += session->ticket_age_add;
Jerry Yua99cbfa2022-10-08 11:17:14 +0800939
Jerry Yuf7c12592022-09-28 22:09:38 +0800940 ret = ssl_tls13_write_identity( ssl, p, end,
Jerry Yuf75364b2022-09-30 10:30:31 +0800941 identity, identity_len,
942 obfuscated_ticket_age,
943 &output_len );
Jerry Yua99cbfa2022-10-08 11:17:14 +0800944#else
945 ret = ssl_tls13_write_identity( ssl, p, end, identity, identity_len,
946 0, &output_len );
947#endif /* MBEDTLS_HAVE_TIME */
Jerry Yuf7c12592022-09-28 22:09:38 +0800948 if( ret != 0 )
949 return( ret );
Jerry Yuf7c12592022-09-28 22:09:38 +0800950
Jerry Yuf75364b2022-09-30 10:30:31 +0800951 p += output_len;
Jerry Yua99cbfa2022-10-08 11:17:14 +0800952 l_binders_len += 1 + PSA_HASH_LENGTH( hash_alg );
Jerry Yuf75364b2022-09-30 10:30:31 +0800953 }
954#endif /* MBEDTLS_SSL_SESSION_TICKETS */
955
956 if( ssl_tls13_psk_get_identity(
957 ssl, &hash_alg, &identity, &identity_len ) == 0 )
Jerry Yuf7c12592022-09-28 22:09:38 +0800958 {
Jerry Yuf75364b2022-09-30 10:30:31 +0800959
Jerry Yua99cbfa2022-10-08 11:17:14 +0800960 ret = ssl_tls13_write_identity( ssl, p, end, identity, identity_len, 0,
Jerry Yuf75364b2022-09-30 10:30:31 +0800961 &output_len );
Jerry Yuf7c12592022-09-28 22:09:38 +0800962 if( ret != 0 )
963 return( ret );
Jerry Yuf75364b2022-09-30 10:30:31 +0800964
Jerry Yuf7c12592022-09-28 22:09:38 +0800965 p += output_len;
Jerry Yua99cbfa2022-10-08 11:17:14 +0800966 l_binders_len += 1 + PSA_HASH_LENGTH( hash_alg );
Jerry Yuf7c12592022-09-28 22:09:38 +0800967 }
968
969 MBEDTLS_SSL_DEBUG_MSG( 3,
970 ( "client hello, adding pre_shared_key extension, "
971 "omitting PSK binder list" ) );
Jerry Yua99cbfa2022-10-08 11:17:14 +0800972
973 /* Take into account the two bytes for the length of the binders. */
974 l_binders_len += 2;
Jerry Yu6916e702022-10-10 21:33:51 +0800975 /* Check if there is enough space for binders */
Jerry Yua99cbfa2022-10-08 11:17:14 +0800976 MBEDTLS_SSL_CHK_BUF_PTR( p, end, l_binders_len );
977
Jerry Yuf7c12592022-09-28 22:09:38 +0800978 /*
979 * - extension_type (2 bytes)
980 * - extension_data_len (2 bytes)
981 * - identities_len (2 bytes)
982 */
983 MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_PRE_SHARED_KEY, buf, 0 );
Jerry Yua99cbfa2022-10-08 11:17:14 +0800984 MBEDTLS_PUT_UINT16_BE( p - buf - 4 + l_binders_len , buf, 2 );
Jerry Yuf7c12592022-09-28 22:09:38 +0800985 MBEDTLS_PUT_UINT16_BE( p - buf - 6 , buf, 4 );
986
Jerry Yua99cbfa2022-10-08 11:17:14 +0800987 *out_len = ( p - buf ) + l_binders_len;
988 *binders_len = l_binders_len;
Jerry Yuf7c12592022-09-28 22:09:38 +0800989
990 MBEDTLS_SSL_DEBUG_BUF( 3, "pre_shared_key identities", buf, p - buf );
991
XiaokangQianeb69aee2022-07-05 08:21:43 +0000992 return( 0 );
993}
994
XiaokangQian86981952022-07-19 09:51:50 +0000995int mbedtls_ssl_tls13_write_binders_of_pre_shared_key_ext(
Jerry Yu0c6105b2022-08-12 17:26:40 +0800996 mbedtls_ssl_context *ssl, unsigned char *buf, unsigned char *end )
XiaokangQianeb69aee2022-07-05 08:21:43 +0000997{
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800998 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
999 unsigned char *p = buf;
Jerry Yu6183cc72022-09-30 11:08:57 +08001000 psa_algorithm_t hash_alg = PSA_ALG_NONE;
1001 const unsigned char *psk;
1002 size_t psk_len;
1003 size_t output_len;
Jerry Yu1a0a0f42022-09-28 22:11:02 +08001004
1005 /* Check if we have space to write binders_len.
1006 * - binders_len (2 bytes)
1007 */
1008 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 );
1009 p += 2;
1010
Jerry Yu6183cc72022-09-30 11:08:57 +08001011#if defined(MBEDTLS_SSL_SESSION_TICKETS)
1012 if( ssl_tls13_ticket_get_psk( ssl, &hash_alg, &psk, &psk_len ) == 0 )
Jerry Yu1a0a0f42022-09-28 22:11:02 +08001013 {
Jerry Yu6183cc72022-09-30 11:08:57 +08001014
Jerry Yu1a0a0f42022-09-28 22:11:02 +08001015 ret = ssl_tls13_write_binder( ssl, p, end,
1016 MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION,
Jerry Yu6183cc72022-09-30 11:08:57 +08001017 hash_alg, psk, psk_len,
Jerry Yu1a0a0f42022-09-28 22:11:02 +08001018 &output_len );
1019 if( ret != 0 )
1020 return( ret );
1021 p += output_len;
1022 }
Jerry Yu6183cc72022-09-30 11:08:57 +08001023#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Jerry Yu1a0a0f42022-09-28 22:11:02 +08001024
Jerry Yu6183cc72022-09-30 11:08:57 +08001025 if( ssl_tls13_psk_get_psk( ssl, &hash_alg, &psk, &psk_len ) == 0 )
Jerry Yu1a0a0f42022-09-28 22:11:02 +08001026 {
Jerry Yu6183cc72022-09-30 11:08:57 +08001027
Jerry Yu1a0a0f42022-09-28 22:11:02 +08001028 ret = ssl_tls13_write_binder( ssl, p, end,
1029 MBEDTLS_SSL_TLS1_3_PSK_EXTERNAL,
Jerry Yu6183cc72022-09-30 11:08:57 +08001030 hash_alg, psk, psk_len,
Jerry Yu1a0a0f42022-09-28 22:11:02 +08001031 &output_len );
1032 if( ret != 0 )
1033 return( ret );
1034 p += output_len;
1035 }
1036
1037 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding PSK binder list." ) );
1038
1039 /*
1040 * - binders_len (2 bytes)
1041 */
1042 MBEDTLS_PUT_UINT16_BE( p - buf - 2, buf, 0 );
1043
1044 MBEDTLS_SSL_DEBUG_BUF( 3, "pre_shared_key binders", buf, p - buf );
XiaokangQianeb69aee2022-07-05 08:21:43 +00001045
Jerry Yuc4bf5d62022-10-29 09:08:47 +08001046 mbedtls_ssl_tls13_set_hs_sent_ext_mask(
1047 ssl, MBEDTLS_TLS_EXT_PRE_SHARED_KEY );
Jerry Yu0c354a22022-08-29 15:25:36 +08001048
XiaokangQianeb69aee2022-07-05 08:21:43 +00001049 return( 0 );
1050}
Jerry Yu0c6105b2022-08-12 17:26:40 +08001051
1052/*
1053 * struct {
1054 * opaque identity<1..2^16-1>;
1055 * uint32 obfuscated_ticket_age;
1056 * } PskIdentity;
1057 *
1058 * opaque PskBinderEntry<32..255>;
1059 *
1060 * struct {
1061 *
1062 * select (Handshake.msg_type) {
1063 * ...
1064 * case server_hello: uint16 selected_identity;
1065 * };
1066 *
1067 * } PreSharedKeyExtension;
1068 *
1069 */
1070MBEDTLS_CHECK_RETURN_CRITICAL
1071static int ssl_tls13_parse_server_pre_shared_key_ext( mbedtls_ssl_context *ssl,
1072 const unsigned char *buf,
1073 const unsigned char *end )
1074{
Jerry Yua99cbfa2022-10-08 11:17:14 +08001075 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yub300e3c2022-09-28 22:12:07 +08001076 int selected_identity;
Jerry Yub300e3c2022-09-28 22:12:07 +08001077 const unsigned char *psk;
1078 size_t psk_len;
Jerry Yua99cbfa2022-10-08 11:17:14 +08001079 psa_algorithm_t hash_alg;
Jerry Yub300e3c2022-09-28 22:12:07 +08001080
Jerry Yua99cbfa2022-10-08 11:17:14 +08001081 MBEDTLS_SSL_CHK_BUF_READ_PTR( buf, end, 2 );
Jerry Yub300e3c2022-09-28 22:12:07 +08001082 selected_identity = MBEDTLS_GET_UINT16_BE( buf, 0 );
Jerry Yua99cbfa2022-10-08 11:17:14 +08001083
Jerry Yub300e3c2022-09-28 22:12:07 +08001084 MBEDTLS_SSL_DEBUG_MSG( 3, ( "selected_identity = %d", selected_identity ) );
Jerry Yua99cbfa2022-10-08 11:17:14 +08001085
Jerry Yu4a698342022-09-30 12:22:01 +08001086 if( selected_identity >= ssl_tls13_get_configured_psk_count( ssl ) )
Jerry Yub300e3c2022-09-28 22:12:07 +08001087 {
Jerry Yua99cbfa2022-10-08 11:17:14 +08001088 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Invalid PSK identity." ) );
Jerry Yu4a698342022-09-30 12:22:01 +08001089
1090 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
1091 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
1092 return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
Jerry Yub300e3c2022-09-28 22:12:07 +08001093 }
Jerry Yua99cbfa2022-10-08 11:17:14 +08001094
Jerry Yu4a698342022-09-30 12:22:01 +08001095#if defined(MBEDTLS_SSL_SESSION_TICKETS)
1096 if( selected_identity == 0 && ssl_tls13_has_configured_ticket( ssl ) )
Jerry Yub300e3c2022-09-28 22:12:07 +08001097 {
Jerry Yua99cbfa2022-10-08 11:17:14 +08001098 ret = ssl_tls13_ticket_get_psk( ssl, &hash_alg, &psk, &psk_len );
Jerry Yu4a698342022-09-30 12:22:01 +08001099 }
1100 else
1101#endif
Ronald Crond29e13e2022-10-19 10:33:48 +02001102 if( mbedtls_ssl_conf_has_static_psk( ssl->conf ) )
Jerry Yu4a698342022-09-30 12:22:01 +08001103 {
Jerry Yua99cbfa2022-10-08 11:17:14 +08001104 ret = ssl_tls13_psk_get_psk( ssl, &hash_alg, &psk, &psk_len );
Jerry Yub300e3c2022-09-28 22:12:07 +08001105 }
1106 else
1107 {
1108 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1109 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
1110 }
Jerry Yub300e3c2022-09-28 22:12:07 +08001111 if( ret != 0 )
1112 return( ret );
1113
1114 ret = mbedtls_ssl_set_hs_psk( ssl, psk, psk_len );
1115 if( ret != 0 )
1116 {
1117 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_set_hs_psk", ret );
Jerry Yu6916e702022-10-10 21:33:51 +08001118 return( ret );
Jerry Yub300e3c2022-09-28 22:12:07 +08001119 }
Jerry Yub300e3c2022-09-28 22:12:07 +08001120
Jerry Yu6916e702022-10-10 21:33:51 +08001121 return( 0 );
Jerry Yu0c6105b2022-08-12 17:26:40 +08001122}
Ronald Cron41a443a2022-10-04 16:38:25 +02001123#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */
XiaokangQianeb69aee2022-07-05 08:21:43 +00001124
Ronald Cron3d580bf2022-02-18 17:24:56 +01001125int mbedtls_ssl_tls13_write_client_hello_exts( mbedtls_ssl_context *ssl,
1126 unsigned char *buf,
1127 unsigned char *end,
1128 size_t *out_len )
Ronald Cron04fbd2b2022-02-18 12:06:07 +01001129{
1130 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1131 unsigned char *p = buf;
1132 size_t ext_len;
1133
1134 *out_len = 0;
1135
1136 /* Write supported_versions extension
1137 *
1138 * Supported Versions Extension is mandatory with TLS 1.3.
1139 */
1140 ret = ssl_tls13_write_supported_versions_ext( ssl, p, end, &ext_len );
1141 if( ret != 0 )
1142 return( ret );
1143 p += ext_len;
1144
1145 /* Echo the cookie if the server provided one in its preceding
1146 * HelloRetryRequest message.
1147 */
1148 ret = ssl_tls13_write_cookie_ext( ssl, p, end, &ext_len );
1149 if( ret != 0 )
1150 return( ret );
1151 p += ext_len;
1152
Ronald Cron766c0cd2022-10-18 12:17:11 +02001153#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)
Ronald Cron04fbd2b2022-02-18 12:06:07 +01001154 if( mbedtls_ssl_conf_tls13_some_ephemeral_enabled( ssl ) )
1155 {
1156 ret = ssl_tls13_write_key_share_ext( ssl, p, end, &ext_len );
1157 if( ret != 0 )
1158 return( ret );
1159 p += ext_len;
1160 }
Ronald Cron766c0cd2022-10-18 12:17:11 +02001161#endif
Ronald Cron04fbd2b2022-02-18 12:06:07 +01001162
Ronald Cron41a443a2022-10-04 16:38:25 +02001163#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
XiaokangQianeb69aee2022-07-05 08:21:43 +00001164 /* For PSK-based key exchange we need the pre_shared_key extension
1165 * and the psk_key_exchange_modes extension.
1166 *
1167 * The pre_shared_key extension MUST be the last extension in the
1168 * ClientHello. Servers MUST check that it is the last extension and
1169 * otherwise fail the handshake with an "illegal_parameter" alert.
1170 *
1171 * Add the psk_key_exchange_modes extension.
1172 */
1173 ret = ssl_tls13_write_psk_key_exchange_modes_ext( ssl, p, end, &ext_len );
1174 if( ret != 0 )
1175 return( ret );
1176 p += ext_len;
Ronald Cron41a443a2022-10-04 16:38:25 +02001177#endif
XiaokangQianeb69aee2022-07-05 08:21:43 +00001178
Ronald Cron04fbd2b2022-02-18 12:06:07 +01001179 *out_len = p - buf;
1180
1181 return( 0 );
1182}
1183
Jerry Yu1bc2c1f2021-09-01 12:57:29 +08001184/*
Jerry Yu4a173382021-10-11 21:45:31 +08001185 * Functions for parsing and processing Server Hello
Jerry Yue1b9c292021-09-10 10:08:31 +08001186 */
Ronald Cronfd6193c2022-04-05 11:04:20 +02001187
Ronald Cronda41b382022-03-30 09:57:11 +02001188/**
1189 * \brief Detect if the ServerHello contains a supported_versions extension
1190 * or not.
1191 *
1192 * \param[in] ssl SSL context
1193 * \param[in] buf Buffer containing the ServerHello message
1194 * \param[in] end End of the buffer containing the ServerHello message
1195 *
1196 * \return 0 if the ServerHello does not contain a supported_versions extension
1197 * \return 1 if the ServerHello contains a supported_versions extension
1198 * \return A negative value if an error occurred while parsing the ServerHello.
1199 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +02001200MBEDTLS_CHECK_RETURN_CRITICAL
Ronald Cron9f0fba32022-02-10 16:45:15 +01001201static int ssl_tls13_is_supported_versions_ext_present(
1202 mbedtls_ssl_context *ssl,
1203 const unsigned char *buf,
1204 const unsigned char *end )
1205{
1206 const unsigned char *p = buf;
1207 size_t legacy_session_id_echo_len;
1208 size_t extensions_len;
1209 const unsigned char *extensions_end;
1210
1211 /*
1212 * Check there is enough data to access the legacy_session_id_echo vector
Ronald Cronda41b382022-03-30 09:57:11 +02001213 * length:
1214 * - legacy_version 2 bytes
1215 * - random MBEDTLS_SERVER_HELLO_RANDOM_LEN bytes
1216 * - legacy_session_id_echo length 1 byte
Ronald Cron9f0fba32022-02-10 16:45:15 +01001217 */
1218 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, MBEDTLS_SERVER_HELLO_RANDOM_LEN + 3 );
1219 p += MBEDTLS_SERVER_HELLO_RANDOM_LEN + 2;
1220 legacy_session_id_echo_len = *p;
1221
1222 /*
1223 * Jump to the extensions, jumping over:
1224 * - legacy_session_id_echo (legacy_session_id_echo_len + 1) bytes
1225 * - cipher_suite 2 bytes
1226 * - legacy_compression_method 1 byte
1227 */
Ronald Cron28271062022-06-10 14:43:55 +02001228 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, legacy_session_id_echo_len + 4 );
Ronald Cron9f0fba32022-02-10 16:45:15 +01001229 p += legacy_session_id_echo_len + 4;
1230
1231 /* Case of no extension */
1232 if( p == end )
1233 return( 0 );
1234
1235 /* ...
1236 * Extension extensions<6..2^16-1>;
1237 * ...
1238 * struct {
1239 * ExtensionType extension_type; (2 bytes)
1240 * opaque extension_data<0..2^16-1>;
1241 * } Extension;
1242 */
1243 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
1244 extensions_len = MBEDTLS_GET_UINT16_BE( p, 0 );
1245 p += 2;
1246
1247 /* Check extensions do not go beyond the buffer of data. */
1248 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, extensions_len );
1249 extensions_end = p + extensions_len;
1250
1251 while( p < extensions_end )
1252 {
1253 unsigned int extension_type;
1254 size_t extension_data_len;
1255
1256 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, 4 );
1257 extension_type = MBEDTLS_GET_UINT16_BE( p, 0 );
1258 extension_data_len = MBEDTLS_GET_UINT16_BE( p, 2 );
1259 p += 4;
1260
1261 if( extension_type == MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS )
1262 return( 1 );
1263
1264 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, extension_data_len );
1265 p += extension_data_len;
1266 }
1267
1268 return( 0 );
1269}
1270
Jerry Yu7a186a02021-10-15 18:46:14 +08001271/* Returns a negative value on failure, and otherwise
Ronald Cronfd6193c2022-04-05 11:04:20 +02001272 * - 1 if the last eight bytes of the ServerHello random bytes indicate that
1273 * the server is TLS 1.3 capable but negotiating TLS 1.2 or below.
1274 * - 0 otherwise
1275 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +02001276MBEDTLS_CHECK_RETURN_CRITICAL
Ronald Cronfd6193c2022-04-05 11:04:20 +02001277static int ssl_tls13_is_downgrade_negotiation( mbedtls_ssl_context *ssl,
1278 const unsigned char *buf,
1279 const unsigned char *end )
1280{
1281 /* First seven bytes of the magic downgrade strings, see RFC 8446 4.1.3 */
1282 static const unsigned char magic_downgrade_string[] =
1283 { 0x44, 0x4F, 0x57, 0x4E, 0x47, 0x52, 0x44 };
1284 const unsigned char *last_eight_bytes_of_random;
1285 unsigned char last_byte_of_random;
1286
1287 MBEDTLS_SSL_CHK_BUF_READ_PTR( buf, end, MBEDTLS_SERVER_HELLO_RANDOM_LEN + 2 );
1288 last_eight_bytes_of_random = buf + 2 + MBEDTLS_SERVER_HELLO_RANDOM_LEN - 8;
1289
1290 if( memcmp( last_eight_bytes_of_random,
1291 magic_downgrade_string,
1292 sizeof( magic_downgrade_string ) ) == 0 )
1293 {
1294 last_byte_of_random = last_eight_bytes_of_random[7];
1295 return( last_byte_of_random == 0 ||
1296 last_byte_of_random == 1 );
1297 }
1298
1299 return( 0 );
1300}
1301
1302/* Returns a negative value on failure, and otherwise
Ronald Cron828aff62022-05-31 12:04:31 +02001303 * - SSL_SERVER_HELLO or
1304 * - SSL_SERVER_HELLO_HRR
XiaokangQian51eff222021-12-10 10:33:56 +00001305 * to indicate which message is expected and to be parsed next.
1306 */
Ronald Cron828aff62022-05-31 12:04:31 +02001307#define SSL_SERVER_HELLO 0
1308#define SSL_SERVER_HELLO_HRR 1
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +02001309MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yub85277e2021-10-13 13:36:05 +08001310static int ssl_server_hello_is_hrr( mbedtls_ssl_context *ssl,
1311 const unsigned char *buf,
1312 const unsigned char *end )
Jerry Yue1b9c292021-09-10 10:08:31 +08001313{
Jerry Yue1b9c292021-09-10 10:08:31 +08001314
1315 /* Check whether this message is a HelloRetryRequest ( HRR ) message.
1316 *
Jerry Yu4a173382021-10-11 21:45:31 +08001317 * Server Hello and HRR are only distinguished by Random set to the
Jerry Yue1b9c292021-09-10 10:08:31 +08001318 * special value of the SHA-256 of "HelloRetryRequest".
1319 *
1320 * struct {
1321 * ProtocolVersion legacy_version = 0x0303;
1322 * Random random;
1323 * opaque legacy_session_id_echo<0..32>;
1324 * CipherSuite cipher_suite;
1325 * uint8 legacy_compression_method = 0;
Jerry Yub85277e2021-10-13 13:36:05 +08001326 * Extension extensions<6..2^16-1>;
Jerry Yue1b9c292021-09-10 10:08:31 +08001327 * } ServerHello;
1328 *
1329 */
Jerry Yu93a13f22022-04-11 23:00:01 +08001330 MBEDTLS_SSL_CHK_BUF_READ_PTR( buf, end,
1331 2 + sizeof( mbedtls_ssl_tls13_hello_retry_request_magic ) );
Jerry Yu4a173382021-10-11 21:45:31 +08001332
Jerry Yu93a13f22022-04-11 23:00:01 +08001333 if( memcmp( buf + 2, mbedtls_ssl_tls13_hello_retry_request_magic,
1334 sizeof( mbedtls_ssl_tls13_hello_retry_request_magic ) ) == 0 )
Jerry Yue1b9c292021-09-10 10:08:31 +08001335 {
Ronald Cron828aff62022-05-31 12:04:31 +02001336 return( SSL_SERVER_HELLO_HRR );
Jerry Yue1b9c292021-09-10 10:08:31 +08001337 }
1338
Ronald Cron828aff62022-05-31 12:04:31 +02001339 return( SSL_SERVER_HELLO );
Jerry Yue1b9c292021-09-10 10:08:31 +08001340}
1341
Ronald Cron828aff62022-05-31 12:04:31 +02001342/*
Jerry Yu745bb612021-10-13 22:01:04 +08001343 * Returns a negative value on failure, and otherwise
Ronald Cron828aff62022-05-31 12:04:31 +02001344 * - SSL_SERVER_HELLO or
1345 * - SSL_SERVER_HELLO_HRR or
1346 * - SSL_SERVER_HELLO_TLS1_2
Jerry Yu745bb612021-10-13 22:01:04 +08001347 */
Ronald Cron828aff62022-05-31 12:04:31 +02001348#define SSL_SERVER_HELLO_TLS1_2 2
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +02001349MBEDTLS_CHECK_RETURN_CRITICAL
Ronald Cron828aff62022-05-31 12:04:31 +02001350static int ssl_tls13_preprocess_server_hello( mbedtls_ssl_context *ssl,
Ronald Crondb5dfa12022-05-31 11:44:38 +02001351 const unsigned char *buf,
1352 const unsigned char *end )
Jerry Yue1b9c292021-09-10 10:08:31 +08001353{
Jerry Yu4a173382021-10-11 21:45:31 +08001354 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Ronald Cron5afb9042022-05-31 12:11:39 +02001355 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
Jerry Yue1b9c292021-09-10 10:08:31 +08001356
Ronald Cron9f0fba32022-02-10 16:45:15 +01001357 MBEDTLS_SSL_PROC_CHK_NEG( ssl_tls13_is_supported_versions_ext_present(
Ronald Crondb5dfa12022-05-31 11:44:38 +02001358 ssl, buf, end ) );
Jerry Yua66fece2022-07-13 14:30:29 +08001359
Ronald Cron9f0fba32022-02-10 16:45:15 +01001360 if( ret == 0 )
1361 {
Ronald Cronfd6193c2022-04-05 11:04:20 +02001362 MBEDTLS_SSL_PROC_CHK_NEG(
Ronald Crondb5dfa12022-05-31 11:44:38 +02001363 ssl_tls13_is_downgrade_negotiation( ssl, buf, end ) );
Ronald Cronfd6193c2022-04-05 11:04:20 +02001364
1365 /* If the server is negotiating TLS 1.2 or below and:
1366 * . we did not propose TLS 1.2 or
1367 * . the server responded it is TLS 1.3 capable but negotiating a lower
1368 * version of the protocol and thus we are under downgrade attack
1369 * abort the handshake with an "illegal parameter" alert.
Ronald Cron9f0fba32022-02-10 16:45:15 +01001370 */
Ronald Cron5afb9042022-05-31 12:11:39 +02001371 if( handshake->min_tls_version > MBEDTLS_SSL_VERSION_TLS1_2 || ret )
Ronald Cron9f0fba32022-02-10 16:45:15 +01001372 {
1373 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
1374 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
1375 return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
1376 }
1377
1378 ssl->keep_current_message = 1;
Glenn Strauss60bfe602022-03-14 19:04:24 -04001379 ssl->tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
Ronald Cron9f0fba32022-02-10 16:45:15 +01001380 mbedtls_ssl_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_SERVER_HELLO,
Ronald Crondb5dfa12022-05-31 11:44:38 +02001381 buf, (size_t)(end - buf) );
Ronald Cron9f0fba32022-02-10 16:45:15 +01001382
1383 if( mbedtls_ssl_conf_tls13_some_ephemeral_enabled( ssl ) )
1384 {
1385 ret = ssl_tls13_reset_key_share( ssl );
1386 if( ret != 0 )
1387 return( ret );
1388 }
1389
Ronald Cron828aff62022-05-31 12:04:31 +02001390 return( SSL_SERVER_HELLO_TLS1_2 );
Ronald Cron9f0fba32022-02-10 16:45:15 +01001391 }
1392
Jerry Yua66fece2022-07-13 14:30:29 +08001393#if defined(MBEDTLS_SSL_SESSION_TICKETS)
1394 ssl->session_negotiate->endpoint = ssl->conf->endpoint;
1395 ssl->session_negotiate->tls_version = ssl->tls_version;
1396#endif /* MBEDTLS_SSL_SESSION_TICKETS */
1397
Jerry Yu0c354a22022-08-29 15:25:36 +08001398 handshake->received_extensions = MBEDTLS_SSL_EXT_NONE;
Ronald Cron5afb9042022-05-31 12:11:39 +02001399
Ronald Crondb5dfa12022-05-31 11:44:38 +02001400 ret = ssl_server_hello_is_hrr( ssl, buf, end );
Jerry Yub85277e2021-10-13 13:36:05 +08001401 switch( ret )
Jerry Yue1b9c292021-09-10 10:08:31 +08001402 {
Ronald Cron828aff62022-05-31 12:04:31 +02001403 case SSL_SERVER_HELLO:
Jerry Yu745bb612021-10-13 22:01:04 +08001404 MBEDTLS_SSL_DEBUG_MSG( 2, ( "received ServerHello message" ) );
1405 break;
Ronald Cron828aff62022-05-31 12:04:31 +02001406 case SSL_SERVER_HELLO_HRR:
Jerry Yu745bb612021-10-13 22:01:04 +08001407 MBEDTLS_SSL_DEBUG_MSG( 2, ( "received HelloRetryRequest message" ) );
XiaokangQian16acd4b2022-01-14 07:35:47 +00001408 /* If a client receives a second
1409 * HelloRetryRequest in the same connection (i.e., where the ClientHello
1410 * was itself in response to a HelloRetryRequest), it MUST abort the
1411 * handshake with an "unexpected_message" alert.
1412 */
Ronald Cron5afb9042022-05-31 12:11:39 +02001413 if( handshake->hello_retry_request_count > 0 )
XiaokangQian16acd4b2022-01-14 07:35:47 +00001414 {
1415 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Multiple HRRs received" ) );
1416 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE,
1417 MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
1418 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
1419 }
XiaokangQian2b01dc32022-01-21 02:53:13 +00001420 /*
1421 * Clients must abort the handshake with an "illegal_parameter"
1422 * alert if the HelloRetryRequest would not result in any change
1423 * in the ClientHello.
1424 * In a PSK only key exchange that what we expect.
1425 */
1426 if( ! mbedtls_ssl_conf_tls13_some_ephemeral_enabled( ssl ) )
1427 {
1428 MBEDTLS_SSL_DEBUG_MSG( 1,
1429 ( "Unexpected HRR in pure PSK key exchange." ) );
1430 MBEDTLS_SSL_PEND_FATAL_ALERT(
1431 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
1432 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
1433 return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
1434 }
XiaokangQian16acd4b2022-01-14 07:35:47 +00001435
Ronald Cron5afb9042022-05-31 12:11:39 +02001436 handshake->hello_retry_request_count++;
XiaokangQian16acd4b2022-01-14 07:35:47 +00001437
Jerry Yu745bb612021-10-13 22:01:04 +08001438 break;
Jerry Yue1b9c292021-09-10 10:08:31 +08001439 }
1440
1441cleanup:
1442
1443 return( ret );
1444}
1445
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +02001446MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yu4a173382021-10-11 21:45:31 +08001447static int ssl_tls13_check_server_hello_session_id_echo( mbedtls_ssl_context *ssl,
1448 const unsigned char **buf,
1449 const unsigned char *end )
Jerry Yue1b9c292021-09-10 10:08:31 +08001450{
1451 const unsigned char *p = *buf;
Jerry Yu4a173382021-10-11 21:45:31 +08001452 size_t legacy_session_id_echo_len;
Jerry Yue1b9c292021-09-10 10:08:31 +08001453
Jerry Yude4fb2c2021-09-19 18:05:08 +08001454 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 1 );
Jerry Yu4a173382021-10-11 21:45:31 +08001455 legacy_session_id_echo_len = *p++ ;
Jerry Yue1b9c292021-09-10 10:08:31 +08001456
Jerry Yu4a173382021-10-11 21:45:31 +08001457 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, legacy_session_id_echo_len );
Jerry Yue1b9c292021-09-10 10:08:31 +08001458
1459 /* legacy_session_id_echo */
Jerry Yu4a173382021-10-11 21:45:31 +08001460 if( ssl->session_negotiate->id_len != legacy_session_id_echo_len ||
1461 memcmp( ssl->session_negotiate->id, p , legacy_session_id_echo_len ) != 0 )
Jerry Yue1b9c292021-09-10 10:08:31 +08001462 {
Jerry Yue1b9c292021-09-10 10:08:31 +08001463 MBEDTLS_SSL_DEBUG_BUF( 3, "Expected Session ID",
1464 ssl->session_negotiate->id,
1465 ssl->session_negotiate->id_len );
1466 MBEDTLS_SSL_DEBUG_BUF( 3, "Received Session ID", p,
Jerry Yu4a173382021-10-11 21:45:31 +08001467 legacy_session_id_echo_len );
1468
1469 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
1470 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
1471
Jerry Yue1b9c292021-09-10 10:08:31 +08001472 return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
1473 }
1474
Jerry Yu4a173382021-10-11 21:45:31 +08001475 p += legacy_session_id_echo_len;
Jerry Yue1b9c292021-09-10 10:08:31 +08001476 *buf = p;
1477
1478 MBEDTLS_SSL_DEBUG_BUF( 3, "Session ID", ssl->session_negotiate->id,
Jerry Yu4a173382021-10-11 21:45:31 +08001479 ssl->session_negotiate->id_len );
Jerry Yue1b9c292021-09-10 10:08:31 +08001480 return( 0 );
1481}
1482
Jerry Yue1b9c292021-09-10 10:08:31 +08001483/* Parse ServerHello message and configure context
1484 *
1485 * struct {
1486 * ProtocolVersion legacy_version = 0x0303; // TLS 1.2
1487 * Random random;
1488 * opaque legacy_session_id_echo<0..32>;
1489 * CipherSuite cipher_suite;
1490 * uint8 legacy_compression_method = 0;
Jerry Yub85277e2021-10-13 13:36:05 +08001491 * Extension extensions<6..2^16-1>;
Jerry Yue1b9c292021-09-10 10:08:31 +08001492 * } ServerHello;
1493 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +02001494MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yuc068b662021-10-11 22:30:19 +08001495static int ssl_tls13_parse_server_hello( mbedtls_ssl_context *ssl,
1496 const unsigned char *buf,
XiaokangQiand9e068e2022-01-18 06:23:32 +00001497 const unsigned char *end,
1498 int is_hrr )
Jerry Yue1b9c292021-09-10 10:08:31 +08001499{
Jerry Yub85277e2021-10-13 13:36:05 +08001500 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yue1b9c292021-09-10 10:08:31 +08001501 const unsigned char *p = buf;
XiaokangQian355e09a2022-01-20 11:14:50 +00001502 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
Jerry Yub85277e2021-10-13 13:36:05 +08001503 size_t extensions_len;
1504 const unsigned char *extensions_end;
Jerry Yue1b9c292021-09-10 10:08:31 +08001505 uint16_t cipher_suite;
Jerry Yude4fb2c2021-09-19 18:05:08 +08001506 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
XiaokangQianb119a352022-01-26 03:29:10 +00001507 int fatal_alert = 0;
Jerry Yu0c354a22022-08-29 15:25:36 +08001508 uint32_t allowed_extensions_mask;
Jerry Yue1b9c292021-09-10 10:08:31 +08001509
1510 /*
1511 * Check there is space for minimal fields
1512 *
1513 * - legacy_version ( 2 bytes)
Jerry Yue6d7e5c2021-10-26 10:44:32 +08001514 * - random (MBEDTLS_SERVER_HELLO_RANDOM_LEN bytes)
Jerry Yue1b9c292021-09-10 10:08:31 +08001515 * - legacy_session_id_echo ( 1 byte ), minimum size
1516 * - cipher_suite ( 2 bytes)
1517 * - legacy_compression_method ( 1 byte )
1518 */
Jerry Yue6d7e5c2021-10-26 10:44:32 +08001519 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, MBEDTLS_SERVER_HELLO_RANDOM_LEN + 6 );
Jerry Yue1b9c292021-09-10 10:08:31 +08001520
1521 MBEDTLS_SSL_DEBUG_BUF( 4, "server hello", p, end - p );
Jerry Yue1b9c292021-09-10 10:08:31 +08001522 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, version", p, 2 );
1523
Jerry Yu4a173382021-10-11 21:45:31 +08001524 /* ...
Jerry Yub85277e2021-10-13 13:36:05 +08001525 * ProtocolVersion legacy_version = 0x0303; // TLS 1.2
Jerry Yu4a173382021-10-11 21:45:31 +08001526 * ...
1527 * with ProtocolVersion defined as:
1528 * uint16 ProtocolVersion;
1529 */
Glenn Strausse3af4cb2022-03-15 03:23:42 -04001530 if( mbedtls_ssl_read_version( p, ssl->conf->transport ) !=
1531 MBEDTLS_SSL_VERSION_TLS1_2 )
Jerry Yue1b9c292021-09-10 10:08:31 +08001532 {
1533 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Unsupported version of TLS." ) );
1534 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION,
1535 MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION );
XiaokangQiand59be772022-01-24 10:12:51 +00001536 ret = MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION;
1537 goto cleanup;
Jerry Yue1b9c292021-09-10 10:08:31 +08001538 }
1539 p += 2;
Jerry Yue1b9c292021-09-10 10:08:31 +08001540
Jerry Yue6d7e5c2021-10-26 10:44:32 +08001541 /* ...
Jerry Yu4a173382021-10-11 21:45:31 +08001542 * Random random;
1543 * ...
1544 * with Random defined as:
Jerry Yue6d7e5c2021-10-26 10:44:32 +08001545 * opaque Random[MBEDTLS_SERVER_HELLO_RANDOM_LEN];
Jerry Yu4a173382021-10-11 21:45:31 +08001546 */
XiaokangQian53f20b72022-01-18 10:47:33 +00001547 if( !is_hrr )
1548 {
XiaokangQian355e09a2022-01-20 11:14:50 +00001549 memcpy( &handshake->randbytes[MBEDTLS_CLIENT_HELLO_RANDOM_LEN], p,
XiaokangQian53f20b72022-01-18 10:47:33 +00001550 MBEDTLS_SERVER_HELLO_RANDOM_LEN );
1551 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, random bytes",
1552 p, MBEDTLS_SERVER_HELLO_RANDOM_LEN );
1553 }
Jerry Yue6d7e5c2021-10-26 10:44:32 +08001554 p += MBEDTLS_SERVER_HELLO_RANDOM_LEN;
Jerry Yue1b9c292021-09-10 10:08:31 +08001555
Jerry Yu4a173382021-10-11 21:45:31 +08001556 /* ...
1557 * opaque legacy_session_id_echo<0..32>;
1558 * ...
1559 */
1560 if( ssl_tls13_check_server_hello_session_id_echo( ssl, &p, end ) != 0 )
Jerry Yue1b9c292021-09-10 10:08:31 +08001561 {
XiaokangQian52da5582022-01-26 09:49:29 +00001562 fatal_alert = MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER;
XiaokangQiand59be772022-01-24 10:12:51 +00001563 goto cleanup;
Jerry Yue1b9c292021-09-10 10:08:31 +08001564 }
1565
Jerry Yu4a173382021-10-11 21:45:31 +08001566 /* ...
1567 * CipherSuite cipher_suite;
1568 * ...
1569 * with CipherSuite defined as:
1570 * uint8 CipherSuite[2];
1571 */
1572 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
Jerry Yue1b9c292021-09-10 10:08:31 +08001573 cipher_suite = MBEDTLS_GET_UINT16_BE( p, 0 );
1574 p += 2;
1575
Jerry Yu4a173382021-10-11 21:45:31 +08001576
XiaokangQian355e09a2022-01-20 11:14:50 +00001577 ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( cipher_suite );
Jerry Yu4a173382021-10-11 21:45:31 +08001578 /*
Ronald Cronba120bb2022-03-30 22:09:48 +02001579 * Check whether this ciphersuite is valid and offered.
Jerry Yu4a173382021-10-11 21:45:31 +08001580 */
Glenn Strauss60bfe602022-03-14 19:04:24 -04001581 if( ( mbedtls_ssl_validate_ciphersuite( ssl, ciphersuite_info,
1582 ssl->tls_version,
1583 ssl->tls_version ) != 0 ) ||
XiaokangQian08037552022-04-20 07:16:41 +00001584 !mbedtls_ssl_tls13_cipher_suite_is_offered( ssl, cipher_suite ) )
Jerry Yue1b9c292021-09-10 10:08:31 +08001585 {
XiaokangQian52da5582022-01-26 09:49:29 +00001586 fatal_alert = MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER;
Jerry Yue1b9c292021-09-10 10:08:31 +08001587 }
XiaokangQian53f20b72022-01-18 10:47:33 +00001588 /*
XiaokangQian355e09a2022-01-20 11:14:50 +00001589 * If we received an HRR before and that the proposed selected
1590 * ciphersuite in this server hello is not the same as the one
1591 * proposed in the HRR, we abort the handshake and send an
1592 * "illegal_parameter" alert.
XiaokangQian53f20b72022-01-18 10:47:33 +00001593 */
XiaokangQian355e09a2022-01-20 11:14:50 +00001594 else if( ( !is_hrr ) && ( handshake->hello_retry_request_count > 0 ) &&
1595 ( cipher_suite != ssl->session_negotiate->ciphersuite ) )
XiaokangQian53f20b72022-01-18 10:47:33 +00001596 {
XiaokangQian52da5582022-01-26 09:49:29 +00001597 fatal_alert = MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER;
XiaokangQian355e09a2022-01-20 11:14:50 +00001598 }
XiaokangQian53f20b72022-01-18 10:47:33 +00001599
XiaokangQian52da5582022-01-26 09:49:29 +00001600 if( fatal_alert == MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER )
XiaokangQian355e09a2022-01-20 11:14:50 +00001601 {
1602 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid ciphersuite(%04x) parameter",
1603 cipher_suite ) );
XiaokangQiand59be772022-01-24 10:12:51 +00001604 goto cleanup;
XiaokangQian53f20b72022-01-18 10:47:33 +00001605 }
Jerry Yue1b9c292021-09-10 10:08:31 +08001606
Jerry Yu4a173382021-10-11 21:45:31 +08001607 /* Configure ciphersuites */
1608 mbedtls_ssl_optimize_checksum( ssl, ciphersuite_info );
1609
XiaokangQian355e09a2022-01-20 11:14:50 +00001610 handshake->ciphersuite_info = ciphersuite_info;
Jerry Yue1b9c292021-09-10 10:08:31 +08001611 ssl->session_negotiate->ciphersuite = cipher_suite;
1612
Jerry Yue1b9c292021-09-10 10:08:31 +08001613 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: ( %04x ) - %s",
1614 cipher_suite, ciphersuite_info->name ) );
1615
1616#if defined(MBEDTLS_HAVE_TIME)
1617 ssl->session_negotiate->start = time( NULL );
1618#endif /* MBEDTLS_HAVE_TIME */
1619
Jerry Yu4a173382021-10-11 21:45:31 +08001620 /* ...
1621 * uint8 legacy_compression_method = 0;
1622 * ...
Jerry Yue1b9c292021-09-10 10:08:31 +08001623 */
Jerry Yude4fb2c2021-09-19 18:05:08 +08001624 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 1 );
Thomas Daubney31e03a82022-07-25 15:59:25 +01001625 if( p[0] != MBEDTLS_SSL_COMPRESS_NULL )
Jerry Yue1b9c292021-09-10 10:08:31 +08001626 {
Jerry Yub85277e2021-10-13 13:36:05 +08001627 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad legacy compression method" ) );
XiaokangQian52da5582022-01-26 09:49:29 +00001628 fatal_alert = MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER;
XiaokangQiand59be772022-01-24 10:12:51 +00001629 goto cleanup;
Jerry Yue1b9c292021-09-10 10:08:31 +08001630 }
1631 p++;
1632
Jerry Yub85277e2021-10-13 13:36:05 +08001633 /* ...
1634 * Extension extensions<6..2^16-1>;
1635 * ...
Jerry Yu4a173382021-10-11 21:45:31 +08001636 * struct {
1637 * ExtensionType extension_type; (2 bytes)
1638 * opaque extension_data<0..2^16-1>;
1639 * } Extension;
1640 */
Jerry Yude4fb2c2021-09-19 18:05:08 +08001641 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
Jerry Yu4a173382021-10-11 21:45:31 +08001642 extensions_len = MBEDTLS_GET_UINT16_BE( p, 0 );
Jerry Yue1b9c292021-09-10 10:08:31 +08001643 p += 2;
Jerry Yude4fb2c2021-09-19 18:05:08 +08001644
Jerry Yu4a173382021-10-11 21:45:31 +08001645 /* Check extensions do not go beyond the buffer of data. */
1646 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, extensions_len );
1647 extensions_end = p + extensions_len;
Jerry Yue1b9c292021-09-10 10:08:31 +08001648
Jerry Yu4a173382021-10-11 21:45:31 +08001649 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello extensions", p, extensions_len );
Jerry Yue1b9c292021-09-10 10:08:31 +08001650
Jerry Yuc4bf5d62022-10-29 09:08:47 +08001651 handshake->received_extensions = MBEDTLS_SSL_EXT_NONE;
Jerry Yu0c354a22022-08-29 15:25:36 +08001652 allowed_extensions_mask = is_hrr ?
Jerry Yu2c5363e2022-08-04 17:42:49 +08001653 MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_HRR :
1654 MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_SH;
1655
Jerry Yu4a173382021-10-11 21:45:31 +08001656 while( p < extensions_end )
Jerry Yue1b9c292021-09-10 10:08:31 +08001657 {
1658 unsigned int extension_type;
1659 size_t extension_data_len;
XiaokangQian43550bd2022-01-21 04:32:58 +00001660 const unsigned char *extension_data_end;
Jerry Yue1b9c292021-09-10 10:08:31 +08001661
Jerry Yu4a173382021-10-11 21:45:31 +08001662 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, 4 );
Jerry Yue1b9c292021-09-10 10:08:31 +08001663 extension_type = MBEDTLS_GET_UINT16_BE( p, 0 );
1664 extension_data_len = MBEDTLS_GET_UINT16_BE( p, 2 );
1665 p += 4;
1666
Jerry Yu4a173382021-10-11 21:45:31 +08001667 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, extension_data_len );
XiaokangQian43550bd2022-01-21 04:32:58 +00001668 extension_data_end = p + extension_data_len;
Jerry Yue1b9c292021-09-10 10:08:31 +08001669
Jerry Yuc4bf5d62022-10-29 09:08:47 +08001670 ret = mbedtls_ssl_tls13_check_received_extension(
Jerry Yu0c354a22022-08-29 15:25:36 +08001671 ssl,
1672 is_hrr ?
1673 -MBEDTLS_SSL_HS_SERVER_HELLO : MBEDTLS_SSL_HS_SERVER_HELLO,
1674 extension_type,
1675 allowed_extensions_mask );
1676 if( ret != 0 )
1677 return( ret );
Jerry Yu2c5363e2022-08-04 17:42:49 +08001678
Jerry Yue1b9c292021-09-10 10:08:31 +08001679 switch( extension_type )
1680 {
XiaokangQianb851da82022-01-14 04:03:11 +00001681 case MBEDTLS_TLS_EXT_COOKIE:
1682
XiaokangQian43550bd2022-01-21 04:32:58 +00001683 ret = ssl_tls13_parse_cookie_ext( ssl,
1684 p, extension_data_end );
1685 if( ret != 0 )
XiaokangQianb851da82022-01-14 04:03:11 +00001686 {
XiaokangQian43550bd2022-01-21 04:32:58 +00001687 MBEDTLS_SSL_DEBUG_RET( 1,
1688 "ssl_tls13_parse_cookie_ext",
1689 ret );
XiaokangQiand59be772022-01-24 10:12:51 +00001690 goto cleanup;
XiaokangQianb851da82022-01-14 04:03:11 +00001691 }
XiaokangQianb851da82022-01-14 04:03:11 +00001692 break;
XiaokangQianb851da82022-01-14 04:03:11 +00001693
Jerry Yue1b9c292021-09-10 10:08:31 +08001694 case MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS:
Jerry Yuc068b662021-10-11 22:30:19 +08001695 ret = ssl_tls13_parse_supported_versions_ext( ssl,
Jerry Yub85277e2021-10-13 13:36:05 +08001696 p,
XiaokangQian43550bd2022-01-21 04:32:58 +00001697 extension_data_end );
Jerry Yue1b9c292021-09-10 10:08:31 +08001698 if( ret != 0 )
XiaokangQiand59be772022-01-24 10:12:51 +00001699 goto cleanup;
Jerry Yue1b9c292021-09-10 10:08:31 +08001700 break;
1701
Ronald Cron41a443a2022-10-04 16:38:25 +02001702#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
Jerry Yue1b9c292021-09-10 10:08:31 +08001703 case MBEDTLS_TLS_EXT_PRE_SHARED_KEY:
XiaokangQianeb69aee2022-07-05 08:21:43 +00001704 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found pre_shared_key extension" ) );
Jerry Yu4a173382021-10-11 21:45:31 +08001705
XiaokangQian86981952022-07-19 09:51:50 +00001706 if( ( ret = ssl_tls13_parse_server_pre_shared_key_ext(
XiaokangQian008d2bf2022-07-14 07:54:01 +00001707 ssl, p, extension_data_end ) ) != 0 )
XiaokangQianeb69aee2022-07-05 08:21:43 +00001708 {
1709 MBEDTLS_SSL_DEBUG_RET(
XiaokangQian86981952022-07-19 09:51:50 +00001710 1, ( "ssl_tls13_parse_server_pre_shared_key_ext" ), ret );
XiaokangQianeb69aee2022-07-05 08:21:43 +00001711 return( ret );
1712 }
1713 break;
Ronald Cron41a443a2022-10-04 16:38:25 +02001714#endif
Jerry Yue1b9c292021-09-10 10:08:31 +08001715
Jerry Yue1b9c292021-09-10 10:08:31 +08001716 case MBEDTLS_TLS_EXT_KEY_SHARE:
1717 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found key_shares extension" ) );
XiaokangQiand59be772022-01-24 10:12:51 +00001718 if( ! mbedtls_ssl_conf_tls13_some_ephemeral_enabled( ssl ) )
1719 {
XiaokangQian52da5582022-01-26 09:49:29 +00001720 fatal_alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT;
XiaokangQiand59be772022-01-24 10:12:51 +00001721 goto cleanup;
1722 }
1723
XiaokangQian53f20b72022-01-18 10:47:33 +00001724 if( is_hrr )
XiaokangQiand9e068e2022-01-18 06:23:32 +00001725 ret = ssl_tls13_parse_hrr_key_share_ext( ssl,
XiaokangQian43550bd2022-01-21 04:32:58 +00001726 p, extension_data_end );
XiaokangQian53f20b72022-01-18 10:47:33 +00001727 else
XiaokangQianb851da82022-01-14 04:03:11 +00001728 ret = ssl_tls13_parse_key_share_ext( ssl,
XiaokangQian43550bd2022-01-21 04:32:58 +00001729 p, extension_data_end );
XiaokangQianb851da82022-01-14 04:03:11 +00001730 if( ret != 0 )
Jerry Yue1b9c292021-09-10 10:08:31 +08001731 {
1732 MBEDTLS_SSL_DEBUG_RET( 1,
Jerry Yu4a173382021-10-11 21:45:31 +08001733 "ssl_tls13_parse_key_share_ext",
Jerry Yue1b9c292021-09-10 10:08:31 +08001734 ret );
XiaokangQiand59be772022-01-24 10:12:51 +00001735 goto cleanup;
Jerry Yue1b9c292021-09-10 10:08:31 +08001736 }
1737 break;
Jerry Yue1b9c292021-09-10 10:08:31 +08001738
1739 default:
Jerry Yu9872eb22022-08-29 13:42:01 +08001740 ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
1741 goto cleanup;
Jerry Yue1b9c292021-09-10 10:08:31 +08001742 }
1743
1744 p += extension_data_len;
1745 }
1746
Jerry Yu2c5363e2022-08-04 17:42:49 +08001747 MBEDTLS_SSL_TLS1_3_PRINT_EXTS(
Jerry Yu0c354a22022-08-29 15:25:36 +08001748 3, is_hrr ? -MBEDTLS_SSL_HS_SERVER_HELLO : MBEDTLS_SSL_HS_SERVER_HELLO,
Jerry Yuc4bf5d62022-10-29 09:08:47 +08001749 handshake->received_extensions );
Jerry Yu2c5363e2022-08-04 17:42:49 +08001750
XiaokangQiand59be772022-01-24 10:12:51 +00001751cleanup:
1752
XiaokangQian52da5582022-01-26 09:49:29 +00001753 if( fatal_alert == MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT )
XiaokangQiand59be772022-01-24 10:12:51 +00001754 {
1755 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT,
1756 MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION );
1757 ret = MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION;
1758 }
XiaokangQian52da5582022-01-26 09:49:29 +00001759 else if ( fatal_alert == MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER )
XiaokangQiand59be772022-01-24 10:12:51 +00001760 {
1761 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
1762 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
1763 ret = MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
1764 }
1765 return( ret );
Jerry Yue1b9c292021-09-10 10:08:31 +08001766}
1767
Xiaokang Qiancb6e9632022-09-26 11:59:32 +00001768#if defined(MBEDTLS_DEBUG_C)
1769static const char *ssl_tls13_get_kex_mode_str(int mode)
Xiaokang Qian5beec4b2022-09-26 08:23:45 +00001770{
1771 switch( mode )
1772 {
1773 case MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK:
1774 return "psk";
1775 case MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL:
1776 return "ephemeral";
1777 case MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL:
1778 return "psk_ephemeral";
1779 default:
1780 return "unknown mode";
1781 }
1782}
Xiaokang Qiancb6e9632022-09-26 11:59:32 +00001783#endif /* MBEDTLS_DEBUG_C */
Xiaokang Qian5beec4b2022-09-26 08:23:45 +00001784
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +02001785MBEDTLS_CHECK_RETURN_CRITICAL
XiaokangQian355e09a2022-01-20 11:14:50 +00001786static int ssl_tls13_postprocess_server_hello( mbedtls_ssl_context *ssl )
Jerry Yue1b9c292021-09-10 10:08:31 +08001787{
Jerry Yub85277e2021-10-13 13:36:05 +08001788 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yub85277e2021-10-13 13:36:05 +08001789 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
Jerry Yu0b177842021-09-05 19:41:30 +08001790
Jerry Yub85277e2021-10-13 13:36:05 +08001791 /* Determine the key exchange mode:
1792 * 1) If both the pre_shared_key and key_share extensions were received
1793 * then the key exchange mode is PSK with EPHEMERAL.
1794 * 2) If only the pre_shared_key extension was received then the key
1795 * exchange mode is PSK-only.
1796 * 3) If only the key_share extension was received then the key
1797 * exchange mode is EPHEMERAL-only.
Jerry Yu0b177842021-09-05 19:41:30 +08001798 */
Jerry Yu0c354a22022-08-29 15:25:36 +08001799 switch( handshake->received_extensions &
Jerry Yub85277e2021-10-13 13:36:05 +08001800 ( MBEDTLS_SSL_EXT_PRE_SHARED_KEY | MBEDTLS_SSL_EXT_KEY_SHARE ) )
Jerry Yu0b177842021-09-05 19:41:30 +08001801 {
Jerry Yu745bb612021-10-13 22:01:04 +08001802 /* Only the pre_shared_key extension was received */
1803 case MBEDTLS_SSL_EXT_PRE_SHARED_KEY:
Ronald Cron79907712022-07-20 17:05:29 +02001804 handshake->key_exchange_mode = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK;
Jerry Yu745bb612021-10-13 22:01:04 +08001805 break;
Jerry Yub85277e2021-10-13 13:36:05 +08001806
Jerry Yu745bb612021-10-13 22:01:04 +08001807 /* Only the key_share extension was received */
1808 case MBEDTLS_SSL_EXT_KEY_SHARE:
Ronald Cron79907712022-07-20 17:05:29 +02001809 handshake->key_exchange_mode = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL;
Jerry Yu745bb612021-10-13 22:01:04 +08001810 break;
Jerry Yub85277e2021-10-13 13:36:05 +08001811
Jerry Yu745bb612021-10-13 22:01:04 +08001812 /* Both the pre_shared_key and key_share extensions were received */
1813 case ( MBEDTLS_SSL_EXT_PRE_SHARED_KEY | MBEDTLS_SSL_EXT_KEY_SHARE ):
Ronald Cron79907712022-07-20 17:05:29 +02001814 handshake->key_exchange_mode = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL;
Jerry Yu745bb612021-10-13 22:01:04 +08001815 break;
Jerry Yub85277e2021-10-13 13:36:05 +08001816
Jerry Yu745bb612021-10-13 22:01:04 +08001817 /* Neither pre_shared_key nor key_share extension was received */
1818 default:
1819 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Unknown key exchange." ) );
1820 ret = MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
1821 goto cleanup;
Jerry Yu0b177842021-09-05 19:41:30 +08001822 }
1823
Xiaokang Qianac8195f2022-09-26 04:01:06 +00001824 if( !mbedtls_ssl_conf_tls13_check_kex_modes( ssl, handshake->key_exchange_mode ) )
1825 {
1826 ret = MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
1827 MBEDTLS_SSL_DEBUG_MSG( 2,
Xiaokang Qianca343ae2022-09-28 02:07:54 +00001828 ( "Key exchange mode(%s) is not supported.",
Xiaokang Qiancb6e9632022-09-26 11:59:32 +00001829 ssl_tls13_get_kex_mode_str( handshake->key_exchange_mode ) ) );
Xiaokang Qianac8195f2022-09-26 04:01:06 +00001830 goto cleanup;
1831 }
1832
Xiaokang Qian5beec4b2022-09-26 08:23:45 +00001833 MBEDTLS_SSL_DEBUG_MSG( 3,
Xiaokang Qianca343ae2022-09-28 02:07:54 +00001834 ( "Selected key exchange mode: %s",
Xiaokang Qiancb6e9632022-09-26 11:59:32 +00001835 ssl_tls13_get_kex_mode_str( handshake->key_exchange_mode ) ) );
Xiaokang Qian5beec4b2022-09-26 08:23:45 +00001836
Jerry Yu0b177842021-09-05 19:41:30 +08001837 /* Start the TLS 1.3 key schedule: Set the PSK and derive early secret.
1838 *
1839 * TODO: We don't have to do this in case we offered 0-RTT and the
1840 * server accepted it. In this case, we could skip generating
1841 * the early secret. */
Xiaofei Bai746f9482021-11-12 08:53:56 +00001842 ret = mbedtls_ssl_tls13_key_schedule_stage_early( ssl );
Jerry Yu0b177842021-09-05 19:41:30 +08001843 if( ret != 0 )
1844 {
Jerry Yue110d252022-05-05 10:19:22 +08001845 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_key_schedule_stage_early",
Jerry Yu0b177842021-09-05 19:41:30 +08001846 ret );
Jerry Yu4a173382021-10-11 21:45:31 +08001847 goto cleanup;
Jerry Yu0b177842021-09-05 19:41:30 +08001848 }
1849
Jerry Yuf86eb752022-05-06 11:16:55 +08001850 ret = mbedtls_ssl_tls13_compute_handshake_transform( ssl );
Jerry Yu0b177842021-09-05 19:41:30 +08001851 if( ret != 0 )
1852 {
Jerry Yuf86eb752022-05-06 11:16:55 +08001853 MBEDTLS_SSL_DEBUG_RET( 1,
1854 "mbedtls_ssl_tls13_compute_handshake_transform",
Jerry Yuc068b662021-10-11 22:30:19 +08001855 ret );
Jerry Yu4a173382021-10-11 21:45:31 +08001856 goto cleanup;
Jerry Yu0b177842021-09-05 19:41:30 +08001857 }
1858
Jerry Yue110d252022-05-05 10:19:22 +08001859 mbedtls_ssl_set_inbound_transform( ssl, handshake->transform_handshake );
Jerry Yu0b177842021-09-05 19:41:30 +08001860 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Switch to handshake keys for inbound traffic" ) );
1861 ssl->session_in = ssl->session_negotiate;
1862
Jerry Yu4a173382021-10-11 21:45:31 +08001863cleanup:
Jerry Yu4a173382021-10-11 21:45:31 +08001864 if( ret != 0 )
1865 {
Jerry Yu4a173382021-10-11 21:45:31 +08001866 MBEDTLS_SSL_PEND_FATAL_ALERT(
1867 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
1868 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
1869 }
Jerry Yue110d252022-05-05 10:19:22 +08001870
Jerry Yu4a173382021-10-11 21:45:31 +08001871 return( ret );
Jerry Yue1b9c292021-09-10 10:08:31 +08001872}
1873
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +02001874MBEDTLS_CHECK_RETURN_CRITICAL
XiaokangQian355e09a2022-01-20 11:14:50 +00001875static int ssl_tls13_postprocess_hrr( mbedtls_ssl_context *ssl )
XiaokangQian647719a2021-12-07 09:16:29 +00001876{
1877 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1878
XiaokangQian78b1fa72022-01-19 06:56:30 +00001879 mbedtls_ssl_session_reset_msg_layer( ssl, 0 );
XiaokangQian647719a2021-12-07 09:16:29 +00001880
XiaokangQian78b1fa72022-01-19 06:56:30 +00001881 /*
XiaokangQian355e09a2022-01-20 11:14:50 +00001882 * We are going to re-generate a shared secret corresponding to the group
1883 * selected by the server, which is different from the group for which we
1884 * generated a shared secret in the first client hello.
1885 * Thus, reset the shared secret.
XiaokangQian51eff222021-12-10 10:33:56 +00001886 */
XiaokangQian16acd4b2022-01-14 07:35:47 +00001887 ret = ssl_tls13_reset_key_share( ssl );
XiaokangQian647719a2021-12-07 09:16:29 +00001888 if( ret != 0 )
1889 return( ret );
1890
1891 return( 0 );
1892}
1893
Jerry Yue1b9c292021-09-10 10:08:31 +08001894/*
Jerry Yu4a173382021-10-11 21:45:31 +08001895 * Wait and parse ServerHello handshake message.
Jerry Yu687101b2021-09-14 16:03:56 +08001896 * Handler for MBEDTLS_SSL_SERVER_HELLO
1897 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +02001898MBEDTLS_CHECK_RETURN_CRITICAL
Xiaofei Bai746f9482021-11-12 08:53:56 +00001899static int ssl_tls13_process_server_hello( mbedtls_ssl_context *ssl )
Jerry Yu687101b2021-09-14 16:03:56 +08001900{
Jerry Yu4a173382021-10-11 21:45:31 +08001901 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
XiaokangQian647719a2021-12-07 09:16:29 +00001902 unsigned char *buf = NULL;
1903 size_t buf_len = 0;
XiaokangQian78b1fa72022-01-19 06:56:30 +00001904 int is_hrr = 0;
Jerry Yue1b9c292021-09-10 10:08:31 +08001905
1906 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> %s", __func__ ) );
1907
Ronald Crondb5dfa12022-05-31 11:44:38 +02001908 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_fetch_handshake_msg( ssl,
1909 MBEDTLS_SSL_HS_SERVER_HELLO,
1910 &buf, &buf_len ) );
1911
Ronald Cron828aff62022-05-31 12:04:31 +02001912 ret = ssl_tls13_preprocess_server_hello( ssl, buf, buf + buf_len );
XiaokangQiand9e068e2022-01-18 06:23:32 +00001913 if( ret < 0 )
XiaokangQian16acd4b2022-01-14 07:35:47 +00001914 goto cleanup;
1915 else
Ronald Cron828aff62022-05-31 12:04:31 +02001916 is_hrr = ( ret == SSL_SERVER_HELLO_HRR );
XiaokangQiand59be772022-01-24 10:12:51 +00001917
Ronald Cron828aff62022-05-31 12:04:31 +02001918 if( ret == SSL_SERVER_HELLO_TLS1_2 )
Ronald Cron9f0fba32022-02-10 16:45:15 +01001919 {
1920 ret = 0;
1921 goto cleanup;
1922 }
1923
XiaokangQianb851da82022-01-14 04:03:11 +00001924 MBEDTLS_SSL_PROC_CHK( ssl_tls13_parse_server_hello( ssl, buf,
XiaokangQiand9e068e2022-01-18 06:23:32 +00001925 buf + buf_len,
1926 is_hrr ) );
1927 if( is_hrr )
XiaokangQian647719a2021-12-07 09:16:29 +00001928 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_reset_transcript_for_hrr( ssl ) );
1929
Ronald Cron8f6d39a2022-03-10 18:56:50 +01001930 mbedtls_ssl_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_SERVER_HELLO,
1931 buf, buf_len );
XiaokangQian647719a2021-12-07 09:16:29 +00001932
XiaokangQiand9e068e2022-01-18 06:23:32 +00001933 if( is_hrr )
Ronald Cronfb508b82022-05-31 14:49:55 +02001934 {
XiaokangQian355e09a2022-01-20 11:14:50 +00001935 MBEDTLS_SSL_PROC_CHK( ssl_tls13_postprocess_hrr( ssl ) );
Ronald Cronfb508b82022-05-31 14:49:55 +02001936#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
1937 /* If not offering early data, the client sends a dummy CCS record
1938 * immediately before its second flight. This may either be before
1939 * its second ClientHello or before its encrypted handshake flight.
1940 */
1941 mbedtls_ssl_handshake_set_state( ssl,
1942 MBEDTLS_SSL_CLIENT_CCS_BEFORE_2ND_CLIENT_HELLO );
1943#else
1944 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_HELLO );
1945#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
1946 }
XiaokangQiand9e068e2022-01-18 06:23:32 +00001947 else
Ronald Cronfb508b82022-05-31 14:49:55 +02001948 {
XiaokangQian355e09a2022-01-20 11:14:50 +00001949 MBEDTLS_SSL_PROC_CHK( ssl_tls13_postprocess_server_hello( ssl ) );
Ronald Cronfb508b82022-05-31 14:49:55 +02001950 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_ENCRYPTED_EXTENSIONS );
1951 }
Jerry Yue1b9c292021-09-10 10:08:31 +08001952
1953cleanup:
XiaokangQiana9090612022-01-27 03:48:27 +00001954 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= %s ( %s )", __func__,
1955 is_hrr?"HelloRetryRequest":"ServerHello" ) );
Jerry Yue1b9c292021-09-10 10:08:31 +08001956 return( ret );
Jerry Yu687101b2021-09-14 16:03:56 +08001957}
1958
1959/*
XiaokangQian2d5c72b2021-09-13 07:30:09 +00001960 *
Ronald Cron9d6a5452022-05-30 16:05:38 +02001961 * Handler for MBEDTLS_SSL_ENCRYPTED_EXTENSIONS
XiaokangQian2d5c72b2021-09-13 07:30:09 +00001962 *
1963 * The EncryptedExtensions message contains any extensions which
1964 * should be protected, i.e., any which are not needed to establish
1965 * the cryptographic context.
Jerry Yu687101b2021-09-14 16:03:56 +08001966 */
XiaokangQian2d5c72b2021-09-13 07:30:09 +00001967
XiaokangQian08da26c2021-10-09 10:12:11 +00001968/* Parse EncryptedExtensions message
1969 * struct {
XiaokangQian97799ac2021-10-11 10:05:54 +00001970 * Extension extensions<0..2^16-1>;
XiaokangQian08da26c2021-10-09 10:12:11 +00001971 * } EncryptedExtensions;
1972 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +02001973MBEDTLS_CHECK_RETURN_CRITICAL
XiaokangQian97799ac2021-10-11 10:05:54 +00001974static int ssl_tls13_parse_encrypted_extensions( mbedtls_ssl_context *ssl,
1975 const unsigned char *buf,
1976 const unsigned char *end )
XiaokangQian2d5c72b2021-09-13 07:30:09 +00001977{
1978 int ret = 0;
XiaokangQian08da26c2021-10-09 10:12:11 +00001979 size_t extensions_len;
XiaokangQian140f0452021-10-08 08:05:53 +00001980 const unsigned char *p = buf;
XiaokangQian8db25ff2021-10-13 05:56:18 +00001981 const unsigned char *extensions_end;
Jerry Yuc4bf5d62022-10-29 09:08:47 +08001982 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
XiaokangQian2d5c72b2021-09-13 07:30:09 +00001983
XiaokangQian08da26c2021-10-09 10:12:11 +00001984 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
XiaokangQian97799ac2021-10-11 10:05:54 +00001985 extensions_len = MBEDTLS_GET_UINT16_BE( p, 0 );
XiaokangQian08da26c2021-10-09 10:12:11 +00001986 p += 2;
XiaokangQian2d5c72b2021-09-13 07:30:09 +00001987
XiaokangQian97799ac2021-10-11 10:05:54 +00001988 MBEDTLS_SSL_DEBUG_BUF( 3, "encrypted extensions", p, extensions_len );
XiaokangQian8db25ff2021-10-13 05:56:18 +00001989 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, extensions_len );
Ronald Cronc8083592022-05-31 16:24:05 +02001990 extensions_end = p + extensions_len;
XiaokangQian2d5c72b2021-09-13 07:30:09 +00001991
Jerry Yu9eba7502022-10-31 13:46:16 +08001992 handshake->received_extensions = MBEDTLS_SSL_EXT_MASK_NONE;
Jerry Yucbd082f2022-08-04 16:55:10 +08001993
XiaokangQian8db25ff2021-10-13 05:56:18 +00001994 while( p < extensions_end )
XiaokangQian2d5c72b2021-09-13 07:30:09 +00001995 {
XiaokangQian08da26c2021-10-09 10:12:11 +00001996 unsigned int extension_type;
1997 size_t extension_data_len;
XiaokangQian2d5c72b2021-09-13 07:30:09 +00001998
XiaokangQian08da26c2021-10-09 10:12:11 +00001999 /*
2000 * struct {
XiaokangQian97799ac2021-10-11 10:05:54 +00002001 * ExtensionType extension_type; (2 bytes)
2002 * opaque extension_data<0..2^16-1>;
XiaokangQian08da26c2021-10-09 10:12:11 +00002003 * } Extension;
2004 */
XiaokangQian8db25ff2021-10-13 05:56:18 +00002005 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, 4 );
XiaokangQian08da26c2021-10-09 10:12:11 +00002006 extension_type = MBEDTLS_GET_UINT16_BE( p, 0 );
2007 extension_data_len = MBEDTLS_GET_UINT16_BE( p, 2 );
2008 p += 4;
2009
XiaokangQian8db25ff2021-10-13 05:56:18 +00002010 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, extension_data_len );
XiaokangQian2d5c72b2021-09-13 07:30:09 +00002011
Jerry Yuc4bf5d62022-10-29 09:08:47 +08002012 ret = mbedtls_ssl_tls13_check_received_extension(
Jerry Yu0c354a22022-08-29 15:25:36 +08002013 ssl, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS, extension_type,
2014 MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_EE );
2015 if( ret != 0 )
2016 return( ret );
Jerry Yucbd082f2022-08-04 16:55:10 +08002017
XiaokangQian08da26c2021-10-09 10:12:11 +00002018 switch( extension_type )
2019 {
lhuang0486cacac2022-01-21 07:34:27 -08002020#if defined(MBEDTLS_SSL_ALPN)
2021 case MBEDTLS_TLS_EXT_ALPN:
2022 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found alpn extension" ) );
2023
2024 if( ( ret = ssl_tls13_parse_alpn_ext( ssl, p, (size_t)extension_data_len ) ) != 0 )
2025 {
2026 return( ret );
2027 }
2028
2029 break;
2030#endif /* MBEDTLS_SSL_ALPN */
XiaokangQian08da26c2021-10-09 10:12:11 +00002031 default:
Jerry Yu9eba7502022-10-31 13:46:16 +08002032 MBEDTLS_SSL_PRINT_EXT_TYPE(
2033 3, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS,
2034 extension_type, "( ignored )" );
Jerry Yucbd082f2022-08-04 16:55:10 +08002035 break;
XiaokangQian08da26c2021-10-09 10:12:11 +00002036 }
2037
XiaokangQian08da26c2021-10-09 10:12:11 +00002038 p += extension_data_len;
XiaokangQian97799ac2021-10-11 10:05:54 +00002039 }
XiaokangQian08da26c2021-10-09 10:12:11 +00002040
Jerry Yu9eba7502022-10-31 13:46:16 +08002041 MBEDTLS_SSL_PRINT_RECEIVED_EXTS( 3, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS );
Jerry Yucbd082f2022-08-04 16:55:10 +08002042
XiaokangQian97799ac2021-10-11 10:05:54 +00002043 /* Check that we consumed all the message. */
XiaokangQian7b2d4ef2021-10-13 10:19:02 +00002044 if( p != end )
XiaokangQian97799ac2021-10-11 10:05:54 +00002045 {
2046 MBEDTLS_SSL_DEBUG_MSG( 1, ( "EncryptedExtension lengths misaligned" ) );
Jerry Yu7aa71862021-10-28 21:41:30 +08002047 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
XiaokangQian7b2d4ef2021-10-13 10:19:02 +00002048 MBEDTLS_ERR_SSL_DECODE_ERROR );
XiaokangQian97799ac2021-10-11 10:05:54 +00002049 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
XiaokangQian2d5c72b2021-09-13 07:30:09 +00002050 }
2051
2052 return( ret );
2053}
2054
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +02002055MBEDTLS_CHECK_RETURN_CRITICAL
Ronald Cron9d6a5452022-05-30 16:05:38 +02002056static int ssl_tls13_process_encrypted_extensions( mbedtls_ssl_context *ssl )
2057{
2058 int ret;
2059 unsigned char *buf;
2060 size_t buf_len;
2061
2062 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse encrypted extensions" ) );
2063
2064 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_fetch_handshake_msg( ssl,
2065 MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS,
2066 &buf, &buf_len ) );
2067
2068 /* Process the message contents */
2069 MBEDTLS_SSL_PROC_CHK(
2070 ssl_tls13_parse_encrypted_extensions( ssl, buf, buf + buf_len ) );
2071
2072 mbedtls_ssl_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS,
2073 buf, buf_len );
2074
Ronald Cron928cbd32022-10-04 16:14:26 +02002075#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
Ronald Cron79907712022-07-20 17:05:29 +02002076 if( mbedtls_ssl_tls13_key_exchange_mode_with_psk( ssl ) )
Ronald Cronfb508b82022-05-31 14:49:55 +02002077 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_FINISHED );
2078 else
2079 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CERTIFICATE_REQUEST );
2080#else
2081 ((void) ssl);
2082 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_FINISHED );
2083#endif
Ronald Cron9d6a5452022-05-30 16:05:38 +02002084
2085cleanup:
2086
2087 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse encrypted extensions" ) );
2088 return( ret );
2089
2090}
2091
Ronald Cron928cbd32022-10-04 16:14:26 +02002092#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
Jerry Yu687101b2021-09-14 16:03:56 +08002093/*
Xiaofei Baia0ab7772022-01-16 12:14:45 +00002094 * STATE HANDLING: CertificateRequest
2095 *
Jerry Yud2674312021-10-29 10:08:19 +08002096 */
Xiaofei Bai69fcd392022-01-20 08:25:00 +00002097#define SSL_CERTIFICATE_REQUEST_EXPECT_REQUEST 0
2098#define SSL_CERTIFICATE_REQUEST_SKIP 1
Xiaofei Baia0ab7772022-01-16 12:14:45 +00002099/* Coordination:
2100 * Deals with the ambiguity of not knowing if a CertificateRequest
2101 * will be sent. Returns a negative code on failure, or
2102 * - SSL_CERTIFICATE_REQUEST_EXPECT_REQUEST
2103 * - SSL_CERTIFICATE_REQUEST_SKIP
2104 * indicating if a Certificate Request is expected or not.
2105 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +02002106MBEDTLS_CHECK_RETURN_CRITICAL
Xiaofei Baia0ab7772022-01-16 12:14:45 +00002107static int ssl_tls13_certificate_request_coordinate( mbedtls_ssl_context *ssl )
Jerry Yud2674312021-10-29 10:08:19 +08002108{
Xiaofei Baide3f13e2022-01-18 05:47:05 +00002109 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yud2674312021-10-29 10:08:19 +08002110
Xiaofei Baia0ab7772022-01-16 12:14:45 +00002111 if( ( ret = mbedtls_ssl_read_record( ssl, 0 ) ) != 0 )
Jerry Yud2674312021-10-29 10:08:19 +08002112 {
2113 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
2114 return( ret );
2115 }
Xiaofei Baia0ab7772022-01-16 12:14:45 +00002116 ssl->keep_current_message = 1;
Jerry Yud2674312021-10-29 10:08:19 +08002117
2118 if( ( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE ) &&
2119 ( ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE_REQUEST ) )
2120 {
Ronald Cron19385882022-06-15 16:26:13 +02002121 MBEDTLS_SSL_DEBUG_MSG( 3, ( "got a certificate request" ) );
Xiaofei Baia0ab7772022-01-16 12:14:45 +00002122 return( SSL_CERTIFICATE_REQUEST_EXPECT_REQUEST );
Jerry Yud2674312021-10-29 10:08:19 +08002123 }
2124
Ronald Cron19385882022-06-15 16:26:13 +02002125 MBEDTLS_SSL_DEBUG_MSG( 3, ( "got no certificate request" ) );
2126
Xiaofei Baia0ab7772022-01-16 12:14:45 +00002127 return( SSL_CERTIFICATE_REQUEST_SKIP );
2128}
2129
Xiaofei Baia0ab7772022-01-16 12:14:45 +00002130/*
2131 * ssl_tls13_parse_certificate_request()
2132 * Parse certificate request
2133 * struct {
2134 * opaque certificate_request_context<0..2^8-1>;
2135 * Extension extensions<2..2^16-1>;
2136 * } CertificateRequest;
2137 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +02002138MBEDTLS_CHECK_RETURN_CRITICAL
Xiaofei Baia0ab7772022-01-16 12:14:45 +00002139static int ssl_tls13_parse_certificate_request( mbedtls_ssl_context *ssl,
2140 const unsigned char *buf,
2141 const unsigned char *end )
2142{
2143 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2144 const unsigned char *p = buf;
Xiaofei Baia0ab7772022-01-16 12:14:45 +00002145 size_t certificate_request_context_len = 0;
Xiaofei Bai82f0a9a2022-01-26 09:21:54 +00002146 size_t extensions_len = 0;
2147 const unsigned char *extensions_end;
Jerry Yuc4bf5d62022-10-29 09:08:47 +08002148 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
Xiaofei Baia0ab7772022-01-16 12:14:45 +00002149
Xiaofei Bai82f0a9a2022-01-26 09:21:54 +00002150 /* ...
2151 * opaque certificate_request_context<0..2^8-1>
2152 * ...
2153 */
Xiaofei Baia0ab7772022-01-16 12:14:45 +00002154 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 1 );
2155 certificate_request_context_len = (size_t) p[0];
Xiaofei Bai69fcd392022-01-20 08:25:00 +00002156 p += 1;
Xiaofei Baia0ab7772022-01-16 12:14:45 +00002157
Xiaofei Baia0ab7772022-01-16 12:14:45 +00002158 if( certificate_request_context_len > 0 )
2159 {
Xiaofei Baic234ecf2022-02-08 09:59:23 +00002160 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, certificate_request_context_len );
Xiaofei Baia0ab7772022-01-16 12:14:45 +00002161 MBEDTLS_SSL_DEBUG_BUF( 3, "Certificate Request Context",
2162 p, certificate_request_context_len );
2163
Xiaofei Bai69fcd392022-01-20 08:25:00 +00002164 handshake->certificate_request_context =
Xiaofei Bai6d42bb42022-01-28 08:52:13 +00002165 mbedtls_calloc( 1, certificate_request_context_len );
Xiaofei Bai69fcd392022-01-20 08:25:00 +00002166 if( handshake->certificate_request_context == NULL )
Xiaofei Baia0ab7772022-01-16 12:14:45 +00002167 {
2168 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
2169 return ( MBEDTLS_ERR_SSL_ALLOC_FAILED );
2170 }
Xiaofei Bai69fcd392022-01-20 08:25:00 +00002171 memcpy( handshake->certificate_request_context, p,
Xiaofei Baia0ab7772022-01-16 12:14:45 +00002172 certificate_request_context_len );
Xiaofei Baia0ab7772022-01-16 12:14:45 +00002173 p += certificate_request_context_len;
2174 }
2175
Xiaofei Bai82f0a9a2022-01-26 09:21:54 +00002176 /* ...
2177 * Extension extensions<2..2^16-1>;
2178 * ...
Xiaofei Baia0ab7772022-01-16 12:14:45 +00002179 */
2180 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
2181 extensions_len = MBEDTLS_GET_UINT16_BE( p, 0 );
2182 p += 2;
2183
2184 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, extensions_len );
2185 extensions_end = p + extensions_len;
2186
Jerry Yu6d0e78b2022-10-31 14:13:25 +08002187 handshake->received_extensions = MBEDTLS_SSL_EXT_MASK_NONE;
Jerry Yuc55a6af2022-08-04 17:01:21 +08002188
Xiaofei Baia0ab7772022-01-16 12:14:45 +00002189 while( p < extensions_end )
2190 {
2191 unsigned int extension_type;
2192 size_t extension_data_len;
2193
2194 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, 4 );
2195 extension_type = MBEDTLS_GET_UINT16_BE( p, 0 );
2196 extension_data_len = MBEDTLS_GET_UINT16_BE( p, 2 );
2197 p += 4;
2198
2199 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, extension_data_len );
2200
Jerry Yuc4bf5d62022-10-29 09:08:47 +08002201 ret = mbedtls_ssl_tls13_check_received_extension(
Jerry Yu0c354a22022-08-29 15:25:36 +08002202 ssl, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST, extension_type,
2203 MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CR );
2204 if( ret != 0 )
2205 return( ret );
Jerry Yuc55a6af2022-08-04 17:01:21 +08002206
Xiaofei Baia0ab7772022-01-16 12:14:45 +00002207 switch( extension_type )
2208 {
2209 case MBEDTLS_TLS_EXT_SIG_ALG:
2210 MBEDTLS_SSL_DEBUG_MSG( 3,
Xiaofei Bai69fcd392022-01-20 08:25:00 +00002211 ( "found signature algorithms extension" ) );
Gabor Mezei078e8032022-04-27 21:17:56 +02002212 ret = mbedtls_ssl_parse_sig_alg_ext( ssl, p,
Gabor Mezei696956d2022-05-13 16:27:29 +02002213 p + extension_data_len );
Xiaofei Baia0ab7772022-01-16 12:14:45 +00002214 if( ret != 0 )
2215 return( ret );
Jerry Yuc55a6af2022-08-04 17:01:21 +08002216
Xiaofei Baia0ab7772022-01-16 12:14:45 +00002217 break;
2218
2219 default:
Jerry Yu6d0e78b2022-10-31 14:13:25 +08002220 MBEDTLS_SSL_PRINT_EXT_TYPE(
2221 3, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST,
2222 extension_type, "( ignored )" );
Xiaofei Bai82f0a9a2022-01-26 09:21:54 +00002223 break;
Xiaofei Baia0ab7772022-01-16 12:14:45 +00002224 }
Jerry Yuc55a6af2022-08-04 17:01:21 +08002225
Xiaofei Baia0ab7772022-01-16 12:14:45 +00002226 p += extension_data_len;
2227 }
Jerry Yuc55a6af2022-08-04 17:01:21 +08002228
Jerry Yu6d0e78b2022-10-31 14:13:25 +08002229 MBEDTLS_SSL_PRINT_RECEIVED_EXTS( 3, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST );
Jerry Yuc55a6af2022-08-04 17:01:21 +08002230
Xiaofei Bai69fcd392022-01-20 08:25:00 +00002231 /* Check that we consumed all the message. */
2232 if( p != end )
2233 {
2234 MBEDTLS_SSL_DEBUG_MSG( 1,
Xiaofei Baic234ecf2022-02-08 09:59:23 +00002235 ( "CertificateRequest misaligned" ) );
2236 goto decode_error;
Xiaofei Bai69fcd392022-01-20 08:25:00 +00002237 }
Jerry Yuc55a6af2022-08-04 17:01:21 +08002238
Jerry Yu0c354a22022-08-29 15:25:36 +08002239 /* RFC 8446 section 4.3.2
Jerry Yuc55a6af2022-08-04 17:01:21 +08002240 *
2241 * The "signature_algorithms" extension MUST be specified
2242 */
Jerry Yu6d0e78b2022-10-31 14:13:25 +08002243 if( ( handshake->received_extensions & MBEDTLS_SSL_EXT_MASK( SIG_ALG ) ) == 0 )
Xiaofei Bai69fcd392022-01-20 08:25:00 +00002244 {
Xiaofei Bai6d42bb42022-01-28 08:52:13 +00002245 MBEDTLS_SSL_DEBUG_MSG( 3,
2246 ( "no signature algorithms extension found" ) );
Xiaofei Baic234ecf2022-02-08 09:59:23 +00002247 goto decode_error;
Xiaofei Bai69fcd392022-01-20 08:25:00 +00002248 }
Xiaofei Baia0ab7772022-01-16 12:14:45 +00002249
Jerry Yu7840f812022-01-29 10:26:51 +08002250 ssl->handshake->client_auth = 1;
Xiaofei Baia0ab7772022-01-16 12:14:45 +00002251 return( 0 );
Xiaofei Bai51f515a2022-02-08 07:28:04 +00002252
Xiaofei Baic234ecf2022-02-08 09:59:23 +00002253decode_error:
Xiaofei Bai51f515a2022-02-08 07:28:04 +00002254 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
2255 MBEDTLS_ERR_SSL_DECODE_ERROR );
2256 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
Xiaofei Baia0ab7772022-01-16 12:14:45 +00002257}
Xiaofei Baia0ab7772022-01-16 12:14:45 +00002258
Xiaofei Baide3f13e2022-01-18 05:47:05 +00002259/*
2260 * Handler for MBEDTLS_SSL_CERTIFICATE_REQUEST
2261 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +02002262MBEDTLS_CHECK_RETURN_CRITICAL
Xiaofei Baide3f13e2022-01-18 05:47:05 +00002263static int ssl_tls13_process_certificate_request( mbedtls_ssl_context *ssl )
Xiaofei Baia0ab7772022-01-16 12:14:45 +00002264{
Xiaofei Baide3f13e2022-01-18 05:47:05 +00002265 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Xiaofei Baia0ab7772022-01-16 12:14:45 +00002266
2267 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) );
2268
Xiaofei Baia0ab7772022-01-16 12:14:45 +00002269 MBEDTLS_SSL_PROC_CHK_NEG( ssl_tls13_certificate_request_coordinate( ssl ) );
2270
Xiaofei Baia0ab7772022-01-16 12:14:45 +00002271 if( ret == SSL_CERTIFICATE_REQUEST_EXPECT_REQUEST )
2272 {
2273 unsigned char *buf;
2274 size_t buf_len;
2275
2276 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_fetch_handshake_msg( ssl,
2277 MBEDTLS_SSL_HS_CERTIFICATE_REQUEST,
2278 &buf, &buf_len ) );
2279
2280 MBEDTLS_SSL_PROC_CHK( ssl_tls13_parse_certificate_request( ssl,
2281 buf, buf + buf_len ) );
2282
Ronald Cron8f6d39a2022-03-10 18:56:50 +01002283 mbedtls_ssl_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST,
2284 buf, buf_len );
Xiaofei Baia0ab7772022-01-16 12:14:45 +00002285 }
Xiaofei Bai69fcd392022-01-20 08:25:00 +00002286 else if( ret == SSL_CERTIFICATE_REQUEST_SKIP )
Xiaofei Baia0ab7772022-01-16 12:14:45 +00002287 {
Xiaofei Baif6d36962022-01-16 14:54:35 +00002288 ret = 0;
Xiaofei Baia0ab7772022-01-16 12:14:45 +00002289 }
2290 else
2291 {
2292 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
Xiaofei Bai51f515a2022-02-08 07:28:04 +00002293 ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
2294 goto cleanup;
Xiaofei Baia0ab7772022-01-16 12:14:45 +00002295 }
2296
Jerry Yud2674312021-10-29 10:08:19 +08002297 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_CERTIFICATE );
2298
Xiaofei Baia0ab7772022-01-16 12:14:45 +00002299cleanup:
2300
Xiaofei Baia0ab7772022-01-16 12:14:45 +00002301 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate request" ) );
2302 return( ret );
Jerry Yud2674312021-10-29 10:08:19 +08002303}
2304
2305/*
Jerry Yu687101b2021-09-14 16:03:56 +08002306 * Handler for MBEDTLS_SSL_SERVER_CERTIFICATE
2307 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +02002308MBEDTLS_CHECK_RETURN_CRITICAL
Xiaofei Bai746f9482021-11-12 08:53:56 +00002309static int ssl_tls13_process_server_certificate( mbedtls_ssl_context *ssl )
Jerry Yu687101b2021-09-14 16:03:56 +08002310{
Xiaofei Bai947571e2021-09-29 09:12:03 +00002311 int ret;
2312
2313 ret = mbedtls_ssl_tls13_process_certificate( ssl );
Xiaofei Baif93cbd22021-10-29 02:39:30 +00002314 if( ret != 0 )
Xiaofei Bai947571e2021-09-29 09:12:03 +00002315 return( ret );
2316
Jerry Yu687101b2021-09-14 16:03:56 +08002317 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CERTIFICATE_VERIFY );
2318 return( 0 );
2319}
2320
2321/*
2322 * Handler for MBEDTLS_SSL_CERTIFICATE_VERIFY
2323 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +02002324MBEDTLS_CHECK_RETURN_CRITICAL
Xiaofei Bai746f9482021-11-12 08:53:56 +00002325static int ssl_tls13_process_certificate_verify( mbedtls_ssl_context *ssl )
Jerry Yu687101b2021-09-14 16:03:56 +08002326{
Jerry Yu30b071c2021-09-12 20:16:03 +08002327 int ret;
2328
2329 ret = mbedtls_ssl_tls13_process_certificate_verify( ssl );
2330 if( ret != 0 )
2331 return( ret );
2332
Jerry Yu687101b2021-09-14 16:03:56 +08002333 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_FINISHED );
2334 return( 0 );
2335}
Ronald Cron928cbd32022-10-04 16:14:26 +02002336#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
Ronald Crond4c64022021-12-06 09:06:46 +01002337
Jerry Yu687101b2021-09-14 16:03:56 +08002338/*
2339 * Handler for MBEDTLS_SSL_SERVER_FINISHED
2340 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +02002341MBEDTLS_CHECK_RETURN_CRITICAL
Xiaofei Bai746f9482021-11-12 08:53:56 +00002342static int ssl_tls13_process_server_finished( mbedtls_ssl_context *ssl )
Jerry Yu687101b2021-09-14 16:03:56 +08002343{
XiaokangQianac0385c2021-11-03 06:40:11 +00002344 int ret;
2345
XiaokangQianc5c39d52021-11-09 11:55:10 +00002346 ret = mbedtls_ssl_tls13_process_finished_message( ssl );
XiaokangQianac0385c2021-11-03 06:40:11 +00002347 if( ret != 0 )
2348 return( ret );
2349
Jerry Yue3d67cb2022-05-19 15:33:10 +08002350 ret = mbedtls_ssl_tls13_compute_application_transform( ssl );
2351 if( ret != 0 )
2352 {
2353 MBEDTLS_SSL_PEND_FATAL_ALERT(
2354 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
2355 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
2356 return( ret );
2357 }
2358
Ronald Cron49ad6192021-11-24 16:25:31 +01002359#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
2360 mbedtls_ssl_handshake_set_state(
2361 ssl,
2362 MBEDTLS_SSL_CLIENT_CCS_AFTER_SERVER_FINISHED );
2363#else
Jerry Yuca133a32022-02-15 14:22:05 +08002364 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE );
Jerry Yu566c7812022-01-26 15:41:22 +08002365#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
Ronald Cron49ad6192021-11-24 16:25:31 +01002366
XiaokangQianac0385c2021-11-03 06:40:11 +00002367 return( 0 );
Jerry Yu687101b2021-09-14 16:03:56 +08002368}
2369
2370/*
Jerry Yu566c7812022-01-26 15:41:22 +08002371 * Handler for MBEDTLS_SSL_CLIENT_CERTIFICATE
2372 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +02002373MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yu566c7812022-01-26 15:41:22 +08002374static int ssl_tls13_write_client_certificate( mbedtls_ssl_context *ssl )
2375{
Ronald Cron7a94aca2022-03-09 07:44:27 +01002376 int non_empty_certificate_msg = 0;
2377
Jerry Yu5cc35062022-01-28 16:16:08 +08002378 MBEDTLS_SSL_DEBUG_MSG( 1,
2379 ( "Switch to handshake traffic keys for outbound traffic" ) );
Jerry Yu566c7812022-01-26 15:41:22 +08002380 mbedtls_ssl_set_outbound_transform( ssl, ssl->handshake->transform_handshake );
Jerry Yu5cc35062022-01-28 16:16:08 +08002381
Ronald Cron928cbd32022-10-04 16:14:26 +02002382#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
Ronald Cron5bb8fc82022-03-09 07:00:13 +01002383 if( ssl->handshake->client_auth )
Ronald Cron7a94aca2022-03-09 07:44:27 +01002384 {
2385 int ret = mbedtls_ssl_tls13_write_certificate( ssl );
2386 if( ret != 0 )
2387 return( ret );
Ronald Cron5bb8fc82022-03-09 07:00:13 +01002388
Ronald Cron7a94aca2022-03-09 07:44:27 +01002389 if( mbedtls_ssl_own_cert( ssl ) != NULL )
2390 non_empty_certificate_msg = 1;
2391 }
2392 else
2393 {
XiaokangQian23c5be62022-06-07 02:04:34 +00002394 MBEDTLS_SSL_DEBUG_MSG( 2, ( "skip write certificate" ) );
Ronald Cron7a94aca2022-03-09 07:44:27 +01002395 }
Ronald Cron9df7c802022-03-08 18:38:54 +01002396#endif
Ronald Cron5bb8fc82022-03-09 07:00:13 +01002397
Ronald Cron7a94aca2022-03-09 07:44:27 +01002398 if( non_empty_certificate_msg )
2399 {
2400 mbedtls_ssl_handshake_set_state( ssl,
2401 MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY );
2402 }
2403 else
Ronald Cron19385882022-06-15 16:26:13 +02002404 {
2405 MBEDTLS_SSL_DEBUG_MSG( 2, ( "skip write certificate verify" ) );
Ronald Cron7a94aca2022-03-09 07:44:27 +01002406 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_FINISHED );
Ronald Cron19385882022-06-15 16:26:13 +02002407 }
Ronald Cron7a94aca2022-03-09 07:44:27 +01002408
Ronald Cron5bb8fc82022-03-09 07:00:13 +01002409 return( 0 );
Jerry Yu566c7812022-01-26 15:41:22 +08002410}
2411
Ronald Cron928cbd32022-10-04 16:14:26 +02002412#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
Jerry Yu566c7812022-01-26 15:41:22 +08002413/*
2414 * Handler for MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY
2415 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +02002416MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yu566c7812022-01-26 15:41:22 +08002417static int ssl_tls13_write_client_certificate_verify( mbedtls_ssl_context *ssl )
2418{
Ronald Crona8b38872022-03-09 07:59:25 +01002419 int ret = mbedtls_ssl_tls13_write_certificate_verify( ssl );
2420
2421 if( ret == 0 )
2422 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_FINISHED );
2423
2424 return( ret );
Jerry Yu566c7812022-01-26 15:41:22 +08002425}
Ronald Cron928cbd32022-10-04 16:14:26 +02002426#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
Jerry Yu566c7812022-01-26 15:41:22 +08002427
2428/*
Jerry Yu687101b2021-09-14 16:03:56 +08002429 * Handler for MBEDTLS_SSL_CLIENT_FINISHED
2430 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +02002431MBEDTLS_CHECK_RETURN_CRITICAL
XiaokangQian74af2a82021-09-22 07:40:30 +00002432static int ssl_tls13_write_client_finished( mbedtls_ssl_context *ssl )
Jerry Yu687101b2021-09-14 16:03:56 +08002433{
XiaokangQian0fa66432021-11-15 03:33:57 +00002434 int ret;
2435
2436 ret = mbedtls_ssl_tls13_write_finished_message( ssl );
2437 if( ret != 0 )
2438 return( ret );
2439
Jerry Yu466dda82022-09-13 11:20:20 +08002440 ret = mbedtls_ssl_tls13_compute_resumption_master_secret( ssl );
Jerry Yue3d67cb2022-05-19 15:33:10 +08002441 if( ret != 0 )
2442 {
2443 MBEDTLS_SSL_DEBUG_RET( 1,
Jerry Yu466dda82022-09-13 11:20:20 +08002444 "mbedtls_ssl_tls13_compute_resumption_master_secret ", ret );
Jerry Yue3d67cb2022-05-19 15:33:10 +08002445 return ( ret );
2446 }
2447
XiaokangQian0fa66432021-11-15 03:33:57 +00002448 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_FLUSH_BUFFERS );
2449 return( 0 );
Jerry Yu687101b2021-09-14 16:03:56 +08002450}
2451
2452/*
2453 * Handler for MBEDTLS_SSL_FLUSH_BUFFERS
2454 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +02002455MBEDTLS_CHECK_RETURN_CRITICAL
Xiaofei Bai746f9482021-11-12 08:53:56 +00002456static int ssl_tls13_flush_buffers( mbedtls_ssl_context *ssl )
Jerry Yu687101b2021-09-14 16:03:56 +08002457{
Jerry Yu378254d2021-10-30 21:44:47 +08002458 MBEDTLS_SSL_DEBUG_MSG( 2, ( "handshake: done" ) );
Jerry Yuad8d0ba2021-09-28 17:58:26 +08002459 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_HANDSHAKE_WRAPUP );
Jerry Yu687101b2021-09-14 16:03:56 +08002460 return( 0 );
2461}
2462
2463/*
2464 * Handler for MBEDTLS_SSL_HANDSHAKE_WRAPUP
2465 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +02002466MBEDTLS_CHECK_RETURN_CRITICAL
Xiaofei Bai746f9482021-11-12 08:53:56 +00002467static int ssl_tls13_handshake_wrapup( mbedtls_ssl_context *ssl )
Jerry Yu687101b2021-09-14 16:03:56 +08002468{
Jerry Yu378254d2021-10-30 21:44:47 +08002469
2470 mbedtls_ssl_tls13_handshake_wrapup( ssl );
2471
2472 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_HANDSHAKE_OVER );
2473 return( 0 );
Jerry Yu687101b2021-09-14 16:03:56 +08002474}
2475
Jerry Yuf8a49942022-07-07 11:32:32 +00002476#if defined(MBEDTLS_SSL_SESSION_TICKETS)
2477
Jerry Yua0446a02022-07-13 11:22:55 +08002478MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yuaf2c0c82022-07-12 05:47:21 +00002479static int ssl_tls13_parse_new_session_ticket_exts( mbedtls_ssl_context *ssl,
2480 const unsigned char *buf,
2481 const unsigned char *end )
Jerry Yuf8a49942022-07-07 11:32:32 +00002482{
Jerry Yuc4bf5d62022-10-29 09:08:47 +08002483 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
Jerry Yuaf2c0c82022-07-12 05:47:21 +00002484 const unsigned char *p = buf;
Jerry Yuf8a49942022-07-07 11:32:32 +00002485
Jerry Yuf8a49942022-07-07 11:32:32 +00002486
Jerry Yuedab6372022-10-31 14:37:31 +08002487 handshake->received_extensions = MBEDTLS_SSL_EXT_MASK_NONE;
Jerry Yu6ba9f1c2022-08-04 17:53:25 +08002488
Jerry Yuf8a49942022-07-07 11:32:32 +00002489 while( p < end )
2490 {
2491 unsigned int extension_type;
2492 size_t extension_data_len;
Jerry Yu0c354a22022-08-29 15:25:36 +08002493 int ret;
Jerry Yuf8a49942022-07-07 11:32:32 +00002494
Jerry Yuf8a49942022-07-07 11:32:32 +00002495 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 4 );
2496 extension_type = MBEDTLS_GET_UINT16_BE( p, 0 );
2497 extension_data_len = MBEDTLS_GET_UINT16_BE( p, 2 );
2498 p += 4;
2499
2500 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, extension_data_len );
Jerry Yuf8a49942022-07-07 11:32:32 +00002501
Jerry Yuc4bf5d62022-10-29 09:08:47 +08002502 ret = mbedtls_ssl_tls13_check_received_extension(
Jerry Yuedab6372022-10-31 14:37:31 +08002503 ssl, MBEDTLS_SSL_HS_NEW_SESSION_TICKET, extension_type,
2504 MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_NST );
Jerry Yu0c354a22022-08-29 15:25:36 +08002505 if( ret != 0 )
2506 return( ret );
Jerry Yu6ba9f1c2022-08-04 17:53:25 +08002507
Jerry Yuf8a49942022-07-07 11:32:32 +00002508 switch( extension_type )
2509 {
Jerry Yuf8a49942022-07-07 11:32:32 +00002510 default:
Jerry Yuedab6372022-10-31 14:37:31 +08002511 MBEDTLS_SSL_PRINT_EXT_TYPE(
2512 3, MBEDTLS_SSL_HS_NEW_SESSION_TICKET,
2513 extension_type, "( ignored )" );
Jerry Yuf8a49942022-07-07 11:32:32 +00002514 break;
2515 }
Jerry Yu6ba9f1c2022-08-04 17:53:25 +08002516
Jerry Yuf8a49942022-07-07 11:32:32 +00002517 p += extension_data_len;
2518 }
2519
Jerry Yuedab6372022-10-31 14:37:31 +08002520 MBEDTLS_SSL_PRINT_RECEIVED_EXTS( 3, MBEDTLS_SSL_HS_NEW_SESSION_TICKET );
Jerry Yu6ba9f1c2022-08-04 17:53:25 +08002521
Jerry Yuf8a49942022-07-07 11:32:32 +00002522 return( 0 );
2523}
2524
2525/*
Jerry Yu08aed4d2022-07-20 10:36:12 +08002526 * From RFC8446, page 74
2527 *
Jerry Yuf8a49942022-07-07 11:32:32 +00002528 * struct {
2529 * uint32 ticket_lifetime;
2530 * uint32 ticket_age_add;
2531 * opaque ticket_nonce<0..255>;
2532 * opaque ticket<1..2^16-1>;
2533 * Extension extensions<0..2^16-2>;
2534 * } NewSessionTicket;
2535 *
2536 */
Jerry Yua0446a02022-07-13 11:22:55 +08002537MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yuf8a49942022-07-07 11:32:32 +00002538static int ssl_tls13_parse_new_session_ticket( mbedtls_ssl_context *ssl,
2539 unsigned char *buf,
Jerry Yucb3b1392022-07-12 06:09:38 +00002540 unsigned char *end,
2541 unsigned char **ticket_nonce,
2542 size_t *ticket_nonce_len )
Jerry Yuf8a49942022-07-07 11:32:32 +00002543{
2544 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2545 unsigned char *p = buf;
2546 mbedtls_ssl_session *session = ssl->session;
Jerry Yuf8a49942022-07-07 11:32:32 +00002547 size_t ticket_len;
2548 unsigned char *ticket;
2549 size_t extensions_len;
Jerry Yuf8a49942022-07-07 11:32:32 +00002550
Jerry Yucb3b1392022-07-12 06:09:38 +00002551 *ticket_nonce = NULL;
2552 *ticket_nonce_len = 0;
Jerry Yuf8a49942022-07-07 11:32:32 +00002553 /*
2554 * ticket_lifetime 4 bytes
2555 * ticket_age_add 4 bytes
Jerry Yu08aed4d2022-07-20 10:36:12 +08002556 * ticket_nonce_len 1 byte
Jerry Yuf8a49942022-07-07 11:32:32 +00002557 */
Jerry Yucb3b1392022-07-12 06:09:38 +00002558 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 9 );
Jerry Yuf8a49942022-07-07 11:32:32 +00002559
2560 session->ticket_lifetime = MBEDTLS_GET_UINT32_BE( p, 0 );
Jerry Yuf8a49942022-07-07 11:32:32 +00002561 MBEDTLS_SSL_DEBUG_MSG( 3,
Jerry Yu4e6c42a2022-07-13 11:16:51 +08002562 ( "ticket_lifetime: %u",
Jerry Yuf8a49942022-07-07 11:32:32 +00002563 ( unsigned int )session->ticket_lifetime ) );
2564
Jerry Yucb3b1392022-07-12 06:09:38 +00002565 session->ticket_age_add = MBEDTLS_GET_UINT32_BE( p, 4 );
Jerry Yuf8a49942022-07-07 11:32:32 +00002566 MBEDTLS_SSL_DEBUG_MSG( 3,
Jerry Yu4e6c42a2022-07-13 11:16:51 +08002567 ( "ticket_age_add: %u",
Jerry Yuf8a49942022-07-07 11:32:32 +00002568 ( unsigned int )session->ticket_age_add ) );
2569
Jerry Yucb3b1392022-07-12 06:09:38 +00002570 *ticket_nonce_len = p[8];
2571 p += 9;
2572
2573 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, *ticket_nonce_len );
2574 *ticket_nonce = p;
2575 MBEDTLS_SSL_DEBUG_BUF( 3, "ticket_nonce:", *ticket_nonce, *ticket_nonce_len );
2576 p += *ticket_nonce_len;
Jerry Yuf8a49942022-07-07 11:32:32 +00002577
2578 /* Ticket */
Jerry Yucb3b1392022-07-12 06:09:38 +00002579 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
Jerry Yuf8a49942022-07-07 11:32:32 +00002580 ticket_len = MBEDTLS_GET_UINT16_BE( p, 0 );
2581 p += 2;
2582 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, ticket_len );
Jerry Yuf8a49942022-07-07 11:32:32 +00002583 MBEDTLS_SSL_DEBUG_BUF( 3, "received ticket", p, ticket_len ) ;
2584
2585 /* Check if we previously received a ticket already. */
2586 if( session->ticket != NULL || session->ticket_len > 0 )
2587 {
2588 mbedtls_free( session->ticket );
2589 session->ticket = NULL;
2590 session->ticket_len = 0;
2591 }
2592
2593 if( ( ticket = mbedtls_calloc( 1, ticket_len ) ) == NULL )
2594 {
2595 MBEDTLS_SSL_DEBUG_MSG( 1, ( "ticket alloc failed" ) );
2596 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
2597 }
2598 memcpy( ticket, p, ticket_len );
2599 p += ticket_len;
2600 session->ticket = ticket;
2601 session->ticket_len = ticket_len;
Jerry Yuf8a49942022-07-07 11:32:32 +00002602
Jerry Yucb3b1392022-07-12 06:09:38 +00002603 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
Jerry Yuf8a49942022-07-07 11:32:32 +00002604 extensions_len = MBEDTLS_GET_UINT16_BE( p, 0 );
2605 p += 2;
2606 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, extensions_len );
2607
Jerry Yu4e6c42a2022-07-13 11:16:51 +08002608 MBEDTLS_SSL_DEBUG_BUF( 3, "ticket extension", p, extensions_len );
Jerry Yuf8a49942022-07-07 11:32:32 +00002609
Jerry Yu4e6c42a2022-07-13 11:16:51 +08002610 ret = ssl_tls13_parse_new_session_ticket_exts( ssl, p, p + extensions_len );
Jerry Yuf8a49942022-07-07 11:32:32 +00002611 if( ret != 0 )
2612 {
2613 MBEDTLS_SSL_DEBUG_RET( 1,
Jerry Yuaf2c0c82022-07-12 05:47:21 +00002614 "ssl_tls13_parse_new_session_ticket_exts",
Jerry Yuf8a49942022-07-07 11:32:32 +00002615 ret );
2616 return( ret );
2617 }
Jerry Yucb3b1392022-07-12 06:09:38 +00002618
Jerry Yudb8c5fa2022-08-03 12:10:13 +08002619 /* session has been updated, allow export */
2620 session->exported = 0;
2621
Jerry Yucb3b1392022-07-12 06:09:38 +00002622 return( 0 );
2623}
2624
Jerry Yua0446a02022-07-13 11:22:55 +08002625MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yucb3b1392022-07-12 06:09:38 +00002626static int ssl_tls13_postprocess_new_session_ticket( mbedtls_ssl_context *ssl,
2627 unsigned char *ticket_nonce,
2628 size_t ticket_nonce_len )
2629{
2630 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2631 mbedtls_ssl_session *session = ssl->session;
2632 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
2633 psa_algorithm_t psa_hash_alg;
2634 int hash_length;
2635
Jerry Yu4e6c42a2022-07-13 11:16:51 +08002636#if defined(MBEDTLS_HAVE_TIME)
2637 /* Store ticket creation time */
Jerry Yu08aed4d2022-07-20 10:36:12 +08002638 session->ticket_received = mbedtls_time( NULL );
Jerry Yu4e6c42a2022-07-13 11:16:51 +08002639#endif
2640
Jerry Yuf8a49942022-07-07 11:32:32 +00002641 ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( session->ciphersuite );
2642 if( ciphersuite_info == NULL )
2643 {
2644 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2645 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2646 }
2647
2648 psa_hash_alg = mbedtls_psa_translate_md( ciphersuite_info->mac );
2649 hash_length = PSA_HASH_LENGTH( psa_hash_alg );
Jerry Yu3afdf362022-07-20 17:34:14 +08002650 if( hash_length == -1 ||
2651 ( size_t )hash_length > sizeof( session->resumption_key ) )
2652 {
Jerry Yuf8a49942022-07-07 11:32:32 +00002653 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Jerry Yu3afdf362022-07-20 17:34:14 +08002654 }
2655
Jerry Yuf8a49942022-07-07 11:32:32 +00002656
2657 MBEDTLS_SSL_DEBUG_BUF( 3, "resumption_master_secret",
2658 session->app_secrets.resumption_master_secret,
2659 hash_length );
2660
Jerry Yu4e6c42a2022-07-13 11:16:51 +08002661 /* Compute resumption key
Jerry Yuf8a49942022-07-07 11:32:32 +00002662 *
2663 * HKDF-Expand-Label( resumption_master_secret,
2664 * "resumption", ticket_nonce, Hash.length )
2665 */
2666 ret = mbedtls_ssl_tls13_hkdf_expand_label(
2667 psa_hash_alg,
2668 session->app_secrets.resumption_master_secret,
2669 hash_length,
2670 MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( resumption ),
2671 ticket_nonce,
2672 ticket_nonce_len,
Jerry Yu0a430c82022-07-20 11:02:48 +08002673 session->resumption_key,
Jerry Yuf8a49942022-07-07 11:32:32 +00002674 hash_length );
2675
2676 if( ret != 0 )
2677 {
2678 MBEDTLS_SSL_DEBUG_RET( 2,
2679 "Creating the ticket-resumed PSK failed",
2680 ret );
2681 return( ret );
2682 }
2683
Jerry Yu0a430c82022-07-20 11:02:48 +08002684 session->resumption_key_len = hash_length;
Jerry Yuf8a49942022-07-07 11:32:32 +00002685
2686 MBEDTLS_SSL_DEBUG_BUF( 3, "Ticket-resumed PSK",
Jerry Yu0a430c82022-07-20 11:02:48 +08002687 session->resumption_key,
2688 session->resumption_key_len );
Jerry Yuf8a49942022-07-07 11:32:32 +00002689
Jerry Yuf8a49942022-07-07 11:32:32 +00002690 return( 0 );
2691}
2692
2693/*
Jerry Yua357cf42022-07-12 05:36:45 +00002694 * Handler for MBEDTLS_SSL_NEW_SESSION_TICKET
Jerry Yuf8a49942022-07-07 11:32:32 +00002695 */
Jerry Yua0446a02022-07-13 11:22:55 +08002696MBEDTLS_CHECK_RETURN_CRITICAL
Jerry Yuf8a49942022-07-07 11:32:32 +00002697static int ssl_tls13_process_new_session_ticket( mbedtls_ssl_context *ssl )
2698{
2699 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2700 unsigned char *buf;
2701 size_t buf_len;
Jerry Yucb3b1392022-07-12 06:09:38 +00002702 unsigned char *ticket_nonce;
2703 size_t ticket_nonce_len;
Jerry Yuf8a49942022-07-07 11:32:32 +00002704
2705 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse new session ticket" ) );
2706
2707 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_fetch_handshake_msg(
2708 ssl, MBEDTLS_SSL_HS_NEW_SESSION_TICKET,
2709 &buf, &buf_len ) );
2710
Jerry Yucb3b1392022-07-12 06:09:38 +00002711 MBEDTLS_SSL_PROC_CHK( ssl_tls13_parse_new_session_ticket(
2712 ssl, buf, buf + buf_len,
2713 &ticket_nonce, &ticket_nonce_len ) );
Jerry Yuf8a49942022-07-07 11:32:32 +00002714
Jerry Yucb3b1392022-07-12 06:09:38 +00002715 MBEDTLS_SSL_PROC_CHK( ssl_tls13_postprocess_new_session_ticket(
2716 ssl, ticket_nonce, ticket_nonce_len ) );
Jerry Yuf8a49942022-07-07 11:32:32 +00002717
Jerry Yu4e6c42a2022-07-13 11:16:51 +08002718 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_HANDSHAKE_OVER );
2719
Jerry Yuf8a49942022-07-07 11:32:32 +00002720cleanup:
2721
2722 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse new session ticket" ) );
2723 return( ret );
2724}
2725#endif /* MBEDTLS_SSL_SESSION_TICKETS */
2726
Jerry Yu92c6b402021-08-27 16:59:09 +08002727int mbedtls_ssl_tls13_handshake_client_step( mbedtls_ssl_context *ssl )
Jerry Yubc20bdd2021-08-24 15:59:48 +08002728{
Jerry Yu92c6b402021-08-27 16:59:09 +08002729 int ret = 0;
Jerry Yuc8a392c2021-08-18 16:46:28 +08002730
Jerry Yu92c6b402021-08-27 16:59:09 +08002731 switch( ssl->state )
2732 {
2733 /*
Jerry Yu0c63af62021-09-02 12:59:12 +08002734 * ssl->state is initialized as HELLO_REQUEST. It is the same
2735 * as CLIENT_HELLO state.
Jerry Yu92c6b402021-08-27 16:59:09 +08002736 */
2737 case MBEDTLS_SSL_HELLO_REQUEST:
2738 case MBEDTLS_SSL_CLIENT_HELLO:
Ronald Cron3d580bf2022-02-18 17:24:56 +01002739 ret = mbedtls_ssl_write_client_hello( ssl );
Jerry Yu92c6b402021-08-27 16:59:09 +08002740 break;
2741
2742 case MBEDTLS_SSL_SERVER_HELLO:
Xiaofei Bai746f9482021-11-12 08:53:56 +00002743 ret = ssl_tls13_process_server_hello( ssl );
Jerry Yu687101b2021-09-14 16:03:56 +08002744 break;
2745
2746 case MBEDTLS_SSL_ENCRYPTED_EXTENSIONS:
XiaokangQian97799ac2021-10-11 10:05:54 +00002747 ret = ssl_tls13_process_encrypted_extensions( ssl );
Jerry Yu687101b2021-09-14 16:03:56 +08002748 break;
2749
Ronald Cron928cbd32022-10-04 16:14:26 +02002750#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
Jerry Yud2674312021-10-29 10:08:19 +08002751 case MBEDTLS_SSL_CERTIFICATE_REQUEST:
2752 ret = ssl_tls13_process_certificate_request( ssl );
2753 break;
2754
Jerry Yu687101b2021-09-14 16:03:56 +08002755 case MBEDTLS_SSL_SERVER_CERTIFICATE:
Xiaofei Bai746f9482021-11-12 08:53:56 +00002756 ret = ssl_tls13_process_server_certificate( ssl );
Jerry Yu687101b2021-09-14 16:03:56 +08002757 break;
2758
2759 case MBEDTLS_SSL_CERTIFICATE_VERIFY:
Xiaofei Bai746f9482021-11-12 08:53:56 +00002760 ret = ssl_tls13_process_certificate_verify( ssl );
Jerry Yu687101b2021-09-14 16:03:56 +08002761 break;
Ronald Cron928cbd32022-10-04 16:14:26 +02002762#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
Jerry Yu687101b2021-09-14 16:03:56 +08002763
2764 case MBEDTLS_SSL_SERVER_FINISHED:
Xiaofei Bai746f9482021-11-12 08:53:56 +00002765 ret = ssl_tls13_process_server_finished( ssl );
Jerry Yu687101b2021-09-14 16:03:56 +08002766 break;
2767
Jerry Yu566c7812022-01-26 15:41:22 +08002768 case MBEDTLS_SSL_CLIENT_CERTIFICATE:
2769 ret = ssl_tls13_write_client_certificate( ssl );
2770 break;
2771
Ronald Cron928cbd32022-10-04 16:14:26 +02002772#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
Jerry Yu566c7812022-01-26 15:41:22 +08002773 case MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY:
2774 ret = ssl_tls13_write_client_certificate_verify( ssl );
2775 break;
Ronald Cron928cbd32022-10-04 16:14:26 +02002776#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
Jerry Yu566c7812022-01-26 15:41:22 +08002777
Jerry Yu687101b2021-09-14 16:03:56 +08002778 case MBEDTLS_SSL_CLIENT_FINISHED:
XiaokangQian74af2a82021-09-22 07:40:30 +00002779 ret = ssl_tls13_write_client_finished( ssl );
Jerry Yu687101b2021-09-14 16:03:56 +08002780 break;
2781
2782 case MBEDTLS_SSL_FLUSH_BUFFERS:
Xiaofei Bai746f9482021-11-12 08:53:56 +00002783 ret = ssl_tls13_flush_buffers( ssl );
Jerry Yu687101b2021-09-14 16:03:56 +08002784 break;
2785
2786 case MBEDTLS_SSL_HANDSHAKE_WRAPUP:
Xiaofei Bai746f9482021-11-12 08:53:56 +00002787 ret = ssl_tls13_handshake_wrapup( ssl );
Jerry Yu92c6b402021-08-27 16:59:09 +08002788 break;
2789
Ronald Cron49ad6192021-11-24 16:25:31 +01002790 /*
2791 * Injection of dummy-CCS's for middlebox compatibility
2792 */
2793#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
XiaokangQian0b56a8f2021-12-22 02:39:32 +00002794 case MBEDTLS_SSL_CLIENT_CCS_BEFORE_2ND_CLIENT_HELLO:
Ronald Cron9f55f632022-02-02 16:02:47 +01002795 ret = mbedtls_ssl_tls13_write_change_cipher_spec( ssl );
2796 if( ret == 0 )
2797 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_HELLO );
2798 break;
2799
2800 case MBEDTLS_SSL_CLIENT_CCS_AFTER_SERVER_FINISHED:
2801 ret = mbedtls_ssl_tls13_write_change_cipher_spec( ssl );
2802 if( ret == 0 )
2803 mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE );
Ronald Cron49ad6192021-11-24 16:25:31 +01002804 break;
2805#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
2806
Jerry Yuf8a49942022-07-07 11:32:32 +00002807#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Jerry Yua357cf42022-07-12 05:36:45 +00002808 case MBEDTLS_SSL_NEW_SESSION_TICKET:
Jerry Yuf8a49942022-07-07 11:32:32 +00002809 ret = ssl_tls13_process_new_session_ticket( ssl );
2810 if( ret != 0 )
2811 break;
2812 ret = MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET;
2813 break;
2814#endif /* MBEDTLS_SSL_SESSION_TICKETS */
2815
Jerry Yu92c6b402021-08-27 16:59:09 +08002816 default:
2817 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) );
2818 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
2819 }
2820
2821 return( ret );
2822}
Jerry Yu65dd2cc2021-08-18 16:38:40 +08002823
Jerry Yufb4b6472022-01-27 15:03:26 +08002824#endif /* MBEDTLS_SSL_CLI_C && MBEDTLS_SSL_PROTO_TLS1_3 */
Jerry Yu3cc4c2a2021-08-06 16:29:08 +08002825
Jerry Yufb4b6472022-01-27 15:03:26 +08002826