TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / e273f7203dfa7d6533ed868a02a4a8ae73138a66 / . / library / ssl_tls13_client.c
blob: cedebad29a391ca5829d2e3ffa4cf176b1119122 [file] [log] [blame]
Jerry Yu3cc4c2a2021-08-06 16:29:08 +0800[diff] [blame]1/*
2 * TLS 1.3 client-side functions
3 *
4 * Copyright The Mbed TLS Contributors
Dave Rodgman16799db2023-11-02 19:47:20 +0000[diff] [blame]5 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
Jerry Yu3cc4c2a2021-08-06 16:29:08 +0800[diff] [blame]6 */
7
8#include "common.h"
9
Jerry Yucc43c6b2022-01-28 10:24:45 +0800[diff] [blame]10#if defined(MBEDTLS_SSL_CLI_C) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
Jerry Yu3cc4c2a2021-08-06 16:29:08 +0800[diff] [blame]11
Jerry Yubc20bdd2021-08-24 15:59:48 +0800[diff] [blame]12#include <string.h>
13
Valerio Settib4f50762024-01-17 10:24:52 +0100[diff] [blame]14#include "debug_internal.h"
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]15#include "mbedtls/error.h"
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]16#include "mbedtls/platform.h"
Jerry Yua13c7e72021-08-17 10:44:40 +0800[diff] [blame]17
Jerry Yubdc71882021-09-14 19:30:36 +0800[diff] [blame]18#include "ssl_misc.h"
Ronald Cron3d580bf2022-02-18 17:24:56 +0100[diff] [blame]19#include "ssl_client.h"
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]20#include "ssl_tls13_keys.h"
Jerry Yucbd082f2022-08-04 16:55:10 +0800[diff] [blame]21#include "ssl_debug_helpers.h"
Valerio Setti384fbde2024-01-02 13:26:40 +0100[diff] [blame]22#include "mbedtls/psa_util.h"
Jerry Yubdc71882021-09-14 19:30:36 +0800[diff] [blame]23
Valerio Settic9ae8622023-07-25 11:23:50 +0200[diff] [blame]24#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)
Andrzej Kurek00644842023-05-30 05:45:00 -0400[diff] [blame]25/* Define a local translating function to save code size by not using too many
26 * arguments in each translating place. */
27static int local_err_translation(psa_status_t status)
28{
29 return psa_status_to_mbedtls(status, psa_to_ssl_errors,
Andrzej Kurek1e4a0302023-05-30 09:45:17 -0400[diff] [blame]30 ARRAY_LENGTH(psa_to_ssl_errors),
Andrzej Kurek00644842023-05-30 05:45:00 -0400[diff] [blame]31 psa_generic_status_to_mbedtls);
32}
33#define PSA_TO_MBEDTLS_ERR(status) local_err_translation(status)
Andrzej Kureka6033ac2023-05-30 15:16:34 -0400[diff] [blame]34#endif
35
Jerry Yubc20bdd2021-08-24 15:59:48 +0800[diff] [blame]36/* Write extensions */
37
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]38/*
39 * ssl_tls13_write_supported_versions_ext():
40 *
41 * struct {
42 * ProtocolVersion versions<2..254>;
43 * } SupportedVersions;
44 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]45MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]46static int ssl_tls13_write_supported_versions_ext(mbedtls_ssl_context *ssl,
47 unsigned char *buf,
48 unsigned char *end,
49 size_t *out_len)
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]50{
51 unsigned char *p = buf;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]52 unsigned char versions_len = (ssl->handshake->min_tls_version <=
53 MBEDTLS_SSL_VERSION_TLS1_2) ? 4 : 2;
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]54
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]55 *out_len = 0;
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]56
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]57 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, adding supported versions extension"));
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]58
Jerry Yu388bd0d2021-09-15 18:41:02 +0800[diff] [blame]59 /* Check if we have space to write the extension:
Jerry Yub60e3cf2021-09-08 16:41:02 +0800[diff] [blame]60 * - extension_type (2 bytes)
61 * - extension_data_length (2 bytes)
62 * - versions_length (1 byte )
Ronald Crona77fc272022-03-30 17:20:47 +0200[diff] [blame]63 * - versions (2 or 4 bytes)
Jerry Yu159c5a02021-08-31 12:51:25 +0800[diff] [blame]64 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]65 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 5 + versions_len);
Ronald Crondbe87f02022-02-10 14:35:27 +0100[diff] [blame]66
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]67 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS, p, 0);
68 MBEDTLS_PUT_UINT16_BE(versions_len + 1, p, 2);
Jerry Yueecfbf02021-08-30 18:32:07 +0800[diff] [blame]69 p += 4;
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]70
Jerry Yu1bc2c1f2021-09-01 12:57:29 +0800[diff] [blame]71 /* Length of versions */
Ronald Crondbe87f02022-02-10 14:35:27 +0100[diff] [blame]72 *p++ = versions_len;
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]73
Jerry Yu0c63af62021-09-02 12:59:12 +0800[diff] [blame]74 /* Write values of supported versions.
Jerry Yu0c63af62021-09-02 12:59:12 +0800[diff] [blame]75 * They are defined by the configuration.
Ronald Crondbe87f02022-02-10 14:35:27 +0100[diff] [blame]76 * Currently, we advertise only TLS 1.3 or both TLS 1.3 and TLS 1.2.
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]77 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]78 mbedtls_ssl_write_version(p, MBEDTLS_SSL_TRANSPORT_STREAM,
79 MBEDTLS_SSL_VERSION_TLS1_3);
80 MBEDTLS_SSL_DEBUG_MSG(3, ("supported version: [3:4]"));
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]81
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]82
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]83 if (ssl->handshake->min_tls_version <= MBEDTLS_SSL_VERSION_TLS1_2) {
84 mbedtls_ssl_write_version(p + 2, MBEDTLS_SSL_TRANSPORT_STREAM,
85 MBEDTLS_SSL_VERSION_TLS1_2);
86 MBEDTLS_SSL_DEBUG_MSG(3, ("supported version: [3:3]"));
Ronald Crondbe87f02022-02-10 14:35:27 +0100[diff] [blame]87 }
88
89 *out_len = 5 + versions_len;
Jerry Yu4b8f2f72022-10-31 13:31:22 +0800[diff] [blame]90
Jerry Yuc4bf5d62022-10-29 09:08:47 +0800[diff] [blame]91 mbedtls_ssl_tls13_set_hs_sent_ext_mask(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]92 ssl, MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS);
Jerry Yu4b8f2f72022-10-31 13:31:22 +0800[diff] [blame]93
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]94 return 0;
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]95}
Jerry Yubc20bdd2021-08-24 15:59:48 +0800[diff] [blame]96
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]97MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]98static int ssl_tls13_parse_supported_versions_ext(mbedtls_ssl_context *ssl,
99 const unsigned char *buf,
100 const unsigned char *end)
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]101{
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]102 ((void) ssl);
103
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]104 MBEDTLS_SSL_CHK_BUF_READ_PTR(buf, end, 2);
105 if (mbedtls_ssl_read_version(buf, ssl->conf->transport) !=
106 MBEDTLS_SSL_VERSION_TLS1_3) {
107 MBEDTLS_SSL_DEBUG_MSG(1, ("unexpected version"));
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]108
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]109 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
110 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
111 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]112 }
113
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]114 if (&buf[2] != end) {
Xiaokang Qian91bb3f02023-04-03 09:07:03 +0000[diff] [blame]115 MBEDTLS_SSL_DEBUG_MSG(
116 1, ("supported_versions ext data length incorrect"));
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]117 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
118 MBEDTLS_ERR_SSL_DECODE_ERROR);
119 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Ronald Cron98473382022-03-30 20:04:10 +0200[diff] [blame]120 }
121
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]122 return 0;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]123}
124
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]125#if defined(MBEDTLS_SSL_ALPN)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]126MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]127static int ssl_tls13_parse_alpn_ext(mbedtls_ssl_context *ssl,
128 const unsigned char *buf, size_t len)
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]129{
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]130 const unsigned char *p = buf;
131 const unsigned char *end = buf + len;
Ronald Cron81a334f2022-05-31 16:04:11 +0200[diff] [blame]132 size_t protocol_name_list_len, protocol_name_len;
133 const unsigned char *protocol_name_list_end;
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]134
135 /* If we didn't send it, the server shouldn't send it */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]136 if (ssl->conf->alpn_list == NULL) {
137 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
138 }
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]139
140 /*
141 * opaque ProtocolName<1..2^8-1>;
142 *
143 * struct {
144 * ProtocolName protocol_name_list<2..2^16-1>
145 * } ProtocolNameList;
146 *
147 * the "ProtocolNameList" MUST contain exactly one "ProtocolName"
148 */
149
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]150 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
151 protocol_name_list_len = MBEDTLS_GET_UINT16_BE(p, 0);
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]152 p += 2;
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]153
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]154 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, protocol_name_list_len);
Ronald Cron81a334f2022-05-31 16:04:11 +0200[diff] [blame]155 protocol_name_list_end = p + protocol_name_list_len;
156
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]157 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, protocol_name_list_end, 1);
Ronald Cron81a334f2022-05-31 16:04:11 +0200[diff] [blame]158 protocol_name_len = *p++;
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]159
160 /* Check that the server chosen protocol was in our list and save it */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]161 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, protocol_name_list_end, protocol_name_len);
162 for (const char **alpn = ssl->conf->alpn_list; *alpn != NULL; alpn++) {
163 if (protocol_name_len == strlen(*alpn) &&
164 memcmp(p, *alpn, protocol_name_len) == 0) {
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]165 ssl->alpn_chosen = *alpn;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]166 return 0;
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]167 }
168 }
169
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]170 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]171}
172#endif /* MBEDTLS_SSL_ALPN */
173
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]174MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]175static int ssl_tls13_reset_key_share(mbedtls_ssl_context *ssl)
XiaokangQian647719a2021-12-07 09:16:29 +0000[diff] [blame]176{
177 uint16_t group_id = ssl->handshake->offered_group_id;
Ronald Cron5b98ac92022-03-15 10:19:18 +0100[diff] [blame]178
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]179 if (group_id == 0) {
180 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
181 }
XiaokangQian647719a2021-12-07 09:16:29 +0000[diff] [blame]182
Valerio Settic9ae8622023-07-25 11:23:50 +0200[diff] [blame]183#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)
Przemek Stekielc89f3ea2023-05-18 15:45:53 +0200[diff] [blame]184 if (mbedtls_ssl_tls13_named_group_is_ecdhe(group_id) ||
Przemek Stekield5f79e72023-06-29 09:08:43 +0200[diff] [blame]185 mbedtls_ssl_tls13_named_group_is_ffdh(group_id)) {
Ronald Cron5b98ac92022-03-15 10:19:18 +0100[diff] [blame]186 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
187 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
188
189 /* Destroy generated private key. */
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]190 status = psa_destroy_key(ssl->handshake->xxdh_psa_privkey);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]191 if (status != PSA_SUCCESS) {
Andrzej Kurek8a045ce2022-12-23 11:00:06 -0500[diff] [blame]192 ret = PSA_TO_MBEDTLS_ERR(status);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]193 MBEDTLS_SSL_DEBUG_RET(1, "psa_destroy_key", ret);
194 return ret;
Ronald Cron5b98ac92022-03-15 10:19:18 +0100[diff] [blame]195 }
196
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]197 ssl->handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]198 return 0;
199 } else
Valerio Settic9ae8622023-07-25 11:23:50 +0200[diff] [blame]200#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]201 if (0 /* other KEMs? */) {
XiaokangQian647719a2021-12-07 09:16:29 +0000[diff] [blame]202 /* Do something */
203 }
204
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]205 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
XiaokangQian647719a2021-12-07 09:16:29 +0000[diff] [blame]206}
207
208/*
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]209 * Functions for writing key_share extension.
210 */
Ronald Cron766c0cd2022-10-18 12:17:11 +0200[diff] [blame]211#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]212MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]213static int ssl_tls13_get_default_group_id(mbedtls_ssl_context *ssl,
214 uint16_t *group_id)
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]215{
216 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
217
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]218
Przemek Stekielc89f3ea2023-05-18 15:45:53 +0200[diff] [blame]219#if defined(PSA_WANT_ALG_ECDH) || defined(PSA_WANT_ALG_FFDH)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]220 const uint16_t *group_list = mbedtls_ssl_get_groups(ssl);
Jerry Yu388bd0d2021-09-15 18:41:02 +0800[diff] [blame]221 /* Pick first available ECDHE group compatible with TLS 1.3 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]222 if (group_list == NULL) {
223 return MBEDTLS_ERR_SSL_BAD_CONFIG;
224 }
Jerry Yu388bd0d2021-09-15 18:41:02 +0800[diff] [blame]225
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]226 for (; *group_list != 0; group_list++) {
Przemek Stekiela05e9c12023-06-15 16:58:51 +0200[diff] [blame]227#if defined(PSA_WANT_ALG_ECDH)
Xiaokang Qian958b6ff2023-03-29 10:37:35 +0000[diff] [blame]228 if ((mbedtls_ssl_get_psa_curve_info_from_tls_id(
229 *group_list, NULL, NULL) == PSA_SUCCESS) &&
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]230 mbedtls_ssl_tls13_named_group_is_ecdhe(*group_list)) {
Brett Warren14efd332021-10-06 09:32:11 +0100[diff] [blame]231 *group_id = *group_list;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]232 return 0;
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]233 }
Przemek Stekiela05e9c12023-06-15 16:58:51 +0200[diff] [blame]234#endif
235#if defined(PSA_WANT_ALG_FFDH)
Przemek Stekield5f79e72023-06-29 09:08:43 +0200[diff] [blame]236 if (mbedtls_ssl_tls13_named_group_is_ffdh(*group_list)) {
Przemek Stekiela05e9c12023-06-15 16:58:51 +0200[diff] [blame]237 *group_id = *group_list;
238 return 0;
239 }
240#endif
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]241 }
242#else
243 ((void) ssl);
Jerry Yub60e3cf2021-09-08 16:41:02 +0800[diff] [blame]244 ((void) group_id);
Przemek Stekielc89f3ea2023-05-18 15:45:53 +0200[diff] [blame]245#endif /* PSA_WANT_ALG_ECDH || PSA_WANT_ALG_FFDH */
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]246
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]247 return ret;
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]248}
249
250/*
251 * ssl_tls13_write_key_share_ext
252 *
Jerry Yu388bd0d2021-09-15 18:41:02 +0800[diff] [blame]253 * Structure of key_share extension in ClientHello:
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]254 *
255 * struct {
256 * NamedGroup group;
257 * opaque key_exchange<1..2^16-1>;
258 * } KeyShareEntry;
259 * struct {
260 * KeyShareEntry client_shares<0..2^16-1>;
261 * } KeyShareClientHello;
262 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]263MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]264static int ssl_tls13_write_key_share_ext(mbedtls_ssl_context *ssl,
265 unsigned char *buf,
266 unsigned char *end,
267 size_t *out_len)
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]268{
269 unsigned char *p = buf;
Xiaofei Baieef15042021-11-18 07:29:56 +0000[diff] [blame]270 unsigned char *client_shares; /* Start of client_shares */
271 size_t client_shares_len; /* Length of client_shares */
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]272 uint16_t group_id;
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]273 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
274
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]275 *out_len = 0;
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]276
Jerry Yub60e3cf2021-09-08 16:41:02 +0800[diff] [blame]277 /* Check if we have space for header and length fields:
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]278 * - extension_type (2 bytes)
279 * - extension_data_length (2 bytes)
280 * - client_shares_length (2 bytes)
281 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]282 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 6);
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]283 p += 6;
284
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]285 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello: adding key share extension"));
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]286
287 /* HRR could already have requested something else. */
288 group_id = ssl->handshake->offered_group_id;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]289 if (!mbedtls_ssl_tls13_named_group_is_ecdhe(group_id) &&
Przemek Stekield5f79e72023-06-29 09:08:43 +0200[diff] [blame]290 !mbedtls_ssl_tls13_named_group_is_ffdh(group_id)) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]291 MBEDTLS_SSL_PROC_CHK(ssl_tls13_get_default_group_id(ssl,
292 &group_id));
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]293 }
294
295 /*
296 * Dispatch to type-specific key generation function.
297 *
298 * So far, we're only supporting ECDHE. With the introduction
299 * of PQC KEMs, we'll want to have multiple branches, one per
300 * type of KEM, and dispatch to the corresponding crypto. And
301 * only one key share entry is allowed.
302 */
Xiaofei Baieef15042021-11-18 07:29:56 +0000[diff] [blame]303 client_shares = p;
Przemek Stekielc89f3ea2023-05-18 15:45:53 +0200[diff] [blame]304#if defined(PSA_WANT_ALG_ECDH) || defined(PSA_WANT_ALG_FFDH)
305 if (mbedtls_ssl_tls13_named_group_is_ecdhe(group_id) ||
Przemek Stekield5f79e72023-06-29 09:08:43 +0200[diff] [blame]306 mbedtls_ssl_tls13_named_group_is_ffdh(group_id)) {
Jerry Yu388bd0d2021-09-15 18:41:02 +0800[diff] [blame]307 /* Pointer to group */
Xiaofei Baieef15042021-11-18 07:29:56 +0000[diff] [blame]308 unsigned char *group = p;
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]309 /* Length of key_exchange */
Przemyslaw Stekiel4f419e52022-02-10 15:56:26 +0100[diff] [blame]310 size_t key_exchange_len = 0;
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]311
312 /* Check there is space for header of KeyShareEntry
313 * - group (2 bytes)
314 * - key_exchange_length (2 bytes)
315 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]316 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 4);
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]317 p += 4;
Przemek Stekiel408569f2023-07-06 11:26:44 +0200[diff] [blame]318 ret = mbedtls_ssl_tls13_generate_and_write_xxdh_key_exchange(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]319 ssl, group_id, p, end, &key_exchange_len);
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]320 p += key_exchange_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]321 if (ret != 0) {
322 return ret;
323 }
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]324
325 /* Write group */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]326 MBEDTLS_PUT_UINT16_BE(group_id, group, 0);
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]327 /* Write key_exchange_length */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]328 MBEDTLS_PUT_UINT16_BE(key_exchange_len, group, 2);
329 } else
Przemek Stekielc89f3ea2023-05-18 15:45:53 +0200[diff] [blame]330#endif /* PSA_WANT_ALG_ECDH || PSA_WANT_ALG_FFDH */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]331 if (0 /* other KEMs? */) {
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]332 /* Do something */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]333 } else {
334 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]335 }
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]336
Jerry Yub60e3cf2021-09-08 16:41:02 +0800[diff] [blame]337 /* Length of client_shares */
Xiaofei Baieef15042021-11-18 07:29:56 +0000[diff] [blame]338 client_shares_len = p - client_shares;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]339 if (client_shares_len == 0) {
340 MBEDTLS_SSL_DEBUG_MSG(1, ("No key share defined."));
341 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Jerry Yu7c522d42021-09-08 17:55:09 +0800[diff] [blame]342 }
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]343 /* Write extension_type */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]344 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_KEY_SHARE, buf, 0);
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]345 /* Write extension_data_length */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]346 MBEDTLS_PUT_UINT16_BE(client_shares_len + 2, buf, 2);
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]347 /* Write client_shares_length */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]348 MBEDTLS_PUT_UINT16_BE(client_shares_len, buf, 4);
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]349
350 /* Update offered_group_id field */
351 ssl->handshake->offered_group_id = group_id;
352
353 /* Output the total length of key_share extension. */
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]354 *out_len = p - buf;
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]355
Xiaokang Qian91bb3f02023-04-03 09:07:03 +0000[diff] [blame]356 MBEDTLS_SSL_DEBUG_BUF(
357 3, "client hello, key_share extension", buf, *out_len);
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]358
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]359 mbedtls_ssl_tls13_set_hs_sent_ext_mask(ssl, MBEDTLS_TLS_EXT_KEY_SHARE);
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]360
361cleanup:
362
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]363 return ret;
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]364}
Ronald Cron766c0cd2022-10-18 12:17:11 +0200[diff] [blame]365#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED */
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]366
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]367/*
368 * ssl_tls13_parse_hrr_key_share_ext()
369 * Parse key_share extension in Hello Retry Request
370 *
371 * struct {
372 * NamedGroup selected_group;
373 * } KeyShareHelloRetryRequest;
374 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]375MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]376static int ssl_tls13_parse_hrr_key_share_ext(mbedtls_ssl_context *ssl,
377 const unsigned char *buf,
378 const unsigned char *end)
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]379{
Przemek Stekiel75a5a9c2023-06-12 11:21:18 +0200[diff] [blame]380#if defined(PSA_WANT_ALG_ECDH) || defined(PSA_WANT_ALG_FFDH)
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]381 const unsigned char *p = buf;
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]382 int selected_group;
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]383 int found = 0;
384
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]385 const uint16_t *group_list = mbedtls_ssl_get_groups(ssl);
386 if (group_list == NULL) {
387 return MBEDTLS_ERR_SSL_BAD_CONFIG;
388 }
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]389
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]390 MBEDTLS_SSL_DEBUG_BUF(3, "key_share extension", p, end - buf);
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]391
392 /* Read selected_group */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]393 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
394 selected_group = MBEDTLS_GET_UINT16_BE(p, 0);
395 MBEDTLS_SSL_DEBUG_MSG(3, ("selected_group ( %d )", selected_group));
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]396
397 /* Upon receipt of this extension in a HelloRetryRequest, the client
398 * MUST first verify that the selected_group field corresponds to a
399 * group which was provided in the "supported_groups" extension in the
400 * original ClientHello.
401 * The supported_group was based on the info in ssl->conf->group_list.
402 *
403 * If the server provided a key share that was not sent in the ClientHello
404 * then the client MUST abort the handshake with an "illegal_parameter" alert.
405 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]406 for (; *group_list != 0; group_list++) {
Przemek Stekiel75a5a9c2023-06-12 11:21:18 +0200[diff] [blame]407#if defined(PSA_WANT_ALG_ECDH)
Przemek Stekielc89f3ea2023-05-18 15:45:53 +0200[diff] [blame]408 if (mbedtls_ssl_tls13_named_group_is_ecdhe(*group_list)) {
409 if ((mbedtls_ssl_get_psa_curve_info_from_tls_id(
410 *group_list, NULL, NULL) == PSA_ERROR_NOT_SUPPORTED) ||
411 *group_list != selected_group) {
412 found = 1;
413 break;
414 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]415 }
Przemek Stekiel75a5a9c2023-06-12 11:21:18 +0200[diff] [blame]416#endif /* PSA_WANT_ALG_ECDH */
417#if defined(PSA_WANT_ALG_FFDH)
Przemek Stekield5f79e72023-06-29 09:08:43 +0200[diff] [blame]418 if (mbedtls_ssl_tls13_named_group_is_ffdh(*group_list)) {
Przemek Stekielc89f3ea2023-05-18 15:45:53 +0200[diff] [blame]419 found = 1;
420 break;
421 }
Przemek Stekiel75a5a9c2023-06-12 11:21:18 +0200[diff] [blame]422#endif /* PSA_WANT_ALG_FFDH */
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]423 }
424
425 /* Client MUST verify that the selected_group field does not
426 * correspond to a group which was provided in the "key_share"
427 * extension in the original ClientHello. If the server sent an
428 * HRR message with a key share already provided in the
429 * ClientHello then the client MUST abort the handshake with
430 * an "illegal_parameter" alert.
431 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]432 if (found == 0 || selected_group == ssl->handshake->offered_group_id) {
433 MBEDTLS_SSL_DEBUG_MSG(1, ("Invalid key share in HRR"));
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]434 MBEDTLS_SSL_PEND_FATAL_ALERT(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]435 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
436 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
437 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]438 }
439
440 /* Remember server's preference for next ClientHello */
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]441 ssl->handshake->offered_group_id = selected_group;
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]442
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]443 return 0;
Przemek Stekiel75a5a9c2023-06-12 11:21:18 +0200[diff] [blame]444#else /* PSA_WANT_ALG_ECDH || PSA_WANT_ALG_FFDH */
Andrzej Kurekc19fb082022-10-03 10:52:24 -0400[diff] [blame]445 (void) ssl;
446 (void) buf;
447 (void) end;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]448 return MBEDTLS_ERR_SSL_BAD_CONFIG;
Przemek Stekiel75a5a9c2023-06-12 11:21:18 +0200[diff] [blame]449#endif /* PSA_WANT_ALG_ECDH || PSA_WANT_ALG_FFDH */
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]450}
451
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]452/*
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]453 * ssl_tls13_parse_key_share_ext()
454 * Parse key_share extension in Server Hello
455 *
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]456 * struct {
457 * KeyShareEntry server_share;
458 * } KeyShareServerHello;
459 * struct {
460 * NamedGroup group;
461 * opaque key_exchange<1..2^16-1>;
462 * } KeyShareEntry;
463 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]464MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]465static int ssl_tls13_parse_key_share_ext(mbedtls_ssl_context *ssl,
466 const unsigned char *buf,
467 const unsigned char *end)
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]468{
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]469 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]470 const unsigned char *p = buf;
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]471 uint16_t group, offered_group;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]472
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]473 /* ...
474 * NamedGroup group; (2 bytes)
475 * ...
476 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]477 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
478 group = MBEDTLS_GET_UINT16_BE(p, 0);
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]479 p += 2;
480
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]481 /* Check that the chosen group matches the one we offered. */
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]482 offered_group = ssl->handshake->offered_group_id;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]483 if (offered_group != group) {
Xiaokang Qian958b6ff2023-03-29 10:37:35 +0000[diff] [blame]484 MBEDTLS_SSL_DEBUG_MSG(
485 1, ("Invalid server key share, our group %u, their group %u",
486 (unsigned) offered_group, (unsigned) group));
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]487 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
488 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE);
489 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]490 }
491
Valerio Settic9ae8622023-07-25 11:23:50 +0200[diff] [blame]492#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)
Przemek Stekielc89f3ea2023-05-18 15:45:53 +0200[diff] [blame]493 if (mbedtls_ssl_tls13_named_group_is_ecdhe(group) ||
Przemek Stekield5f79e72023-06-29 09:08:43 +0200[diff] [blame]494 mbedtls_ssl_tls13_named_group_is_ffdh(group)) {
Przemek Stekiel75a5a9c2023-06-12 11:21:18 +0200[diff] [blame]495 MBEDTLS_SSL_DEBUG_MSG(2,
496 ("DHE group name: %s", mbedtls_ssl_named_group_to_str(group)));
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]497 ret = mbedtls_ssl_tls13_read_public_xxdhe_share(ssl, p, end - p);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]498 if (ret != 0) {
499 return ret;
500 }
501 } else
Valerio Settic9ae8622023-07-25 11:23:50 +0200[diff] [blame]502#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]503 if (0 /* other KEMs? */) {
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]504 /* Do something */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]505 } else {
506 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]507 }
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]508
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]509 return ret;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]510}
511
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]512/*
513 * ssl_tls13_parse_cookie_ext()
514 * Parse cookie extension in Hello Retry Request
515 *
516 * struct {
517 * opaque cookie<1..2^16-1>;
518 * } Cookie;
519 *
520 * When sending a HelloRetryRequest, the server MAY provide a "cookie"
521 * extension to the client (this is an exception to the usual rule that
522 * the only extensions that may be sent are those that appear in the
523 * ClientHello). When sending the new ClientHello, the client MUST copy
524 * the contents of the extension received in the HelloRetryRequest into
525 * a "cookie" extension in the new ClientHello. Clients MUST NOT use
526 * cookies in their initial ClientHello in subsequent connections.
527 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]528MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]529static int ssl_tls13_parse_cookie_ext(mbedtls_ssl_context *ssl,
530 const unsigned char *buf,
531 const unsigned char *end)
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]532{
XiaokangQian25c9c902022-02-08 10:49:53 +0000[diff] [blame]533 uint16_t cookie_len;
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]534 const unsigned char *p = buf;
535 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
536
537 /* Retrieve length field of cookie */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]538 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
539 cookie_len = MBEDTLS_GET_UINT16_BE(p, 0);
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]540 p += 2;
541
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]542 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, cookie_len);
543 MBEDTLS_SSL_DEBUG_BUF(3, "cookie extension", p, cookie_len);
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]544
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]545 mbedtls_free(handshake->cookie);
Jerry Yuac5ca5a2022-03-04 12:50:46 +0800[diff] [blame]546 handshake->cookie_len = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]547 handshake->cookie = mbedtls_calloc(1, cookie_len);
548 if (handshake->cookie == NULL) {
549 MBEDTLS_SSL_DEBUG_MSG(1,
550 ("alloc failed ( %ud bytes )",
551 cookie_len));
552 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]553 }
554
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]555 memcpy(handshake->cookie, p, cookie_len);
Jerry Yuac5ca5a2022-03-04 12:50:46 +0800[diff] [blame]556 handshake->cookie_len = cookie_len;
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]557
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]558 return 0;
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]559}
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]560
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]561MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]562static int ssl_tls13_write_cookie_ext(mbedtls_ssl_context *ssl,
563 unsigned char *buf,
564 unsigned char *end,
565 size_t *out_len)
XiaokangQian0b64eed2022-01-27 10:36:51 +0000[diff] [blame]566{
567 unsigned char *p = buf;
XiaokangQian9deb90f2022-02-08 10:31:07 +0000[diff] [blame]568 *out_len = 0;
XiaokangQianc02768a2022-02-10 07:31:25 +0000[diff] [blame]569 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
XiaokangQian0b64eed2022-01-27 10:36:51 +0000[diff] [blame]570
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]571 if (handshake->cookie == NULL) {
572 MBEDTLS_SSL_DEBUG_MSG(3, ("no cookie to send; skip extension"));
573 return 0;
XiaokangQian0b64eed2022-01-27 10:36:51 +0000[diff] [blame]574 }
575
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]576 MBEDTLS_SSL_DEBUG_BUF(3, "client hello, cookie",
577 handshake->cookie,
578 handshake->cookie_len);
XiaokangQian0b64eed2022-01-27 10:36:51 +0000[diff] [blame]579
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]580 MBEDTLS_SSL_CHK_BUF_PTR(p, end, handshake->cookie_len + 6);
XiaokangQian0b64eed2022-01-27 10:36:51 +0000[diff] [blame]581
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]582 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, adding cookie extension"));
XiaokangQian0b64eed2022-01-27 10:36:51 +0000[diff] [blame]583
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]584 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_COOKIE, p, 0);
585 MBEDTLS_PUT_UINT16_BE(handshake->cookie_len + 2, p, 2);
586 MBEDTLS_PUT_UINT16_BE(handshake->cookie_len, p, 4);
XiaokangQian233397e2022-02-07 08:32:16 +0000[diff] [blame]587 p += 6;
XiaokangQian0b64eed2022-01-27 10:36:51 +0000[diff] [blame]588
589 /* Cookie */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]590 memcpy(p, handshake->cookie, handshake->cookie_len);
XiaokangQian0b64eed2022-01-27 10:36:51 +0000[diff] [blame]591
Jerry Yuac5ca5a2022-03-04 12:50:46 +0800[diff] [blame]592 *out_len = handshake->cookie_len + 6;
XiaokangQian0b64eed2022-01-27 10:36:51 +0000[diff] [blame]593
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]594 mbedtls_ssl_tls13_set_hs_sent_ext_mask(ssl, MBEDTLS_TLS_EXT_COOKIE);
Jerry Yu4b8f2f72022-10-31 13:31:22 +0800[diff] [blame]595
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]596 return 0;
XiaokangQian0b64eed2022-01-27 10:36:51 +0000[diff] [blame]597}
598
Ronald Cron41a443a2022-10-04 16:38:25 +0200[diff] [blame]599#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]600/*
601 * ssl_tls13_write_psk_key_exchange_modes_ext() structure:
602 *
603 * enum { psk_ke( 0 ), psk_dhe_ke( 1 ), ( 255 ) } PskKeyExchangeMode;
604 *
605 * struct {
606 * PskKeyExchangeMode ke_modes<1..255>;
607 * } PskKeyExchangeModes;
608 */
XiaokangQian86981952022-07-19 09:51:50 +0000[diff] [blame]609MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]610static int ssl_tls13_write_psk_key_exchange_modes_ext(mbedtls_ssl_context *ssl,
611 unsigned char *buf,
612 unsigned char *end,
613 size_t *out_len)
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]614{
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]615 unsigned char *p = buf;
XiaokangQian008d2bf2022-07-14 07:54:01 +0000[diff] [blame]616 int ke_modes_len = 0;
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]617
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]618 ((void) ke_modes_len);
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]619 *out_len = 0;
XiaokangQian008d2bf2022-07-14 07:54:01 +0000[diff] [blame]620
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]621 /* Skip writing extension if no PSK key exchange mode
XiaokangQian7c12d312022-07-20 07:25:43 +0000[diff] [blame]622 * is enabled in the config.
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]623 */
Pengyu Lv0a1ff2b2023-11-14 11:03:32 +0800[diff] [blame]624 if (!mbedtls_ssl_conf_tls13_is_some_psk_enabled(ssl)) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]625 MBEDTLS_SSL_DEBUG_MSG(3, ("skip psk_key_exchange_modes extension"));
626 return 0;
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]627 }
628
629 /* Require 7 bytes of data, otherwise fail,
630 * even if extension might be shorter.
631 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]632 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 7);
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]633 MBEDTLS_SSL_DEBUG_MSG(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]634 3, ("client hello, adding psk_key_exchange_modes extension"));
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]635
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]636 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES, p, 0);
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]637
XiaokangQian008d2bf2022-07-14 07:54:01 +0000[diff] [blame]638 /* Skip extension length (2 bytes) and
639 * ke_modes length (1 byte) for now.
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]640 */
641 p += 5;
642
Pengyu Lv0a1ff2b2023-11-14 11:03:32 +0800[diff] [blame]643 if (mbedtls_ssl_conf_tls13_is_psk_ephemeral_enabled(ssl)) {
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]644 *p++ = MBEDTLS_SSL_TLS1_3_PSK_MODE_ECDHE;
XiaokangQian008d2bf2022-07-14 07:54:01 +0000[diff] [blame]645 ke_modes_len++;
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]646
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]647 MBEDTLS_SSL_DEBUG_MSG(4, ("Adding PSK-ECDHE key exchange mode"));
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]648 }
649
Pengyu Lv0a1ff2b2023-11-14 11:03:32 +0800[diff] [blame]650 if (mbedtls_ssl_conf_tls13_is_psk_enabled(ssl)) {
Ronald Crona709a0f2022-09-27 16:46:11 +0200[diff] [blame]651 *p++ = MBEDTLS_SSL_TLS1_3_PSK_MODE_PURE;
652 ke_modes_len++;
653
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]654 MBEDTLS_SSL_DEBUG_MSG(4, ("Adding pure PSK key exchange mode"));
Ronald Crona709a0f2022-09-27 16:46:11 +0200[diff] [blame]655 }
656
XiaokangQian008d2bf2022-07-14 07:54:01 +0000[diff] [blame]657 /* Now write the extension and ke_modes length */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]658 MBEDTLS_PUT_UINT16_BE(ke_modes_len + 1, buf, 2);
XiaokangQian008d2bf2022-07-14 07:54:01 +0000[diff] [blame]659 buf[4] = ke_modes_len;
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]660
661 *out_len = p - buf;
Jerry Yu0c354a22022-08-29 15:25:36 +0800[diff] [blame]662
Jerry Yuc4bf5d62022-10-29 09:08:47 +0800[diff] [blame]663 mbedtls_ssl_tls13_set_hs_sent_ext_mask(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]664 ssl, MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES);
Jerry Yu4b8f2f72022-10-31 13:31:22 +0800[diff] [blame]665
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]666 return 0;
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]667}
Jerry Yudb8c5fa2022-08-03 12:10:13 +0800[diff] [blame]668
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]669static psa_algorithm_t ssl_tls13_get_ciphersuite_hash_alg(int ciphersuite)
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]670{
Jerry Yu21f90952022-10-08 10:30:53 +0800[diff] [blame]671 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = NULL;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]672 ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(ciphersuite);
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]673
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]674 if (ciphersuite_info != NULL) {
Dave Rodgman2eab4622023-10-05 13:30:37 +0100[diff] [blame]675 return mbedtls_md_psa_alg_from_type((mbedtls_md_type_t) ciphersuite_info->mac);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]676 }
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]677
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]678 return PSA_ALG_NONE;
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]679}
680
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]681#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]682static int ssl_tls13_has_configured_ticket(mbedtls_ssl_context *ssl)
Xiaokang Qianb781a232022-11-01 07:39:46 +0000[diff] [blame]683{
684 mbedtls_ssl_session *session = ssl->session_negotiate;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]685 return ssl->handshake->resume &&
Pengyu Lv93566782022-12-07 12:10:05 +0800[diff] [blame]686 session != NULL && session->ticket != NULL &&
Pengyu Lvfc2cb962023-11-10 10:22:36 +0800[diff] [blame]687 mbedtls_ssl_conf_tls13_is_kex_mode_enabled(
Pengyu Lv94a42cc2023-12-06 10:04:17 +0800[diff] [blame]688 ssl, mbedtls_ssl_tls13_session_get_ticket_flags(
Pengyu Lv9b84ea72023-01-16 14:08:23 +0800[diff] [blame]689 session, MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL));
Xiaokang Qianb781a232022-11-01 07:39:46 +0000[diff] [blame]690}
691
Xiaokang Qian01323a42022-11-03 02:27:35 +0000[diff] [blame]692#if defined(MBEDTLS_SSL_EARLY_DATA)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]693static int ssl_tls13_early_data_has_valid_ticket(mbedtls_ssl_context *ssl)
Xiaokang Qian01323a42022-11-03 02:27:35 +0000[diff] [blame]694{
695 mbedtls_ssl_session *session = ssl->session_negotiate;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]696 return ssl->handshake->resume &&
697 session->tls_version == MBEDTLS_SSL_VERSION_TLS1_3 &&
Pengyu Lv94a42cc2023-12-06 10:04:17 +0800[diff] [blame]698 mbedtls_ssl_tls13_session_ticket_allow_early_data(session) &&
Jerry Yuc2b1bc42023-11-22 10:08:13 +0800[diff] [blame]699 mbedtls_ssl_tls13_cipher_suite_is_offered(ssl, session->ciphersuite);
Xiaokang Qian01323a42022-11-03 02:27:35 +0000[diff] [blame]700}
701#endif
702
Xiaokang Qianb781a232022-11-01 07:39:46 +0000[diff] [blame]703MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]704static int ssl_tls13_ticket_get_identity(mbedtls_ssl_context *ssl,
705 psa_algorithm_t *hash_alg,
706 const unsigned char **identity,
707 size_t *identity_len)
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]708{
709 mbedtls_ssl_session *session = ssl->session_negotiate;
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]710
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]711 if (!ssl_tls13_has_configured_ticket(ssl)) {
712 return -1;
713 }
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]714
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]715 *hash_alg = ssl_tls13_get_ciphersuite_hash_alg(session->ciphersuite);
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]716 *identity = session->ticket;
717 *identity_len = session->ticket_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]718 return 0;
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]719}
720
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]721MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]722static int ssl_tls13_ticket_get_psk(mbedtls_ssl_context *ssl,
723 psa_algorithm_t *hash_alg,
724 const unsigned char **psk,
725 size_t *psk_len)
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]726{
727
728 mbedtls_ssl_session *session = ssl->session_negotiate;
729
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]730 if (!ssl_tls13_has_configured_ticket(ssl)) {
731 return -1;
732 }
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]733
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]734 *hash_alg = ssl_tls13_get_ciphersuite_hash_alg(session->ciphersuite);
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]735 *psk = session->resumption_key;
736 *psk_len = session->resumption_key_len;
737
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]738 return 0;
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]739}
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]740#endif /* MBEDTLS_SSL_SESSION_TICKETS */
741
742MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]743static int ssl_tls13_psk_get_identity(mbedtls_ssl_context *ssl,
744 psa_algorithm_t *hash_alg,
745 const unsigned char **identity,
746 size_t *identity_len)
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]747{
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]748
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]749 if (!mbedtls_ssl_conf_has_static_psk(ssl->conf)) {
750 return -1;
751 }
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]752
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]753 *hash_alg = PSA_ALG_SHA_256;
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]754 *identity = ssl->conf->psk_identity;
755 *identity_len = ssl->conf->psk_identity_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]756 return 0;
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]757}
758
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]759MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]760static int ssl_tls13_psk_get_psk(mbedtls_ssl_context *ssl,
761 psa_algorithm_t *hash_alg,
762 const unsigned char **psk,
763 size_t *psk_len)
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]764{
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]765
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]766 if (!mbedtls_ssl_conf_has_static_psk(ssl->conf)) {
767 return -1;
768 }
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]769
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]770 *hash_alg = PSA_ALG_SHA_256;
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]771 *psk = ssl->conf->psk;
772 *psk_len = ssl->conf->psk_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]773 return 0;
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]774}
775
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]776static int ssl_tls13_get_configured_psk_count(mbedtls_ssl_context *ssl)
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]777{
778 int configured_psk_count = 0;
779#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]780 if (ssl_tls13_has_configured_ticket(ssl)) {
781 MBEDTLS_SSL_DEBUG_MSG(3, ("Ticket is configured"));
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]782 configured_psk_count++;
783 }
784#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]785 if (mbedtls_ssl_conf_has_static_psk(ssl->conf)) {
786 MBEDTLS_SSL_DEBUG_MSG(3, ("PSK is configured"));
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]787 configured_psk_count++;
788 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]789 return configured_psk_count;
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]790}
791
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]792MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]793static int ssl_tls13_write_identity(mbedtls_ssl_context *ssl,
794 unsigned char *buf,
795 unsigned char *end,
796 const unsigned char *identity,
797 size_t identity_len,
798 uint32_t obfuscated_ticket_age,
799 size_t *out_len)
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]800{
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]801 ((void) ssl);
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]802 *out_len = 0;
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]803
804 /*
805 * - identity_len (2 bytes)
806 * - identity (psk_identity_len bytes)
807 * - obfuscated_ticket_age (4 bytes)
808 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]809 MBEDTLS_SSL_CHK_BUF_PTR(buf, end, 6 + identity_len);
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]810
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]811 MBEDTLS_PUT_UINT16_BE(identity_len, buf, 0);
812 memcpy(buf + 2, identity, identity_len);
813 MBEDTLS_PUT_UINT32_BE(obfuscated_ticket_age, buf, 2 + identity_len);
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]814
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]815 MBEDTLS_SSL_DEBUG_BUF(4, "write identity", buf, 6 + identity_len);
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]816
817 *out_len = 6 + identity_len;
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]818
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]819 return 0;
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]820}
821
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]822MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]823static int ssl_tls13_write_binder(mbedtls_ssl_context *ssl,
824 unsigned char *buf,
825 unsigned char *end,
826 int psk_type,
827 psa_algorithm_t hash_alg,
828 const unsigned char *psk,
829 size_t psk_len,
830 size_t *out_len)
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]831{
832 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]833 unsigned char binder_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]834 unsigned char transcript[MBEDTLS_TLS1_3_MD_MAX_SIZE];
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]835 size_t transcript_len = 0;
836
837 *out_len = 0;
838
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]839 binder_len = PSA_HASH_LENGTH(hash_alg);
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]840
841 /*
842 * - binder_len (1 bytes)
843 * - binder (binder_len bytes)
844 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]845 MBEDTLS_SSL_CHK_BUF_PTR(buf, end, 1 + binder_len);
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]846
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]847 buf[0] = binder_len;
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]848
849 /* Get current state of handshake transcript. */
850 ret = mbedtls_ssl_get_handshake_transcript(
Manuel Pégourié-Gonnard2d6d9932023-03-28 11:38:08 +0200[diff] [blame]851 ssl, mbedtls_md_type_from_psa_alg(hash_alg),
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]852 transcript, sizeof(transcript), &transcript_len);
853 if (ret != 0) {
854 return ret;
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]855 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]856
857 ret = mbedtls_ssl_tls13_create_psk_binder(ssl, hash_alg,
858 psk, psk_len, psk_type,
859 transcript, buf + 1);
860 if (ret != 0) {
861 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_tls13_create_psk_binder", ret);
862 return ret;
863 }
864 MBEDTLS_SSL_DEBUG_BUF(4, "write binder", buf, 1 + binder_len);
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]865
866 *out_len = 1 + binder_len;
867
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]868 return 0;
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]869}
870
871/*
872 * mbedtls_ssl_tls13_write_identities_of_pre_shared_key_ext() structure:
873 *
874 * struct {
875 * opaque identity<1..2^16-1>;
876 * uint32 obfuscated_ticket_age;
877 * } PskIdentity;
878 *
879 * opaque PskBinderEntry<32..255>;
880 *
881 * struct {
882 * PskIdentity identities<7..2^16-1>;
883 * PskBinderEntry binders<33..2^16-1>;
884 * } OfferedPsks;
885 *
886 * struct {
887 * select (Handshake.msg_type) {
888 * case client_hello: OfferedPsks;
889 * ...
890 * };
891 * } PreSharedKeyExtension;
892 *
893 */
XiaokangQian3ad67bf2022-07-21 02:26:21 +0000[diff] [blame]894int mbedtls_ssl_tls13_write_identities_of_pre_shared_key_ext(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]895 mbedtls_ssl_context *ssl, unsigned char *buf, unsigned char *end,
896 size_t *out_len, size_t *binders_len)
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]897{
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]898 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]899 int configured_psk_count = 0;
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]900 unsigned char *p = buf;
Xiaokang Qian854db282022-12-19 07:31:27 +0000[diff] [blame]901 psa_algorithm_t hash_alg = PSA_ALG_NONE;
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]902 const unsigned char *identity;
903 size_t identity_len;
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]904 size_t l_binders_len = 0;
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]905 size_t output_len;
Xiaokang Qian7179f812023-02-03 03:38:44 +0000[diff] [blame]906
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]907 *out_len = 0;
908 *binders_len = 0;
909
910 /* Check if we have any PSKs to offer. If no, skip pre_shared_key */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]911 configured_psk_count = ssl_tls13_get_configured_psk_count(ssl);
912 if (configured_psk_count == 0) {
913 MBEDTLS_SSL_DEBUG_MSG(3, ("skip pre_shared_key extensions"));
914 return 0;
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]915 }
916
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]917 MBEDTLS_SSL_DEBUG_MSG(4, ("Pre-configured PSK number = %d",
918 configured_psk_count));
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]919
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]920 /* Check if we have space to write the extension, binders included.
921 * - extension_type (2 bytes)
922 * - extension_data_len (2 bytes)
923 * - identities_len (2 bytes)
924 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]925 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 6);
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]926 p += 6;
927
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]928#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]929 if (ssl_tls13_ticket_get_identity(
930 ssl, &hash_alg, &identity, &identity_len) == 0) {
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]931#if defined(MBEDTLS_HAVE_TIME)
Jerry Yucebffc32022-12-15 18:00:05 +0800[diff] [blame]932 mbedtls_ms_time_t now = mbedtls_ms_time();
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]933 mbedtls_ssl_session *session = ssl->session_negotiate;
Jerry Yucf913512023-11-14 11:06:52 +0800[diff] [blame]934 /* The ticket age has been checked to be smaller than the
Jerry Yu46c79262023-11-10 13:58:16 +0800[diff] [blame]935 * `ticket_lifetime` in ssl_prepare_client_hello() which is smaller than
936 * 7 days (enforced in ssl_tls13_parse_new_session_ticket()) . Thus the
937 * cast to `uint32_t` of the ticket age is safe. */
Jerry Yu6916e702022-10-10 21:33:51 +0800[diff] [blame]938 uint32_t obfuscated_ticket_age =
Jerry Yu342a5552023-11-10 14:23:39 +0800[diff] [blame]939 (uint32_t) (now - session->ticket_reception_time);
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]940 obfuscated_ticket_age += session->ticket_age_add;
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]941
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]942 ret = ssl_tls13_write_identity(ssl, p, end,
943 identity, identity_len,
944 obfuscated_ticket_age,
945 &output_len);
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]946#else
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]947 ret = ssl_tls13_write_identity(ssl, p, end, identity, identity_len,
948 0, &output_len);
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]949#endif /* MBEDTLS_HAVE_TIME */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]950 if (ret != 0) {
951 return ret;
952 }
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]953
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]954 p += output_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]955 l_binders_len += 1 + PSA_HASH_LENGTH(hash_alg);
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]956 }
957#endif /* MBEDTLS_SSL_SESSION_TICKETS */
958
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]959 if (ssl_tls13_psk_get_identity(
960 ssl, &hash_alg, &identity, &identity_len) == 0) {
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]961
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]962 ret = ssl_tls13_write_identity(ssl, p, end, identity, identity_len, 0,
963 &output_len);
964 if (ret != 0) {
965 return ret;
966 }
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]967
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]968 p += output_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]969 l_binders_len += 1 + PSA_HASH_LENGTH(hash_alg);
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]970 }
971
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]972 MBEDTLS_SSL_DEBUG_MSG(3,
973 ("client hello, adding pre_shared_key extension, "
974 "omitting PSK binder list"));
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]975
976 /* Take into account the two bytes for the length of the binders. */
977 l_binders_len += 2;
Jerry Yu6916e702022-10-10 21:33:51 +0800[diff] [blame]978 /* Check if there is enough space for binders */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]979 MBEDTLS_SSL_CHK_BUF_PTR(p, end, l_binders_len);
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]980
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]981 /*
982 * - extension_type (2 bytes)
983 * - extension_data_len (2 bytes)
984 * - identities_len (2 bytes)
985 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]986 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_PRE_SHARED_KEY, buf, 0);
987 MBEDTLS_PUT_UINT16_BE(p - buf - 4 + l_binders_len, buf, 2);
988 MBEDTLS_PUT_UINT16_BE(p - buf - 6, buf, 4);
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]989
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]990 *out_len = (p - buf) + l_binders_len;
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]991 *binders_len = l_binders_len;
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]992
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]993 MBEDTLS_SSL_DEBUG_BUF(3, "pre_shared_key identities", buf, p - buf);
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]994
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]995 return 0;
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]996}
997
XiaokangQian86981952022-07-19 09:51:50 +0000[diff] [blame]998int mbedtls_ssl_tls13_write_binders_of_pre_shared_key_ext(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]999 mbedtls_ssl_context *ssl, unsigned char *buf, unsigned char *end)
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]1000{
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]1001 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1002 unsigned char *p = buf;
Jerry Yu6183cc72022-09-30 11:08:57 +0800[diff] [blame]1003 psa_algorithm_t hash_alg = PSA_ALG_NONE;
1004 const unsigned char *psk;
1005 size_t psk_len;
1006 size_t output_len;
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]1007
1008 /* Check if we have space to write binders_len.
1009 * - binders_len (2 bytes)
1010 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1011 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2);
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]1012 p += 2;
1013
Jerry Yu6183cc72022-09-30 11:08:57 +0800[diff] [blame]1014#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1015 if (ssl_tls13_ticket_get_psk(ssl, &hash_alg, &psk, &psk_len) == 0) {
Jerry Yu6183cc72022-09-30 11:08:57 +0800[diff] [blame]1016
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1017 ret = ssl_tls13_write_binder(ssl, p, end,
1018 MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION,
1019 hash_alg, psk, psk_len,
1020 &output_len);
1021 if (ret != 0) {
1022 return ret;
1023 }
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]1024 p += output_len;
1025 }
Jerry Yu6183cc72022-09-30 11:08:57 +0800[diff] [blame]1026#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]1027
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1028 if (ssl_tls13_psk_get_psk(ssl, &hash_alg, &psk, &psk_len) == 0) {
Jerry Yu6183cc72022-09-30 11:08:57 +0800[diff] [blame]1029
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1030 ret = ssl_tls13_write_binder(ssl, p, end,
1031 MBEDTLS_SSL_TLS1_3_PSK_EXTERNAL,
1032 hash_alg, psk, psk_len,
1033 &output_len);
1034 if (ret != 0) {
1035 return ret;
1036 }
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]1037 p += output_len;
1038 }
1039
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1040 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, adding PSK binder list."));
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]1041
1042 /*
1043 * - binders_len (2 bytes)
1044 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1045 MBEDTLS_PUT_UINT16_BE(p - buf - 2, buf, 0);
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]1046
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1047 MBEDTLS_SSL_DEBUG_BUF(3, "pre_shared_key binders", buf, p - buf);
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]1048
Jerry Yuc4bf5d62022-10-29 09:08:47 +0800[diff] [blame]1049 mbedtls_ssl_tls13_set_hs_sent_ext_mask(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1050 ssl, MBEDTLS_TLS_EXT_PRE_SHARED_KEY);
Jerry Yu0c354a22022-08-29 15:25:36 +0800[diff] [blame]1051
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1052 return 0;
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]1053}
Jerry Yu0c6105b2022-08-12 17:26:40 +0800[diff] [blame]1054
1055/*
1056 * struct {
1057 * opaque identity<1..2^16-1>;
1058 * uint32 obfuscated_ticket_age;
1059 * } PskIdentity;
1060 *
1061 * opaque PskBinderEntry<32..255>;
1062 *
1063 * struct {
1064 *
1065 * select (Handshake.msg_type) {
1066 * ...
1067 * case server_hello: uint16 selected_identity;
1068 * };
1069 *
1070 * } PreSharedKeyExtension;
1071 *
1072 */
1073MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1074static int ssl_tls13_parse_server_pre_shared_key_ext(mbedtls_ssl_context *ssl,
1075 const unsigned char *buf,
1076 const unsigned char *end)
Jerry Yu0c6105b2022-08-12 17:26:40 +0800[diff] [blame]1077{
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]1078 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yub300e3c2022-09-28 22:12:07 +0800[diff] [blame]1079 int selected_identity;
Jerry Yub300e3c2022-09-28 22:12:07 +0800[diff] [blame]1080 const unsigned char *psk;
1081 size_t psk_len;
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]1082 psa_algorithm_t hash_alg;
Jerry Yub300e3c2022-09-28 22:12:07 +0800[diff] [blame]1083
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1084 MBEDTLS_SSL_CHK_BUF_READ_PTR(buf, end, 2);
1085 selected_identity = MBEDTLS_GET_UINT16_BE(buf, 0);
Xiaokang Qian2a674932023-01-04 03:15:09 +0000[diff] [blame]1086 ssl->handshake->selected_identity = (uint16_t) selected_identity;
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]1087
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1088 MBEDTLS_SSL_DEBUG_MSG(3, ("selected_identity = %d", selected_identity));
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]1089
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1090 if (selected_identity >= ssl_tls13_get_configured_psk_count(ssl)) {
1091 MBEDTLS_SSL_DEBUG_MSG(1, ("Invalid PSK identity."));
Jerry Yu4a698342022-09-30 12:22:01 +0800[diff] [blame]1092
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1093 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
1094 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
1095 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Jerry Yub300e3c2022-09-28 22:12:07 +0800[diff] [blame]1096 }
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]1097
Jerry Yu4a698342022-09-30 12:22:01 +0800[diff] [blame]1098#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1099 if (selected_identity == 0 && ssl_tls13_has_configured_ticket(ssl)) {
1100 ret = ssl_tls13_ticket_get_psk(ssl, &hash_alg, &psk, &psk_len);
1101 } else
Jerry Yu4a698342022-09-30 12:22:01 +0800[diff] [blame]1102#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1103 if (mbedtls_ssl_conf_has_static_psk(ssl->conf)) {
1104 ret = ssl_tls13_psk_get_psk(ssl, &hash_alg, &psk, &psk_len);
1105 } else {
1106 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
1107 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Jerry Yub300e3c2022-09-28 22:12:07 +0800[diff] [blame]1108 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1109 if (ret != 0) {
1110 return ret;
Jerry Yub300e3c2022-09-28 22:12:07 +0800[diff] [blame]1111 }
Jerry Yub300e3c2022-09-28 22:12:07 +0800[diff] [blame]1112
Dave Rodgman2eab4622023-10-05 13:30:37 +0100[diff] [blame]1113 if (mbedtls_md_psa_alg_from_type((mbedtls_md_type_t) ssl->handshake->ciphersuite_info->mac)
Xiaokang Qianeb31cbc2023-02-07 02:08:56 +0000[diff] [blame]1114 != hash_alg) {
1115 MBEDTLS_SSL_DEBUG_MSG(
1116 1, ("Invalid ciphersuite for external psk."));
1117
1118 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
1119 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
1120 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
1121 }
1122
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1123 ret = mbedtls_ssl_set_hs_psk(ssl, psk, psk_len);
1124 if (ret != 0) {
1125 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_set_hs_psk", ret);
1126 return ret;
1127 }
1128
1129 return 0;
Jerry Yu0c6105b2022-08-12 17:26:40 +0800[diff] [blame]1130}
Ronald Cron41a443a2022-10-04 16:38:25 +0200[diff] [blame]1131#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]1132
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1133int mbedtls_ssl_tls13_write_client_hello_exts(mbedtls_ssl_context *ssl,
1134 unsigned char *buf,
1135 unsigned char *end,
1136 size_t *out_len)
Ronald Cron04fbd2b2022-02-18 12:06:07 +0100[diff] [blame]1137{
1138 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1139 unsigned char *p = buf;
1140 size_t ext_len;
1141
1142 *out_len = 0;
1143
1144 /* Write supported_versions extension
1145 *
1146 * Supported Versions Extension is mandatory with TLS 1.3.
1147 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1148 ret = ssl_tls13_write_supported_versions_ext(ssl, p, end, &ext_len);
1149 if (ret != 0) {
1150 return ret;
1151 }
Ronald Cron04fbd2b2022-02-18 12:06:07 +0100[diff] [blame]1152 p += ext_len;
1153
1154 /* Echo the cookie if the server provided one in its preceding
1155 * HelloRetryRequest message.
1156 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1157 ret = ssl_tls13_write_cookie_ext(ssl, p, end, &ext_len);
1158 if (ret != 0) {
1159 return ret;
1160 }
Ronald Cron04fbd2b2022-02-18 12:06:07 +0100[diff] [blame]1161 p += ext_len;
1162
Yanray Wang42017cd2023-11-08 11:15:23 +0800[diff] [blame]1163#if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
1164 ret = mbedtls_ssl_tls13_write_record_size_limit_ext(
Waleed Elmelegy148dfb62024-01-04 18:02:35 +0000[diff] [blame]1165 ssl, p, end, &ext_len);
Yanray Wang42017cd2023-11-08 11:15:23 +0800[diff] [blame]1166 if (ret != 0) {
1167 return ret;
1168 }
1169 p += ext_len;
1170#endif
1171
Ronald Cron766c0cd2022-10-18 12:17:11 +0200[diff] [blame]1172#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)
Pengyu Lv0a1ff2b2023-11-14 11:03:32 +0800[diff] [blame]1173 if (mbedtls_ssl_conf_tls13_is_some_ephemeral_enabled(ssl)) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1174 ret = ssl_tls13_write_key_share_ext(ssl, p, end, &ext_len);
1175 if (ret != 0) {
1176 return ret;
1177 }
Ronald Cron04fbd2b2022-02-18 12:06:07 +0100[diff] [blame]1178 p += ext_len;
1179 }
Ronald Cron766c0cd2022-10-18 12:17:11 +0200[diff] [blame]1180#endif
Ronald Cron04fbd2b2022-02-18 12:06:07 +0100[diff] [blame]1181
Xiaokang Qian0e97d4d2022-10-24 11:12:51 +0000[diff] [blame]1182#if defined(MBEDTLS_SSL_EARLY_DATA)
Ronald Cron90e22332024-01-22 15:24:21 +0100[diff] [blame]1183 if (ssl->handshake->hello_retry_request_count == 0) {
1184 if (mbedtls_ssl_conf_tls13_is_some_psk_enabled(ssl) &&
1185 ssl_tls13_early_data_has_valid_ticket(ssl) &&
1186 ssl->conf->early_data_enabled == MBEDTLS_SSL_EARLY_DATA_ENABLED) {
1187 ret = mbedtls_ssl_tls13_write_early_data_ext(
1188 ssl, 0, p, end, &ext_len);
1189 if (ret != 0) {
1190 return ret;
1191 }
1192 p += ext_len;
Jerry Yu52335392023-11-23 18:06:06 +0800[diff] [blame]1193
Ronald Cron90e22332024-01-22 15:24:21 +0100[diff] [blame]1194 ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_SENT;
1195 } else {
1196 ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1197 }
Xiaokang Qian0e97d4d2022-10-24 11:12:51 +0000[diff] [blame]1198 }
1199#endif /* MBEDTLS_SSL_EARLY_DATA */
1200
Ronald Cron41a443a2022-10-04 16:38:25 +0200[diff] [blame]1201#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]1202 /* For PSK-based key exchange we need the pre_shared_key extension
1203 * and the psk_key_exchange_modes extension.
1204 *
1205 * The pre_shared_key extension MUST be the last extension in the
1206 * ClientHello. Servers MUST check that it is the last extension and
1207 * otherwise fail the handshake with an "illegal_parameter" alert.
1208 *
1209 * Add the psk_key_exchange_modes extension.
1210 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1211 ret = ssl_tls13_write_psk_key_exchange_modes_ext(ssl, p, end, &ext_len);
1212 if (ret != 0) {
1213 return ret;
1214 }
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]1215 p += ext_len;
Ronald Cron41a443a2022-10-04 16:38:25 +0200[diff] [blame]1216#endif
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]1217
Ronald Cron04fbd2b2022-02-18 12:06:07 +0100[diff] [blame]1218 *out_len = p - buf;
1219
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1220 return 0;
Ronald Cron04fbd2b2022-02-18 12:06:07 +0100[diff] [blame]1221}
1222
Xiaokang Qian934ce6f2023-02-06 10:23:04 +0000[diff] [blame]1223int mbedtls_ssl_tls13_finalize_client_hello(mbedtls_ssl_context *ssl)
Xiaokang Qian126929f2023-01-03 10:29:41 +0000[diff] [blame]1224{
Xiaokang Qian90746132023-01-06 05:54:59 +0000[diff] [blame]1225 ((void) ssl);
Xiaokang Qian79f77522023-01-28 10:35:29 +0000[diff] [blame]1226
Xiaokang Qian126929f2023-01-03 10:29:41 +0000[diff] [blame]1227#if defined(MBEDTLS_SSL_EARLY_DATA)
1228 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1229 psa_algorithm_t hash_alg = PSA_ALG_NONE;
1230 const unsigned char *psk;
1231 size_t psk_len;
1232 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
Xiaokang Qian592021a2023-01-04 10:47:05 +0000[diff] [blame]1233
Ronald Cron90e22332024-01-22 15:24:21 +0100[diff] [blame]1234 if (ssl->early_data_status == MBEDTLS_SSL_EARLY_DATA_STATUS_SENT) {
Xiaokang Qian126929f2023-01-03 10:29:41 +0000[diff] [blame]1235 MBEDTLS_SSL_DEBUG_MSG(
1236 1, ("Set hs psk for early data when writing the first psk"));
1237
1238 ret = ssl_tls13_ticket_get_psk(ssl, &hash_alg, &psk, &psk_len);
1239 if (ret != 0) {
1240 MBEDTLS_SSL_DEBUG_RET(
1241 1, "ssl_tls13_ticket_get_psk", ret);
1242 return ret;
1243 }
1244
1245 ret = mbedtls_ssl_set_hs_psk(ssl, psk, psk_len);
1246 if (ret != 0) {
1247 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_set_hs_psk", ret);
1248 return ret;
1249 }
1250
Xiaokang Qian64bc9bc2023-02-07 02:32:23 +0000[diff] [blame]1251 /*
1252 * Early data are going to be encrypted using the ciphersuite
1253 * associated with the pre-shared key used for the handshake.
1254 * Note that if the server rejects early data, the handshake
1255 * based on the pre-shared key may complete successfully
1256 * with a selected ciphersuite different from the ciphersuite
1257 * associated with the pre-shared key. Only the hashes of the
1258 * two ciphersuites have to be the same. In that case, the
1259 * encrypted handshake data and application data are
1260 * encrypted using a different ciphersuite than the one used for
1261 * the rejected early data.
1262 */
Xiaokang Qian126929f2023-01-03 10:29:41 +0000[diff] [blame]1263 ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(
1264 ssl->session_negotiate->ciphersuite);
1265 ssl->handshake->ciphersuite_info = ciphersuite_info;
Xiaokang Qian8dc4ce72023-02-07 10:49:50 +0000[diff] [blame]1266
Tom Cosgrove5c8505f2023-03-07 11:39:52 +0000[diff] [blame]1267 /* Enable psk and psk_ephemeral to make stage early happy */
Xiaokang Qian126929f2023-01-03 10:29:41 +0000[diff] [blame]1268 ssl->handshake->key_exchange_mode =
1269 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL;
1270
1271 /* Start the TLS 1.3 key schedule:
Xiaokang Qian8dc4ce72023-02-07 10:49:50 +0000[diff] [blame]1272 * Set the PSK and derive early secret.
Xiaokang Qian126929f2023-01-03 10:29:41 +0000[diff] [blame]1273 */
1274 ret = mbedtls_ssl_tls13_key_schedule_stage_early(ssl);
1275 if (ret != 0) {
Xiaokang Qian0de0d862023-02-08 06:04:50 +0000[diff] [blame]1276 MBEDTLS_SSL_DEBUG_RET(
1277 1, "mbedtls_ssl_tls13_key_schedule_stage_early", ret);
Xiaokang Qian126929f2023-01-03 10:29:41 +0000[diff] [blame]1278 return ret;
1279 }
1280
1281 /* Derive early data key material */
1282 ret = mbedtls_ssl_tls13_compute_early_transform(ssl);
1283 if (ret != 0) {
Xiaokang Qian0de0d862023-02-08 06:04:50 +0000[diff] [blame]1284 MBEDTLS_SSL_DEBUG_RET(
1285 1, "mbedtls_ssl_tls13_compute_early_transform", ret);
Xiaokang Qian126929f2023-01-03 10:29:41 +0000[diff] [blame]1286 return ret;
1287 }
1288
Ronald Cron297c6082024-01-19 08:15:33 +0100[diff] [blame]1289#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
1290 mbedtls_ssl_handshake_set_state(
1291 ssl, MBEDTLS_SSL_CLIENT_CCS_AFTER_CLIENT_HELLO);
1292#else
1293 MBEDTLS_SSL_DEBUG_MSG(
1294 1, ("Switch to early data keys for outbound traffic"));
1295 mbedtls_ssl_set_outbound_transform(
1296 ssl, ssl->handshake->transform_earlydata);
Ronald Cron90e22332024-01-22 15:24:21 +0100[diff] [blame]1297 ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_CAN_WRITE;
Ronald Cron297c6082024-01-19 08:15:33 +0100[diff] [blame]1298#endif
Xiaokang Qian126929f2023-01-03 10:29:41 +0000[diff] [blame]1299 }
1300#endif /* MBEDTLS_SSL_EARLY_DATA */
1301 return 0;
1302}
Jerry Yu1bc2c1f2021-09-01 12:57:29 +0800[diff] [blame]1303/*
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1304 * Functions for parsing and processing Server Hello
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1305 */
Ronald Cronfd6193c2022-04-05 11:04:20 +0200[diff] [blame]1306
Ronald Cronda41b382022-03-30 09:57:11 +0200[diff] [blame]1307/**
1308 * \brief Detect if the ServerHello contains a supported_versions extension
1309 * or not.
1310 *
1311 * \param[in] ssl SSL context
1312 * \param[in] buf Buffer containing the ServerHello message
1313 * \param[in] end End of the buffer containing the ServerHello message
1314 *
1315 * \return 0 if the ServerHello does not contain a supported_versions extension
1316 * \return 1 if the ServerHello contains a supported_versions extension
1317 * \return A negative value if an error occurred while parsing the ServerHello.
1318 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1319MBEDTLS_CHECK_RETURN_CRITICAL
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]1320static int ssl_tls13_is_supported_versions_ext_present(
1321 mbedtls_ssl_context *ssl,
1322 const unsigned char *buf,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1323 const unsigned char *end)
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]1324{
1325 const unsigned char *p = buf;
1326 size_t legacy_session_id_echo_len;
Ronald Croneff56732023-04-03 17:36:31 +0200[diff] [blame]1327 const unsigned char *supported_versions_data;
1328 const unsigned char *supported_versions_data_end;
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]1329
1330 /*
1331 * Check there is enough data to access the legacy_session_id_echo vector
Ronald Cronda41b382022-03-30 09:57:11 +0200[diff] [blame]1332 * length:
1333 * - legacy_version 2 bytes
1334 * - random MBEDTLS_SERVER_HELLO_RANDOM_LEN bytes
1335 * - legacy_session_id_echo length 1 byte
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]1336 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1337 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, MBEDTLS_SERVER_HELLO_RANDOM_LEN + 3);
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]1338 p += MBEDTLS_SERVER_HELLO_RANDOM_LEN + 2;
1339 legacy_session_id_echo_len = *p;
1340
1341 /*
1342 * Jump to the extensions, jumping over:
1343 * - legacy_session_id_echo (legacy_session_id_echo_len + 1) bytes
1344 * - cipher_suite 2 bytes
1345 * - legacy_compression_method 1 byte
1346 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1347 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, legacy_session_id_echo_len + 4);
1348 p += legacy_session_id_echo_len + 4;
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]1349
Ronald Cron47dce632023-02-08 17:38:29 +0100[diff] [blame]1350 return mbedtls_ssl_tls13_is_supported_versions_ext_present_in_exts(
1351 ssl, p, end,
Ronald Croneff56732023-04-03 17:36:31 +0200[diff] [blame]1352 &supported_versions_data, &supported_versions_data_end);
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]1353}
1354
Jerry Yu7a186a02021-10-15 18:46:14 +0800[diff] [blame]1355/* Returns a negative value on failure, and otherwise
Ronald Cronfd6193c2022-04-05 11:04:20 +0200[diff] [blame]1356 * - 1 if the last eight bytes of the ServerHello random bytes indicate that
1357 * the server is TLS 1.3 capable but negotiating TLS 1.2 or below.
1358 * - 0 otherwise
1359 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1360MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1361static int ssl_tls13_is_downgrade_negotiation(mbedtls_ssl_context *ssl,
1362 const unsigned char *buf,
1363 const unsigned char *end)
Ronald Cronfd6193c2022-04-05 11:04:20 +0200[diff] [blame]1364{
1365 /* First seven bytes of the magic downgrade strings, see RFC 8446 4.1.3 */
1366 static const unsigned char magic_downgrade_string[] =
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1367 { 0x44, 0x4F, 0x57, 0x4E, 0x47, 0x52, 0x44 };
Ronald Cronfd6193c2022-04-05 11:04:20 +0200[diff] [blame]1368 const unsigned char *last_eight_bytes_of_random;
1369 unsigned char last_byte_of_random;
1370
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1371 MBEDTLS_SSL_CHK_BUF_READ_PTR(buf, end, MBEDTLS_SERVER_HELLO_RANDOM_LEN + 2);
Ronald Cronfd6193c2022-04-05 11:04:20 +0200[diff] [blame]1372 last_eight_bytes_of_random = buf + 2 + MBEDTLS_SERVER_HELLO_RANDOM_LEN - 8;
1373
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1374 if (memcmp(last_eight_bytes_of_random,
1375 magic_downgrade_string,
1376 sizeof(magic_downgrade_string)) == 0) {
Ronald Cronfd6193c2022-04-05 11:04:20 +0200[diff] [blame]1377 last_byte_of_random = last_eight_bytes_of_random[7];
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1378 return last_byte_of_random == 0 ||
1379 last_byte_of_random == 1;
Ronald Cronfd6193c2022-04-05 11:04:20 +0200[diff] [blame]1380 }
1381
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1382 return 0;
Ronald Cronfd6193c2022-04-05 11:04:20 +0200[diff] [blame]1383}
1384
1385/* Returns a negative value on failure, and otherwise
Ronald Cron828aff62022-05-31 12:04:31 +0200[diff] [blame]1386 * - SSL_SERVER_HELLO or
1387 * - SSL_SERVER_HELLO_HRR
XiaokangQian51eff222021-12-10 10:33:56 +0000[diff] [blame]1388 * to indicate which message is expected and to be parsed next.
1389 */
Ronald Cron828aff62022-05-31 12:04:31 +0200[diff] [blame]1390#define SSL_SERVER_HELLO 0
1391#define SSL_SERVER_HELLO_HRR 1
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1392MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1393static int ssl_server_hello_is_hrr(mbedtls_ssl_context *ssl,
1394 const unsigned char *buf,
1395 const unsigned char *end)
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1396{
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1397
1398 /* Check whether this message is a HelloRetryRequest ( HRR ) message.
1399 *
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1400 * Server Hello and HRR are only distinguished by Random set to the
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1401 * special value of the SHA-256 of "HelloRetryRequest".
1402 *
1403 * struct {
1404 * ProtocolVersion legacy_version = 0x0303;
1405 * Random random;
1406 * opaque legacy_session_id_echo<0..32>;
1407 * CipherSuite cipher_suite;
1408 * uint8 legacy_compression_method = 0;
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1409 * Extension extensions<6..2^16-1>;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1410 * } ServerHello;
1411 *
1412 */
Xiaokang Qian958b6ff2023-03-29 10:37:35 +0000[diff] [blame]1413 MBEDTLS_SSL_CHK_BUF_READ_PTR(
1414 buf, end, 2 + sizeof(mbedtls_ssl_tls13_hello_retry_request_magic));
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1415
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1416 if (memcmp(buf + 2, mbedtls_ssl_tls13_hello_retry_request_magic,
1417 sizeof(mbedtls_ssl_tls13_hello_retry_request_magic)) == 0) {
1418 return SSL_SERVER_HELLO_HRR;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1419 }
1420
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1421 return SSL_SERVER_HELLO;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1422}
1423
Ronald Cron828aff62022-05-31 12:04:31 +0200[diff] [blame]1424/*
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1425 * Returns a negative value on failure, and otherwise
Ronald Cron828aff62022-05-31 12:04:31 +0200[diff] [blame]1426 * - SSL_SERVER_HELLO or
1427 * - SSL_SERVER_HELLO_HRR or
1428 * - SSL_SERVER_HELLO_TLS1_2
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1429 */
Ronald Cron828aff62022-05-31 12:04:31 +0200[diff] [blame]1430#define SSL_SERVER_HELLO_TLS1_2 2
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1431MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1432static int ssl_tls13_preprocess_server_hello(mbedtls_ssl_context *ssl,
1433 const unsigned char *buf,
1434 const unsigned char *end)
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1435{
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1436 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Ronald Cron5afb9042022-05-31 12:11:39 +0200[diff] [blame]1437 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1438
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1439 MBEDTLS_SSL_PROC_CHK_NEG(ssl_tls13_is_supported_versions_ext_present(
1440 ssl, buf, end));
Jerry Yua66fece2022-07-13 14:30:29 +0800[diff] [blame]1441
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1442 if (ret == 0) {
Ronald Cronfd6193c2022-04-05 11:04:20 +0200[diff] [blame]1443 MBEDTLS_SSL_PROC_CHK_NEG(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1444 ssl_tls13_is_downgrade_negotiation(ssl, buf, end));
Ronald Cronfd6193c2022-04-05 11:04:20 +0200[diff] [blame]1445
1446 /* If the server is negotiating TLS 1.2 or below and:
1447 * . we did not propose TLS 1.2 or
1448 * . the server responded it is TLS 1.3 capable but negotiating a lower
1449 * version of the protocol and thus we are under downgrade attack
1450 * abort the handshake with an "illegal parameter" alert.
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]1451 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1452 if (handshake->min_tls_version > MBEDTLS_SSL_VERSION_TLS1_2 || ret) {
1453 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
1454 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
1455 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]1456 }
1457
Ronald Cronb828c7d2023-04-03 16:37:22 +0200[diff] [blame]1458 /*
1459 * Version 1.2 of the protocol has been negotiated, set the
1460 * ssl->keep_current_message flag for the ServerHello to be kept and
1461 * parsed as a TLS 1.2 ServerHello. We also change ssl->tls_version to
1462 * MBEDTLS_SSL_VERSION_TLS1_2 thus from now on mbedtls_ssl_handshake_step()
1463 * will dispatch to the TLS 1.2 state machine.
1464 */
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]1465 ssl->keep_current_message = 1;
Glenn Strauss60bfe602022-03-14 19:04:24 -0400[diff] [blame]1466 ssl->tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
Xiaokang Qian958b6ff2023-03-29 10:37:35 +0000[diff] [blame]1467 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(
1468 ssl, MBEDTLS_SSL_HS_SERVER_HELLO,
1469 buf, (size_t) (end - buf)));
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]1470
Pengyu Lv0a1ff2b2023-11-14 11:03:32 +0800[diff] [blame]1471 if (mbedtls_ssl_conf_tls13_is_some_ephemeral_enabled(ssl)) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1472 ret = ssl_tls13_reset_key_share(ssl);
1473 if (ret != 0) {
1474 return ret;
1475 }
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]1476 }
1477
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1478 return SSL_SERVER_HELLO_TLS1_2;
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]1479 }
1480
Jerry Yua66fece2022-07-13 14:30:29 +0800[diff] [blame]1481#if defined(MBEDTLS_SSL_SESSION_TICKETS)
1482 ssl->session_negotiate->endpoint = ssl->conf->endpoint;
1483 ssl->session_negotiate->tls_version = ssl->tls_version;
1484#endif /* MBEDTLS_SSL_SESSION_TICKETS */
1485
Jerry Yu50e00e32022-10-31 14:45:01 +0800[diff] [blame]1486 handshake->received_extensions = MBEDTLS_SSL_EXT_MASK_NONE;
Ronald Cron5afb9042022-05-31 12:11:39 +0200[diff] [blame]1487
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1488 ret = ssl_server_hello_is_hrr(ssl, buf, end);
1489 switch (ret) {
Ronald Cron828aff62022-05-31 12:04:31 +0200[diff] [blame]1490 case SSL_SERVER_HELLO:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1491 MBEDTLS_SSL_DEBUG_MSG(2, ("received ServerHello message"));
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1492 break;
Ronald Cron828aff62022-05-31 12:04:31 +0200[diff] [blame]1493 case SSL_SERVER_HELLO_HRR:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1494 MBEDTLS_SSL_DEBUG_MSG(2, ("received HelloRetryRequest message"));
Xiaokang Qian958b6ff2023-03-29 10:37:35 +0000[diff] [blame]1495 /* If a client receives a second HelloRetryRequest in the same
1496 * connection (i.e., where the ClientHello was itself in response
1497 * to a HelloRetryRequest), it MUST abort the handshake with an
1498 * "unexpected_message" alert.
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1499 */
1500 if (handshake->hello_retry_request_count > 0) {
1501 MBEDTLS_SSL_DEBUG_MSG(1, ("Multiple HRRs received"));
Xiaokang Qian958b6ff2023-03-29 10:37:35 +0000[diff] [blame]1502 MBEDTLS_SSL_PEND_FATAL_ALERT(
1503 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE,
1504 MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1505 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
XiaokangQian16acd4b2022-01-14 07:35:47 +0000[diff] [blame]1506 }
XiaokangQian2b01dc32022-01-21 02:53:13 +0000[diff] [blame]1507 /*
1508 * Clients must abort the handshake with an "illegal_parameter"
1509 * alert if the HelloRetryRequest would not result in any change
1510 * in the ClientHello.
1511 * In a PSK only key exchange that what we expect.
1512 */
Pengyu Lv0a1ff2b2023-11-14 11:03:32 +0800[diff] [blame]1513 if (!mbedtls_ssl_conf_tls13_is_some_ephemeral_enabled(ssl)) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1514 MBEDTLS_SSL_DEBUG_MSG(1,
1515 ("Unexpected HRR in pure PSK key exchange."));
XiaokangQian2b01dc32022-01-21 02:53:13 +0000[diff] [blame]1516 MBEDTLS_SSL_PEND_FATAL_ALERT(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1517 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
1518 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
1519 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
XiaokangQian2b01dc32022-01-21 02:53:13 +0000[diff] [blame]1520 }
XiaokangQian16acd4b2022-01-14 07:35:47 +0000[diff] [blame]1521
Ronald Cron5afb9042022-05-31 12:11:39 +0200[diff] [blame]1522 handshake->hello_retry_request_count++;
XiaokangQian16acd4b2022-01-14 07:35:47 +0000[diff] [blame]1523
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1524 break;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1525 }
1526
1527cleanup:
1528
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1529 return ret;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1530}
1531
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1532MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1533static int ssl_tls13_check_server_hello_session_id_echo(mbedtls_ssl_context *ssl,
1534 const unsigned char **buf,
1535 const unsigned char *end)
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1536{
1537 const unsigned char *p = *buf;
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1538 size_t legacy_session_id_echo_len;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1539
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1540 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 1);
1541 legacy_session_id_echo_len = *p++;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1542
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1543 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, legacy_session_id_echo_len);
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1544
1545 /* legacy_session_id_echo */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1546 if (ssl->session_negotiate->id_len != legacy_session_id_echo_len ||
1547 memcmp(ssl->session_negotiate->id, p, legacy_session_id_echo_len) != 0) {
1548 MBEDTLS_SSL_DEBUG_BUF(3, "Expected Session ID",
1549 ssl->session_negotiate->id,
1550 ssl->session_negotiate->id_len);
1551 MBEDTLS_SSL_DEBUG_BUF(3, "Received Session ID", p,
1552 legacy_session_id_echo_len);
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1553
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1554 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
1555 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1556
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1557 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1558 }
1559
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1560 p += legacy_session_id_echo_len;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1561 *buf = p;
1562
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1563 MBEDTLS_SSL_DEBUG_BUF(3, "Session ID", ssl->session_negotiate->id,
1564 ssl->session_negotiate->id_len);
1565 return 0;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1566}
1567
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1568/* Parse ServerHello message and configure context
1569 *
1570 * struct {
1571 * ProtocolVersion legacy_version = 0x0303; // TLS 1.2
1572 * Random random;
1573 * opaque legacy_session_id_echo<0..32>;
1574 * CipherSuite cipher_suite;
1575 * uint8 legacy_compression_method = 0;
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1576 * Extension extensions<6..2^16-1>;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1577 * } ServerHello;
1578 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1579MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1580static int ssl_tls13_parse_server_hello(mbedtls_ssl_context *ssl,
1581 const unsigned char *buf,
1582 const unsigned char *end,
1583 int is_hrr)
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1584{
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1585 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1586 const unsigned char *p = buf;
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]1587 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1588 size_t extensions_len;
1589 const unsigned char *extensions_end;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1590 uint16_t cipher_suite;
Jerry Yude4fb2c2021-09-19 18:05:08 +0800[diff] [blame]1591 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
XiaokangQianb119a352022-01-26 03:29:10 +0000[diff] [blame]1592 int fatal_alert = 0;
Jerry Yu0c354a22022-08-29 15:25:36 +0800[diff] [blame]1593 uint32_t allowed_extensions_mask;
Jerry Yu50e00e32022-10-31 14:45:01 +0800[diff] [blame]1594 int hs_msg_type = is_hrr ? MBEDTLS_SSL_TLS1_3_HS_HELLO_RETRY_REQUEST :
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1595 MBEDTLS_SSL_HS_SERVER_HELLO;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1596
1597 /*
1598 * Check there is space for minimal fields
1599 *
1600 * - legacy_version ( 2 bytes)
Jerry Yue6d7e5c2021-10-26 10:44:32 +0800[diff] [blame]1601 * - random (MBEDTLS_SERVER_HELLO_RANDOM_LEN bytes)
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1602 * - legacy_session_id_echo ( 1 byte ), minimum size
1603 * - cipher_suite ( 2 bytes)
1604 * - legacy_compression_method ( 1 byte )
1605 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1606 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, MBEDTLS_SERVER_HELLO_RANDOM_LEN + 6);
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1607
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1608 MBEDTLS_SSL_DEBUG_BUF(4, "server hello", p, end - p);
1609 MBEDTLS_SSL_DEBUG_BUF(3, "server hello, version", p, 2);
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1610
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1611 /* ...
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1612 * ProtocolVersion legacy_version = 0x0303; // TLS 1.2
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1613 * ...
1614 * with ProtocolVersion defined as:
1615 * uint16 ProtocolVersion;
1616 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1617 if (mbedtls_ssl_read_version(p, ssl->conf->transport) !=
1618 MBEDTLS_SSL_VERSION_TLS1_2) {
1619 MBEDTLS_SSL_DEBUG_MSG(1, ("Unsupported version of TLS."));
1620 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION,
1621 MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION);
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1622 ret = MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION;
1623 goto cleanup;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1624 }
1625 p += 2;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1626
Jerry Yue6d7e5c2021-10-26 10:44:32 +0800[diff] [blame]1627 /* ...
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1628 * Random random;
1629 * ...
1630 * with Random defined as:
Jerry Yue6d7e5c2021-10-26 10:44:32 +0800[diff] [blame]1631 * opaque Random[MBEDTLS_SERVER_HELLO_RANDOM_LEN];
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1632 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1633 if (!is_hrr) {
1634 memcpy(&handshake->randbytes[MBEDTLS_CLIENT_HELLO_RANDOM_LEN], p,
1635 MBEDTLS_SERVER_HELLO_RANDOM_LEN);
1636 MBEDTLS_SSL_DEBUG_BUF(3, "server hello, random bytes",
1637 p, MBEDTLS_SERVER_HELLO_RANDOM_LEN);
XiaokangQian53f20b72022-01-18 10:47:33 +0000[diff] [blame]1638 }
Jerry Yue6d7e5c2021-10-26 10:44:32 +0800[diff] [blame]1639 p += MBEDTLS_SERVER_HELLO_RANDOM_LEN;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1640
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1641 /* ...
1642 * opaque legacy_session_id_echo<0..32>;
1643 * ...
1644 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1645 if (ssl_tls13_check_server_hello_session_id_echo(ssl, &p, end) != 0) {
XiaokangQian52da5582022-01-26 09:49:29 +0000[diff] [blame]1646 fatal_alert = MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER;
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1647 goto cleanup;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1648 }
1649
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1650 /* ...
1651 * CipherSuite cipher_suite;
1652 * ...
1653 * with CipherSuite defined as:
1654 * uint8 CipherSuite[2];
1655 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1656 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
1657 cipher_suite = MBEDTLS_GET_UINT16_BE(p, 0);
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1658 p += 2;
1659
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1660
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1661 ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(cipher_suite);
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1662 /*
Ronald Cronba120bb2022-03-30 22:09:48 +0200[diff] [blame]1663 * Check whether this ciphersuite is valid and offered.
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1664 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1665 if ((mbedtls_ssl_validate_ciphersuite(ssl, ciphersuite_info,
1666 ssl->tls_version,
1667 ssl->tls_version) != 0) ||
1668 !mbedtls_ssl_tls13_cipher_suite_is_offered(ssl, cipher_suite)) {
XiaokangQian52da5582022-01-26 09:49:29 +0000[diff] [blame]1669 fatal_alert = MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1670 }
XiaokangQian53f20b72022-01-18 10:47:33 +0000[diff] [blame]1671 /*
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]1672 * If we received an HRR before and that the proposed selected
1673 * ciphersuite in this server hello is not the same as the one
1674 * proposed in the HRR, we abort the handshake and send an
1675 * "illegal_parameter" alert.
XiaokangQian53f20b72022-01-18 10:47:33 +0000[diff] [blame]1676 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1677 else if ((!is_hrr) && (handshake->hello_retry_request_count > 0) &&
1678 (cipher_suite != ssl->session_negotiate->ciphersuite)) {
XiaokangQian52da5582022-01-26 09:49:29 +0000[diff] [blame]1679 fatal_alert = MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER;
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]1680 }
XiaokangQian53f20b72022-01-18 10:47:33 +0000[diff] [blame]1681
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1682 if (fatal_alert == MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER) {
1683 MBEDTLS_SSL_DEBUG_MSG(1, ("invalid ciphersuite(%04x) parameter",
1684 cipher_suite));
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1685 goto cleanup;
XiaokangQian53f20b72022-01-18 10:47:33 +0000[diff] [blame]1686 }
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1687
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1688 /* Configure ciphersuites */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1689 mbedtls_ssl_optimize_checksum(ssl, ciphersuite_info);
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1690
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]1691 handshake->ciphersuite_info = ciphersuite_info;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1692 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, chosen ciphersuite: ( %04x ) - %s",
1693 cipher_suite, ciphersuite_info->name));
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1694
1695#if defined(MBEDTLS_HAVE_TIME)
YxCda609132023-05-22 12:08:12 -0700[diff] [blame]1696 ssl->session_negotiate->start = mbedtls_time(NULL);
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1697#endif /* MBEDTLS_HAVE_TIME */
1698
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1699 /* ...
1700 * uint8 legacy_compression_method = 0;
1701 * ...
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1702 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1703 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 1);
1704 if (p[0] != MBEDTLS_SSL_COMPRESS_NULL) {
1705 MBEDTLS_SSL_DEBUG_MSG(1, ("bad legacy compression method"));
XiaokangQian52da5582022-01-26 09:49:29 +0000[diff] [blame]1706 fatal_alert = MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER;
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1707 goto cleanup;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1708 }
1709 p++;
1710
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1711 /* ...
1712 * Extension extensions<6..2^16-1>;
1713 * ...
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1714 * struct {
1715 * ExtensionType extension_type; (2 bytes)
1716 * opaque extension_data<0..2^16-1>;
1717 * } Extension;
1718 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1719 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
1720 extensions_len = MBEDTLS_GET_UINT16_BE(p, 0);
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1721 p += 2;
Jerry Yude4fb2c2021-09-19 18:05:08 +0800[diff] [blame]1722
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1723 /* Check extensions do not go beyond the buffer of data. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1724 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, extensions_len);
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1725 extensions_end = p + extensions_len;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1726
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1727 MBEDTLS_SSL_DEBUG_BUF(3, "server hello extensions", p, extensions_len);
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1728
Jerry Yu50e00e32022-10-31 14:45:01 +0800[diff] [blame]1729 handshake->received_extensions = MBEDTLS_SSL_EXT_MASK_NONE;
Jerry Yu0c354a22022-08-29 15:25:36 +0800[diff] [blame]1730 allowed_extensions_mask = is_hrr ?
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1731 MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_HRR :
1732 MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_SH;
Jerry Yu2c5363e2022-08-04 17:42:49 +0800[diff] [blame]1733
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1734 while (p < extensions_end) {
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1735 unsigned int extension_type;
1736 size_t extension_data_len;
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]1737 const unsigned char *extension_data_end;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1738
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1739 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, extensions_end, 4);
1740 extension_type = MBEDTLS_GET_UINT16_BE(p, 0);
1741 extension_data_len = MBEDTLS_GET_UINT16_BE(p, 2);
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1742 p += 4;
1743
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1744 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, extensions_end, extension_data_len);
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]1745 extension_data_end = p + extension_data_len;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1746
Jerry Yuc4bf5d62022-10-29 09:08:47 +0800[diff] [blame]1747 ret = mbedtls_ssl_tls13_check_received_extension(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1748 ssl, hs_msg_type, extension_type, allowed_extensions_mask);
1749 if (ret != 0) {
1750 return ret;
1751 }
Jerry Yu2c5363e2022-08-04 17:42:49 +0800[diff] [blame]1752
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1753 switch (extension_type) {
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]1754 case MBEDTLS_TLS_EXT_COOKIE:
1755
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1756 ret = ssl_tls13_parse_cookie_ext(ssl,
1757 p, extension_data_end);
1758 if (ret != 0) {
1759 MBEDTLS_SSL_DEBUG_RET(1,
1760 "ssl_tls13_parse_cookie_ext",
1761 ret);
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1762 goto cleanup;
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]1763 }
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]1764 break;
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]1765
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1766 case MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1767 ret = ssl_tls13_parse_supported_versions_ext(ssl,
1768 p,
1769 extension_data_end);
1770 if (ret != 0) {
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1771 goto cleanup;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1772 }
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1773 break;
1774
Ronald Cron41a443a2022-10-04 16:38:25 +0200[diff] [blame]1775#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1776 case MBEDTLS_TLS_EXT_PRE_SHARED_KEY:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1777 MBEDTLS_SSL_DEBUG_MSG(3, ("found pre_shared_key extension"));
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1778
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1779 if ((ret = ssl_tls13_parse_server_pre_shared_key_ext(
1780 ssl, p, extension_data_end)) != 0) {
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]1781 MBEDTLS_SSL_DEBUG_RET(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1782 1, ("ssl_tls13_parse_server_pre_shared_key_ext"), ret);
1783 return ret;
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]1784 }
1785 break;
Ronald Cron41a443a2022-10-04 16:38:25 +0200[diff] [blame]1786#endif
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1787
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1788 case MBEDTLS_TLS_EXT_KEY_SHARE:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1789 MBEDTLS_SSL_DEBUG_MSG(3, ("found key_shares extension"));
Pengyu Lv0a1ff2b2023-11-14 11:03:32 +0800[diff] [blame]1790 if (!mbedtls_ssl_conf_tls13_is_some_ephemeral_enabled(ssl)) {
XiaokangQian52da5582022-01-26 09:49:29 +0000[diff] [blame]1791 fatal_alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT;
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1792 goto cleanup;
1793 }
1794
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1795 if (is_hrr) {
1796 ret = ssl_tls13_parse_hrr_key_share_ext(ssl,
1797 p, extension_data_end);
1798 } else {
1799 ret = ssl_tls13_parse_key_share_ext(ssl,
1800 p, extension_data_end);
1801 }
1802 if (ret != 0) {
1803 MBEDTLS_SSL_DEBUG_RET(1,
1804 "ssl_tls13_parse_key_share_ext",
1805 ret);
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1806 goto cleanup;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1807 }
1808 break;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1809
1810 default:
Jerry Yu9872eb22022-08-29 13:42:01 +0800[diff] [blame]1811 ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
1812 goto cleanup;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1813 }
1814
1815 p += extension_data_len;
1816 }
1817
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1818 MBEDTLS_SSL_PRINT_EXTS(3, hs_msg_type, handshake->received_extensions);
Jerry Yu2c5363e2022-08-04 17:42:49 +0800[diff] [blame]1819
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1820cleanup:
1821
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1822 if (fatal_alert == MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT) {
1823 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT,
1824 MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION);
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1825 ret = MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1826 } else if (fatal_alert == MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER) {
1827 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
1828 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1829 ret = MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
1830 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1831 return ret;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1832}
1833
Xiaokang Qiancb6e9632022-09-26 11:59:32 +0000[diff] [blame]1834#if defined(MBEDTLS_DEBUG_C)
1835static const char *ssl_tls13_get_kex_mode_str(int mode)
Xiaokang Qian5beec4b2022-09-26 08:23:45 +0000[diff] [blame]1836{
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1837 switch (mode) {
Xiaokang Qian5beec4b2022-09-26 08:23:45 +0000[diff] [blame]1838 case MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK:
1839 return "psk";
1840 case MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL:
1841 return "ephemeral";
1842 case MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL:
1843 return "psk_ephemeral";
1844 default:
1845 return "unknown mode";
1846 }
1847}
Xiaokang Qiancb6e9632022-09-26 11:59:32 +0000[diff] [blame]1848#endif /* MBEDTLS_DEBUG_C */
Xiaokang Qian5beec4b2022-09-26 08:23:45 +0000[diff] [blame]1849
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1850MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1851static int ssl_tls13_postprocess_server_hello(mbedtls_ssl_context *ssl)
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1852{
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1853 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1854 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
Jerry Yu0b177842021-09-05 19:41:30 +0800[diff] [blame]1855
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1856 /* Determine the key exchange mode:
1857 * 1) If both the pre_shared_key and key_share extensions were received
1858 * then the key exchange mode is PSK with EPHEMERAL.
1859 * 2) If only the pre_shared_key extension was received then the key
1860 * exchange mode is PSK-only.
1861 * 3) If only the key_share extension was received then the key
1862 * exchange mode is EPHEMERAL-only.
Jerry Yu0b177842021-09-05 19:41:30 +0800[diff] [blame]1863 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1864 switch (handshake->received_extensions &
Xiaokang Qian958b6ff2023-03-29 10:37:35 +0000[diff] [blame]1865 (MBEDTLS_SSL_EXT_MASK(PRE_SHARED_KEY) |
1866 MBEDTLS_SSL_EXT_MASK(KEY_SHARE))) {
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1867 /* Only the pre_shared_key extension was received */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1868 case MBEDTLS_SSL_EXT_MASK(PRE_SHARED_KEY):
Xiaokang Qian958b6ff2023-03-29 10:37:35 +0000[diff] [blame]1869 handshake->key_exchange_mode =
1870 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK;
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1871 break;
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1872
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1873 /* Only the key_share extension was received */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1874 case MBEDTLS_SSL_EXT_MASK(KEY_SHARE):
Xiaokang Qian958b6ff2023-03-29 10:37:35 +0000[diff] [blame]1875 handshake->key_exchange_mode =
1876 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL;
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1877 break;
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1878
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1879 /* Both the pre_shared_key and key_share extensions were received */
Xiaokang Qian958b6ff2023-03-29 10:37:35 +0000[diff] [blame]1880 case (MBEDTLS_SSL_EXT_MASK(PRE_SHARED_KEY) |
1881 MBEDTLS_SSL_EXT_MASK(KEY_SHARE)):
1882 handshake->key_exchange_mode =
1883 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL;
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1884 break;
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1885
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1886 /* Neither pre_shared_key nor key_share extension was received */
1887 default:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1888 MBEDTLS_SSL_DEBUG_MSG(1, ("Unknown key exchange."));
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1889 ret = MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
1890 goto cleanup;
Jerry Yu0b177842021-09-05 19:41:30 +0800[diff] [blame]1891 }
1892
Pengyu Lvfc2cb962023-11-10 10:22:36 +0800[diff] [blame]1893 if (!mbedtls_ssl_conf_tls13_is_kex_mode_enabled(
Xiaokang Qian0de0d862023-02-08 06:04:50 +0000[diff] [blame]1894 ssl, handshake->key_exchange_mode)) {
Xiaokang Qianac8195f2022-09-26 04:01:06 +0000[diff] [blame]1895 ret = MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Xiaokang Qian958b6ff2023-03-29 10:37:35 +0000[diff] [blame]1896 MBEDTLS_SSL_DEBUG_MSG(
1897 2, ("Key exchange mode(%s) is not supported.",
1898 ssl_tls13_get_kex_mode_str(handshake->key_exchange_mode)));
Xiaokang Qianac8195f2022-09-26 04:01:06 +0000[diff] [blame]1899 goto cleanup;
1900 }
1901
Xiaokang Qian958b6ff2023-03-29 10:37:35 +0000[diff] [blame]1902 MBEDTLS_SSL_DEBUG_MSG(
1903 3, ("Selected key exchange mode: %s",
1904 ssl_tls13_get_kex_mode_str(handshake->key_exchange_mode)));
Xiaokang Qian5beec4b2022-09-26 08:23:45 +0000[diff] [blame]1905
Xiaokang Qian7892b6c2023-02-02 06:05:48 +0000[diff] [blame]1906 /* Start the TLS 1.3 key scheduling if not already done.
Jerry Yu0b177842021-09-05 19:41:30 +0800[diff] [blame]1907 *
Xiaokang Qian7892b6c2023-02-02 06:05:48 +0000[diff] [blame]1908 * If we proposed early data then we have already derived an
1909 * early secret using the selected PSK and its associated hash.
1910 * It means that if the negotiated key exchange mode is psk or
1911 * psk_ephemeral, we have already correctly computed the
1912 * early secret and thus we do not do it again. In all other
1913 * cases we compute it here.
Xiaokang Qian303f82c52023-01-04 08:43:46 +0000[diff] [blame]1914 */
Xiaokang Qian90746132023-01-06 05:54:59 +0000[diff] [blame]1915#if defined(MBEDTLS_SSL_EARLY_DATA)
Xiaokang Qiane04afdc2023-02-07 02:19:42 +0000[diff] [blame]1916 if (ssl->early_data_status == MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT ||
1917 handshake->key_exchange_mode ==
1918 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL)
Xiaokang Qian90746132023-01-06 05:54:59 +0000[diff] [blame]1919#endif
1920 {
Xiaokang Qian303f82c52023-01-04 08:43:46 +0000[diff] [blame]1921 ret = mbedtls_ssl_tls13_key_schedule_stage_early(ssl);
1922 if (ret != 0) {
1923 MBEDTLS_SSL_DEBUG_RET(
1924 1, "mbedtls_ssl_tls13_key_schedule_stage_early", ret);
1925 goto cleanup;
1926 }
Jerry Yu0b177842021-09-05 19:41:30 +0800[diff] [blame]1927 }
1928
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1929 ret = mbedtls_ssl_tls13_compute_handshake_transform(ssl);
1930 if (ret != 0) {
1931 MBEDTLS_SSL_DEBUG_RET(1,
1932 "mbedtls_ssl_tls13_compute_handshake_transform",
1933 ret);
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1934 goto cleanup;
Jerry Yu0b177842021-09-05 19:41:30 +0800[diff] [blame]1935 }
1936
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1937 mbedtls_ssl_set_inbound_transform(ssl, handshake->transform_handshake);
1938 MBEDTLS_SSL_DEBUG_MSG(1, ("Switch to handshake keys for inbound traffic"));
Jerry Yu0b177842021-09-05 19:41:30 +0800[diff] [blame]1939 ssl->session_in = ssl->session_negotiate;
1940
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1941cleanup:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1942 if (ret != 0) {
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1943 MBEDTLS_SSL_PEND_FATAL_ALERT(
1944 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1945 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE);
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1946 }
Jerry Yue110d252022-05-05 10:19:22 +0800[diff] [blame]1947
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1948 return ret;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1949}
1950
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1951MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1952static int ssl_tls13_postprocess_hrr(mbedtls_ssl_context *ssl)
XiaokangQian647719a2021-12-07 09:16:29 +0000[diff] [blame]1953{
1954 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1955
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1956 mbedtls_ssl_session_reset_msg_layer(ssl, 0);
XiaokangQian647719a2021-12-07 09:16:29 +0000[diff] [blame]1957
XiaokangQian78b1fa72022-01-19 06:56:30 +0000[diff] [blame]1958 /*
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]1959 * We are going to re-generate a shared secret corresponding to the group
1960 * selected by the server, which is different from the group for which we
1961 * generated a shared secret in the first client hello.
1962 * Thus, reset the shared secret.
XiaokangQian51eff222021-12-10 10:33:56 +0000[diff] [blame]1963 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1964 ret = ssl_tls13_reset_key_share(ssl);
1965 if (ret != 0) {
1966 return ret;
1967 }
XiaokangQian647719a2021-12-07 09:16:29 +0000[diff] [blame]1968
Xiaokang Qian4ef8ba22023-02-06 11:06:16 +0000[diff] [blame]1969 ssl->session_negotiate->ciphersuite = ssl->handshake->ciphersuite_info->id;
Ronald Cron90e22332024-01-22 15:24:21 +0100[diff] [blame]1970
1971#if defined(MBEDTLS_SSL_EARLY_DATA)
1972 if (ssl->early_data_status != MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT) {
1973 ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED;
1974 }
1975#endif
1976
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1977 return 0;
XiaokangQian647719a2021-12-07 09:16:29 +0000[diff] [blame]1978}
1979
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1980/*
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1981 * Wait and parse ServerHello handshake message.
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]1982 * Handler for MBEDTLS_SSL_SERVER_HELLO
1983 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1984MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1985static int ssl_tls13_process_server_hello(mbedtls_ssl_context *ssl)
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]1986{
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1987 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
XiaokangQian647719a2021-12-07 09:16:29 +0000[diff] [blame]1988 unsigned char *buf = NULL;
1989 size_t buf_len = 0;
XiaokangQian78b1fa72022-01-19 06:56:30 +0000[diff] [blame]1990 int is_hrr = 0;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1991
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1992 MBEDTLS_SSL_DEBUG_MSG(2, ("=> %s", __func__));
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1993
Xiaokang Qian958b6ff2023-03-29 10:37:35 +0000[diff] [blame]1994 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_tls13_fetch_handshake_msg(
1995 ssl, MBEDTLS_SSL_HS_SERVER_HELLO, &buf, &buf_len));
Ronald Crondb5dfa12022-05-31 11:44:38 +0200[diff] [blame]1996
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1997 ret = ssl_tls13_preprocess_server_hello(ssl, buf, buf + buf_len);
1998 if (ret < 0) {
XiaokangQian16acd4b2022-01-14 07:35:47 +0000[diff] [blame]1999 goto cleanup;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2000 } else {
2001 is_hrr = (ret == SSL_SERVER_HELLO_HRR);
2002 }
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]2003
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2004 if (ret == SSL_SERVER_HELLO_TLS1_2) {
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]2005 ret = 0;
2006 goto cleanup;
2007 }
2008
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2009 MBEDTLS_SSL_PROC_CHK(ssl_tls13_parse_server_hello(ssl, buf,
2010 buf + buf_len,
2011 is_hrr));
2012 if (is_hrr) {
2013 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_reset_transcript_for_hrr(ssl));
Ronald Cronfb508b82022-05-31 14:49:55 +0200[diff] [blame]2014 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2015
Xiaokang Qian958b6ff2023-03-29 10:37:35 +0000[diff] [blame]2016 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(
2017 ssl, MBEDTLS_SSL_HS_SERVER_HELLO, buf, buf_len));
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2018
2019 if (is_hrr) {
2020 MBEDTLS_SSL_PROC_CHK(ssl_tls13_postprocess_hrr(ssl));
2021#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
2022 /* If not offering early data, the client sends a dummy CCS record
2023 * immediately before its second flight. This may either be before
2024 * its second ClientHello or before its encrypted handshake flight.
2025 */
Xiaokang Qian958b6ff2023-03-29 10:37:35 +0000[diff] [blame]2026 mbedtls_ssl_handshake_set_state(
2027 ssl, MBEDTLS_SSL_CLIENT_CCS_BEFORE_2ND_CLIENT_HELLO);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2028#else
2029 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_HELLO);
2030#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
2031 } else {
2032 MBEDTLS_SSL_PROC_CHK(ssl_tls13_postprocess_server_hello(ssl));
2033 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_ENCRYPTED_EXTENSIONS);
Ronald Cronfb508b82022-05-31 14:49:55 +0200[diff] [blame]2034 }
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]2035
2036cleanup:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2037 MBEDTLS_SSL_DEBUG_MSG(2, ("<= %s ( %s )", __func__,
2038 is_hrr ? "HelloRetryRequest" : "ServerHello"));
2039 return ret;
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2040}
2041
2042/*
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]2043 *
Ronald Cron9d6a5452022-05-30 16:05:38 +0200[diff] [blame]2044 * Handler for MBEDTLS_SSL_ENCRYPTED_EXTENSIONS
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]2045 *
2046 * The EncryptedExtensions message contains any extensions which
2047 * should be protected, i.e., any which are not needed to establish
2048 * the cryptographic context.
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2049 */
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]2050
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]2051/* Parse EncryptedExtensions message
2052 * struct {
XiaokangQian97799ac2021-10-11 10:05:54 +0000[diff] [blame]2053 * Extension extensions<0..2^16-1>;
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]2054 * } EncryptedExtensions;
2055 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2056MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2057static int ssl_tls13_parse_encrypted_extensions(mbedtls_ssl_context *ssl,
2058 const unsigned char *buf,
2059 const unsigned char *end)
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]2060{
2061 int ret = 0;
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]2062 size_t extensions_len;
XiaokangQian140f0452021-10-08 08:05:53 +0000[diff] [blame]2063 const unsigned char *p = buf;
XiaokangQian8db25ff2021-10-13 05:56:18 +0000[diff] [blame]2064 const unsigned char *extensions_end;
Jerry Yuc4bf5d62022-10-29 09:08:47 +0800[diff] [blame]2065 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]2066
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2067 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
2068 extensions_len = MBEDTLS_GET_UINT16_BE(p, 0);
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]2069 p += 2;
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]2070
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2071 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, extensions_len);
Ronald Cronc8083592022-05-31 16:24:05 +0200[diff] [blame]2072 extensions_end = p + extensions_len;
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]2073
Jan Bruckner5a3629b2023-02-23 12:08:09 +0100[diff] [blame]2074 MBEDTLS_SSL_DEBUG_BUF(3, "encrypted extensions", p, extensions_len);
2075
Jerry Yu9eba7502022-10-31 13:46:16 +0800[diff] [blame]2076 handshake->received_extensions = MBEDTLS_SSL_EXT_MASK_NONE;
Jerry Yucbd082f2022-08-04 16:55:10 +0800[diff] [blame]2077
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2078 while (p < extensions_end) {
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]2079 unsigned int extension_type;
2080 size_t extension_data_len;
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]2081
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]2082 /*
2083 * struct {
XiaokangQian97799ac2021-10-11 10:05:54 +0000[diff] [blame]2084 * ExtensionType extension_type; (2 bytes)
2085 * opaque extension_data<0..2^16-1>;
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]2086 * } Extension;
2087 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2088 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, extensions_end, 4);
2089 extension_type = MBEDTLS_GET_UINT16_BE(p, 0);
2090 extension_data_len = MBEDTLS_GET_UINT16_BE(p, 2);
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]2091 p += 4;
2092
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2093 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, extensions_end, extension_data_len);
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]2094
Jerry Yuc4bf5d62022-10-29 09:08:47 +0800[diff] [blame]2095 ret = mbedtls_ssl_tls13_check_received_extension(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2096 ssl, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS, extension_type,
2097 MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_EE);
2098 if (ret != 0) {
2099 return ret;
2100 }
Jerry Yucbd082f2022-08-04 16:55:10 +0800[diff] [blame]2101
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2102 switch (extension_type) {
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]2103#if defined(MBEDTLS_SSL_ALPN)
2104 case MBEDTLS_TLS_EXT_ALPN:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2105 MBEDTLS_SSL_DEBUG_MSG(3, ("found alpn extension"));
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]2106
Xiaokang Qian958b6ff2023-03-29 10:37:35 +0000[diff] [blame]2107 if ((ret = ssl_tls13_parse_alpn_ext(
2108 ssl, p, (size_t) extension_data_len)) != 0) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2109 return ret;
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]2110 }
2111
2112 break;
2113#endif /* MBEDTLS_SSL_ALPN */
Xiaokang Qian8bee8992022-10-27 10:21:05 +0000[diff] [blame]2114
2115#if defined(MBEDTLS_SSL_EARLY_DATA)
2116 case MBEDTLS_TLS_EXT_EARLY_DATA:
Xiaokang Qianca09afc2022-11-22 10:05:19 +0000[diff] [blame]2117
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2118 if (extension_data_len != 0) {
Xiaokang Qianca09afc2022-11-22 10:05:19 +0000[diff] [blame]2119 /* The message must be empty. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2120 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
2121 MBEDTLS_ERR_SSL_DECODE_ERROR);
2122 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Xiaokang Qianca09afc2022-11-22 10:05:19 +0000[diff] [blame]2123 }
2124
Xiaokang Qian8bee8992022-10-27 10:21:05 +0000[diff] [blame]2125 break;
2126#endif /* MBEDTLS_SSL_EARLY_DATA */
2127
Jan Bruckner151f6422023-02-10 12:45:19 +0100[diff] [blame]2128#if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
2129 case MBEDTLS_TLS_EXT_RECORD_SIZE_LIMIT:
2130 MBEDTLS_SSL_DEBUG_MSG(3, ("found record_size_limit extension"));
2131
Xiaokang Qian958b6ff2023-03-29 10:37:35 +0000[diff] [blame]2132 ret = mbedtls_ssl_tls13_parse_record_size_limit_ext(
2133 ssl, p, p + extension_data_len);
Jan Brucknerf482dcc2023-03-15 09:09:06 +0100[diff] [blame]2134 if (ret != 0) {
2135 MBEDTLS_SSL_DEBUG_RET(
2136 1, ("mbedtls_ssl_tls13_parse_record_size_limit_ext"), ret);
2137 return ret;
2138 }
Jan Bruckner151f6422023-02-10 12:45:19 +0100[diff] [blame]2139 break;
2140#endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */
2141
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]2142 default:
Jerry Yu79aa7212022-11-08 21:30:21 +0800[diff] [blame]2143 MBEDTLS_SSL_PRINT_EXT(
Jerry Yu9eba7502022-10-31 13:46:16 +0800[diff] [blame]2144 3, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2145 extension_type, "( ignored )");
Jerry Yucbd082f2022-08-04 16:55:10 +0800[diff] [blame]2146 break;
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]2147 }
2148
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]2149 p += extension_data_len;
XiaokangQian97799ac2021-10-11 10:05:54 +0000[diff] [blame]2150 }
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]2151
Waleed Elmelegy049cd302023-12-20 17:28:31 +0000[diff] [blame]2152 if ((handshake->received_extensions & MBEDTLS_SSL_EXT_MASK(RECORD_SIZE_LIMIT)) &&
2153 (handshake->received_extensions & MBEDTLS_SSL_EXT_MASK(MAX_FRAGMENT_LENGTH))) {
Waleed Elmelegy6a971fd2023-12-28 17:48:16 +0000[diff] [blame]2154 MBEDTLS_SSL_DEBUG_MSG(3,
2155 (
2156 "Record size limit extension cannot be used with max fragment length extension"));
Waleed Elmelegy049cd302023-12-20 17:28:31 +0000[diff] [blame]2157 MBEDTLS_SSL_PEND_FATAL_ALERT(
2158 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
2159 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
2160 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
2161 }
2162
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2163 MBEDTLS_SSL_PRINT_EXTS(3, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS,
2164 handshake->received_extensions);
Jerry Yucbd082f2022-08-04 16:55:10 +0800[diff] [blame]2165
XiaokangQian97799ac2021-10-11 10:05:54 +0000[diff] [blame]2166 /* Check that we consumed all the message. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2167 if (p != end) {
2168 MBEDTLS_SSL_DEBUG_MSG(1, ("EncryptedExtension lengths misaligned"));
2169 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
2170 MBEDTLS_ERR_SSL_DECODE_ERROR);
2171 return MBEDTLS_ERR_SSL_DECODE_ERROR;
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]2172 }
2173
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2174 return ret;
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]2175}
2176
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2177MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2178static int ssl_tls13_process_encrypted_extensions(mbedtls_ssl_context *ssl)
Ronald Cron9d6a5452022-05-30 16:05:38 +0200[diff] [blame]2179{
2180 int ret;
2181 unsigned char *buf;
2182 size_t buf_len;
Jerry Yu960b7eb2023-10-31 16:40:01 +0800[diff] [blame]2183 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
Ronald Cron9d6a5452022-05-30 16:05:38 +0200[diff] [blame]2184
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2185 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse encrypted extensions"));
Ronald Cron9d6a5452022-05-30 16:05:38 +0200[diff] [blame]2186
Xiaokang Qian958b6ff2023-03-29 10:37:35 +0000[diff] [blame]2187 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_tls13_fetch_handshake_msg(
2188 ssl, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS,
2189 &buf, &buf_len));
Ronald Cron9d6a5452022-05-30 16:05:38 +0200[diff] [blame]2190
2191 /* Process the message contents */
2192 MBEDTLS_SSL_PROC_CHK(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2193 ssl_tls13_parse_encrypted_extensions(ssl, buf, buf + buf_len));
Ronald Cron9d6a5452022-05-30 16:05:38 +0200[diff] [blame]2194
Xiaokang Qianb157e912022-11-23 08:12:26 +0000[diff] [blame]2195#if defined(MBEDTLS_SSL_EARLY_DATA)
Jerry Yu960b7eb2023-10-31 16:40:01 +0800[diff] [blame]2196 if (handshake->received_extensions & MBEDTLS_SSL_EXT_MASK(EARLY_DATA)) {
2197 /* RFC8446 4.2.11
2198 * If the server supplies an "early_data" extension, the
2199 * client MUST verify that the server's selected_identity
2200 * is 0. If any other value is returned, the client MUST
2201 * abort the handshake with an "illegal_parameter" alert.
2202 *
2203 * RFC 8446 4.2.10
2204 * In order to accept early data, the server MUST have accepted a PSK
2205 * cipher suite and selected the first key offered in the client's
2206 * "pre_shared_key" extension. In addition, it MUST verify that the
2207 * following values are the same as those associated with the
2208 * selected PSK:
2209 * - The TLS version number
2210 * - The selected cipher suite
2211 * - The selected ALPN [RFC7301] protocol, if any
2212 *
Yanray Wang03a00762023-12-01 17:40:19 +0800[diff] [blame]2213 * The server has sent an early data extension in its Encrypted
2214 * Extension message thus accepted to receive early data. We
2215 * check here that the additional constraints on the handshake
2216 * parameters, when early data are exchanged, are met,
2217 * namely:
Yanray Wang744577a2023-12-01 22:33:59 +0800[diff] [blame]2218 * - a PSK has been selected for the handshake
Yanray Wang03a00762023-12-01 17:40:19 +0800[diff] [blame]2219 * - the selected PSK for the handshake was the first one proposed
2220 * by the client.
2221 * - the selected ciphersuite for the handshake is the ciphersuite
2222 * associated with the selected PSK.
Jerry Yu960b7eb2023-10-31 16:40:01 +0800[diff] [blame]2223 */
Yanray Wang744577a2023-12-01 22:33:59 +0800[diff] [blame]2224 if ((!mbedtls_ssl_tls13_key_exchange_mode_with_psk(ssl)) ||
2225 handshake->selected_identity != 0 ||
Jerry Yu960b7eb2023-10-31 16:40:01 +0800[diff] [blame]2226 handshake->ciphersuite_info->id !=
2227 ssl->session_negotiate->ciphersuite) {
2228
2229 MBEDTLS_SSL_PEND_FATAL_ALERT(
2230 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
2231 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
2232 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
2233 }
2234
Xiaokang Qianb157e912022-11-23 08:12:26 +0000[diff] [blame]2235 ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED;
Ronald Cron90e22332024-01-22 15:24:21 +0100[diff] [blame]2236 } else if (ssl->early_data_status != MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT) {
2237 ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED;
Xiaokang Qianb157e912022-11-23 08:12:26 +0000[diff] [blame]2238 }
2239#endif
2240
Yanray Wanga29db7d2023-11-30 14:06:14 +0800[diff] [blame]2241 /*
Yanray Wang9ae65342023-12-01 17:46:06 +0800[diff] [blame]2242 * In case the client has proposed a PSK associated with a ticket,
2243 * `ssl->session_negotiate->ciphersuite` still contains at this point the
2244 * identifier of the ciphersuite associated with the ticket. This is that
2245 * way because, if an exchange of early data is agreed upon, we need
2246 * it to check that the ciphersuite selected for the handshake is the
2247 * ticket ciphersuite (see above). This information is not needed
2248 * anymore thus we can now set it to the identifier of the ciphersuite
2249 * used in this session under negotiation.
Yanray Wanga29db7d2023-11-30 14:06:14 +0800[diff] [blame]2250 */
2251 ssl->session_negotiate->ciphersuite = handshake->ciphersuite_info->id;
2252
Xiaokang Qian958b6ff2023-03-29 10:37:35 +0000[diff] [blame]2253 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(
2254 ssl, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS,
2255 buf, buf_len));
Ronald Cron9d6a5452022-05-30 16:05:38 +0200[diff] [blame]2256
Ronald Cron928cbd32022-10-04 16:14:26 +0200[diff] [blame]2257#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2258 if (mbedtls_ssl_tls13_key_exchange_mode_with_psk(ssl)) {
2259 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_FINISHED);
2260 } else {
2261 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CERTIFICATE_REQUEST);
2262 }
Ronald Cronfb508b82022-05-31 14:49:55 +0200[diff] [blame]2263#else
2264 ((void) ssl);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2265 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_FINISHED);
Ronald Cronfb508b82022-05-31 14:49:55 +0200[diff] [blame]2266#endif
Ronald Cron9d6a5452022-05-30 16:05:38 +0200[diff] [blame]2267
2268cleanup:
2269
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2270 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse encrypted extensions"));
2271 return ret;
Ronald Cron9d6a5452022-05-30 16:05:38 +0200[diff] [blame]2272
2273}
2274
Xiaokang Qian125afcb2022-10-28 06:04:06 +0000[diff] [blame]2275/*
2276 * Handler for MBEDTLS_SSL_END_OF_EARLY_DATA
2277 *
Xiaokang Qianc81a15a2022-12-19 02:43:33 +0000[diff] [blame]2278 * RFC 8446 section 4.5
Xiaokang Qian125afcb2022-10-28 06:04:06 +0000[diff] [blame]2279 *
Xiaokang Qian125afcb2022-10-28 06:04:06 +0000[diff] [blame]2280 * struct {} EndOfEarlyData;
Xiaokang Qianc81a15a2022-12-19 02:43:33 +0000[diff] [blame]2281 *
2282 * If the server sent an "early_data" extension in EncryptedExtensions, the
2283 * client MUST send an EndOfEarlyData message after receiving the server
2284 * Finished. Otherwise, the client MUST NOT send an EndOfEarlyData message.
Xiaokang Qian125afcb2022-10-28 06:04:06 +0000[diff] [blame]2285 */
2286
Xiaokang Qian125afcb2022-10-28 06:04:06 +0000[diff] [blame]2287MBEDTLS_CHECK_RETURN_CRITICAL
Xiaokang Qian125afcb2022-10-28 06:04:06 +0000[diff] [blame]2288static int ssl_tls13_write_end_of_early_data(mbedtls_ssl_context *ssl)
2289{
2290 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Xiaokang Qian742578c2022-12-19 06:34:44 +0000[diff] [blame]2291 unsigned char *buf = NULL;
2292 size_t buf_len;
Xiaokang Qian57a138d2022-12-19 06:40:47 +0000[diff] [blame]2293 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write EndOfEarlyData"));
Xiaokang Qian125afcb2022-10-28 06:04:06 +0000[diff] [blame]2294
Xiaokang Qian742578c2022-12-19 06:34:44 +0000[diff] [blame]2295 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_start_handshake_msg(
Xiaokang Qian0de0d862023-02-08 06:04:50 +0000[diff] [blame]2296 ssl, MBEDTLS_SSL_HS_END_OF_EARLY_DATA,
2297 &buf, &buf_len));
Xiaokang Qian125afcb2022-10-28 06:04:06 +0000[diff] [blame]2298
Manuel Pégourié-Gonnard63e33dd2023-02-21 15:45:15 +0100[diff] [blame]2299 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_hdr_to_checksum(
2300 ssl, MBEDTLS_SSL_HS_END_OF_EARLY_DATA, 0));
Xiaokang Qian125afcb2022-10-28 06:04:06 +0000[diff] [blame]2301
Xiaokang Qian742578c2022-12-19 06:34:44 +0000[diff] [blame]2302 MBEDTLS_SSL_PROC_CHK(
2303 mbedtls_ssl_finish_handshake_msg(ssl, buf_len, 0));
Xiaokang Qianda8402d2022-12-15 14:55:35 +0000[diff] [blame]2304
Xiaokang Qian19d44162023-01-03 03:39:50 +0000[diff] [blame]2305 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE);
Xiaokang Qian125afcb2022-10-28 06:04:06 +0000[diff] [blame]2306
2307cleanup:
2308
2309 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write EndOfEarlyData"));
2310 return ret;
2311}
2312
Ronald Cron928cbd32022-10-04 16:14:26 +0200[diff] [blame]2313#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2314/*
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2315 * STATE HANDLING: CertificateRequest
2316 *
Jerry Yud2674312021-10-29 10:08:19 +0800[diff] [blame]2317 */
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]2318#define SSL_CERTIFICATE_REQUEST_EXPECT_REQUEST 0
2319#define SSL_CERTIFICATE_REQUEST_SKIP 1
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2320/* Coordination:
2321 * Deals with the ambiguity of not knowing if a CertificateRequest
2322 * will be sent. Returns a negative code on failure, or
2323 * - SSL_CERTIFICATE_REQUEST_EXPECT_REQUEST
2324 * - SSL_CERTIFICATE_REQUEST_SKIP
2325 * indicating if a Certificate Request is expected or not.
2326 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2327MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2328static int ssl_tls13_certificate_request_coordinate(mbedtls_ssl_context *ssl)
Jerry Yud2674312021-10-29 10:08:19 +0800[diff] [blame]2329{
Xiaofei Baide3f13e2022-01-18 05:47:05 +0000[diff] [blame]2330 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yud2674312021-10-29 10:08:19 +0800[diff] [blame]2331
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2332 if ((ret = mbedtls_ssl_read_record(ssl, 0)) != 0) {
2333 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);
2334 return ret;
Jerry Yud2674312021-10-29 10:08:19 +0800[diff] [blame]2335 }
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2336 ssl->keep_current_message = 1;
Jerry Yud2674312021-10-29 10:08:19 +0800[diff] [blame]2337
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2338 if ((ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE) &&
2339 (ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE_REQUEST)) {
2340 MBEDTLS_SSL_DEBUG_MSG(3, ("got a certificate request"));
2341 return SSL_CERTIFICATE_REQUEST_EXPECT_REQUEST;
Jerry Yud2674312021-10-29 10:08:19 +0800[diff] [blame]2342 }
2343
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2344 MBEDTLS_SSL_DEBUG_MSG(3, ("got no certificate request"));
Ronald Cron19385882022-06-15 16:26:13 +0200[diff] [blame]2345
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2346 return SSL_CERTIFICATE_REQUEST_SKIP;
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2347}
2348
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2349/*
2350 * ssl_tls13_parse_certificate_request()
2351 * Parse certificate request
2352 * struct {
2353 * opaque certificate_request_context<0..2^8-1>;
2354 * Extension extensions<2..2^16-1>;
2355 * } CertificateRequest;
2356 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2357MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2358static int ssl_tls13_parse_certificate_request(mbedtls_ssl_context *ssl,
2359 const unsigned char *buf,
2360 const unsigned char *end)
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2361{
2362 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2363 const unsigned char *p = buf;
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2364 size_t certificate_request_context_len = 0;
Xiaofei Bai82f0a9a2022-01-26 09:21:54 +0000[diff] [blame]2365 size_t extensions_len = 0;
2366 const unsigned char *extensions_end;
Jerry Yuc4bf5d62022-10-29 09:08:47 +0800[diff] [blame]2367 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2368
Xiaofei Bai82f0a9a2022-01-26 09:21:54 +0000[diff] [blame]2369 /* ...
2370 * opaque certificate_request_context<0..2^8-1>
2371 * ...
2372 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2373 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 1);
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2374 certificate_request_context_len = (size_t) p[0];
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]2375 p += 1;
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2376
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2377 if (certificate_request_context_len > 0) {
2378 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, certificate_request_context_len);
2379 MBEDTLS_SSL_DEBUG_BUF(3, "Certificate Request Context",
2380 p, certificate_request_context_len);
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2381
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]2382 handshake->certificate_request_context =
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2383 mbedtls_calloc(1, certificate_request_context_len);
2384 if (handshake->certificate_request_context == NULL) {
2385 MBEDTLS_SSL_DEBUG_MSG(1, ("buffer too small"));
2386 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2387 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2388 memcpy(handshake->certificate_request_context, p,
2389 certificate_request_context_len);
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2390 p += certificate_request_context_len;
2391 }
2392
Xiaofei Bai82f0a9a2022-01-26 09:21:54 +0000[diff] [blame]2393 /* ...
2394 * Extension extensions<2..2^16-1>;
2395 * ...
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2396 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2397 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
2398 extensions_len = MBEDTLS_GET_UINT16_BE(p, 0);
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2399 p += 2;
2400
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2401 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, extensions_len);
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2402 extensions_end = p + extensions_len;
2403
Jerry Yu6d0e78b2022-10-31 14:13:25 +0800[diff] [blame]2404 handshake->received_extensions = MBEDTLS_SSL_EXT_MASK_NONE;
Jerry Yuc55a6af2022-08-04 17:01:21 +0800[diff] [blame]2405
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2406 while (p < extensions_end) {
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2407 unsigned int extension_type;
2408 size_t extension_data_len;
2409
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2410 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, extensions_end, 4);
2411 extension_type = MBEDTLS_GET_UINT16_BE(p, 0);
2412 extension_data_len = MBEDTLS_GET_UINT16_BE(p, 2);
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2413 p += 4;
2414
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2415 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, extensions_end, extension_data_len);
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2416
Jerry Yuc4bf5d62022-10-29 09:08:47 +0800[diff] [blame]2417 ret = mbedtls_ssl_tls13_check_received_extension(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2418 ssl, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST, extension_type,
2419 MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CR);
2420 if (ret != 0) {
2421 return ret;
2422 }
Jerry Yuc55a6af2022-08-04 17:01:21 +0800[diff] [blame]2423
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2424 switch (extension_type) {
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2425 case MBEDTLS_TLS_EXT_SIG_ALG:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2426 MBEDTLS_SSL_DEBUG_MSG(3,
2427 ("found signature algorithms extension"));
2428 ret = mbedtls_ssl_parse_sig_alg_ext(ssl, p,
2429 p + extension_data_len);
2430 if (ret != 0) {
2431 return ret;
2432 }
Jerry Yuc55a6af2022-08-04 17:01:21 +0800[diff] [blame]2433
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2434 break;
2435
2436 default:
Jerry Yu79aa7212022-11-08 21:30:21 +0800[diff] [blame]2437 MBEDTLS_SSL_PRINT_EXT(
Jerry Yu6d0e78b2022-10-31 14:13:25 +0800[diff] [blame]2438 3, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2439 extension_type, "( ignored )");
Xiaofei Bai82f0a9a2022-01-26 09:21:54 +0000[diff] [blame]2440 break;
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2441 }
Jerry Yuc55a6af2022-08-04 17:01:21 +0800[diff] [blame]2442
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2443 p += extension_data_len;
2444 }
Jerry Yuc55a6af2022-08-04 17:01:21 +0800[diff] [blame]2445
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2446 MBEDTLS_SSL_PRINT_EXTS(3, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST,
2447 handshake->received_extensions);
Jerry Yuc55a6af2022-08-04 17:01:21 +0800[diff] [blame]2448
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]2449 /* Check that we consumed all the message. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2450 if (p != end) {
2451 MBEDTLS_SSL_DEBUG_MSG(1,
2452 ("CertificateRequest misaligned"));
Xiaofei Baic234ecf2022-02-08 09:59:23 +0000[diff] [blame]2453 goto decode_error;
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]2454 }
Jerry Yuc55a6af2022-08-04 17:01:21 +0800[diff] [blame]2455
Jerry Yu0c354a22022-08-29 15:25:36 +0800[diff] [blame]2456 /* RFC 8446 section 4.3.2
Jerry Yuc55a6af2022-08-04 17:01:21 +0800[diff] [blame]2457 *
2458 * The "signature_algorithms" extension MUST be specified
2459 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2460 if ((handshake->received_extensions & MBEDTLS_SSL_EXT_MASK(SIG_ALG)) == 0) {
2461 MBEDTLS_SSL_DEBUG_MSG(3,
2462 ("no signature algorithms extension found"));
Xiaofei Baic234ecf2022-02-08 09:59:23 +0000[diff] [blame]2463 goto decode_error;
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]2464 }
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2465
Jerry Yu7840f812022-01-29 10:26:51 +0800[diff] [blame]2466 ssl->handshake->client_auth = 1;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2467 return 0;
Xiaofei Bai51f515a2022-02-08 07:28:04 +0000[diff] [blame]2468
Xiaofei Baic234ecf2022-02-08 09:59:23 +0000[diff] [blame]2469decode_error:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2470 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
2471 MBEDTLS_ERR_SSL_DECODE_ERROR);
2472 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2473}
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2474
Xiaofei Baide3f13e2022-01-18 05:47:05 +0000[diff] [blame]2475/*
2476 * Handler for MBEDTLS_SSL_CERTIFICATE_REQUEST
2477 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2478MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2479static int ssl_tls13_process_certificate_request(mbedtls_ssl_context *ssl)
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2480{
Xiaofei Baide3f13e2022-01-18 05:47:05 +0000[diff] [blame]2481 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2482
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2483 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate request"));
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2484
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2485 MBEDTLS_SSL_PROC_CHK_NEG(ssl_tls13_certificate_request_coordinate(ssl));
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2486
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2487 if (ret == SSL_CERTIFICATE_REQUEST_EXPECT_REQUEST) {
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2488 unsigned char *buf;
2489 size_t buf_len;
2490
Xiaokang Qian958b6ff2023-03-29 10:37:35 +0000[diff] [blame]2491 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_tls13_fetch_handshake_msg(
2492 ssl, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST,
2493 &buf, &buf_len));
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2494
Xiaokang Qian958b6ff2023-03-29 10:37:35 +0000[diff] [blame]2495 MBEDTLS_SSL_PROC_CHK(ssl_tls13_parse_certificate_request(
2496 ssl, buf, buf + buf_len));
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2497
Xiaokang Qian958b6ff2023-03-29 10:37:35 +0000[diff] [blame]2498 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(
2499 ssl, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST,
2500 buf, buf_len));
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2501 } else if (ret == SSL_CERTIFICATE_REQUEST_SKIP) {
Xiaofei Baif6d36962022-01-16 14:54:35 +0000[diff] [blame]2502 ret = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2503 } else {
2504 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
Xiaofei Bai51f515a2022-02-08 07:28:04 +0000[diff] [blame]2505 ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
2506 goto cleanup;
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2507 }
2508
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2509 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_CERTIFICATE);
Jerry Yud2674312021-10-29 10:08:19 +0800[diff] [blame]2510
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2511cleanup:
2512
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2513 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse certificate request"));
2514 return ret;
Jerry Yud2674312021-10-29 10:08:19 +0800[diff] [blame]2515}
2516
2517/*
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2518 * Handler for MBEDTLS_SSL_SERVER_CERTIFICATE
2519 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2520MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2521static int ssl_tls13_process_server_certificate(mbedtls_ssl_context *ssl)
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2522{
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]2523 int ret;
2524
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2525 ret = mbedtls_ssl_tls13_process_certificate(ssl);
2526 if (ret != 0) {
2527 return ret;
2528 }
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]2529
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2530 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CERTIFICATE_VERIFY);
2531 return 0;
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2532}
2533
2534/*
2535 * Handler for MBEDTLS_SSL_CERTIFICATE_VERIFY
2536 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2537MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2538static int ssl_tls13_process_certificate_verify(mbedtls_ssl_context *ssl)
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2539{
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]2540 int ret;
2541
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2542 ret = mbedtls_ssl_tls13_process_certificate_verify(ssl);
2543 if (ret != 0) {
2544 return ret;
2545 }
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]2546
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2547 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_FINISHED);
2548 return 0;
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2549}
Ronald Cron928cbd32022-10-04 16:14:26 +0200[diff] [blame]2550#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
Ronald Crond4c64022021-12-06 09:06:46 +0100[diff] [blame]2551
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2552/*
2553 * Handler for MBEDTLS_SSL_SERVER_FINISHED
2554 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2555MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2556static int ssl_tls13_process_server_finished(mbedtls_ssl_context *ssl)
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2557{
XiaokangQianac0385c2021-11-03 06:40:11 +0000[diff] [blame]2558 int ret;
2559
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2560 ret = mbedtls_ssl_tls13_process_finished_message(ssl);
2561 if (ret != 0) {
2562 return ret;
2563 }
XiaokangQianac0385c2021-11-03 06:40:11 +0000[diff] [blame]2564
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2565 ret = mbedtls_ssl_tls13_compute_application_transform(ssl);
2566 if (ret != 0) {
Jerry Yue3d67cb2022-05-19 15:33:10 +0800[diff] [blame]2567 MBEDTLS_SSL_PEND_FATAL_ALERT(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2568 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
2569 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE);
2570 return ret;
Jerry Yue3d67cb2022-05-19 15:33:10 +0800[diff] [blame]2571 }
2572
Xiaokang Qianbc75bc02022-12-19 06:16:42 +0000[diff] [blame]2573#if defined(MBEDTLS_SSL_EARLY_DATA)
2574 if (ssl->early_data_status == MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED) {
Ronald Cron90e22332024-01-22 15:24:21 +0100[diff] [blame]2575 ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_SERVER_FINISHED_RECEIVED;
Xiaokang Qianbc75bc02022-12-19 06:16:42 +0000[diff] [blame]2576 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_END_OF_EARLY_DATA);
2577 } else
2578#endif /* MBEDTLS_SSL_EARLY_DATA */
2579 {
2580#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
2581 mbedtls_ssl_handshake_set_state(
2582 ssl, MBEDTLS_SSL_CLIENT_CCS_AFTER_SERVER_FINISHED);
2583#else
2584 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE);
2585#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
2586 }
Ronald Cron49ad6192021-11-24 16:25:31 +0100[diff] [blame]2587
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2588 return 0;
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2589}
2590
2591/*
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]2592 * Handler for MBEDTLS_SSL_CLIENT_CERTIFICATE
2593 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2594MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2595static int ssl_tls13_write_client_certificate(mbedtls_ssl_context *ssl)
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]2596{
Ronald Cron7a94aca2022-03-09 07:44:27 +0100[diff] [blame]2597 int non_empty_certificate_msg = 0;
2598
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2599 MBEDTLS_SSL_DEBUG_MSG(1,
2600 ("Switch to handshake traffic keys for outbound traffic"));
2601 mbedtls_ssl_set_outbound_transform(ssl, ssl->handshake->transform_handshake);
Jerry Yu5cc35062022-01-28 16:16:08 +0800[diff] [blame]2602
Ronald Cron928cbd32022-10-04 16:14:26 +0200[diff] [blame]2603#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2604 if (ssl->handshake->client_auth) {
2605 int ret = mbedtls_ssl_tls13_write_certificate(ssl);
2606 if (ret != 0) {
2607 return ret;
2608 }
Ronald Cron5bb8fc82022-03-09 07:00:13 +0100[diff] [blame]2609
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2610 if (mbedtls_ssl_own_cert(ssl) != NULL) {
Ronald Cron7a94aca2022-03-09 07:44:27 +0100[diff] [blame]2611 non_empty_certificate_msg = 1;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2612 }
2613 } else {
2614 MBEDTLS_SSL_DEBUG_MSG(2, ("skip write certificate"));
Ronald Cron7a94aca2022-03-09 07:44:27 +0100[diff] [blame]2615 }
Ronald Cron9df7c802022-03-08 18:38:54 +0100[diff] [blame]2616#endif
Ronald Cron5bb8fc82022-03-09 07:00:13 +0100[diff] [blame]2617
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2618 if (non_empty_certificate_msg) {
2619 mbedtls_ssl_handshake_set_state(ssl,
2620 MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY);
2621 } else {
2622 MBEDTLS_SSL_DEBUG_MSG(2, ("skip write certificate verify"));
2623 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_FINISHED);
2624 }
Ronald Cron7a94aca2022-03-09 07:44:27 +0100[diff] [blame]2625
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2626 return 0;
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]2627}
2628
Ronald Cron928cbd32022-10-04 16:14:26 +0200[diff] [blame]2629#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]2630/*
2631 * Handler for MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY
2632 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2633MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2634static int ssl_tls13_write_client_certificate_verify(mbedtls_ssl_context *ssl)
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]2635{
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2636 int ret = mbedtls_ssl_tls13_write_certificate_verify(ssl);
Ronald Crona8b38872022-03-09 07:59:25 +0100[diff] [blame]2637
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2638 if (ret == 0) {
2639 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_FINISHED);
2640 }
Ronald Crona8b38872022-03-09 07:59:25 +0100[diff] [blame]2641
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2642 return ret;
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]2643}
Ronald Cron928cbd32022-10-04 16:14:26 +0200[diff] [blame]2644#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]2645
2646/*
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2647 * Handler for MBEDTLS_SSL_CLIENT_FINISHED
2648 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2649MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2650static int ssl_tls13_write_client_finished(mbedtls_ssl_context *ssl)
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2651{
XiaokangQian0fa66432021-11-15 03:33:57 +0000[diff] [blame]2652 int ret;
2653
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2654 ret = mbedtls_ssl_tls13_write_finished_message(ssl);
2655 if (ret != 0) {
2656 return ret;
Jerry Yue3d67cb2022-05-19 15:33:10 +0800[diff] [blame]2657 }
2658
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2659 ret = mbedtls_ssl_tls13_compute_resumption_master_secret(ssl);
2660 if (ret != 0) {
Xiaokang Qian958b6ff2023-03-29 10:37:35 +0000[diff] [blame]2661 MBEDTLS_SSL_DEBUG_RET(
2662 1, "mbedtls_ssl_tls13_compute_resumption_master_secret ", ret);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2663 return ret;
2664 }
2665
2666 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_FLUSH_BUFFERS);
2667 return 0;
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2668}
2669
2670/*
2671 * Handler for MBEDTLS_SSL_FLUSH_BUFFERS
2672 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2673MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2674static int ssl_tls13_flush_buffers(mbedtls_ssl_context *ssl)
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2675{
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2676 MBEDTLS_SSL_DEBUG_MSG(2, ("handshake: done"));
2677 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_WRAPUP);
2678 return 0;
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2679}
2680
2681/*
2682 * Handler for MBEDTLS_SSL_HANDSHAKE_WRAPUP
2683 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2684MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2685static int ssl_tls13_handshake_wrapup(mbedtls_ssl_context *ssl)
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2686{
Jerry Yu378254d2021-10-30 21:44:47 +0800[diff] [blame]2687
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2688 mbedtls_ssl_tls13_handshake_wrapup(ssl);
Jerry Yu378254d2021-10-30 21:44:47 +0800[diff] [blame]2689
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2690 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_OVER);
2691 return 0;
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2692}
2693
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2694#if defined(MBEDTLS_SSL_SESSION_TICKETS)
2695
Yanray Wang920db452023-11-14 17:20:16 +0800[diff] [blame]2696#if defined(MBEDTLS_SSL_EARLY_DATA)
2697/* From RFC 8446 section 4.2.10
2698 *
2699 * struct {
2700 * select (Handshake.msg_type) {
2701 * case new_session_ticket: uint32 max_early_data_size;
2702 * ...
2703 * };
2704 * } EarlyDataIndication;
2705 */
2706MBEDTLS_CHECK_RETURN_CRITICAL
Yanray Wangb3e207d2023-11-30 16:49:49 +0800[diff] [blame]2707static int ssl_tls13_parse_new_session_ticket_early_data_ext(
2708 mbedtls_ssl_context *ssl,
2709 const unsigned char *buf,
2710 const unsigned char *end)
Yanray Wang920db452023-11-14 17:20:16 +0800[diff] [blame]2711{
Yanray Wangd0120842023-11-23 16:35:54 +0800[diff] [blame]2712 mbedtls_ssl_session *session = ssl->session;
2713
Yanray Wang920db452023-11-14 17:20:16 +0800[diff] [blame]2714 MBEDTLS_SSL_CHK_BUF_READ_PTR(buf, end, 4);
Yanray Wang920db452023-11-14 17:20:16 +0800[diff] [blame]2715
Yanray Wangd0120842023-11-23 16:35:54 +0800[diff] [blame]2716 session->max_early_data_size = MBEDTLS_GET_UINT32_BE(buf, 0);
Pengyu Lv94a42cc2023-12-06 10:04:17 +0800[diff] [blame]2717 mbedtls_ssl_tls13_session_set_ticket_flags(
Yanray Wangd0120842023-11-23 16:35:54 +0800[diff] [blame]2718 session, MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_EARLY_DATA);
2719 MBEDTLS_SSL_DEBUG_MSG(
2720 3, ("received max_early_data_size: %u",
2721 (unsigned int) session->max_early_data_size));
Yanray Wang920db452023-11-14 17:20:16 +0800[diff] [blame]2722
Yanray Wangd0120842023-11-23 16:35:54 +0800[diff] [blame]2723 return 0;
Yanray Wang920db452023-11-14 17:20:16 +0800[diff] [blame]2724}
2725#endif /* MBEDTLS_SSL_EARLY_DATA */
2726
Jerry Yua0446a02022-07-13 11:22:55 +0800[diff] [blame]2727MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2728static int ssl_tls13_parse_new_session_ticket_exts(mbedtls_ssl_context *ssl,
2729 const unsigned char *buf,
2730 const unsigned char *end)
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2731{
Jerry Yuc4bf5d62022-10-29 09:08:47 +0800[diff] [blame]2732 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
Jerry Yuaf2c0c82022-07-12 05:47:21 +0000[diff] [blame]2733 const unsigned char *p = buf;
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2734
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2735
Jerry Yuedab6372022-10-31 14:37:31 +0800[diff] [blame]2736 handshake->received_extensions = MBEDTLS_SSL_EXT_MASK_NONE;
Jerry Yu6ba9f1c2022-08-04 17:53:25 +0800[diff] [blame]2737
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2738 while (p < end) {
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2739 unsigned int extension_type;
2740 size_t extension_data_len;
Jerry Yu0c354a22022-08-29 15:25:36 +0800[diff] [blame]2741 int ret;
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2742
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2743 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 4);
2744 extension_type = MBEDTLS_GET_UINT16_BE(p, 0);
2745 extension_data_len = MBEDTLS_GET_UINT16_BE(p, 2);
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2746 p += 4;
2747
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2748 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, extension_data_len);
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2749
Jerry Yuc4bf5d62022-10-29 09:08:47 +0800[diff] [blame]2750 ret = mbedtls_ssl_tls13_check_received_extension(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2751 ssl, MBEDTLS_SSL_HS_NEW_SESSION_TICKET, extension_type,
2752 MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_NST);
2753 if (ret != 0) {
2754 return ret;
2755 }
Jerry Yu6ba9f1c2022-08-04 17:53:25 +0800[diff] [blame]2756
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2757 switch (extension_type) {
Xiaokang Qian0cc43202022-11-16 08:43:50 +0000[diff] [blame]2758#if defined(MBEDTLS_SSL_EARLY_DATA)
Xiaokang Qianf447e8a2022-11-08 07:02:27 +0000[diff] [blame]2759 case MBEDTLS_TLS_EXT_EARLY_DATA:
Yanray Wangb3e207d2023-11-30 16:49:49 +0800[diff] [blame]2760 ret = ssl_tls13_parse_new_session_ticket_early_data_ext(
Yanray Wang920db452023-11-14 17:20:16 +0800[diff] [blame]2761 ssl, p, p + extension_data_len);
2762 if (ret != 0) {
2763 MBEDTLS_SSL_DEBUG_RET(
Yanray Wangb3e207d2023-11-30 16:49:49 +0800[diff] [blame]2764 1, "ssl_tls13_parse_new_session_ticket_early_data_ext",
2765 ret);
Xiaokang Qian2d87a9e2022-11-09 07:55:48 +0000[diff] [blame]2766 }
Xiaokang Qianf447e8a2022-11-08 07:02:27 +0000[diff] [blame]2767 break;
Xiaokang Qian0cc43202022-11-16 08:43:50 +0000[diff] [blame]2768#endif /* MBEDTLS_SSL_EARLY_DATA */
Xiaokang Qianf447e8a2022-11-08 07:02:27 +0000[diff] [blame]2769
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2770 default:
Jerry Yu79aa7212022-11-08 21:30:21 +0800[diff] [blame]2771 MBEDTLS_SSL_PRINT_EXT(
Jerry Yuedab6372022-10-31 14:37:31 +0800[diff] [blame]2772 3, MBEDTLS_SSL_HS_NEW_SESSION_TICKET,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2773 extension_type, "( ignored )");
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2774 break;
2775 }
Jerry Yu6ba9f1c2022-08-04 17:53:25 +0800[diff] [blame]2776
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2777 p += extension_data_len;
2778 }
2779
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2780 MBEDTLS_SSL_PRINT_EXTS(3, MBEDTLS_SSL_HS_NEW_SESSION_TICKET,
2781 handshake->received_extensions);
Jerry Yu6ba9f1c2022-08-04 17:53:25 +0800[diff] [blame]2782
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2783 return 0;
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2784}
2785
2786/*
Jerry Yu08aed4d2022-07-20 10:36:12 +0800[diff] [blame]2787 * From RFC8446, page 74
2788 *
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2789 * struct {
2790 * uint32 ticket_lifetime;
2791 * uint32 ticket_age_add;
2792 * opaque ticket_nonce<0..255>;
2793 * opaque ticket<1..2^16-1>;
2794 * Extension extensions<0..2^16-2>;
2795 * } NewSessionTicket;
2796 *
2797 */
Jerry Yua0446a02022-07-13 11:22:55 +0800[diff] [blame]2798MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2799static int ssl_tls13_parse_new_session_ticket(mbedtls_ssl_context *ssl,
2800 unsigned char *buf,
2801 unsigned char *end,
2802 unsigned char **ticket_nonce,
2803 size_t *ticket_nonce_len)
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2804{
2805 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2806 unsigned char *p = buf;
2807 mbedtls_ssl_session *session = ssl->session;
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2808 size_t ticket_len;
2809 unsigned char *ticket;
2810 size_t extensions_len;
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2811
Jerry Yucb3b1392022-07-12 06:09:38 +0000[diff] [blame]2812 *ticket_nonce = NULL;
2813 *ticket_nonce_len = 0;
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2814 /*
2815 * ticket_lifetime 4 bytes
2816 * ticket_age_add 4 bytes
Jerry Yu08aed4d2022-07-20 10:36:12 +0800[diff] [blame]2817 * ticket_nonce_len 1 byte
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2818 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2819 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 9);
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2820
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2821 session->ticket_lifetime = MBEDTLS_GET_UINT32_BE(p, 0);
2822 MBEDTLS_SSL_DEBUG_MSG(3,
2823 ("ticket_lifetime: %u",
2824 (unsigned int) session->ticket_lifetime));
Jerry Yu8e0174a2023-11-10 13:58:16 +0800[diff] [blame]2825 if (session->ticket_lifetime >
2826 MBEDTLS_SSL_TLS1_3_MAX_ALLOWED_TICKET_LIFETIME) {
Jerry Yu46c79262023-11-10 13:58:16 +0800[diff] [blame]2827 MBEDTLS_SSL_DEBUG_MSG(3, ("ticket_lifetime exceeds 7 days."));
Jerry Yucf913512023-11-14 11:06:52 +0800[diff] [blame]2828 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Jerry Yu46c79262023-11-10 13:58:16 +0800[diff] [blame]2829 }
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2830
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2831 session->ticket_age_add = MBEDTLS_GET_UINT32_BE(p, 4);
2832 MBEDTLS_SSL_DEBUG_MSG(3,
2833 ("ticket_age_add: %u",
2834 (unsigned int) session->ticket_age_add));
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2835
Jerry Yucb3b1392022-07-12 06:09:38 +0000[diff] [blame]2836 *ticket_nonce_len = p[8];
2837 p += 9;
2838
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2839 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, *ticket_nonce_len);
Jerry Yucb3b1392022-07-12 06:09:38 +0000[diff] [blame]2840 *ticket_nonce = p;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2841 MBEDTLS_SSL_DEBUG_BUF(3, "ticket_nonce:", *ticket_nonce, *ticket_nonce_len);
Jerry Yucb3b1392022-07-12 06:09:38 +0000[diff] [blame]2842 p += *ticket_nonce_len;
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2843
2844 /* Ticket */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2845 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
2846 ticket_len = MBEDTLS_GET_UINT16_BE(p, 0);
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2847 p += 2;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2848 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, ticket_len);
2849 MBEDTLS_SSL_DEBUG_BUF(3, "received ticket", p, ticket_len);
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2850
2851 /* Check if we previously received a ticket already. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2852 if (session->ticket != NULL || session->ticket_len > 0) {
2853 mbedtls_free(session->ticket);
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2854 session->ticket = NULL;
2855 session->ticket_len = 0;
2856 }
2857
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2858 if ((ticket = mbedtls_calloc(1, ticket_len)) == NULL) {
2859 MBEDTLS_SSL_DEBUG_MSG(1, ("ticket alloc failed"));
2860 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2861 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2862 memcpy(ticket, p, ticket_len);
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2863 p += ticket_len;
2864 session->ticket = ticket;
2865 session->ticket_len = ticket_len;
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2866
Pengyu Lv9f926952022-11-17 15:22:33 +0800[diff] [blame]2867 /* Clear all flags in ticket_flags */
Pengyu Lv94a42cc2023-12-06 10:04:17 +0800[diff] [blame]2868 mbedtls_ssl_tls13_session_clear_ticket_flags(
Pengyu Lv9eacb442022-12-09 14:39:19 +0800[diff] [blame]2869 session, MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK);
Pengyu Lv9f926952022-11-17 15:22:33 +0800[diff] [blame]2870
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2871 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
2872 extensions_len = MBEDTLS_GET_UINT16_BE(p, 0);
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2873 p += 2;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2874 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, extensions_len);
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2875
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2876 MBEDTLS_SSL_DEBUG_BUF(3, "ticket extension", p, extensions_len);
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2877
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2878 ret = ssl_tls13_parse_new_session_ticket_exts(ssl, p, p + extensions_len);
2879 if (ret != 0) {
2880 MBEDTLS_SSL_DEBUG_RET(1,
2881 "ssl_tls13_parse_new_session_ticket_exts",
2882 ret);
2883 return ret;
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2884 }
Jerry Yucb3b1392022-07-12 06:09:38 +0000[diff] [blame]2885
Jerry Yudb8c5fa2022-08-03 12:10:13 +0800[diff] [blame]2886 /* session has been updated, allow export */
2887 session->exported = 0;
2888
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2889 return 0;
Jerry Yucb3b1392022-07-12 06:09:38 +0000[diff] [blame]2890}
2891
Jerry Yua0446a02022-07-13 11:22:55 +0800[diff] [blame]2892MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2893static int ssl_tls13_postprocess_new_session_ticket(mbedtls_ssl_context *ssl,
2894 unsigned char *ticket_nonce,
2895 size_t ticket_nonce_len)
Jerry Yucb3b1392022-07-12 06:09:38 +0000[diff] [blame]2896{
2897 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2898 mbedtls_ssl_session *session = ssl->session;
2899 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
2900 psa_algorithm_t psa_hash_alg;
2901 int hash_length;
2902
Jerry Yu4e6c42a2022-07-13 11:16:51 +0800[diff] [blame]2903#if defined(MBEDTLS_HAVE_TIME)
2904 /* Store ticket creation time */
Jerry Yu342a5552023-11-10 14:23:39 +0800[diff] [blame]2905 session->ticket_reception_time = mbedtls_ms_time();
Jerry Yu4e6c42a2022-07-13 11:16:51 +0800[diff] [blame]2906#endif
2907
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2908 ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(session->ciphersuite);
2909 if (ciphersuite_info == NULL) {
2910 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
2911 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2912 }
2913
Dave Rodgman2eab4622023-10-05 13:30:37 +0100[diff] [blame]2914 psa_hash_alg = mbedtls_md_psa_alg_from_type((mbedtls_md_type_t) ciphersuite_info->mac);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2915 hash_length = PSA_HASH_LENGTH(psa_hash_alg);
2916 if (hash_length == -1 ||
2917 (size_t) hash_length > sizeof(session->resumption_key)) {
2918 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Jerry Yu3afdf362022-07-20 17:34:14 +0800[diff] [blame]2919 }
2920
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2921
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2922 MBEDTLS_SSL_DEBUG_BUF(3, "resumption_master_secret",
2923 session->app_secrets.resumption_master_secret,
2924 hash_length);
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2925
Jerry Yu4e6c42a2022-07-13 11:16:51 +0800[diff] [blame]2926 /* Compute resumption key
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2927 *
2928 * HKDF-Expand-Label( resumption_master_secret,
2929 * "resumption", ticket_nonce, Hash.length )
2930 */
2931 ret = mbedtls_ssl_tls13_hkdf_expand_label(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2932 psa_hash_alg,
2933 session->app_secrets.resumption_master_secret,
2934 hash_length,
2935 MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(resumption),
2936 ticket_nonce,
2937 ticket_nonce_len,
2938 session->resumption_key,
2939 hash_length);
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2940
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2941 if (ret != 0) {
2942 MBEDTLS_SSL_DEBUG_RET(2,
2943 "Creating the ticket-resumed PSK failed",
2944 ret);
2945 return ret;
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2946 }
2947
Jerry Yu0a430c82022-07-20 11:02:48 +0800[diff] [blame]2948 session->resumption_key_len = hash_length;
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2949
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2950 MBEDTLS_SSL_DEBUG_BUF(3, "Ticket-resumed PSK",
2951 session->resumption_key,
2952 session->resumption_key_len);
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2953
Pengyu Lv9f926952022-11-17 15:22:33 +0800[diff] [blame]2954 /* Set ticket_flags depends on the selected key exchange modes */
Pengyu Lv94a42cc2023-12-06 10:04:17 +0800[diff] [blame]2955 mbedtls_ssl_tls13_session_set_ticket_flags(
Pengyu Lv9eacb442022-12-09 14:39:19 +0800[diff] [blame]2956 session, ssl->conf->tls13_kex_modes);
Pengyu Lv4938a562023-01-16 11:28:49 +0800[diff] [blame]2957 MBEDTLS_SSL_PRINT_TICKET_FLAGS(4, session->ticket_flags);
Pengyu Lv9f926952022-11-17 15:22:33 +0800[diff] [blame]2958
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2959 return 0;
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2960}
2961
2962/*
Jerry Yua8d3c502022-10-30 14:51:23 +0800[diff] [blame]2963 * Handler for MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2964 */
Jerry Yua0446a02022-07-13 11:22:55 +0800[diff] [blame]2965MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2966static int ssl_tls13_process_new_session_ticket(mbedtls_ssl_context *ssl)
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2967{
2968 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2969 unsigned char *buf;
2970 size_t buf_len;
Jerry Yucb3b1392022-07-12 06:09:38 +0000[diff] [blame]2971 unsigned char *ticket_nonce;
2972 size_t ticket_nonce_len;
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2973
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2974 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse new session ticket"));
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2975
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2976 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_tls13_fetch_handshake_msg(
2977 ssl, MBEDTLS_SSL_HS_NEW_SESSION_TICKET,
2978 &buf, &buf_len));
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2979
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2980 MBEDTLS_SSL_PROC_CHK(ssl_tls13_parse_new_session_ticket(
2981 ssl, buf, buf + buf_len,
2982 &ticket_nonce, &ticket_nonce_len));
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2983
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2984 MBEDTLS_SSL_PROC_CHK(ssl_tls13_postprocess_new_session_ticket(
2985 ssl, ticket_nonce, ticket_nonce_len));
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2986
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2987 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_OVER);
Jerry Yu4e6c42a2022-07-13 11:16:51 +0800[diff] [blame]2988
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2989cleanup:
2990
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2991 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse new session ticket"));
2992 return ret;
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2993}
2994#endif /* MBEDTLS_SSL_SESSION_TICKETS */
2995
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2996int mbedtls_ssl_tls13_handshake_client_step(mbedtls_ssl_context *ssl)
Jerry Yubc20bdd2021-08-24 15:59:48 +0800[diff] [blame]2997{
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]2998 int ret = 0;
Jerry Yuc8a392c2021-08-18 16:46:28 +0800[diff] [blame]2999
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3000 switch (ssl->state) {
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]3001 case MBEDTLS_SSL_HELLO_REQUEST:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3002 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_HELLO);
Jerry Yuddda0502022-12-01 19:43:12 +0800[diff] [blame]3003 break;
3004
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]3005 case MBEDTLS_SSL_CLIENT_HELLO:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3006 ret = mbedtls_ssl_write_client_hello(ssl);
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]3007 break;
3008
3009 case MBEDTLS_SSL_SERVER_HELLO:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3010 ret = ssl_tls13_process_server_hello(ssl);
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]3011 break;
3012
3013 case MBEDTLS_SSL_ENCRYPTED_EXTENSIONS:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3014 ret = ssl_tls13_process_encrypted_extensions(ssl);
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]3015 break;
3016
Ronald Cron928cbd32022-10-04 16:14:26 +0200[diff] [blame]3017#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
Jerry Yud2674312021-10-29 10:08:19 +0800[diff] [blame]3018 case MBEDTLS_SSL_CERTIFICATE_REQUEST:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3019 ret = ssl_tls13_process_certificate_request(ssl);
Jerry Yud2674312021-10-29 10:08:19 +0800[diff] [blame]3020 break;
3021
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]3022 case MBEDTLS_SSL_SERVER_CERTIFICATE:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3023 ret = ssl_tls13_process_server_certificate(ssl);
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]3024 break;
3025
3026 case MBEDTLS_SSL_CERTIFICATE_VERIFY:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3027 ret = ssl_tls13_process_certificate_verify(ssl);
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]3028 break;
Ronald Cron928cbd32022-10-04 16:14:26 +0200[diff] [blame]3029#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]3030
3031 case MBEDTLS_SSL_SERVER_FINISHED:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3032 ret = ssl_tls13_process_server_finished(ssl);
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]3033 break;
3034
Xiaokang Qian125afcb2022-10-28 06:04:06 +0000[diff] [blame]3035 case MBEDTLS_SSL_END_OF_EARLY_DATA:
3036 ret = ssl_tls13_write_end_of_early_data(ssl);
3037 break;
3038
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]3039 case MBEDTLS_SSL_CLIENT_CERTIFICATE:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3040 ret = ssl_tls13_write_client_certificate(ssl);
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]3041 break;
3042
Ronald Cron928cbd32022-10-04 16:14:26 +0200[diff] [blame]3043#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]3044 case MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3045 ret = ssl_tls13_write_client_certificate_verify(ssl);
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]3046 break;
Ronald Cron928cbd32022-10-04 16:14:26 +0200[diff] [blame]3047#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]3048
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]3049 case MBEDTLS_SSL_CLIENT_FINISHED:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3050 ret = ssl_tls13_write_client_finished(ssl);
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]3051 break;
3052
3053 case MBEDTLS_SSL_FLUSH_BUFFERS:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3054 ret = ssl_tls13_flush_buffers(ssl);
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]3055 break;
3056
3057 case MBEDTLS_SSL_HANDSHAKE_WRAPUP:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3058 ret = ssl_tls13_handshake_wrapup(ssl);
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]3059 break;
3060
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3061 /*
3062 * Injection of dummy-CCS's for middlebox compatibility
3063 */
Ronald Cron49ad6192021-11-24 16:25:31 +0100[diff] [blame]3064#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
XiaokangQian0b56a8f2021-12-22 02:39:32 +0000[diff] [blame]3065 case MBEDTLS_SSL_CLIENT_CCS_BEFORE_2ND_CLIENT_HELLO:
Ronald Crone273f722024-02-13 18:22:26 +0100[diff] [blame^]3066 ret = mbedtls_ssl_tls13_write_change_cipher_spec(ssl);
3067 if (ret != 0) {
3068 break;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3069 }
Ronald Cronfe59ff72024-01-24 14:31:50 +0100[diff] [blame]3070 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_HELLO);
Ronald Cron9f55f632022-02-02 16:02:47 +0100[diff] [blame]3071 break;
3072
3073 case MBEDTLS_SSL_CLIENT_CCS_AFTER_SERVER_FINISHED:
Ronald Crone273f722024-02-13 18:22:26 +0100[diff] [blame^]3074 ret = mbedtls_ssl_tls13_write_change_cipher_spec(ssl);
3075 if (ret != 0) {
3076 break;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3077 }
Ronald Cronfe59ff72024-01-24 14:31:50 +0100[diff] [blame]3078 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE);
Ronald Cron49ad6192021-11-24 16:25:31 +0100[diff] [blame]3079 break;
Xiaokang Qianf6d8fd32023-02-02 02:46:26 +0000[diff] [blame]3080
Ronald Cron297c6082024-01-19 08:15:33 +0100[diff] [blame]3081#if defined(MBEDTLS_SSL_EARLY_DATA)
Xiaokang Qian592021a2023-01-04 10:47:05 +0000[diff] [blame]3082 case MBEDTLS_SSL_CLIENT_CCS_AFTER_CLIENT_HELLO:
3083 ret = mbedtls_ssl_tls13_write_change_cipher_spec(ssl);
3084 if (ret == 0) {
3085 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_HELLO);
3086
3087 MBEDTLS_SSL_DEBUG_MSG(
3088 1, ("Switch to early data keys for outbound traffic"));
3089 mbedtls_ssl_set_outbound_transform(
3090 ssl, ssl->handshake->transform_earlydata);
Ronald Cron90e22332024-01-22 15:24:21 +0100[diff] [blame]3091 ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_CAN_WRITE;
Xiaokang Qian592021a2023-01-04 10:47:05 +0000[diff] [blame]3092 }
3093 break;
Ronald Cron297c6082024-01-19 08:15:33 +0100[diff] [blame]3094#endif /* MBEDTLS_SSL_EARLY_DATA */
Ronald Cron49ad6192021-11-24 16:25:31 +0100[diff] [blame]3095#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
3096
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]3097#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Jerry Yua8d3c502022-10-30 14:51:23 +0800[diff] [blame]3098 case MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3099 ret = ssl_tls13_process_new_session_ticket(ssl);
3100 if (ret != 0) {
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]3101 break;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3102 }
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]3103 ret = MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET;
3104 break;
3105#endif /* MBEDTLS_SSL_SESSION_TICKETS */
3106
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]3107 default:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3108 MBEDTLS_SSL_DEBUG_MSG(1, ("invalid state %d", ssl->state));
3109 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]3110 }
3111
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3112 return ret;
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]3113}
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800[diff] [blame]3114
Jerry Yufb4b6472022-01-27 15:03:26 +0800[diff] [blame]3115#endif /* MBEDTLS_SSL_CLI_C && MBEDTLS_SSL_PROTO_TLS1_3 */