TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / b4f5076270c4636934aa1114d08ba19eca9b673d / . / library / ssl_tls13_client.c
blob: 86dd0ec597e4f1a539f9bdca29b895dcb90c4863 [file] [log] [blame]
Jerry Yu3cc4c2a2021-08-06 16:29:08 +0800[diff] [blame]1/*
2 * TLS 1.3 client-side functions
3 *
4 * Copyright The Mbed TLS Contributors
Dave Rodgman16799db2023-11-02 19:47:20 +0000[diff] [blame]5 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
Jerry Yu3cc4c2a2021-08-06 16:29:08 +0800[diff] [blame]6 */
7
8#include "common.h"
9
Jerry Yucc43c6b2022-01-28 10:24:45 +0800[diff] [blame]10#if defined(MBEDTLS_SSL_CLI_C) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
Jerry Yu3cc4c2a2021-08-06 16:29:08 +0800[diff] [blame]11
Jerry Yubc20bdd2021-08-24 15:59:48 +0800[diff] [blame]12#include <string.h>
13
Valerio Settib4f50762024-01-17 10:24:52 +0100[diff] [blame^]14#include "debug_internal.h"
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]15#include "mbedtls/error.h"
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]16#include "mbedtls/platform.h"
Jerry Yua13c7e72021-08-17 10:44:40 +0800[diff] [blame]17
Jerry Yubdc71882021-09-14 19:30:36 +0800[diff] [blame]18#include "ssl_misc.h"
Ronald Cron3d580bf2022-02-18 17:24:56 +0100[diff] [blame]19#include "ssl_client.h"
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]20#include "ssl_tls13_keys.h"
Jerry Yucbd082f2022-08-04 16:55:10 +0800[diff] [blame]21#include "ssl_debug_helpers.h"
Manuel Pégourié-Gonnard02b10d82023-03-28 12:33:20 +0200[diff] [blame]22#include "md_psa.h"
Jerry Yubdc71882021-09-14 19:30:36 +0800[diff] [blame]23
Valerio Settic9ae8622023-07-25 11:23:50 +0200[diff] [blame]24#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)
Andrzej Kurek00644842023-05-30 05:45:00 -0400[diff] [blame]25/* Define a local translating function to save code size by not using too many
26 * arguments in each translating place. */
27static int local_err_translation(psa_status_t status)
28{
29 return psa_status_to_mbedtls(status, psa_to_ssl_errors,
Andrzej Kurek1e4a0302023-05-30 09:45:17 -0400[diff] [blame]30 ARRAY_LENGTH(psa_to_ssl_errors),
Andrzej Kurek00644842023-05-30 05:45:00 -0400[diff] [blame]31 psa_generic_status_to_mbedtls);
32}
33#define PSA_TO_MBEDTLS_ERR(status) local_err_translation(status)
Andrzej Kureka6033ac2023-05-30 15:16:34 -0400[diff] [blame]34#endif
35
Jerry Yubc20bdd2021-08-24 15:59:48 +0800[diff] [blame]36/* Write extensions */
37
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]38/*
39 * ssl_tls13_write_supported_versions_ext():
40 *
41 * struct {
42 * ProtocolVersion versions<2..254>;
43 * } SupportedVersions;
44 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]45MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]46static int ssl_tls13_write_supported_versions_ext(mbedtls_ssl_context *ssl,
47 unsigned char *buf,
48 unsigned char *end,
49 size_t *out_len)
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]50{
51 unsigned char *p = buf;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]52 unsigned char versions_len = (ssl->handshake->min_tls_version <=
53 MBEDTLS_SSL_VERSION_TLS1_2) ? 4 : 2;
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]54
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]55 *out_len = 0;
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]56
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]57 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, adding supported versions extension"));
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]58
Jerry Yu388bd0d2021-09-15 18:41:02 +0800[diff] [blame]59 /* Check if we have space to write the extension:
Jerry Yub60e3cf2021-09-08 16:41:02 +0800[diff] [blame]60 * - extension_type (2 bytes)
61 * - extension_data_length (2 bytes)
62 * - versions_length (1 byte )
Ronald Crona77fc272022-03-30 17:20:47 +0200[diff] [blame]63 * - versions (2 or 4 bytes)
Jerry Yu159c5a02021-08-31 12:51:25 +0800[diff] [blame]64 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]65 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 5 + versions_len);
Ronald Crondbe87f02022-02-10 14:35:27 +0100[diff] [blame]66
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]67 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS, p, 0);
68 MBEDTLS_PUT_UINT16_BE(versions_len + 1, p, 2);
Jerry Yueecfbf02021-08-30 18:32:07 +0800[diff] [blame]69 p += 4;
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]70
Jerry Yu1bc2c1f2021-09-01 12:57:29 +0800[diff] [blame]71 /* Length of versions */
Ronald Crondbe87f02022-02-10 14:35:27 +0100[diff] [blame]72 *p++ = versions_len;
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]73
Jerry Yu0c63af62021-09-02 12:59:12 +0800[diff] [blame]74 /* Write values of supported versions.
Jerry Yu0c63af62021-09-02 12:59:12 +0800[diff] [blame]75 * They are defined by the configuration.
Ronald Crondbe87f02022-02-10 14:35:27 +0100[diff] [blame]76 * Currently, we advertise only TLS 1.3 or both TLS 1.3 and TLS 1.2.
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]77 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]78 mbedtls_ssl_write_version(p, MBEDTLS_SSL_TRANSPORT_STREAM,
79 MBEDTLS_SSL_VERSION_TLS1_3);
80 MBEDTLS_SSL_DEBUG_MSG(3, ("supported version: [3:4]"));
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]81
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]82
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]83 if (ssl->handshake->min_tls_version <= MBEDTLS_SSL_VERSION_TLS1_2) {
84 mbedtls_ssl_write_version(p + 2, MBEDTLS_SSL_TRANSPORT_STREAM,
85 MBEDTLS_SSL_VERSION_TLS1_2);
86 MBEDTLS_SSL_DEBUG_MSG(3, ("supported version: [3:3]"));
Ronald Crondbe87f02022-02-10 14:35:27 +0100[diff] [blame]87 }
88
89 *out_len = 5 + versions_len;
Jerry Yu4b8f2f72022-10-31 13:31:22 +0800[diff] [blame]90
Jerry Yuc4bf5d62022-10-29 09:08:47 +0800[diff] [blame]91 mbedtls_ssl_tls13_set_hs_sent_ext_mask(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]92 ssl, MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS);
Jerry Yu4b8f2f72022-10-31 13:31:22 +0800[diff] [blame]93
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]94 return 0;
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]95}
Jerry Yubc20bdd2021-08-24 15:59:48 +0800[diff] [blame]96
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]97MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]98static int ssl_tls13_parse_supported_versions_ext(mbedtls_ssl_context *ssl,
99 const unsigned char *buf,
100 const unsigned char *end)
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]101{
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]102 ((void) ssl);
103
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]104 MBEDTLS_SSL_CHK_BUF_READ_PTR(buf, end, 2);
105 if (mbedtls_ssl_read_version(buf, ssl->conf->transport) !=
106 MBEDTLS_SSL_VERSION_TLS1_3) {
107 MBEDTLS_SSL_DEBUG_MSG(1, ("unexpected version"));
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]108
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]109 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
110 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
111 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]112 }
113
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]114 if (&buf[2] != end) {
Xiaokang Qian91bb3f02023-04-03 09:07:03 +0000[diff] [blame]115 MBEDTLS_SSL_DEBUG_MSG(
116 1, ("supported_versions ext data length incorrect"));
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]117 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
118 MBEDTLS_ERR_SSL_DECODE_ERROR);
119 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Ronald Cron98473382022-03-30 20:04:10 +0200[diff] [blame]120 }
121
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]122 return 0;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]123}
124
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]125#if defined(MBEDTLS_SSL_ALPN)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]126MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]127static int ssl_tls13_parse_alpn_ext(mbedtls_ssl_context *ssl,
128 const unsigned char *buf, size_t len)
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]129{
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]130 const unsigned char *p = buf;
131 const unsigned char *end = buf + len;
Ronald Cron81a334f2022-05-31 16:04:11 +0200[diff] [blame]132 size_t protocol_name_list_len, protocol_name_len;
133 const unsigned char *protocol_name_list_end;
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]134
135 /* If we didn't send it, the server shouldn't send it */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]136 if (ssl->conf->alpn_list == NULL) {
137 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
138 }
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]139
140 /*
141 * opaque ProtocolName<1..2^8-1>;
142 *
143 * struct {
144 * ProtocolName protocol_name_list<2..2^16-1>
145 * } ProtocolNameList;
146 *
147 * the "ProtocolNameList" MUST contain exactly one "ProtocolName"
148 */
149
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]150 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
151 protocol_name_list_len = MBEDTLS_GET_UINT16_BE(p, 0);
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]152 p += 2;
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]153
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]154 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, protocol_name_list_len);
Ronald Cron81a334f2022-05-31 16:04:11 +0200[diff] [blame]155 protocol_name_list_end = p + protocol_name_list_len;
156
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]157 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, protocol_name_list_end, 1);
Ronald Cron81a334f2022-05-31 16:04:11 +0200[diff] [blame]158 protocol_name_len = *p++;
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]159
160 /* Check that the server chosen protocol was in our list and save it */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]161 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, protocol_name_list_end, protocol_name_len);
162 for (const char **alpn = ssl->conf->alpn_list; *alpn != NULL; alpn++) {
163 if (protocol_name_len == strlen(*alpn) &&
164 memcmp(p, *alpn, protocol_name_len) == 0) {
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]165 ssl->alpn_chosen = *alpn;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]166 return 0;
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]167 }
168 }
169
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]170 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]171}
172#endif /* MBEDTLS_SSL_ALPN */
173
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]174MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]175static int ssl_tls13_reset_key_share(mbedtls_ssl_context *ssl)
XiaokangQian647719a2021-12-07 09:16:29 +0000[diff] [blame]176{
177 uint16_t group_id = ssl->handshake->offered_group_id;
Ronald Cron5b98ac92022-03-15 10:19:18 +0100[diff] [blame]178
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]179 if (group_id == 0) {
180 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
181 }
XiaokangQian647719a2021-12-07 09:16:29 +0000[diff] [blame]182
Valerio Settic9ae8622023-07-25 11:23:50 +0200[diff] [blame]183#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)
Przemek Stekielc89f3ea2023-05-18 15:45:53 +0200[diff] [blame]184 if (mbedtls_ssl_tls13_named_group_is_ecdhe(group_id) ||
Przemek Stekield5f79e72023-06-29 09:08:43 +0200[diff] [blame]185 mbedtls_ssl_tls13_named_group_is_ffdh(group_id)) {
Ronald Cron5b98ac92022-03-15 10:19:18 +0100[diff] [blame]186 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
187 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
188
189 /* Destroy generated private key. */
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]190 status = psa_destroy_key(ssl->handshake->xxdh_psa_privkey);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]191 if (status != PSA_SUCCESS) {
Andrzej Kurek8a045ce2022-12-23 11:00:06 -0500[diff] [blame]192 ret = PSA_TO_MBEDTLS_ERR(status);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]193 MBEDTLS_SSL_DEBUG_RET(1, "psa_destroy_key", ret);
194 return ret;
Ronald Cron5b98ac92022-03-15 10:19:18 +0100[diff] [blame]195 }
196
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]197 ssl->handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]198 return 0;
199 } else
Valerio Settic9ae8622023-07-25 11:23:50 +0200[diff] [blame]200#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]201 if (0 /* other KEMs? */) {
XiaokangQian647719a2021-12-07 09:16:29 +0000[diff] [blame]202 /* Do something */
203 }
204
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]205 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
XiaokangQian647719a2021-12-07 09:16:29 +0000[diff] [blame]206}
207
208/*
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]209 * Functions for writing key_share extension.
210 */
Ronald Cron766c0cd2022-10-18 12:17:11 +0200[diff] [blame]211#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]212MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]213static int ssl_tls13_get_default_group_id(mbedtls_ssl_context *ssl,
214 uint16_t *group_id)
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]215{
216 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
217
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]218
Przemek Stekielc89f3ea2023-05-18 15:45:53 +0200[diff] [blame]219#if defined(PSA_WANT_ALG_ECDH) || defined(PSA_WANT_ALG_FFDH)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]220 const uint16_t *group_list = mbedtls_ssl_get_groups(ssl);
Jerry Yu388bd0d2021-09-15 18:41:02 +0800[diff] [blame]221 /* Pick first available ECDHE group compatible with TLS 1.3 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]222 if (group_list == NULL) {
223 return MBEDTLS_ERR_SSL_BAD_CONFIG;
224 }
Jerry Yu388bd0d2021-09-15 18:41:02 +0800[diff] [blame]225
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]226 for (; *group_list != 0; group_list++) {
Przemek Stekiela05e9c12023-06-15 16:58:51 +0200[diff] [blame]227#if defined(PSA_WANT_ALG_ECDH)
Xiaokang Qian958b6ff2023-03-29 10:37:35 +0000[diff] [blame]228 if ((mbedtls_ssl_get_psa_curve_info_from_tls_id(
229 *group_list, NULL, NULL) == PSA_SUCCESS) &&
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]230 mbedtls_ssl_tls13_named_group_is_ecdhe(*group_list)) {
Brett Warren14efd332021-10-06 09:32:11 +0100[diff] [blame]231 *group_id = *group_list;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]232 return 0;
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]233 }
Przemek Stekiela05e9c12023-06-15 16:58:51 +0200[diff] [blame]234#endif
235#if defined(PSA_WANT_ALG_FFDH)
Przemek Stekield5f79e72023-06-29 09:08:43 +0200[diff] [blame]236 if (mbedtls_ssl_tls13_named_group_is_ffdh(*group_list)) {
Przemek Stekiela05e9c12023-06-15 16:58:51 +0200[diff] [blame]237 *group_id = *group_list;
238 return 0;
239 }
240#endif
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]241 }
242#else
243 ((void) ssl);
Jerry Yub60e3cf2021-09-08 16:41:02 +0800[diff] [blame]244 ((void) group_id);
Przemek Stekielc89f3ea2023-05-18 15:45:53 +0200[diff] [blame]245#endif /* PSA_WANT_ALG_ECDH || PSA_WANT_ALG_FFDH */
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]246
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]247 return ret;
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]248}
249
250/*
251 * ssl_tls13_write_key_share_ext
252 *
Jerry Yu388bd0d2021-09-15 18:41:02 +0800[diff] [blame]253 * Structure of key_share extension in ClientHello:
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]254 *
255 * struct {
256 * NamedGroup group;
257 * opaque key_exchange<1..2^16-1>;
258 * } KeyShareEntry;
259 * struct {
260 * KeyShareEntry client_shares<0..2^16-1>;
261 * } KeyShareClientHello;
262 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]263MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]264static int ssl_tls13_write_key_share_ext(mbedtls_ssl_context *ssl,
265 unsigned char *buf,
266 unsigned char *end,
267 size_t *out_len)
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]268{
269 unsigned char *p = buf;
Xiaofei Baieef15042021-11-18 07:29:56 +0000[diff] [blame]270 unsigned char *client_shares; /* Start of client_shares */
271 size_t client_shares_len; /* Length of client_shares */
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]272 uint16_t group_id;
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]273 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
274
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]275 *out_len = 0;
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]276
Jerry Yub60e3cf2021-09-08 16:41:02 +0800[diff] [blame]277 /* Check if we have space for header and length fields:
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]278 * - extension_type (2 bytes)
279 * - extension_data_length (2 bytes)
280 * - client_shares_length (2 bytes)
281 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]282 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 6);
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]283 p += 6;
284
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]285 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello: adding key share extension"));
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]286
287 /* HRR could already have requested something else. */
288 group_id = ssl->handshake->offered_group_id;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]289 if (!mbedtls_ssl_tls13_named_group_is_ecdhe(group_id) &&
Przemek Stekield5f79e72023-06-29 09:08:43 +0200[diff] [blame]290 !mbedtls_ssl_tls13_named_group_is_ffdh(group_id)) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]291 MBEDTLS_SSL_PROC_CHK(ssl_tls13_get_default_group_id(ssl,
292 &group_id));
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]293 }
294
295 /*
296 * Dispatch to type-specific key generation function.
297 *
298 * So far, we're only supporting ECDHE. With the introduction
299 * of PQC KEMs, we'll want to have multiple branches, one per
300 * type of KEM, and dispatch to the corresponding crypto. And
301 * only one key share entry is allowed.
302 */
Xiaofei Baieef15042021-11-18 07:29:56 +0000[diff] [blame]303 client_shares = p;
Przemek Stekielc89f3ea2023-05-18 15:45:53 +0200[diff] [blame]304#if defined(PSA_WANT_ALG_ECDH) || defined(PSA_WANT_ALG_FFDH)
305 if (mbedtls_ssl_tls13_named_group_is_ecdhe(group_id) ||
Przemek Stekield5f79e72023-06-29 09:08:43 +0200[diff] [blame]306 mbedtls_ssl_tls13_named_group_is_ffdh(group_id)) {
Jerry Yu388bd0d2021-09-15 18:41:02 +0800[diff] [blame]307 /* Pointer to group */
Xiaofei Baieef15042021-11-18 07:29:56 +0000[diff] [blame]308 unsigned char *group = p;
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]309 /* Length of key_exchange */
Przemyslaw Stekiel4f419e52022-02-10 15:56:26 +0100[diff] [blame]310 size_t key_exchange_len = 0;
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]311
312 /* Check there is space for header of KeyShareEntry
313 * - group (2 bytes)
314 * - key_exchange_length (2 bytes)
315 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]316 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 4);
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]317 p += 4;
Przemek Stekiel408569f2023-07-06 11:26:44 +0200[diff] [blame]318 ret = mbedtls_ssl_tls13_generate_and_write_xxdh_key_exchange(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]319 ssl, group_id, p, end, &key_exchange_len);
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]320 p += key_exchange_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]321 if (ret != 0) {
322 return ret;
323 }
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]324
325 /* Write group */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]326 MBEDTLS_PUT_UINT16_BE(group_id, group, 0);
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]327 /* Write key_exchange_length */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]328 MBEDTLS_PUT_UINT16_BE(key_exchange_len, group, 2);
329 } else
Przemek Stekielc89f3ea2023-05-18 15:45:53 +0200[diff] [blame]330#endif /* PSA_WANT_ALG_ECDH || PSA_WANT_ALG_FFDH */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]331 if (0 /* other KEMs? */) {
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]332 /* Do something */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]333 } else {
334 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]335 }
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]336
Jerry Yub60e3cf2021-09-08 16:41:02 +0800[diff] [blame]337 /* Length of client_shares */
Xiaofei Baieef15042021-11-18 07:29:56 +0000[diff] [blame]338 client_shares_len = p - client_shares;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]339 if (client_shares_len == 0) {
340 MBEDTLS_SSL_DEBUG_MSG(1, ("No key share defined."));
341 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Jerry Yu7c522d42021-09-08 17:55:09 +0800[diff] [blame]342 }
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]343 /* Write extension_type */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]344 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_KEY_SHARE, buf, 0);
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]345 /* Write extension_data_length */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]346 MBEDTLS_PUT_UINT16_BE(client_shares_len + 2, buf, 2);
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]347 /* Write client_shares_length */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]348 MBEDTLS_PUT_UINT16_BE(client_shares_len, buf, 4);
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]349
350 /* Update offered_group_id field */
351 ssl->handshake->offered_group_id = group_id;
352
353 /* Output the total length of key_share extension. */
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]354 *out_len = p - buf;
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]355
Xiaokang Qian91bb3f02023-04-03 09:07:03 +0000[diff] [blame]356 MBEDTLS_SSL_DEBUG_BUF(
357 3, "client hello, key_share extension", buf, *out_len);
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]358
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]359 mbedtls_ssl_tls13_set_hs_sent_ext_mask(ssl, MBEDTLS_TLS_EXT_KEY_SHARE);
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]360
361cleanup:
362
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]363 return ret;
Jerry Yu56fc07f2021-09-01 17:48:49 +0800[diff] [blame]364}
Ronald Cron766c0cd2022-10-18 12:17:11 +0200[diff] [blame]365#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED */
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]366
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]367/*
368 * ssl_tls13_parse_hrr_key_share_ext()
369 * Parse key_share extension in Hello Retry Request
370 *
371 * struct {
372 * NamedGroup selected_group;
373 * } KeyShareHelloRetryRequest;
374 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]375MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]376static int ssl_tls13_parse_hrr_key_share_ext(mbedtls_ssl_context *ssl,
377 const unsigned char *buf,
378 const unsigned char *end)
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]379{
Przemek Stekiel75a5a9c2023-06-12 11:21:18 +0200[diff] [blame]380#if defined(PSA_WANT_ALG_ECDH) || defined(PSA_WANT_ALG_FFDH)
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]381 const unsigned char *p = buf;
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]382 int selected_group;
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]383 int found = 0;
384
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]385 const uint16_t *group_list = mbedtls_ssl_get_groups(ssl);
386 if (group_list == NULL) {
387 return MBEDTLS_ERR_SSL_BAD_CONFIG;
388 }
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]389
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]390 MBEDTLS_SSL_DEBUG_BUF(3, "key_share extension", p, end - buf);
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]391
392 /* Read selected_group */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]393 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
394 selected_group = MBEDTLS_GET_UINT16_BE(p, 0);
395 MBEDTLS_SSL_DEBUG_MSG(3, ("selected_group ( %d )", selected_group));
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]396
397 /* Upon receipt of this extension in a HelloRetryRequest, the client
398 * MUST first verify that the selected_group field corresponds to a
399 * group which was provided in the "supported_groups" extension in the
400 * original ClientHello.
401 * The supported_group was based on the info in ssl->conf->group_list.
402 *
403 * If the server provided a key share that was not sent in the ClientHello
404 * then the client MUST abort the handshake with an "illegal_parameter" alert.
405 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]406 for (; *group_list != 0; group_list++) {
Przemek Stekiel75a5a9c2023-06-12 11:21:18 +0200[diff] [blame]407#if defined(PSA_WANT_ALG_ECDH)
Przemek Stekielc89f3ea2023-05-18 15:45:53 +0200[diff] [blame]408 if (mbedtls_ssl_tls13_named_group_is_ecdhe(*group_list)) {
409 if ((mbedtls_ssl_get_psa_curve_info_from_tls_id(
410 *group_list, NULL, NULL) == PSA_ERROR_NOT_SUPPORTED) ||
411 *group_list != selected_group) {
412 found = 1;
413 break;
414 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]415 }
Przemek Stekiel75a5a9c2023-06-12 11:21:18 +0200[diff] [blame]416#endif /* PSA_WANT_ALG_ECDH */
417#if defined(PSA_WANT_ALG_FFDH)
Przemek Stekield5f79e72023-06-29 09:08:43 +0200[diff] [blame]418 if (mbedtls_ssl_tls13_named_group_is_ffdh(*group_list)) {
Przemek Stekielc89f3ea2023-05-18 15:45:53 +0200[diff] [blame]419 found = 1;
420 break;
421 }
Przemek Stekiel75a5a9c2023-06-12 11:21:18 +0200[diff] [blame]422#endif /* PSA_WANT_ALG_FFDH */
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]423 }
424
425 /* Client MUST verify that the selected_group field does not
426 * correspond to a group which was provided in the "key_share"
427 * extension in the original ClientHello. If the server sent an
428 * HRR message with a key share already provided in the
429 * ClientHello then the client MUST abort the handshake with
430 * an "illegal_parameter" alert.
431 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]432 if (found == 0 || selected_group == ssl->handshake->offered_group_id) {
433 MBEDTLS_SSL_DEBUG_MSG(1, ("Invalid key share in HRR"));
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]434 MBEDTLS_SSL_PEND_FATAL_ALERT(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]435 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
436 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
437 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]438 }
439
440 /* Remember server's preference for next ClientHello */
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]441 ssl->handshake->offered_group_id = selected_group;
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]442
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]443 return 0;
Przemek Stekiel75a5a9c2023-06-12 11:21:18 +0200[diff] [blame]444#else /* PSA_WANT_ALG_ECDH || PSA_WANT_ALG_FFDH */
Andrzej Kurekc19fb082022-10-03 10:52:24 -0400[diff] [blame]445 (void) ssl;
446 (void) buf;
447 (void) end;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]448 return MBEDTLS_ERR_SSL_BAD_CONFIG;
Przemek Stekiel75a5a9c2023-06-12 11:21:18 +0200[diff] [blame]449#endif /* PSA_WANT_ALG_ECDH || PSA_WANT_ALG_FFDH */
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]450}
451
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]452/*
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]453 * ssl_tls13_parse_key_share_ext()
454 * Parse key_share extension in Server Hello
455 *
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]456 * struct {
457 * KeyShareEntry server_share;
458 * } KeyShareServerHello;
459 * struct {
460 * NamedGroup group;
461 * opaque key_exchange<1..2^16-1>;
462 * } KeyShareEntry;
463 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]464MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]465static int ssl_tls13_parse_key_share_ext(mbedtls_ssl_context *ssl,
466 const unsigned char *buf,
467 const unsigned char *end)
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]468{
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]469 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]470 const unsigned char *p = buf;
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]471 uint16_t group, offered_group;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]472
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]473 /* ...
474 * NamedGroup group; (2 bytes)
475 * ...
476 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]477 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
478 group = MBEDTLS_GET_UINT16_BE(p, 0);
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]479 p += 2;
480
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]481 /* Check that the chosen group matches the one we offered. */
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]482 offered_group = ssl->handshake->offered_group_id;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]483 if (offered_group != group) {
Xiaokang Qian958b6ff2023-03-29 10:37:35 +0000[diff] [blame]484 MBEDTLS_SSL_DEBUG_MSG(
485 1, ("Invalid server key share, our group %u, their group %u",
486 (unsigned) offered_group, (unsigned) group));
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]487 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
488 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE);
489 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]490 }
491
Valerio Settic9ae8622023-07-25 11:23:50 +0200[diff] [blame]492#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)
Przemek Stekielc89f3ea2023-05-18 15:45:53 +0200[diff] [blame]493 if (mbedtls_ssl_tls13_named_group_is_ecdhe(group) ||
Przemek Stekield5f79e72023-06-29 09:08:43 +0200[diff] [blame]494 mbedtls_ssl_tls13_named_group_is_ffdh(group)) {
Przemek Stekiel75a5a9c2023-06-12 11:21:18 +0200[diff] [blame]495 MBEDTLS_SSL_DEBUG_MSG(2,
496 ("DHE group name: %s", mbedtls_ssl_named_group_to_str(group)));
Przemek Stekiel7ac93be2023-07-04 10:02:38 +0200[diff] [blame]497 ret = mbedtls_ssl_tls13_read_public_xxdhe_share(ssl, p, end - p);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]498 if (ret != 0) {
499 return ret;
500 }
501 } else
Valerio Settic9ae8622023-07-25 11:23:50 +0200[diff] [blame]502#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]503 if (0 /* other KEMs? */) {
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]504 /* Do something */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]505 } else {
506 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]507 }
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]508
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]509 return ret;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]510}
511
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]512/*
513 * ssl_tls13_parse_cookie_ext()
514 * Parse cookie extension in Hello Retry Request
515 *
516 * struct {
517 * opaque cookie<1..2^16-1>;
518 * } Cookie;
519 *
520 * When sending a HelloRetryRequest, the server MAY provide a "cookie"
521 * extension to the client (this is an exception to the usual rule that
522 * the only extensions that may be sent are those that appear in the
523 * ClientHello). When sending the new ClientHello, the client MUST copy
524 * the contents of the extension received in the HelloRetryRequest into
525 * a "cookie" extension in the new ClientHello. Clients MUST NOT use
526 * cookies in their initial ClientHello in subsequent connections.
527 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]528MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]529static int ssl_tls13_parse_cookie_ext(mbedtls_ssl_context *ssl,
530 const unsigned char *buf,
531 const unsigned char *end)
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]532{
XiaokangQian25c9c902022-02-08 10:49:53 +0000[diff] [blame]533 uint16_t cookie_len;
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]534 const unsigned char *p = buf;
535 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
536
537 /* Retrieve length field of cookie */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]538 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
539 cookie_len = MBEDTLS_GET_UINT16_BE(p, 0);
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]540 p += 2;
541
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]542 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, cookie_len);
543 MBEDTLS_SSL_DEBUG_BUF(3, "cookie extension", p, cookie_len);
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]544
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]545 mbedtls_free(handshake->cookie);
Jerry Yuac5ca5a2022-03-04 12:50:46 +0800[diff] [blame]546 handshake->cookie_len = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]547 handshake->cookie = mbedtls_calloc(1, cookie_len);
548 if (handshake->cookie == NULL) {
549 MBEDTLS_SSL_DEBUG_MSG(1,
550 ("alloc failed ( %ud bytes )",
551 cookie_len));
552 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]553 }
554
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]555 memcpy(handshake->cookie, p, cookie_len);
Jerry Yuac5ca5a2022-03-04 12:50:46 +0800[diff] [blame]556 handshake->cookie_len = cookie_len;
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]557
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]558 return 0;
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]559}
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]560
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]561MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]562static int ssl_tls13_write_cookie_ext(mbedtls_ssl_context *ssl,
563 unsigned char *buf,
564 unsigned char *end,
565 size_t *out_len)
XiaokangQian0b64eed2022-01-27 10:36:51 +0000[diff] [blame]566{
567 unsigned char *p = buf;
XiaokangQian9deb90f2022-02-08 10:31:07 +0000[diff] [blame]568 *out_len = 0;
XiaokangQianc02768a2022-02-10 07:31:25 +0000[diff] [blame]569 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
XiaokangQian0b64eed2022-01-27 10:36:51 +0000[diff] [blame]570
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]571 if (handshake->cookie == NULL) {
572 MBEDTLS_SSL_DEBUG_MSG(3, ("no cookie to send; skip extension"));
573 return 0;
XiaokangQian0b64eed2022-01-27 10:36:51 +0000[diff] [blame]574 }
575
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]576 MBEDTLS_SSL_DEBUG_BUF(3, "client hello, cookie",
577 handshake->cookie,
578 handshake->cookie_len);
XiaokangQian0b64eed2022-01-27 10:36:51 +0000[diff] [blame]579
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]580 MBEDTLS_SSL_CHK_BUF_PTR(p, end, handshake->cookie_len + 6);
XiaokangQian0b64eed2022-01-27 10:36:51 +0000[diff] [blame]581
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]582 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, adding cookie extension"));
XiaokangQian0b64eed2022-01-27 10:36:51 +0000[diff] [blame]583
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]584 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_COOKIE, p, 0);
585 MBEDTLS_PUT_UINT16_BE(handshake->cookie_len + 2, p, 2);
586 MBEDTLS_PUT_UINT16_BE(handshake->cookie_len, p, 4);
XiaokangQian233397e2022-02-07 08:32:16 +0000[diff] [blame]587 p += 6;
XiaokangQian0b64eed2022-01-27 10:36:51 +0000[diff] [blame]588
589 /* Cookie */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]590 memcpy(p, handshake->cookie, handshake->cookie_len);
XiaokangQian0b64eed2022-01-27 10:36:51 +0000[diff] [blame]591
Jerry Yuac5ca5a2022-03-04 12:50:46 +0800[diff] [blame]592 *out_len = handshake->cookie_len + 6;
XiaokangQian0b64eed2022-01-27 10:36:51 +0000[diff] [blame]593
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]594 mbedtls_ssl_tls13_set_hs_sent_ext_mask(ssl, MBEDTLS_TLS_EXT_COOKIE);
Jerry Yu4b8f2f72022-10-31 13:31:22 +0800[diff] [blame]595
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]596 return 0;
XiaokangQian0b64eed2022-01-27 10:36:51 +0000[diff] [blame]597}
598
Ronald Cron41a443a2022-10-04 16:38:25 +0200[diff] [blame]599#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]600/*
601 * ssl_tls13_write_psk_key_exchange_modes_ext() structure:
602 *
603 * enum { psk_ke( 0 ), psk_dhe_ke( 1 ), ( 255 ) } PskKeyExchangeMode;
604 *
605 * struct {
606 * PskKeyExchangeMode ke_modes<1..255>;
607 * } PskKeyExchangeModes;
608 */
XiaokangQian86981952022-07-19 09:51:50 +0000[diff] [blame]609MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]610static int ssl_tls13_write_psk_key_exchange_modes_ext(mbedtls_ssl_context *ssl,
611 unsigned char *buf,
612 unsigned char *end,
613 size_t *out_len)
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]614{
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]615 unsigned char *p = buf;
XiaokangQian008d2bf2022-07-14 07:54:01 +0000[diff] [blame]616 int ke_modes_len = 0;
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]617
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]618 ((void) ke_modes_len);
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]619 *out_len = 0;
XiaokangQian008d2bf2022-07-14 07:54:01 +0000[diff] [blame]620
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]621 /* Skip writing extension if no PSK key exchange mode
XiaokangQian7c12d312022-07-20 07:25:43 +0000[diff] [blame]622 * is enabled in the config.
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]623 */
Pengyu Lv0a1ff2b2023-11-14 11:03:32 +0800[diff] [blame]624 if (!mbedtls_ssl_conf_tls13_is_some_psk_enabled(ssl)) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]625 MBEDTLS_SSL_DEBUG_MSG(3, ("skip psk_key_exchange_modes extension"));
626 return 0;
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]627 }
628
629 /* Require 7 bytes of data, otherwise fail,
630 * even if extension might be shorter.
631 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]632 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 7);
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]633 MBEDTLS_SSL_DEBUG_MSG(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]634 3, ("client hello, adding psk_key_exchange_modes extension"));
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]635
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]636 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES, p, 0);
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]637
XiaokangQian008d2bf2022-07-14 07:54:01 +0000[diff] [blame]638 /* Skip extension length (2 bytes) and
639 * ke_modes length (1 byte) for now.
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]640 */
641 p += 5;
642
Pengyu Lv0a1ff2b2023-11-14 11:03:32 +0800[diff] [blame]643 if (mbedtls_ssl_conf_tls13_is_psk_ephemeral_enabled(ssl)) {
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]644 *p++ = MBEDTLS_SSL_TLS1_3_PSK_MODE_ECDHE;
XiaokangQian008d2bf2022-07-14 07:54:01 +0000[diff] [blame]645 ke_modes_len++;
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]646
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]647 MBEDTLS_SSL_DEBUG_MSG(4, ("Adding PSK-ECDHE key exchange mode"));
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]648 }
649
Pengyu Lv0a1ff2b2023-11-14 11:03:32 +0800[diff] [blame]650 if (mbedtls_ssl_conf_tls13_is_psk_enabled(ssl)) {
Ronald Crona709a0f2022-09-27 16:46:11 +0200[diff] [blame]651 *p++ = MBEDTLS_SSL_TLS1_3_PSK_MODE_PURE;
652 ke_modes_len++;
653
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]654 MBEDTLS_SSL_DEBUG_MSG(4, ("Adding pure PSK key exchange mode"));
Ronald Crona709a0f2022-09-27 16:46:11 +0200[diff] [blame]655 }
656
XiaokangQian008d2bf2022-07-14 07:54:01 +0000[diff] [blame]657 /* Now write the extension and ke_modes length */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]658 MBEDTLS_PUT_UINT16_BE(ke_modes_len + 1, buf, 2);
XiaokangQian008d2bf2022-07-14 07:54:01 +0000[diff] [blame]659 buf[4] = ke_modes_len;
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]660
661 *out_len = p - buf;
Jerry Yu0c354a22022-08-29 15:25:36 +0800[diff] [blame]662
Jerry Yuc4bf5d62022-10-29 09:08:47 +0800[diff] [blame]663 mbedtls_ssl_tls13_set_hs_sent_ext_mask(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]664 ssl, MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES);
Jerry Yu4b8f2f72022-10-31 13:31:22 +0800[diff] [blame]665
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]666 return 0;
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]667}
Jerry Yudb8c5fa2022-08-03 12:10:13 +0800[diff] [blame]668
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]669static psa_algorithm_t ssl_tls13_get_ciphersuite_hash_alg(int ciphersuite)
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]670{
Jerry Yu21f90952022-10-08 10:30:53 +0800[diff] [blame]671 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = NULL;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]672 ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(ciphersuite);
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]673
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]674 if (ciphersuite_info != NULL) {
Dave Rodgman2eab4622023-10-05 13:30:37 +0100[diff] [blame]675 return mbedtls_md_psa_alg_from_type((mbedtls_md_type_t) ciphersuite_info->mac);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]676 }
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]677
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]678 return PSA_ALG_NONE;
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]679}
680
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]681#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]682static int ssl_tls13_has_configured_ticket(mbedtls_ssl_context *ssl)
Xiaokang Qianb781a232022-11-01 07:39:46 +0000[diff] [blame]683{
684 mbedtls_ssl_session *session = ssl->session_negotiate;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]685 return ssl->handshake->resume &&
Pengyu Lv93566782022-12-07 12:10:05 +0800[diff] [blame]686 session != NULL && session->ticket != NULL &&
Pengyu Lvfc2cb962023-11-10 10:22:36 +0800[diff] [blame]687 mbedtls_ssl_conf_tls13_is_kex_mode_enabled(
Pengyu Lv94a42cc2023-12-06 10:04:17 +0800[diff] [blame]688 ssl, mbedtls_ssl_tls13_session_get_ticket_flags(
Pengyu Lv9b84ea72023-01-16 14:08:23 +0800[diff] [blame]689 session, MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL));
Xiaokang Qianb781a232022-11-01 07:39:46 +0000[diff] [blame]690}
691
Xiaokang Qian01323a42022-11-03 02:27:35 +0000[diff] [blame]692#if defined(MBEDTLS_SSL_EARLY_DATA)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]693static int ssl_tls13_early_data_has_valid_ticket(mbedtls_ssl_context *ssl)
Xiaokang Qian01323a42022-11-03 02:27:35 +0000[diff] [blame]694{
695 mbedtls_ssl_session *session = ssl->session_negotiate;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]696 return ssl->handshake->resume &&
697 session->tls_version == MBEDTLS_SSL_VERSION_TLS1_3 &&
Pengyu Lv94a42cc2023-12-06 10:04:17 +0800[diff] [blame]698 mbedtls_ssl_tls13_session_ticket_allow_early_data(session) &&
Jerry Yuc2b1bc42023-11-22 10:08:13 +0800[diff] [blame]699 mbedtls_ssl_tls13_cipher_suite_is_offered(ssl, session->ciphersuite);
Xiaokang Qian01323a42022-11-03 02:27:35 +0000[diff] [blame]700}
701#endif
702
Xiaokang Qianb781a232022-11-01 07:39:46 +0000[diff] [blame]703MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]704static int ssl_tls13_ticket_get_identity(mbedtls_ssl_context *ssl,
705 psa_algorithm_t *hash_alg,
706 const unsigned char **identity,
707 size_t *identity_len)
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]708{
709 mbedtls_ssl_session *session = ssl->session_negotiate;
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]710
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]711 if (!ssl_tls13_has_configured_ticket(ssl)) {
712 return -1;
713 }
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]714
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]715 *hash_alg = ssl_tls13_get_ciphersuite_hash_alg(session->ciphersuite);
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]716 *identity = session->ticket;
717 *identity_len = session->ticket_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]718 return 0;
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]719}
720
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]721MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]722static int ssl_tls13_ticket_get_psk(mbedtls_ssl_context *ssl,
723 psa_algorithm_t *hash_alg,
724 const unsigned char **psk,
725 size_t *psk_len)
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]726{
727
728 mbedtls_ssl_session *session = ssl->session_negotiate;
729
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]730 if (!ssl_tls13_has_configured_ticket(ssl)) {
731 return -1;
732 }
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]733
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]734 *hash_alg = ssl_tls13_get_ciphersuite_hash_alg(session->ciphersuite);
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]735 *psk = session->resumption_key;
736 *psk_len = session->resumption_key_len;
737
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]738 return 0;
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]739}
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]740#endif /* MBEDTLS_SSL_SESSION_TICKETS */
741
742MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]743static int ssl_tls13_psk_get_identity(mbedtls_ssl_context *ssl,
744 psa_algorithm_t *hash_alg,
745 const unsigned char **identity,
746 size_t *identity_len)
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]747{
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]748
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]749 if (!mbedtls_ssl_conf_has_static_psk(ssl->conf)) {
750 return -1;
751 }
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]752
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]753 *hash_alg = PSA_ALG_SHA_256;
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]754 *identity = ssl->conf->psk_identity;
755 *identity_len = ssl->conf->psk_identity_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]756 return 0;
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]757}
758
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]759MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]760static int ssl_tls13_psk_get_psk(mbedtls_ssl_context *ssl,
761 psa_algorithm_t *hash_alg,
762 const unsigned char **psk,
763 size_t *psk_len)
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]764{
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]765
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]766 if (!mbedtls_ssl_conf_has_static_psk(ssl->conf)) {
767 return -1;
768 }
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]769
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]770 *hash_alg = PSA_ALG_SHA_256;
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]771 *psk = ssl->conf->psk;
772 *psk_len = ssl->conf->psk_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]773 return 0;
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]774}
775
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]776static int ssl_tls13_get_configured_psk_count(mbedtls_ssl_context *ssl)
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]777{
778 int configured_psk_count = 0;
779#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]780 if (ssl_tls13_has_configured_ticket(ssl)) {
781 MBEDTLS_SSL_DEBUG_MSG(3, ("Ticket is configured"));
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]782 configured_psk_count++;
783 }
784#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]785 if (mbedtls_ssl_conf_has_static_psk(ssl->conf)) {
786 MBEDTLS_SSL_DEBUG_MSG(3, ("PSK is configured"));
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]787 configured_psk_count++;
788 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]789 return configured_psk_count;
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]790}
791
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]792MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]793static int ssl_tls13_write_identity(mbedtls_ssl_context *ssl,
794 unsigned char *buf,
795 unsigned char *end,
796 const unsigned char *identity,
797 size_t identity_len,
798 uint32_t obfuscated_ticket_age,
799 size_t *out_len)
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]800{
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]801 ((void) ssl);
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]802 *out_len = 0;
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]803
804 /*
805 * - identity_len (2 bytes)
806 * - identity (psk_identity_len bytes)
807 * - obfuscated_ticket_age (4 bytes)
808 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]809 MBEDTLS_SSL_CHK_BUF_PTR(buf, end, 6 + identity_len);
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]810
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]811 MBEDTLS_PUT_UINT16_BE(identity_len, buf, 0);
812 memcpy(buf + 2, identity, identity_len);
813 MBEDTLS_PUT_UINT32_BE(obfuscated_ticket_age, buf, 2 + identity_len);
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]814
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]815 MBEDTLS_SSL_DEBUG_BUF(4, "write identity", buf, 6 + identity_len);
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]816
817 *out_len = 6 + identity_len;
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]818
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]819 return 0;
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]820}
821
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]822MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]823static int ssl_tls13_write_binder(mbedtls_ssl_context *ssl,
824 unsigned char *buf,
825 unsigned char *end,
826 int psk_type,
827 psa_algorithm_t hash_alg,
828 const unsigned char *psk,
829 size_t psk_len,
830 size_t *out_len)
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]831{
832 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]833 unsigned char binder_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]834 unsigned char transcript[MBEDTLS_TLS1_3_MD_MAX_SIZE];
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]835 size_t transcript_len = 0;
836
837 *out_len = 0;
838
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]839 binder_len = PSA_HASH_LENGTH(hash_alg);
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]840
841 /*
842 * - binder_len (1 bytes)
843 * - binder (binder_len bytes)
844 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]845 MBEDTLS_SSL_CHK_BUF_PTR(buf, end, 1 + binder_len);
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]846
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]847 buf[0] = binder_len;
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]848
849 /* Get current state of handshake transcript. */
850 ret = mbedtls_ssl_get_handshake_transcript(
Manuel Pégourié-Gonnard2d6d9932023-03-28 11:38:08 +0200[diff] [blame]851 ssl, mbedtls_md_type_from_psa_alg(hash_alg),
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]852 transcript, sizeof(transcript), &transcript_len);
853 if (ret != 0) {
854 return ret;
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]855 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]856
857 ret = mbedtls_ssl_tls13_create_psk_binder(ssl, hash_alg,
858 psk, psk_len, psk_type,
859 transcript, buf + 1);
860 if (ret != 0) {
861 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_tls13_create_psk_binder", ret);
862 return ret;
863 }
864 MBEDTLS_SSL_DEBUG_BUF(4, "write binder", buf, 1 + binder_len);
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]865
866 *out_len = 1 + binder_len;
867
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]868 return 0;
Jerry Yu8b41e892022-09-30 10:00:20 +0800[diff] [blame]869}
870
871/*
872 * mbedtls_ssl_tls13_write_identities_of_pre_shared_key_ext() structure:
873 *
874 * struct {
875 * opaque identity<1..2^16-1>;
876 * uint32 obfuscated_ticket_age;
877 * } PskIdentity;
878 *
879 * opaque PskBinderEntry<32..255>;
880 *
881 * struct {
882 * PskIdentity identities<7..2^16-1>;
883 * PskBinderEntry binders<33..2^16-1>;
884 * } OfferedPsks;
885 *
886 * struct {
887 * select (Handshake.msg_type) {
888 * case client_hello: OfferedPsks;
889 * ...
890 * };
891 * } PreSharedKeyExtension;
892 *
893 */
XiaokangQian3ad67bf2022-07-21 02:26:21 +0000[diff] [blame]894int mbedtls_ssl_tls13_write_identities_of_pre_shared_key_ext(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]895 mbedtls_ssl_context *ssl, unsigned char *buf, unsigned char *end,
896 size_t *out_len, size_t *binders_len)
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]897{
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]898 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]899 int configured_psk_count = 0;
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]900 unsigned char *p = buf;
Xiaokang Qian854db282022-12-19 07:31:27 +0000[diff] [blame]901 psa_algorithm_t hash_alg = PSA_ALG_NONE;
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]902 const unsigned char *identity;
903 size_t identity_len;
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]904 size_t l_binders_len = 0;
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]905 size_t output_len;
Xiaokang Qian7179f812023-02-03 03:38:44 +0000[diff] [blame]906
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]907 *out_len = 0;
908 *binders_len = 0;
909
910 /* Check if we have any PSKs to offer. If no, skip pre_shared_key */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]911 configured_psk_count = ssl_tls13_get_configured_psk_count(ssl);
912 if (configured_psk_count == 0) {
913 MBEDTLS_SSL_DEBUG_MSG(3, ("skip pre_shared_key extensions"));
914 return 0;
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]915 }
916
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]917 MBEDTLS_SSL_DEBUG_MSG(4, ("Pre-configured PSK number = %d",
918 configured_psk_count));
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]919
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]920 /* Check if we have space to write the extension, binders included.
921 * - extension_type (2 bytes)
922 * - extension_data_len (2 bytes)
923 * - identities_len (2 bytes)
924 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]925 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 6);
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]926 p += 6;
927
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]928#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]929 if (ssl_tls13_ticket_get_identity(
930 ssl, &hash_alg, &identity, &identity_len) == 0) {
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]931#if defined(MBEDTLS_HAVE_TIME)
Jerry Yucebffc32022-12-15 18:00:05 +0800[diff] [blame]932 mbedtls_ms_time_t now = mbedtls_ms_time();
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]933 mbedtls_ssl_session *session = ssl->session_negotiate;
Jerry Yucf913512023-11-14 11:06:52 +0800[diff] [blame]934 /* The ticket age has been checked to be smaller than the
Jerry Yu46c79262023-11-10 13:58:16 +0800[diff] [blame]935 * `ticket_lifetime` in ssl_prepare_client_hello() which is smaller than
936 * 7 days (enforced in ssl_tls13_parse_new_session_ticket()) . Thus the
937 * cast to `uint32_t` of the ticket age is safe. */
Jerry Yu6916e702022-10-10 21:33:51 +0800[diff] [blame]938 uint32_t obfuscated_ticket_age =
Jerry Yu342a5552023-11-10 14:23:39 +0800[diff] [blame]939 (uint32_t) (now - session->ticket_reception_time);
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]940 obfuscated_ticket_age += session->ticket_age_add;
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]941
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]942 ret = ssl_tls13_write_identity(ssl, p, end,
943 identity, identity_len,
944 obfuscated_ticket_age,
945 &output_len);
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]946#else
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]947 ret = ssl_tls13_write_identity(ssl, p, end, identity, identity_len,
948 0, &output_len);
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]949#endif /* MBEDTLS_HAVE_TIME */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]950 if (ret != 0) {
951 return ret;
952 }
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]953
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]954 p += output_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]955 l_binders_len += 1 + PSA_HASH_LENGTH(hash_alg);
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]956 }
957#endif /* MBEDTLS_SSL_SESSION_TICKETS */
958
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]959 if (ssl_tls13_psk_get_identity(
960 ssl, &hash_alg, &identity, &identity_len) == 0) {
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]961
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]962 ret = ssl_tls13_write_identity(ssl, p, end, identity, identity_len, 0,
963 &output_len);
964 if (ret != 0) {
965 return ret;
966 }
Jerry Yuf75364b2022-09-30 10:30:31 +0800[diff] [blame]967
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]968 p += output_len;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]969 l_binders_len += 1 + PSA_HASH_LENGTH(hash_alg);
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]970 }
971
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]972 MBEDTLS_SSL_DEBUG_MSG(3,
973 ("client hello, adding pre_shared_key extension, "
974 "omitting PSK binder list"));
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]975
976 /* Take into account the two bytes for the length of the binders. */
977 l_binders_len += 2;
Jerry Yu6916e702022-10-10 21:33:51 +0800[diff] [blame]978 /* Check if there is enough space for binders */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]979 MBEDTLS_SSL_CHK_BUF_PTR(p, end, l_binders_len);
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]980
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]981 /*
982 * - extension_type (2 bytes)
983 * - extension_data_len (2 bytes)
984 * - identities_len (2 bytes)
985 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]986 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_PRE_SHARED_KEY, buf, 0);
987 MBEDTLS_PUT_UINT16_BE(p - buf - 4 + l_binders_len, buf, 2);
988 MBEDTLS_PUT_UINT16_BE(p - buf - 6, buf, 4);
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]989
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]990 *out_len = (p - buf) + l_binders_len;
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]991 *binders_len = l_binders_len;
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]992
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]993 MBEDTLS_SSL_DEBUG_BUF(3, "pre_shared_key identities", buf, p - buf);
Jerry Yuf7c12592022-09-28 22:09:38 +0800[diff] [blame]994
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]995 return 0;
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]996}
997
XiaokangQian86981952022-07-19 09:51:50 +0000[diff] [blame]998int mbedtls_ssl_tls13_write_binders_of_pre_shared_key_ext(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]999 mbedtls_ssl_context *ssl, unsigned char *buf, unsigned char *end)
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]1000{
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]1001 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1002 unsigned char *p = buf;
Jerry Yu6183cc72022-09-30 11:08:57 +0800[diff] [blame]1003 psa_algorithm_t hash_alg = PSA_ALG_NONE;
1004 const unsigned char *psk;
1005 size_t psk_len;
1006 size_t output_len;
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]1007
1008 /* Check if we have space to write binders_len.
1009 * - binders_len (2 bytes)
1010 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1011 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2);
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]1012 p += 2;
1013
Jerry Yu6183cc72022-09-30 11:08:57 +0800[diff] [blame]1014#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1015 if (ssl_tls13_ticket_get_psk(ssl, &hash_alg, &psk, &psk_len) == 0) {
Jerry Yu6183cc72022-09-30 11:08:57 +0800[diff] [blame]1016
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1017 ret = ssl_tls13_write_binder(ssl, p, end,
1018 MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION,
1019 hash_alg, psk, psk_len,
1020 &output_len);
1021 if (ret != 0) {
1022 return ret;
1023 }
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]1024 p += output_len;
1025 }
Jerry Yu6183cc72022-09-30 11:08:57 +0800[diff] [blame]1026#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]1027
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1028 if (ssl_tls13_psk_get_psk(ssl, &hash_alg, &psk, &psk_len) == 0) {
Jerry Yu6183cc72022-09-30 11:08:57 +0800[diff] [blame]1029
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1030 ret = ssl_tls13_write_binder(ssl, p, end,
1031 MBEDTLS_SSL_TLS1_3_PSK_EXTERNAL,
1032 hash_alg, psk, psk_len,
1033 &output_len);
1034 if (ret != 0) {
1035 return ret;
1036 }
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]1037 p += output_len;
1038 }
1039
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1040 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, adding PSK binder list."));
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]1041
1042 /*
1043 * - binders_len (2 bytes)
1044 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1045 MBEDTLS_PUT_UINT16_BE(p - buf - 2, buf, 0);
Jerry Yu1a0a0f42022-09-28 22:11:02 +0800[diff] [blame]1046
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1047 MBEDTLS_SSL_DEBUG_BUF(3, "pre_shared_key binders", buf, p - buf);
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]1048
Jerry Yuc4bf5d62022-10-29 09:08:47 +0800[diff] [blame]1049 mbedtls_ssl_tls13_set_hs_sent_ext_mask(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1050 ssl, MBEDTLS_TLS_EXT_PRE_SHARED_KEY);
Jerry Yu0c354a22022-08-29 15:25:36 +0800[diff] [blame]1051
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1052 return 0;
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]1053}
Jerry Yu0c6105b2022-08-12 17:26:40 +0800[diff] [blame]1054
1055/*
1056 * struct {
1057 * opaque identity<1..2^16-1>;
1058 * uint32 obfuscated_ticket_age;
1059 * } PskIdentity;
1060 *
1061 * opaque PskBinderEntry<32..255>;
1062 *
1063 * struct {
1064 *
1065 * select (Handshake.msg_type) {
1066 * ...
1067 * case server_hello: uint16 selected_identity;
1068 * };
1069 *
1070 * } PreSharedKeyExtension;
1071 *
1072 */
1073MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1074static int ssl_tls13_parse_server_pre_shared_key_ext(mbedtls_ssl_context *ssl,
1075 const unsigned char *buf,
1076 const unsigned char *end)
Jerry Yu0c6105b2022-08-12 17:26:40 +0800[diff] [blame]1077{
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]1078 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yub300e3c2022-09-28 22:12:07 +0800[diff] [blame]1079 int selected_identity;
Jerry Yub300e3c2022-09-28 22:12:07 +0800[diff] [blame]1080 const unsigned char *psk;
1081 size_t psk_len;
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]1082 psa_algorithm_t hash_alg;
Jerry Yub300e3c2022-09-28 22:12:07 +0800[diff] [blame]1083
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1084 MBEDTLS_SSL_CHK_BUF_READ_PTR(buf, end, 2);
1085 selected_identity = MBEDTLS_GET_UINT16_BE(buf, 0);
Xiaokang Qian2a674932023-01-04 03:15:09 +0000[diff] [blame]1086 ssl->handshake->selected_identity = (uint16_t) selected_identity;
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]1087
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1088 MBEDTLS_SSL_DEBUG_MSG(3, ("selected_identity = %d", selected_identity));
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]1089
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1090 if (selected_identity >= ssl_tls13_get_configured_psk_count(ssl)) {
1091 MBEDTLS_SSL_DEBUG_MSG(1, ("Invalid PSK identity."));
Jerry Yu4a698342022-09-30 12:22:01 +0800[diff] [blame]1092
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1093 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
1094 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
1095 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Jerry Yub300e3c2022-09-28 22:12:07 +0800[diff] [blame]1096 }
Jerry Yua99cbfa2022-10-08 11:17:14 +0800[diff] [blame]1097
Jerry Yu4a698342022-09-30 12:22:01 +0800[diff] [blame]1098#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1099 if (selected_identity == 0 && ssl_tls13_has_configured_ticket(ssl)) {
1100 ret = ssl_tls13_ticket_get_psk(ssl, &hash_alg, &psk, &psk_len);
1101 } else
Jerry Yu4a698342022-09-30 12:22:01 +0800[diff] [blame]1102#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1103 if (mbedtls_ssl_conf_has_static_psk(ssl->conf)) {
1104 ret = ssl_tls13_psk_get_psk(ssl, &hash_alg, &psk, &psk_len);
1105 } else {
1106 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
1107 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Jerry Yub300e3c2022-09-28 22:12:07 +0800[diff] [blame]1108 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1109 if (ret != 0) {
1110 return ret;
Jerry Yub300e3c2022-09-28 22:12:07 +0800[diff] [blame]1111 }
Jerry Yub300e3c2022-09-28 22:12:07 +0800[diff] [blame]1112
Dave Rodgman2eab4622023-10-05 13:30:37 +0100[diff] [blame]1113 if (mbedtls_md_psa_alg_from_type((mbedtls_md_type_t) ssl->handshake->ciphersuite_info->mac)
Xiaokang Qianeb31cbc2023-02-07 02:08:56 +0000[diff] [blame]1114 != hash_alg) {
1115 MBEDTLS_SSL_DEBUG_MSG(
1116 1, ("Invalid ciphersuite for external psk."));
1117
1118 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
1119 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
1120 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
1121 }
1122
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1123 ret = mbedtls_ssl_set_hs_psk(ssl, psk, psk_len);
1124 if (ret != 0) {
1125 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_set_hs_psk", ret);
1126 return ret;
1127 }
1128
1129 return 0;
Jerry Yu0c6105b2022-08-12 17:26:40 +0800[diff] [blame]1130}
Ronald Cron41a443a2022-10-04 16:38:25 +0200[diff] [blame]1131#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]1132
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1133int mbedtls_ssl_tls13_write_client_hello_exts(mbedtls_ssl_context *ssl,
1134 unsigned char *buf,
1135 unsigned char *end,
1136 size_t *out_len)
Ronald Cron04fbd2b2022-02-18 12:06:07 +0100[diff] [blame]1137{
1138 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1139 unsigned char *p = buf;
1140 size_t ext_len;
1141
1142 *out_len = 0;
1143
1144 /* Write supported_versions extension
1145 *
1146 * Supported Versions Extension is mandatory with TLS 1.3.
1147 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1148 ret = ssl_tls13_write_supported_versions_ext(ssl, p, end, &ext_len);
1149 if (ret != 0) {
1150 return ret;
1151 }
Ronald Cron04fbd2b2022-02-18 12:06:07 +0100[diff] [blame]1152 p += ext_len;
1153
1154 /* Echo the cookie if the server provided one in its preceding
1155 * HelloRetryRequest message.
1156 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1157 ret = ssl_tls13_write_cookie_ext(ssl, p, end, &ext_len);
1158 if (ret != 0) {
1159 return ret;
1160 }
Ronald Cron04fbd2b2022-02-18 12:06:07 +0100[diff] [blame]1161 p += ext_len;
1162
Yanray Wang42017cd2023-11-08 11:15:23 +0800[diff] [blame]1163#if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
1164 ret = mbedtls_ssl_tls13_write_record_size_limit_ext(
Waleed Elmelegy148dfb62024-01-04 18:02:35 +0000[diff] [blame]1165 ssl, p, end, &ext_len);
Yanray Wang42017cd2023-11-08 11:15:23 +0800[diff] [blame]1166 if (ret != 0) {
1167 return ret;
1168 }
1169 p += ext_len;
1170#endif
1171
Ronald Cron766c0cd2022-10-18 12:17:11 +0200[diff] [blame]1172#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)
Pengyu Lv0a1ff2b2023-11-14 11:03:32 +0800[diff] [blame]1173 if (mbedtls_ssl_conf_tls13_is_some_ephemeral_enabled(ssl)) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1174 ret = ssl_tls13_write_key_share_ext(ssl, p, end, &ext_len);
1175 if (ret != 0) {
1176 return ret;
1177 }
Ronald Cron04fbd2b2022-02-18 12:06:07 +0100[diff] [blame]1178 p += ext_len;
1179 }
Ronald Cron766c0cd2022-10-18 12:17:11 +0200[diff] [blame]1180#endif
Ronald Cron04fbd2b2022-02-18 12:06:07 +0100[diff] [blame]1181
Xiaokang Qian0e97d4d2022-10-24 11:12:51 +0000[diff] [blame]1182#if defined(MBEDTLS_SSL_EARLY_DATA)
Pengyu Lv0a1ff2b2023-11-14 11:03:32 +0800[diff] [blame]1183 if (mbedtls_ssl_conf_tls13_is_some_psk_enabled(ssl) &&
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1184 ssl_tls13_early_data_has_valid_ticket(ssl) &&
1185 ssl->conf->early_data_enabled == MBEDTLS_SSL_EARLY_DATA_ENABLED) {
Jerry Yu52335392023-11-23 18:06:06 +0800[diff] [blame]1186
1187 ret = mbedtls_ssl_tls13_write_early_data_ext(
Jerry Yuc59c5862023-12-05 10:40:49 +0800[diff] [blame]1188 ssl, 0, p, end, &ext_len);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1189 if (ret != 0) {
1190 return ret;
1191 }
Xiaokang Qian0e97d4d2022-10-24 11:12:51 +0000[diff] [blame]1192 p += ext_len;
1193
Ronald Cron4a8c9e22022-10-26 18:49:09 +0200[diff] [blame]1194 /* Initializes the status to `rejected`. It will be updated to
1195 * `accepted` if the EncryptedExtension message contain an early data
1196 * indication extension.
Xiaokang Qiana042b842022-11-09 01:59:33 +0000[diff] [blame]1197 */
Ronald Cron4a8c9e22022-10-26 18:49:09 +0200[diff] [blame]1198 ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1199 } else {
1200 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write early_data extension"));
Xiaokang Qianf447e8a2022-11-08 07:02:27 +0000[diff] [blame]1201 ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT;
Xiaokang Qian0e97d4d2022-10-24 11:12:51 +0000[diff] [blame]1202 }
1203#endif /* MBEDTLS_SSL_EARLY_DATA */
1204
Ronald Cron41a443a2022-10-04 16:38:25 +0200[diff] [blame]1205#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]1206 /* For PSK-based key exchange we need the pre_shared_key extension
1207 * and the psk_key_exchange_modes extension.
1208 *
1209 * The pre_shared_key extension MUST be the last extension in the
1210 * ClientHello. Servers MUST check that it is the last extension and
1211 * otherwise fail the handshake with an "illegal_parameter" alert.
1212 *
1213 * Add the psk_key_exchange_modes extension.
1214 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1215 ret = ssl_tls13_write_psk_key_exchange_modes_ext(ssl, p, end, &ext_len);
1216 if (ret != 0) {
1217 return ret;
1218 }
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]1219 p += ext_len;
Ronald Cron41a443a2022-10-04 16:38:25 +0200[diff] [blame]1220#endif
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]1221
Ronald Cron04fbd2b2022-02-18 12:06:07 +0100[diff] [blame]1222 *out_len = p - buf;
1223
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1224 return 0;
Ronald Cron04fbd2b2022-02-18 12:06:07 +0100[diff] [blame]1225}
1226
Xiaokang Qian934ce6f2023-02-06 10:23:04 +0000[diff] [blame]1227int mbedtls_ssl_tls13_finalize_client_hello(mbedtls_ssl_context *ssl)
Xiaokang Qian126929f2023-01-03 10:29:41 +0000[diff] [blame]1228{
Xiaokang Qian90746132023-01-06 05:54:59 +0000[diff] [blame]1229 ((void) ssl);
Xiaokang Qian79f77522023-01-28 10:35:29 +0000[diff] [blame]1230
Xiaokang Qian126929f2023-01-03 10:29:41 +0000[diff] [blame]1231#if defined(MBEDTLS_SSL_EARLY_DATA)
1232 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1233 psa_algorithm_t hash_alg = PSA_ALG_NONE;
1234 const unsigned char *psk;
1235 size_t psk_len;
1236 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
Xiaokang Qian592021a2023-01-04 10:47:05 +0000[diff] [blame]1237
Xiaokang Qian126929f2023-01-03 10:29:41 +0000[diff] [blame]1238 if (ssl->early_data_status == MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED) {
Xiaokang Qian6be82902023-02-03 06:04:43 +0000[diff] [blame]1239#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
1240 mbedtls_ssl_handshake_set_state(
1241 ssl, MBEDTLS_SSL_CLIENT_CCS_AFTER_CLIENT_HELLO);
1242#endif
Xiaokang Qian126929f2023-01-03 10:29:41 +0000[diff] [blame]1243 MBEDTLS_SSL_DEBUG_MSG(
1244 1, ("Set hs psk for early data when writing the first psk"));
1245
1246 ret = ssl_tls13_ticket_get_psk(ssl, &hash_alg, &psk, &psk_len);
1247 if (ret != 0) {
1248 MBEDTLS_SSL_DEBUG_RET(
1249 1, "ssl_tls13_ticket_get_psk", ret);
1250 return ret;
1251 }
1252
1253 ret = mbedtls_ssl_set_hs_psk(ssl, psk, psk_len);
1254 if (ret != 0) {
1255 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_set_hs_psk", ret);
1256 return ret;
1257 }
1258
Xiaokang Qian64bc9bc2023-02-07 02:32:23 +0000[diff] [blame]1259 /*
1260 * Early data are going to be encrypted using the ciphersuite
1261 * associated with the pre-shared key used for the handshake.
1262 * Note that if the server rejects early data, the handshake
1263 * based on the pre-shared key may complete successfully
1264 * with a selected ciphersuite different from the ciphersuite
1265 * associated with the pre-shared key. Only the hashes of the
1266 * two ciphersuites have to be the same. In that case, the
1267 * encrypted handshake data and application data are
1268 * encrypted using a different ciphersuite than the one used for
1269 * the rejected early data.
1270 */
Xiaokang Qian126929f2023-01-03 10:29:41 +0000[diff] [blame]1271 ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(
1272 ssl->session_negotiate->ciphersuite);
1273 ssl->handshake->ciphersuite_info = ciphersuite_info;
Xiaokang Qian8dc4ce72023-02-07 10:49:50 +0000[diff] [blame]1274
Tom Cosgrove5c8505f2023-03-07 11:39:52 +0000[diff] [blame]1275 /* Enable psk and psk_ephemeral to make stage early happy */
Xiaokang Qian126929f2023-01-03 10:29:41 +0000[diff] [blame]1276 ssl->handshake->key_exchange_mode =
1277 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL;
1278
1279 /* Start the TLS 1.3 key schedule:
Xiaokang Qian8dc4ce72023-02-07 10:49:50 +0000[diff] [blame]1280 * Set the PSK and derive early secret.
Xiaokang Qian126929f2023-01-03 10:29:41 +0000[diff] [blame]1281 */
1282 ret = mbedtls_ssl_tls13_key_schedule_stage_early(ssl);
1283 if (ret != 0) {
Xiaokang Qian0de0d862023-02-08 06:04:50 +0000[diff] [blame]1284 MBEDTLS_SSL_DEBUG_RET(
1285 1, "mbedtls_ssl_tls13_key_schedule_stage_early", ret);
Xiaokang Qian126929f2023-01-03 10:29:41 +0000[diff] [blame]1286 return ret;
1287 }
1288
1289 /* Derive early data key material */
1290 ret = mbedtls_ssl_tls13_compute_early_transform(ssl);
1291 if (ret != 0) {
Xiaokang Qian0de0d862023-02-08 06:04:50 +0000[diff] [blame]1292 MBEDTLS_SSL_DEBUG_RET(
1293 1, "mbedtls_ssl_tls13_compute_early_transform", ret);
Xiaokang Qian126929f2023-01-03 10:29:41 +0000[diff] [blame]1294 return ret;
1295 }
1296
Xiaokang Qian126929f2023-01-03 10:29:41 +0000[diff] [blame]1297 }
1298#endif /* MBEDTLS_SSL_EARLY_DATA */
1299 return 0;
1300}
Jerry Yu1bc2c1f2021-09-01 12:57:29 +0800[diff] [blame]1301/*
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1302 * Functions for parsing and processing Server Hello
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1303 */
Ronald Cronfd6193c2022-04-05 11:04:20 +0200[diff] [blame]1304
Ronald Cronda41b382022-03-30 09:57:11 +0200[diff] [blame]1305/**
1306 * \brief Detect if the ServerHello contains a supported_versions extension
1307 * or not.
1308 *
1309 * \param[in] ssl SSL context
1310 * \param[in] buf Buffer containing the ServerHello message
1311 * \param[in] end End of the buffer containing the ServerHello message
1312 *
1313 * \return 0 if the ServerHello does not contain a supported_versions extension
1314 * \return 1 if the ServerHello contains a supported_versions extension
1315 * \return A negative value if an error occurred while parsing the ServerHello.
1316 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1317MBEDTLS_CHECK_RETURN_CRITICAL
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]1318static int ssl_tls13_is_supported_versions_ext_present(
1319 mbedtls_ssl_context *ssl,
1320 const unsigned char *buf,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1321 const unsigned char *end)
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]1322{
1323 const unsigned char *p = buf;
1324 size_t legacy_session_id_echo_len;
Ronald Croneff56732023-04-03 17:36:31 +0200[diff] [blame]1325 const unsigned char *supported_versions_data;
1326 const unsigned char *supported_versions_data_end;
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]1327
1328 /*
1329 * Check there is enough data to access the legacy_session_id_echo vector
Ronald Cronda41b382022-03-30 09:57:11 +0200[diff] [blame]1330 * length:
1331 * - legacy_version 2 bytes
1332 * - random MBEDTLS_SERVER_HELLO_RANDOM_LEN bytes
1333 * - legacy_session_id_echo length 1 byte
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]1334 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1335 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, MBEDTLS_SERVER_HELLO_RANDOM_LEN + 3);
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]1336 p += MBEDTLS_SERVER_HELLO_RANDOM_LEN + 2;
1337 legacy_session_id_echo_len = *p;
1338
1339 /*
1340 * Jump to the extensions, jumping over:
1341 * - legacy_session_id_echo (legacy_session_id_echo_len + 1) bytes
1342 * - cipher_suite 2 bytes
1343 * - legacy_compression_method 1 byte
1344 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1345 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, legacy_session_id_echo_len + 4);
1346 p += legacy_session_id_echo_len + 4;
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]1347
Ronald Cron47dce632023-02-08 17:38:29 +0100[diff] [blame]1348 return mbedtls_ssl_tls13_is_supported_versions_ext_present_in_exts(
1349 ssl, p, end,
Ronald Croneff56732023-04-03 17:36:31 +0200[diff] [blame]1350 &supported_versions_data, &supported_versions_data_end);
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]1351}
1352
Jerry Yu7a186a02021-10-15 18:46:14 +0800[diff] [blame]1353/* Returns a negative value on failure, and otherwise
Ronald Cronfd6193c2022-04-05 11:04:20 +0200[diff] [blame]1354 * - 1 if the last eight bytes of the ServerHello random bytes indicate that
1355 * the server is TLS 1.3 capable but negotiating TLS 1.2 or below.
1356 * - 0 otherwise
1357 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1358MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1359static int ssl_tls13_is_downgrade_negotiation(mbedtls_ssl_context *ssl,
1360 const unsigned char *buf,
1361 const unsigned char *end)
Ronald Cronfd6193c2022-04-05 11:04:20 +0200[diff] [blame]1362{
1363 /* First seven bytes of the magic downgrade strings, see RFC 8446 4.1.3 */
1364 static const unsigned char magic_downgrade_string[] =
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1365 { 0x44, 0x4F, 0x57, 0x4E, 0x47, 0x52, 0x44 };
Ronald Cronfd6193c2022-04-05 11:04:20 +0200[diff] [blame]1366 const unsigned char *last_eight_bytes_of_random;
1367 unsigned char last_byte_of_random;
1368
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1369 MBEDTLS_SSL_CHK_BUF_READ_PTR(buf, end, MBEDTLS_SERVER_HELLO_RANDOM_LEN + 2);
Ronald Cronfd6193c2022-04-05 11:04:20 +0200[diff] [blame]1370 last_eight_bytes_of_random = buf + 2 + MBEDTLS_SERVER_HELLO_RANDOM_LEN - 8;
1371
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1372 if (memcmp(last_eight_bytes_of_random,
1373 magic_downgrade_string,
1374 sizeof(magic_downgrade_string)) == 0) {
Ronald Cronfd6193c2022-04-05 11:04:20 +0200[diff] [blame]1375 last_byte_of_random = last_eight_bytes_of_random[7];
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1376 return last_byte_of_random == 0 ||
1377 last_byte_of_random == 1;
Ronald Cronfd6193c2022-04-05 11:04:20 +0200[diff] [blame]1378 }
1379
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1380 return 0;
Ronald Cronfd6193c2022-04-05 11:04:20 +0200[diff] [blame]1381}
1382
1383/* Returns a negative value on failure, and otherwise
Ronald Cron828aff62022-05-31 12:04:31 +0200[diff] [blame]1384 * - SSL_SERVER_HELLO or
1385 * - SSL_SERVER_HELLO_HRR
XiaokangQian51eff222021-12-10 10:33:56 +0000[diff] [blame]1386 * to indicate which message is expected and to be parsed next.
1387 */
Ronald Cron828aff62022-05-31 12:04:31 +0200[diff] [blame]1388#define SSL_SERVER_HELLO 0
1389#define SSL_SERVER_HELLO_HRR 1
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1390MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1391static int ssl_server_hello_is_hrr(mbedtls_ssl_context *ssl,
1392 const unsigned char *buf,
1393 const unsigned char *end)
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1394{
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1395
1396 /* Check whether this message is a HelloRetryRequest ( HRR ) message.
1397 *
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1398 * Server Hello and HRR are only distinguished by Random set to the
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1399 * special value of the SHA-256 of "HelloRetryRequest".
1400 *
1401 * struct {
1402 * ProtocolVersion legacy_version = 0x0303;
1403 * Random random;
1404 * opaque legacy_session_id_echo<0..32>;
1405 * CipherSuite cipher_suite;
1406 * uint8 legacy_compression_method = 0;
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1407 * Extension extensions<6..2^16-1>;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1408 * } ServerHello;
1409 *
1410 */
Xiaokang Qian958b6ff2023-03-29 10:37:35 +0000[diff] [blame]1411 MBEDTLS_SSL_CHK_BUF_READ_PTR(
1412 buf, end, 2 + sizeof(mbedtls_ssl_tls13_hello_retry_request_magic));
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1413
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1414 if (memcmp(buf + 2, mbedtls_ssl_tls13_hello_retry_request_magic,
1415 sizeof(mbedtls_ssl_tls13_hello_retry_request_magic)) == 0) {
1416 return SSL_SERVER_HELLO_HRR;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1417 }
1418
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1419 return SSL_SERVER_HELLO;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1420}
1421
Ronald Cron828aff62022-05-31 12:04:31 +0200[diff] [blame]1422/*
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1423 * Returns a negative value on failure, and otherwise
Ronald Cron828aff62022-05-31 12:04:31 +0200[diff] [blame]1424 * - SSL_SERVER_HELLO or
1425 * - SSL_SERVER_HELLO_HRR or
1426 * - SSL_SERVER_HELLO_TLS1_2
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1427 */
Ronald Cron828aff62022-05-31 12:04:31 +0200[diff] [blame]1428#define SSL_SERVER_HELLO_TLS1_2 2
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1429MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1430static int ssl_tls13_preprocess_server_hello(mbedtls_ssl_context *ssl,
1431 const unsigned char *buf,
1432 const unsigned char *end)
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1433{
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1434 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Ronald Cron5afb9042022-05-31 12:11:39 +0200[diff] [blame]1435 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1436
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1437 MBEDTLS_SSL_PROC_CHK_NEG(ssl_tls13_is_supported_versions_ext_present(
1438 ssl, buf, end));
Jerry Yua66fece2022-07-13 14:30:29 +0800[diff] [blame]1439
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1440 if (ret == 0) {
Ronald Cronfd6193c2022-04-05 11:04:20 +0200[diff] [blame]1441 MBEDTLS_SSL_PROC_CHK_NEG(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1442 ssl_tls13_is_downgrade_negotiation(ssl, buf, end));
Ronald Cronfd6193c2022-04-05 11:04:20 +0200[diff] [blame]1443
1444 /* If the server is negotiating TLS 1.2 or below and:
1445 * . we did not propose TLS 1.2 or
1446 * . the server responded it is TLS 1.3 capable but negotiating a lower
1447 * version of the protocol and thus we are under downgrade attack
1448 * abort the handshake with an "illegal parameter" alert.
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]1449 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1450 if (handshake->min_tls_version > MBEDTLS_SSL_VERSION_TLS1_2 || ret) {
1451 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
1452 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
1453 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]1454 }
1455
Ronald Cronb828c7d2023-04-03 16:37:22 +0200[diff] [blame]1456 /*
1457 * Version 1.2 of the protocol has been negotiated, set the
1458 * ssl->keep_current_message flag for the ServerHello to be kept and
1459 * parsed as a TLS 1.2 ServerHello. We also change ssl->tls_version to
1460 * MBEDTLS_SSL_VERSION_TLS1_2 thus from now on mbedtls_ssl_handshake_step()
1461 * will dispatch to the TLS 1.2 state machine.
1462 */
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]1463 ssl->keep_current_message = 1;
Glenn Strauss60bfe602022-03-14 19:04:24 -0400[diff] [blame]1464 ssl->tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
Xiaokang Qian958b6ff2023-03-29 10:37:35 +0000[diff] [blame]1465 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(
1466 ssl, MBEDTLS_SSL_HS_SERVER_HELLO,
1467 buf, (size_t) (end - buf)));
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]1468
Pengyu Lv0a1ff2b2023-11-14 11:03:32 +0800[diff] [blame]1469 if (mbedtls_ssl_conf_tls13_is_some_ephemeral_enabled(ssl)) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1470 ret = ssl_tls13_reset_key_share(ssl);
1471 if (ret != 0) {
1472 return ret;
1473 }
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]1474 }
1475
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1476 return SSL_SERVER_HELLO_TLS1_2;
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]1477 }
1478
Jerry Yua66fece2022-07-13 14:30:29 +0800[diff] [blame]1479#if defined(MBEDTLS_SSL_SESSION_TICKETS)
1480 ssl->session_negotiate->endpoint = ssl->conf->endpoint;
1481 ssl->session_negotiate->tls_version = ssl->tls_version;
1482#endif /* MBEDTLS_SSL_SESSION_TICKETS */
1483
Jerry Yu50e00e32022-10-31 14:45:01 +0800[diff] [blame]1484 handshake->received_extensions = MBEDTLS_SSL_EXT_MASK_NONE;
Ronald Cron5afb9042022-05-31 12:11:39 +0200[diff] [blame]1485
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1486 ret = ssl_server_hello_is_hrr(ssl, buf, end);
1487 switch (ret) {
Ronald Cron828aff62022-05-31 12:04:31 +0200[diff] [blame]1488 case SSL_SERVER_HELLO:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1489 MBEDTLS_SSL_DEBUG_MSG(2, ("received ServerHello message"));
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1490 break;
Ronald Cron828aff62022-05-31 12:04:31 +0200[diff] [blame]1491 case SSL_SERVER_HELLO_HRR:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1492 MBEDTLS_SSL_DEBUG_MSG(2, ("received HelloRetryRequest message"));
Xiaokang Qian958b6ff2023-03-29 10:37:35 +0000[diff] [blame]1493 /* If a client receives a second HelloRetryRequest in the same
1494 * connection (i.e., where the ClientHello was itself in response
1495 * to a HelloRetryRequest), it MUST abort the handshake with an
1496 * "unexpected_message" alert.
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1497 */
1498 if (handshake->hello_retry_request_count > 0) {
1499 MBEDTLS_SSL_DEBUG_MSG(1, ("Multiple HRRs received"));
Xiaokang Qian958b6ff2023-03-29 10:37:35 +0000[diff] [blame]1500 MBEDTLS_SSL_PEND_FATAL_ALERT(
1501 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE,
1502 MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1503 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
XiaokangQian16acd4b2022-01-14 07:35:47 +0000[diff] [blame]1504 }
XiaokangQian2b01dc32022-01-21 02:53:13 +0000[diff] [blame]1505 /*
1506 * Clients must abort the handshake with an "illegal_parameter"
1507 * alert if the HelloRetryRequest would not result in any change
1508 * in the ClientHello.
1509 * In a PSK only key exchange that what we expect.
1510 */
Pengyu Lv0a1ff2b2023-11-14 11:03:32 +0800[diff] [blame]1511 if (!mbedtls_ssl_conf_tls13_is_some_ephemeral_enabled(ssl)) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1512 MBEDTLS_SSL_DEBUG_MSG(1,
1513 ("Unexpected HRR in pure PSK key exchange."));
XiaokangQian2b01dc32022-01-21 02:53:13 +0000[diff] [blame]1514 MBEDTLS_SSL_PEND_FATAL_ALERT(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1515 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
1516 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
1517 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
XiaokangQian2b01dc32022-01-21 02:53:13 +0000[diff] [blame]1518 }
XiaokangQian16acd4b2022-01-14 07:35:47 +0000[diff] [blame]1519
Ronald Cron5afb9042022-05-31 12:11:39 +0200[diff] [blame]1520 handshake->hello_retry_request_count++;
XiaokangQian16acd4b2022-01-14 07:35:47 +0000[diff] [blame]1521
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1522 break;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1523 }
1524
1525cleanup:
1526
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1527 return ret;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1528}
1529
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1530MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1531static int ssl_tls13_check_server_hello_session_id_echo(mbedtls_ssl_context *ssl,
1532 const unsigned char **buf,
1533 const unsigned char *end)
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1534{
1535 const unsigned char *p = *buf;
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1536 size_t legacy_session_id_echo_len;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1537
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1538 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 1);
1539 legacy_session_id_echo_len = *p++;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1540
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1541 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, legacy_session_id_echo_len);
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1542
1543 /* legacy_session_id_echo */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1544 if (ssl->session_negotiate->id_len != legacy_session_id_echo_len ||
1545 memcmp(ssl->session_negotiate->id, p, legacy_session_id_echo_len) != 0) {
1546 MBEDTLS_SSL_DEBUG_BUF(3, "Expected Session ID",
1547 ssl->session_negotiate->id,
1548 ssl->session_negotiate->id_len);
1549 MBEDTLS_SSL_DEBUG_BUF(3, "Received Session ID", p,
1550 legacy_session_id_echo_len);
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1551
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1552 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
1553 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1554
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1555 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1556 }
1557
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1558 p += legacy_session_id_echo_len;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1559 *buf = p;
1560
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1561 MBEDTLS_SSL_DEBUG_BUF(3, "Session ID", ssl->session_negotiate->id,
1562 ssl->session_negotiate->id_len);
1563 return 0;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1564}
1565
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1566/* Parse ServerHello message and configure context
1567 *
1568 * struct {
1569 * ProtocolVersion legacy_version = 0x0303; // TLS 1.2
1570 * Random random;
1571 * opaque legacy_session_id_echo<0..32>;
1572 * CipherSuite cipher_suite;
1573 * uint8 legacy_compression_method = 0;
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1574 * Extension extensions<6..2^16-1>;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1575 * } ServerHello;
1576 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1577MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1578static int ssl_tls13_parse_server_hello(mbedtls_ssl_context *ssl,
1579 const unsigned char *buf,
1580 const unsigned char *end,
1581 int is_hrr)
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1582{
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1583 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1584 const unsigned char *p = buf;
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]1585 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1586 size_t extensions_len;
1587 const unsigned char *extensions_end;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1588 uint16_t cipher_suite;
Jerry Yude4fb2c2021-09-19 18:05:08 +0800[diff] [blame]1589 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
XiaokangQianb119a352022-01-26 03:29:10 +0000[diff] [blame]1590 int fatal_alert = 0;
Jerry Yu0c354a22022-08-29 15:25:36 +0800[diff] [blame]1591 uint32_t allowed_extensions_mask;
Jerry Yu50e00e32022-10-31 14:45:01 +0800[diff] [blame]1592 int hs_msg_type = is_hrr ? MBEDTLS_SSL_TLS1_3_HS_HELLO_RETRY_REQUEST :
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1593 MBEDTLS_SSL_HS_SERVER_HELLO;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1594
1595 /*
1596 * Check there is space for minimal fields
1597 *
1598 * - legacy_version ( 2 bytes)
Jerry Yue6d7e5c2021-10-26 10:44:32 +0800[diff] [blame]1599 * - random (MBEDTLS_SERVER_HELLO_RANDOM_LEN bytes)
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1600 * - legacy_session_id_echo ( 1 byte ), minimum size
1601 * - cipher_suite ( 2 bytes)
1602 * - legacy_compression_method ( 1 byte )
1603 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1604 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, MBEDTLS_SERVER_HELLO_RANDOM_LEN + 6);
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1605
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1606 MBEDTLS_SSL_DEBUG_BUF(4, "server hello", p, end - p);
1607 MBEDTLS_SSL_DEBUG_BUF(3, "server hello, version", p, 2);
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1608
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1609 /* ...
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1610 * ProtocolVersion legacy_version = 0x0303; // TLS 1.2
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1611 * ...
1612 * with ProtocolVersion defined as:
1613 * uint16 ProtocolVersion;
1614 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1615 if (mbedtls_ssl_read_version(p, ssl->conf->transport) !=
1616 MBEDTLS_SSL_VERSION_TLS1_2) {
1617 MBEDTLS_SSL_DEBUG_MSG(1, ("Unsupported version of TLS."));
1618 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION,
1619 MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION);
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1620 ret = MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION;
1621 goto cleanup;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1622 }
1623 p += 2;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1624
Jerry Yue6d7e5c2021-10-26 10:44:32 +0800[diff] [blame]1625 /* ...
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1626 * Random random;
1627 * ...
1628 * with Random defined as:
Jerry Yue6d7e5c2021-10-26 10:44:32 +0800[diff] [blame]1629 * opaque Random[MBEDTLS_SERVER_HELLO_RANDOM_LEN];
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1630 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1631 if (!is_hrr) {
1632 memcpy(&handshake->randbytes[MBEDTLS_CLIENT_HELLO_RANDOM_LEN], p,
1633 MBEDTLS_SERVER_HELLO_RANDOM_LEN);
1634 MBEDTLS_SSL_DEBUG_BUF(3, "server hello, random bytes",
1635 p, MBEDTLS_SERVER_HELLO_RANDOM_LEN);
XiaokangQian53f20b72022-01-18 10:47:33 +0000[diff] [blame]1636 }
Jerry Yue6d7e5c2021-10-26 10:44:32 +0800[diff] [blame]1637 p += MBEDTLS_SERVER_HELLO_RANDOM_LEN;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1638
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1639 /* ...
1640 * opaque legacy_session_id_echo<0..32>;
1641 * ...
1642 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1643 if (ssl_tls13_check_server_hello_session_id_echo(ssl, &p, end) != 0) {
XiaokangQian52da5582022-01-26 09:49:29 +0000[diff] [blame]1644 fatal_alert = MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER;
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1645 goto cleanup;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1646 }
1647
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1648 /* ...
1649 * CipherSuite cipher_suite;
1650 * ...
1651 * with CipherSuite defined as:
1652 * uint8 CipherSuite[2];
1653 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1654 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
1655 cipher_suite = MBEDTLS_GET_UINT16_BE(p, 0);
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1656 p += 2;
1657
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1658
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1659 ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(cipher_suite);
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1660 /*
Ronald Cronba120bb2022-03-30 22:09:48 +0200[diff] [blame]1661 * Check whether this ciphersuite is valid and offered.
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1662 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1663 if ((mbedtls_ssl_validate_ciphersuite(ssl, ciphersuite_info,
1664 ssl->tls_version,
1665 ssl->tls_version) != 0) ||
1666 !mbedtls_ssl_tls13_cipher_suite_is_offered(ssl, cipher_suite)) {
XiaokangQian52da5582022-01-26 09:49:29 +0000[diff] [blame]1667 fatal_alert = MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1668 }
XiaokangQian53f20b72022-01-18 10:47:33 +0000[diff] [blame]1669 /*
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]1670 * If we received an HRR before and that the proposed selected
1671 * ciphersuite in this server hello is not the same as the one
1672 * proposed in the HRR, we abort the handshake and send an
1673 * "illegal_parameter" alert.
XiaokangQian53f20b72022-01-18 10:47:33 +0000[diff] [blame]1674 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1675 else if ((!is_hrr) && (handshake->hello_retry_request_count > 0) &&
1676 (cipher_suite != ssl->session_negotiate->ciphersuite)) {
XiaokangQian52da5582022-01-26 09:49:29 +0000[diff] [blame]1677 fatal_alert = MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER;
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]1678 }
XiaokangQian53f20b72022-01-18 10:47:33 +0000[diff] [blame]1679
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1680 if (fatal_alert == MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER) {
1681 MBEDTLS_SSL_DEBUG_MSG(1, ("invalid ciphersuite(%04x) parameter",
1682 cipher_suite));
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1683 goto cleanup;
XiaokangQian53f20b72022-01-18 10:47:33 +0000[diff] [blame]1684 }
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1685
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1686 /* Configure ciphersuites */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1687 mbedtls_ssl_optimize_checksum(ssl, ciphersuite_info);
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1688
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]1689 handshake->ciphersuite_info = ciphersuite_info;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1690 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, chosen ciphersuite: ( %04x ) - %s",
1691 cipher_suite, ciphersuite_info->name));
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1692
1693#if defined(MBEDTLS_HAVE_TIME)
YxCda609132023-05-22 12:08:12 -0700[diff] [blame]1694 ssl->session_negotiate->start = mbedtls_time(NULL);
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1695#endif /* MBEDTLS_HAVE_TIME */
1696
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1697 /* ...
1698 * uint8 legacy_compression_method = 0;
1699 * ...
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1700 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1701 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 1);
1702 if (p[0] != MBEDTLS_SSL_COMPRESS_NULL) {
1703 MBEDTLS_SSL_DEBUG_MSG(1, ("bad legacy compression method"));
XiaokangQian52da5582022-01-26 09:49:29 +0000[diff] [blame]1704 fatal_alert = MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER;
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1705 goto cleanup;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1706 }
1707 p++;
1708
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1709 /* ...
1710 * Extension extensions<6..2^16-1>;
1711 * ...
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1712 * struct {
1713 * ExtensionType extension_type; (2 bytes)
1714 * opaque extension_data<0..2^16-1>;
1715 * } Extension;
1716 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1717 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
1718 extensions_len = MBEDTLS_GET_UINT16_BE(p, 0);
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1719 p += 2;
Jerry Yude4fb2c2021-09-19 18:05:08 +0800[diff] [blame]1720
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1721 /* Check extensions do not go beyond the buffer of data. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1722 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, extensions_len);
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1723 extensions_end = p + extensions_len;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1724
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1725 MBEDTLS_SSL_DEBUG_BUF(3, "server hello extensions", p, extensions_len);
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1726
Jerry Yu50e00e32022-10-31 14:45:01 +0800[diff] [blame]1727 handshake->received_extensions = MBEDTLS_SSL_EXT_MASK_NONE;
Jerry Yu0c354a22022-08-29 15:25:36 +0800[diff] [blame]1728 allowed_extensions_mask = is_hrr ?
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1729 MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_HRR :
1730 MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_SH;
Jerry Yu2c5363e2022-08-04 17:42:49 +0800[diff] [blame]1731
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1732 while (p < extensions_end) {
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1733 unsigned int extension_type;
1734 size_t extension_data_len;
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]1735 const unsigned char *extension_data_end;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1736
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1737 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, extensions_end, 4);
1738 extension_type = MBEDTLS_GET_UINT16_BE(p, 0);
1739 extension_data_len = MBEDTLS_GET_UINT16_BE(p, 2);
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1740 p += 4;
1741
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1742 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, extensions_end, extension_data_len);
XiaokangQian43550bd2022-01-21 04:32:58 +0000[diff] [blame]1743 extension_data_end = p + extension_data_len;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1744
Jerry Yuc4bf5d62022-10-29 09:08:47 +0800[diff] [blame]1745 ret = mbedtls_ssl_tls13_check_received_extension(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1746 ssl, hs_msg_type, extension_type, allowed_extensions_mask);
1747 if (ret != 0) {
1748 return ret;
1749 }
Jerry Yu2c5363e2022-08-04 17:42:49 +0800[diff] [blame]1750
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1751 switch (extension_type) {
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]1752 case MBEDTLS_TLS_EXT_COOKIE:
1753
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1754 ret = ssl_tls13_parse_cookie_ext(ssl,
1755 p, extension_data_end);
1756 if (ret != 0) {
1757 MBEDTLS_SSL_DEBUG_RET(1,
1758 "ssl_tls13_parse_cookie_ext",
1759 ret);
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1760 goto cleanup;
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]1761 }
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]1762 break;
XiaokangQianb851da82022-01-14 04:03:11 +0000[diff] [blame]1763
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1764 case MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1765 ret = ssl_tls13_parse_supported_versions_ext(ssl,
1766 p,
1767 extension_data_end);
1768 if (ret != 0) {
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1769 goto cleanup;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1770 }
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1771 break;
1772
Ronald Cron41a443a2022-10-04 16:38:25 +0200[diff] [blame]1773#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1774 case MBEDTLS_TLS_EXT_PRE_SHARED_KEY:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1775 MBEDTLS_SSL_DEBUG_MSG(3, ("found pre_shared_key extension"));
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1776
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1777 if ((ret = ssl_tls13_parse_server_pre_shared_key_ext(
1778 ssl, p, extension_data_end)) != 0) {
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]1779 MBEDTLS_SSL_DEBUG_RET(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1780 1, ("ssl_tls13_parse_server_pre_shared_key_ext"), ret);
1781 return ret;
XiaokangQianeb69aee2022-07-05 08:21:43 +0000[diff] [blame]1782 }
1783 break;
Ronald Cron41a443a2022-10-04 16:38:25 +0200[diff] [blame]1784#endif
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1785
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1786 case MBEDTLS_TLS_EXT_KEY_SHARE:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1787 MBEDTLS_SSL_DEBUG_MSG(3, ("found key_shares extension"));
Pengyu Lv0a1ff2b2023-11-14 11:03:32 +0800[diff] [blame]1788 if (!mbedtls_ssl_conf_tls13_is_some_ephemeral_enabled(ssl)) {
XiaokangQian52da5582022-01-26 09:49:29 +0000[diff] [blame]1789 fatal_alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT;
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1790 goto cleanup;
1791 }
1792
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1793 if (is_hrr) {
1794 ret = ssl_tls13_parse_hrr_key_share_ext(ssl,
1795 p, extension_data_end);
1796 } else {
1797 ret = ssl_tls13_parse_key_share_ext(ssl,
1798 p, extension_data_end);
1799 }
1800 if (ret != 0) {
1801 MBEDTLS_SSL_DEBUG_RET(1,
1802 "ssl_tls13_parse_key_share_ext",
1803 ret);
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1804 goto cleanup;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1805 }
1806 break;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1807
1808 default:
Jerry Yu9872eb22022-08-29 13:42:01 +0800[diff] [blame]1809 ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
1810 goto cleanup;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1811 }
1812
1813 p += extension_data_len;
1814 }
1815
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1816 MBEDTLS_SSL_PRINT_EXTS(3, hs_msg_type, handshake->received_extensions);
Jerry Yu2c5363e2022-08-04 17:42:49 +0800[diff] [blame]1817
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1818cleanup:
1819
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1820 if (fatal_alert == MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT) {
1821 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT,
1822 MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION);
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1823 ret = MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1824 } else if (fatal_alert == MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER) {
1825 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
1826 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1827 ret = MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
1828 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1829 return ret;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1830}
1831
Xiaokang Qiancb6e9632022-09-26 11:59:32 +0000[diff] [blame]1832#if defined(MBEDTLS_DEBUG_C)
1833static const char *ssl_tls13_get_kex_mode_str(int mode)
Xiaokang Qian5beec4b2022-09-26 08:23:45 +0000[diff] [blame]1834{
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1835 switch (mode) {
Xiaokang Qian5beec4b2022-09-26 08:23:45 +0000[diff] [blame]1836 case MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK:
1837 return "psk";
1838 case MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL:
1839 return "ephemeral";
1840 case MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL:
1841 return "psk_ephemeral";
1842 default:
1843 return "unknown mode";
1844 }
1845}
Xiaokang Qiancb6e9632022-09-26 11:59:32 +0000[diff] [blame]1846#endif /* MBEDTLS_DEBUG_C */
Xiaokang Qian5beec4b2022-09-26 08:23:45 +0000[diff] [blame]1847
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1848MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1849static int ssl_tls13_postprocess_server_hello(mbedtls_ssl_context *ssl)
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1850{
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1851 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1852 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
Jerry Yu0b177842021-09-05 19:41:30 +0800[diff] [blame]1853
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1854 /* Determine the key exchange mode:
1855 * 1) If both the pre_shared_key and key_share extensions were received
1856 * then the key exchange mode is PSK with EPHEMERAL.
1857 * 2) If only the pre_shared_key extension was received then the key
1858 * exchange mode is PSK-only.
1859 * 3) If only the key_share extension was received then the key
1860 * exchange mode is EPHEMERAL-only.
Jerry Yu0b177842021-09-05 19:41:30 +0800[diff] [blame]1861 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1862 switch (handshake->received_extensions &
Xiaokang Qian958b6ff2023-03-29 10:37:35 +0000[diff] [blame]1863 (MBEDTLS_SSL_EXT_MASK(PRE_SHARED_KEY) |
1864 MBEDTLS_SSL_EXT_MASK(KEY_SHARE))) {
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1865 /* Only the pre_shared_key extension was received */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1866 case MBEDTLS_SSL_EXT_MASK(PRE_SHARED_KEY):
Xiaokang Qian958b6ff2023-03-29 10:37:35 +0000[diff] [blame]1867 handshake->key_exchange_mode =
1868 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK;
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1869 break;
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1870
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1871 /* Only the key_share extension was received */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1872 case MBEDTLS_SSL_EXT_MASK(KEY_SHARE):
Xiaokang Qian958b6ff2023-03-29 10:37:35 +0000[diff] [blame]1873 handshake->key_exchange_mode =
1874 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL;
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1875 break;
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1876
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1877 /* Both the pre_shared_key and key_share extensions were received */
Xiaokang Qian958b6ff2023-03-29 10:37:35 +0000[diff] [blame]1878 case (MBEDTLS_SSL_EXT_MASK(PRE_SHARED_KEY) |
1879 MBEDTLS_SSL_EXT_MASK(KEY_SHARE)):
1880 handshake->key_exchange_mode =
1881 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL;
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1882 break;
Jerry Yub85277e2021-10-13 13:36:05 +0800[diff] [blame]1883
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1884 /* Neither pre_shared_key nor key_share extension was received */
1885 default:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1886 MBEDTLS_SSL_DEBUG_MSG(1, ("Unknown key exchange."));
Jerry Yu745bb612021-10-13 22:01:04 +0800[diff] [blame]1887 ret = MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
1888 goto cleanup;
Jerry Yu0b177842021-09-05 19:41:30 +0800[diff] [blame]1889 }
1890
Pengyu Lvfc2cb962023-11-10 10:22:36 +0800[diff] [blame]1891 if (!mbedtls_ssl_conf_tls13_is_kex_mode_enabled(
Xiaokang Qian0de0d862023-02-08 06:04:50 +0000[diff] [blame]1892 ssl, handshake->key_exchange_mode)) {
Xiaokang Qianac8195f2022-09-26 04:01:06 +0000[diff] [blame]1893 ret = MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
Xiaokang Qian958b6ff2023-03-29 10:37:35 +0000[diff] [blame]1894 MBEDTLS_SSL_DEBUG_MSG(
1895 2, ("Key exchange mode(%s) is not supported.",
1896 ssl_tls13_get_kex_mode_str(handshake->key_exchange_mode)));
Xiaokang Qianac8195f2022-09-26 04:01:06 +0000[diff] [blame]1897 goto cleanup;
1898 }
1899
Xiaokang Qian958b6ff2023-03-29 10:37:35 +0000[diff] [blame]1900 MBEDTLS_SSL_DEBUG_MSG(
1901 3, ("Selected key exchange mode: %s",
1902 ssl_tls13_get_kex_mode_str(handshake->key_exchange_mode)));
Xiaokang Qian5beec4b2022-09-26 08:23:45 +0000[diff] [blame]1903
Xiaokang Qian7892b6c2023-02-02 06:05:48 +0000[diff] [blame]1904 /* Start the TLS 1.3 key scheduling if not already done.
Jerry Yu0b177842021-09-05 19:41:30 +0800[diff] [blame]1905 *
Xiaokang Qian7892b6c2023-02-02 06:05:48 +0000[diff] [blame]1906 * If we proposed early data then we have already derived an
1907 * early secret using the selected PSK and its associated hash.
1908 * It means that if the negotiated key exchange mode is psk or
1909 * psk_ephemeral, we have already correctly computed the
1910 * early secret and thus we do not do it again. In all other
1911 * cases we compute it here.
Xiaokang Qian303f82c52023-01-04 08:43:46 +0000[diff] [blame]1912 */
Xiaokang Qian90746132023-01-06 05:54:59 +0000[diff] [blame]1913#if defined(MBEDTLS_SSL_EARLY_DATA)
Xiaokang Qiane04afdc2023-02-07 02:19:42 +0000[diff] [blame]1914 if (ssl->early_data_status == MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT ||
1915 handshake->key_exchange_mode ==
1916 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL)
Xiaokang Qian90746132023-01-06 05:54:59 +0000[diff] [blame]1917#endif
1918 {
Xiaokang Qian303f82c52023-01-04 08:43:46 +0000[diff] [blame]1919 ret = mbedtls_ssl_tls13_key_schedule_stage_early(ssl);
1920 if (ret != 0) {
1921 MBEDTLS_SSL_DEBUG_RET(
1922 1, "mbedtls_ssl_tls13_key_schedule_stage_early", ret);
1923 goto cleanup;
1924 }
Jerry Yu0b177842021-09-05 19:41:30 +0800[diff] [blame]1925 }
1926
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1927 ret = mbedtls_ssl_tls13_compute_handshake_transform(ssl);
1928 if (ret != 0) {
1929 MBEDTLS_SSL_DEBUG_RET(1,
1930 "mbedtls_ssl_tls13_compute_handshake_transform",
1931 ret);
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1932 goto cleanup;
Jerry Yu0b177842021-09-05 19:41:30 +0800[diff] [blame]1933 }
1934
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1935 mbedtls_ssl_set_inbound_transform(ssl, handshake->transform_handshake);
1936 MBEDTLS_SSL_DEBUG_MSG(1, ("Switch to handshake keys for inbound traffic"));
Jerry Yu0b177842021-09-05 19:41:30 +0800[diff] [blame]1937 ssl->session_in = ssl->session_negotiate;
1938
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1939cleanup:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1940 if (ret != 0) {
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1941 MBEDTLS_SSL_PEND_FATAL_ALERT(
1942 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1943 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE);
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1944 }
Jerry Yue110d252022-05-05 10:19:22 +0800[diff] [blame]1945
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1946 return ret;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1947}
1948
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1949MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1950static int ssl_tls13_postprocess_hrr(mbedtls_ssl_context *ssl)
XiaokangQian647719a2021-12-07 09:16:29 +0000[diff] [blame]1951{
1952 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1953
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1954 mbedtls_ssl_session_reset_msg_layer(ssl, 0);
XiaokangQian647719a2021-12-07 09:16:29 +0000[diff] [blame]1955
XiaokangQian78b1fa72022-01-19 06:56:30 +0000[diff] [blame]1956 /*
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]1957 * We are going to re-generate a shared secret corresponding to the group
1958 * selected by the server, which is different from the group for which we
1959 * generated a shared secret in the first client hello.
1960 * Thus, reset the shared secret.
XiaokangQian51eff222021-12-10 10:33:56 +0000[diff] [blame]1961 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1962 ret = ssl_tls13_reset_key_share(ssl);
1963 if (ret != 0) {
1964 return ret;
1965 }
XiaokangQian647719a2021-12-07 09:16:29 +0000[diff] [blame]1966
Xiaokang Qian4ef8ba22023-02-06 11:06:16 +0000[diff] [blame]1967 ssl->session_negotiate->ciphersuite = ssl->handshake->ciphersuite_info->id;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1968 return 0;
XiaokangQian647719a2021-12-07 09:16:29 +0000[diff] [blame]1969}
1970
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1971/*
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1972 * Wait and parse ServerHello handshake message.
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]1973 * Handler for MBEDTLS_SSL_SERVER_HELLO
1974 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]1975MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1976static int ssl_tls13_process_server_hello(mbedtls_ssl_context *ssl)
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]1977{
Jerry Yu4a173382021-10-11 21:45:31 +0800[diff] [blame]1978 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
XiaokangQian647719a2021-12-07 09:16:29 +0000[diff] [blame]1979 unsigned char *buf = NULL;
1980 size_t buf_len = 0;
XiaokangQian78b1fa72022-01-19 06:56:30 +0000[diff] [blame]1981 int is_hrr = 0;
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1982
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1983 MBEDTLS_SSL_DEBUG_MSG(2, ("=> %s", __func__));
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]1984
Xiaokang Qian958b6ff2023-03-29 10:37:35 +0000[diff] [blame]1985 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_tls13_fetch_handshake_msg(
1986 ssl, MBEDTLS_SSL_HS_SERVER_HELLO, &buf, &buf_len));
Ronald Crondb5dfa12022-05-31 11:44:38 +0200[diff] [blame]1987
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1988 ret = ssl_tls13_preprocess_server_hello(ssl, buf, buf + buf_len);
1989 if (ret < 0) {
XiaokangQian16acd4b2022-01-14 07:35:47 +0000[diff] [blame]1990 goto cleanup;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1991 } else {
1992 is_hrr = (ret == SSL_SERVER_HELLO_HRR);
1993 }
XiaokangQiand59be772022-01-24 10:12:51 +0000[diff] [blame]1994
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1995 if (ret == SSL_SERVER_HELLO_TLS1_2) {
Ronald Cron9f0fba32022-02-10 16:45:15 +0100[diff] [blame]1996 ret = 0;
1997 goto cleanup;
1998 }
1999
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2000 MBEDTLS_SSL_PROC_CHK(ssl_tls13_parse_server_hello(ssl, buf,
2001 buf + buf_len,
2002 is_hrr));
2003 if (is_hrr) {
2004 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_reset_transcript_for_hrr(ssl));
Ronald Cronfb508b82022-05-31 14:49:55 +0200[diff] [blame]2005 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2006
Xiaokang Qian958b6ff2023-03-29 10:37:35 +0000[diff] [blame]2007 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(
2008 ssl, MBEDTLS_SSL_HS_SERVER_HELLO, buf, buf_len));
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2009
2010 if (is_hrr) {
2011 MBEDTLS_SSL_PROC_CHK(ssl_tls13_postprocess_hrr(ssl));
2012#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
2013 /* If not offering early data, the client sends a dummy CCS record
2014 * immediately before its second flight. This may either be before
2015 * its second ClientHello or before its encrypted handshake flight.
2016 */
Xiaokang Qian958b6ff2023-03-29 10:37:35 +0000[diff] [blame]2017 mbedtls_ssl_handshake_set_state(
2018 ssl, MBEDTLS_SSL_CLIENT_CCS_BEFORE_2ND_CLIENT_HELLO);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2019#else
2020 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_HELLO);
2021#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
2022 } else {
2023 MBEDTLS_SSL_PROC_CHK(ssl_tls13_postprocess_server_hello(ssl));
2024 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_ENCRYPTED_EXTENSIONS);
Ronald Cronfb508b82022-05-31 14:49:55 +0200[diff] [blame]2025 }
Jerry Yue1b9c292021-09-10 10:08:31 +0800[diff] [blame]2026
2027cleanup:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2028 MBEDTLS_SSL_DEBUG_MSG(2, ("<= %s ( %s )", __func__,
2029 is_hrr ? "HelloRetryRequest" : "ServerHello"));
2030 return ret;
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2031}
2032
2033/*
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]2034 *
Ronald Cron9d6a5452022-05-30 16:05:38 +0200[diff] [blame]2035 * Handler for MBEDTLS_SSL_ENCRYPTED_EXTENSIONS
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]2036 *
2037 * The EncryptedExtensions message contains any extensions which
2038 * should be protected, i.e., any which are not needed to establish
2039 * the cryptographic context.
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2040 */
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]2041
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]2042/* Parse EncryptedExtensions message
2043 * struct {
XiaokangQian97799ac2021-10-11 10:05:54 +0000[diff] [blame]2044 * Extension extensions<0..2^16-1>;
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]2045 * } EncryptedExtensions;
2046 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2047MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2048static int ssl_tls13_parse_encrypted_extensions(mbedtls_ssl_context *ssl,
2049 const unsigned char *buf,
2050 const unsigned char *end)
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]2051{
2052 int ret = 0;
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]2053 size_t extensions_len;
XiaokangQian140f0452021-10-08 08:05:53 +0000[diff] [blame]2054 const unsigned char *p = buf;
XiaokangQian8db25ff2021-10-13 05:56:18 +0000[diff] [blame]2055 const unsigned char *extensions_end;
Jerry Yuc4bf5d62022-10-29 09:08:47 +0800[diff] [blame]2056 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]2057
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2058 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
2059 extensions_len = MBEDTLS_GET_UINT16_BE(p, 0);
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]2060 p += 2;
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]2061
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2062 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, extensions_len);
Ronald Cronc8083592022-05-31 16:24:05 +0200[diff] [blame]2063 extensions_end = p + extensions_len;
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]2064
Jan Bruckner5a3629b2023-02-23 12:08:09 +0100[diff] [blame]2065 MBEDTLS_SSL_DEBUG_BUF(3, "encrypted extensions", p, extensions_len);
2066
Jerry Yu9eba7502022-10-31 13:46:16 +0800[diff] [blame]2067 handshake->received_extensions = MBEDTLS_SSL_EXT_MASK_NONE;
Jerry Yucbd082f2022-08-04 16:55:10 +0800[diff] [blame]2068
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2069 while (p < extensions_end) {
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]2070 unsigned int extension_type;
2071 size_t extension_data_len;
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]2072
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]2073 /*
2074 * struct {
XiaokangQian97799ac2021-10-11 10:05:54 +0000[diff] [blame]2075 * ExtensionType extension_type; (2 bytes)
2076 * opaque extension_data<0..2^16-1>;
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]2077 * } Extension;
2078 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2079 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, extensions_end, 4);
2080 extension_type = MBEDTLS_GET_UINT16_BE(p, 0);
2081 extension_data_len = MBEDTLS_GET_UINT16_BE(p, 2);
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]2082 p += 4;
2083
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2084 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, extensions_end, extension_data_len);
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]2085
Jerry Yuc4bf5d62022-10-29 09:08:47 +0800[diff] [blame]2086 ret = mbedtls_ssl_tls13_check_received_extension(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2087 ssl, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS, extension_type,
2088 MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_EE);
2089 if (ret != 0) {
2090 return ret;
2091 }
Jerry Yucbd082f2022-08-04 16:55:10 +0800[diff] [blame]2092
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2093 switch (extension_type) {
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]2094#if defined(MBEDTLS_SSL_ALPN)
2095 case MBEDTLS_TLS_EXT_ALPN:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2096 MBEDTLS_SSL_DEBUG_MSG(3, ("found alpn extension"));
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]2097
Xiaokang Qian958b6ff2023-03-29 10:37:35 +0000[diff] [blame]2098 if ((ret = ssl_tls13_parse_alpn_ext(
2099 ssl, p, (size_t) extension_data_len)) != 0) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2100 return ret;
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]2101 }
2102
2103 break;
2104#endif /* MBEDTLS_SSL_ALPN */
Xiaokang Qian8bee8992022-10-27 10:21:05 +0000[diff] [blame]2105
2106#if defined(MBEDTLS_SSL_EARLY_DATA)
2107 case MBEDTLS_TLS_EXT_EARLY_DATA:
Xiaokang Qianca09afc2022-11-22 10:05:19 +0000[diff] [blame]2108
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2109 if (extension_data_len != 0) {
Xiaokang Qianca09afc2022-11-22 10:05:19 +0000[diff] [blame]2110 /* The message must be empty. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2111 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
2112 MBEDTLS_ERR_SSL_DECODE_ERROR);
2113 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Xiaokang Qianca09afc2022-11-22 10:05:19 +0000[diff] [blame]2114 }
2115
Xiaokang Qian8bee8992022-10-27 10:21:05 +0000[diff] [blame]2116 break;
2117#endif /* MBEDTLS_SSL_EARLY_DATA */
2118
Jan Bruckner151f6422023-02-10 12:45:19 +0100[diff] [blame]2119#if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
2120 case MBEDTLS_TLS_EXT_RECORD_SIZE_LIMIT:
2121 MBEDTLS_SSL_DEBUG_MSG(3, ("found record_size_limit extension"));
2122
Xiaokang Qian958b6ff2023-03-29 10:37:35 +0000[diff] [blame]2123 ret = mbedtls_ssl_tls13_parse_record_size_limit_ext(
2124 ssl, p, p + extension_data_len);
Jan Brucknerf482dcc2023-03-15 09:09:06 +0100[diff] [blame]2125 if (ret != 0) {
2126 MBEDTLS_SSL_DEBUG_RET(
2127 1, ("mbedtls_ssl_tls13_parse_record_size_limit_ext"), ret);
2128 return ret;
2129 }
Jan Bruckner151f6422023-02-10 12:45:19 +0100[diff] [blame]2130 break;
2131#endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */
2132
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]2133 default:
Jerry Yu79aa7212022-11-08 21:30:21 +0800[diff] [blame]2134 MBEDTLS_SSL_PRINT_EXT(
Jerry Yu9eba7502022-10-31 13:46:16 +0800[diff] [blame]2135 3, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2136 extension_type, "( ignored )");
Jerry Yucbd082f2022-08-04 16:55:10 +0800[diff] [blame]2137 break;
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]2138 }
2139
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]2140 p += extension_data_len;
XiaokangQian97799ac2021-10-11 10:05:54 +0000[diff] [blame]2141 }
XiaokangQian08da26c2021-10-09 10:12:11 +0000[diff] [blame]2142
Waleed Elmelegy049cd302023-12-20 17:28:31 +0000[diff] [blame]2143 if ((handshake->received_extensions & MBEDTLS_SSL_EXT_MASK(RECORD_SIZE_LIMIT)) &&
2144 (handshake->received_extensions & MBEDTLS_SSL_EXT_MASK(MAX_FRAGMENT_LENGTH))) {
Waleed Elmelegy6a971fd2023-12-28 17:48:16 +0000[diff] [blame]2145 MBEDTLS_SSL_DEBUG_MSG(3,
2146 (
2147 "Record size limit extension cannot be used with max fragment length extension"));
Waleed Elmelegy049cd302023-12-20 17:28:31 +0000[diff] [blame]2148 MBEDTLS_SSL_PEND_FATAL_ALERT(
2149 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
2150 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
2151 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
2152 }
2153
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2154 MBEDTLS_SSL_PRINT_EXTS(3, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS,
2155 handshake->received_extensions);
Jerry Yucbd082f2022-08-04 16:55:10 +0800[diff] [blame]2156
XiaokangQian97799ac2021-10-11 10:05:54 +0000[diff] [blame]2157 /* Check that we consumed all the message. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2158 if (p != end) {
2159 MBEDTLS_SSL_DEBUG_MSG(1, ("EncryptedExtension lengths misaligned"));
2160 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
2161 MBEDTLS_ERR_SSL_DECODE_ERROR);
2162 return MBEDTLS_ERR_SSL_DECODE_ERROR;
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]2163 }
2164
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2165 return ret;
XiaokangQian2d5c72b2021-09-13 07:30:09 +0000[diff] [blame]2166}
2167
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2168MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2169static int ssl_tls13_process_encrypted_extensions(mbedtls_ssl_context *ssl)
Ronald Cron9d6a5452022-05-30 16:05:38 +0200[diff] [blame]2170{
2171 int ret;
2172 unsigned char *buf;
2173 size_t buf_len;
Jerry Yu960b7eb2023-10-31 16:40:01 +0800[diff] [blame]2174 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
Ronald Cron9d6a5452022-05-30 16:05:38 +0200[diff] [blame]2175
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2176 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse encrypted extensions"));
Ronald Cron9d6a5452022-05-30 16:05:38 +0200[diff] [blame]2177
Xiaokang Qian958b6ff2023-03-29 10:37:35 +0000[diff] [blame]2178 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_tls13_fetch_handshake_msg(
2179 ssl, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS,
2180 &buf, &buf_len));
Ronald Cron9d6a5452022-05-30 16:05:38 +0200[diff] [blame]2181
2182 /* Process the message contents */
2183 MBEDTLS_SSL_PROC_CHK(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2184 ssl_tls13_parse_encrypted_extensions(ssl, buf, buf + buf_len));
Ronald Cron9d6a5452022-05-30 16:05:38 +0200[diff] [blame]2185
Xiaokang Qianb157e912022-11-23 08:12:26 +0000[diff] [blame]2186#if defined(MBEDTLS_SSL_EARLY_DATA)
Jerry Yu960b7eb2023-10-31 16:40:01 +0800[diff] [blame]2187 if (handshake->received_extensions & MBEDTLS_SSL_EXT_MASK(EARLY_DATA)) {
2188 /* RFC8446 4.2.11
2189 * If the server supplies an "early_data" extension, the
2190 * client MUST verify that the server's selected_identity
2191 * is 0. If any other value is returned, the client MUST
2192 * abort the handshake with an "illegal_parameter" alert.
2193 *
2194 * RFC 8446 4.2.10
2195 * In order to accept early data, the server MUST have accepted a PSK
2196 * cipher suite and selected the first key offered in the client's
2197 * "pre_shared_key" extension. In addition, it MUST verify that the
2198 * following values are the same as those associated with the
2199 * selected PSK:
2200 * - The TLS version number
2201 * - The selected cipher suite
2202 * - The selected ALPN [RFC7301] protocol, if any
2203 *
Yanray Wang03a00762023-12-01 17:40:19 +0800[diff] [blame]2204 * The server has sent an early data extension in its Encrypted
2205 * Extension message thus accepted to receive early data. We
2206 * check here that the additional constraints on the handshake
2207 * parameters, when early data are exchanged, are met,
2208 * namely:
Yanray Wang744577a2023-12-01 22:33:59 +0800[diff] [blame]2209 * - a PSK has been selected for the handshake
Yanray Wang03a00762023-12-01 17:40:19 +0800[diff] [blame]2210 * - the selected PSK for the handshake was the first one proposed
2211 * by the client.
2212 * - the selected ciphersuite for the handshake is the ciphersuite
2213 * associated with the selected PSK.
Jerry Yu960b7eb2023-10-31 16:40:01 +0800[diff] [blame]2214 */
Yanray Wang744577a2023-12-01 22:33:59 +0800[diff] [blame]2215 if ((!mbedtls_ssl_tls13_key_exchange_mode_with_psk(ssl)) ||
2216 handshake->selected_identity != 0 ||
Jerry Yu960b7eb2023-10-31 16:40:01 +0800[diff] [blame]2217 handshake->ciphersuite_info->id !=
2218 ssl->session_negotiate->ciphersuite) {
2219
2220 MBEDTLS_SSL_PEND_FATAL_ALERT(
2221 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
2222 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
2223 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
2224 }
2225
Xiaokang Qianb157e912022-11-23 08:12:26 +0000[diff] [blame]2226 ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED;
2227 }
2228#endif
2229
Yanray Wanga29db7d2023-11-30 14:06:14 +0800[diff] [blame]2230 /*
Yanray Wang9ae65342023-12-01 17:46:06 +0800[diff] [blame]2231 * In case the client has proposed a PSK associated with a ticket,
2232 * `ssl->session_negotiate->ciphersuite` still contains at this point the
2233 * identifier of the ciphersuite associated with the ticket. This is that
2234 * way because, if an exchange of early data is agreed upon, we need
2235 * it to check that the ciphersuite selected for the handshake is the
2236 * ticket ciphersuite (see above). This information is not needed
2237 * anymore thus we can now set it to the identifier of the ciphersuite
2238 * used in this session under negotiation.
Yanray Wanga29db7d2023-11-30 14:06:14 +0800[diff] [blame]2239 */
2240 ssl->session_negotiate->ciphersuite = handshake->ciphersuite_info->id;
2241
Xiaokang Qian958b6ff2023-03-29 10:37:35 +0000[diff] [blame]2242 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(
2243 ssl, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS,
2244 buf, buf_len));
Ronald Cron9d6a5452022-05-30 16:05:38 +0200[diff] [blame]2245
Ronald Cron928cbd32022-10-04 16:14:26 +0200[diff] [blame]2246#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2247 if (mbedtls_ssl_tls13_key_exchange_mode_with_psk(ssl)) {
2248 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_FINISHED);
2249 } else {
2250 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CERTIFICATE_REQUEST);
2251 }
Ronald Cronfb508b82022-05-31 14:49:55 +0200[diff] [blame]2252#else
2253 ((void) ssl);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2254 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_FINISHED);
Ronald Cronfb508b82022-05-31 14:49:55 +0200[diff] [blame]2255#endif
Ronald Cron9d6a5452022-05-30 16:05:38 +0200[diff] [blame]2256
2257cleanup:
2258
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2259 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse encrypted extensions"));
2260 return ret;
Ronald Cron9d6a5452022-05-30 16:05:38 +0200[diff] [blame]2261
2262}
2263
Xiaokang Qian125afcb2022-10-28 06:04:06 +0000[diff] [blame]2264/*
2265 * Handler for MBEDTLS_SSL_END_OF_EARLY_DATA
2266 *
Xiaokang Qianc81a15a2022-12-19 02:43:33 +0000[diff] [blame]2267 * RFC 8446 section 4.5
Xiaokang Qian125afcb2022-10-28 06:04:06 +0000[diff] [blame]2268 *
Xiaokang Qian125afcb2022-10-28 06:04:06 +0000[diff] [blame]2269 * struct {} EndOfEarlyData;
Xiaokang Qianc81a15a2022-12-19 02:43:33 +0000[diff] [blame]2270 *
2271 * If the server sent an "early_data" extension in EncryptedExtensions, the
2272 * client MUST send an EndOfEarlyData message after receiving the server
2273 * Finished. Otherwise, the client MUST NOT send an EndOfEarlyData message.
Xiaokang Qian125afcb2022-10-28 06:04:06 +0000[diff] [blame]2274 */
2275
Xiaokang Qian125afcb2022-10-28 06:04:06 +0000[diff] [blame]2276MBEDTLS_CHECK_RETURN_CRITICAL
Xiaokang Qian125afcb2022-10-28 06:04:06 +0000[diff] [blame]2277static int ssl_tls13_write_end_of_early_data(mbedtls_ssl_context *ssl)
2278{
2279 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Xiaokang Qian742578c2022-12-19 06:34:44 +0000[diff] [blame]2280 unsigned char *buf = NULL;
2281 size_t buf_len;
Xiaokang Qian57a138d2022-12-19 06:40:47 +0000[diff] [blame]2282 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write EndOfEarlyData"));
Xiaokang Qian125afcb2022-10-28 06:04:06 +0000[diff] [blame]2283
Xiaokang Qian742578c2022-12-19 06:34:44 +0000[diff] [blame]2284 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_start_handshake_msg(
Xiaokang Qian0de0d862023-02-08 06:04:50 +0000[diff] [blame]2285 ssl, MBEDTLS_SSL_HS_END_OF_EARLY_DATA,
2286 &buf, &buf_len));
Xiaokang Qian125afcb2022-10-28 06:04:06 +0000[diff] [blame]2287
Manuel Pégourié-Gonnard63e33dd2023-02-21 15:45:15 +0100[diff] [blame]2288 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_hdr_to_checksum(
2289 ssl, MBEDTLS_SSL_HS_END_OF_EARLY_DATA, 0));
Xiaokang Qian125afcb2022-10-28 06:04:06 +0000[diff] [blame]2290
Xiaokang Qian742578c2022-12-19 06:34:44 +0000[diff] [blame]2291 MBEDTLS_SSL_PROC_CHK(
2292 mbedtls_ssl_finish_handshake_msg(ssl, buf_len, 0));
Xiaokang Qianda8402d2022-12-15 14:55:35 +0000[diff] [blame]2293
Xiaokang Qian19d44162023-01-03 03:39:50 +0000[diff] [blame]2294 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE);
Xiaokang Qian125afcb2022-10-28 06:04:06 +0000[diff] [blame]2295
2296cleanup:
2297
2298 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write EndOfEarlyData"));
2299 return ret;
2300}
2301
Ronald Cron928cbd32022-10-04 16:14:26 +0200[diff] [blame]2302#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2303/*
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2304 * STATE HANDLING: CertificateRequest
2305 *
Jerry Yud2674312021-10-29 10:08:19 +0800[diff] [blame]2306 */
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]2307#define SSL_CERTIFICATE_REQUEST_EXPECT_REQUEST 0
2308#define SSL_CERTIFICATE_REQUEST_SKIP 1
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2309/* Coordination:
2310 * Deals with the ambiguity of not knowing if a CertificateRequest
2311 * will be sent. Returns a negative code on failure, or
2312 * - SSL_CERTIFICATE_REQUEST_EXPECT_REQUEST
2313 * - SSL_CERTIFICATE_REQUEST_SKIP
2314 * indicating if a Certificate Request is expected or not.
2315 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2316MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2317static int ssl_tls13_certificate_request_coordinate(mbedtls_ssl_context *ssl)
Jerry Yud2674312021-10-29 10:08:19 +0800[diff] [blame]2318{
Xiaofei Baide3f13e2022-01-18 05:47:05 +0000[diff] [blame]2319 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yud2674312021-10-29 10:08:19 +0800[diff] [blame]2320
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2321 if ((ret = mbedtls_ssl_read_record(ssl, 0)) != 0) {
2322 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);
2323 return ret;
Jerry Yud2674312021-10-29 10:08:19 +0800[diff] [blame]2324 }
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2325 ssl->keep_current_message = 1;
Jerry Yud2674312021-10-29 10:08:19 +0800[diff] [blame]2326
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2327 if ((ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE) &&
2328 (ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE_REQUEST)) {
2329 MBEDTLS_SSL_DEBUG_MSG(3, ("got a certificate request"));
2330 return SSL_CERTIFICATE_REQUEST_EXPECT_REQUEST;
Jerry Yud2674312021-10-29 10:08:19 +0800[diff] [blame]2331 }
2332
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2333 MBEDTLS_SSL_DEBUG_MSG(3, ("got no certificate request"));
Ronald Cron19385882022-06-15 16:26:13 +0200[diff] [blame]2334
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2335 return SSL_CERTIFICATE_REQUEST_SKIP;
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2336}
2337
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2338/*
2339 * ssl_tls13_parse_certificate_request()
2340 * Parse certificate request
2341 * struct {
2342 * opaque certificate_request_context<0..2^8-1>;
2343 * Extension extensions<2..2^16-1>;
2344 * } CertificateRequest;
2345 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2346MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2347static int ssl_tls13_parse_certificate_request(mbedtls_ssl_context *ssl,
2348 const unsigned char *buf,
2349 const unsigned char *end)
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2350{
2351 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2352 const unsigned char *p = buf;
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2353 size_t certificate_request_context_len = 0;
Xiaofei Bai82f0a9a2022-01-26 09:21:54 +0000[diff] [blame]2354 size_t extensions_len = 0;
2355 const unsigned char *extensions_end;
Jerry Yuc4bf5d62022-10-29 09:08:47 +0800[diff] [blame]2356 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2357
Xiaofei Bai82f0a9a2022-01-26 09:21:54 +0000[diff] [blame]2358 /* ...
2359 * opaque certificate_request_context<0..2^8-1>
2360 * ...
2361 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2362 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 1);
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2363 certificate_request_context_len = (size_t) p[0];
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]2364 p += 1;
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2365
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2366 if (certificate_request_context_len > 0) {
2367 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, certificate_request_context_len);
2368 MBEDTLS_SSL_DEBUG_BUF(3, "Certificate Request Context",
2369 p, certificate_request_context_len);
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2370
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]2371 handshake->certificate_request_context =
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2372 mbedtls_calloc(1, certificate_request_context_len);
2373 if (handshake->certificate_request_context == NULL) {
2374 MBEDTLS_SSL_DEBUG_MSG(1, ("buffer too small"));
2375 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2376 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2377 memcpy(handshake->certificate_request_context, p,
2378 certificate_request_context_len);
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2379 p += certificate_request_context_len;
2380 }
2381
Xiaofei Bai82f0a9a2022-01-26 09:21:54 +0000[diff] [blame]2382 /* ...
2383 * Extension extensions<2..2^16-1>;
2384 * ...
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2385 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2386 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
2387 extensions_len = MBEDTLS_GET_UINT16_BE(p, 0);
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2388 p += 2;
2389
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2390 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, extensions_len);
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2391 extensions_end = p + extensions_len;
2392
Jerry Yu6d0e78b2022-10-31 14:13:25 +0800[diff] [blame]2393 handshake->received_extensions = MBEDTLS_SSL_EXT_MASK_NONE;
Jerry Yuc55a6af2022-08-04 17:01:21 +0800[diff] [blame]2394
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2395 while (p < extensions_end) {
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2396 unsigned int extension_type;
2397 size_t extension_data_len;
2398
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2399 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, extensions_end, 4);
2400 extension_type = MBEDTLS_GET_UINT16_BE(p, 0);
2401 extension_data_len = MBEDTLS_GET_UINT16_BE(p, 2);
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2402 p += 4;
2403
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2404 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, extensions_end, extension_data_len);
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2405
Jerry Yuc4bf5d62022-10-29 09:08:47 +0800[diff] [blame]2406 ret = mbedtls_ssl_tls13_check_received_extension(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2407 ssl, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST, extension_type,
2408 MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CR);
2409 if (ret != 0) {
2410 return ret;
2411 }
Jerry Yuc55a6af2022-08-04 17:01:21 +0800[diff] [blame]2412
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2413 switch (extension_type) {
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2414 case MBEDTLS_TLS_EXT_SIG_ALG:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2415 MBEDTLS_SSL_DEBUG_MSG(3,
2416 ("found signature algorithms extension"));
2417 ret = mbedtls_ssl_parse_sig_alg_ext(ssl, p,
2418 p + extension_data_len);
2419 if (ret != 0) {
2420 return ret;
2421 }
Jerry Yuc55a6af2022-08-04 17:01:21 +0800[diff] [blame]2422
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2423 break;
2424
2425 default:
Jerry Yu79aa7212022-11-08 21:30:21 +0800[diff] [blame]2426 MBEDTLS_SSL_PRINT_EXT(
Jerry Yu6d0e78b2022-10-31 14:13:25 +0800[diff] [blame]2427 3, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2428 extension_type, "( ignored )");
Xiaofei Bai82f0a9a2022-01-26 09:21:54 +0000[diff] [blame]2429 break;
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2430 }
Jerry Yuc55a6af2022-08-04 17:01:21 +0800[diff] [blame]2431
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2432 p += extension_data_len;
2433 }
Jerry Yuc55a6af2022-08-04 17:01:21 +0800[diff] [blame]2434
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2435 MBEDTLS_SSL_PRINT_EXTS(3, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST,
2436 handshake->received_extensions);
Jerry Yuc55a6af2022-08-04 17:01:21 +0800[diff] [blame]2437
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]2438 /* Check that we consumed all the message. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2439 if (p != end) {
2440 MBEDTLS_SSL_DEBUG_MSG(1,
2441 ("CertificateRequest misaligned"));
Xiaofei Baic234ecf2022-02-08 09:59:23 +0000[diff] [blame]2442 goto decode_error;
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]2443 }
Jerry Yuc55a6af2022-08-04 17:01:21 +0800[diff] [blame]2444
Jerry Yu0c354a22022-08-29 15:25:36 +0800[diff] [blame]2445 /* RFC 8446 section 4.3.2
Jerry Yuc55a6af2022-08-04 17:01:21 +0800[diff] [blame]2446 *
2447 * The "signature_algorithms" extension MUST be specified
2448 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2449 if ((handshake->received_extensions & MBEDTLS_SSL_EXT_MASK(SIG_ALG)) == 0) {
2450 MBEDTLS_SSL_DEBUG_MSG(3,
2451 ("no signature algorithms extension found"));
Xiaofei Baic234ecf2022-02-08 09:59:23 +0000[diff] [blame]2452 goto decode_error;
Xiaofei Bai69fcd392022-01-20 08:25:00 +0000[diff] [blame]2453 }
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2454
Jerry Yu7840f812022-01-29 10:26:51 +0800[diff] [blame]2455 ssl->handshake->client_auth = 1;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2456 return 0;
Xiaofei Bai51f515a2022-02-08 07:28:04 +0000[diff] [blame]2457
Xiaofei Baic234ecf2022-02-08 09:59:23 +0000[diff] [blame]2458decode_error:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2459 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
2460 MBEDTLS_ERR_SSL_DECODE_ERROR);
2461 return MBEDTLS_ERR_SSL_DECODE_ERROR;
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2462}
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2463
Xiaofei Baide3f13e2022-01-18 05:47:05 +0000[diff] [blame]2464/*
2465 * Handler for MBEDTLS_SSL_CERTIFICATE_REQUEST
2466 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2467MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2468static int ssl_tls13_process_certificate_request(mbedtls_ssl_context *ssl)
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2469{
Xiaofei Baide3f13e2022-01-18 05:47:05 +0000[diff] [blame]2470 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2471
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2472 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate request"));
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2473
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2474 MBEDTLS_SSL_PROC_CHK_NEG(ssl_tls13_certificate_request_coordinate(ssl));
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2475
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2476 if (ret == SSL_CERTIFICATE_REQUEST_EXPECT_REQUEST) {
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2477 unsigned char *buf;
2478 size_t buf_len;
2479
Xiaokang Qian958b6ff2023-03-29 10:37:35 +0000[diff] [blame]2480 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_tls13_fetch_handshake_msg(
2481 ssl, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST,
2482 &buf, &buf_len));
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2483
Xiaokang Qian958b6ff2023-03-29 10:37:35 +0000[diff] [blame]2484 MBEDTLS_SSL_PROC_CHK(ssl_tls13_parse_certificate_request(
2485 ssl, buf, buf + buf_len));
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2486
Xiaokang Qian958b6ff2023-03-29 10:37:35 +0000[diff] [blame]2487 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(
2488 ssl, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST,
2489 buf, buf_len));
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2490 } else if (ret == SSL_CERTIFICATE_REQUEST_SKIP) {
Xiaofei Baif6d36962022-01-16 14:54:35 +0000[diff] [blame]2491 ret = 0;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2492 } else {
2493 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
Xiaofei Bai51f515a2022-02-08 07:28:04 +0000[diff] [blame]2494 ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
2495 goto cleanup;
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2496 }
2497
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2498 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_CERTIFICATE);
Jerry Yud2674312021-10-29 10:08:19 +0800[diff] [blame]2499
Xiaofei Baia0ab7772022-01-16 12:14:45 +0000[diff] [blame]2500cleanup:
2501
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2502 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse certificate request"));
2503 return ret;
Jerry Yud2674312021-10-29 10:08:19 +0800[diff] [blame]2504}
2505
2506/*
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2507 * Handler for MBEDTLS_SSL_SERVER_CERTIFICATE
2508 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2509MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2510static int ssl_tls13_process_server_certificate(mbedtls_ssl_context *ssl)
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2511{
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]2512 int ret;
2513
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2514 ret = mbedtls_ssl_tls13_process_certificate(ssl);
2515 if (ret != 0) {
2516 return ret;
2517 }
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]2518
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2519 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CERTIFICATE_VERIFY);
2520 return 0;
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2521}
2522
2523/*
2524 * Handler for MBEDTLS_SSL_CERTIFICATE_VERIFY
2525 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2526MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2527static int ssl_tls13_process_certificate_verify(mbedtls_ssl_context *ssl)
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2528{
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]2529 int ret;
2530
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2531 ret = mbedtls_ssl_tls13_process_certificate_verify(ssl);
2532 if (ret != 0) {
2533 return ret;
2534 }
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]2535
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2536 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_FINISHED);
2537 return 0;
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2538}
Ronald Cron928cbd32022-10-04 16:14:26 +0200[diff] [blame]2539#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
Ronald Crond4c64022021-12-06 09:06:46 +0100[diff] [blame]2540
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2541/*
2542 * Handler for MBEDTLS_SSL_SERVER_FINISHED
2543 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2544MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2545static int ssl_tls13_process_server_finished(mbedtls_ssl_context *ssl)
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2546{
XiaokangQianac0385c2021-11-03 06:40:11 +0000[diff] [blame]2547 int ret;
2548
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2549 ret = mbedtls_ssl_tls13_process_finished_message(ssl);
2550 if (ret != 0) {
2551 return ret;
2552 }
XiaokangQianac0385c2021-11-03 06:40:11 +0000[diff] [blame]2553
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2554 ret = mbedtls_ssl_tls13_compute_application_transform(ssl);
2555 if (ret != 0) {
Jerry Yue3d67cb2022-05-19 15:33:10 +0800[diff] [blame]2556 MBEDTLS_SSL_PEND_FATAL_ALERT(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2557 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
2558 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE);
2559 return ret;
Jerry Yue3d67cb2022-05-19 15:33:10 +0800[diff] [blame]2560 }
2561
Xiaokang Qianbc75bc02022-12-19 06:16:42 +0000[diff] [blame]2562#if defined(MBEDTLS_SSL_EARLY_DATA)
2563 if (ssl->early_data_status == MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED) {
2564 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_END_OF_EARLY_DATA);
Xiaokang Qianbd0ab062023-02-02 05:56:30 +0000[diff] [blame]2565 } else if (ssl->early_data_status == MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED) {
2566 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE);
Xiaokang Qianbc75bc02022-12-19 06:16:42 +0000[diff] [blame]2567 } else
2568#endif /* MBEDTLS_SSL_EARLY_DATA */
2569 {
2570#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
2571 mbedtls_ssl_handshake_set_state(
2572 ssl, MBEDTLS_SSL_CLIENT_CCS_AFTER_SERVER_FINISHED);
2573#else
2574 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE);
2575#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
2576 }
Ronald Cron49ad6192021-11-24 16:25:31 +0100[diff] [blame]2577
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2578 return 0;
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2579}
2580
2581/*
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]2582 * Handler for MBEDTLS_SSL_CLIENT_CERTIFICATE
2583 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2584MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2585static int ssl_tls13_write_client_certificate(mbedtls_ssl_context *ssl)
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]2586{
Ronald Cron7a94aca2022-03-09 07:44:27 +0100[diff] [blame]2587 int non_empty_certificate_msg = 0;
2588
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2589 MBEDTLS_SSL_DEBUG_MSG(1,
2590 ("Switch to handshake traffic keys for outbound traffic"));
2591 mbedtls_ssl_set_outbound_transform(ssl, ssl->handshake->transform_handshake);
Jerry Yu5cc35062022-01-28 16:16:08 +0800[diff] [blame]2592
Ronald Cron928cbd32022-10-04 16:14:26 +0200[diff] [blame]2593#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2594 if (ssl->handshake->client_auth) {
2595 int ret = mbedtls_ssl_tls13_write_certificate(ssl);
2596 if (ret != 0) {
2597 return ret;
2598 }
Ronald Cron5bb8fc82022-03-09 07:00:13 +0100[diff] [blame]2599
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2600 if (mbedtls_ssl_own_cert(ssl) != NULL) {
Ronald Cron7a94aca2022-03-09 07:44:27 +0100[diff] [blame]2601 non_empty_certificate_msg = 1;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2602 }
2603 } else {
2604 MBEDTLS_SSL_DEBUG_MSG(2, ("skip write certificate"));
Ronald Cron7a94aca2022-03-09 07:44:27 +0100[diff] [blame]2605 }
Ronald Cron9df7c802022-03-08 18:38:54 +0100[diff] [blame]2606#endif
Ronald Cron5bb8fc82022-03-09 07:00:13 +0100[diff] [blame]2607
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2608 if (non_empty_certificate_msg) {
2609 mbedtls_ssl_handshake_set_state(ssl,
2610 MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY);
2611 } else {
2612 MBEDTLS_SSL_DEBUG_MSG(2, ("skip write certificate verify"));
2613 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_FINISHED);
2614 }
Ronald Cron7a94aca2022-03-09 07:44:27 +0100[diff] [blame]2615
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2616 return 0;
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]2617}
2618
Ronald Cron928cbd32022-10-04 16:14:26 +0200[diff] [blame]2619#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]2620/*
2621 * Handler for MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY
2622 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2623MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2624static int ssl_tls13_write_client_certificate_verify(mbedtls_ssl_context *ssl)
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]2625{
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2626 int ret = mbedtls_ssl_tls13_write_certificate_verify(ssl);
Ronald Crona8b38872022-03-09 07:59:25 +0100[diff] [blame]2627
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2628 if (ret == 0) {
2629 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_FINISHED);
2630 }
Ronald Crona8b38872022-03-09 07:59:25 +0100[diff] [blame]2631
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2632 return ret;
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]2633}
Ronald Cron928cbd32022-10-04 16:14:26 +0200[diff] [blame]2634#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]2635
2636/*
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2637 * Handler for MBEDTLS_SSL_CLIENT_FINISHED
2638 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2639MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2640static int ssl_tls13_write_client_finished(mbedtls_ssl_context *ssl)
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2641{
XiaokangQian0fa66432021-11-15 03:33:57 +0000[diff] [blame]2642 int ret;
2643
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2644 ret = mbedtls_ssl_tls13_write_finished_message(ssl);
2645 if (ret != 0) {
2646 return ret;
Jerry Yue3d67cb2022-05-19 15:33:10 +0800[diff] [blame]2647 }
2648
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2649 ret = mbedtls_ssl_tls13_compute_resumption_master_secret(ssl);
2650 if (ret != 0) {
Xiaokang Qian958b6ff2023-03-29 10:37:35 +0000[diff] [blame]2651 MBEDTLS_SSL_DEBUG_RET(
2652 1, "mbedtls_ssl_tls13_compute_resumption_master_secret ", ret);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2653 return ret;
2654 }
2655
2656 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_FLUSH_BUFFERS);
2657 return 0;
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2658}
2659
2660/*
2661 * Handler for MBEDTLS_SSL_FLUSH_BUFFERS
2662 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2663MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2664static int ssl_tls13_flush_buffers(mbedtls_ssl_context *ssl)
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2665{
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2666 MBEDTLS_SSL_DEBUG_MSG(2, ("handshake: done"));
2667 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_WRAPUP);
2668 return 0;
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2669}
2670
2671/*
2672 * Handler for MBEDTLS_SSL_HANDSHAKE_WRAPUP
2673 */
Manuel Pégourié-Gonnarda3115dc2022-06-17 10:52:54 +0200[diff] [blame]2674MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2675static int ssl_tls13_handshake_wrapup(mbedtls_ssl_context *ssl)
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2676{
Jerry Yu378254d2021-10-30 21:44:47 +0800[diff] [blame]2677
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2678 mbedtls_ssl_tls13_handshake_wrapup(ssl);
Jerry Yu378254d2021-10-30 21:44:47 +0800[diff] [blame]2679
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2680 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_OVER);
2681 return 0;
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]2682}
2683
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2684#if defined(MBEDTLS_SSL_SESSION_TICKETS)
2685
Yanray Wang920db452023-11-14 17:20:16 +0800[diff] [blame]2686#if defined(MBEDTLS_SSL_EARLY_DATA)
2687/* From RFC 8446 section 4.2.10
2688 *
2689 * struct {
2690 * select (Handshake.msg_type) {
2691 * case new_session_ticket: uint32 max_early_data_size;
2692 * ...
2693 * };
2694 * } EarlyDataIndication;
2695 */
2696MBEDTLS_CHECK_RETURN_CRITICAL
Yanray Wangb3e207d2023-11-30 16:49:49 +0800[diff] [blame]2697static int ssl_tls13_parse_new_session_ticket_early_data_ext(
2698 mbedtls_ssl_context *ssl,
2699 const unsigned char *buf,
2700 const unsigned char *end)
Yanray Wang920db452023-11-14 17:20:16 +0800[diff] [blame]2701{
Yanray Wangd0120842023-11-23 16:35:54 +0800[diff] [blame]2702 mbedtls_ssl_session *session = ssl->session;
2703
Yanray Wang920db452023-11-14 17:20:16 +0800[diff] [blame]2704 MBEDTLS_SSL_CHK_BUF_READ_PTR(buf, end, 4);
Yanray Wang920db452023-11-14 17:20:16 +0800[diff] [blame]2705
Yanray Wangd0120842023-11-23 16:35:54 +0800[diff] [blame]2706 session->max_early_data_size = MBEDTLS_GET_UINT32_BE(buf, 0);
Pengyu Lv94a42cc2023-12-06 10:04:17 +0800[diff] [blame]2707 mbedtls_ssl_tls13_session_set_ticket_flags(
Yanray Wangd0120842023-11-23 16:35:54 +0800[diff] [blame]2708 session, MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_EARLY_DATA);
2709 MBEDTLS_SSL_DEBUG_MSG(
2710 3, ("received max_early_data_size: %u",
2711 (unsigned int) session->max_early_data_size));
Yanray Wang920db452023-11-14 17:20:16 +0800[diff] [blame]2712
Yanray Wangd0120842023-11-23 16:35:54 +0800[diff] [blame]2713 return 0;
Yanray Wang920db452023-11-14 17:20:16 +0800[diff] [blame]2714}
2715#endif /* MBEDTLS_SSL_EARLY_DATA */
2716
Jerry Yua0446a02022-07-13 11:22:55 +0800[diff] [blame]2717MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2718static int ssl_tls13_parse_new_session_ticket_exts(mbedtls_ssl_context *ssl,
2719 const unsigned char *buf,
2720 const unsigned char *end)
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2721{
Jerry Yuc4bf5d62022-10-29 09:08:47 +0800[diff] [blame]2722 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
Jerry Yuaf2c0c82022-07-12 05:47:21 +0000[diff] [blame]2723 const unsigned char *p = buf;
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2724
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2725
Jerry Yuedab6372022-10-31 14:37:31 +0800[diff] [blame]2726 handshake->received_extensions = MBEDTLS_SSL_EXT_MASK_NONE;
Jerry Yu6ba9f1c2022-08-04 17:53:25 +0800[diff] [blame]2727
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2728 while (p < end) {
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2729 unsigned int extension_type;
2730 size_t extension_data_len;
Jerry Yu0c354a22022-08-29 15:25:36 +0800[diff] [blame]2731 int ret;
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2732
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2733 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 4);
2734 extension_type = MBEDTLS_GET_UINT16_BE(p, 0);
2735 extension_data_len = MBEDTLS_GET_UINT16_BE(p, 2);
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2736 p += 4;
2737
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2738 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, extension_data_len);
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2739
Jerry Yuc4bf5d62022-10-29 09:08:47 +0800[diff] [blame]2740 ret = mbedtls_ssl_tls13_check_received_extension(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2741 ssl, MBEDTLS_SSL_HS_NEW_SESSION_TICKET, extension_type,
2742 MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_NST);
2743 if (ret != 0) {
2744 return ret;
2745 }
Jerry Yu6ba9f1c2022-08-04 17:53:25 +0800[diff] [blame]2746
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2747 switch (extension_type) {
Xiaokang Qian0cc43202022-11-16 08:43:50 +0000[diff] [blame]2748#if defined(MBEDTLS_SSL_EARLY_DATA)
Xiaokang Qianf447e8a2022-11-08 07:02:27 +0000[diff] [blame]2749 case MBEDTLS_TLS_EXT_EARLY_DATA:
Yanray Wangb3e207d2023-11-30 16:49:49 +0800[diff] [blame]2750 ret = ssl_tls13_parse_new_session_ticket_early_data_ext(
Yanray Wang920db452023-11-14 17:20:16 +0800[diff] [blame]2751 ssl, p, p + extension_data_len);
2752 if (ret != 0) {
2753 MBEDTLS_SSL_DEBUG_RET(
Yanray Wangb3e207d2023-11-30 16:49:49 +0800[diff] [blame]2754 1, "ssl_tls13_parse_new_session_ticket_early_data_ext",
2755 ret);
Xiaokang Qian2d87a9e2022-11-09 07:55:48 +0000[diff] [blame]2756 }
Xiaokang Qianf447e8a2022-11-08 07:02:27 +0000[diff] [blame]2757 break;
Xiaokang Qian0cc43202022-11-16 08:43:50 +0000[diff] [blame]2758#endif /* MBEDTLS_SSL_EARLY_DATA */
Xiaokang Qianf447e8a2022-11-08 07:02:27 +0000[diff] [blame]2759
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2760 default:
Jerry Yu79aa7212022-11-08 21:30:21 +0800[diff] [blame]2761 MBEDTLS_SSL_PRINT_EXT(
Jerry Yuedab6372022-10-31 14:37:31 +0800[diff] [blame]2762 3, MBEDTLS_SSL_HS_NEW_SESSION_TICKET,
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2763 extension_type, "( ignored )");
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2764 break;
2765 }
Jerry Yu6ba9f1c2022-08-04 17:53:25 +0800[diff] [blame]2766
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2767 p += extension_data_len;
2768 }
2769
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2770 MBEDTLS_SSL_PRINT_EXTS(3, MBEDTLS_SSL_HS_NEW_SESSION_TICKET,
2771 handshake->received_extensions);
Jerry Yu6ba9f1c2022-08-04 17:53:25 +0800[diff] [blame]2772
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2773 return 0;
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2774}
2775
2776/*
Jerry Yu08aed4d2022-07-20 10:36:12 +0800[diff] [blame]2777 * From RFC8446, page 74
2778 *
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2779 * struct {
2780 * uint32 ticket_lifetime;
2781 * uint32 ticket_age_add;
2782 * opaque ticket_nonce<0..255>;
2783 * opaque ticket<1..2^16-1>;
2784 * Extension extensions<0..2^16-2>;
2785 * } NewSessionTicket;
2786 *
2787 */
Jerry Yua0446a02022-07-13 11:22:55 +0800[diff] [blame]2788MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2789static int ssl_tls13_parse_new_session_ticket(mbedtls_ssl_context *ssl,
2790 unsigned char *buf,
2791 unsigned char *end,
2792 unsigned char **ticket_nonce,
2793 size_t *ticket_nonce_len)
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2794{
2795 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2796 unsigned char *p = buf;
2797 mbedtls_ssl_session *session = ssl->session;
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2798 size_t ticket_len;
2799 unsigned char *ticket;
2800 size_t extensions_len;
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2801
Jerry Yucb3b1392022-07-12 06:09:38 +0000[diff] [blame]2802 *ticket_nonce = NULL;
2803 *ticket_nonce_len = 0;
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2804 /*
2805 * ticket_lifetime 4 bytes
2806 * ticket_age_add 4 bytes
Jerry Yu08aed4d2022-07-20 10:36:12 +0800[diff] [blame]2807 * ticket_nonce_len 1 byte
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2808 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2809 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 9);
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2810
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2811 session->ticket_lifetime = MBEDTLS_GET_UINT32_BE(p, 0);
2812 MBEDTLS_SSL_DEBUG_MSG(3,
2813 ("ticket_lifetime: %u",
2814 (unsigned int) session->ticket_lifetime));
Jerry Yu8e0174a2023-11-10 13:58:16 +0800[diff] [blame]2815 if (session->ticket_lifetime >
2816 MBEDTLS_SSL_TLS1_3_MAX_ALLOWED_TICKET_LIFETIME) {
Jerry Yu46c79262023-11-10 13:58:16 +0800[diff] [blame]2817 MBEDTLS_SSL_DEBUG_MSG(3, ("ticket_lifetime exceeds 7 days."));
Jerry Yucf913512023-11-14 11:06:52 +0800[diff] [blame]2818 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
Jerry Yu46c79262023-11-10 13:58:16 +0800[diff] [blame]2819 }
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2820
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2821 session->ticket_age_add = MBEDTLS_GET_UINT32_BE(p, 4);
2822 MBEDTLS_SSL_DEBUG_MSG(3,
2823 ("ticket_age_add: %u",
2824 (unsigned int) session->ticket_age_add));
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2825
Jerry Yucb3b1392022-07-12 06:09:38 +0000[diff] [blame]2826 *ticket_nonce_len = p[8];
2827 p += 9;
2828
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2829 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, *ticket_nonce_len);
Jerry Yucb3b1392022-07-12 06:09:38 +0000[diff] [blame]2830 *ticket_nonce = p;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2831 MBEDTLS_SSL_DEBUG_BUF(3, "ticket_nonce:", *ticket_nonce, *ticket_nonce_len);
Jerry Yucb3b1392022-07-12 06:09:38 +0000[diff] [blame]2832 p += *ticket_nonce_len;
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2833
2834 /* Ticket */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2835 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
2836 ticket_len = MBEDTLS_GET_UINT16_BE(p, 0);
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2837 p += 2;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2838 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, ticket_len);
2839 MBEDTLS_SSL_DEBUG_BUF(3, "received ticket", p, ticket_len);
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2840
2841 /* Check if we previously received a ticket already. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2842 if (session->ticket != NULL || session->ticket_len > 0) {
2843 mbedtls_free(session->ticket);
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2844 session->ticket = NULL;
2845 session->ticket_len = 0;
2846 }
2847
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2848 if ((ticket = mbedtls_calloc(1, ticket_len)) == NULL) {
2849 MBEDTLS_SSL_DEBUG_MSG(1, ("ticket alloc failed"));
2850 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2851 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2852 memcpy(ticket, p, ticket_len);
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2853 p += ticket_len;
2854 session->ticket = ticket;
2855 session->ticket_len = ticket_len;
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2856
Pengyu Lv9f926952022-11-17 15:22:33 +0800[diff] [blame]2857 /* Clear all flags in ticket_flags */
Pengyu Lv94a42cc2023-12-06 10:04:17 +0800[diff] [blame]2858 mbedtls_ssl_tls13_session_clear_ticket_flags(
Pengyu Lv9eacb442022-12-09 14:39:19 +0800[diff] [blame]2859 session, MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK);
Pengyu Lv9f926952022-11-17 15:22:33 +0800[diff] [blame]2860
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2861 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
2862 extensions_len = MBEDTLS_GET_UINT16_BE(p, 0);
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2863 p += 2;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2864 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, extensions_len);
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2865
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2866 MBEDTLS_SSL_DEBUG_BUF(3, "ticket extension", p, extensions_len);
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2867
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2868 ret = ssl_tls13_parse_new_session_ticket_exts(ssl, p, p + extensions_len);
2869 if (ret != 0) {
2870 MBEDTLS_SSL_DEBUG_RET(1,
2871 "ssl_tls13_parse_new_session_ticket_exts",
2872 ret);
2873 return ret;
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2874 }
Jerry Yucb3b1392022-07-12 06:09:38 +0000[diff] [blame]2875
Jerry Yudb8c5fa2022-08-03 12:10:13 +0800[diff] [blame]2876 /* session has been updated, allow export */
2877 session->exported = 0;
2878
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2879 return 0;
Jerry Yucb3b1392022-07-12 06:09:38 +0000[diff] [blame]2880}
2881
Jerry Yua0446a02022-07-13 11:22:55 +0800[diff] [blame]2882MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2883static int ssl_tls13_postprocess_new_session_ticket(mbedtls_ssl_context *ssl,
2884 unsigned char *ticket_nonce,
2885 size_t ticket_nonce_len)
Jerry Yucb3b1392022-07-12 06:09:38 +0000[diff] [blame]2886{
2887 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2888 mbedtls_ssl_session *session = ssl->session;
2889 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
2890 psa_algorithm_t psa_hash_alg;
2891 int hash_length;
2892
Jerry Yu4e6c42a2022-07-13 11:16:51 +0800[diff] [blame]2893#if defined(MBEDTLS_HAVE_TIME)
2894 /* Store ticket creation time */
Jerry Yu342a5552023-11-10 14:23:39 +0800[diff] [blame]2895 session->ticket_reception_time = mbedtls_ms_time();
Jerry Yu4e6c42a2022-07-13 11:16:51 +0800[diff] [blame]2896#endif
2897
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2898 ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(session->ciphersuite);
2899 if (ciphersuite_info == NULL) {
2900 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
2901 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2902 }
2903
Dave Rodgman2eab4622023-10-05 13:30:37 +0100[diff] [blame]2904 psa_hash_alg = mbedtls_md_psa_alg_from_type((mbedtls_md_type_t) ciphersuite_info->mac);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2905 hash_length = PSA_HASH_LENGTH(psa_hash_alg);
2906 if (hash_length == -1 ||
2907 (size_t) hash_length > sizeof(session->resumption_key)) {
2908 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
Jerry Yu3afdf362022-07-20 17:34:14 +0800[diff] [blame]2909 }
2910
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2911
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2912 MBEDTLS_SSL_DEBUG_BUF(3, "resumption_master_secret",
2913 session->app_secrets.resumption_master_secret,
2914 hash_length);
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2915
Jerry Yu4e6c42a2022-07-13 11:16:51 +0800[diff] [blame]2916 /* Compute resumption key
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2917 *
2918 * HKDF-Expand-Label( resumption_master_secret,
2919 * "resumption", ticket_nonce, Hash.length )
2920 */
2921 ret = mbedtls_ssl_tls13_hkdf_expand_label(
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2922 psa_hash_alg,
2923 session->app_secrets.resumption_master_secret,
2924 hash_length,
2925 MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(resumption),
2926 ticket_nonce,
2927 ticket_nonce_len,
2928 session->resumption_key,
2929 hash_length);
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2930
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2931 if (ret != 0) {
2932 MBEDTLS_SSL_DEBUG_RET(2,
2933 "Creating the ticket-resumed PSK failed",
2934 ret);
2935 return ret;
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2936 }
2937
Jerry Yu0a430c82022-07-20 11:02:48 +0800[diff] [blame]2938 session->resumption_key_len = hash_length;
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2939
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2940 MBEDTLS_SSL_DEBUG_BUF(3, "Ticket-resumed PSK",
2941 session->resumption_key,
2942 session->resumption_key_len);
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2943
Pengyu Lv9f926952022-11-17 15:22:33 +0800[diff] [blame]2944 /* Set ticket_flags depends on the selected key exchange modes */
Pengyu Lv94a42cc2023-12-06 10:04:17 +0800[diff] [blame]2945 mbedtls_ssl_tls13_session_set_ticket_flags(
Pengyu Lv9eacb442022-12-09 14:39:19 +0800[diff] [blame]2946 session, ssl->conf->tls13_kex_modes);
Pengyu Lv4938a562023-01-16 11:28:49 +0800[diff] [blame]2947 MBEDTLS_SSL_PRINT_TICKET_FLAGS(4, session->ticket_flags);
Pengyu Lv9f926952022-11-17 15:22:33 +0800[diff] [blame]2948
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2949 return 0;
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2950}
2951
2952/*
Jerry Yua8d3c502022-10-30 14:51:23 +0800[diff] [blame]2953 * Handler for MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2954 */
Jerry Yua0446a02022-07-13 11:22:55 +0800[diff] [blame]2955MBEDTLS_CHECK_RETURN_CRITICAL
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2956static int ssl_tls13_process_new_session_ticket(mbedtls_ssl_context *ssl)
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2957{
2958 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2959 unsigned char *buf;
2960 size_t buf_len;
Jerry Yucb3b1392022-07-12 06:09:38 +0000[diff] [blame]2961 unsigned char *ticket_nonce;
2962 size_t ticket_nonce_len;
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2963
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2964 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse new session ticket"));
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2965
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2966 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_tls13_fetch_handshake_msg(
2967 ssl, MBEDTLS_SSL_HS_NEW_SESSION_TICKET,
2968 &buf, &buf_len));
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2969
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2970 MBEDTLS_SSL_PROC_CHK(ssl_tls13_parse_new_session_ticket(
2971 ssl, buf, buf + buf_len,
2972 &ticket_nonce, &ticket_nonce_len));
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2973
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2974 MBEDTLS_SSL_PROC_CHK(ssl_tls13_postprocess_new_session_ticket(
2975 ssl, ticket_nonce, ticket_nonce_len));
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2976
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2977 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_OVER);
Jerry Yu4e6c42a2022-07-13 11:16:51 +0800[diff] [blame]2978
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2979cleanup:
2980
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2981 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse new session ticket"));
2982 return ret;
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]2983}
2984#endif /* MBEDTLS_SSL_SESSION_TICKETS */
2985
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2986int mbedtls_ssl_tls13_handshake_client_step(mbedtls_ssl_context *ssl)
Jerry Yubc20bdd2021-08-24 15:59:48 +0800[diff] [blame]2987{
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]2988 int ret = 0;
Jerry Yuc8a392c2021-08-18 16:46:28 +0800[diff] [blame]2989
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2990 switch (ssl->state) {
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]2991 case MBEDTLS_SSL_HELLO_REQUEST:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2992 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_HELLO);
Jerry Yuddda0502022-12-01 19:43:12 +0800[diff] [blame]2993 break;
2994
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]2995 case MBEDTLS_SSL_CLIENT_HELLO:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2996 ret = mbedtls_ssl_write_client_hello(ssl);
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]2997 break;
2998
2999 case MBEDTLS_SSL_SERVER_HELLO:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3000 ret = ssl_tls13_process_server_hello(ssl);
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]3001 break;
3002
3003 case MBEDTLS_SSL_ENCRYPTED_EXTENSIONS:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3004 ret = ssl_tls13_process_encrypted_extensions(ssl);
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]3005 break;
3006
Ronald Cron928cbd32022-10-04 16:14:26 +0200[diff] [blame]3007#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
Jerry Yud2674312021-10-29 10:08:19 +0800[diff] [blame]3008 case MBEDTLS_SSL_CERTIFICATE_REQUEST:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3009 ret = ssl_tls13_process_certificate_request(ssl);
Jerry Yud2674312021-10-29 10:08:19 +0800[diff] [blame]3010 break;
3011
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]3012 case MBEDTLS_SSL_SERVER_CERTIFICATE:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3013 ret = ssl_tls13_process_server_certificate(ssl);
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]3014 break;
3015
3016 case MBEDTLS_SSL_CERTIFICATE_VERIFY:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3017 ret = ssl_tls13_process_certificate_verify(ssl);
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]3018 break;
Ronald Cron928cbd32022-10-04 16:14:26 +0200[diff] [blame]3019#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]3020
3021 case MBEDTLS_SSL_SERVER_FINISHED:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3022 ret = ssl_tls13_process_server_finished(ssl);
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]3023 break;
3024
Xiaokang Qian125afcb2022-10-28 06:04:06 +0000[diff] [blame]3025 case MBEDTLS_SSL_END_OF_EARLY_DATA:
3026 ret = ssl_tls13_write_end_of_early_data(ssl);
3027 break;
3028
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]3029 case MBEDTLS_SSL_CLIENT_CERTIFICATE:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3030 ret = ssl_tls13_write_client_certificate(ssl);
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]3031 break;
3032
Ronald Cron928cbd32022-10-04 16:14:26 +0200[diff] [blame]3033#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]3034 case MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3035 ret = ssl_tls13_write_client_certificate_verify(ssl);
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]3036 break;
Ronald Cron928cbd32022-10-04 16:14:26 +0200[diff] [blame]3037#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
Jerry Yu566c7812022-01-26 15:41:22 +0800[diff] [blame]3038
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]3039 case MBEDTLS_SSL_CLIENT_FINISHED:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3040 ret = ssl_tls13_write_client_finished(ssl);
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]3041 break;
3042
3043 case MBEDTLS_SSL_FLUSH_BUFFERS:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3044 ret = ssl_tls13_flush_buffers(ssl);
Jerry Yu687101b2021-09-14 16:03:56 +0800[diff] [blame]3045 break;
3046
3047 case MBEDTLS_SSL_HANDSHAKE_WRAPUP:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3048 ret = ssl_tls13_handshake_wrapup(ssl);
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]3049 break;
3050
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3051 /*
3052 * Injection of dummy-CCS's for middlebox compatibility
3053 */
Ronald Cron49ad6192021-11-24 16:25:31 +0100[diff] [blame]3054#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
XiaokangQian0b56a8f2021-12-22 02:39:32 +0000[diff] [blame]3055 case MBEDTLS_SSL_CLIENT_CCS_BEFORE_2ND_CLIENT_HELLO:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3056 ret = mbedtls_ssl_tls13_write_change_cipher_spec(ssl);
3057 if (ret == 0) {
3058 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_HELLO);
3059 }
Ronald Cron9f55f632022-02-02 16:02:47 +0100[diff] [blame]3060 break;
3061
3062 case MBEDTLS_SSL_CLIENT_CCS_AFTER_SERVER_FINISHED:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3063 ret = mbedtls_ssl_tls13_write_change_cipher_spec(ssl);
3064 if (ret == 0) {
Xiaokang Qian958b6ff2023-03-29 10:37:35 +0000[diff] [blame]3065 mbedtls_ssl_handshake_set_state(
3066 ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3067 }
Ronald Cron49ad6192021-11-24 16:25:31 +0100[diff] [blame]3068 break;
Xiaokang Qianf6d8fd32023-02-02 02:46:26 +0000[diff] [blame]3069
Xiaokang Qian592021a2023-01-04 10:47:05 +0000[diff] [blame]3070 case MBEDTLS_SSL_CLIENT_CCS_AFTER_CLIENT_HELLO:
3071 ret = mbedtls_ssl_tls13_write_change_cipher_spec(ssl);
3072 if (ret == 0) {
3073 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_HELLO);
3074
Xiaokang Qian33ff8682023-01-10 06:32:12 +0000[diff] [blame]3075#if defined(MBEDTLS_SSL_EARLY_DATA)
Xiaokang Qian592021a2023-01-04 10:47:05 +0000[diff] [blame]3076 MBEDTLS_SSL_DEBUG_MSG(
3077 1, ("Switch to early data keys for outbound traffic"));
3078 mbedtls_ssl_set_outbound_transform(
3079 ssl, ssl->handshake->transform_earlydata);
Xiaokang Qian33ff8682023-01-10 06:32:12 +0000[diff] [blame]3080#endif
Xiaokang Qian592021a2023-01-04 10:47:05 +0000[diff] [blame]3081 }
3082 break;
Ronald Cron49ad6192021-11-24 16:25:31 +0100[diff] [blame]3083#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
3084
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]3085#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Jerry Yua8d3c502022-10-30 14:51:23 +0800[diff] [blame]3086 case MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3087 ret = ssl_tls13_process_new_session_ticket(ssl);
3088 if (ret != 0) {
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]3089 break;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3090 }
Jerry Yuf8a49942022-07-07 11:32:32 +0000[diff] [blame]3091 ret = MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET;
3092 break;
3093#endif /* MBEDTLS_SSL_SESSION_TICKETS */
3094
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]3095 default:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3096 MBEDTLS_SSL_DEBUG_MSG(1, ("invalid state %d", ssl->state));
3097 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]3098 }
3099
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]3100 return ret;
Jerry Yu92c6b402021-08-27 16:59:09 +0800[diff] [blame]3101}
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800[diff] [blame]3102
Jerry Yufb4b6472022-01-27 15:03:26 +0800[diff] [blame]3103#endif /* MBEDTLS_SSL_CLI_C && MBEDTLS_SSL_PROTO_TLS1_3 */