1*62c56f98SSadaf Ebrahimi /*
2*62c56f98SSadaf Ebrahimi * TLS 1.3 client-side functions
3*62c56f98SSadaf Ebrahimi *
4*62c56f98SSadaf Ebrahimi * Copyright The Mbed TLS Contributors
5*62c56f98SSadaf Ebrahimi * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
6*62c56f98SSadaf Ebrahimi */
7*62c56f98SSadaf Ebrahimi
8*62c56f98SSadaf Ebrahimi #include "common.h"
9*62c56f98SSadaf Ebrahimi
10*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_SSL_CLI_C) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
11*62c56f98SSadaf Ebrahimi
12*62c56f98SSadaf Ebrahimi #include <string.h>
13*62c56f98SSadaf Ebrahimi
14*62c56f98SSadaf Ebrahimi #include "mbedtls/debug.h"
15*62c56f98SSadaf Ebrahimi #include "mbedtls/error.h"
16*62c56f98SSadaf Ebrahimi #include "mbedtls/platform.h"
17*62c56f98SSadaf Ebrahimi
18*62c56f98SSadaf Ebrahimi #include "ssl_misc.h"
19*62c56f98SSadaf Ebrahimi #include "ssl_client.h"
20*62c56f98SSadaf Ebrahimi #include "ssl_tls13_keys.h"
21*62c56f98SSadaf Ebrahimi #include "ssl_debug_helpers.h"
22*62c56f98SSadaf Ebrahimi #include "md_psa.h"
23*62c56f98SSadaf Ebrahimi
24*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)
25*62c56f98SSadaf Ebrahimi /* Define a local translating function to save code size by not using too many
26*62c56f98SSadaf Ebrahimi * arguments in each translating place. */
local_err_translation(psa_status_t status)27*62c56f98SSadaf Ebrahimi static int local_err_translation(psa_status_t status)
28*62c56f98SSadaf Ebrahimi {
29*62c56f98SSadaf Ebrahimi return psa_status_to_mbedtls(status, psa_to_ssl_errors,
30*62c56f98SSadaf Ebrahimi ARRAY_LENGTH(psa_to_ssl_errors),
31*62c56f98SSadaf Ebrahimi psa_generic_status_to_mbedtls);
32*62c56f98SSadaf Ebrahimi }
33*62c56f98SSadaf Ebrahimi #define PSA_TO_MBEDTLS_ERR(status) local_err_translation(status)
34*62c56f98SSadaf Ebrahimi #endif
35*62c56f98SSadaf Ebrahimi
36*62c56f98SSadaf Ebrahimi /* Write extensions */
37*62c56f98SSadaf Ebrahimi
38*62c56f98SSadaf Ebrahimi /*
39*62c56f98SSadaf Ebrahimi * ssl_tls13_write_supported_versions_ext():
40*62c56f98SSadaf Ebrahimi *
41*62c56f98SSadaf Ebrahimi * struct {
42*62c56f98SSadaf Ebrahimi * ProtocolVersion versions<2..254>;
43*62c56f98SSadaf Ebrahimi * } SupportedVersions;
44*62c56f98SSadaf Ebrahimi */
45*62c56f98SSadaf Ebrahimi MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_write_supported_versions_ext(mbedtls_ssl_context * ssl,unsigned char * buf,unsigned char * end,size_t * out_len)46*62c56f98SSadaf Ebrahimi static int ssl_tls13_write_supported_versions_ext(mbedtls_ssl_context *ssl,
47*62c56f98SSadaf Ebrahimi unsigned char *buf,
48*62c56f98SSadaf Ebrahimi unsigned char *end,
49*62c56f98SSadaf Ebrahimi size_t *out_len)
50*62c56f98SSadaf Ebrahimi {
51*62c56f98SSadaf Ebrahimi unsigned char *p = buf;
52*62c56f98SSadaf Ebrahimi unsigned char versions_len = (ssl->handshake->min_tls_version <=
53*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_VERSION_TLS1_2) ? 4 : 2;
54*62c56f98SSadaf Ebrahimi
55*62c56f98SSadaf Ebrahimi *out_len = 0;
56*62c56f98SSadaf Ebrahimi
57*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, adding supported versions extension"));
58*62c56f98SSadaf Ebrahimi
59*62c56f98SSadaf Ebrahimi /* Check if we have space to write the extension:
60*62c56f98SSadaf Ebrahimi * - extension_type (2 bytes)
61*62c56f98SSadaf Ebrahimi * - extension_data_length (2 bytes)
62*62c56f98SSadaf Ebrahimi * - versions_length (1 byte )
63*62c56f98SSadaf Ebrahimi * - versions (2 or 4 bytes)
64*62c56f98SSadaf Ebrahimi */
65*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_CHK_BUF_PTR(p, end, 5 + versions_len);
66*62c56f98SSadaf Ebrahimi
67*62c56f98SSadaf Ebrahimi MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS, p, 0);
68*62c56f98SSadaf Ebrahimi MBEDTLS_PUT_UINT16_BE(versions_len + 1, p, 2);
69*62c56f98SSadaf Ebrahimi p += 4;
70*62c56f98SSadaf Ebrahimi
71*62c56f98SSadaf Ebrahimi /* Length of versions */
72*62c56f98SSadaf Ebrahimi *p++ = versions_len;
73*62c56f98SSadaf Ebrahimi
74*62c56f98SSadaf Ebrahimi /* Write values of supported versions.
75*62c56f98SSadaf Ebrahimi * They are defined by the configuration.
76*62c56f98SSadaf Ebrahimi * Currently, we advertise only TLS 1.3 or both TLS 1.3 and TLS 1.2.
77*62c56f98SSadaf Ebrahimi */
78*62c56f98SSadaf Ebrahimi mbedtls_ssl_write_version(p, MBEDTLS_SSL_TRANSPORT_STREAM,
79*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_VERSION_TLS1_3);
80*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(3, ("supported version: [3:4]"));
81*62c56f98SSadaf Ebrahimi
82*62c56f98SSadaf Ebrahimi
83*62c56f98SSadaf Ebrahimi if (ssl->handshake->min_tls_version <= MBEDTLS_SSL_VERSION_TLS1_2) {
84*62c56f98SSadaf Ebrahimi mbedtls_ssl_write_version(p + 2, MBEDTLS_SSL_TRANSPORT_STREAM,
85*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_VERSION_TLS1_2);
86*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(3, ("supported version: [3:3]"));
87*62c56f98SSadaf Ebrahimi }
88*62c56f98SSadaf Ebrahimi
89*62c56f98SSadaf Ebrahimi *out_len = 5 + versions_len;
90*62c56f98SSadaf Ebrahimi
91*62c56f98SSadaf Ebrahimi mbedtls_ssl_tls13_set_hs_sent_ext_mask(
92*62c56f98SSadaf Ebrahimi ssl, MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS);
93*62c56f98SSadaf Ebrahimi
94*62c56f98SSadaf Ebrahimi return 0;
95*62c56f98SSadaf Ebrahimi }
96*62c56f98SSadaf Ebrahimi
97*62c56f98SSadaf Ebrahimi MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_parse_supported_versions_ext(mbedtls_ssl_context * ssl,const unsigned char * buf,const unsigned char * end)98*62c56f98SSadaf Ebrahimi static int ssl_tls13_parse_supported_versions_ext(mbedtls_ssl_context *ssl,
99*62c56f98SSadaf Ebrahimi const unsigned char *buf,
100*62c56f98SSadaf Ebrahimi const unsigned char *end)
101*62c56f98SSadaf Ebrahimi {
102*62c56f98SSadaf Ebrahimi ((void) ssl);
103*62c56f98SSadaf Ebrahimi
104*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_CHK_BUF_READ_PTR(buf, end, 2);
105*62c56f98SSadaf Ebrahimi if (mbedtls_ssl_read_version(buf, ssl->conf->transport) !=
106*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_VERSION_TLS1_3) {
107*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(1, ("unexpected version"));
108*62c56f98SSadaf Ebrahimi
109*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
110*62c56f98SSadaf Ebrahimi MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
111*62c56f98SSadaf Ebrahimi return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
112*62c56f98SSadaf Ebrahimi }
113*62c56f98SSadaf Ebrahimi
114*62c56f98SSadaf Ebrahimi if (&buf[2] != end) {
115*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(
116*62c56f98SSadaf Ebrahimi 1, ("supported_versions ext data length incorrect"));
117*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
118*62c56f98SSadaf Ebrahimi MBEDTLS_ERR_SSL_DECODE_ERROR);
119*62c56f98SSadaf Ebrahimi return MBEDTLS_ERR_SSL_DECODE_ERROR;
120*62c56f98SSadaf Ebrahimi }
121*62c56f98SSadaf Ebrahimi
122*62c56f98SSadaf Ebrahimi return 0;
123*62c56f98SSadaf Ebrahimi }
124*62c56f98SSadaf Ebrahimi
125*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_SSL_ALPN)
126*62c56f98SSadaf Ebrahimi MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_parse_alpn_ext(mbedtls_ssl_context * ssl,const unsigned char * buf,size_t len)127*62c56f98SSadaf Ebrahimi static int ssl_tls13_parse_alpn_ext(mbedtls_ssl_context *ssl,
128*62c56f98SSadaf Ebrahimi const unsigned char *buf, size_t len)
129*62c56f98SSadaf Ebrahimi {
130*62c56f98SSadaf Ebrahimi const unsigned char *p = buf;
131*62c56f98SSadaf Ebrahimi const unsigned char *end = buf + len;
132*62c56f98SSadaf Ebrahimi size_t protocol_name_list_len, protocol_name_len;
133*62c56f98SSadaf Ebrahimi const unsigned char *protocol_name_list_end;
134*62c56f98SSadaf Ebrahimi
135*62c56f98SSadaf Ebrahimi /* If we didn't send it, the server shouldn't send it */
136*62c56f98SSadaf Ebrahimi if (ssl->conf->alpn_list == NULL) {
137*62c56f98SSadaf Ebrahimi return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
138*62c56f98SSadaf Ebrahimi }
139*62c56f98SSadaf Ebrahimi
140*62c56f98SSadaf Ebrahimi /*
141*62c56f98SSadaf Ebrahimi * opaque ProtocolName<1..2^8-1>;
142*62c56f98SSadaf Ebrahimi *
143*62c56f98SSadaf Ebrahimi * struct {
144*62c56f98SSadaf Ebrahimi * ProtocolName protocol_name_list<2..2^16-1>
145*62c56f98SSadaf Ebrahimi * } ProtocolNameList;
146*62c56f98SSadaf Ebrahimi *
147*62c56f98SSadaf Ebrahimi * the "ProtocolNameList" MUST contain exactly one "ProtocolName"
148*62c56f98SSadaf Ebrahimi */
149*62c56f98SSadaf Ebrahimi
150*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
151*62c56f98SSadaf Ebrahimi protocol_name_list_len = MBEDTLS_GET_UINT16_BE(p, 0);
152*62c56f98SSadaf Ebrahimi p += 2;
153*62c56f98SSadaf Ebrahimi
154*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, protocol_name_list_len);
155*62c56f98SSadaf Ebrahimi protocol_name_list_end = p + protocol_name_list_len;
156*62c56f98SSadaf Ebrahimi
157*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_CHK_BUF_READ_PTR(p, protocol_name_list_end, 1);
158*62c56f98SSadaf Ebrahimi protocol_name_len = *p++;
159*62c56f98SSadaf Ebrahimi
160*62c56f98SSadaf Ebrahimi /* Check that the server chosen protocol was in our list and save it */
161*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_CHK_BUF_READ_PTR(p, protocol_name_list_end, protocol_name_len);
162*62c56f98SSadaf Ebrahimi for (const char **alpn = ssl->conf->alpn_list; *alpn != NULL; alpn++) {
163*62c56f98SSadaf Ebrahimi if (protocol_name_len == strlen(*alpn) &&
164*62c56f98SSadaf Ebrahimi memcmp(p, *alpn, protocol_name_len) == 0) {
165*62c56f98SSadaf Ebrahimi ssl->alpn_chosen = *alpn;
166*62c56f98SSadaf Ebrahimi return 0;
167*62c56f98SSadaf Ebrahimi }
168*62c56f98SSadaf Ebrahimi }
169*62c56f98SSadaf Ebrahimi
170*62c56f98SSadaf Ebrahimi return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
171*62c56f98SSadaf Ebrahimi }
172*62c56f98SSadaf Ebrahimi #endif /* MBEDTLS_SSL_ALPN */
173*62c56f98SSadaf Ebrahimi
174*62c56f98SSadaf Ebrahimi MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_reset_key_share(mbedtls_ssl_context * ssl)175*62c56f98SSadaf Ebrahimi static int ssl_tls13_reset_key_share(mbedtls_ssl_context *ssl)
176*62c56f98SSadaf Ebrahimi {
177*62c56f98SSadaf Ebrahimi uint16_t group_id = ssl->handshake->offered_group_id;
178*62c56f98SSadaf Ebrahimi
179*62c56f98SSadaf Ebrahimi if (group_id == 0) {
180*62c56f98SSadaf Ebrahimi return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
181*62c56f98SSadaf Ebrahimi }
182*62c56f98SSadaf Ebrahimi
183*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)
184*62c56f98SSadaf Ebrahimi if (mbedtls_ssl_tls13_named_group_is_ecdhe(group_id) ||
185*62c56f98SSadaf Ebrahimi mbedtls_ssl_tls13_named_group_is_ffdh(group_id)) {
186*62c56f98SSadaf Ebrahimi int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
187*62c56f98SSadaf Ebrahimi psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
188*62c56f98SSadaf Ebrahimi
189*62c56f98SSadaf Ebrahimi /* Destroy generated private key. */
190*62c56f98SSadaf Ebrahimi status = psa_destroy_key(ssl->handshake->xxdh_psa_privkey);
191*62c56f98SSadaf Ebrahimi if (status != PSA_SUCCESS) {
192*62c56f98SSadaf Ebrahimi ret = PSA_TO_MBEDTLS_ERR(status);
193*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_RET(1, "psa_destroy_key", ret);
194*62c56f98SSadaf Ebrahimi return ret;
195*62c56f98SSadaf Ebrahimi }
196*62c56f98SSadaf Ebrahimi
197*62c56f98SSadaf Ebrahimi ssl->handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
198*62c56f98SSadaf Ebrahimi return 0;
199*62c56f98SSadaf Ebrahimi } else
200*62c56f98SSadaf Ebrahimi #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED */
201*62c56f98SSadaf Ebrahimi if (0 /* other KEMs? */) {
202*62c56f98SSadaf Ebrahimi /* Do something */
203*62c56f98SSadaf Ebrahimi }
204*62c56f98SSadaf Ebrahimi
205*62c56f98SSadaf Ebrahimi return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
206*62c56f98SSadaf Ebrahimi }
207*62c56f98SSadaf Ebrahimi
208*62c56f98SSadaf Ebrahimi /*
209*62c56f98SSadaf Ebrahimi * Functions for writing key_share extension.
210*62c56f98SSadaf Ebrahimi */
211*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)
212*62c56f98SSadaf Ebrahimi MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_get_default_group_id(mbedtls_ssl_context * ssl,uint16_t * group_id)213*62c56f98SSadaf Ebrahimi static int ssl_tls13_get_default_group_id(mbedtls_ssl_context *ssl,
214*62c56f98SSadaf Ebrahimi uint16_t *group_id)
215*62c56f98SSadaf Ebrahimi {
216*62c56f98SSadaf Ebrahimi int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
217*62c56f98SSadaf Ebrahimi
218*62c56f98SSadaf Ebrahimi
219*62c56f98SSadaf Ebrahimi #if defined(PSA_WANT_ALG_ECDH) || defined(PSA_WANT_ALG_FFDH)
220*62c56f98SSadaf Ebrahimi const uint16_t *group_list = mbedtls_ssl_get_groups(ssl);
221*62c56f98SSadaf Ebrahimi /* Pick first available ECDHE group compatible with TLS 1.3 */
222*62c56f98SSadaf Ebrahimi if (group_list == NULL) {
223*62c56f98SSadaf Ebrahimi return MBEDTLS_ERR_SSL_BAD_CONFIG;
224*62c56f98SSadaf Ebrahimi }
225*62c56f98SSadaf Ebrahimi
226*62c56f98SSadaf Ebrahimi for (; *group_list != 0; group_list++) {
227*62c56f98SSadaf Ebrahimi #if defined(PSA_WANT_ALG_ECDH)
228*62c56f98SSadaf Ebrahimi if ((mbedtls_ssl_get_psa_curve_info_from_tls_id(
229*62c56f98SSadaf Ebrahimi *group_list, NULL, NULL) == PSA_SUCCESS) &&
230*62c56f98SSadaf Ebrahimi mbedtls_ssl_tls13_named_group_is_ecdhe(*group_list)) {
231*62c56f98SSadaf Ebrahimi *group_id = *group_list;
232*62c56f98SSadaf Ebrahimi return 0;
233*62c56f98SSadaf Ebrahimi }
234*62c56f98SSadaf Ebrahimi #endif
235*62c56f98SSadaf Ebrahimi #if defined(PSA_WANT_ALG_FFDH)
236*62c56f98SSadaf Ebrahimi if (mbedtls_ssl_tls13_named_group_is_ffdh(*group_list)) {
237*62c56f98SSadaf Ebrahimi *group_id = *group_list;
238*62c56f98SSadaf Ebrahimi return 0;
239*62c56f98SSadaf Ebrahimi }
240*62c56f98SSadaf Ebrahimi #endif
241*62c56f98SSadaf Ebrahimi }
242*62c56f98SSadaf Ebrahimi #else
243*62c56f98SSadaf Ebrahimi ((void) ssl);
244*62c56f98SSadaf Ebrahimi ((void) group_id);
245*62c56f98SSadaf Ebrahimi #endif /* PSA_WANT_ALG_ECDH || PSA_WANT_ALG_FFDH */
246*62c56f98SSadaf Ebrahimi
247*62c56f98SSadaf Ebrahimi return ret;
248*62c56f98SSadaf Ebrahimi }
249*62c56f98SSadaf Ebrahimi
250*62c56f98SSadaf Ebrahimi /*
251*62c56f98SSadaf Ebrahimi * ssl_tls13_write_key_share_ext
252*62c56f98SSadaf Ebrahimi *
253*62c56f98SSadaf Ebrahimi * Structure of key_share extension in ClientHello:
254*62c56f98SSadaf Ebrahimi *
255*62c56f98SSadaf Ebrahimi * struct {
256*62c56f98SSadaf Ebrahimi * NamedGroup group;
257*62c56f98SSadaf Ebrahimi * opaque key_exchange<1..2^16-1>;
258*62c56f98SSadaf Ebrahimi * } KeyShareEntry;
259*62c56f98SSadaf Ebrahimi * struct {
260*62c56f98SSadaf Ebrahimi * KeyShareEntry client_shares<0..2^16-1>;
261*62c56f98SSadaf Ebrahimi * } KeyShareClientHello;
262*62c56f98SSadaf Ebrahimi */
263*62c56f98SSadaf Ebrahimi MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_write_key_share_ext(mbedtls_ssl_context * ssl,unsigned char * buf,unsigned char * end,size_t * out_len)264*62c56f98SSadaf Ebrahimi static int ssl_tls13_write_key_share_ext(mbedtls_ssl_context *ssl,
265*62c56f98SSadaf Ebrahimi unsigned char *buf,
266*62c56f98SSadaf Ebrahimi unsigned char *end,
267*62c56f98SSadaf Ebrahimi size_t *out_len)
268*62c56f98SSadaf Ebrahimi {
269*62c56f98SSadaf Ebrahimi unsigned char *p = buf;
270*62c56f98SSadaf Ebrahimi unsigned char *client_shares; /* Start of client_shares */
271*62c56f98SSadaf Ebrahimi size_t client_shares_len; /* Length of client_shares */
272*62c56f98SSadaf Ebrahimi uint16_t group_id;
273*62c56f98SSadaf Ebrahimi int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
274*62c56f98SSadaf Ebrahimi
275*62c56f98SSadaf Ebrahimi *out_len = 0;
276*62c56f98SSadaf Ebrahimi
277*62c56f98SSadaf Ebrahimi /* Check if we have space for header and length fields:
278*62c56f98SSadaf Ebrahimi * - extension_type (2 bytes)
279*62c56f98SSadaf Ebrahimi * - extension_data_length (2 bytes)
280*62c56f98SSadaf Ebrahimi * - client_shares_length (2 bytes)
281*62c56f98SSadaf Ebrahimi */
282*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_CHK_BUF_PTR(p, end, 6);
283*62c56f98SSadaf Ebrahimi p += 6;
284*62c56f98SSadaf Ebrahimi
285*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(3, ("client hello: adding key share extension"));
286*62c56f98SSadaf Ebrahimi
287*62c56f98SSadaf Ebrahimi /* HRR could already have requested something else. */
288*62c56f98SSadaf Ebrahimi group_id = ssl->handshake->offered_group_id;
289*62c56f98SSadaf Ebrahimi if (!mbedtls_ssl_tls13_named_group_is_ecdhe(group_id) &&
290*62c56f98SSadaf Ebrahimi !mbedtls_ssl_tls13_named_group_is_ffdh(group_id)) {
291*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_PROC_CHK(ssl_tls13_get_default_group_id(ssl,
292*62c56f98SSadaf Ebrahimi &group_id));
293*62c56f98SSadaf Ebrahimi }
294*62c56f98SSadaf Ebrahimi
295*62c56f98SSadaf Ebrahimi /*
296*62c56f98SSadaf Ebrahimi * Dispatch to type-specific key generation function.
297*62c56f98SSadaf Ebrahimi *
298*62c56f98SSadaf Ebrahimi * So far, we're only supporting ECDHE. With the introduction
299*62c56f98SSadaf Ebrahimi * of PQC KEMs, we'll want to have multiple branches, one per
300*62c56f98SSadaf Ebrahimi * type of KEM, and dispatch to the corresponding crypto. And
301*62c56f98SSadaf Ebrahimi * only one key share entry is allowed.
302*62c56f98SSadaf Ebrahimi */
303*62c56f98SSadaf Ebrahimi client_shares = p;
304*62c56f98SSadaf Ebrahimi #if defined(PSA_WANT_ALG_ECDH) || defined(PSA_WANT_ALG_FFDH)
305*62c56f98SSadaf Ebrahimi if (mbedtls_ssl_tls13_named_group_is_ecdhe(group_id) ||
306*62c56f98SSadaf Ebrahimi mbedtls_ssl_tls13_named_group_is_ffdh(group_id)) {
307*62c56f98SSadaf Ebrahimi /* Pointer to group */
308*62c56f98SSadaf Ebrahimi unsigned char *group = p;
309*62c56f98SSadaf Ebrahimi /* Length of key_exchange */
310*62c56f98SSadaf Ebrahimi size_t key_exchange_len = 0;
311*62c56f98SSadaf Ebrahimi
312*62c56f98SSadaf Ebrahimi /* Check there is space for header of KeyShareEntry
313*62c56f98SSadaf Ebrahimi * - group (2 bytes)
314*62c56f98SSadaf Ebrahimi * - key_exchange_length (2 bytes)
315*62c56f98SSadaf Ebrahimi */
316*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_CHK_BUF_PTR(p, end, 4);
317*62c56f98SSadaf Ebrahimi p += 4;
318*62c56f98SSadaf Ebrahimi ret = mbedtls_ssl_tls13_generate_and_write_xxdh_key_exchange(
319*62c56f98SSadaf Ebrahimi ssl, group_id, p, end, &key_exchange_len);
320*62c56f98SSadaf Ebrahimi p += key_exchange_len;
321*62c56f98SSadaf Ebrahimi if (ret != 0) {
322*62c56f98SSadaf Ebrahimi return ret;
323*62c56f98SSadaf Ebrahimi }
324*62c56f98SSadaf Ebrahimi
325*62c56f98SSadaf Ebrahimi /* Write group */
326*62c56f98SSadaf Ebrahimi MBEDTLS_PUT_UINT16_BE(group_id, group, 0);
327*62c56f98SSadaf Ebrahimi /* Write key_exchange_length */
328*62c56f98SSadaf Ebrahimi MBEDTLS_PUT_UINT16_BE(key_exchange_len, group, 2);
329*62c56f98SSadaf Ebrahimi } else
330*62c56f98SSadaf Ebrahimi #endif /* PSA_WANT_ALG_ECDH || PSA_WANT_ALG_FFDH */
331*62c56f98SSadaf Ebrahimi if (0 /* other KEMs? */) {
332*62c56f98SSadaf Ebrahimi /* Do something */
333*62c56f98SSadaf Ebrahimi } else {
334*62c56f98SSadaf Ebrahimi return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
335*62c56f98SSadaf Ebrahimi }
336*62c56f98SSadaf Ebrahimi
337*62c56f98SSadaf Ebrahimi /* Length of client_shares */
338*62c56f98SSadaf Ebrahimi client_shares_len = p - client_shares;
339*62c56f98SSadaf Ebrahimi if (client_shares_len == 0) {
340*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(1, ("No key share defined."));
341*62c56f98SSadaf Ebrahimi return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
342*62c56f98SSadaf Ebrahimi }
343*62c56f98SSadaf Ebrahimi /* Write extension_type */
344*62c56f98SSadaf Ebrahimi MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_KEY_SHARE, buf, 0);
345*62c56f98SSadaf Ebrahimi /* Write extension_data_length */
346*62c56f98SSadaf Ebrahimi MBEDTLS_PUT_UINT16_BE(client_shares_len + 2, buf, 2);
347*62c56f98SSadaf Ebrahimi /* Write client_shares_length */
348*62c56f98SSadaf Ebrahimi MBEDTLS_PUT_UINT16_BE(client_shares_len, buf, 4);
349*62c56f98SSadaf Ebrahimi
350*62c56f98SSadaf Ebrahimi /* Update offered_group_id field */
351*62c56f98SSadaf Ebrahimi ssl->handshake->offered_group_id = group_id;
352*62c56f98SSadaf Ebrahimi
353*62c56f98SSadaf Ebrahimi /* Output the total length of key_share extension. */
354*62c56f98SSadaf Ebrahimi *out_len = p - buf;
355*62c56f98SSadaf Ebrahimi
356*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_BUF(
357*62c56f98SSadaf Ebrahimi 3, "client hello, key_share extension", buf, *out_len);
358*62c56f98SSadaf Ebrahimi
359*62c56f98SSadaf Ebrahimi mbedtls_ssl_tls13_set_hs_sent_ext_mask(ssl, MBEDTLS_TLS_EXT_KEY_SHARE);
360*62c56f98SSadaf Ebrahimi
361*62c56f98SSadaf Ebrahimi cleanup:
362*62c56f98SSadaf Ebrahimi
363*62c56f98SSadaf Ebrahimi return ret;
364*62c56f98SSadaf Ebrahimi }
365*62c56f98SSadaf Ebrahimi #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED */
366*62c56f98SSadaf Ebrahimi
367*62c56f98SSadaf Ebrahimi /*
368*62c56f98SSadaf Ebrahimi * ssl_tls13_parse_hrr_key_share_ext()
369*62c56f98SSadaf Ebrahimi * Parse key_share extension in Hello Retry Request
370*62c56f98SSadaf Ebrahimi *
371*62c56f98SSadaf Ebrahimi * struct {
372*62c56f98SSadaf Ebrahimi * NamedGroup selected_group;
373*62c56f98SSadaf Ebrahimi * } KeyShareHelloRetryRequest;
374*62c56f98SSadaf Ebrahimi */
375*62c56f98SSadaf Ebrahimi MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_parse_hrr_key_share_ext(mbedtls_ssl_context * ssl,const unsigned char * buf,const unsigned char * end)376*62c56f98SSadaf Ebrahimi static int ssl_tls13_parse_hrr_key_share_ext(mbedtls_ssl_context *ssl,
377*62c56f98SSadaf Ebrahimi const unsigned char *buf,
378*62c56f98SSadaf Ebrahimi const unsigned char *end)
379*62c56f98SSadaf Ebrahimi {
380*62c56f98SSadaf Ebrahimi #if defined(PSA_WANT_ALG_ECDH) || defined(PSA_WANT_ALG_FFDH)
381*62c56f98SSadaf Ebrahimi const unsigned char *p = buf;
382*62c56f98SSadaf Ebrahimi int selected_group;
383*62c56f98SSadaf Ebrahimi int found = 0;
384*62c56f98SSadaf Ebrahimi
385*62c56f98SSadaf Ebrahimi const uint16_t *group_list = mbedtls_ssl_get_groups(ssl);
386*62c56f98SSadaf Ebrahimi if (group_list == NULL) {
387*62c56f98SSadaf Ebrahimi return MBEDTLS_ERR_SSL_BAD_CONFIG;
388*62c56f98SSadaf Ebrahimi }
389*62c56f98SSadaf Ebrahimi
390*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_BUF(3, "key_share extension", p, end - buf);
391*62c56f98SSadaf Ebrahimi
392*62c56f98SSadaf Ebrahimi /* Read selected_group */
393*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
394*62c56f98SSadaf Ebrahimi selected_group = MBEDTLS_GET_UINT16_BE(p, 0);
395*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(3, ("selected_group ( %d )", selected_group));
396*62c56f98SSadaf Ebrahimi
397*62c56f98SSadaf Ebrahimi /* Upon receipt of this extension in a HelloRetryRequest, the client
398*62c56f98SSadaf Ebrahimi * MUST first verify that the selected_group field corresponds to a
399*62c56f98SSadaf Ebrahimi * group which was provided in the "supported_groups" extension in the
400*62c56f98SSadaf Ebrahimi * original ClientHello.
401*62c56f98SSadaf Ebrahimi * The supported_group was based on the info in ssl->conf->group_list.
402*62c56f98SSadaf Ebrahimi *
403*62c56f98SSadaf Ebrahimi * If the server provided a key share that was not sent in the ClientHello
404*62c56f98SSadaf Ebrahimi * then the client MUST abort the handshake with an "illegal_parameter" alert.
405*62c56f98SSadaf Ebrahimi */
406*62c56f98SSadaf Ebrahimi for (; *group_list != 0; group_list++) {
407*62c56f98SSadaf Ebrahimi #if defined(PSA_WANT_ALG_ECDH)
408*62c56f98SSadaf Ebrahimi if (mbedtls_ssl_tls13_named_group_is_ecdhe(*group_list)) {
409*62c56f98SSadaf Ebrahimi if ((mbedtls_ssl_get_psa_curve_info_from_tls_id(
410*62c56f98SSadaf Ebrahimi *group_list, NULL, NULL) == PSA_ERROR_NOT_SUPPORTED) ||
411*62c56f98SSadaf Ebrahimi *group_list != selected_group) {
412*62c56f98SSadaf Ebrahimi found = 1;
413*62c56f98SSadaf Ebrahimi break;
414*62c56f98SSadaf Ebrahimi }
415*62c56f98SSadaf Ebrahimi }
416*62c56f98SSadaf Ebrahimi #endif /* PSA_WANT_ALG_ECDH */
417*62c56f98SSadaf Ebrahimi #if defined(PSA_WANT_ALG_FFDH)
418*62c56f98SSadaf Ebrahimi if (mbedtls_ssl_tls13_named_group_is_ffdh(*group_list)) {
419*62c56f98SSadaf Ebrahimi found = 1;
420*62c56f98SSadaf Ebrahimi break;
421*62c56f98SSadaf Ebrahimi }
422*62c56f98SSadaf Ebrahimi #endif /* PSA_WANT_ALG_FFDH */
423*62c56f98SSadaf Ebrahimi }
424*62c56f98SSadaf Ebrahimi
425*62c56f98SSadaf Ebrahimi /* Client MUST verify that the selected_group field does not
426*62c56f98SSadaf Ebrahimi * correspond to a group which was provided in the "key_share"
427*62c56f98SSadaf Ebrahimi * extension in the original ClientHello. If the server sent an
428*62c56f98SSadaf Ebrahimi * HRR message with a key share already provided in the
429*62c56f98SSadaf Ebrahimi * ClientHello then the client MUST abort the handshake with
430*62c56f98SSadaf Ebrahimi * an "illegal_parameter" alert.
431*62c56f98SSadaf Ebrahimi */
432*62c56f98SSadaf Ebrahimi if (found == 0 || selected_group == ssl->handshake->offered_group_id) {
433*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(1, ("Invalid key share in HRR"));
434*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_PEND_FATAL_ALERT(
435*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
436*62c56f98SSadaf Ebrahimi MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
437*62c56f98SSadaf Ebrahimi return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
438*62c56f98SSadaf Ebrahimi }
439*62c56f98SSadaf Ebrahimi
440*62c56f98SSadaf Ebrahimi /* Remember server's preference for next ClientHello */
441*62c56f98SSadaf Ebrahimi ssl->handshake->offered_group_id = selected_group;
442*62c56f98SSadaf Ebrahimi
443*62c56f98SSadaf Ebrahimi return 0;
444*62c56f98SSadaf Ebrahimi #else /* PSA_WANT_ALG_ECDH || PSA_WANT_ALG_FFDH */
445*62c56f98SSadaf Ebrahimi (void) ssl;
446*62c56f98SSadaf Ebrahimi (void) buf;
447*62c56f98SSadaf Ebrahimi (void) end;
448*62c56f98SSadaf Ebrahimi return MBEDTLS_ERR_SSL_BAD_CONFIG;
449*62c56f98SSadaf Ebrahimi #endif /* PSA_WANT_ALG_ECDH || PSA_WANT_ALG_FFDH */
450*62c56f98SSadaf Ebrahimi }
451*62c56f98SSadaf Ebrahimi
452*62c56f98SSadaf Ebrahimi /*
453*62c56f98SSadaf Ebrahimi * ssl_tls13_parse_key_share_ext()
454*62c56f98SSadaf Ebrahimi * Parse key_share extension in Server Hello
455*62c56f98SSadaf Ebrahimi *
456*62c56f98SSadaf Ebrahimi * struct {
457*62c56f98SSadaf Ebrahimi * KeyShareEntry server_share;
458*62c56f98SSadaf Ebrahimi * } KeyShareServerHello;
459*62c56f98SSadaf Ebrahimi * struct {
460*62c56f98SSadaf Ebrahimi * NamedGroup group;
461*62c56f98SSadaf Ebrahimi * opaque key_exchange<1..2^16-1>;
462*62c56f98SSadaf Ebrahimi * } KeyShareEntry;
463*62c56f98SSadaf Ebrahimi */
464*62c56f98SSadaf Ebrahimi MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_parse_key_share_ext(mbedtls_ssl_context * ssl,const unsigned char * buf,const unsigned char * end)465*62c56f98SSadaf Ebrahimi static int ssl_tls13_parse_key_share_ext(mbedtls_ssl_context *ssl,
466*62c56f98SSadaf Ebrahimi const unsigned char *buf,
467*62c56f98SSadaf Ebrahimi const unsigned char *end)
468*62c56f98SSadaf Ebrahimi {
469*62c56f98SSadaf Ebrahimi int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
470*62c56f98SSadaf Ebrahimi const unsigned char *p = buf;
471*62c56f98SSadaf Ebrahimi uint16_t group, offered_group;
472*62c56f98SSadaf Ebrahimi
473*62c56f98SSadaf Ebrahimi /* ...
474*62c56f98SSadaf Ebrahimi * NamedGroup group; (2 bytes)
475*62c56f98SSadaf Ebrahimi * ...
476*62c56f98SSadaf Ebrahimi */
477*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
478*62c56f98SSadaf Ebrahimi group = MBEDTLS_GET_UINT16_BE(p, 0);
479*62c56f98SSadaf Ebrahimi p += 2;
480*62c56f98SSadaf Ebrahimi
481*62c56f98SSadaf Ebrahimi /* Check that the chosen group matches the one we offered. */
482*62c56f98SSadaf Ebrahimi offered_group = ssl->handshake->offered_group_id;
483*62c56f98SSadaf Ebrahimi if (offered_group != group) {
484*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(
485*62c56f98SSadaf Ebrahimi 1, ("Invalid server key share, our group %u, their group %u",
486*62c56f98SSadaf Ebrahimi (unsigned) offered_group, (unsigned) group));
487*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
488*62c56f98SSadaf Ebrahimi MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE);
489*62c56f98SSadaf Ebrahimi return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
490*62c56f98SSadaf Ebrahimi }
491*62c56f98SSadaf Ebrahimi
492*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)
493*62c56f98SSadaf Ebrahimi if (mbedtls_ssl_tls13_named_group_is_ecdhe(group) ||
494*62c56f98SSadaf Ebrahimi mbedtls_ssl_tls13_named_group_is_ffdh(group)) {
495*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(2,
496*62c56f98SSadaf Ebrahimi ("DHE group name: %s", mbedtls_ssl_named_group_to_str(group)));
497*62c56f98SSadaf Ebrahimi ret = mbedtls_ssl_tls13_read_public_xxdhe_share(ssl, p, end - p);
498*62c56f98SSadaf Ebrahimi if (ret != 0) {
499*62c56f98SSadaf Ebrahimi return ret;
500*62c56f98SSadaf Ebrahimi }
501*62c56f98SSadaf Ebrahimi } else
502*62c56f98SSadaf Ebrahimi #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED */
503*62c56f98SSadaf Ebrahimi if (0 /* other KEMs? */) {
504*62c56f98SSadaf Ebrahimi /* Do something */
505*62c56f98SSadaf Ebrahimi } else {
506*62c56f98SSadaf Ebrahimi return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
507*62c56f98SSadaf Ebrahimi }
508*62c56f98SSadaf Ebrahimi
509*62c56f98SSadaf Ebrahimi return ret;
510*62c56f98SSadaf Ebrahimi }
511*62c56f98SSadaf Ebrahimi
512*62c56f98SSadaf Ebrahimi /*
513*62c56f98SSadaf Ebrahimi * ssl_tls13_parse_cookie_ext()
514*62c56f98SSadaf Ebrahimi * Parse cookie extension in Hello Retry Request
515*62c56f98SSadaf Ebrahimi *
516*62c56f98SSadaf Ebrahimi * struct {
517*62c56f98SSadaf Ebrahimi * opaque cookie<1..2^16-1>;
518*62c56f98SSadaf Ebrahimi * } Cookie;
519*62c56f98SSadaf Ebrahimi *
520*62c56f98SSadaf Ebrahimi * When sending a HelloRetryRequest, the server MAY provide a "cookie"
521*62c56f98SSadaf Ebrahimi * extension to the client (this is an exception to the usual rule that
522*62c56f98SSadaf Ebrahimi * the only extensions that may be sent are those that appear in the
523*62c56f98SSadaf Ebrahimi * ClientHello). When sending the new ClientHello, the client MUST copy
524*62c56f98SSadaf Ebrahimi * the contents of the extension received in the HelloRetryRequest into
525*62c56f98SSadaf Ebrahimi * a "cookie" extension in the new ClientHello. Clients MUST NOT use
526*62c56f98SSadaf Ebrahimi * cookies in their initial ClientHello in subsequent connections.
527*62c56f98SSadaf Ebrahimi */
528*62c56f98SSadaf Ebrahimi MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_parse_cookie_ext(mbedtls_ssl_context * ssl,const unsigned char * buf,const unsigned char * end)529*62c56f98SSadaf Ebrahimi static int ssl_tls13_parse_cookie_ext(mbedtls_ssl_context *ssl,
530*62c56f98SSadaf Ebrahimi const unsigned char *buf,
531*62c56f98SSadaf Ebrahimi const unsigned char *end)
532*62c56f98SSadaf Ebrahimi {
533*62c56f98SSadaf Ebrahimi uint16_t cookie_len;
534*62c56f98SSadaf Ebrahimi const unsigned char *p = buf;
535*62c56f98SSadaf Ebrahimi mbedtls_ssl_handshake_params *handshake = ssl->handshake;
536*62c56f98SSadaf Ebrahimi
537*62c56f98SSadaf Ebrahimi /* Retrieve length field of cookie */
538*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
539*62c56f98SSadaf Ebrahimi cookie_len = MBEDTLS_GET_UINT16_BE(p, 0);
540*62c56f98SSadaf Ebrahimi p += 2;
541*62c56f98SSadaf Ebrahimi
542*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, cookie_len);
543*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_BUF(3, "cookie extension", p, cookie_len);
544*62c56f98SSadaf Ebrahimi
545*62c56f98SSadaf Ebrahimi mbedtls_free(handshake->cookie);
546*62c56f98SSadaf Ebrahimi handshake->cookie_len = 0;
547*62c56f98SSadaf Ebrahimi handshake->cookie = mbedtls_calloc(1, cookie_len);
548*62c56f98SSadaf Ebrahimi if (handshake->cookie == NULL) {
549*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(1,
550*62c56f98SSadaf Ebrahimi ("alloc failed ( %ud bytes )",
551*62c56f98SSadaf Ebrahimi cookie_len));
552*62c56f98SSadaf Ebrahimi return MBEDTLS_ERR_SSL_ALLOC_FAILED;
553*62c56f98SSadaf Ebrahimi }
554*62c56f98SSadaf Ebrahimi
555*62c56f98SSadaf Ebrahimi memcpy(handshake->cookie, p, cookie_len);
556*62c56f98SSadaf Ebrahimi handshake->cookie_len = cookie_len;
557*62c56f98SSadaf Ebrahimi
558*62c56f98SSadaf Ebrahimi return 0;
559*62c56f98SSadaf Ebrahimi }
560*62c56f98SSadaf Ebrahimi
561*62c56f98SSadaf Ebrahimi MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_write_cookie_ext(mbedtls_ssl_context * ssl,unsigned char * buf,unsigned char * end,size_t * out_len)562*62c56f98SSadaf Ebrahimi static int ssl_tls13_write_cookie_ext(mbedtls_ssl_context *ssl,
563*62c56f98SSadaf Ebrahimi unsigned char *buf,
564*62c56f98SSadaf Ebrahimi unsigned char *end,
565*62c56f98SSadaf Ebrahimi size_t *out_len)
566*62c56f98SSadaf Ebrahimi {
567*62c56f98SSadaf Ebrahimi unsigned char *p = buf;
568*62c56f98SSadaf Ebrahimi *out_len = 0;
569*62c56f98SSadaf Ebrahimi mbedtls_ssl_handshake_params *handshake = ssl->handshake;
570*62c56f98SSadaf Ebrahimi
571*62c56f98SSadaf Ebrahimi if (handshake->cookie == NULL) {
572*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(3, ("no cookie to send; skip extension"));
573*62c56f98SSadaf Ebrahimi return 0;
574*62c56f98SSadaf Ebrahimi }
575*62c56f98SSadaf Ebrahimi
576*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_BUF(3, "client hello, cookie",
577*62c56f98SSadaf Ebrahimi handshake->cookie,
578*62c56f98SSadaf Ebrahimi handshake->cookie_len);
579*62c56f98SSadaf Ebrahimi
580*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_CHK_BUF_PTR(p, end, handshake->cookie_len + 6);
581*62c56f98SSadaf Ebrahimi
582*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, adding cookie extension"));
583*62c56f98SSadaf Ebrahimi
584*62c56f98SSadaf Ebrahimi MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_COOKIE, p, 0);
585*62c56f98SSadaf Ebrahimi MBEDTLS_PUT_UINT16_BE(handshake->cookie_len + 2, p, 2);
586*62c56f98SSadaf Ebrahimi MBEDTLS_PUT_UINT16_BE(handshake->cookie_len, p, 4);
587*62c56f98SSadaf Ebrahimi p += 6;
588*62c56f98SSadaf Ebrahimi
589*62c56f98SSadaf Ebrahimi /* Cookie */
590*62c56f98SSadaf Ebrahimi memcpy(p, handshake->cookie, handshake->cookie_len);
591*62c56f98SSadaf Ebrahimi
592*62c56f98SSadaf Ebrahimi *out_len = handshake->cookie_len + 6;
593*62c56f98SSadaf Ebrahimi
594*62c56f98SSadaf Ebrahimi mbedtls_ssl_tls13_set_hs_sent_ext_mask(ssl, MBEDTLS_TLS_EXT_COOKIE);
595*62c56f98SSadaf Ebrahimi
596*62c56f98SSadaf Ebrahimi return 0;
597*62c56f98SSadaf Ebrahimi }
598*62c56f98SSadaf Ebrahimi
599*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
600*62c56f98SSadaf Ebrahimi /*
601*62c56f98SSadaf Ebrahimi * ssl_tls13_write_psk_key_exchange_modes_ext() structure:
602*62c56f98SSadaf Ebrahimi *
603*62c56f98SSadaf Ebrahimi * enum { psk_ke( 0 ), psk_dhe_ke( 1 ), ( 255 ) } PskKeyExchangeMode;
604*62c56f98SSadaf Ebrahimi *
605*62c56f98SSadaf Ebrahimi * struct {
606*62c56f98SSadaf Ebrahimi * PskKeyExchangeMode ke_modes<1..255>;
607*62c56f98SSadaf Ebrahimi * } PskKeyExchangeModes;
608*62c56f98SSadaf Ebrahimi */
609*62c56f98SSadaf Ebrahimi MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_write_psk_key_exchange_modes_ext(mbedtls_ssl_context * ssl,unsigned char * buf,unsigned char * end,size_t * out_len)610*62c56f98SSadaf Ebrahimi static int ssl_tls13_write_psk_key_exchange_modes_ext(mbedtls_ssl_context *ssl,
611*62c56f98SSadaf Ebrahimi unsigned char *buf,
612*62c56f98SSadaf Ebrahimi unsigned char *end,
613*62c56f98SSadaf Ebrahimi size_t *out_len)
614*62c56f98SSadaf Ebrahimi {
615*62c56f98SSadaf Ebrahimi unsigned char *p = buf;
616*62c56f98SSadaf Ebrahimi int ke_modes_len = 0;
617*62c56f98SSadaf Ebrahimi
618*62c56f98SSadaf Ebrahimi ((void) ke_modes_len);
619*62c56f98SSadaf Ebrahimi *out_len = 0;
620*62c56f98SSadaf Ebrahimi
621*62c56f98SSadaf Ebrahimi /* Skip writing extension if no PSK key exchange mode
622*62c56f98SSadaf Ebrahimi * is enabled in the config.
623*62c56f98SSadaf Ebrahimi */
624*62c56f98SSadaf Ebrahimi if (!mbedtls_ssl_conf_tls13_some_psk_enabled(ssl)) {
625*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(3, ("skip psk_key_exchange_modes extension"));
626*62c56f98SSadaf Ebrahimi return 0;
627*62c56f98SSadaf Ebrahimi }
628*62c56f98SSadaf Ebrahimi
629*62c56f98SSadaf Ebrahimi /* Require 7 bytes of data, otherwise fail,
630*62c56f98SSadaf Ebrahimi * even if extension might be shorter.
631*62c56f98SSadaf Ebrahimi */
632*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_CHK_BUF_PTR(p, end, 7);
633*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(
634*62c56f98SSadaf Ebrahimi 3, ("client hello, adding psk_key_exchange_modes extension"));
635*62c56f98SSadaf Ebrahimi
636*62c56f98SSadaf Ebrahimi MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES, p, 0);
637*62c56f98SSadaf Ebrahimi
638*62c56f98SSadaf Ebrahimi /* Skip extension length (2 bytes) and
639*62c56f98SSadaf Ebrahimi * ke_modes length (1 byte) for now.
640*62c56f98SSadaf Ebrahimi */
641*62c56f98SSadaf Ebrahimi p += 5;
642*62c56f98SSadaf Ebrahimi
643*62c56f98SSadaf Ebrahimi if (mbedtls_ssl_conf_tls13_psk_ephemeral_enabled(ssl)) {
644*62c56f98SSadaf Ebrahimi *p++ = MBEDTLS_SSL_TLS1_3_PSK_MODE_ECDHE;
645*62c56f98SSadaf Ebrahimi ke_modes_len++;
646*62c56f98SSadaf Ebrahimi
647*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(4, ("Adding PSK-ECDHE key exchange mode"));
648*62c56f98SSadaf Ebrahimi }
649*62c56f98SSadaf Ebrahimi
650*62c56f98SSadaf Ebrahimi if (mbedtls_ssl_conf_tls13_psk_enabled(ssl)) {
651*62c56f98SSadaf Ebrahimi *p++ = MBEDTLS_SSL_TLS1_3_PSK_MODE_PURE;
652*62c56f98SSadaf Ebrahimi ke_modes_len++;
653*62c56f98SSadaf Ebrahimi
654*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(4, ("Adding pure PSK key exchange mode"));
655*62c56f98SSadaf Ebrahimi }
656*62c56f98SSadaf Ebrahimi
657*62c56f98SSadaf Ebrahimi /* Now write the extension and ke_modes length */
658*62c56f98SSadaf Ebrahimi MBEDTLS_PUT_UINT16_BE(ke_modes_len + 1, buf, 2);
659*62c56f98SSadaf Ebrahimi buf[4] = ke_modes_len;
660*62c56f98SSadaf Ebrahimi
661*62c56f98SSadaf Ebrahimi *out_len = p - buf;
662*62c56f98SSadaf Ebrahimi
663*62c56f98SSadaf Ebrahimi mbedtls_ssl_tls13_set_hs_sent_ext_mask(
664*62c56f98SSadaf Ebrahimi ssl, MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES);
665*62c56f98SSadaf Ebrahimi
666*62c56f98SSadaf Ebrahimi return 0;
667*62c56f98SSadaf Ebrahimi }
668*62c56f98SSadaf Ebrahimi
ssl_tls13_get_ciphersuite_hash_alg(int ciphersuite)669*62c56f98SSadaf Ebrahimi static psa_algorithm_t ssl_tls13_get_ciphersuite_hash_alg(int ciphersuite)
670*62c56f98SSadaf Ebrahimi {
671*62c56f98SSadaf Ebrahimi const mbedtls_ssl_ciphersuite_t *ciphersuite_info = NULL;
672*62c56f98SSadaf Ebrahimi ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(ciphersuite);
673*62c56f98SSadaf Ebrahimi
674*62c56f98SSadaf Ebrahimi if (ciphersuite_info != NULL) {
675*62c56f98SSadaf Ebrahimi return mbedtls_md_psa_alg_from_type(ciphersuite_info->mac);
676*62c56f98SSadaf Ebrahimi }
677*62c56f98SSadaf Ebrahimi
678*62c56f98SSadaf Ebrahimi return PSA_ALG_NONE;
679*62c56f98SSadaf Ebrahimi }
680*62c56f98SSadaf Ebrahimi
681*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_SSL_SESSION_TICKETS)
ssl_tls13_has_configured_ticket(mbedtls_ssl_context * ssl)682*62c56f98SSadaf Ebrahimi static int ssl_tls13_has_configured_ticket(mbedtls_ssl_context *ssl)
683*62c56f98SSadaf Ebrahimi {
684*62c56f98SSadaf Ebrahimi mbedtls_ssl_session *session = ssl->session_negotiate;
685*62c56f98SSadaf Ebrahimi return ssl->handshake->resume &&
686*62c56f98SSadaf Ebrahimi session != NULL && session->ticket != NULL &&
687*62c56f98SSadaf Ebrahimi mbedtls_ssl_conf_tls13_check_kex_modes(
688*62c56f98SSadaf Ebrahimi ssl, mbedtls_ssl_session_get_ticket_flags(
689*62c56f98SSadaf Ebrahimi session, MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL));
690*62c56f98SSadaf Ebrahimi }
691*62c56f98SSadaf Ebrahimi
692*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_SSL_EARLY_DATA)
ssl_tls13_early_data_has_valid_ticket(mbedtls_ssl_context * ssl)693*62c56f98SSadaf Ebrahimi static int ssl_tls13_early_data_has_valid_ticket(mbedtls_ssl_context *ssl)
694*62c56f98SSadaf Ebrahimi {
695*62c56f98SSadaf Ebrahimi mbedtls_ssl_session *session = ssl->session_negotiate;
696*62c56f98SSadaf Ebrahimi return ssl->handshake->resume &&
697*62c56f98SSadaf Ebrahimi session->tls_version == MBEDTLS_SSL_VERSION_TLS1_3 &&
698*62c56f98SSadaf Ebrahimi (session->ticket_flags &
699*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_EARLY_DATA) &&
700*62c56f98SSadaf Ebrahimi mbedtls_ssl_tls13_cipher_suite_is_offered(
701*62c56f98SSadaf Ebrahimi ssl, session->ciphersuite);
702*62c56f98SSadaf Ebrahimi }
703*62c56f98SSadaf Ebrahimi #endif
704*62c56f98SSadaf Ebrahimi
705*62c56f98SSadaf Ebrahimi MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_ticket_get_identity(mbedtls_ssl_context * ssl,psa_algorithm_t * hash_alg,const unsigned char ** identity,size_t * identity_len)706*62c56f98SSadaf Ebrahimi static int ssl_tls13_ticket_get_identity(mbedtls_ssl_context *ssl,
707*62c56f98SSadaf Ebrahimi psa_algorithm_t *hash_alg,
708*62c56f98SSadaf Ebrahimi const unsigned char **identity,
709*62c56f98SSadaf Ebrahimi size_t *identity_len)
710*62c56f98SSadaf Ebrahimi {
711*62c56f98SSadaf Ebrahimi mbedtls_ssl_session *session = ssl->session_negotiate;
712*62c56f98SSadaf Ebrahimi
713*62c56f98SSadaf Ebrahimi if (!ssl_tls13_has_configured_ticket(ssl)) {
714*62c56f98SSadaf Ebrahimi return -1;
715*62c56f98SSadaf Ebrahimi }
716*62c56f98SSadaf Ebrahimi
717*62c56f98SSadaf Ebrahimi *hash_alg = ssl_tls13_get_ciphersuite_hash_alg(session->ciphersuite);
718*62c56f98SSadaf Ebrahimi *identity = session->ticket;
719*62c56f98SSadaf Ebrahimi *identity_len = session->ticket_len;
720*62c56f98SSadaf Ebrahimi return 0;
721*62c56f98SSadaf Ebrahimi }
722*62c56f98SSadaf Ebrahimi
723*62c56f98SSadaf Ebrahimi MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_ticket_get_psk(mbedtls_ssl_context * ssl,psa_algorithm_t * hash_alg,const unsigned char ** psk,size_t * psk_len)724*62c56f98SSadaf Ebrahimi static int ssl_tls13_ticket_get_psk(mbedtls_ssl_context *ssl,
725*62c56f98SSadaf Ebrahimi psa_algorithm_t *hash_alg,
726*62c56f98SSadaf Ebrahimi const unsigned char **psk,
727*62c56f98SSadaf Ebrahimi size_t *psk_len)
728*62c56f98SSadaf Ebrahimi {
729*62c56f98SSadaf Ebrahimi
730*62c56f98SSadaf Ebrahimi mbedtls_ssl_session *session = ssl->session_negotiate;
731*62c56f98SSadaf Ebrahimi
732*62c56f98SSadaf Ebrahimi if (!ssl_tls13_has_configured_ticket(ssl)) {
733*62c56f98SSadaf Ebrahimi return -1;
734*62c56f98SSadaf Ebrahimi }
735*62c56f98SSadaf Ebrahimi
736*62c56f98SSadaf Ebrahimi *hash_alg = ssl_tls13_get_ciphersuite_hash_alg(session->ciphersuite);
737*62c56f98SSadaf Ebrahimi *psk = session->resumption_key;
738*62c56f98SSadaf Ebrahimi *psk_len = session->resumption_key_len;
739*62c56f98SSadaf Ebrahimi
740*62c56f98SSadaf Ebrahimi return 0;
741*62c56f98SSadaf Ebrahimi }
742*62c56f98SSadaf Ebrahimi #endif /* MBEDTLS_SSL_SESSION_TICKETS */
743*62c56f98SSadaf Ebrahimi
744*62c56f98SSadaf Ebrahimi MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_psk_get_identity(mbedtls_ssl_context * ssl,psa_algorithm_t * hash_alg,const unsigned char ** identity,size_t * identity_len)745*62c56f98SSadaf Ebrahimi static int ssl_tls13_psk_get_identity(mbedtls_ssl_context *ssl,
746*62c56f98SSadaf Ebrahimi psa_algorithm_t *hash_alg,
747*62c56f98SSadaf Ebrahimi const unsigned char **identity,
748*62c56f98SSadaf Ebrahimi size_t *identity_len)
749*62c56f98SSadaf Ebrahimi {
750*62c56f98SSadaf Ebrahimi
751*62c56f98SSadaf Ebrahimi if (!mbedtls_ssl_conf_has_static_psk(ssl->conf)) {
752*62c56f98SSadaf Ebrahimi return -1;
753*62c56f98SSadaf Ebrahimi }
754*62c56f98SSadaf Ebrahimi
755*62c56f98SSadaf Ebrahimi *hash_alg = PSA_ALG_SHA_256;
756*62c56f98SSadaf Ebrahimi *identity = ssl->conf->psk_identity;
757*62c56f98SSadaf Ebrahimi *identity_len = ssl->conf->psk_identity_len;
758*62c56f98SSadaf Ebrahimi return 0;
759*62c56f98SSadaf Ebrahimi }
760*62c56f98SSadaf Ebrahimi
761*62c56f98SSadaf Ebrahimi MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_psk_get_psk(mbedtls_ssl_context * ssl,psa_algorithm_t * hash_alg,const unsigned char ** psk,size_t * psk_len)762*62c56f98SSadaf Ebrahimi static int ssl_tls13_psk_get_psk(mbedtls_ssl_context *ssl,
763*62c56f98SSadaf Ebrahimi psa_algorithm_t *hash_alg,
764*62c56f98SSadaf Ebrahimi const unsigned char **psk,
765*62c56f98SSadaf Ebrahimi size_t *psk_len)
766*62c56f98SSadaf Ebrahimi {
767*62c56f98SSadaf Ebrahimi
768*62c56f98SSadaf Ebrahimi if (!mbedtls_ssl_conf_has_static_psk(ssl->conf)) {
769*62c56f98SSadaf Ebrahimi return -1;
770*62c56f98SSadaf Ebrahimi }
771*62c56f98SSadaf Ebrahimi
772*62c56f98SSadaf Ebrahimi *hash_alg = PSA_ALG_SHA_256;
773*62c56f98SSadaf Ebrahimi *psk = ssl->conf->psk;
774*62c56f98SSadaf Ebrahimi *psk_len = ssl->conf->psk_len;
775*62c56f98SSadaf Ebrahimi return 0;
776*62c56f98SSadaf Ebrahimi }
777*62c56f98SSadaf Ebrahimi
ssl_tls13_get_configured_psk_count(mbedtls_ssl_context * ssl)778*62c56f98SSadaf Ebrahimi static int ssl_tls13_get_configured_psk_count(mbedtls_ssl_context *ssl)
779*62c56f98SSadaf Ebrahimi {
780*62c56f98SSadaf Ebrahimi int configured_psk_count = 0;
781*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_SSL_SESSION_TICKETS)
782*62c56f98SSadaf Ebrahimi if (ssl_tls13_has_configured_ticket(ssl)) {
783*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(3, ("Ticket is configured"));
784*62c56f98SSadaf Ebrahimi configured_psk_count++;
785*62c56f98SSadaf Ebrahimi }
786*62c56f98SSadaf Ebrahimi #endif
787*62c56f98SSadaf Ebrahimi if (mbedtls_ssl_conf_has_static_psk(ssl->conf)) {
788*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(3, ("PSK is configured"));
789*62c56f98SSadaf Ebrahimi configured_psk_count++;
790*62c56f98SSadaf Ebrahimi }
791*62c56f98SSadaf Ebrahimi return configured_psk_count;
792*62c56f98SSadaf Ebrahimi }
793*62c56f98SSadaf Ebrahimi
794*62c56f98SSadaf Ebrahimi MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_write_identity(mbedtls_ssl_context * ssl,unsigned char * buf,unsigned char * end,const unsigned char * identity,size_t identity_len,uint32_t obfuscated_ticket_age,size_t * out_len)795*62c56f98SSadaf Ebrahimi static int ssl_tls13_write_identity(mbedtls_ssl_context *ssl,
796*62c56f98SSadaf Ebrahimi unsigned char *buf,
797*62c56f98SSadaf Ebrahimi unsigned char *end,
798*62c56f98SSadaf Ebrahimi const unsigned char *identity,
799*62c56f98SSadaf Ebrahimi size_t identity_len,
800*62c56f98SSadaf Ebrahimi uint32_t obfuscated_ticket_age,
801*62c56f98SSadaf Ebrahimi size_t *out_len)
802*62c56f98SSadaf Ebrahimi {
803*62c56f98SSadaf Ebrahimi ((void) ssl);
804*62c56f98SSadaf Ebrahimi *out_len = 0;
805*62c56f98SSadaf Ebrahimi
806*62c56f98SSadaf Ebrahimi /*
807*62c56f98SSadaf Ebrahimi * - identity_len (2 bytes)
808*62c56f98SSadaf Ebrahimi * - identity (psk_identity_len bytes)
809*62c56f98SSadaf Ebrahimi * - obfuscated_ticket_age (4 bytes)
810*62c56f98SSadaf Ebrahimi */
811*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_CHK_BUF_PTR(buf, end, 6 + identity_len);
812*62c56f98SSadaf Ebrahimi
813*62c56f98SSadaf Ebrahimi MBEDTLS_PUT_UINT16_BE(identity_len, buf, 0);
814*62c56f98SSadaf Ebrahimi memcpy(buf + 2, identity, identity_len);
815*62c56f98SSadaf Ebrahimi MBEDTLS_PUT_UINT32_BE(obfuscated_ticket_age, buf, 2 + identity_len);
816*62c56f98SSadaf Ebrahimi
817*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_BUF(4, "write identity", buf, 6 + identity_len);
818*62c56f98SSadaf Ebrahimi
819*62c56f98SSadaf Ebrahimi *out_len = 6 + identity_len;
820*62c56f98SSadaf Ebrahimi
821*62c56f98SSadaf Ebrahimi return 0;
822*62c56f98SSadaf Ebrahimi }
823*62c56f98SSadaf Ebrahimi
824*62c56f98SSadaf Ebrahimi MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_write_binder(mbedtls_ssl_context * ssl,unsigned char * buf,unsigned char * end,int psk_type,psa_algorithm_t hash_alg,const unsigned char * psk,size_t psk_len,size_t * out_len)825*62c56f98SSadaf Ebrahimi static int ssl_tls13_write_binder(mbedtls_ssl_context *ssl,
826*62c56f98SSadaf Ebrahimi unsigned char *buf,
827*62c56f98SSadaf Ebrahimi unsigned char *end,
828*62c56f98SSadaf Ebrahimi int psk_type,
829*62c56f98SSadaf Ebrahimi psa_algorithm_t hash_alg,
830*62c56f98SSadaf Ebrahimi const unsigned char *psk,
831*62c56f98SSadaf Ebrahimi size_t psk_len,
832*62c56f98SSadaf Ebrahimi size_t *out_len)
833*62c56f98SSadaf Ebrahimi {
834*62c56f98SSadaf Ebrahimi int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
835*62c56f98SSadaf Ebrahimi unsigned char binder_len;
836*62c56f98SSadaf Ebrahimi unsigned char transcript[MBEDTLS_TLS1_3_MD_MAX_SIZE];
837*62c56f98SSadaf Ebrahimi size_t transcript_len = 0;
838*62c56f98SSadaf Ebrahimi
839*62c56f98SSadaf Ebrahimi *out_len = 0;
840*62c56f98SSadaf Ebrahimi
841*62c56f98SSadaf Ebrahimi binder_len = PSA_HASH_LENGTH(hash_alg);
842*62c56f98SSadaf Ebrahimi
843*62c56f98SSadaf Ebrahimi /*
844*62c56f98SSadaf Ebrahimi * - binder_len (1 bytes)
845*62c56f98SSadaf Ebrahimi * - binder (binder_len bytes)
846*62c56f98SSadaf Ebrahimi */
847*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_CHK_BUF_PTR(buf, end, 1 + binder_len);
848*62c56f98SSadaf Ebrahimi
849*62c56f98SSadaf Ebrahimi buf[0] = binder_len;
850*62c56f98SSadaf Ebrahimi
851*62c56f98SSadaf Ebrahimi /* Get current state of handshake transcript. */
852*62c56f98SSadaf Ebrahimi ret = mbedtls_ssl_get_handshake_transcript(
853*62c56f98SSadaf Ebrahimi ssl, mbedtls_md_type_from_psa_alg(hash_alg),
854*62c56f98SSadaf Ebrahimi transcript, sizeof(transcript), &transcript_len);
855*62c56f98SSadaf Ebrahimi if (ret != 0) {
856*62c56f98SSadaf Ebrahimi return ret;
857*62c56f98SSadaf Ebrahimi }
858*62c56f98SSadaf Ebrahimi
859*62c56f98SSadaf Ebrahimi ret = mbedtls_ssl_tls13_create_psk_binder(ssl, hash_alg,
860*62c56f98SSadaf Ebrahimi psk, psk_len, psk_type,
861*62c56f98SSadaf Ebrahimi transcript, buf + 1);
862*62c56f98SSadaf Ebrahimi if (ret != 0) {
863*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_tls13_create_psk_binder", ret);
864*62c56f98SSadaf Ebrahimi return ret;
865*62c56f98SSadaf Ebrahimi }
866*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_BUF(4, "write binder", buf, 1 + binder_len);
867*62c56f98SSadaf Ebrahimi
868*62c56f98SSadaf Ebrahimi *out_len = 1 + binder_len;
869*62c56f98SSadaf Ebrahimi
870*62c56f98SSadaf Ebrahimi return 0;
871*62c56f98SSadaf Ebrahimi }
872*62c56f98SSadaf Ebrahimi
873*62c56f98SSadaf Ebrahimi /*
874*62c56f98SSadaf Ebrahimi * mbedtls_ssl_tls13_write_identities_of_pre_shared_key_ext() structure:
875*62c56f98SSadaf Ebrahimi *
876*62c56f98SSadaf Ebrahimi * struct {
877*62c56f98SSadaf Ebrahimi * opaque identity<1..2^16-1>;
878*62c56f98SSadaf Ebrahimi * uint32 obfuscated_ticket_age;
879*62c56f98SSadaf Ebrahimi * } PskIdentity;
880*62c56f98SSadaf Ebrahimi *
881*62c56f98SSadaf Ebrahimi * opaque PskBinderEntry<32..255>;
882*62c56f98SSadaf Ebrahimi *
883*62c56f98SSadaf Ebrahimi * struct {
884*62c56f98SSadaf Ebrahimi * PskIdentity identities<7..2^16-1>;
885*62c56f98SSadaf Ebrahimi * PskBinderEntry binders<33..2^16-1>;
886*62c56f98SSadaf Ebrahimi * } OfferedPsks;
887*62c56f98SSadaf Ebrahimi *
888*62c56f98SSadaf Ebrahimi * struct {
889*62c56f98SSadaf Ebrahimi * select (Handshake.msg_type) {
890*62c56f98SSadaf Ebrahimi * case client_hello: OfferedPsks;
891*62c56f98SSadaf Ebrahimi * ...
892*62c56f98SSadaf Ebrahimi * };
893*62c56f98SSadaf Ebrahimi * } PreSharedKeyExtension;
894*62c56f98SSadaf Ebrahimi *
895*62c56f98SSadaf Ebrahimi */
mbedtls_ssl_tls13_write_identities_of_pre_shared_key_ext(mbedtls_ssl_context * ssl,unsigned char * buf,unsigned char * end,size_t * out_len,size_t * binders_len)896*62c56f98SSadaf Ebrahimi int mbedtls_ssl_tls13_write_identities_of_pre_shared_key_ext(
897*62c56f98SSadaf Ebrahimi mbedtls_ssl_context *ssl, unsigned char *buf, unsigned char *end,
898*62c56f98SSadaf Ebrahimi size_t *out_len, size_t *binders_len)
899*62c56f98SSadaf Ebrahimi {
900*62c56f98SSadaf Ebrahimi int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
901*62c56f98SSadaf Ebrahimi int configured_psk_count = 0;
902*62c56f98SSadaf Ebrahimi unsigned char *p = buf;
903*62c56f98SSadaf Ebrahimi psa_algorithm_t hash_alg = PSA_ALG_NONE;
904*62c56f98SSadaf Ebrahimi const unsigned char *identity;
905*62c56f98SSadaf Ebrahimi size_t identity_len;
906*62c56f98SSadaf Ebrahimi size_t l_binders_len = 0;
907*62c56f98SSadaf Ebrahimi size_t output_len;
908*62c56f98SSadaf Ebrahimi
909*62c56f98SSadaf Ebrahimi *out_len = 0;
910*62c56f98SSadaf Ebrahimi *binders_len = 0;
911*62c56f98SSadaf Ebrahimi
912*62c56f98SSadaf Ebrahimi /* Check if we have any PSKs to offer. If no, skip pre_shared_key */
913*62c56f98SSadaf Ebrahimi configured_psk_count = ssl_tls13_get_configured_psk_count(ssl);
914*62c56f98SSadaf Ebrahimi if (configured_psk_count == 0) {
915*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(3, ("skip pre_shared_key extensions"));
916*62c56f98SSadaf Ebrahimi return 0;
917*62c56f98SSadaf Ebrahimi }
918*62c56f98SSadaf Ebrahimi
919*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(4, ("Pre-configured PSK number = %d",
920*62c56f98SSadaf Ebrahimi configured_psk_count));
921*62c56f98SSadaf Ebrahimi
922*62c56f98SSadaf Ebrahimi /* Check if we have space to write the extension, binders included.
923*62c56f98SSadaf Ebrahimi * - extension_type (2 bytes)
924*62c56f98SSadaf Ebrahimi * - extension_data_len (2 bytes)
925*62c56f98SSadaf Ebrahimi * - identities_len (2 bytes)
926*62c56f98SSadaf Ebrahimi */
927*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_CHK_BUF_PTR(p, end, 6);
928*62c56f98SSadaf Ebrahimi p += 6;
929*62c56f98SSadaf Ebrahimi
930*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_SSL_SESSION_TICKETS)
931*62c56f98SSadaf Ebrahimi if (ssl_tls13_ticket_get_identity(
932*62c56f98SSadaf Ebrahimi ssl, &hash_alg, &identity, &identity_len) == 0) {
933*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_HAVE_TIME)
934*62c56f98SSadaf Ebrahimi mbedtls_time_t now = mbedtls_time(NULL);
935*62c56f98SSadaf Ebrahimi mbedtls_ssl_session *session = ssl->session_negotiate;
936*62c56f98SSadaf Ebrahimi uint32_t obfuscated_ticket_age =
937*62c56f98SSadaf Ebrahimi (uint32_t) (now - session->ticket_received);
938*62c56f98SSadaf Ebrahimi
939*62c56f98SSadaf Ebrahimi /*
940*62c56f98SSadaf Ebrahimi * The ticket timestamp is in seconds but the ticket age is in
941*62c56f98SSadaf Ebrahimi * milliseconds. If the ticket was received at the end of a second and
942*62c56f98SSadaf Ebrahimi * re-used here just at the beginning of the next second, the computed
943*62c56f98SSadaf Ebrahimi * age `now - session->ticket_received` is equal to 1s thus 1000 ms
944*62c56f98SSadaf Ebrahimi * while the actual age could be just a few milliseconds or tens of
945*62c56f98SSadaf Ebrahimi * milliseconds. If the server has more accurate ticket timestamps
946*62c56f98SSadaf Ebrahimi * (typically timestamps in milliseconds), as part of the processing of
947*62c56f98SSadaf Ebrahimi * the ClientHello, it may compute a ticket lifetime smaller than the
948*62c56f98SSadaf Ebrahimi * one computed here and potentially reject the ticket. To avoid that,
949*62c56f98SSadaf Ebrahimi * remove one second to the ticket age if possible.
950*62c56f98SSadaf Ebrahimi */
951*62c56f98SSadaf Ebrahimi if (obfuscated_ticket_age > 0) {
952*62c56f98SSadaf Ebrahimi obfuscated_ticket_age -= 1;
953*62c56f98SSadaf Ebrahimi }
954*62c56f98SSadaf Ebrahimi
955*62c56f98SSadaf Ebrahimi obfuscated_ticket_age *= 1000;
956*62c56f98SSadaf Ebrahimi obfuscated_ticket_age += session->ticket_age_add;
957*62c56f98SSadaf Ebrahimi
958*62c56f98SSadaf Ebrahimi ret = ssl_tls13_write_identity(ssl, p, end,
959*62c56f98SSadaf Ebrahimi identity, identity_len,
960*62c56f98SSadaf Ebrahimi obfuscated_ticket_age,
961*62c56f98SSadaf Ebrahimi &output_len);
962*62c56f98SSadaf Ebrahimi #else
963*62c56f98SSadaf Ebrahimi ret = ssl_tls13_write_identity(ssl, p, end, identity, identity_len,
964*62c56f98SSadaf Ebrahimi 0, &output_len);
965*62c56f98SSadaf Ebrahimi #endif /* MBEDTLS_HAVE_TIME */
966*62c56f98SSadaf Ebrahimi if (ret != 0) {
967*62c56f98SSadaf Ebrahimi return ret;
968*62c56f98SSadaf Ebrahimi }
969*62c56f98SSadaf Ebrahimi
970*62c56f98SSadaf Ebrahimi p += output_len;
971*62c56f98SSadaf Ebrahimi l_binders_len += 1 + PSA_HASH_LENGTH(hash_alg);
972*62c56f98SSadaf Ebrahimi }
973*62c56f98SSadaf Ebrahimi #endif /* MBEDTLS_SSL_SESSION_TICKETS */
974*62c56f98SSadaf Ebrahimi
975*62c56f98SSadaf Ebrahimi if (ssl_tls13_psk_get_identity(
976*62c56f98SSadaf Ebrahimi ssl, &hash_alg, &identity, &identity_len) == 0) {
977*62c56f98SSadaf Ebrahimi
978*62c56f98SSadaf Ebrahimi ret = ssl_tls13_write_identity(ssl, p, end, identity, identity_len, 0,
979*62c56f98SSadaf Ebrahimi &output_len);
980*62c56f98SSadaf Ebrahimi if (ret != 0) {
981*62c56f98SSadaf Ebrahimi return ret;
982*62c56f98SSadaf Ebrahimi }
983*62c56f98SSadaf Ebrahimi
984*62c56f98SSadaf Ebrahimi p += output_len;
985*62c56f98SSadaf Ebrahimi l_binders_len += 1 + PSA_HASH_LENGTH(hash_alg);
986*62c56f98SSadaf Ebrahimi }
987*62c56f98SSadaf Ebrahimi
988*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(3,
989*62c56f98SSadaf Ebrahimi ("client hello, adding pre_shared_key extension, "
990*62c56f98SSadaf Ebrahimi "omitting PSK binder list"));
991*62c56f98SSadaf Ebrahimi
992*62c56f98SSadaf Ebrahimi /* Take into account the two bytes for the length of the binders. */
993*62c56f98SSadaf Ebrahimi l_binders_len += 2;
994*62c56f98SSadaf Ebrahimi /* Check if there is enough space for binders */
995*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_CHK_BUF_PTR(p, end, l_binders_len);
996*62c56f98SSadaf Ebrahimi
997*62c56f98SSadaf Ebrahimi /*
998*62c56f98SSadaf Ebrahimi * - extension_type (2 bytes)
999*62c56f98SSadaf Ebrahimi * - extension_data_len (2 bytes)
1000*62c56f98SSadaf Ebrahimi * - identities_len (2 bytes)
1001*62c56f98SSadaf Ebrahimi */
1002*62c56f98SSadaf Ebrahimi MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_PRE_SHARED_KEY, buf, 0);
1003*62c56f98SSadaf Ebrahimi MBEDTLS_PUT_UINT16_BE(p - buf - 4 + l_binders_len, buf, 2);
1004*62c56f98SSadaf Ebrahimi MBEDTLS_PUT_UINT16_BE(p - buf - 6, buf, 4);
1005*62c56f98SSadaf Ebrahimi
1006*62c56f98SSadaf Ebrahimi *out_len = (p - buf) + l_binders_len;
1007*62c56f98SSadaf Ebrahimi *binders_len = l_binders_len;
1008*62c56f98SSadaf Ebrahimi
1009*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_BUF(3, "pre_shared_key identities", buf, p - buf);
1010*62c56f98SSadaf Ebrahimi
1011*62c56f98SSadaf Ebrahimi return 0;
1012*62c56f98SSadaf Ebrahimi }
1013*62c56f98SSadaf Ebrahimi
mbedtls_ssl_tls13_write_binders_of_pre_shared_key_ext(mbedtls_ssl_context * ssl,unsigned char * buf,unsigned char * end)1014*62c56f98SSadaf Ebrahimi int mbedtls_ssl_tls13_write_binders_of_pre_shared_key_ext(
1015*62c56f98SSadaf Ebrahimi mbedtls_ssl_context *ssl, unsigned char *buf, unsigned char *end)
1016*62c56f98SSadaf Ebrahimi {
1017*62c56f98SSadaf Ebrahimi int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1018*62c56f98SSadaf Ebrahimi unsigned char *p = buf;
1019*62c56f98SSadaf Ebrahimi psa_algorithm_t hash_alg = PSA_ALG_NONE;
1020*62c56f98SSadaf Ebrahimi const unsigned char *psk;
1021*62c56f98SSadaf Ebrahimi size_t psk_len;
1022*62c56f98SSadaf Ebrahimi size_t output_len;
1023*62c56f98SSadaf Ebrahimi
1024*62c56f98SSadaf Ebrahimi /* Check if we have space to write binders_len.
1025*62c56f98SSadaf Ebrahimi * - binders_len (2 bytes)
1026*62c56f98SSadaf Ebrahimi */
1027*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2);
1028*62c56f98SSadaf Ebrahimi p += 2;
1029*62c56f98SSadaf Ebrahimi
1030*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_SSL_SESSION_TICKETS)
1031*62c56f98SSadaf Ebrahimi if (ssl_tls13_ticket_get_psk(ssl, &hash_alg, &psk, &psk_len) == 0) {
1032*62c56f98SSadaf Ebrahimi
1033*62c56f98SSadaf Ebrahimi ret = ssl_tls13_write_binder(ssl, p, end,
1034*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION,
1035*62c56f98SSadaf Ebrahimi hash_alg, psk, psk_len,
1036*62c56f98SSadaf Ebrahimi &output_len);
1037*62c56f98SSadaf Ebrahimi if (ret != 0) {
1038*62c56f98SSadaf Ebrahimi return ret;
1039*62c56f98SSadaf Ebrahimi }
1040*62c56f98SSadaf Ebrahimi p += output_len;
1041*62c56f98SSadaf Ebrahimi }
1042*62c56f98SSadaf Ebrahimi #endif /* MBEDTLS_SSL_SESSION_TICKETS */
1043*62c56f98SSadaf Ebrahimi
1044*62c56f98SSadaf Ebrahimi if (ssl_tls13_psk_get_psk(ssl, &hash_alg, &psk, &psk_len) == 0) {
1045*62c56f98SSadaf Ebrahimi
1046*62c56f98SSadaf Ebrahimi ret = ssl_tls13_write_binder(ssl, p, end,
1047*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_TLS1_3_PSK_EXTERNAL,
1048*62c56f98SSadaf Ebrahimi hash_alg, psk, psk_len,
1049*62c56f98SSadaf Ebrahimi &output_len);
1050*62c56f98SSadaf Ebrahimi if (ret != 0) {
1051*62c56f98SSadaf Ebrahimi return ret;
1052*62c56f98SSadaf Ebrahimi }
1053*62c56f98SSadaf Ebrahimi p += output_len;
1054*62c56f98SSadaf Ebrahimi }
1055*62c56f98SSadaf Ebrahimi
1056*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, adding PSK binder list."));
1057*62c56f98SSadaf Ebrahimi
1058*62c56f98SSadaf Ebrahimi /*
1059*62c56f98SSadaf Ebrahimi * - binders_len (2 bytes)
1060*62c56f98SSadaf Ebrahimi */
1061*62c56f98SSadaf Ebrahimi MBEDTLS_PUT_UINT16_BE(p - buf - 2, buf, 0);
1062*62c56f98SSadaf Ebrahimi
1063*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_BUF(3, "pre_shared_key binders", buf, p - buf);
1064*62c56f98SSadaf Ebrahimi
1065*62c56f98SSadaf Ebrahimi mbedtls_ssl_tls13_set_hs_sent_ext_mask(
1066*62c56f98SSadaf Ebrahimi ssl, MBEDTLS_TLS_EXT_PRE_SHARED_KEY);
1067*62c56f98SSadaf Ebrahimi
1068*62c56f98SSadaf Ebrahimi return 0;
1069*62c56f98SSadaf Ebrahimi }
1070*62c56f98SSadaf Ebrahimi
1071*62c56f98SSadaf Ebrahimi /*
1072*62c56f98SSadaf Ebrahimi * struct {
1073*62c56f98SSadaf Ebrahimi * opaque identity<1..2^16-1>;
1074*62c56f98SSadaf Ebrahimi * uint32 obfuscated_ticket_age;
1075*62c56f98SSadaf Ebrahimi * } PskIdentity;
1076*62c56f98SSadaf Ebrahimi *
1077*62c56f98SSadaf Ebrahimi * opaque PskBinderEntry<32..255>;
1078*62c56f98SSadaf Ebrahimi *
1079*62c56f98SSadaf Ebrahimi * struct {
1080*62c56f98SSadaf Ebrahimi *
1081*62c56f98SSadaf Ebrahimi * select (Handshake.msg_type) {
1082*62c56f98SSadaf Ebrahimi * ...
1083*62c56f98SSadaf Ebrahimi * case server_hello: uint16 selected_identity;
1084*62c56f98SSadaf Ebrahimi * };
1085*62c56f98SSadaf Ebrahimi *
1086*62c56f98SSadaf Ebrahimi * } PreSharedKeyExtension;
1087*62c56f98SSadaf Ebrahimi *
1088*62c56f98SSadaf Ebrahimi */
1089*62c56f98SSadaf Ebrahimi MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_parse_server_pre_shared_key_ext(mbedtls_ssl_context * ssl,const unsigned char * buf,const unsigned char * end)1090*62c56f98SSadaf Ebrahimi static int ssl_tls13_parse_server_pre_shared_key_ext(mbedtls_ssl_context *ssl,
1091*62c56f98SSadaf Ebrahimi const unsigned char *buf,
1092*62c56f98SSadaf Ebrahimi const unsigned char *end)
1093*62c56f98SSadaf Ebrahimi {
1094*62c56f98SSadaf Ebrahimi int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1095*62c56f98SSadaf Ebrahimi int selected_identity;
1096*62c56f98SSadaf Ebrahimi const unsigned char *psk;
1097*62c56f98SSadaf Ebrahimi size_t psk_len;
1098*62c56f98SSadaf Ebrahimi psa_algorithm_t hash_alg;
1099*62c56f98SSadaf Ebrahimi
1100*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_CHK_BUF_READ_PTR(buf, end, 2);
1101*62c56f98SSadaf Ebrahimi selected_identity = MBEDTLS_GET_UINT16_BE(buf, 0);
1102*62c56f98SSadaf Ebrahimi ssl->handshake->selected_identity = (uint16_t) selected_identity;
1103*62c56f98SSadaf Ebrahimi
1104*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(3, ("selected_identity = %d", selected_identity));
1105*62c56f98SSadaf Ebrahimi
1106*62c56f98SSadaf Ebrahimi if (selected_identity >= ssl_tls13_get_configured_psk_count(ssl)) {
1107*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(1, ("Invalid PSK identity."));
1108*62c56f98SSadaf Ebrahimi
1109*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
1110*62c56f98SSadaf Ebrahimi MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
1111*62c56f98SSadaf Ebrahimi return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
1112*62c56f98SSadaf Ebrahimi }
1113*62c56f98SSadaf Ebrahimi
1114*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_SSL_SESSION_TICKETS)
1115*62c56f98SSadaf Ebrahimi if (selected_identity == 0 && ssl_tls13_has_configured_ticket(ssl)) {
1116*62c56f98SSadaf Ebrahimi ret = ssl_tls13_ticket_get_psk(ssl, &hash_alg, &psk, &psk_len);
1117*62c56f98SSadaf Ebrahimi } else
1118*62c56f98SSadaf Ebrahimi #endif
1119*62c56f98SSadaf Ebrahimi if (mbedtls_ssl_conf_has_static_psk(ssl->conf)) {
1120*62c56f98SSadaf Ebrahimi ret = ssl_tls13_psk_get_psk(ssl, &hash_alg, &psk, &psk_len);
1121*62c56f98SSadaf Ebrahimi } else {
1122*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
1123*62c56f98SSadaf Ebrahimi return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
1124*62c56f98SSadaf Ebrahimi }
1125*62c56f98SSadaf Ebrahimi if (ret != 0) {
1126*62c56f98SSadaf Ebrahimi return ret;
1127*62c56f98SSadaf Ebrahimi }
1128*62c56f98SSadaf Ebrahimi
1129*62c56f98SSadaf Ebrahimi if (mbedtls_md_psa_alg_from_type(ssl->handshake->ciphersuite_info->mac)
1130*62c56f98SSadaf Ebrahimi != hash_alg) {
1131*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(
1132*62c56f98SSadaf Ebrahimi 1, ("Invalid ciphersuite for external psk."));
1133*62c56f98SSadaf Ebrahimi
1134*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
1135*62c56f98SSadaf Ebrahimi MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
1136*62c56f98SSadaf Ebrahimi return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
1137*62c56f98SSadaf Ebrahimi }
1138*62c56f98SSadaf Ebrahimi
1139*62c56f98SSadaf Ebrahimi ret = mbedtls_ssl_set_hs_psk(ssl, psk, psk_len);
1140*62c56f98SSadaf Ebrahimi if (ret != 0) {
1141*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_set_hs_psk", ret);
1142*62c56f98SSadaf Ebrahimi return ret;
1143*62c56f98SSadaf Ebrahimi }
1144*62c56f98SSadaf Ebrahimi
1145*62c56f98SSadaf Ebrahimi return 0;
1146*62c56f98SSadaf Ebrahimi }
1147*62c56f98SSadaf Ebrahimi #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */
1148*62c56f98SSadaf Ebrahimi
mbedtls_ssl_tls13_write_client_hello_exts(mbedtls_ssl_context * ssl,unsigned char * buf,unsigned char * end,size_t * out_len)1149*62c56f98SSadaf Ebrahimi int mbedtls_ssl_tls13_write_client_hello_exts(mbedtls_ssl_context *ssl,
1150*62c56f98SSadaf Ebrahimi unsigned char *buf,
1151*62c56f98SSadaf Ebrahimi unsigned char *end,
1152*62c56f98SSadaf Ebrahimi size_t *out_len)
1153*62c56f98SSadaf Ebrahimi {
1154*62c56f98SSadaf Ebrahimi int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1155*62c56f98SSadaf Ebrahimi unsigned char *p = buf;
1156*62c56f98SSadaf Ebrahimi size_t ext_len;
1157*62c56f98SSadaf Ebrahimi
1158*62c56f98SSadaf Ebrahimi *out_len = 0;
1159*62c56f98SSadaf Ebrahimi
1160*62c56f98SSadaf Ebrahimi /* Write supported_versions extension
1161*62c56f98SSadaf Ebrahimi *
1162*62c56f98SSadaf Ebrahimi * Supported Versions Extension is mandatory with TLS 1.3.
1163*62c56f98SSadaf Ebrahimi */
1164*62c56f98SSadaf Ebrahimi ret = ssl_tls13_write_supported_versions_ext(ssl, p, end, &ext_len);
1165*62c56f98SSadaf Ebrahimi if (ret != 0) {
1166*62c56f98SSadaf Ebrahimi return ret;
1167*62c56f98SSadaf Ebrahimi }
1168*62c56f98SSadaf Ebrahimi p += ext_len;
1169*62c56f98SSadaf Ebrahimi
1170*62c56f98SSadaf Ebrahimi /* Echo the cookie if the server provided one in its preceding
1171*62c56f98SSadaf Ebrahimi * HelloRetryRequest message.
1172*62c56f98SSadaf Ebrahimi */
1173*62c56f98SSadaf Ebrahimi ret = ssl_tls13_write_cookie_ext(ssl, p, end, &ext_len);
1174*62c56f98SSadaf Ebrahimi if (ret != 0) {
1175*62c56f98SSadaf Ebrahimi return ret;
1176*62c56f98SSadaf Ebrahimi }
1177*62c56f98SSadaf Ebrahimi p += ext_len;
1178*62c56f98SSadaf Ebrahimi
1179*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)
1180*62c56f98SSadaf Ebrahimi if (mbedtls_ssl_conf_tls13_some_ephemeral_enabled(ssl)) {
1181*62c56f98SSadaf Ebrahimi ret = ssl_tls13_write_key_share_ext(ssl, p, end, &ext_len);
1182*62c56f98SSadaf Ebrahimi if (ret != 0) {
1183*62c56f98SSadaf Ebrahimi return ret;
1184*62c56f98SSadaf Ebrahimi }
1185*62c56f98SSadaf Ebrahimi p += ext_len;
1186*62c56f98SSadaf Ebrahimi }
1187*62c56f98SSadaf Ebrahimi #endif
1188*62c56f98SSadaf Ebrahimi
1189*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_SSL_EARLY_DATA)
1190*62c56f98SSadaf Ebrahimi if (mbedtls_ssl_conf_tls13_some_psk_enabled(ssl) &&
1191*62c56f98SSadaf Ebrahimi ssl_tls13_early_data_has_valid_ticket(ssl) &&
1192*62c56f98SSadaf Ebrahimi ssl->conf->early_data_enabled == MBEDTLS_SSL_EARLY_DATA_ENABLED) {
1193*62c56f98SSadaf Ebrahimi ret = mbedtls_ssl_tls13_write_early_data_ext(ssl, p, end, &ext_len);
1194*62c56f98SSadaf Ebrahimi if (ret != 0) {
1195*62c56f98SSadaf Ebrahimi return ret;
1196*62c56f98SSadaf Ebrahimi }
1197*62c56f98SSadaf Ebrahimi p += ext_len;
1198*62c56f98SSadaf Ebrahimi
1199*62c56f98SSadaf Ebrahimi /* Initializes the status to `rejected`. It will be updated to
1200*62c56f98SSadaf Ebrahimi * `accepted` if the EncryptedExtension message contain an early data
1201*62c56f98SSadaf Ebrahimi * indication extension.
1202*62c56f98SSadaf Ebrahimi */
1203*62c56f98SSadaf Ebrahimi ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED;
1204*62c56f98SSadaf Ebrahimi } else {
1205*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write early_data extension"));
1206*62c56f98SSadaf Ebrahimi ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT;
1207*62c56f98SSadaf Ebrahimi }
1208*62c56f98SSadaf Ebrahimi #endif /* MBEDTLS_SSL_EARLY_DATA */
1209*62c56f98SSadaf Ebrahimi
1210*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
1211*62c56f98SSadaf Ebrahimi /* For PSK-based key exchange we need the pre_shared_key extension
1212*62c56f98SSadaf Ebrahimi * and the psk_key_exchange_modes extension.
1213*62c56f98SSadaf Ebrahimi *
1214*62c56f98SSadaf Ebrahimi * The pre_shared_key extension MUST be the last extension in the
1215*62c56f98SSadaf Ebrahimi * ClientHello. Servers MUST check that it is the last extension and
1216*62c56f98SSadaf Ebrahimi * otherwise fail the handshake with an "illegal_parameter" alert.
1217*62c56f98SSadaf Ebrahimi *
1218*62c56f98SSadaf Ebrahimi * Add the psk_key_exchange_modes extension.
1219*62c56f98SSadaf Ebrahimi */
1220*62c56f98SSadaf Ebrahimi ret = ssl_tls13_write_psk_key_exchange_modes_ext(ssl, p, end, &ext_len);
1221*62c56f98SSadaf Ebrahimi if (ret != 0) {
1222*62c56f98SSadaf Ebrahimi return ret;
1223*62c56f98SSadaf Ebrahimi }
1224*62c56f98SSadaf Ebrahimi p += ext_len;
1225*62c56f98SSadaf Ebrahimi #endif
1226*62c56f98SSadaf Ebrahimi
1227*62c56f98SSadaf Ebrahimi *out_len = p - buf;
1228*62c56f98SSadaf Ebrahimi
1229*62c56f98SSadaf Ebrahimi return 0;
1230*62c56f98SSadaf Ebrahimi }
1231*62c56f98SSadaf Ebrahimi
mbedtls_ssl_tls13_finalize_client_hello(mbedtls_ssl_context * ssl)1232*62c56f98SSadaf Ebrahimi int mbedtls_ssl_tls13_finalize_client_hello(mbedtls_ssl_context *ssl)
1233*62c56f98SSadaf Ebrahimi {
1234*62c56f98SSadaf Ebrahimi ((void) ssl);
1235*62c56f98SSadaf Ebrahimi
1236*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_SSL_EARLY_DATA)
1237*62c56f98SSadaf Ebrahimi int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1238*62c56f98SSadaf Ebrahimi psa_algorithm_t hash_alg = PSA_ALG_NONE;
1239*62c56f98SSadaf Ebrahimi const unsigned char *psk;
1240*62c56f98SSadaf Ebrahimi size_t psk_len;
1241*62c56f98SSadaf Ebrahimi const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
1242*62c56f98SSadaf Ebrahimi
1243*62c56f98SSadaf Ebrahimi if (ssl->early_data_status == MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED) {
1244*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
1245*62c56f98SSadaf Ebrahimi mbedtls_ssl_handshake_set_state(
1246*62c56f98SSadaf Ebrahimi ssl, MBEDTLS_SSL_CLIENT_CCS_AFTER_CLIENT_HELLO);
1247*62c56f98SSadaf Ebrahimi #endif
1248*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(
1249*62c56f98SSadaf Ebrahimi 1, ("Set hs psk for early data when writing the first psk"));
1250*62c56f98SSadaf Ebrahimi
1251*62c56f98SSadaf Ebrahimi ret = ssl_tls13_ticket_get_psk(ssl, &hash_alg, &psk, &psk_len);
1252*62c56f98SSadaf Ebrahimi if (ret != 0) {
1253*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_RET(
1254*62c56f98SSadaf Ebrahimi 1, "ssl_tls13_ticket_get_psk", ret);
1255*62c56f98SSadaf Ebrahimi return ret;
1256*62c56f98SSadaf Ebrahimi }
1257*62c56f98SSadaf Ebrahimi
1258*62c56f98SSadaf Ebrahimi ret = mbedtls_ssl_set_hs_psk(ssl, psk, psk_len);
1259*62c56f98SSadaf Ebrahimi if (ret != 0) {
1260*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_set_hs_psk", ret);
1261*62c56f98SSadaf Ebrahimi return ret;
1262*62c56f98SSadaf Ebrahimi }
1263*62c56f98SSadaf Ebrahimi
1264*62c56f98SSadaf Ebrahimi /*
1265*62c56f98SSadaf Ebrahimi * Early data are going to be encrypted using the ciphersuite
1266*62c56f98SSadaf Ebrahimi * associated with the pre-shared key used for the handshake.
1267*62c56f98SSadaf Ebrahimi * Note that if the server rejects early data, the handshake
1268*62c56f98SSadaf Ebrahimi * based on the pre-shared key may complete successfully
1269*62c56f98SSadaf Ebrahimi * with a selected ciphersuite different from the ciphersuite
1270*62c56f98SSadaf Ebrahimi * associated with the pre-shared key. Only the hashes of the
1271*62c56f98SSadaf Ebrahimi * two ciphersuites have to be the same. In that case, the
1272*62c56f98SSadaf Ebrahimi * encrypted handshake data and application data are
1273*62c56f98SSadaf Ebrahimi * encrypted using a different ciphersuite than the one used for
1274*62c56f98SSadaf Ebrahimi * the rejected early data.
1275*62c56f98SSadaf Ebrahimi */
1276*62c56f98SSadaf Ebrahimi ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(
1277*62c56f98SSadaf Ebrahimi ssl->session_negotiate->ciphersuite);
1278*62c56f98SSadaf Ebrahimi ssl->handshake->ciphersuite_info = ciphersuite_info;
1279*62c56f98SSadaf Ebrahimi
1280*62c56f98SSadaf Ebrahimi /* Enable psk and psk_ephemeral to make stage early happy */
1281*62c56f98SSadaf Ebrahimi ssl->handshake->key_exchange_mode =
1282*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL;
1283*62c56f98SSadaf Ebrahimi
1284*62c56f98SSadaf Ebrahimi /* Start the TLS 1.3 key schedule:
1285*62c56f98SSadaf Ebrahimi * Set the PSK and derive early secret.
1286*62c56f98SSadaf Ebrahimi */
1287*62c56f98SSadaf Ebrahimi ret = mbedtls_ssl_tls13_key_schedule_stage_early(ssl);
1288*62c56f98SSadaf Ebrahimi if (ret != 0) {
1289*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_RET(
1290*62c56f98SSadaf Ebrahimi 1, "mbedtls_ssl_tls13_key_schedule_stage_early", ret);
1291*62c56f98SSadaf Ebrahimi return ret;
1292*62c56f98SSadaf Ebrahimi }
1293*62c56f98SSadaf Ebrahimi
1294*62c56f98SSadaf Ebrahimi /* Derive early data key material */
1295*62c56f98SSadaf Ebrahimi ret = mbedtls_ssl_tls13_compute_early_transform(ssl);
1296*62c56f98SSadaf Ebrahimi if (ret != 0) {
1297*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_RET(
1298*62c56f98SSadaf Ebrahimi 1, "mbedtls_ssl_tls13_compute_early_transform", ret);
1299*62c56f98SSadaf Ebrahimi return ret;
1300*62c56f98SSadaf Ebrahimi }
1301*62c56f98SSadaf Ebrahimi
1302*62c56f98SSadaf Ebrahimi }
1303*62c56f98SSadaf Ebrahimi #endif /* MBEDTLS_SSL_EARLY_DATA */
1304*62c56f98SSadaf Ebrahimi return 0;
1305*62c56f98SSadaf Ebrahimi }
1306*62c56f98SSadaf Ebrahimi /*
1307*62c56f98SSadaf Ebrahimi * Functions for parsing and processing Server Hello
1308*62c56f98SSadaf Ebrahimi */
1309*62c56f98SSadaf Ebrahimi
1310*62c56f98SSadaf Ebrahimi /**
1311*62c56f98SSadaf Ebrahimi * \brief Detect if the ServerHello contains a supported_versions extension
1312*62c56f98SSadaf Ebrahimi * or not.
1313*62c56f98SSadaf Ebrahimi *
1314*62c56f98SSadaf Ebrahimi * \param[in] ssl SSL context
1315*62c56f98SSadaf Ebrahimi * \param[in] buf Buffer containing the ServerHello message
1316*62c56f98SSadaf Ebrahimi * \param[in] end End of the buffer containing the ServerHello message
1317*62c56f98SSadaf Ebrahimi *
1318*62c56f98SSadaf Ebrahimi * \return 0 if the ServerHello does not contain a supported_versions extension
1319*62c56f98SSadaf Ebrahimi * \return 1 if the ServerHello contains a supported_versions extension
1320*62c56f98SSadaf Ebrahimi * \return A negative value if an error occurred while parsing the ServerHello.
1321*62c56f98SSadaf Ebrahimi */
1322*62c56f98SSadaf Ebrahimi MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_is_supported_versions_ext_present(mbedtls_ssl_context * ssl,const unsigned char * buf,const unsigned char * end)1323*62c56f98SSadaf Ebrahimi static int ssl_tls13_is_supported_versions_ext_present(
1324*62c56f98SSadaf Ebrahimi mbedtls_ssl_context *ssl,
1325*62c56f98SSadaf Ebrahimi const unsigned char *buf,
1326*62c56f98SSadaf Ebrahimi const unsigned char *end)
1327*62c56f98SSadaf Ebrahimi {
1328*62c56f98SSadaf Ebrahimi const unsigned char *p = buf;
1329*62c56f98SSadaf Ebrahimi size_t legacy_session_id_echo_len;
1330*62c56f98SSadaf Ebrahimi const unsigned char *supported_versions_data;
1331*62c56f98SSadaf Ebrahimi const unsigned char *supported_versions_data_end;
1332*62c56f98SSadaf Ebrahimi
1333*62c56f98SSadaf Ebrahimi /*
1334*62c56f98SSadaf Ebrahimi * Check there is enough data to access the legacy_session_id_echo vector
1335*62c56f98SSadaf Ebrahimi * length:
1336*62c56f98SSadaf Ebrahimi * - legacy_version 2 bytes
1337*62c56f98SSadaf Ebrahimi * - random MBEDTLS_SERVER_HELLO_RANDOM_LEN bytes
1338*62c56f98SSadaf Ebrahimi * - legacy_session_id_echo length 1 byte
1339*62c56f98SSadaf Ebrahimi */
1340*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, MBEDTLS_SERVER_HELLO_RANDOM_LEN + 3);
1341*62c56f98SSadaf Ebrahimi p += MBEDTLS_SERVER_HELLO_RANDOM_LEN + 2;
1342*62c56f98SSadaf Ebrahimi legacy_session_id_echo_len = *p;
1343*62c56f98SSadaf Ebrahimi
1344*62c56f98SSadaf Ebrahimi /*
1345*62c56f98SSadaf Ebrahimi * Jump to the extensions, jumping over:
1346*62c56f98SSadaf Ebrahimi * - legacy_session_id_echo (legacy_session_id_echo_len + 1) bytes
1347*62c56f98SSadaf Ebrahimi * - cipher_suite 2 bytes
1348*62c56f98SSadaf Ebrahimi * - legacy_compression_method 1 byte
1349*62c56f98SSadaf Ebrahimi */
1350*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, legacy_session_id_echo_len + 4);
1351*62c56f98SSadaf Ebrahimi p += legacy_session_id_echo_len + 4;
1352*62c56f98SSadaf Ebrahimi
1353*62c56f98SSadaf Ebrahimi return mbedtls_ssl_tls13_is_supported_versions_ext_present_in_exts(
1354*62c56f98SSadaf Ebrahimi ssl, p, end,
1355*62c56f98SSadaf Ebrahimi &supported_versions_data, &supported_versions_data_end);
1356*62c56f98SSadaf Ebrahimi }
1357*62c56f98SSadaf Ebrahimi
1358*62c56f98SSadaf Ebrahimi /* Returns a negative value on failure, and otherwise
1359*62c56f98SSadaf Ebrahimi * - 1 if the last eight bytes of the ServerHello random bytes indicate that
1360*62c56f98SSadaf Ebrahimi * the server is TLS 1.3 capable but negotiating TLS 1.2 or below.
1361*62c56f98SSadaf Ebrahimi * - 0 otherwise
1362*62c56f98SSadaf Ebrahimi */
1363*62c56f98SSadaf Ebrahimi MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_is_downgrade_negotiation(mbedtls_ssl_context * ssl,const unsigned char * buf,const unsigned char * end)1364*62c56f98SSadaf Ebrahimi static int ssl_tls13_is_downgrade_negotiation(mbedtls_ssl_context *ssl,
1365*62c56f98SSadaf Ebrahimi const unsigned char *buf,
1366*62c56f98SSadaf Ebrahimi const unsigned char *end)
1367*62c56f98SSadaf Ebrahimi {
1368*62c56f98SSadaf Ebrahimi /* First seven bytes of the magic downgrade strings, see RFC 8446 4.1.3 */
1369*62c56f98SSadaf Ebrahimi static const unsigned char magic_downgrade_string[] =
1370*62c56f98SSadaf Ebrahimi { 0x44, 0x4F, 0x57, 0x4E, 0x47, 0x52, 0x44 };
1371*62c56f98SSadaf Ebrahimi const unsigned char *last_eight_bytes_of_random;
1372*62c56f98SSadaf Ebrahimi unsigned char last_byte_of_random;
1373*62c56f98SSadaf Ebrahimi
1374*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_CHK_BUF_READ_PTR(buf, end, MBEDTLS_SERVER_HELLO_RANDOM_LEN + 2);
1375*62c56f98SSadaf Ebrahimi last_eight_bytes_of_random = buf + 2 + MBEDTLS_SERVER_HELLO_RANDOM_LEN - 8;
1376*62c56f98SSadaf Ebrahimi
1377*62c56f98SSadaf Ebrahimi if (memcmp(last_eight_bytes_of_random,
1378*62c56f98SSadaf Ebrahimi magic_downgrade_string,
1379*62c56f98SSadaf Ebrahimi sizeof(magic_downgrade_string)) == 0) {
1380*62c56f98SSadaf Ebrahimi last_byte_of_random = last_eight_bytes_of_random[7];
1381*62c56f98SSadaf Ebrahimi return last_byte_of_random == 0 ||
1382*62c56f98SSadaf Ebrahimi last_byte_of_random == 1;
1383*62c56f98SSadaf Ebrahimi }
1384*62c56f98SSadaf Ebrahimi
1385*62c56f98SSadaf Ebrahimi return 0;
1386*62c56f98SSadaf Ebrahimi }
1387*62c56f98SSadaf Ebrahimi
1388*62c56f98SSadaf Ebrahimi /* Returns a negative value on failure, and otherwise
1389*62c56f98SSadaf Ebrahimi * - SSL_SERVER_HELLO or
1390*62c56f98SSadaf Ebrahimi * - SSL_SERVER_HELLO_HRR
1391*62c56f98SSadaf Ebrahimi * to indicate which message is expected and to be parsed next.
1392*62c56f98SSadaf Ebrahimi */
1393*62c56f98SSadaf Ebrahimi #define SSL_SERVER_HELLO 0
1394*62c56f98SSadaf Ebrahimi #define SSL_SERVER_HELLO_HRR 1
1395*62c56f98SSadaf Ebrahimi MBEDTLS_CHECK_RETURN_CRITICAL
ssl_server_hello_is_hrr(mbedtls_ssl_context * ssl,const unsigned char * buf,const unsigned char * end)1396*62c56f98SSadaf Ebrahimi static int ssl_server_hello_is_hrr(mbedtls_ssl_context *ssl,
1397*62c56f98SSadaf Ebrahimi const unsigned char *buf,
1398*62c56f98SSadaf Ebrahimi const unsigned char *end)
1399*62c56f98SSadaf Ebrahimi {
1400*62c56f98SSadaf Ebrahimi
1401*62c56f98SSadaf Ebrahimi /* Check whether this message is a HelloRetryRequest ( HRR ) message.
1402*62c56f98SSadaf Ebrahimi *
1403*62c56f98SSadaf Ebrahimi * Server Hello and HRR are only distinguished by Random set to the
1404*62c56f98SSadaf Ebrahimi * special value of the SHA-256 of "HelloRetryRequest".
1405*62c56f98SSadaf Ebrahimi *
1406*62c56f98SSadaf Ebrahimi * struct {
1407*62c56f98SSadaf Ebrahimi * ProtocolVersion legacy_version = 0x0303;
1408*62c56f98SSadaf Ebrahimi * Random random;
1409*62c56f98SSadaf Ebrahimi * opaque legacy_session_id_echo<0..32>;
1410*62c56f98SSadaf Ebrahimi * CipherSuite cipher_suite;
1411*62c56f98SSadaf Ebrahimi * uint8 legacy_compression_method = 0;
1412*62c56f98SSadaf Ebrahimi * Extension extensions<6..2^16-1>;
1413*62c56f98SSadaf Ebrahimi * } ServerHello;
1414*62c56f98SSadaf Ebrahimi *
1415*62c56f98SSadaf Ebrahimi */
1416*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_CHK_BUF_READ_PTR(
1417*62c56f98SSadaf Ebrahimi buf, end, 2 + sizeof(mbedtls_ssl_tls13_hello_retry_request_magic));
1418*62c56f98SSadaf Ebrahimi
1419*62c56f98SSadaf Ebrahimi if (memcmp(buf + 2, mbedtls_ssl_tls13_hello_retry_request_magic,
1420*62c56f98SSadaf Ebrahimi sizeof(mbedtls_ssl_tls13_hello_retry_request_magic)) == 0) {
1421*62c56f98SSadaf Ebrahimi return SSL_SERVER_HELLO_HRR;
1422*62c56f98SSadaf Ebrahimi }
1423*62c56f98SSadaf Ebrahimi
1424*62c56f98SSadaf Ebrahimi return SSL_SERVER_HELLO;
1425*62c56f98SSadaf Ebrahimi }
1426*62c56f98SSadaf Ebrahimi
1427*62c56f98SSadaf Ebrahimi /*
1428*62c56f98SSadaf Ebrahimi * Returns a negative value on failure, and otherwise
1429*62c56f98SSadaf Ebrahimi * - SSL_SERVER_HELLO or
1430*62c56f98SSadaf Ebrahimi * - SSL_SERVER_HELLO_HRR or
1431*62c56f98SSadaf Ebrahimi * - SSL_SERVER_HELLO_TLS1_2
1432*62c56f98SSadaf Ebrahimi */
1433*62c56f98SSadaf Ebrahimi #define SSL_SERVER_HELLO_TLS1_2 2
1434*62c56f98SSadaf Ebrahimi MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_preprocess_server_hello(mbedtls_ssl_context * ssl,const unsigned char * buf,const unsigned char * end)1435*62c56f98SSadaf Ebrahimi static int ssl_tls13_preprocess_server_hello(mbedtls_ssl_context *ssl,
1436*62c56f98SSadaf Ebrahimi const unsigned char *buf,
1437*62c56f98SSadaf Ebrahimi const unsigned char *end)
1438*62c56f98SSadaf Ebrahimi {
1439*62c56f98SSadaf Ebrahimi int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1440*62c56f98SSadaf Ebrahimi mbedtls_ssl_handshake_params *handshake = ssl->handshake;
1441*62c56f98SSadaf Ebrahimi
1442*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_PROC_CHK_NEG(ssl_tls13_is_supported_versions_ext_present(
1443*62c56f98SSadaf Ebrahimi ssl, buf, end));
1444*62c56f98SSadaf Ebrahimi
1445*62c56f98SSadaf Ebrahimi if (ret == 0) {
1446*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_PROC_CHK_NEG(
1447*62c56f98SSadaf Ebrahimi ssl_tls13_is_downgrade_negotiation(ssl, buf, end));
1448*62c56f98SSadaf Ebrahimi
1449*62c56f98SSadaf Ebrahimi /* If the server is negotiating TLS 1.2 or below and:
1450*62c56f98SSadaf Ebrahimi * . we did not propose TLS 1.2 or
1451*62c56f98SSadaf Ebrahimi * . the server responded it is TLS 1.3 capable but negotiating a lower
1452*62c56f98SSadaf Ebrahimi * version of the protocol and thus we are under downgrade attack
1453*62c56f98SSadaf Ebrahimi * abort the handshake with an "illegal parameter" alert.
1454*62c56f98SSadaf Ebrahimi */
1455*62c56f98SSadaf Ebrahimi if (handshake->min_tls_version > MBEDTLS_SSL_VERSION_TLS1_2 || ret) {
1456*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
1457*62c56f98SSadaf Ebrahimi MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
1458*62c56f98SSadaf Ebrahimi return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
1459*62c56f98SSadaf Ebrahimi }
1460*62c56f98SSadaf Ebrahimi
1461*62c56f98SSadaf Ebrahimi /*
1462*62c56f98SSadaf Ebrahimi * Version 1.2 of the protocol has been negotiated, set the
1463*62c56f98SSadaf Ebrahimi * ssl->keep_current_message flag for the ServerHello to be kept and
1464*62c56f98SSadaf Ebrahimi * parsed as a TLS 1.2 ServerHello. We also change ssl->tls_version to
1465*62c56f98SSadaf Ebrahimi * MBEDTLS_SSL_VERSION_TLS1_2 thus from now on mbedtls_ssl_handshake_step()
1466*62c56f98SSadaf Ebrahimi * will dispatch to the TLS 1.2 state machine.
1467*62c56f98SSadaf Ebrahimi */
1468*62c56f98SSadaf Ebrahimi ssl->keep_current_message = 1;
1469*62c56f98SSadaf Ebrahimi ssl->tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
1470*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(
1471*62c56f98SSadaf Ebrahimi ssl, MBEDTLS_SSL_HS_SERVER_HELLO,
1472*62c56f98SSadaf Ebrahimi buf, (size_t) (end - buf)));
1473*62c56f98SSadaf Ebrahimi
1474*62c56f98SSadaf Ebrahimi if (mbedtls_ssl_conf_tls13_some_ephemeral_enabled(ssl)) {
1475*62c56f98SSadaf Ebrahimi ret = ssl_tls13_reset_key_share(ssl);
1476*62c56f98SSadaf Ebrahimi if (ret != 0) {
1477*62c56f98SSadaf Ebrahimi return ret;
1478*62c56f98SSadaf Ebrahimi }
1479*62c56f98SSadaf Ebrahimi }
1480*62c56f98SSadaf Ebrahimi
1481*62c56f98SSadaf Ebrahimi return SSL_SERVER_HELLO_TLS1_2;
1482*62c56f98SSadaf Ebrahimi }
1483*62c56f98SSadaf Ebrahimi
1484*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_SSL_SESSION_TICKETS)
1485*62c56f98SSadaf Ebrahimi ssl->session_negotiate->endpoint = ssl->conf->endpoint;
1486*62c56f98SSadaf Ebrahimi ssl->session_negotiate->tls_version = ssl->tls_version;
1487*62c56f98SSadaf Ebrahimi #endif /* MBEDTLS_SSL_SESSION_TICKETS */
1488*62c56f98SSadaf Ebrahimi
1489*62c56f98SSadaf Ebrahimi handshake->received_extensions = MBEDTLS_SSL_EXT_MASK_NONE;
1490*62c56f98SSadaf Ebrahimi
1491*62c56f98SSadaf Ebrahimi ret = ssl_server_hello_is_hrr(ssl, buf, end);
1492*62c56f98SSadaf Ebrahimi switch (ret) {
1493*62c56f98SSadaf Ebrahimi case SSL_SERVER_HELLO:
1494*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(2, ("received ServerHello message"));
1495*62c56f98SSadaf Ebrahimi break;
1496*62c56f98SSadaf Ebrahimi case SSL_SERVER_HELLO_HRR:
1497*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(2, ("received HelloRetryRequest message"));
1498*62c56f98SSadaf Ebrahimi /* If a client receives a second HelloRetryRequest in the same
1499*62c56f98SSadaf Ebrahimi * connection (i.e., where the ClientHello was itself in response
1500*62c56f98SSadaf Ebrahimi * to a HelloRetryRequest), it MUST abort the handshake with an
1501*62c56f98SSadaf Ebrahimi * "unexpected_message" alert.
1502*62c56f98SSadaf Ebrahimi */
1503*62c56f98SSadaf Ebrahimi if (handshake->hello_retry_request_count > 0) {
1504*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(1, ("Multiple HRRs received"));
1505*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_PEND_FATAL_ALERT(
1506*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE,
1507*62c56f98SSadaf Ebrahimi MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE);
1508*62c56f98SSadaf Ebrahimi return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
1509*62c56f98SSadaf Ebrahimi }
1510*62c56f98SSadaf Ebrahimi /*
1511*62c56f98SSadaf Ebrahimi * Clients must abort the handshake with an "illegal_parameter"
1512*62c56f98SSadaf Ebrahimi * alert if the HelloRetryRequest would not result in any change
1513*62c56f98SSadaf Ebrahimi * in the ClientHello.
1514*62c56f98SSadaf Ebrahimi * In a PSK only key exchange that what we expect.
1515*62c56f98SSadaf Ebrahimi */
1516*62c56f98SSadaf Ebrahimi if (!mbedtls_ssl_conf_tls13_some_ephemeral_enabled(ssl)) {
1517*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(1,
1518*62c56f98SSadaf Ebrahimi ("Unexpected HRR in pure PSK key exchange."));
1519*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_PEND_FATAL_ALERT(
1520*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
1521*62c56f98SSadaf Ebrahimi MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
1522*62c56f98SSadaf Ebrahimi return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
1523*62c56f98SSadaf Ebrahimi }
1524*62c56f98SSadaf Ebrahimi
1525*62c56f98SSadaf Ebrahimi handshake->hello_retry_request_count++;
1526*62c56f98SSadaf Ebrahimi
1527*62c56f98SSadaf Ebrahimi break;
1528*62c56f98SSadaf Ebrahimi }
1529*62c56f98SSadaf Ebrahimi
1530*62c56f98SSadaf Ebrahimi cleanup:
1531*62c56f98SSadaf Ebrahimi
1532*62c56f98SSadaf Ebrahimi return ret;
1533*62c56f98SSadaf Ebrahimi }
1534*62c56f98SSadaf Ebrahimi
1535*62c56f98SSadaf Ebrahimi MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_check_server_hello_session_id_echo(mbedtls_ssl_context * ssl,const unsigned char ** buf,const unsigned char * end)1536*62c56f98SSadaf Ebrahimi static int ssl_tls13_check_server_hello_session_id_echo(mbedtls_ssl_context *ssl,
1537*62c56f98SSadaf Ebrahimi const unsigned char **buf,
1538*62c56f98SSadaf Ebrahimi const unsigned char *end)
1539*62c56f98SSadaf Ebrahimi {
1540*62c56f98SSadaf Ebrahimi const unsigned char *p = *buf;
1541*62c56f98SSadaf Ebrahimi size_t legacy_session_id_echo_len;
1542*62c56f98SSadaf Ebrahimi
1543*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 1);
1544*62c56f98SSadaf Ebrahimi legacy_session_id_echo_len = *p++;
1545*62c56f98SSadaf Ebrahimi
1546*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, legacy_session_id_echo_len);
1547*62c56f98SSadaf Ebrahimi
1548*62c56f98SSadaf Ebrahimi /* legacy_session_id_echo */
1549*62c56f98SSadaf Ebrahimi if (ssl->session_negotiate->id_len != legacy_session_id_echo_len ||
1550*62c56f98SSadaf Ebrahimi memcmp(ssl->session_negotiate->id, p, legacy_session_id_echo_len) != 0) {
1551*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_BUF(3, "Expected Session ID",
1552*62c56f98SSadaf Ebrahimi ssl->session_negotiate->id,
1553*62c56f98SSadaf Ebrahimi ssl->session_negotiate->id_len);
1554*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_BUF(3, "Received Session ID", p,
1555*62c56f98SSadaf Ebrahimi legacy_session_id_echo_len);
1556*62c56f98SSadaf Ebrahimi
1557*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
1558*62c56f98SSadaf Ebrahimi MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
1559*62c56f98SSadaf Ebrahimi
1560*62c56f98SSadaf Ebrahimi return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
1561*62c56f98SSadaf Ebrahimi }
1562*62c56f98SSadaf Ebrahimi
1563*62c56f98SSadaf Ebrahimi p += legacy_session_id_echo_len;
1564*62c56f98SSadaf Ebrahimi *buf = p;
1565*62c56f98SSadaf Ebrahimi
1566*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_BUF(3, "Session ID", ssl->session_negotiate->id,
1567*62c56f98SSadaf Ebrahimi ssl->session_negotiate->id_len);
1568*62c56f98SSadaf Ebrahimi return 0;
1569*62c56f98SSadaf Ebrahimi }
1570*62c56f98SSadaf Ebrahimi
1571*62c56f98SSadaf Ebrahimi /* Parse ServerHello message and configure context
1572*62c56f98SSadaf Ebrahimi *
1573*62c56f98SSadaf Ebrahimi * struct {
1574*62c56f98SSadaf Ebrahimi * ProtocolVersion legacy_version = 0x0303; // TLS 1.2
1575*62c56f98SSadaf Ebrahimi * Random random;
1576*62c56f98SSadaf Ebrahimi * opaque legacy_session_id_echo<0..32>;
1577*62c56f98SSadaf Ebrahimi * CipherSuite cipher_suite;
1578*62c56f98SSadaf Ebrahimi * uint8 legacy_compression_method = 0;
1579*62c56f98SSadaf Ebrahimi * Extension extensions<6..2^16-1>;
1580*62c56f98SSadaf Ebrahimi * } ServerHello;
1581*62c56f98SSadaf Ebrahimi */
1582*62c56f98SSadaf Ebrahimi MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_parse_server_hello(mbedtls_ssl_context * ssl,const unsigned char * buf,const unsigned char * end,int is_hrr)1583*62c56f98SSadaf Ebrahimi static int ssl_tls13_parse_server_hello(mbedtls_ssl_context *ssl,
1584*62c56f98SSadaf Ebrahimi const unsigned char *buf,
1585*62c56f98SSadaf Ebrahimi const unsigned char *end,
1586*62c56f98SSadaf Ebrahimi int is_hrr)
1587*62c56f98SSadaf Ebrahimi {
1588*62c56f98SSadaf Ebrahimi int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1589*62c56f98SSadaf Ebrahimi const unsigned char *p = buf;
1590*62c56f98SSadaf Ebrahimi mbedtls_ssl_handshake_params *handshake = ssl->handshake;
1591*62c56f98SSadaf Ebrahimi size_t extensions_len;
1592*62c56f98SSadaf Ebrahimi const unsigned char *extensions_end;
1593*62c56f98SSadaf Ebrahimi uint16_t cipher_suite;
1594*62c56f98SSadaf Ebrahimi const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
1595*62c56f98SSadaf Ebrahimi int fatal_alert = 0;
1596*62c56f98SSadaf Ebrahimi uint32_t allowed_extensions_mask;
1597*62c56f98SSadaf Ebrahimi int hs_msg_type = is_hrr ? MBEDTLS_SSL_TLS1_3_HS_HELLO_RETRY_REQUEST :
1598*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_HS_SERVER_HELLO;
1599*62c56f98SSadaf Ebrahimi
1600*62c56f98SSadaf Ebrahimi /*
1601*62c56f98SSadaf Ebrahimi * Check there is space for minimal fields
1602*62c56f98SSadaf Ebrahimi *
1603*62c56f98SSadaf Ebrahimi * - legacy_version ( 2 bytes)
1604*62c56f98SSadaf Ebrahimi * - random (MBEDTLS_SERVER_HELLO_RANDOM_LEN bytes)
1605*62c56f98SSadaf Ebrahimi * - legacy_session_id_echo ( 1 byte ), minimum size
1606*62c56f98SSadaf Ebrahimi * - cipher_suite ( 2 bytes)
1607*62c56f98SSadaf Ebrahimi * - legacy_compression_method ( 1 byte )
1608*62c56f98SSadaf Ebrahimi */
1609*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, MBEDTLS_SERVER_HELLO_RANDOM_LEN + 6);
1610*62c56f98SSadaf Ebrahimi
1611*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_BUF(4, "server hello", p, end - p);
1612*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_BUF(3, "server hello, version", p, 2);
1613*62c56f98SSadaf Ebrahimi
1614*62c56f98SSadaf Ebrahimi /* ...
1615*62c56f98SSadaf Ebrahimi * ProtocolVersion legacy_version = 0x0303; // TLS 1.2
1616*62c56f98SSadaf Ebrahimi * ...
1617*62c56f98SSadaf Ebrahimi * with ProtocolVersion defined as:
1618*62c56f98SSadaf Ebrahimi * uint16 ProtocolVersion;
1619*62c56f98SSadaf Ebrahimi */
1620*62c56f98SSadaf Ebrahimi if (mbedtls_ssl_read_version(p, ssl->conf->transport) !=
1621*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_VERSION_TLS1_2) {
1622*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(1, ("Unsupported version of TLS."));
1623*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION,
1624*62c56f98SSadaf Ebrahimi MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION);
1625*62c56f98SSadaf Ebrahimi ret = MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION;
1626*62c56f98SSadaf Ebrahimi goto cleanup;
1627*62c56f98SSadaf Ebrahimi }
1628*62c56f98SSadaf Ebrahimi p += 2;
1629*62c56f98SSadaf Ebrahimi
1630*62c56f98SSadaf Ebrahimi /* ...
1631*62c56f98SSadaf Ebrahimi * Random random;
1632*62c56f98SSadaf Ebrahimi * ...
1633*62c56f98SSadaf Ebrahimi * with Random defined as:
1634*62c56f98SSadaf Ebrahimi * opaque Random[MBEDTLS_SERVER_HELLO_RANDOM_LEN];
1635*62c56f98SSadaf Ebrahimi */
1636*62c56f98SSadaf Ebrahimi if (!is_hrr) {
1637*62c56f98SSadaf Ebrahimi memcpy(&handshake->randbytes[MBEDTLS_CLIENT_HELLO_RANDOM_LEN], p,
1638*62c56f98SSadaf Ebrahimi MBEDTLS_SERVER_HELLO_RANDOM_LEN);
1639*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_BUF(3, "server hello, random bytes",
1640*62c56f98SSadaf Ebrahimi p, MBEDTLS_SERVER_HELLO_RANDOM_LEN);
1641*62c56f98SSadaf Ebrahimi }
1642*62c56f98SSadaf Ebrahimi p += MBEDTLS_SERVER_HELLO_RANDOM_LEN;
1643*62c56f98SSadaf Ebrahimi
1644*62c56f98SSadaf Ebrahimi /* ...
1645*62c56f98SSadaf Ebrahimi * opaque legacy_session_id_echo<0..32>;
1646*62c56f98SSadaf Ebrahimi * ...
1647*62c56f98SSadaf Ebrahimi */
1648*62c56f98SSadaf Ebrahimi if (ssl_tls13_check_server_hello_session_id_echo(ssl, &p, end) != 0) {
1649*62c56f98SSadaf Ebrahimi fatal_alert = MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER;
1650*62c56f98SSadaf Ebrahimi goto cleanup;
1651*62c56f98SSadaf Ebrahimi }
1652*62c56f98SSadaf Ebrahimi
1653*62c56f98SSadaf Ebrahimi /* ...
1654*62c56f98SSadaf Ebrahimi * CipherSuite cipher_suite;
1655*62c56f98SSadaf Ebrahimi * ...
1656*62c56f98SSadaf Ebrahimi * with CipherSuite defined as:
1657*62c56f98SSadaf Ebrahimi * uint8 CipherSuite[2];
1658*62c56f98SSadaf Ebrahimi */
1659*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
1660*62c56f98SSadaf Ebrahimi cipher_suite = MBEDTLS_GET_UINT16_BE(p, 0);
1661*62c56f98SSadaf Ebrahimi p += 2;
1662*62c56f98SSadaf Ebrahimi
1663*62c56f98SSadaf Ebrahimi
1664*62c56f98SSadaf Ebrahimi ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(cipher_suite);
1665*62c56f98SSadaf Ebrahimi /*
1666*62c56f98SSadaf Ebrahimi * Check whether this ciphersuite is valid and offered.
1667*62c56f98SSadaf Ebrahimi */
1668*62c56f98SSadaf Ebrahimi if ((mbedtls_ssl_validate_ciphersuite(ssl, ciphersuite_info,
1669*62c56f98SSadaf Ebrahimi ssl->tls_version,
1670*62c56f98SSadaf Ebrahimi ssl->tls_version) != 0) ||
1671*62c56f98SSadaf Ebrahimi !mbedtls_ssl_tls13_cipher_suite_is_offered(ssl, cipher_suite)) {
1672*62c56f98SSadaf Ebrahimi fatal_alert = MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER;
1673*62c56f98SSadaf Ebrahimi }
1674*62c56f98SSadaf Ebrahimi /*
1675*62c56f98SSadaf Ebrahimi * If we received an HRR before and that the proposed selected
1676*62c56f98SSadaf Ebrahimi * ciphersuite in this server hello is not the same as the one
1677*62c56f98SSadaf Ebrahimi * proposed in the HRR, we abort the handshake and send an
1678*62c56f98SSadaf Ebrahimi * "illegal_parameter" alert.
1679*62c56f98SSadaf Ebrahimi */
1680*62c56f98SSadaf Ebrahimi else if ((!is_hrr) && (handshake->hello_retry_request_count > 0) &&
1681*62c56f98SSadaf Ebrahimi (cipher_suite != ssl->session_negotiate->ciphersuite)) {
1682*62c56f98SSadaf Ebrahimi fatal_alert = MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER;
1683*62c56f98SSadaf Ebrahimi }
1684*62c56f98SSadaf Ebrahimi
1685*62c56f98SSadaf Ebrahimi if (fatal_alert == MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER) {
1686*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(1, ("invalid ciphersuite(%04x) parameter",
1687*62c56f98SSadaf Ebrahimi cipher_suite));
1688*62c56f98SSadaf Ebrahimi goto cleanup;
1689*62c56f98SSadaf Ebrahimi }
1690*62c56f98SSadaf Ebrahimi
1691*62c56f98SSadaf Ebrahimi /* Configure ciphersuites */
1692*62c56f98SSadaf Ebrahimi mbedtls_ssl_optimize_checksum(ssl, ciphersuite_info);
1693*62c56f98SSadaf Ebrahimi
1694*62c56f98SSadaf Ebrahimi handshake->ciphersuite_info = ciphersuite_info;
1695*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, chosen ciphersuite: ( %04x ) - %s",
1696*62c56f98SSadaf Ebrahimi cipher_suite, ciphersuite_info->name));
1697*62c56f98SSadaf Ebrahimi
1698*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_HAVE_TIME)
1699*62c56f98SSadaf Ebrahimi ssl->session_negotiate->start = mbedtls_time(NULL);
1700*62c56f98SSadaf Ebrahimi #endif /* MBEDTLS_HAVE_TIME */
1701*62c56f98SSadaf Ebrahimi
1702*62c56f98SSadaf Ebrahimi /* ...
1703*62c56f98SSadaf Ebrahimi * uint8 legacy_compression_method = 0;
1704*62c56f98SSadaf Ebrahimi * ...
1705*62c56f98SSadaf Ebrahimi */
1706*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 1);
1707*62c56f98SSadaf Ebrahimi if (p[0] != MBEDTLS_SSL_COMPRESS_NULL) {
1708*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(1, ("bad legacy compression method"));
1709*62c56f98SSadaf Ebrahimi fatal_alert = MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER;
1710*62c56f98SSadaf Ebrahimi goto cleanup;
1711*62c56f98SSadaf Ebrahimi }
1712*62c56f98SSadaf Ebrahimi p++;
1713*62c56f98SSadaf Ebrahimi
1714*62c56f98SSadaf Ebrahimi /* ...
1715*62c56f98SSadaf Ebrahimi * Extension extensions<6..2^16-1>;
1716*62c56f98SSadaf Ebrahimi * ...
1717*62c56f98SSadaf Ebrahimi * struct {
1718*62c56f98SSadaf Ebrahimi * ExtensionType extension_type; (2 bytes)
1719*62c56f98SSadaf Ebrahimi * opaque extension_data<0..2^16-1>;
1720*62c56f98SSadaf Ebrahimi * } Extension;
1721*62c56f98SSadaf Ebrahimi */
1722*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
1723*62c56f98SSadaf Ebrahimi extensions_len = MBEDTLS_GET_UINT16_BE(p, 0);
1724*62c56f98SSadaf Ebrahimi p += 2;
1725*62c56f98SSadaf Ebrahimi
1726*62c56f98SSadaf Ebrahimi /* Check extensions do not go beyond the buffer of data. */
1727*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, extensions_len);
1728*62c56f98SSadaf Ebrahimi extensions_end = p + extensions_len;
1729*62c56f98SSadaf Ebrahimi
1730*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_BUF(3, "server hello extensions", p, extensions_len);
1731*62c56f98SSadaf Ebrahimi
1732*62c56f98SSadaf Ebrahimi handshake->received_extensions = MBEDTLS_SSL_EXT_MASK_NONE;
1733*62c56f98SSadaf Ebrahimi allowed_extensions_mask = is_hrr ?
1734*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_HRR :
1735*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_SH;
1736*62c56f98SSadaf Ebrahimi
1737*62c56f98SSadaf Ebrahimi while (p < extensions_end) {
1738*62c56f98SSadaf Ebrahimi unsigned int extension_type;
1739*62c56f98SSadaf Ebrahimi size_t extension_data_len;
1740*62c56f98SSadaf Ebrahimi const unsigned char *extension_data_end;
1741*62c56f98SSadaf Ebrahimi
1742*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_CHK_BUF_READ_PTR(p, extensions_end, 4);
1743*62c56f98SSadaf Ebrahimi extension_type = MBEDTLS_GET_UINT16_BE(p, 0);
1744*62c56f98SSadaf Ebrahimi extension_data_len = MBEDTLS_GET_UINT16_BE(p, 2);
1745*62c56f98SSadaf Ebrahimi p += 4;
1746*62c56f98SSadaf Ebrahimi
1747*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_CHK_BUF_READ_PTR(p, extensions_end, extension_data_len);
1748*62c56f98SSadaf Ebrahimi extension_data_end = p + extension_data_len;
1749*62c56f98SSadaf Ebrahimi
1750*62c56f98SSadaf Ebrahimi ret = mbedtls_ssl_tls13_check_received_extension(
1751*62c56f98SSadaf Ebrahimi ssl, hs_msg_type, extension_type, allowed_extensions_mask);
1752*62c56f98SSadaf Ebrahimi if (ret != 0) {
1753*62c56f98SSadaf Ebrahimi return ret;
1754*62c56f98SSadaf Ebrahimi }
1755*62c56f98SSadaf Ebrahimi
1756*62c56f98SSadaf Ebrahimi switch (extension_type) {
1757*62c56f98SSadaf Ebrahimi case MBEDTLS_TLS_EXT_COOKIE:
1758*62c56f98SSadaf Ebrahimi
1759*62c56f98SSadaf Ebrahimi ret = ssl_tls13_parse_cookie_ext(ssl,
1760*62c56f98SSadaf Ebrahimi p, extension_data_end);
1761*62c56f98SSadaf Ebrahimi if (ret != 0) {
1762*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_RET(1,
1763*62c56f98SSadaf Ebrahimi "ssl_tls13_parse_cookie_ext",
1764*62c56f98SSadaf Ebrahimi ret);
1765*62c56f98SSadaf Ebrahimi goto cleanup;
1766*62c56f98SSadaf Ebrahimi }
1767*62c56f98SSadaf Ebrahimi break;
1768*62c56f98SSadaf Ebrahimi
1769*62c56f98SSadaf Ebrahimi case MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS:
1770*62c56f98SSadaf Ebrahimi ret = ssl_tls13_parse_supported_versions_ext(ssl,
1771*62c56f98SSadaf Ebrahimi p,
1772*62c56f98SSadaf Ebrahimi extension_data_end);
1773*62c56f98SSadaf Ebrahimi if (ret != 0) {
1774*62c56f98SSadaf Ebrahimi goto cleanup;
1775*62c56f98SSadaf Ebrahimi }
1776*62c56f98SSadaf Ebrahimi break;
1777*62c56f98SSadaf Ebrahimi
1778*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
1779*62c56f98SSadaf Ebrahimi case MBEDTLS_TLS_EXT_PRE_SHARED_KEY:
1780*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(3, ("found pre_shared_key extension"));
1781*62c56f98SSadaf Ebrahimi
1782*62c56f98SSadaf Ebrahimi if ((ret = ssl_tls13_parse_server_pre_shared_key_ext(
1783*62c56f98SSadaf Ebrahimi ssl, p, extension_data_end)) != 0) {
1784*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_RET(
1785*62c56f98SSadaf Ebrahimi 1, ("ssl_tls13_parse_server_pre_shared_key_ext"), ret);
1786*62c56f98SSadaf Ebrahimi return ret;
1787*62c56f98SSadaf Ebrahimi }
1788*62c56f98SSadaf Ebrahimi break;
1789*62c56f98SSadaf Ebrahimi #endif
1790*62c56f98SSadaf Ebrahimi
1791*62c56f98SSadaf Ebrahimi case MBEDTLS_TLS_EXT_KEY_SHARE:
1792*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(3, ("found key_shares extension"));
1793*62c56f98SSadaf Ebrahimi if (!mbedtls_ssl_conf_tls13_some_ephemeral_enabled(ssl)) {
1794*62c56f98SSadaf Ebrahimi fatal_alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT;
1795*62c56f98SSadaf Ebrahimi goto cleanup;
1796*62c56f98SSadaf Ebrahimi }
1797*62c56f98SSadaf Ebrahimi
1798*62c56f98SSadaf Ebrahimi if (is_hrr) {
1799*62c56f98SSadaf Ebrahimi ret = ssl_tls13_parse_hrr_key_share_ext(ssl,
1800*62c56f98SSadaf Ebrahimi p, extension_data_end);
1801*62c56f98SSadaf Ebrahimi } else {
1802*62c56f98SSadaf Ebrahimi ret = ssl_tls13_parse_key_share_ext(ssl,
1803*62c56f98SSadaf Ebrahimi p, extension_data_end);
1804*62c56f98SSadaf Ebrahimi }
1805*62c56f98SSadaf Ebrahimi if (ret != 0) {
1806*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_RET(1,
1807*62c56f98SSadaf Ebrahimi "ssl_tls13_parse_key_share_ext",
1808*62c56f98SSadaf Ebrahimi ret);
1809*62c56f98SSadaf Ebrahimi goto cleanup;
1810*62c56f98SSadaf Ebrahimi }
1811*62c56f98SSadaf Ebrahimi break;
1812*62c56f98SSadaf Ebrahimi
1813*62c56f98SSadaf Ebrahimi default:
1814*62c56f98SSadaf Ebrahimi ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
1815*62c56f98SSadaf Ebrahimi goto cleanup;
1816*62c56f98SSadaf Ebrahimi }
1817*62c56f98SSadaf Ebrahimi
1818*62c56f98SSadaf Ebrahimi p += extension_data_len;
1819*62c56f98SSadaf Ebrahimi }
1820*62c56f98SSadaf Ebrahimi
1821*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_PRINT_EXTS(3, hs_msg_type, handshake->received_extensions);
1822*62c56f98SSadaf Ebrahimi
1823*62c56f98SSadaf Ebrahimi cleanup:
1824*62c56f98SSadaf Ebrahimi
1825*62c56f98SSadaf Ebrahimi if (fatal_alert == MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT) {
1826*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT,
1827*62c56f98SSadaf Ebrahimi MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION);
1828*62c56f98SSadaf Ebrahimi ret = MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION;
1829*62c56f98SSadaf Ebrahimi } else if (fatal_alert == MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER) {
1830*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
1831*62c56f98SSadaf Ebrahimi MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
1832*62c56f98SSadaf Ebrahimi ret = MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
1833*62c56f98SSadaf Ebrahimi }
1834*62c56f98SSadaf Ebrahimi return ret;
1835*62c56f98SSadaf Ebrahimi }
1836*62c56f98SSadaf Ebrahimi
1837*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_DEBUG_C)
ssl_tls13_get_kex_mode_str(int mode)1838*62c56f98SSadaf Ebrahimi static const char *ssl_tls13_get_kex_mode_str(int mode)
1839*62c56f98SSadaf Ebrahimi {
1840*62c56f98SSadaf Ebrahimi switch (mode) {
1841*62c56f98SSadaf Ebrahimi case MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK:
1842*62c56f98SSadaf Ebrahimi return "psk";
1843*62c56f98SSadaf Ebrahimi case MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL:
1844*62c56f98SSadaf Ebrahimi return "ephemeral";
1845*62c56f98SSadaf Ebrahimi case MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL:
1846*62c56f98SSadaf Ebrahimi return "psk_ephemeral";
1847*62c56f98SSadaf Ebrahimi default:
1848*62c56f98SSadaf Ebrahimi return "unknown mode";
1849*62c56f98SSadaf Ebrahimi }
1850*62c56f98SSadaf Ebrahimi }
1851*62c56f98SSadaf Ebrahimi #endif /* MBEDTLS_DEBUG_C */
1852*62c56f98SSadaf Ebrahimi
1853*62c56f98SSadaf Ebrahimi MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_postprocess_server_hello(mbedtls_ssl_context * ssl)1854*62c56f98SSadaf Ebrahimi static int ssl_tls13_postprocess_server_hello(mbedtls_ssl_context *ssl)
1855*62c56f98SSadaf Ebrahimi {
1856*62c56f98SSadaf Ebrahimi int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1857*62c56f98SSadaf Ebrahimi mbedtls_ssl_handshake_params *handshake = ssl->handshake;
1858*62c56f98SSadaf Ebrahimi
1859*62c56f98SSadaf Ebrahimi /* Determine the key exchange mode:
1860*62c56f98SSadaf Ebrahimi * 1) If both the pre_shared_key and key_share extensions were received
1861*62c56f98SSadaf Ebrahimi * then the key exchange mode is PSK with EPHEMERAL.
1862*62c56f98SSadaf Ebrahimi * 2) If only the pre_shared_key extension was received then the key
1863*62c56f98SSadaf Ebrahimi * exchange mode is PSK-only.
1864*62c56f98SSadaf Ebrahimi * 3) If only the key_share extension was received then the key
1865*62c56f98SSadaf Ebrahimi * exchange mode is EPHEMERAL-only.
1866*62c56f98SSadaf Ebrahimi */
1867*62c56f98SSadaf Ebrahimi switch (handshake->received_extensions &
1868*62c56f98SSadaf Ebrahimi (MBEDTLS_SSL_EXT_MASK(PRE_SHARED_KEY) |
1869*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_EXT_MASK(KEY_SHARE))) {
1870*62c56f98SSadaf Ebrahimi /* Only the pre_shared_key extension was received */
1871*62c56f98SSadaf Ebrahimi case MBEDTLS_SSL_EXT_MASK(PRE_SHARED_KEY):
1872*62c56f98SSadaf Ebrahimi handshake->key_exchange_mode =
1873*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK;
1874*62c56f98SSadaf Ebrahimi break;
1875*62c56f98SSadaf Ebrahimi
1876*62c56f98SSadaf Ebrahimi /* Only the key_share extension was received */
1877*62c56f98SSadaf Ebrahimi case MBEDTLS_SSL_EXT_MASK(KEY_SHARE):
1878*62c56f98SSadaf Ebrahimi handshake->key_exchange_mode =
1879*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL;
1880*62c56f98SSadaf Ebrahimi break;
1881*62c56f98SSadaf Ebrahimi
1882*62c56f98SSadaf Ebrahimi /* Both the pre_shared_key and key_share extensions were received */
1883*62c56f98SSadaf Ebrahimi case (MBEDTLS_SSL_EXT_MASK(PRE_SHARED_KEY) |
1884*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_EXT_MASK(KEY_SHARE)):
1885*62c56f98SSadaf Ebrahimi handshake->key_exchange_mode =
1886*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL;
1887*62c56f98SSadaf Ebrahimi break;
1888*62c56f98SSadaf Ebrahimi
1889*62c56f98SSadaf Ebrahimi /* Neither pre_shared_key nor key_share extension was received */
1890*62c56f98SSadaf Ebrahimi default:
1891*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(1, ("Unknown key exchange."));
1892*62c56f98SSadaf Ebrahimi ret = MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
1893*62c56f98SSadaf Ebrahimi goto cleanup;
1894*62c56f98SSadaf Ebrahimi }
1895*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_SSL_EARLY_DATA)
1896*62c56f98SSadaf Ebrahimi if (handshake->received_extensions & MBEDTLS_SSL_EXT_MASK(EARLY_DATA) &&
1897*62c56f98SSadaf Ebrahimi (handshake->selected_identity != 0 ||
1898*62c56f98SSadaf Ebrahimi handshake->ciphersuite_info->id !=
1899*62c56f98SSadaf Ebrahimi ssl->session_negotiate->ciphersuite)) {
1900*62c56f98SSadaf Ebrahimi /* RFC8446 4.2.11
1901*62c56f98SSadaf Ebrahimi * If the server supplies an "early_data" extension, the
1902*62c56f98SSadaf Ebrahimi * client MUST verify that the server's selected_identity
1903*62c56f98SSadaf Ebrahimi * is 0. If any other value is returned, the client MUST
1904*62c56f98SSadaf Ebrahimi * abort the handshake with an "illegal_parameter" alert.
1905*62c56f98SSadaf Ebrahimi *
1906*62c56f98SSadaf Ebrahimi * RFC 8446 4.2.10
1907*62c56f98SSadaf Ebrahimi * In order to accept early data, the server MUST have accepted a PSK
1908*62c56f98SSadaf Ebrahimi * cipher suite and selected the first key offered in the client's
1909*62c56f98SSadaf Ebrahimi * "pre_shared_key" extension. In addition, it MUST verify that the
1910*62c56f98SSadaf Ebrahimi * following values are the same as those associated with the
1911*62c56f98SSadaf Ebrahimi * selected PSK:
1912*62c56f98SSadaf Ebrahimi * - The TLS version number
1913*62c56f98SSadaf Ebrahimi * - The selected cipher suite
1914*62c56f98SSadaf Ebrahimi * - The selected ALPN [RFC7301] protocol, if any
1915*62c56f98SSadaf Ebrahimi *
1916*62c56f98SSadaf Ebrahimi * We check here that when early data is involved the server
1917*62c56f98SSadaf Ebrahimi * selected the cipher suite associated to the pre-shared key
1918*62c56f98SSadaf Ebrahimi * as it must have.
1919*62c56f98SSadaf Ebrahimi */
1920*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
1921*62c56f98SSadaf Ebrahimi MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
1922*62c56f98SSadaf Ebrahimi return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
1923*62c56f98SSadaf Ebrahimi }
1924*62c56f98SSadaf Ebrahimi #endif
1925*62c56f98SSadaf Ebrahimi
1926*62c56f98SSadaf Ebrahimi if (!mbedtls_ssl_conf_tls13_check_kex_modes(
1927*62c56f98SSadaf Ebrahimi ssl, handshake->key_exchange_mode)) {
1928*62c56f98SSadaf Ebrahimi ret = MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
1929*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(
1930*62c56f98SSadaf Ebrahimi 2, ("Key exchange mode(%s) is not supported.",
1931*62c56f98SSadaf Ebrahimi ssl_tls13_get_kex_mode_str(handshake->key_exchange_mode)));
1932*62c56f98SSadaf Ebrahimi goto cleanup;
1933*62c56f98SSadaf Ebrahimi }
1934*62c56f98SSadaf Ebrahimi
1935*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(
1936*62c56f98SSadaf Ebrahimi 3, ("Selected key exchange mode: %s",
1937*62c56f98SSadaf Ebrahimi ssl_tls13_get_kex_mode_str(handshake->key_exchange_mode)));
1938*62c56f98SSadaf Ebrahimi
1939*62c56f98SSadaf Ebrahimi /* Start the TLS 1.3 key scheduling if not already done.
1940*62c56f98SSadaf Ebrahimi *
1941*62c56f98SSadaf Ebrahimi * If we proposed early data then we have already derived an
1942*62c56f98SSadaf Ebrahimi * early secret using the selected PSK and its associated hash.
1943*62c56f98SSadaf Ebrahimi * It means that if the negotiated key exchange mode is psk or
1944*62c56f98SSadaf Ebrahimi * psk_ephemeral, we have already correctly computed the
1945*62c56f98SSadaf Ebrahimi * early secret and thus we do not do it again. In all other
1946*62c56f98SSadaf Ebrahimi * cases we compute it here.
1947*62c56f98SSadaf Ebrahimi */
1948*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_SSL_EARLY_DATA)
1949*62c56f98SSadaf Ebrahimi if (ssl->early_data_status == MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT ||
1950*62c56f98SSadaf Ebrahimi handshake->key_exchange_mode ==
1951*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL)
1952*62c56f98SSadaf Ebrahimi #endif
1953*62c56f98SSadaf Ebrahimi {
1954*62c56f98SSadaf Ebrahimi ret = mbedtls_ssl_tls13_key_schedule_stage_early(ssl);
1955*62c56f98SSadaf Ebrahimi if (ret != 0) {
1956*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_RET(
1957*62c56f98SSadaf Ebrahimi 1, "mbedtls_ssl_tls13_key_schedule_stage_early", ret);
1958*62c56f98SSadaf Ebrahimi goto cleanup;
1959*62c56f98SSadaf Ebrahimi }
1960*62c56f98SSadaf Ebrahimi }
1961*62c56f98SSadaf Ebrahimi
1962*62c56f98SSadaf Ebrahimi ret = mbedtls_ssl_tls13_compute_handshake_transform(ssl);
1963*62c56f98SSadaf Ebrahimi if (ret != 0) {
1964*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_RET(1,
1965*62c56f98SSadaf Ebrahimi "mbedtls_ssl_tls13_compute_handshake_transform",
1966*62c56f98SSadaf Ebrahimi ret);
1967*62c56f98SSadaf Ebrahimi goto cleanup;
1968*62c56f98SSadaf Ebrahimi }
1969*62c56f98SSadaf Ebrahimi
1970*62c56f98SSadaf Ebrahimi mbedtls_ssl_set_inbound_transform(ssl, handshake->transform_handshake);
1971*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(1, ("Switch to handshake keys for inbound traffic"));
1972*62c56f98SSadaf Ebrahimi ssl->session_negotiate->ciphersuite = handshake->ciphersuite_info->id;
1973*62c56f98SSadaf Ebrahimi ssl->session_in = ssl->session_negotiate;
1974*62c56f98SSadaf Ebrahimi
1975*62c56f98SSadaf Ebrahimi cleanup:
1976*62c56f98SSadaf Ebrahimi if (ret != 0) {
1977*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_PEND_FATAL_ALERT(
1978*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
1979*62c56f98SSadaf Ebrahimi MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE);
1980*62c56f98SSadaf Ebrahimi }
1981*62c56f98SSadaf Ebrahimi
1982*62c56f98SSadaf Ebrahimi return ret;
1983*62c56f98SSadaf Ebrahimi }
1984*62c56f98SSadaf Ebrahimi
1985*62c56f98SSadaf Ebrahimi MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_postprocess_hrr(mbedtls_ssl_context * ssl)1986*62c56f98SSadaf Ebrahimi static int ssl_tls13_postprocess_hrr(mbedtls_ssl_context *ssl)
1987*62c56f98SSadaf Ebrahimi {
1988*62c56f98SSadaf Ebrahimi int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1989*62c56f98SSadaf Ebrahimi
1990*62c56f98SSadaf Ebrahimi mbedtls_ssl_session_reset_msg_layer(ssl, 0);
1991*62c56f98SSadaf Ebrahimi
1992*62c56f98SSadaf Ebrahimi /*
1993*62c56f98SSadaf Ebrahimi * We are going to re-generate a shared secret corresponding to the group
1994*62c56f98SSadaf Ebrahimi * selected by the server, which is different from the group for which we
1995*62c56f98SSadaf Ebrahimi * generated a shared secret in the first client hello.
1996*62c56f98SSadaf Ebrahimi * Thus, reset the shared secret.
1997*62c56f98SSadaf Ebrahimi */
1998*62c56f98SSadaf Ebrahimi ret = ssl_tls13_reset_key_share(ssl);
1999*62c56f98SSadaf Ebrahimi if (ret != 0) {
2000*62c56f98SSadaf Ebrahimi return ret;
2001*62c56f98SSadaf Ebrahimi }
2002*62c56f98SSadaf Ebrahimi
2003*62c56f98SSadaf Ebrahimi ssl->session_negotiate->ciphersuite = ssl->handshake->ciphersuite_info->id;
2004*62c56f98SSadaf Ebrahimi return 0;
2005*62c56f98SSadaf Ebrahimi }
2006*62c56f98SSadaf Ebrahimi
2007*62c56f98SSadaf Ebrahimi /*
2008*62c56f98SSadaf Ebrahimi * Wait and parse ServerHello handshake message.
2009*62c56f98SSadaf Ebrahimi * Handler for MBEDTLS_SSL_SERVER_HELLO
2010*62c56f98SSadaf Ebrahimi */
2011*62c56f98SSadaf Ebrahimi MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_process_server_hello(mbedtls_ssl_context * ssl)2012*62c56f98SSadaf Ebrahimi static int ssl_tls13_process_server_hello(mbedtls_ssl_context *ssl)
2013*62c56f98SSadaf Ebrahimi {
2014*62c56f98SSadaf Ebrahimi int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2015*62c56f98SSadaf Ebrahimi unsigned char *buf = NULL;
2016*62c56f98SSadaf Ebrahimi size_t buf_len = 0;
2017*62c56f98SSadaf Ebrahimi int is_hrr = 0;
2018*62c56f98SSadaf Ebrahimi
2019*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(2, ("=> %s", __func__));
2020*62c56f98SSadaf Ebrahimi
2021*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_tls13_fetch_handshake_msg(
2022*62c56f98SSadaf Ebrahimi ssl, MBEDTLS_SSL_HS_SERVER_HELLO, &buf, &buf_len));
2023*62c56f98SSadaf Ebrahimi
2024*62c56f98SSadaf Ebrahimi ret = ssl_tls13_preprocess_server_hello(ssl, buf, buf + buf_len);
2025*62c56f98SSadaf Ebrahimi if (ret < 0) {
2026*62c56f98SSadaf Ebrahimi goto cleanup;
2027*62c56f98SSadaf Ebrahimi } else {
2028*62c56f98SSadaf Ebrahimi is_hrr = (ret == SSL_SERVER_HELLO_HRR);
2029*62c56f98SSadaf Ebrahimi }
2030*62c56f98SSadaf Ebrahimi
2031*62c56f98SSadaf Ebrahimi if (ret == SSL_SERVER_HELLO_TLS1_2) {
2032*62c56f98SSadaf Ebrahimi ret = 0;
2033*62c56f98SSadaf Ebrahimi goto cleanup;
2034*62c56f98SSadaf Ebrahimi }
2035*62c56f98SSadaf Ebrahimi
2036*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_PROC_CHK(ssl_tls13_parse_server_hello(ssl, buf,
2037*62c56f98SSadaf Ebrahimi buf + buf_len,
2038*62c56f98SSadaf Ebrahimi is_hrr));
2039*62c56f98SSadaf Ebrahimi if (is_hrr) {
2040*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_reset_transcript_for_hrr(ssl));
2041*62c56f98SSadaf Ebrahimi }
2042*62c56f98SSadaf Ebrahimi
2043*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(
2044*62c56f98SSadaf Ebrahimi ssl, MBEDTLS_SSL_HS_SERVER_HELLO, buf, buf_len));
2045*62c56f98SSadaf Ebrahimi
2046*62c56f98SSadaf Ebrahimi if (is_hrr) {
2047*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_PROC_CHK(ssl_tls13_postprocess_hrr(ssl));
2048*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
2049*62c56f98SSadaf Ebrahimi /* If not offering early data, the client sends a dummy CCS record
2050*62c56f98SSadaf Ebrahimi * immediately before its second flight. This may either be before
2051*62c56f98SSadaf Ebrahimi * its second ClientHello or before its encrypted handshake flight.
2052*62c56f98SSadaf Ebrahimi */
2053*62c56f98SSadaf Ebrahimi mbedtls_ssl_handshake_set_state(
2054*62c56f98SSadaf Ebrahimi ssl, MBEDTLS_SSL_CLIENT_CCS_BEFORE_2ND_CLIENT_HELLO);
2055*62c56f98SSadaf Ebrahimi #else
2056*62c56f98SSadaf Ebrahimi mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_HELLO);
2057*62c56f98SSadaf Ebrahimi #endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
2058*62c56f98SSadaf Ebrahimi } else {
2059*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_PROC_CHK(ssl_tls13_postprocess_server_hello(ssl));
2060*62c56f98SSadaf Ebrahimi mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_ENCRYPTED_EXTENSIONS);
2061*62c56f98SSadaf Ebrahimi }
2062*62c56f98SSadaf Ebrahimi
2063*62c56f98SSadaf Ebrahimi cleanup:
2064*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(2, ("<= %s ( %s )", __func__,
2065*62c56f98SSadaf Ebrahimi is_hrr ? "HelloRetryRequest" : "ServerHello"));
2066*62c56f98SSadaf Ebrahimi return ret;
2067*62c56f98SSadaf Ebrahimi }
2068*62c56f98SSadaf Ebrahimi
2069*62c56f98SSadaf Ebrahimi /*
2070*62c56f98SSadaf Ebrahimi *
2071*62c56f98SSadaf Ebrahimi * Handler for MBEDTLS_SSL_ENCRYPTED_EXTENSIONS
2072*62c56f98SSadaf Ebrahimi *
2073*62c56f98SSadaf Ebrahimi * The EncryptedExtensions message contains any extensions which
2074*62c56f98SSadaf Ebrahimi * should be protected, i.e., any which are not needed to establish
2075*62c56f98SSadaf Ebrahimi * the cryptographic context.
2076*62c56f98SSadaf Ebrahimi */
2077*62c56f98SSadaf Ebrahimi
2078*62c56f98SSadaf Ebrahimi /* Parse EncryptedExtensions message
2079*62c56f98SSadaf Ebrahimi * struct {
2080*62c56f98SSadaf Ebrahimi * Extension extensions<0..2^16-1>;
2081*62c56f98SSadaf Ebrahimi * } EncryptedExtensions;
2082*62c56f98SSadaf Ebrahimi */
2083*62c56f98SSadaf Ebrahimi MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_parse_encrypted_extensions(mbedtls_ssl_context * ssl,const unsigned char * buf,const unsigned char * end)2084*62c56f98SSadaf Ebrahimi static int ssl_tls13_parse_encrypted_extensions(mbedtls_ssl_context *ssl,
2085*62c56f98SSadaf Ebrahimi const unsigned char *buf,
2086*62c56f98SSadaf Ebrahimi const unsigned char *end)
2087*62c56f98SSadaf Ebrahimi {
2088*62c56f98SSadaf Ebrahimi int ret = 0;
2089*62c56f98SSadaf Ebrahimi size_t extensions_len;
2090*62c56f98SSadaf Ebrahimi const unsigned char *p = buf;
2091*62c56f98SSadaf Ebrahimi const unsigned char *extensions_end;
2092*62c56f98SSadaf Ebrahimi mbedtls_ssl_handshake_params *handshake = ssl->handshake;
2093*62c56f98SSadaf Ebrahimi
2094*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
2095*62c56f98SSadaf Ebrahimi extensions_len = MBEDTLS_GET_UINT16_BE(p, 0);
2096*62c56f98SSadaf Ebrahimi p += 2;
2097*62c56f98SSadaf Ebrahimi
2098*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, extensions_len);
2099*62c56f98SSadaf Ebrahimi extensions_end = p + extensions_len;
2100*62c56f98SSadaf Ebrahimi
2101*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_BUF(3, "encrypted extensions", p, extensions_len);
2102*62c56f98SSadaf Ebrahimi
2103*62c56f98SSadaf Ebrahimi handshake->received_extensions = MBEDTLS_SSL_EXT_MASK_NONE;
2104*62c56f98SSadaf Ebrahimi
2105*62c56f98SSadaf Ebrahimi while (p < extensions_end) {
2106*62c56f98SSadaf Ebrahimi unsigned int extension_type;
2107*62c56f98SSadaf Ebrahimi size_t extension_data_len;
2108*62c56f98SSadaf Ebrahimi
2109*62c56f98SSadaf Ebrahimi /*
2110*62c56f98SSadaf Ebrahimi * struct {
2111*62c56f98SSadaf Ebrahimi * ExtensionType extension_type; (2 bytes)
2112*62c56f98SSadaf Ebrahimi * opaque extension_data<0..2^16-1>;
2113*62c56f98SSadaf Ebrahimi * } Extension;
2114*62c56f98SSadaf Ebrahimi */
2115*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_CHK_BUF_READ_PTR(p, extensions_end, 4);
2116*62c56f98SSadaf Ebrahimi extension_type = MBEDTLS_GET_UINT16_BE(p, 0);
2117*62c56f98SSadaf Ebrahimi extension_data_len = MBEDTLS_GET_UINT16_BE(p, 2);
2118*62c56f98SSadaf Ebrahimi p += 4;
2119*62c56f98SSadaf Ebrahimi
2120*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_CHK_BUF_READ_PTR(p, extensions_end, extension_data_len);
2121*62c56f98SSadaf Ebrahimi
2122*62c56f98SSadaf Ebrahimi ret = mbedtls_ssl_tls13_check_received_extension(
2123*62c56f98SSadaf Ebrahimi ssl, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS, extension_type,
2124*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_EE);
2125*62c56f98SSadaf Ebrahimi if (ret != 0) {
2126*62c56f98SSadaf Ebrahimi return ret;
2127*62c56f98SSadaf Ebrahimi }
2128*62c56f98SSadaf Ebrahimi
2129*62c56f98SSadaf Ebrahimi switch (extension_type) {
2130*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_SSL_ALPN)
2131*62c56f98SSadaf Ebrahimi case MBEDTLS_TLS_EXT_ALPN:
2132*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(3, ("found alpn extension"));
2133*62c56f98SSadaf Ebrahimi
2134*62c56f98SSadaf Ebrahimi if ((ret = ssl_tls13_parse_alpn_ext(
2135*62c56f98SSadaf Ebrahimi ssl, p, (size_t) extension_data_len)) != 0) {
2136*62c56f98SSadaf Ebrahimi return ret;
2137*62c56f98SSadaf Ebrahimi }
2138*62c56f98SSadaf Ebrahimi
2139*62c56f98SSadaf Ebrahimi break;
2140*62c56f98SSadaf Ebrahimi #endif /* MBEDTLS_SSL_ALPN */
2141*62c56f98SSadaf Ebrahimi
2142*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_SSL_EARLY_DATA)
2143*62c56f98SSadaf Ebrahimi case MBEDTLS_TLS_EXT_EARLY_DATA:
2144*62c56f98SSadaf Ebrahimi
2145*62c56f98SSadaf Ebrahimi if (extension_data_len != 0) {
2146*62c56f98SSadaf Ebrahimi /* The message must be empty. */
2147*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
2148*62c56f98SSadaf Ebrahimi MBEDTLS_ERR_SSL_DECODE_ERROR);
2149*62c56f98SSadaf Ebrahimi return MBEDTLS_ERR_SSL_DECODE_ERROR;
2150*62c56f98SSadaf Ebrahimi }
2151*62c56f98SSadaf Ebrahimi
2152*62c56f98SSadaf Ebrahimi break;
2153*62c56f98SSadaf Ebrahimi #endif /* MBEDTLS_SSL_EARLY_DATA */
2154*62c56f98SSadaf Ebrahimi
2155*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
2156*62c56f98SSadaf Ebrahimi case MBEDTLS_TLS_EXT_RECORD_SIZE_LIMIT:
2157*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(3, ("found record_size_limit extension"));
2158*62c56f98SSadaf Ebrahimi
2159*62c56f98SSadaf Ebrahimi ret = mbedtls_ssl_tls13_parse_record_size_limit_ext(
2160*62c56f98SSadaf Ebrahimi ssl, p, p + extension_data_len);
2161*62c56f98SSadaf Ebrahimi
2162*62c56f98SSadaf Ebrahimi /* TODO: Return unconditionally here until we handle the record
2163*62c56f98SSadaf Ebrahimi * size limit correctly. Once handled correctly, only return in
2164*62c56f98SSadaf Ebrahimi * case of errors. */
2165*62c56f98SSadaf Ebrahimi return ret;
2166*62c56f98SSadaf Ebrahimi
2167*62c56f98SSadaf Ebrahimi break;
2168*62c56f98SSadaf Ebrahimi #endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */
2169*62c56f98SSadaf Ebrahimi
2170*62c56f98SSadaf Ebrahimi default:
2171*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_PRINT_EXT(
2172*62c56f98SSadaf Ebrahimi 3, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS,
2173*62c56f98SSadaf Ebrahimi extension_type, "( ignored )");
2174*62c56f98SSadaf Ebrahimi break;
2175*62c56f98SSadaf Ebrahimi }
2176*62c56f98SSadaf Ebrahimi
2177*62c56f98SSadaf Ebrahimi p += extension_data_len;
2178*62c56f98SSadaf Ebrahimi }
2179*62c56f98SSadaf Ebrahimi
2180*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_PRINT_EXTS(3, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS,
2181*62c56f98SSadaf Ebrahimi handshake->received_extensions);
2182*62c56f98SSadaf Ebrahimi
2183*62c56f98SSadaf Ebrahimi /* Check that we consumed all the message. */
2184*62c56f98SSadaf Ebrahimi if (p != end) {
2185*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(1, ("EncryptedExtension lengths misaligned"));
2186*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
2187*62c56f98SSadaf Ebrahimi MBEDTLS_ERR_SSL_DECODE_ERROR);
2188*62c56f98SSadaf Ebrahimi return MBEDTLS_ERR_SSL_DECODE_ERROR;
2189*62c56f98SSadaf Ebrahimi }
2190*62c56f98SSadaf Ebrahimi
2191*62c56f98SSadaf Ebrahimi return ret;
2192*62c56f98SSadaf Ebrahimi }
2193*62c56f98SSadaf Ebrahimi
2194*62c56f98SSadaf Ebrahimi MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_process_encrypted_extensions(mbedtls_ssl_context * ssl)2195*62c56f98SSadaf Ebrahimi static int ssl_tls13_process_encrypted_extensions(mbedtls_ssl_context *ssl)
2196*62c56f98SSadaf Ebrahimi {
2197*62c56f98SSadaf Ebrahimi int ret;
2198*62c56f98SSadaf Ebrahimi unsigned char *buf;
2199*62c56f98SSadaf Ebrahimi size_t buf_len;
2200*62c56f98SSadaf Ebrahimi
2201*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse encrypted extensions"));
2202*62c56f98SSadaf Ebrahimi
2203*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_tls13_fetch_handshake_msg(
2204*62c56f98SSadaf Ebrahimi ssl, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS,
2205*62c56f98SSadaf Ebrahimi &buf, &buf_len));
2206*62c56f98SSadaf Ebrahimi
2207*62c56f98SSadaf Ebrahimi /* Process the message contents */
2208*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_PROC_CHK(
2209*62c56f98SSadaf Ebrahimi ssl_tls13_parse_encrypted_extensions(ssl, buf, buf + buf_len));
2210*62c56f98SSadaf Ebrahimi
2211*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_SSL_EARLY_DATA)
2212*62c56f98SSadaf Ebrahimi if (ssl->handshake->received_extensions &
2213*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_EXT_MASK(EARLY_DATA)) {
2214*62c56f98SSadaf Ebrahimi ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED;
2215*62c56f98SSadaf Ebrahimi }
2216*62c56f98SSadaf Ebrahimi #endif
2217*62c56f98SSadaf Ebrahimi
2218*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(
2219*62c56f98SSadaf Ebrahimi ssl, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS,
2220*62c56f98SSadaf Ebrahimi buf, buf_len));
2221*62c56f98SSadaf Ebrahimi
2222*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
2223*62c56f98SSadaf Ebrahimi if (mbedtls_ssl_tls13_key_exchange_mode_with_psk(ssl)) {
2224*62c56f98SSadaf Ebrahimi mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_FINISHED);
2225*62c56f98SSadaf Ebrahimi } else {
2226*62c56f98SSadaf Ebrahimi mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CERTIFICATE_REQUEST);
2227*62c56f98SSadaf Ebrahimi }
2228*62c56f98SSadaf Ebrahimi #else
2229*62c56f98SSadaf Ebrahimi ((void) ssl);
2230*62c56f98SSadaf Ebrahimi mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_FINISHED);
2231*62c56f98SSadaf Ebrahimi #endif
2232*62c56f98SSadaf Ebrahimi
2233*62c56f98SSadaf Ebrahimi cleanup:
2234*62c56f98SSadaf Ebrahimi
2235*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse encrypted extensions"));
2236*62c56f98SSadaf Ebrahimi return ret;
2237*62c56f98SSadaf Ebrahimi
2238*62c56f98SSadaf Ebrahimi }
2239*62c56f98SSadaf Ebrahimi
2240*62c56f98SSadaf Ebrahimi /*
2241*62c56f98SSadaf Ebrahimi * Handler for MBEDTLS_SSL_END_OF_EARLY_DATA
2242*62c56f98SSadaf Ebrahimi *
2243*62c56f98SSadaf Ebrahimi * RFC 8446 section 4.5
2244*62c56f98SSadaf Ebrahimi *
2245*62c56f98SSadaf Ebrahimi * struct {} EndOfEarlyData;
2246*62c56f98SSadaf Ebrahimi *
2247*62c56f98SSadaf Ebrahimi * If the server sent an "early_data" extension in EncryptedExtensions, the
2248*62c56f98SSadaf Ebrahimi * client MUST send an EndOfEarlyData message after receiving the server
2249*62c56f98SSadaf Ebrahimi * Finished. Otherwise, the client MUST NOT send an EndOfEarlyData message.
2250*62c56f98SSadaf Ebrahimi */
2251*62c56f98SSadaf Ebrahimi
2252*62c56f98SSadaf Ebrahimi MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_write_end_of_early_data(mbedtls_ssl_context * ssl)2253*62c56f98SSadaf Ebrahimi static int ssl_tls13_write_end_of_early_data(mbedtls_ssl_context *ssl)
2254*62c56f98SSadaf Ebrahimi {
2255*62c56f98SSadaf Ebrahimi int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2256*62c56f98SSadaf Ebrahimi unsigned char *buf = NULL;
2257*62c56f98SSadaf Ebrahimi size_t buf_len;
2258*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(2, ("=> write EndOfEarlyData"));
2259*62c56f98SSadaf Ebrahimi
2260*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_start_handshake_msg(
2261*62c56f98SSadaf Ebrahimi ssl, MBEDTLS_SSL_HS_END_OF_EARLY_DATA,
2262*62c56f98SSadaf Ebrahimi &buf, &buf_len));
2263*62c56f98SSadaf Ebrahimi
2264*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_hdr_to_checksum(
2265*62c56f98SSadaf Ebrahimi ssl, MBEDTLS_SSL_HS_END_OF_EARLY_DATA, 0));
2266*62c56f98SSadaf Ebrahimi
2267*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_PROC_CHK(
2268*62c56f98SSadaf Ebrahimi mbedtls_ssl_finish_handshake_msg(ssl, buf_len, 0));
2269*62c56f98SSadaf Ebrahimi
2270*62c56f98SSadaf Ebrahimi mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE);
2271*62c56f98SSadaf Ebrahimi
2272*62c56f98SSadaf Ebrahimi cleanup:
2273*62c56f98SSadaf Ebrahimi
2274*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(2, ("<= write EndOfEarlyData"));
2275*62c56f98SSadaf Ebrahimi return ret;
2276*62c56f98SSadaf Ebrahimi }
2277*62c56f98SSadaf Ebrahimi
2278*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
2279*62c56f98SSadaf Ebrahimi /*
2280*62c56f98SSadaf Ebrahimi * STATE HANDLING: CertificateRequest
2281*62c56f98SSadaf Ebrahimi *
2282*62c56f98SSadaf Ebrahimi */
2283*62c56f98SSadaf Ebrahimi #define SSL_CERTIFICATE_REQUEST_EXPECT_REQUEST 0
2284*62c56f98SSadaf Ebrahimi #define SSL_CERTIFICATE_REQUEST_SKIP 1
2285*62c56f98SSadaf Ebrahimi /* Coordination:
2286*62c56f98SSadaf Ebrahimi * Deals with the ambiguity of not knowing if a CertificateRequest
2287*62c56f98SSadaf Ebrahimi * will be sent. Returns a negative code on failure, or
2288*62c56f98SSadaf Ebrahimi * - SSL_CERTIFICATE_REQUEST_EXPECT_REQUEST
2289*62c56f98SSadaf Ebrahimi * - SSL_CERTIFICATE_REQUEST_SKIP
2290*62c56f98SSadaf Ebrahimi * indicating if a Certificate Request is expected or not.
2291*62c56f98SSadaf Ebrahimi */
2292*62c56f98SSadaf Ebrahimi MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_certificate_request_coordinate(mbedtls_ssl_context * ssl)2293*62c56f98SSadaf Ebrahimi static int ssl_tls13_certificate_request_coordinate(mbedtls_ssl_context *ssl)
2294*62c56f98SSadaf Ebrahimi {
2295*62c56f98SSadaf Ebrahimi int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2296*62c56f98SSadaf Ebrahimi
2297*62c56f98SSadaf Ebrahimi if ((ret = mbedtls_ssl_read_record(ssl, 0)) != 0) {
2298*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);
2299*62c56f98SSadaf Ebrahimi return ret;
2300*62c56f98SSadaf Ebrahimi }
2301*62c56f98SSadaf Ebrahimi ssl->keep_current_message = 1;
2302*62c56f98SSadaf Ebrahimi
2303*62c56f98SSadaf Ebrahimi if ((ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE) &&
2304*62c56f98SSadaf Ebrahimi (ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE_REQUEST)) {
2305*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(3, ("got a certificate request"));
2306*62c56f98SSadaf Ebrahimi return SSL_CERTIFICATE_REQUEST_EXPECT_REQUEST;
2307*62c56f98SSadaf Ebrahimi }
2308*62c56f98SSadaf Ebrahimi
2309*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(3, ("got no certificate request"));
2310*62c56f98SSadaf Ebrahimi
2311*62c56f98SSadaf Ebrahimi return SSL_CERTIFICATE_REQUEST_SKIP;
2312*62c56f98SSadaf Ebrahimi }
2313*62c56f98SSadaf Ebrahimi
2314*62c56f98SSadaf Ebrahimi /*
2315*62c56f98SSadaf Ebrahimi * ssl_tls13_parse_certificate_request()
2316*62c56f98SSadaf Ebrahimi * Parse certificate request
2317*62c56f98SSadaf Ebrahimi * struct {
2318*62c56f98SSadaf Ebrahimi * opaque certificate_request_context<0..2^8-1>;
2319*62c56f98SSadaf Ebrahimi * Extension extensions<2..2^16-1>;
2320*62c56f98SSadaf Ebrahimi * } CertificateRequest;
2321*62c56f98SSadaf Ebrahimi */
2322*62c56f98SSadaf Ebrahimi MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_parse_certificate_request(mbedtls_ssl_context * ssl,const unsigned char * buf,const unsigned char * end)2323*62c56f98SSadaf Ebrahimi static int ssl_tls13_parse_certificate_request(mbedtls_ssl_context *ssl,
2324*62c56f98SSadaf Ebrahimi const unsigned char *buf,
2325*62c56f98SSadaf Ebrahimi const unsigned char *end)
2326*62c56f98SSadaf Ebrahimi {
2327*62c56f98SSadaf Ebrahimi int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2328*62c56f98SSadaf Ebrahimi const unsigned char *p = buf;
2329*62c56f98SSadaf Ebrahimi size_t certificate_request_context_len = 0;
2330*62c56f98SSadaf Ebrahimi size_t extensions_len = 0;
2331*62c56f98SSadaf Ebrahimi const unsigned char *extensions_end;
2332*62c56f98SSadaf Ebrahimi mbedtls_ssl_handshake_params *handshake = ssl->handshake;
2333*62c56f98SSadaf Ebrahimi
2334*62c56f98SSadaf Ebrahimi /* ...
2335*62c56f98SSadaf Ebrahimi * opaque certificate_request_context<0..2^8-1>
2336*62c56f98SSadaf Ebrahimi * ...
2337*62c56f98SSadaf Ebrahimi */
2338*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 1);
2339*62c56f98SSadaf Ebrahimi certificate_request_context_len = (size_t) p[0];
2340*62c56f98SSadaf Ebrahimi p += 1;
2341*62c56f98SSadaf Ebrahimi
2342*62c56f98SSadaf Ebrahimi if (certificate_request_context_len > 0) {
2343*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, certificate_request_context_len);
2344*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_BUF(3, "Certificate Request Context",
2345*62c56f98SSadaf Ebrahimi p, certificate_request_context_len);
2346*62c56f98SSadaf Ebrahimi
2347*62c56f98SSadaf Ebrahimi handshake->certificate_request_context =
2348*62c56f98SSadaf Ebrahimi mbedtls_calloc(1, certificate_request_context_len);
2349*62c56f98SSadaf Ebrahimi if (handshake->certificate_request_context == NULL) {
2350*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(1, ("buffer too small"));
2351*62c56f98SSadaf Ebrahimi return MBEDTLS_ERR_SSL_ALLOC_FAILED;
2352*62c56f98SSadaf Ebrahimi }
2353*62c56f98SSadaf Ebrahimi memcpy(handshake->certificate_request_context, p,
2354*62c56f98SSadaf Ebrahimi certificate_request_context_len);
2355*62c56f98SSadaf Ebrahimi p += certificate_request_context_len;
2356*62c56f98SSadaf Ebrahimi }
2357*62c56f98SSadaf Ebrahimi
2358*62c56f98SSadaf Ebrahimi /* ...
2359*62c56f98SSadaf Ebrahimi * Extension extensions<2..2^16-1>;
2360*62c56f98SSadaf Ebrahimi * ...
2361*62c56f98SSadaf Ebrahimi */
2362*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
2363*62c56f98SSadaf Ebrahimi extensions_len = MBEDTLS_GET_UINT16_BE(p, 0);
2364*62c56f98SSadaf Ebrahimi p += 2;
2365*62c56f98SSadaf Ebrahimi
2366*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, extensions_len);
2367*62c56f98SSadaf Ebrahimi extensions_end = p + extensions_len;
2368*62c56f98SSadaf Ebrahimi
2369*62c56f98SSadaf Ebrahimi handshake->received_extensions = MBEDTLS_SSL_EXT_MASK_NONE;
2370*62c56f98SSadaf Ebrahimi
2371*62c56f98SSadaf Ebrahimi while (p < extensions_end) {
2372*62c56f98SSadaf Ebrahimi unsigned int extension_type;
2373*62c56f98SSadaf Ebrahimi size_t extension_data_len;
2374*62c56f98SSadaf Ebrahimi
2375*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_CHK_BUF_READ_PTR(p, extensions_end, 4);
2376*62c56f98SSadaf Ebrahimi extension_type = MBEDTLS_GET_UINT16_BE(p, 0);
2377*62c56f98SSadaf Ebrahimi extension_data_len = MBEDTLS_GET_UINT16_BE(p, 2);
2378*62c56f98SSadaf Ebrahimi p += 4;
2379*62c56f98SSadaf Ebrahimi
2380*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_CHK_BUF_READ_PTR(p, extensions_end, extension_data_len);
2381*62c56f98SSadaf Ebrahimi
2382*62c56f98SSadaf Ebrahimi ret = mbedtls_ssl_tls13_check_received_extension(
2383*62c56f98SSadaf Ebrahimi ssl, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST, extension_type,
2384*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CR);
2385*62c56f98SSadaf Ebrahimi if (ret != 0) {
2386*62c56f98SSadaf Ebrahimi return ret;
2387*62c56f98SSadaf Ebrahimi }
2388*62c56f98SSadaf Ebrahimi
2389*62c56f98SSadaf Ebrahimi switch (extension_type) {
2390*62c56f98SSadaf Ebrahimi case MBEDTLS_TLS_EXT_SIG_ALG:
2391*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(3,
2392*62c56f98SSadaf Ebrahimi ("found signature algorithms extension"));
2393*62c56f98SSadaf Ebrahimi ret = mbedtls_ssl_parse_sig_alg_ext(ssl, p,
2394*62c56f98SSadaf Ebrahimi p + extension_data_len);
2395*62c56f98SSadaf Ebrahimi if (ret != 0) {
2396*62c56f98SSadaf Ebrahimi return ret;
2397*62c56f98SSadaf Ebrahimi }
2398*62c56f98SSadaf Ebrahimi
2399*62c56f98SSadaf Ebrahimi break;
2400*62c56f98SSadaf Ebrahimi
2401*62c56f98SSadaf Ebrahimi default:
2402*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_PRINT_EXT(
2403*62c56f98SSadaf Ebrahimi 3, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST,
2404*62c56f98SSadaf Ebrahimi extension_type, "( ignored )");
2405*62c56f98SSadaf Ebrahimi break;
2406*62c56f98SSadaf Ebrahimi }
2407*62c56f98SSadaf Ebrahimi
2408*62c56f98SSadaf Ebrahimi p += extension_data_len;
2409*62c56f98SSadaf Ebrahimi }
2410*62c56f98SSadaf Ebrahimi
2411*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_PRINT_EXTS(3, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST,
2412*62c56f98SSadaf Ebrahimi handshake->received_extensions);
2413*62c56f98SSadaf Ebrahimi
2414*62c56f98SSadaf Ebrahimi /* Check that we consumed all the message. */
2415*62c56f98SSadaf Ebrahimi if (p != end) {
2416*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(1,
2417*62c56f98SSadaf Ebrahimi ("CertificateRequest misaligned"));
2418*62c56f98SSadaf Ebrahimi goto decode_error;
2419*62c56f98SSadaf Ebrahimi }
2420*62c56f98SSadaf Ebrahimi
2421*62c56f98SSadaf Ebrahimi /* RFC 8446 section 4.3.2
2422*62c56f98SSadaf Ebrahimi *
2423*62c56f98SSadaf Ebrahimi * The "signature_algorithms" extension MUST be specified
2424*62c56f98SSadaf Ebrahimi */
2425*62c56f98SSadaf Ebrahimi if ((handshake->received_extensions & MBEDTLS_SSL_EXT_MASK(SIG_ALG)) == 0) {
2426*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(3,
2427*62c56f98SSadaf Ebrahimi ("no signature algorithms extension found"));
2428*62c56f98SSadaf Ebrahimi goto decode_error;
2429*62c56f98SSadaf Ebrahimi }
2430*62c56f98SSadaf Ebrahimi
2431*62c56f98SSadaf Ebrahimi ssl->handshake->client_auth = 1;
2432*62c56f98SSadaf Ebrahimi return 0;
2433*62c56f98SSadaf Ebrahimi
2434*62c56f98SSadaf Ebrahimi decode_error:
2435*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
2436*62c56f98SSadaf Ebrahimi MBEDTLS_ERR_SSL_DECODE_ERROR);
2437*62c56f98SSadaf Ebrahimi return MBEDTLS_ERR_SSL_DECODE_ERROR;
2438*62c56f98SSadaf Ebrahimi }
2439*62c56f98SSadaf Ebrahimi
2440*62c56f98SSadaf Ebrahimi /*
2441*62c56f98SSadaf Ebrahimi * Handler for MBEDTLS_SSL_CERTIFICATE_REQUEST
2442*62c56f98SSadaf Ebrahimi */
2443*62c56f98SSadaf Ebrahimi MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_process_certificate_request(mbedtls_ssl_context * ssl)2444*62c56f98SSadaf Ebrahimi static int ssl_tls13_process_certificate_request(mbedtls_ssl_context *ssl)
2445*62c56f98SSadaf Ebrahimi {
2446*62c56f98SSadaf Ebrahimi int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2447*62c56f98SSadaf Ebrahimi
2448*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate request"));
2449*62c56f98SSadaf Ebrahimi
2450*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_PROC_CHK_NEG(ssl_tls13_certificate_request_coordinate(ssl));
2451*62c56f98SSadaf Ebrahimi
2452*62c56f98SSadaf Ebrahimi if (ret == SSL_CERTIFICATE_REQUEST_EXPECT_REQUEST) {
2453*62c56f98SSadaf Ebrahimi unsigned char *buf;
2454*62c56f98SSadaf Ebrahimi size_t buf_len;
2455*62c56f98SSadaf Ebrahimi
2456*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_tls13_fetch_handshake_msg(
2457*62c56f98SSadaf Ebrahimi ssl, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST,
2458*62c56f98SSadaf Ebrahimi &buf, &buf_len));
2459*62c56f98SSadaf Ebrahimi
2460*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_PROC_CHK(ssl_tls13_parse_certificate_request(
2461*62c56f98SSadaf Ebrahimi ssl, buf, buf + buf_len));
2462*62c56f98SSadaf Ebrahimi
2463*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(
2464*62c56f98SSadaf Ebrahimi ssl, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST,
2465*62c56f98SSadaf Ebrahimi buf, buf_len));
2466*62c56f98SSadaf Ebrahimi } else if (ret == SSL_CERTIFICATE_REQUEST_SKIP) {
2467*62c56f98SSadaf Ebrahimi ret = 0;
2468*62c56f98SSadaf Ebrahimi } else {
2469*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
2470*62c56f98SSadaf Ebrahimi ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
2471*62c56f98SSadaf Ebrahimi goto cleanup;
2472*62c56f98SSadaf Ebrahimi }
2473*62c56f98SSadaf Ebrahimi
2474*62c56f98SSadaf Ebrahimi mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_CERTIFICATE);
2475*62c56f98SSadaf Ebrahimi
2476*62c56f98SSadaf Ebrahimi cleanup:
2477*62c56f98SSadaf Ebrahimi
2478*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse certificate request"));
2479*62c56f98SSadaf Ebrahimi return ret;
2480*62c56f98SSadaf Ebrahimi }
2481*62c56f98SSadaf Ebrahimi
2482*62c56f98SSadaf Ebrahimi /*
2483*62c56f98SSadaf Ebrahimi * Handler for MBEDTLS_SSL_SERVER_CERTIFICATE
2484*62c56f98SSadaf Ebrahimi */
2485*62c56f98SSadaf Ebrahimi MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_process_server_certificate(mbedtls_ssl_context * ssl)2486*62c56f98SSadaf Ebrahimi static int ssl_tls13_process_server_certificate(mbedtls_ssl_context *ssl)
2487*62c56f98SSadaf Ebrahimi {
2488*62c56f98SSadaf Ebrahimi int ret;
2489*62c56f98SSadaf Ebrahimi
2490*62c56f98SSadaf Ebrahimi ret = mbedtls_ssl_tls13_process_certificate(ssl);
2491*62c56f98SSadaf Ebrahimi if (ret != 0) {
2492*62c56f98SSadaf Ebrahimi return ret;
2493*62c56f98SSadaf Ebrahimi }
2494*62c56f98SSadaf Ebrahimi
2495*62c56f98SSadaf Ebrahimi mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CERTIFICATE_VERIFY);
2496*62c56f98SSadaf Ebrahimi return 0;
2497*62c56f98SSadaf Ebrahimi }
2498*62c56f98SSadaf Ebrahimi
2499*62c56f98SSadaf Ebrahimi /*
2500*62c56f98SSadaf Ebrahimi * Handler for MBEDTLS_SSL_CERTIFICATE_VERIFY
2501*62c56f98SSadaf Ebrahimi */
2502*62c56f98SSadaf Ebrahimi MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_process_certificate_verify(mbedtls_ssl_context * ssl)2503*62c56f98SSadaf Ebrahimi static int ssl_tls13_process_certificate_verify(mbedtls_ssl_context *ssl)
2504*62c56f98SSadaf Ebrahimi {
2505*62c56f98SSadaf Ebrahimi int ret;
2506*62c56f98SSadaf Ebrahimi
2507*62c56f98SSadaf Ebrahimi ret = mbedtls_ssl_tls13_process_certificate_verify(ssl);
2508*62c56f98SSadaf Ebrahimi if (ret != 0) {
2509*62c56f98SSadaf Ebrahimi return ret;
2510*62c56f98SSadaf Ebrahimi }
2511*62c56f98SSadaf Ebrahimi
2512*62c56f98SSadaf Ebrahimi mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_FINISHED);
2513*62c56f98SSadaf Ebrahimi return 0;
2514*62c56f98SSadaf Ebrahimi }
2515*62c56f98SSadaf Ebrahimi #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
2516*62c56f98SSadaf Ebrahimi
2517*62c56f98SSadaf Ebrahimi /*
2518*62c56f98SSadaf Ebrahimi * Handler for MBEDTLS_SSL_SERVER_FINISHED
2519*62c56f98SSadaf Ebrahimi */
2520*62c56f98SSadaf Ebrahimi MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_process_server_finished(mbedtls_ssl_context * ssl)2521*62c56f98SSadaf Ebrahimi static int ssl_tls13_process_server_finished(mbedtls_ssl_context *ssl)
2522*62c56f98SSadaf Ebrahimi {
2523*62c56f98SSadaf Ebrahimi int ret;
2524*62c56f98SSadaf Ebrahimi
2525*62c56f98SSadaf Ebrahimi ret = mbedtls_ssl_tls13_process_finished_message(ssl);
2526*62c56f98SSadaf Ebrahimi if (ret != 0) {
2527*62c56f98SSadaf Ebrahimi return ret;
2528*62c56f98SSadaf Ebrahimi }
2529*62c56f98SSadaf Ebrahimi
2530*62c56f98SSadaf Ebrahimi ret = mbedtls_ssl_tls13_compute_application_transform(ssl);
2531*62c56f98SSadaf Ebrahimi if (ret != 0) {
2532*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_PEND_FATAL_ALERT(
2533*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
2534*62c56f98SSadaf Ebrahimi MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE);
2535*62c56f98SSadaf Ebrahimi return ret;
2536*62c56f98SSadaf Ebrahimi }
2537*62c56f98SSadaf Ebrahimi
2538*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_SSL_EARLY_DATA)
2539*62c56f98SSadaf Ebrahimi if (ssl->early_data_status == MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED) {
2540*62c56f98SSadaf Ebrahimi mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_END_OF_EARLY_DATA);
2541*62c56f98SSadaf Ebrahimi } else if (ssl->early_data_status == MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED) {
2542*62c56f98SSadaf Ebrahimi mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE);
2543*62c56f98SSadaf Ebrahimi } else
2544*62c56f98SSadaf Ebrahimi #endif /* MBEDTLS_SSL_EARLY_DATA */
2545*62c56f98SSadaf Ebrahimi {
2546*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
2547*62c56f98SSadaf Ebrahimi mbedtls_ssl_handshake_set_state(
2548*62c56f98SSadaf Ebrahimi ssl, MBEDTLS_SSL_CLIENT_CCS_AFTER_SERVER_FINISHED);
2549*62c56f98SSadaf Ebrahimi #else
2550*62c56f98SSadaf Ebrahimi mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE);
2551*62c56f98SSadaf Ebrahimi #endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
2552*62c56f98SSadaf Ebrahimi }
2553*62c56f98SSadaf Ebrahimi
2554*62c56f98SSadaf Ebrahimi return 0;
2555*62c56f98SSadaf Ebrahimi }
2556*62c56f98SSadaf Ebrahimi
2557*62c56f98SSadaf Ebrahimi /*
2558*62c56f98SSadaf Ebrahimi * Handler for MBEDTLS_SSL_CLIENT_CERTIFICATE
2559*62c56f98SSadaf Ebrahimi */
2560*62c56f98SSadaf Ebrahimi MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_write_client_certificate(mbedtls_ssl_context * ssl)2561*62c56f98SSadaf Ebrahimi static int ssl_tls13_write_client_certificate(mbedtls_ssl_context *ssl)
2562*62c56f98SSadaf Ebrahimi {
2563*62c56f98SSadaf Ebrahimi int non_empty_certificate_msg = 0;
2564*62c56f98SSadaf Ebrahimi
2565*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(1,
2566*62c56f98SSadaf Ebrahimi ("Switch to handshake traffic keys for outbound traffic"));
2567*62c56f98SSadaf Ebrahimi mbedtls_ssl_set_outbound_transform(ssl, ssl->handshake->transform_handshake);
2568*62c56f98SSadaf Ebrahimi
2569*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
2570*62c56f98SSadaf Ebrahimi if (ssl->handshake->client_auth) {
2571*62c56f98SSadaf Ebrahimi int ret = mbedtls_ssl_tls13_write_certificate(ssl);
2572*62c56f98SSadaf Ebrahimi if (ret != 0) {
2573*62c56f98SSadaf Ebrahimi return ret;
2574*62c56f98SSadaf Ebrahimi }
2575*62c56f98SSadaf Ebrahimi
2576*62c56f98SSadaf Ebrahimi if (mbedtls_ssl_own_cert(ssl) != NULL) {
2577*62c56f98SSadaf Ebrahimi non_empty_certificate_msg = 1;
2578*62c56f98SSadaf Ebrahimi }
2579*62c56f98SSadaf Ebrahimi } else {
2580*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(2, ("skip write certificate"));
2581*62c56f98SSadaf Ebrahimi }
2582*62c56f98SSadaf Ebrahimi #endif
2583*62c56f98SSadaf Ebrahimi
2584*62c56f98SSadaf Ebrahimi if (non_empty_certificate_msg) {
2585*62c56f98SSadaf Ebrahimi mbedtls_ssl_handshake_set_state(ssl,
2586*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY);
2587*62c56f98SSadaf Ebrahimi } else {
2588*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(2, ("skip write certificate verify"));
2589*62c56f98SSadaf Ebrahimi mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_FINISHED);
2590*62c56f98SSadaf Ebrahimi }
2591*62c56f98SSadaf Ebrahimi
2592*62c56f98SSadaf Ebrahimi return 0;
2593*62c56f98SSadaf Ebrahimi }
2594*62c56f98SSadaf Ebrahimi
2595*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
2596*62c56f98SSadaf Ebrahimi /*
2597*62c56f98SSadaf Ebrahimi * Handler for MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY
2598*62c56f98SSadaf Ebrahimi */
2599*62c56f98SSadaf Ebrahimi MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_write_client_certificate_verify(mbedtls_ssl_context * ssl)2600*62c56f98SSadaf Ebrahimi static int ssl_tls13_write_client_certificate_verify(mbedtls_ssl_context *ssl)
2601*62c56f98SSadaf Ebrahimi {
2602*62c56f98SSadaf Ebrahimi int ret = mbedtls_ssl_tls13_write_certificate_verify(ssl);
2603*62c56f98SSadaf Ebrahimi
2604*62c56f98SSadaf Ebrahimi if (ret == 0) {
2605*62c56f98SSadaf Ebrahimi mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_FINISHED);
2606*62c56f98SSadaf Ebrahimi }
2607*62c56f98SSadaf Ebrahimi
2608*62c56f98SSadaf Ebrahimi return ret;
2609*62c56f98SSadaf Ebrahimi }
2610*62c56f98SSadaf Ebrahimi #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
2611*62c56f98SSadaf Ebrahimi
2612*62c56f98SSadaf Ebrahimi /*
2613*62c56f98SSadaf Ebrahimi * Handler for MBEDTLS_SSL_CLIENT_FINISHED
2614*62c56f98SSadaf Ebrahimi */
2615*62c56f98SSadaf Ebrahimi MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_write_client_finished(mbedtls_ssl_context * ssl)2616*62c56f98SSadaf Ebrahimi static int ssl_tls13_write_client_finished(mbedtls_ssl_context *ssl)
2617*62c56f98SSadaf Ebrahimi {
2618*62c56f98SSadaf Ebrahimi int ret;
2619*62c56f98SSadaf Ebrahimi
2620*62c56f98SSadaf Ebrahimi ret = mbedtls_ssl_tls13_write_finished_message(ssl);
2621*62c56f98SSadaf Ebrahimi if (ret != 0) {
2622*62c56f98SSadaf Ebrahimi return ret;
2623*62c56f98SSadaf Ebrahimi }
2624*62c56f98SSadaf Ebrahimi
2625*62c56f98SSadaf Ebrahimi ret = mbedtls_ssl_tls13_compute_resumption_master_secret(ssl);
2626*62c56f98SSadaf Ebrahimi if (ret != 0) {
2627*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_RET(
2628*62c56f98SSadaf Ebrahimi 1, "mbedtls_ssl_tls13_compute_resumption_master_secret ", ret);
2629*62c56f98SSadaf Ebrahimi return ret;
2630*62c56f98SSadaf Ebrahimi }
2631*62c56f98SSadaf Ebrahimi
2632*62c56f98SSadaf Ebrahimi mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_FLUSH_BUFFERS);
2633*62c56f98SSadaf Ebrahimi return 0;
2634*62c56f98SSadaf Ebrahimi }
2635*62c56f98SSadaf Ebrahimi
2636*62c56f98SSadaf Ebrahimi /*
2637*62c56f98SSadaf Ebrahimi * Handler for MBEDTLS_SSL_FLUSH_BUFFERS
2638*62c56f98SSadaf Ebrahimi */
2639*62c56f98SSadaf Ebrahimi MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_flush_buffers(mbedtls_ssl_context * ssl)2640*62c56f98SSadaf Ebrahimi static int ssl_tls13_flush_buffers(mbedtls_ssl_context *ssl)
2641*62c56f98SSadaf Ebrahimi {
2642*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(2, ("handshake: done"));
2643*62c56f98SSadaf Ebrahimi mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_WRAPUP);
2644*62c56f98SSadaf Ebrahimi return 0;
2645*62c56f98SSadaf Ebrahimi }
2646*62c56f98SSadaf Ebrahimi
2647*62c56f98SSadaf Ebrahimi /*
2648*62c56f98SSadaf Ebrahimi * Handler for MBEDTLS_SSL_HANDSHAKE_WRAPUP
2649*62c56f98SSadaf Ebrahimi */
2650*62c56f98SSadaf Ebrahimi MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_handshake_wrapup(mbedtls_ssl_context * ssl)2651*62c56f98SSadaf Ebrahimi static int ssl_tls13_handshake_wrapup(mbedtls_ssl_context *ssl)
2652*62c56f98SSadaf Ebrahimi {
2653*62c56f98SSadaf Ebrahimi
2654*62c56f98SSadaf Ebrahimi mbedtls_ssl_tls13_handshake_wrapup(ssl);
2655*62c56f98SSadaf Ebrahimi
2656*62c56f98SSadaf Ebrahimi mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_OVER);
2657*62c56f98SSadaf Ebrahimi return 0;
2658*62c56f98SSadaf Ebrahimi }
2659*62c56f98SSadaf Ebrahimi
2660*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_SSL_SESSION_TICKETS)
2661*62c56f98SSadaf Ebrahimi
2662*62c56f98SSadaf Ebrahimi MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_parse_new_session_ticket_exts(mbedtls_ssl_context * ssl,const unsigned char * buf,const unsigned char * end)2663*62c56f98SSadaf Ebrahimi static int ssl_tls13_parse_new_session_ticket_exts(mbedtls_ssl_context *ssl,
2664*62c56f98SSadaf Ebrahimi const unsigned char *buf,
2665*62c56f98SSadaf Ebrahimi const unsigned char *end)
2666*62c56f98SSadaf Ebrahimi {
2667*62c56f98SSadaf Ebrahimi mbedtls_ssl_handshake_params *handshake = ssl->handshake;
2668*62c56f98SSadaf Ebrahimi const unsigned char *p = buf;
2669*62c56f98SSadaf Ebrahimi
2670*62c56f98SSadaf Ebrahimi
2671*62c56f98SSadaf Ebrahimi handshake->received_extensions = MBEDTLS_SSL_EXT_MASK_NONE;
2672*62c56f98SSadaf Ebrahimi
2673*62c56f98SSadaf Ebrahimi while (p < end) {
2674*62c56f98SSadaf Ebrahimi unsigned int extension_type;
2675*62c56f98SSadaf Ebrahimi size_t extension_data_len;
2676*62c56f98SSadaf Ebrahimi int ret;
2677*62c56f98SSadaf Ebrahimi
2678*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 4);
2679*62c56f98SSadaf Ebrahimi extension_type = MBEDTLS_GET_UINT16_BE(p, 0);
2680*62c56f98SSadaf Ebrahimi extension_data_len = MBEDTLS_GET_UINT16_BE(p, 2);
2681*62c56f98SSadaf Ebrahimi p += 4;
2682*62c56f98SSadaf Ebrahimi
2683*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, extension_data_len);
2684*62c56f98SSadaf Ebrahimi
2685*62c56f98SSadaf Ebrahimi ret = mbedtls_ssl_tls13_check_received_extension(
2686*62c56f98SSadaf Ebrahimi ssl, MBEDTLS_SSL_HS_NEW_SESSION_TICKET, extension_type,
2687*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_NST);
2688*62c56f98SSadaf Ebrahimi if (ret != 0) {
2689*62c56f98SSadaf Ebrahimi return ret;
2690*62c56f98SSadaf Ebrahimi }
2691*62c56f98SSadaf Ebrahimi
2692*62c56f98SSadaf Ebrahimi switch (extension_type) {
2693*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_SSL_EARLY_DATA)
2694*62c56f98SSadaf Ebrahimi case MBEDTLS_TLS_EXT_EARLY_DATA:
2695*62c56f98SSadaf Ebrahimi if (extension_data_len != 4) {
2696*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_PEND_FATAL_ALERT(
2697*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
2698*62c56f98SSadaf Ebrahimi MBEDTLS_ERR_SSL_DECODE_ERROR);
2699*62c56f98SSadaf Ebrahimi return MBEDTLS_ERR_SSL_DECODE_ERROR;
2700*62c56f98SSadaf Ebrahimi }
2701*62c56f98SSadaf Ebrahimi if (ssl->session != NULL) {
2702*62c56f98SSadaf Ebrahimi ssl->session->ticket_flags |=
2703*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_EARLY_DATA;
2704*62c56f98SSadaf Ebrahimi }
2705*62c56f98SSadaf Ebrahimi break;
2706*62c56f98SSadaf Ebrahimi #endif /* MBEDTLS_SSL_EARLY_DATA */
2707*62c56f98SSadaf Ebrahimi
2708*62c56f98SSadaf Ebrahimi default:
2709*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_PRINT_EXT(
2710*62c56f98SSadaf Ebrahimi 3, MBEDTLS_SSL_HS_NEW_SESSION_TICKET,
2711*62c56f98SSadaf Ebrahimi extension_type, "( ignored )");
2712*62c56f98SSadaf Ebrahimi break;
2713*62c56f98SSadaf Ebrahimi }
2714*62c56f98SSadaf Ebrahimi
2715*62c56f98SSadaf Ebrahimi p += extension_data_len;
2716*62c56f98SSadaf Ebrahimi }
2717*62c56f98SSadaf Ebrahimi
2718*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_PRINT_EXTS(3, MBEDTLS_SSL_HS_NEW_SESSION_TICKET,
2719*62c56f98SSadaf Ebrahimi handshake->received_extensions);
2720*62c56f98SSadaf Ebrahimi
2721*62c56f98SSadaf Ebrahimi return 0;
2722*62c56f98SSadaf Ebrahimi }
2723*62c56f98SSadaf Ebrahimi
2724*62c56f98SSadaf Ebrahimi /*
2725*62c56f98SSadaf Ebrahimi * From RFC8446, page 74
2726*62c56f98SSadaf Ebrahimi *
2727*62c56f98SSadaf Ebrahimi * struct {
2728*62c56f98SSadaf Ebrahimi * uint32 ticket_lifetime;
2729*62c56f98SSadaf Ebrahimi * uint32 ticket_age_add;
2730*62c56f98SSadaf Ebrahimi * opaque ticket_nonce<0..255>;
2731*62c56f98SSadaf Ebrahimi * opaque ticket<1..2^16-1>;
2732*62c56f98SSadaf Ebrahimi * Extension extensions<0..2^16-2>;
2733*62c56f98SSadaf Ebrahimi * } NewSessionTicket;
2734*62c56f98SSadaf Ebrahimi *
2735*62c56f98SSadaf Ebrahimi */
2736*62c56f98SSadaf Ebrahimi MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_parse_new_session_ticket(mbedtls_ssl_context * ssl,unsigned char * buf,unsigned char * end,unsigned char ** ticket_nonce,size_t * ticket_nonce_len)2737*62c56f98SSadaf Ebrahimi static int ssl_tls13_parse_new_session_ticket(mbedtls_ssl_context *ssl,
2738*62c56f98SSadaf Ebrahimi unsigned char *buf,
2739*62c56f98SSadaf Ebrahimi unsigned char *end,
2740*62c56f98SSadaf Ebrahimi unsigned char **ticket_nonce,
2741*62c56f98SSadaf Ebrahimi size_t *ticket_nonce_len)
2742*62c56f98SSadaf Ebrahimi {
2743*62c56f98SSadaf Ebrahimi int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2744*62c56f98SSadaf Ebrahimi unsigned char *p = buf;
2745*62c56f98SSadaf Ebrahimi mbedtls_ssl_session *session = ssl->session;
2746*62c56f98SSadaf Ebrahimi size_t ticket_len;
2747*62c56f98SSadaf Ebrahimi unsigned char *ticket;
2748*62c56f98SSadaf Ebrahimi size_t extensions_len;
2749*62c56f98SSadaf Ebrahimi
2750*62c56f98SSadaf Ebrahimi *ticket_nonce = NULL;
2751*62c56f98SSadaf Ebrahimi *ticket_nonce_len = 0;
2752*62c56f98SSadaf Ebrahimi /*
2753*62c56f98SSadaf Ebrahimi * ticket_lifetime 4 bytes
2754*62c56f98SSadaf Ebrahimi * ticket_age_add 4 bytes
2755*62c56f98SSadaf Ebrahimi * ticket_nonce_len 1 byte
2756*62c56f98SSadaf Ebrahimi */
2757*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 9);
2758*62c56f98SSadaf Ebrahimi
2759*62c56f98SSadaf Ebrahimi session->ticket_lifetime = MBEDTLS_GET_UINT32_BE(p, 0);
2760*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(3,
2761*62c56f98SSadaf Ebrahimi ("ticket_lifetime: %u",
2762*62c56f98SSadaf Ebrahimi (unsigned int) session->ticket_lifetime));
2763*62c56f98SSadaf Ebrahimi
2764*62c56f98SSadaf Ebrahimi session->ticket_age_add = MBEDTLS_GET_UINT32_BE(p, 4);
2765*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(3,
2766*62c56f98SSadaf Ebrahimi ("ticket_age_add: %u",
2767*62c56f98SSadaf Ebrahimi (unsigned int) session->ticket_age_add));
2768*62c56f98SSadaf Ebrahimi
2769*62c56f98SSadaf Ebrahimi *ticket_nonce_len = p[8];
2770*62c56f98SSadaf Ebrahimi p += 9;
2771*62c56f98SSadaf Ebrahimi
2772*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, *ticket_nonce_len);
2773*62c56f98SSadaf Ebrahimi *ticket_nonce = p;
2774*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_BUF(3, "ticket_nonce:", *ticket_nonce, *ticket_nonce_len);
2775*62c56f98SSadaf Ebrahimi p += *ticket_nonce_len;
2776*62c56f98SSadaf Ebrahimi
2777*62c56f98SSadaf Ebrahimi /* Ticket */
2778*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
2779*62c56f98SSadaf Ebrahimi ticket_len = MBEDTLS_GET_UINT16_BE(p, 0);
2780*62c56f98SSadaf Ebrahimi p += 2;
2781*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, ticket_len);
2782*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_BUF(3, "received ticket", p, ticket_len);
2783*62c56f98SSadaf Ebrahimi
2784*62c56f98SSadaf Ebrahimi /* Check if we previously received a ticket already. */
2785*62c56f98SSadaf Ebrahimi if (session->ticket != NULL || session->ticket_len > 0) {
2786*62c56f98SSadaf Ebrahimi mbedtls_free(session->ticket);
2787*62c56f98SSadaf Ebrahimi session->ticket = NULL;
2788*62c56f98SSadaf Ebrahimi session->ticket_len = 0;
2789*62c56f98SSadaf Ebrahimi }
2790*62c56f98SSadaf Ebrahimi
2791*62c56f98SSadaf Ebrahimi if ((ticket = mbedtls_calloc(1, ticket_len)) == NULL) {
2792*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(1, ("ticket alloc failed"));
2793*62c56f98SSadaf Ebrahimi return MBEDTLS_ERR_SSL_ALLOC_FAILED;
2794*62c56f98SSadaf Ebrahimi }
2795*62c56f98SSadaf Ebrahimi memcpy(ticket, p, ticket_len);
2796*62c56f98SSadaf Ebrahimi p += ticket_len;
2797*62c56f98SSadaf Ebrahimi session->ticket = ticket;
2798*62c56f98SSadaf Ebrahimi session->ticket_len = ticket_len;
2799*62c56f98SSadaf Ebrahimi
2800*62c56f98SSadaf Ebrahimi /* Clear all flags in ticket_flags */
2801*62c56f98SSadaf Ebrahimi mbedtls_ssl_session_clear_ticket_flags(
2802*62c56f98SSadaf Ebrahimi session, MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK);
2803*62c56f98SSadaf Ebrahimi
2804*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
2805*62c56f98SSadaf Ebrahimi extensions_len = MBEDTLS_GET_UINT16_BE(p, 0);
2806*62c56f98SSadaf Ebrahimi p += 2;
2807*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, extensions_len);
2808*62c56f98SSadaf Ebrahimi
2809*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_BUF(3, "ticket extension", p, extensions_len);
2810*62c56f98SSadaf Ebrahimi
2811*62c56f98SSadaf Ebrahimi ret = ssl_tls13_parse_new_session_ticket_exts(ssl, p, p + extensions_len);
2812*62c56f98SSadaf Ebrahimi if (ret != 0) {
2813*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_RET(1,
2814*62c56f98SSadaf Ebrahimi "ssl_tls13_parse_new_session_ticket_exts",
2815*62c56f98SSadaf Ebrahimi ret);
2816*62c56f98SSadaf Ebrahimi return ret;
2817*62c56f98SSadaf Ebrahimi }
2818*62c56f98SSadaf Ebrahimi
2819*62c56f98SSadaf Ebrahimi /* session has been updated, allow export */
2820*62c56f98SSadaf Ebrahimi session->exported = 0;
2821*62c56f98SSadaf Ebrahimi
2822*62c56f98SSadaf Ebrahimi return 0;
2823*62c56f98SSadaf Ebrahimi }
2824*62c56f98SSadaf Ebrahimi
2825*62c56f98SSadaf Ebrahimi MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_postprocess_new_session_ticket(mbedtls_ssl_context * ssl,unsigned char * ticket_nonce,size_t ticket_nonce_len)2826*62c56f98SSadaf Ebrahimi static int ssl_tls13_postprocess_new_session_ticket(mbedtls_ssl_context *ssl,
2827*62c56f98SSadaf Ebrahimi unsigned char *ticket_nonce,
2828*62c56f98SSadaf Ebrahimi size_t ticket_nonce_len)
2829*62c56f98SSadaf Ebrahimi {
2830*62c56f98SSadaf Ebrahimi int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2831*62c56f98SSadaf Ebrahimi mbedtls_ssl_session *session = ssl->session;
2832*62c56f98SSadaf Ebrahimi const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
2833*62c56f98SSadaf Ebrahimi psa_algorithm_t psa_hash_alg;
2834*62c56f98SSadaf Ebrahimi int hash_length;
2835*62c56f98SSadaf Ebrahimi
2836*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_HAVE_TIME)
2837*62c56f98SSadaf Ebrahimi /* Store ticket creation time */
2838*62c56f98SSadaf Ebrahimi session->ticket_received = mbedtls_time(NULL);
2839*62c56f98SSadaf Ebrahimi #endif
2840*62c56f98SSadaf Ebrahimi
2841*62c56f98SSadaf Ebrahimi ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(session->ciphersuite);
2842*62c56f98SSadaf Ebrahimi if (ciphersuite_info == NULL) {
2843*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
2844*62c56f98SSadaf Ebrahimi return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
2845*62c56f98SSadaf Ebrahimi }
2846*62c56f98SSadaf Ebrahimi
2847*62c56f98SSadaf Ebrahimi psa_hash_alg = mbedtls_md_psa_alg_from_type(ciphersuite_info->mac);
2848*62c56f98SSadaf Ebrahimi hash_length = PSA_HASH_LENGTH(psa_hash_alg);
2849*62c56f98SSadaf Ebrahimi if (hash_length == -1 ||
2850*62c56f98SSadaf Ebrahimi (size_t) hash_length > sizeof(session->resumption_key)) {
2851*62c56f98SSadaf Ebrahimi return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
2852*62c56f98SSadaf Ebrahimi }
2853*62c56f98SSadaf Ebrahimi
2854*62c56f98SSadaf Ebrahimi
2855*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_BUF(3, "resumption_master_secret",
2856*62c56f98SSadaf Ebrahimi session->app_secrets.resumption_master_secret,
2857*62c56f98SSadaf Ebrahimi hash_length);
2858*62c56f98SSadaf Ebrahimi
2859*62c56f98SSadaf Ebrahimi /* Compute resumption key
2860*62c56f98SSadaf Ebrahimi *
2861*62c56f98SSadaf Ebrahimi * HKDF-Expand-Label( resumption_master_secret,
2862*62c56f98SSadaf Ebrahimi * "resumption", ticket_nonce, Hash.length )
2863*62c56f98SSadaf Ebrahimi */
2864*62c56f98SSadaf Ebrahimi ret = mbedtls_ssl_tls13_hkdf_expand_label(
2865*62c56f98SSadaf Ebrahimi psa_hash_alg,
2866*62c56f98SSadaf Ebrahimi session->app_secrets.resumption_master_secret,
2867*62c56f98SSadaf Ebrahimi hash_length,
2868*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(resumption),
2869*62c56f98SSadaf Ebrahimi ticket_nonce,
2870*62c56f98SSadaf Ebrahimi ticket_nonce_len,
2871*62c56f98SSadaf Ebrahimi session->resumption_key,
2872*62c56f98SSadaf Ebrahimi hash_length);
2873*62c56f98SSadaf Ebrahimi
2874*62c56f98SSadaf Ebrahimi if (ret != 0) {
2875*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_RET(2,
2876*62c56f98SSadaf Ebrahimi "Creating the ticket-resumed PSK failed",
2877*62c56f98SSadaf Ebrahimi ret);
2878*62c56f98SSadaf Ebrahimi return ret;
2879*62c56f98SSadaf Ebrahimi }
2880*62c56f98SSadaf Ebrahimi
2881*62c56f98SSadaf Ebrahimi session->resumption_key_len = hash_length;
2882*62c56f98SSadaf Ebrahimi
2883*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_BUF(3, "Ticket-resumed PSK",
2884*62c56f98SSadaf Ebrahimi session->resumption_key,
2885*62c56f98SSadaf Ebrahimi session->resumption_key_len);
2886*62c56f98SSadaf Ebrahimi
2887*62c56f98SSadaf Ebrahimi /* Set ticket_flags depends on the selected key exchange modes */
2888*62c56f98SSadaf Ebrahimi mbedtls_ssl_session_set_ticket_flags(
2889*62c56f98SSadaf Ebrahimi session, ssl->conf->tls13_kex_modes);
2890*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_PRINT_TICKET_FLAGS(4, session->ticket_flags);
2891*62c56f98SSadaf Ebrahimi
2892*62c56f98SSadaf Ebrahimi return 0;
2893*62c56f98SSadaf Ebrahimi }
2894*62c56f98SSadaf Ebrahimi
2895*62c56f98SSadaf Ebrahimi /*
2896*62c56f98SSadaf Ebrahimi * Handler for MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET
2897*62c56f98SSadaf Ebrahimi */
2898*62c56f98SSadaf Ebrahimi MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_process_new_session_ticket(mbedtls_ssl_context * ssl)2899*62c56f98SSadaf Ebrahimi static int ssl_tls13_process_new_session_ticket(mbedtls_ssl_context *ssl)
2900*62c56f98SSadaf Ebrahimi {
2901*62c56f98SSadaf Ebrahimi int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2902*62c56f98SSadaf Ebrahimi unsigned char *buf;
2903*62c56f98SSadaf Ebrahimi size_t buf_len;
2904*62c56f98SSadaf Ebrahimi unsigned char *ticket_nonce;
2905*62c56f98SSadaf Ebrahimi size_t ticket_nonce_len;
2906*62c56f98SSadaf Ebrahimi
2907*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse new session ticket"));
2908*62c56f98SSadaf Ebrahimi
2909*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_tls13_fetch_handshake_msg(
2910*62c56f98SSadaf Ebrahimi ssl, MBEDTLS_SSL_HS_NEW_SESSION_TICKET,
2911*62c56f98SSadaf Ebrahimi &buf, &buf_len));
2912*62c56f98SSadaf Ebrahimi
2913*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_PROC_CHK(ssl_tls13_parse_new_session_ticket(
2914*62c56f98SSadaf Ebrahimi ssl, buf, buf + buf_len,
2915*62c56f98SSadaf Ebrahimi &ticket_nonce, &ticket_nonce_len));
2916*62c56f98SSadaf Ebrahimi
2917*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_PROC_CHK(ssl_tls13_postprocess_new_session_ticket(
2918*62c56f98SSadaf Ebrahimi ssl, ticket_nonce, ticket_nonce_len));
2919*62c56f98SSadaf Ebrahimi
2920*62c56f98SSadaf Ebrahimi mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_OVER);
2921*62c56f98SSadaf Ebrahimi
2922*62c56f98SSadaf Ebrahimi cleanup:
2923*62c56f98SSadaf Ebrahimi
2924*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse new session ticket"));
2925*62c56f98SSadaf Ebrahimi return ret;
2926*62c56f98SSadaf Ebrahimi }
2927*62c56f98SSadaf Ebrahimi #endif /* MBEDTLS_SSL_SESSION_TICKETS */
2928*62c56f98SSadaf Ebrahimi
mbedtls_ssl_tls13_handshake_client_step(mbedtls_ssl_context * ssl)2929*62c56f98SSadaf Ebrahimi int mbedtls_ssl_tls13_handshake_client_step(mbedtls_ssl_context *ssl)
2930*62c56f98SSadaf Ebrahimi {
2931*62c56f98SSadaf Ebrahimi int ret = 0;
2932*62c56f98SSadaf Ebrahimi
2933*62c56f98SSadaf Ebrahimi switch (ssl->state) {
2934*62c56f98SSadaf Ebrahimi case MBEDTLS_SSL_HELLO_REQUEST:
2935*62c56f98SSadaf Ebrahimi mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_HELLO);
2936*62c56f98SSadaf Ebrahimi break;
2937*62c56f98SSadaf Ebrahimi
2938*62c56f98SSadaf Ebrahimi case MBEDTLS_SSL_CLIENT_HELLO:
2939*62c56f98SSadaf Ebrahimi ret = mbedtls_ssl_write_client_hello(ssl);
2940*62c56f98SSadaf Ebrahimi break;
2941*62c56f98SSadaf Ebrahimi
2942*62c56f98SSadaf Ebrahimi case MBEDTLS_SSL_SERVER_HELLO:
2943*62c56f98SSadaf Ebrahimi ret = ssl_tls13_process_server_hello(ssl);
2944*62c56f98SSadaf Ebrahimi break;
2945*62c56f98SSadaf Ebrahimi
2946*62c56f98SSadaf Ebrahimi case MBEDTLS_SSL_ENCRYPTED_EXTENSIONS:
2947*62c56f98SSadaf Ebrahimi ret = ssl_tls13_process_encrypted_extensions(ssl);
2948*62c56f98SSadaf Ebrahimi break;
2949*62c56f98SSadaf Ebrahimi
2950*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
2951*62c56f98SSadaf Ebrahimi case MBEDTLS_SSL_CERTIFICATE_REQUEST:
2952*62c56f98SSadaf Ebrahimi ret = ssl_tls13_process_certificate_request(ssl);
2953*62c56f98SSadaf Ebrahimi break;
2954*62c56f98SSadaf Ebrahimi
2955*62c56f98SSadaf Ebrahimi case MBEDTLS_SSL_SERVER_CERTIFICATE:
2956*62c56f98SSadaf Ebrahimi ret = ssl_tls13_process_server_certificate(ssl);
2957*62c56f98SSadaf Ebrahimi break;
2958*62c56f98SSadaf Ebrahimi
2959*62c56f98SSadaf Ebrahimi case MBEDTLS_SSL_CERTIFICATE_VERIFY:
2960*62c56f98SSadaf Ebrahimi ret = ssl_tls13_process_certificate_verify(ssl);
2961*62c56f98SSadaf Ebrahimi break;
2962*62c56f98SSadaf Ebrahimi #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
2963*62c56f98SSadaf Ebrahimi
2964*62c56f98SSadaf Ebrahimi case MBEDTLS_SSL_SERVER_FINISHED:
2965*62c56f98SSadaf Ebrahimi ret = ssl_tls13_process_server_finished(ssl);
2966*62c56f98SSadaf Ebrahimi break;
2967*62c56f98SSadaf Ebrahimi
2968*62c56f98SSadaf Ebrahimi case MBEDTLS_SSL_END_OF_EARLY_DATA:
2969*62c56f98SSadaf Ebrahimi ret = ssl_tls13_write_end_of_early_data(ssl);
2970*62c56f98SSadaf Ebrahimi break;
2971*62c56f98SSadaf Ebrahimi
2972*62c56f98SSadaf Ebrahimi case MBEDTLS_SSL_CLIENT_CERTIFICATE:
2973*62c56f98SSadaf Ebrahimi ret = ssl_tls13_write_client_certificate(ssl);
2974*62c56f98SSadaf Ebrahimi break;
2975*62c56f98SSadaf Ebrahimi
2976*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
2977*62c56f98SSadaf Ebrahimi case MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY:
2978*62c56f98SSadaf Ebrahimi ret = ssl_tls13_write_client_certificate_verify(ssl);
2979*62c56f98SSadaf Ebrahimi break;
2980*62c56f98SSadaf Ebrahimi #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
2981*62c56f98SSadaf Ebrahimi
2982*62c56f98SSadaf Ebrahimi case MBEDTLS_SSL_CLIENT_FINISHED:
2983*62c56f98SSadaf Ebrahimi ret = ssl_tls13_write_client_finished(ssl);
2984*62c56f98SSadaf Ebrahimi break;
2985*62c56f98SSadaf Ebrahimi
2986*62c56f98SSadaf Ebrahimi case MBEDTLS_SSL_FLUSH_BUFFERS:
2987*62c56f98SSadaf Ebrahimi ret = ssl_tls13_flush_buffers(ssl);
2988*62c56f98SSadaf Ebrahimi break;
2989*62c56f98SSadaf Ebrahimi
2990*62c56f98SSadaf Ebrahimi case MBEDTLS_SSL_HANDSHAKE_WRAPUP:
2991*62c56f98SSadaf Ebrahimi ret = ssl_tls13_handshake_wrapup(ssl);
2992*62c56f98SSadaf Ebrahimi break;
2993*62c56f98SSadaf Ebrahimi
2994*62c56f98SSadaf Ebrahimi /*
2995*62c56f98SSadaf Ebrahimi * Injection of dummy-CCS's for middlebox compatibility
2996*62c56f98SSadaf Ebrahimi */
2997*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
2998*62c56f98SSadaf Ebrahimi case MBEDTLS_SSL_CLIENT_CCS_BEFORE_2ND_CLIENT_HELLO:
2999*62c56f98SSadaf Ebrahimi ret = mbedtls_ssl_tls13_write_change_cipher_spec(ssl);
3000*62c56f98SSadaf Ebrahimi if (ret == 0) {
3001*62c56f98SSadaf Ebrahimi mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_HELLO);
3002*62c56f98SSadaf Ebrahimi }
3003*62c56f98SSadaf Ebrahimi break;
3004*62c56f98SSadaf Ebrahimi
3005*62c56f98SSadaf Ebrahimi case MBEDTLS_SSL_CLIENT_CCS_AFTER_SERVER_FINISHED:
3006*62c56f98SSadaf Ebrahimi ret = mbedtls_ssl_tls13_write_change_cipher_spec(ssl);
3007*62c56f98SSadaf Ebrahimi if (ret == 0) {
3008*62c56f98SSadaf Ebrahimi mbedtls_ssl_handshake_set_state(
3009*62c56f98SSadaf Ebrahimi ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE);
3010*62c56f98SSadaf Ebrahimi }
3011*62c56f98SSadaf Ebrahimi break;
3012*62c56f98SSadaf Ebrahimi
3013*62c56f98SSadaf Ebrahimi case MBEDTLS_SSL_CLIENT_CCS_AFTER_CLIENT_HELLO:
3014*62c56f98SSadaf Ebrahimi ret = mbedtls_ssl_tls13_write_change_cipher_spec(ssl);
3015*62c56f98SSadaf Ebrahimi if (ret == 0) {
3016*62c56f98SSadaf Ebrahimi mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_HELLO);
3017*62c56f98SSadaf Ebrahimi
3018*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_SSL_EARLY_DATA)
3019*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(
3020*62c56f98SSadaf Ebrahimi 1, ("Switch to early data keys for outbound traffic"));
3021*62c56f98SSadaf Ebrahimi mbedtls_ssl_set_outbound_transform(
3022*62c56f98SSadaf Ebrahimi ssl, ssl->handshake->transform_earlydata);
3023*62c56f98SSadaf Ebrahimi #endif
3024*62c56f98SSadaf Ebrahimi }
3025*62c56f98SSadaf Ebrahimi break;
3026*62c56f98SSadaf Ebrahimi #endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
3027*62c56f98SSadaf Ebrahimi
3028*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_SSL_SESSION_TICKETS)
3029*62c56f98SSadaf Ebrahimi case MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET:
3030*62c56f98SSadaf Ebrahimi ret = ssl_tls13_process_new_session_ticket(ssl);
3031*62c56f98SSadaf Ebrahimi if (ret != 0) {
3032*62c56f98SSadaf Ebrahimi break;
3033*62c56f98SSadaf Ebrahimi }
3034*62c56f98SSadaf Ebrahimi ret = MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET;
3035*62c56f98SSadaf Ebrahimi break;
3036*62c56f98SSadaf Ebrahimi #endif /* MBEDTLS_SSL_SESSION_TICKETS */
3037*62c56f98SSadaf Ebrahimi
3038*62c56f98SSadaf Ebrahimi default:
3039*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(1, ("invalid state %d", ssl->state));
3040*62c56f98SSadaf Ebrahimi return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3041*62c56f98SSadaf Ebrahimi }
3042*62c56f98SSadaf Ebrahimi
3043*62c56f98SSadaf Ebrahimi return ret;
3044*62c56f98SSadaf Ebrahimi }
3045*62c56f98SSadaf Ebrahimi
3046*62c56f98SSadaf Ebrahimi #endif /* MBEDTLS_SSL_CLI_C && MBEDTLS_SSL_PROTO_TLS1_3 */
3047