1*62c56f98SSadaf Ebrahimi /*
2*62c56f98SSadaf Ebrahimi * TLS 1.3 server-side functions
3*62c56f98SSadaf Ebrahimi *
4*62c56f98SSadaf Ebrahimi * Copyright The Mbed TLS Contributors
5*62c56f98SSadaf Ebrahimi * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
6*62c56f98SSadaf Ebrahimi */
7*62c56f98SSadaf Ebrahimi
8*62c56f98SSadaf Ebrahimi #include "common.h"
9*62c56f98SSadaf Ebrahimi
10*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
11*62c56f98SSadaf Ebrahimi
12*62c56f98SSadaf Ebrahimi #include "mbedtls/debug.h"
13*62c56f98SSadaf Ebrahimi #include "mbedtls/error.h"
14*62c56f98SSadaf Ebrahimi #include "mbedtls/platform.h"
15*62c56f98SSadaf Ebrahimi #include "mbedtls/constant_time.h"
16*62c56f98SSadaf Ebrahimi #include "mbedtls/oid.h"
17*62c56f98SSadaf Ebrahimi #include "md_psa.h"
18*62c56f98SSadaf Ebrahimi
19*62c56f98SSadaf Ebrahimi #include "ssl_misc.h"
20*62c56f98SSadaf Ebrahimi #include "ssl_tls13_keys.h"
21*62c56f98SSadaf Ebrahimi #include "ssl_debug_helpers.h"
22*62c56f98SSadaf Ebrahimi
23*62c56f98SSadaf Ebrahimi
ssl_tls13_validate_peer_ciphersuite(mbedtls_ssl_context * ssl,unsigned int cipher_suite)24*62c56f98SSadaf Ebrahimi static const mbedtls_ssl_ciphersuite_t *ssl_tls13_validate_peer_ciphersuite(
25*62c56f98SSadaf Ebrahimi mbedtls_ssl_context *ssl,
26*62c56f98SSadaf Ebrahimi unsigned int cipher_suite)
27*62c56f98SSadaf Ebrahimi {
28*62c56f98SSadaf Ebrahimi const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
29*62c56f98SSadaf Ebrahimi if (!mbedtls_ssl_tls13_cipher_suite_is_offered(ssl, cipher_suite)) {
30*62c56f98SSadaf Ebrahimi return NULL;
31*62c56f98SSadaf Ebrahimi }
32*62c56f98SSadaf Ebrahimi
33*62c56f98SSadaf Ebrahimi ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(cipher_suite);
34*62c56f98SSadaf Ebrahimi if ((mbedtls_ssl_validate_ciphersuite(ssl, ciphersuite_info,
35*62c56f98SSadaf Ebrahimi ssl->tls_version,
36*62c56f98SSadaf Ebrahimi ssl->tls_version) != 0)) {
37*62c56f98SSadaf Ebrahimi return NULL;
38*62c56f98SSadaf Ebrahimi }
39*62c56f98SSadaf Ebrahimi return ciphersuite_info;
40*62c56f98SSadaf Ebrahimi }
41*62c56f98SSadaf Ebrahimi
42*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
43*62c56f98SSadaf Ebrahimi /* From RFC 8446:
44*62c56f98SSadaf Ebrahimi *
45*62c56f98SSadaf Ebrahimi * enum { psk_ke(0), psk_dhe_ke(1), (255) } PskKeyExchangeMode;
46*62c56f98SSadaf Ebrahimi * struct {
47*62c56f98SSadaf Ebrahimi * PskKeyExchangeMode ke_modes<1..255>;
48*62c56f98SSadaf Ebrahimi * } PskKeyExchangeModes;
49*62c56f98SSadaf Ebrahimi */
50*62c56f98SSadaf Ebrahimi MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_parse_key_exchange_modes_ext(mbedtls_ssl_context * ssl,const unsigned char * buf,const unsigned char * end)51*62c56f98SSadaf Ebrahimi static int ssl_tls13_parse_key_exchange_modes_ext(mbedtls_ssl_context *ssl,
52*62c56f98SSadaf Ebrahimi const unsigned char *buf,
53*62c56f98SSadaf Ebrahimi const unsigned char *end)
54*62c56f98SSadaf Ebrahimi {
55*62c56f98SSadaf Ebrahimi const unsigned char *p = buf;
56*62c56f98SSadaf Ebrahimi size_t ke_modes_len;
57*62c56f98SSadaf Ebrahimi int ke_modes = 0;
58*62c56f98SSadaf Ebrahimi
59*62c56f98SSadaf Ebrahimi /* Read ke_modes length (1 Byte) */
60*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 1);
61*62c56f98SSadaf Ebrahimi ke_modes_len = *p++;
62*62c56f98SSadaf Ebrahimi /* Currently, there are only two PSK modes, so even without looking
63*62c56f98SSadaf Ebrahimi * at the content, something's wrong if the list has more than 2 items. */
64*62c56f98SSadaf Ebrahimi if (ke_modes_len > 2) {
65*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
66*62c56f98SSadaf Ebrahimi MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
67*62c56f98SSadaf Ebrahimi return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
68*62c56f98SSadaf Ebrahimi }
69*62c56f98SSadaf Ebrahimi
70*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, ke_modes_len);
71*62c56f98SSadaf Ebrahimi
72*62c56f98SSadaf Ebrahimi while (ke_modes_len-- != 0) {
73*62c56f98SSadaf Ebrahimi switch (*p++) {
74*62c56f98SSadaf Ebrahimi case MBEDTLS_SSL_TLS1_3_PSK_MODE_PURE:
75*62c56f98SSadaf Ebrahimi ke_modes |= MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK;
76*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(3, ("Found PSK KEX MODE"));
77*62c56f98SSadaf Ebrahimi break;
78*62c56f98SSadaf Ebrahimi case MBEDTLS_SSL_TLS1_3_PSK_MODE_ECDHE:
79*62c56f98SSadaf Ebrahimi ke_modes |= MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL;
80*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(3, ("Found PSK_EPHEMERAL KEX MODE"));
81*62c56f98SSadaf Ebrahimi break;
82*62c56f98SSadaf Ebrahimi default:
83*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
84*62c56f98SSadaf Ebrahimi MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
85*62c56f98SSadaf Ebrahimi return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
86*62c56f98SSadaf Ebrahimi }
87*62c56f98SSadaf Ebrahimi }
88*62c56f98SSadaf Ebrahimi
89*62c56f98SSadaf Ebrahimi ssl->handshake->tls13_kex_modes = ke_modes;
90*62c56f98SSadaf Ebrahimi return 0;
91*62c56f98SSadaf Ebrahimi }
92*62c56f98SSadaf Ebrahimi
93*62c56f98SSadaf Ebrahimi #define SSL_TLS1_3_OFFERED_PSK_NOT_MATCH 1
94*62c56f98SSadaf Ebrahimi #define SSL_TLS1_3_OFFERED_PSK_MATCH 0
95*62c56f98SSadaf Ebrahimi
96*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_SSL_SESSION_TICKETS)
97*62c56f98SSadaf Ebrahimi
98*62c56f98SSadaf Ebrahimi MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_offered_psks_check_identity_match_ticket(mbedtls_ssl_context * ssl,const unsigned char * identity,size_t identity_len,uint32_t obfuscated_ticket_age,mbedtls_ssl_session * session)99*62c56f98SSadaf Ebrahimi static int ssl_tls13_offered_psks_check_identity_match_ticket(
100*62c56f98SSadaf Ebrahimi mbedtls_ssl_context *ssl,
101*62c56f98SSadaf Ebrahimi const unsigned char *identity,
102*62c56f98SSadaf Ebrahimi size_t identity_len,
103*62c56f98SSadaf Ebrahimi uint32_t obfuscated_ticket_age,
104*62c56f98SSadaf Ebrahimi mbedtls_ssl_session *session)
105*62c56f98SSadaf Ebrahimi {
106*62c56f98SSadaf Ebrahimi int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
107*62c56f98SSadaf Ebrahimi unsigned char *ticket_buffer;
108*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_HAVE_TIME)
109*62c56f98SSadaf Ebrahimi mbedtls_time_t now;
110*62c56f98SSadaf Ebrahimi uint64_t age_in_s;
111*62c56f98SSadaf Ebrahimi int64_t age_diff_in_ms;
112*62c56f98SSadaf Ebrahimi #endif
113*62c56f98SSadaf Ebrahimi
114*62c56f98SSadaf Ebrahimi ((void) obfuscated_ticket_age);
115*62c56f98SSadaf Ebrahimi
116*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(2, ("=> check_identity_match_ticket"));
117*62c56f98SSadaf Ebrahimi
118*62c56f98SSadaf Ebrahimi /* Ticket parser is not configured, Skip */
119*62c56f98SSadaf Ebrahimi if (ssl->conf->f_ticket_parse == NULL || identity_len == 0) {
120*62c56f98SSadaf Ebrahimi return 0;
121*62c56f98SSadaf Ebrahimi }
122*62c56f98SSadaf Ebrahimi
123*62c56f98SSadaf Ebrahimi /* We create a copy of the encrypted ticket since the ticket parsing
124*62c56f98SSadaf Ebrahimi * function is allowed to use its input buffer as an output buffer
125*62c56f98SSadaf Ebrahimi * (in-place decryption). We do, however, need the original buffer for
126*62c56f98SSadaf Ebrahimi * computing the PSK binder value.
127*62c56f98SSadaf Ebrahimi */
128*62c56f98SSadaf Ebrahimi ticket_buffer = mbedtls_calloc(1, identity_len);
129*62c56f98SSadaf Ebrahimi if (ticket_buffer == NULL) {
130*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(1, ("buffer too small"));
131*62c56f98SSadaf Ebrahimi return MBEDTLS_ERR_SSL_ALLOC_FAILED;
132*62c56f98SSadaf Ebrahimi }
133*62c56f98SSadaf Ebrahimi memcpy(ticket_buffer, identity, identity_len);
134*62c56f98SSadaf Ebrahimi
135*62c56f98SSadaf Ebrahimi if ((ret = ssl->conf->f_ticket_parse(ssl->conf->p_ticket,
136*62c56f98SSadaf Ebrahimi session,
137*62c56f98SSadaf Ebrahimi ticket_buffer, identity_len)) != 0) {
138*62c56f98SSadaf Ebrahimi if (ret == MBEDTLS_ERR_SSL_INVALID_MAC) {
139*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(3, ("ticket is not authentic"));
140*62c56f98SSadaf Ebrahimi } else if (ret == MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED) {
141*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(3, ("ticket is expired"));
142*62c56f98SSadaf Ebrahimi } else {
143*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_RET(1, "ticket_parse", ret);
144*62c56f98SSadaf Ebrahimi }
145*62c56f98SSadaf Ebrahimi }
146*62c56f98SSadaf Ebrahimi
147*62c56f98SSadaf Ebrahimi /* We delete the temporary buffer */
148*62c56f98SSadaf Ebrahimi mbedtls_free(ticket_buffer);
149*62c56f98SSadaf Ebrahimi
150*62c56f98SSadaf Ebrahimi if (ret != 0) {
151*62c56f98SSadaf Ebrahimi goto exit;
152*62c56f98SSadaf Ebrahimi }
153*62c56f98SSadaf Ebrahimi
154*62c56f98SSadaf Ebrahimi /* RFC 8446 section 4.2.9
155*62c56f98SSadaf Ebrahimi *
156*62c56f98SSadaf Ebrahimi * Servers SHOULD NOT send NewSessionTicket with tickets that are not
157*62c56f98SSadaf Ebrahimi * compatible with the advertised modes; however, if a server does so,
158*62c56f98SSadaf Ebrahimi * the impact will just be that the client's attempts at resumption fail.
159*62c56f98SSadaf Ebrahimi *
160*62c56f98SSadaf Ebrahimi * We regard the ticket with incompatible key exchange modes as not match.
161*62c56f98SSadaf Ebrahimi */
162*62c56f98SSadaf Ebrahimi ret = MBEDTLS_ERR_ERROR_GENERIC_ERROR;
163*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_PRINT_TICKET_FLAGS(4,
164*62c56f98SSadaf Ebrahimi session->ticket_flags);
165*62c56f98SSadaf Ebrahimi if (mbedtls_ssl_tls13_check_kex_modes(
166*62c56f98SSadaf Ebrahimi ssl,
167*62c56f98SSadaf Ebrahimi mbedtls_ssl_session_get_ticket_flags(
168*62c56f98SSadaf Ebrahimi session,
169*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL))) {
170*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(3, ("No suitable key exchange mode"));
171*62c56f98SSadaf Ebrahimi goto exit;
172*62c56f98SSadaf Ebrahimi }
173*62c56f98SSadaf Ebrahimi
174*62c56f98SSadaf Ebrahimi ret = MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED;
175*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_HAVE_TIME)
176*62c56f98SSadaf Ebrahimi now = mbedtls_time(NULL);
177*62c56f98SSadaf Ebrahimi
178*62c56f98SSadaf Ebrahimi if (now < session->start) {
179*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(
180*62c56f98SSadaf Ebrahimi 3, ("Invalid ticket start time ( now=%" MBEDTLS_PRINTF_LONGLONG
181*62c56f98SSadaf Ebrahimi ", start=%" MBEDTLS_PRINTF_LONGLONG " )",
182*62c56f98SSadaf Ebrahimi (long long) now, (long long) session->start));
183*62c56f98SSadaf Ebrahimi goto exit;
184*62c56f98SSadaf Ebrahimi }
185*62c56f98SSadaf Ebrahimi
186*62c56f98SSadaf Ebrahimi age_in_s = (uint64_t) (now - session->start);
187*62c56f98SSadaf Ebrahimi
188*62c56f98SSadaf Ebrahimi /* RFC 8446 section 4.6.1
189*62c56f98SSadaf Ebrahimi *
190*62c56f98SSadaf Ebrahimi * Servers MUST NOT use any value greater than 604800 seconds (7 days).
191*62c56f98SSadaf Ebrahimi *
192*62c56f98SSadaf Ebrahimi * RFC 8446 section 4.2.11.1
193*62c56f98SSadaf Ebrahimi *
194*62c56f98SSadaf Ebrahimi * Clients MUST NOT attempt to use tickets which have ages greater than
195*62c56f98SSadaf Ebrahimi * the "ticket_lifetime" value which was provided with the ticket.
196*62c56f98SSadaf Ebrahimi *
197*62c56f98SSadaf Ebrahimi * For time being, the age MUST be less than 604800 seconds (7 days).
198*62c56f98SSadaf Ebrahimi */
199*62c56f98SSadaf Ebrahimi if (age_in_s > 604800) {
200*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(
201*62c56f98SSadaf Ebrahimi 3, ("Ticket age exceeds limitation ticket_age=%lu",
202*62c56f98SSadaf Ebrahimi (long unsigned int) age_in_s));
203*62c56f98SSadaf Ebrahimi goto exit;
204*62c56f98SSadaf Ebrahimi }
205*62c56f98SSadaf Ebrahimi
206*62c56f98SSadaf Ebrahimi /* RFC 8446 section 4.2.10
207*62c56f98SSadaf Ebrahimi *
208*62c56f98SSadaf Ebrahimi * For PSKs provisioned via NewSessionTicket, a server MUST validate that
209*62c56f98SSadaf Ebrahimi * the ticket age for the selected PSK identity (computed by subtracting
210*62c56f98SSadaf Ebrahimi * ticket_age_add from PskIdentity.obfuscated_ticket_age modulo 2^32) is
211*62c56f98SSadaf Ebrahimi * within a small tolerance of the time since the ticket was issued.
212*62c56f98SSadaf Ebrahimi *
213*62c56f98SSadaf Ebrahimi * NOTE: When `now == session->start`, `age_diff_in_ms` may be negative
214*62c56f98SSadaf Ebrahimi * as the age units are different on the server (s) and in the
215*62c56f98SSadaf Ebrahimi * client (ms) side. Add a -1000 ms tolerance window to take this
216*62c56f98SSadaf Ebrahimi * into account.
217*62c56f98SSadaf Ebrahimi */
218*62c56f98SSadaf Ebrahimi age_diff_in_ms = age_in_s * 1000;
219*62c56f98SSadaf Ebrahimi age_diff_in_ms -= (obfuscated_ticket_age - session->ticket_age_add);
220*62c56f98SSadaf Ebrahimi if (age_diff_in_ms <= -1000 ||
221*62c56f98SSadaf Ebrahimi age_diff_in_ms > MBEDTLS_SSL_TLS1_3_TICKET_AGE_TOLERANCE) {
222*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(
223*62c56f98SSadaf Ebrahimi 3, ("Ticket age outside tolerance window ( diff=%d )",
224*62c56f98SSadaf Ebrahimi (int) age_diff_in_ms));
225*62c56f98SSadaf Ebrahimi goto exit;
226*62c56f98SSadaf Ebrahimi }
227*62c56f98SSadaf Ebrahimi
228*62c56f98SSadaf Ebrahimi ret = 0;
229*62c56f98SSadaf Ebrahimi
230*62c56f98SSadaf Ebrahimi #endif /* MBEDTLS_HAVE_TIME */
231*62c56f98SSadaf Ebrahimi
232*62c56f98SSadaf Ebrahimi exit:
233*62c56f98SSadaf Ebrahimi if (ret != 0) {
234*62c56f98SSadaf Ebrahimi mbedtls_ssl_session_free(session);
235*62c56f98SSadaf Ebrahimi }
236*62c56f98SSadaf Ebrahimi
237*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(2, ("<= check_identity_match_ticket"));
238*62c56f98SSadaf Ebrahimi return ret;
239*62c56f98SSadaf Ebrahimi }
240*62c56f98SSadaf Ebrahimi #endif /* MBEDTLS_SSL_SESSION_TICKETS */
241*62c56f98SSadaf Ebrahimi
242*62c56f98SSadaf Ebrahimi MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_offered_psks_check_identity_match(mbedtls_ssl_context * ssl,const unsigned char * identity,size_t identity_len,uint32_t obfuscated_ticket_age,int * psk_type,mbedtls_ssl_session * session)243*62c56f98SSadaf Ebrahimi static int ssl_tls13_offered_psks_check_identity_match(
244*62c56f98SSadaf Ebrahimi mbedtls_ssl_context *ssl,
245*62c56f98SSadaf Ebrahimi const unsigned char *identity,
246*62c56f98SSadaf Ebrahimi size_t identity_len,
247*62c56f98SSadaf Ebrahimi uint32_t obfuscated_ticket_age,
248*62c56f98SSadaf Ebrahimi int *psk_type,
249*62c56f98SSadaf Ebrahimi mbedtls_ssl_session *session)
250*62c56f98SSadaf Ebrahimi {
251*62c56f98SSadaf Ebrahimi int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
252*62c56f98SSadaf Ebrahimi
253*62c56f98SSadaf Ebrahimi ((void) session);
254*62c56f98SSadaf Ebrahimi ((void) obfuscated_ticket_age);
255*62c56f98SSadaf Ebrahimi *psk_type = MBEDTLS_SSL_TLS1_3_PSK_EXTERNAL;
256*62c56f98SSadaf Ebrahimi
257*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_BUF(4, "identity", identity, identity_len);
258*62c56f98SSadaf Ebrahimi ssl->handshake->resume = 0;
259*62c56f98SSadaf Ebrahimi
260*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_SSL_SESSION_TICKETS)
261*62c56f98SSadaf Ebrahimi if (ssl_tls13_offered_psks_check_identity_match_ticket(
262*62c56f98SSadaf Ebrahimi ssl, identity, identity_len, obfuscated_ticket_age,
263*62c56f98SSadaf Ebrahimi session) == SSL_TLS1_3_OFFERED_PSK_MATCH) {
264*62c56f98SSadaf Ebrahimi ssl->handshake->resume = 1;
265*62c56f98SSadaf Ebrahimi *psk_type = MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION;
266*62c56f98SSadaf Ebrahimi ret = mbedtls_ssl_set_hs_psk(ssl,
267*62c56f98SSadaf Ebrahimi session->resumption_key,
268*62c56f98SSadaf Ebrahimi session->resumption_key_len);
269*62c56f98SSadaf Ebrahimi if (ret != 0) {
270*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_set_hs_psk", ret);
271*62c56f98SSadaf Ebrahimi return ret;
272*62c56f98SSadaf Ebrahimi }
273*62c56f98SSadaf Ebrahimi
274*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_BUF(4, "Ticket-resumed PSK:",
275*62c56f98SSadaf Ebrahimi session->resumption_key,
276*62c56f98SSadaf Ebrahimi session->resumption_key_len);
277*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(4, ("ticket: obfuscated_ticket_age: %u",
278*62c56f98SSadaf Ebrahimi (unsigned) obfuscated_ticket_age));
279*62c56f98SSadaf Ebrahimi return SSL_TLS1_3_OFFERED_PSK_MATCH;
280*62c56f98SSadaf Ebrahimi }
281*62c56f98SSadaf Ebrahimi #endif /* MBEDTLS_SSL_SESSION_TICKETS */
282*62c56f98SSadaf Ebrahimi
283*62c56f98SSadaf Ebrahimi /* Check identity with external configured function */
284*62c56f98SSadaf Ebrahimi if (ssl->conf->f_psk != NULL) {
285*62c56f98SSadaf Ebrahimi if (ssl->conf->f_psk(
286*62c56f98SSadaf Ebrahimi ssl->conf->p_psk, ssl, identity, identity_len) == 0) {
287*62c56f98SSadaf Ebrahimi return SSL_TLS1_3_OFFERED_PSK_MATCH;
288*62c56f98SSadaf Ebrahimi }
289*62c56f98SSadaf Ebrahimi return SSL_TLS1_3_OFFERED_PSK_NOT_MATCH;
290*62c56f98SSadaf Ebrahimi }
291*62c56f98SSadaf Ebrahimi
292*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_BUF(5, "identity", identity, identity_len);
293*62c56f98SSadaf Ebrahimi /* Check identity with pre-configured psk */
294*62c56f98SSadaf Ebrahimi if (ssl->conf->psk_identity != NULL &&
295*62c56f98SSadaf Ebrahimi identity_len == ssl->conf->psk_identity_len &&
296*62c56f98SSadaf Ebrahimi mbedtls_ct_memcmp(ssl->conf->psk_identity,
297*62c56f98SSadaf Ebrahimi identity, identity_len) == 0) {
298*62c56f98SSadaf Ebrahimi ret = mbedtls_ssl_set_hs_psk(ssl, ssl->conf->psk, ssl->conf->psk_len);
299*62c56f98SSadaf Ebrahimi if (ret != 0) {
300*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_set_hs_psk", ret);
301*62c56f98SSadaf Ebrahimi return ret;
302*62c56f98SSadaf Ebrahimi }
303*62c56f98SSadaf Ebrahimi return SSL_TLS1_3_OFFERED_PSK_MATCH;
304*62c56f98SSadaf Ebrahimi }
305*62c56f98SSadaf Ebrahimi
306*62c56f98SSadaf Ebrahimi return SSL_TLS1_3_OFFERED_PSK_NOT_MATCH;
307*62c56f98SSadaf Ebrahimi }
308*62c56f98SSadaf Ebrahimi
309*62c56f98SSadaf Ebrahimi MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_offered_psks_check_binder_match(mbedtls_ssl_context * ssl,const unsigned char * binder,size_t binder_len,int psk_type,psa_algorithm_t psk_hash_alg)310*62c56f98SSadaf Ebrahimi static int ssl_tls13_offered_psks_check_binder_match(
311*62c56f98SSadaf Ebrahimi mbedtls_ssl_context *ssl,
312*62c56f98SSadaf Ebrahimi const unsigned char *binder, size_t binder_len,
313*62c56f98SSadaf Ebrahimi int psk_type, psa_algorithm_t psk_hash_alg)
314*62c56f98SSadaf Ebrahimi {
315*62c56f98SSadaf Ebrahimi int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
316*62c56f98SSadaf Ebrahimi
317*62c56f98SSadaf Ebrahimi unsigned char transcript[PSA_HASH_MAX_SIZE];
318*62c56f98SSadaf Ebrahimi size_t transcript_len;
319*62c56f98SSadaf Ebrahimi unsigned char *psk;
320*62c56f98SSadaf Ebrahimi size_t psk_len;
321*62c56f98SSadaf Ebrahimi unsigned char server_computed_binder[PSA_HASH_MAX_SIZE];
322*62c56f98SSadaf Ebrahimi
323*62c56f98SSadaf Ebrahimi /* Get current state of handshake transcript. */
324*62c56f98SSadaf Ebrahimi ret = mbedtls_ssl_get_handshake_transcript(
325*62c56f98SSadaf Ebrahimi ssl, mbedtls_md_type_from_psa_alg(psk_hash_alg),
326*62c56f98SSadaf Ebrahimi transcript, sizeof(transcript), &transcript_len);
327*62c56f98SSadaf Ebrahimi if (ret != 0) {
328*62c56f98SSadaf Ebrahimi return ret;
329*62c56f98SSadaf Ebrahimi }
330*62c56f98SSadaf Ebrahimi
331*62c56f98SSadaf Ebrahimi ret = mbedtls_ssl_tls13_export_handshake_psk(ssl, &psk, &psk_len);
332*62c56f98SSadaf Ebrahimi if (ret != 0) {
333*62c56f98SSadaf Ebrahimi return ret;
334*62c56f98SSadaf Ebrahimi }
335*62c56f98SSadaf Ebrahimi
336*62c56f98SSadaf Ebrahimi ret = mbedtls_ssl_tls13_create_psk_binder(ssl, psk_hash_alg,
337*62c56f98SSadaf Ebrahimi psk, psk_len, psk_type,
338*62c56f98SSadaf Ebrahimi transcript,
339*62c56f98SSadaf Ebrahimi server_computed_binder);
340*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_USE_PSA_CRYPTO)
341*62c56f98SSadaf Ebrahimi mbedtls_free((void *) psk);
342*62c56f98SSadaf Ebrahimi #endif
343*62c56f98SSadaf Ebrahimi if (ret != 0) {
344*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(1, ("PSK binder calculation failed."));
345*62c56f98SSadaf Ebrahimi return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
346*62c56f98SSadaf Ebrahimi }
347*62c56f98SSadaf Ebrahimi
348*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_BUF(3, "psk binder ( computed ): ",
349*62c56f98SSadaf Ebrahimi server_computed_binder, transcript_len);
350*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_BUF(3, "psk binder ( received ): ", binder, binder_len);
351*62c56f98SSadaf Ebrahimi
352*62c56f98SSadaf Ebrahimi if (mbedtls_ct_memcmp(server_computed_binder, binder, binder_len) == 0) {
353*62c56f98SSadaf Ebrahimi return SSL_TLS1_3_OFFERED_PSK_MATCH;
354*62c56f98SSadaf Ebrahimi }
355*62c56f98SSadaf Ebrahimi
356*62c56f98SSadaf Ebrahimi mbedtls_platform_zeroize(server_computed_binder,
357*62c56f98SSadaf Ebrahimi sizeof(server_computed_binder));
358*62c56f98SSadaf Ebrahimi return SSL_TLS1_3_OFFERED_PSK_NOT_MATCH;
359*62c56f98SSadaf Ebrahimi }
360*62c56f98SSadaf Ebrahimi
361*62c56f98SSadaf Ebrahimi MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_select_ciphersuite_for_psk(mbedtls_ssl_context * ssl,const unsigned char * cipher_suites,const unsigned char * cipher_suites_end,uint16_t * selected_ciphersuite,const mbedtls_ssl_ciphersuite_t ** selected_ciphersuite_info)362*62c56f98SSadaf Ebrahimi static int ssl_tls13_select_ciphersuite_for_psk(
363*62c56f98SSadaf Ebrahimi mbedtls_ssl_context *ssl,
364*62c56f98SSadaf Ebrahimi const unsigned char *cipher_suites,
365*62c56f98SSadaf Ebrahimi const unsigned char *cipher_suites_end,
366*62c56f98SSadaf Ebrahimi uint16_t *selected_ciphersuite,
367*62c56f98SSadaf Ebrahimi const mbedtls_ssl_ciphersuite_t **selected_ciphersuite_info)
368*62c56f98SSadaf Ebrahimi {
369*62c56f98SSadaf Ebrahimi psa_algorithm_t psk_hash_alg = PSA_ALG_SHA_256;
370*62c56f98SSadaf Ebrahimi
371*62c56f98SSadaf Ebrahimi *selected_ciphersuite = 0;
372*62c56f98SSadaf Ebrahimi *selected_ciphersuite_info = NULL;
373*62c56f98SSadaf Ebrahimi
374*62c56f98SSadaf Ebrahimi /* RFC 8446, page 55.
375*62c56f98SSadaf Ebrahimi *
376*62c56f98SSadaf Ebrahimi * For externally established PSKs, the Hash algorithm MUST be set when the
377*62c56f98SSadaf Ebrahimi * PSK is established or default to SHA-256 if no such algorithm is defined.
378*62c56f98SSadaf Ebrahimi *
379*62c56f98SSadaf Ebrahimi */
380*62c56f98SSadaf Ebrahimi
381*62c56f98SSadaf Ebrahimi /*
382*62c56f98SSadaf Ebrahimi * Search for a matching ciphersuite
383*62c56f98SSadaf Ebrahimi */
384*62c56f98SSadaf Ebrahimi for (const unsigned char *p = cipher_suites;
385*62c56f98SSadaf Ebrahimi p < cipher_suites_end; p += 2) {
386*62c56f98SSadaf Ebrahimi uint16_t cipher_suite;
387*62c56f98SSadaf Ebrahimi const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
388*62c56f98SSadaf Ebrahimi
389*62c56f98SSadaf Ebrahimi cipher_suite = MBEDTLS_GET_UINT16_BE(p, 0);
390*62c56f98SSadaf Ebrahimi ciphersuite_info = ssl_tls13_validate_peer_ciphersuite(ssl,
391*62c56f98SSadaf Ebrahimi cipher_suite);
392*62c56f98SSadaf Ebrahimi if (ciphersuite_info == NULL) {
393*62c56f98SSadaf Ebrahimi continue;
394*62c56f98SSadaf Ebrahimi }
395*62c56f98SSadaf Ebrahimi
396*62c56f98SSadaf Ebrahimi /* MAC of selected ciphersuite MUST be same with PSK binder if exist.
397*62c56f98SSadaf Ebrahimi * Otherwise, client should reject.
398*62c56f98SSadaf Ebrahimi */
399*62c56f98SSadaf Ebrahimi if (psk_hash_alg == mbedtls_md_psa_alg_from_type(ciphersuite_info->mac)) {
400*62c56f98SSadaf Ebrahimi *selected_ciphersuite = cipher_suite;
401*62c56f98SSadaf Ebrahimi *selected_ciphersuite_info = ciphersuite_info;
402*62c56f98SSadaf Ebrahimi return 0;
403*62c56f98SSadaf Ebrahimi }
404*62c56f98SSadaf Ebrahimi }
405*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(2, ("No matched ciphersuite"));
406*62c56f98SSadaf Ebrahimi return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
407*62c56f98SSadaf Ebrahimi }
408*62c56f98SSadaf Ebrahimi
409*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_SSL_SESSION_TICKETS)
410*62c56f98SSadaf Ebrahimi MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_select_ciphersuite_for_resumption(mbedtls_ssl_context * ssl,const unsigned char * cipher_suites,const unsigned char * cipher_suites_end,mbedtls_ssl_session * session,uint16_t * selected_ciphersuite,const mbedtls_ssl_ciphersuite_t ** selected_ciphersuite_info)411*62c56f98SSadaf Ebrahimi static int ssl_tls13_select_ciphersuite_for_resumption(
412*62c56f98SSadaf Ebrahimi mbedtls_ssl_context *ssl,
413*62c56f98SSadaf Ebrahimi const unsigned char *cipher_suites,
414*62c56f98SSadaf Ebrahimi const unsigned char *cipher_suites_end,
415*62c56f98SSadaf Ebrahimi mbedtls_ssl_session *session,
416*62c56f98SSadaf Ebrahimi uint16_t *selected_ciphersuite,
417*62c56f98SSadaf Ebrahimi const mbedtls_ssl_ciphersuite_t **selected_ciphersuite_info)
418*62c56f98SSadaf Ebrahimi {
419*62c56f98SSadaf Ebrahimi
420*62c56f98SSadaf Ebrahimi *selected_ciphersuite = 0;
421*62c56f98SSadaf Ebrahimi *selected_ciphersuite_info = NULL;
422*62c56f98SSadaf Ebrahimi for (const unsigned char *p = cipher_suites; p < cipher_suites_end; p += 2) {
423*62c56f98SSadaf Ebrahimi uint16_t cipher_suite = MBEDTLS_GET_UINT16_BE(p, 0);
424*62c56f98SSadaf Ebrahimi const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
425*62c56f98SSadaf Ebrahimi
426*62c56f98SSadaf Ebrahimi if (cipher_suite != session->ciphersuite) {
427*62c56f98SSadaf Ebrahimi continue;
428*62c56f98SSadaf Ebrahimi }
429*62c56f98SSadaf Ebrahimi
430*62c56f98SSadaf Ebrahimi ciphersuite_info = ssl_tls13_validate_peer_ciphersuite(ssl,
431*62c56f98SSadaf Ebrahimi cipher_suite);
432*62c56f98SSadaf Ebrahimi if (ciphersuite_info == NULL) {
433*62c56f98SSadaf Ebrahimi continue;
434*62c56f98SSadaf Ebrahimi }
435*62c56f98SSadaf Ebrahimi
436*62c56f98SSadaf Ebrahimi *selected_ciphersuite = cipher_suite;
437*62c56f98SSadaf Ebrahimi *selected_ciphersuite_info = ciphersuite_info;
438*62c56f98SSadaf Ebrahimi
439*62c56f98SSadaf Ebrahimi return 0;
440*62c56f98SSadaf Ebrahimi }
441*62c56f98SSadaf Ebrahimi
442*62c56f98SSadaf Ebrahimi return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
443*62c56f98SSadaf Ebrahimi }
444*62c56f98SSadaf Ebrahimi
445*62c56f98SSadaf Ebrahimi MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_session_copy_ticket(mbedtls_ssl_session * dst,const mbedtls_ssl_session * src)446*62c56f98SSadaf Ebrahimi static int ssl_tls13_session_copy_ticket(mbedtls_ssl_session *dst,
447*62c56f98SSadaf Ebrahimi const mbedtls_ssl_session *src)
448*62c56f98SSadaf Ebrahimi {
449*62c56f98SSadaf Ebrahimi dst->ticket_age_add = src->ticket_age_add;
450*62c56f98SSadaf Ebrahimi dst->ticket_flags = src->ticket_flags;
451*62c56f98SSadaf Ebrahimi dst->resumption_key_len = src->resumption_key_len;
452*62c56f98SSadaf Ebrahimi if (src->resumption_key_len == 0) {
453*62c56f98SSadaf Ebrahimi return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
454*62c56f98SSadaf Ebrahimi }
455*62c56f98SSadaf Ebrahimi memcpy(dst->resumption_key, src->resumption_key, src->resumption_key_len);
456*62c56f98SSadaf Ebrahimi
457*62c56f98SSadaf Ebrahimi return 0;
458*62c56f98SSadaf Ebrahimi }
459*62c56f98SSadaf Ebrahimi #endif /* MBEDTLS_SSL_SESSION_TICKETS */
460*62c56f98SSadaf Ebrahimi
461*62c56f98SSadaf Ebrahimi /* Parser for pre_shared_key extension in client hello
462*62c56f98SSadaf Ebrahimi * struct {
463*62c56f98SSadaf Ebrahimi * opaque identity<1..2^16-1>;
464*62c56f98SSadaf Ebrahimi * uint32 obfuscated_ticket_age;
465*62c56f98SSadaf Ebrahimi * } PskIdentity;
466*62c56f98SSadaf Ebrahimi *
467*62c56f98SSadaf Ebrahimi * opaque PskBinderEntry<32..255>;
468*62c56f98SSadaf Ebrahimi *
469*62c56f98SSadaf Ebrahimi * struct {
470*62c56f98SSadaf Ebrahimi * PskIdentity identities<7..2^16-1>;
471*62c56f98SSadaf Ebrahimi * PskBinderEntry binders<33..2^16-1>;
472*62c56f98SSadaf Ebrahimi * } OfferedPsks;
473*62c56f98SSadaf Ebrahimi *
474*62c56f98SSadaf Ebrahimi * struct {
475*62c56f98SSadaf Ebrahimi * select (Handshake.msg_type) {
476*62c56f98SSadaf Ebrahimi * case client_hello: OfferedPsks;
477*62c56f98SSadaf Ebrahimi * ....
478*62c56f98SSadaf Ebrahimi * };
479*62c56f98SSadaf Ebrahimi * } PreSharedKeyExtension;
480*62c56f98SSadaf Ebrahimi */
481*62c56f98SSadaf Ebrahimi MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_parse_pre_shared_key_ext(mbedtls_ssl_context * ssl,const unsigned char * pre_shared_key_ext,const unsigned char * pre_shared_key_ext_end,const unsigned char * ciphersuites,const unsigned char * ciphersuites_end)482*62c56f98SSadaf Ebrahimi static int ssl_tls13_parse_pre_shared_key_ext(
483*62c56f98SSadaf Ebrahimi mbedtls_ssl_context *ssl,
484*62c56f98SSadaf Ebrahimi const unsigned char *pre_shared_key_ext,
485*62c56f98SSadaf Ebrahimi const unsigned char *pre_shared_key_ext_end,
486*62c56f98SSadaf Ebrahimi const unsigned char *ciphersuites,
487*62c56f98SSadaf Ebrahimi const unsigned char *ciphersuites_end)
488*62c56f98SSadaf Ebrahimi {
489*62c56f98SSadaf Ebrahimi int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
490*62c56f98SSadaf Ebrahimi const unsigned char *identities = pre_shared_key_ext;
491*62c56f98SSadaf Ebrahimi const unsigned char *p_identity_len;
492*62c56f98SSadaf Ebrahimi size_t identities_len;
493*62c56f98SSadaf Ebrahimi const unsigned char *identities_end;
494*62c56f98SSadaf Ebrahimi const unsigned char *binders;
495*62c56f98SSadaf Ebrahimi const unsigned char *p_binder_len;
496*62c56f98SSadaf Ebrahimi size_t binders_len;
497*62c56f98SSadaf Ebrahimi const unsigned char *binders_end;
498*62c56f98SSadaf Ebrahimi int matched_identity = -1;
499*62c56f98SSadaf Ebrahimi int identity_id = -1;
500*62c56f98SSadaf Ebrahimi
501*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_BUF(3, "pre_shared_key extension",
502*62c56f98SSadaf Ebrahimi pre_shared_key_ext,
503*62c56f98SSadaf Ebrahimi pre_shared_key_ext_end - pre_shared_key_ext);
504*62c56f98SSadaf Ebrahimi
505*62c56f98SSadaf Ebrahimi /* identities_len 2 bytes
506*62c56f98SSadaf Ebrahimi * identities_data >= 7 bytes
507*62c56f98SSadaf Ebrahimi */
508*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_CHK_BUF_READ_PTR(identities, pre_shared_key_ext_end, 7 + 2);
509*62c56f98SSadaf Ebrahimi identities_len = MBEDTLS_GET_UINT16_BE(identities, 0);
510*62c56f98SSadaf Ebrahimi p_identity_len = identities + 2;
511*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_CHK_BUF_READ_PTR(p_identity_len, pre_shared_key_ext_end,
512*62c56f98SSadaf Ebrahimi identities_len);
513*62c56f98SSadaf Ebrahimi identities_end = p_identity_len + identities_len;
514*62c56f98SSadaf Ebrahimi
515*62c56f98SSadaf Ebrahimi /* binders_len 2 bytes
516*62c56f98SSadaf Ebrahimi * binders >= 33 bytes
517*62c56f98SSadaf Ebrahimi */
518*62c56f98SSadaf Ebrahimi binders = identities_end;
519*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_CHK_BUF_READ_PTR(binders, pre_shared_key_ext_end, 33 + 2);
520*62c56f98SSadaf Ebrahimi binders_len = MBEDTLS_GET_UINT16_BE(binders, 0);
521*62c56f98SSadaf Ebrahimi p_binder_len = binders + 2;
522*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_CHK_BUF_READ_PTR(p_binder_len, pre_shared_key_ext_end, binders_len);
523*62c56f98SSadaf Ebrahimi binders_end = p_binder_len + binders_len;
524*62c56f98SSadaf Ebrahimi
525*62c56f98SSadaf Ebrahimi ret = ssl->handshake->update_checksum(ssl, pre_shared_key_ext,
526*62c56f98SSadaf Ebrahimi identities_end - pre_shared_key_ext);
527*62c56f98SSadaf Ebrahimi if (0 != ret) {
528*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_RET(1, ("update_checksum"), ret);
529*62c56f98SSadaf Ebrahimi return ret;
530*62c56f98SSadaf Ebrahimi }
531*62c56f98SSadaf Ebrahimi
532*62c56f98SSadaf Ebrahimi while (p_identity_len < identities_end && p_binder_len < binders_end) {
533*62c56f98SSadaf Ebrahimi const unsigned char *identity;
534*62c56f98SSadaf Ebrahimi size_t identity_len;
535*62c56f98SSadaf Ebrahimi uint32_t obfuscated_ticket_age;
536*62c56f98SSadaf Ebrahimi const unsigned char *binder;
537*62c56f98SSadaf Ebrahimi size_t binder_len;
538*62c56f98SSadaf Ebrahimi int psk_type;
539*62c56f98SSadaf Ebrahimi uint16_t cipher_suite;
540*62c56f98SSadaf Ebrahimi const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
541*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_SSL_SESSION_TICKETS)
542*62c56f98SSadaf Ebrahimi mbedtls_ssl_session session;
543*62c56f98SSadaf Ebrahimi mbedtls_ssl_session_init(&session);
544*62c56f98SSadaf Ebrahimi #endif
545*62c56f98SSadaf Ebrahimi
546*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_CHK_BUF_READ_PTR(p_identity_len, identities_end, 2 + 1 + 4);
547*62c56f98SSadaf Ebrahimi identity_len = MBEDTLS_GET_UINT16_BE(p_identity_len, 0);
548*62c56f98SSadaf Ebrahimi identity = p_identity_len + 2;
549*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_CHK_BUF_READ_PTR(identity, identities_end, identity_len + 4);
550*62c56f98SSadaf Ebrahimi obfuscated_ticket_age = MBEDTLS_GET_UINT32_BE(identity, identity_len);
551*62c56f98SSadaf Ebrahimi p_identity_len += identity_len + 6;
552*62c56f98SSadaf Ebrahimi
553*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_CHK_BUF_READ_PTR(p_binder_len, binders_end, 1 + 32);
554*62c56f98SSadaf Ebrahimi binder_len = *p_binder_len;
555*62c56f98SSadaf Ebrahimi binder = p_binder_len + 1;
556*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_CHK_BUF_READ_PTR(binder, binders_end, binder_len);
557*62c56f98SSadaf Ebrahimi p_binder_len += binder_len + 1;
558*62c56f98SSadaf Ebrahimi
559*62c56f98SSadaf Ebrahimi identity_id++;
560*62c56f98SSadaf Ebrahimi if (matched_identity != -1) {
561*62c56f98SSadaf Ebrahimi continue;
562*62c56f98SSadaf Ebrahimi }
563*62c56f98SSadaf Ebrahimi
564*62c56f98SSadaf Ebrahimi ret = ssl_tls13_offered_psks_check_identity_match(
565*62c56f98SSadaf Ebrahimi ssl, identity, identity_len, obfuscated_ticket_age,
566*62c56f98SSadaf Ebrahimi &psk_type, &session);
567*62c56f98SSadaf Ebrahimi if (ret != SSL_TLS1_3_OFFERED_PSK_MATCH) {
568*62c56f98SSadaf Ebrahimi continue;
569*62c56f98SSadaf Ebrahimi }
570*62c56f98SSadaf Ebrahimi
571*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(4, ("found matched identity"));
572*62c56f98SSadaf Ebrahimi switch (psk_type) {
573*62c56f98SSadaf Ebrahimi case MBEDTLS_SSL_TLS1_3_PSK_EXTERNAL:
574*62c56f98SSadaf Ebrahimi ret = ssl_tls13_select_ciphersuite_for_psk(
575*62c56f98SSadaf Ebrahimi ssl, ciphersuites, ciphersuites_end,
576*62c56f98SSadaf Ebrahimi &cipher_suite, &ciphersuite_info);
577*62c56f98SSadaf Ebrahimi break;
578*62c56f98SSadaf Ebrahimi case MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION:
579*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_SSL_SESSION_TICKETS)
580*62c56f98SSadaf Ebrahimi ret = ssl_tls13_select_ciphersuite_for_resumption(
581*62c56f98SSadaf Ebrahimi ssl, ciphersuites, ciphersuites_end, &session,
582*62c56f98SSadaf Ebrahimi &cipher_suite, &ciphersuite_info);
583*62c56f98SSadaf Ebrahimi if (ret != 0) {
584*62c56f98SSadaf Ebrahimi mbedtls_ssl_session_free(&session);
585*62c56f98SSadaf Ebrahimi }
586*62c56f98SSadaf Ebrahimi #else
587*62c56f98SSadaf Ebrahimi ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
588*62c56f98SSadaf Ebrahimi #endif
589*62c56f98SSadaf Ebrahimi break;
590*62c56f98SSadaf Ebrahimi default:
591*62c56f98SSadaf Ebrahimi return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
592*62c56f98SSadaf Ebrahimi }
593*62c56f98SSadaf Ebrahimi if (ret != 0) {
594*62c56f98SSadaf Ebrahimi /* See below, no cipher_suite available, abort handshake */
595*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_PEND_FATAL_ALERT(
596*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR,
597*62c56f98SSadaf Ebrahimi MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE);
598*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_RET(
599*62c56f98SSadaf Ebrahimi 2, "ssl_tls13_select_ciphersuite", ret);
600*62c56f98SSadaf Ebrahimi return ret;
601*62c56f98SSadaf Ebrahimi }
602*62c56f98SSadaf Ebrahimi
603*62c56f98SSadaf Ebrahimi ret = ssl_tls13_offered_psks_check_binder_match(
604*62c56f98SSadaf Ebrahimi ssl, binder, binder_len, psk_type,
605*62c56f98SSadaf Ebrahimi mbedtls_md_psa_alg_from_type(ciphersuite_info->mac));
606*62c56f98SSadaf Ebrahimi if (ret != SSL_TLS1_3_OFFERED_PSK_MATCH) {
607*62c56f98SSadaf Ebrahimi /* For security reasons, the handshake should be aborted when we
608*62c56f98SSadaf Ebrahimi * fail to validate a binder value. See RFC 8446 section 4.2.11.2
609*62c56f98SSadaf Ebrahimi * and appendix E.6. */
610*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_SSL_SESSION_TICKETS)
611*62c56f98SSadaf Ebrahimi mbedtls_ssl_session_free(&session);
612*62c56f98SSadaf Ebrahimi #endif
613*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(3, ("Invalid binder."));
614*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_RET(
615*62c56f98SSadaf Ebrahimi 1, "ssl_tls13_offered_psks_check_binder_match", ret);
616*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_PEND_FATAL_ALERT(
617*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR,
618*62c56f98SSadaf Ebrahimi MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE);
619*62c56f98SSadaf Ebrahimi return ret;
620*62c56f98SSadaf Ebrahimi }
621*62c56f98SSadaf Ebrahimi
622*62c56f98SSadaf Ebrahimi matched_identity = identity_id;
623*62c56f98SSadaf Ebrahimi
624*62c56f98SSadaf Ebrahimi /* Update handshake parameters */
625*62c56f98SSadaf Ebrahimi ssl->handshake->ciphersuite_info = ciphersuite_info;
626*62c56f98SSadaf Ebrahimi ssl->session_negotiate->ciphersuite = cipher_suite;
627*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(2, ("overwrite ciphersuite: %04x - %s",
628*62c56f98SSadaf Ebrahimi cipher_suite, ciphersuite_info->name));
629*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_SSL_SESSION_TICKETS)
630*62c56f98SSadaf Ebrahimi if (psk_type == MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION) {
631*62c56f98SSadaf Ebrahimi ret = ssl_tls13_session_copy_ticket(ssl->session_negotiate,
632*62c56f98SSadaf Ebrahimi &session);
633*62c56f98SSadaf Ebrahimi mbedtls_ssl_session_free(&session);
634*62c56f98SSadaf Ebrahimi if (ret != 0) {
635*62c56f98SSadaf Ebrahimi return ret;
636*62c56f98SSadaf Ebrahimi }
637*62c56f98SSadaf Ebrahimi }
638*62c56f98SSadaf Ebrahimi #endif /* MBEDTLS_SSL_SESSION_TICKETS */
639*62c56f98SSadaf Ebrahimi }
640*62c56f98SSadaf Ebrahimi
641*62c56f98SSadaf Ebrahimi if (p_identity_len != identities_end || p_binder_len != binders_end) {
642*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(3, ("pre_shared_key extension decode error"));
643*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
644*62c56f98SSadaf Ebrahimi MBEDTLS_ERR_SSL_DECODE_ERROR);
645*62c56f98SSadaf Ebrahimi return MBEDTLS_ERR_SSL_DECODE_ERROR;
646*62c56f98SSadaf Ebrahimi }
647*62c56f98SSadaf Ebrahimi
648*62c56f98SSadaf Ebrahimi /* Update the handshake transcript with the binder list. */
649*62c56f98SSadaf Ebrahimi ret = ssl->handshake->update_checksum(
650*62c56f98SSadaf Ebrahimi ssl, identities_end, (size_t) (binders_end - identities_end));
651*62c56f98SSadaf Ebrahimi if (0 != ret) {
652*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_RET(1, ("update_checksum"), ret);
653*62c56f98SSadaf Ebrahimi return ret;
654*62c56f98SSadaf Ebrahimi }
655*62c56f98SSadaf Ebrahimi if (matched_identity == -1) {
656*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(3, ("No matched PSK or ticket."));
657*62c56f98SSadaf Ebrahimi return MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY;
658*62c56f98SSadaf Ebrahimi }
659*62c56f98SSadaf Ebrahimi
660*62c56f98SSadaf Ebrahimi ssl->handshake->selected_identity = (uint16_t) matched_identity;
661*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(3, ("Pre shared key found"));
662*62c56f98SSadaf Ebrahimi
663*62c56f98SSadaf Ebrahimi return 0;
664*62c56f98SSadaf Ebrahimi }
665*62c56f98SSadaf Ebrahimi
666*62c56f98SSadaf Ebrahimi /*
667*62c56f98SSadaf Ebrahimi * struct {
668*62c56f98SSadaf Ebrahimi * select ( Handshake.msg_type ) {
669*62c56f98SSadaf Ebrahimi * ....
670*62c56f98SSadaf Ebrahimi * case server_hello:
671*62c56f98SSadaf Ebrahimi * uint16 selected_identity;
672*62c56f98SSadaf Ebrahimi * }
673*62c56f98SSadaf Ebrahimi * } PreSharedKeyExtension;
674*62c56f98SSadaf Ebrahimi */
ssl_tls13_write_server_pre_shared_key_ext(mbedtls_ssl_context * ssl,unsigned char * buf,unsigned char * end,size_t * olen)675*62c56f98SSadaf Ebrahimi static int ssl_tls13_write_server_pre_shared_key_ext(mbedtls_ssl_context *ssl,
676*62c56f98SSadaf Ebrahimi unsigned char *buf,
677*62c56f98SSadaf Ebrahimi unsigned char *end,
678*62c56f98SSadaf Ebrahimi size_t *olen)
679*62c56f98SSadaf Ebrahimi {
680*62c56f98SSadaf Ebrahimi unsigned char *p = (unsigned char *) buf;
681*62c56f98SSadaf Ebrahimi
682*62c56f98SSadaf Ebrahimi *olen = 0;
683*62c56f98SSadaf Ebrahimi
684*62c56f98SSadaf Ebrahimi int not_using_psk = 0;
685*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_USE_PSA_CRYPTO)
686*62c56f98SSadaf Ebrahimi not_using_psk = (mbedtls_svc_key_id_is_null(ssl->handshake->psk_opaque));
687*62c56f98SSadaf Ebrahimi #else
688*62c56f98SSadaf Ebrahimi not_using_psk = (ssl->handshake->psk == NULL);
689*62c56f98SSadaf Ebrahimi #endif
690*62c56f98SSadaf Ebrahimi if (not_using_psk) {
691*62c56f98SSadaf Ebrahimi /* We shouldn't have called this extension writer unless we've
692*62c56f98SSadaf Ebrahimi * chosen to use a PSK. */
693*62c56f98SSadaf Ebrahimi return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
694*62c56f98SSadaf Ebrahimi }
695*62c56f98SSadaf Ebrahimi
696*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding pre_shared_key extension"));
697*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_CHK_BUF_PTR(p, end, 6);
698*62c56f98SSadaf Ebrahimi
699*62c56f98SSadaf Ebrahimi MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_PRE_SHARED_KEY, p, 0);
700*62c56f98SSadaf Ebrahimi MBEDTLS_PUT_UINT16_BE(2, p, 2);
701*62c56f98SSadaf Ebrahimi
702*62c56f98SSadaf Ebrahimi MBEDTLS_PUT_UINT16_BE(ssl->handshake->selected_identity, p, 4);
703*62c56f98SSadaf Ebrahimi
704*62c56f98SSadaf Ebrahimi *olen = 6;
705*62c56f98SSadaf Ebrahimi
706*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(4, ("sent selected_identity: %u",
707*62c56f98SSadaf Ebrahimi ssl->handshake->selected_identity));
708*62c56f98SSadaf Ebrahimi
709*62c56f98SSadaf Ebrahimi mbedtls_ssl_tls13_set_hs_sent_ext_mask(ssl, MBEDTLS_TLS_EXT_PRE_SHARED_KEY);
710*62c56f98SSadaf Ebrahimi
711*62c56f98SSadaf Ebrahimi return 0;
712*62c56f98SSadaf Ebrahimi }
713*62c56f98SSadaf Ebrahimi
714*62c56f98SSadaf Ebrahimi #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */
715*62c56f98SSadaf Ebrahimi
716*62c56f98SSadaf Ebrahimi /* From RFC 8446:
717*62c56f98SSadaf Ebrahimi * struct {
718*62c56f98SSadaf Ebrahimi * ProtocolVersion versions<2..254>;
719*62c56f98SSadaf Ebrahimi * } SupportedVersions;
720*62c56f98SSadaf Ebrahimi */
721*62c56f98SSadaf Ebrahimi MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_parse_supported_versions_ext(mbedtls_ssl_context * ssl,const unsigned char * buf,const unsigned char * end)722*62c56f98SSadaf Ebrahimi static int ssl_tls13_parse_supported_versions_ext(mbedtls_ssl_context *ssl,
723*62c56f98SSadaf Ebrahimi const unsigned char *buf,
724*62c56f98SSadaf Ebrahimi const unsigned char *end)
725*62c56f98SSadaf Ebrahimi {
726*62c56f98SSadaf Ebrahimi const unsigned char *p = buf;
727*62c56f98SSadaf Ebrahimi size_t versions_len;
728*62c56f98SSadaf Ebrahimi const unsigned char *versions_end;
729*62c56f98SSadaf Ebrahimi uint16_t tls_version;
730*62c56f98SSadaf Ebrahimi int found_supported_version = 0;
731*62c56f98SSadaf Ebrahimi
732*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 1);
733*62c56f98SSadaf Ebrahimi versions_len = p[0];
734*62c56f98SSadaf Ebrahimi p += 1;
735*62c56f98SSadaf Ebrahimi
736*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, versions_len);
737*62c56f98SSadaf Ebrahimi versions_end = p + versions_len;
738*62c56f98SSadaf Ebrahimi while (p < versions_end) {
739*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_CHK_BUF_READ_PTR(p, versions_end, 2);
740*62c56f98SSadaf Ebrahimi tls_version = mbedtls_ssl_read_version(p, ssl->conf->transport);
741*62c56f98SSadaf Ebrahimi p += 2;
742*62c56f98SSadaf Ebrahimi
743*62c56f98SSadaf Ebrahimi if (MBEDTLS_SSL_VERSION_TLS1_3 == tls_version) {
744*62c56f98SSadaf Ebrahimi found_supported_version = 1;
745*62c56f98SSadaf Ebrahimi break;
746*62c56f98SSadaf Ebrahimi }
747*62c56f98SSadaf Ebrahimi
748*62c56f98SSadaf Ebrahimi if ((MBEDTLS_SSL_VERSION_TLS1_2 == tls_version) &&
749*62c56f98SSadaf Ebrahimi mbedtls_ssl_conf_is_tls12_enabled(ssl->conf)) {
750*62c56f98SSadaf Ebrahimi found_supported_version = 1;
751*62c56f98SSadaf Ebrahimi break;
752*62c56f98SSadaf Ebrahimi }
753*62c56f98SSadaf Ebrahimi }
754*62c56f98SSadaf Ebrahimi
755*62c56f98SSadaf Ebrahimi if (!found_supported_version) {
756*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(1, ("No supported version found."));
757*62c56f98SSadaf Ebrahimi
758*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION,
759*62c56f98SSadaf Ebrahimi MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION);
760*62c56f98SSadaf Ebrahimi return MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION;
761*62c56f98SSadaf Ebrahimi }
762*62c56f98SSadaf Ebrahimi
763*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(1, ("Negotiated version: [%04x]",
764*62c56f98SSadaf Ebrahimi (unsigned int) tls_version));
765*62c56f98SSadaf Ebrahimi
766*62c56f98SSadaf Ebrahimi return (int) tls_version;
767*62c56f98SSadaf Ebrahimi }
768*62c56f98SSadaf Ebrahimi
769*62c56f98SSadaf Ebrahimi #if defined(PSA_WANT_ALG_ECDH) || defined(PSA_WANT_ALG_FFDH)
770*62c56f98SSadaf Ebrahimi /*
771*62c56f98SSadaf Ebrahimi *
772*62c56f98SSadaf Ebrahimi * From RFC 8446:
773*62c56f98SSadaf Ebrahimi * enum {
774*62c56f98SSadaf Ebrahimi * ... (0xFFFF)
775*62c56f98SSadaf Ebrahimi * } NamedGroup;
776*62c56f98SSadaf Ebrahimi * struct {
777*62c56f98SSadaf Ebrahimi * NamedGroup named_group_list<2..2^16-1>;
778*62c56f98SSadaf Ebrahimi * } NamedGroupList;
779*62c56f98SSadaf Ebrahimi */
780*62c56f98SSadaf Ebrahimi MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_parse_supported_groups_ext(mbedtls_ssl_context * ssl,const unsigned char * buf,const unsigned char * end)781*62c56f98SSadaf Ebrahimi static int ssl_tls13_parse_supported_groups_ext(mbedtls_ssl_context *ssl,
782*62c56f98SSadaf Ebrahimi const unsigned char *buf,
783*62c56f98SSadaf Ebrahimi const unsigned char *end)
784*62c56f98SSadaf Ebrahimi {
785*62c56f98SSadaf Ebrahimi const unsigned char *p = buf;
786*62c56f98SSadaf Ebrahimi size_t named_group_list_len;
787*62c56f98SSadaf Ebrahimi const unsigned char *named_group_list_end;
788*62c56f98SSadaf Ebrahimi
789*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_BUF(3, "supported_groups extension", p, end - buf);
790*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
791*62c56f98SSadaf Ebrahimi named_group_list_len = MBEDTLS_GET_UINT16_BE(p, 0);
792*62c56f98SSadaf Ebrahimi p += 2;
793*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, named_group_list_len);
794*62c56f98SSadaf Ebrahimi named_group_list_end = p + named_group_list_len;
795*62c56f98SSadaf Ebrahimi ssl->handshake->hrr_selected_group = 0;
796*62c56f98SSadaf Ebrahimi
797*62c56f98SSadaf Ebrahimi while (p < named_group_list_end) {
798*62c56f98SSadaf Ebrahimi uint16_t named_group;
799*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_CHK_BUF_READ_PTR(p, named_group_list_end, 2);
800*62c56f98SSadaf Ebrahimi named_group = MBEDTLS_GET_UINT16_BE(p, 0);
801*62c56f98SSadaf Ebrahimi p += 2;
802*62c56f98SSadaf Ebrahimi
803*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(2,
804*62c56f98SSadaf Ebrahimi ("got named group: %s(%04x)",
805*62c56f98SSadaf Ebrahimi mbedtls_ssl_named_group_to_str(named_group),
806*62c56f98SSadaf Ebrahimi named_group));
807*62c56f98SSadaf Ebrahimi
808*62c56f98SSadaf Ebrahimi if (!mbedtls_ssl_named_group_is_offered(ssl, named_group) ||
809*62c56f98SSadaf Ebrahimi !mbedtls_ssl_named_group_is_supported(named_group) ||
810*62c56f98SSadaf Ebrahimi ssl->handshake->hrr_selected_group != 0) {
811*62c56f98SSadaf Ebrahimi continue;
812*62c56f98SSadaf Ebrahimi }
813*62c56f98SSadaf Ebrahimi
814*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(2,
815*62c56f98SSadaf Ebrahimi ("add named group %s(%04x) into received list.",
816*62c56f98SSadaf Ebrahimi mbedtls_ssl_named_group_to_str(named_group),
817*62c56f98SSadaf Ebrahimi named_group));
818*62c56f98SSadaf Ebrahimi
819*62c56f98SSadaf Ebrahimi ssl->handshake->hrr_selected_group = named_group;
820*62c56f98SSadaf Ebrahimi }
821*62c56f98SSadaf Ebrahimi
822*62c56f98SSadaf Ebrahimi return 0;
823*62c56f98SSadaf Ebrahimi
824*62c56f98SSadaf Ebrahimi }
825*62c56f98SSadaf Ebrahimi #endif /* PSA_WANT_ALG_ECDH || PSA_WANT_ALG_FFDH */
826*62c56f98SSadaf Ebrahimi
827*62c56f98SSadaf Ebrahimi #define SSL_TLS1_3_PARSE_KEY_SHARES_EXT_NO_MATCH 1
828*62c56f98SSadaf Ebrahimi
829*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)
830*62c56f98SSadaf Ebrahimi /*
831*62c56f98SSadaf Ebrahimi * ssl_tls13_parse_key_shares_ext() verifies whether the information in the
832*62c56f98SSadaf Ebrahimi * extension is correct and stores the first acceptable key share and its
833*62c56f98SSadaf Ebrahimi * associated group.
834*62c56f98SSadaf Ebrahimi *
835*62c56f98SSadaf Ebrahimi * Possible return values are:
836*62c56f98SSadaf Ebrahimi * - 0: Successful processing of the client provided key share extension.
837*62c56f98SSadaf Ebrahimi * - SSL_TLS1_3_PARSE_KEY_SHARES_EXT_NO_MATCH: The key shares provided by
838*62c56f98SSadaf Ebrahimi * the client does not match a group supported by the server. A
839*62c56f98SSadaf Ebrahimi * HelloRetryRequest will be needed.
840*62c56f98SSadaf Ebrahimi * - A negative value for fatal errors.
841*62c56f98SSadaf Ebrahimi */
842*62c56f98SSadaf Ebrahimi MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_parse_key_shares_ext(mbedtls_ssl_context * ssl,const unsigned char * buf,const unsigned char * end)843*62c56f98SSadaf Ebrahimi static int ssl_tls13_parse_key_shares_ext(mbedtls_ssl_context *ssl,
844*62c56f98SSadaf Ebrahimi const unsigned char *buf,
845*62c56f98SSadaf Ebrahimi const unsigned char *end)
846*62c56f98SSadaf Ebrahimi {
847*62c56f98SSadaf Ebrahimi int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
848*62c56f98SSadaf Ebrahimi unsigned char const *p = buf;
849*62c56f98SSadaf Ebrahimi unsigned char const *client_shares_end;
850*62c56f98SSadaf Ebrahimi size_t client_shares_len;
851*62c56f98SSadaf Ebrahimi
852*62c56f98SSadaf Ebrahimi /* From RFC 8446:
853*62c56f98SSadaf Ebrahimi *
854*62c56f98SSadaf Ebrahimi * struct {
855*62c56f98SSadaf Ebrahimi * KeyShareEntry client_shares<0..2^16-1>;
856*62c56f98SSadaf Ebrahimi * } KeyShareClientHello;
857*62c56f98SSadaf Ebrahimi *
858*62c56f98SSadaf Ebrahimi */
859*62c56f98SSadaf Ebrahimi
860*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
861*62c56f98SSadaf Ebrahimi client_shares_len = MBEDTLS_GET_UINT16_BE(p, 0);
862*62c56f98SSadaf Ebrahimi p += 2;
863*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, client_shares_len);
864*62c56f98SSadaf Ebrahimi
865*62c56f98SSadaf Ebrahimi ssl->handshake->offered_group_id = 0;
866*62c56f98SSadaf Ebrahimi client_shares_end = p + client_shares_len;
867*62c56f98SSadaf Ebrahimi
868*62c56f98SSadaf Ebrahimi /* We try to find a suitable key share entry and copy it to the
869*62c56f98SSadaf Ebrahimi * handshake context. Later, we have to find out whether we can do
870*62c56f98SSadaf Ebrahimi * something with the provided key share or whether we have to
871*62c56f98SSadaf Ebrahimi * dismiss it and send a HelloRetryRequest message.
872*62c56f98SSadaf Ebrahimi */
873*62c56f98SSadaf Ebrahimi
874*62c56f98SSadaf Ebrahimi while (p < client_shares_end) {
875*62c56f98SSadaf Ebrahimi uint16_t group;
876*62c56f98SSadaf Ebrahimi size_t key_exchange_len;
877*62c56f98SSadaf Ebrahimi const unsigned char *key_exchange;
878*62c56f98SSadaf Ebrahimi
879*62c56f98SSadaf Ebrahimi /*
880*62c56f98SSadaf Ebrahimi * struct {
881*62c56f98SSadaf Ebrahimi * NamedGroup group;
882*62c56f98SSadaf Ebrahimi * opaque key_exchange<1..2^16-1>;
883*62c56f98SSadaf Ebrahimi * } KeyShareEntry;
884*62c56f98SSadaf Ebrahimi */
885*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_CHK_BUF_READ_PTR(p, client_shares_end, 4);
886*62c56f98SSadaf Ebrahimi group = MBEDTLS_GET_UINT16_BE(p, 0);
887*62c56f98SSadaf Ebrahimi key_exchange_len = MBEDTLS_GET_UINT16_BE(p, 2);
888*62c56f98SSadaf Ebrahimi p += 4;
889*62c56f98SSadaf Ebrahimi key_exchange = p;
890*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_CHK_BUF_READ_PTR(p, client_shares_end, key_exchange_len);
891*62c56f98SSadaf Ebrahimi p += key_exchange_len;
892*62c56f98SSadaf Ebrahimi
893*62c56f98SSadaf Ebrahimi /* Continue parsing even if we have already found a match,
894*62c56f98SSadaf Ebrahimi * for input validation purposes.
895*62c56f98SSadaf Ebrahimi */
896*62c56f98SSadaf Ebrahimi if (!mbedtls_ssl_named_group_is_offered(ssl, group) ||
897*62c56f98SSadaf Ebrahimi !mbedtls_ssl_named_group_is_supported(group) ||
898*62c56f98SSadaf Ebrahimi ssl->handshake->offered_group_id != 0) {
899*62c56f98SSadaf Ebrahimi continue;
900*62c56f98SSadaf Ebrahimi }
901*62c56f98SSadaf Ebrahimi
902*62c56f98SSadaf Ebrahimi /*
903*62c56f98SSadaf Ebrahimi * ECDHE and FFDHE groups are supported
904*62c56f98SSadaf Ebrahimi */
905*62c56f98SSadaf Ebrahimi if (mbedtls_ssl_tls13_named_group_is_ecdhe(group) ||
906*62c56f98SSadaf Ebrahimi mbedtls_ssl_tls13_named_group_is_ffdh(group)) {
907*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(2, ("ECDH/FFDH group: %s (%04x)",
908*62c56f98SSadaf Ebrahimi mbedtls_ssl_named_group_to_str(group),
909*62c56f98SSadaf Ebrahimi group));
910*62c56f98SSadaf Ebrahimi ret = mbedtls_ssl_tls13_read_public_xxdhe_share(
911*62c56f98SSadaf Ebrahimi ssl, key_exchange - 2, key_exchange_len + 2);
912*62c56f98SSadaf Ebrahimi if (ret != 0) {
913*62c56f98SSadaf Ebrahimi return ret;
914*62c56f98SSadaf Ebrahimi }
915*62c56f98SSadaf Ebrahimi
916*62c56f98SSadaf Ebrahimi } else {
917*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(4, ("Unrecognized NamedGroup %u",
918*62c56f98SSadaf Ebrahimi (unsigned) group));
919*62c56f98SSadaf Ebrahimi continue;
920*62c56f98SSadaf Ebrahimi }
921*62c56f98SSadaf Ebrahimi
922*62c56f98SSadaf Ebrahimi ssl->handshake->offered_group_id = group;
923*62c56f98SSadaf Ebrahimi }
924*62c56f98SSadaf Ebrahimi
925*62c56f98SSadaf Ebrahimi
926*62c56f98SSadaf Ebrahimi if (ssl->handshake->offered_group_id == 0) {
927*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(1, ("no matching key share"));
928*62c56f98SSadaf Ebrahimi return SSL_TLS1_3_PARSE_KEY_SHARES_EXT_NO_MATCH;
929*62c56f98SSadaf Ebrahimi }
930*62c56f98SSadaf Ebrahimi return 0;
931*62c56f98SSadaf Ebrahimi }
932*62c56f98SSadaf Ebrahimi #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED */
933*62c56f98SSadaf Ebrahimi
934*62c56f98SSadaf Ebrahimi MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_client_hello_has_exts(mbedtls_ssl_context * ssl,int exts_mask)935*62c56f98SSadaf Ebrahimi static int ssl_tls13_client_hello_has_exts(mbedtls_ssl_context *ssl,
936*62c56f98SSadaf Ebrahimi int exts_mask)
937*62c56f98SSadaf Ebrahimi {
938*62c56f98SSadaf Ebrahimi int masked = ssl->handshake->received_extensions & exts_mask;
939*62c56f98SSadaf Ebrahimi return masked == exts_mask;
940*62c56f98SSadaf Ebrahimi }
941*62c56f98SSadaf Ebrahimi
942*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
943*62c56f98SSadaf Ebrahimi MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_client_hello_has_exts_for_ephemeral_key_exchange(mbedtls_ssl_context * ssl)944*62c56f98SSadaf Ebrahimi static int ssl_tls13_client_hello_has_exts_for_ephemeral_key_exchange(
945*62c56f98SSadaf Ebrahimi mbedtls_ssl_context *ssl)
946*62c56f98SSadaf Ebrahimi {
947*62c56f98SSadaf Ebrahimi return ssl_tls13_client_hello_has_exts(
948*62c56f98SSadaf Ebrahimi ssl,
949*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_EXT_MASK(SUPPORTED_GROUPS) |
950*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_EXT_MASK(KEY_SHARE) |
951*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_EXT_MASK(SIG_ALG));
952*62c56f98SSadaf Ebrahimi }
953*62c56f98SSadaf Ebrahimi #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
954*62c56f98SSadaf Ebrahimi
955*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED)
956*62c56f98SSadaf Ebrahimi MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_client_hello_has_exts_for_psk_key_exchange(mbedtls_ssl_context * ssl)957*62c56f98SSadaf Ebrahimi static int ssl_tls13_client_hello_has_exts_for_psk_key_exchange(
958*62c56f98SSadaf Ebrahimi mbedtls_ssl_context *ssl)
959*62c56f98SSadaf Ebrahimi {
960*62c56f98SSadaf Ebrahimi return ssl_tls13_client_hello_has_exts(
961*62c56f98SSadaf Ebrahimi ssl,
962*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_EXT_MASK(PRE_SHARED_KEY) |
963*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_EXT_MASK(PSK_KEY_EXCHANGE_MODES));
964*62c56f98SSadaf Ebrahimi }
965*62c56f98SSadaf Ebrahimi #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED */
966*62c56f98SSadaf Ebrahimi
967*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED)
968*62c56f98SSadaf Ebrahimi MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_client_hello_has_exts_for_psk_ephemeral_key_exchange(mbedtls_ssl_context * ssl)969*62c56f98SSadaf Ebrahimi static int ssl_tls13_client_hello_has_exts_for_psk_ephemeral_key_exchange(
970*62c56f98SSadaf Ebrahimi mbedtls_ssl_context *ssl)
971*62c56f98SSadaf Ebrahimi {
972*62c56f98SSadaf Ebrahimi return ssl_tls13_client_hello_has_exts(
973*62c56f98SSadaf Ebrahimi ssl,
974*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_EXT_MASK(SUPPORTED_GROUPS) |
975*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_EXT_MASK(KEY_SHARE) |
976*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_EXT_MASK(PRE_SHARED_KEY) |
977*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_EXT_MASK(PSK_KEY_EXCHANGE_MODES));
978*62c56f98SSadaf Ebrahimi }
979*62c56f98SSadaf Ebrahimi #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED */
980*62c56f98SSadaf Ebrahimi
981*62c56f98SSadaf Ebrahimi MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_check_ephemeral_key_exchange(mbedtls_ssl_context * ssl)982*62c56f98SSadaf Ebrahimi static int ssl_tls13_check_ephemeral_key_exchange(mbedtls_ssl_context *ssl)
983*62c56f98SSadaf Ebrahimi {
984*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
985*62c56f98SSadaf Ebrahimi return mbedtls_ssl_conf_tls13_ephemeral_enabled(ssl) &&
986*62c56f98SSadaf Ebrahimi ssl_tls13_client_hello_has_exts_for_ephemeral_key_exchange(ssl);
987*62c56f98SSadaf Ebrahimi #else
988*62c56f98SSadaf Ebrahimi ((void) ssl);
989*62c56f98SSadaf Ebrahimi return 0;
990*62c56f98SSadaf Ebrahimi #endif
991*62c56f98SSadaf Ebrahimi }
992*62c56f98SSadaf Ebrahimi
993*62c56f98SSadaf Ebrahimi MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_check_psk_key_exchange(mbedtls_ssl_context * ssl)994*62c56f98SSadaf Ebrahimi static int ssl_tls13_check_psk_key_exchange(mbedtls_ssl_context *ssl)
995*62c56f98SSadaf Ebrahimi {
996*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED)
997*62c56f98SSadaf Ebrahimi return mbedtls_ssl_conf_tls13_psk_enabled(ssl) &&
998*62c56f98SSadaf Ebrahimi mbedtls_ssl_tls13_psk_enabled(ssl) &&
999*62c56f98SSadaf Ebrahimi ssl_tls13_client_hello_has_exts_for_psk_key_exchange(ssl);
1000*62c56f98SSadaf Ebrahimi #else
1001*62c56f98SSadaf Ebrahimi ((void) ssl);
1002*62c56f98SSadaf Ebrahimi return 0;
1003*62c56f98SSadaf Ebrahimi #endif
1004*62c56f98SSadaf Ebrahimi }
1005*62c56f98SSadaf Ebrahimi
1006*62c56f98SSadaf Ebrahimi MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_check_psk_ephemeral_key_exchange(mbedtls_ssl_context * ssl)1007*62c56f98SSadaf Ebrahimi static int ssl_tls13_check_psk_ephemeral_key_exchange(mbedtls_ssl_context *ssl)
1008*62c56f98SSadaf Ebrahimi {
1009*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED)
1010*62c56f98SSadaf Ebrahimi return mbedtls_ssl_conf_tls13_psk_ephemeral_enabled(ssl) &&
1011*62c56f98SSadaf Ebrahimi mbedtls_ssl_tls13_psk_ephemeral_enabled(ssl) &&
1012*62c56f98SSadaf Ebrahimi ssl_tls13_client_hello_has_exts_for_psk_ephemeral_key_exchange(ssl);
1013*62c56f98SSadaf Ebrahimi #else
1014*62c56f98SSadaf Ebrahimi ((void) ssl);
1015*62c56f98SSadaf Ebrahimi return 0;
1016*62c56f98SSadaf Ebrahimi #endif
1017*62c56f98SSadaf Ebrahimi }
1018*62c56f98SSadaf Ebrahimi
ssl_tls13_determine_key_exchange_mode(mbedtls_ssl_context * ssl)1019*62c56f98SSadaf Ebrahimi static int ssl_tls13_determine_key_exchange_mode(mbedtls_ssl_context *ssl)
1020*62c56f98SSadaf Ebrahimi {
1021*62c56f98SSadaf Ebrahimi /*
1022*62c56f98SSadaf Ebrahimi * Determine the key exchange algorithm to use.
1023*62c56f98SSadaf Ebrahimi * There are three types of key exchanges supported in TLS 1.3:
1024*62c56f98SSadaf Ebrahimi * - (EC)DH with ECDSA,
1025*62c56f98SSadaf Ebrahimi * - (EC)DH with PSK,
1026*62c56f98SSadaf Ebrahimi * - plain PSK.
1027*62c56f98SSadaf Ebrahimi *
1028*62c56f98SSadaf Ebrahimi * The PSK-based key exchanges may additionally be used with 0-RTT.
1029*62c56f98SSadaf Ebrahimi *
1030*62c56f98SSadaf Ebrahimi * Our built-in order of preference is
1031*62c56f98SSadaf Ebrahimi * 1 ) (EC)DHE-PSK Mode ( psk_ephemeral )
1032*62c56f98SSadaf Ebrahimi * 2 ) Certificate Mode ( ephemeral )
1033*62c56f98SSadaf Ebrahimi * 3 ) Plain PSK Mode ( psk )
1034*62c56f98SSadaf Ebrahimi */
1035*62c56f98SSadaf Ebrahimi
1036*62c56f98SSadaf Ebrahimi ssl->handshake->key_exchange_mode =
1037*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_NONE;
1038*62c56f98SSadaf Ebrahimi
1039*62c56f98SSadaf Ebrahimi if (ssl_tls13_check_psk_ephemeral_key_exchange(ssl)) {
1040*62c56f98SSadaf Ebrahimi ssl->handshake->key_exchange_mode =
1041*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL;
1042*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(2, ("key exchange mode: psk_ephemeral"));
1043*62c56f98SSadaf Ebrahimi } else
1044*62c56f98SSadaf Ebrahimi if (ssl_tls13_check_ephemeral_key_exchange(ssl)) {
1045*62c56f98SSadaf Ebrahimi ssl->handshake->key_exchange_mode =
1046*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL;
1047*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(2, ("key exchange mode: ephemeral"));
1048*62c56f98SSadaf Ebrahimi } else
1049*62c56f98SSadaf Ebrahimi if (ssl_tls13_check_psk_key_exchange(ssl)) {
1050*62c56f98SSadaf Ebrahimi ssl->handshake->key_exchange_mode =
1051*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK;
1052*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(2, ("key exchange mode: psk"));
1053*62c56f98SSadaf Ebrahimi } else {
1054*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(
1055*62c56f98SSadaf Ebrahimi 1,
1056*62c56f98SSadaf Ebrahimi ("ClientHello message misses mandatory extensions."));
1057*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_MISSING_EXTENSION,
1058*62c56f98SSadaf Ebrahimi MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
1059*62c56f98SSadaf Ebrahimi return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
1060*62c56f98SSadaf Ebrahimi }
1061*62c56f98SSadaf Ebrahimi
1062*62c56f98SSadaf Ebrahimi return 0;
1063*62c56f98SSadaf Ebrahimi
1064*62c56f98SSadaf Ebrahimi }
1065*62c56f98SSadaf Ebrahimi
1066*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_X509_CRT_PARSE_C) && \
1067*62c56f98SSadaf Ebrahimi defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
1068*62c56f98SSadaf Ebrahimi
1069*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_USE_PSA_CRYPTO)
ssl_tls13_iana_sig_alg_to_psa_alg(uint16_t sig_alg)1070*62c56f98SSadaf Ebrahimi static psa_algorithm_t ssl_tls13_iana_sig_alg_to_psa_alg(uint16_t sig_alg)
1071*62c56f98SSadaf Ebrahimi {
1072*62c56f98SSadaf Ebrahimi switch (sig_alg) {
1073*62c56f98SSadaf Ebrahimi case MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256:
1074*62c56f98SSadaf Ebrahimi return PSA_ALG_ECDSA(PSA_ALG_SHA_256);
1075*62c56f98SSadaf Ebrahimi case MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384:
1076*62c56f98SSadaf Ebrahimi return PSA_ALG_ECDSA(PSA_ALG_SHA_384);
1077*62c56f98SSadaf Ebrahimi case MBEDTLS_TLS1_3_SIG_ECDSA_SECP521R1_SHA512:
1078*62c56f98SSadaf Ebrahimi return PSA_ALG_ECDSA(PSA_ALG_SHA_512);
1079*62c56f98SSadaf Ebrahimi case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256:
1080*62c56f98SSadaf Ebrahimi return PSA_ALG_RSA_PSS(PSA_ALG_SHA_256);
1081*62c56f98SSadaf Ebrahimi case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384:
1082*62c56f98SSadaf Ebrahimi return PSA_ALG_RSA_PSS(PSA_ALG_SHA_384);
1083*62c56f98SSadaf Ebrahimi case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512:
1084*62c56f98SSadaf Ebrahimi return PSA_ALG_RSA_PSS(PSA_ALG_SHA_512);
1085*62c56f98SSadaf Ebrahimi case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256:
1086*62c56f98SSadaf Ebrahimi return PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256);
1087*62c56f98SSadaf Ebrahimi case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA384:
1088*62c56f98SSadaf Ebrahimi return PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_384);
1089*62c56f98SSadaf Ebrahimi case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA512:
1090*62c56f98SSadaf Ebrahimi return PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_512);
1091*62c56f98SSadaf Ebrahimi default:
1092*62c56f98SSadaf Ebrahimi return PSA_ALG_NONE;
1093*62c56f98SSadaf Ebrahimi }
1094*62c56f98SSadaf Ebrahimi }
1095*62c56f98SSadaf Ebrahimi #endif /* MBEDTLS_USE_PSA_CRYPTO */
1096*62c56f98SSadaf Ebrahimi
1097*62c56f98SSadaf Ebrahimi /*
1098*62c56f98SSadaf Ebrahimi * Pick best ( private key, certificate chain ) pair based on the signature
1099*62c56f98SSadaf Ebrahimi * algorithms supported by the client.
1100*62c56f98SSadaf Ebrahimi */
1101*62c56f98SSadaf Ebrahimi MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_pick_key_cert(mbedtls_ssl_context * ssl)1102*62c56f98SSadaf Ebrahimi static int ssl_tls13_pick_key_cert(mbedtls_ssl_context *ssl)
1103*62c56f98SSadaf Ebrahimi {
1104*62c56f98SSadaf Ebrahimi mbedtls_ssl_key_cert *key_cert, *key_cert_list;
1105*62c56f98SSadaf Ebrahimi const uint16_t *sig_alg = ssl->handshake->received_sig_algs;
1106*62c56f98SSadaf Ebrahimi
1107*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
1108*62c56f98SSadaf Ebrahimi if (ssl->handshake->sni_key_cert != NULL) {
1109*62c56f98SSadaf Ebrahimi key_cert_list = ssl->handshake->sni_key_cert;
1110*62c56f98SSadaf Ebrahimi } else
1111*62c56f98SSadaf Ebrahimi #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
1112*62c56f98SSadaf Ebrahimi key_cert_list = ssl->conf->key_cert;
1113*62c56f98SSadaf Ebrahimi
1114*62c56f98SSadaf Ebrahimi if (key_cert_list == NULL) {
1115*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(3, ("server has no certificate"));
1116*62c56f98SSadaf Ebrahimi return -1;
1117*62c56f98SSadaf Ebrahimi }
1118*62c56f98SSadaf Ebrahimi
1119*62c56f98SSadaf Ebrahimi for (; *sig_alg != MBEDTLS_TLS1_3_SIG_NONE; sig_alg++) {
1120*62c56f98SSadaf Ebrahimi if (!mbedtls_ssl_sig_alg_is_offered(ssl, *sig_alg)) {
1121*62c56f98SSadaf Ebrahimi continue;
1122*62c56f98SSadaf Ebrahimi }
1123*62c56f98SSadaf Ebrahimi
1124*62c56f98SSadaf Ebrahimi if (!mbedtls_ssl_tls13_sig_alg_for_cert_verify_is_supported(*sig_alg)) {
1125*62c56f98SSadaf Ebrahimi continue;
1126*62c56f98SSadaf Ebrahimi }
1127*62c56f98SSadaf Ebrahimi
1128*62c56f98SSadaf Ebrahimi for (key_cert = key_cert_list; key_cert != NULL;
1129*62c56f98SSadaf Ebrahimi key_cert = key_cert->next) {
1130*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_USE_PSA_CRYPTO)
1131*62c56f98SSadaf Ebrahimi psa_algorithm_t psa_alg = PSA_ALG_NONE;
1132*62c56f98SSadaf Ebrahimi #endif /* MBEDTLS_USE_PSA_CRYPTO */
1133*62c56f98SSadaf Ebrahimi
1134*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_CRT(3, "certificate (chain) candidate",
1135*62c56f98SSadaf Ebrahimi key_cert->cert);
1136*62c56f98SSadaf Ebrahimi
1137*62c56f98SSadaf Ebrahimi /*
1138*62c56f98SSadaf Ebrahimi * This avoids sending the client a cert it'll reject based on
1139*62c56f98SSadaf Ebrahimi * keyUsage or other extensions.
1140*62c56f98SSadaf Ebrahimi */
1141*62c56f98SSadaf Ebrahimi if (mbedtls_x509_crt_check_key_usage(
1142*62c56f98SSadaf Ebrahimi key_cert->cert, MBEDTLS_X509_KU_DIGITAL_SIGNATURE) != 0 ||
1143*62c56f98SSadaf Ebrahimi mbedtls_x509_crt_check_extended_key_usage(
1144*62c56f98SSadaf Ebrahimi key_cert->cert, MBEDTLS_OID_SERVER_AUTH,
1145*62c56f98SSadaf Ebrahimi MBEDTLS_OID_SIZE(MBEDTLS_OID_SERVER_AUTH)) != 0) {
1146*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(3, ("certificate mismatch: "
1147*62c56f98SSadaf Ebrahimi "(extended) key usage extension"));
1148*62c56f98SSadaf Ebrahimi continue;
1149*62c56f98SSadaf Ebrahimi }
1150*62c56f98SSadaf Ebrahimi
1151*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(3,
1152*62c56f98SSadaf Ebrahimi ("ssl_tls13_pick_key_cert:"
1153*62c56f98SSadaf Ebrahimi "check signature algorithm %s [%04x]",
1154*62c56f98SSadaf Ebrahimi mbedtls_ssl_sig_alg_to_str(*sig_alg),
1155*62c56f98SSadaf Ebrahimi *sig_alg));
1156*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_USE_PSA_CRYPTO)
1157*62c56f98SSadaf Ebrahimi psa_alg = ssl_tls13_iana_sig_alg_to_psa_alg(*sig_alg);
1158*62c56f98SSadaf Ebrahimi #endif /* MBEDTLS_USE_PSA_CRYPTO */
1159*62c56f98SSadaf Ebrahimi
1160*62c56f98SSadaf Ebrahimi if (mbedtls_ssl_tls13_check_sig_alg_cert_key_match(
1161*62c56f98SSadaf Ebrahimi *sig_alg, &key_cert->cert->pk)
1162*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_USE_PSA_CRYPTO)
1163*62c56f98SSadaf Ebrahimi && psa_alg != PSA_ALG_NONE &&
1164*62c56f98SSadaf Ebrahimi mbedtls_pk_can_do_ext(&key_cert->cert->pk, psa_alg,
1165*62c56f98SSadaf Ebrahimi PSA_KEY_USAGE_SIGN_HASH) == 1
1166*62c56f98SSadaf Ebrahimi #endif /* MBEDTLS_USE_PSA_CRYPTO */
1167*62c56f98SSadaf Ebrahimi ) {
1168*62c56f98SSadaf Ebrahimi ssl->handshake->key_cert = key_cert;
1169*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(3,
1170*62c56f98SSadaf Ebrahimi ("ssl_tls13_pick_key_cert:"
1171*62c56f98SSadaf Ebrahimi "selected signature algorithm"
1172*62c56f98SSadaf Ebrahimi " %s [%04x]",
1173*62c56f98SSadaf Ebrahimi mbedtls_ssl_sig_alg_to_str(*sig_alg),
1174*62c56f98SSadaf Ebrahimi *sig_alg));
1175*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_CRT(
1176*62c56f98SSadaf Ebrahimi 3, "selected certificate (chain)",
1177*62c56f98SSadaf Ebrahimi ssl->handshake->key_cert->cert);
1178*62c56f98SSadaf Ebrahimi return 0;
1179*62c56f98SSadaf Ebrahimi }
1180*62c56f98SSadaf Ebrahimi }
1181*62c56f98SSadaf Ebrahimi }
1182*62c56f98SSadaf Ebrahimi
1183*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(2, ("ssl_tls13_pick_key_cert:"
1184*62c56f98SSadaf Ebrahimi "no suitable certificate found"));
1185*62c56f98SSadaf Ebrahimi return -1;
1186*62c56f98SSadaf Ebrahimi }
1187*62c56f98SSadaf Ebrahimi #endif /* MBEDTLS_X509_CRT_PARSE_C &&
1188*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
1189*62c56f98SSadaf Ebrahimi
1190*62c56f98SSadaf Ebrahimi /*
1191*62c56f98SSadaf Ebrahimi *
1192*62c56f98SSadaf Ebrahimi * STATE HANDLING: ClientHello
1193*62c56f98SSadaf Ebrahimi *
1194*62c56f98SSadaf Ebrahimi * There are three possible classes of outcomes when parsing the ClientHello:
1195*62c56f98SSadaf Ebrahimi *
1196*62c56f98SSadaf Ebrahimi * 1) The ClientHello was well-formed and matched the server's configuration.
1197*62c56f98SSadaf Ebrahimi *
1198*62c56f98SSadaf Ebrahimi * In this case, the server progresses to sending its ServerHello.
1199*62c56f98SSadaf Ebrahimi *
1200*62c56f98SSadaf Ebrahimi * 2) The ClientHello was well-formed but didn't match the server's
1201*62c56f98SSadaf Ebrahimi * configuration.
1202*62c56f98SSadaf Ebrahimi *
1203*62c56f98SSadaf Ebrahimi * For example, the client might not have offered a key share which
1204*62c56f98SSadaf Ebrahimi * the server supports, or the server might require a cookie.
1205*62c56f98SSadaf Ebrahimi *
1206*62c56f98SSadaf Ebrahimi * In this case, the server sends a HelloRetryRequest.
1207*62c56f98SSadaf Ebrahimi *
1208*62c56f98SSadaf Ebrahimi * 3) The ClientHello was ill-formed
1209*62c56f98SSadaf Ebrahimi *
1210*62c56f98SSadaf Ebrahimi * In this case, we abort the handshake.
1211*62c56f98SSadaf Ebrahimi *
1212*62c56f98SSadaf Ebrahimi */
1213*62c56f98SSadaf Ebrahimi
1214*62c56f98SSadaf Ebrahimi /*
1215*62c56f98SSadaf Ebrahimi * Structure of this message:
1216*62c56f98SSadaf Ebrahimi *
1217*62c56f98SSadaf Ebrahimi * uint16 ProtocolVersion;
1218*62c56f98SSadaf Ebrahimi * opaque Random[32];
1219*62c56f98SSadaf Ebrahimi * uint8 CipherSuite[2]; // Cryptographic suite selector
1220*62c56f98SSadaf Ebrahimi *
1221*62c56f98SSadaf Ebrahimi * struct {
1222*62c56f98SSadaf Ebrahimi * ProtocolVersion legacy_version = 0x0303; // TLS v1.2
1223*62c56f98SSadaf Ebrahimi * Random random;
1224*62c56f98SSadaf Ebrahimi * opaque legacy_session_id<0..32>;
1225*62c56f98SSadaf Ebrahimi * CipherSuite cipher_suites<2..2^16-2>;
1226*62c56f98SSadaf Ebrahimi * opaque legacy_compression_methods<1..2^8-1>;
1227*62c56f98SSadaf Ebrahimi * Extension extensions<8..2^16-1>;
1228*62c56f98SSadaf Ebrahimi * } ClientHello;
1229*62c56f98SSadaf Ebrahimi */
1230*62c56f98SSadaf Ebrahimi
1231*62c56f98SSadaf Ebrahimi #define SSL_CLIENT_HELLO_OK 0
1232*62c56f98SSadaf Ebrahimi #define SSL_CLIENT_HELLO_HRR_REQUIRED 1
1233*62c56f98SSadaf Ebrahimi #define SSL_CLIENT_HELLO_TLS1_2 2
1234*62c56f98SSadaf Ebrahimi
1235*62c56f98SSadaf Ebrahimi MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_parse_client_hello(mbedtls_ssl_context * ssl,const unsigned char * buf,const unsigned char * end)1236*62c56f98SSadaf Ebrahimi static int ssl_tls13_parse_client_hello(mbedtls_ssl_context *ssl,
1237*62c56f98SSadaf Ebrahimi const unsigned char *buf,
1238*62c56f98SSadaf Ebrahimi const unsigned char *end)
1239*62c56f98SSadaf Ebrahimi {
1240*62c56f98SSadaf Ebrahimi int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1241*62c56f98SSadaf Ebrahimi const unsigned char *p = buf;
1242*62c56f98SSadaf Ebrahimi const unsigned char *random;
1243*62c56f98SSadaf Ebrahimi size_t legacy_session_id_len;
1244*62c56f98SSadaf Ebrahimi const unsigned char *legacy_session_id;
1245*62c56f98SSadaf Ebrahimi size_t cipher_suites_len;
1246*62c56f98SSadaf Ebrahimi const unsigned char *cipher_suites;
1247*62c56f98SSadaf Ebrahimi const unsigned char *cipher_suites_end;
1248*62c56f98SSadaf Ebrahimi size_t extensions_len;
1249*62c56f98SSadaf Ebrahimi const unsigned char *extensions_end;
1250*62c56f98SSadaf Ebrahimi const unsigned char *supported_versions_data;
1251*62c56f98SSadaf Ebrahimi const unsigned char *supported_versions_data_end;
1252*62c56f98SSadaf Ebrahimi mbedtls_ssl_handshake_params *handshake = ssl->handshake;
1253*62c56f98SSadaf Ebrahimi int hrr_required = 0;
1254*62c56f98SSadaf Ebrahimi int no_usable_share_for_key_agreement = 0;
1255*62c56f98SSadaf Ebrahimi
1256*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
1257*62c56f98SSadaf Ebrahimi const unsigned char *pre_shared_key_ext = NULL;
1258*62c56f98SSadaf Ebrahimi const unsigned char *pre_shared_key_ext_end = NULL;
1259*62c56f98SSadaf Ebrahimi #endif
1260*62c56f98SSadaf Ebrahimi
1261*62c56f98SSadaf Ebrahimi /*
1262*62c56f98SSadaf Ebrahimi * ClientHello layout:
1263*62c56f98SSadaf Ebrahimi * 0 . 1 protocol version
1264*62c56f98SSadaf Ebrahimi * 2 . 33 random bytes
1265*62c56f98SSadaf Ebrahimi * 34 . 34 session id length ( 1 byte )
1266*62c56f98SSadaf Ebrahimi * 35 . 34+x session id
1267*62c56f98SSadaf Ebrahimi * .. . .. ciphersuite list length ( 2 bytes )
1268*62c56f98SSadaf Ebrahimi * .. . .. ciphersuite list
1269*62c56f98SSadaf Ebrahimi * .. . .. compression alg. list length ( 1 byte )
1270*62c56f98SSadaf Ebrahimi * .. . .. compression alg. list
1271*62c56f98SSadaf Ebrahimi * .. . .. extensions length ( 2 bytes, optional )
1272*62c56f98SSadaf Ebrahimi * .. . .. extensions ( optional )
1273*62c56f98SSadaf Ebrahimi */
1274*62c56f98SSadaf Ebrahimi
1275*62c56f98SSadaf Ebrahimi /*
1276*62c56f98SSadaf Ebrahimi * Minimal length ( with everything empty and extensions omitted ) is
1277*62c56f98SSadaf Ebrahimi * 2 + 32 + 1 + 2 + 1 = 38 bytes. Check that first, so that we can
1278*62c56f98SSadaf Ebrahimi * read at least up to session id length without worrying.
1279*62c56f98SSadaf Ebrahimi */
1280*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 38);
1281*62c56f98SSadaf Ebrahimi
1282*62c56f98SSadaf Ebrahimi /* ...
1283*62c56f98SSadaf Ebrahimi * ProtocolVersion legacy_version = 0x0303; // TLS 1.2
1284*62c56f98SSadaf Ebrahimi * ...
1285*62c56f98SSadaf Ebrahimi * with ProtocolVersion defined as:
1286*62c56f98SSadaf Ebrahimi * uint16 ProtocolVersion;
1287*62c56f98SSadaf Ebrahimi */
1288*62c56f98SSadaf Ebrahimi if (mbedtls_ssl_read_version(p, ssl->conf->transport) !=
1289*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_VERSION_TLS1_2) {
1290*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(1, ("Unsupported version of TLS."));
1291*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION,
1292*62c56f98SSadaf Ebrahimi MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION);
1293*62c56f98SSadaf Ebrahimi return MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION;
1294*62c56f98SSadaf Ebrahimi }
1295*62c56f98SSadaf Ebrahimi p += 2;
1296*62c56f98SSadaf Ebrahimi
1297*62c56f98SSadaf Ebrahimi /* ...
1298*62c56f98SSadaf Ebrahimi * Random random;
1299*62c56f98SSadaf Ebrahimi * ...
1300*62c56f98SSadaf Ebrahimi * with Random defined as:
1301*62c56f98SSadaf Ebrahimi * opaque Random[32];
1302*62c56f98SSadaf Ebrahimi */
1303*62c56f98SSadaf Ebrahimi random = p;
1304*62c56f98SSadaf Ebrahimi p += MBEDTLS_CLIENT_HELLO_RANDOM_LEN;
1305*62c56f98SSadaf Ebrahimi
1306*62c56f98SSadaf Ebrahimi /* ...
1307*62c56f98SSadaf Ebrahimi * opaque legacy_session_id<0..32>;
1308*62c56f98SSadaf Ebrahimi * ...
1309*62c56f98SSadaf Ebrahimi */
1310*62c56f98SSadaf Ebrahimi legacy_session_id_len = *(p++);
1311*62c56f98SSadaf Ebrahimi legacy_session_id = p;
1312*62c56f98SSadaf Ebrahimi
1313*62c56f98SSadaf Ebrahimi /*
1314*62c56f98SSadaf Ebrahimi * Check we have enough data for the legacy session identifier
1315*62c56f98SSadaf Ebrahimi * and the ciphersuite list length.
1316*62c56f98SSadaf Ebrahimi */
1317*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, legacy_session_id_len + 2);
1318*62c56f98SSadaf Ebrahimi p += legacy_session_id_len;
1319*62c56f98SSadaf Ebrahimi
1320*62c56f98SSadaf Ebrahimi /* ...
1321*62c56f98SSadaf Ebrahimi * CipherSuite cipher_suites<2..2^16-2>;
1322*62c56f98SSadaf Ebrahimi * ...
1323*62c56f98SSadaf Ebrahimi * with CipherSuite defined as:
1324*62c56f98SSadaf Ebrahimi * uint8 CipherSuite[2];
1325*62c56f98SSadaf Ebrahimi */
1326*62c56f98SSadaf Ebrahimi cipher_suites_len = MBEDTLS_GET_UINT16_BE(p, 0);
1327*62c56f98SSadaf Ebrahimi p += 2;
1328*62c56f98SSadaf Ebrahimi cipher_suites = p;
1329*62c56f98SSadaf Ebrahimi
1330*62c56f98SSadaf Ebrahimi /*
1331*62c56f98SSadaf Ebrahimi * The length of the ciphersuite list has to be even.
1332*62c56f98SSadaf Ebrahimi */
1333*62c56f98SSadaf Ebrahimi if (cipher_suites_len & 1) {
1334*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
1335*62c56f98SSadaf Ebrahimi MBEDTLS_ERR_SSL_DECODE_ERROR);
1336*62c56f98SSadaf Ebrahimi return MBEDTLS_ERR_SSL_DECODE_ERROR;
1337*62c56f98SSadaf Ebrahimi }
1338*62c56f98SSadaf Ebrahimi
1339*62c56f98SSadaf Ebrahimi /* Check we have enough data for the ciphersuite list, the legacy
1340*62c56f98SSadaf Ebrahimi * compression methods and the length of the extensions.
1341*62c56f98SSadaf Ebrahimi *
1342*62c56f98SSadaf Ebrahimi * cipher_suites cipher_suites_len bytes
1343*62c56f98SSadaf Ebrahimi * legacy_compression_methods 2 bytes
1344*62c56f98SSadaf Ebrahimi * extensions_len 2 bytes
1345*62c56f98SSadaf Ebrahimi */
1346*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, cipher_suites_len + 2 + 2);
1347*62c56f98SSadaf Ebrahimi p += cipher_suites_len;
1348*62c56f98SSadaf Ebrahimi cipher_suites_end = p;
1349*62c56f98SSadaf Ebrahimi
1350*62c56f98SSadaf Ebrahimi /*
1351*62c56f98SSadaf Ebrahimi * Search for the supported versions extension and parse it to determine
1352*62c56f98SSadaf Ebrahimi * if the client supports TLS 1.3.
1353*62c56f98SSadaf Ebrahimi */
1354*62c56f98SSadaf Ebrahimi ret = mbedtls_ssl_tls13_is_supported_versions_ext_present_in_exts(
1355*62c56f98SSadaf Ebrahimi ssl, p + 2, end,
1356*62c56f98SSadaf Ebrahimi &supported_versions_data, &supported_versions_data_end);
1357*62c56f98SSadaf Ebrahimi if (ret < 0) {
1358*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_RET(1,
1359*62c56f98SSadaf Ebrahimi ("mbedtls_ssl_tls13_is_supported_versions_ext_present_in_exts"), ret);
1360*62c56f98SSadaf Ebrahimi return ret;
1361*62c56f98SSadaf Ebrahimi }
1362*62c56f98SSadaf Ebrahimi
1363*62c56f98SSadaf Ebrahimi if (ret == 0) {
1364*62c56f98SSadaf Ebrahimi return SSL_CLIENT_HELLO_TLS1_2;
1365*62c56f98SSadaf Ebrahimi }
1366*62c56f98SSadaf Ebrahimi
1367*62c56f98SSadaf Ebrahimi if (ret == 1) {
1368*62c56f98SSadaf Ebrahimi ret = ssl_tls13_parse_supported_versions_ext(ssl,
1369*62c56f98SSadaf Ebrahimi supported_versions_data,
1370*62c56f98SSadaf Ebrahimi supported_versions_data_end);
1371*62c56f98SSadaf Ebrahimi if (ret < 0) {
1372*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_RET(1,
1373*62c56f98SSadaf Ebrahimi ("ssl_tls13_parse_supported_versions_ext"), ret);
1374*62c56f98SSadaf Ebrahimi return ret;
1375*62c56f98SSadaf Ebrahimi }
1376*62c56f98SSadaf Ebrahimi
1377*62c56f98SSadaf Ebrahimi /*
1378*62c56f98SSadaf Ebrahimi * The supported versions extension was parsed successfully as the
1379*62c56f98SSadaf Ebrahimi * value returned by ssl_tls13_parse_supported_versions_ext() is
1380*62c56f98SSadaf Ebrahimi * positive. The return value is then equal to
1381*62c56f98SSadaf Ebrahimi * MBEDTLS_SSL_VERSION_TLS1_2 or MBEDTLS_SSL_VERSION_TLS1_3, defining
1382*62c56f98SSadaf Ebrahimi * the TLS version to negotiate.
1383*62c56f98SSadaf Ebrahimi */
1384*62c56f98SSadaf Ebrahimi if (MBEDTLS_SSL_VERSION_TLS1_2 == ret) {
1385*62c56f98SSadaf Ebrahimi return SSL_CLIENT_HELLO_TLS1_2;
1386*62c56f98SSadaf Ebrahimi }
1387*62c56f98SSadaf Ebrahimi }
1388*62c56f98SSadaf Ebrahimi
1389*62c56f98SSadaf Ebrahimi /*
1390*62c56f98SSadaf Ebrahimi * We negotiate TLS 1.3.
1391*62c56f98SSadaf Ebrahimi */
1392*62c56f98SSadaf Ebrahimi ssl->tls_version = MBEDTLS_SSL_VERSION_TLS1_3;
1393*62c56f98SSadaf Ebrahimi
1394*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_SSL_SESSION_TICKETS)
1395*62c56f98SSadaf Ebrahimi /* Store minor version for later use with ticket serialization. */
1396*62c56f98SSadaf Ebrahimi ssl->session_negotiate->tls_version = MBEDTLS_SSL_VERSION_TLS1_3;
1397*62c56f98SSadaf Ebrahimi ssl->session_negotiate->endpoint = ssl->conf->endpoint;
1398*62c56f98SSadaf Ebrahimi #endif
1399*62c56f98SSadaf Ebrahimi
1400*62c56f98SSadaf Ebrahimi /*
1401*62c56f98SSadaf Ebrahimi * We are negotiating the version 1.3 of the protocol. Do what we have
1402*62c56f98SSadaf Ebrahimi * postponed: copy of the client random bytes, copy of the legacy session
1403*62c56f98SSadaf Ebrahimi * identifier and selection of the TLS 1.3 cipher suite.
1404*62c56f98SSadaf Ebrahimi */
1405*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_BUF(3, "client hello, random bytes",
1406*62c56f98SSadaf Ebrahimi random, MBEDTLS_CLIENT_HELLO_RANDOM_LEN);
1407*62c56f98SSadaf Ebrahimi memcpy(&handshake->randbytes[0], random, MBEDTLS_CLIENT_HELLO_RANDOM_LEN);
1408*62c56f98SSadaf Ebrahimi
1409*62c56f98SSadaf Ebrahimi if (legacy_session_id_len > sizeof(ssl->session_negotiate->id)) {
1410*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1411*62c56f98SSadaf Ebrahimi return MBEDTLS_ERR_SSL_DECODE_ERROR;
1412*62c56f98SSadaf Ebrahimi }
1413*62c56f98SSadaf Ebrahimi ssl->session_negotiate->id_len = legacy_session_id_len;
1414*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_BUF(3, "client hello, session id",
1415*62c56f98SSadaf Ebrahimi legacy_session_id, legacy_session_id_len);
1416*62c56f98SSadaf Ebrahimi memcpy(&ssl->session_negotiate->id[0],
1417*62c56f98SSadaf Ebrahimi legacy_session_id, legacy_session_id_len);
1418*62c56f98SSadaf Ebrahimi
1419*62c56f98SSadaf Ebrahimi /*
1420*62c56f98SSadaf Ebrahimi * Search for a matching ciphersuite
1421*62c56f98SSadaf Ebrahimi */
1422*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_BUF(3, "client hello, list of cipher suites",
1423*62c56f98SSadaf Ebrahimi cipher_suites, cipher_suites_len);
1424*62c56f98SSadaf Ebrahimi for (const unsigned char *cipher_suites_p = cipher_suites;
1425*62c56f98SSadaf Ebrahimi cipher_suites_p < cipher_suites_end; cipher_suites_p += 2) {
1426*62c56f98SSadaf Ebrahimi uint16_t cipher_suite;
1427*62c56f98SSadaf Ebrahimi const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
1428*62c56f98SSadaf Ebrahimi
1429*62c56f98SSadaf Ebrahimi /*
1430*62c56f98SSadaf Ebrahimi * "cipher_suites_end - cipher_suites_p is even" is an invariant of the
1431*62c56f98SSadaf Ebrahimi * loop. As cipher_suites_end - cipher_suites_p > 0, we have
1432*62c56f98SSadaf Ebrahimi * cipher_suites_end - cipher_suites_p >= 2 and it is thus safe to read
1433*62c56f98SSadaf Ebrahimi * two bytes.
1434*62c56f98SSadaf Ebrahimi */
1435*62c56f98SSadaf Ebrahimi cipher_suite = MBEDTLS_GET_UINT16_BE(cipher_suites_p, 0);
1436*62c56f98SSadaf Ebrahimi ciphersuite_info = ssl_tls13_validate_peer_ciphersuite(
1437*62c56f98SSadaf Ebrahimi ssl, cipher_suite);
1438*62c56f98SSadaf Ebrahimi if (ciphersuite_info == NULL) {
1439*62c56f98SSadaf Ebrahimi continue;
1440*62c56f98SSadaf Ebrahimi }
1441*62c56f98SSadaf Ebrahimi
1442*62c56f98SSadaf Ebrahimi ssl->session_negotiate->ciphersuite = cipher_suite;
1443*62c56f98SSadaf Ebrahimi handshake->ciphersuite_info = ciphersuite_info;
1444*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(2, ("selected ciphersuite: %04x - %s",
1445*62c56f98SSadaf Ebrahimi cipher_suite,
1446*62c56f98SSadaf Ebrahimi ciphersuite_info->name));
1447*62c56f98SSadaf Ebrahimi break;
1448*62c56f98SSadaf Ebrahimi }
1449*62c56f98SSadaf Ebrahimi
1450*62c56f98SSadaf Ebrahimi if (handshake->ciphersuite_info == NULL) {
1451*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
1452*62c56f98SSadaf Ebrahimi MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE);
1453*62c56f98SSadaf Ebrahimi return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
1454*62c56f98SSadaf Ebrahimi }
1455*62c56f98SSadaf Ebrahimi
1456*62c56f98SSadaf Ebrahimi /* ...
1457*62c56f98SSadaf Ebrahimi * opaque legacy_compression_methods<1..2^8-1>;
1458*62c56f98SSadaf Ebrahimi * ...
1459*62c56f98SSadaf Ebrahimi */
1460*62c56f98SSadaf Ebrahimi if (p[0] != 1 || p[1] != MBEDTLS_SSL_COMPRESS_NULL) {
1461*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(1, ("bad legacy compression method"));
1462*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
1463*62c56f98SSadaf Ebrahimi MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
1464*62c56f98SSadaf Ebrahimi return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
1465*62c56f98SSadaf Ebrahimi }
1466*62c56f98SSadaf Ebrahimi p += 2;
1467*62c56f98SSadaf Ebrahimi
1468*62c56f98SSadaf Ebrahimi /* ...
1469*62c56f98SSadaf Ebrahimi * Extension extensions<8..2^16-1>;
1470*62c56f98SSadaf Ebrahimi * ...
1471*62c56f98SSadaf Ebrahimi * with Extension defined as:
1472*62c56f98SSadaf Ebrahimi * struct {
1473*62c56f98SSadaf Ebrahimi * ExtensionType extension_type;
1474*62c56f98SSadaf Ebrahimi * opaque extension_data<0..2^16-1>;
1475*62c56f98SSadaf Ebrahimi * } Extension;
1476*62c56f98SSadaf Ebrahimi */
1477*62c56f98SSadaf Ebrahimi extensions_len = MBEDTLS_GET_UINT16_BE(p, 0);
1478*62c56f98SSadaf Ebrahimi p += 2;
1479*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, extensions_len);
1480*62c56f98SSadaf Ebrahimi extensions_end = p + extensions_len;
1481*62c56f98SSadaf Ebrahimi
1482*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_BUF(3, "client hello extensions", p, extensions_len);
1483*62c56f98SSadaf Ebrahimi handshake->received_extensions = MBEDTLS_SSL_EXT_MASK_NONE;
1484*62c56f98SSadaf Ebrahimi
1485*62c56f98SSadaf Ebrahimi while (p < extensions_end) {
1486*62c56f98SSadaf Ebrahimi unsigned int extension_type;
1487*62c56f98SSadaf Ebrahimi size_t extension_data_len;
1488*62c56f98SSadaf Ebrahimi const unsigned char *extension_data_end;
1489*62c56f98SSadaf Ebrahimi
1490*62c56f98SSadaf Ebrahimi /* RFC 8446, section 4.2.11
1491*62c56f98SSadaf Ebrahimi *
1492*62c56f98SSadaf Ebrahimi * The "pre_shared_key" extension MUST be the last extension in the
1493*62c56f98SSadaf Ebrahimi * ClientHello (this facilitates implementation as described below).
1494*62c56f98SSadaf Ebrahimi * Servers MUST check that it is the last extension and otherwise fail
1495*62c56f98SSadaf Ebrahimi * the handshake with an "illegal_parameter" alert.
1496*62c56f98SSadaf Ebrahimi */
1497*62c56f98SSadaf Ebrahimi if (handshake->received_extensions & MBEDTLS_SSL_EXT_MASK(PRE_SHARED_KEY)) {
1498*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(
1499*62c56f98SSadaf Ebrahimi 3, ("pre_shared_key is not last extension."));
1500*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_PEND_FATAL_ALERT(
1501*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
1502*62c56f98SSadaf Ebrahimi MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
1503*62c56f98SSadaf Ebrahimi return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
1504*62c56f98SSadaf Ebrahimi }
1505*62c56f98SSadaf Ebrahimi
1506*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_CHK_BUF_READ_PTR(p, extensions_end, 4);
1507*62c56f98SSadaf Ebrahimi extension_type = MBEDTLS_GET_UINT16_BE(p, 0);
1508*62c56f98SSadaf Ebrahimi extension_data_len = MBEDTLS_GET_UINT16_BE(p, 2);
1509*62c56f98SSadaf Ebrahimi p += 4;
1510*62c56f98SSadaf Ebrahimi
1511*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_CHK_BUF_READ_PTR(p, extensions_end, extension_data_len);
1512*62c56f98SSadaf Ebrahimi extension_data_end = p + extension_data_len;
1513*62c56f98SSadaf Ebrahimi
1514*62c56f98SSadaf Ebrahimi ret = mbedtls_ssl_tls13_check_received_extension(
1515*62c56f98SSadaf Ebrahimi ssl, MBEDTLS_SSL_HS_CLIENT_HELLO, extension_type,
1516*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CH);
1517*62c56f98SSadaf Ebrahimi if (ret != 0) {
1518*62c56f98SSadaf Ebrahimi return ret;
1519*62c56f98SSadaf Ebrahimi }
1520*62c56f98SSadaf Ebrahimi
1521*62c56f98SSadaf Ebrahimi switch (extension_type) {
1522*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
1523*62c56f98SSadaf Ebrahimi case MBEDTLS_TLS_EXT_SERVERNAME:
1524*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(3, ("found ServerName extension"));
1525*62c56f98SSadaf Ebrahimi ret = mbedtls_ssl_parse_server_name_ext(ssl, p,
1526*62c56f98SSadaf Ebrahimi extension_data_end);
1527*62c56f98SSadaf Ebrahimi if (ret != 0) {
1528*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_RET(
1529*62c56f98SSadaf Ebrahimi 1, "mbedtls_ssl_parse_servername_ext", ret);
1530*62c56f98SSadaf Ebrahimi return ret;
1531*62c56f98SSadaf Ebrahimi }
1532*62c56f98SSadaf Ebrahimi break;
1533*62c56f98SSadaf Ebrahimi #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
1534*62c56f98SSadaf Ebrahimi
1535*62c56f98SSadaf Ebrahimi #if defined(PSA_WANT_ALG_ECDH) || defined(PSA_WANT_ALG_FFDH)
1536*62c56f98SSadaf Ebrahimi case MBEDTLS_TLS_EXT_SUPPORTED_GROUPS:
1537*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(3, ("found supported group extension"));
1538*62c56f98SSadaf Ebrahimi
1539*62c56f98SSadaf Ebrahimi /* Supported Groups Extension
1540*62c56f98SSadaf Ebrahimi *
1541*62c56f98SSadaf Ebrahimi * When sent by the client, the "supported_groups" extension
1542*62c56f98SSadaf Ebrahimi * indicates the named groups which the client supports,
1543*62c56f98SSadaf Ebrahimi * ordered from most preferred to least preferred.
1544*62c56f98SSadaf Ebrahimi */
1545*62c56f98SSadaf Ebrahimi ret = ssl_tls13_parse_supported_groups_ext(
1546*62c56f98SSadaf Ebrahimi ssl, p, extension_data_end);
1547*62c56f98SSadaf Ebrahimi if (ret != 0) {
1548*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_RET(
1549*62c56f98SSadaf Ebrahimi 1, "ssl_tls13_parse_supported_groups_ext", ret);
1550*62c56f98SSadaf Ebrahimi return ret;
1551*62c56f98SSadaf Ebrahimi }
1552*62c56f98SSadaf Ebrahimi
1553*62c56f98SSadaf Ebrahimi break;
1554*62c56f98SSadaf Ebrahimi #endif /* PSA_WANT_ALG_ECDH || PSA_WANT_ALG_FFDH*/
1555*62c56f98SSadaf Ebrahimi
1556*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)
1557*62c56f98SSadaf Ebrahimi case MBEDTLS_TLS_EXT_KEY_SHARE:
1558*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(3, ("found key share extension"));
1559*62c56f98SSadaf Ebrahimi
1560*62c56f98SSadaf Ebrahimi /*
1561*62c56f98SSadaf Ebrahimi * Key Share Extension
1562*62c56f98SSadaf Ebrahimi *
1563*62c56f98SSadaf Ebrahimi * When sent by the client, the "key_share" extension
1564*62c56f98SSadaf Ebrahimi * contains the endpoint's cryptographic parameters for
1565*62c56f98SSadaf Ebrahimi * ECDHE/DHE key establishment methods.
1566*62c56f98SSadaf Ebrahimi */
1567*62c56f98SSadaf Ebrahimi ret = ssl_tls13_parse_key_shares_ext(
1568*62c56f98SSadaf Ebrahimi ssl, p, extension_data_end);
1569*62c56f98SSadaf Ebrahimi if (ret == SSL_TLS1_3_PARSE_KEY_SHARES_EXT_NO_MATCH) {
1570*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(2, ("No usable share for key agreement."));
1571*62c56f98SSadaf Ebrahimi no_usable_share_for_key_agreement = 1;
1572*62c56f98SSadaf Ebrahimi }
1573*62c56f98SSadaf Ebrahimi
1574*62c56f98SSadaf Ebrahimi if (ret < 0) {
1575*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_RET(
1576*62c56f98SSadaf Ebrahimi 1, "ssl_tls13_parse_key_shares_ext", ret);
1577*62c56f98SSadaf Ebrahimi return ret;
1578*62c56f98SSadaf Ebrahimi }
1579*62c56f98SSadaf Ebrahimi
1580*62c56f98SSadaf Ebrahimi break;
1581*62c56f98SSadaf Ebrahimi #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED */
1582*62c56f98SSadaf Ebrahimi
1583*62c56f98SSadaf Ebrahimi case MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS:
1584*62c56f98SSadaf Ebrahimi /* Already parsed */
1585*62c56f98SSadaf Ebrahimi break;
1586*62c56f98SSadaf Ebrahimi
1587*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
1588*62c56f98SSadaf Ebrahimi case MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES:
1589*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(
1590*62c56f98SSadaf Ebrahimi 3, ("found psk key exchange modes extension"));
1591*62c56f98SSadaf Ebrahimi
1592*62c56f98SSadaf Ebrahimi ret = ssl_tls13_parse_key_exchange_modes_ext(
1593*62c56f98SSadaf Ebrahimi ssl, p, extension_data_end);
1594*62c56f98SSadaf Ebrahimi if (ret != 0) {
1595*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_RET(
1596*62c56f98SSadaf Ebrahimi 1, "ssl_tls13_parse_key_exchange_modes_ext", ret);
1597*62c56f98SSadaf Ebrahimi return ret;
1598*62c56f98SSadaf Ebrahimi }
1599*62c56f98SSadaf Ebrahimi
1600*62c56f98SSadaf Ebrahimi break;
1601*62c56f98SSadaf Ebrahimi #endif
1602*62c56f98SSadaf Ebrahimi
1603*62c56f98SSadaf Ebrahimi case MBEDTLS_TLS_EXT_PRE_SHARED_KEY:
1604*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(3, ("found pre_shared_key extension"));
1605*62c56f98SSadaf Ebrahimi if ((handshake->received_extensions &
1606*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_EXT_MASK(PSK_KEY_EXCHANGE_MODES)) == 0) {
1607*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_PEND_FATAL_ALERT(
1608*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
1609*62c56f98SSadaf Ebrahimi MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
1610*62c56f98SSadaf Ebrahimi return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
1611*62c56f98SSadaf Ebrahimi }
1612*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
1613*62c56f98SSadaf Ebrahimi /* Delay processing of the PSK identity once we have
1614*62c56f98SSadaf Ebrahimi * found out which algorithms to use. We keep a pointer
1615*62c56f98SSadaf Ebrahimi * to the buffer and the size for later processing.
1616*62c56f98SSadaf Ebrahimi */
1617*62c56f98SSadaf Ebrahimi pre_shared_key_ext = p;
1618*62c56f98SSadaf Ebrahimi pre_shared_key_ext_end = extension_data_end;
1619*62c56f98SSadaf Ebrahimi #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */
1620*62c56f98SSadaf Ebrahimi break;
1621*62c56f98SSadaf Ebrahimi
1622*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_SSL_ALPN)
1623*62c56f98SSadaf Ebrahimi case MBEDTLS_TLS_EXT_ALPN:
1624*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(3, ("found alpn extension"));
1625*62c56f98SSadaf Ebrahimi
1626*62c56f98SSadaf Ebrahimi ret = mbedtls_ssl_parse_alpn_ext(ssl, p, extension_data_end);
1627*62c56f98SSadaf Ebrahimi if (ret != 0) {
1628*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_RET(
1629*62c56f98SSadaf Ebrahimi 1, ("mbedtls_ssl_parse_alpn_ext"), ret);
1630*62c56f98SSadaf Ebrahimi return ret;
1631*62c56f98SSadaf Ebrahimi }
1632*62c56f98SSadaf Ebrahimi break;
1633*62c56f98SSadaf Ebrahimi #endif /* MBEDTLS_SSL_ALPN */
1634*62c56f98SSadaf Ebrahimi
1635*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
1636*62c56f98SSadaf Ebrahimi case MBEDTLS_TLS_EXT_SIG_ALG:
1637*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(3, ("found signature_algorithms extension"));
1638*62c56f98SSadaf Ebrahimi
1639*62c56f98SSadaf Ebrahimi ret = mbedtls_ssl_parse_sig_alg_ext(
1640*62c56f98SSadaf Ebrahimi ssl, p, extension_data_end);
1641*62c56f98SSadaf Ebrahimi if (ret != 0) {
1642*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_RET(
1643*62c56f98SSadaf Ebrahimi 1, "mbedtls_ssl_parse_sig_alg_ext", ret);
1644*62c56f98SSadaf Ebrahimi return ret;
1645*62c56f98SSadaf Ebrahimi }
1646*62c56f98SSadaf Ebrahimi break;
1647*62c56f98SSadaf Ebrahimi #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
1648*62c56f98SSadaf Ebrahimi
1649*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
1650*62c56f98SSadaf Ebrahimi case MBEDTLS_TLS_EXT_RECORD_SIZE_LIMIT:
1651*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(3, ("found record_size_limit extension"));
1652*62c56f98SSadaf Ebrahimi
1653*62c56f98SSadaf Ebrahimi ret = mbedtls_ssl_tls13_parse_record_size_limit_ext(
1654*62c56f98SSadaf Ebrahimi ssl, p, extension_data_end);
1655*62c56f98SSadaf Ebrahimi
1656*62c56f98SSadaf Ebrahimi /*
1657*62c56f98SSadaf Ebrahimi * TODO: Return unconditionally here until we handle the record
1658*62c56f98SSadaf Ebrahimi * size limit correctly.
1659*62c56f98SSadaf Ebrahimi * Once handled correctly, only return in case of errors.
1660*62c56f98SSadaf Ebrahimi */
1661*62c56f98SSadaf Ebrahimi return ret;
1662*62c56f98SSadaf Ebrahimi
1663*62c56f98SSadaf Ebrahimi break;
1664*62c56f98SSadaf Ebrahimi #endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */
1665*62c56f98SSadaf Ebrahimi
1666*62c56f98SSadaf Ebrahimi default:
1667*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_PRINT_EXT(
1668*62c56f98SSadaf Ebrahimi 3, MBEDTLS_SSL_HS_CLIENT_HELLO,
1669*62c56f98SSadaf Ebrahimi extension_type, "( ignored )");
1670*62c56f98SSadaf Ebrahimi break;
1671*62c56f98SSadaf Ebrahimi }
1672*62c56f98SSadaf Ebrahimi
1673*62c56f98SSadaf Ebrahimi p += extension_data_len;
1674*62c56f98SSadaf Ebrahimi }
1675*62c56f98SSadaf Ebrahimi
1676*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_PRINT_EXTS(3, MBEDTLS_SSL_HS_CLIENT_HELLO,
1677*62c56f98SSadaf Ebrahimi handshake->received_extensions);
1678*62c56f98SSadaf Ebrahimi
1679*62c56f98SSadaf Ebrahimi ret = mbedtls_ssl_add_hs_hdr_to_checksum(ssl,
1680*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_HS_CLIENT_HELLO,
1681*62c56f98SSadaf Ebrahimi p - buf);
1682*62c56f98SSadaf Ebrahimi if (0 != ret) {
1683*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ssl_add_hs_hdr_to_checksum"), ret);
1684*62c56f98SSadaf Ebrahimi return ret;
1685*62c56f98SSadaf Ebrahimi }
1686*62c56f98SSadaf Ebrahimi
1687*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
1688*62c56f98SSadaf Ebrahimi /* Update checksum with either
1689*62c56f98SSadaf Ebrahimi * - The entire content of the CH message, if no PSK extension is present
1690*62c56f98SSadaf Ebrahimi * - The content up to but excluding the PSK extension, if present.
1691*62c56f98SSadaf Ebrahimi */
1692*62c56f98SSadaf Ebrahimi /* If we've settled on a PSK-based exchange, parse PSK identity ext */
1693*62c56f98SSadaf Ebrahimi if (mbedtls_ssl_tls13_some_psk_enabled(ssl) &&
1694*62c56f98SSadaf Ebrahimi mbedtls_ssl_conf_tls13_some_psk_enabled(ssl) &&
1695*62c56f98SSadaf Ebrahimi (handshake->received_extensions & MBEDTLS_SSL_EXT_MASK(PRE_SHARED_KEY))) {
1696*62c56f98SSadaf Ebrahimi ret = handshake->update_checksum(ssl, buf,
1697*62c56f98SSadaf Ebrahimi pre_shared_key_ext - buf);
1698*62c56f98SSadaf Ebrahimi if (0 != ret) {
1699*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_RET(1, ("update_checksum"), ret);
1700*62c56f98SSadaf Ebrahimi return ret;
1701*62c56f98SSadaf Ebrahimi }
1702*62c56f98SSadaf Ebrahimi ret = ssl_tls13_parse_pre_shared_key_ext(ssl,
1703*62c56f98SSadaf Ebrahimi pre_shared_key_ext,
1704*62c56f98SSadaf Ebrahimi pre_shared_key_ext_end,
1705*62c56f98SSadaf Ebrahimi cipher_suites,
1706*62c56f98SSadaf Ebrahimi cipher_suites_end);
1707*62c56f98SSadaf Ebrahimi if (ret == MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY) {
1708*62c56f98SSadaf Ebrahimi handshake->received_extensions &= ~MBEDTLS_SSL_EXT_MASK(PRE_SHARED_KEY);
1709*62c56f98SSadaf Ebrahimi } else if (ret != 0) {
1710*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_RET(
1711*62c56f98SSadaf Ebrahimi 1, "ssl_tls13_parse_pre_shared_key_ext", ret);
1712*62c56f98SSadaf Ebrahimi return ret;
1713*62c56f98SSadaf Ebrahimi }
1714*62c56f98SSadaf Ebrahimi } else
1715*62c56f98SSadaf Ebrahimi #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */
1716*62c56f98SSadaf Ebrahimi {
1717*62c56f98SSadaf Ebrahimi ret = handshake->update_checksum(ssl, buf, p - buf);
1718*62c56f98SSadaf Ebrahimi if (0 != ret) {
1719*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_RET(1, ("update_checksum"), ret);
1720*62c56f98SSadaf Ebrahimi return ret;
1721*62c56f98SSadaf Ebrahimi }
1722*62c56f98SSadaf Ebrahimi }
1723*62c56f98SSadaf Ebrahimi
1724*62c56f98SSadaf Ebrahimi ret = ssl_tls13_determine_key_exchange_mode(ssl);
1725*62c56f98SSadaf Ebrahimi if (ret < 0) {
1726*62c56f98SSadaf Ebrahimi return ret;
1727*62c56f98SSadaf Ebrahimi }
1728*62c56f98SSadaf Ebrahimi
1729*62c56f98SSadaf Ebrahimi if (ssl->handshake->key_exchange_mode !=
1730*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK) {
1731*62c56f98SSadaf Ebrahimi hrr_required = (no_usable_share_for_key_agreement != 0);
1732*62c56f98SSadaf Ebrahimi }
1733*62c56f98SSadaf Ebrahimi
1734*62c56f98SSadaf Ebrahimi mbedtls_ssl_optimize_checksum(ssl, handshake->ciphersuite_info);
1735*62c56f98SSadaf Ebrahimi
1736*62c56f98SSadaf Ebrahimi return hrr_required ? SSL_CLIENT_HELLO_HRR_REQUIRED : SSL_CLIENT_HELLO_OK;
1737*62c56f98SSadaf Ebrahimi }
1738*62c56f98SSadaf Ebrahimi
1739*62c56f98SSadaf Ebrahimi /* Update the handshake state machine */
1740*62c56f98SSadaf Ebrahimi
1741*62c56f98SSadaf Ebrahimi MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_postprocess_client_hello(mbedtls_ssl_context * ssl)1742*62c56f98SSadaf Ebrahimi static int ssl_tls13_postprocess_client_hello(mbedtls_ssl_context *ssl)
1743*62c56f98SSadaf Ebrahimi {
1744*62c56f98SSadaf Ebrahimi int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1745*62c56f98SSadaf Ebrahimi
1746*62c56f98SSadaf Ebrahimi /*
1747*62c56f98SSadaf Ebrahimi * Server certificate selection
1748*62c56f98SSadaf Ebrahimi */
1749*62c56f98SSadaf Ebrahimi if (ssl->conf->f_cert_cb && (ret = ssl->conf->f_cert_cb(ssl)) != 0) {
1750*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_RET(1, "f_cert_cb", ret);
1751*62c56f98SSadaf Ebrahimi return ret;
1752*62c56f98SSadaf Ebrahimi }
1753*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
1754*62c56f98SSadaf Ebrahimi ssl->handshake->sni_name = NULL;
1755*62c56f98SSadaf Ebrahimi ssl->handshake->sni_name_len = 0;
1756*62c56f98SSadaf Ebrahimi #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
1757*62c56f98SSadaf Ebrahimi
1758*62c56f98SSadaf Ebrahimi ret = mbedtls_ssl_tls13_key_schedule_stage_early(ssl);
1759*62c56f98SSadaf Ebrahimi if (ret != 0) {
1760*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_RET(1,
1761*62c56f98SSadaf Ebrahimi "mbedtls_ssl_tls1_3_key_schedule_stage_early", ret);
1762*62c56f98SSadaf Ebrahimi return ret;
1763*62c56f98SSadaf Ebrahimi }
1764*62c56f98SSadaf Ebrahimi
1765*62c56f98SSadaf Ebrahimi return 0;
1766*62c56f98SSadaf Ebrahimi
1767*62c56f98SSadaf Ebrahimi }
1768*62c56f98SSadaf Ebrahimi
1769*62c56f98SSadaf Ebrahimi /*
1770*62c56f98SSadaf Ebrahimi * Main entry point from the state machine; orchestrates the otherfunctions.
1771*62c56f98SSadaf Ebrahimi */
1772*62c56f98SSadaf Ebrahimi
1773*62c56f98SSadaf Ebrahimi MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_process_client_hello(mbedtls_ssl_context * ssl)1774*62c56f98SSadaf Ebrahimi static int ssl_tls13_process_client_hello(mbedtls_ssl_context *ssl)
1775*62c56f98SSadaf Ebrahimi {
1776*62c56f98SSadaf Ebrahimi
1777*62c56f98SSadaf Ebrahimi int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1778*62c56f98SSadaf Ebrahimi unsigned char *buf = NULL;
1779*62c56f98SSadaf Ebrahimi size_t buflen = 0;
1780*62c56f98SSadaf Ebrahimi int parse_client_hello_ret;
1781*62c56f98SSadaf Ebrahimi
1782*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse client hello"));
1783*62c56f98SSadaf Ebrahimi
1784*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_tls13_fetch_handshake_msg(
1785*62c56f98SSadaf Ebrahimi ssl, MBEDTLS_SSL_HS_CLIENT_HELLO,
1786*62c56f98SSadaf Ebrahimi &buf, &buflen));
1787*62c56f98SSadaf Ebrahimi
1788*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_PROC_CHK_NEG(ssl_tls13_parse_client_hello(ssl, buf,
1789*62c56f98SSadaf Ebrahimi buf + buflen));
1790*62c56f98SSadaf Ebrahimi parse_client_hello_ret = ret; /* Store positive return value of
1791*62c56f98SSadaf Ebrahimi * parse_client_hello,
1792*62c56f98SSadaf Ebrahimi * as negative error codes are handled
1793*62c56f98SSadaf Ebrahimi * by MBEDTLS_SSL_PROC_CHK_NEG. */
1794*62c56f98SSadaf Ebrahimi
1795*62c56f98SSadaf Ebrahimi /*
1796*62c56f98SSadaf Ebrahimi * Version 1.2 of the protocol has been chosen, set the
1797*62c56f98SSadaf Ebrahimi * ssl->keep_current_message flag for the ClientHello to be kept and parsed
1798*62c56f98SSadaf Ebrahimi * as a TLS 1.2 ClientHello. We also change ssl->tls_version to
1799*62c56f98SSadaf Ebrahimi * MBEDTLS_SSL_VERSION_TLS1_2 thus from now on mbedtls_ssl_handshake_step()
1800*62c56f98SSadaf Ebrahimi * will dispatch to the TLS 1.2 state machine.
1801*62c56f98SSadaf Ebrahimi */
1802*62c56f98SSadaf Ebrahimi if (SSL_CLIENT_HELLO_TLS1_2 == parse_client_hello_ret) {
1803*62c56f98SSadaf Ebrahimi ssl->keep_current_message = 1;
1804*62c56f98SSadaf Ebrahimi ssl->tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
1805*62c56f98SSadaf Ebrahimi return 0;
1806*62c56f98SSadaf Ebrahimi }
1807*62c56f98SSadaf Ebrahimi
1808*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_PROC_CHK(ssl_tls13_postprocess_client_hello(ssl));
1809*62c56f98SSadaf Ebrahimi
1810*62c56f98SSadaf Ebrahimi if (SSL_CLIENT_HELLO_OK == parse_client_hello_ret) {
1811*62c56f98SSadaf Ebrahimi mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_HELLO);
1812*62c56f98SSadaf Ebrahimi } else {
1813*62c56f98SSadaf Ebrahimi mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HELLO_RETRY_REQUEST);
1814*62c56f98SSadaf Ebrahimi }
1815*62c56f98SSadaf Ebrahimi
1816*62c56f98SSadaf Ebrahimi cleanup:
1817*62c56f98SSadaf Ebrahimi
1818*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse client hello"));
1819*62c56f98SSadaf Ebrahimi return ret;
1820*62c56f98SSadaf Ebrahimi }
1821*62c56f98SSadaf Ebrahimi
1822*62c56f98SSadaf Ebrahimi /*
1823*62c56f98SSadaf Ebrahimi * Handler for MBEDTLS_SSL_SERVER_HELLO
1824*62c56f98SSadaf Ebrahimi */
1825*62c56f98SSadaf Ebrahimi MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_prepare_server_hello(mbedtls_ssl_context * ssl)1826*62c56f98SSadaf Ebrahimi static int ssl_tls13_prepare_server_hello(mbedtls_ssl_context *ssl)
1827*62c56f98SSadaf Ebrahimi {
1828*62c56f98SSadaf Ebrahimi int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1829*62c56f98SSadaf Ebrahimi unsigned char *server_randbytes =
1830*62c56f98SSadaf Ebrahimi ssl->handshake->randbytes + MBEDTLS_CLIENT_HELLO_RANDOM_LEN;
1831*62c56f98SSadaf Ebrahimi if (ssl->conf->f_rng == NULL) {
1832*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(1, ("no RNG provided"));
1833*62c56f98SSadaf Ebrahimi return MBEDTLS_ERR_SSL_NO_RNG;
1834*62c56f98SSadaf Ebrahimi }
1835*62c56f98SSadaf Ebrahimi
1836*62c56f98SSadaf Ebrahimi if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, server_randbytes,
1837*62c56f98SSadaf Ebrahimi MBEDTLS_SERVER_HELLO_RANDOM_LEN)) != 0) {
1838*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_RET(1, "f_rng", ret);
1839*62c56f98SSadaf Ebrahimi return ret;
1840*62c56f98SSadaf Ebrahimi }
1841*62c56f98SSadaf Ebrahimi
1842*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_BUF(3, "server hello, random bytes", server_randbytes,
1843*62c56f98SSadaf Ebrahimi MBEDTLS_SERVER_HELLO_RANDOM_LEN);
1844*62c56f98SSadaf Ebrahimi
1845*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_HAVE_TIME)
1846*62c56f98SSadaf Ebrahimi ssl->session_negotiate->start = mbedtls_time(NULL);
1847*62c56f98SSadaf Ebrahimi #endif /* MBEDTLS_HAVE_TIME */
1848*62c56f98SSadaf Ebrahimi
1849*62c56f98SSadaf Ebrahimi return ret;
1850*62c56f98SSadaf Ebrahimi }
1851*62c56f98SSadaf Ebrahimi
1852*62c56f98SSadaf Ebrahimi /*
1853*62c56f98SSadaf Ebrahimi * ssl_tls13_write_server_hello_supported_versions_ext ():
1854*62c56f98SSadaf Ebrahimi *
1855*62c56f98SSadaf Ebrahimi * struct {
1856*62c56f98SSadaf Ebrahimi * ProtocolVersion selected_version;
1857*62c56f98SSadaf Ebrahimi * } SupportedVersions;
1858*62c56f98SSadaf Ebrahimi */
1859*62c56f98SSadaf Ebrahimi MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_write_server_hello_supported_versions_ext(mbedtls_ssl_context * ssl,unsigned char * buf,unsigned char * end,size_t * out_len)1860*62c56f98SSadaf Ebrahimi static int ssl_tls13_write_server_hello_supported_versions_ext(
1861*62c56f98SSadaf Ebrahimi mbedtls_ssl_context *ssl,
1862*62c56f98SSadaf Ebrahimi unsigned char *buf,
1863*62c56f98SSadaf Ebrahimi unsigned char *end,
1864*62c56f98SSadaf Ebrahimi size_t *out_len)
1865*62c56f98SSadaf Ebrahimi {
1866*62c56f98SSadaf Ebrahimi *out_len = 0;
1867*62c56f98SSadaf Ebrahimi
1868*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, write selected version"));
1869*62c56f98SSadaf Ebrahimi
1870*62c56f98SSadaf Ebrahimi /* Check if we have space to write the extension:
1871*62c56f98SSadaf Ebrahimi * - extension_type (2 bytes)
1872*62c56f98SSadaf Ebrahimi * - extension_data_length (2 bytes)
1873*62c56f98SSadaf Ebrahimi * - selected_version (2 bytes)
1874*62c56f98SSadaf Ebrahimi */
1875*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_CHK_BUF_PTR(buf, end, 6);
1876*62c56f98SSadaf Ebrahimi
1877*62c56f98SSadaf Ebrahimi MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS, buf, 0);
1878*62c56f98SSadaf Ebrahimi
1879*62c56f98SSadaf Ebrahimi MBEDTLS_PUT_UINT16_BE(2, buf, 2);
1880*62c56f98SSadaf Ebrahimi
1881*62c56f98SSadaf Ebrahimi mbedtls_ssl_write_version(buf + 4,
1882*62c56f98SSadaf Ebrahimi ssl->conf->transport,
1883*62c56f98SSadaf Ebrahimi ssl->tls_version);
1884*62c56f98SSadaf Ebrahimi
1885*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(3, ("supported version: [%04x]",
1886*62c56f98SSadaf Ebrahimi ssl->tls_version));
1887*62c56f98SSadaf Ebrahimi
1888*62c56f98SSadaf Ebrahimi *out_len = 6;
1889*62c56f98SSadaf Ebrahimi
1890*62c56f98SSadaf Ebrahimi mbedtls_ssl_tls13_set_hs_sent_ext_mask(
1891*62c56f98SSadaf Ebrahimi ssl, MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS);
1892*62c56f98SSadaf Ebrahimi
1893*62c56f98SSadaf Ebrahimi return 0;
1894*62c56f98SSadaf Ebrahimi }
1895*62c56f98SSadaf Ebrahimi
1896*62c56f98SSadaf Ebrahimi
1897*62c56f98SSadaf Ebrahimi
1898*62c56f98SSadaf Ebrahimi /* Generate and export a single key share. For hybrid KEMs, this can
1899*62c56f98SSadaf Ebrahimi * be called multiple times with the different components of the hybrid. */
1900*62c56f98SSadaf Ebrahimi MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_generate_and_write_key_share(mbedtls_ssl_context * ssl,uint16_t named_group,unsigned char * buf,unsigned char * end,size_t * out_len)1901*62c56f98SSadaf Ebrahimi static int ssl_tls13_generate_and_write_key_share(mbedtls_ssl_context *ssl,
1902*62c56f98SSadaf Ebrahimi uint16_t named_group,
1903*62c56f98SSadaf Ebrahimi unsigned char *buf,
1904*62c56f98SSadaf Ebrahimi unsigned char *end,
1905*62c56f98SSadaf Ebrahimi size_t *out_len)
1906*62c56f98SSadaf Ebrahimi {
1907*62c56f98SSadaf Ebrahimi int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1908*62c56f98SSadaf Ebrahimi
1909*62c56f98SSadaf Ebrahimi *out_len = 0;
1910*62c56f98SSadaf Ebrahimi
1911*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)
1912*62c56f98SSadaf Ebrahimi if (mbedtls_ssl_tls13_named_group_is_ecdhe(named_group) ||
1913*62c56f98SSadaf Ebrahimi mbedtls_ssl_tls13_named_group_is_ffdh(named_group)) {
1914*62c56f98SSadaf Ebrahimi ret = mbedtls_ssl_tls13_generate_and_write_xxdh_key_exchange(
1915*62c56f98SSadaf Ebrahimi ssl, named_group, buf, end, out_len);
1916*62c56f98SSadaf Ebrahimi if (ret != 0) {
1917*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_RET(
1918*62c56f98SSadaf Ebrahimi 1, "mbedtls_ssl_tls13_generate_and_write_xxdh_key_exchange",
1919*62c56f98SSadaf Ebrahimi ret);
1920*62c56f98SSadaf Ebrahimi return ret;
1921*62c56f98SSadaf Ebrahimi }
1922*62c56f98SSadaf Ebrahimi } else
1923*62c56f98SSadaf Ebrahimi #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED */
1924*62c56f98SSadaf Ebrahimi if (0 /* Other kinds of KEMs */) {
1925*62c56f98SSadaf Ebrahimi } else {
1926*62c56f98SSadaf Ebrahimi ((void) ssl);
1927*62c56f98SSadaf Ebrahimi ((void) named_group);
1928*62c56f98SSadaf Ebrahimi ((void) buf);
1929*62c56f98SSadaf Ebrahimi ((void) end);
1930*62c56f98SSadaf Ebrahimi ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
1931*62c56f98SSadaf Ebrahimi }
1932*62c56f98SSadaf Ebrahimi
1933*62c56f98SSadaf Ebrahimi return ret;
1934*62c56f98SSadaf Ebrahimi }
1935*62c56f98SSadaf Ebrahimi
1936*62c56f98SSadaf Ebrahimi /*
1937*62c56f98SSadaf Ebrahimi * ssl_tls13_write_key_share_ext
1938*62c56f98SSadaf Ebrahimi *
1939*62c56f98SSadaf Ebrahimi * Structure of key_share extension in ServerHello:
1940*62c56f98SSadaf Ebrahimi *
1941*62c56f98SSadaf Ebrahimi * struct {
1942*62c56f98SSadaf Ebrahimi * NamedGroup group;
1943*62c56f98SSadaf Ebrahimi * opaque key_exchange<1..2^16-1>;
1944*62c56f98SSadaf Ebrahimi * } KeyShareEntry;
1945*62c56f98SSadaf Ebrahimi * struct {
1946*62c56f98SSadaf Ebrahimi * KeyShareEntry server_share;
1947*62c56f98SSadaf Ebrahimi * } KeyShareServerHello;
1948*62c56f98SSadaf Ebrahimi */
1949*62c56f98SSadaf Ebrahimi MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_write_key_share_ext(mbedtls_ssl_context * ssl,unsigned char * buf,unsigned char * end,size_t * out_len)1950*62c56f98SSadaf Ebrahimi static int ssl_tls13_write_key_share_ext(mbedtls_ssl_context *ssl,
1951*62c56f98SSadaf Ebrahimi unsigned char *buf,
1952*62c56f98SSadaf Ebrahimi unsigned char *end,
1953*62c56f98SSadaf Ebrahimi size_t *out_len)
1954*62c56f98SSadaf Ebrahimi {
1955*62c56f98SSadaf Ebrahimi int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1956*62c56f98SSadaf Ebrahimi unsigned char *p = buf;
1957*62c56f98SSadaf Ebrahimi uint16_t group = ssl->handshake->offered_group_id;
1958*62c56f98SSadaf Ebrahimi unsigned char *server_share = buf + 4;
1959*62c56f98SSadaf Ebrahimi size_t key_exchange_length;
1960*62c56f98SSadaf Ebrahimi
1961*62c56f98SSadaf Ebrahimi *out_len = 0;
1962*62c56f98SSadaf Ebrahimi
1963*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding key share extension"));
1964*62c56f98SSadaf Ebrahimi
1965*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(2, ("server hello, write selected_group: %s (%04x)",
1966*62c56f98SSadaf Ebrahimi mbedtls_ssl_named_group_to_str(group),
1967*62c56f98SSadaf Ebrahimi group));
1968*62c56f98SSadaf Ebrahimi
1969*62c56f98SSadaf Ebrahimi /* Check if we have space for header and length fields:
1970*62c56f98SSadaf Ebrahimi * - extension_type (2 bytes)
1971*62c56f98SSadaf Ebrahimi * - extension_data_length (2 bytes)
1972*62c56f98SSadaf Ebrahimi * - group (2 bytes)
1973*62c56f98SSadaf Ebrahimi * - key_exchange_length (2 bytes)
1974*62c56f98SSadaf Ebrahimi */
1975*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_CHK_BUF_PTR(p, end, 8);
1976*62c56f98SSadaf Ebrahimi MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_KEY_SHARE, p, 0);
1977*62c56f98SSadaf Ebrahimi MBEDTLS_PUT_UINT16_BE(group, server_share, 0);
1978*62c56f98SSadaf Ebrahimi p += 8;
1979*62c56f98SSadaf Ebrahimi
1980*62c56f98SSadaf Ebrahimi /* When we introduce PQC-ECDHE hybrids, we'll want to call this
1981*62c56f98SSadaf Ebrahimi * function multiple times. */
1982*62c56f98SSadaf Ebrahimi ret = ssl_tls13_generate_and_write_key_share(
1983*62c56f98SSadaf Ebrahimi ssl, group, server_share + 4, end, &key_exchange_length);
1984*62c56f98SSadaf Ebrahimi if (ret != 0) {
1985*62c56f98SSadaf Ebrahimi return ret;
1986*62c56f98SSadaf Ebrahimi }
1987*62c56f98SSadaf Ebrahimi p += key_exchange_length;
1988*62c56f98SSadaf Ebrahimi
1989*62c56f98SSadaf Ebrahimi MBEDTLS_PUT_UINT16_BE(key_exchange_length, server_share + 2, 0);
1990*62c56f98SSadaf Ebrahimi
1991*62c56f98SSadaf Ebrahimi MBEDTLS_PUT_UINT16_BE(p - server_share, buf, 2);
1992*62c56f98SSadaf Ebrahimi
1993*62c56f98SSadaf Ebrahimi *out_len = p - buf;
1994*62c56f98SSadaf Ebrahimi
1995*62c56f98SSadaf Ebrahimi mbedtls_ssl_tls13_set_hs_sent_ext_mask(ssl, MBEDTLS_TLS_EXT_KEY_SHARE);
1996*62c56f98SSadaf Ebrahimi
1997*62c56f98SSadaf Ebrahimi return 0;
1998*62c56f98SSadaf Ebrahimi }
1999*62c56f98SSadaf Ebrahimi
2000*62c56f98SSadaf Ebrahimi MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_write_hrr_key_share_ext(mbedtls_ssl_context * ssl,unsigned char * buf,unsigned char * end,size_t * out_len)2001*62c56f98SSadaf Ebrahimi static int ssl_tls13_write_hrr_key_share_ext(mbedtls_ssl_context *ssl,
2002*62c56f98SSadaf Ebrahimi unsigned char *buf,
2003*62c56f98SSadaf Ebrahimi unsigned char *end,
2004*62c56f98SSadaf Ebrahimi size_t *out_len)
2005*62c56f98SSadaf Ebrahimi {
2006*62c56f98SSadaf Ebrahimi uint16_t selected_group = ssl->handshake->hrr_selected_group;
2007*62c56f98SSadaf Ebrahimi /* key_share Extension
2008*62c56f98SSadaf Ebrahimi *
2009*62c56f98SSadaf Ebrahimi * struct {
2010*62c56f98SSadaf Ebrahimi * select (Handshake.msg_type) {
2011*62c56f98SSadaf Ebrahimi * ...
2012*62c56f98SSadaf Ebrahimi * case hello_retry_request:
2013*62c56f98SSadaf Ebrahimi * NamedGroup selected_group;
2014*62c56f98SSadaf Ebrahimi * ...
2015*62c56f98SSadaf Ebrahimi * };
2016*62c56f98SSadaf Ebrahimi * } KeyShare;
2017*62c56f98SSadaf Ebrahimi */
2018*62c56f98SSadaf Ebrahimi
2019*62c56f98SSadaf Ebrahimi *out_len = 0;
2020*62c56f98SSadaf Ebrahimi
2021*62c56f98SSadaf Ebrahimi /*
2022*62c56f98SSadaf Ebrahimi * For a pure PSK key exchange, there is no group to agree upon. The purpose
2023*62c56f98SSadaf Ebrahimi * of the HRR is then to transmit a cookie to force the client to demonstrate
2024*62c56f98SSadaf Ebrahimi * reachability at their apparent network address (primarily useful for DTLS).
2025*62c56f98SSadaf Ebrahimi */
2026*62c56f98SSadaf Ebrahimi if (!mbedtls_ssl_tls13_key_exchange_mode_with_ephemeral(ssl)) {
2027*62c56f98SSadaf Ebrahimi return 0;
2028*62c56f98SSadaf Ebrahimi }
2029*62c56f98SSadaf Ebrahimi
2030*62c56f98SSadaf Ebrahimi /* We should only send the key_share extension if the client's initial
2031*62c56f98SSadaf Ebrahimi * key share was not acceptable. */
2032*62c56f98SSadaf Ebrahimi if (ssl->handshake->offered_group_id != 0) {
2033*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(4, ("Skip key_share extension in HRR"));
2034*62c56f98SSadaf Ebrahimi return 0;
2035*62c56f98SSadaf Ebrahimi }
2036*62c56f98SSadaf Ebrahimi
2037*62c56f98SSadaf Ebrahimi if (selected_group == 0) {
2038*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(1, ("no matching named group found"));
2039*62c56f98SSadaf Ebrahimi return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
2040*62c56f98SSadaf Ebrahimi }
2041*62c56f98SSadaf Ebrahimi
2042*62c56f98SSadaf Ebrahimi /* Check if we have enough space:
2043*62c56f98SSadaf Ebrahimi * - extension_type (2 bytes)
2044*62c56f98SSadaf Ebrahimi * - extension_data_length (2 bytes)
2045*62c56f98SSadaf Ebrahimi * - selected_group (2 bytes)
2046*62c56f98SSadaf Ebrahimi */
2047*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_CHK_BUF_PTR(buf, end, 6);
2048*62c56f98SSadaf Ebrahimi
2049*62c56f98SSadaf Ebrahimi MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_KEY_SHARE, buf, 0);
2050*62c56f98SSadaf Ebrahimi MBEDTLS_PUT_UINT16_BE(2, buf, 2);
2051*62c56f98SSadaf Ebrahimi MBEDTLS_PUT_UINT16_BE(selected_group, buf, 4);
2052*62c56f98SSadaf Ebrahimi
2053*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(3,
2054*62c56f98SSadaf Ebrahimi ("HRR selected_group: %s (%x)",
2055*62c56f98SSadaf Ebrahimi mbedtls_ssl_named_group_to_str(selected_group),
2056*62c56f98SSadaf Ebrahimi selected_group));
2057*62c56f98SSadaf Ebrahimi
2058*62c56f98SSadaf Ebrahimi *out_len = 6;
2059*62c56f98SSadaf Ebrahimi
2060*62c56f98SSadaf Ebrahimi mbedtls_ssl_tls13_set_hs_sent_ext_mask(ssl, MBEDTLS_TLS_EXT_KEY_SHARE);
2061*62c56f98SSadaf Ebrahimi
2062*62c56f98SSadaf Ebrahimi return 0;
2063*62c56f98SSadaf Ebrahimi }
2064*62c56f98SSadaf Ebrahimi
2065*62c56f98SSadaf Ebrahimi /*
2066*62c56f98SSadaf Ebrahimi * Structure of ServerHello message:
2067*62c56f98SSadaf Ebrahimi *
2068*62c56f98SSadaf Ebrahimi * struct {
2069*62c56f98SSadaf Ebrahimi * ProtocolVersion legacy_version = 0x0303; // TLS v1.2
2070*62c56f98SSadaf Ebrahimi * Random random;
2071*62c56f98SSadaf Ebrahimi * opaque legacy_session_id_echo<0..32>;
2072*62c56f98SSadaf Ebrahimi * CipherSuite cipher_suite;
2073*62c56f98SSadaf Ebrahimi * uint8 legacy_compression_method = 0;
2074*62c56f98SSadaf Ebrahimi * Extension extensions<6..2^16-1>;
2075*62c56f98SSadaf Ebrahimi * } ServerHello;
2076*62c56f98SSadaf Ebrahimi */
2077*62c56f98SSadaf Ebrahimi MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_write_server_hello_body(mbedtls_ssl_context * ssl,unsigned char * buf,unsigned char * end,size_t * out_len,int is_hrr)2078*62c56f98SSadaf Ebrahimi static int ssl_tls13_write_server_hello_body(mbedtls_ssl_context *ssl,
2079*62c56f98SSadaf Ebrahimi unsigned char *buf,
2080*62c56f98SSadaf Ebrahimi unsigned char *end,
2081*62c56f98SSadaf Ebrahimi size_t *out_len,
2082*62c56f98SSadaf Ebrahimi int is_hrr)
2083*62c56f98SSadaf Ebrahimi {
2084*62c56f98SSadaf Ebrahimi int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2085*62c56f98SSadaf Ebrahimi unsigned char *p = buf;
2086*62c56f98SSadaf Ebrahimi unsigned char *p_extensions_len;
2087*62c56f98SSadaf Ebrahimi size_t output_len;
2088*62c56f98SSadaf Ebrahimi
2089*62c56f98SSadaf Ebrahimi *out_len = 0;
2090*62c56f98SSadaf Ebrahimi ssl->handshake->sent_extensions = MBEDTLS_SSL_EXT_MASK_NONE;
2091*62c56f98SSadaf Ebrahimi
2092*62c56f98SSadaf Ebrahimi /* ...
2093*62c56f98SSadaf Ebrahimi * ProtocolVersion legacy_version = 0x0303; // TLS 1.2
2094*62c56f98SSadaf Ebrahimi * ...
2095*62c56f98SSadaf Ebrahimi * with ProtocolVersion defined as:
2096*62c56f98SSadaf Ebrahimi * uint16 ProtocolVersion;
2097*62c56f98SSadaf Ebrahimi */
2098*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2);
2099*62c56f98SSadaf Ebrahimi MBEDTLS_PUT_UINT16_BE(0x0303, p, 0);
2100*62c56f98SSadaf Ebrahimi p += 2;
2101*62c56f98SSadaf Ebrahimi
2102*62c56f98SSadaf Ebrahimi /* ...
2103*62c56f98SSadaf Ebrahimi * Random random;
2104*62c56f98SSadaf Ebrahimi * ...
2105*62c56f98SSadaf Ebrahimi * with Random defined as:
2106*62c56f98SSadaf Ebrahimi * opaque Random[MBEDTLS_SERVER_HELLO_RANDOM_LEN];
2107*62c56f98SSadaf Ebrahimi */
2108*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_CHK_BUF_PTR(p, end, MBEDTLS_SERVER_HELLO_RANDOM_LEN);
2109*62c56f98SSadaf Ebrahimi if (is_hrr) {
2110*62c56f98SSadaf Ebrahimi memcpy(p, mbedtls_ssl_tls13_hello_retry_request_magic,
2111*62c56f98SSadaf Ebrahimi MBEDTLS_SERVER_HELLO_RANDOM_LEN);
2112*62c56f98SSadaf Ebrahimi } else {
2113*62c56f98SSadaf Ebrahimi memcpy(p, &ssl->handshake->randbytes[MBEDTLS_CLIENT_HELLO_RANDOM_LEN],
2114*62c56f98SSadaf Ebrahimi MBEDTLS_SERVER_HELLO_RANDOM_LEN);
2115*62c56f98SSadaf Ebrahimi }
2116*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_BUF(3, "server hello, random bytes",
2117*62c56f98SSadaf Ebrahimi p, MBEDTLS_SERVER_HELLO_RANDOM_LEN);
2118*62c56f98SSadaf Ebrahimi p += MBEDTLS_SERVER_HELLO_RANDOM_LEN;
2119*62c56f98SSadaf Ebrahimi
2120*62c56f98SSadaf Ebrahimi /* ...
2121*62c56f98SSadaf Ebrahimi * opaque legacy_session_id_echo<0..32>;
2122*62c56f98SSadaf Ebrahimi * ...
2123*62c56f98SSadaf Ebrahimi */
2124*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_CHK_BUF_PTR(p, end, 1 + ssl->session_negotiate->id_len);
2125*62c56f98SSadaf Ebrahimi *p++ = (unsigned char) ssl->session_negotiate->id_len;
2126*62c56f98SSadaf Ebrahimi if (ssl->session_negotiate->id_len > 0) {
2127*62c56f98SSadaf Ebrahimi memcpy(p, &ssl->session_negotiate->id[0],
2128*62c56f98SSadaf Ebrahimi ssl->session_negotiate->id_len);
2129*62c56f98SSadaf Ebrahimi p += ssl->session_negotiate->id_len;
2130*62c56f98SSadaf Ebrahimi
2131*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_BUF(3, "session id", ssl->session_negotiate->id,
2132*62c56f98SSadaf Ebrahimi ssl->session_negotiate->id_len);
2133*62c56f98SSadaf Ebrahimi }
2134*62c56f98SSadaf Ebrahimi
2135*62c56f98SSadaf Ebrahimi /* ...
2136*62c56f98SSadaf Ebrahimi * CipherSuite cipher_suite;
2137*62c56f98SSadaf Ebrahimi * ...
2138*62c56f98SSadaf Ebrahimi * with CipherSuite defined as:
2139*62c56f98SSadaf Ebrahimi * uint8 CipherSuite[2];
2140*62c56f98SSadaf Ebrahimi */
2141*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2);
2142*62c56f98SSadaf Ebrahimi MBEDTLS_PUT_UINT16_BE(ssl->session_negotiate->ciphersuite, p, 0);
2143*62c56f98SSadaf Ebrahimi p += 2;
2144*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(3,
2145*62c56f98SSadaf Ebrahimi ("server hello, chosen ciphersuite: %s ( id=%d )",
2146*62c56f98SSadaf Ebrahimi mbedtls_ssl_get_ciphersuite_name(
2147*62c56f98SSadaf Ebrahimi ssl->session_negotiate->ciphersuite),
2148*62c56f98SSadaf Ebrahimi ssl->session_negotiate->ciphersuite));
2149*62c56f98SSadaf Ebrahimi
2150*62c56f98SSadaf Ebrahimi /* ...
2151*62c56f98SSadaf Ebrahimi * uint8 legacy_compression_method = 0;
2152*62c56f98SSadaf Ebrahimi * ...
2153*62c56f98SSadaf Ebrahimi */
2154*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_CHK_BUF_PTR(p, end, 1);
2155*62c56f98SSadaf Ebrahimi *p++ = MBEDTLS_SSL_COMPRESS_NULL;
2156*62c56f98SSadaf Ebrahimi
2157*62c56f98SSadaf Ebrahimi /* ...
2158*62c56f98SSadaf Ebrahimi * Extension extensions<6..2^16-1>;
2159*62c56f98SSadaf Ebrahimi * ...
2160*62c56f98SSadaf Ebrahimi * struct {
2161*62c56f98SSadaf Ebrahimi * ExtensionType extension_type; (2 bytes)
2162*62c56f98SSadaf Ebrahimi * opaque extension_data<0..2^16-1>;
2163*62c56f98SSadaf Ebrahimi * } Extension;
2164*62c56f98SSadaf Ebrahimi */
2165*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2);
2166*62c56f98SSadaf Ebrahimi p_extensions_len = p;
2167*62c56f98SSadaf Ebrahimi p += 2;
2168*62c56f98SSadaf Ebrahimi
2169*62c56f98SSadaf Ebrahimi if ((ret = ssl_tls13_write_server_hello_supported_versions_ext(
2170*62c56f98SSadaf Ebrahimi ssl, p, end, &output_len)) != 0) {
2171*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_RET(
2172*62c56f98SSadaf Ebrahimi 1, "ssl_tls13_write_server_hello_supported_versions_ext", ret);
2173*62c56f98SSadaf Ebrahimi return ret;
2174*62c56f98SSadaf Ebrahimi }
2175*62c56f98SSadaf Ebrahimi p += output_len;
2176*62c56f98SSadaf Ebrahimi
2177*62c56f98SSadaf Ebrahimi if (mbedtls_ssl_tls13_key_exchange_mode_with_ephemeral(ssl)) {
2178*62c56f98SSadaf Ebrahimi if (is_hrr) {
2179*62c56f98SSadaf Ebrahimi ret = ssl_tls13_write_hrr_key_share_ext(ssl, p, end, &output_len);
2180*62c56f98SSadaf Ebrahimi } else {
2181*62c56f98SSadaf Ebrahimi ret = ssl_tls13_write_key_share_ext(ssl, p, end, &output_len);
2182*62c56f98SSadaf Ebrahimi }
2183*62c56f98SSadaf Ebrahimi if (ret != 0) {
2184*62c56f98SSadaf Ebrahimi return ret;
2185*62c56f98SSadaf Ebrahimi }
2186*62c56f98SSadaf Ebrahimi p += output_len;
2187*62c56f98SSadaf Ebrahimi }
2188*62c56f98SSadaf Ebrahimi
2189*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
2190*62c56f98SSadaf Ebrahimi if (!is_hrr && mbedtls_ssl_tls13_key_exchange_mode_with_psk(ssl)) {
2191*62c56f98SSadaf Ebrahimi ret = ssl_tls13_write_server_pre_shared_key_ext(ssl, p, end, &output_len);
2192*62c56f98SSadaf Ebrahimi if (ret != 0) {
2193*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_RET(1, "ssl_tls13_write_server_pre_shared_key_ext",
2194*62c56f98SSadaf Ebrahimi ret);
2195*62c56f98SSadaf Ebrahimi return ret;
2196*62c56f98SSadaf Ebrahimi }
2197*62c56f98SSadaf Ebrahimi p += output_len;
2198*62c56f98SSadaf Ebrahimi }
2199*62c56f98SSadaf Ebrahimi #endif
2200*62c56f98SSadaf Ebrahimi
2201*62c56f98SSadaf Ebrahimi MBEDTLS_PUT_UINT16_BE(p - p_extensions_len - 2, p_extensions_len, 0);
2202*62c56f98SSadaf Ebrahimi
2203*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_BUF(4, "server hello extensions",
2204*62c56f98SSadaf Ebrahimi p_extensions_len, p - p_extensions_len);
2205*62c56f98SSadaf Ebrahimi
2206*62c56f98SSadaf Ebrahimi *out_len = p - buf;
2207*62c56f98SSadaf Ebrahimi
2208*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_BUF(3, "server hello", buf, *out_len);
2209*62c56f98SSadaf Ebrahimi
2210*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_PRINT_EXTS(
2211*62c56f98SSadaf Ebrahimi 3, is_hrr ? MBEDTLS_SSL_TLS1_3_HS_HELLO_RETRY_REQUEST :
2212*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_HS_SERVER_HELLO,
2213*62c56f98SSadaf Ebrahimi ssl->handshake->sent_extensions);
2214*62c56f98SSadaf Ebrahimi
2215*62c56f98SSadaf Ebrahimi return ret;
2216*62c56f98SSadaf Ebrahimi }
2217*62c56f98SSadaf Ebrahimi
2218*62c56f98SSadaf Ebrahimi MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_finalize_server_hello(mbedtls_ssl_context * ssl)2219*62c56f98SSadaf Ebrahimi static int ssl_tls13_finalize_server_hello(mbedtls_ssl_context *ssl)
2220*62c56f98SSadaf Ebrahimi {
2221*62c56f98SSadaf Ebrahimi int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2222*62c56f98SSadaf Ebrahimi ret = mbedtls_ssl_tls13_compute_handshake_transform(ssl);
2223*62c56f98SSadaf Ebrahimi if (ret != 0) {
2224*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_RET(1,
2225*62c56f98SSadaf Ebrahimi "mbedtls_ssl_tls13_compute_handshake_transform",
2226*62c56f98SSadaf Ebrahimi ret);
2227*62c56f98SSadaf Ebrahimi return ret;
2228*62c56f98SSadaf Ebrahimi }
2229*62c56f98SSadaf Ebrahimi
2230*62c56f98SSadaf Ebrahimi return ret;
2231*62c56f98SSadaf Ebrahimi }
2232*62c56f98SSadaf Ebrahimi
2233*62c56f98SSadaf Ebrahimi MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_write_server_hello(mbedtls_ssl_context * ssl)2234*62c56f98SSadaf Ebrahimi static int ssl_tls13_write_server_hello(mbedtls_ssl_context *ssl)
2235*62c56f98SSadaf Ebrahimi {
2236*62c56f98SSadaf Ebrahimi int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2237*62c56f98SSadaf Ebrahimi unsigned char *buf;
2238*62c56f98SSadaf Ebrahimi size_t buf_len, msg_len;
2239*62c56f98SSadaf Ebrahimi
2240*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(2, ("=> write server hello"));
2241*62c56f98SSadaf Ebrahimi
2242*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_PROC_CHK(ssl_tls13_prepare_server_hello(ssl));
2243*62c56f98SSadaf Ebrahimi
2244*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_start_handshake_msg(
2245*62c56f98SSadaf Ebrahimi ssl, MBEDTLS_SSL_HS_SERVER_HELLO, &buf, &buf_len));
2246*62c56f98SSadaf Ebrahimi
2247*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_PROC_CHK(ssl_tls13_write_server_hello_body(ssl, buf,
2248*62c56f98SSadaf Ebrahimi buf + buf_len,
2249*62c56f98SSadaf Ebrahimi &msg_len,
2250*62c56f98SSadaf Ebrahimi 0));
2251*62c56f98SSadaf Ebrahimi
2252*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(
2253*62c56f98SSadaf Ebrahimi ssl, MBEDTLS_SSL_HS_SERVER_HELLO, buf, msg_len));
2254*62c56f98SSadaf Ebrahimi
2255*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_finish_handshake_msg(
2256*62c56f98SSadaf Ebrahimi ssl, buf_len, msg_len));
2257*62c56f98SSadaf Ebrahimi
2258*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_PROC_CHK(ssl_tls13_finalize_server_hello(ssl));
2259*62c56f98SSadaf Ebrahimi
2260*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
2261*62c56f98SSadaf Ebrahimi /* The server sends a dummy change_cipher_spec record immediately
2262*62c56f98SSadaf Ebrahimi * after its first handshake message. This may either be after
2263*62c56f98SSadaf Ebrahimi * a ServerHello or a HelloRetryRequest.
2264*62c56f98SSadaf Ebrahimi */
2265*62c56f98SSadaf Ebrahimi mbedtls_ssl_handshake_set_state(
2266*62c56f98SSadaf Ebrahimi ssl, MBEDTLS_SSL_SERVER_CCS_AFTER_SERVER_HELLO);
2267*62c56f98SSadaf Ebrahimi #else
2268*62c56f98SSadaf Ebrahimi mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_ENCRYPTED_EXTENSIONS);
2269*62c56f98SSadaf Ebrahimi #endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
2270*62c56f98SSadaf Ebrahimi
2271*62c56f98SSadaf Ebrahimi cleanup:
2272*62c56f98SSadaf Ebrahimi
2273*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(2, ("<= write server hello"));
2274*62c56f98SSadaf Ebrahimi return ret;
2275*62c56f98SSadaf Ebrahimi }
2276*62c56f98SSadaf Ebrahimi
2277*62c56f98SSadaf Ebrahimi
2278*62c56f98SSadaf Ebrahimi /*
2279*62c56f98SSadaf Ebrahimi * Handler for MBEDTLS_SSL_HELLO_RETRY_REQUEST
2280*62c56f98SSadaf Ebrahimi */
2281*62c56f98SSadaf Ebrahimi MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_prepare_hello_retry_request(mbedtls_ssl_context * ssl)2282*62c56f98SSadaf Ebrahimi static int ssl_tls13_prepare_hello_retry_request(mbedtls_ssl_context *ssl)
2283*62c56f98SSadaf Ebrahimi {
2284*62c56f98SSadaf Ebrahimi int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2285*62c56f98SSadaf Ebrahimi if (ssl->handshake->hello_retry_request_count > 0) {
2286*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(1, ("Too many HRRs"));
2287*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
2288*62c56f98SSadaf Ebrahimi MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE);
2289*62c56f98SSadaf Ebrahimi return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
2290*62c56f98SSadaf Ebrahimi }
2291*62c56f98SSadaf Ebrahimi
2292*62c56f98SSadaf Ebrahimi /*
2293*62c56f98SSadaf Ebrahimi * Create stateless transcript hash for HRR
2294*62c56f98SSadaf Ebrahimi */
2295*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(4, ("Reset transcript for HRR"));
2296*62c56f98SSadaf Ebrahimi ret = mbedtls_ssl_reset_transcript_for_hrr(ssl);
2297*62c56f98SSadaf Ebrahimi if (ret != 0) {
2298*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_reset_transcript_for_hrr", ret);
2299*62c56f98SSadaf Ebrahimi return ret;
2300*62c56f98SSadaf Ebrahimi }
2301*62c56f98SSadaf Ebrahimi mbedtls_ssl_session_reset_msg_layer(ssl, 0);
2302*62c56f98SSadaf Ebrahimi
2303*62c56f98SSadaf Ebrahimi return 0;
2304*62c56f98SSadaf Ebrahimi }
2305*62c56f98SSadaf Ebrahimi
2306*62c56f98SSadaf Ebrahimi MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_write_hello_retry_request(mbedtls_ssl_context * ssl)2307*62c56f98SSadaf Ebrahimi static int ssl_tls13_write_hello_retry_request(mbedtls_ssl_context *ssl)
2308*62c56f98SSadaf Ebrahimi {
2309*62c56f98SSadaf Ebrahimi int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2310*62c56f98SSadaf Ebrahimi unsigned char *buf;
2311*62c56f98SSadaf Ebrahimi size_t buf_len, msg_len;
2312*62c56f98SSadaf Ebrahimi
2313*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(2, ("=> write hello retry request"));
2314*62c56f98SSadaf Ebrahimi
2315*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_PROC_CHK(ssl_tls13_prepare_hello_retry_request(ssl));
2316*62c56f98SSadaf Ebrahimi
2317*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_start_handshake_msg(
2318*62c56f98SSadaf Ebrahimi ssl, MBEDTLS_SSL_HS_SERVER_HELLO,
2319*62c56f98SSadaf Ebrahimi &buf, &buf_len));
2320*62c56f98SSadaf Ebrahimi
2321*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_PROC_CHK(ssl_tls13_write_server_hello_body(ssl, buf,
2322*62c56f98SSadaf Ebrahimi buf + buf_len,
2323*62c56f98SSadaf Ebrahimi &msg_len,
2324*62c56f98SSadaf Ebrahimi 1));
2325*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(
2326*62c56f98SSadaf Ebrahimi ssl, MBEDTLS_SSL_HS_SERVER_HELLO, buf, msg_len));
2327*62c56f98SSadaf Ebrahimi
2328*62c56f98SSadaf Ebrahimi
2329*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_finish_handshake_msg(ssl, buf_len,
2330*62c56f98SSadaf Ebrahimi msg_len));
2331*62c56f98SSadaf Ebrahimi
2332*62c56f98SSadaf Ebrahimi ssl->handshake->hello_retry_request_count++;
2333*62c56f98SSadaf Ebrahimi
2334*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
2335*62c56f98SSadaf Ebrahimi /* The server sends a dummy change_cipher_spec record immediately
2336*62c56f98SSadaf Ebrahimi * after its first handshake message. This may either be after
2337*62c56f98SSadaf Ebrahimi * a ServerHello or a HelloRetryRequest.
2338*62c56f98SSadaf Ebrahimi */
2339*62c56f98SSadaf Ebrahimi mbedtls_ssl_handshake_set_state(
2340*62c56f98SSadaf Ebrahimi ssl, MBEDTLS_SSL_SERVER_CCS_AFTER_HELLO_RETRY_REQUEST);
2341*62c56f98SSadaf Ebrahimi #else
2342*62c56f98SSadaf Ebrahimi mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_HELLO);
2343*62c56f98SSadaf Ebrahimi #endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
2344*62c56f98SSadaf Ebrahimi
2345*62c56f98SSadaf Ebrahimi cleanup:
2346*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(2, ("<= write hello retry request"));
2347*62c56f98SSadaf Ebrahimi return ret;
2348*62c56f98SSadaf Ebrahimi }
2349*62c56f98SSadaf Ebrahimi
2350*62c56f98SSadaf Ebrahimi /*
2351*62c56f98SSadaf Ebrahimi * Handler for MBEDTLS_SSL_ENCRYPTED_EXTENSIONS
2352*62c56f98SSadaf Ebrahimi */
2353*62c56f98SSadaf Ebrahimi
2354*62c56f98SSadaf Ebrahimi /*
2355*62c56f98SSadaf Ebrahimi * struct {
2356*62c56f98SSadaf Ebrahimi * Extension extensions<0..2 ^ 16 - 1>;
2357*62c56f98SSadaf Ebrahimi * } EncryptedExtensions;
2358*62c56f98SSadaf Ebrahimi *
2359*62c56f98SSadaf Ebrahimi */
2360*62c56f98SSadaf Ebrahimi MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_write_encrypted_extensions_body(mbedtls_ssl_context * ssl,unsigned char * buf,unsigned char * end,size_t * out_len)2361*62c56f98SSadaf Ebrahimi static int ssl_tls13_write_encrypted_extensions_body(mbedtls_ssl_context *ssl,
2362*62c56f98SSadaf Ebrahimi unsigned char *buf,
2363*62c56f98SSadaf Ebrahimi unsigned char *end,
2364*62c56f98SSadaf Ebrahimi size_t *out_len)
2365*62c56f98SSadaf Ebrahimi {
2366*62c56f98SSadaf Ebrahimi int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2367*62c56f98SSadaf Ebrahimi unsigned char *p = buf;
2368*62c56f98SSadaf Ebrahimi size_t extensions_len = 0;
2369*62c56f98SSadaf Ebrahimi unsigned char *p_extensions_len;
2370*62c56f98SSadaf Ebrahimi size_t output_len;
2371*62c56f98SSadaf Ebrahimi
2372*62c56f98SSadaf Ebrahimi *out_len = 0;
2373*62c56f98SSadaf Ebrahimi
2374*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2);
2375*62c56f98SSadaf Ebrahimi p_extensions_len = p;
2376*62c56f98SSadaf Ebrahimi p += 2;
2377*62c56f98SSadaf Ebrahimi
2378*62c56f98SSadaf Ebrahimi ((void) ssl);
2379*62c56f98SSadaf Ebrahimi ((void) ret);
2380*62c56f98SSadaf Ebrahimi ((void) output_len);
2381*62c56f98SSadaf Ebrahimi
2382*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_SSL_ALPN)
2383*62c56f98SSadaf Ebrahimi ret = mbedtls_ssl_write_alpn_ext(ssl, p, end, &output_len);
2384*62c56f98SSadaf Ebrahimi if (ret != 0) {
2385*62c56f98SSadaf Ebrahimi return ret;
2386*62c56f98SSadaf Ebrahimi }
2387*62c56f98SSadaf Ebrahimi p += output_len;
2388*62c56f98SSadaf Ebrahimi #endif /* MBEDTLS_SSL_ALPN */
2389*62c56f98SSadaf Ebrahimi
2390*62c56f98SSadaf Ebrahimi extensions_len = (p - p_extensions_len) - 2;
2391*62c56f98SSadaf Ebrahimi MBEDTLS_PUT_UINT16_BE(extensions_len, p_extensions_len, 0);
2392*62c56f98SSadaf Ebrahimi
2393*62c56f98SSadaf Ebrahimi *out_len = p - buf;
2394*62c56f98SSadaf Ebrahimi
2395*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_BUF(4, "encrypted extensions", buf, *out_len);
2396*62c56f98SSadaf Ebrahimi
2397*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_PRINT_EXTS(
2398*62c56f98SSadaf Ebrahimi 3, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS, ssl->handshake->sent_extensions);
2399*62c56f98SSadaf Ebrahimi
2400*62c56f98SSadaf Ebrahimi return 0;
2401*62c56f98SSadaf Ebrahimi }
2402*62c56f98SSadaf Ebrahimi
2403*62c56f98SSadaf Ebrahimi MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_write_encrypted_extensions(mbedtls_ssl_context * ssl)2404*62c56f98SSadaf Ebrahimi static int ssl_tls13_write_encrypted_extensions(mbedtls_ssl_context *ssl)
2405*62c56f98SSadaf Ebrahimi {
2406*62c56f98SSadaf Ebrahimi int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2407*62c56f98SSadaf Ebrahimi unsigned char *buf;
2408*62c56f98SSadaf Ebrahimi size_t buf_len, msg_len;
2409*62c56f98SSadaf Ebrahimi
2410*62c56f98SSadaf Ebrahimi mbedtls_ssl_set_outbound_transform(ssl,
2411*62c56f98SSadaf Ebrahimi ssl->handshake->transform_handshake);
2412*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(
2413*62c56f98SSadaf Ebrahimi 3, ("switching to handshake transform for outbound data"));
2414*62c56f98SSadaf Ebrahimi
2415*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(2, ("=> write encrypted extensions"));
2416*62c56f98SSadaf Ebrahimi
2417*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_start_handshake_msg(
2418*62c56f98SSadaf Ebrahimi ssl, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS,
2419*62c56f98SSadaf Ebrahimi &buf, &buf_len));
2420*62c56f98SSadaf Ebrahimi
2421*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_PROC_CHK(ssl_tls13_write_encrypted_extensions_body(
2422*62c56f98SSadaf Ebrahimi ssl, buf, buf + buf_len, &msg_len));
2423*62c56f98SSadaf Ebrahimi
2424*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(
2425*62c56f98SSadaf Ebrahimi ssl, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS,
2426*62c56f98SSadaf Ebrahimi buf, msg_len));
2427*62c56f98SSadaf Ebrahimi
2428*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_finish_handshake_msg(
2429*62c56f98SSadaf Ebrahimi ssl, buf_len, msg_len));
2430*62c56f98SSadaf Ebrahimi
2431*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
2432*62c56f98SSadaf Ebrahimi if (mbedtls_ssl_tls13_key_exchange_mode_with_psk(ssl)) {
2433*62c56f98SSadaf Ebrahimi mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_FINISHED);
2434*62c56f98SSadaf Ebrahimi } else {
2435*62c56f98SSadaf Ebrahimi mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CERTIFICATE_REQUEST);
2436*62c56f98SSadaf Ebrahimi }
2437*62c56f98SSadaf Ebrahimi #else
2438*62c56f98SSadaf Ebrahimi mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_FINISHED);
2439*62c56f98SSadaf Ebrahimi #endif
2440*62c56f98SSadaf Ebrahimi
2441*62c56f98SSadaf Ebrahimi cleanup:
2442*62c56f98SSadaf Ebrahimi
2443*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(2, ("<= write encrypted extensions"));
2444*62c56f98SSadaf Ebrahimi return ret;
2445*62c56f98SSadaf Ebrahimi }
2446*62c56f98SSadaf Ebrahimi
2447*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
2448*62c56f98SSadaf Ebrahimi #define SSL_CERTIFICATE_REQUEST_SEND_REQUEST 0
2449*62c56f98SSadaf Ebrahimi #define SSL_CERTIFICATE_REQUEST_SKIP 1
2450*62c56f98SSadaf Ebrahimi /* Coordination:
2451*62c56f98SSadaf Ebrahimi * Check whether a CertificateRequest message should be written.
2452*62c56f98SSadaf Ebrahimi * Returns a negative code on failure, or
2453*62c56f98SSadaf Ebrahimi * - SSL_CERTIFICATE_REQUEST_SEND_REQUEST
2454*62c56f98SSadaf Ebrahimi * - SSL_CERTIFICATE_REQUEST_SKIP
2455*62c56f98SSadaf Ebrahimi * indicating if the writing of the CertificateRequest
2456*62c56f98SSadaf Ebrahimi * should be skipped or not.
2457*62c56f98SSadaf Ebrahimi */
2458*62c56f98SSadaf Ebrahimi MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_certificate_request_coordinate(mbedtls_ssl_context * ssl)2459*62c56f98SSadaf Ebrahimi static int ssl_tls13_certificate_request_coordinate(mbedtls_ssl_context *ssl)
2460*62c56f98SSadaf Ebrahimi {
2461*62c56f98SSadaf Ebrahimi int authmode;
2462*62c56f98SSadaf Ebrahimi
2463*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
2464*62c56f98SSadaf Ebrahimi if (ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET) {
2465*62c56f98SSadaf Ebrahimi authmode = ssl->handshake->sni_authmode;
2466*62c56f98SSadaf Ebrahimi } else
2467*62c56f98SSadaf Ebrahimi #endif
2468*62c56f98SSadaf Ebrahimi authmode = ssl->conf->authmode;
2469*62c56f98SSadaf Ebrahimi
2470*62c56f98SSadaf Ebrahimi if (authmode == MBEDTLS_SSL_VERIFY_NONE) {
2471*62c56f98SSadaf Ebrahimi ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_SKIP_VERIFY;
2472*62c56f98SSadaf Ebrahimi return SSL_CERTIFICATE_REQUEST_SKIP;
2473*62c56f98SSadaf Ebrahimi }
2474*62c56f98SSadaf Ebrahimi
2475*62c56f98SSadaf Ebrahimi ssl->handshake->certificate_request_sent = 1;
2476*62c56f98SSadaf Ebrahimi
2477*62c56f98SSadaf Ebrahimi return SSL_CERTIFICATE_REQUEST_SEND_REQUEST;
2478*62c56f98SSadaf Ebrahimi }
2479*62c56f98SSadaf Ebrahimi
2480*62c56f98SSadaf Ebrahimi /*
2481*62c56f98SSadaf Ebrahimi * struct {
2482*62c56f98SSadaf Ebrahimi * opaque certificate_request_context<0..2^8-1>;
2483*62c56f98SSadaf Ebrahimi * Extension extensions<2..2^16-1>;
2484*62c56f98SSadaf Ebrahimi * } CertificateRequest;
2485*62c56f98SSadaf Ebrahimi *
2486*62c56f98SSadaf Ebrahimi */
2487*62c56f98SSadaf Ebrahimi MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_write_certificate_request_body(mbedtls_ssl_context * ssl,unsigned char * buf,const unsigned char * end,size_t * out_len)2488*62c56f98SSadaf Ebrahimi static int ssl_tls13_write_certificate_request_body(mbedtls_ssl_context *ssl,
2489*62c56f98SSadaf Ebrahimi unsigned char *buf,
2490*62c56f98SSadaf Ebrahimi const unsigned char *end,
2491*62c56f98SSadaf Ebrahimi size_t *out_len)
2492*62c56f98SSadaf Ebrahimi {
2493*62c56f98SSadaf Ebrahimi int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2494*62c56f98SSadaf Ebrahimi unsigned char *p = buf;
2495*62c56f98SSadaf Ebrahimi size_t output_len = 0;
2496*62c56f98SSadaf Ebrahimi unsigned char *p_extensions_len;
2497*62c56f98SSadaf Ebrahimi
2498*62c56f98SSadaf Ebrahimi *out_len = 0;
2499*62c56f98SSadaf Ebrahimi
2500*62c56f98SSadaf Ebrahimi /* Check if we have enough space:
2501*62c56f98SSadaf Ebrahimi * - certificate_request_context (1 byte)
2502*62c56f98SSadaf Ebrahimi * - extensions length (2 bytes)
2503*62c56f98SSadaf Ebrahimi */
2504*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_CHK_BUF_PTR(p, end, 3);
2505*62c56f98SSadaf Ebrahimi
2506*62c56f98SSadaf Ebrahimi /*
2507*62c56f98SSadaf Ebrahimi * Write certificate_request_context
2508*62c56f98SSadaf Ebrahimi */
2509*62c56f98SSadaf Ebrahimi /*
2510*62c56f98SSadaf Ebrahimi * We use a zero length context for the normal handshake
2511*62c56f98SSadaf Ebrahimi * messages. For post-authentication handshake messages
2512*62c56f98SSadaf Ebrahimi * this request context would be set to a non-zero value.
2513*62c56f98SSadaf Ebrahimi */
2514*62c56f98SSadaf Ebrahimi *p++ = 0x0;
2515*62c56f98SSadaf Ebrahimi
2516*62c56f98SSadaf Ebrahimi /*
2517*62c56f98SSadaf Ebrahimi * Write extensions
2518*62c56f98SSadaf Ebrahimi */
2519*62c56f98SSadaf Ebrahimi /* The extensions must contain the signature_algorithms. */
2520*62c56f98SSadaf Ebrahimi p_extensions_len = p;
2521*62c56f98SSadaf Ebrahimi p += 2;
2522*62c56f98SSadaf Ebrahimi ret = mbedtls_ssl_write_sig_alg_ext(ssl, p, end, &output_len);
2523*62c56f98SSadaf Ebrahimi if (ret != 0) {
2524*62c56f98SSadaf Ebrahimi return ret;
2525*62c56f98SSadaf Ebrahimi }
2526*62c56f98SSadaf Ebrahimi
2527*62c56f98SSadaf Ebrahimi p += output_len;
2528*62c56f98SSadaf Ebrahimi MBEDTLS_PUT_UINT16_BE(p - p_extensions_len - 2, p_extensions_len, 0);
2529*62c56f98SSadaf Ebrahimi
2530*62c56f98SSadaf Ebrahimi *out_len = p - buf;
2531*62c56f98SSadaf Ebrahimi
2532*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_PRINT_EXTS(
2533*62c56f98SSadaf Ebrahimi 3, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST, ssl->handshake->sent_extensions);
2534*62c56f98SSadaf Ebrahimi
2535*62c56f98SSadaf Ebrahimi return 0;
2536*62c56f98SSadaf Ebrahimi }
2537*62c56f98SSadaf Ebrahimi
2538*62c56f98SSadaf Ebrahimi MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_write_certificate_request(mbedtls_ssl_context * ssl)2539*62c56f98SSadaf Ebrahimi static int ssl_tls13_write_certificate_request(mbedtls_ssl_context *ssl)
2540*62c56f98SSadaf Ebrahimi {
2541*62c56f98SSadaf Ebrahimi int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2542*62c56f98SSadaf Ebrahimi
2543*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate request"));
2544*62c56f98SSadaf Ebrahimi
2545*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_PROC_CHK_NEG(ssl_tls13_certificate_request_coordinate(ssl));
2546*62c56f98SSadaf Ebrahimi
2547*62c56f98SSadaf Ebrahimi if (ret == SSL_CERTIFICATE_REQUEST_SEND_REQUEST) {
2548*62c56f98SSadaf Ebrahimi unsigned char *buf;
2549*62c56f98SSadaf Ebrahimi size_t buf_len, msg_len;
2550*62c56f98SSadaf Ebrahimi
2551*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_start_handshake_msg(
2552*62c56f98SSadaf Ebrahimi ssl, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST,
2553*62c56f98SSadaf Ebrahimi &buf, &buf_len));
2554*62c56f98SSadaf Ebrahimi
2555*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_PROC_CHK(ssl_tls13_write_certificate_request_body(
2556*62c56f98SSadaf Ebrahimi ssl, buf, buf + buf_len, &msg_len));
2557*62c56f98SSadaf Ebrahimi
2558*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(
2559*62c56f98SSadaf Ebrahimi ssl, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST,
2560*62c56f98SSadaf Ebrahimi buf, msg_len));
2561*62c56f98SSadaf Ebrahimi
2562*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_finish_handshake_msg(
2563*62c56f98SSadaf Ebrahimi ssl, buf_len, msg_len));
2564*62c56f98SSadaf Ebrahimi } else if (ret == SSL_CERTIFICATE_REQUEST_SKIP) {
2565*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate request"));
2566*62c56f98SSadaf Ebrahimi ret = 0;
2567*62c56f98SSadaf Ebrahimi } else {
2568*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
2569*62c56f98SSadaf Ebrahimi ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
2570*62c56f98SSadaf Ebrahimi goto cleanup;
2571*62c56f98SSadaf Ebrahimi }
2572*62c56f98SSadaf Ebrahimi
2573*62c56f98SSadaf Ebrahimi mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_CERTIFICATE);
2574*62c56f98SSadaf Ebrahimi cleanup:
2575*62c56f98SSadaf Ebrahimi
2576*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(2, ("<= write certificate request"));
2577*62c56f98SSadaf Ebrahimi return ret;
2578*62c56f98SSadaf Ebrahimi }
2579*62c56f98SSadaf Ebrahimi
2580*62c56f98SSadaf Ebrahimi /*
2581*62c56f98SSadaf Ebrahimi * Handler for MBEDTLS_SSL_SERVER_CERTIFICATE
2582*62c56f98SSadaf Ebrahimi */
2583*62c56f98SSadaf Ebrahimi MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_write_server_certificate(mbedtls_ssl_context * ssl)2584*62c56f98SSadaf Ebrahimi static int ssl_tls13_write_server_certificate(mbedtls_ssl_context *ssl)
2585*62c56f98SSadaf Ebrahimi {
2586*62c56f98SSadaf Ebrahimi int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2587*62c56f98SSadaf Ebrahimi
2588*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_X509_CRT_PARSE_C)
2589*62c56f98SSadaf Ebrahimi if ((ssl_tls13_pick_key_cert(ssl) != 0) ||
2590*62c56f98SSadaf Ebrahimi mbedtls_ssl_own_cert(ssl) == NULL) {
2591*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(2, ("No certificate available."));
2592*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
2593*62c56f98SSadaf Ebrahimi MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE);
2594*62c56f98SSadaf Ebrahimi return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
2595*62c56f98SSadaf Ebrahimi }
2596*62c56f98SSadaf Ebrahimi #endif /* MBEDTLS_X509_CRT_PARSE_C */
2597*62c56f98SSadaf Ebrahimi
2598*62c56f98SSadaf Ebrahimi ret = mbedtls_ssl_tls13_write_certificate(ssl);
2599*62c56f98SSadaf Ebrahimi if (ret != 0) {
2600*62c56f98SSadaf Ebrahimi return ret;
2601*62c56f98SSadaf Ebrahimi }
2602*62c56f98SSadaf Ebrahimi mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CERTIFICATE_VERIFY);
2603*62c56f98SSadaf Ebrahimi return 0;
2604*62c56f98SSadaf Ebrahimi }
2605*62c56f98SSadaf Ebrahimi
2606*62c56f98SSadaf Ebrahimi /*
2607*62c56f98SSadaf Ebrahimi * Handler for MBEDTLS_SSL_CERTIFICATE_VERIFY
2608*62c56f98SSadaf Ebrahimi */
2609*62c56f98SSadaf Ebrahimi MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_write_certificate_verify(mbedtls_ssl_context * ssl)2610*62c56f98SSadaf Ebrahimi static int ssl_tls13_write_certificate_verify(mbedtls_ssl_context *ssl)
2611*62c56f98SSadaf Ebrahimi {
2612*62c56f98SSadaf Ebrahimi int ret = mbedtls_ssl_tls13_write_certificate_verify(ssl);
2613*62c56f98SSadaf Ebrahimi if (ret != 0) {
2614*62c56f98SSadaf Ebrahimi return ret;
2615*62c56f98SSadaf Ebrahimi }
2616*62c56f98SSadaf Ebrahimi mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_FINISHED);
2617*62c56f98SSadaf Ebrahimi return 0;
2618*62c56f98SSadaf Ebrahimi }
2619*62c56f98SSadaf Ebrahimi #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
2620*62c56f98SSadaf Ebrahimi
2621*62c56f98SSadaf Ebrahimi /*
2622*62c56f98SSadaf Ebrahimi * Handler for MBEDTLS_SSL_SERVER_FINISHED
2623*62c56f98SSadaf Ebrahimi */
2624*62c56f98SSadaf Ebrahimi MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_write_server_finished(mbedtls_ssl_context * ssl)2625*62c56f98SSadaf Ebrahimi static int ssl_tls13_write_server_finished(mbedtls_ssl_context *ssl)
2626*62c56f98SSadaf Ebrahimi {
2627*62c56f98SSadaf Ebrahimi int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2628*62c56f98SSadaf Ebrahimi
2629*62c56f98SSadaf Ebrahimi ret = mbedtls_ssl_tls13_write_finished_message(ssl);
2630*62c56f98SSadaf Ebrahimi if (ret != 0) {
2631*62c56f98SSadaf Ebrahimi return ret;
2632*62c56f98SSadaf Ebrahimi }
2633*62c56f98SSadaf Ebrahimi
2634*62c56f98SSadaf Ebrahimi ret = mbedtls_ssl_tls13_compute_application_transform(ssl);
2635*62c56f98SSadaf Ebrahimi if (ret != 0) {
2636*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_PEND_FATAL_ALERT(
2637*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
2638*62c56f98SSadaf Ebrahimi MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE);
2639*62c56f98SSadaf Ebrahimi return ret;
2640*62c56f98SSadaf Ebrahimi }
2641*62c56f98SSadaf Ebrahimi
2642*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(1, ("Switch to handshake keys for inbound traffic"));
2643*62c56f98SSadaf Ebrahimi mbedtls_ssl_set_inbound_transform(ssl, ssl->handshake->transform_handshake);
2644*62c56f98SSadaf Ebrahimi
2645*62c56f98SSadaf Ebrahimi if (ssl->handshake->certificate_request_sent) {
2646*62c56f98SSadaf Ebrahimi mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE);
2647*62c56f98SSadaf Ebrahimi } else {
2648*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(2, ("skip parse certificate"));
2649*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(2, ("skip parse certificate verify"));
2650*62c56f98SSadaf Ebrahimi mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_FINISHED);
2651*62c56f98SSadaf Ebrahimi }
2652*62c56f98SSadaf Ebrahimi
2653*62c56f98SSadaf Ebrahimi return 0;
2654*62c56f98SSadaf Ebrahimi }
2655*62c56f98SSadaf Ebrahimi
2656*62c56f98SSadaf Ebrahimi /*
2657*62c56f98SSadaf Ebrahimi * Handler for MBEDTLS_SSL_CLIENT_FINISHED
2658*62c56f98SSadaf Ebrahimi */
2659*62c56f98SSadaf Ebrahimi MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_process_client_finished(mbedtls_ssl_context * ssl)2660*62c56f98SSadaf Ebrahimi static int ssl_tls13_process_client_finished(mbedtls_ssl_context *ssl)
2661*62c56f98SSadaf Ebrahimi {
2662*62c56f98SSadaf Ebrahimi int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2663*62c56f98SSadaf Ebrahimi
2664*62c56f98SSadaf Ebrahimi ret = mbedtls_ssl_tls13_process_finished_message(ssl);
2665*62c56f98SSadaf Ebrahimi if (ret != 0) {
2666*62c56f98SSadaf Ebrahimi return ret;
2667*62c56f98SSadaf Ebrahimi }
2668*62c56f98SSadaf Ebrahimi
2669*62c56f98SSadaf Ebrahimi ret = mbedtls_ssl_tls13_compute_resumption_master_secret(ssl);
2670*62c56f98SSadaf Ebrahimi if (ret != 0) {
2671*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_RET(
2672*62c56f98SSadaf Ebrahimi 1, "mbedtls_ssl_tls13_compute_resumption_master_secret", ret);
2673*62c56f98SSadaf Ebrahimi }
2674*62c56f98SSadaf Ebrahimi
2675*62c56f98SSadaf Ebrahimi mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_WRAPUP);
2676*62c56f98SSadaf Ebrahimi return 0;
2677*62c56f98SSadaf Ebrahimi }
2678*62c56f98SSadaf Ebrahimi
2679*62c56f98SSadaf Ebrahimi /*
2680*62c56f98SSadaf Ebrahimi * Handler for MBEDTLS_SSL_HANDSHAKE_WRAPUP
2681*62c56f98SSadaf Ebrahimi */
2682*62c56f98SSadaf Ebrahimi MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_handshake_wrapup(mbedtls_ssl_context * ssl)2683*62c56f98SSadaf Ebrahimi static int ssl_tls13_handshake_wrapup(mbedtls_ssl_context *ssl)
2684*62c56f98SSadaf Ebrahimi {
2685*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(2, ("handshake: done"));
2686*62c56f98SSadaf Ebrahimi
2687*62c56f98SSadaf Ebrahimi mbedtls_ssl_tls13_handshake_wrapup(ssl);
2688*62c56f98SSadaf Ebrahimi
2689*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_SSL_SESSION_TICKETS) && \
2690*62c56f98SSadaf Ebrahimi defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
2691*62c56f98SSadaf Ebrahimi /* TODO: Remove the check of SOME_PSK_ENABLED since SESSION_TICKETS requires
2692*62c56f98SSadaf Ebrahimi * SOME_PSK_ENABLED to be enabled. Here is just to make CI happy. It is
2693*62c56f98SSadaf Ebrahimi * expected to be resolved with issue#6395.
2694*62c56f98SSadaf Ebrahimi */
2695*62c56f98SSadaf Ebrahimi /* Sent NewSessionTicket message only when client supports PSK */
2696*62c56f98SSadaf Ebrahimi if (mbedtls_ssl_tls13_some_psk_enabled(ssl)) {
2697*62c56f98SSadaf Ebrahimi mbedtls_ssl_handshake_set_state(
2698*62c56f98SSadaf Ebrahimi ssl, MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET);
2699*62c56f98SSadaf Ebrahimi } else
2700*62c56f98SSadaf Ebrahimi #endif
2701*62c56f98SSadaf Ebrahimi {
2702*62c56f98SSadaf Ebrahimi mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_OVER);
2703*62c56f98SSadaf Ebrahimi }
2704*62c56f98SSadaf Ebrahimi return 0;
2705*62c56f98SSadaf Ebrahimi }
2706*62c56f98SSadaf Ebrahimi
2707*62c56f98SSadaf Ebrahimi /*
2708*62c56f98SSadaf Ebrahimi * Handler for MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET
2709*62c56f98SSadaf Ebrahimi */
2710*62c56f98SSadaf Ebrahimi #define SSL_NEW_SESSION_TICKET_SKIP 0
2711*62c56f98SSadaf Ebrahimi #define SSL_NEW_SESSION_TICKET_WRITE 1
2712*62c56f98SSadaf Ebrahimi MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_write_new_session_ticket_coordinate(mbedtls_ssl_context * ssl)2713*62c56f98SSadaf Ebrahimi static int ssl_tls13_write_new_session_ticket_coordinate(mbedtls_ssl_context *ssl)
2714*62c56f98SSadaf Ebrahimi {
2715*62c56f98SSadaf Ebrahimi /* Check whether the use of session tickets is enabled */
2716*62c56f98SSadaf Ebrahimi if (ssl->conf->f_ticket_write == NULL) {
2717*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(2, ("NewSessionTicket: disabled,"
2718*62c56f98SSadaf Ebrahimi " callback is not set"));
2719*62c56f98SSadaf Ebrahimi return SSL_NEW_SESSION_TICKET_SKIP;
2720*62c56f98SSadaf Ebrahimi }
2721*62c56f98SSadaf Ebrahimi if (ssl->conf->new_session_tickets_count == 0) {
2722*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(2, ("NewSessionTicket: disabled,"
2723*62c56f98SSadaf Ebrahimi " configured count is zero"));
2724*62c56f98SSadaf Ebrahimi return SSL_NEW_SESSION_TICKET_SKIP;
2725*62c56f98SSadaf Ebrahimi }
2726*62c56f98SSadaf Ebrahimi
2727*62c56f98SSadaf Ebrahimi if (ssl->handshake->new_session_tickets_count == 0) {
2728*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(2, ("NewSessionTicket: all tickets have "
2729*62c56f98SSadaf Ebrahimi "been sent."));
2730*62c56f98SSadaf Ebrahimi return SSL_NEW_SESSION_TICKET_SKIP;
2731*62c56f98SSadaf Ebrahimi }
2732*62c56f98SSadaf Ebrahimi
2733*62c56f98SSadaf Ebrahimi return SSL_NEW_SESSION_TICKET_WRITE;
2734*62c56f98SSadaf Ebrahimi }
2735*62c56f98SSadaf Ebrahimi
2736*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_SSL_SESSION_TICKETS)
2737*62c56f98SSadaf Ebrahimi MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_prepare_new_session_ticket(mbedtls_ssl_context * ssl,unsigned char * ticket_nonce,size_t ticket_nonce_size)2738*62c56f98SSadaf Ebrahimi static int ssl_tls13_prepare_new_session_ticket(mbedtls_ssl_context *ssl,
2739*62c56f98SSadaf Ebrahimi unsigned char *ticket_nonce,
2740*62c56f98SSadaf Ebrahimi size_t ticket_nonce_size)
2741*62c56f98SSadaf Ebrahimi {
2742*62c56f98SSadaf Ebrahimi int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2743*62c56f98SSadaf Ebrahimi mbedtls_ssl_session *session = ssl->session;
2744*62c56f98SSadaf Ebrahimi mbedtls_ssl_ciphersuite_t *ciphersuite_info;
2745*62c56f98SSadaf Ebrahimi psa_algorithm_t psa_hash_alg;
2746*62c56f98SSadaf Ebrahimi int hash_length;
2747*62c56f98SSadaf Ebrahimi
2748*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(2, ("=> prepare NewSessionTicket msg"));
2749*62c56f98SSadaf Ebrahimi
2750*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_HAVE_TIME)
2751*62c56f98SSadaf Ebrahimi session->start = mbedtls_time(NULL);
2752*62c56f98SSadaf Ebrahimi #endif
2753*62c56f98SSadaf Ebrahimi
2754*62c56f98SSadaf Ebrahimi /* Set ticket_flags depends on the advertised psk key exchange mode */
2755*62c56f98SSadaf Ebrahimi mbedtls_ssl_session_clear_ticket_flags(
2756*62c56f98SSadaf Ebrahimi session, MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK);
2757*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
2758*62c56f98SSadaf Ebrahimi mbedtls_ssl_session_set_ticket_flags(
2759*62c56f98SSadaf Ebrahimi session, ssl->handshake->tls13_kex_modes);
2760*62c56f98SSadaf Ebrahimi #endif
2761*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_PRINT_TICKET_FLAGS(4, session->ticket_flags);
2762*62c56f98SSadaf Ebrahimi
2763*62c56f98SSadaf Ebrahimi /* Generate ticket_age_add */
2764*62c56f98SSadaf Ebrahimi if ((ret = ssl->conf->f_rng(ssl->conf->p_rng,
2765*62c56f98SSadaf Ebrahimi (unsigned char *) &session->ticket_age_add,
2766*62c56f98SSadaf Ebrahimi sizeof(session->ticket_age_add)) != 0)) {
2767*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_RET(1, "generate_ticket_age_add", ret);
2768*62c56f98SSadaf Ebrahimi return ret;
2769*62c56f98SSadaf Ebrahimi }
2770*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(3, ("ticket_age_add: %u",
2771*62c56f98SSadaf Ebrahimi (unsigned int) session->ticket_age_add));
2772*62c56f98SSadaf Ebrahimi
2773*62c56f98SSadaf Ebrahimi /* Generate ticket_nonce */
2774*62c56f98SSadaf Ebrahimi ret = ssl->conf->f_rng(ssl->conf->p_rng, ticket_nonce, ticket_nonce_size);
2775*62c56f98SSadaf Ebrahimi if (ret != 0) {
2776*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_RET(1, "generate_ticket_nonce", ret);
2777*62c56f98SSadaf Ebrahimi return ret;
2778*62c56f98SSadaf Ebrahimi }
2779*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_BUF(3, "ticket_nonce:",
2780*62c56f98SSadaf Ebrahimi ticket_nonce, ticket_nonce_size);
2781*62c56f98SSadaf Ebrahimi
2782*62c56f98SSadaf Ebrahimi ciphersuite_info =
2783*62c56f98SSadaf Ebrahimi (mbedtls_ssl_ciphersuite_t *) ssl->handshake->ciphersuite_info;
2784*62c56f98SSadaf Ebrahimi psa_hash_alg = mbedtls_md_psa_alg_from_type(ciphersuite_info->mac);
2785*62c56f98SSadaf Ebrahimi hash_length = PSA_HASH_LENGTH(psa_hash_alg);
2786*62c56f98SSadaf Ebrahimi if (hash_length == -1 ||
2787*62c56f98SSadaf Ebrahimi (size_t) hash_length > sizeof(session->resumption_key)) {
2788*62c56f98SSadaf Ebrahimi return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
2789*62c56f98SSadaf Ebrahimi }
2790*62c56f98SSadaf Ebrahimi
2791*62c56f98SSadaf Ebrahimi /* In this code the psk key length equals the length of the hash */
2792*62c56f98SSadaf Ebrahimi session->resumption_key_len = hash_length;
2793*62c56f98SSadaf Ebrahimi session->ciphersuite = ciphersuite_info->id;
2794*62c56f98SSadaf Ebrahimi
2795*62c56f98SSadaf Ebrahimi /* Compute resumption key
2796*62c56f98SSadaf Ebrahimi *
2797*62c56f98SSadaf Ebrahimi * HKDF-Expand-Label( resumption_master_secret,
2798*62c56f98SSadaf Ebrahimi * "resumption", ticket_nonce, Hash.length )
2799*62c56f98SSadaf Ebrahimi */
2800*62c56f98SSadaf Ebrahimi ret = mbedtls_ssl_tls13_hkdf_expand_label(
2801*62c56f98SSadaf Ebrahimi psa_hash_alg,
2802*62c56f98SSadaf Ebrahimi session->app_secrets.resumption_master_secret,
2803*62c56f98SSadaf Ebrahimi hash_length,
2804*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(resumption),
2805*62c56f98SSadaf Ebrahimi ticket_nonce,
2806*62c56f98SSadaf Ebrahimi ticket_nonce_size,
2807*62c56f98SSadaf Ebrahimi session->resumption_key,
2808*62c56f98SSadaf Ebrahimi hash_length);
2809*62c56f98SSadaf Ebrahimi
2810*62c56f98SSadaf Ebrahimi if (ret != 0) {
2811*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_RET(2,
2812*62c56f98SSadaf Ebrahimi "Creating the ticket-resumed PSK failed",
2813*62c56f98SSadaf Ebrahimi ret);
2814*62c56f98SSadaf Ebrahimi return ret;
2815*62c56f98SSadaf Ebrahimi }
2816*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_BUF(3, "Ticket-resumed PSK",
2817*62c56f98SSadaf Ebrahimi session->resumption_key,
2818*62c56f98SSadaf Ebrahimi session->resumption_key_len);
2819*62c56f98SSadaf Ebrahimi
2820*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_BUF(3, "resumption_master_secret",
2821*62c56f98SSadaf Ebrahimi session->app_secrets.resumption_master_secret,
2822*62c56f98SSadaf Ebrahimi hash_length);
2823*62c56f98SSadaf Ebrahimi
2824*62c56f98SSadaf Ebrahimi return 0;
2825*62c56f98SSadaf Ebrahimi }
2826*62c56f98SSadaf Ebrahimi
2827*62c56f98SSadaf Ebrahimi /* This function creates a NewSessionTicket message in the following format:
2828*62c56f98SSadaf Ebrahimi *
2829*62c56f98SSadaf Ebrahimi * struct {
2830*62c56f98SSadaf Ebrahimi * uint32 ticket_lifetime;
2831*62c56f98SSadaf Ebrahimi * uint32 ticket_age_add;
2832*62c56f98SSadaf Ebrahimi * opaque ticket_nonce<0..255>;
2833*62c56f98SSadaf Ebrahimi * opaque ticket<1..2^16-1>;
2834*62c56f98SSadaf Ebrahimi * Extension extensions<0..2^16-2>;
2835*62c56f98SSadaf Ebrahimi * } NewSessionTicket;
2836*62c56f98SSadaf Ebrahimi *
2837*62c56f98SSadaf Ebrahimi * The ticket inside the NewSessionTicket message is an encrypted container
2838*62c56f98SSadaf Ebrahimi * carrying the necessary information so that the server is later able to
2839*62c56f98SSadaf Ebrahimi * re-start the communication.
2840*62c56f98SSadaf Ebrahimi *
2841*62c56f98SSadaf Ebrahimi * The following fields are placed inside the ticket by the
2842*62c56f98SSadaf Ebrahimi * f_ticket_write() function:
2843*62c56f98SSadaf Ebrahimi *
2844*62c56f98SSadaf Ebrahimi * - creation time (start)
2845*62c56f98SSadaf Ebrahimi * - flags (flags)
2846*62c56f98SSadaf Ebrahimi * - age add (ticket_age_add)
2847*62c56f98SSadaf Ebrahimi * - key (key)
2848*62c56f98SSadaf Ebrahimi * - key length (key_len)
2849*62c56f98SSadaf Ebrahimi * - ciphersuite (ciphersuite)
2850*62c56f98SSadaf Ebrahimi */
2851*62c56f98SSadaf Ebrahimi MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_write_new_session_ticket_body(mbedtls_ssl_context * ssl,unsigned char * buf,unsigned char * end,size_t * out_len,unsigned char * ticket_nonce,size_t ticket_nonce_size)2852*62c56f98SSadaf Ebrahimi static int ssl_tls13_write_new_session_ticket_body(mbedtls_ssl_context *ssl,
2853*62c56f98SSadaf Ebrahimi unsigned char *buf,
2854*62c56f98SSadaf Ebrahimi unsigned char *end,
2855*62c56f98SSadaf Ebrahimi size_t *out_len,
2856*62c56f98SSadaf Ebrahimi unsigned char *ticket_nonce,
2857*62c56f98SSadaf Ebrahimi size_t ticket_nonce_size)
2858*62c56f98SSadaf Ebrahimi {
2859*62c56f98SSadaf Ebrahimi int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2860*62c56f98SSadaf Ebrahimi unsigned char *p = buf;
2861*62c56f98SSadaf Ebrahimi mbedtls_ssl_session *session = ssl->session;
2862*62c56f98SSadaf Ebrahimi size_t ticket_len;
2863*62c56f98SSadaf Ebrahimi uint32_t ticket_lifetime;
2864*62c56f98SSadaf Ebrahimi
2865*62c56f98SSadaf Ebrahimi *out_len = 0;
2866*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(2, ("=> write NewSessionTicket msg"));
2867*62c56f98SSadaf Ebrahimi
2868*62c56f98SSadaf Ebrahimi /*
2869*62c56f98SSadaf Ebrahimi * ticket_lifetime 4 bytes
2870*62c56f98SSadaf Ebrahimi * ticket_age_add 4 bytes
2871*62c56f98SSadaf Ebrahimi * ticket_nonce 1 + ticket_nonce_size bytes
2872*62c56f98SSadaf Ebrahimi * ticket >=2 bytes
2873*62c56f98SSadaf Ebrahimi */
2874*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_CHK_BUF_PTR(p, end, 4 + 4 + 1 + ticket_nonce_size + 2);
2875*62c56f98SSadaf Ebrahimi
2876*62c56f98SSadaf Ebrahimi /* Generate ticket and ticket_lifetime */
2877*62c56f98SSadaf Ebrahimi ret = ssl->conf->f_ticket_write(ssl->conf->p_ticket,
2878*62c56f98SSadaf Ebrahimi session,
2879*62c56f98SSadaf Ebrahimi p + 9 + ticket_nonce_size + 2,
2880*62c56f98SSadaf Ebrahimi end,
2881*62c56f98SSadaf Ebrahimi &ticket_len,
2882*62c56f98SSadaf Ebrahimi &ticket_lifetime);
2883*62c56f98SSadaf Ebrahimi if (ret != 0) {
2884*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_RET(1, "write_ticket", ret);
2885*62c56f98SSadaf Ebrahimi return ret;
2886*62c56f98SSadaf Ebrahimi }
2887*62c56f98SSadaf Ebrahimi /* RFC 8446 4.6.1
2888*62c56f98SSadaf Ebrahimi * ticket_lifetime: Indicates the lifetime in seconds as a 32-bit
2889*62c56f98SSadaf Ebrahimi * unsigned integer in network byte order from the time of ticket
2890*62c56f98SSadaf Ebrahimi * issuance. Servers MUST NOT use any value greater than
2891*62c56f98SSadaf Ebrahimi * 604800 seconds (7 days). The value of zero indicates that the
2892*62c56f98SSadaf Ebrahimi * ticket should be discarded immediately. Clients MUST NOT cache
2893*62c56f98SSadaf Ebrahimi * tickets for longer than 7 days, regardless of the ticket_lifetime,
2894*62c56f98SSadaf Ebrahimi * and MAY delete tickets earlier based on local policy. A server
2895*62c56f98SSadaf Ebrahimi * MAY treat a ticket as valid for a shorter period of time than what
2896*62c56f98SSadaf Ebrahimi * is stated in the ticket_lifetime.
2897*62c56f98SSadaf Ebrahimi */
2898*62c56f98SSadaf Ebrahimi if (ticket_lifetime > 604800) {
2899*62c56f98SSadaf Ebrahimi ticket_lifetime = 604800;
2900*62c56f98SSadaf Ebrahimi }
2901*62c56f98SSadaf Ebrahimi MBEDTLS_PUT_UINT32_BE(ticket_lifetime, p, 0);
2902*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(3, ("ticket_lifetime: %u",
2903*62c56f98SSadaf Ebrahimi (unsigned int) ticket_lifetime));
2904*62c56f98SSadaf Ebrahimi
2905*62c56f98SSadaf Ebrahimi /* Write ticket_age_add */
2906*62c56f98SSadaf Ebrahimi MBEDTLS_PUT_UINT32_BE(session->ticket_age_add, p, 4);
2907*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(3, ("ticket_age_add: %u",
2908*62c56f98SSadaf Ebrahimi (unsigned int) session->ticket_age_add));
2909*62c56f98SSadaf Ebrahimi
2910*62c56f98SSadaf Ebrahimi /* Write ticket_nonce */
2911*62c56f98SSadaf Ebrahimi p[8] = (unsigned char) ticket_nonce_size;
2912*62c56f98SSadaf Ebrahimi if (ticket_nonce_size > 0) {
2913*62c56f98SSadaf Ebrahimi memcpy(p + 9, ticket_nonce, ticket_nonce_size);
2914*62c56f98SSadaf Ebrahimi }
2915*62c56f98SSadaf Ebrahimi p += 9 + ticket_nonce_size;
2916*62c56f98SSadaf Ebrahimi
2917*62c56f98SSadaf Ebrahimi /* Write ticket */
2918*62c56f98SSadaf Ebrahimi MBEDTLS_PUT_UINT16_BE(ticket_len, p, 0);
2919*62c56f98SSadaf Ebrahimi p += 2;
2920*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_BUF(4, "ticket", p, ticket_len);
2921*62c56f98SSadaf Ebrahimi p += ticket_len;
2922*62c56f98SSadaf Ebrahimi
2923*62c56f98SSadaf Ebrahimi /* Ticket Extensions
2924*62c56f98SSadaf Ebrahimi *
2925*62c56f98SSadaf Ebrahimi * Note: We currently don't have any extensions.
2926*62c56f98SSadaf Ebrahimi * Set length to zero.
2927*62c56f98SSadaf Ebrahimi */
2928*62c56f98SSadaf Ebrahimi ssl->handshake->sent_extensions = MBEDTLS_SSL_EXT_MASK_NONE;
2929*62c56f98SSadaf Ebrahimi
2930*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2);
2931*62c56f98SSadaf Ebrahimi MBEDTLS_PUT_UINT16_BE(0, p, 0);
2932*62c56f98SSadaf Ebrahimi p += 2;
2933*62c56f98SSadaf Ebrahimi
2934*62c56f98SSadaf Ebrahimi *out_len = p - buf;
2935*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_BUF(4, "ticket", buf, *out_len);
2936*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(2, ("<= write new session ticket"));
2937*62c56f98SSadaf Ebrahimi
2938*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_PRINT_EXTS(
2939*62c56f98SSadaf Ebrahimi 3, MBEDTLS_SSL_HS_NEW_SESSION_TICKET, ssl->handshake->sent_extensions);
2940*62c56f98SSadaf Ebrahimi
2941*62c56f98SSadaf Ebrahimi return 0;
2942*62c56f98SSadaf Ebrahimi }
2943*62c56f98SSadaf Ebrahimi
2944*62c56f98SSadaf Ebrahimi /*
2945*62c56f98SSadaf Ebrahimi * Handler for MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET
2946*62c56f98SSadaf Ebrahimi */
ssl_tls13_write_new_session_ticket(mbedtls_ssl_context * ssl)2947*62c56f98SSadaf Ebrahimi static int ssl_tls13_write_new_session_ticket(mbedtls_ssl_context *ssl)
2948*62c56f98SSadaf Ebrahimi {
2949*62c56f98SSadaf Ebrahimi int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2950*62c56f98SSadaf Ebrahimi
2951*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_PROC_CHK_NEG(ssl_tls13_write_new_session_ticket_coordinate(ssl));
2952*62c56f98SSadaf Ebrahimi
2953*62c56f98SSadaf Ebrahimi if (ret == SSL_NEW_SESSION_TICKET_WRITE) {
2954*62c56f98SSadaf Ebrahimi unsigned char ticket_nonce[MBEDTLS_SSL_TLS1_3_TICKET_NONCE_LENGTH];
2955*62c56f98SSadaf Ebrahimi unsigned char *buf;
2956*62c56f98SSadaf Ebrahimi size_t buf_len, msg_len;
2957*62c56f98SSadaf Ebrahimi
2958*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_PROC_CHK(ssl_tls13_prepare_new_session_ticket(
2959*62c56f98SSadaf Ebrahimi ssl, ticket_nonce, sizeof(ticket_nonce)));
2960*62c56f98SSadaf Ebrahimi
2961*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_start_handshake_msg(
2962*62c56f98SSadaf Ebrahimi ssl, MBEDTLS_SSL_HS_NEW_SESSION_TICKET,
2963*62c56f98SSadaf Ebrahimi &buf, &buf_len));
2964*62c56f98SSadaf Ebrahimi
2965*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_PROC_CHK(ssl_tls13_write_new_session_ticket_body(
2966*62c56f98SSadaf Ebrahimi ssl, buf, buf + buf_len, &msg_len,
2967*62c56f98SSadaf Ebrahimi ticket_nonce, sizeof(ticket_nonce)));
2968*62c56f98SSadaf Ebrahimi
2969*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_finish_handshake_msg(
2970*62c56f98SSadaf Ebrahimi ssl, buf_len, msg_len));
2971*62c56f98SSadaf Ebrahimi
2972*62c56f98SSadaf Ebrahimi /* Limit session tickets count to one when resumption connection.
2973*62c56f98SSadaf Ebrahimi *
2974*62c56f98SSadaf Ebrahimi * See document of mbedtls_ssl_conf_new_session_tickets.
2975*62c56f98SSadaf Ebrahimi */
2976*62c56f98SSadaf Ebrahimi if (ssl->handshake->resume == 1) {
2977*62c56f98SSadaf Ebrahimi ssl->handshake->new_session_tickets_count = 0;
2978*62c56f98SSadaf Ebrahimi } else {
2979*62c56f98SSadaf Ebrahimi ssl->handshake->new_session_tickets_count--;
2980*62c56f98SSadaf Ebrahimi }
2981*62c56f98SSadaf Ebrahimi
2982*62c56f98SSadaf Ebrahimi mbedtls_ssl_handshake_set_state(
2983*62c56f98SSadaf Ebrahimi ssl, MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET_FLUSH);
2984*62c56f98SSadaf Ebrahimi } else {
2985*62c56f98SSadaf Ebrahimi mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_OVER);
2986*62c56f98SSadaf Ebrahimi }
2987*62c56f98SSadaf Ebrahimi
2988*62c56f98SSadaf Ebrahimi cleanup:
2989*62c56f98SSadaf Ebrahimi
2990*62c56f98SSadaf Ebrahimi return ret;
2991*62c56f98SSadaf Ebrahimi }
2992*62c56f98SSadaf Ebrahimi #endif /* MBEDTLS_SSL_SESSION_TICKETS */
2993*62c56f98SSadaf Ebrahimi
2994*62c56f98SSadaf Ebrahimi /*
2995*62c56f98SSadaf Ebrahimi * TLS 1.3 State Machine -- server side
2996*62c56f98SSadaf Ebrahimi */
mbedtls_ssl_tls13_handshake_server_step(mbedtls_ssl_context * ssl)2997*62c56f98SSadaf Ebrahimi int mbedtls_ssl_tls13_handshake_server_step(mbedtls_ssl_context *ssl)
2998*62c56f98SSadaf Ebrahimi {
2999*62c56f98SSadaf Ebrahimi int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
3000*62c56f98SSadaf Ebrahimi
3001*62c56f98SSadaf Ebrahimi if (ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER || ssl->handshake == NULL) {
3002*62c56f98SSadaf Ebrahimi return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3003*62c56f98SSadaf Ebrahimi }
3004*62c56f98SSadaf Ebrahimi
3005*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(2, ("tls13 server state: %s(%d)",
3006*62c56f98SSadaf Ebrahimi mbedtls_ssl_states_str(ssl->state),
3007*62c56f98SSadaf Ebrahimi ssl->state));
3008*62c56f98SSadaf Ebrahimi
3009*62c56f98SSadaf Ebrahimi switch (ssl->state) {
3010*62c56f98SSadaf Ebrahimi /* start state */
3011*62c56f98SSadaf Ebrahimi case MBEDTLS_SSL_HELLO_REQUEST:
3012*62c56f98SSadaf Ebrahimi mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_HELLO);
3013*62c56f98SSadaf Ebrahimi ret = 0;
3014*62c56f98SSadaf Ebrahimi break;
3015*62c56f98SSadaf Ebrahimi
3016*62c56f98SSadaf Ebrahimi case MBEDTLS_SSL_CLIENT_HELLO:
3017*62c56f98SSadaf Ebrahimi ret = ssl_tls13_process_client_hello(ssl);
3018*62c56f98SSadaf Ebrahimi if (ret != 0) {
3019*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_RET(1, "ssl_tls13_process_client_hello", ret);
3020*62c56f98SSadaf Ebrahimi }
3021*62c56f98SSadaf Ebrahimi break;
3022*62c56f98SSadaf Ebrahimi
3023*62c56f98SSadaf Ebrahimi case MBEDTLS_SSL_HELLO_RETRY_REQUEST:
3024*62c56f98SSadaf Ebrahimi ret = ssl_tls13_write_hello_retry_request(ssl);
3025*62c56f98SSadaf Ebrahimi if (ret != 0) {
3026*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_RET(1, "ssl_tls13_write_hello_retry_request", ret);
3027*62c56f98SSadaf Ebrahimi return ret;
3028*62c56f98SSadaf Ebrahimi }
3029*62c56f98SSadaf Ebrahimi break;
3030*62c56f98SSadaf Ebrahimi
3031*62c56f98SSadaf Ebrahimi case MBEDTLS_SSL_SERVER_HELLO:
3032*62c56f98SSadaf Ebrahimi ret = ssl_tls13_write_server_hello(ssl);
3033*62c56f98SSadaf Ebrahimi break;
3034*62c56f98SSadaf Ebrahimi
3035*62c56f98SSadaf Ebrahimi case MBEDTLS_SSL_ENCRYPTED_EXTENSIONS:
3036*62c56f98SSadaf Ebrahimi ret = ssl_tls13_write_encrypted_extensions(ssl);
3037*62c56f98SSadaf Ebrahimi if (ret != 0) {
3038*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_RET(1, "ssl_tls13_write_encrypted_extensions", ret);
3039*62c56f98SSadaf Ebrahimi return ret;
3040*62c56f98SSadaf Ebrahimi }
3041*62c56f98SSadaf Ebrahimi break;
3042*62c56f98SSadaf Ebrahimi
3043*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
3044*62c56f98SSadaf Ebrahimi case MBEDTLS_SSL_CERTIFICATE_REQUEST:
3045*62c56f98SSadaf Ebrahimi ret = ssl_tls13_write_certificate_request(ssl);
3046*62c56f98SSadaf Ebrahimi break;
3047*62c56f98SSadaf Ebrahimi
3048*62c56f98SSadaf Ebrahimi case MBEDTLS_SSL_SERVER_CERTIFICATE:
3049*62c56f98SSadaf Ebrahimi ret = ssl_tls13_write_server_certificate(ssl);
3050*62c56f98SSadaf Ebrahimi break;
3051*62c56f98SSadaf Ebrahimi
3052*62c56f98SSadaf Ebrahimi case MBEDTLS_SSL_CERTIFICATE_VERIFY:
3053*62c56f98SSadaf Ebrahimi ret = ssl_tls13_write_certificate_verify(ssl);
3054*62c56f98SSadaf Ebrahimi break;
3055*62c56f98SSadaf Ebrahimi #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
3056*62c56f98SSadaf Ebrahimi
3057*62c56f98SSadaf Ebrahimi /*
3058*62c56f98SSadaf Ebrahimi * Injection of dummy-CCS's for middlebox compatibility
3059*62c56f98SSadaf Ebrahimi */
3060*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
3061*62c56f98SSadaf Ebrahimi case MBEDTLS_SSL_SERVER_CCS_AFTER_HELLO_RETRY_REQUEST:
3062*62c56f98SSadaf Ebrahimi ret = mbedtls_ssl_tls13_write_change_cipher_spec(ssl);
3063*62c56f98SSadaf Ebrahimi if (ret == 0) {
3064*62c56f98SSadaf Ebrahimi mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_HELLO);
3065*62c56f98SSadaf Ebrahimi }
3066*62c56f98SSadaf Ebrahimi break;
3067*62c56f98SSadaf Ebrahimi
3068*62c56f98SSadaf Ebrahimi case MBEDTLS_SSL_SERVER_CCS_AFTER_SERVER_HELLO:
3069*62c56f98SSadaf Ebrahimi ret = mbedtls_ssl_tls13_write_change_cipher_spec(ssl);
3070*62c56f98SSadaf Ebrahimi if (ret == 0) {
3071*62c56f98SSadaf Ebrahimi mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_ENCRYPTED_EXTENSIONS);
3072*62c56f98SSadaf Ebrahimi }
3073*62c56f98SSadaf Ebrahimi break;
3074*62c56f98SSadaf Ebrahimi #endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
3075*62c56f98SSadaf Ebrahimi
3076*62c56f98SSadaf Ebrahimi case MBEDTLS_SSL_SERVER_FINISHED:
3077*62c56f98SSadaf Ebrahimi ret = ssl_tls13_write_server_finished(ssl);
3078*62c56f98SSadaf Ebrahimi break;
3079*62c56f98SSadaf Ebrahimi
3080*62c56f98SSadaf Ebrahimi case MBEDTLS_SSL_CLIENT_FINISHED:
3081*62c56f98SSadaf Ebrahimi ret = ssl_tls13_process_client_finished(ssl);
3082*62c56f98SSadaf Ebrahimi break;
3083*62c56f98SSadaf Ebrahimi
3084*62c56f98SSadaf Ebrahimi case MBEDTLS_SSL_HANDSHAKE_WRAPUP:
3085*62c56f98SSadaf Ebrahimi ret = ssl_tls13_handshake_wrapup(ssl);
3086*62c56f98SSadaf Ebrahimi break;
3087*62c56f98SSadaf Ebrahimi
3088*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
3089*62c56f98SSadaf Ebrahimi case MBEDTLS_SSL_CLIENT_CERTIFICATE:
3090*62c56f98SSadaf Ebrahimi ret = mbedtls_ssl_tls13_process_certificate(ssl);
3091*62c56f98SSadaf Ebrahimi if (ret == 0) {
3092*62c56f98SSadaf Ebrahimi if (ssl->session_negotiate->peer_cert != NULL) {
3093*62c56f98SSadaf Ebrahimi mbedtls_ssl_handshake_set_state(
3094*62c56f98SSadaf Ebrahimi ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY);
3095*62c56f98SSadaf Ebrahimi } else {
3096*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(2, ("skip parse certificate verify"));
3097*62c56f98SSadaf Ebrahimi mbedtls_ssl_handshake_set_state(
3098*62c56f98SSadaf Ebrahimi ssl, MBEDTLS_SSL_CLIENT_FINISHED);
3099*62c56f98SSadaf Ebrahimi }
3100*62c56f98SSadaf Ebrahimi }
3101*62c56f98SSadaf Ebrahimi break;
3102*62c56f98SSadaf Ebrahimi
3103*62c56f98SSadaf Ebrahimi case MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY:
3104*62c56f98SSadaf Ebrahimi ret = mbedtls_ssl_tls13_process_certificate_verify(ssl);
3105*62c56f98SSadaf Ebrahimi if (ret == 0) {
3106*62c56f98SSadaf Ebrahimi mbedtls_ssl_handshake_set_state(
3107*62c56f98SSadaf Ebrahimi ssl, MBEDTLS_SSL_CLIENT_FINISHED);
3108*62c56f98SSadaf Ebrahimi }
3109*62c56f98SSadaf Ebrahimi break;
3110*62c56f98SSadaf Ebrahimi #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
3111*62c56f98SSadaf Ebrahimi
3112*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_SSL_SESSION_TICKETS)
3113*62c56f98SSadaf Ebrahimi case MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET:
3114*62c56f98SSadaf Ebrahimi ret = ssl_tls13_write_new_session_ticket(ssl);
3115*62c56f98SSadaf Ebrahimi if (ret != 0) {
3116*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_RET(1,
3117*62c56f98SSadaf Ebrahimi "ssl_tls13_write_new_session_ticket ",
3118*62c56f98SSadaf Ebrahimi ret);
3119*62c56f98SSadaf Ebrahimi }
3120*62c56f98SSadaf Ebrahimi break;
3121*62c56f98SSadaf Ebrahimi case MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET_FLUSH:
3122*62c56f98SSadaf Ebrahimi /* This state is necessary to do the flush of the New Session
3123*62c56f98SSadaf Ebrahimi * Ticket message written in MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET
3124*62c56f98SSadaf Ebrahimi * as part of ssl_prepare_handshake_step.
3125*62c56f98SSadaf Ebrahimi */
3126*62c56f98SSadaf Ebrahimi ret = 0;
3127*62c56f98SSadaf Ebrahimi
3128*62c56f98SSadaf Ebrahimi if (ssl->handshake->new_session_tickets_count == 0) {
3129*62c56f98SSadaf Ebrahimi mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_OVER);
3130*62c56f98SSadaf Ebrahimi } else {
3131*62c56f98SSadaf Ebrahimi mbedtls_ssl_handshake_set_state(
3132*62c56f98SSadaf Ebrahimi ssl, MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET);
3133*62c56f98SSadaf Ebrahimi }
3134*62c56f98SSadaf Ebrahimi break;
3135*62c56f98SSadaf Ebrahimi
3136*62c56f98SSadaf Ebrahimi #endif /* MBEDTLS_SSL_SESSION_TICKETS */
3137*62c56f98SSadaf Ebrahimi
3138*62c56f98SSadaf Ebrahimi default:
3139*62c56f98SSadaf Ebrahimi MBEDTLS_SSL_DEBUG_MSG(1, ("invalid state %d", ssl->state));
3140*62c56f98SSadaf Ebrahimi return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
3141*62c56f98SSadaf Ebrahimi }
3142*62c56f98SSadaf Ebrahimi
3143*62c56f98SSadaf Ebrahimi return ret;
3144*62c56f98SSadaf Ebrahimi }
3145*62c56f98SSadaf Ebrahimi
3146*62c56f98SSadaf Ebrahimi #endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_PROTO_TLS1_3 */
3147