1 /*
2 * TLS 1.3 server-side functions
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
6 */
7
8 #include "common.h"
9
10 #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
11
12 #include "mbedtls/debug.h"
13 #include "mbedtls/error.h"
14 #include "mbedtls/platform.h"
15 #include "mbedtls/constant_time.h"
16 #include "mbedtls/oid.h"
17 #include "md_psa.h"
18
19 #include "ssl_misc.h"
20 #include "ssl_tls13_keys.h"
21 #include "ssl_debug_helpers.h"
22
23
ssl_tls13_validate_peer_ciphersuite(mbedtls_ssl_context * ssl,unsigned int cipher_suite)24 static const mbedtls_ssl_ciphersuite_t *ssl_tls13_validate_peer_ciphersuite(
25 mbedtls_ssl_context *ssl,
26 unsigned int cipher_suite)
27 {
28 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
29 if (!mbedtls_ssl_tls13_cipher_suite_is_offered(ssl, cipher_suite)) {
30 return NULL;
31 }
32
33 ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(cipher_suite);
34 if ((mbedtls_ssl_validate_ciphersuite(ssl, ciphersuite_info,
35 ssl->tls_version,
36 ssl->tls_version) != 0)) {
37 return NULL;
38 }
39 return ciphersuite_info;
40 }
41
42 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
43 /* From RFC 8446:
44 *
45 * enum { psk_ke(0), psk_dhe_ke(1), (255) } PskKeyExchangeMode;
46 * struct {
47 * PskKeyExchangeMode ke_modes<1..255>;
48 * } PskKeyExchangeModes;
49 */
50 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_parse_key_exchange_modes_ext(mbedtls_ssl_context * ssl,const unsigned char * buf,const unsigned char * end)51 static int ssl_tls13_parse_key_exchange_modes_ext(mbedtls_ssl_context *ssl,
52 const unsigned char *buf,
53 const unsigned char *end)
54 {
55 const unsigned char *p = buf;
56 size_t ke_modes_len;
57 int ke_modes = 0;
58
59 /* Read ke_modes length (1 Byte) */
60 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 1);
61 ke_modes_len = *p++;
62 /* Currently, there are only two PSK modes, so even without looking
63 * at the content, something's wrong if the list has more than 2 items. */
64 if (ke_modes_len > 2) {
65 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
66 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
67 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
68 }
69
70 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, ke_modes_len);
71
72 while (ke_modes_len-- != 0) {
73 switch (*p++) {
74 case MBEDTLS_SSL_TLS1_3_PSK_MODE_PURE:
75 ke_modes |= MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK;
76 MBEDTLS_SSL_DEBUG_MSG(3, ("Found PSK KEX MODE"));
77 break;
78 case MBEDTLS_SSL_TLS1_3_PSK_MODE_ECDHE:
79 ke_modes |= MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL;
80 MBEDTLS_SSL_DEBUG_MSG(3, ("Found PSK_EPHEMERAL KEX MODE"));
81 break;
82 default:
83 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
84 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
85 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
86 }
87 }
88
89 ssl->handshake->tls13_kex_modes = ke_modes;
90 return 0;
91 }
92
93 #define SSL_TLS1_3_OFFERED_PSK_NOT_MATCH 1
94 #define SSL_TLS1_3_OFFERED_PSK_MATCH 0
95
96 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
97
98 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_offered_psks_check_identity_match_ticket(mbedtls_ssl_context * ssl,const unsigned char * identity,size_t identity_len,uint32_t obfuscated_ticket_age,mbedtls_ssl_session * session)99 static int ssl_tls13_offered_psks_check_identity_match_ticket(
100 mbedtls_ssl_context *ssl,
101 const unsigned char *identity,
102 size_t identity_len,
103 uint32_t obfuscated_ticket_age,
104 mbedtls_ssl_session *session)
105 {
106 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
107 unsigned char *ticket_buffer;
108 #if defined(MBEDTLS_HAVE_TIME)
109 mbedtls_time_t now;
110 uint64_t age_in_s;
111 int64_t age_diff_in_ms;
112 #endif
113
114 ((void) obfuscated_ticket_age);
115
116 MBEDTLS_SSL_DEBUG_MSG(2, ("=> check_identity_match_ticket"));
117
118 /* Ticket parser is not configured, Skip */
119 if (ssl->conf->f_ticket_parse == NULL || identity_len == 0) {
120 return 0;
121 }
122
123 /* We create a copy of the encrypted ticket since the ticket parsing
124 * function is allowed to use its input buffer as an output buffer
125 * (in-place decryption). We do, however, need the original buffer for
126 * computing the PSK binder value.
127 */
128 ticket_buffer = mbedtls_calloc(1, identity_len);
129 if (ticket_buffer == NULL) {
130 MBEDTLS_SSL_DEBUG_MSG(1, ("buffer too small"));
131 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
132 }
133 memcpy(ticket_buffer, identity, identity_len);
134
135 if ((ret = ssl->conf->f_ticket_parse(ssl->conf->p_ticket,
136 session,
137 ticket_buffer, identity_len)) != 0) {
138 if (ret == MBEDTLS_ERR_SSL_INVALID_MAC) {
139 MBEDTLS_SSL_DEBUG_MSG(3, ("ticket is not authentic"));
140 } else if (ret == MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED) {
141 MBEDTLS_SSL_DEBUG_MSG(3, ("ticket is expired"));
142 } else {
143 MBEDTLS_SSL_DEBUG_RET(1, "ticket_parse", ret);
144 }
145 }
146
147 /* We delete the temporary buffer */
148 mbedtls_free(ticket_buffer);
149
150 if (ret != 0) {
151 goto exit;
152 }
153
154 /* RFC 8446 section 4.2.9
155 *
156 * Servers SHOULD NOT send NewSessionTicket with tickets that are not
157 * compatible with the advertised modes; however, if a server does so,
158 * the impact will just be that the client's attempts at resumption fail.
159 *
160 * We regard the ticket with incompatible key exchange modes as not match.
161 */
162 ret = MBEDTLS_ERR_ERROR_GENERIC_ERROR;
163 MBEDTLS_SSL_PRINT_TICKET_FLAGS(4,
164 session->ticket_flags);
165 if (mbedtls_ssl_tls13_check_kex_modes(
166 ssl,
167 mbedtls_ssl_session_get_ticket_flags(
168 session,
169 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL))) {
170 MBEDTLS_SSL_DEBUG_MSG(3, ("No suitable key exchange mode"));
171 goto exit;
172 }
173
174 ret = MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED;
175 #if defined(MBEDTLS_HAVE_TIME)
176 now = mbedtls_time(NULL);
177
178 if (now < session->start) {
179 MBEDTLS_SSL_DEBUG_MSG(
180 3, ("Invalid ticket start time ( now=%" MBEDTLS_PRINTF_LONGLONG
181 ", start=%" MBEDTLS_PRINTF_LONGLONG " )",
182 (long long) now, (long long) session->start));
183 goto exit;
184 }
185
186 age_in_s = (uint64_t) (now - session->start);
187
188 /* RFC 8446 section 4.6.1
189 *
190 * Servers MUST NOT use any value greater than 604800 seconds (7 days).
191 *
192 * RFC 8446 section 4.2.11.1
193 *
194 * Clients MUST NOT attempt to use tickets which have ages greater than
195 * the "ticket_lifetime" value which was provided with the ticket.
196 *
197 * For time being, the age MUST be less than 604800 seconds (7 days).
198 */
199 if (age_in_s > 604800) {
200 MBEDTLS_SSL_DEBUG_MSG(
201 3, ("Ticket age exceeds limitation ticket_age=%lu",
202 (long unsigned int) age_in_s));
203 goto exit;
204 }
205
206 /* RFC 8446 section 4.2.10
207 *
208 * For PSKs provisioned via NewSessionTicket, a server MUST validate that
209 * the ticket age for the selected PSK identity (computed by subtracting
210 * ticket_age_add from PskIdentity.obfuscated_ticket_age modulo 2^32) is
211 * within a small tolerance of the time since the ticket was issued.
212 *
213 * NOTE: When `now == session->start`, `age_diff_in_ms` may be negative
214 * as the age units are different on the server (s) and in the
215 * client (ms) side. Add a -1000 ms tolerance window to take this
216 * into account.
217 */
218 age_diff_in_ms = age_in_s * 1000;
219 age_diff_in_ms -= (obfuscated_ticket_age - session->ticket_age_add);
220 if (age_diff_in_ms <= -1000 ||
221 age_diff_in_ms > MBEDTLS_SSL_TLS1_3_TICKET_AGE_TOLERANCE) {
222 MBEDTLS_SSL_DEBUG_MSG(
223 3, ("Ticket age outside tolerance window ( diff=%d )",
224 (int) age_diff_in_ms));
225 goto exit;
226 }
227
228 ret = 0;
229
230 #endif /* MBEDTLS_HAVE_TIME */
231
232 exit:
233 if (ret != 0) {
234 mbedtls_ssl_session_free(session);
235 }
236
237 MBEDTLS_SSL_DEBUG_MSG(2, ("<= check_identity_match_ticket"));
238 return ret;
239 }
240 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
241
242 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_offered_psks_check_identity_match(mbedtls_ssl_context * ssl,const unsigned char * identity,size_t identity_len,uint32_t obfuscated_ticket_age,int * psk_type,mbedtls_ssl_session * session)243 static int ssl_tls13_offered_psks_check_identity_match(
244 mbedtls_ssl_context *ssl,
245 const unsigned char *identity,
246 size_t identity_len,
247 uint32_t obfuscated_ticket_age,
248 int *psk_type,
249 mbedtls_ssl_session *session)
250 {
251 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
252
253 ((void) session);
254 ((void) obfuscated_ticket_age);
255 *psk_type = MBEDTLS_SSL_TLS1_3_PSK_EXTERNAL;
256
257 MBEDTLS_SSL_DEBUG_BUF(4, "identity", identity, identity_len);
258 ssl->handshake->resume = 0;
259
260 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
261 if (ssl_tls13_offered_psks_check_identity_match_ticket(
262 ssl, identity, identity_len, obfuscated_ticket_age,
263 session) == SSL_TLS1_3_OFFERED_PSK_MATCH) {
264 ssl->handshake->resume = 1;
265 *psk_type = MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION;
266 ret = mbedtls_ssl_set_hs_psk(ssl,
267 session->resumption_key,
268 session->resumption_key_len);
269 if (ret != 0) {
270 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_set_hs_psk", ret);
271 return ret;
272 }
273
274 MBEDTLS_SSL_DEBUG_BUF(4, "Ticket-resumed PSK:",
275 session->resumption_key,
276 session->resumption_key_len);
277 MBEDTLS_SSL_DEBUG_MSG(4, ("ticket: obfuscated_ticket_age: %u",
278 (unsigned) obfuscated_ticket_age));
279 return SSL_TLS1_3_OFFERED_PSK_MATCH;
280 }
281 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
282
283 /* Check identity with external configured function */
284 if (ssl->conf->f_psk != NULL) {
285 if (ssl->conf->f_psk(
286 ssl->conf->p_psk, ssl, identity, identity_len) == 0) {
287 return SSL_TLS1_3_OFFERED_PSK_MATCH;
288 }
289 return SSL_TLS1_3_OFFERED_PSK_NOT_MATCH;
290 }
291
292 MBEDTLS_SSL_DEBUG_BUF(5, "identity", identity, identity_len);
293 /* Check identity with pre-configured psk */
294 if (ssl->conf->psk_identity != NULL &&
295 identity_len == ssl->conf->psk_identity_len &&
296 mbedtls_ct_memcmp(ssl->conf->psk_identity,
297 identity, identity_len) == 0) {
298 ret = mbedtls_ssl_set_hs_psk(ssl, ssl->conf->psk, ssl->conf->psk_len);
299 if (ret != 0) {
300 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_set_hs_psk", ret);
301 return ret;
302 }
303 return SSL_TLS1_3_OFFERED_PSK_MATCH;
304 }
305
306 return SSL_TLS1_3_OFFERED_PSK_NOT_MATCH;
307 }
308
309 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_offered_psks_check_binder_match(mbedtls_ssl_context * ssl,const unsigned char * binder,size_t binder_len,int psk_type,psa_algorithm_t psk_hash_alg)310 static int ssl_tls13_offered_psks_check_binder_match(
311 mbedtls_ssl_context *ssl,
312 const unsigned char *binder, size_t binder_len,
313 int psk_type, psa_algorithm_t psk_hash_alg)
314 {
315 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
316
317 unsigned char transcript[PSA_HASH_MAX_SIZE];
318 size_t transcript_len;
319 unsigned char *psk;
320 size_t psk_len;
321 unsigned char server_computed_binder[PSA_HASH_MAX_SIZE];
322
323 /* Get current state of handshake transcript. */
324 ret = mbedtls_ssl_get_handshake_transcript(
325 ssl, mbedtls_md_type_from_psa_alg(psk_hash_alg),
326 transcript, sizeof(transcript), &transcript_len);
327 if (ret != 0) {
328 return ret;
329 }
330
331 ret = mbedtls_ssl_tls13_export_handshake_psk(ssl, &psk, &psk_len);
332 if (ret != 0) {
333 return ret;
334 }
335
336 ret = mbedtls_ssl_tls13_create_psk_binder(ssl, psk_hash_alg,
337 psk, psk_len, psk_type,
338 transcript,
339 server_computed_binder);
340 #if defined(MBEDTLS_USE_PSA_CRYPTO)
341 mbedtls_free((void *) psk);
342 #endif
343 if (ret != 0) {
344 MBEDTLS_SSL_DEBUG_MSG(1, ("PSK binder calculation failed."));
345 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
346 }
347
348 MBEDTLS_SSL_DEBUG_BUF(3, "psk binder ( computed ): ",
349 server_computed_binder, transcript_len);
350 MBEDTLS_SSL_DEBUG_BUF(3, "psk binder ( received ): ", binder, binder_len);
351
352 if (mbedtls_ct_memcmp(server_computed_binder, binder, binder_len) == 0) {
353 return SSL_TLS1_3_OFFERED_PSK_MATCH;
354 }
355
356 mbedtls_platform_zeroize(server_computed_binder,
357 sizeof(server_computed_binder));
358 return SSL_TLS1_3_OFFERED_PSK_NOT_MATCH;
359 }
360
361 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_select_ciphersuite_for_psk(mbedtls_ssl_context * ssl,const unsigned char * cipher_suites,const unsigned char * cipher_suites_end,uint16_t * selected_ciphersuite,const mbedtls_ssl_ciphersuite_t ** selected_ciphersuite_info)362 static int ssl_tls13_select_ciphersuite_for_psk(
363 mbedtls_ssl_context *ssl,
364 const unsigned char *cipher_suites,
365 const unsigned char *cipher_suites_end,
366 uint16_t *selected_ciphersuite,
367 const mbedtls_ssl_ciphersuite_t **selected_ciphersuite_info)
368 {
369 psa_algorithm_t psk_hash_alg = PSA_ALG_SHA_256;
370
371 *selected_ciphersuite = 0;
372 *selected_ciphersuite_info = NULL;
373
374 /* RFC 8446, page 55.
375 *
376 * For externally established PSKs, the Hash algorithm MUST be set when the
377 * PSK is established or default to SHA-256 if no such algorithm is defined.
378 *
379 */
380
381 /*
382 * Search for a matching ciphersuite
383 */
384 for (const unsigned char *p = cipher_suites;
385 p < cipher_suites_end; p += 2) {
386 uint16_t cipher_suite;
387 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
388
389 cipher_suite = MBEDTLS_GET_UINT16_BE(p, 0);
390 ciphersuite_info = ssl_tls13_validate_peer_ciphersuite(ssl,
391 cipher_suite);
392 if (ciphersuite_info == NULL) {
393 continue;
394 }
395
396 /* MAC of selected ciphersuite MUST be same with PSK binder if exist.
397 * Otherwise, client should reject.
398 */
399 if (psk_hash_alg == mbedtls_md_psa_alg_from_type(ciphersuite_info->mac)) {
400 *selected_ciphersuite = cipher_suite;
401 *selected_ciphersuite_info = ciphersuite_info;
402 return 0;
403 }
404 }
405 MBEDTLS_SSL_DEBUG_MSG(2, ("No matched ciphersuite"));
406 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
407 }
408
409 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
410 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_select_ciphersuite_for_resumption(mbedtls_ssl_context * ssl,const unsigned char * cipher_suites,const unsigned char * cipher_suites_end,mbedtls_ssl_session * session,uint16_t * selected_ciphersuite,const mbedtls_ssl_ciphersuite_t ** selected_ciphersuite_info)411 static int ssl_tls13_select_ciphersuite_for_resumption(
412 mbedtls_ssl_context *ssl,
413 const unsigned char *cipher_suites,
414 const unsigned char *cipher_suites_end,
415 mbedtls_ssl_session *session,
416 uint16_t *selected_ciphersuite,
417 const mbedtls_ssl_ciphersuite_t **selected_ciphersuite_info)
418 {
419
420 *selected_ciphersuite = 0;
421 *selected_ciphersuite_info = NULL;
422 for (const unsigned char *p = cipher_suites; p < cipher_suites_end; p += 2) {
423 uint16_t cipher_suite = MBEDTLS_GET_UINT16_BE(p, 0);
424 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
425
426 if (cipher_suite != session->ciphersuite) {
427 continue;
428 }
429
430 ciphersuite_info = ssl_tls13_validate_peer_ciphersuite(ssl,
431 cipher_suite);
432 if (ciphersuite_info == NULL) {
433 continue;
434 }
435
436 *selected_ciphersuite = cipher_suite;
437 *selected_ciphersuite_info = ciphersuite_info;
438
439 return 0;
440 }
441
442 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
443 }
444
445 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_session_copy_ticket(mbedtls_ssl_session * dst,const mbedtls_ssl_session * src)446 static int ssl_tls13_session_copy_ticket(mbedtls_ssl_session *dst,
447 const mbedtls_ssl_session *src)
448 {
449 dst->ticket_age_add = src->ticket_age_add;
450 dst->ticket_flags = src->ticket_flags;
451 dst->resumption_key_len = src->resumption_key_len;
452 if (src->resumption_key_len == 0) {
453 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
454 }
455 memcpy(dst->resumption_key, src->resumption_key, src->resumption_key_len);
456
457 return 0;
458 }
459 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
460
461 /* Parser for pre_shared_key extension in client hello
462 * struct {
463 * opaque identity<1..2^16-1>;
464 * uint32 obfuscated_ticket_age;
465 * } PskIdentity;
466 *
467 * opaque PskBinderEntry<32..255>;
468 *
469 * struct {
470 * PskIdentity identities<7..2^16-1>;
471 * PskBinderEntry binders<33..2^16-1>;
472 * } OfferedPsks;
473 *
474 * struct {
475 * select (Handshake.msg_type) {
476 * case client_hello: OfferedPsks;
477 * ....
478 * };
479 * } PreSharedKeyExtension;
480 */
481 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_parse_pre_shared_key_ext(mbedtls_ssl_context * ssl,const unsigned char * pre_shared_key_ext,const unsigned char * pre_shared_key_ext_end,const unsigned char * ciphersuites,const unsigned char * ciphersuites_end)482 static int ssl_tls13_parse_pre_shared_key_ext(
483 mbedtls_ssl_context *ssl,
484 const unsigned char *pre_shared_key_ext,
485 const unsigned char *pre_shared_key_ext_end,
486 const unsigned char *ciphersuites,
487 const unsigned char *ciphersuites_end)
488 {
489 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
490 const unsigned char *identities = pre_shared_key_ext;
491 const unsigned char *p_identity_len;
492 size_t identities_len;
493 const unsigned char *identities_end;
494 const unsigned char *binders;
495 const unsigned char *p_binder_len;
496 size_t binders_len;
497 const unsigned char *binders_end;
498 int matched_identity = -1;
499 int identity_id = -1;
500
501 MBEDTLS_SSL_DEBUG_BUF(3, "pre_shared_key extension",
502 pre_shared_key_ext,
503 pre_shared_key_ext_end - pre_shared_key_ext);
504
505 /* identities_len 2 bytes
506 * identities_data >= 7 bytes
507 */
508 MBEDTLS_SSL_CHK_BUF_READ_PTR(identities, pre_shared_key_ext_end, 7 + 2);
509 identities_len = MBEDTLS_GET_UINT16_BE(identities, 0);
510 p_identity_len = identities + 2;
511 MBEDTLS_SSL_CHK_BUF_READ_PTR(p_identity_len, pre_shared_key_ext_end,
512 identities_len);
513 identities_end = p_identity_len + identities_len;
514
515 /* binders_len 2 bytes
516 * binders >= 33 bytes
517 */
518 binders = identities_end;
519 MBEDTLS_SSL_CHK_BUF_READ_PTR(binders, pre_shared_key_ext_end, 33 + 2);
520 binders_len = MBEDTLS_GET_UINT16_BE(binders, 0);
521 p_binder_len = binders + 2;
522 MBEDTLS_SSL_CHK_BUF_READ_PTR(p_binder_len, pre_shared_key_ext_end, binders_len);
523 binders_end = p_binder_len + binders_len;
524
525 ret = ssl->handshake->update_checksum(ssl, pre_shared_key_ext,
526 identities_end - pre_shared_key_ext);
527 if (0 != ret) {
528 MBEDTLS_SSL_DEBUG_RET(1, ("update_checksum"), ret);
529 return ret;
530 }
531
532 while (p_identity_len < identities_end && p_binder_len < binders_end) {
533 const unsigned char *identity;
534 size_t identity_len;
535 uint32_t obfuscated_ticket_age;
536 const unsigned char *binder;
537 size_t binder_len;
538 int psk_type;
539 uint16_t cipher_suite;
540 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
541 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
542 mbedtls_ssl_session session;
543 mbedtls_ssl_session_init(&session);
544 #endif
545
546 MBEDTLS_SSL_CHK_BUF_READ_PTR(p_identity_len, identities_end, 2 + 1 + 4);
547 identity_len = MBEDTLS_GET_UINT16_BE(p_identity_len, 0);
548 identity = p_identity_len + 2;
549 MBEDTLS_SSL_CHK_BUF_READ_PTR(identity, identities_end, identity_len + 4);
550 obfuscated_ticket_age = MBEDTLS_GET_UINT32_BE(identity, identity_len);
551 p_identity_len += identity_len + 6;
552
553 MBEDTLS_SSL_CHK_BUF_READ_PTR(p_binder_len, binders_end, 1 + 32);
554 binder_len = *p_binder_len;
555 binder = p_binder_len + 1;
556 MBEDTLS_SSL_CHK_BUF_READ_PTR(binder, binders_end, binder_len);
557 p_binder_len += binder_len + 1;
558
559 identity_id++;
560 if (matched_identity != -1) {
561 continue;
562 }
563
564 ret = ssl_tls13_offered_psks_check_identity_match(
565 ssl, identity, identity_len, obfuscated_ticket_age,
566 &psk_type, &session);
567 if (ret != SSL_TLS1_3_OFFERED_PSK_MATCH) {
568 continue;
569 }
570
571 MBEDTLS_SSL_DEBUG_MSG(4, ("found matched identity"));
572 switch (psk_type) {
573 case MBEDTLS_SSL_TLS1_3_PSK_EXTERNAL:
574 ret = ssl_tls13_select_ciphersuite_for_psk(
575 ssl, ciphersuites, ciphersuites_end,
576 &cipher_suite, &ciphersuite_info);
577 break;
578 case MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION:
579 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
580 ret = ssl_tls13_select_ciphersuite_for_resumption(
581 ssl, ciphersuites, ciphersuites_end, &session,
582 &cipher_suite, &ciphersuite_info);
583 if (ret != 0) {
584 mbedtls_ssl_session_free(&session);
585 }
586 #else
587 ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
588 #endif
589 break;
590 default:
591 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
592 }
593 if (ret != 0) {
594 /* See below, no cipher_suite available, abort handshake */
595 MBEDTLS_SSL_PEND_FATAL_ALERT(
596 MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR,
597 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE);
598 MBEDTLS_SSL_DEBUG_RET(
599 2, "ssl_tls13_select_ciphersuite", ret);
600 return ret;
601 }
602
603 ret = ssl_tls13_offered_psks_check_binder_match(
604 ssl, binder, binder_len, psk_type,
605 mbedtls_md_psa_alg_from_type(ciphersuite_info->mac));
606 if (ret != SSL_TLS1_3_OFFERED_PSK_MATCH) {
607 /* For security reasons, the handshake should be aborted when we
608 * fail to validate a binder value. See RFC 8446 section 4.2.11.2
609 * and appendix E.6. */
610 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
611 mbedtls_ssl_session_free(&session);
612 #endif
613 MBEDTLS_SSL_DEBUG_MSG(3, ("Invalid binder."));
614 MBEDTLS_SSL_DEBUG_RET(
615 1, "ssl_tls13_offered_psks_check_binder_match", ret);
616 MBEDTLS_SSL_PEND_FATAL_ALERT(
617 MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR,
618 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE);
619 return ret;
620 }
621
622 matched_identity = identity_id;
623
624 /* Update handshake parameters */
625 ssl->handshake->ciphersuite_info = ciphersuite_info;
626 ssl->session_negotiate->ciphersuite = cipher_suite;
627 MBEDTLS_SSL_DEBUG_MSG(2, ("overwrite ciphersuite: %04x - %s",
628 cipher_suite, ciphersuite_info->name));
629 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
630 if (psk_type == MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION) {
631 ret = ssl_tls13_session_copy_ticket(ssl->session_negotiate,
632 &session);
633 mbedtls_ssl_session_free(&session);
634 if (ret != 0) {
635 return ret;
636 }
637 }
638 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
639 }
640
641 if (p_identity_len != identities_end || p_binder_len != binders_end) {
642 MBEDTLS_SSL_DEBUG_MSG(3, ("pre_shared_key extension decode error"));
643 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
644 MBEDTLS_ERR_SSL_DECODE_ERROR);
645 return MBEDTLS_ERR_SSL_DECODE_ERROR;
646 }
647
648 /* Update the handshake transcript with the binder list. */
649 ret = ssl->handshake->update_checksum(
650 ssl, identities_end, (size_t) (binders_end - identities_end));
651 if (0 != ret) {
652 MBEDTLS_SSL_DEBUG_RET(1, ("update_checksum"), ret);
653 return ret;
654 }
655 if (matched_identity == -1) {
656 MBEDTLS_SSL_DEBUG_MSG(3, ("No matched PSK or ticket."));
657 return MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY;
658 }
659
660 ssl->handshake->selected_identity = (uint16_t) matched_identity;
661 MBEDTLS_SSL_DEBUG_MSG(3, ("Pre shared key found"));
662
663 return 0;
664 }
665
666 /*
667 * struct {
668 * select ( Handshake.msg_type ) {
669 * ....
670 * case server_hello:
671 * uint16 selected_identity;
672 * }
673 * } PreSharedKeyExtension;
674 */
ssl_tls13_write_server_pre_shared_key_ext(mbedtls_ssl_context * ssl,unsigned char * buf,unsigned char * end,size_t * olen)675 static int ssl_tls13_write_server_pre_shared_key_ext(mbedtls_ssl_context *ssl,
676 unsigned char *buf,
677 unsigned char *end,
678 size_t *olen)
679 {
680 unsigned char *p = (unsigned char *) buf;
681
682 *olen = 0;
683
684 int not_using_psk = 0;
685 #if defined(MBEDTLS_USE_PSA_CRYPTO)
686 not_using_psk = (mbedtls_svc_key_id_is_null(ssl->handshake->psk_opaque));
687 #else
688 not_using_psk = (ssl->handshake->psk == NULL);
689 #endif
690 if (not_using_psk) {
691 /* We shouldn't have called this extension writer unless we've
692 * chosen to use a PSK. */
693 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
694 }
695
696 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding pre_shared_key extension"));
697 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 6);
698
699 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_PRE_SHARED_KEY, p, 0);
700 MBEDTLS_PUT_UINT16_BE(2, p, 2);
701
702 MBEDTLS_PUT_UINT16_BE(ssl->handshake->selected_identity, p, 4);
703
704 *olen = 6;
705
706 MBEDTLS_SSL_DEBUG_MSG(4, ("sent selected_identity: %u",
707 ssl->handshake->selected_identity));
708
709 mbedtls_ssl_tls13_set_hs_sent_ext_mask(ssl, MBEDTLS_TLS_EXT_PRE_SHARED_KEY);
710
711 return 0;
712 }
713
714 #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */
715
716 /* From RFC 8446:
717 * struct {
718 * ProtocolVersion versions<2..254>;
719 * } SupportedVersions;
720 */
721 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_parse_supported_versions_ext(mbedtls_ssl_context * ssl,const unsigned char * buf,const unsigned char * end)722 static int ssl_tls13_parse_supported_versions_ext(mbedtls_ssl_context *ssl,
723 const unsigned char *buf,
724 const unsigned char *end)
725 {
726 const unsigned char *p = buf;
727 size_t versions_len;
728 const unsigned char *versions_end;
729 uint16_t tls_version;
730 int found_supported_version = 0;
731
732 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 1);
733 versions_len = p[0];
734 p += 1;
735
736 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, versions_len);
737 versions_end = p + versions_len;
738 while (p < versions_end) {
739 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, versions_end, 2);
740 tls_version = mbedtls_ssl_read_version(p, ssl->conf->transport);
741 p += 2;
742
743 if (MBEDTLS_SSL_VERSION_TLS1_3 == tls_version) {
744 found_supported_version = 1;
745 break;
746 }
747
748 if ((MBEDTLS_SSL_VERSION_TLS1_2 == tls_version) &&
749 mbedtls_ssl_conf_is_tls12_enabled(ssl->conf)) {
750 found_supported_version = 1;
751 break;
752 }
753 }
754
755 if (!found_supported_version) {
756 MBEDTLS_SSL_DEBUG_MSG(1, ("No supported version found."));
757
758 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION,
759 MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION);
760 return MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION;
761 }
762
763 MBEDTLS_SSL_DEBUG_MSG(1, ("Negotiated version: [%04x]",
764 (unsigned int) tls_version));
765
766 return (int) tls_version;
767 }
768
769 #if defined(PSA_WANT_ALG_ECDH) || defined(PSA_WANT_ALG_FFDH)
770 /*
771 *
772 * From RFC 8446:
773 * enum {
774 * ... (0xFFFF)
775 * } NamedGroup;
776 * struct {
777 * NamedGroup named_group_list<2..2^16-1>;
778 * } NamedGroupList;
779 */
780 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_parse_supported_groups_ext(mbedtls_ssl_context * ssl,const unsigned char * buf,const unsigned char * end)781 static int ssl_tls13_parse_supported_groups_ext(mbedtls_ssl_context *ssl,
782 const unsigned char *buf,
783 const unsigned char *end)
784 {
785 const unsigned char *p = buf;
786 size_t named_group_list_len;
787 const unsigned char *named_group_list_end;
788
789 MBEDTLS_SSL_DEBUG_BUF(3, "supported_groups extension", p, end - buf);
790 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
791 named_group_list_len = MBEDTLS_GET_UINT16_BE(p, 0);
792 p += 2;
793 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, named_group_list_len);
794 named_group_list_end = p + named_group_list_len;
795 ssl->handshake->hrr_selected_group = 0;
796
797 while (p < named_group_list_end) {
798 uint16_t named_group;
799 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, named_group_list_end, 2);
800 named_group = MBEDTLS_GET_UINT16_BE(p, 0);
801 p += 2;
802
803 MBEDTLS_SSL_DEBUG_MSG(2,
804 ("got named group: %s(%04x)",
805 mbedtls_ssl_named_group_to_str(named_group),
806 named_group));
807
808 if (!mbedtls_ssl_named_group_is_offered(ssl, named_group) ||
809 !mbedtls_ssl_named_group_is_supported(named_group) ||
810 ssl->handshake->hrr_selected_group != 0) {
811 continue;
812 }
813
814 MBEDTLS_SSL_DEBUG_MSG(2,
815 ("add named group %s(%04x) into received list.",
816 mbedtls_ssl_named_group_to_str(named_group),
817 named_group));
818
819 ssl->handshake->hrr_selected_group = named_group;
820 }
821
822 return 0;
823
824 }
825 #endif /* PSA_WANT_ALG_ECDH || PSA_WANT_ALG_FFDH */
826
827 #define SSL_TLS1_3_PARSE_KEY_SHARES_EXT_NO_MATCH 1
828
829 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)
830 /*
831 * ssl_tls13_parse_key_shares_ext() verifies whether the information in the
832 * extension is correct and stores the first acceptable key share and its
833 * associated group.
834 *
835 * Possible return values are:
836 * - 0: Successful processing of the client provided key share extension.
837 * - SSL_TLS1_3_PARSE_KEY_SHARES_EXT_NO_MATCH: The key shares provided by
838 * the client does not match a group supported by the server. A
839 * HelloRetryRequest will be needed.
840 * - A negative value for fatal errors.
841 */
842 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_parse_key_shares_ext(mbedtls_ssl_context * ssl,const unsigned char * buf,const unsigned char * end)843 static int ssl_tls13_parse_key_shares_ext(mbedtls_ssl_context *ssl,
844 const unsigned char *buf,
845 const unsigned char *end)
846 {
847 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
848 unsigned char const *p = buf;
849 unsigned char const *client_shares_end;
850 size_t client_shares_len;
851
852 /* From RFC 8446:
853 *
854 * struct {
855 * KeyShareEntry client_shares<0..2^16-1>;
856 * } KeyShareClientHello;
857 *
858 */
859
860 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
861 client_shares_len = MBEDTLS_GET_UINT16_BE(p, 0);
862 p += 2;
863 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, client_shares_len);
864
865 ssl->handshake->offered_group_id = 0;
866 client_shares_end = p + client_shares_len;
867
868 /* We try to find a suitable key share entry and copy it to the
869 * handshake context. Later, we have to find out whether we can do
870 * something with the provided key share or whether we have to
871 * dismiss it and send a HelloRetryRequest message.
872 */
873
874 while (p < client_shares_end) {
875 uint16_t group;
876 size_t key_exchange_len;
877 const unsigned char *key_exchange;
878
879 /*
880 * struct {
881 * NamedGroup group;
882 * opaque key_exchange<1..2^16-1>;
883 * } KeyShareEntry;
884 */
885 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, client_shares_end, 4);
886 group = MBEDTLS_GET_UINT16_BE(p, 0);
887 key_exchange_len = MBEDTLS_GET_UINT16_BE(p, 2);
888 p += 4;
889 key_exchange = p;
890 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, client_shares_end, key_exchange_len);
891 p += key_exchange_len;
892
893 /* Continue parsing even if we have already found a match,
894 * for input validation purposes.
895 */
896 if (!mbedtls_ssl_named_group_is_offered(ssl, group) ||
897 !mbedtls_ssl_named_group_is_supported(group) ||
898 ssl->handshake->offered_group_id != 0) {
899 continue;
900 }
901
902 /*
903 * ECDHE and FFDHE groups are supported
904 */
905 if (mbedtls_ssl_tls13_named_group_is_ecdhe(group) ||
906 mbedtls_ssl_tls13_named_group_is_ffdh(group)) {
907 MBEDTLS_SSL_DEBUG_MSG(2, ("ECDH/FFDH group: %s (%04x)",
908 mbedtls_ssl_named_group_to_str(group),
909 group));
910 ret = mbedtls_ssl_tls13_read_public_xxdhe_share(
911 ssl, key_exchange - 2, key_exchange_len + 2);
912 if (ret != 0) {
913 return ret;
914 }
915
916 } else {
917 MBEDTLS_SSL_DEBUG_MSG(4, ("Unrecognized NamedGroup %u",
918 (unsigned) group));
919 continue;
920 }
921
922 ssl->handshake->offered_group_id = group;
923 }
924
925
926 if (ssl->handshake->offered_group_id == 0) {
927 MBEDTLS_SSL_DEBUG_MSG(1, ("no matching key share"));
928 return SSL_TLS1_3_PARSE_KEY_SHARES_EXT_NO_MATCH;
929 }
930 return 0;
931 }
932 #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED */
933
934 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_client_hello_has_exts(mbedtls_ssl_context * ssl,int exts_mask)935 static int ssl_tls13_client_hello_has_exts(mbedtls_ssl_context *ssl,
936 int exts_mask)
937 {
938 int masked = ssl->handshake->received_extensions & exts_mask;
939 return masked == exts_mask;
940 }
941
942 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
943 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_client_hello_has_exts_for_ephemeral_key_exchange(mbedtls_ssl_context * ssl)944 static int ssl_tls13_client_hello_has_exts_for_ephemeral_key_exchange(
945 mbedtls_ssl_context *ssl)
946 {
947 return ssl_tls13_client_hello_has_exts(
948 ssl,
949 MBEDTLS_SSL_EXT_MASK(SUPPORTED_GROUPS) |
950 MBEDTLS_SSL_EXT_MASK(KEY_SHARE) |
951 MBEDTLS_SSL_EXT_MASK(SIG_ALG));
952 }
953 #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
954
955 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED)
956 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_client_hello_has_exts_for_psk_key_exchange(mbedtls_ssl_context * ssl)957 static int ssl_tls13_client_hello_has_exts_for_psk_key_exchange(
958 mbedtls_ssl_context *ssl)
959 {
960 return ssl_tls13_client_hello_has_exts(
961 ssl,
962 MBEDTLS_SSL_EXT_MASK(PRE_SHARED_KEY) |
963 MBEDTLS_SSL_EXT_MASK(PSK_KEY_EXCHANGE_MODES));
964 }
965 #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED */
966
967 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED)
968 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_client_hello_has_exts_for_psk_ephemeral_key_exchange(mbedtls_ssl_context * ssl)969 static int ssl_tls13_client_hello_has_exts_for_psk_ephemeral_key_exchange(
970 mbedtls_ssl_context *ssl)
971 {
972 return ssl_tls13_client_hello_has_exts(
973 ssl,
974 MBEDTLS_SSL_EXT_MASK(SUPPORTED_GROUPS) |
975 MBEDTLS_SSL_EXT_MASK(KEY_SHARE) |
976 MBEDTLS_SSL_EXT_MASK(PRE_SHARED_KEY) |
977 MBEDTLS_SSL_EXT_MASK(PSK_KEY_EXCHANGE_MODES));
978 }
979 #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED */
980
981 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_check_ephemeral_key_exchange(mbedtls_ssl_context * ssl)982 static int ssl_tls13_check_ephemeral_key_exchange(mbedtls_ssl_context *ssl)
983 {
984 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
985 return mbedtls_ssl_conf_tls13_ephemeral_enabled(ssl) &&
986 ssl_tls13_client_hello_has_exts_for_ephemeral_key_exchange(ssl);
987 #else
988 ((void) ssl);
989 return 0;
990 #endif
991 }
992
993 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_check_psk_key_exchange(mbedtls_ssl_context * ssl)994 static int ssl_tls13_check_psk_key_exchange(mbedtls_ssl_context *ssl)
995 {
996 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED)
997 return mbedtls_ssl_conf_tls13_psk_enabled(ssl) &&
998 mbedtls_ssl_tls13_psk_enabled(ssl) &&
999 ssl_tls13_client_hello_has_exts_for_psk_key_exchange(ssl);
1000 #else
1001 ((void) ssl);
1002 return 0;
1003 #endif
1004 }
1005
1006 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_check_psk_ephemeral_key_exchange(mbedtls_ssl_context * ssl)1007 static int ssl_tls13_check_psk_ephemeral_key_exchange(mbedtls_ssl_context *ssl)
1008 {
1009 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED)
1010 return mbedtls_ssl_conf_tls13_psk_ephemeral_enabled(ssl) &&
1011 mbedtls_ssl_tls13_psk_ephemeral_enabled(ssl) &&
1012 ssl_tls13_client_hello_has_exts_for_psk_ephemeral_key_exchange(ssl);
1013 #else
1014 ((void) ssl);
1015 return 0;
1016 #endif
1017 }
1018
ssl_tls13_determine_key_exchange_mode(mbedtls_ssl_context * ssl)1019 static int ssl_tls13_determine_key_exchange_mode(mbedtls_ssl_context *ssl)
1020 {
1021 /*
1022 * Determine the key exchange algorithm to use.
1023 * There are three types of key exchanges supported in TLS 1.3:
1024 * - (EC)DH with ECDSA,
1025 * - (EC)DH with PSK,
1026 * - plain PSK.
1027 *
1028 * The PSK-based key exchanges may additionally be used with 0-RTT.
1029 *
1030 * Our built-in order of preference is
1031 * 1 ) (EC)DHE-PSK Mode ( psk_ephemeral )
1032 * 2 ) Certificate Mode ( ephemeral )
1033 * 3 ) Plain PSK Mode ( psk )
1034 */
1035
1036 ssl->handshake->key_exchange_mode =
1037 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_NONE;
1038
1039 if (ssl_tls13_check_psk_ephemeral_key_exchange(ssl)) {
1040 ssl->handshake->key_exchange_mode =
1041 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL;
1042 MBEDTLS_SSL_DEBUG_MSG(2, ("key exchange mode: psk_ephemeral"));
1043 } else
1044 if (ssl_tls13_check_ephemeral_key_exchange(ssl)) {
1045 ssl->handshake->key_exchange_mode =
1046 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL;
1047 MBEDTLS_SSL_DEBUG_MSG(2, ("key exchange mode: ephemeral"));
1048 } else
1049 if (ssl_tls13_check_psk_key_exchange(ssl)) {
1050 ssl->handshake->key_exchange_mode =
1051 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK;
1052 MBEDTLS_SSL_DEBUG_MSG(2, ("key exchange mode: psk"));
1053 } else {
1054 MBEDTLS_SSL_DEBUG_MSG(
1055 1,
1056 ("ClientHello message misses mandatory extensions."));
1057 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_MISSING_EXTENSION,
1058 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
1059 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
1060 }
1061
1062 return 0;
1063
1064 }
1065
1066 #if defined(MBEDTLS_X509_CRT_PARSE_C) && \
1067 defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
1068
1069 #if defined(MBEDTLS_USE_PSA_CRYPTO)
ssl_tls13_iana_sig_alg_to_psa_alg(uint16_t sig_alg)1070 static psa_algorithm_t ssl_tls13_iana_sig_alg_to_psa_alg(uint16_t sig_alg)
1071 {
1072 switch (sig_alg) {
1073 case MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256:
1074 return PSA_ALG_ECDSA(PSA_ALG_SHA_256);
1075 case MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384:
1076 return PSA_ALG_ECDSA(PSA_ALG_SHA_384);
1077 case MBEDTLS_TLS1_3_SIG_ECDSA_SECP521R1_SHA512:
1078 return PSA_ALG_ECDSA(PSA_ALG_SHA_512);
1079 case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256:
1080 return PSA_ALG_RSA_PSS(PSA_ALG_SHA_256);
1081 case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384:
1082 return PSA_ALG_RSA_PSS(PSA_ALG_SHA_384);
1083 case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512:
1084 return PSA_ALG_RSA_PSS(PSA_ALG_SHA_512);
1085 case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256:
1086 return PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256);
1087 case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA384:
1088 return PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_384);
1089 case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA512:
1090 return PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_512);
1091 default:
1092 return PSA_ALG_NONE;
1093 }
1094 }
1095 #endif /* MBEDTLS_USE_PSA_CRYPTO */
1096
1097 /*
1098 * Pick best ( private key, certificate chain ) pair based on the signature
1099 * algorithms supported by the client.
1100 */
1101 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_pick_key_cert(mbedtls_ssl_context * ssl)1102 static int ssl_tls13_pick_key_cert(mbedtls_ssl_context *ssl)
1103 {
1104 mbedtls_ssl_key_cert *key_cert, *key_cert_list;
1105 const uint16_t *sig_alg = ssl->handshake->received_sig_algs;
1106
1107 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
1108 if (ssl->handshake->sni_key_cert != NULL) {
1109 key_cert_list = ssl->handshake->sni_key_cert;
1110 } else
1111 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
1112 key_cert_list = ssl->conf->key_cert;
1113
1114 if (key_cert_list == NULL) {
1115 MBEDTLS_SSL_DEBUG_MSG(3, ("server has no certificate"));
1116 return -1;
1117 }
1118
1119 for (; *sig_alg != MBEDTLS_TLS1_3_SIG_NONE; sig_alg++) {
1120 if (!mbedtls_ssl_sig_alg_is_offered(ssl, *sig_alg)) {
1121 continue;
1122 }
1123
1124 if (!mbedtls_ssl_tls13_sig_alg_for_cert_verify_is_supported(*sig_alg)) {
1125 continue;
1126 }
1127
1128 for (key_cert = key_cert_list; key_cert != NULL;
1129 key_cert = key_cert->next) {
1130 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1131 psa_algorithm_t psa_alg = PSA_ALG_NONE;
1132 #endif /* MBEDTLS_USE_PSA_CRYPTO */
1133
1134 MBEDTLS_SSL_DEBUG_CRT(3, "certificate (chain) candidate",
1135 key_cert->cert);
1136
1137 /*
1138 * This avoids sending the client a cert it'll reject based on
1139 * keyUsage or other extensions.
1140 */
1141 if (mbedtls_x509_crt_check_key_usage(
1142 key_cert->cert, MBEDTLS_X509_KU_DIGITAL_SIGNATURE) != 0 ||
1143 mbedtls_x509_crt_check_extended_key_usage(
1144 key_cert->cert, MBEDTLS_OID_SERVER_AUTH,
1145 MBEDTLS_OID_SIZE(MBEDTLS_OID_SERVER_AUTH)) != 0) {
1146 MBEDTLS_SSL_DEBUG_MSG(3, ("certificate mismatch: "
1147 "(extended) key usage extension"));
1148 continue;
1149 }
1150
1151 MBEDTLS_SSL_DEBUG_MSG(3,
1152 ("ssl_tls13_pick_key_cert:"
1153 "check signature algorithm %s [%04x]",
1154 mbedtls_ssl_sig_alg_to_str(*sig_alg),
1155 *sig_alg));
1156 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1157 psa_alg = ssl_tls13_iana_sig_alg_to_psa_alg(*sig_alg);
1158 #endif /* MBEDTLS_USE_PSA_CRYPTO */
1159
1160 if (mbedtls_ssl_tls13_check_sig_alg_cert_key_match(
1161 *sig_alg, &key_cert->cert->pk)
1162 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1163 && psa_alg != PSA_ALG_NONE &&
1164 mbedtls_pk_can_do_ext(&key_cert->cert->pk, psa_alg,
1165 PSA_KEY_USAGE_SIGN_HASH) == 1
1166 #endif /* MBEDTLS_USE_PSA_CRYPTO */
1167 ) {
1168 ssl->handshake->key_cert = key_cert;
1169 MBEDTLS_SSL_DEBUG_MSG(3,
1170 ("ssl_tls13_pick_key_cert:"
1171 "selected signature algorithm"
1172 " %s [%04x]",
1173 mbedtls_ssl_sig_alg_to_str(*sig_alg),
1174 *sig_alg));
1175 MBEDTLS_SSL_DEBUG_CRT(
1176 3, "selected certificate (chain)",
1177 ssl->handshake->key_cert->cert);
1178 return 0;
1179 }
1180 }
1181 }
1182
1183 MBEDTLS_SSL_DEBUG_MSG(2, ("ssl_tls13_pick_key_cert:"
1184 "no suitable certificate found"));
1185 return -1;
1186 }
1187 #endif /* MBEDTLS_X509_CRT_PARSE_C &&
1188 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
1189
1190 /*
1191 *
1192 * STATE HANDLING: ClientHello
1193 *
1194 * There are three possible classes of outcomes when parsing the ClientHello:
1195 *
1196 * 1) The ClientHello was well-formed and matched the server's configuration.
1197 *
1198 * In this case, the server progresses to sending its ServerHello.
1199 *
1200 * 2) The ClientHello was well-formed but didn't match the server's
1201 * configuration.
1202 *
1203 * For example, the client might not have offered a key share which
1204 * the server supports, or the server might require a cookie.
1205 *
1206 * In this case, the server sends a HelloRetryRequest.
1207 *
1208 * 3) The ClientHello was ill-formed
1209 *
1210 * In this case, we abort the handshake.
1211 *
1212 */
1213
1214 /*
1215 * Structure of this message:
1216 *
1217 * uint16 ProtocolVersion;
1218 * opaque Random[32];
1219 * uint8 CipherSuite[2]; // Cryptographic suite selector
1220 *
1221 * struct {
1222 * ProtocolVersion legacy_version = 0x0303; // TLS v1.2
1223 * Random random;
1224 * opaque legacy_session_id<0..32>;
1225 * CipherSuite cipher_suites<2..2^16-2>;
1226 * opaque legacy_compression_methods<1..2^8-1>;
1227 * Extension extensions<8..2^16-1>;
1228 * } ClientHello;
1229 */
1230
1231 #define SSL_CLIENT_HELLO_OK 0
1232 #define SSL_CLIENT_HELLO_HRR_REQUIRED 1
1233 #define SSL_CLIENT_HELLO_TLS1_2 2
1234
1235 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_parse_client_hello(mbedtls_ssl_context * ssl,const unsigned char * buf,const unsigned char * end)1236 static int ssl_tls13_parse_client_hello(mbedtls_ssl_context *ssl,
1237 const unsigned char *buf,
1238 const unsigned char *end)
1239 {
1240 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1241 const unsigned char *p = buf;
1242 const unsigned char *random;
1243 size_t legacy_session_id_len;
1244 const unsigned char *legacy_session_id;
1245 size_t cipher_suites_len;
1246 const unsigned char *cipher_suites;
1247 const unsigned char *cipher_suites_end;
1248 size_t extensions_len;
1249 const unsigned char *extensions_end;
1250 const unsigned char *supported_versions_data;
1251 const unsigned char *supported_versions_data_end;
1252 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
1253 int hrr_required = 0;
1254 int no_usable_share_for_key_agreement = 0;
1255
1256 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
1257 const unsigned char *pre_shared_key_ext = NULL;
1258 const unsigned char *pre_shared_key_ext_end = NULL;
1259 #endif
1260
1261 /*
1262 * ClientHello layout:
1263 * 0 . 1 protocol version
1264 * 2 . 33 random bytes
1265 * 34 . 34 session id length ( 1 byte )
1266 * 35 . 34+x session id
1267 * .. . .. ciphersuite list length ( 2 bytes )
1268 * .. . .. ciphersuite list
1269 * .. . .. compression alg. list length ( 1 byte )
1270 * .. . .. compression alg. list
1271 * .. . .. extensions length ( 2 bytes, optional )
1272 * .. . .. extensions ( optional )
1273 */
1274
1275 /*
1276 * Minimal length ( with everything empty and extensions omitted ) is
1277 * 2 + 32 + 1 + 2 + 1 = 38 bytes. Check that first, so that we can
1278 * read at least up to session id length without worrying.
1279 */
1280 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 38);
1281
1282 /* ...
1283 * ProtocolVersion legacy_version = 0x0303; // TLS 1.2
1284 * ...
1285 * with ProtocolVersion defined as:
1286 * uint16 ProtocolVersion;
1287 */
1288 if (mbedtls_ssl_read_version(p, ssl->conf->transport) !=
1289 MBEDTLS_SSL_VERSION_TLS1_2) {
1290 MBEDTLS_SSL_DEBUG_MSG(1, ("Unsupported version of TLS."));
1291 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION,
1292 MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION);
1293 return MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION;
1294 }
1295 p += 2;
1296
1297 /* ...
1298 * Random random;
1299 * ...
1300 * with Random defined as:
1301 * opaque Random[32];
1302 */
1303 random = p;
1304 p += MBEDTLS_CLIENT_HELLO_RANDOM_LEN;
1305
1306 /* ...
1307 * opaque legacy_session_id<0..32>;
1308 * ...
1309 */
1310 legacy_session_id_len = *(p++);
1311 legacy_session_id = p;
1312
1313 /*
1314 * Check we have enough data for the legacy session identifier
1315 * and the ciphersuite list length.
1316 */
1317 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, legacy_session_id_len + 2);
1318 p += legacy_session_id_len;
1319
1320 /* ...
1321 * CipherSuite cipher_suites<2..2^16-2>;
1322 * ...
1323 * with CipherSuite defined as:
1324 * uint8 CipherSuite[2];
1325 */
1326 cipher_suites_len = MBEDTLS_GET_UINT16_BE(p, 0);
1327 p += 2;
1328 cipher_suites = p;
1329
1330 /*
1331 * The length of the ciphersuite list has to be even.
1332 */
1333 if (cipher_suites_len & 1) {
1334 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
1335 MBEDTLS_ERR_SSL_DECODE_ERROR);
1336 return MBEDTLS_ERR_SSL_DECODE_ERROR;
1337 }
1338
1339 /* Check we have enough data for the ciphersuite list, the legacy
1340 * compression methods and the length of the extensions.
1341 *
1342 * cipher_suites cipher_suites_len bytes
1343 * legacy_compression_methods 2 bytes
1344 * extensions_len 2 bytes
1345 */
1346 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, cipher_suites_len + 2 + 2);
1347 p += cipher_suites_len;
1348 cipher_suites_end = p;
1349
1350 /*
1351 * Search for the supported versions extension and parse it to determine
1352 * if the client supports TLS 1.3.
1353 */
1354 ret = mbedtls_ssl_tls13_is_supported_versions_ext_present_in_exts(
1355 ssl, p + 2, end,
1356 &supported_versions_data, &supported_versions_data_end);
1357 if (ret < 0) {
1358 MBEDTLS_SSL_DEBUG_RET(1,
1359 ("mbedtls_ssl_tls13_is_supported_versions_ext_present_in_exts"), ret);
1360 return ret;
1361 }
1362
1363 if (ret == 0) {
1364 return SSL_CLIENT_HELLO_TLS1_2;
1365 }
1366
1367 if (ret == 1) {
1368 ret = ssl_tls13_parse_supported_versions_ext(ssl,
1369 supported_versions_data,
1370 supported_versions_data_end);
1371 if (ret < 0) {
1372 MBEDTLS_SSL_DEBUG_RET(1,
1373 ("ssl_tls13_parse_supported_versions_ext"), ret);
1374 return ret;
1375 }
1376
1377 /*
1378 * The supported versions extension was parsed successfully as the
1379 * value returned by ssl_tls13_parse_supported_versions_ext() is
1380 * positive. The return value is then equal to
1381 * MBEDTLS_SSL_VERSION_TLS1_2 or MBEDTLS_SSL_VERSION_TLS1_3, defining
1382 * the TLS version to negotiate.
1383 */
1384 if (MBEDTLS_SSL_VERSION_TLS1_2 == ret) {
1385 return SSL_CLIENT_HELLO_TLS1_2;
1386 }
1387 }
1388
1389 /*
1390 * We negotiate TLS 1.3.
1391 */
1392 ssl->tls_version = MBEDTLS_SSL_VERSION_TLS1_3;
1393
1394 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
1395 /* Store minor version for later use with ticket serialization. */
1396 ssl->session_negotiate->tls_version = MBEDTLS_SSL_VERSION_TLS1_3;
1397 ssl->session_negotiate->endpoint = ssl->conf->endpoint;
1398 #endif
1399
1400 /*
1401 * We are negotiating the version 1.3 of the protocol. Do what we have
1402 * postponed: copy of the client random bytes, copy of the legacy session
1403 * identifier and selection of the TLS 1.3 cipher suite.
1404 */
1405 MBEDTLS_SSL_DEBUG_BUF(3, "client hello, random bytes",
1406 random, MBEDTLS_CLIENT_HELLO_RANDOM_LEN);
1407 memcpy(&handshake->randbytes[0], random, MBEDTLS_CLIENT_HELLO_RANDOM_LEN);
1408
1409 if (legacy_session_id_len > sizeof(ssl->session_negotiate->id)) {
1410 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1411 return MBEDTLS_ERR_SSL_DECODE_ERROR;
1412 }
1413 ssl->session_negotiate->id_len = legacy_session_id_len;
1414 MBEDTLS_SSL_DEBUG_BUF(3, "client hello, session id",
1415 legacy_session_id, legacy_session_id_len);
1416 memcpy(&ssl->session_negotiate->id[0],
1417 legacy_session_id, legacy_session_id_len);
1418
1419 /*
1420 * Search for a matching ciphersuite
1421 */
1422 MBEDTLS_SSL_DEBUG_BUF(3, "client hello, list of cipher suites",
1423 cipher_suites, cipher_suites_len);
1424 for (const unsigned char *cipher_suites_p = cipher_suites;
1425 cipher_suites_p < cipher_suites_end; cipher_suites_p += 2) {
1426 uint16_t cipher_suite;
1427 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
1428
1429 /*
1430 * "cipher_suites_end - cipher_suites_p is even" is an invariant of the
1431 * loop. As cipher_suites_end - cipher_suites_p > 0, we have
1432 * cipher_suites_end - cipher_suites_p >= 2 and it is thus safe to read
1433 * two bytes.
1434 */
1435 cipher_suite = MBEDTLS_GET_UINT16_BE(cipher_suites_p, 0);
1436 ciphersuite_info = ssl_tls13_validate_peer_ciphersuite(
1437 ssl, cipher_suite);
1438 if (ciphersuite_info == NULL) {
1439 continue;
1440 }
1441
1442 ssl->session_negotiate->ciphersuite = cipher_suite;
1443 handshake->ciphersuite_info = ciphersuite_info;
1444 MBEDTLS_SSL_DEBUG_MSG(2, ("selected ciphersuite: %04x - %s",
1445 cipher_suite,
1446 ciphersuite_info->name));
1447 break;
1448 }
1449
1450 if (handshake->ciphersuite_info == NULL) {
1451 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
1452 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE);
1453 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
1454 }
1455
1456 /* ...
1457 * opaque legacy_compression_methods<1..2^8-1>;
1458 * ...
1459 */
1460 if (p[0] != 1 || p[1] != MBEDTLS_SSL_COMPRESS_NULL) {
1461 MBEDTLS_SSL_DEBUG_MSG(1, ("bad legacy compression method"));
1462 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
1463 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
1464 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
1465 }
1466 p += 2;
1467
1468 /* ...
1469 * Extension extensions<8..2^16-1>;
1470 * ...
1471 * with Extension defined as:
1472 * struct {
1473 * ExtensionType extension_type;
1474 * opaque extension_data<0..2^16-1>;
1475 * } Extension;
1476 */
1477 extensions_len = MBEDTLS_GET_UINT16_BE(p, 0);
1478 p += 2;
1479 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, extensions_len);
1480 extensions_end = p + extensions_len;
1481
1482 MBEDTLS_SSL_DEBUG_BUF(3, "client hello extensions", p, extensions_len);
1483 handshake->received_extensions = MBEDTLS_SSL_EXT_MASK_NONE;
1484
1485 while (p < extensions_end) {
1486 unsigned int extension_type;
1487 size_t extension_data_len;
1488 const unsigned char *extension_data_end;
1489
1490 /* RFC 8446, section 4.2.11
1491 *
1492 * The "pre_shared_key" extension MUST be the last extension in the
1493 * ClientHello (this facilitates implementation as described below).
1494 * Servers MUST check that it is the last extension and otherwise fail
1495 * the handshake with an "illegal_parameter" alert.
1496 */
1497 if (handshake->received_extensions & MBEDTLS_SSL_EXT_MASK(PRE_SHARED_KEY)) {
1498 MBEDTLS_SSL_DEBUG_MSG(
1499 3, ("pre_shared_key is not last extension."));
1500 MBEDTLS_SSL_PEND_FATAL_ALERT(
1501 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
1502 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
1503 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
1504 }
1505
1506 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, extensions_end, 4);
1507 extension_type = MBEDTLS_GET_UINT16_BE(p, 0);
1508 extension_data_len = MBEDTLS_GET_UINT16_BE(p, 2);
1509 p += 4;
1510
1511 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, extensions_end, extension_data_len);
1512 extension_data_end = p + extension_data_len;
1513
1514 ret = mbedtls_ssl_tls13_check_received_extension(
1515 ssl, MBEDTLS_SSL_HS_CLIENT_HELLO, extension_type,
1516 MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CH);
1517 if (ret != 0) {
1518 return ret;
1519 }
1520
1521 switch (extension_type) {
1522 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
1523 case MBEDTLS_TLS_EXT_SERVERNAME:
1524 MBEDTLS_SSL_DEBUG_MSG(3, ("found ServerName extension"));
1525 ret = mbedtls_ssl_parse_server_name_ext(ssl, p,
1526 extension_data_end);
1527 if (ret != 0) {
1528 MBEDTLS_SSL_DEBUG_RET(
1529 1, "mbedtls_ssl_parse_servername_ext", ret);
1530 return ret;
1531 }
1532 break;
1533 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
1534
1535 #if defined(PSA_WANT_ALG_ECDH) || defined(PSA_WANT_ALG_FFDH)
1536 case MBEDTLS_TLS_EXT_SUPPORTED_GROUPS:
1537 MBEDTLS_SSL_DEBUG_MSG(3, ("found supported group extension"));
1538
1539 /* Supported Groups Extension
1540 *
1541 * When sent by the client, the "supported_groups" extension
1542 * indicates the named groups which the client supports,
1543 * ordered from most preferred to least preferred.
1544 */
1545 ret = ssl_tls13_parse_supported_groups_ext(
1546 ssl, p, extension_data_end);
1547 if (ret != 0) {
1548 MBEDTLS_SSL_DEBUG_RET(
1549 1, "ssl_tls13_parse_supported_groups_ext", ret);
1550 return ret;
1551 }
1552
1553 break;
1554 #endif /* PSA_WANT_ALG_ECDH || PSA_WANT_ALG_FFDH*/
1555
1556 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)
1557 case MBEDTLS_TLS_EXT_KEY_SHARE:
1558 MBEDTLS_SSL_DEBUG_MSG(3, ("found key share extension"));
1559
1560 /*
1561 * Key Share Extension
1562 *
1563 * When sent by the client, the "key_share" extension
1564 * contains the endpoint's cryptographic parameters for
1565 * ECDHE/DHE key establishment methods.
1566 */
1567 ret = ssl_tls13_parse_key_shares_ext(
1568 ssl, p, extension_data_end);
1569 if (ret == SSL_TLS1_3_PARSE_KEY_SHARES_EXT_NO_MATCH) {
1570 MBEDTLS_SSL_DEBUG_MSG(2, ("No usable share for key agreement."));
1571 no_usable_share_for_key_agreement = 1;
1572 }
1573
1574 if (ret < 0) {
1575 MBEDTLS_SSL_DEBUG_RET(
1576 1, "ssl_tls13_parse_key_shares_ext", ret);
1577 return ret;
1578 }
1579
1580 break;
1581 #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED */
1582
1583 case MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS:
1584 /* Already parsed */
1585 break;
1586
1587 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
1588 case MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES:
1589 MBEDTLS_SSL_DEBUG_MSG(
1590 3, ("found psk key exchange modes extension"));
1591
1592 ret = ssl_tls13_parse_key_exchange_modes_ext(
1593 ssl, p, extension_data_end);
1594 if (ret != 0) {
1595 MBEDTLS_SSL_DEBUG_RET(
1596 1, "ssl_tls13_parse_key_exchange_modes_ext", ret);
1597 return ret;
1598 }
1599
1600 break;
1601 #endif
1602
1603 case MBEDTLS_TLS_EXT_PRE_SHARED_KEY:
1604 MBEDTLS_SSL_DEBUG_MSG(3, ("found pre_shared_key extension"));
1605 if ((handshake->received_extensions &
1606 MBEDTLS_SSL_EXT_MASK(PSK_KEY_EXCHANGE_MODES)) == 0) {
1607 MBEDTLS_SSL_PEND_FATAL_ALERT(
1608 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
1609 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
1610 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
1611 }
1612 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
1613 /* Delay processing of the PSK identity once we have
1614 * found out which algorithms to use. We keep a pointer
1615 * to the buffer and the size for later processing.
1616 */
1617 pre_shared_key_ext = p;
1618 pre_shared_key_ext_end = extension_data_end;
1619 #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */
1620 break;
1621
1622 #if defined(MBEDTLS_SSL_ALPN)
1623 case MBEDTLS_TLS_EXT_ALPN:
1624 MBEDTLS_SSL_DEBUG_MSG(3, ("found alpn extension"));
1625
1626 ret = mbedtls_ssl_parse_alpn_ext(ssl, p, extension_data_end);
1627 if (ret != 0) {
1628 MBEDTLS_SSL_DEBUG_RET(
1629 1, ("mbedtls_ssl_parse_alpn_ext"), ret);
1630 return ret;
1631 }
1632 break;
1633 #endif /* MBEDTLS_SSL_ALPN */
1634
1635 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
1636 case MBEDTLS_TLS_EXT_SIG_ALG:
1637 MBEDTLS_SSL_DEBUG_MSG(3, ("found signature_algorithms extension"));
1638
1639 ret = mbedtls_ssl_parse_sig_alg_ext(
1640 ssl, p, extension_data_end);
1641 if (ret != 0) {
1642 MBEDTLS_SSL_DEBUG_RET(
1643 1, "mbedtls_ssl_parse_sig_alg_ext", ret);
1644 return ret;
1645 }
1646 break;
1647 #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
1648
1649 #if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
1650 case MBEDTLS_TLS_EXT_RECORD_SIZE_LIMIT:
1651 MBEDTLS_SSL_DEBUG_MSG(3, ("found record_size_limit extension"));
1652
1653 ret = mbedtls_ssl_tls13_parse_record_size_limit_ext(
1654 ssl, p, extension_data_end);
1655
1656 /*
1657 * TODO: Return unconditionally here until we handle the record
1658 * size limit correctly.
1659 * Once handled correctly, only return in case of errors.
1660 */
1661 return ret;
1662
1663 break;
1664 #endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */
1665
1666 default:
1667 MBEDTLS_SSL_PRINT_EXT(
1668 3, MBEDTLS_SSL_HS_CLIENT_HELLO,
1669 extension_type, "( ignored )");
1670 break;
1671 }
1672
1673 p += extension_data_len;
1674 }
1675
1676 MBEDTLS_SSL_PRINT_EXTS(3, MBEDTLS_SSL_HS_CLIENT_HELLO,
1677 handshake->received_extensions);
1678
1679 ret = mbedtls_ssl_add_hs_hdr_to_checksum(ssl,
1680 MBEDTLS_SSL_HS_CLIENT_HELLO,
1681 p - buf);
1682 if (0 != ret) {
1683 MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ssl_add_hs_hdr_to_checksum"), ret);
1684 return ret;
1685 }
1686
1687 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
1688 /* Update checksum with either
1689 * - The entire content of the CH message, if no PSK extension is present
1690 * - The content up to but excluding the PSK extension, if present.
1691 */
1692 /* If we've settled on a PSK-based exchange, parse PSK identity ext */
1693 if (mbedtls_ssl_tls13_some_psk_enabled(ssl) &&
1694 mbedtls_ssl_conf_tls13_some_psk_enabled(ssl) &&
1695 (handshake->received_extensions & MBEDTLS_SSL_EXT_MASK(PRE_SHARED_KEY))) {
1696 ret = handshake->update_checksum(ssl, buf,
1697 pre_shared_key_ext - buf);
1698 if (0 != ret) {
1699 MBEDTLS_SSL_DEBUG_RET(1, ("update_checksum"), ret);
1700 return ret;
1701 }
1702 ret = ssl_tls13_parse_pre_shared_key_ext(ssl,
1703 pre_shared_key_ext,
1704 pre_shared_key_ext_end,
1705 cipher_suites,
1706 cipher_suites_end);
1707 if (ret == MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY) {
1708 handshake->received_extensions &= ~MBEDTLS_SSL_EXT_MASK(PRE_SHARED_KEY);
1709 } else if (ret != 0) {
1710 MBEDTLS_SSL_DEBUG_RET(
1711 1, "ssl_tls13_parse_pre_shared_key_ext", ret);
1712 return ret;
1713 }
1714 } else
1715 #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */
1716 {
1717 ret = handshake->update_checksum(ssl, buf, p - buf);
1718 if (0 != ret) {
1719 MBEDTLS_SSL_DEBUG_RET(1, ("update_checksum"), ret);
1720 return ret;
1721 }
1722 }
1723
1724 ret = ssl_tls13_determine_key_exchange_mode(ssl);
1725 if (ret < 0) {
1726 return ret;
1727 }
1728
1729 if (ssl->handshake->key_exchange_mode !=
1730 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK) {
1731 hrr_required = (no_usable_share_for_key_agreement != 0);
1732 }
1733
1734 mbedtls_ssl_optimize_checksum(ssl, handshake->ciphersuite_info);
1735
1736 return hrr_required ? SSL_CLIENT_HELLO_HRR_REQUIRED : SSL_CLIENT_HELLO_OK;
1737 }
1738
1739 /* Update the handshake state machine */
1740
1741 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_postprocess_client_hello(mbedtls_ssl_context * ssl)1742 static int ssl_tls13_postprocess_client_hello(mbedtls_ssl_context *ssl)
1743 {
1744 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1745
1746 /*
1747 * Server certificate selection
1748 */
1749 if (ssl->conf->f_cert_cb && (ret = ssl->conf->f_cert_cb(ssl)) != 0) {
1750 MBEDTLS_SSL_DEBUG_RET(1, "f_cert_cb", ret);
1751 return ret;
1752 }
1753 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
1754 ssl->handshake->sni_name = NULL;
1755 ssl->handshake->sni_name_len = 0;
1756 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
1757
1758 ret = mbedtls_ssl_tls13_key_schedule_stage_early(ssl);
1759 if (ret != 0) {
1760 MBEDTLS_SSL_DEBUG_RET(1,
1761 "mbedtls_ssl_tls1_3_key_schedule_stage_early", ret);
1762 return ret;
1763 }
1764
1765 return 0;
1766
1767 }
1768
1769 /*
1770 * Main entry point from the state machine; orchestrates the otherfunctions.
1771 */
1772
1773 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_process_client_hello(mbedtls_ssl_context * ssl)1774 static int ssl_tls13_process_client_hello(mbedtls_ssl_context *ssl)
1775 {
1776
1777 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1778 unsigned char *buf = NULL;
1779 size_t buflen = 0;
1780 int parse_client_hello_ret;
1781
1782 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse client hello"));
1783
1784 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_tls13_fetch_handshake_msg(
1785 ssl, MBEDTLS_SSL_HS_CLIENT_HELLO,
1786 &buf, &buflen));
1787
1788 MBEDTLS_SSL_PROC_CHK_NEG(ssl_tls13_parse_client_hello(ssl, buf,
1789 buf + buflen));
1790 parse_client_hello_ret = ret; /* Store positive return value of
1791 * parse_client_hello,
1792 * as negative error codes are handled
1793 * by MBEDTLS_SSL_PROC_CHK_NEG. */
1794
1795 /*
1796 * Version 1.2 of the protocol has been chosen, set the
1797 * ssl->keep_current_message flag for the ClientHello to be kept and parsed
1798 * as a TLS 1.2 ClientHello. We also change ssl->tls_version to
1799 * MBEDTLS_SSL_VERSION_TLS1_2 thus from now on mbedtls_ssl_handshake_step()
1800 * will dispatch to the TLS 1.2 state machine.
1801 */
1802 if (SSL_CLIENT_HELLO_TLS1_2 == parse_client_hello_ret) {
1803 ssl->keep_current_message = 1;
1804 ssl->tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
1805 return 0;
1806 }
1807
1808 MBEDTLS_SSL_PROC_CHK(ssl_tls13_postprocess_client_hello(ssl));
1809
1810 if (SSL_CLIENT_HELLO_OK == parse_client_hello_ret) {
1811 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_HELLO);
1812 } else {
1813 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HELLO_RETRY_REQUEST);
1814 }
1815
1816 cleanup:
1817
1818 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse client hello"));
1819 return ret;
1820 }
1821
1822 /*
1823 * Handler for MBEDTLS_SSL_SERVER_HELLO
1824 */
1825 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_prepare_server_hello(mbedtls_ssl_context * ssl)1826 static int ssl_tls13_prepare_server_hello(mbedtls_ssl_context *ssl)
1827 {
1828 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1829 unsigned char *server_randbytes =
1830 ssl->handshake->randbytes + MBEDTLS_CLIENT_HELLO_RANDOM_LEN;
1831 if (ssl->conf->f_rng == NULL) {
1832 MBEDTLS_SSL_DEBUG_MSG(1, ("no RNG provided"));
1833 return MBEDTLS_ERR_SSL_NO_RNG;
1834 }
1835
1836 if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, server_randbytes,
1837 MBEDTLS_SERVER_HELLO_RANDOM_LEN)) != 0) {
1838 MBEDTLS_SSL_DEBUG_RET(1, "f_rng", ret);
1839 return ret;
1840 }
1841
1842 MBEDTLS_SSL_DEBUG_BUF(3, "server hello, random bytes", server_randbytes,
1843 MBEDTLS_SERVER_HELLO_RANDOM_LEN);
1844
1845 #if defined(MBEDTLS_HAVE_TIME)
1846 ssl->session_negotiate->start = mbedtls_time(NULL);
1847 #endif /* MBEDTLS_HAVE_TIME */
1848
1849 return ret;
1850 }
1851
1852 /*
1853 * ssl_tls13_write_server_hello_supported_versions_ext ():
1854 *
1855 * struct {
1856 * ProtocolVersion selected_version;
1857 * } SupportedVersions;
1858 */
1859 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_write_server_hello_supported_versions_ext(mbedtls_ssl_context * ssl,unsigned char * buf,unsigned char * end,size_t * out_len)1860 static int ssl_tls13_write_server_hello_supported_versions_ext(
1861 mbedtls_ssl_context *ssl,
1862 unsigned char *buf,
1863 unsigned char *end,
1864 size_t *out_len)
1865 {
1866 *out_len = 0;
1867
1868 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, write selected version"));
1869
1870 /* Check if we have space to write the extension:
1871 * - extension_type (2 bytes)
1872 * - extension_data_length (2 bytes)
1873 * - selected_version (2 bytes)
1874 */
1875 MBEDTLS_SSL_CHK_BUF_PTR(buf, end, 6);
1876
1877 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS, buf, 0);
1878
1879 MBEDTLS_PUT_UINT16_BE(2, buf, 2);
1880
1881 mbedtls_ssl_write_version(buf + 4,
1882 ssl->conf->transport,
1883 ssl->tls_version);
1884
1885 MBEDTLS_SSL_DEBUG_MSG(3, ("supported version: [%04x]",
1886 ssl->tls_version));
1887
1888 *out_len = 6;
1889
1890 mbedtls_ssl_tls13_set_hs_sent_ext_mask(
1891 ssl, MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS);
1892
1893 return 0;
1894 }
1895
1896
1897
1898 /* Generate and export a single key share. For hybrid KEMs, this can
1899 * be called multiple times with the different components of the hybrid. */
1900 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_generate_and_write_key_share(mbedtls_ssl_context * ssl,uint16_t named_group,unsigned char * buf,unsigned char * end,size_t * out_len)1901 static int ssl_tls13_generate_and_write_key_share(mbedtls_ssl_context *ssl,
1902 uint16_t named_group,
1903 unsigned char *buf,
1904 unsigned char *end,
1905 size_t *out_len)
1906 {
1907 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1908
1909 *out_len = 0;
1910
1911 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)
1912 if (mbedtls_ssl_tls13_named_group_is_ecdhe(named_group) ||
1913 mbedtls_ssl_tls13_named_group_is_ffdh(named_group)) {
1914 ret = mbedtls_ssl_tls13_generate_and_write_xxdh_key_exchange(
1915 ssl, named_group, buf, end, out_len);
1916 if (ret != 0) {
1917 MBEDTLS_SSL_DEBUG_RET(
1918 1, "mbedtls_ssl_tls13_generate_and_write_xxdh_key_exchange",
1919 ret);
1920 return ret;
1921 }
1922 } else
1923 #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED */
1924 if (0 /* Other kinds of KEMs */) {
1925 } else {
1926 ((void) ssl);
1927 ((void) named_group);
1928 ((void) buf);
1929 ((void) end);
1930 ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
1931 }
1932
1933 return ret;
1934 }
1935
1936 /*
1937 * ssl_tls13_write_key_share_ext
1938 *
1939 * Structure of key_share extension in ServerHello:
1940 *
1941 * struct {
1942 * NamedGroup group;
1943 * opaque key_exchange<1..2^16-1>;
1944 * } KeyShareEntry;
1945 * struct {
1946 * KeyShareEntry server_share;
1947 * } KeyShareServerHello;
1948 */
1949 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_write_key_share_ext(mbedtls_ssl_context * ssl,unsigned char * buf,unsigned char * end,size_t * out_len)1950 static int ssl_tls13_write_key_share_ext(mbedtls_ssl_context *ssl,
1951 unsigned char *buf,
1952 unsigned char *end,
1953 size_t *out_len)
1954 {
1955 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1956 unsigned char *p = buf;
1957 uint16_t group = ssl->handshake->offered_group_id;
1958 unsigned char *server_share = buf + 4;
1959 size_t key_exchange_length;
1960
1961 *out_len = 0;
1962
1963 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding key share extension"));
1964
1965 MBEDTLS_SSL_DEBUG_MSG(2, ("server hello, write selected_group: %s (%04x)",
1966 mbedtls_ssl_named_group_to_str(group),
1967 group));
1968
1969 /* Check if we have space for header and length fields:
1970 * - extension_type (2 bytes)
1971 * - extension_data_length (2 bytes)
1972 * - group (2 bytes)
1973 * - key_exchange_length (2 bytes)
1974 */
1975 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 8);
1976 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_KEY_SHARE, p, 0);
1977 MBEDTLS_PUT_UINT16_BE(group, server_share, 0);
1978 p += 8;
1979
1980 /* When we introduce PQC-ECDHE hybrids, we'll want to call this
1981 * function multiple times. */
1982 ret = ssl_tls13_generate_and_write_key_share(
1983 ssl, group, server_share + 4, end, &key_exchange_length);
1984 if (ret != 0) {
1985 return ret;
1986 }
1987 p += key_exchange_length;
1988
1989 MBEDTLS_PUT_UINT16_BE(key_exchange_length, server_share + 2, 0);
1990
1991 MBEDTLS_PUT_UINT16_BE(p - server_share, buf, 2);
1992
1993 *out_len = p - buf;
1994
1995 mbedtls_ssl_tls13_set_hs_sent_ext_mask(ssl, MBEDTLS_TLS_EXT_KEY_SHARE);
1996
1997 return 0;
1998 }
1999
2000 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_write_hrr_key_share_ext(mbedtls_ssl_context * ssl,unsigned char * buf,unsigned char * end,size_t * out_len)2001 static int ssl_tls13_write_hrr_key_share_ext(mbedtls_ssl_context *ssl,
2002 unsigned char *buf,
2003 unsigned char *end,
2004 size_t *out_len)
2005 {
2006 uint16_t selected_group = ssl->handshake->hrr_selected_group;
2007 /* key_share Extension
2008 *
2009 * struct {
2010 * select (Handshake.msg_type) {
2011 * ...
2012 * case hello_retry_request:
2013 * NamedGroup selected_group;
2014 * ...
2015 * };
2016 * } KeyShare;
2017 */
2018
2019 *out_len = 0;
2020
2021 /*
2022 * For a pure PSK key exchange, there is no group to agree upon. The purpose
2023 * of the HRR is then to transmit a cookie to force the client to demonstrate
2024 * reachability at their apparent network address (primarily useful for DTLS).
2025 */
2026 if (!mbedtls_ssl_tls13_key_exchange_mode_with_ephemeral(ssl)) {
2027 return 0;
2028 }
2029
2030 /* We should only send the key_share extension if the client's initial
2031 * key share was not acceptable. */
2032 if (ssl->handshake->offered_group_id != 0) {
2033 MBEDTLS_SSL_DEBUG_MSG(4, ("Skip key_share extension in HRR"));
2034 return 0;
2035 }
2036
2037 if (selected_group == 0) {
2038 MBEDTLS_SSL_DEBUG_MSG(1, ("no matching named group found"));
2039 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
2040 }
2041
2042 /* Check if we have enough space:
2043 * - extension_type (2 bytes)
2044 * - extension_data_length (2 bytes)
2045 * - selected_group (2 bytes)
2046 */
2047 MBEDTLS_SSL_CHK_BUF_PTR(buf, end, 6);
2048
2049 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_KEY_SHARE, buf, 0);
2050 MBEDTLS_PUT_UINT16_BE(2, buf, 2);
2051 MBEDTLS_PUT_UINT16_BE(selected_group, buf, 4);
2052
2053 MBEDTLS_SSL_DEBUG_MSG(3,
2054 ("HRR selected_group: %s (%x)",
2055 mbedtls_ssl_named_group_to_str(selected_group),
2056 selected_group));
2057
2058 *out_len = 6;
2059
2060 mbedtls_ssl_tls13_set_hs_sent_ext_mask(ssl, MBEDTLS_TLS_EXT_KEY_SHARE);
2061
2062 return 0;
2063 }
2064
2065 /*
2066 * Structure of ServerHello message:
2067 *
2068 * struct {
2069 * ProtocolVersion legacy_version = 0x0303; // TLS v1.2
2070 * Random random;
2071 * opaque legacy_session_id_echo<0..32>;
2072 * CipherSuite cipher_suite;
2073 * uint8 legacy_compression_method = 0;
2074 * Extension extensions<6..2^16-1>;
2075 * } ServerHello;
2076 */
2077 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_write_server_hello_body(mbedtls_ssl_context * ssl,unsigned char * buf,unsigned char * end,size_t * out_len,int is_hrr)2078 static int ssl_tls13_write_server_hello_body(mbedtls_ssl_context *ssl,
2079 unsigned char *buf,
2080 unsigned char *end,
2081 size_t *out_len,
2082 int is_hrr)
2083 {
2084 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2085 unsigned char *p = buf;
2086 unsigned char *p_extensions_len;
2087 size_t output_len;
2088
2089 *out_len = 0;
2090 ssl->handshake->sent_extensions = MBEDTLS_SSL_EXT_MASK_NONE;
2091
2092 /* ...
2093 * ProtocolVersion legacy_version = 0x0303; // TLS 1.2
2094 * ...
2095 * with ProtocolVersion defined as:
2096 * uint16 ProtocolVersion;
2097 */
2098 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2);
2099 MBEDTLS_PUT_UINT16_BE(0x0303, p, 0);
2100 p += 2;
2101
2102 /* ...
2103 * Random random;
2104 * ...
2105 * with Random defined as:
2106 * opaque Random[MBEDTLS_SERVER_HELLO_RANDOM_LEN];
2107 */
2108 MBEDTLS_SSL_CHK_BUF_PTR(p, end, MBEDTLS_SERVER_HELLO_RANDOM_LEN);
2109 if (is_hrr) {
2110 memcpy(p, mbedtls_ssl_tls13_hello_retry_request_magic,
2111 MBEDTLS_SERVER_HELLO_RANDOM_LEN);
2112 } else {
2113 memcpy(p, &ssl->handshake->randbytes[MBEDTLS_CLIENT_HELLO_RANDOM_LEN],
2114 MBEDTLS_SERVER_HELLO_RANDOM_LEN);
2115 }
2116 MBEDTLS_SSL_DEBUG_BUF(3, "server hello, random bytes",
2117 p, MBEDTLS_SERVER_HELLO_RANDOM_LEN);
2118 p += MBEDTLS_SERVER_HELLO_RANDOM_LEN;
2119
2120 /* ...
2121 * opaque legacy_session_id_echo<0..32>;
2122 * ...
2123 */
2124 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 1 + ssl->session_negotiate->id_len);
2125 *p++ = (unsigned char) ssl->session_negotiate->id_len;
2126 if (ssl->session_negotiate->id_len > 0) {
2127 memcpy(p, &ssl->session_negotiate->id[0],
2128 ssl->session_negotiate->id_len);
2129 p += ssl->session_negotiate->id_len;
2130
2131 MBEDTLS_SSL_DEBUG_BUF(3, "session id", ssl->session_negotiate->id,
2132 ssl->session_negotiate->id_len);
2133 }
2134
2135 /* ...
2136 * CipherSuite cipher_suite;
2137 * ...
2138 * with CipherSuite defined as:
2139 * uint8 CipherSuite[2];
2140 */
2141 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2);
2142 MBEDTLS_PUT_UINT16_BE(ssl->session_negotiate->ciphersuite, p, 0);
2143 p += 2;
2144 MBEDTLS_SSL_DEBUG_MSG(3,
2145 ("server hello, chosen ciphersuite: %s ( id=%d )",
2146 mbedtls_ssl_get_ciphersuite_name(
2147 ssl->session_negotiate->ciphersuite),
2148 ssl->session_negotiate->ciphersuite));
2149
2150 /* ...
2151 * uint8 legacy_compression_method = 0;
2152 * ...
2153 */
2154 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 1);
2155 *p++ = MBEDTLS_SSL_COMPRESS_NULL;
2156
2157 /* ...
2158 * Extension extensions<6..2^16-1>;
2159 * ...
2160 * struct {
2161 * ExtensionType extension_type; (2 bytes)
2162 * opaque extension_data<0..2^16-1>;
2163 * } Extension;
2164 */
2165 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2);
2166 p_extensions_len = p;
2167 p += 2;
2168
2169 if ((ret = ssl_tls13_write_server_hello_supported_versions_ext(
2170 ssl, p, end, &output_len)) != 0) {
2171 MBEDTLS_SSL_DEBUG_RET(
2172 1, "ssl_tls13_write_server_hello_supported_versions_ext", ret);
2173 return ret;
2174 }
2175 p += output_len;
2176
2177 if (mbedtls_ssl_tls13_key_exchange_mode_with_ephemeral(ssl)) {
2178 if (is_hrr) {
2179 ret = ssl_tls13_write_hrr_key_share_ext(ssl, p, end, &output_len);
2180 } else {
2181 ret = ssl_tls13_write_key_share_ext(ssl, p, end, &output_len);
2182 }
2183 if (ret != 0) {
2184 return ret;
2185 }
2186 p += output_len;
2187 }
2188
2189 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
2190 if (!is_hrr && mbedtls_ssl_tls13_key_exchange_mode_with_psk(ssl)) {
2191 ret = ssl_tls13_write_server_pre_shared_key_ext(ssl, p, end, &output_len);
2192 if (ret != 0) {
2193 MBEDTLS_SSL_DEBUG_RET(1, "ssl_tls13_write_server_pre_shared_key_ext",
2194 ret);
2195 return ret;
2196 }
2197 p += output_len;
2198 }
2199 #endif
2200
2201 MBEDTLS_PUT_UINT16_BE(p - p_extensions_len - 2, p_extensions_len, 0);
2202
2203 MBEDTLS_SSL_DEBUG_BUF(4, "server hello extensions",
2204 p_extensions_len, p - p_extensions_len);
2205
2206 *out_len = p - buf;
2207
2208 MBEDTLS_SSL_DEBUG_BUF(3, "server hello", buf, *out_len);
2209
2210 MBEDTLS_SSL_PRINT_EXTS(
2211 3, is_hrr ? MBEDTLS_SSL_TLS1_3_HS_HELLO_RETRY_REQUEST :
2212 MBEDTLS_SSL_HS_SERVER_HELLO,
2213 ssl->handshake->sent_extensions);
2214
2215 return ret;
2216 }
2217
2218 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_finalize_server_hello(mbedtls_ssl_context * ssl)2219 static int ssl_tls13_finalize_server_hello(mbedtls_ssl_context *ssl)
2220 {
2221 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2222 ret = mbedtls_ssl_tls13_compute_handshake_transform(ssl);
2223 if (ret != 0) {
2224 MBEDTLS_SSL_DEBUG_RET(1,
2225 "mbedtls_ssl_tls13_compute_handshake_transform",
2226 ret);
2227 return ret;
2228 }
2229
2230 return ret;
2231 }
2232
2233 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_write_server_hello(mbedtls_ssl_context * ssl)2234 static int ssl_tls13_write_server_hello(mbedtls_ssl_context *ssl)
2235 {
2236 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2237 unsigned char *buf;
2238 size_t buf_len, msg_len;
2239
2240 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write server hello"));
2241
2242 MBEDTLS_SSL_PROC_CHK(ssl_tls13_prepare_server_hello(ssl));
2243
2244 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_start_handshake_msg(
2245 ssl, MBEDTLS_SSL_HS_SERVER_HELLO, &buf, &buf_len));
2246
2247 MBEDTLS_SSL_PROC_CHK(ssl_tls13_write_server_hello_body(ssl, buf,
2248 buf + buf_len,
2249 &msg_len,
2250 0));
2251
2252 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(
2253 ssl, MBEDTLS_SSL_HS_SERVER_HELLO, buf, msg_len));
2254
2255 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_finish_handshake_msg(
2256 ssl, buf_len, msg_len));
2257
2258 MBEDTLS_SSL_PROC_CHK(ssl_tls13_finalize_server_hello(ssl));
2259
2260 #if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
2261 /* The server sends a dummy change_cipher_spec record immediately
2262 * after its first handshake message. This may either be after
2263 * a ServerHello or a HelloRetryRequest.
2264 */
2265 mbedtls_ssl_handshake_set_state(
2266 ssl, MBEDTLS_SSL_SERVER_CCS_AFTER_SERVER_HELLO);
2267 #else
2268 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_ENCRYPTED_EXTENSIONS);
2269 #endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
2270
2271 cleanup:
2272
2273 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write server hello"));
2274 return ret;
2275 }
2276
2277
2278 /*
2279 * Handler for MBEDTLS_SSL_HELLO_RETRY_REQUEST
2280 */
2281 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_prepare_hello_retry_request(mbedtls_ssl_context * ssl)2282 static int ssl_tls13_prepare_hello_retry_request(mbedtls_ssl_context *ssl)
2283 {
2284 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2285 if (ssl->handshake->hello_retry_request_count > 0) {
2286 MBEDTLS_SSL_DEBUG_MSG(1, ("Too many HRRs"));
2287 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
2288 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE);
2289 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
2290 }
2291
2292 /*
2293 * Create stateless transcript hash for HRR
2294 */
2295 MBEDTLS_SSL_DEBUG_MSG(4, ("Reset transcript for HRR"));
2296 ret = mbedtls_ssl_reset_transcript_for_hrr(ssl);
2297 if (ret != 0) {
2298 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_reset_transcript_for_hrr", ret);
2299 return ret;
2300 }
2301 mbedtls_ssl_session_reset_msg_layer(ssl, 0);
2302
2303 return 0;
2304 }
2305
2306 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_write_hello_retry_request(mbedtls_ssl_context * ssl)2307 static int ssl_tls13_write_hello_retry_request(mbedtls_ssl_context *ssl)
2308 {
2309 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2310 unsigned char *buf;
2311 size_t buf_len, msg_len;
2312
2313 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write hello retry request"));
2314
2315 MBEDTLS_SSL_PROC_CHK(ssl_tls13_prepare_hello_retry_request(ssl));
2316
2317 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_start_handshake_msg(
2318 ssl, MBEDTLS_SSL_HS_SERVER_HELLO,
2319 &buf, &buf_len));
2320
2321 MBEDTLS_SSL_PROC_CHK(ssl_tls13_write_server_hello_body(ssl, buf,
2322 buf + buf_len,
2323 &msg_len,
2324 1));
2325 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(
2326 ssl, MBEDTLS_SSL_HS_SERVER_HELLO, buf, msg_len));
2327
2328
2329 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_finish_handshake_msg(ssl, buf_len,
2330 msg_len));
2331
2332 ssl->handshake->hello_retry_request_count++;
2333
2334 #if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
2335 /* The server sends a dummy change_cipher_spec record immediately
2336 * after its first handshake message. This may either be after
2337 * a ServerHello or a HelloRetryRequest.
2338 */
2339 mbedtls_ssl_handshake_set_state(
2340 ssl, MBEDTLS_SSL_SERVER_CCS_AFTER_HELLO_RETRY_REQUEST);
2341 #else
2342 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_HELLO);
2343 #endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
2344
2345 cleanup:
2346 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write hello retry request"));
2347 return ret;
2348 }
2349
2350 /*
2351 * Handler for MBEDTLS_SSL_ENCRYPTED_EXTENSIONS
2352 */
2353
2354 /*
2355 * struct {
2356 * Extension extensions<0..2 ^ 16 - 1>;
2357 * } EncryptedExtensions;
2358 *
2359 */
2360 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_write_encrypted_extensions_body(mbedtls_ssl_context * ssl,unsigned char * buf,unsigned char * end,size_t * out_len)2361 static int ssl_tls13_write_encrypted_extensions_body(mbedtls_ssl_context *ssl,
2362 unsigned char *buf,
2363 unsigned char *end,
2364 size_t *out_len)
2365 {
2366 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2367 unsigned char *p = buf;
2368 size_t extensions_len = 0;
2369 unsigned char *p_extensions_len;
2370 size_t output_len;
2371
2372 *out_len = 0;
2373
2374 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2);
2375 p_extensions_len = p;
2376 p += 2;
2377
2378 ((void) ssl);
2379 ((void) ret);
2380 ((void) output_len);
2381
2382 #if defined(MBEDTLS_SSL_ALPN)
2383 ret = mbedtls_ssl_write_alpn_ext(ssl, p, end, &output_len);
2384 if (ret != 0) {
2385 return ret;
2386 }
2387 p += output_len;
2388 #endif /* MBEDTLS_SSL_ALPN */
2389
2390 extensions_len = (p - p_extensions_len) - 2;
2391 MBEDTLS_PUT_UINT16_BE(extensions_len, p_extensions_len, 0);
2392
2393 *out_len = p - buf;
2394
2395 MBEDTLS_SSL_DEBUG_BUF(4, "encrypted extensions", buf, *out_len);
2396
2397 MBEDTLS_SSL_PRINT_EXTS(
2398 3, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS, ssl->handshake->sent_extensions);
2399
2400 return 0;
2401 }
2402
2403 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_write_encrypted_extensions(mbedtls_ssl_context * ssl)2404 static int ssl_tls13_write_encrypted_extensions(mbedtls_ssl_context *ssl)
2405 {
2406 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2407 unsigned char *buf;
2408 size_t buf_len, msg_len;
2409
2410 mbedtls_ssl_set_outbound_transform(ssl,
2411 ssl->handshake->transform_handshake);
2412 MBEDTLS_SSL_DEBUG_MSG(
2413 3, ("switching to handshake transform for outbound data"));
2414
2415 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write encrypted extensions"));
2416
2417 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_start_handshake_msg(
2418 ssl, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS,
2419 &buf, &buf_len));
2420
2421 MBEDTLS_SSL_PROC_CHK(ssl_tls13_write_encrypted_extensions_body(
2422 ssl, buf, buf + buf_len, &msg_len));
2423
2424 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(
2425 ssl, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS,
2426 buf, msg_len));
2427
2428 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_finish_handshake_msg(
2429 ssl, buf_len, msg_len));
2430
2431 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
2432 if (mbedtls_ssl_tls13_key_exchange_mode_with_psk(ssl)) {
2433 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_FINISHED);
2434 } else {
2435 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CERTIFICATE_REQUEST);
2436 }
2437 #else
2438 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_FINISHED);
2439 #endif
2440
2441 cleanup:
2442
2443 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write encrypted extensions"));
2444 return ret;
2445 }
2446
2447 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
2448 #define SSL_CERTIFICATE_REQUEST_SEND_REQUEST 0
2449 #define SSL_CERTIFICATE_REQUEST_SKIP 1
2450 /* Coordination:
2451 * Check whether a CertificateRequest message should be written.
2452 * Returns a negative code on failure, or
2453 * - SSL_CERTIFICATE_REQUEST_SEND_REQUEST
2454 * - SSL_CERTIFICATE_REQUEST_SKIP
2455 * indicating if the writing of the CertificateRequest
2456 * should be skipped or not.
2457 */
2458 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_certificate_request_coordinate(mbedtls_ssl_context * ssl)2459 static int ssl_tls13_certificate_request_coordinate(mbedtls_ssl_context *ssl)
2460 {
2461 int authmode;
2462
2463 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
2464 if (ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET) {
2465 authmode = ssl->handshake->sni_authmode;
2466 } else
2467 #endif
2468 authmode = ssl->conf->authmode;
2469
2470 if (authmode == MBEDTLS_SSL_VERIFY_NONE) {
2471 ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_SKIP_VERIFY;
2472 return SSL_CERTIFICATE_REQUEST_SKIP;
2473 }
2474
2475 ssl->handshake->certificate_request_sent = 1;
2476
2477 return SSL_CERTIFICATE_REQUEST_SEND_REQUEST;
2478 }
2479
2480 /*
2481 * struct {
2482 * opaque certificate_request_context<0..2^8-1>;
2483 * Extension extensions<2..2^16-1>;
2484 * } CertificateRequest;
2485 *
2486 */
2487 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_write_certificate_request_body(mbedtls_ssl_context * ssl,unsigned char * buf,const unsigned char * end,size_t * out_len)2488 static int ssl_tls13_write_certificate_request_body(mbedtls_ssl_context *ssl,
2489 unsigned char *buf,
2490 const unsigned char *end,
2491 size_t *out_len)
2492 {
2493 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2494 unsigned char *p = buf;
2495 size_t output_len = 0;
2496 unsigned char *p_extensions_len;
2497
2498 *out_len = 0;
2499
2500 /* Check if we have enough space:
2501 * - certificate_request_context (1 byte)
2502 * - extensions length (2 bytes)
2503 */
2504 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 3);
2505
2506 /*
2507 * Write certificate_request_context
2508 */
2509 /*
2510 * We use a zero length context for the normal handshake
2511 * messages. For post-authentication handshake messages
2512 * this request context would be set to a non-zero value.
2513 */
2514 *p++ = 0x0;
2515
2516 /*
2517 * Write extensions
2518 */
2519 /* The extensions must contain the signature_algorithms. */
2520 p_extensions_len = p;
2521 p += 2;
2522 ret = mbedtls_ssl_write_sig_alg_ext(ssl, p, end, &output_len);
2523 if (ret != 0) {
2524 return ret;
2525 }
2526
2527 p += output_len;
2528 MBEDTLS_PUT_UINT16_BE(p - p_extensions_len - 2, p_extensions_len, 0);
2529
2530 *out_len = p - buf;
2531
2532 MBEDTLS_SSL_PRINT_EXTS(
2533 3, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST, ssl->handshake->sent_extensions);
2534
2535 return 0;
2536 }
2537
2538 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_write_certificate_request(mbedtls_ssl_context * ssl)2539 static int ssl_tls13_write_certificate_request(mbedtls_ssl_context *ssl)
2540 {
2541 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2542
2543 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate request"));
2544
2545 MBEDTLS_SSL_PROC_CHK_NEG(ssl_tls13_certificate_request_coordinate(ssl));
2546
2547 if (ret == SSL_CERTIFICATE_REQUEST_SEND_REQUEST) {
2548 unsigned char *buf;
2549 size_t buf_len, msg_len;
2550
2551 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_start_handshake_msg(
2552 ssl, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST,
2553 &buf, &buf_len));
2554
2555 MBEDTLS_SSL_PROC_CHK(ssl_tls13_write_certificate_request_body(
2556 ssl, buf, buf + buf_len, &msg_len));
2557
2558 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(
2559 ssl, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST,
2560 buf, msg_len));
2561
2562 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_finish_handshake_msg(
2563 ssl, buf_len, msg_len));
2564 } else if (ret == SSL_CERTIFICATE_REQUEST_SKIP) {
2565 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate request"));
2566 ret = 0;
2567 } else {
2568 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
2569 ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
2570 goto cleanup;
2571 }
2572
2573 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_CERTIFICATE);
2574 cleanup:
2575
2576 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write certificate request"));
2577 return ret;
2578 }
2579
2580 /*
2581 * Handler for MBEDTLS_SSL_SERVER_CERTIFICATE
2582 */
2583 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_write_server_certificate(mbedtls_ssl_context * ssl)2584 static int ssl_tls13_write_server_certificate(mbedtls_ssl_context *ssl)
2585 {
2586 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2587
2588 #if defined(MBEDTLS_X509_CRT_PARSE_C)
2589 if ((ssl_tls13_pick_key_cert(ssl) != 0) ||
2590 mbedtls_ssl_own_cert(ssl) == NULL) {
2591 MBEDTLS_SSL_DEBUG_MSG(2, ("No certificate available."));
2592 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
2593 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE);
2594 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
2595 }
2596 #endif /* MBEDTLS_X509_CRT_PARSE_C */
2597
2598 ret = mbedtls_ssl_tls13_write_certificate(ssl);
2599 if (ret != 0) {
2600 return ret;
2601 }
2602 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CERTIFICATE_VERIFY);
2603 return 0;
2604 }
2605
2606 /*
2607 * Handler for MBEDTLS_SSL_CERTIFICATE_VERIFY
2608 */
2609 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_write_certificate_verify(mbedtls_ssl_context * ssl)2610 static int ssl_tls13_write_certificate_verify(mbedtls_ssl_context *ssl)
2611 {
2612 int ret = mbedtls_ssl_tls13_write_certificate_verify(ssl);
2613 if (ret != 0) {
2614 return ret;
2615 }
2616 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_FINISHED);
2617 return 0;
2618 }
2619 #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
2620
2621 /*
2622 * Handler for MBEDTLS_SSL_SERVER_FINISHED
2623 */
2624 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_write_server_finished(mbedtls_ssl_context * ssl)2625 static int ssl_tls13_write_server_finished(mbedtls_ssl_context *ssl)
2626 {
2627 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2628
2629 ret = mbedtls_ssl_tls13_write_finished_message(ssl);
2630 if (ret != 0) {
2631 return ret;
2632 }
2633
2634 ret = mbedtls_ssl_tls13_compute_application_transform(ssl);
2635 if (ret != 0) {
2636 MBEDTLS_SSL_PEND_FATAL_ALERT(
2637 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
2638 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE);
2639 return ret;
2640 }
2641
2642 MBEDTLS_SSL_DEBUG_MSG(1, ("Switch to handshake keys for inbound traffic"));
2643 mbedtls_ssl_set_inbound_transform(ssl, ssl->handshake->transform_handshake);
2644
2645 if (ssl->handshake->certificate_request_sent) {
2646 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE);
2647 } else {
2648 MBEDTLS_SSL_DEBUG_MSG(2, ("skip parse certificate"));
2649 MBEDTLS_SSL_DEBUG_MSG(2, ("skip parse certificate verify"));
2650 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_FINISHED);
2651 }
2652
2653 return 0;
2654 }
2655
2656 /*
2657 * Handler for MBEDTLS_SSL_CLIENT_FINISHED
2658 */
2659 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_process_client_finished(mbedtls_ssl_context * ssl)2660 static int ssl_tls13_process_client_finished(mbedtls_ssl_context *ssl)
2661 {
2662 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2663
2664 ret = mbedtls_ssl_tls13_process_finished_message(ssl);
2665 if (ret != 0) {
2666 return ret;
2667 }
2668
2669 ret = mbedtls_ssl_tls13_compute_resumption_master_secret(ssl);
2670 if (ret != 0) {
2671 MBEDTLS_SSL_DEBUG_RET(
2672 1, "mbedtls_ssl_tls13_compute_resumption_master_secret", ret);
2673 }
2674
2675 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_WRAPUP);
2676 return 0;
2677 }
2678
2679 /*
2680 * Handler for MBEDTLS_SSL_HANDSHAKE_WRAPUP
2681 */
2682 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_handshake_wrapup(mbedtls_ssl_context * ssl)2683 static int ssl_tls13_handshake_wrapup(mbedtls_ssl_context *ssl)
2684 {
2685 MBEDTLS_SSL_DEBUG_MSG(2, ("handshake: done"));
2686
2687 mbedtls_ssl_tls13_handshake_wrapup(ssl);
2688
2689 #if defined(MBEDTLS_SSL_SESSION_TICKETS) && \
2690 defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
2691 /* TODO: Remove the check of SOME_PSK_ENABLED since SESSION_TICKETS requires
2692 * SOME_PSK_ENABLED to be enabled. Here is just to make CI happy. It is
2693 * expected to be resolved with issue#6395.
2694 */
2695 /* Sent NewSessionTicket message only when client supports PSK */
2696 if (mbedtls_ssl_tls13_some_psk_enabled(ssl)) {
2697 mbedtls_ssl_handshake_set_state(
2698 ssl, MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET);
2699 } else
2700 #endif
2701 {
2702 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_OVER);
2703 }
2704 return 0;
2705 }
2706
2707 /*
2708 * Handler for MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET
2709 */
2710 #define SSL_NEW_SESSION_TICKET_SKIP 0
2711 #define SSL_NEW_SESSION_TICKET_WRITE 1
2712 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_write_new_session_ticket_coordinate(mbedtls_ssl_context * ssl)2713 static int ssl_tls13_write_new_session_ticket_coordinate(mbedtls_ssl_context *ssl)
2714 {
2715 /* Check whether the use of session tickets is enabled */
2716 if (ssl->conf->f_ticket_write == NULL) {
2717 MBEDTLS_SSL_DEBUG_MSG(2, ("NewSessionTicket: disabled,"
2718 " callback is not set"));
2719 return SSL_NEW_SESSION_TICKET_SKIP;
2720 }
2721 if (ssl->conf->new_session_tickets_count == 0) {
2722 MBEDTLS_SSL_DEBUG_MSG(2, ("NewSessionTicket: disabled,"
2723 " configured count is zero"));
2724 return SSL_NEW_SESSION_TICKET_SKIP;
2725 }
2726
2727 if (ssl->handshake->new_session_tickets_count == 0) {
2728 MBEDTLS_SSL_DEBUG_MSG(2, ("NewSessionTicket: all tickets have "
2729 "been sent."));
2730 return SSL_NEW_SESSION_TICKET_SKIP;
2731 }
2732
2733 return SSL_NEW_SESSION_TICKET_WRITE;
2734 }
2735
2736 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
2737 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_prepare_new_session_ticket(mbedtls_ssl_context * ssl,unsigned char * ticket_nonce,size_t ticket_nonce_size)2738 static int ssl_tls13_prepare_new_session_ticket(mbedtls_ssl_context *ssl,
2739 unsigned char *ticket_nonce,
2740 size_t ticket_nonce_size)
2741 {
2742 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2743 mbedtls_ssl_session *session = ssl->session;
2744 mbedtls_ssl_ciphersuite_t *ciphersuite_info;
2745 psa_algorithm_t psa_hash_alg;
2746 int hash_length;
2747
2748 MBEDTLS_SSL_DEBUG_MSG(2, ("=> prepare NewSessionTicket msg"));
2749
2750 #if defined(MBEDTLS_HAVE_TIME)
2751 session->start = mbedtls_time(NULL);
2752 #endif
2753
2754 /* Set ticket_flags depends on the advertised psk key exchange mode */
2755 mbedtls_ssl_session_clear_ticket_flags(
2756 session, MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK);
2757 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
2758 mbedtls_ssl_session_set_ticket_flags(
2759 session, ssl->handshake->tls13_kex_modes);
2760 #endif
2761 MBEDTLS_SSL_PRINT_TICKET_FLAGS(4, session->ticket_flags);
2762
2763 /* Generate ticket_age_add */
2764 if ((ret = ssl->conf->f_rng(ssl->conf->p_rng,
2765 (unsigned char *) &session->ticket_age_add,
2766 sizeof(session->ticket_age_add)) != 0)) {
2767 MBEDTLS_SSL_DEBUG_RET(1, "generate_ticket_age_add", ret);
2768 return ret;
2769 }
2770 MBEDTLS_SSL_DEBUG_MSG(3, ("ticket_age_add: %u",
2771 (unsigned int) session->ticket_age_add));
2772
2773 /* Generate ticket_nonce */
2774 ret = ssl->conf->f_rng(ssl->conf->p_rng, ticket_nonce, ticket_nonce_size);
2775 if (ret != 0) {
2776 MBEDTLS_SSL_DEBUG_RET(1, "generate_ticket_nonce", ret);
2777 return ret;
2778 }
2779 MBEDTLS_SSL_DEBUG_BUF(3, "ticket_nonce:",
2780 ticket_nonce, ticket_nonce_size);
2781
2782 ciphersuite_info =
2783 (mbedtls_ssl_ciphersuite_t *) ssl->handshake->ciphersuite_info;
2784 psa_hash_alg = mbedtls_md_psa_alg_from_type(ciphersuite_info->mac);
2785 hash_length = PSA_HASH_LENGTH(psa_hash_alg);
2786 if (hash_length == -1 ||
2787 (size_t) hash_length > sizeof(session->resumption_key)) {
2788 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
2789 }
2790
2791 /* In this code the psk key length equals the length of the hash */
2792 session->resumption_key_len = hash_length;
2793 session->ciphersuite = ciphersuite_info->id;
2794
2795 /* Compute resumption key
2796 *
2797 * HKDF-Expand-Label( resumption_master_secret,
2798 * "resumption", ticket_nonce, Hash.length )
2799 */
2800 ret = mbedtls_ssl_tls13_hkdf_expand_label(
2801 psa_hash_alg,
2802 session->app_secrets.resumption_master_secret,
2803 hash_length,
2804 MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(resumption),
2805 ticket_nonce,
2806 ticket_nonce_size,
2807 session->resumption_key,
2808 hash_length);
2809
2810 if (ret != 0) {
2811 MBEDTLS_SSL_DEBUG_RET(2,
2812 "Creating the ticket-resumed PSK failed",
2813 ret);
2814 return ret;
2815 }
2816 MBEDTLS_SSL_DEBUG_BUF(3, "Ticket-resumed PSK",
2817 session->resumption_key,
2818 session->resumption_key_len);
2819
2820 MBEDTLS_SSL_DEBUG_BUF(3, "resumption_master_secret",
2821 session->app_secrets.resumption_master_secret,
2822 hash_length);
2823
2824 return 0;
2825 }
2826
2827 /* This function creates a NewSessionTicket message in the following format:
2828 *
2829 * struct {
2830 * uint32 ticket_lifetime;
2831 * uint32 ticket_age_add;
2832 * opaque ticket_nonce<0..255>;
2833 * opaque ticket<1..2^16-1>;
2834 * Extension extensions<0..2^16-2>;
2835 * } NewSessionTicket;
2836 *
2837 * The ticket inside the NewSessionTicket message is an encrypted container
2838 * carrying the necessary information so that the server is later able to
2839 * re-start the communication.
2840 *
2841 * The following fields are placed inside the ticket by the
2842 * f_ticket_write() function:
2843 *
2844 * - creation time (start)
2845 * - flags (flags)
2846 * - age add (ticket_age_add)
2847 * - key (key)
2848 * - key length (key_len)
2849 * - ciphersuite (ciphersuite)
2850 */
2851 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_write_new_session_ticket_body(mbedtls_ssl_context * ssl,unsigned char * buf,unsigned char * end,size_t * out_len,unsigned char * ticket_nonce,size_t ticket_nonce_size)2852 static int ssl_tls13_write_new_session_ticket_body(mbedtls_ssl_context *ssl,
2853 unsigned char *buf,
2854 unsigned char *end,
2855 size_t *out_len,
2856 unsigned char *ticket_nonce,
2857 size_t ticket_nonce_size)
2858 {
2859 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2860 unsigned char *p = buf;
2861 mbedtls_ssl_session *session = ssl->session;
2862 size_t ticket_len;
2863 uint32_t ticket_lifetime;
2864
2865 *out_len = 0;
2866 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write NewSessionTicket msg"));
2867
2868 /*
2869 * ticket_lifetime 4 bytes
2870 * ticket_age_add 4 bytes
2871 * ticket_nonce 1 + ticket_nonce_size bytes
2872 * ticket >=2 bytes
2873 */
2874 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 4 + 4 + 1 + ticket_nonce_size + 2);
2875
2876 /* Generate ticket and ticket_lifetime */
2877 ret = ssl->conf->f_ticket_write(ssl->conf->p_ticket,
2878 session,
2879 p + 9 + ticket_nonce_size + 2,
2880 end,
2881 &ticket_len,
2882 &ticket_lifetime);
2883 if (ret != 0) {
2884 MBEDTLS_SSL_DEBUG_RET(1, "write_ticket", ret);
2885 return ret;
2886 }
2887 /* RFC 8446 4.6.1
2888 * ticket_lifetime: Indicates the lifetime in seconds as a 32-bit
2889 * unsigned integer in network byte order from the time of ticket
2890 * issuance. Servers MUST NOT use any value greater than
2891 * 604800 seconds (7 days). The value of zero indicates that the
2892 * ticket should be discarded immediately. Clients MUST NOT cache
2893 * tickets for longer than 7 days, regardless of the ticket_lifetime,
2894 * and MAY delete tickets earlier based on local policy. A server
2895 * MAY treat a ticket as valid for a shorter period of time than what
2896 * is stated in the ticket_lifetime.
2897 */
2898 if (ticket_lifetime > 604800) {
2899 ticket_lifetime = 604800;
2900 }
2901 MBEDTLS_PUT_UINT32_BE(ticket_lifetime, p, 0);
2902 MBEDTLS_SSL_DEBUG_MSG(3, ("ticket_lifetime: %u",
2903 (unsigned int) ticket_lifetime));
2904
2905 /* Write ticket_age_add */
2906 MBEDTLS_PUT_UINT32_BE(session->ticket_age_add, p, 4);
2907 MBEDTLS_SSL_DEBUG_MSG(3, ("ticket_age_add: %u",
2908 (unsigned int) session->ticket_age_add));
2909
2910 /* Write ticket_nonce */
2911 p[8] = (unsigned char) ticket_nonce_size;
2912 if (ticket_nonce_size > 0) {
2913 memcpy(p + 9, ticket_nonce, ticket_nonce_size);
2914 }
2915 p += 9 + ticket_nonce_size;
2916
2917 /* Write ticket */
2918 MBEDTLS_PUT_UINT16_BE(ticket_len, p, 0);
2919 p += 2;
2920 MBEDTLS_SSL_DEBUG_BUF(4, "ticket", p, ticket_len);
2921 p += ticket_len;
2922
2923 /* Ticket Extensions
2924 *
2925 * Note: We currently don't have any extensions.
2926 * Set length to zero.
2927 */
2928 ssl->handshake->sent_extensions = MBEDTLS_SSL_EXT_MASK_NONE;
2929
2930 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2);
2931 MBEDTLS_PUT_UINT16_BE(0, p, 0);
2932 p += 2;
2933
2934 *out_len = p - buf;
2935 MBEDTLS_SSL_DEBUG_BUF(4, "ticket", buf, *out_len);
2936 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write new session ticket"));
2937
2938 MBEDTLS_SSL_PRINT_EXTS(
2939 3, MBEDTLS_SSL_HS_NEW_SESSION_TICKET, ssl->handshake->sent_extensions);
2940
2941 return 0;
2942 }
2943
2944 /*
2945 * Handler for MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET
2946 */
ssl_tls13_write_new_session_ticket(mbedtls_ssl_context * ssl)2947 static int ssl_tls13_write_new_session_ticket(mbedtls_ssl_context *ssl)
2948 {
2949 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2950
2951 MBEDTLS_SSL_PROC_CHK_NEG(ssl_tls13_write_new_session_ticket_coordinate(ssl));
2952
2953 if (ret == SSL_NEW_SESSION_TICKET_WRITE) {
2954 unsigned char ticket_nonce[MBEDTLS_SSL_TLS1_3_TICKET_NONCE_LENGTH];
2955 unsigned char *buf;
2956 size_t buf_len, msg_len;
2957
2958 MBEDTLS_SSL_PROC_CHK(ssl_tls13_prepare_new_session_ticket(
2959 ssl, ticket_nonce, sizeof(ticket_nonce)));
2960
2961 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_start_handshake_msg(
2962 ssl, MBEDTLS_SSL_HS_NEW_SESSION_TICKET,
2963 &buf, &buf_len));
2964
2965 MBEDTLS_SSL_PROC_CHK(ssl_tls13_write_new_session_ticket_body(
2966 ssl, buf, buf + buf_len, &msg_len,
2967 ticket_nonce, sizeof(ticket_nonce)));
2968
2969 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_finish_handshake_msg(
2970 ssl, buf_len, msg_len));
2971
2972 /* Limit session tickets count to one when resumption connection.
2973 *
2974 * See document of mbedtls_ssl_conf_new_session_tickets.
2975 */
2976 if (ssl->handshake->resume == 1) {
2977 ssl->handshake->new_session_tickets_count = 0;
2978 } else {
2979 ssl->handshake->new_session_tickets_count--;
2980 }
2981
2982 mbedtls_ssl_handshake_set_state(
2983 ssl, MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET_FLUSH);
2984 } else {
2985 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_OVER);
2986 }
2987
2988 cleanup:
2989
2990 return ret;
2991 }
2992 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
2993
2994 /*
2995 * TLS 1.3 State Machine -- server side
2996 */
mbedtls_ssl_tls13_handshake_server_step(mbedtls_ssl_context * ssl)2997 int mbedtls_ssl_tls13_handshake_server_step(mbedtls_ssl_context *ssl)
2998 {
2999 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
3000
3001 if (ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER || ssl->handshake == NULL) {
3002 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3003 }
3004
3005 MBEDTLS_SSL_DEBUG_MSG(2, ("tls13 server state: %s(%d)",
3006 mbedtls_ssl_states_str(ssl->state),
3007 ssl->state));
3008
3009 switch (ssl->state) {
3010 /* start state */
3011 case MBEDTLS_SSL_HELLO_REQUEST:
3012 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_HELLO);
3013 ret = 0;
3014 break;
3015
3016 case MBEDTLS_SSL_CLIENT_HELLO:
3017 ret = ssl_tls13_process_client_hello(ssl);
3018 if (ret != 0) {
3019 MBEDTLS_SSL_DEBUG_RET(1, "ssl_tls13_process_client_hello", ret);
3020 }
3021 break;
3022
3023 case MBEDTLS_SSL_HELLO_RETRY_REQUEST:
3024 ret = ssl_tls13_write_hello_retry_request(ssl);
3025 if (ret != 0) {
3026 MBEDTLS_SSL_DEBUG_RET(1, "ssl_tls13_write_hello_retry_request", ret);
3027 return ret;
3028 }
3029 break;
3030
3031 case MBEDTLS_SSL_SERVER_HELLO:
3032 ret = ssl_tls13_write_server_hello(ssl);
3033 break;
3034
3035 case MBEDTLS_SSL_ENCRYPTED_EXTENSIONS:
3036 ret = ssl_tls13_write_encrypted_extensions(ssl);
3037 if (ret != 0) {
3038 MBEDTLS_SSL_DEBUG_RET(1, "ssl_tls13_write_encrypted_extensions", ret);
3039 return ret;
3040 }
3041 break;
3042
3043 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
3044 case MBEDTLS_SSL_CERTIFICATE_REQUEST:
3045 ret = ssl_tls13_write_certificate_request(ssl);
3046 break;
3047
3048 case MBEDTLS_SSL_SERVER_CERTIFICATE:
3049 ret = ssl_tls13_write_server_certificate(ssl);
3050 break;
3051
3052 case MBEDTLS_SSL_CERTIFICATE_VERIFY:
3053 ret = ssl_tls13_write_certificate_verify(ssl);
3054 break;
3055 #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
3056
3057 /*
3058 * Injection of dummy-CCS's for middlebox compatibility
3059 */
3060 #if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
3061 case MBEDTLS_SSL_SERVER_CCS_AFTER_HELLO_RETRY_REQUEST:
3062 ret = mbedtls_ssl_tls13_write_change_cipher_spec(ssl);
3063 if (ret == 0) {
3064 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_HELLO);
3065 }
3066 break;
3067
3068 case MBEDTLS_SSL_SERVER_CCS_AFTER_SERVER_HELLO:
3069 ret = mbedtls_ssl_tls13_write_change_cipher_spec(ssl);
3070 if (ret == 0) {
3071 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_ENCRYPTED_EXTENSIONS);
3072 }
3073 break;
3074 #endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
3075
3076 case MBEDTLS_SSL_SERVER_FINISHED:
3077 ret = ssl_tls13_write_server_finished(ssl);
3078 break;
3079
3080 case MBEDTLS_SSL_CLIENT_FINISHED:
3081 ret = ssl_tls13_process_client_finished(ssl);
3082 break;
3083
3084 case MBEDTLS_SSL_HANDSHAKE_WRAPUP:
3085 ret = ssl_tls13_handshake_wrapup(ssl);
3086 break;
3087
3088 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
3089 case MBEDTLS_SSL_CLIENT_CERTIFICATE:
3090 ret = mbedtls_ssl_tls13_process_certificate(ssl);
3091 if (ret == 0) {
3092 if (ssl->session_negotiate->peer_cert != NULL) {
3093 mbedtls_ssl_handshake_set_state(
3094 ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY);
3095 } else {
3096 MBEDTLS_SSL_DEBUG_MSG(2, ("skip parse certificate verify"));
3097 mbedtls_ssl_handshake_set_state(
3098 ssl, MBEDTLS_SSL_CLIENT_FINISHED);
3099 }
3100 }
3101 break;
3102
3103 case MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY:
3104 ret = mbedtls_ssl_tls13_process_certificate_verify(ssl);
3105 if (ret == 0) {
3106 mbedtls_ssl_handshake_set_state(
3107 ssl, MBEDTLS_SSL_CLIENT_FINISHED);
3108 }
3109 break;
3110 #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
3111
3112 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
3113 case MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET:
3114 ret = ssl_tls13_write_new_session_ticket(ssl);
3115 if (ret != 0) {
3116 MBEDTLS_SSL_DEBUG_RET(1,
3117 "ssl_tls13_write_new_session_ticket ",
3118 ret);
3119 }
3120 break;
3121 case MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET_FLUSH:
3122 /* This state is necessary to do the flush of the New Session
3123 * Ticket message written in MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET
3124 * as part of ssl_prepare_handshake_step.
3125 */
3126 ret = 0;
3127
3128 if (ssl->handshake->new_session_tickets_count == 0) {
3129 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_OVER);
3130 } else {
3131 mbedtls_ssl_handshake_set_state(
3132 ssl, MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET);
3133 }
3134 break;
3135
3136 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
3137
3138 default:
3139 MBEDTLS_SSL_DEBUG_MSG(1, ("invalid state %d", ssl->state));
3140 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
3141 }
3142
3143 return ret;
3144 }
3145
3146 #endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_PROTO_TLS1_3 */
3147
